commit 62813c2d2a3617a289397582b2db3db9f97111ee Author: Greg Kroah-Hartman Date: Wed Jul 19 16:37:03 2023 +0200 Linux 6.4.4 Link: https://lore.kernel.org/r/20230716194949.099592437@linuxfoundation.org Tested-by: Ronald Warsow Tested-by: Ron Economos Tested-by: Conor Dooley Tested-by: Shuah Khan Link: https://lore.kernel.org/r/20230717185649.282143678@linuxfoundation.org Tested-by: Ronald Warsow Link: https://lore.kernel.org/r/20230717201608.814406187@linuxfoundation.org Tested-by: Ronald Warsow Tested-by: Bagas Sanjaya Tested-by: Jon Hunter Tested-by: Chris Paterson (CIP) Tested-by: Ron Economos Tested-by: Justin M. Forbes Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Allen Pais Tested-by: SeongJae Park Tested-by: Rudi Heitbaum Tested-by: Jiri Slaby Signed-off-by: Greg Kroah-Hartman commit a1eaafa2c0ea2408a2f307e84473bd87235fa4a1 Author: Artur Rojek Date: Tue Jul 11 01:31:32 2023 +0200 sh: hd64461: Handle virq offset for offchip IRQ base and HD64461 IRQ commit 7c28a35e19fafa1d3b367bcd3ec4021427a9397b upstream. A recent change to start counting SuperH IRQ #s from 16 breaks support for the Hitachi HD64461 companion chip. Move the offchip IRQ base and HD64461 IRQ # by 16 in order to accommodate for the new virq numbering rules. Fixes: a8ac2961148e ("sh: Avoid using IRQ0 on SH3 and SH4") Signed-off-by: Artur Rojek Reviewed-by: Geert Uytterhoeven Reviewed-by: John Paul Adrian Glaubitz Link: https://lore.kernel.org/r/20230710233132.69734-1-contact@artur-rojek.eu Signed-off-by: John Paul Adrian Glaubitz Signed-off-by: Greg Kroah-Hartman commit b990fcf1f816102022f8c1fbc704fbb240baf876 Author: Geert Uytterhoeven Date: Sun Jul 9 15:10:43 2023 +0200 sh: mach-dreamcast: Handle virq offset in cascaded IRQ demux commit 3d20f7a6eb76afdf9d4ad9cb864c2e2da9c38e1f upstream. Take into account the virq offset when translating cascaded interrupts. Fixes: a8ac2961148e8c72 ("sh: Avoid using IRQ0 on SH3 and SH4") Signed-off-by: Geert Uytterhoeven Reviewed-by: John Paul Adrian Glaubitz Link: https://lore.kernel.org/r/7d0cb246c9f1cd24bb1f637ec5cb67e799a4c3b8.1688908227.git.geert+renesas@glider.be Signed-off-by: John Paul Adrian Glaubitz Signed-off-by: Greg Kroah-Hartman commit 42530519c7f23b5c23b32b98bab1feea5e8bcb47 Author: Geert Uytterhoeven Date: Sun Jul 9 15:10:23 2023 +0200 sh: mach-highlander: Handle virq offset in cascaded IRL demux commit a2601b8d8f077368c6d113b4d496559415c6d495 upstream. Take into account the virq offset when translating cascaded IRL interrupts. Fixes: a8ac2961148e8c72 ("sh: Avoid using IRQ0 on SH3 and SH4") Signed-off-by: Geert Uytterhoeven Reviewed-by: John Paul Adrian Glaubitz Link: https://lore.kernel.org/r/4fcb0d08a2b372431c41e04312742dc9e41e1be4.1688908186.git.geert+renesas@glider.be Signed-off-by: John Paul Adrian Glaubitz Signed-off-by: Greg Kroah-Hartman commit eca4937e394f64c21574432cb0545ea860ad01ee Author: Geert Uytterhoeven Date: Sun Jul 9 13:15:49 2023 +0200 sh: mach-r2d: Handle virq offset in cascaded IRL demux commit ab8aa4f0956d2e0fb8344deadb823ef743581795 upstream. When booting rts7751r2dplus_defconfig on QEMU, the system hangs due to an interrupt storm on IRQ 20. IRQ 20 aka event 0x280 is a cascaded IRL interrupt, which maps to IRQ_VOYAGER, the interrupt used by the Silicon Motion SM501 multimedia companion chip. As rts7751r2d_irq_demux() does not take into account the new virq offset, the interrupt is no longer translated, leading to an unhandled interrupt. Fix this by taking into account the virq offset when translating cascaded IRL interrupts. Fixes: a8ac2961148e8c72 ("sh: Avoid using IRQ0 on SH3 and SH4") Reported-by: Guenter Roeck Closes: https://lore.kernel.org/r/fbfea3ad-d327-4ad5-ac9c-648c7ca3fe1f@roeck-us.net Signed-off-by: Geert Uytterhoeven Reviewed-by: John Paul Adrian Glaubitz Tested-by: John Paul Adrian Glaubitz Tested-by: Guenter Roeck Link: https://lore.kernel.org/r/2c99d5df41c40691f6c407b7b6a040d406bc81ac.1688901306.git.geert+renesas@glider.be Signed-off-by: John Paul Adrian Glaubitz Signed-off-by: Greg Kroah-Hartman commit 7b43d7b8664c05c3926d738c9246c06368b2b633 Author: Michael Schmitz Date: Wed Jul 5 11:38:08 2023 +1200 block/partition: fix signedness issue for Amiga partitions commit 7eb1e47696aa231b1a567846bbe3a1e1befe1854 upstream. Making 'blk' sector_t (i.e. 64 bit if LBD support is active) fails the 'blk>0' test in the partition block loop if a value of (signed int) -1 is used to mark the end of the partition block list. Explicitly cast 'blk' to signed int to allow use of -1 to terminate the partition block linked list. Fixes: b6f3f28f604b ("block: add overflow checks for Amiga partition support") Reported-by: Christian Zigotzky Link: https://lore.kernel.org/r/024ce4fa-cc6d-50a2-9aae-3701d0ebf668@xenosoft.de Signed-off-by: Michael Schmitz Reviewed-by: Martin Steigerwald Tested-by: Christian Zigotzky Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit bd4f737b145d85c7183ec879ce46b57ce64362e1 Author: Andres Freund Date: Fri Jul 7 09:20:07 2023 -0700 io_uring: Use io_schedule* in cqring wait commit 8a796565cec3601071cbbd27d6304e202019d014 upstream. I observed poor performance of io_uring compared to synchronous IO. That turns out to be caused by deeper CPU idle states entered with io_uring, due to io_uring using plain schedule(), whereas synchronous IO uses io_schedule(). The losses due to this are substantial. On my cascade lake workstation, t/io_uring from the fio repository e.g. yields regressions between 20% and 40% with the following command: ./t/io_uring -r 5 -X0 -d 1 -s 1 -c 1 -p 0 -S$use_sync -R 0 /mnt/t2/fio/write.0.0 This is repeatable with different filesystems, using raw block devices and using different block devices. Use io_schedule_prepare() / io_schedule_finish() in io_cqring_wait_schedule() to address the difference. After that using io_uring is on par or surpassing synchronous IO (using registered files etc makes it reliably win, but arguably is a less fair comparison). There are other calls to schedule() in io_uring/, but none immediately jump out to be similarly situated, so I did not touch them. Similarly, it's possible that mutex_lock_io() should be used, but it's not clear if there are cases where that matters. Cc: stable@vger.kernel.org # 5.10+ Cc: Pavel Begunkov Cc: io-uring@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Andres Freund Link: https://lore.kernel.org/r/20230707162007.194068-1-andres@anarazel.de [axboe: minor style fixup] Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 90583977cae9deb9475794e89d83d928e358ede5 Author: Sherry Sun Date: Mon Jun 19 16:06:13 2023 +0800 tty: serial: fsl_lpuart: add earlycon for imx8ulp platform commit e0edfdc15863ec80a1d9ac6e174dbccc00206dd0 upstream. Add earlycon support for imx8ulp platform. Signed-off-by: Sherry Sun Cc: stable Link: https://lore.kernel.org/r/20230619080613.16522-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman commit 35a1185745df947034e3f67f485ae0ac048d9ad5 Author: Jason A. Donenfeld Date: Mon Jul 3 03:27:05 2023 +0200 wireguard: netlink: send staged packets when setting initial private key commit f58d0a9b4c6a7a5199c3af967e43cc8b654604d4 upstream. Packets bound for peers can queue up prior to the device private key being set. For example, if persistent keepalive is set, a packet is queued up to be sent as soon as the device comes up. However, if the private key hasn't been set yet, the handshake message never sends, and no timer is armed to retry, since that would be pointless. But, if a user later sets a private key, the expectation is that those queued packets, such as a persistent keepalive, are actually sent. So adjust the configuration logic to account for this edge case, and add a test case to make sure this works. Maxim noticed this with a wg-quick(8) config to the tune of: [Interface] PostUp = wg set %i private-key somefile [Peer] PublicKey = ... Endpoint = ... PersistentKeepalive = 25 Here, the private key gets set after the device comes up using a PostUp script, triggering the bug. Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Cc: stable@vger.kernel.org Reported-by: Maxim Cournoyer Tested-by: Maxim Cournoyer Link: https://lore.kernel.org/wireguard/87fs7xtqrv.fsf@gmail.com/ Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9a1317621fbf2347872bba368e47f78a670bc2f9 Author: Jason A. Donenfeld Date: Mon Jul 3 03:27:04 2023 +0200 wireguard: queueing: use saner cpu selection wrapping commit 7387943fa35516f6f8017a3b0e9ce48a3bef9faa upstream. Using `% nr_cpumask_bits` is slow and complicated, and not totally robust toward dynamic changes to CPU topologies. Rather than storing the next CPU in the round-robin, just store the last one, and also return that value. This simplifies the loop drastically into a much more common pattern. Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Cc: stable@vger.kernel.org Reported-by: Linus Torvalds Tested-by: Manuel Leiner Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b79c09c2bf2d7643902a6ef26152de602c5c5e4b Author: Thadeu Lima de Souza Cascardo Date: Wed Jul 5 18:05:35 2023 -0300 netfilter: nf_tables: prevent OOB access in nft_byteorder_eval commit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd upstream. When evaluating byteorder expressions with size 2, a union with 32-bit and 16-bit members is used. Since the 16-bit members are aligned to 32-bit, the array accesses will be out-of-bounds. It may lead to a stack-out-of-bounds access like the one below: [ 23.095215] ================================================================== [ 23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320 [ 23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115 [ 23.096358] [ 23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413 [ 23.096770] Call Trace: [ 23.096910] [ 23.097030] dump_stack_lvl+0x60/0xc0 [ 23.097218] print_report+0xcf/0x630 [ 23.097388] ? nft_byteorder_eval+0x13c/0x320 [ 23.097577] ? kasan_addr_to_slab+0xd/0xc0 [ 23.097760] ? nft_byteorder_eval+0x13c/0x320 [ 23.097949] kasan_report+0xc9/0x110 [ 23.098106] ? nft_byteorder_eval+0x13c/0x320 [ 23.098298] __asan_load2+0x83/0xd0 [ 23.098453] nft_byteorder_eval+0x13c/0x320 [ 23.098659] nft_do_chain+0x1c8/0xc50 [ 23.098852] ? __pfx_nft_do_chain+0x10/0x10 [ 23.099078] ? __kasan_check_read+0x11/0x20 [ 23.099295] ? __pfx___lock_acquire+0x10/0x10 [ 23.099535] ? __pfx___lock_acquire+0x10/0x10 [ 23.099745] ? __kasan_check_read+0x11/0x20 [ 23.099929] nft_do_chain_ipv4+0xfe/0x140 [ 23.100105] ? __pfx_nft_do_chain_ipv4+0x10/0x10 [ 23.100327] ? lock_release+0x204/0x400 [ 23.100515] ? nf_hook.constprop.0+0x340/0x550 [ 23.100779] nf_hook_slow+0x6c/0x100 [ 23.100977] ? __pfx_nft_do_chain_ipv4+0x10/0x10 [ 23.101223] nf_hook.constprop.0+0x334/0x550 [ 23.101443] ? __pfx_ip_local_deliver_finish+0x10/0x10 [ 23.101677] ? __pfx_nf_hook.constprop.0+0x10/0x10 [ 23.101882] ? __pfx_ip_rcv_finish+0x10/0x10 [ 23.102071] ? __pfx_ip_local_deliver_finish+0x10/0x10 [ 23.102291] ? rcu_read_lock_held+0x4b/0x70 [ 23.102481] ip_local_deliver+0xbb/0x110 [ 23.102665] ? __pfx_ip_rcv+0x10/0x10 [ 23.102839] ip_rcv+0x199/0x2a0 [ 23.102980] ? __pfx_ip_rcv+0x10/0x10 [ 23.103140] __netif_receive_skb_one_core+0x13e/0x150 [ 23.103362] ? __pfx___netif_receive_skb_one_core+0x10/0x10 [ 23.103647] ? mark_held_locks+0x48/0xa0 [ 23.103819] ? process_backlog+0x36c/0x380 [ 23.103999] __netif_receive_skb+0x23/0xc0 [ 23.104179] process_backlog+0x91/0x380 [ 23.104350] __napi_poll.constprop.0+0x66/0x360 [ 23.104589] ? net_rx_action+0x1cb/0x610 [ 23.104811] net_rx_action+0x33e/0x610 [ 23.105024] ? _raw_spin_unlock+0x23/0x50 [ 23.105257] ? __pfx_net_rx_action+0x10/0x10 [ 23.105485] ? mark_held_locks+0x48/0xa0 [ 23.105741] __do_softirq+0xfa/0x5ab [ 23.105956] ? __dev_queue_xmit+0x765/0x1c00 [ 23.106193] do_softirq.part.0+0x49/0xc0 [ 23.106423] [ 23.106547] [ 23.106670] __local_bh_enable_ip+0xf5/0x120 [ 23.106903] __dev_queue_xmit+0x789/0x1c00 [ 23.107131] ? __pfx___dev_queue_xmit+0x10/0x10 [ 23.107381] ? find_held_lock+0x8e/0xb0 [ 23.107585] ? lock_release+0x204/0x400 [ 23.107798] ? neigh_resolve_output+0x185/0x350 [ 23.108049] ? mark_held_locks+0x48/0xa0 [ 23.108265] ? neigh_resolve_output+0x185/0x350 [ 23.108514] neigh_resolve_output+0x246/0x350 [ 23.108753] ? neigh_resolve_output+0x246/0x350 [ 23.109003] ip_finish_output2+0x3c3/0x10b0 [ 23.109250] ? __pfx_ip_finish_output2+0x10/0x10 [ 23.109510] ? __pfx_nf_hook+0x10/0x10 [ 23.109732] __ip_finish_output+0x217/0x390 [ 23.109978] ip_finish_output+0x2f/0x130 [ 23.110207] ip_output+0xc9/0x170 [ 23.110404] ip_push_pending_frames+0x1a0/0x240 [ 23.110652] raw_sendmsg+0x102e/0x19e0 [ 23.110871] ? __pfx_raw_sendmsg+0x10/0x10 [ 23.111093] ? lock_release+0x204/0x400 [ 23.111304] ? __mod_lruvec_page_state+0x148/0x330 [ 23.111567] ? find_held_lock+0x8e/0xb0 [ 23.111777] ? find_held_lock+0x8e/0xb0 [ 23.111993] ? __rcu_read_unlock+0x7c/0x2f0 [ 23.112225] ? aa_sk_perm+0x18a/0x550 [ 23.112431] ? filemap_map_pages+0x4f1/0x900 [ 23.112665] ? __pfx_aa_sk_perm+0x10/0x10 [ 23.112880] ? find_held_lock+0x8e/0xb0 [ 23.113098] inet_sendmsg+0xa0/0xb0 [ 23.113297] ? inet_sendmsg+0xa0/0xb0 [ 23.113500] ? __pfx_inet_sendmsg+0x10/0x10 [ 23.113727] sock_sendmsg+0xf4/0x100 [ 23.113924] ? move_addr_to_kernel.part.0+0x4f/0xa0 [ 23.114190] __sys_sendto+0x1d4/0x290 [ 23.114391] ? __pfx___sys_sendto+0x10/0x10 [ 23.114621] ? __pfx_mark_lock.part.0+0x10/0x10 [ 23.114869] ? lock_release+0x204/0x400 [ 23.115076] ? find_held_lock+0x8e/0xb0 [ 23.115287] ? rcu_is_watching+0x23/0x60 [ 23.115503] ? __rseq_handle_notify_resume+0x6e2/0x860 [ 23.115778] ? __kasan_check_write+0x14/0x30 [ 23.116008] ? blkcg_maybe_throttle_current+0x8d/0x770 [ 23.116285] ? mark_held_locks+0x28/0xa0 [ 23.116503] ? do_syscall_64+0x37/0x90 [ 23.116713] __x64_sys_sendto+0x7f/0xb0 [ 23.116924] do_syscall_64+0x59/0x90 [ 23.117123] ? irqentry_exit_to_user_mode+0x25/0x30 [ 23.117387] ? irqentry_exit+0x77/0xb0 [ 23.117593] ? exc_page_fault+0x92/0x140 [ 23.117806] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 23.118081] RIP: 0033:0x7f744aee2bba [ 23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 [ 23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba [ 23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003 [ 23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010 [ 23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 [ 23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0 [ 23.121617] [ 23.121749] [ 23.121845] The buggy address belongs to the virtual mapping at [ 23.121845] [ffffc90000000000, ffffc90000009000) created by: [ 23.121845] irq_init_percpu_irqstack+0x1cf/0x270 [ 23.122707] [ 23.122803] The buggy address belongs to the physical page: [ 23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09 [ 23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff) [ 23.123998] page_type: 0xffffffff() [ 23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000 [ 23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 23.125023] page dumped because: kasan: bad access detected [ 23.125326] [ 23.125421] Memory state around the buggy address: [ 23.125682] ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 23.126072] ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 [ 23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 [ 23.126840] ^ [ 23.127138] ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 [ 23.127522] ffffc90000007a00: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 [ 23.127906] ================================================================== [ 23.128324] Disabling lock debugging due to kernel taint Using simple s16 pointers for the 16-bit accesses fixes the problem. For the 32-bit accesses, src and dst can be used directly. Fixes: 96518518cc41 ("netfilter: add nftables") Cc: stable@vger.kernel.org Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI Signed-off-by: Thadeu Lima de Souza Cascardo Reviewed-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 5e5e967e8505fbdabfb6497367ec1b808cadc356 Author: Thadeu Lima de Souza Cascardo Date: Wed Jul 5 09:12:55 2023 -0300 netfilter: nf_tables: do not ignore genmask when looking up chain by id commit 515ad530795c118f012539ed76d02bacfd426d89 upstream. When adding a rule to a chain referring to its ID, if that chain had been deleted on the same batch, the rule might end up referring to a deleted chain. This will lead to a WARNING like following: [ 33.098431] ------------[ cut here ]------------ [ 33.098678] WARNING: CPU: 5 PID: 69 at net/netfilter/nf_tables_api.c:2037 nf_tables_chain_destroy+0x23d/0x260 [ 33.099217] Modules linked in: [ 33.099388] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409 [ 33.099726] Workqueue: events nf_tables_trans_destroy_work [ 33.100018] RIP: 0010:nf_tables_chain_destroy+0x23d/0x260 [ 33.100306] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 [ 33.101271] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202 [ 33.101546] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000 [ 33.101920] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 33.102649] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000 [ 33.103018] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500 [ 33.103385] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10 [ 33.103762] FS: 0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000 [ 33.104184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 33.104493] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0 [ 33.104872] PKRU: 55555554 [ 33.104999] Call Trace: [ 33.105113] [ 33.105214] ? show_regs+0x72/0x90 [ 33.105371] ? __warn+0xa5/0x210 [ 33.105520] ? nf_tables_chain_destroy+0x23d/0x260 [ 33.105732] ? report_bug+0x1f2/0x200 [ 33.105902] ? handle_bug+0x46/0x90 [ 33.106546] ? exc_invalid_op+0x19/0x50 [ 33.106762] ? asm_exc_invalid_op+0x1b/0x20 [ 33.106995] ? nf_tables_chain_destroy+0x23d/0x260 [ 33.107249] ? nf_tables_chain_destroy+0x30/0x260 [ 33.107506] nf_tables_trans_destroy_work+0x669/0x680 [ 33.107782] ? mark_held_locks+0x28/0xa0 [ 33.107996] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [ 33.108294] ? _raw_spin_unlock_irq+0x28/0x70 [ 33.108538] process_one_work+0x68c/0xb70 [ 33.108755] ? lock_acquire+0x17f/0x420 [ 33.108977] ? __pfx_process_one_work+0x10/0x10 [ 33.109218] ? do_raw_spin_lock+0x128/0x1d0 [ 33.109435] ? _raw_spin_lock_irq+0x71/0x80 [ 33.109634] worker_thread+0x2bd/0x700 [ 33.109817] ? __pfx_worker_thread+0x10/0x10 [ 33.110254] kthread+0x18b/0x1d0 [ 33.110410] ? __pfx_kthread+0x10/0x10 [ 33.110581] ret_from_fork+0x29/0x50 [ 33.110757] [ 33.110866] irq event stamp: 1651 [ 33.111017] hardirqs last enabled at (1659): [] __up_console_sem+0x79/0xa0 [ 33.111379] hardirqs last disabled at (1666): [] __up_console_sem+0x5e/0xa0 [ 33.111740] softirqs last enabled at (1616): [] __irq_exit_rcu+0x9e/0xe0 [ 33.112094] softirqs last disabled at (1367): [] __irq_exit_rcu+0x9e/0xe0 [ 33.112453] ---[ end trace 0000000000000000 ]--- This is due to the nft_chain_lookup_byid ignoring the genmask. After this change, adding the new rule will fail as it will not find the chain. Fixes: 837830a4b439 ("netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute") Cc: stable@vger.kernel.org Reported-by: Mingi Cho of Theori working with ZDI Signed-off-by: Thadeu Lima de Souza Cascardo Reviewed-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit fce5cc7cbd4b92f979bf02c9ec5fb69aaeba92d7 Author: Florent Revest Date: Mon Jul 3 16:52:16 2023 +0200 netfilter: conntrack: Avoid nf_ct_helper_hash uses after free commit 6eef7a2b933885a17679eb8ed0796ddf0ee5309b upstream. If nf_conntrack_init_start() fails (for example due to a register_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini() clean-up path frees the nf_ct_helper_hash map. When built with NF_CONNTRACK=y, further netfilter modules (e.g: netfilter_conntrack_ftp) can still be loaded and call nf_conntrack_helpers_register(), independently of whether nf_conntrack initialized correctly. This accesses the nf_ct_helper_hash dangling pointer and causes a uaf, possibly leading to random memory corruption. This patch guards nf_conntrack_helper_register() from accessing a freed or uninitialized nf_ct_helper_hash pointer and fixes possible uses-after-free when loading a conntrack module. Cc: stable@vger.kernel.org Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") Signed-off-by: Florent Revest Reviewed-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 14c6b21717f05e39aa2412a26762c1439e05e9cd Author: Tao Zhou Date: Fri Jul 7 11:07:32 2023 -0400 drm/amdgpu: check RAS irq existence for VCN/JPEG commit 4ff96bcc0d40b66bf3ddd6010830e9a4f9b85d53 upstream No RAS irq is allowed. Signed-off-by: Tao Zhou Reviewed-by: Hawking Zhang Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x Signed-off-by: Greg Kroah-Hartman commit c8ae016b2416a266849555865c2eaaf4e888cbc8 Author: Kenneth Feng Date: Fri Jul 7 11:07:31 2023 -0400 drm/amd/pm: add abnormal fan detection for smu 13.0.0 commit 2da0036ea99bccb27f7fe3cf2aa2900860e9be46 upstream add abnormal fan detection for smu 13.0.0 Signed-off-by: Kenneth Feng Reviewed-by: Evan Quan Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x Signed-off-by: Greg Kroah-Hartman commit f9fdc20982b542894bbc7f4d393f5a59e882f409 Author: Alex Deucher Date: Fri Jul 7 11:07:30 2023 -0400 drm/amdgpu/sdma4: set align mask to 255 commit e5df16d9428f5c6d2d0b1eff244d6c330ba9ef3a upstream The wptr needs to be incremented at at least 64 dword intervals, use 256 to align with windows. This should fix potential hangs with unaligned updates. Reviewed-by: Felix Kuehling Reviewed-by: Aaron Liu Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 50515f38521be02621a97fca802618a128fc2403 Author: Evan Quan Date: Fri Jul 7 11:07:29 2023 -0400 drm/amd/pm: revise the ASPM settings for thunderbolt attached scenario commit fd21987274463a439c074b8f3c93d3b132e4c031 upstream Also, correct the comment for NAVI10_PCIE__LC_L1_INACTIVITY_TBT_DEFAULT as 0x0000000E stands for 400ms instead of 4ms. Signed-off-by: Evan Quan Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 414d11852603e615a9c0f010b7017ea30f16d2cc Author: Jiadong Zhu Date: Fri Jul 7 11:07:28 2023 -0400 drm/amdgpu: Skip mark offset for high priority rings commit ef3c36a6e025e9b16ca3321479ba016841fa17a0 upstream Only low priority rings are using chunks to save the offset. Bypass the mark offset callings from high priority rings. Signed-off-by: Jiadong Zhu Acked-by: Alex Deucher Signed-off-by: Alex Deucher (cherry picked from commit ef3c36a6e025e9b16ca3321479ba016841fa17a0) Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit fbec04aa5cb8fb64e44c59275fd4431abeaba06f Author: Christian König Date: Fri Jul 7 11:07:27 2023 -0400 drm/amdgpu: make sure that BOs have a backing store commit ca0b954a4315ca2228001c439ae1062561c81989 upstream It's perfectly possible that the BO is about to be destroyed and doesn't have a backing store associated with it. Signed-off-by: Christian König Reviewed-by: Alex Deucher Acked-by: Guchun Chen Tested-by: Mikhail Gavrilov Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.3.x Signed-off-by: Greg Kroah-Hartman commit 2eb044def66c10dc9cb50b06b81fc839e867d3b1 Author: Christian König Date: Fri Jul 7 11:07:26 2023 -0400 drm/amdgpu: make sure BOs are locked in amdgpu_vm_get_memory commit e2ad8e2df432498b1cee2af04df605723f4d75e6 upstream. We need to grab the lock of the BO or otherwise can run into a crash when we try to inspect the current location. Signed-off-by: Christian König Reviewed-by: Alex Deucher Acked-by: Guchun Chen Tested-by: Mikhail Gavrilov Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.3.x Signed-off-by: Greg Kroah-Hartman commit e46fce918eb389cd686e8360a5dd058349d66568 Author: WANG Xuerui Date: Thu Jun 29 20:58:43 2023 +0800 LoongArch: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation commit 5ddc7a3794ddd3470635ebd325fa1dffea5b18c0 upstream. This is a port of commit 08f6554ff90e ("mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation") to arch/loongarch, for fixing cross-compilation of Linux/LoongArch with Clang, where previously the `--target` flag would no longer be present for the CHECKFLAGS cc invocation leading to build failure. Reported-by: Nathan Chancellor Reviewed-by: Nathan Chancellor Link: https://github.com/ClangBuiltLinux/linux/issues/1787#issuecomment-1608306002 Signed-off-by: WANG Xuerui Signed-off-by: Huacai Chen Signed-off-by: Greg Kroah-Hartman commit d536af163c53ce9f9bcfe87d2e9946f06f1a7ea4 Author: Zhihao Cheng Date: Tue May 16 22:16:19 2023 +0800 ovl: fix null pointer dereference in ovl_get_acl_rcu() commit f4e19e595cc2e76a8a58413eb19d3d9c51328b53 upstream. Following process: P1 P2 path_openat link_path_walk may_lookup inode_permission(rcu) ovl_permission acl_permission_check check_acl get_cached_acl_rcu ovl_get_inode_acl realinode = ovl_inode_real(ovl_inode) drop_cache __dentry_kill(ovl_dentry) iput(ovl_inode) ovl_destroy_inode(ovl_inode) dput(oi->__upperdentry) dentry_kill(upperdentry) dentry_unlink_inode upperdentry->d_inode = NULL ovl_inode_upper upperdentry = ovl_i_dentry_upper(ovl_inode) d_inode(upperdentry) // returns NULL IS_POSIXACL(realinode) // NULL pointer dereference , will trigger an null pointer dereference at realinode: [ 205.472797] BUG: kernel NULL pointer dereference, address: 0000000000000028 [ 205.476701] CPU: 2 PID: 2713 Comm: ls Not tainted 6.3.0-12064-g2edfa098e750-dirty #1216 [ 205.478754] RIP: 0010:do_ovl_get_acl+0x5d/0x300 [ 205.489584] Call Trace: [ 205.489812] [ 205.490014] ovl_get_inode_acl+0x26/0x30 [ 205.490466] get_cached_acl_rcu+0x61/0xa0 [ 205.490908] generic_permission+0x1bf/0x4e0 [ 205.491447] ovl_permission+0x79/0x1b0 [ 205.491917] inode_permission+0x15e/0x2c0 [ 205.492425] link_path_walk+0x115/0x550 [ 205.493311] path_lookupat.isra.0+0xb2/0x200 [ 205.493803] filename_lookup+0xda/0x240 [ 205.495747] vfs_fstatat+0x7b/0xb0 Fetch a reproducer in [Link]. Use the helper ovl_i_path_realinode() to get realinode and then do non-nullptr checking. Link: https://bugzilla.kernel.org/show_bug.cgi?id=217404 Fixes: 332f606b32b6 ("ovl: enable RCU'd ->get_acl()") Cc: # v5.15 Signed-off-by: Zhihao Cheng Suggested-by: Christian Brauner Suggested-by: Amir Goldstein Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit a682c42c5f7eda211b9160c28fe49bf56e9fb39f Author: Zhihao Cheng Date: Tue May 16 22:16:17 2023 +0800 ovl: let helper ovl_i_path_real() return the realinode commit b2dd05f107b11966e26fe52a313b418364cf497b upstream. Let helper ovl_i_path_real() return the realinode to prepare for checking non-null realinode in RCU walking path. [msz] Use d_inode_rcu() since we are depending on the consitency between dentry and inode being non-NULL in an RCU setting. Signed-off-by: Zhihao Cheng Signed-off-by: Amir Goldstein Fixes: ffa5723c6d25 ("ovl: store lower path in ovl_inode") Cc: # v5.19 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 69f9ae7edf9ec0ff500429101923347fcba5c8c4 Author: Zhihao Cheng Date: Tue May 16 22:16:18 2023 +0800 ovl: fix null pointer dereference in ovl_permission() commit 1a73f5b8f079fd42a544c1600beface50c63af7c upstream. Following process: P1 P2 path_lookupat link_path_walk inode_permission ovl_permission ovl_i_path_real(inode, &realpath) path->dentry = ovl_i_dentry_upper(inode) drop_cache __dentry_kill(ovl_dentry) iput(ovl_inode) ovl_destroy_inode(ovl_inode) dput(oi->__upperdentry) dentry_kill(upperdentry) dentry_unlink_inode upperdentry->d_inode = NULL realinode = d_inode(realpath.dentry) // return NULL inode_permission(realinode) inode->i_sb // NULL pointer dereference , will trigger an null pointer dereference at realinode: [ 335.664979] BUG: kernel NULL pointer dereference, address: 0000000000000002 [ 335.668032] CPU: 0 PID: 2592 Comm: ls Not tainted 6.3.0 [ 335.669956] RIP: 0010:inode_permission+0x33/0x2c0 [ 335.678939] Call Trace: [ 335.679165] [ 335.679371] ovl_permission+0xde/0x320 [ 335.679723] inode_permission+0x15e/0x2c0 [ 335.680090] link_path_walk+0x115/0x550 [ 335.680771] path_lookupat.isra.0+0xb2/0x200 [ 335.681170] filename_lookup+0xda/0x240 [ 335.681922] vfs_statx+0xa6/0x1f0 [ 335.682233] vfs_fstatat+0x7b/0xb0 Fetch a reproducer in [Link]. Use the helper ovl_i_path_realinode() to get realinode and then do non-nullptr checking. Link: https://bugzilla.kernel.org/show_bug.cgi?id=217405 Fixes: 4b7791b2e958 ("ovl: handle idmappings in ovl_permission()") Cc: # v5.19 Signed-off-by: Zhihao Cheng Suggested-by: Christian Brauner Suggested-by: Amir Goldstein Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit e7c921db1739f95e495b746b8765893fa346af13 Author: Masahiro Yamada Date: Sun Apr 9 23:53:57 2023 +0900 kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS commit feb843a469fb0ab00d2d23cfb9bcc379791011bb upstream. When preprocessing arch/*/kernel/vmlinux.lds.S, the target triple is not passed to $(CPP) because we add it only to KBUILD_{C,A}FLAGS. As a result, the linker script is preprocessed with predefined macros for the build host instead of the target. Assuming you use an x86 build machine, compare the following: $ clang -dM -E -x c /dev/null $ clang -dM -E -x c /dev/null -target aarch64-linux-gnu There is no actual problem presumably because our linker scripts do not rely on such predefined macros, but it is better to define correct ones. Move $(CLANG_FLAGS) to KBUILD_CPPFLAGS, so that all *.c, *.S, *.lds.S will be processed with the proper target triple. [Note] After the patch submission, we got an actual problem that needs this commit. (CBL issue 1859) Link: https://github.com/ClangBuiltLinux/linux/issues/1859 Reported-by: Tom Rini Signed-off-by: Masahiro Yamada Reviewed-by: Nathan Chancellor Tested-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit 6de71217023caa3d0758aaa6f0ed584bee8a9ec4 Author: Nathan Chancellor Date: Tue Jun 6 15:40:35 2023 -0700 kbuild: Add KBUILD_CPPFLAGS to as-option invocation commit 43fc0a99906e04792786edf8534d8d58d1e9de0c upstream. After commit feb843a469fb ("kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS"), there is an error while building certain PowerPC assembly files with clang: arch/powerpc/lib/copypage_power7.S: Assembler messages: arch/powerpc/lib/copypage_power7.S:34: Error: junk at end of line: `0b01000' arch/powerpc/lib/copypage_power7.S:35: Error: junk at end of line: `0b01010' arch/powerpc/lib/copypage_power7.S:37: Error: junk at end of line: `0b01000' arch/powerpc/lib/copypage_power7.S:38: Error: junk at end of line: `0b01010' arch/powerpc/lib/copypage_power7.S:40: Error: junk at end of line: `0b01010' clang: error: assembler command failed with exit code 1 (use -v to see invocation) as-option only uses KBUILD_AFLAGS, so after removing CLANG_FLAGS from KBUILD_AFLAGS, there is no more '--target=' or '--prefix=' flags. As a result of those missing flags, the host target will be tested during as-option calls and likely fail, meaning necessary flags may not get added when building assembly files, resulting in errors like seen above. Add KBUILD_CPPFLAGS to as-option invocations to clear up the errors. This should have been done in commit d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper flags and language target"), which switched from using the assembler target to the assembler-with-cpp target, so flags that affect preprocessing are passed along in all relevant tests. as-option now mirrors cc-option. Fixes: feb843a469fb ("kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS") Reported-by: Linux Kernel Functional Testing Closes: https://lore.kernel.org/CA+G9fYs=koW9WardsTtora+nMgLR3raHz-LSLr58tgX4T5Mxag@mail.gmail.com/ Signed-off-by: Nathan Chancellor Tested-by: Naresh Kamboju Signed-off-by: Masahiro Yamada Signed-off-by: Greg Kroah-Hartman commit 103d3437b3c69096802dc657f3befffd2cbdf124 Author: Nathan Chancellor Date: Thu Jun 1 12:50:39 2023 -0700 kbuild: Add CLANG_FLAGS to as-instr commit cff6e7f50bd315e5b39c4e46c704ac587ceb965f upstream. A future change will move CLANG_FLAGS from KBUILD_{A,C}FLAGS to KBUILD_CPPFLAGS so that '--target' is available while preprocessing. When that occurs, the following errors appear multiple times when building ARCH=powerpc powernv_defconfig: ld.lld: error: vmlinux.a(arch/powerpc/kernel/head_64.o):(.text+0x12d4): relocation R_PPC64_ADDR16_HI out of range: -4611686018409717520 is not in [-2147483648, 2147483647]; references '__start___soft_mask_table' ld.lld: error: vmlinux.a(arch/powerpc/kernel/head_64.o):(.text+0x12e8): relocation R_PPC64_ADDR16_HI out of range: -4611686018409717392 is not in [-2147483648, 2147483647]; references '__stop___soft_mask_table' Diffing the .o.cmd files reveals that -DHAVE_AS_ATHIGH=1 is not present anymore, because as-instr only uses KBUILD_AFLAGS, which will no longer contain '--target'. Mirror Kconfig's as-instr and add CLANG_FLAGS explicitly to the invocation to ensure the target information is always present. Signed-off-by: Nathan Chancellor Signed-off-by: Masahiro Yamada Signed-off-by: Greg Kroah-Hartman commit 03c0d4aa85507995617977b2ff241238f60d442d Author: Nathan Chancellor Date: Thu Jun 1 11:46:33 2023 -0700 powerpc/vdso: Include CLANG_FLAGS explicitly in ldflags-y commit a7e5eb53bf9b800d086e2ebcfebd9a3bb16bd1b0 upstream. A future change will move CLANG_FLAGS from KBUILD_{A,C}FLAGS to KBUILD_CPPFLAGS so that '--target' is available while preprocessing. When that occurs, the following error appears when building the compat PowerPC vDSO: clang: error: unsupported option '-mbig-endian' for target 'x86_64-pc-linux-gnu' make[3]: *** [.../arch/powerpc/kernel/vdso/Makefile:76: arch/powerpc/kernel/vdso/vdso32.so.dbg] Error 1 Explicitly add CLANG_FLAGS to ldflags-y, so that '--target' will always be present. Signed-off-by: Nathan Chancellor Signed-off-by: Masahiro Yamada Signed-off-by: Greg Kroah-Hartman commit 089f24d3f39eed0a95fc106696a8d61d1fc2af79 Author: Nathan Chancellor Date: Thu Jun 1 11:38:24 2023 -0700 mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation commit 08f6554ff90ef189e6b8f0303e57005bddfdd6a7 upstream. A future change will move CLANG_FLAGS from KBUILD_{A,C}FLAGS to KBUILD_CPPFLAGS so that '--target' is available while preprocessing. When that occurs, the following error appears when building ARCH=mips with clang (tip of tree error shown): clang: error: unsupported option '-mabi=' for target 'x86_64-pc-linux-gnu' Add KBUILD_CPPFLAGS in the CHECKFLAGS invocation to keep everything working after the move. Signed-off-by: Nathan Chancellor Signed-off-by: Masahiro Yamada Signed-off-by: Greg Kroah-Hartman commit 528839d3262b536f2535f2d9cddb33616543a3dc Author: Arnd Bergmann Date: Fri Jun 9 22:20:56 2023 +0200 Input: ads7846 - fix pointer cast warning commit 11ca605653480b2ddc70ec142a0a686796a7fc87 upstream. The previous bugfix caused a warning on 64-bit builds: drivers/input/touchscreen/ads7846.c:1126:17: warning: cast to smaller integer type 'u32' (aka 'unsigned int') from 'const void *' [-Wvoid-pointer-to-int-cast] Change the cast back to something that works on both 32-bit and 64-bit kernels. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202306100442.jStknDT1-lkp@intel.com/ Fixes: 8f7913c04f6a7 ("Input: ads7846 - Fix usage of match data") Reviewed-by: Linus Walleij Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit f5a48c015129eed88a276e09188541ad5f5d766f Author: Jan Kara Date: Mon Jul 3 16:49:11 2023 +0200 fs: no need to check source commit 66d8fc0539b0d49941f313c9509a8384e4245ac1 upstream. The @source inode must be valid. It is even checked via IS_SWAPFILE() above making it pretty clear. So no need to check it when we unlock. What doesn't need to exist is the @target inode. The lock_two_inodes() helper currently swaps the @inode1 and @inode2 arguments if @inode1 is NULL to have consistent lock class usage. However, we know that at least for vfs_rename() that @inode1 is @source and thus is never NULL as per above. We also know that @source is a different inode than @target as that is checked right at the beginning of vfs_rename(). So we know that @source is valid and locked and that @target is locked. So drop the check whether @source is non-NULL. Fixes: 28eceeda130f ("fs: Lock moved directories") Reported-by: kernel test robot Reported-by: Dan Carpenter Closes: https://lore.kernel.org/r/202307030026.9sE2pk2x-lkp@intel.com Message-Id: <20230703-vfs-rename-source-v1-1-37eebb29b65b@kernel.org> [brauner: use commit message from patch I sent concurrently] Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman commit ac2d66430ea67bbcdb9fe0912ba5a68137cb8808 Author: Yu Kuai Date: Fri Jun 16 09:21:36 2023 +0800 md/raid1-10: fix casting from randomized structure in raid1_submit_write() commit b5a99602b74bbfa655be509c615181dd95b0719e upstream. Following build error triggered while build with clang version 17.0.0 with W=1(this can't be reporduced with gcc 13.1.0): drivers/md/raid1-10.c:117:25: error: casting from randomized structure pointer type 'struct block_device *' to 'struct md_rdev *' 117 | struct md_rdev *rdev = (struct md_rdev *)bio->bi_bdev; | ^ Fix this by casting 'bio->bi_bdev' to 'void *', as it used to be. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202306142042.fmjfmTF8-lkp@intel.com/ Fixes: 8295efbe68c0 ("md/raid1-10: factor out a helper to submit normal write") Signed-off-by: Yu Kuai Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20230616012136.3047071-1-yukuai1@huaweicloud.com Signed-off-by: Greg Kroah-Hartman commit 20365396f64330a621c3e13e122f55a1be35c1b5 Author: Linus Walleij Date: Tue Jun 6 21:13:04 2023 +0200 Input: ads7846 - Fix usage of match data commit 8f7913c04f6a7b90bcf998ece17395d7090f6d44 upstream. device_get_match_data() returns the match data directly, fix this up and fix the probe crash. Fixes: 767d83361aaa ("Input: ads7846 - Convert to use software nodes") Reported-by: Guenter Roeck Signed-off-by: Linus Walleij Acked-by: Dmitry Torokhov Link: https://lore.kernel.org/r/20230606191304.3804174-1-linus.walleij@linaro.org Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit c503b8fc7845677f9b08b4124d34ab6f5cbd7e59 Author: Yu Kuai Date: Sat Jun 10 10:20:01 2023 +0800 blktrace: use inline function for blk_trace_remove() while blktrace is disabled commit cbe7cff4a76bc749dd70264ca5cf924e2adf9296 upstream. If config is disabled, call blk_trace_remove() directly will trigger build warning, hence use inline function instead, prepare to fix blktrace debugfs entries leakage. Signed-off-by: Yu Kuai Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20230610022003.2557284-2-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 78a7f865e283552dc127ac19c9399cfb3355db27 Author: Christian Marangi Date: Wed Apr 19 23:07:39 2023 +0200 leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename commit cee4bd16c3195a701be683f7da9e88c6e11acb73 upstream. Dev can be renamed also while up for supported device. We currently wrongly clear the NETDEV_LED_MODE_LINKUP flag on NETDEV_CHANGENAME event. Fix this by rechecking if the carrier is ok on NETDEV_CHANGENAME and correctly set the NETDEV_LED_MODE_LINKUP bit. Fixes: 5f820ed52371 ("leds: trigger: netdev: fix handling on interface rename") Cc: stable@vger.kernel.org # v5.5+ Signed-off-by: Christian Marangi Reviewed-by: Andrew Lunn Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20230419210743.3594-2-ansuelsmth@gmail.com Signed-off-by: Greg Kroah-Hartman commit 5dc4972929bce6d10be75b02c7bc5ceba9cc4b68 Author: Arnd Bergmann Date: Tue May 16 17:31:05 2023 +0200 ARM: orion5x: fix d2net gpio initialization commit f8ef1233939495c405a9faa4bd1ae7d3f581bae4 upstream. The DT version of this board has a custom file with the gpio device. However, it does nothing because the d2net_init() has no caller or prototype: arch/arm/mach-orion5x/board-d2net.c:101:13: error: no previous prototype for 'd2net_init' Call it from the board-dt file as intended. Fixes: 94b0bd366e36 ("ARM: orion5x: convert d2net to Device Tree") Reviewed-by: Andrew Lunn Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230516153109.514251-10-arnd@kernel.org Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 18b4ca24eaa9a69f26b728e10635f29a733c9d67 Author: Krzysztof Kozlowski Date: Thu Apr 20 09:28:11 2023 +0200 ARM: dts: qcom: ipq4019: fix broken NAND controller properties override commit edcbdd57de499305e2a3737d4a73fe387f71d84c upstream. After renaming NAND controller node name from "qpic-nand" to "nand-controller", the board DTS/DTSI also have to be updated: Warning (unit_address_vs_reg): /soc/qpic-nand@79b0000: node has a unit name, but no reg or ranges property Cc: Fixes: 9e1e00f18afc ("ARM: dts: qcom: Fix node name for NAND controller node") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Reviewed-by: Manivannan Sadhasivam Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230420072811.36947-1-krzysztof.kozlowski@linaro.org Signed-off-by: Greg Kroah-Hartman commit 7ad032cac44835d38ddd20e7563645ef7b820d70 Author: Linus Walleij Date: Fri Apr 14 15:57:47 2023 +0200 ARM: dts: qcom: msm8660: Fix regulator node names commit a0f19091d4f5bbe97485592257b88007eb5b1998 upstream. commit 04715461abf7 altered the node names in a DTSI file used by qcom-apq8060-dragonboard.dts breaking the board. Align the node names in the DTS file and the board boots again. Cc: stable@vger.kernel.org Fixes: 85055a1eecc1 ("ARM: dts: qcom-msm8660: align RPM regulators node name with bindings") Signed-off-by: Linus Walleij Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230414135747.34994-1-linus.walleij@linaro.org Signed-off-by: Greg Kroah-Hartman commit 3f6af56d420447387489d707f7014d8df86872f9 Author: Krzysztof Kozlowski Date: Sun May 7 16:46:56 2023 +0200 regulator: tps65219: Fix matching interrupts for their regulators commit f050e56de80591fee55bedbdf5b6b998c740cd0c upstream. The driver's probe() first registers regulators in a loop and then in a second loop passes them as irq data to the interrupt handlers. However the function to get the regulator for given name tps65219_get_rdev_by_name() was a no-op due to argument passed by value, not pointer, thus the second loop assigned always same value - from previous loop. The interrupts, when fired, where executed with wrong data. Compiler also noticed it: drivers/regulator/tps65219-regulator.c: In function ‘tps65219_get_rdev_by_name’: drivers/regulator/tps65219-regulator.c:292:60: error: parameter ‘dev’ set but not used [-Werror=unused-but-set-parameter] Fixes: c12ac5fc3e0a ("regulator: drivers: Add TI TPS65219 PMIC regulators support") Cc: commit a94147563e9196e43885a367418620763063c3bc Author: Ricardo Ribalda Delgado Date: Mon Jun 12 11:05:31 2023 +0200 ASoC: mediatek: mt8173: Fix snd_soc_component_initialize error path commit a46d37012a5be1737393b8f82fd35665e4556eee upstream. If the second component fails to initialize, cleanup the first on. Reported-by: Dan Carpenter Cc: stable@kernel.org Fixes: f1b5bf07365d ("ASoC: mt2701/mt8173: replace platform to component") Signed-off-by: Ricardo Ribalda Delgado Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20230612-mt8173-fixup-v2-1-432aa99ce24d@chromium.org Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 05be6adaac9388eb27468fbbb4a6d023debdb924 Author: Ricardo Ribalda Delgado Date: Mon Jun 12 11:05:32 2023 +0200 ASoC: mediatek: mt8173: Fix irq error path commit f9c058d14f4fe23ef523a7ff73734d51c151683c upstream. After reordering the irq probe, the error path was not properly done. Lets fix it. Reported-by: Dan Carpenter Cc: stable@kernel.org Fixes: 4cbb264d4e91 ("ASoC: mediatek: mt8173: Enable IRQ when pdata is ready") Signed-off-by: Ricardo Ribalda Delgado Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20230612-mt8173-fixup-v2-2-432aa99ce24d@chromium.org Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 82270e7f284fd23914d7b6b71ec2873e385e4c4a Author: Filipe Manana Date: Thu Jun 8 11:27:40 2023 +0100 btrfs: do not BUG_ON() on tree mod log failure at __btrfs_cow_block() commit 40b0a749388517de244643c09bdbb98f7dcb6ef1 upstream. At __btrfs_cow_block(), instead of doing a BUG_ON() in case we fail to record a tree mod log root insertion operation, do a transaction abort instead. There's really no need for the BUG_ON(), we can properly release all resources in this context and turn the filesystem to RO mode and in an error state instead. CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 796eb12aa5e4bc3bd217e6fff0d37f7bf6f6a8ea Author: Filipe Manana Date: Thu Jun 8 11:27:38 2023 +0100 btrfs: fix extent buffer leak after tree mod log failure at split_node() commit ede600e497b1461d06d22a7d17703d9096868bc3 upstream. At split_node(), if we fail to log the tree mod log copy operation, we return without unlocking the split extent buffer we just allocated and without decrementing the reference we own on it. Fix this by unlocking it and decrementing the ref count before returning. Fixes: 5de865eebb83 ("Btrfs: fix tree mod logging") CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 6df630a1e382abc34acdf71758ef11100fa5ade4 Author: Filipe Manana Date: Thu Jun 8 11:27:37 2023 +0100 btrfs: add missing error handling when logging operation while COWing extent buffer commit d09c51521f22f9cbdfb1cf63e5c456077c622c84 upstream. When COWing an extent buffer that is not the root node, we need to log in the tree mod log that we replaced a pointer in the parent node, otherwise a tree mod log user doing a search on the b+tree can return incorrect results (that miss something). We are doing the call to btrfs_tree_mod_log_insert_key() but we totally ignore its return value. So fix this by adding the missing error handling, resulting in a transaction abort and freeing the COWed extent buffer. Fixes: f230475e62f7 ("Btrfs: put all block modifications into the tree mod log") CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit a5cdc4012efa808e07d073c11dc2f366b5394ad3 Author: Filipe Manana Date: Mon Jun 19 17:21:47 2023 +0100 btrfs: fix race when deleting quota root from the dirty cow roots list commit b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 upstream. When disabling quotas we are deleting the quota root from the list fs_info->dirty_cowonly_roots without taking the lock that protects it, which is struct btrfs_fs_info::trans_lock. This unsynchronized list manipulation may cause chaos if there's another concurrent manipulation of this list, such as when adding a root to it with ctree.c:add_root_to_dirty_list(). This can result in all sorts of weird failures caused by a race, such as the following crash: [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.279928] Code: 85 38 06 00 (...) [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [337571.282874] Call Trace: [337571.283101] [337571.283327] ? __die_body+0x1b/0x60 [337571.283570] ? die_addr+0x39/0x60 [337571.283796] ? exc_general_protection+0x22e/0x430 [337571.284022] ? asm_exc_general_protection+0x22/0x30 [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] [337571.284803] ? _raw_spin_unlock+0x15/0x30 [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] [337571.286358] ? mod_objcg_state+0xd2/0x360 [337571.286577] ? refill_obj_stock+0xb0/0x160 [337571.286798] ? seq_release+0x25/0x30 [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 [337571.287455] ? __x64_sys_ioctl+0x88/0xc0 [337571.287675] __x64_sys_ioctl+0x88/0xc0 [337571.287901] do_syscall_64+0x38/0x90 [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc [337571.288352] RIP: 0033:0x7f478aaffe9b So fix this by locking struct btrfs_fs_info::trans_lock before deleting the quota root from that list. Fixes: bed92eae26cc ("Btrfs: qgroup implementation and prototypes") CC: stable@vger.kernel.org # 4.14+ Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 6c65062f66cf14e6a9db66400b99dfbe6b2f3f9e Author: Naohiro Aota Date: Tue Jun 6 14:36:36 2023 +0900 btrfs: reinsert BGs failed to reclaim commit 7e27180994383b7c741ad87749db01e4989a02ba upstream. The reclaim process can temporarily fail. For example, if the space is getting tight, it fails to make the block group read-only. If there are no further writes on that block group, the block group will never get back to the reclaim list, and the BG never gets reclaimed. In a certain workload, we can leave many such block groups never reclaimed. So, let's get it back to the list and give it a chance to be reclaimed. Fixes: 18bb8bbf13c1 ("btrfs: zoned: automatically reclaim zones") CC: stable@vger.kernel.org # 5.15+ Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 7b063701b5c3daa91597acce658aaf05888ab8bf Author: David Sterba Date: Thu Jun 1 00:33:01 2023 +0200 btrfs: add block-group tree to lockdep classes commit 1a1b0e729d227f9f758f7b5f1c997e874e94156e upstream. The block group tree was not present among the lockdep classes. We could get potentially lockdep warnings but so far none has been seen, also because block-group-tree is a relatively new feature. CC: stable@vger.kernel.org # 6.1+ Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit f61029274c7024e40ac1d600bc9ef94afc84717c Author: Naohiro Aota Date: Tue Jun 6 14:36:35 2023 +0900 btrfs: bail out reclaim process if filesystem is read-only commit 93463ff7b54626f8276c0bd3d3f968fbf8d5d380 upstream. When a filesystem is read-only, we cannot reclaim a block group as it cannot rewrite the data. Just bail out in that case. Note that it can drop block groups in this case. As we did sb_start_write(), read-only filesystem means we got a fatal error and forced read-only. There is no chance to reclaim them again. Fixes: 18bb8bbf13c1 ("btrfs: zoned: automatically reclaim zones") CC: stable@vger.kernel.org # 5.15+ Reviewed-by: Filipe Manana Reviewed-by: Johannes Thumshirn Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 9d9586ef1ac9059dfe42b464778963b281f2cfc5 Author: Naohiro Aota Date: Tue Jun 6 14:36:33 2023 +0900 btrfs: delete unused BGs while reclaiming BGs commit 3ed01616bad6c7e3de196676b542ae3df8058592 upstream. The reclaiming process only starts after the filesystem volumes are allocated to a certain level (75% by default). Thus, the list of reclaiming target block groups can build up so huge at the time the reclaim process kicks in. On a test run, there were over 1000 BGs in the reclaim list. As the reclaim involves rewriting the data, it takes really long time to reclaim the BGs. While the reclaim is running, btrfs_delete_unused_bgs() won't proceed because the reclaim side is holding fs_info->reclaim_bgs_lock. As a result, we will have a large number of unused BGs kept in the unused list. On my test run, I got 1057 unused BGs. Since deleting a block group is relatively easy and fast work, we can call btrfs_delete_unused_bgs() while it reclaims BGs, to avoid building up unused BGs. Fixes: 18bb8bbf13c1 ("btrfs: zoned: automatically reclaim zones") CC: stable@vger.kernel.org # 5.15+ Reviewed-by: Filipe Manana Reviewed-by: Johannes Thumshirn Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 987cf64973ae53aa10b01ae4c51dc0daba2654db Author: Boris Burkov Date: Thu Jun 1 11:55:13 2023 -0700 btrfs: warn on invalid slot in tree mod log rewind commit 95c8e349d8e8f190e28854e7ca96de866d2dc5a4 upstream. The way that tree mod log tracks the ultimate length of the eb, the variable 'n', eventually turns up the correct value, but at intermediate steps during the rewind, n can be inaccurate as a representation of the end of the eb. For example, it doesn't get updated on move rewinds, and it does get updated for add/remove in the middle of the eb. To detect cases with invalid moves, introduce a separate variable called max_slot which tries to track the maximum valid slot in the rewind eb. We can then warn if we do a move whose src range goes beyond the max valid slot. There is a commented caveat that it is possible to have this value be an overestimate due to the challenge of properly handling 'add' operations in the middle of the eb, but in practice it doesn't cause enough of a problem to throw out the max idea in favor of tracking every valid slot. CC: stable@vger.kernel.org # 5.15+ Reviewed-by: Filipe Manana Signed-off-by: Boris Burkov Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 11f14402fe3437852cb44945b3b9f1bdb4032956 Author: Boris Burkov Date: Thu Jun 1 11:55:14 2023 -0700 btrfs: insert tree mod log move in push_node_left commit 5cead5422a0e3d13b0bcee986c0f5c4ebb94100b upstream. There is a fairly unlikely race condition in tree mod log rewind that can result in a kernel panic which has the following trace: [530.569] BTRFS critical (device sda3): unable to find logical 0 length 4096 [530.585] BTRFS critical (device sda3): unable to find logical 0 length 4096 [530.602] BUG: kernel NULL pointer dereference, address: 0000000000000002 [530.618] #PF: supervisor read access in kernel mode [530.629] #PF: error_code(0x0000) - not-present page [530.641] PGD 0 P4D 0 [530.647] Oops: 0000 [#1] SMP [530.654] CPU: 30 PID: 398973 Comm: below Kdump: loaded Tainted: G S O K 5.12.0-0_fbk13_clang_7455_gb24de3bdb045 #1 [530.680] Hardware name: Quanta Mono Lake-M.2 SATA 1HY9U9Z001G/Mono Lake-M.2 SATA, BIOS F20_3A15 08/16/2017 [530.703] RIP: 0010:__btrfs_map_block+0xaa/0xd00 [530.755] RSP: 0018:ffffc9002c2f7600 EFLAGS: 00010246 [530.767] RAX: ffffffffffffffea RBX: ffff888292e41000 RCX: f2702d8b8be15100 [530.784] RDX: ffff88885fda6fb8 RSI: ffff88885fd973c8 RDI: ffff88885fd973c8 [530.800] RBP: ffff888292e410d0 R08: ffffffff82fd7fd0 R09: 00000000fffeffff [530.816] R10: ffffffff82e57fd0 R11: ffffffff82e57d70 R12: 0000000000000000 [530.832] R13: 0000000000001000 R14: 0000000000001000 R15: ffffc9002c2f76f0 [530.848] FS: 00007f38d64af000(0000) GS:ffff88885fd80000(0000) knlGS:0000000000000000 [530.866] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [530.880] CR2: 0000000000000002 CR3: 00000002b6770004 CR4: 00000000003706e0 [530.896] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [530.912] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [530.928] Call Trace: [530.934] ? btrfs_printk+0x13b/0x18c [530.943] ? btrfs_bio_counter_inc_blocked+0x3d/0x130 [530.955] btrfs_map_bio+0x75/0x330 [530.963] ? kmem_cache_alloc+0x12a/0x2d0 [530.973] ? btrfs_submit_metadata_bio+0x63/0x100 [530.984] btrfs_submit_metadata_bio+0xa4/0x100 [530.995] submit_extent_page+0x30f/0x360 [531.004] read_extent_buffer_pages+0x49e/0x6d0 [531.015] ? submit_extent_page+0x360/0x360 [531.025] btree_read_extent_buffer_pages+0x5f/0x150 [531.037] read_tree_block+0x37/0x60 [531.046] read_block_for_search+0x18b/0x410 [531.056] btrfs_search_old_slot+0x198/0x2f0 [531.066] resolve_indirect_ref+0xfe/0x6f0 [531.076] ? ulist_alloc+0x31/0x60 [531.084] ? kmem_cache_alloc_trace+0x12e/0x2b0 [531.095] find_parent_nodes+0x720/0x1830 [531.105] ? ulist_alloc+0x10/0x60 [531.113] iterate_extent_inodes+0xea/0x370 [531.123] ? btrfs_previous_extent_item+0x8f/0x110 [531.134] ? btrfs_search_path_in_tree+0x240/0x240 [531.146] iterate_inodes_from_logical+0x98/0xd0 [531.157] ? btrfs_search_path_in_tree+0x240/0x240 [531.168] btrfs_ioctl_logical_to_ino+0xd9/0x180 [531.179] btrfs_ioctl+0xe2/0x2eb0 This occurs when logical inode resolution takes a tree mod log sequence number, and then while backref walking hits a rewind on a busy node which has the following sequence of tree mod log operations (numbers filled in from a specific example, but they are somewhat arbitrary) REMOVE_WHILE_FREEING slot 532 REMOVE_WHILE_FREEING slot 531 REMOVE_WHILE_FREEING slot 530 ... REMOVE_WHILE_FREEING slot 0 REMOVE slot 455 REMOVE slot 454 REMOVE slot 453 ... REMOVE slot 0 ADD slot 455 ADD slot 454 ADD slot 453 ... ADD slot 0 MOVE src slot 0 -> dst slot 456 nritems 533 REMOVE slot 455 REMOVE slot 454 REMOVE slot 453 ... REMOVE slot 0 When this sequence gets applied via btrfs_tree_mod_log_rewind, it allocates a fresh rewind eb, and first inserts the correct key info for the 533 elements, then overwrites the first 456 of them, then decrements the count by 456 via the add ops, then rewinds the move by doing a memmove from 456:988->0:532. We have never written anything past 532, so that memmove writes garbage into the 0:532 range. In practice, this results in a lot of fully 0 keys. The rewind then puts valid keys into slots 0:455 with the last removes, but 456:532 are still invalid. When search_old_slot uses this eb, if it uses one of those invalid slots, it can then read the extent buffer and issue a bio for offset 0 which ultimately panics looking up extent mappings. This bad tree mod log sequence gets generated when the node balancing code happens to do a balance_node_right followed by a push_node_left while logging in the tree mod log. Illustrated for ebs L and R (left and right): L R start: [XXX|YYY|...] [ZZZ|...|...] balance_node_right: [XXX|YYY|...] [...|ZZZ|...] move Z to make room for Y [XXX|...|...] [YYY|ZZZ|...] copy Y from L to R push_node_left: [XXX|YYY|...] [...|ZZZ|...] copy Y from R to L [XXX|YYY|...] [ZZZ|...|...] move Z into emptied space (NOT LOGGED!) This is because balance_node_right logs a move, but push_node_left explicitly doesn't. That is because logging the move would remove the overwritten src < dst range in the right eb, which was already logged when we called btrfs_tree_mod_log_eb_copy. The correct sequence would include a move from 456:988 to 0:532 after remove 0:455 and before removing 0:532. Reversing that sequence would entail creating keys for 0:532, then moving those keys out to 456:988, then creating more keys for 0:455. i.e., REMOVE_WHILE_FREEING slot 532 REMOVE_WHILE_FREEING slot 531 REMOVE_WHILE_FREEING slot 530 ... REMOVE_WHILE_FREEING slot 0 MOVE src slot 456 -> dst slot 0 nritems 533 REMOVE slot 455 REMOVE slot 454 REMOVE slot 453 ... REMOVE slot 0 ADD slot 455 ADD slot 454 ADD slot 453 ... ADD slot 0 MOVE src slot 0 -> dst slot 456 nritems 533 REMOVE slot 455 REMOVE slot 454 REMOVE slot 453 ... REMOVE slot 0 Fix this to log the move but avoid the double remove by putting all the logging logic in btrfs_tree_mod_log_eb_copy which has enough information to detect these cases and properly log moves, removes, and adds. Leave btrfs_tree_mod_log_insert_move to handle insert_ptr and delete_ptr's tree mod logging. (Un)fortunately, this is quite difficult to reproduce, and I was only able to reproduce it by adding sleeps in btrfs_search_old_slot that would encourage more log rewinding during ino_to_logical ioctls. I was able to hit the warning in the previous patch in the series without the fix quite quickly, but not after this patch. CC: stable@vger.kernel.org # 5.15+ Reviewed-by: Filipe Manana Signed-off-by: Boris Burkov Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 1ea89213cdfec04758a57e2d7d0bfab79936aef2 Author: Christoph Hellwig Date: Mon May 8 07:58:38 2023 -0700 btrfs: fix dirty_metadata_bytes for redirtied buffers commit f18cc97845aa4ae0e795c088c979fe1642b3b8e5 upstream. dirty_metadata_bytes is decremented in both places that clear the dirty bit in a buffer, but only incremented in btrfs_mark_buffer_dirty, which means that a buffer that is redirtied using btrfs_redirty_list_add won't be added to dirty_metadata_bytes, but it will be subtracted when written out, leading an inconsistency in the counter. Move the dirty_metadata_bytes from btrfs_mark_buffer_dirty into set_extent_buffer_dirty to also account for the redirty case, and remove the now unused set_extent_buffer_dirty return value. Fixes: d3575156f662 ("btrfs: zoned: redirty released extent buffers") CC: stable@vger.kernel.org # 5.15+ Reviewed-by: Naohiro Aota Signed-off-by: Christoph Hellwig Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 1b532748ba00bd2a1d9b09e0d5e81280582c7770 Author: Matt Corallo Date: Mon Jun 5 16:49:45 2023 -0700 btrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile commit 160fe8f6fdb13da6111677be6263e5d65e875987 upstream. Callers of `btrfs_reduce_alloc_profile` expect it to return exactly one allocation profile flag, and failing to do so may ultimately result in a WARN_ON and remount-ro when allocating new blocks, like the below transaction abort on 6.1. `btrfs_reduce_alloc_profile` has two ways of determining the profile, first it checks if a conversion balance is currently running and uses the profile we're converting to. If no balance is currently running, it returns the max-redundancy profile which at least one block in the selected block group has. This works by simply checking each known allocation profile bit in redundancy order. However, `btrfs_reduce_alloc_profile` has not been updated as new flags have been added - first with the `DUP` profile and later with the RAID1C34 profiles. Because of the way it checks, if we have blocks with different profiles and at least one is known, that profile will be selected. However, if none are known we may return a flag set with multiple allocation profiles set. This is currently only possible when a balance from one of the three unhandled profiles to another of the unhandled profiles is canceled after allocating at least one block using the new profile. In that case, a transaction abort like the below will occur and the filesystem will need to be mounted with -o skip_balance to get it mounted rw again (but the balance cannot be resumed without a similar abort). [770.648] ------------[ cut here ]------------ [770.648] BTRFS: Transaction aborted (error -22) [770.648] WARNING: CPU: 43 PID: 1159593 at fs/btrfs/extent-tree.c:4122 find_free_extent+0x1d94/0x1e00 [btrfs] [770.648] CPU: 43 PID: 1159593 Comm: btrfs Tainted: G W 6.1.0-0.deb11.7-powerpc64le #1 Debian 6.1.20-2~bpo11+1a~test [770.648] Hardware name: T2P9D01 REV 1.00 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV [770.648] NIP: c00800000f6784fc LR: c00800000f6784f8 CTR: c000000000d746c0 [770.648] REGS: c000200089afe9a0 TRAP: 0700 Tainted: G W (6.1.0-0.deb11.7-powerpc64le Debian 6.1.20-2~bpo11+1a~test) [770.648] MSR: 9000000002029033 CR: 28848282 XER: 20040000 [770.648] CFAR: c000000000135110 IRQMASK: 0 GPR00: c00800000f6784f8 c000200089afec40 c00800000f7ea800 0000000000000026 GPR04: 00000001004820c2 c000200089afea00 c000200089afe9f8 0000000000000027 GPR08: c000200ffbfe7f98 c000000002127f90 ffffffffffffffd8 0000000026d6a6e8 GPR12: 0000000028848282 c000200fff7f3800 5deadbeef0000122 c00000002269d000 GPR16: c0002008c7797c40 c000200089afef17 0000000000000000 0000000000000000 GPR20: 0000000000000000 0000000000000001 c000200008bc5a98 0000000000000001 GPR24: 0000000000000000 c0000003c73088d0 c000200089afef17 c000000016d3a800 GPR28: c0000003c7308800 c00000002269d000 ffffffffffffffea 0000000000000001 [770.648] NIP [c00800000f6784fc] find_free_extent+0x1d94/0x1e00 [btrfs] [770.648] LR [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs] [770.648] Call Trace: [770.648] [c000200089afec40] [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs] (unreliable) [770.648] [c000200089afed30] [c00800000f681398] btrfs_reserve_extent+0x1a0/0x2f0 [btrfs] [770.648] [c000200089afeea0] [c00800000f681bf0] btrfs_alloc_tree_block+0x108/0x670 [btrfs] [770.648] [c000200089afeff0] [c00800000f66bd68] __btrfs_cow_block+0x170/0x850 [btrfs] [770.648] [c000200089aff100] [c00800000f66c58c] btrfs_cow_block+0x144/0x288 [btrfs] [770.648] [c000200089aff1b0] [c00800000f67113c] btrfs_search_slot+0x6b4/0xcb0 [btrfs] [770.648] [c000200089aff2a0] [c00800000f679f60] lookup_inline_extent_backref+0x128/0x7c0 [btrfs] [770.648] [c000200089aff3b0] [c00800000f67b338] lookup_extent_backref+0x70/0x190 [btrfs] [770.648] [c000200089aff470] [c00800000f67b54c] __btrfs_free_extent+0xf4/0x1490 [btrfs] [770.648] [c000200089aff5a0] [c00800000f67d770] __btrfs_run_delayed_refs+0x328/0x1530 [btrfs] [770.648] [c000200089aff740] [c00800000f67ea2c] btrfs_run_delayed_refs+0xb4/0x3e0 [btrfs] [770.648] [c000200089aff800] [c00800000f699aa4] btrfs_commit_transaction+0x8c/0x12b0 [btrfs] [770.648] [c000200089aff8f0] [c00800000f6dc628] reset_balance_state+0x1c0/0x290 [btrfs] [770.648] [c000200089aff9a0] [c00800000f6e2f7c] btrfs_balance+0x1164/0x1500 [btrfs] [770.648] [c000200089affb40] [c00800000f6f8e4c] btrfs_ioctl+0x2b54/0x3100 [btrfs] [770.648] [c000200089affc80] [c00000000053be14] sys_ioctl+0x794/0x1310 [770.648] [c000200089affd70] [c00000000002af98] system_call_exception+0x138/0x250 [770.648] [c000200089affe10] [c00000000000c654] system_call_common+0xf4/0x258 [770.648] --- interrupt: c00 at 0x7fff94126800 [770.648] NIP: 00007fff94126800 LR: 0000000107e0b594 CTR: 0000000000000000 [770.648] REGS: c000200089affe80 TRAP: 0c00 Tainted: G W (6.1.0-0.deb11.7-powerpc64le Debian 6.1.20-2~bpo11+1a~test) [770.648] MSR: 900000000000d033 CR: 24002848 XER: 00000000 [770.648] IRQMASK: 0 GPR00: 0000000000000036 00007fffc9439da0 00007fff94217100 0000000000000003 GPR04: 00000000c4009420 00007fffc9439ee8 0000000000000000 0000000000000000 GPR08: 00000000803c7416 0000000000000000 0000000000000000 0000000000000000 GPR12: 0000000000000000 00007fff9467d120 0000000107e64c9c 0000000107e64d0a GPR16: 0000000107e64d06 0000000107e64cf1 0000000107e64cc4 0000000107e64c73 GPR20: 0000000107e64c31 0000000107e64bf1 0000000107e64be7 0000000000000000 GPR24: 0000000000000000 00007fffc9439ee0 0000000000000003 0000000000000001 GPR28: 00007fffc943f713 0000000000000000 00007fffc9439ee8 0000000000000000 [770.648] NIP [00007fff94126800] 0x7fff94126800 [770.648] LR [0000000107e0b594] 0x107e0b594 [770.648] --- interrupt: c00 [770.648] Instruction dump: [770.648] 3b00ffe4 e8898828 481175f5 60000000 4bfff4fc 3be00000 4bfff570 3d220000 [770.648] 7fc4f378 e8698830 4811cd95 e8410018 <0fe00000> f9c10060 f9e10068 fa010070 [770.648] ---[ end trace 0000000000000000 ]--- [770.648] BTRFS: error (device dm-2: state A) in find_free_extent_update_loop:4122: errno=-22 unknown [770.648] BTRFS info (device dm-2: state EA): forced readonly [770.648] BTRFS: error (device dm-2: state EA) in __btrfs_free_extent:3070: errno=-22 unknown [770.648] BTRFS error (device dm-2: state EA): failed to run delayed ref for logical 17838685708288 num_bytes 24576 type 184 action 2 ref_mod 1: -22 [770.648] BTRFS: error (device dm-2: state EA) in btrfs_run_delayed_refs:2144: errno=-22 unknown [770.648] BTRFS: error (device dm-2: state EA) in reset_balance_state:3599: errno=-22 unknown Fixes: 47e6f7423b91 ("btrfs: add support for 3-copy replication (raid1c3)") Fixes: 8d6fac0087e5 ("btrfs: add support for 4-copy replication (raid1c4)") CC: stable@vger.kernel.org # 5.10+ Signed-off-by: Matt Corallo Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit b9a6e00591a2958087a0252f3497cea6ef592bc3 Author: Abhijeet Rastogi Date: Tue May 16 20:08:49 2023 -0700 ipvs: increase ip_vs_conn_tab_bits range for 64BIT commit 04292c695f82b6cf0d25dd5ae494f16ddbb621f6 upstream. Current range [8, 20] is set purely due to historical reasons because at the time, ~1M (2^20) was considered sufficient. With this change, 27 is the upper limit for 64-bit, 20 otherwise. Previous change regarding this limit is here. Link: https://lore.kernel.org/all/86eabeb9dd62aebf1e2533926fdd13fed48bab1f.1631289960.git.aclaudi@redhat.com/T/#u Signed-off-by: Abhijeet Rastogi Acked-by: Julian Anastasov Acked-by: Simon Horman Signed-off-by: Pablo Neira Ayuso Cc: Allen Pais Signed-off-by: Greg Kroah-Hartman commit 7e3b21ebfe3302b8ddba8d68e63dfc7a3299d9f2 Author: Mario Limonciello Date: Thu May 18 11:11:50 2023 -0500 usb: typec: ucsi: Mark dGPUs as DEVICE scope commit a7fbfd44c0204f0629288edfd0d77829edb4a2f8 upstream. power_supply_is_system_supplied() checks whether any power supplies are present that aren't batteries to decide whether the system is running on DC or AC. Downstream drivers use this to make performance decisions. Navi dGPUs include an UCSI function that has been exported since commit 17631e8ca2d3 ("i2c: designware: Add driver support for AMD NAVI GPU"). This UCSI function registers a power supply since commit 992a60ed0d5e ("usb: typec: ucsi: register with power_supply class") but this is not a system power supply. As the power supply for a dGPU is only for powering devices connected to dGPU, create a device property to indicate that the UCSI endpoint is only for the scope of `POWER_SUPPLY_SCOPE_DEVICE`. Link: https://lore.kernel.org/lkml/20230516182541.5836-2-mario.limonciello@amd.com/ Reviewed-by: Evan Quan Tested-by: Evan Quan Signed-off-by: Mario Limonciello Reviewed-by: Heikki Krogerus Reviewed-by: Sebastian Reichel Acked-by: Andi Shyti Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit 059484d31a8a72a2131539713018669350ac34c6 Author: Jan Kara Date: Thu Jun 1 12:58:25 2023 +0200 fs: Lock moved directories commit 28eceeda130f5058074dd007d9c59d2e8bc5af2e upstream. When a directory is moved to a different directory, some filesystems (udf, ext4, ocfs2, f2fs, and likely gfs2, reiserfs, and others) need to update their pointer to the parent and this must not race with other operations on the directory. Lock the directories when they are moved. Although not all filesystems need this locking, we perform it in vfs_rename() because getting the lock ordering right is really difficult and we don't want to expose these locking details to filesystems. CC: stable@vger.kernel.org Signed-off-by: Jan Kara Message-Id: <20230601105830.13168-5-jack@suse.cz> Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman commit 4cbd5eb173bf0fee1cca3e7dc6d7c2d5fcb93e97 Author: Jan Kara Date: Thu Jun 1 12:58:24 2023 +0200 fs: Establish locking order for unrelated directories commit f23ce757185319886ca80c4864ce5f81ac6cc9e9 upstream. Currently the locking order of inode locks for directories that are not in ancestor relationship is not defined because all operations that needed to lock two directories like this were serialized by sb->s_vfs_rename_mutex. However some filesystems need to lock two subdirectories for RENAME_EXCHANGE operations and for this we need the locking order established even for two tree-unrelated directories. Provide a helper function lock_two_inodes() that establishes lock ordering for any two inodes and use it in lock_two_directories(). CC: stable@vger.kernel.org Signed-off-by: Jan Kara Message-Id: <20230601105830.13168-4-jack@suse.cz> Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman commit f55aaecb4d768ef8a3f010c105459bfa6cd59bd6 Author: Jan Kara Date: Thu Jun 1 12:58:22 2023 +0200 Revert "udf: Protect rename against modification of moved directory" commit 7517ce5dc4d6963ef9ace2acb3f081ef8cd8a1e3 upstream. This reverts commit f950fd0529130a617b3da526da9fb6a896ce87c2. The locking is going to be provided by vfs_rename() in the following patches. CC: stable@vger.kernel.org Signed-off-by: Jan Kara Message-Id: <20230601105830.13168-2-jack@suse.cz> Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman commit 0b6f613e2b50b175df6eef700c48bf8ebf2f8235 Author: Jan Kara Date: Thu Jun 1 12:58:23 2023 +0200 Revert "f2fs: fix potential corruption when moving a directory" commit cde3c9d7e2a359e337216855dcb333a19daaa436 upstream. This reverts commit d94772154e524b329a168678836745d2773a6e02. The locking is going to be provided by VFS. CC: Jaegeuk Kim CC: stable@vger.kernel.org Signed-off-by: Jan Kara Message-Id: <20230601105830.13168-3-jack@suse.cz> Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman commit cf9b6fe98470956337ffe9854526c87529538dfd Author: Jan Kara Date: Thu Jun 1 12:58:21 2023 +0200 ext4: Remove ext4 locking of moved directory commit 3658840cd363f2be094f5dfd2f0b174a9055dd0f upstream. Remove locking of moved directory in ext4_rename2(). We will take care of it in VFS instead. This effectively reverts commit 0813299c586b ("ext4: Fix possible corruption when moving a directory") and followup fixes. CC: Ted Tso CC: stable@vger.kernel.org Signed-off-by: Jan Kara Message-Id: <20230601105830.13168-1-jack@suse.cz> Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman commit f80436e4f788625f24bdb6e872cb6cc66b06be17 Author: Thomas Weißschuh Date: Wed Jun 7 19:28:48 2023 +0200 fs: avoid empty option when generating legacy mount string commit 62176420274db5b5127cd7a0083a9aeb461756ee upstream. As each option string fragment is always prepended with a comma it would happen that the whole string always starts with a comma. This could be interpreted by filesystem drivers as an empty option and may produce errors. For example the NTFS driver from ntfs.ko behaves like this and fails when mounted via the new API. Link: https://github.com/util-linux/util-linux/issues/2298 Signed-off-by: Thomas Weißschuh Fixes: 3e1aeb00e6d1 ("vfs: Implement a filesystem superblock creation/configuration context") Cc: stable@vger.kernel.org Message-Id: <20230607-fs-empty-option-v1-1-20c8dbf4671b@weissschuh.net> Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman commit fb306470cadac7178c58b0c0f8226f278df04fc4 Author: Fabian Frederick Date: Sat May 6 06:56:12 2023 +0200 jffs2: reduce stack usage in jffs2_build_xattr_subsystem() commit 1168f095417643f663caa341211e117db552989f upstream. Use kcalloc() for allocation/flush of 128 pointers table to reduce stack usage. Function now returns -ENOMEM or 0 on success. stackusage Before: ./fs/jffs2/xattr.c:775 jffs2_build_xattr_subsystem 1208 dynamic,bounded After: ./fs/jffs2/xattr.c:775 jffs2_build_xattr_subsystem 192 dynamic,bounded Also update definition when CONFIG_JFFS2_FS_XATTR is not enabled Tested with an MTD mount point and some user set/getfattr. Many current target on OpenWRT also suffer from a compilation warning (that become an error with CONFIG_WERROR) with the following output: fs/jffs2/xattr.c: In function 'jffs2_build_xattr_subsystem': fs/jffs2/xattr.c:887:1: error: the frame size of 1088 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] 887 | } | ^ Using dynamic allocation fix this compilation warning. Fixes: c9f700f840bd ("[JFFS2][XATTR] using 'delete marker' for xdatum/xref deletion") Reported-by: Tim Gardner Reported-by: kernel test robot Reported-by: Ron Economos Reported-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Signed-off-by: Fabian Frederick Signed-off-by: Christian Marangi Cc: stable@vger.kernel.org Message-Id: <20230506045612.16616-1-ansuelsmth@gmail.com> Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman commit 7fd2ca4a860c169c812b19fa93a973bba1542c52 Author: Christian Brauner Date: Tue May 2 15:36:02 2023 +0200 nfsd: use vfs setgid helper commit 2d8ae8c417db284f598dffb178cc01e7db0f1821 upstream. We've aligned setgid behavior over multiple kernel releases. The details can be found in commit cf619f891971 ("Merge tag 'fs.ovl.setgid.v6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping") and commit 426b4ca2d6a5 ("Merge tag 'fs.setgid.v6.0' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux"). Consistent setgid stripping behavior is now encapsulated in the setattr_should_drop_sgid() helper which is used by all filesystems that strip setgid bits outside of vfs proper. Usually ATTR_KILL_SGID is raised in e.g., chown_common() and is subject to the setattr_should_drop_sgid() check to determine whether the setgid bit can be retained. Since nfsd is raising ATTR_KILL_SGID unconditionally it will cause notify_change() to strip it even if the caller had the necessary privileges to retain it. Ensure that nfsd only raises ATR_KILL_SGID if the caller lacks the necessary privileges to retain the setgid bit. Without this patch the setgid stripping tests in LTP will fail: > As you can see, the problem is S_ISGID (0002000) was dropped on a > non-group-executable file while chown was invoked by super-user, while [...] > fchown02.c:66: TFAIL: testfile2: wrong mode permissions 0100700, expected 0102700 [...] > chown02.c:57: TFAIL: testfile2: wrong mode permissions 0100700, expected 0102700 With this patch all tests pass. Reported-by: Sherry Yang Signed-off-by: Christian Brauner Reviewed-by: Jeff Layton Cc: Signed-off-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit ebe07db840992a3886694ac3d303b06f4b70ce00 Author: Roberto Sassu Date: Wed Jun 7 18:15:23 2023 +0200 shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs commit 36ce9d76b0a93bae799e27e4f5ac35478c676592 upstream. As the ramfs-based tmpfs uses ramfs_init_fs_context() for the init_fs_context method, which allocates fc->s_fs_info, use ramfs_kill_sb() to free it and avoid a memory leak. Link: https://lkml.kernel.org/r/20230607161523.2876433-1-roberto.sassu@huaweicloud.com Fixes: c3b1b1cbf002 ("ramfs: add support for "mode=" mount option") Signed-off-by: Roberto Sassu Cc: Hugh Dickins Cc: David Howells Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 35cbaf3516aac075f4d57d5a96473a223d3e6a55 Author: Ryan Roberts Date: Fri Jun 2 10:29:47 2023 +0100 mm/damon/ops-common: atomically test and clear young on ptes and pmds commit c11d34fa139e4b0fb4249a30f37b178353533fa1 upstream. It is racy to non-atomically read a pte, then clear the young bit, then write it back as this could discard dirty information. Further, it is bad practice to directly set a pte entry within a table. Instead clearing young must go through the arch-provided helper, ptep_test_and_clear_young() to ensure it is modified atomically and to give the arch code visibility and allow it to check (and potentially modify) the operation. Link: https://lkml.kernel.org/r/20230602092949.545577-3-ryan.roberts@arm.com Fixes: 3f49584b262c ("mm/damon: implement primitives for the virtual memory address spaces"). Signed-off-by: Ryan Roberts Reviewed-by: Zi Yan Reviewed-by: SeongJae Park Reviewed-by: Mike Rapoport (IBM) Cc: Christoph Hellwig Cc: Kirill A. Shutemov Cc: Lorenzo Stoakes Cc: Matthew Wilcox (Oracle) Cc: Uladzislau Rezki (Sony) Cc: Yu Zhao Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 3fd41a972f7ff9140bcad72fe5dc1a95a5daa635 Author: Arnd Bergmann Date: Tue May 23 10:19:35 2023 +0200 autofs: use flexible array in ioctl structure commit e910c8e3aa02dc456e2f4c32cb479523c326b534 upstream. Commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3") introduced a warning for the autofs_dev_ioctl structure: In function 'check_name', inlined from 'validate_dev_ioctl' at fs/autofs/dev-ioctl.c:131:9, inlined from '_autofs_dev_ioctl' at fs/autofs/dev-ioctl.c:624:8: fs/autofs/dev-ioctl.c:33:14: error: 'strchr' reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread] 33 | if (!strchr(name, '/')) | ^~~~~~~~~~~~~~~~~ In file included from include/linux/auto_dev-ioctl.h:10, from fs/autofs/autofs_i.h:10, from fs/autofs/dev-ioctl.c:14: include/uapi/linux/auto_dev-ioctl.h: In function '_autofs_dev_ioctl': include/uapi/linux/auto_dev-ioctl.h:112:14: note: source object 'path' of size 0 112 | char path[0]; | ^~~~ This is easily fixed by changing the gnu 0-length array into a c99 flexible array. Since this is a uapi structure, we have to be careful about possible regressions but this one should be fine as they are equivalent here. While it would break building with ancient gcc versions that predate c99, it helps building with --std=c99 and -Wpedantic builds in user space, as well as non-gnu compilers. This means we probably also want it fixed in stable kernels. Cc: stable@vger.kernel.org Cc: Kees Cook Cc: "Gustavo A. R. Silva" Signed-off-by: Arnd Bergmann Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20230523081944.581710-1-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman commit fd768cc263f3983e7abb40530b3026ada9a37250 Author: Tianjia Zhang Date: Thu Jun 1 14:42:44 2023 +0800 integrity: Fix possible multiple allocation in integrity_inode_get() commit 9df6a4870dc371136e90330cfbbc51464ee66993 upstream. When integrity_inode_get() is querying and inserting the cache, there is a conditional race in the concurrent environment. The race condition is the result of not properly implementing "double-checked locking". In this case, it first checks to see if the iint cache record exists before taking the lock, but doesn't check again after taking the integrity_iint_lock. Fixes: bf2276d10ce5 ("ima: allocating iint improvements") Signed-off-by: Tianjia Zhang Cc: Dmitry Kasatkin Cc: # v3.10+ Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman commit d363ac7bd4bb57c3eab458f4c22c0839e1830b34 Author: Kees Cook Date: Tue Jun 6 15:24:45 2023 -0700 um: Use HOST_DIR for mrproper commit a5a319ec2c2236bb96d147c16196d2f1f3799301 upstream. When HEADER_ARCH was introduced, the MRPROPER_FILES (then MRPROPER_DIRS) list wasn't adjusted, leaving SUBARCH as part of the path argument. This resulted in the "mrproper" target not cleaning up arch/x86/... when SUBARCH was specified. Since HOST_DIR is arch/$(HEADER_ARCH), use it instead to get the correct path. Cc: Richard Weinberger Cc: Anton Ivanov Cc: Johannes Berg Cc: Azeem Shaikh Cc: linux-um@lists.infradead.org Fixes: 7bbe7204e937 ("um: merge Makefile-{i386,x86_64}") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20230606222442.never.807-kees@kernel.org Signed-off-by: Greg Kroah-Hartman commit bec85c4df15d29664245f7b7e9cd7dc926d6e699 Author: Siddh Raman Pant Date: Mon Jun 5 20:06:16 2023 +0530 watch_queue: prevent dangling pipe pointer commit 943211c87427f25bd22e0e63849fb486bb5f87fa upstream. NULL the dangling pipe reference while clearing watch_queue. If not done, a reference to a freed pipe remains in the watch_queue, as this function is called before freeing a pipe in free_pipe_info() (see line 834 of fs/pipe.c). The sole use of wqueue->defunct is for checking if the watch queue has been cleared, but wqueue->pipe is also NULLed while clearing. Thus, wqueue->defunct is superfluous, as wqueue->pipe can be checked for NULL. Hence, the former can be removed. Tested with keyutils testsuite. Cc: stable@vger.kernel.org # 6.1 Signed-off-by: Siddh Raman Pant Acked-by: David Howells Message-Id: <20230605143616.640517-1-code@siddh.me> Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman commit 4514847aee18d9391a0cf3aad75d3567c72795a4 Author: Zheng Wang Date: Thu Jun 15 20:12:22 2023 +0800 bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent commit 80fca8a10b604afad6c14213fdfd816c4eda3ee4 upstream. In some specific situations, the return value of __bch_btree_node_alloc may be NULL. This may lead to a potential NULL pointer dereference in caller function like a calling chain : btree_split->bch_btree_node_alloc->__bch_btree_node_alloc. Fix it by initializing the return value in __bch_btree_node_alloc. Fixes: cafe56359144 ("bcache: A block layer cache") Cc: stable@vger.kernel.org Signed-off-by: Zheng Wang Signed-off-by: Coly Li Link: https://lore.kernel.org/r/20230615121223.22502-6-colyli@suse.de Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 0cabf9e164660e8d66c4810396046383a1110a69 Author: Zheng Wang Date: Thu Jun 15 20:12:21 2023 +0800 bcache: Remove unnecessary NULL point check in node allocations commit 028ddcac477b691dd9205c92f991cc15259d033e upstream. Due to the previous fix of __bch_btree_node_alloc, the return value will never be a NULL pointer. So IS_ERR is enough to handle the failure situation. Fix it by replacing IS_ERR_OR_NULL check by an IS_ERR check. Fixes: cafe56359144 ("bcache: A block layer cache") Cc: stable@vger.kernel.org Signed-off-by: Zheng Wang Signed-off-by: Coly Li Link: https://lore.kernel.org/r/20230615121223.22502-5-colyli@suse.de Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 2882a4c4f0c90e99f37dbd8db369b9982fd613e7 Author: Mingzhe Zou Date: Thu Jun 15 20:12:23 2023 +0800 bcache: fixup btree_cache_wait list damage commit f0854489fc07d2456f7cc71a63f4faf9c716ffbe upstream. We get a kernel crash about "list_add corruption. next->prev should be prev (ffff9c801bc01210), but was ffff9c77b688237c. (next=ffffae586d8afe68)." crash> struct list_head 0xffff9c801bc01210 struct list_head { next = 0xffffae586d8afe68, prev = 0xffffae586d8afe68 } crash> struct list_head 0xffff9c77b688237c struct list_head { next = 0x0, prev = 0x0 } crash> struct list_head 0xffffae586d8afe68 struct list_head struct: invalid kernel virtual address: ffffae586d8afe68 type: "gdb_readmem_callback" Cannot access memory at address 0xffffae586d8afe68 [230469.019492] Call Trace: [230469.032041] prepare_to_wait+0x8a/0xb0 [230469.044363] ? bch_btree_keys_free+0x6c/0xc0 [escache] [230469.056533] mca_cannibalize_lock+0x72/0x90 [escache] [230469.068788] mca_alloc+0x2ae/0x450 [escache] [230469.080790] bch_btree_node_get+0x136/0x2d0 [escache] [230469.092681] bch_btree_check_thread+0x1e1/0x260 [escache] [230469.104382] ? finish_wait+0x80/0x80 [230469.115884] ? bch_btree_check_recurse+0x1a0/0x1a0 [escache] [230469.127259] kthread+0x112/0x130 [230469.138448] ? kthread_flush_work_fn+0x10/0x10 [230469.149477] ret_from_fork+0x35/0x40 bch_btree_check_thread() and bch_dirty_init_thread() may call mca_cannibalize() to cannibalize other cached btree nodes. Only one thread can do it at a time, so the op of other threads will be added to the btree_cache_wait list. We must call finish_wait() to remove op from btree_cache_wait before free it's memory address. Otherwise, the list will be damaged. Also should call bch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake_up other waiters. Fixes: 8e7102273f59 ("bcache: make bch_btree_check() to be multithreaded") Fixes: b144e45fc576 ("bcache: make bch_sectors_dirty_init() to be multithreaded") Cc: stable@vger.kernel.org Signed-off-by: Mingzhe Zou Signed-off-by: Coly Li Link: https://lore.kernel.org/r/20230615121223.22502-7-colyli@suse.de Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 53e89d83dcc66813ef667c96ab82fb78c4c9b2b3 Author: Quan Zhou Date: Wed Jul 5 23:26:38 2023 +0800 wifi: mt76: mt7921e: fix init command fail with enabled device commit 525c469e5de9bf7e53574396196e80fc716ac9eb upstream. For some cases as below, we may encounter the unpreditable chip stats in driver probe() * The system reboot flow do not work properly, such as kernel oops while rebooting, and then the driver do not go back to default status at this moment. * Similar to the flow above. If the device was enabled in BIOS or UEFI, the system may switch to Linux without driver fully shutdown. To avoid the problem, force push the device back to default in probe() * mt7921e_mcu_fw_pmctrl() : return control privilege to chip side. * mt7921_wfsys_reset() : cleanup chip config before resource init. Error log [59007.600714] mt7921e 0000:02:00.0: ASIC revision: 79220010 [59010.889773] mt7921e 0000:02:00.0: Message 00000010 (seq 1) timeout [59010.889786] mt7921e 0000:02:00.0: Failed to get patch semaphore [59014.217839] mt7921e 0000:02:00.0: Message 00000010 (seq 2) timeout [59014.217852] mt7921e 0000:02:00.0: Failed to get patch semaphore [59017.545880] mt7921e 0000:02:00.0: Message 00000010 (seq 3) timeout [59017.545893] mt7921e 0000:02:00.0: Failed to get patch semaphore [59020.874086] mt7921e 0000:02:00.0: Message 00000010 (seq 4) timeout [59020.874099] mt7921e 0000:02:00.0: Failed to get patch semaphore [59024.202019] mt7921e 0000:02:00.0: Message 00000010 (seq 5) timeout [59024.202033] mt7921e 0000:02:00.0: Failed to get patch semaphore [59027.530082] mt7921e 0000:02:00.0: Message 00000010 (seq 6) timeout [59027.530096] mt7921e 0000:02:00.0: Failed to get patch semaphore [59030.857888] mt7921e 0000:02:00.0: Message 00000010 (seq 7) timeout [59030.857904] mt7921e 0000:02:00.0: Failed to get patch semaphore [59034.185946] mt7921e 0000:02:00.0: Message 00000010 (seq 8) timeout [59034.185961] mt7921e 0000:02:00.0: Failed to get patch semaphore [59037.514249] mt7921e 0000:02:00.0: Message 00000010 (seq 9) timeout [59037.514262] mt7921e 0000:02:00.0: Failed to get patch semaphore [59040.842362] mt7921e 0000:02:00.0: Message 00000010 (seq 10) timeout [59040.842375] mt7921e 0000:02:00.0: Failed to get patch semaphore [59040.923845] mt7921e 0000:02:00.0: hardware init failed Cc: stable@vger.kernel.org Fixes: 5c14a5f944b9 ("mt76: mt7921: introduce mt7921e support") Tested-by: Kai-Heng Feng Tested-by: Juan Martinez Co-developed-by: Leon Yen Signed-off-by: Leon Yen Signed-off-by: Quan Zhou Signed-off-by: Deren Wu Message-ID: <39fcb7cee08d4ab940d38d82f21897483212483f.1688569385.git.deren.wu@mediatek.com> Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 54c1b922683d48a56e0d7bb9ff3e5d57808ded37 Author: Felix Fietkau Date: Tue Jul 11 13:50:52 2023 +0200 wifi: cfg80211: fix receiving mesh packets without RFC1042 header commit fec3ebb5ed299ac3a998f011c380f2ded47f4866 upstream. Fix ethernet header length field after stripping the mesh header Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/CT5GNZSK28AI.2K6M69OXM9RW5@syracuse/ Fixes: 986e43b19ae9 ("wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces") Reported-and-tested-by: Nicolas Escande Signed-off-by: Felix Fietkau Link: https://lore.kernel.org/r/20230711115052.68430-1-nbd@nbd.name Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 1a9f0e23079d1a6a355c09f981567ea4888023d8 Author: Alexander Wetzel Date: Thu Mar 23 17:55:27 2023 +0100 wifi: ath10k: Serialize wake_tx_queue ops commit b719ebc37a1eacd4fd4f1264f731b016e5ec0c6e upstream. Serialize the ath10k implementation of the wake_tx_queue ops. ath10k_mac_op_wake_tx_queue() must not run concurrent since it's using ieee80211_txq_schedule_start(). The intend of this patch is to sort out an issue discovered in the discussion referred to by the Link tag. I can't test it with real hardware and thus just implemented the per-ac queue lock Felix suggested. One obvious alternative to the per-ac lock would be to bring back the txqs_lock commit bb2edb733586 ("ath10k: migrate to mac80211 txq scheduling") dropped. Fixes: bb2edb733586 ("ath10k: migrate to mac80211 txq scheduling") Reported-by: Felix Fietkau Link: https://lore.kernel.org/r/519b5bb9-8899-ae7c-4eff-f3116cdfdb56@nbd.name CC: Signed-off-by: Alexander Wetzel Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230323165527.156414-1-alexander@wetzel-home.de Signed-off-by: Greg Kroah-Hartman commit 12627f20eb459e9ae6009f5579ff86bbbc937444 Author: Johannes Berg Date: Fri Jun 16 22:28:44 2023 +0200 wifi: cfg80211: fix regulatory disconnect for non-MLO commit b22552fcaf1970360005c805d7fba4046cf2ab4a upstream. The multi-link loop here broke disconnect when multi-link operation (MLO) isn't active for a given interface, since in that case valid_links is 0 (indicating no links, i.e. no MLO.) Fix this by taking that into account properly and skipping the link only if there are valid_links in the first place. Cc: stable@vger.kernel.org Fixes: 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link APIs") Signed-off-by: Johannes Berg Link: https://lore.kernel.org/r/20230616222844.eb073d650c75.I72739923ef80919889ea9b50de9e4ba4baa836ae@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit cfc678270165074ab1829d8424cef80990626bd6 Author: Chevron Li Date: Tue May 23 19:11:14 2023 +0800 mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used. commit 20dbd07ef0a8bc29eb03d6a95258ac8934cbe52d upstream. Bayhub SD host has hardware limitation: 1.The upper 32bit address is inhibited to be written at SD Host Register [03E][13]=0 (32bits addressing) mode, is admitted to be written only at SD Host Register [03E][13]=1 (64bits addressing) mode. 2.Because of above item#1, need to configure SD Host Register [03E][13] to 1(64bits addressing mode) before set 64bit ADMA system address's higher 32bits SD Host Register [05F~05C] if 64 bits addressing mode is used. The hardware limitation is reasonable for below reasons: 1.Normal flow should set DMA working mode first, then do DMA-transfer-related configuration, such as system address. 2.The hardware limitation may avoid the software to configure wrong higher 32bit address at 32bits addressing mode although it is redundant. The change that set 32bits/64bits addressing mode before set ADMA address, has no side-effect to other host IPs for below reason: The setting order is reasonable and standard: DMA Mode setting first and then DMA address setting. It meets all DMA setting sequence. Signed-off-by: Chevron Li Acked-by: Adrian Hunter Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230523111114.18124-1-chevron_li@126.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 0d8292bb9f0fc63ae1541a20c398196c2e1aa6f2 Author: Ulf Hansson Date: Mon Jun 12 16:37:30 2023 +0200 mmc: mmci: Set PROBE_PREFER_ASYNCHRONOUS commit 3108eb2e8aa7e955a9dd3a4c1bf19a7898961822 upstream. All mmc host drivers should have the asynchronous probe option enabled, but it seems like we failed to set it for mmci, so let's do that now. Fixes: 21b2cec61c04 ("mmc: Set PROBE_PREFER_ASYNCHRONOUS for drivers that existed in v4.4") Signed-off-by: Ulf Hansson Tested-by: Linus Walleij Tested-by: Yann Gautier Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230612143730.210390-1-ulf.hansson@linaro.org Signed-off-by: Greg Kroah-Hartman commit 21d3f844cad5e0ef7428098aa3bcb0f57d283787 Author: Robert Marko Date: Tue May 30 23:32:59 2023 +0200 mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M commit dbfbddcddcebc9ce8a08757708d4e4a99d238e44 upstream. It seems that Micron MTFC4GACAJCN-1M despite advertising TRIM support does not work when the core is trying to use REQ_OP_WRITE_ZEROES. We are seeing the following errors in OpenWrt under 6.1 on Qnap Qhora 301W that we did not previously have and tracked it down to REQ_OP_WRITE_ZEROES: [ 18.085950] I/O error, dev loop0, sector 596 op 0x9:(WRITE_ZEROES) flags 0x800 phys_seg 0 prio class 2 Disabling TRIM makes the error go away, so lets add a quirk for this eMMC to disable TRIM. Signed-off-by: Robert Marko Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230530213259.1776512-1-robimarko@gmail.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 94675949da0255de7c94f3f74022309418141714 Author: Robert Marko Date: Mon Jun 19 21:35:58 2023 +0200 mmc: core: disable TRIM on Kingston EMMC04G-M627 commit f1738a1f816233e6dfc2407f24a31d596643fd90 upstream. It seems that Kingston EMMC04G-M627 despite advertising TRIM support does not work when the core is trying to use REQ_OP_WRITE_ZEROES. We are seeing I/O errors in OpenWrt under 6.1 on Zyxel NBG7815 that we did not previously have and tracked it down to REQ_OP_WRITE_ZEROES. Trying to use fstrim seems to also throw errors like: [93010.835112] I/O error, dev loop0, sector 16902 op 0x3:(DISCARD) flags 0x800 phys_seg 1 prio class 2 Disabling TRIM makes the error go away, so lets add a quirk for this eMMC to disable TRIM. Signed-off-by: Robert Marko Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230619193621.437358-1-robimarko@gmail.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 6d1ac6bc1bbbbdc63ba444784956f3d132f6ef97 Author: Yu Zhao Date: Mon Jun 19 13:38:21 2023 -0600 mm/mglru: make memcg_lru->lock irq safe commit 814bc1de03ea4361101408e63a68e4b82aef22cb upstream. lru_gen_rotate_memcg() can happen in softirq if memory.soft_limit_in_bytes is set. This requires memcg_lru->lock to be irq safe. Lockdep warns on this. This problem only affects memcg v1. Link: https://lkml.kernel.org/r/20230619193821.2710944-1-yuzhao@google.com Fixes: e4dde56cd208 ("mm: multi-gen LRU: per-node lru_gen_folio lists") Signed-off-by: Yu Zhao Reported-by: syzbot+87c490fd2be656269b6a@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=87c490fd2be656269b6a Reviewed-by: Yosry Ahmed Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 58e80cb68b057e974768792c34708c6957810486 Author: Jens Axboe Date: Sun Jun 11 21:14:09 2023 -0600 io_uring: wait interruptibly for request completions on exit commit 4826c59453b3b4677d6bf72814e7ababdea86949 upstream. WHen the ring exits, cleanup is done and the final cancelation and waiting on completions is done by io_ring_exit_work. That function is invoked by kworker, which doesn't take any signals. Because of that, it doesn't really matter if we wait for completions in TASK_INTERRUPTIBLE or TASK_UNINTERRUPTIBLE state. However, it does matter to the hung task detection checker! Normally we expect cancelations and completions to happen rather quickly. Some test cases, however, will exit the ring and park the owning task stopped (eg via SIGSTOP). If the owning task needs to run task_work to complete requests, then io_ring_exit_work won't make any progress until the task is runnable again. Hence io_ring_exit_work can trigger the hung task detection, which is particularly problematic if panic-on-hung-task is enabled. As the ring exit doesn't take signals to begin with, have it wait interruptibly rather than uninterruptibly. io_uring has a separate stuck-exit warning that triggers independently anyway, so we're not really missing anything by making this switch. Cc: stable@vger.kernel.org # 5.10+ Link: https://lore.kernel.org/r/b0e4aaef-7088-56ce-244c-976edeac0e66@kernel.dk Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 5cf0490a35af235360d1e372a8af3b55dbbd015d Author: Jianmin Lv Date: Wed Jun 14 19:59:32 2023 +0800 irqchip/loongson-pch-pic: Fix initialization of HT vector register commit f679616565f1cf1a4acb245dbc0032dafcd40637 upstream. In an ACPI-based dual-bridge system, IRQ of each bridge's PCH PIC sent to CPU is always a zero-based number, which means that the IRQ on PCH PIC of each bridge is mapped into vector range from 0 to 63 of upstream irqchip(e.g. EIOINTC). EIOINTC N: [0 ... 63 | 64 ... 255] -------- ---------- ^ ^ | | PCH PIC N | PCH MSI N For example, the IRQ vector number of sata controller on PCH PIC of each bridge is 16, which is sent to upstream irqchip of EIOINTC when an interrupt occurs, which will set bit 16 of EIOINTC. Since hwirq of 16 on EIOINTC has been mapped to a irq_desc for sata controller during hierarchy irq allocation, the related mapped IRQ will be found through irq_resolve_mapping() in the IRQ domain of EIOINTC. So, the IRQ number set in HT vector register should be fixed to be a zero-based number. Cc: stable@vger.kernel.org Reviewed-by: Huacai Chen Co-developed-by: liuyun Signed-off-by: liuyun Signed-off-by: Jianmin Lv Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230614115936.5950-2-lvjianmin@loongson.cn Signed-off-by: Greg Kroah-Hartman commit adc096e680b9c534de48955c82f515ed41bdab89 Author: Dai Ngo Date: Tue Jun 6 16:41:02 2023 -0700 NFSD: add encoding of op_recall flag for write delegation commit 58f5d894006d82ed7335e1c37182fbc5f08c2f51 upstream. Modified nfsd4_encode_open to encode the op_recall flag properly for OPEN result with write delegation granted. Signed-off-by: Dai Ngo Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 236381050d2b1746ed68a7391e2a48e67ea96944 Author: Liu Peibao Date: Wed Jun 14 19:59:33 2023 +0800 irqchip/loongson-pch-pic: Fix potential incorrect hwirq assignment commit 783422e704ca0fa41cb2fe9ed79e46b6fe7eae29 upstream. In DeviceTree path, when ht_vec_base is not zero, the hwirq of PCH PIC will be assigned incorrectly. Because when pch_pic_domain_translate() adds the ht_vec_base to hwirq, the hwirq does not have the ht_vec_base subtracted when calling irq_domain_set_info(). The ht_vec_base is designed for the parent irq chip/domain of the PCH PIC. It seems not proper to deal this in callbacks of the PCH PIC domain and let's put this back like the initial commit ef8c01eb64ca ("irqchip: Add Loongson PCH PIC controller"). Fixes: bcdd75c596c8 ("irqchip/loongson-pch-pic: Add ACPI init support") Cc: stable@vger.kernel.org Reviewed-by: Huacai Chen Signed-off-by: Liu Peibao Signed-off-by: Jianmin Lv Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230614115936.5950-3-lvjianmin@loongson.cn Signed-off-by: Greg Kroah-Hartman commit 768c408594b52d8531e1a8ab62e5620c19213e73 Author: Jeff Layton Date: Fri Jun 16 17:51:34 2023 -0400 nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net commit ed9ab7346e908496816cffdecd46932035f66e2e upstream. Commit f5f9d4a314da ("nfsd: move reply cache initialization into nfsd startup") moved the initialization of the reply cache into nfsd startup, but didn't account for the stats counters, which can be accessed before nfsd is ever started. The result can be a NULL pointer dereference when someone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still shut down. This is a regression and a user-triggerable oops in the right situation: - non-x86_64 arch - /proc/fs/nfsd is mounted in the namespace - nfsd is not started in the namespace - unprivileged user calls "cat /proc/fs/nfsd/reply_cache_stats" Although this is easy to trigger on some arches (like aarch64), on x86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the fixed_percpu_data. That struct looks just enough like a newly initialized percpu var to allow nfsd_reply_cache_stats_show to access it without Oopsing. Move the initialization of the per-net+per-cpu reply-cache counters back into nfsd_init_net, while leaving the rest of the reply cache allocations to be done at nfsd startup time. Kudos to Eirik who did most of the legwork to track this down. Cc: stable@vger.kernel.org # v6.3+ Fixes: f5f9d4a314da ("nfsd: move reply cache initialization into nfsd startup") Reported-and-tested-by: Eirik Fuller Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2215429 Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit 7f4f66ac838137d6b27142ccc4edeb4b5f65295d Author: Jianmin Lv Date: Wed Jun 14 19:59:34 2023 +0800 irqchip/loongson-liointc: Fix IRQ trigger polarity commit 1d7471b4e0ebba5a4bf9db4ade43619e8f2d333d upstream. For the INT_POLARITY register of Loongson-2K series IRQ controller, '0' indicates high level or rising edge triggered, '1' indicates low level or falling edge triggered, and we can find out the information from the Loongson 2K1000LA User Manual v1.0, Table 9-2, Section 9.3 (中断寄存器描述 / Description of the Interrupt Registers). For Loongson-3 CPU series, setting INT_POLARITY register is not supported and writting it has no effect. So trigger polarity setting shouled be fixed for Loongson-2K CPU series. Fixes: 17343d0b4039 ("irqchip/loongson-liointc: Support to set IRQ type for ACPI path") Cc: stable@vger.kernel.org Reviewed-by: Huacai Chen Co-developed-by: Chong Qiao Signed-off-by: Chong Qiao Signed-off-by: Jianmin Lv Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230614115936.5950-4-lvjianmin@loongson.cn Signed-off-by: Greg Kroah-Hartman commit 2e07e4bbf0ecb0fcca39917461a6e027f4cb3ffd Author: Mark Brown Date: Thu Jun 22 14:39:45 2023 +0100 arm64/signal: Restore TPIDR2 register rather than memory state commit 616cb2f4b141852cac3dfffe8354c8bf19e9999d upstream. Currently when restoring the TPIDR2 signal context we set the new value from the signal frame in the thread data structure but not the register, following the pattern for the rest of the data we are restoring. This does not work in the case of TPIDR2, the register always has the value for the current task. This means that either we return to userspace and ignore the new value or we context switch and save the register value on top of the newly restored value. Load the value from the signal context into the register instead. Fixes: 39e54499280f ("arm64/signal: Include TPIDR2 in the signal context") Signed-off-by: Mark Brown Cc: # 6.3.x Link: https://lore.kernel.org/r/20230621-arm64-fix-tpidr2-signal-restore-v2-1-c8e8fcc10302@kernel.org Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit 4cfa81020c658f1fe42bc4a34ab0808eeff9f312 Author: Daniel Miess Date: Wed Jun 7 16:24:08 2023 +0800 Revert "drm/amd/display: Move DCN314 DOMAIN power control to DMCUB" [ Upstream commit bf0097c5c9aec528da75e2b5fcede472165322bb ] This reverts commit e383b12709e32d6494c948422070c2464b637e44. Controling hubp power gating using the DMCUB isn't stable so we are reverting this change to move control back into the driver. Cc: stable@vger.kernel.org # 6.3+ Reviewed-by: Nicholas Kazlauskas Acked-by: Hamza Mahfooz Signed-off-by: Daniel Miess Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 64c79e58a721cc0446d90414f25eec2e03ef4e29 Author: Geert Uytterhoeven Date: Wed Jul 5 16:54:04 2023 +0200 lib: dhry: fix sleeping allocations inside non-preemptable section [ Upstream commit 8ba388c06bc8056935ec1814b2689bfb42f3b89a ] The Smatch static checker reports the following warnings: lib/dhry_run.c:38 dhry_benchmark() warn: sleeping in atomic context lib/dhry_run.c:43 dhry_benchmark() warn: sleeping in atomic context Indeed, dhry() does sleeping allocations inside the non-preemptable section delimited by get_cpu()/put_cpu(). Fix this by using atomic allocations instead. Add error handling, as atomic these allocations may fail. Link: https://lkml.kernel.org/r/bac6d517818a7cd8efe217c1ad649fffab9cc371.1688568764.git.geert+renesas@glider.be Fixes: 13684e966d46283e ("lib: dhry: fix unstable smp_processor_id(_) usage") Reported-by: Dan Carpenter Closes: https://lore.kernel.org/r/0469eb3a-02eb-4b41-b189-de20b931fa56@moroto.mountain Signed-off-by: Geert Uytterhoeven Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit e22ca18614d2dfb935d9b32fb13e76f6dccff783 Author: Matthew Wilcox (Oracle) Date: Wed Jun 28 19:55:48 2023 +0100 writeback: account the number of pages written back [ Upstream commit 8344a3d44be3d18671e18c4ba23bb03dd21e14ad ] nr_to_write is a count of pages, so we need to decrease it by the number of pages in the folio we just wrote, not by 1. Most callers specify either LONG_MAX or 1, so are unaffected, but writeback_sb_inodes() might end up writing 512x as many pages as it asked for. Dave added: : XFS is the only filesystem this would affect, right? AFAIA, nothing : else enables large folios and uses writeback through : write_cache_pages() at this point... : : In which case, I'd be surprised if much difference, if any, gets : noticed by anyone. Link: https://lkml.kernel.org/r/20230628185548.981888-1-willy@infradead.org Fixes: 793917d997df ("mm/readahead: Add large folio readahead") Signed-off-by: Matthew Wilcox (Oracle) Reviewed-by: Christoph Hellwig Cc: Jan Kara Cc: Dave Chinner Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 22f127fffe72d3739e7e0cf4cae413102df2e356 Author: Robert Hancock Date: Tue Jun 6 12:25:58 2023 -0600 i2c: xiic: Don't try to handle more interrupt events after error [ Upstream commit cb6e45c9a0ad9e0f8664fd06db0227d185dc76ab ] In xiic_process, it is possible that error events such as arbitration lost or TX error can be raised in conjunction with other interrupt flags such as TX FIFO empty or bus not busy. Error events result in the controller being reset and the error returned to the calling request, but the function could potentially try to keep handling the other events, such as by writing more messages into the TX FIFO. Since the transaction has already failed, this is not helpful and will just cause issues. This problem has been present ever since: commit 7f9906bd7f72 ("i2c: xiic: Service all interrupts in isr") which allowed non-error events to be handled after errors, but became more obvious after: commit 743e227a8959 ("i2c: xiic: Defer xiic_wakeup() and __xiic_start_xfer() in xiic_process()") which reworked the code to add a WARN_ON which triggers if both the xfer_more and wakeup_req flags were set, since this combination is not supposed to happen, but was occurring in this scenario. Skip further interrupt handling after error flags are detected to avoid this problem. Fixes: 7f9906bd7f72 ("i2c: xiic: Service all interrupts in isr") Signed-off-by: Robert Hancock Acked-by: Andi Shyti Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 346b1ac789fa8e666d1b564d9b9fa8880644faa0 Author: John Johansen Date: Mon Apr 17 02:57:55 2023 -0700 apparmor: fix profile verification and enable it [ Upstream commit 6f442d42c0d89876994a4a135eadf82b0e6ff6e4 ] The transition table size was not being set by compat mappings resulting in the profile verification code not being run. Unfortunately the checks were also buggy not being correctly updated from the old accept perms, to the new layout. Also indicate to userspace that the kernel has the permstable verification fixes. BugLink: http://bugs.launchpad.net/bugs/2017903 Fixes: 670f31774ab6 ("apparmor: verify permission table indexes") Signed-off-by: John Johansen Reviewed-by: Jon Tourville Signed-off-by: Sasha Levin commit 6108e25cfe4336de0583872d402884178b6ef8f1 Author: John Johansen Date: Fri Mar 10 15:59:45 2023 -0800 apparmor: fix policy_compat permission remap with extended permissions [ Upstream commit 0bac2002b397fda7c9ea81ee0b06a02242958107 ] If the extended permission table is present we should not be attempting to do a compat_permission remap as the compat_permissions are not stored in the dfa accept states. Fixes: fd1b2b95a211 ("apparmor: add the ability for policy to specify a permission table") Signed-off-by: John Johansen Reviewed-by: Jon Tourville Signed-off-by: Sasha Levin commit 33b1fe578f7d3cf6cdf0765ef9376644b1905c68 Author: John Johansen Date: Fri Apr 14 00:24:47 2023 -0700 apparmor: add missing failure check in compute_xmatch_perms [ Upstream commit 6600e9f692e36e265ef0828f08337fa294bb330f ] Add check for failure to allocate the permission table. Fixes: caa9f579ca72 ("apparmor: isolate policy backwards compatibility to its own file") Signed-off-by: John Johansen Signed-off-by: Sasha Levin commit 543731db0173252a835b9b43ca4c7c1203a1f41e Author: Danila Chernetsov Date: Tue Apr 4 19:05:49 2023 +0000 apparmor: fix missing error check for rhashtable_insert_fast [ Upstream commit 000518bc5aef25d3f703592a0296d578c98b1517 ] rhashtable_insert_fast() could return err value when memory allocation is failed. but unpack_profile() do not check values and this always returns success value. This patch just adds error check code. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e025be0f26d5 ("apparmor: support querying extended trusted helper extra data") Signed-off-by: Danila Chernetsov Signed-off-by: John Johansen Signed-off-by: Sasha Levin commit e9e33faea104381bac80ac79328f0540fc2969f2 Author: Artur Rojek Date: Sat May 27 18:44:50 2023 +0200 sh: dma: Fix DMA channel offset calculation [ Upstream commit e82e47584847129a20b8c9f4a1dcde09374fb0e0 ] Various SoCs of the SH3, SH4 and SH4A family, which use this driver, feature a differing number of DMA channels, which can be distributed between up to two DMAC modules. The existing implementation fails to correctly accommodate for all those variations, resulting in wrong channel offset calculations and leading to kernel panics. Rewrite dma_base_addr() in order to properly calculate channel offsets in a DMAC module. Fix dmaor_read_reg() and dmaor_write_reg(), so that the correct DMAC module base is selected for the DMAOR register. Fixes: 7f47c7189b3e8f19 ("sh: dma: More legacy cpu dma chainsawing.") Signed-off-by: Artur Rojek Reviewed-by: Geert Uytterhoeven Reviewed-by: John Paul Adrian Glaubitz Link: https://lore.kernel.org/r/20230527164452.64797-2-contact@artur-rojek.eu Signed-off-by: John Paul Adrian Glaubitz Signed-off-by: Sasha Levin commit 96524810c654ba60b4fd24f28d88ca592e078511 Author: Marc Zyngier Date: Mon Jul 3 19:31:26 2023 +0100 risc-v: Fix order of IPI enablement vs RCU startup [ Upstream commit 6259f3443c6a376aa077816ac92e9ddeb0817d09 ] Conor reports that risc-v tries to enable IPIs before telling the core code to enable RCU. With the introduction of the mapple tree as a backing store for the irq descriptors, this results in a very shouty boot sequence, as RCU is legitimately upset. Restore some sanity by moving the risc_ipi_enable() call after notify_cpu_starting(), which explicitly enables RCU on the calling CPU. Fixes: 832f15f42646 ("RISC-V: Treat IPIs as normal Linux IRQs") Reported-by: Conor Dooley Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230703-dupe-frying-79ae2ccf94eb@spud Cc: Anup Patel Cc: Palmer Dabbelt Cc: Linus Torvalds Tested-by: Conor Dooley Link: https://lore.kernel.org/r/20230703183126.1567625-1-maz@kernel.org Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit b8204a8ca897870ac08c961be5eb37af507750fc Author: Thorsten Winkler Date: Tue Jul 4 16:41:21 2023 +0200 s390/qeth: Fix vipa deletion [ Upstream commit 80de809bd35e2a8999edf9f5aaa2d8de18921f11 ] Change boolean parameter of function "qeth_l3_vipa_store" inside the "qeth_l3_dev_vipa_del4_store" function from "true" to "false" because "true" is used for adding a virtual ip address and "false" for deleting. Fixes: 2390166a6b45 ("s390/qeth: clean up L3 sysfs code") Reviewed-by: Alexandra Winter Reviewed-by: Wenjia Zhang Signed-off-by: Thorsten Winkler Signed-off-by: Alexandra Winter Reviewed-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cfc3b2e0c244200217293fd6159a883f643d5d0f Author: David Howells Date: Tue Jul 4 20:22:15 2023 +0100 afs: Fix accidental truncation when storing data [ Upstream commit 03275585cabd0240944f19f33d7584a1b099a3a8 ] When an AFS FS.StoreData RPC call is made, amongst other things it is given the resultant file size to be. On the server, this is processed by truncating the file to new size and then writing the data. Now, kafs has a lock (vnode->io_lock) that serves to serialise operations against a specific vnode (ie. inode), but the parameters for the op are set before the lock is taken. This allows two writebacks (say sync and kswapd) to race - and if writes are ongoing the writeback for a later write could occur before the writeback for an earlier one if the latter gets interrupted. Note that afs_writepages() cannot take i_mutex and only takes a shared lock on vnode->validate_lock. Also note that the server does the truncation and the write inside a lock, so there's no problem at that end. Fix this by moving the calculation for the proposed new i_size inside the vnode->io_lock. Also reset the iterator (which we might have read from) and update the mtime setting there. Fixes: bd80d8a80e12 ("afs: Use ITER_XARRAY for writing") Reported-by: Marc Dionne Signed-off-by: David Howells Reviewed-by: Jeffrey Altman Reviewed-by: Marc Dionne cc: linux-afs@lists.infradead.org cc: linux-fsdevel@vger.kernel.org Link: https://lore.kernel.org/r/3526895.1687960024@warthog.procyon.org.uk/ Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit e21994909eb2ccfda74c6e1a1f6ab30272b3ab47 Author: Hariprasad Kelam Date: Tue Jul 4 09:56:53 2023 +0530 octeontx-af: fix hardware timestamp configuration [ Upstream commit 14bb236b29922c4f57d8c05bfdbcb82677f917c9 ] MAC block on CN10K (RPM) supports hardware timestamp configuration. The previous patch which added timestamp configuration support has a bug. Though the netdev driver requests to disable timestamp configuration, the driver is always enabling it. This patch fixes the same. Fixes: d1489208681d ("octeontx2-af: cn10k: RPM hardware timestamp configuration") Signed-off-by: Hariprasad Kelam Signed-off-by: Sunil Goutham Reviewed-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit af20ce74201d5b61f8dbb248a9901856550b7fc3 Author: Vladimir Oltean Date: Tue Jul 4 01:05:45 2023 +0300 net: dsa: sja1105: always enable the send_meta options [ Upstream commit a372d66af48506d9f7aaae2a474cd18f14d98cb8 ] incl_srcpt has the limitation, mentioned in commit b4638af8885a ("net: dsa: sja1105: always enable the INCL_SRCPT option"), that frames with a MAC DA of 01:80:c2:xx:yy:zz will be received as 01:80:c2:00:00:zz unless PTP RX timestamping is enabled. The incl_srcpt option was initially unconditionally enabled, then that changed with commit 42824463d38d ("net: dsa: sja1105: Limit use of incl_srcpt to bridge+vlan mode"), then again with b4638af8885a ("net: dsa: sja1105: always enable the INCL_SRCPT option"). Bottom line is that it now needs to be always enabled, otherwise the driver does not have a reliable source of information regarding source_port and switch_id for link-local traffic (tag_8021q VLANs may be imprecise since now they identify an entire bridging domain when ports are not standalone). If we accept that PTP RX timestamping (and therefore, meta frame generation) is always enabled in hardware, then that limitation could be avoided and packets with any MAC DA can be properly received, because meta frames do contain the original bytes from the MAC DA of their associated link-local packet. This change enables meta frame generation unconditionally, which also has the nice side effects of simplifying the switch control path (a switch reset is no longer required on hwtstamping settings change) and the tagger data path (it no longer needs to be informed whether to expect meta frames or not - it always does). Fixes: 227d07a07ef1 ("net: dsa: sja1105: Add support for traffic through standalone ports") Signed-off-by: Vladimir Oltean Reviewed-by: Simon Horman Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 666e1db22a88ffcb649bf1a2dc413dd8e606fa0e Author: Vladimir Oltean Date: Tue Jul 4 01:05:44 2023 +0300 net: dsa: tag_sja1105: fix MAC DA patching from meta frames [ Upstream commit 1dcf6efd5f0c1f4496b3ef7ec5a7db104a53b38c ] The SJA1105 manual says that at offset 4 into the meta frame payload we have "MAC destination byte 2" and at offset 5 we have "MAC destination byte 1". These are counted from the LSB, so byte 1 is h_dest[ETH_HLEN-2] aka h_dest[4] and byte 2 is h_dest[ETH_HLEN-3] aka h_dest[3]. The sja1105_meta_unpack() function decodes these the other way around, so a frame with MAC DA 01:80:c2:11:22:33 is received by the network stack as having 01:80:c2:22:11:33. Fixes: e53e18a6fe4d ("net: dsa: sja1105: Receive and decode meta frames") Signed-off-by: Vladimir Oltean Reviewed-by: Simon Horman Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit fda0f1e649b271b03a36366bb7c4fe0ba2c38979 Author: Guillaume Nault Date: Mon Jul 3 19:14:46 2023 +0200 pptp: Fix fib lookup calls. [ Upstream commit 84bef5b6037c15180ef88ac4216dc621d16df1a6 ] PPTP uses pppox sockets (struct pppox_sock). These sockets don't embed an inet_sock structure, so it's invalid to call inet_sk() on them. Therefore, the ip_route_output_ports() call in pptp_connect() has two problems: * The tos variable is set with RT_CONN_FLAGS(sk), which calls inet_sk() on the pppox socket. * ip_route_output_ports() tries to retrieve routing flags using inet_sk_flowi_flags(), which is also going to call inet_sk() on the pppox socket. While PPTP doesn't use inet sockets, it's actually really layered on top of IP and therefore needs a proper way to do fib lookups. So let's define pptp_route_output() to get a struct rtable from a pptp socket. Let's also replace the ip_route_output_ports() call of pptp_xmit() for consistency. In practice, this means that: * pptp_connect() sets ->flowi4_tos and ->flowi4_flags to zero instead of using bits of unrelated struct pppox_sock fields. * pptp_xmit() now respects ->sk_mark and ->sk_uid. * pptp_xmit() now calls the security_sk_classify_flow() security hook, thus allowing to set ->flowic_secid. * pptp_xmit() now passes the pppox socket to xfrm_lookup_route(). Found by code inspection. Fixes: 00959ade36ac ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ba11f4e59509538810e5c44578fc73984acdf1d7 Author: Woody Zhang Date: Wed Jun 14 21:19:07 2023 +0800 riscv: move memblock_allow_resize() after linear mapping is ready [ Upstream commit 85fadc0d04119c2fe4a20287767ab904c6d21ba1 ] The initial memblock metadata is accessed from kernel image mapping. The regions arrays need to "reallocated" from memblock and accessed through linear mapping to cover more memblock regions. So the resizing should not be allowed until linear mapping is ready. Note that there are memblock allocations when building linear mapping. This patch is similar to 24cc61d8cb5a ("arm64: memblock: don't permit memblock resizing until linear mapping is up"). In following log, many memblock regions are reserved before create_linear_mapping_page_table(). And then it triggered reallocation of memblock.reserved.regions and memcpy the old array in kernel image mapping to the new array in linear mapping which caused a page fault. [ 0.000000] memblock_reserve: [0x00000000bf01f000-0x00000000bf01ffff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6 [ 0.000000] memblock_reserve: [0x00000000bf021000-0x00000000bf021fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6 [ 0.000000] memblock_reserve: [0x00000000bf023000-0x00000000bf023fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6 [ 0.000000] memblock_reserve: [0x00000000bf025000-0x00000000bf025fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6 [ 0.000000] memblock_reserve: [0x00000000bf027000-0x00000000bf027fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6 [ 0.000000] memblock_reserve: [0x00000000bf029000-0x00000000bf029fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6 [ 0.000000] memblock_reserve: [0x00000000bf02b000-0x00000000bf02bfff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6 [ 0.000000] memblock_reserve: [0x00000000bf02d000-0x00000000bf02dfff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6 [ 0.000000] memblock_reserve: [0x00000000bf02f000-0x00000000bf02ffff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6 [ 0.000000] memblock_reserve: [0x00000000bf030000-0x00000000bf030fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6 [ 0.000000] OF: reserved mem: 0x0000000080000000..0x000000008007ffff (512 KiB) map non-reusable mmode_resv0@80000000 [ 0.000000] memblock_reserve: [0x00000000bf000000-0x00000000bf001fed] paging_init+0x19a/0x5ae [ 0.000000] memblock_phys_alloc_range: 4096 bytes align=0x1000 from=0x0000000000000000 max_addr=0x0000000000000000 alloc_pmd_fixmap+0x14/0x1c [ 0.000000] memblock_reserve: [0x000000017ffff000-0x000000017fffffff] memblock_alloc_range_nid+0xb8/0x128 [ 0.000000] memblock: reserved is doubled to 256 at [0x000000017fffd000-0x000000017fffe7ff] [ 0.000000] Unable to handle kernel paging request at virtual address ff600000ffffd000 [ 0.000000] Oops [#1] [ 0.000000] Modules linked in: [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.4.0-rc1-00011-g99a670b2069c #66 [ 0.000000] Hardware name: riscv-virtio,qemu (DT) [ 0.000000] epc : __memcpy+0x60/0xf8 [ 0.000000] ra : memblock_double_array+0x192/0x248 [ 0.000000] epc : ffffffff8081d214 ra : ffffffff80a3dfc0 sp : ffffffff81403bd0 [ 0.000000] gp : ffffffff814fbb38 tp : ffffffff8140dac0 t0 : 0000000001600000 [ 0.000000] t1 : 0000000000000000 t2 : 000000008f001000 s0 : ffffffff81403c60 [ 0.000000] s1 : ffffffff80c0bc98 a0 : ff600000ffffd000 a1 : ffffffff80c0bcd8 [ 0.000000] a2 : 0000000000000c00 a3 : ffffffff80c0c8d8 a4 : 0000000080000000 [ 0.000000] a5 : 0000000000080000 a6 : 0000000000000000 a7 : 0000000080200000 [ 0.000000] s2 : ff600000ffffd000 s3 : 0000000000002000 s4 : 0000000000000c00 [ 0.000000] s5 : ffffffff80c0bc60 s6 : ffffffff80c0bcc8 s7 : 0000000000000000 [ 0.000000] s8 : ffffffff814fd0a8 s9 : 000000017fffe7ff s10: 0000000000000000 [ 0.000000] s11: 0000000000001000 t3 : 0000000000001000 t4 : 0000000000000000 [ 0.000000] t5 : 000000008f003000 t6 : ff600000ffffd000 [ 0.000000] status: 0000000200000100 badaddr: ff600000ffffd000 cause: 000000000000000f [ 0.000000] [] __memcpy+0x60/0xf8 [ 0.000000] [] memblock_add_range.isra.14+0x12c/0x162 [ 0.000000] [] memblock_reserve+0x6e/0x8c [ 0.000000] [] memblock_alloc_range_nid+0xb8/0x128 [ 0.000000] [] memblock_phys_alloc_range+0x5e/0x6a [ 0.000000] [] alloc_pmd_fixmap+0x14/0x1c [ 0.000000] [] alloc_p4d_fixmap+0xc/0x14 [ 0.000000] [] create_pgd_mapping+0x98/0x17c [ 0.000000] [] create_linear_mapping_range.constprop.10+0xe4/0x112 [ 0.000000] [] paging_init+0x3ec/0x5ae [ 0.000000] [] setup_arch+0xb2/0x576 [ 0.000000] [] start_kernel+0x72/0x57e [ 0.000000] Code: b303 0285 b383 0305 be03 0385 be83 0405 bf03 0485 (b023) 00ef [ 0.000000] ---[ end trace 0000000000000000 ]--- [ 0.000000] Kernel panic - not syncing: Attempted to kill the idle task! [ 0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]--- Fixes: 671f9a3e2e24 ("RISC-V: Setup initial page tables in two stages") Signed-off-by: Woody Zhang Tested-by: Song Shuai Link: https://lore.kernel.org/r/tencent_FBB94CE615C5CCE7701CD39C15CCE0EE9706@qq.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit d003ad402ae69076478630b017956f5938a7e52b Author: Amir Goldstein Date: Thu Jun 29 07:20:44 2023 +0300 fanotify: disallow mount/sb marks on kernel internal pseudo fs [ Upstream commit 69562eb0bd3e6bb8e522a7b254334e0fb30dff0c ] Hopefully, nobody is trying to abuse mount/sb marks for watching all anonymous pipes/inodes. I cannot think of a good reason to allow this - it looks like an oversight that dated back to the original fanotify API. Link: https://lore.kernel.org/linux-fsdevel/20230628101132.kvchg544mczxv2pm@quack3/ Fixes: 0ff21db9fcc3 ("fanotify: hooks the fanotify_mark syscall to the vfsmount code") Signed-off-by: Amir Goldstein Reviewed-by: Christian Brauner Signed-off-by: Jan Kara Message-Id: <20230629042044.25723-1-amir73il@gmail.com> Signed-off-by: Sasha Levin commit 60e09765cee19f8e2abc95c1afd33729910a45ab Author: Ville Syrjälä Date: Fri Jun 9 17:13:53 2023 +0300 drm/i915/psr: Fix BDW PSR AUX CH data register offsets [ Upstream commit fdffb7dbc74f48cb1d404d9ab0c9fd769a59caf0 ] The multiplication got replaced by an addition in some cleanup. This means we never write the correct data to some of the BDW PSR data registers and thus we fail to actually wake up the panel from PSR. Fixes: 4ab4fa103217 ("drm/i915/psr: Make PSR registers relative to transcoders") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20230609141404.12729-3-ville.syrjala@linux.intel.com Reviewed-by: Jouni Högander (cherry picked from commit 460dc4ba1442b3e5e543328d11db2702b98d3d7c) Signed-off-by: Tvrtko Ursulin Signed-off-by: Sasha Levin commit e5f1e5a57fbacea0930f932842304b782ff2e9ad Author: Lin Ma Date: Mon Jul 3 19:08:42 2023 +0800 net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX [ Upstream commit 30c45b5361d39b4b793780ffac5538090b9e2eb1 ] The attribute TCA_PEDIT_PARMS_EX is not be included in pedit_policy and one malicious user could fake a TCA_PEDIT_PARMS_EX whose length is smaller than the intended sizeof(struct tc_pedit). Hence, the dereference in tcf_pedit_init() could access dirty heap data. static int tcf_pedit_init(...) { // ... pattr = tb[TCA_PEDIT_PARMS]; // TCA_PEDIT_PARMS is included if (!pattr) pattr = tb[TCA_PEDIT_PARMS_EX]; // but this is not // ... parm = nla_data(pattr); index = parm->index; // parm is able to be smaller than 4 bytes // and this dereference gets dirty skb_buff // data created in netlink_sendmsg } This commit adds TCA_PEDIT_PARMS_EX length in pedit_policy which avoid the above case, just like the TCA_PEDIT_PARMS. Fixes: 71d0ed7079df ("net/act_pedit: Support using offset relative to the conventional network headers") Signed-off-by: Lin Ma Reviewed-by: Pedro Tammela Link: https://lore.kernel.org/r/20230703110842.590282-1-linma@zju.edu.cn Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit bc229885125741f5d88550e4e6851a475015ec33 Author: Ilya Maximets Date: Mon Jul 3 19:53:29 2023 +0200 xsk: Honor SO_BINDTODEVICE on bind [ Upstream commit f7306acec9aae9893d15e745c8791124d42ab10a ] Initial creation of an AF_XDP socket requires CAP_NET_RAW capability. A privileged process might create the socket and pass it to a non-privileged process for later use. However, that process will be able to bind the socket to any network interface. Even though it will not be able to receive any traffic without modification of the BPF map, the situation is not ideal. Sockets already have a mechanism that can be used to restrict what interface they can be attached to. That is SO_BINDTODEVICE. To change the SO_BINDTODEVICE binding the process will need CAP_NET_RAW. Make xsk_bind() honor the SO_BINDTODEVICE in order to allow safer workflow when non-privileged process is using AF_XDP. The intended workflow is following: 1. First process creates a bare socket with socket(AF_XDP, ...). 2. First process loads the XSK program to the interface. 3. First process adds the socket fd to a BPF map. 4. First process ties socket fd to a particular interface using SO_BINDTODEVICE. 5. First process sends socket fd to a second process. 6. Second process allocates UMEM. 7. Second process binds socket to the interface with bind(...). 8. Second process sends/receives the traffic. All the steps above are possible today if the first process is privileged and the second one has sufficient RLIMIT_MEMLOCK and no capabilities. However, the second process will be able to bind the socket to any interface it wants on step 7 and send traffic from it. With the proposed change, the second process will be able to bind the socket only to a specific interface chosen by the first process at step 4. Fixes: 965a99098443 ("xsk: add support for bind for Rx") Signed-off-by: Ilya Maximets Signed-off-by: Daniel Borkmann Acked-by: Magnus Karlsson Acked-by: John Fastabend Acked-by: Jason Wang Link: https://lore.kernel.org/bpf/20230703175329.3259672-1-i.maximets@ovn.org Signed-off-by: Sasha Levin commit 90b9e7202676742ede5f1e6c46000a53c6a6c4c0 Author: SeongJae Park Date: Sat Jul 1 17:14:47 2023 +0000 bpf, btf: Warn but return no error for NULL btf from __register_btf_kfunc_id_set() [ Upstream commit 3de4d22cc9ac7c9f38e10edcf54f9a8891a9c2aa ] __register_btf_kfunc_id_set() assumes .BTF to be part of the module's .ko file if CONFIG_DEBUG_INFO_BTF is enabled. If that's not the case, the function prints an error message and return an error. As a result, such modules cannot be loaded. However, the section could be stripped out during a build process. It would be better to let the modules loaded, because their basic functionalities have no problem [0], though the BTF functionalities will not be supported. Make the function to lower the level of the message from error to warn, and return no error. [0] https://lore.kernel.org/bpf/20220219082037.ow2kbq5brktf4f2u@apollo.legion Fixes: c446fdacb10d ("bpf: fix register_btf_kfunc_id_set for !CONFIG_DEBUG_INFO_BTF") Reported-by: Alexander Egorenkov Suggested-by: Kumar Kartikeya Dwivedi Signed-off-by: SeongJae Park Signed-off-by: Daniel Borkmann Acked-by: Jiri Olsa Link: https://lore.kernel.org/bpf/87y228q66f.fsf@oc8242746057.ibm.com Link: https://lore.kernel.org/bpf/20220219082037.ow2kbq5brktf4f2u@apollo.legion Link: https://lore.kernel.org/bpf/20230701171447.56464-1-sj@kernel.org Signed-off-by: Sasha Levin commit f9d46429de2a251e1e4962e1bf86c344d6336562 Author: Maxime Coquelin Date: Thu Jun 22 22:48:51 2023 +0200 vduse: fix NULL pointer dereference [ Upstream commit f06cf1e1a503169280467d12d2ec89bf2c30ace7 ] vduse_vdpa_set_vq_affinity callback can be called with NULL value as cpu_mask when deleting the vduse device. This patch resets virtqueue's IRQ affinity mask value to set all CPUs instead of dereferencing NULL cpu_mask. [ 4760.952149] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 4760.959110] #PF: supervisor read access in kernel mode [ 4760.964247] #PF: error_code(0x0000) - not-present page [ 4760.969385] PGD 0 P4D 0 [ 4760.971927] Oops: 0000 [#1] PREEMPT SMP PTI [ 4760.976112] CPU: 13 PID: 2346 Comm: vdpa Not tainted 6.4.0-rc6+ #4 [ 4760.982291] Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.8.1 06/26/2020 [ 4760.989769] RIP: 0010:memcpy_orig+0xc5/0x130 [ 4760.994049] Code: 16 f8 4c 89 07 4c 89 4f 08 4c 89 54 17 f0 4c 89 5c 17 f8 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 fa 08 72 1b <4c> 8b 06 4c 8b 4c 16 f8 4c 89 07 4c 89 4c 17 f8 c3 cc cc cc cc 66 [ 4761.012793] RSP: 0018:ffffb1d565abb830 EFLAGS: 00010246 [ 4761.018020] RAX: ffff9f4bf6b27898 RBX: ffff9f4be23969c0 RCX: ffff9f4bcadf6400 [ 4761.025152] RDX: 0000000000000008 RSI: 0000000000000000 RDI: ffff9f4bf6b27898 [ 4761.032286] RBP: 0000000000000000 R08: 0000000000000008 R09: 0000000000000000 [ 4761.039416] R10: 0000000000000000 R11: 0000000000000600 R12: 0000000000000000 [ 4761.046549] R13: 0000000000000000 R14: 0000000000000080 R15: ffffb1d565abbb10 [ 4761.053680] FS: 00007f64c2ec2740(0000) GS:ffff9f635f980000(0000) knlGS:0000000000000000 [ 4761.061765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4761.067513] CR2: 0000000000000000 CR3: 0000001875270006 CR4: 00000000007706e0 [ 4761.074645] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4761.081775] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4761.088909] PKRU: 55555554 [ 4761.091620] Call Trace: [ 4761.094074] [ 4761.096180] ? __die+0x1f/0x70 [ 4761.099238] ? page_fault_oops+0x171/0x4f0 [ 4761.103340] ? exc_page_fault+0x7b/0x180 [ 4761.107265] ? asm_exc_page_fault+0x22/0x30 [ 4761.111460] ? memcpy_orig+0xc5/0x130 [ 4761.115126] vduse_vdpa_set_vq_affinity+0x3e/0x50 [vduse] [ 4761.120533] virtnet_clean_affinity.part.0+0x3d/0x90 [virtio_net] [ 4761.126635] remove_vq_common+0x1a4/0x250 [virtio_net] [ 4761.131781] virtnet_remove+0x5d/0x70 [virtio_net] [ 4761.136580] virtio_dev_remove+0x3a/0x90 [ 4761.140509] device_release_driver_internal+0x19b/0x200 [ 4761.145742] bus_remove_device+0xc2/0x130 [ 4761.149755] device_del+0x158/0x3e0 [ 4761.153245] ? kernfs_find_ns+0x35/0xc0 [ 4761.157086] device_unregister+0x13/0x60 [ 4761.161010] unregister_virtio_device+0x11/0x20 [ 4761.165543] device_release_driver_internal+0x19b/0x200 [ 4761.170770] bus_remove_device+0xc2/0x130 [ 4761.174782] device_del+0x158/0x3e0 [ 4761.178276] ? __pfx_vdpa_name_match+0x10/0x10 [vdpa] [ 4761.183336] device_unregister+0x13/0x60 [ 4761.187260] vdpa_nl_cmd_dev_del_set_doit+0x63/0xe0 [vdpa] Fixes: 28f6288eb63d ("vduse: Support set_vq_affinity callback") Cc: xieyongji@bytedance.com Signed-off-by: Maxime Coquelin Message-Id: <20230622204851.318125-1-maxime.coquelin@redhat.com> Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Reviewed-by: Xie Yongji Signed-off-by: Sasha Levin commit 5738c0c4eec970c2629efd827053336a4f8b1ca0 Author: Eric Dumazet Date: Thu Jun 29 16:41:50 2023 +0000 tcp: annotate data races in __tcp_oow_rate_limited() [ Upstream commit 998127cdb4699b9d470a9348ffe9f1154346be5f ] request sockets are lockless, __tcp_oow_rate_limited() could be called on the same object from different cpus. This is harmless. Add READ_ONCE()/WRITE_ONCE() annotations to avoid a KCSAN report. Fixes: 4ce7e93cb3fe ("tcp: rate limit ACK sent by SYN_RECV request sockets") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 58f9e88eb247263c74383b4ee8858abac15cdbe0 Author: Eric Dumazet Date: Sat Jul 1 02:48:24 2023 +0000 net: fix net_dev_start_xmit trace event vs skb_transport_offset() [ Upstream commit f88fcb1d7d961b4b402d675109726f94db87571c ] After blamed commit, we must be more careful about using skb_transport_offset(), as reminded us by syzbot: WARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 skb_transport_offset include/linux/skbuff.h:2977 [inline] WARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14 Modules linked in: CPU: 0 PID: 10 Comm: kworker/u4:1 Not tainted 6.1.30-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet RIP: 0010:skb_transport_header include/linux/skbuff.h:2868 [inline] RIP: 0010:skb_transport_offset include/linux/skbuff.h:2977 [inline] RIP: 0010:perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14 Code: 8b 04 25 28 00 00 00 48 3b 84 24 c0 00 00 00 0f 85 4e 04 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc e8 56 22 01 fd <0f> 0b e9 f6 fc ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 86 f9 ff RSP: 0018:ffffc900002bf700 EFLAGS: 00010293 RAX: ffffffff8485d8ca RBX: 000000000000ffff RCX: ffff888100914280 RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff RBP: ffffc900002bf818 R08: ffffffff8485d5b6 R09: fffffbfff0f8fb5e R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff110217d8f67 R13: ffff88810bec7b3a R14: dffffc0000000000 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f96cf6d52f0 CR3: 000000012224c000 CR4: 0000000000350ef0 Call Trace: [] trace_net_dev_start_xmit include/trace/events/net.h:14 [inline] [] xmit_one net/core/dev.c:3643 [inline] [] dev_hard_start_xmit+0x705/0x980 net/core/dev.c:3660 [] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [] dev_queue_xmit include/linux/netdevice.h:3030 [inline] [] batadv_send_skb_packet+0x3f3/0x680 net/batman-adv/send.c:108 [] batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127 [] batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline] [] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:421 [inline] [] batadv_iv_send_outstanding_bat_ogm_packet+0x69a/0x840 net/batman-adv/bat_iv_ogm.c:1701 [] process_one_work+0x8ac/0x1170 kernel/workqueue.c:2289 [] worker_thread+0xaa8/0x12d0 kernel/workqueue.c:2436 Fixes: 66e4c8d95008 ("net: warn if transport header was not set") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ea08220190361ac35a4e77d40cff639c21c26f42 Author: Vladimir Oltean Date: Sat Jul 1 01:20:10 2023 +0300 net: dsa: tag_sja1105: fix source port decoding in vlan_filtering=0 bridge mode [ Upstream commit a398b9ea0c3b791b7a0f4c6029a62cf628f97f22 ] There was a regression introduced by the blamed commit, where pinging to a VLAN-unaware bridge would fail with the repeated message "Couldn't decode source port" coming from the tagging protocol driver. When receiving packets with a bridge_vid as determined by dsa_tag_8021q_bridge_join(), dsa_8021q_rcv() will decode: - source_port = 0 (which isn't really valid, more like "don't know") - switch_id = 0 (which isn't really valid, more like "don't know") - vbid = value in range 1-7 Since the blamed patch has reversed the order of the checks, we are now going to believe that source_port != -1 and switch_id != -1, so they're valid, but they aren't. The minimal solution to the problem is to only populate source_port and switch_id with what dsa_8021q_rcv() came up with, if the vbid is zero, i.e. the source port information is trustworthy. Fixes: c1ae02d87689 ("net: dsa: tag_sja1105: always prefer source port information from INCL_SRCPT") Signed-off-by: Vladimir Oltean Reviewed-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f8fe2df13a0fe3e4044cf148615031a77d4f7c35 Author: Vladimir Oltean Date: Fri Jun 30 19:41:18 2023 +0300 net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode [ Upstream commit 6ca3c005d0604e8d2b439366e3923ea58db99641 ] According to the synchronization rules for .ndo_get_stats() as seen in Documentation/networking/netdevices.rst, acquiring a plain spin_lock() should not be illegal, but the bridge driver implementation makes it so. After running these commands, I am being faced with the following lockdep splat: $ ip link add link swp0 name macsec0 type macsec encrypt on && ip link set swp0 up $ ip link add dev br0 type bridge vlan_filtering 1 && ip link set br0 up $ ip link set macsec0 master br0 && ip link set macsec0 up ======================================================== WARNING: possible irq lock inversion dependency detected 6.4.0-04295-g31b577b4bd4a #603 Not tainted -------------------------------------------------------- swapper/1/0 just changed the state of lock: ffff6bd348724cd8 (&br->lock){+.-.}-{3:3}, at: br_forward_delay_timer_expired+0x34/0x198 but this lock took another, SOFTIRQ-unsafe lock in the past: (&ocelot->stats_lock){+.+.}-{3:3} and interrupts could create inverse lock ordering between them. other info that might help us debug this: Chain exists of: &br->lock --> &br->hash_lock --> &ocelot->stats_lock Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&ocelot->stats_lock); local_irq_disable(); lock(&br->lock); lock(&br->hash_lock); lock(&br->lock); *** DEADLOCK *** (details about the 3 locks skipped) swp0 is instantiated by drivers/net/dsa/ocelot/felix.c, and this only matters to the extent that its .ndo_get_stats64() method calls spin_lock(&ocelot->stats_lock). Documentation/locking/lockdep-design.rst says: | A lock is irq-safe means it was ever used in an irq context, while a lock | is irq-unsafe means it was ever acquired with irq enabled. (...) | Furthermore, the following usage based lock dependencies are not allowed | between any two lock-classes:: | | -> | -> Lockdep marks br->hash_lock as softirq-safe, because it is sometimes taken in softirq context (for example br_fdb_update() which runs in NET_RX softirq), and when it's not in softirq context it blocks softirqs by using spin_lock_bh(). Lockdep marks ocelot->stats_lock as softirq-unsafe, because it never blocks softirqs from running, and it is never taken from softirq context. So it can always be interrupted by softirqs. There is a call path through which a function that holds br->hash_lock: fdb_add_hw_addr() will call a function that acquires ocelot->stats_lock: ocelot_port_get_stats64(). This can be seen below: ocelot_port_get_stats64+0x3c/0x1e0 felix_get_stats64+0x20/0x38 dsa_slave_get_stats64+0x3c/0x60 dev_get_stats+0x74/0x2c8 rtnl_fill_stats+0x4c/0x150 rtnl_fill_ifinfo+0x5cc/0x7b8 rtmsg_ifinfo_build_skb+0xe4/0x150 rtmsg_ifinfo+0x5c/0xb0 __dev_notify_flags+0x58/0x200 __dev_set_promiscuity+0xa0/0x1f8 dev_set_promiscuity+0x30/0x70 macsec_dev_change_rx_flags+0x68/0x88 __dev_set_promiscuity+0x1a8/0x1f8 __dev_set_rx_mode+0x74/0xa8 dev_uc_add+0x74/0xa0 fdb_add_hw_addr+0x68/0xd8 fdb_add_local+0xc4/0x110 br_fdb_add_local+0x54/0x88 br_add_if+0x338/0x4a0 br_add_slave+0x20/0x38 do_setlink+0x3a4/0xcb8 rtnl_newlink+0x758/0x9d0 rtnetlink_rcv_msg+0x2f0/0x550 netlink_rcv_skb+0x128/0x148 rtnetlink_rcv+0x24/0x38 the plain English explanation for it is: The macsec0 bridge port is created without p->flags & BR_PROMISC, because it is what br_manage_promisc() decides for a VLAN filtering bridge with a single auto port. As part of the br_add_if() procedure, br_fdb_add_local() is called for the MAC address of the device, and this results in a call to dev_uc_add() for macsec0 while the softirq-safe br->hash_lock is taken. Because macsec0 does not have IFF_UNICAST_FLT, dev_uc_add() ends up calling __dev_set_promiscuity() for macsec0, which is propagated by its implementation, macsec_dev_change_rx_flags(), to the lower device: swp0. This triggers the call path: dev_set_promiscuity(swp0) -> rtmsg_ifinfo() -> dev_get_stats() -> ocelot_port_get_stats64() with a calling context that lockdep doesn't like (br->hash_lock held). Normally we don't see this, because even though many drivers that can be bridge ports don't support IFF_UNICAST_FLT, we need a driver that (a) doesn't support IFF_UNICAST_FLT, *and* (b) it forwards the IFF_PROMISC flag to another driver, and (c) *that* driver implements ndo_get_stats64() using a softirq-unsafe spinlock. Condition (b) is necessary because the first __dev_set_rx_mode() calls __dev_set_promiscuity() with "bool notify=false", and thus, the rtmsg_ifinfo() code path won't be entered. The same criteria also hold true for DSA switches which don't report IFF_UNICAST_FLT. When the DSA master uses a spin_lock() in its ndo_get_stats64() method, the same lockdep splat can be seen. I think the deadlock possibility is real, even though I didn't reproduce it, and I'm thinking of the following situation to support that claim: fdb_add_hw_addr() runs on a CPU A, in a context with softirqs locally disabled and br->hash_lock held, and may end up attempting to acquire ocelot->stats_lock. In parallel, ocelot->stats_lock is currently held by a thread B (say, ocelot_check_stats_work()), which is interrupted while holding it by a softirq which attempts to lock br->hash_lock. Thread B cannot make progress because br->hash_lock is held by A. Whereas thread A cannot make progress because ocelot->stats_lock is held by B. When taking the issue at face value, the bridge can avoid that problem by simply making the ports promiscuous from a code path with a saner calling context (br->hash_lock not held). A bridge port without IFF_UNICAST_FLT is going to become promiscuous as soon as we call dev_uc_add() on it (which we do unconditionally), so why not be preemptive and make it promiscuous right from the beginning, so as to not be taken by surprise. With this, we've broken the links between code that holds br->hash_lock or br->lock and code that calls into the ndo_change_rx_flags() or ndo_get_stats64() ops of the bridge port. Fixes: 2796d0c648c9 ("bridge: Automatically manage port promiscuous mode.") Signed-off-by: Vladimir Oltean Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b018ce10361b8b24d7e6ec1d530cb4ce29732fe4 Author: Pali Rohár Date: Fri May 5 19:28:18 2023 +0200 powerpc: dts: turris1x.dts: Fix PCIe MEM size for pci2 node [ Upstream commit abaa02fc944f2f9f2c2e1925ddaceaf35c48528c ] Freescale PCIe controllers on their PCIe Root Ports do not have any mappable PCI BAR allocate from PCIe MEM. Information about 1MB window on BAR0 of PCIe Root Port was misleading because Freescale PCIe controllers have at BAR0 position different register PEXCSRBAR, and kernel correctly skipts BAR0 for these Freescale PCIe Root Ports. So update comment about P2020 PCIe Root Port and decrease PCIe MEM size required for PCIe controller (pci2 node) on which is on-board xHCI controller. lspci confirms that on P2020 PCIe Root Port is no PCI BAR and /proc/iomem sees that only c0000000-c000ffff and c0010000-c0011fff ranges are used. Fixes: 54c15ec3b738 ("powerpc: dts: Add DTS file for CZ.NIC Turris 1.x routers") Signed-off-by: Pali Rohár Signed-off-by: Michael Ellerman Link: https://msgid.link/20230505172818.18416-1-pali@kernel.org Signed-off-by: Sasha Levin commit d31ee3376fe2aedb180d4ef26b8f5ea03442a654 Author: Randy Dunlap Date: Fri Jun 30 22:47:12 2023 -0700 powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y [ Upstream commit 39f49684036d24af800ff194c33c7b2653c591d7 ] In a randconfig with CONFIG_SERIAL_CPM=m and CONFIG_PPC_EARLY_DEBUG_CPM=y, there is a build error: ERROR: modpost: "udbg_putc" [drivers/tty/serial/cpm_uart/cpm_uart.ko] undefined! Prevent the build error by allowing PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y. Fixes: c374e00e17f1 ("[POWERPC] Add early debug console for CPM serial ports.") Signed-off-by: Randy Dunlap Reviewed-by: Pali Rohár Reviewed-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://msgid.link/20230701054714.30512-1-rdunlap@infradead.org Signed-off-by: Sasha Levin commit 721b75ea2dfce53a8890dff92ae01afca8e74f88 Author: Zeng Heng Date: Thu Dec 8 00:28:07 2022 +0800 ntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr() [ Upstream commit 3c675ddffb17a8b1e32efad5c983254af18b12c2 ] Here is a BUG report from syzbot: BUG: KASAN: slab-out-of-bounds in ntfs_list_ea fs/ntfs3/xattr.c:191 [inline] BUG: KASAN: slab-out-of-bounds in ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710 Read of size 1 at addr ffff888021acaf3d by task syz-executor128/3632 Call Trace: ntfs_list_ea fs/ntfs3/xattr.c:191 [inline] ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710 vfs_listxattr fs/xattr.c:457 [inline] listxattr+0x293/0x2d0 fs/xattr.c:804 Fix the logic of ea_all iteration. When the ea->name_len is 0, return immediately, or Add2Ptr() would visit invalid memory in the next loop. Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations") Reported-by: syzbot+9fcea5ef6dc4dc72d334@syzkaller.appspotmail.com Signed-off-by: Zeng Heng [almaz.alexandrovich@paragon-software.com: lines of the patch have changed] Signed-off-by: Konstantin Komarov Signed-off-by: Sasha Levin commit 84996061793a60447abc77d310a5566101af7747 Author: Hariprasad Kelam Date: Fri Jun 30 11:58:45 2023 +0530 octeontx2-af: Reset MAC features in FLR [ Upstream commit 2e3e94c2f5dc98a8a0e93850407064bc5389c306 ] AF driver configures MAC features like internal loopback and PFC upon receiving the request from PF and its VF netdev. But these features are not getting reset in FLR. This patch fixes the issue by resetting the same. Fixes: 23999b30ae67 ("octeontx2-af: Enable or disable CGX internal loopback") Fixes: 1121f6b02e7a ("octeontx2-af: Priority flow control configuration support") Signed-off-by: Hariprasad Kelam Signed-off-by: Sunil Goutham Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b04872e15f3df62cb2fd530950f769626e1ef489 Author: Hariprasad Kelam Date: Fri Jun 30 11:58:44 2023 +0530 octeontx2-af: Add validation before accessing cgx and lmac [ Upstream commit 79ebb53772c95d3a6ae51b3c65f9985fdd430df6 ] with the addition of new MAC blocks like CN10K RPM and CN10KB RPM_USX, LMACs are noncontiguous and CGX blocks are also noncontiguous. But during RVU driver initialization, the driver is assuming they are contiguous and trying to access cgx or lmac with their id which is resulting in kernel panic. This patch fixes the issue by adding proper checks. [ 23.219150] pc : cgx_lmac_read+0x38/0x70 [ 23.219154] lr : rvu_program_channels+0x3f0/0x498 [ 23.223852] sp : ffff000100d6fc80 [ 23.227158] x29: ffff000100d6fc80 x28: ffff00010009f880 x27: 000000000000005a [ 23.234288] x26: ffff000102586768 x25: 0000000000002500 x24: fffffffffff0f000 Fixes: 91c6945ea1f9 ("octeontx2-af: cn10k: Add RPM MAC support") Signed-off-by: Hariprasad Kelam Signed-off-by: Sunil Goutham Reviewed-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 425a724a7c6e62c7257080f932c42b0570d013a0 Author: Hariprasad Kelam Date: Fri Jun 30 11:58:43 2023 +0530 octeontx2-af: Fix mapping for NIX block from CGX connection [ Upstream commit 2e7bc57b976bb016c6569a54d95c1b8d88f9450a ] Firmware configures NIX block mapping for all MAC blocks. The current implementation reads the configuration and creates the mapping between RVU PF and NIX blocks. But this configuration is only valid for silicons that support multiple blocks. For all other silicons, all MAC blocks map to NIX0. This patch corrects the mapping by adding a check for the same. Fixes: c5a73b632b90 ("octeontx2-af: Map NIX block from CGX connection") Signed-off-by: Hariprasad Kelam Signed-off-by: Sunil Goutham Reviewed-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1faafa54bb80fb0394ab3624f1713149a969425f Author: Hariprasad Kelam Date: Fri Jun 30 11:58:42 2023 +0530 octeontx2-af: cn10kb: fix interrupt csr addresses [ Upstream commit 4c5a331cacda995e995a7857f0e44e8937d98d2c ] The current design is that, for asynchronous events like link_up and link_down firmware raises the interrupt to kernel. The previous patch which added RPM_USX driver has a bug where it uses old csr addresses for configuring interrupts. Which is resulting in losing interrupts from source firmware. This patch fixes the issue by correcting csr addresses. Fixes: b9d0fedc6234 ("octeontx2-af: cn10kb: Add RPM_USX MAC support") Signed-off-by: Hariprasad Kelam Signed-off-by: Sunil Goutham Reviewed-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0dc1f2b88b6ef0fdc467e377c542c1d68196ce07 Author: Chao Yu Date: Thu Jun 29 09:41:02 2023 +0800 f2fs: fix error path handling in truncate_dnode() [ Upstream commit 0135c482fa97e2fd8245cb462784112a00ed1211 ] If truncate_node() fails in truncate_dnode(), it missed to call f2fs_put_page(), fix it. Fixes: 7735730d39d7 ("f2fs: fix to propagate error from __get_meta_page()") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit dfaa428d137d61cc66f61bc3ba47c096df4c8f2b Author: Nishanth Menon Date: Tue Jun 20 20:00:22 2023 -0500 mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 [ Upstream commit 1b712f18c461bd75f018033a15cf381e712806b5 ] Sec proxy/message manager data buffer is 60 bytes with the last of the registers indicating transmission completion. This however poses a bit of a challenge. The backing memory for sec_proxy / message manager is regular memory, and all sec proxy does is to trigger a burst of all 60 bytes of data over to the target thread backing ring accelerator. It doesn't do a memory scrub when it moves data out in the burst. When we transmit multiple messages, remnants of previous message is also transmitted which results in some random data being set in TISCI fields of messages that have been expanded forward. The entire concept of backward compatibility hinges on the fact that the unused message fields remain 0x0 allowing for 0x0 value to be specially considered when backward compatibility of message extension is done. So, instead of just writing the completion register, we continue to fill the message buffer up with 0x0 (note: for partial message involving completion, we already do this). This allows us to scale and introduce ABI changes back also work with other boot stages that may have left data in the internal memory. While at this, be consistent and explicit with the data_reg pointer increment. Fixes: aace66b170ce ("mailbox: Introduce TI message manager driver") Signed-off-by: Nishanth Menon Signed-off-by: Jassi Brar Signed-off-by: Sasha Levin commit a389109fb8e0bd32e3c33e703686199c4a876bdf Author: Mario Limonciello Date: Thu Jun 22 22:18:39 2023 -0500 drm/amd: Don't try to enable secure display TA multiple times [ Upstream commit 5c6d52ff4b61e5267b25be714eb5a9ba2a338199 ] If the securedisplay TA failed to load the first time, it's unlikely to work again after a suspend/resume cycle or reset cycle and it appears to be causing problems in futher attempts. Fixes: e42dfa66d592 ("drm/amdgpu: Add secure display TA load for Renoir") Reported-by: Filip Hejsek Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/2633 Signed-off-by: Mario Limonciello Acked-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit f0f26d35d4ac4ed4da29deb1a0f6503e95c54fc8 Author: Christian König Date: Tue Jun 20 13:18:13 2023 +0200 drm/amdgpu: fix number of fence calculations [ Upstream commit 570b295248b00c3cf4cf59e397de5cb2361e10c2 ] Since adding gang submit we need to take the gang size into account while reserving fences. Signed-off-by: Christian König Fixes: 4624459c84d7 ("drm/amdgpu: add gang submit frontend v6") Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 22ae32d80ef590d12a2364e4621f90f7c58445c7 Author: Jonas Gorski Date: Thu Jun 29 15:43:05 2023 +0200 spi: bcm-qspi: return error if neither hif_mspi nor mspi is available [ Upstream commit 7c1f23ad34fcdace50275a6aa1e1969b41c6233f ] If neither a "hif_mspi" nor "mspi" resource is present, the driver will just early exit in probe but still return success. Apart from not doing anything meaningful, this would then also lead to a null pointer access on removal, as platform_get_drvdata() would return NULL, which it would then try to dereference when trying to unregister the spi master. Fix this by unconditionally calling devm_ioremap_resource(), as it can handle a NULL res and will then return a viable ERR_PTR() if we get one. The "return 0;" was previously a "goto qspi_resource_err;" where then ret was returned, but since ret was still initialized to 0 at this place this was a valid conversion in 63c5395bb7a9 ("spi: bcm-qspi: Fix use-after-free on unbind"). The issue was not introduced by this commit, only made more obvious. Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver") Signed-off-by: Jonas Gorski Reviewed-by: Kamal Dasu Link: https://lore.kernel.org/r/20230629134306.95823-1-jonas.gorski@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit cd716022c968bc6748f23708b986f845b45791b7 Author: Zhengchao Shao Date: Fri Jun 30 09:26:47 2023 +0800 mlxsw: minimal: fix potential memory leak in mlxsw_m_linecards_init [ Upstream commit 08fc75735fda3be97194bfbf3c899c87abb3d0fe ] The line cards array is not freed in the error path of mlxsw_m_linecards_init(), which can lead to a memory leak. Fix by freeing the array in the error path, thereby making the error path identical to mlxsw_m_linecards_fini(). Fixes: 01328e23a476 ("mlxsw: minimal: Extend module to port mapping with slot index") Signed-off-by: Zhengchao Shao Reviewed-by: Petr Machata Reviewed-by: Ido Schimmel Link: https://lore.kernel.org/r/20230630012647.1078002-1-shaozhengchao@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 82b3e8afba06362204137d1455d79732ad1f1dfc Author: Pawel Dembicki Date: Wed Jun 28 21:43:27 2023 +0200 net: dsa: vsc73xx: fix MTU configuration [ Upstream commit 3cf62c8177adb0db9e15c8b898c44f997acf3ebf ] Switch in MAXLEN register stores the maximum size of a data frame. The MTU size is 18 bytes smaller than the frame size. The current settings are causing problems with packet forwarding. This patch fixes the MTU settings to proper values. Fixes: fb77ffc6ec86 ("net: dsa: vsc73xx: make the MTU configurable") Reviewed-by: Linus Walleij Signed-off-by: Pawel Dembicki Reviewed-by: Vladimir Oltean Link: https://lore.kernel.org/r/20230628194327.1765644-1-paweldembicki@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 91a0632e73070928aafeb36b3cc676843c716931 Author: Nick Child Date: Wed Jun 28 13:22:44 2023 -0500 ibmvnic: Do not reset dql stats on NON_FATAL err [ Upstream commit 48538ccb825b05544ec308a509e2cc9c013402db ] All ibmvnic resets, make a call to netdev_tx_reset_queue() when re-opening the device. netdev_tx_reset_queue() resets the num_queued and num_completed byte counters. These stats are used in Byte Queue Limit (BQL) algorithms. The difference between these two stats tracks the number of bytes currently sitting on the physical NIC. ibmvnic increases the number of queued bytes though calls to netdev_tx_sent_queue() in the drivers xmit function. When, VIOS reports that it is done transmitting bytes, the ibmvnic device increases the number of completed bytes through calls to netdev_tx_completed_queue(). It is important to note that the driver batches its transmit calls and num_queued is increased every time that an skb is added to the next batch, not necessarily when the batch is sent to VIOS for transmission. Unlike other reset types, a NON FATAL reset will not flush the sub crq tx buffers. Therefore, it is possible for the batched skb array to be partially full. So if there is call to netdev_tx_reset_queue() when re-opening the device, the value of num_queued (0) would not account for the skb's that are currently batched. Eventually, when the batch is sent to VIOS, the call to netdev_tx_completed_queue() would increase num_completed to a value greater than the num_queued. This causes a BUG_ON crash: ibmvnic 30000002: Firmware reports error, cause: adapter problem. Starting recovery... ibmvnic 30000002: tx error 600 ibmvnic 30000002: tx error 600 ibmvnic 30000002: tx error 600 ibmvnic 30000002: tx error 600 ------------[ cut here ]------------ kernel BUG at lib/dynamic_queue_limits.c:27! Oops: Exception in kernel mode, sig: 5 [....] NIP dql_completed+0x28/0x1c0 LR ibmvnic_complete_tx.isra.0+0x23c/0x420 [ibmvnic] Call Trace: ibmvnic_complete_tx.isra.0+0x3f8/0x420 [ibmvnic] (unreliable) ibmvnic_interrupt_tx+0x40/0x70 [ibmvnic] __handle_irq_event_percpu+0x98/0x270 ---[ end trace ]--- Therefore, do not reset the dql stats when performing a NON_FATAL reset. Fixes: 0d973388185d ("ibmvnic: Introduce xmit_more support using batched subCRQ hcalls") Signed-off-by: Nick Child Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 048b241b7f5f318e4eca6a42e64d650dbe6359c3 Author: Martin Habets Date: Wed Jun 28 13:32:20 2023 +0100 sfc: support for devlink port requires MAE access [ Upstream commit 915057ae79692d47f9fb3504785855be49abaea4 ] On systems without MAE permission efx->mae is not initialised, and trying to lookup an mport results in a NULL pointer dereference. Fixes: 25414b2a64ae ("sfc: add devlink port support for ef100") Signed-off-by: Martin Habets Reviewed-by: Jacob Keller Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 662d31232b2c9155e7b1b34a815ee33e3abeed23 Author: Luiz Augusto von Dentz Date: Wed Jun 7 12:33:47 2023 -0700 Bluetooth: MGMT: Fix marking SCAN_RSP as not connectable [ Upstream commit 73f55453ea5236a586a7f1b3d5e2ee051d655351 ] When receiving a scan response there is no way to know if the remote device is connectable or not, so when it cannot be merged don't make any assumption and instead just mark it with a new flag defined as MGMT_DEV_FOUND_SCAN_RSP so userspace can tell it is a standalone SCAN_RSP. Link: https://lore.kernel.org/linux-bluetooth/CABBYNZ+CYMsDSPTxBn09Js3BcdC-x7vZFfyLJ3ppZGGwJKmUTw@mail.gmail.com/ Fixes: c70a7e4cc8d2 ("Bluetooth: Add support for Not Connectable flag for Device Found events") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 90845ae29e68fe9091cbddacb347a50c60ec75e7 Author: Pauli Virtanen Date: Thu Jun 1 09:34:43 2023 +0300 Bluetooth: ISO: use hci_sync for setting CIG parameters [ Upstream commit 6b9545dc9f8ff01d8bc1229103960d9cd265343f ] When reconfiguring CIG after disconnection of the last CIS, LE Remove CIG shall be sent before LE Set CIG Parameters. Otherwise, it fails because CIG is in the inactive state and not configurable (Core v5.3 Vol 6 Part B Sec. 4.5.14.3). This ordering is currently wrong under suitable timing conditions, because LE Remove CIG is sent via the hci_sync queue and may be delayed, but Set CIG Parameters is via hci_send_cmd. Make the ordering well-defined by sending also Set CIG Parameters via hci_sync. Fixes: 26afbd826ee3 ("Bluetooth: Add initial implementation of CIS connections") Signed-off-by: Pauli Virtanen Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 9e65e361e3d41c910746f44778bd55d7563c4a0e Author: Johan Hovold Date: Wed May 31 11:04:23 2023 +0200 Bluetooth: fix invalid-bdaddr quirk for non-persistent setup [ Upstream commit 0cb7365850bacb8c2a9975cae672d65714d8daa1 ] Devices that lack persistent storage for the device address can indicate this by setting the HCI_QUIRK_INVALID_BDADDR which causes the controller to be marked as unconfigured until user space has set a valid address. Once configured, the device address must be set on every setup for controllers with HCI_QUIRK_NON_PERSISTENT_SETUP to avoid marking the controller as unconfigured and requiring the address to be set again. Fixes: 740011cfe948 ("Bluetooth: Add new quirk for non-persistent setup settings") Signed-off-by: Johan Hovold Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit bd95be10a23e143d79008ad3fdbe239b6a39827f Author: Tobias Heider Date: Wed Jun 28 02:13:32 2023 +0200 Add MODULE_FIRMWARE() for FIRMWARE_TG357766. [ Upstream commit 046f753da6143ee16452966915087ec8b0de3c70 ] Fixes a bug where on the M1 mac mini initramfs-tools fails to include the necessary firmware into the initrd. Fixes: c4dab50697ff ("tg3: Download 57766 EEE service patch firmware") Signed-off-by: Tobias Heider Reviewed-by: Michael Chan Link: https://lore.kernel.org/r/ZJt7LKzjdz8+dClx@tobhe.de Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 6028a6b3f9aeb233ad6435e1a566afaa2046743c Author: Vladimir Oltean Date: Tue Jun 27 12:42:07 2023 +0300 net: dsa: tag_sja1105: always prefer source port information from INCL_SRCPT [ Upstream commit c1ae02d876898b1b8ca1e12c6f84d7b406263800 ] Currently the sja1105 tagging protocol prefers using the source port information from the VLAN header if that is available, falling back to the INCL_SRCPT option if it isn't. The VLAN header is available for all frames except for META frames initiated by the switch (containing RX timestamps), and thus, the "if (is_link_local)" branch is practically dead. The tag_8021q source port identification has become more loose ("imprecise") and will report a plausible rather than exact bridge port, when under a bridge (be it VLAN-aware or VLAN-unaware). But link-local traffic always needs to know the precise source port. With incorrect source port reporting, for example PTP traffic over 2 bridged ports will all be seen on sockets opened on the first such port, which is incorrect. Now that the tagging protocol has been changed to make link-local frames always contain source port information, we can reverse the order of the checks so that we always give precedence to that information (which is always precise) in lieu of the tag_8021q VID which is only precise for a standalone port. Fixes: d7f9787a763f ("net: dsa: tag_8021q: add support for imprecise RX based on the VBID") Fixes: 91495f21fcec ("net: dsa: tag_8021q: replace the SVL bridging with VLAN-unaware IVL bridging") Signed-off-by: Vladimir Oltean Reviewed-by: Simon Horman Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 89fd65ca2fb920a8ed76115b96c496f55a9f9183 Author: Vladimir Oltean Date: Tue Jun 27 12:42:06 2023 +0300 net: dsa: sja1105: always enable the INCL_SRCPT option [ Upstream commit b4638af8885af93cd70351081da1909c59342440 ] Link-local traffic on bridged SJA1105 ports is sometimes tagged by the hardware with source port information (when the port is under a VLAN aware bridge). The tag_8021q source port identification has become more loose ("imprecise") and will report a plausible rather than exact bridge port, when under a bridge (be it VLAN-aware or VLAN-unaware). But link-local traffic always needs to know the precise source port. Modify the driver logic (and therefore: the tagging protocol itself) to always include the source port information with link-local packets, regardless of whether the port is standalone, under a VLAN-aware or VLAN-unaware bridge. This makes it possible for the tagging driver to give priority to that information over the tag_8021q VLAN header. The big drawback with INCL_SRCPT is that it makes it impossible to distinguish between an original MAC DA of 01:80:C2:XX:YY:ZZ and 01:80:C2:AA:BB:ZZ, because the tagger just patches MAC DA bytes 3 and 4 with zeroes. Only if PTP RX timestamping is enabled, the switch will generate a META follow-up frame containing the RX timestamp and the original bytes 3 and 4 of the MAC DA. Those will be used to patch up the original packet. Nonetheless, in the absence of PTP RX timestamping, we have to live with this limitation, since it is more important to have the more precise source port information for link-local traffic. Fixes: d7f9787a763f ("net: dsa: tag_8021q: add support for imprecise RX based on the VBID") Fixes: 91495f21fcec ("net: dsa: tag_8021q: replace the SVL bridging with VLAN-unaware IVL bridging") Signed-off-by: Vladimir Oltean Reviewed-by: Simon Horman Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 7095192c7477208d6c8a96511d8fb6812a49bf5c Author: Vladimir Oltean Date: Tue Jun 27 19:31:14 2023 +0300 net: dsa: felix: don't drop PTP frames with tag_8021q when RX timestamping is disabled [ Upstream commit 2edcfcbb3c5946609be1d8875473a240b170673b ] The driver implements a workaround for the fact that it doesn't have an IRQ source to tell it whether PTP frames are available through the extraction registers, for those frames to be processed and passed towards the network stack. That workaround is to configure the switch, through felix_hwtstamp_set() -> felix_update_trapping_destinations(), to create two copies of PTP packets: one sent over Ethernet to the DSA master, and one to be consumed through the aforementioned CPU extraction queue registers. The reason why we want PTP packets to be consumed through the CPU extraction registers in the first place is because we want to see their hardware RX timestamp. With tag_8021q, that is only visible that way, and it isn't visible with the copy of the packet that's transmitted over Ethernet. The problem with the workaround implementation is that it drops the packet received over Ethernet, in expectation of its copy being present in the CPU extraction registers. However, if felix_hwtstamp_set() hasn't run (aka PTP RX timestamping is disabled), the driver will drop the original PTP frame and there will be no copy of it in the CPU extraction registers. So, the network stack will simply not see any PTP frame. Look at the port's trapping configuration to see whether the driver has previously enabled the CPU extraction registers. If it hasn't, just don't RX timestamp the frame and let it be passed up the stack by DSA, which is perfectly fine. Fixes: 0a6f17c6ae21 ("net: dsa: tag_ocelot_8021q: add support for PTP timestamping") Signed-off-by: Vladimir Oltean Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit ad1fb7de4604c551c6ddc7301d0c69a4011efc8b Author: Vladimir Oltean Date: Tue Jun 27 19:31:13 2023 +0300 net: mscc: ocelot: don't keep PTP configuration of all ports in single structure [ Upstream commit 45d0fcb5bc9558d0bf3d2fa7fabc5d8a88d35439 ] In a future change, the driver will need to determine whether PTP RX timestamping is enabled on a port (including whether traps were set up on that port in particular) and that is currently not possible. The driver supports different RX filters (L2, L4) and kinds of TX timestamping (one-step, two-step) on its ports, but it saves all configuration in a single struct hwtstamp_config that is global to the switch. So, the latest timestamping configuration on one port (including a request to disable timestamping) affects what gets reported for all ports, even though the configuration itself is still individual to each port. The port timestamping configurations are only coupled because of the common structure, so replace the hwtstamp_config with a mask of trapped protocols saved per port. We also have the ptp_cmd to distinguish between one-step and two-step PTP timestamping, so with those 2 bits of information we can fully reconstruct a descriptive struct hwtstamp_config for each port, during the SIOCGHWTSTAMP ioctl. Fixes: 4e3b0468e6d7 ("net: mscc: PTP Hardware Clock (PHC) support") Fixes: 96ca08c05838 ("net: mscc: ocelot: set up traps for PTP packets") Signed-off-by: Vladimir Oltean Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit ad95418b5d8be248a5092a0b8c814736f52010f9 Author: Vladimir Oltean Date: Tue Jun 27 19:31:12 2023 +0300 net: mscc: ocelot: don't report that RX timestamping is enabled by default [ Upstream commit 4fd44b82b7aceaa35c2901c6546d2c4198e0799d ] PTP RX timestamping should be enabled when the user requests it, not by default. If it is enabled by default, it can be problematic when the ocelot driver is a DSA master, and it sidesteps what DSA tries to avoid through __dsa_master_hwtstamp_validate(). Additionally, after the change which made ocelot trap PTP packets only to the CPU at ocelot_hwtstamp_set() time, it is no longer even true that RX timestamping is enabled by default, because until ocelot_hwtstamp_set() is called, the PTP traps are actually not set up. So the rx_filter field of ocelot->hwtstamp_config reflects an incorrect reality. Fixes: 96ca08c05838 ("net: mscc: ocelot: set up traps for PTP packets") Fixes: 4e3b0468e6d7 ("net: mscc: PTP Hardware Clock (PHC) support") Signed-off-by: Vladimir Oltean Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit ce77da4747f56ffffb25b35f040931d6139e929c Author: Dmitry Baryshkov Date: Thu Jun 29 12:58:47 2023 +0300 spi: spi-geni-qcom: enable SPI_CONTROLLER_MUST_TX for GPI DMA mode [ Upstream commit d10005837be83906bbd2078c3b4f9dfcbd6c95b6 ] The GPI DMA mode requires for TX DMA to be prepared. Force SPI core to provide TX buffer even if the caller didn't provide one by setting the SPI_CONTROLLER_MUST_TX flag. Fixes: b59c122484ec ("spi: spi-geni-qcom: Add support for GPI dma") Signed-off-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20230629095847.3648597-1-dmitry.baryshkov@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8148e4038447211247c4f111333b363fc9ed68e2 Author: Florian Westphal Date: Tue Jun 27 14:38:13 2023 +0200 net/sched: act_ipt: zero skb->cb before calling target [ Upstream commit 93d75d475c5dc3404292976147d063ee4d808592 ] xtables relies on skb being owned by ip stack, i.e. with ipv4 check in place skb->cb is supposed to be IPCB. I don't see an immediate problem (REJECT target cannot be used anymore now that PRE/POSTROUTING hook validation has been fixed), but better be safe than sorry. A much better patch would be to either mark act_ipt as "depends on BROKEN" or remove it altogether. I plan to do this for -next in the near future. This tc extension is broken in the sense that tc lacks an equivalent of NF_STOLEN verdict. With NF_STOLEN, target function takes complete ownership of skb, caller cannot dereference it anymore. ACT_STOLEN cannot be used for this: it has a different meaning, caller is allowed to dereference the skb. At this time NF_STOLEN won't be returned by any targets as far as I can see, but this may change in the future. It might be possible to work around this via list of allowed target extensions known to only return DROP or ACCEPT verdicts, but this is error prone/fragile. Existing selftest only validates xt_LOG and act_ipt is restricted to ipv4 so I don't think this action is used widely. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Florian Westphal Reviewed-by: Simon Horman Acked-by: Jamal Hadi Salim Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit c4394a69c773e495c033a5800d0650d342f0e76e Author: Florian Westphal Date: Tue Jun 27 14:38:12 2023 +0200 net/sched: act_ipt: add sanity checks on skb before calling target [ Upstream commit b2dc32dcba08bf55cec600caa76f4afd2e3614df ] Netfilter targets make assumptions on the skb state, for example iphdr is supposed to be in the linear area. This is normally done by IP stack, but in act_ipt case no such checks are made. Some targets can even assume that skb_dst will be valid. Make a minimum effort to check for this: - Don't call the targets eval function for non-ipv4 skbs. - Don't call the targets eval function for POSTROUTING emulation when the skb has no dst set. v3: use skb_protocol helper (Davide Caratti) Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Florian Westphal Reviewed-by: Simon Horman Acked-by: Jamal Hadi Salim Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 8ed12339c99cb715d9c4c3091d82f85f17e3699e Author: Florian Westphal Date: Tue Jun 27 14:38:11 2023 +0200 net/sched: act_ipt: add sanity checks on table name and hook locations [ Upstream commit b4ee93380b3c891fea996af8d1d3ca0e36ad31f0 ] Looks like "tc" hard-codes "mangle" as the only supported table name, but on kernel side there are no checks. This is wrong. Not all xtables targets are safe to call from tc. E.g. "nat" targets assume skb has a conntrack object assigned to it. Normally those get called from netfilter nat core which consults the nat table to obtain the address mapping. "tc" userspace either sets PRE or POSTROUTING as hook number, but there is no validation of this on kernel side, so update netlink policy to reject bogus numbers. Some targets may assume skb_dst is set for input/forward hooks, so prevent those from being used. act_ipt uses the hook number in two places: 1. the state hook number, this is fine as-is 2. to set par.hook_mask The latter is a bit mask, so update the assignment to make xt_check_target() to the right thing. Followup patch adds required checks for the skb/packet headers before calling the targets evaluation function. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Florian Westphal Reviewed-by: Simon Horman Acked-by: Jamal Hadi Salim Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit f8d77336af38e71435f92c5f271fd0b40f33fe66 Author: Chengfeng Ye Date: Tue Jun 27 12:03:40 2023 +0000 sctp: fix potential deadlock on &net->sctp.addr_wq_lock [ Upstream commit 6feb37b3b06e9049e20dcf7e23998f92c9c5be9a ] As &net->sctp.addr_wq_lock is also acquired by the timer sctp_addr_wq_timeout_handler() in protocal.c, the same lock acquisition at sctp_auto_asconf_init() seems should disable irq since it is called from sctp_accept() under process context. Possible deadlock scenario: sctp_accept() -> sctp_sock_migrate() -> sctp_auto_asconf_init() -> spin_lock(&net->sctp.addr_wq_lock) -> sctp_addr_wq_timeout_handler() -> spin_lock_bh(&net->sctp.addr_wq_lock); (deadlock here) This flaw was found using an experimental static analysis tool we are developing for irq-related deadlock. The tentative patch fix the potential deadlock by spin_lock_bh(). Signed-off-by: Chengfeng Ye Fixes: 34e5b0118685 ("sctp: delay auto_asconf init until binding the first addr") Acked-by: Xin Long Link: https://lore.kernel.org/r/20230627120340.19432-1-dg573847474@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit f77b761bf05aa4c5957e88ed434c409039398a6f Author: Randy Dunlap Date: Thu Jun 8 04:54:35 2023 +0200 media: cec: i2c: ch7322: also select REGMAP [ Upstream commit 29f96ac23648b2259f42d40703c47dd18fd172ca ] Selecting only REGMAP_I2C can leave REGMAP unset, causing build errors, so also select REGMAP to prevent the build errors. ../drivers/media/cec/i2c/ch7322.c:158:21: error: variable 'ch7322_regmap' has initializer but incomplete type 158 | static const struct regmap_config ch7322_regmap = { ../drivers/media/cec/i2c/ch7322.c:159:10: error: 'const struct regmap_config' has no member named 'reg_bits' 159 | .reg_bits = 8, ../drivers/media/cec/i2c/ch7322.c:159:21: warning: excess elements in struct initializer 159 | .reg_bits = 8, ../drivers/media/cec/i2c/ch7322.c:160:10: error: 'const struct regmap_config' has no member named 'val_bits' 160 | .val_bits = 8, ../drivers/media/cec/i2c/ch7322.c:160:21: warning: excess elements in struct initializer 160 | .val_bits = 8, ../drivers/media/cec/i2c/ch7322.c:161:10: error: 'const struct regmap_config' has no member named 'max_register' 161 | .max_register = 0x7f, ../drivers/media/cec/i2c/ch7322.c:161:25: warning: excess elements in struct initializer 161 | .max_register = 0x7f, ../drivers/media/cec/i2c/ch7322.c:162:10: error: 'const struct regmap_config' has no member named 'disable_locking' 162 | .disable_locking = true, ../drivers/media/cec/i2c/ch7322.c:162:28: warning: excess elements in struct initializer 162 | .disable_locking = true, ../drivers/media/cec/i2c/ch7322.c: In function 'ch7322_probe': ../drivers/media/cec/i2c/ch7322.c:468:26: error: implicit declaration of function 'devm_regmap_init_i2c' [-Werror=implicit-function-declaration] 468 | ch7322->regmap = devm_regmap_init_i2c(client, &ch7322_regmap); ../drivers/media/cec/i2c/ch7322.c:468:24: warning: assignment to 'struct regmap *' from 'int' makes pointer from integer without a cast [-Wint-conversion] 468 | ch7322->regmap = devm_regmap_init_i2c(client, &ch7322_regmap); ../drivers/media/cec/i2c/ch7322.c: At top level: ../drivers/media/cec/i2c/ch7322.c:158:35: error: storage size of 'ch7322_regmap' isn't known 158 | static const struct regmap_config ch7322_regmap = { Link: https://lore.kernel.org/linux-media/20230608025435.29249-1-rdunlap@infradead.org Fixes: 21b9a47e0ec7 ("media: cec: i2c: ch7322: Add ch7322 CEC controller driver") Signed-off-by: Randy Dunlap Cc: Jeff Chase Cc: Hans Verkuil Cc: Joe Tessler Cc: Arnd Bergmann Cc: Mark Brown Cc: Masahiro Yamada Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 9f6293ad7f48b48f4c97d8fe79833f668a8b1fca Author: Arnd Bergmann Date: Fri Jun 23 17:23:09 2023 +0200 media: tc358746: select CONFIG_GENERIC_PHY [ Upstream commit 582d4ad468cbc6ef2db4689ff3bd5868d95402c9 ] The tc358746 driver selects CONFIG_GENERIC_PHY_MIPI_DPHY and links to that, but this fails when CONFIG_GENERIC_PHY is disabled, because Kbuild then never enters the drivers/phy directory for building object files: ERROR: modpost: "phy_mipi_dphy_get_default_config_for_hsclk" [drivers/media/i2c/tc358746.ko] undefined! Add an explicit 'select GENERIC_PHY' here to ensure that the directory is entered, and add another dependency on that symbol so make it more obvious what is going on if another driver has the same problem, as this will produce a Kconfig warning. Link: https://lore.kernel.org/linux-media/20230623152318.2276816-1-arnd@kernel.org Fixes: 80a21da360516 ("media: tc358746: add Toshiba TC358746 Parallel to CSI-2 bridge driver") Signed-off-by: Arnd Bergmann Reviewed-by: Marco Felsch Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit e975c524036575109a4b2a756b159f4f13bf6695 Author: Peng Fan Date: Thu Mar 23 12:00:24 2023 +0800 tools/virtio: fix build break for aarch64 [ Upstream commit 77b894f220cbd04301b3d941df8247106e67f8e4 ] "-mfunction-return=thunk -mindirect-branch-register" are only valid for x86. So introduce compiler operation check to avoid such issues Fixes: 0d0ed4006127 ("tools/virtio: enable to build with retpoline") Signed-off-by: Peng Fan Message-Id: <20230323040024.3809108-1-peng.fan@oss.nxp.com> Signed-off-by: Michael S. Tsirkin Signed-off-by: Sasha Levin commit 7b6a9ec3ed4d334e8f6ef6a776a15c9d73a36a29 Author: Dragos Tatulea Date: Thu May 4 16:50:52 2023 +0300 virtio-vdpa: Fix unchecked call to NULL set_vq_affinity [ Upstream commit fe37efba475375caa2dbc71cb06f53f7086277ef ] The referenced patch calls set_vq_affinity without checking if the op is valid. This patch adds the check. Fixes: 3dad56823b53 ("virtio-vdpa: Support interrupt affinity spreading mechanism") Reviewed-by: Gal Pressman Signed-off-by: Dragos Tatulea Message-Id: <20230504135053.2283816-1-dtatulea@nvidia.com> Signed-off-by: Michael S. Tsirkin Reviewed-by: Feng Liu Signed-off-by: Sasha Levin commit cabaaa0ee05ca2860d91cbaca661382e14170ae4 Author: Chao Yu Date: Tue Jun 6 14:19:01 2023 +0800 f2fs: check return value of freeze_super() [ Upstream commit 8bec7dd1b3f7d7769d433d67bde404de948a2d95 ] freeze_super() can fail, it needs to check its return value and do error handling in f2fs_resize_fs(). Fixes: 04f0b2eaa3b3 ("f2fs: ioctl for removing a range from F2FS") Fixes: b4b10061ef98 ("f2fs: refactor resize_fs to avoid meta updates in progress") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 77ea88751f686ecc8693e4240eb8cf1191692f1f Author: Vinay Belgaumkar Date: Tue Jun 20 18:42:57 2023 -0700 drm/i915/guc/slpc: Apply min softlimit correctly [ Upstream commit 3e49de73fb89272dea01ba420c7ccbcf6b96aed7 ] The scenario being fixed here is depicted in the following sequence- modprobe i915 echo 1 > /sys/class/drm/card0/gt/gt0/slpc_ignore_eff_freq echo 300 > /sys/class/drm/card0/gt_min_freq_mhz (RPn) cat /sys/class/drm/card0/gt_cur_freq_mhz --> cur == RPn as expected echo 1 > /sys/kernel/debug/dri/0/gt0/reset --> reset cat /sys/class/drm/card0/gt_min_freq_mhz --> cached freq is RPn cat /sys/class/drm/card0/gt_cur_freq_mhz --> it's not RPn, but RPe!! When SLPC reinitializes, it sets SLPC min freq to efficient frequency. Even if we disable efficient freq post that, we should restore the cached min freq (via H2G) for it to take effect. v2: Clarify commit message (Ashutosh) Fixes: 95ccf312a1e4 ("drm/i915/guc/slpc: Allow SLPC to use efficient frequency") Reviewed-by: Ashutosh Dixit Signed-off-by: Vinay Belgaumkar Signed-off-by: Daniele Ceraolo Spurio Link: https://patchwork.freedesktop.org/patch/msgid/20230621014257.1769564-1-vinay.belgaumkar@intel.com (cherry picked from commit da86b2b13f1d1ca26745b951ac94421f3137539a) Signed-off-by: Tvrtko Ursulin Signed-off-by: Sasha Levin commit 6902516030d83c6a427fad5b8c84c2bef6eb030c Author: Jouni Högander Date: Tue Jun 20 14:17:45 2023 +0300 drm/i915/psr: Use hw.adjusted mode when calculating io/fast wake times [ Upstream commit 5311892a0ad1d301aafd53ca0154091b3eb407ea ] Encoder compute config is changing hw.adjusted mode. Uapi.adjusted mode doesn't get updated before psr compute config gets called. This causes io and fast wake line calculation using adjusted mode containing values before encoder adjustments. Fix this by using hw.adjusted mode instead of uapi.adjusted mode. Cc: Stanislav Lisovskiy Signed-off-by: Jouni Högander Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/8475 Fixes: cb42e8ede5b4 ("drm/i915/psr: Use calculated io and fast wake lines") Reviewed-by: Mika Kahola Link: https://patchwork.freedesktop.org/patch/msgid/20230620111745.2870706-1-jouni.hogander@intel.com (cherry picked from commit ef0af9db2a21257885116949f471fe5565b2f0ab) Signed-off-by: Tvrtko Ursulin Signed-off-by: Sasha Levin commit a7d66bf8e3264d2a3b6418a5c9e452f9f22fc356 Author: Christophe JAILLET Date: Thu Jun 8 21:11:42 2023 +0200 rtc: st-lpc: Release some resources in st_rtc_probe() in case of error [ Upstream commit 06c6e1b01d9261f03629cefd1f3553503291e6cf ] If an error occurs after clk_get(), the corresponding resources should be released. Use devm_clk_get() to fix it. Fixes: b5b2bdfc2893 ("rtc: st: Add new driver for ST's LPC RTC") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/866af6adbc7454a7b4505eb6c28fbdc86ccff39e.1686251455.git.christophe.jaillet@wanadoo.fr Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit a88994f0301dc3af61c413e9a050a8f8b328f6d5 Author: Jinke Han Date: Mon May 8 01:06:31 2023 +0800 blk-throttle: Fix io statistics for cgroup v1 [ Upstream commit ad7c3b41e86b59943a903d23c7b037d820e6270c ] After commit f382fb0bcef4 ("block: remove legacy IO schedulers"), blkio.throttle.io_serviced and blkio.throttle.io_service_bytes become the only stable io stats interface of cgroup v1, and these statistics are done in the blk-throttle code. But the current code only counts the bios that are actually throttled. When the user does not add the throttle limit, the io stats for cgroup v1 has nothing. I fix it according to the statistical method of v2, and made it count all ios accurately. Fixes: a7b36ee6ba29 ("block: move blk-throtl fast path inline") Tested-by: Andrea Righi Signed-off-by: Jinke Han Acked-by: Muchun Song Acked-by: Tejun Heo Link: https://lore.kernel.org/r/20230507170631.89607-1-hanjinke.666@bytedance.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 4ed22bf4f23598523df70d80b9d9b2ba9a878f69 Author: Ian Rogers Date: Thu Jun 22 21:14:03 2023 -0700 perf bpf: Move the declaration of struct rq [ Upstream commit 5c45b210479bffe068d38902fcdcb52c4c60a264 ] struct rq is defined in vmlinux.h when the vmlinux.h is generated, this causes a redefinition failure if it is declared in lock_contention.bpf.c. Move the definition to vmlinux.h for consistency with the generated version. Fixes: 760ebc45746b ("perf lock contention: Add empty 'struct rq' to satisfy libbpf 'runqueue' type verification") Signed-off-by: Ian Rogers Acked-by: Andrii Nakryiko Acked-by: Namhyung Kim Acked-by: Jiri Olsa Cc: James Clark Cc: Mark Rutland Cc: Yang Jihong Cc: Peter Zijlstra Cc: Adrian Hunter Cc: Arnaldo Carvalho de Melo Cc: Alexander Shishkin Cc: Tiezhu Yang Cc: Ingo Molnar Cc: bpf@vger.kernel.org Link: https://lore.kernel.org/r/20230623041405.4039475-3-irogers@google.com Signed-off-by: Namhyung Kim Signed-off-by: Sasha Levin commit 8c59a155c887df06ebfb1346d4fa4d54403395ad Author: Li Nan Date: Fri Jun 9 17:43:20 2023 +0800 md/raid10: fix the condition to call bio_end_io_acct() [ Upstream commit 125bfc7cd750e68c99f1d446e2c22abea08c237f ] /sys/block/[device]/queue/iostats is used to control whether to count io stat. Write 0 to it will clear queue_flags QUEUE_FLAG_IO_STAT which means iostats is disabled. If we disable iostats and later endable it, the io issued during this period will be counted incorrectly, inflight will be decreased to -1. //T1 set iostats echo 0 > /sys/block/md0/queue/iostats clear QUEUE_FLAG_IO_STAT //T2 issue io if (QUEUE_FLAG_IO_STAT) -> false bio_start_io_acct inflight++ echo 1 > /sys/block/md0/queue/iostats set QUEUE_FLAG_IO_STAT //T3 io end if (QUEUE_FLAG_IO_STAT) -> true bio_end_io_acct inflight-- -> -1 Also, if iostats is enabled while issuing io but disabled while io end, inflight will never be decreased. Fix it by checking start_time when io end. If start_time is not 0, call bio_end_io_acct(). Fixes: 528bc2cf2fcc ("md/raid10: enable io accounting") Signed-off-by: Li Nan Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20230609094320.2397604-1-linan666@huaweicloud.com Signed-off-by: Sasha Levin commit 9b2beba7feba3b915aaca15498edc74a917a88f1 Author: Shuijing Li Date: Wed May 31 11:10:01 2023 +0800 pwm: mtk_disp: Fix the disable flow of disp_pwm [ Upstream commit bc13d60e4e1e945b34769a4a4c2b172e8552abe5 ] There is a flow error in the original mtk_disp_pwm_apply() function. If this function is called when the clock is disabled, there will be a chance to operate the disp_pwm register, resulting in disp_pwm exception. Fix this accordingly. Fixes: 888a623db5d0 ("pwm: mtk-disp: Implement atomic API .apply()") Signed-off-by: Shuijing Li Reviewed-by: Matthias Brugger Tested-by: Fei Shao Acked-by: Uwe Kleine-König Reviewed-by: Alexandre Mergnat Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit bdf3e642dc5585f43fa257ceb03848a690214274 Author: Dan Carpenter Date: Mon May 22 14:07:42 2023 +0300 pwm: ab8500: Fix error code in probe() [ Upstream commit cdcffafc4d845cc0c6392cba168c7a942734cce7 ] This code accidentally return positive EINVAL instead of negative -EINVAL. Fixes: eb41f334589d ("pwm: ab8500: Fix register offset calculation to not depend on probe order") Signed-off-by: Dan Carpenter Reviewed-by: Uwe Kleine-König Reviewed-by: Linus Walleij Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 44e7df11414d58bdc747e7e9c123c3e65f3bd304 Author: Marek Vasut Date: Fri May 12 18:47:36 2023 +0200 pwm: sysfs: Do not apply state to already disabled PWMs [ Upstream commit 38ba83598633373f47951384cfc389181c8d1bed ] If the PWM is exported but not enabled, do not call pwm_class_apply_state(). First of all, in this case, period may still be unconfigured and this would make pwm_class_apply_state() return -EINVAL, and then suspend would fail. Second, it makes little sense to apply state onto PWM that is not enabled before suspend. Failing case: " $ echo 1 > /sys/class/pwm/pwmchip4/export $ echo mem > /sys/power/state ... pwm pwmchip4: PM: dpm_run_callback(): pwm_class_suspend+0x1/0xa8 returns -22 pwm pwmchip4: PM: failed to suspend: error -22 PM: Some devices failed to suspend, or early wake event detected " Working case: " $ echo 1 > /sys/class/pwm/pwmchip4/export $ echo 100 > /sys/class/pwm/pwmchip4/pwm1/period $ echo 10 > /sys/class/pwm/pwmchip4/pwm1/duty_cycle $ echo mem > /sys/power/state ... " Do not call pwm_class_apply_state() in case the PWM is disabled to fix this issue. Fixes: 7fd4edc57bbae ("pwm: sysfs: Add suspend/resume support") Signed-off-by: Marek Vasut Fixes: ef2bf4997f7d ("pwm: Improve args checking in pwm_apply_state()") Reviewed-by: Brian Norris Reviewed-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 2acc6fac21c13aaab57d7daa0320295dbd8d77dd Author: Fancy Fang Date: Fri May 5 14:58:39 2023 +0800 pwm: imx-tpm: force 'real_period' to be zero in suspend [ Upstream commit 661dfb7f46298e53f6c3deaa772fa527aae86193 ] During suspend, all the tpm registers will lose values. So the 'real_period' value of struct 'imx_tpm_pwm_chip' should be forced to be zero to force the period update code can be executed after system resume back. Signed-off-by: Fancy Fang Signed-off-by: Clark Wang Acked-by: Uwe Kleine-König Fixes: 738a1cfec2ed ("pwm: Add i.MX TPM PWM driver support") Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 3efba046f65be8922c4cdac63333cb517b687b72 Author: Yury Norov Date: Mon Feb 27 11:24:36 2023 -0800 lib/bitmap: drop optimization of bitmap_{from,to}_arr64 [ Upstream commit c1d2ba10f594046831d14b03f194e8d05e78abad ] bitmap_{from,to}_arr64() optimization is overly optimistic on 32-bit LE architectures when it's wired to bitmap_copy_clear_tail(). bitmap_copy_clear_tail() takes care of unused bits in the bitmap up to the next word boundary. But on 32-bit machines when copying bits from bitmap to array of 64-bit words, it's expected that the unused part of a recipient array must be cleared up to 64-bit boundary, so the last 4 bytes may stay untouched when nbits % 64 <= 32. While the copying part of the optimization works correct, that clear-tail trick makes corresponding tests reasonably fail: test_bitmap: bitmap_to_arr64(nbits == 1): tail is not safely cleared: 0xa5a5a5a500000001 (must be 0x0000000000000001) Fix it by removing bitmap_{from,to}_arr64() optimization for 32-bit LE arches. Reported-by: Guenter Roeck Link: https://lore.kernel.org/lkml/20230225184702.GA3587246@roeck-us.net/ Fixes: 0a97953fd221 ("lib: add bitmap_{from,to}_arr64") Signed-off-by: Yury Norov Tested-by: Guenter Roeck Reviewed-by: Andy Shevchenko Reviewed-by: Alexander Lobakin Signed-off-by: Sasha Levin commit 25cbee4f2d011df28822b9bb079aefaf93321a98 Author: Claudiu Beznea Date: Wed May 31 10:39:50 2023 +0300 phy: tegra: xusb: check return value of devm_kzalloc() [ Upstream commit 44faada0f38fc333d392af04c343b0e23f8f5d81 ] devm_kzalloc() returns a pointer to dynamically allocated memory. Pointer could be NULL in case allocation fails. Check pointer validity. Identified with coccinelle (kmerr.cocci script). Fixes: f67213cee2b3 ("phy: tegra: xusb: Add usb-role-switch support") Signed-off-by: Claudiu Beznea Acked-by: Thierry Reding Link: https://lore.kernel.org/r/20230531073950.145339-1-claudiu.beznea@microchip.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit ddce2002e5b07108bf56039c41f7919e5d4d684c Author: Christophe JAILLET Date: Sat Jun 17 12:43:16 2023 +0200 mfd: stmpe: Only disable the regulators if they are enabled [ Upstream commit 104d32bd81f620bb9f67fbf7d1159c414e89f05f ] In stmpe_probe(), if some regulator_enable() calls fail, probing continues and there is only a dev_warn(). So, if stmpe_probe() is called the regulator may not be enabled. It is cleaner to test it before calling regulator_disable() in the remove function. Fixes: 9c9e321455fb ("mfd: stmpe: add optional regulators") Signed-off-by: Christophe JAILLET Reviewed-by: Linus Walleij Link: https://lore.kernel.org/r/8de3aaf297931d655b9ad6aed548f4de8b85425a.1686998575.git.christophe.jaillet@wanadoo.fr Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 53a2894293e8633b38574eee3181a197c2871e1d Author: Neil Armstrong Date: Thu Jun 1 11:39:58 2023 +0200 phy: qcom: qmp-combo: fix Display Port PHY configuration for SM8550 [ Upstream commit 6cd52a2a06774c6c454ffef084c3d9b17618ca23 ] The SM8550 PHY also uses a different offset for the CMN_STATUS reg, use the right one for the v6 Display Port configuration. Fixes: 49742e9edab3 ("phy: qcom-qmp-combo: Add support for SM8550") Signed-off-by: Neil Armstrong Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20230601-topic-sm8550-upstream-dp-phy-init-fix-v1-1-4e9da9f97991@linaro.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit de55ce827a766bf49f506abde6f265bf002a76d6 Author: Yicong Yang Date: Wed Jun 21 17:28:04 2023 +0800 hwtracing: hisi_ptt: Fix potential sleep in atomic context [ Upstream commit 6c50384ef8b94a527445e3694ae6549e1f15d859 ] We're using pci_irq_vector() to obtain the interrupt number and then bind it to the CPU start perf under the protection of spinlock in pmu::start(). pci_irq_vector() might sleep since [1] because it will call msi_domain_get_virq() to get the MSI interrupt number and it needs to acquire dev->msi.data->mutex. Getting a mutex will sleep on contention. So use pci_irq_vector() in an atomic context is problematic. This patch cached the interrupt number in the probe() and uses the cached data instead to avoid potential sleep. [1] commit 82ff8e6b78fc ("PCI/MSI: Use msi_get_virq() in pci_get_vector()") Fixes: ff0de066b463 ("hwtracing: hisi_ptt: Add trace function support for HiSilicon PCIe Tune and Trace device") Reviewed-by: Jonathan Cameron Signed-off-by: Yicong Yang Signed-off-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20230621092804.15120-6-yangyicong@huawei.com Signed-off-by: Sasha Levin commit f712198e4ba9e806e945c6b99791583b50808f70 Author: Dmitry Baryshkov Date: Sun May 7 20:53:35 2023 +0300 clk: qcom: mmcc-msm8974: fix MDSS_GDSC power flags [ Upstream commit 4e13c7a55cf752887f2b8d8008711dbbc64ea796 ] Using PWRSTS_RET on msm8974's MDSS_GDSC causes display to stop working. The gdsc doesn't fully come out of retention mode. Change it's pwrsts flags to PWRSTS_OFF_ON. Fixes: d399723950c4 ("clk: qcom: gdsc: Fix the handling of PWRSTS_RET support") Signed-off-by: Dmitry Baryshkov Reviewed-by: Rajendra Nayak Tested-by: Luca Weiss Link: https://lore.kernel.org/r/20230507175335.2321503-2-dmitry.baryshkov@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 96be1c8a3f7e5dfcf09643da101eb4e8697a5f17 Author: Claudiu Beznea Date: Thu Jun 15 13:25:46 2023 +0300 misc: fastrpc: check return value of devm_kasprintf() [ Upstream commit af2e19d82a116bc622eea84c9faadd5f7e20bec4 ] devm_kasprintf() returns a pointer to dynamically allocated memory. Pointer could be NULL in case allocation fails. Check pointer validity. Identified with coccinelle (kmerr.cocci script). Fixes: 3abe3ab3cdab ("misc: fastrpc: add secure domain support") Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20230615102546.581899-1-claudiu.beznea@microchip.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 08e6cb1a9f8356bd9b031979dae7fd33de142c92 Author: Daniel Golle Date: Mon Jun 5 15:18:12 2023 +0100 cpufreq: mediatek: correct voltages for MT7622 and MT7623 [ Upstream commit f85534113f5ae90a52521cdb9e9977a43ee42626 ] The MT6380 regulator typically used together with MT7622 does not support the current maximum processor and SRAM voltage in the cpufreq driver (1360000uV). For MT7622 limit processor and SRAM supply voltages to 1350000uV to avoid having the tracking algorithm request unsupported voltages from the regulator. On MT7623 there is no separate SRAM supply and the maximum voltage used is 1300000uV. Create dedicated platform data for MT7623 to cover that case as well. Fixes: 0883426fd07e3 ("cpufreq: mediatek: Raise proc and sram max voltage for MT7622/7623") Suggested-by: Jia-wei Chang Signed-off-by: Daniel Golle Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit dc7e0192c470a53d847c79a2796f9ac429477a26 Author: Christian Borntraeger Date: Mon May 15 10:42:34 2023 +0200 KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler [ Upstream commit 0bc380beb78aa352eadbc21d934dd9606fcee808 ] We do check for target CPU == -1, but this might change at the time we are going to use it. Hold the physical target CPU in a local variable to avoid out-of-bound accesses to the cpu arrays. Cc: Pierre Morel Fixes: 87e28a15c42c ("KVM: s390: diag9c (directed yield) forwarding") Reported-by: Marc Hartmayer Reviewed-by: Nico Boehr Reviewed-by: Pierre Morel Signed-off-by: Christian Borntraeger Signed-off-by: Janosch Frank Signed-off-by: Sasha Levin commit 5dfbcfc5caf0577e2e7316d2c05d90bc3d6dbc30 Author: Pierre Morel Date: Wed May 10 17:42:58 2023 +0200 KVM: s390: vsie: fix the length of APCB bitmap [ Upstream commit 246be7d2720ea9a795b576067ecc5e5c7a1e7848 ] bit_and() uses the count of bits as the woking length. Fix the previous implementation and effectively use the right bitmap size. Fixes: 19fd83a64718 ("KVM: s390: vsie: allow CRYCB FORMAT-1") Fixes: 56019f9aca22 ("KVM: s390: vsie: Allow CRYCB FORMAT-2") Signed-off-by: Pierre Morel Reviewed-by: Janosch Frank Link: https://lore.kernel.org/kvm/20230511094719.9691-1-pmorel@linux.ibm.com/ Signed-off-by: Janosch Frank Signed-off-by: Sasha Levin commit 77ad08c74e24a9a7e0bf3f9ee8bc6233160f3e45 Author: Amelie Delaunay Date: Fri Jun 9 11:28:04 2023 +0200 mfd: stmfx: Nullify stmfx->vdd in case of error [ Upstream commit 7c81582c0bccb4757186176f0ee12834597066ad ] Nullify stmfx->vdd in case devm_regulator_get_optional() returns an error. And simplify code by returning an error only if return code is not -ENODEV, which means there is no vdd regulator and it is not an issue. Fixes: d75846ed08e6 ("mfd: stmfx: Fix dev_err_probe() call in stmfx_chip_init()") Signed-off-by: Amelie Delaunay Link: https://lore.kernel.org/r/20230609092804.793100-2-amelie.delaunay@foss.st.com Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 3711e3d4a0749f669b85a08581b0026b1c39c020 Author: Amelie Delaunay Date: Fri Jun 9 11:28:03 2023 +0200 mfd: stmfx: Fix error path in stmfx_chip_init [ Upstream commit f592cf624531286f8b52e40dcfc157a5a7fb115c ] In error path, disable vdd regulator if it exists, but don't overload ret. Because if regulator_disable() is successful, stmfx_chip_init will exit successfully while chip init failed. Fixes: 06252ade9156 ("mfd: Add ST Multi-Function eXpander (STMFX) core driver") Signed-off-by: Amelie Delaunay Link: https://lore.kernel.org/r/20230609092804.793100-1-amelie.delaunay@foss.st.com Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 8bdd5c21ec02835bd445d022f4c23195aff407d2 Author: Laurentiu Tudor Date: Tue Jun 13 19:07:18 2023 +0300 bus: fsl-mc: don't assume child devices are all fsl-mc devices [ Upstream commit 303c9c63abb9390e906052863f82bb4e9824e5c0 ] Changes in VFIO caused a pseudo-device to be created as child of fsl-mc devices causing a crash [1] when trying to bind a fsl-mc device to VFIO. Fix this by checking the device type when enumerating fsl-mc child devices. [1] Modules linked in: Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP CPU: 6 PID: 1289 Comm: sh Not tainted 6.2.0-rc5-00047-g7c46948a6e9c #2 Hardware name: NXP Layerscape LX2160ARDB (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mc_send_command+0x24/0x1f0 lr : dprc_get_obj_region+0xfc/0x1c0 sp : ffff80000a88b900 x29: ffff80000a88b900 x28: ffff48a9429e1400 x27: 00000000000002b2 x26: ffff48a9429e1718 x25: 0000000000000000 x24: 0000000000000000 x23: ffffd59331ba3918 x22: ffffd59331ba3000 x21: 0000000000000000 x20: ffff80000a88b9b8 x19: 0000000000000000 x18: 0000000000000001 x17: 7270642f636d2d6c x16: 73662e3030303030 x15: ffffffffffffffff x14: ffffd59330f1d668 x13: ffff48a8727dc389 x12: ffff48a8727dc386 x11: 0000000000000002 x10: 00008ceaf02f35d4 x9 : 0000000000000012 x8 : 0000000000000000 x7 : 0000000000000006 x6 : ffff80000a88bab0 x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff80000a88b9e8 x2 : ffff80000a88b9e8 x1 : 0000000000000000 x0 : ffff48a945142b80 Call trace: mc_send_command+0x24/0x1f0 dprc_get_obj_region+0xfc/0x1c0 fsl_mc_device_add+0x340/0x590 fsl_mc_obj_device_add+0xd0/0xf8 dprc_scan_objects+0x1c4/0x340 dprc_scan_container+0x38/0x60 vfio_fsl_mc_probe+0x9c/0xf8 fsl_mc_driver_probe+0x24/0x70 really_probe+0xbc/0x2a8 __driver_probe_device+0x78/0xe0 device_driver_attach+0x30/0x68 bind_store+0xa8/0x130 drv_attr_store+0x24/0x38 sysfs_kf_write+0x44/0x60 kernfs_fop_write_iter+0x128/0x1b8 vfs_write+0x334/0x448 ksys_write+0x68/0xf0 __arm64_sys_write+0x1c/0x28 invoke_syscall+0x44/0x108 el0_svc_common.constprop.1+0x94/0xf8 do_el0_svc+0x38/0xb0 el0_svc+0x20/0x50 el0t_64_sync_handler+0x98/0xc0 el0t_64_sync+0x174/0x178 Code: aa0103f4 a9025bf5 d5384100 b9400801 (79401260) ---[ end trace 0000000000000000 ]--- Fixes: 3c28a76124b2 ("vfio: Add struct device to vfio_device") Signed-off-by: Laurentiu Tudor Tested-by: Ioana Ciornei Reviewed-by: Ioana Ciornei Message-ID: <20230613160718.29500-1-laurentiu.tudor@nxp.com> Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 92bc4a26b037688f7510bdc8a78398b9c35bf366 Author: Phil Elwell Date: Sun Jun 11 15:03:09 2023 +0100 nvmem: rmem: Use NVMEM_DEVID_AUTO [ Upstream commit 09dd7b993eddb3b48634fd5ddf27aa799785a9ee ] It is reasonable to declare multiple nvmem blocks. Unless a unique 'id' is passed in for each block there may be name clashes. Avoid this by using the magic token NVMEM_DEVID_AUTO. Fixes: 5a3fa75a4d9c ("nvmem: Add driver to expose reserved memory as nvmem") Signed-off-by: Phil Elwell Signed-off-by: Ivan T. Ivanov Reviewed-by: Stefan Wahren Signed-off-by: Srinivas Kandagatla Message-ID: <20230611140330.154222-6-srinivas.kandagatla@linaro.org> Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 0dfaf543aac81a3457e5702808125fa6d52c408b Author: Mirsad Goran Todorovac Date: Tue Jun 6 09:08:10 2023 +0200 test_firmware: return ENOMEM instead of ENOSPC on failed memory allocation [ Upstream commit 7dae593cd226a0bca61201cf85ceb9335cf63682 ] In a couple of situations like name = kstrndup(buf, count, GFP_KERNEL); if (!name) return -ENOSPC; the error is not actually "No space left on device", but "Out of memory". It is semantically correct to return -ENOMEM in all failed kstrndup() and kzalloc() cases in this driver, as it is not a problem with disk space, but with kernel memory allocator failing allocation. The semantically correct should be: name = kstrndup(buf, count, GFP_KERNEL); if (!name) return -ENOMEM; Cc: Dan Carpenter Cc: Takashi Iwai Cc: Kees Cook Cc: "Luis R. Rodriguez" Cc: Scott Branden Cc: Hans de Goede Cc: Brian Norris Fixes: c92316bf8e948 ("test_firmware: add batched firmware tests") Fixes: 0a8adf584759c ("test: add firmware_class loader test") Fixes: 548193cba2a7d ("test_firmware: add support for firmware_request_platform") Fixes: eb910947c82f9 ("test: firmware_class: add asynchronous request trigger") Fixes: 061132d2b9c95 ("test_firmware: add test custom fallback trigger") Fixes: 7feebfa487b92 ("test_firmware: add support for request_firmware_into_buf") Signed-off-by: Mirsad Goran Todorovac Reviewed-by: Dan Carpenter Message-ID: <20230606070808.9300-1-mirsad.todorovac@alu.unizg.hr> Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 603bfb26090a73256503fa2f8a417123ac3a2cea Author: Alexander Stein Date: Sun Jun 11 15:03:06 2023 +0100 nvmem: imx-ocotp: Reverse MAC addresses on all i.MX derivates [ Upstream commit 8a00fc606312c68b98add8fe8e6f7a013ce29e78 ] Not just i.MX8M, but all i.MX6/7 (and subtypes) need to reverse the MAC address read from fuses. Exceptions are i.MX6SLL and i.MX7ULP which do not support ethernet at all. Fixes: d0221a780cbc ("nvmem: imx-ocotp: add support for post processing") Signed-off-by: Alexander Stein Tested-by: Richard Leitner # imx6q Signed-off-by: Srinivas Kandagatla Message-ID: <20230611140330.154222-3-srinivas.kandagatla@linaro.org> Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 94e0469149d463a3648c23d7604ea6e1349f7cdb Author: Yi Yingao Date: Tue May 9 16:52:36 2023 +0800 nvmem: sunplus-ocotp: release otp->clk before return [ Upstream commit 095bb8ba45f28ed15296eb5b7662e03e57d5e34e ] Smatch reports: drivers/nvmem/sunplus-ocotp.c:205 sp_ocotp_probe() warn: 'otp->clk' from clk_prepare() not released on lines: 196. In the function sp_ocotp_probe(struct platform_device *pdev), otp->clk may not be released before return. To fix this issue, using function clk_unprepare() to release otp->clk. Fixes: 8747ec2e9762 ("nvmem: Add driver for OCOTP in Sunplus SP7021") Signed-off-by: Yi Yingao Reviewed-by: Dongliang Mu Message-ID: <20230509085237.5917-1-m202271736@hust.edu.cn> Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit dd67388bd67cbeb95aa46f86d08690c029fcef04 Author: Nipun Gupta Date: Mon Jun 5 18:40:09 2023 +0530 cdx: fix driver managed dma support [ Upstream commit b8c5ff76059ded3758de3db83e04189a072ac01f ] The devices on cdx could be bound to drivers with the device DMA managed by kernel drivers or user-space applications. As multiple devices can be placed in the same IOMMU group, the DMA on these devices must either be entirely under kernel control or userspace control. Fix the CDX bus driver to acknowlege the driver_managed_dma flag and call the appropriate iommu APIs. Fixes: 2959ab247061 ("cdx: add the cdx bus driver") Signed-off-by: Nipun Gupta Reported-by: Alex Williamson Closes: https://lore.kernel.org/lkml/20230524134831.28dc97e2.alex.williamson@redhat.com/ Reviewed-by: Nikhil Agarwal Message-ID: <20230605131009.6869-1-nipun.gupta@amd.com> Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f358776ab9d75a1828e51d9d27c5b602c88a2524 Author: Matti Vaittinen Date: Mon May 29 09:22:33 2023 +0300 drivers: fwnode: fix fwnode_irq_get[_byname]() [ Upstream commit 39d422555e43379516d4d13f5b7162a3dee6e646 ] The fwnode_irq_get() and the fwnode_irq_get_byname() return 0 upon device-tree IRQ mapping failure. This is contradicting the fwnode_irq_get_byname() function documentation and can potentially be a source of errors like: int probe(...) { ... irq = fwnode_irq_get_byname(); if (irq <= 0) return irq; ... } Here we do correctly check the return value from fwnode_irq_get_byname() but the driver probe will now return success. (There was already one such user in-tree). Change the fwnode_irq_get_byname() to work as documented and make also the fwnode_irq_get() follow same common convention returning a negative errno upon failure. Fixes: ca0acb511c21 ("device property: Add fwnode_irq_get_byname") Suggested-by: Sakari Ailus Suggested-by: Jonathan Cameron Signed-off-by: Matti Vaittinen Reviewed-by: Andy Shevchenko Reviewed-by: Jonathan Cameron Message-ID: <3e64fe592dc99e27ef9a0b247fc49fa26b6b8a58.1685340157.git.mazziesaccount@gmail.com> Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 85fd0afbfea603ae09578f6c2575e7e819000e10 Author: Tony Lindgren Date: Wed Jun 14 07:59:19 2023 +0300 serial: 8250_omap: Use force_suspend and resume for system suspend [ Upstream commit 20a41a62618df85f3a2981008edec5cadd785e0a ] We should not rely on autosuspend timeout for system suspend. Instead, let's use force_suspend and force_resume functions. Otherwise the serial port controller device may not be idled on suspend. As we are doing a register write on suspend to configure the serial port, we still need to runtime PM resume the port on suspend. While at it, let's switch to pm_runtime_resume_and_get() and check for errors returned. And let's add the missing line break before return to the suspend function while at it. Fixes: 09d8b2bdbc5c ("serial: 8250: omap: Provide ability to enable/disable UART as wakeup source") Signed-off-by: Tony Lindgren Tested-by: Dhruva Gole Message-ID: <20230614045922.4798-1-tony@atomide.com> Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e8c07171d1681efe0be18e1b48476b244598bf01 Author: Greg Kroah-Hartman Date: Thu Jun 15 11:30:35 2023 +0200 Revert "usb: common: usb-conn-gpio: Set last role to unknown before initial detection" [ Upstream commit df49f2a0ac4a34c0cb4b5c233fcfa0add644c43c ] This reverts commit edd60d24bd858cef165274e4cd6cab43bdc58d15. Heikki reports that this should not be a global flag just to work around one broken driver and should be fixed differently, so revert it. Reported-by: Heikki Krogerus Fixes: edd60d24bd85 ("usb: common: usb-conn-gpio: Set last role to unknown before initial detection") Link: https://lore.kernel.org/r/ZImE4L3YgABnCIsP@kuha.fi.intel.com Cc: Prashanth K Cc: AngeloGioacchino Del Regno Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2aa0b8ffd9643ed6c02a919acb4dd909e8e8a777 Author: Jiasheng Jiang Date: Fri Jun 9 09:48:18 2023 +0800 mfd: intel-lpss: Add missing check for platform_get_resource [ Upstream commit d918e0d5824495a75d00b879118b098fcab36fdb ] Add the missing check for platform_get_resource and return error if it fails. Fixes: 4b45efe85263 ("mfd: Add support for Intel Sunrisepoint LPSS devices") Signed-off-by: Jiasheng Jiang Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20230609014818.28475-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit 6e25e6fcef918063b676e4562336dbea66547fc7 Author: Christophe JAILLET Date: Sat May 20 09:10:54 2023 +0200 mfd: wcd934x: Fix an error handling path in wcd934x_slim_probe() [ Upstream commit f190b4891a3f9fac123a7afd378d4143a2723313 ] If devm_gpiod_get_optional() fails, some resources need to be released, as already done in the .remove() function. While at it, remove the unneeded error code from a dev_err_probe() call. It is already added in a human readable way by dev_err_probe() itself. Fixes: 6a0ee2a61a31 ("mfd: wcd934x: Replace legacy gpio interface for gpiod") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/02d8447f6d1df52cc8357aae698152e9a9be67c6.1684565021.git.christophe.jaillet@wanadoo.fr Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit df2d221e934062b92c5a0d54f68aa5898151d614 Author: Daniel Bristot de Oliveira Date: Tue Jun 6 18:12:22 2023 +0200 rtla/hwnoise: Reduce runtime to 75% [ Upstream commit 7bc4d3089a50050d4df0af63423a5d907c3bdb1a ] osnoise runs 100% of time by default. It makes sense because osnoise is preemptive. hwnoise checks preemption once a second, so it reduces system progress. Reduce runtime to 75% to avoid problems by default. I added a Fixes as it might avoid problems for first time users as it lands on distros. Link: https://lkml.kernel.org/r/af0b7113ffc00031b9af4bb40ef5889a27dadf8c.1686066600.git.bristot@kernel.org Cc: William White Cc: Jonathan Corbet Tested-by: Juri Lelli Fixes: 1f428356c38d ("rtla: Add hwnoise tool") Signed-off-by: Daniel Bristot de Oliveira Signed-off-by: Steven Rostedt (Google) Signed-off-by: Sasha Levin commit 1eecbbf3d251370c9b3c92a2554059ee0c419973 Author: Christophe JAILLET Date: Sat Jun 10 15:32:52 2023 +0200 usb: dwc3-meson-g12a: Fix an error handling path in dwc3_meson_g12a_probe() [ Upstream commit 01052b91c9808e3c3b068ae2721cb728ec9aa4c0 ] If dwc3_meson_g12a_otg_init() fails, resources allocated by the previous of_platform_populate() call should be released, as already done in the error handling path. Fixes: 1e355f21d3fb ("usb: dwc3: Add Amlogic A1 DWC3 glue") Signed-off-by: Christophe JAILLET Reviewed-by: Martin Blumenstingl Reviewed-by: Neil Armstrong Message-ID: <9d28466de1808ccc756b4cc25fc72c482d133d13.1686403934.git.christophe.jaillet@wanadoo.fr> Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c7d1adb395ea198bfb827470fe2a1a915c01bb03 Author: Prashanth K Date: Wed May 31 20:11:14 2023 +0530 usb: common: usb-conn-gpio: Set last role to unknown before initial detection [ Upstream commit edd60d24bd858cef165274e4cd6cab43bdc58d15 ] Currently if we bootup a device without cable connected, then usb-conn-gpio won't call set_role() since last_role is same as current role. This happens because during probe last_role gets initialised to zero. To avoid this, added a new constant in enum usb_role, last_role is set to USB_ROLE_UNKNOWN before performing initial detection. While at it, also handle default case for the usb_role switch in cdns3, intel-xhci-usb-role-switch & musb/jz4740 to avoid build warnings. Fixes: 4602f3bff266 ("usb: common: add USB GPIO based connection detection driver") Signed-off-by: Prashanth K Reviewed-by: AngeloGioacchino Del Regno Message-ID: <1685544074-17337-1-git-send-email-quic_prashk@quicinc.com> Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 1ddee43610ec65b0513c94ee33337a5c4a6ba0dd Author: Christophe JAILLET Date: Sun Jun 4 16:56:34 2023 +0200 usb: dwc3: qcom: Fix an error handling path in dwc3_qcom_probe() [ Upstream commit 4a944da707123686d372ec01ea60056902fadf35 ] If dwc3_qcom_create_urs_usb_platdev() fails, some resources still need to be released, as already done in the other error handling path of the probe. Fixes: c25c210f590e ("usb: dwc3: qcom: add URS Host support for sdm845 ACPI boot") Signed-off-by: Christophe JAILLET Reviewed-by: Andrew Halaney Message-ID: Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 3a8e53ac1009670d5759a7d9f8f0b18ef68405b4 Author: Christophe JAILLET Date: Sun Jun 4 17:04:37 2023 +0200 usb: dwc3: qcom: Release the correct resources in dwc3_qcom_remove() [ Upstream commit 8fd95da2cfb5046c4bb5a3cdc9eb7963ba8b10dd ] In the probe, some resources are allocated with dwc3_qcom_of_register_core() or dwc3_qcom_acpi_register_core(). The corresponding resources are already coorectly freed in the error handling path of the probe, but not in the remove function. Fix it. Fixes: 2bc02355f8ba ("usb: dwc3: qcom: Add support for booting with ACPI") Signed-off-by: Christophe JAILLET Reviewed-by: Andrew Halaney Message-ID: Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8a46414dbbddab5ed82e3d550f930432db2dcc47 Author: Nico Boehr Date: Fri Mar 24 15:54:23 2023 +0100 KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes [ Upstream commit 285cff4c0454340a4dc53f46e67f2cb1c293bd74 ] The KVM_S390_GET_CMMA_BITS ioctl may return incorrect values when userspace specifies a start_gfn outside of memslots. This can occur when a VM has multiple memslots with a hole in between: +-----+----------+--------+--------+ | ... | Slot N-1 | | Slot N | +-----+----------+--------+--------+ ^ ^ ^ ^ | | | | GFN A A+B | | A+B+C | A+B+C+D When userspace specifies a GFN in [A+B, A+B+C), it would expect to get the CMMA values of the first dirty page in Slot N. However, userspace may get a start_gfn of A+B+C+D with a count of 0, hence completely skipping over any dirty pages in slot N. The error is in kvm_s390_next_dirty_cmma(), which assumes gfn_to_memslot_approx() will return the memslot _below_ the specified GFN when the specified GFN lies outside a memslot. In reality it may return either the memslot below or above the specified GFN. When a memslot above the specified GFN is returned this happens: - ofs is calculated, but since the memslot's base_gfn is larger than the specified cur_gfn, ofs will underflow to a huge number. - ofs is passed to find_next_bit(). Since ofs will exceed the memslot's number of pages, the number of pages in the memslot is returned, completely skipping over all bits in the memslot userspace would be interested in. Fix this by resetting ofs to zero when a memslot _above_ cur_gfn is returned (cur_gfn < ms->base_gfn). Signed-off-by: Nico Boehr Reviewed-by: Claudio Imbrenda Fixes: afdad61615cc ("KVM: s390: Fix storage attributes migration with memory slots") Message-Id: <20230324145424.293889-2-nrb@linux.ibm.com> Signed-off-by: Claudio Imbrenda Signed-off-by: Janosch Frank Signed-off-by: Sasha Levin commit 908fa828b61f5bfbc105cc5ac0948d86d26a9111 Author: Chao Yu Date: Thu May 18 10:14:12 2023 +0800 f2fs: flush error flags in workqueue [ Upstream commit 901c12d144570ed2558f4a6806201453c5b01bea ] In IRQ context, it wakes up workqueue to record errors into on-disk superblock fields rather than in-memory fields. Fixes: 1aa161e43106 ("f2fs: fix scheduling while atomic in decompression path") Fixes: 95fa90c9e5a7 ("f2fs: support recording errors into superblock") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit bd519deaa2a3b678476fd7f99430ba508b525ed0 Author: Jaegeuk Kim Date: Fri May 5 12:16:54 2023 -0700 f2fs: fix the wrong condition to determine atomic context [ Upstream commit 633c8b9409f564ce4b7f7944c595ffac27ed1ff4 ] Should use !in_task for irq context. Cc: stable@vger.kernel.org Fixes: 1aa161e43106 ("f2fs: fix scheduling while atomic in decompression path") Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Stable-dep-of: 901c12d14457 ("f2fs: flush error flags in workqueue") Signed-off-by: Sasha Levin commit ed1d478bf838820201f3fb67a1748fdf15954ea4 Author: Chao Yu Date: Sun Apr 23 23:49:15 2023 +0800 f2fs: support errors=remount-ro|continue|panic mountoption [ Upstream commit b62e71be2110d8b52bf5faf3c3ed7ca1a0c113a5 ] This patch supports errors=remount-ro|continue|panic mount option for f2fs. f2fs behaves as below in three different modes: mode continue remount-ro panic access ops normal noraml N/A syscall errors -EIO -EROFS N/A mount option rw ro N/A pending dir write keep keep N/A pending non-dir write drop keep N/A pending node write drop keep N/A pending meta write keep keep N/A By default it uses "continue" mode. [Yangtao helps to clean up function's name] Signed-off-by: Yangtao Li Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Stable-dep-of: 901c12d14457 ("f2fs: flush error flags in workqueue") Signed-off-by: Sasha Levin commit 5619e9aabbd2b369cde2114ad6f55f6eb3e0b5be Author: Chao Yu Date: Tue May 23 14:17:25 2023 +0800 f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io() [ Upstream commit d8189834d4348ae608083e1f1f53792cfcc2a9bc ] butt3rflyh4ck reports a bug as below: When a thread always calls F2FS_IOC_RESIZE_FS to resize fs, if resize fs is failed, f2fs kernel thread would invoke callback function to update f2fs io info, it would call f2fs_write_end_io and may trigger null-ptr-deref in NODE_MAPPING. general protection fault, probably for non-canonical address KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] RIP: 0010:NODE_MAPPING fs/f2fs/f2fs.h:1972 [inline] RIP: 0010:f2fs_write_end_io+0x727/0x1050 fs/f2fs/data.c:370 bio_endio+0x5af/0x6c0 block/bio.c:1608 req_bio_endio block/blk-mq.c:761 [inline] blk_update_request+0x5cc/0x1690 block/blk-mq.c:906 blk_mq_end_request+0x59/0x4c0 block/blk-mq.c:1023 lo_complete_rq+0x1c6/0x280 drivers/block/loop.c:370 blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1101 __do_softirq+0x1d4/0x8ef kernel/softirq.c:571 run_ksoftirqd kernel/softirq.c:939 [inline] run_ksoftirqd+0x31/0x60 kernel/softirq.c:931 smpboot_thread_fn+0x659/0x9e0 kernel/smpboot.c:164 kthread+0x33e/0x440 kernel/kthread.c:379 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 The root cause is below race case can cause leaving dirty metadata in f2fs after filesystem is remount as ro: Thread A Thread B - f2fs_ioc_resize_fs - f2fs_readonly --- return false - f2fs_resize_fs - f2fs_remount - write_checkpoint - set f2fs as ro - free_segment_range - update meta_inode's data Then, if f2fs_put_super() fails to write_checkpoint due to readonly status, and meta_inode's dirty data will be writebacked after node_inode is put, finally, f2fs_write_end_io will access NULL pointer on sbi->node_inode. Thread A IRQ context - f2fs_put_super - write_checkpoint fails - iput(node_inode) - node_inode = NULL - iput(meta_inode) - write_inode_now - f2fs_write_meta_page - f2fs_write_end_io - NODE_MAPPING(sbi) : access NULL pointer on node_inode Fixes: b4b10061ef98 ("f2fs: refactor resize_fs to avoid meta updates in progress") Reported-by: butt3rflyh4ck Closes: https://lore.kernel.org/r/1684480657-2375-1-git-send-email-yangtiezhu@loongson.cn Tested-by: butt3rflyh4ck Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit e747ccff7a625d2c1b8f46837d1d8b886071ed49 Author: Chao Yu Date: Sun May 14 16:07:23 2023 +0800 f2fs: fix potential deadlock due to unpaired node_write lock use [ Upstream commit f082c6b205a06953f26c40bdc7621cc5a58ceb7c ] If S_NOQUOTA is cleared from inode during data page writeback of quota file, it may miss to unlock node_write lock, result in potential deadlock, fix to use the lock in paired. Kworker Thread - writepage if (IS_NOQUOTA()) f2fs_down_read(&sbi->node_write); - vfs_cleanup_quota_inode - inode->i_flags &= ~S_NOQUOTA; if (IS_NOQUOTA()) f2fs_up_read(&sbi->node_write); Fixes: 79963d967b49 ("f2fs: shrink node_write lock coverage") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 22cfc91c3be74fd04e660698ea3904a8f17287a1 Author: Bob Peterson Date: Mon Jun 12 12:26:23 2023 -0500 gfs2: Fix duplicate should_fault_in_pages() call [ Upstream commit c8ed1b35931245087968fd95b2ec3dfc50f77769 ] In gfs2_file_buffered_write(), we currently jump from the second call of function should_fault_in_pages() to above the first call, so should_fault_in_pages() is getting called twice in a row, causing it to accidentally fall back to single-page writes rather than trying the more efficient multi-page writes first. Fix that by moving the retry label to the correct place, behind the first call to should_fault_in_pages(). Fixes: e1fa9ea85ce8 ("gfs2: Stop using glock holder auto-demotion for now") Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher Signed-off-by: Sasha Levin commit af687d9ff1fde3b083a4aab2dafcd772c53ae992 Author: Sergey Shtylyov Date: Thu Jun 1 23:22:17 2023 +0300 sh: Avoid using IRQ0 on SH3 and SH4 [ Upstream commit a8ac2961148e8c720dc760f2e06627cd5c55a154 ] IRQ0 is no longer returned by platform_get_irq() and its ilk -- they now return -EINVAL instead. However, the kernel code supporting SH3/4-based SoCs still maps the IRQ #s starting at 0 -- modify that code to start the IRQ #s from 16 instead. The patch should mostly affect the AP-SH4A-3A/AP-SH4AD-0A boards as they indeed are using IRQ0 for the SMSC911x compatible Ethernet chip. Fixes: ce753ad1549c ("platform: finally disallow IRQ0 in platform_get_irq() and its ilk") Signed-off-by: Sergey Shtylyov Reviewed-by: Geert Uytterhoeven Tested-by: Geert Uytterhoeven Reviewed-by: John Paul Adrian Glaubitz Tested-by: John Paul Adrian Glaubitz Link: https://lore.kernel.org/r/71105dbf-cdb0-72e1-f9eb-eeda8e321696@omp.ru Signed-off-by: John Paul Adrian Glaubitz Signed-off-by: Sasha Levin commit de0737c975925f28866326a2ca74ff88d9bc7552 Author: Hans de Goede Date: Sun Jun 4 17:14:03 2023 +0100 media: atomisp: ov2680: Stop using half pixelclock for binned modes [ Upstream commit 7d45a432251a30ed0252655177e708229b163291 ] Stop using half pixelclock for binned modes this fixes: 1. The exposure being twice as high for binned mods (due to the half clk) 2. The framerate being 15 fps instead of 30 fps The original code with fixed per mode register lists did use half pixel clk, but this should be combined with using half for the VTS value too. Using half VTS fixes the framerate issue, but this has the undesired side-effect of change the exposure ctrl range (half the range, double the amount of exposure per step). Link: https://lore.kernel.org/r/20230604161406.69369-3-hdegoede@redhat.com Signed-off-by: Hans de Goede Reviewed-by: Andy Shevchenko Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c965ec6fdaf62ff65524efb50eb418a6c89cfcdf Author: Dan Carpenter Date: Fri May 26 12:53:23 2023 +0100 media: atomisp: gmin_platform: fix out_len in gmin_get_config_dsm_var() [ Upstream commit 1657f2934daf89e8d9fa4b2697008909eb22c73e ] Ideally, strlen(cur->string.pointer) and strlen(out) would be the same. But this code is using strscpy() to avoid a potential buffer overflow. So in the same way we should take the strlen() of the smaller string to avoid a buffer overflow in the caller, gmin_get_var_int(). Link: https://lore.kernel.org/r/26124bcd-8132-4483-9d67-225c87d424e8@kili.mountain Fixes: 387041cda44e ("media: atomisp: improve sensor detection code to use _DSM table") Signed-off-by: Dan Carpenter Signed-off-by: Hans de Goede Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a8778b236f6a26e8a7ad2deb1ff6b44f67a08284 Author: Hans de Goede Date: Thu May 18 15:15:07 2023 +0100 media: atomisp: gc0310: Fix double free in gc0310_remove() [ Upstream commit 2746a966f9f05fdb0727f4e1e8f2d51ec79e071d ] gc0310_remove() must not call kfree(dev) since the gc0310_device struct is devm managed so explicitly freeing it causes a double free. While at it add a missing mutex_destroy() call for the input_lock. Link: https://lore.kernel.org/r/20230518153214.194976-6-hdegoede@redhat.com Fixes: 340b4dd6c183 ("media: atomisp: gc0310: Use devm_kzalloc() for data struct") Reviewed-by: Andy Shevchenko Signed-off-by: Hans de Goede Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 924277579816a061e4d570e8021f3619f80351cf Author: Rikard Falkeborn Date: Sat Sep 12 20:03:01 2020 +0100 media: venus: helpers: Fix ALIGN() of non power of two [ Upstream commit 927e78ac8bc58155316cf6f46026e1912bbbbcfc ] ALIGN() expects its second argument to be a power of 2, otherwise incorrect results are produced for some inputs. The output can be both larger or smaller than what is expected. For example, ALIGN(304, 192) equals 320 instead of 384, and ALIGN(65, 192) equals 256 instead of 192. However, nestling two ALIGN() as is done in this case seem to only produce results equal to or bigger than the expected result if ALIGN() had handled non powers of two, and that in turn results in framesizes that are either the correct size or too large. Fortunately, since 192 * 4 / 3 equals 256, it turns out that one ALIGN() is sufficient. Fixes: ab1eda449c6e ("media: venus: vdec: handle 10bit bitstreams") Signed-off-by: Rikard Falkeborn Signed-off-by: Stanimir Varbanov Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 6b7d296b63f127a69b8ad62d85dc27369b5790d7 Author: Stephan Gerhold Date: Mon May 15 22:57:10 2023 +0200 mfd: rt5033: Drop rt5033-battery sub-device [ Upstream commit 43db1344e0f8c1eb687a1d6cd5b0de3009ab66cb ] The fuel gauge in the RT5033 PMIC (rt5033-battery) has its own I2C bus and interrupt lines. Therefore, it is not part of the MFD device and needs to be specified separately in the device tree. Fixes: 0b271258544b ("mfd: rt5033: Add Richtek RT5033 driver core.") Signed-off-by: Stephan Gerhold Signed-off-by: Jakob Hauser Reviewed-by: Linus Walleij Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/6a8a19bc67b5be3732882e8131ad2ffcb546ac03.1684182964.git.jahau@rocketmail.com Signed-off-by: Sasha Levin commit 7a34dc6dc1d04510fe0be2746548981d59492cdd Author: ChiYuan Huang Date: Thu Jun 1 14:24:36 2023 +0800 power: supply: rt9467: Make charger-enable control as logic level [ Upstream commit 5d80a86a99d524b0d89ff3906c6200b9f57b66f8 ] The current coding make 'charger-enable-gpio' control as real hardware level. This conflicts with the default binding example. For driver behavior, no need to use real hardware level, just logic level is enough. This change can make this flexibility keep in dts gpio active level about this pin. Fixes: 6f7f70e3a8dd ("power: supply: rt9467: Add Richtek RT9467 charger driver") Signed-off-by: ChiYuan Huang Reviewed-by: Krzysztof Kozlowski Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit d0674d07e4fb77f233a7d94ed3ed50394ba0646c Author: Mike Leach Date: Fri May 12 14:30:54 2023 +0100 coresight: etm4x: Fix missing trctraceidr file in sysfs [ Upstream commit 9f37d3798026f9a7447d851a2cb356610852e426 ] The trace ID patchset adjusted the handling of the TRCTRACEIDR register sysfs to allocate on read. Although this was initally correct, the final version of the patch series introduced an error which resulted in the mgmt/trctraceidr file in sysfs not being visible. This patch fixes that issue. Fixes: df4871204e5d ("coresight: etm4x: Update ETM4 driver to use Trace ID API") Reported-by: Junhao He Link: https://lists.linaro.org/archives/list/coresight@lists.linaro.org/thread/KK3CVVMRHJWVUORKMFJRSXYCEDFKENQJ/ Signed-off-by: Mike Leach Signed-off-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20230512133054.235073-1-mike.leach@linaro.org Signed-off-by: Sasha Levin commit bab5cd4fde9e19101d1722c05b1dc6f18dd03ac4 Author: James Clark Date: Tue Apr 25 15:35:28 2023 +0100 coresight: Fix loss of connection info when a module is unloaded [ Upstream commit c45b2835e7b205783bdfe08cc98fa86a7c5eeb74 ] child_fwnode should be a read only property based on the DT or ACPI. If it's cleared on the parent device when a child is unloaded, then when the child is loaded again the connection won't be remade. child_dev should be cleared instead which signifies that the connection should be remade when the child_fwnode registers a new coresight_device. Similarly the reference count shouldn't be decremented as long as the parent device exists. The correct place to drop the reference is in coresight_release_platform_data() which is already done. Reproducible on Juno with the following steps: # load all coresight modules. $ cd /sys/bus/coresight/devices/ $ echo 1 > tmc_etr0/enable_sink $ echo 1 > etm0/enable_source # Works fine ^ $ echo 0 > etm0/enable_source $ rmmod coresight-funnel $ modprobe coresight-funnel $ echo 1 > etm0/enable_source -bash: echo: write error: Invalid argument Fixes: 37ea1ffddffa ("coresight: Use fwnode handle instead of device names") Fixes: 2af89ebacf29 ("coresight: Clear the connection field properly") Tested-by: Suzuki K Poulose Reviewed-by: Mike Leach Signed-off-by: James Clark Signed-off-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20230425143542.2305069-2-james.clark@arm.com Signed-off-by: Sasha Levin commit 3d3a2307ff88a7cf61d9fb1a17b8e272d2373543 Author: Clark Wang Date: Wed May 17 11:30:29 2023 +0800 i3c: master: svc: fix cpu schedule in spin lock [ Upstream commit 33beadb3b1ab74e69db2c49d9663f3a93a273943 ] pm_runtime_resume_and_get() may call sleep(). It cannot be used in svc_i3c_master_start_xfer_locked(), because it is in a spin lock. Move the pm runtime operations to svc_i3c_master_enqueue_xfer(). Signed-off-by: Clark Wang Fixes: 05be23ef78f7 ("i3c: master: svc: add runtime pm support") Reviewed-by: Miquel Raynal Link: https://lore.kernel.org/r/20230517033030.3068085-2-xiaoning.wang@nxp.com Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 5d77a4114430c507699e527e035f1af555526275 Author: Yue Zhao Date: Thu May 4 00:29:44 2023 +0800 lkdtm: replace ll_rw_block with submit_bh [ Upstream commit b290df06811852d4cc36f4b8a2a30c2063197a74 ] Function ll_rw_block was removed in commit 79f597842069 ("fs/buffer: remove ll_rw_block() helper"). There is no unified function to sumbit read or write buffer in block layer for now. Consider similar sematics, we can choose submit_bh() to replace ll_rw_block() as predefined crash point. In submit_bh(), it also takes read or write flag as the first argument and invoke submit_bio() to submit I/O request to block layer. Fixes: 79f597842069 ("fs/buffer: remove ll_rw_block() helper") Signed-off-by: Yue Zhao Acked-by: Kees Cook Link: https://lore.kernel.org/r/20230503162944.3969-1-findns94@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 0c5631b11678409eabfa12cee8a4f972fb7cd309 Author: Muchun Song Date: Tue May 23 10:40:17 2023 +0800 kernfs: fix missing kernfs_idr_lock to remove an ID from the IDR [ Upstream commit 30480b988f88c279752f3202a26b6fee5f586aef ] The root->ino_idr is supposed to be protected by kernfs_idr_lock, fix it. Fixes: 488dee96bb62 ("kernfs: allow creating kernfs objects with arbitrary uid/gid") Signed-off-by: Muchun Song Acked-by: Tejun Heo Link: https://lore.kernel.org/r/20230523024017.24851-1-songmuchun@bytedance.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit fc52289156d78e427052b22386c46070110535c2 Author: John Ogness Date: Thu May 25 11:37:58 2023 +0206 serial: 8250: lock port for UART_IER access in omap8250_irq() [ Upstream commit 25614735a647693c1260f253dc3ab32127697806 ] omap8250_irq() accesses UART_IER. This register is modified twice by each console write (serial8250_console_write()) under the port lock. omap8250_irq() must also take the port lock to guanentee synchronized access to UART_IER. Since the port lock is already being taken for the stop_rx() callback and since it is safe to call cancel_delayed_work() while holding the port lock, simply extend the port lock region to include UART_IER access. Fixes: 1fe0e1fa3209 ("serial: 8250_omap: Handle optional overrun-throttle-ms property") Signed-off-by: John Ogness Reviewed-by: Tony Lindgren Link: https://lore.kernel.org/r/20230525093159.223817-8-john.ogness@linutronix.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ce73b6f8d92d91dbdce315a685c85f880543d1d8 Author: John Ogness Date: Thu May 25 11:37:55 2023 +0206 serial: core: lock port for start_rx() in uart_resume_port() [ Upstream commit 51e45fba14bf08b66bca764a083c7f2e2ff62f01 ] The only user of the start_rx() callback (qcom_geni) directly calls its own stop_rx() callback. Since stop_rx() requires that the port->lock is taken and interrupts are disabled, the start_rx() callback has the same requirement. Fixes: cfab87c2c271 ("serial: core: Introduce callback for start_rx and do stop_rx in suspend only if this callback implementation is present.") Signed-off-by: John Ogness Reviewed-by: Douglas Anderson Link: https://lore.kernel.org/r/20230525093159.223817-5-john.ogness@linutronix.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 27cd11322f9dfdd2d168052bb27e0e93a7c8bd1b Author: John Ogness Date: Thu May 25 11:37:54 2023 +0206 serial: 8250: lock port for stop_rx() in omap8250_irq() [ Upstream commit ca73a892c5bec4b08a2fa22b3015e98ed905abb7 ] The uarts_ops stop_rx() callback expects that the port->lock is taken and interrupts are disabled. Fixes: 1fe0e1fa3209 ("serial: 8250_omap: Handle optional overrun-throttle-ms property") Signed-off-by: John Ogness Reviewed-by: Tony Lindgren Link: https://lore.kernel.org/r/20230525093159.223817-4-john.ogness@linutronix.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ece78f66a948741b1b0bca6536285fa6a74b9cc2 Author: John Ogness Date: Thu May 25 11:37:53 2023 +0206 serial: core: lock port for stop_rx() in uart_suspend_port() [ Upstream commit abcb0cf1f5b2d99b1d117a4dbce334120e358d6d ] The uarts_ops stop_rx() callback expects that the port->lock is taken and interrupts are disabled. Fixes: c9d2325cdb92 ("serial: core: Do stop_rx in suspend path for console if console_suspend is disabled") Signed-off-by: John Ogness Reviewed-by: Douglas Anderson Link: https://lore.kernel.org/r/20230525093159.223817-3-john.ogness@linutronix.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a44696977dd3df53b4e2e8d21fec63d345dea8ce Author: Bhupesh Sharma Date: Thu May 18 02:47:51 2023 +0530 usb: misc: eud: Fix eud sysfs path (use 'qcom_eud') [ Upstream commit f16135918b5f8b510db014ecf0a069e34c02382e ] The eud sysfs enablement path is currently mentioned in the Documentation as: /sys/bus/platform/drivers/eud/.../enable Instead it should be: /sys/bus/platform/drivers/qcom_eud/.../enable Fix the same. Fixes: 9a1bf58ccd44 ("usb: misc: eud: Add driver support for Embedded USB Debugger(EUD)") Reviewed-by: Konrad Dybcio Acked-by: Manivannan Sadhasivam Signed-off-by: Bhupesh Sharma Link: https://lore.kernel.org/r/20230517211756.2483552-2-bhupesh.sharma@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f996b241c925ec2baac8498474f746e23dd8c5d6 Author: Arnd Bergmann Date: Tue May 16 22:17:42 2023 +0200 usb: hide unused usbfs_notify_suspend/resume functions [ Upstream commit 8e6bd945e6dde64fbc60ec3fe252164493a8d3a2 ] The declaration is in an #ifdef, which causes warnings when building with 'make W=1' and without CONFIG_PM: drivers/usb/core/devio.c:742:6: error: no previous prototype for 'usbfs_notify_suspend' drivers/usb/core/devio.c:747:6: error: no previous prototype for 'usbfs_notify_resume' Use the same #ifdef check around the function definitions to avoid the warnings and slightly shrink the USB core. Fixes: 7794f486ed0b ("usbfs: Add ioctls for runtime power management") Signed-off-by: Arnd Bergmann Reviewed-by: Sebastian Reichel Acked-by: Alan Stern Link: https://lore.kernel.org/r/20230516202103.558301-1-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 38dbd6f72bfbeba009efe0e9ec1f3ff09f9e23fa Author: Li Yang Date: Thu Apr 20 22:08:31 2023 +0800 usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe() [ Upstream commit 342161c11403ea00e9febc16baab1d883d589d04 ] Smatch reports: drivers/usb/phy/phy-tahvo.c: tahvo_usb_probe() warn: missing unwind goto? After geting irq, if ret < 0, it will return without error handling to free memory. Just add error handling to fix this problem. Fixes: 0d45a1373e66 ("usb: phy: tahvo: add IRQ check") Signed-off-by: Li Yang Reviewed-by: Dongliang Mu Link: https://lore.kernel.org/r/20230420140832.9110-1-lidaxian@hust.edu.cn Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 95a99cac3dad20bca409a781eb2a52a8abeb58f9 Author: Andy Shevchenko Date: Wed Mar 22 16:39:53 2023 +0200 extcon: Fix kernel doc of property capability fields to avoid warnings [ Upstream commit 73346b9965ebda2feb7fef8629e9b28baee820e3 ] Kernel documentation has to be synchronized with a code, otherwise the validator is not happy: Function parameter or member 'usb_bits' not described in 'extcon_cable' Function parameter or member 'chg_bits' not described in 'extcon_cable' Function parameter or member 'jack_bits' not described in 'extcon_cable' Function parameter or member 'disp_bits' not described in 'extcon_cable' Describe the fields added in the past. Fixes: ceaa98f442cf ("extcon: Add the support for the capability of each property") Signed-off-by: Andy Shevchenko Signed-off-by: Chanwoo Choi Signed-off-by: Sasha Levin commit adae2c1a68e61fe57ae655c4bb852e3c156cbcae Author: Andy Shevchenko Date: Wed Mar 22 16:39:52 2023 +0200 extcon: Fix kernel doc of property fields to avoid warnings [ Upstream commit 7e77e0b7a9f4cdf91cb0950749b40c840ea63efc ] Kernel documentation has to be synchronized with a code, otherwise the validator is not happy: Function parameter or member 'usb_propval' not described in 'extcon_cable' Function parameter or member 'chg_propval' not described in 'extcon_cable' Function parameter or member 'jack_propval' not described in 'extcon_cable' Function parameter or member 'disp_propval' not described in 'extcon_cable' Describe the fields added in the past. Fixes: 067c1652e7a7 ("extcon: Add the support for extcon property according to extcon type") Signed-off-by: Andy Shevchenko Signed-off-by: Chanwoo Choi Signed-off-by: Sasha Levin commit 374447e3367767156405bedd230c5d391f4b7962 Author: Prashanth K Date: Fri May 5 14:48:37 2023 +0530 usb: gadget: u_serial: Add null pointer check in gserial_suspend [ Upstream commit 2f6ecb89fe8feb2b60a53325b0eeb9866d88909a ] Consider a case where gserial_disconnect has already cleared gser->ioport. And if gserial_suspend gets called afterwards, it will lead to accessing of gser->ioport and thus causing null pointer dereference. Avoid this by adding a null pointer check. Added a static spinlock to prevent gser->ioport from becoming null after the newly added null pointer check. Fixes: aba3a8d01d62 ("usb: gadget: u_serial: add suspend resume callbacks") Signed-off-by: Prashanth K Link: https://lore.kernel.org/r/1683278317-11774-1-git-send-email-quic_prashk@quicinc.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 134a7d4642f11daed6bbc378f930a54dd0322291 Author: Vladislav Efanov Date: Wed May 17 20:25:18 2023 +0300 usb: dwc3: qcom: Fix potential memory leak [ Upstream commit 097fb3ee710d4de83b8d4f5589e8ee13e0f0541e ] Function dwc3_qcom_probe() allocates memory for resource structure which is pointed by parent_res pointer. This memory is not freed. This leads to memory leak. Use stack memory to prevent memory leak. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 2bc02355f8ba ("usb: dwc3: qcom: Add support for booting with ACPI") Signed-off-by: Vladislav Efanov Acked-by: Shawn Guo Link: https://lore.kernel.org/r/20230517172518.442591-1-VEfanov@ispras.ru Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit fefce5299e6487087b80938c42a2b9bf54089b2d Author: Krzysztof Kozlowski Date: Wed May 17 18:37:50 2023 +0200 soundwire: debugfs: fix unbalanced pm_runtime_put() [ Upstream commit 217f5e0de397fafc94d25a8f7baf71920bea4a04 ] If pm_runtime_resume_and_get() failed with -EACCES, the driver continued execution and finally called pm_runtime_put_autosuspend(). Since pm_runtime_resume_and_get() drops the usage counter on every error, this lead to double decrement of that counter. Fixes: b275bf45ba1d ("soundwire: debugfs: Switch to sdw_read_no_pm") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20230517163750.997629-2-krzysztof.kozlowski@linaro.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 7c30688e34267c7f7259a29a912eca35efc369a0 Author: Krzysztof Kozlowski Date: Wed May 17 18:37:49 2023 +0200 soundwire: qcom: fix unbalanced pm_runtime_put() [ Upstream commit 9f9914b178a7935d2d94ee3e1bf55f2b42b18528 ] This reverts commit 57ed510b0547 ("soundwire: qcom: use pm_runtime_resume_and_get()") which introduced unbalanced pm_runtime_put(), when device did not have runtime PM enabled. If pm_runtime_resume_and_get() failed with -EACCES, the driver continued execution and finally called pm_runtime_put_autosuspend(). Since pm_runtime_resume_and_get() drops the usage counter on every error, this lead to double decrement of that counter visible in certain debugfs actions on unattached devices (still in reset state): $ cat /sys/kernel/debug/soundwire/master-0-0/sdw:0:0217:f001:00:0/registers qcom-soundwire 3210000.soundwire-controller: swrm_wait_for_wr_fifo_avail err write overflow soundwire sdw-master-0: trf on Slave 1 failed:-5 read addr e36 count 1 soundwire sdw:0:0217:f001:00:0: Runtime PM usage count underflow! Fixes: 57ed510b0547 ("soundwire: qcom: use pm_runtime_resume_and_get()") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20230517163750.997629-1-krzysztof.kozlowski@linaro.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 0522fce83630f352af34100298e48f7d8a0ccea3 Author: Krzysztof Kozlowski Date: Tue Apr 18 11:54:44 2023 +0200 soundwire: qcom: use consistently 'ctrl' as state variable name [ Upstream commit 6f76e79153d588ebb00becbfc200ec3b983e353e ] The pointer to 'struct qcom_swrm_ctrl' was called sometimes 'swrm' and sometimes 'ctrl' variable. Choose one - 'ctrl' - so the code will be consistent and easier to read. No functional change. Reviewed-by: Srinivas Kandagagatla Tested-by: Srinivas Kandagagatla Reviewed-by: Konrad Dybcio Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20230418095447.577001-5-krzysztof.kozlowski@linaro.org Signed-off-by: Vinod Koul Stable-dep-of: 9f9914b178a7 ("soundwire: qcom: fix unbalanced pm_runtime_put()") Signed-off-by: Sasha Levin commit bbd3421a615952c3acbd9a62344c8a36eb6312b4 Author: Arnd Bergmann Date: Tue May 16 22:25:55 2023 +0200 staging: vchiq_arm: mark vchiq_platform_init() static [ Upstream commit e152c58d7a48194d6b530d8e004d650fd01568b6 ] This function has no callers from other files, and the declaration was removed a while ago, causing a W=1 warning: drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c:465:5: error: no previous prototype for 'vchiq_platform_init' Marking it static solves this problem but introduces a new warning since gcc determines that 'g_fragments_base' is never initialized in some kernel configurations: In file included from include/linux/string.h:254, from include/linux/bitmap.h:11, from include/linux/cpumask.h:12, from include/linux/mm_types_task.h:14, from include/linux/mm_types.h:5, from include/linux/buildid.h:5, from include/linux/module.h:14, from drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c:8: In function 'memcpy_to_page', inlined from 'free_pagelist' at drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c:433:4: include/linux/fortify-string.h:57:33: error: argument 2 null where non-null expected [-Werror=nonnull] include/linux/highmem.h:427:9: note: in expansion of macro 'memcpy' 427 | memcpy(to + offset, from, len); | ^~~~~~ Add a NULL pointer check for this in addition to the static annotation to avoid both. Fixes: 89cc4218f640 ("staging: vchiq_arm: drop unnecessary declarations") Signed-off-by: Arnd Bergmann Reviewed-by: Florian Fainelli Reviewed-by: Umang Jain Link: https://lore.kernel.org/r/20230516202603.560554-1-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f8f7fdbece4871642c6141cc5ca4233baf983205 Author: Dmitry Baryshkov Date: Sun May 7 20:53:34 2023 +0300 clk: qcom: mmcc-msm8974: use clk_rcg2_shared_ops for mdp_clk_src clock [ Upstream commit 8fd492e77ff71f68f7311c22f7bc960182465cd7 ] The mdp_clk_src clock should not be turned off. Instead it should be 'parked' to the XO, as most of other mdp_clk_src clocks. Fix that by using the clk_rcg2_shared_ops. Fixes: d8b212014e69 ("clk: qcom: Add support for MSM8974's multimedia clock controller (MMCC)") Signed-off-by: Dmitry Baryshkov Tested-by: Luca Weiss Acked-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230507175335.2321503-1-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit 240e128ad423a3999bb69104b02ee86f95e5b2bb Author: Kathiravan T Date: Mon Apr 17 16:26:07 2023 +0530 clk: qcom: ipq5332: fix the order of SLEEP_CLK and XO clock [ Upstream commit 7510e80f4ac707efc7e964120525ef759a02f171 ] The order of DT_SLEEP_CLK and DT_XO are swapped and it is incorrect. Due to which the clocks for which the parent should be XO is having parent as SLEEP_CLK and vice versa. So fix the same by re-ordering the entries. Fixes: 3d89d52970fd ("clk: qcom: add Global Clock controller (GCC) driver for IPQ5332 SoC") Reported-by: Devi Priya Signed-off-by: Kathiravan T Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230417105607.4091-1-quic_kathirav@quicinc.com Signed-off-by: Sasha Levin commit 0dd0f81ce2897768a7ac60cb6798c481bcc50802 Author: Kathiravan T Date: Mon Apr 17 10:13:42 2023 +0530 clk: qcom: ipq5332: fix the src parameter in ftbl_gcc_apss_axi_clk_src [ Upstream commit 81c1ef89a45eccd5603f1e27e281d14fefcb81f9 ] 480MHz is derived from P_GPLL4_OUT_AUX not from P_GPLL4_OUT_MAIN. Update the freq_tbl with the correct src. Fixes: 3d89d52970fd ("clk: qcom: add Global Clock controller (GCC) driver for IPQ5332 SoC") Reported-by: Manikanta Mylavarapu Signed-off-by: Kathiravan T Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230417044342.9406-1-quic_kathirav@quicinc.com Signed-off-by: Sasha Levin commit 6e4b73d1bcf41d763daa5f7e1cb8bd0a33370096 Author: Konrad Dybcio Date: Fri Apr 14 13:06:36 2023 +0200 clk: qcom: dispcc-qcm2290: Fix GPLL0_OUT_DIV handling [ Upstream commit 63d56adf04b5795e54440dc5b7afddecb2966863 ] GPLL0_OUT_DIV (.fw_name = "gcc_disp_gpll0_div_clk_src") was previously made to reuse the same parent enum entry as GPLL0_OUT_MAIN (.fw_name = "gcc_disp_gpll0_clk_src") in parent_map_2. Resolve it by introducing its own entry in the parent enum and correctly assigning it in disp_cc_parent_map_2[]. Fixes: cc517ea3333f ("clk: qcom: Add display clock controller driver for QCM2290") Signed-off-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230412-topic-qcm_dispcc-v2-2-bce7dd512fe4@linaro.org Signed-off-by: Sasha Levin commit fed34a3f078144e114820891a2c1be0405daeb0a Author: Konrad Dybcio Date: Fri Apr 14 13:06:35 2023 +0200 clk: qcom: dispcc-qcm2290: Fix BI_TCXO_AO handling [ Upstream commit 92dfee0fc889b5b00ffb6b1de87ce64c483bcb7b ] BI_TCXO_AO (.fw_name = "bi_tcxo_ao") was previously made to reuse the same parent enum entry as BI_TCXO (.fw_name = "bi_tcxo") in parent_map_2. Resolve it by introducing its own entry in the parent enum and correctly assigning it in disp_cc_parent_map_2[]. Fixes: cc517ea3333f ("clk: qcom: Add display clock controller driver for QCM2290") Signed-off-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230412-topic-qcm_dispcc-v2-1-bce7dd512fe4@linaro.org Signed-off-by: Sasha Levin commit 262bbc8ea9ba973ea6a298338581b55d7a0f319f Author: Robert Marko Date: Fri May 26 21:08:55 2023 +0200 clk: qcom: ipq6018: fix networking resets [ Upstream commit 349b5bed539b491b7894a5186a895751fd8ba6c7 ] Networking resets in IPQ6018 all use bitmask as they require multiple bits to be set and cleared instead of a single bit. So, current networking resets have the same register and bit 0 set which is clearly incorrect. Fixes: d9db07f088af ("clk: qcom: Add ipq6018 Global Clock Controller support") Signed-off-by: Robert Marko Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230526190855.2941291-2-robimarko@gmail.com Signed-off-by: Sasha Levin commit 0270c9d68ce46736f65ca38864ad9458394ded0e Author: Yunfei Dong Date: Thu May 25 02:40:07 2023 +0100 media: mediatek: vcodec: using decoder status instead of core work count [ Upstream commit 2864e304faec04c2674328aad0e820a9cd84cdec ] Adding the definition of decoder status to separate different decoder period for core hardware. core_work_cnt is the number of core work queued to work queue, the control is very complex, leading to some unreasonable test result. Using parameter status to indicate whether queue core work to work queue. Fixes: 2e0ef56d81cb ("media: mediatek: vcodec: making sure queue_work successfully") Signed-off-by: Yunfei Dong Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c5dcd7a19f1ed8fe98384f3a9444c7c53befd74e Author: Martin Kepplinger Date: Tue Apr 25 11:47:47 2023 +0200 media: hi846: fix usage of pm_runtime_get_if_in_use() [ Upstream commit 04fc06f6dc1592ed5d675311ac50d8fba5db62ab ] pm_runtime_get_if_in_use() does not only return nonzero values when the device is in use, it can return a negative errno too. And especially during resuming from system suspend, when runtime pm is not yet up again, -EAGAIN is being returned, so the subsequent pm_runtime_put() call results in a refcount underflow. Fix system-resume by handling -EAGAIN of pm_runtime_get_if_in_use(). Signed-off-by: Martin Kepplinger Fixes: e8c0882685f9 ("media: i2c: add driver for the SK Hynix Hi-846 8M pixel camera") Signed-off-by: Sakari Ailus Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 7429f5f2a830f6a4f3efcaa41d16007e0afdbb35 Author: Geert Uytterhoeven Date: Wed Apr 26 12:18:24 2023 +0200 media: renesas: fdp1: Identify R-Car Gen2 versions [ Upstream commit 59a95979638664a905cd46845e7cac1b3ff942f7 ] On R-Car M2-W: rcar_fdp1 fe940000.fdp1: FDP1 Unidentifiable (0x02010101) rcar_fdp1 fe944000.fdp1: FDP1 Unidentifiable (0x02010101) Although the IP Internal Data Register on R-Car Gen2 is documented to contain all zeros, the actual register contents seem to match the FDP1 version ID of R-Car H3 ES1.*, which has just been removed. Fortunately this version is not used for any other purposes yet. Fix this by re-adding the ID, now using an R-Car Gen2-specific name. Fixes: af4273b43f2b ("media: renesas: fdp1: remove R-Car H3 ES1.* handling") Signed-off-by: Geert Uytterhoeven Reviewed-by: Wolfram Sang Reviewed-by: Laurent Pinchart Reviewed-by: Kieran Bingham Signed-off-by: Sakari Ailus Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 875e2e156c061ad177a73cf7213bc5a4fec3cc25 Author: Daniel Scally Date: Tue May 2 11:35:46 2023 +0100 media: i2c: Correct format propagation for st-mipid02 [ Upstream commit 306c3190b30d4d6a098888b9d7d4cefaa0ddcb91 ] Format propagation in the st-mipid02 driver is incorrect in that when setting format for V4L2_SUBDEV_FORMAT_TRY on the source pad, the _active_ rather than _try_ format from the sink pad is propagated. This causes problems with format negotiation - update the function to propagate the correct format. Fixes: 642bb5e88fed ("media: st-mipid02: MIPID02 CSI-2 to PARALLEL bridge driver") Signed-off-by: Daniel Scally Signed-off-by: Sakari Ailus Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit b98186af3bf8dec7fed5e897d86595257a53d38f Author: Dan Carpenter Date: Wed Feb 22 16:59:51 2023 +0300 media: i2c: imx296: fix error checking in imx296_read_temperature() [ Upstream commit 1b3565dbc6aa124f34674e3dcf6966f663817e05 ] The "& IMX296_TMDOUT_MASK" means that "tmdout" can't be negative so the error checking will not work. Fixes: cb33db2b6ccf ("media: i2c: IMX296 camera sensor driver") Signed-off-by: Dan Carpenter Reviewed-by: Laurent Pinchart Signed-off-by: Sakari Ailus Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit ae65238d3f5a2df48341a7112820e04fb1017422 Author: Duoming Zhou Date: Tue May 23 07:59:32 2023 +0800 media: usb: siano: Fix warning due to null work_func_t function pointer [ Upstream commit 6f489a966fbeb0da63d45c2c66a8957eab604bf6 ] The previous commit ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb") adds cancel_work_sync() in smsusb_stop_streaming(). But smsusb_stop_streaming() may be called, even if the work_struct surb->wq has not been initialized. As a result, the warning will occur. One of the processes that could lead to warning is shown below: smsusb_probe() smsusb_init_device() if (!dev->in_ep || !dev->out_ep || align < 0) { smsusb_term_device(intf); smsusb_stop_streaming() cancel_work_sync(&dev->surbs[i].wq); __cancel_work_timer() __flush_work() if (WARN_ON(!work->func)) // work->func is null The log reported by syzbot is shown below: WARNING: CPU: 0 PID: 897 at kernel/workqueue.c:3066 __flush_work+0x798/0xa80 kernel/workqueue.c:3063 Modules linked in: CPU: 0 PID: 897 Comm: kworker/0:2 Not tainted 6.2.0-rc1-syzkaller #0 RIP: 0010:__flush_work+0x798/0xa80 kernel/workqueue.c:3066 ... RSP: 0018:ffffc9000464ebf8 EFLAGS: 00010246 RAX: 1ffff11002dbb420 RBX: 0000000000000021 RCX: 1ffffffff204fa4e RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888016dda0e8 RBP: ffffc9000464ed98 R08: 0000000000000001 R09: ffffffff90253b2f R10: 0000000000000001 R11: 0000000000000000 R12: ffff888016dda0e8 R13: ffff888016dda0e8 R14: ffff888016dda100 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffd4331efe8 CR3: 000000000b48e000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3160 smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline] smsusb_term_device+0xda/0x2d0 drivers/media/usb/siano/smsusb.c:344 smsusb_init_device+0x400/0x9ce drivers/media/usb/siano/smsusb.c:419 smsusb_probe+0xbbd/0xc55 drivers/media/usb/siano/smsusb.c:567 ... This patch adds check before cancel_work_sync(). If surb->wq has not been initialized, the cancel_work_sync() will not be executed. Reported-by: syzbot+27b0b464864741b18b99@syzkaller.appspotmail.com Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb") Signed-off-by: Duoming Zhou Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 1b66bd39af616c16d86d134798c945609dd28d82 Author: Marek Vasut Date: Thu May 18 15:36:49 2023 +0200 media: videodev2.h: Fix struct v4l2_input tuner index comment [ Upstream commit 26ae58f65e64fa7ba61d64bae752e59e08380c6a ] VIDIOC_ENUMINPUT documentation describes the tuner field of struct v4l2_input as index: Documentation/userspace-api/media/v4l/vidioc-enuminput.rst " * - __u32 - ``tuner`` - Capture devices can have zero or more tuners (RF demodulators). When the ``type`` is set to ``V4L2_INPUT_TYPE_TUNER`` this is an RF connector and this field identifies the tuner. It corresponds to struct :c:type:`v4l2_tuner` field ``index``. For details on tuners see :ref:`tuner`. " Drivers I could find also use the 'tuner' field as an index, e.g.: drivers/media/pci/bt8xx/bttv-driver.c bttv_enum_input() drivers/media/usb/go7007/go7007-v4l2.c vidioc_enum_input() However, the UAPI comment claims this field is 'enum v4l2_tuner_type': include/uapi/linux/videodev2.h This field being 'enum v4l2_tuner_type' is unlikely as it seems to be never used that way in drivers, and documentation confirms it. It seem this comment got in accidentally in the commit which this patch fixes. Fix the UAPI comment to stop confusion. This was pointed out by Dmitry while reviewing VIDIOC_ENUMINPUT support for strace. Fixes: 6016af82eafc ("[media] v4l2: use __u32 rather than enums in ioctl() structs") Signed-off-by: Marek Vasut Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 8351261ab42aef9a1fee6a36fef598d0add48f4f Author: Ming Qian Date: Sat May 6 16:47:35 2023 +0800 media: amphion: initiate a drain of the capture queue in dynamic resolution change [ Upstream commit 076b6289b2c12d76fab248659896682830fa7766 ] The last buffer from before the change must be marked with the V4L2_BUF_FLAG_LAST flag, similarly to the Drain sequence above. initiate a drain of the capture queue in dynamic resolution change Fixes: 6de8d628df6e ("media: amphion: add v4l2 m2m vpu decoder stateful driver") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 30f900102b5edf43be4715cba0c15e15a8841bfc Author: Daniel Lundberg Pedersen Date: Mon May 1 16:57:06 2023 +0200 media: videodev2.h: Fix p_s32 and p_s64 pointer types [ Upstream commit 3f6375a2d1956739c6c8ffa3a862c9278d346940 ] Use the intended pointer types for p_s32 and p_64 in the union of the struct v4l2_ext_control. Fixes: e77eb66342c7 ("videodev2.h: add p_s32 and p_s64 pointers") Signed-off-by: Daniel Lundberg Pedersen Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 5916e82dfc848e9ec18f310695aeb80b5445264a Author: Christophe JAILLET Date: Tue Apr 25 15:25:46 2023 +0200 media: common: saa7146: Avoid a leak in vmalloc_to_sg() [ Upstream commit b2aa8ac6f97e26d788948fb60dcc5625c9633f4e ] Commit in Fixes turned a BUG() into a "normal" memory allocation failure. While at it, it introduced a memory leak. So fix it. Also update the comment on top of the function to reflect what has been change by the commit in Fixes. Fixes: 40e986c99624 ("media: common: saa7146: replace BUG_ON by WARN_ON") Signed-off-by: Christophe JAILLET Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit c67eaaaa7d8c155283b107fbad0af8ebdb77a8eb Author: Ming Qian Date: Fri Apr 14 09:55:43 2023 +0800 media: amphion: drop repeated codec data for vc1g format [ Upstream commit e1d2ccc2cdd6333584aa3d5386dc667d0837c48f ] For format V4L2_PIX_FMT_VC1_ANNEX_G, the separate codec data is required only once. The repeated codec data may introduce some decoding error. so drop the repeated codec data. It's amphion vpu's limitation Fixes: e670f5d672ef ("media: amphion: only insert the first sequence startcode for vc1l format") Signed-off-by: Ming Qian Tested-by: xiahong.bao Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit a129ec24f469b96fece9c9c9399e5e23d8cd0858 Author: Ming Qian Date: Fri Apr 14 09:55:42 2023 +0800 media: amphion: drop repeated codec data for vc1l format [ Upstream commit 668ee1a3a1870381225002c246972419b98e4253 ] For format V4L2_PIX_FMT_VC1_ANNEX_L, the codec data is replaced with startcode, and then driver drop it, otherwise it may led to decoding error. It's amphion vpu's limitation Driver has dropped the first codec data, but need to drop the repeated codec data too. Fixes: e670f5d672ef ("media: amphion: only insert the first sequence startcode for vc1l format") Signed-off-by: Ming Qian Tested-by: xiahong.bao Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit e8d76e4680c25ad829a9c5aec5c59f8e14257285 Author: Daniil Dulov Date: Tue Mar 14 10:04:49 2023 -0700 media: usb: Check az6007_read() return value [ Upstream commit fdaca63186f59fc664b346c45b76576624b48e57 ] If az6007_read() returns error, there is no sence to continue. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 3af2f4f15a61 ("[media] az6007: Change the az6007 read/write routine parameter") Signed-off-by: Daniil Dulov Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit f17af9387102ea589db6ccadcc0a1fa3a07564cf Author: Konrad Dybcio Date: Mon Apr 3 19:48:07 2023 +0200 clk: qcom: gcc-qcm2290: Mark RCGs shared where applicable [ Upstream commit 7bf654a0d95e75b415f454e10627309d650762d0 ] The vast majority of shared RCGs were not marked as such. Fix it. Fixes: 496d1a13d405 ("clk: qcom: Add Global Clock Controller driver for QCM2290") Signed-off-by: Konrad Dybcio Acked-by: Shawn Guo Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230403174807.345185-1-konrad.dybcio@linaro.org Signed-off-by: Sasha Levin commit 9846d09ed695b6b8dcfa556681458a184ebbc2a7 Author: Mantas Pucka Date: Tue Apr 25 12:11:49 2023 +0300 clk: qcom: gcc-ipq6018: Use floor ops for sdcc clocks [ Upstream commit 56e5ae0116aef87273cf1812d608645b076e4f02 ] SDCC clocks must be rounded down to avoid overclocking the controller. Fixes: d9db07f088af ("clk: qcom: Add ipq6018 Global Clock Controller support") Signed-off-by: Mantas Pucka Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/1682413909-24927-1-git-send-email-mantas@8devices.com Signed-off-by: Sasha Levin commit f2bbe499787a0866ca071430cab310a1c45ea5b4 Author: Taniya Das Date: Mon May 1 19:59:32 2023 +0530 clk: qcom: camcc-sc7180: Add parent dependency to all camera GDSCs [ Upstream commit 3e4d179532423f299554cd0dedabdd9d2fdd238d ] Camera titan top GDSC is a parent supply to all other camera GDSCs. Titan top GDSC is required to be enabled before enabling any other camera GDSCs and it should be disabled only after all other camera GDSCs are disabled. Ensure this behavior by marking titan top GDSC as parent of all other camera GDSCs. Fixes: 15d09e830bbc ("clk: qcom: camcc: Add camera clock controller driver for SC7180") Signed-off-by: Taniya Das Acked-by: Stephen Boyd Reviewed-by: Bryan O'Donoghue Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230501142932.13049-1-quic_tdas@quicinc.com Signed-off-by: Sasha Levin commit 63d99af987f33de8fdb4e2cb0f25e70d4478f5ff Author: Dmitry Baryshkov Date: Mon May 8 18:33:19 2023 +0300 clk: qcom: mmcc-msm8974: remove oxili_ocmemgx_clk [ Upstream commit 853c064b57491d739bfd0cc35ff75c5ea9c5e8f5 ] After the internal discussions, it looks like this clock is managed by RPM itself. Linux kernel should not touch it on its own, as this causes disagreement with RPM. Shutting down this clock causes the OCMEM<->GPU interface to stop working, resulting in GPU hangchecks/timeouts. Fixes: d8b212014e69 ("clk: qcom: Add support for MSM8974's multimedia clock controller (MMCC)") Suggested-by: Konrad Dybcio Signed-off-by: Dmitry Baryshkov Tested-by: Luca Weiss Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230508153319.2371645-1-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit 4b91e2516b316abb765aaf65f7190c4c3236f827 Author: Kathiravan T Date: Mon May 8 22:01:45 2023 +0530 clk: qcom: gcc: ipq5332: Use floor ops for SDCC clocks [ Upstream commit a30e62bf6bf4d3230fa9164c7e174e32b9be7ba5 ] SDCC clocks must be rounded down to avoid overclocking the controller. Fixes: 3d89d52970fd ("clk: qcom: add Global Clock controller (GCC) driver for IPQ5332 SoC") Signed-off-by: Kathiravan T Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230508163145.9678-1-quic_kathirav@quicinc.com Signed-off-by: Sasha Levin commit 9ccc3c166ba2c9e034f0c3762d0557b9e314d837 Author: Konrad Dybcio Date: Fri Apr 7 22:14:49 2023 +0200 interconnect: qcom: rpm: Don't use clk_get_optional for bus clocks anymore [ Upstream commit 1ff7aedcdcdd4fe02201269ab428b09491e5cf6e ] Commit dd42ec8ea5b9 ("interconnect: qcom: rpm: Use _optional func for provider clocks") relaxed the requirements around probing bus clocks. This was a decent solution for making sure MSM8996 would still boot with old DTs, but now that there's a proper fix in place that both old and new DTs will be happy about, revert back to the safer variant of the function. Fixes: dd42ec8ea5b9 ("interconnect: qcom: rpm: Use _optional func for provider clocks") Signed-off-by: Konrad Dybcio Link: https://lore.kernel.org/r/20230228-topic-qos-v8-7-ee696a2c15a9@linaro.org Signed-off-by: Georgi Djakov Signed-off-by: Sasha Levin commit 49a1c6023a07f3eba3f033b1ca0dcdd250c0414f Author: Konrad Dybcio Date: Fri Apr 7 22:14:44 2023 +0200 interconnect: qcom: rpm: Rename icc provider num_clocks to num_bus_clocks [ Upstream commit 1a12928e25627e02126ad2d1c12cfdba79d6bd94 ] In preparation for handling non-scaling clocks that we still have to enable, rename num_clocks to more descriptive num_bus_clocks. Signed-off-by: Konrad Dybcio Link: https://lore.kernel.org/r/20230228-topic-qos-v8-2-ee696a2c15a9@linaro.org Signed-off-by: Georgi Djakov Stable-dep-of: 1ff7aedcdcdd ("interconnect: qcom: rpm: Don't use clk_get_optional for bus clocks anymore") Signed-off-by: Sasha Levin commit aeb8ec010a298c30d5bcf524a0d48afa5b93d1d4 Author: Tony Lindgren Date: Mon May 8 11:20:11 2023 +0300 serial: 8250: omap: Fix freeing of resources on failed register [ Upstream commit b9ab22c2bc8652324a803b3e2be69838920b4025 ] If serial8250_register_8250_port() fails, the SoC can hang as the deferred PMQoS work will still run as is not flushed and removed. Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver") Signed-off-by: Tony Lindgren Reviewed-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20230508082014.23083-2-tony@atomide.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 307909ae1b4a64790ec086835c0feb31a8289c7e Author: Christophe JAILLET Date: Fri May 5 19:15:08 2023 +0200 usb: dwc2: Fix some error handling paths [ Upstream commit ada050c69108bc34be13ecc11f7fad0f20ebadc4 ] dwc2_driver_probe() calls dwc2_lowlevel_hw_init() which deassert some reset lines. Should an error happen in dwc2_lowlevel_hw_init() after calling reset_control_deassert() or in the probe after calling dwc2_lowlevel_hw_init(), the reset lines remain deasserted. Add some devm_add_action_or_reset() calls to re-assert the lines if needed. Update the remove function accordingly. This change is compile-tested only. Fixes: 83f8da562f8b ("usb: dwc2: Add reset control to dwc2") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/c64537b5339342bd00f7c2152b8fc23792b9f95a.1683306479.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 1b0a2928d0a9a39ec96666054ca78ba7c610e634 Author: Basavaraj Natikar Date: Fri Apr 28 19:30:56 2023 +0530 xhci: Improve the XHCI system resume time [ Upstream commit 1c024241d018cf9fc17aa8d95c3fe77d671d7142 ] Avoid extra 120ms delay during system resume. The xHC controller may signal wake up to 120ms before showing which usb device caused the wake on the xHC port registers. The xhci driver therefore checks for port activity up to 120ms during resume, making sure that the hub driver can see the port change, and won't immediately runtime suspend back due to no port activity. This is however only needed for runtime resume as system resume will resume all child hubs and other child usb devices anyway. Fixes: 253f588c70f6 ("xhci: Improve detection of device initiated wake signal.") Signed-off-by: Basavaraj Natikar Acked-by: Mathias Nyman Link: https://lore.kernel.org/r/20230428140056.1318981-3-Basavaraj.Natikar@amd.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f849bec6963b3acb213c216d789e803f823ab73b Author: Basavaraj Natikar Date: Fri Apr 28 19:30:55 2023 +0530 USB: Extend pci resume function to handle PM events [ Upstream commit 1f7d5520719dd1fed1a2947679f6cc26a55f1e6b ] Currently, the pci_resume method has only a flag indicating whether the system is resuming from hibernation. In order to handle all PM events like AUTO_RESUME (runtime resume from device in D3), RESUME (system resume from s2idle, S3 or S4 states) etc change the pci_resume method to handle all PM events. Signed-off-by: Basavaraj Natikar Acked-by: Alan Stern Acked-by: Mathias Nyman Link: https://lore.kernel.org/r/20230428140056.1318981-2-Basavaraj.Natikar@amd.com Signed-off-by: Greg Kroah-Hartman Stable-dep-of: 1c024241d018 ("xhci: Improve the XHCI system resume time") Signed-off-by: Sasha Levin commit e5dd3979c655680f2887c622bd3bfa7aabf15b26 Author: Christophe JAILLET Date: Tue Apr 25 15:11:19 2023 +0200 cpufreq: tegra194: Fix an error handling path in tegra194_cpufreq_probe() [ Upstream commit 9ab24b0486681ecc059ee766e00d9570c6311e08 ] If the probe needs to be deferred, some resources still need to be released. So branch to the error handling path instead of returning directly. Fixes: f41e1442ac5b ("cpufreq: tegra194: add OPP support and set bandwidth") Signed-off-by: Christophe JAILLET Reviewed-by: Sumit Gupta Acked-by: Thierry Reding Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 2bef6a1b846a5ea6426fd8d93e5326805be2a9ee Author: John Paul Adrian Glaubitz Date: Wed May 3 14:57:41 2023 +0200 sh: j2: Use ioremap() to translate device tree address into kernel memory [ Upstream commit bc9d1f0cecd2407cfb2364a7d4be2f52d1d46a9d ] Addresses the following warning when building j2_defconfig: arch/sh/kernel/cpu/sh2/probe.c: In function 'scan_cache': arch/sh/kernel/cpu/sh2/probe.c:24:16: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 24 | j2_ccr_base = (u32 __iomem *)of_flat_dt_translate_address(node); | Fixes: 5a846abad07f ("sh: add support for J-Core J2 processor") Reviewed-by: Geert Uytterhoeven Tested-by: Rob Landley Signed-off-by: John Paul Adrian Glaubitz Link: https://lore.kernel.org/r/20230503125746.331835-1-glaubitz@physik.fu-berlin.de Signed-off-by: John Paul Adrian Glaubitz Signed-off-by: Sasha Levin commit 77b23bd5e264209fad88e9055358dca38f9ef543 Author: Yangtao Li Date: Wed Apr 26 00:47:11 2023 +0800 f2fs: do not allow to defragment files have FI_COMPRESS_RELEASED [ Upstream commit 7cd2e5f75b86a1befa99834f3ed1d735eeff69e6 ] If a file has FI_COMPRESS_RELEASED, all writes for it should not be allowed. Fixes: 5fdb322ff2c2 ("f2fs: add F2FS_IOC_DECOMPRESS_FILE and F2FS_IOC_COMPRESS_FILE") Signed-off-by: Qi Han Signed-off-by: Yangtao Li Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit a55fa7ba371186a5a3f74cfbb81fba920fd15e10 Author: Konrad Dybcio Date: Wed Apr 19 12:41:06 2023 +0200 dt-bindings: power: reset: qcom-pon: Only allow reboot-mode pre-pmk8350 [ Upstream commit d41dab4c031edaa460a484113394327aa52dc0bd ] As pointed out by Shazad [1], PMICs using a separate HLOS+PBS scheme (so PMK8350 and newer) are expected to pass reboot mode data through SDAM, as the reboot mode registers are absent in the HLOS reg space. Limit the reboot-mode.yaml inclusion to PMICs without a separate PBS region. [1] https://lore.kernel.org/linux-arm-msm/12f13183-c381-25f7-459e-62e0c2b19498@quicinc.com/ Fixes: 03fccdc76dce ("dt-bindings: power: reset: qcom-pon: Add new compatible "qcom,pmk8350-pon"") Signed-off-by: Konrad Dybcio Acked-by: Rob Herring Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 884756f0203f9478391389465f8d6184223572be Author: Dan Carpenter Date: Wed May 19 17:17:45 2021 +0300 w1: fix loop in w1_fini() [ Upstream commit 83f3fcf96fcc7e5405b37d9424c7ef26bfa203f8 ] The __w1_remove_master_device() function calls: list_del(&dev->w1_master_entry); So presumably this can cause an endless loop. Fixes: 7785925dd8e0 ("[PATCH] w1: cleanups.") Signed-off-by: Dan Carpenter Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit fe64b9c6c847f114fd9b4e8b44c9fab619f19384 Author: Stefan Wahren Date: Thu Apr 27 13:21:52 2023 +0200 w1: w1_therm: fix locking behavior in convert_t [ Upstream commit dca5480ab7b77a889088ab7cac81934604510ac7 ] The commit 67b392f7b8ed ("w1_therm: optimizing temperature read timings") accidentially inverted the logic for lock handling of the bus mutex. Before: pullup -> release lock before sleep no pullup -> release lock after sleep After: pullup -> release lock after sleep no pullup -> release lock before sleep This cause spurious measurements of 85 degree (powerup value) on the Tarragon board with connected 1-w temperature sensor (w1_therm.w1_strong_pull=0). In the meantime a new feature for polling the conversion completion has been integrated in these branches with commit 021da53e65fd ("w1: w1_therm: Add sysfs entries to control conversion time and driver features"). But this feature isn't available for parasite power mode, so handle this separately. Link: https://lore.kernel.org/regressions/2023042645-attentive-amends-7b0b@gregkh/T/ Fixes: 67b392f7b8ed ("w1_therm: optimizing temperature read timings") Signed-off-by: Stefan Wahren Link: https://lore.kernel.org/r/20230427112152.12313-1-stefan.wahren@i2se.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit b056bd52c8fd0b781ad9278b603d8f4900a8083a Author: Thomas Gleixner Date: Thu Jun 29 21:35:19 2023 +0200 x86/efi: Make efi_set_virtual_address_map IBT safe [ Upstream commit 0303c9729afc4094ef53e552b7b8cff7436028d6 ] Niklāvs reported a boot regression on an Alderlake machine and bisected it to commit 9df9d2f0471b ("init: Invoke arch_cpu_finalize_init() earlier"). By moving the invocation of arch_cpu_finalize_init() further down he identified that efi_enter_virtual_mode() is the function which causes the boot hang. The main difference of the earlier invocation is that the boot CPU is already fully initialized and mitigations and alternatives are applied. But the only really interesting change turned out to be IBT, which is now enabled before efi_enter_virtual_mode(). "ibt=off" on the kernel command line cured the problem. Inspection of the involved calls in efi_enter_virtual_mode() unearthed that efi_set_virtual_address_map() is the only place in the kernel which invokes an EFI call without the IBT safe wrapper. This went obviously unnoticed so far as IBT was enabled later. Use arch_efi_call_virt() instead of efi_call() to cure that. Fixes: fe379fa4d199 ("x86/ibt: Disable IBT around firmware") Fixes: 9df9d2f0471b ("init: Invoke arch_cpu_finalize_init() earlier") Reported-by: Niklāvs Koļesņikovs Signed-off-by: Thomas Gleixner Reviewed-by: Ard Biesheuvel Link: https://bugzilla.kernel.org/show_bug.cgi?id=217602 Link: https://lore.kernel.org/r/87jzvm12q0.ffs@tglx Signed-off-by: Sasha Levin commit 1403a899153a12d93fd510e463fd6d0eafba4336 Author: Will Deacon Date: Wed Jun 28 16:56:05 2023 +0100 arm64: sme: Use STR P to clear FFR context field in streaming SVE mode [ Upstream commit 893b24181b4c4bf1fa2841b1ed192e5413a97cb1 ] The FFR is a predicate register which can vary between 16 and 256 bits in size depending upon the configured vector length. When saving the SVE state in streaming SVE mode, the FFR register is inaccessible and so commit 9f5848665788 ("arm64/sve: Make access to FFR optional") simply clears the FFR field of the in-memory context structure. Unfortunately, it achieves this using an unconditional 8-byte store and so if the SME vector length is anything other than 64 bytes in size we will either fail to clear the entire field or, worse, we will corrupt memory immediately following the structure. This has led to intermittent kfence splats in CI [1] and can trigger kmalloc Redzone corruption messages when running the 'fp-stress' kselftest: | ============================================================================= | BUG kmalloc-1k (Not tainted): kmalloc Redzone overwritten | ----------------------------------------------------------------------------- | | 0xffff000809bf1e22-0xffff000809bf1e27 @offset=7714. First byte 0x0 instead of 0xcc | Allocated in do_sme_acc+0x9c/0x220 age=2613 cpu=1 pid=531 | __kmalloc+0x8c/0xcc | do_sme_acc+0x9c/0x220 | ... Replace the 8-byte store with a store of a predicate register which has been zero-initialised with PFALSE, ensuring that the entire field is cleared in memory. [1] https://lore.kernel.org/r/CA+G9fYtU7HsV0R0dp4XEH5xXHSJFw8KyDf5VQrLLfMxWfxQkag@mail.gmail.com Cc: Mark Brown Cc: Mark Rutland Cc: Naresh Kamboju Fixes: 9f5848665788 ("arm64/sve: Make access to FFR optional") Reported-by: Linux Kernel Functional Testing Signed-off-by: Will Deacon Reviewed-by: Mark Brown Tested-by: Anders Roxell Link: https://lore.kernel.org/r/20230628155605.22296-1-will@kernel.org Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit bb62148ebd300618cd29c91539b777c253a01d04 Author: Arnd Bergmann Date: Mon Jun 19 10:19:38 2023 +0200 ksmbd: avoid field overflow warning [ Upstream commit 9cedc58bdbe9fff9aacd0ca19ee5777659f28fd7 ] clang warns about a possible field overflow in a memcpy: In file included from fs/smb/server/smb_common.c:7: include/linux/fortify-string.h:583:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] __write_overflow_field(p_size_field, size); It appears to interpret the "&out[baselen + 4]" as referring to a single byte of the character array, while the equivalen "out + baselen + 4" is seen as an offset into the array. I don't see that kind of warning elsewhere, so just go with the simple rework. Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Arnd Bergmann Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Sasha Levin commit b9f3c6febfe0007f7aea526e14c889bdefbc9b2a Author: Paulo Alcantara Date: Mon Jun 26 16:04:17 2023 -0300 smb: client: fix shared DFS root mounts with different prefixes [ Upstream commit 3ae872de410751fe5e629e04da491a632d95201c ] When having two DFS root mounts that are connected to same namespace, same mount options but different prefix paths, we can't really use the shared @server->origin_fullpath when chasing DFS links in them. Move the origin_fullpath field to cifs_tcon structure so when having shared DFS root mounts with different prefix paths, and we need to chase any DFS links, dfs_get_automount_devname() will pick up the correct full path out of the @tcon that will be used for the new mount. Before patch mount.cifs //dom/dfs/dir /mnt/1 -o ... mount.cifs //dom/dfs /mnt/2 -o ... # shared server, ses, tcon # server: origin_fullpath=//dom/dfs/dir # @server->origin_fullpath + '/dir/link1' $ ls /mnt/2/dir/link1 ls: cannot open directory '/mnt/2/dir/link1': No such file or directory After patch mount.cifs //dom/dfs/dir /mnt/1 -o ... mount.cifs //dom/dfs /mnt/2 -o ... # shared server & ses # tcon_1: origin_fullpath=//dom/dfs/dir # tcon_2: origin_fullpath=//dom/dfs # @tcon_2->origin_fullpath + '/dir/link1' $ ls /mnt/2/dir/link1 dir0 dir1 dir10 dir3 dir5 dir6 dir7 dir9 target2_file.txt tsub Fixes: 8e3554150d6c ("cifs: fix sharing of DFS connections") Signed-off-by: Paulo Alcantara (SUSE) Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 7546b904dedd4f162f702181f8b63491183b7b5b Author: Paulo Alcantara Date: Tue Jun 27 21:24:49 2023 -0300 smb: client: fix broken file attrs with nodfs mounts [ Upstream commit d439b29057e26464120fc6c18f97433aa003b5fe ] *_get_inode_info() functions expect -EREMOTE when query path info calls find a DFS link, regardless whether !CONFIG_CIFS_DFS_UPCALL or 'nodfs' mount option. Otherwise, those files will miss the fake DFS file attributes. Before patch $ mount.cifs //srv/dfs /mnt/1 -o ...,nodfs $ ls -l /mnt/1 ls: cannot access '/mnt/1/link': Operation not supported total 0 -rwxr-xr-x 1 root root 0 Jul 26 2022 dfstest2_file1.txt drwxr-xr-x 2 root root 0 Aug 8 2022 dir1 d????????? ? ? ? ? ? link After patch $ mount.cifs //srv/dfs /mnt/1 -o ...,nodfs $ ls -l /mnt/1 total 0 -rwxr-xr-x 1 root root 0 Jul 26 2022 dfstest2_file1.txt drwxr-xr-x 2 root root 0 Aug 8 2022 dir1 drwx--x--x 2 root root 0 Jun 26 20:29 link Fixes: c877ce47e137 ("cifs: reduce roundtrips on create/qinfo requests") Signed-off-by: Paulo Alcantara (SUSE) Signed-off-by: Steve French Signed-off-by: Sasha Levin commit a5133dbecf5be48291d1834b673d9d077f6e86a9 Author: Shyam Prasad N Date: Thu Jun 22 18:16:04 2023 +0000 cifs: do all necessary checks for credits within or before locking [ Upstream commit 326a8d04f147e2bf393f6f9cdb74126ee6900607 ] All the server credits and in-flight info is protected by req_lock. Once the req_lock is held, and we've determined that we have enough credits to continue, this lock cannot be dropped till we've made the changes to credits and in-flight count. However, we used to drop the lock in order to avoid deadlock with the recent srv_lock. This could cause the checks already made to be invalidated. Fixed it by moving the server status check to before locking req_lock. Fixes: d7d7a66aacd6 ("cifs: avoid use of global locks for high contention data") Signed-off-by: Shyam Prasad N Signed-off-by: Steve French Signed-off-by: Sasha Levin commit d017880782cf71f8820ee4a2002843893176501d Author: Shyam Prasad N Date: Thu Jun 22 18:16:03 2023 +0000 cifs: prevent use-after-free by freeing the cfile later [ Upstream commit 33f736187d08f6bc822117629f263b97d3df4165 ] In smb2_compound_op we have a possible use-after-free which can cause hard to debug problems later on. This was revealed during stress testing with KASAN enabled kernel. Fixing it by moving the cfile free call to a few lines below, after the usage. Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+") Reviewed-by: Paulo Alcantara (SUSE) Signed-off-by: Shyam Prasad N Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 88ece45ab8a04f1b1b0e92b5569e3d500b53de24 Author: Ard Biesheuvel Date: Tue Jun 27 09:33:09 2023 +0200 efi/libstub: Disable PCI DMA before grabbing the EFI memory map [ Upstream commit 2e28a798c3092ea42b968fa16ac835969d124898 ] Currently, the EFI stub will disable PCI DMA as the very last thing it does before calling ExitBootServices(), to avoid interfering with the firmware's normal operation as much as possible. However, the stub will invoke DisconnectController() on all endpoints downstream of the PCI bridges it disables, and this may affect the layout of the EFI memory map, making it substantially more likely that ExitBootServices() will fail the first time around, and that the EFI memory map needs to be reloaded. This, in turn, increases the likelihood that the slack space we allocated is insufficient (and we can no longer allocate memory via boot services after having called ExitBootServices() once), causing the second call to GetMemoryMap (and therefore the boot) to fail. This makes the PCI DMA disable feature a bit more fragile than it already is, so let's make it more robust, by allocating the space for the EFI memory map after disabling PCI DMA. Fixes: 4444f8541dad16fe ("efi: Allow disabling PCI busmastering on bridges during boot") Reported-by: Glenn Washburn Acked-by: Matthew Garrett Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit a8c2d8d32421877cca439245f77bfbbf7cef21c6 Author: Masahiro Yamada Date: Mon Jun 26 03:16:23 2023 +0900 kbuild: deb-pkg: remove the CONFIG_MODULES check in buildeb [ Upstream commit 1240dabe8d58b4eff09e7edf1560da0360f997aa ] When CONFIG_MODULES is disabled for ARCH=um, 'make (bin)deb-pkg' fails with an error like follows: cp: cannot create regular file 'debian/linux-image/usr/lib/uml/modules/6.4.0-rc2+/System.map': No such file or directory Remove the CONFIG_MODULES check completely so ${pdir}/usr/lib/uml/modules will always be created and modules.builtin.(modinfo) will be installed under it for ARCH=um. Fixes: b611daae5efc ("kbuild: deb-pkg: split image and debug objects staging out into functions") Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit 6061ac50f1e0436fd8329dc9ce6762862924a014 Author: Josh Triplett Date: Thu Jun 22 12:19:53 2023 -0700 kbuild: builddeb: always make modules_install, to install modules.builtin* [ Upstream commit 4243afdb932677a03770753be8c54b3190a512e8 ] Even for a non-modular kernel, the kernel builds modules.builtin and modules.builtin.modinfo, with information about the built-in modules. Tools such as initramfs-tools need these files to build a working initramfs on some systems, such as those requiring firmware. Now that `make modules_install` works even in non-modular kernels and installs these files, unconditionally invoke it when building a Debian package. Signed-off-by: Josh Triplett Reviewed-by: Nicolas Schier Signed-off-by: Masahiro Yamada Stable-dep-of: 1240dabe8d58 ("kbuild: deb-pkg: remove the CONFIG_MODULES check in buildeb") Signed-off-by: Sasha Levin commit e079d77347be6d0f9b3ec326cefbfdf157a6f418 Author: Vishal Verma Date: Wed Jun 14 11:17:41 2023 -0600 tools/testing/cxl: Fix command effects for inject/clear poison [ Upstream commit b46c5fa57cc60692412f616ac66ab624a941fdb3 ] The CXL spec (3.0, section 8.2.9.8.4) Lists Inject Poison and Clear Poison as having the effects of "Immediate Data Change". Fix this in the mock driver so that the command effect log is populated correctly. Fixes: 371c16101ee8 ("tools/testing/cxl: Mock the Inject Poison mailbox command") Cc: Alison Schofield Cc: Dan Williams Reviewed-by: Alison Schofield Reviewed-by: Jonathan Cameron Reviewed-by: Dave Jiang Signed-off-by: Vishal Verma Link: https://lore.kernel.org/r/20230602-vv-fw_update-v4-2-c6265bd7343b@intel.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit 8c6fdfb117fcc761d4785cfcee84457d35e03f3f Author: Dan Williams Date: Fri Jun 16 18:24:39 2023 -0700 cxl/region: Fix state transitions after reset failure [ Upstream commit adfe19738b71a893da62cb2e30bd6bdb4299ea67 ] Jonathan reports that failed attempts to reset a region (teardown its HDM decoder configuration) mistakenly advance the state of the region to "not committed". Revert to the previous state of the region on reset failure so that the reset can be re-attempted. Reported-by: Jonathan Cameron Closes: http://lore.kernel.org/r/20230316171441.0000205b@Huawei.com Fixes: 176baefb2eb5 ("cxl/hdm: Commit decoder state to hardware") Reviewed-by: Jonathan Cameron Reviewed-by: Dave Jiang Link: https://lore.kernel.org/r/168696507968.3590522.14484000711718573626.stgit@dwillia2-xfh.jf.intel.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit 78be41752ac505c0a7089fe75962e0023529eaf9 Author: Dan Williams Date: Fri Jun 16 18:24:34 2023 -0700 cxl/region: Flag partially torn down regions as unusable [ Upstream commit 2ab47045ac96a605e3037d479a7d5854570ee5bf ] cxl_region_decode_reset() walks all the decoders associated with a given region and disables them. Due to decoder ordering rules it is possible that a switch in the topology notices that a given decoder can not be shutdown before another region with a higher HPA is shutdown first. That can leave the region in a partially committed state. Capture that state in a new CXL_REGION_F_NEEDS_RESET flag and require that a successful cxl_region_decode_reset() attempt must be completed before cxl_region_probe() accepts the region. This is a corollary for the bug that Jonathan identified in "CXL/region : commit reset of out of order region appears to succeed." [1]. Cc: Jonathan Cameron Link: http://lore.kernel.org/r/20230316171441.0000205b@Huawei.com [1] Fixes: 176baefb2eb5 ("cxl/hdm: Commit decoder state to hardware") Reviewed-by: Dave Jiang Link: https://lore.kernel.org/r/168696507423.3590522.16254212607926684429.stgit@dwillia2-xfh.jf.intel.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit b84a56efb52726648e1bae6a06adcd2c7425d5a1 Author: Dan Williams Date: Fri Jun 16 18:24:28 2023 -0700 cxl/region: Move cache invalidation before region teardown, and before setup [ Upstream commit d1257d098a5a38753a0736a50db0a26a62377ad7 ] Vikram raised a concern with the theoretical case of a CPU sending MemClnEvict to a device that is not prepared to receive. MemClnEvict is a message that is sent after a CPU has taken ownership of a cacheline from accelerator memory (HDM-DB). In the case of hotplug or HDM decoder reconfiguration it is possible that the CPU is holding old contents for a new device that has taken over the physical address range being cached by the CPU. To avoid this scenario, invalidate caches prior to tearing down an HDM decoder configuration. Now, this poses another problem that it is possible for something to speculate into that space while the decode configuration is still up, so to close that gap also invalidate prior to establish new contents behind a given physical address range. With this change the cache invalidation is now explicit and need not be checked in cxl_region_probe(), and that obviates the need for CXL_REGION_F_INCOHERENT. Cc: Jonathan Cameron Fixes: d18bc74aced6 ("cxl/region: Manage CPU caches relative to DPA invalidation events") Reported-by: Vikram Sethi Closes: http://lore.kernel.org/r/BYAPR12MB33364B5EB908BF7239BB996BBD53A@BYAPR12MB3336.namprd12.prod.outlook.com Reviewed-by: Jonathan Cameron Reviewed-by: Dave Jiang Link: https://lore.kernel.org/r/168696506886.3590522.4597053660991916591.stgit@dwillia2-xfh.jf.intel.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit 99c515d032dfffd20ea6168a1166764c1c5cc7dd Author: Sami Tolvanen Date: Fri Jun 23 00:11:43 2023 +0000 kbuild: Disable GCOV for *.mod.o [ Upstream commit 25a21fbb934a0d989e1858f83c2ddf4cfb2ebe30 ] With GCOV_PROFILE_ALL, Clang injects __llvm_gcov_* functions to each object file, including the *.mod.o. As we filter out CC_FLAGS_CFI for *.mod.o, the compiler won't generate type hashes for the injected functions, and therefore indirectly calling them during module loading trips indirect call checking. Enabling CFI for *.mod.o isn't sufficient to fix this issue after commit 0c3e806ec0f9 ("x86/cfi: Add boot time hash randomization"), as *.mod.o aren't processed by objtool, which means any hashes emitted there won't be randomized. Therefore, in addition to disabling CFI for *.mod.o, also disable GCOV, as the object files don't otherwise contain any executable code. Fixes: cf68fffb66d6 ("add support for Clang CFI") Reported-by: Joe Fradley Signed-off-by: Sami Tolvanen Acked-by: Peter Zijlstra (Intel) Reviewed-by: Kees Cook Reviewed-by: Nick Desaulniers Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit cb2d6b93a09b8932c59f8a1de4c5389a6e699dde Author: Sami Tolvanen Date: Fri Jun 23 00:11:42 2023 +0000 kbuild: Fix CFI failures with GCOV [ Upstream commit ddf56288eebd1fe82c46fc9f693b5b18045cddb6 ] With GCOV_PROFILE_ALL, Clang injects __llvm_gcov_* functions to each object file, and the functions are indirectly called during boot. However, when code is injected to object files that are not part of vmlinux.o, it's also not processed by objtool, which breaks CFI hash randomization as the hashes in these files won't be included in the .cfi_sites section and thus won't be randomized. Similarly to commit 42633ed852de ("kbuild: Fix CFI hash randomization with KASAN"), disable GCOV for .vmlinux.export.o and init/version-timestamp.o to avoid emitting unnecessary functions to object files that don't otherwise have executable code. Fixes: 0c3e806ec0f9 ("x86/cfi: Add boot time hash randomization") Reported-by: Joe Fradley Signed-off-by: Sami Tolvanen Acked-by: Peter Zijlstra (Intel) Reviewed-by: Kees Cook Reviewed-by: Nick Desaulniers Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit 7e1f989055622fd086c5dfb291fc72adf5660b6f Author: Ding Hui Date: Mon May 15 10:13:07 2023 +0800 SUNRPC: Fix UAF in svc_tcp_listen_data_ready() commit fc80fc2d4e39137869da3150ee169b40bf879287 upstream. After the listener svc_sock is freed, and before invoking svc_tcp_accept() for the established child sock, there is a window that the newsock retaining a freed listener svc_sock in sk_user_data which cloning from parent. In the race window, if data is received on the newsock, we will observe use-after-free report in svc_tcp_listen_data_ready(). Reproduce by two tasks: 1. while :; do rpc.nfsd 0 ; rpc.nfsd; done 2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] Read of size 8 at addr ffff888139d96228 by task nc/102553 CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: dump_stack_lvl+0x33/0x50 print_address_description.constprop.0+0x27/0x310 print_report+0x3e/0x70 kasan_report+0xae/0xe0 svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] tcp_data_queue+0x9f4/0x20e0 tcp_rcv_established+0x666/0x1f60 tcp_v4_do_rcv+0x51c/0x850 tcp_v4_rcv+0x23fc/0x2e80 ip_protocol_deliver_rcu+0x62/0x300 ip_local_deliver_finish+0x267/0x350 ip_local_deliver+0x18b/0x2d0 ip_rcv+0x2fb/0x370 __netif_receive_skb_one_core+0x166/0x1b0 process_backlog+0x24c/0x5e0 __napi_poll+0xa2/0x500 net_rx_action+0x854/0xc90 __do_softirq+0x1bb/0x5de do_softirq+0xcb/0x100 ... Allocated by task 102371: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x7b/0x90 svc_setup_socket+0x52/0x4f0 [sunrpc] svc_addsock+0x20d/0x400 [sunrpc] __write_ports_addfd+0x209/0x390 [nfsd] write_ports+0x239/0x2c0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 102551: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x50 __kasan_slab_free+0x106/0x190 __kmem_cache_free+0x133/0x270 svc_xprt_free+0x1e2/0x350 [sunrpc] svc_xprt_destroy_all+0x25a/0x440 [sunrpc] nfsd_put+0x125/0x240 [nfsd] nfsd_svc+0x2cb/0x3c0 [nfsd] write_threads+0x1ac/0x2a0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() if state != TCP_LISTEN, that will avoid dereferencing svsk for all child socket. Link: https://lore.kernel.org/lkml/20230507091131.23540-1-dinghui@sangfor.com.cn/ Fixes: fa9251afc33c ("SUNRPC: Call the default socket callbacks instead of open coding") Signed-off-by: Ding Hui Cc: Signed-off-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit 532da3822a4fc5db7b112f87a7b7b52efeda4b97 Author: Filipe Manana Date: Thu Jun 8 11:27:41 2023 +0100 btrfs: do not BUG_ON() on tree mod log failure at balance_level() commit 39020d8abc7ec62c4de9b260e3d10d4a1c2478ce upstream. At balance_level(), instead of doing a BUG_ON() in case we fail to record tree mod log operations, do a transaction abort and return the error to the callers. There's really no need for the BUG_ON() as we can release all resources in this context, and we have to abort because other future tree searches that use the tree mod log (btrfs_search_old_slot()) may get inconsistent results if other operations modify the tree after that failure and before the tree mod log based search. CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 8ce9139aea5e60a247bde5af804312f54975f443 Author: Filipe Manana Date: Mon Jun 19 17:21:48 2023 +0100 btrfs: fix race when deleting free space root from the dirty cow roots list commit babebf023e661b90b1c78b2baa384fb03a226879 upstream. When deleting the free space tree we are deleting the free space root from the list fs_info->dirty_cowonly_roots without taking the lock that protects it, which is struct btrfs_fs_info::trans_lock. This unsynchronized list manipulation may cause chaos if there's another concurrent manipulation of this list, such as when adding a root to it with ctree.c:add_root_to_dirty_list(). This can result in all sorts of weird failures caused by a race, such as the following crash: [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.279928] Code: 85 38 06 00 (...) [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [337571.282874] Call Trace: [337571.283101] [337571.283327] ? __die_body+0x1b/0x60 [337571.283570] ? die_addr+0x39/0x60 [337571.283796] ? exc_general_protection+0x22e/0x430 [337571.284022] ? asm_exc_general_protection+0x22/0x30 [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] [337571.284803] ? _raw_spin_unlock+0x15/0x30 [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] [337571.286358] ? mod_objcg_state+0xd2/0x360 [337571.286577] ? refill_obj_stock+0xb0/0x160 [337571.286798] ? seq_release+0x25/0x30 [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 [337571.287455] ? __x64_sys_ioctl+0x88/0xc0 [337571.287675] __x64_sys_ioctl+0x88/0xc0 [337571.287901] do_syscall_64+0x38/0x90 [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc [337571.288352] RIP: 0033:0x7f478aaffe9b So fix this by locking struct btrfs_fs_info::trans_lock before deleting the free space root from that list. Fixes: a5ed91828518 ("Btrfs: implement the free space B-tree") CC: stable@vger.kernel.org # 4.14+ Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 3b25cadc7975db3e10c20d4905634e75d25476fd Author: Christian Loehle Date: Thu May 25 09:56:04 2023 +0000 mmc: block: ioctl: do write error check for spi commit 568898cbc8b570311b3b94a3202b8233f4168144 upstream. SPI doesn't have the usual PROG path we can check for error bits after moving back to TRAN. Instead it holds the line LOW until completion. We can then check if the card shows any errors or is in IDLE state, indicating the line is no longer LOW because the card was reset. Signed-off-by: Christian Loehle Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/55920f880c9742f486f64aa44e25508e@hyperstone.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit baf4016ad4938ffac14f6955b0e460a44c0bfa85 Author: Demi Marie Obenour Date: Wed Jun 7 13:08:37 2023 -0400 block: increment diskseq on all media change events commit b90ecc0379eb7bbe79337b0c7289390a98752646 upstream. Currently, associating a loop device with a different file descriptor does not increment its diskseq. This allows the following race condition: 1. Program X opens a loop device 2. Program X gets the diskseq of the loop device. 3. Program X associates a file with the loop device. 4. Program X passes the loop device major, minor, and diskseq to something. 5. Program X exits. 6. Program Y detaches the file from the loop device. 7. Program Y attaches a different file to the loop device. 8. The opener finally gets around to opening the loop device and checks that the diskseq is what it expects it to be. Even though the diskseq is the expected value, the result is that the opener is accessing the wrong file. From discussions with Christoph Hellwig, it appears that disk_force_media_change() was supposed to call inc_diskseq(), but in fact it does not. Adding a Fixes: tag to indicate this. Christoph's Reported-by is because he stated that disk_force_media_change() calls inc_diskseq(), which is what led me to discover that it should but does not. Reported-by: Christoph Hellwig Signed-off-by: Demi Marie Obenour Fixes: e6138dc12de9 ("block: add a helper to raise a media changed event") Cc: stable@vger.kernel.org # 5.15+ Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20230607170837.1559-1-demi@invisiblethingslab.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 1e83e1db9c261295cc437f391e3594804d041646 Author: Michael Schmitz Date: Wed Jun 21 08:17:24 2023 +1200 block: change all __u32 annotations to __be32 in affs_hardblocks.h commit 95a55437dc49fb3342c82e61f5472a71c63d9ed0 upstream. The Amiga partition parser module uses signed int for partition sector address and count, which will overflow for disks larger than 1 TB. Use u64 as type for sector address and size to allow using disks up to 2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD format allows to specify disk sizes up to 2^128 bytes (though native OS limitations reduce this somewhat, to max 2^68 bytes), so check for u64 overflow carefully to protect against overflowing sector_t. This bug was reported originally in 2012, and the fix was created by the RDB author, Joanne Dow . A patch had been discussed and reviewed on linux-m68k at that time but never officially submitted (now resubmitted as patch 1 of this series). Patch 3 (this series) adds additional error checking and warning messages. One of the error checks now makes use of the previously unused rdb_CylBlocks field, which causes a 'sparse' warning (cast to restricted __be32). Annotate all 32 bit fields in affs_hardblocks.h as __be32, as the on-disk format of RDB and partition blocks is always big endian. Reported-by: Martin Steigerwald Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Message-ID: <201206192146.09327.Martin@lichtvoll.de> Cc: # 5.2 Signed-off-by: Michael Schmitz Reviewed-by: Christoph Hellwig Reviewed-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20230620201725.7020-3-schmitzmic@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit dd976502acb15e778319afaf7c562edeb73785d0 Author: Michael Schmitz Date: Wed Jun 21 08:17:25 2023 +1200 block: add overflow checks for Amiga partition support commit b6f3f28f604ba3de4724ad82bea6adb1300c0b5f upstream. The Amiga partition parser module uses signed int for partition sector address and count, which will overflow for disks larger than 1 TB. Use u64 as type for sector address and size to allow using disks up to 2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD format allows to specify disk sizes up to 2^128 bytes (though native OS limitations reduce this somewhat, to max 2^68 bytes), so check for u64 overflow carefully to protect against overflowing sector_t. Bail out if sector addresses overflow 32 bits on kernels without LBD support. This bug was reported originally in 2012, and the fix was created by the RDB author, Joanne Dow . A patch had been discussed and reviewed on linux-m68k at that time but never officially submitted (now resubmitted as patch 1 in this series). This patch adds additional error checking and warning messages. Reported-by: Martin Steigerwald Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Message-ID: <201206192146.09327.Martin@lichtvoll.de> Cc: # 5.2 Signed-off-by: Michael Schmitz Reviewed-by: Geert Uytterhoeven Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20230620201725.7020-4-schmitzmic@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit ff5dbe898e6d2501926cd5e32e4fb950aef64f61 Author: Michael Schmitz Date: Wed Jun 21 08:17:23 2023 +1200 block: fix signed int overflow in Amiga partition support commit fc3d092c6bb48d5865fec15ed5b333c12f36288c upstream. The Amiga partition parser module uses signed int for partition sector address and count, which will overflow for disks larger than 1 TB. Use sector_t as type for sector address and size to allow using disks up to 2 TB without LBD support, and disks larger than 2 TB with LBD. This bug was reported originally in 2012, and the fix was created by the RDB author, Joanne Dow . A patch had been discussed and reviewed on linux-m68k at that time but never officially submitted. This patch differs from Joanne's patch only in its use of sector_t instead of unsigned int. No checking for overflows is done (see patch 3 of this series for that). Reported-by: Martin Steigerwald Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Message-ID: <201206192146.09327.Martin@lichtvoll.de> Cc: # 5.2 Signed-off-by: Michael Schmitz Tested-by: Martin Steigerwald Reviewed-by: Geert Uytterhoeven Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20230620201725.7020-2-schmitzmic@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit ca456dfa515c13989ba25458bc170a56678c879f Author: John Johansen Date: Sat Apr 15 00:50:32 2023 -0700 apparmor: fix: kzalloc perms tables for shared dfas commit ec6851ae0ab4587e610e260ddda75f92f3389f91 upstream. Currently the permstables of the shared dfas are not shared, and need to be allocated and copied. In the future this should be addressed with a larger rework on dfa and pdb ref counts and structure sharing. BugLink: http://bugs.launchpad.net/bugs/2017903 Fixes: 217af7e2f4de ("apparmor: refactor profile rules and attachments") Cc: stable@vger.kernel.org Signed-off-by: John Johansen Reviewed-by: Jon Tourville Signed-off-by: Greg Kroah-Hartman commit 773ccad902f67583a58b5650a2f8d8daf2e76fac Author: Takashi Iwai Date: Mon Jul 3 13:24:30 2023 +0200 ALSA: pcm: Fix potential data race at PCM memory allocation helpers commit bd55842ed998a622ba6611fe59b3358c9f76773d upstream. The PCM memory allocation helpers have a sanity check against too many buffer allocations. However, the check is performed without a proper lock and the allocation isn't serialized; this allows user to allocate more memories than predefined max size. Practically seen, this isn't really a big problem, as it's more or less some "soft limit" as a sanity check, and it's not possible to allocate unlimitedly. But it's still better to address this for more consistent behavior. The patch covers the size check in do_alloc_pages() with the card->memory_mutex, and increases the allocated size there for preventing the further overflow. When the actual allocation fails, the size is decreased accordingly. Reported-by: BassCheck Reported-by: Tuo Li Link: https://lore.kernel.org/r/CADm8Tek6t0WedK+3Y6rbE5YEt19tML8BUL45N2ji4ZAz1KcN_A@mail.gmail.com Reviewed-by: Jaroslav Kysela Cc: Link: https://lore.kernel.org/r/20230703112430.30634-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 21d0ab5dc2bf4895711bc283505e9cb4d79f6910 Author: Takashi Iwai Date: Thu Jul 6 17:53:57 2023 +0200 ALSA: jack: Fix mutex call in snd_jack_report() commit 89dbb335cb6a627a4067bc42caa09c8bc3326d40 upstream. snd_jack_report() is supposed to be callable from an IRQ context, too, and it's indeed used in that way from virtsnd driver. The fix for input_dev race in commit 1b6a6fc5280e ("ALSA: jack: Access input_dev under mutex"), however, introduced a mutex lock in snd_jack_report(), and this resulted in a potential sleep-in-atomic. For addressing that problem, this patch changes the relevant code to use the object get/put and removes the mutex usage. That is, snd_jack_report(), it takes input_get_device() and leaves with input_put_device() for assuring the input_dev being assigned. Although the whole mutex could be reduced, we keep it because it can be still a protection for potential races between creation and deletion. Fixes: 1b6a6fc5280e ("ALSA: jack: Access input_dev under mutex") Reported-by: Dan Carpenter Closes: https://lore.kernel.org/r/cf95f7fe-a748-4990-8378-000491b40329@moroto.mountain Tested-by: Amadeusz Sławiński Cc: Link: https://lore.kernel.org/r/20230706155357.3470-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 84772bc5ca7abc55e5abbad29127abb1b0925535 Author: Werner Sembach Date: Wed Jun 28 17:54:34 2023 +0200 ALSA: hda/realtek: Add quirk for Clevo NPx0SNx commit 22065e4214c1196b54fc164892c2e193a743caf3 upstream. This applies a SND_PCI_QUIRK(...) to the Clevo NPx0SNx barebones fixing the microphone not being detected on the headset combo port. Signed-off-by: Werner Sembach Cc: Link: https://lore.kernel.org/r/20230628155434.584159-1-wse@tuxedocomputers.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit fdfe750bedef6d6ee5fd50613fb160861e98545c Author: Andy Chi Date: Mon Jun 26 21:03:00 2023 +0800 ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on EliteBook commit e94f1f96f108ba96c0ed8bf3fbdd8ee6a6703880 upstream. On HP EliteBook 835/845/845W G10, the audio LEDs can be enabled by ALC285_FIXUP_HP_MUTE_LED. So use it accordingly. Signed-off-by: Andy Chi Cc: Fixes: 3e10f6ca76c4 ("ALSA: hda/realtek: Add quirk for HP EliteBook G10 laptops") Link: https://lore.kernel.org/r/20230626130301.301712-1-andy.chi@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8e246189dc744cd59f5a80bb9bcf7aab8d57bde5 Author: Martin Kaiser Date: Fri Jun 16 09:58:13 2023 +0100 hwrng: st - keep clock enabled while hwrng is registered [ Upstream commit 501e197a02d4aef157f53ba3a0b9049c3e52fedc ] The st-rng driver uses devres to register itself with the hwrng core, the driver will be unregistered from hwrng when its device goes out of scope. This happens after the driver's remove function is called. However, st-rng's clock is disabled in the remove function. There's a short timeframe where st-rng is still registered with the hwrng core although its clock is disabled. I suppose the clock must be active to access the hardware and serve requests from the hwrng core. Switch to devm_clk_get_enabled and let devres disable the clock and unregister the hwrng. This avoids the race condition. Fixes: 3e75241be808 ("hwrng: drivers - Use device-managed registration API") Signed-off-by: Martin Kaiser Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit e68183e2f232ebd30b5653270b6172979004710f Author: Tarun Sahu Date: Wed Jun 21 21:20:25 2023 +0530 dax/kmem: Pass valid argument to memory_group_register_static [ Upstream commit 46e66dab8565f742374e9cc4ff7d35f344d774e2 ] memory_group_register_static takes maximum number of pages as the argument while dev_dax_kmem_probe passes total_len (in bytes) as the argument. IIUC, I don't see any crash/panic impact as such. As, memory_group_register_static just set the max_pages limit which is used in auto_movable_zone_for_pfn to determine the zone. which might cause these condition to behave differently, This will be true always so jump will happen to kernel_zone ... if (!auto_movable_can_online_movable(NUMA_NO_NODE, group, nr_pages)) goto kernel_zone; ... kernel_zone: return default_kernel_zone_for_pfn(nid, pfn, nr_pages); Here, In below, zone_intersects compare range will be larger as nr_pages will be higher (derived from total_len passed in dev_dax_kmem_probe). ... static struct zone *default_kernel_zone_for_pfn(int nid, unsigned long start_pfn, unsigned long nr_pages) { struct pglist_data *pgdat = NODE_DATA(nid); int zid; for (zid = 0; zid < ZONE_NORMAL; zid++) { struct zone *zone = &pgdat->node_zones[zid]; if (zone_intersects(zone, start_pfn, nr_pages)) return zone; } return &pgdat->node_zones[ZONE_NORMAL]; } Incorrect zone will be returned here, which in later time might cause bigger problem. Fixes: eedf634aac3b ("dax/kmem: use a single static memory group for a single probed unit") Signed-off-by: Tarun Sahu Link: https://lore.kernel.org/r/20230621155025.370672-1-tsahu@linux.ibm.com Reviewed-by: Vishal Verma Signed-off-by: Vishal Verma Signed-off-by: Sasha Levin commit 60ef1f64d35cc83e2e4f7bce19439f133fb5d55b Author: Dan Williams Date: Fri Jun 2 23:14:05 2023 -0700 dax: Introduce alloc_dev_dax_id() [ Upstream commit 70aab281e18c68a1284bc387de127c2fc0bed3f8 ] The reference counting of dax_region objects is needlessly complicated, has lead to confusion [1], and has hidden a bug [2]. Towards cleaning up that mess introduce alloc_dev_dax_id() to minimize the holding of a dax_region reference to only what dev_dax_release() needs, the dax_region->ida. Part of the reason for the mess was the design to dereference a dax_region in all cases in free_dev_dax_id() even if the id was statically assigned by the upper level dax_region driver. Remove the need to call "is_static(dax_region)" by tracking whether the id is dynamic directly in the dev_dax instance itself. With that flag the dax_region pinning and release per dev_dax instance can move to alloc_dev_dax_id() and free_dev_dax_id() respectively. A follow-on cleanup address the unnecessary references in the dax_region setup and drivers. Fixes: 0f3da14a4f05 ("device-dax: introduce 'seed' devices") Link: http://lore.kernel.org/r/20221203095858.612027-1-liuyongqiang13@huawei.com [1] Link: http://lore.kernel.org/r/3cf0890b-4eb0-e70e-cd9c-2ecc3d496263@hpe.com [2] Reported-by: Yongqiang Liu Reported-by: Paul Cassella Reported-by: Ira Weiny Signed-off-by: Dan Williams Link: https://lore.kernel.org/r/168577284563.1672036.13493034988900989554.stgit@dwillia2-xfh.jf.intel.com Reviewed-by: Ira Weiny Signed-off-by: Vishal Verma Signed-off-by: Sasha Levin commit 7310b84821f043dcf77d5e6aa0ad55dc1e10a11d Author: Dan Williams Date: Fri Jun 2 23:13:54 2023 -0700 dax: Fix dax_mapping_release() use after free [ Upstream commit 6d24b170a9db0456f577b1ab01226a2254c016a8 ] A CONFIG_DEBUG_KOBJECT_RELEASE test of removing a device-dax region provider (like modprobe -r dax_hmem) yields: kobject: 'mapping0' (ffff93eb460e8800): kobject_release, parent 0000000000000000 (delayed 2000) [..] DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 23 PID: 282 at kernel/locking/lockdep.c:232 __lock_acquire+0x9fc/0x2260 [..] RIP: 0010:__lock_acquire+0x9fc/0x2260 [..] Call Trace: [..] lock_acquire+0xd4/0x2c0 ? ida_free+0x62/0x130 _raw_spin_lock_irqsave+0x47/0x70 ? ida_free+0x62/0x130 ida_free+0x62/0x130 dax_mapping_release+0x1f/0x30 device_release+0x36/0x90 kobject_delayed_cleanup+0x46/0x150 Due to attempting ida_free() on an ida object that has already been freed. Devices typically only hold a reference on their parent while registered. If a child needs a parent object to complete its release it needs to hold a reference that it drops from its release callback. Arrange for a dax_mapping to pin its parent dev_dax instance until dax_mapping_release(). Fixes: 0b07ce872a9e ("device-dax: introduce 'mapping' devices") Signed-off-by: Dan Williams Link: https://lore.kernel.org/r/168577283412.1672036.16111545266174261446.stgit@dwillia2-xfh.jf.intel.com Reviewed-by: Dave Jiang Reviewed-by: Fan Ni Reviewed-by: Ira Weiny Signed-off-by: Vishal Verma Signed-off-by: Sasha Levin commit 3b4c15171c3ce9120c81f5564b9367d8d0f4219c Author: Bharath SM Date: Sun Jun 18 19:02:24 2023 +0000 SMB3: Do not send lease break acknowledgment if all file handles have been closed [ Upstream commit da787d5b74983f7525d1eb4b9c0b4aff2821511a ] In case if all existing file handles are deferred handles and if all of them gets closed due to handle lease break then we dont need to send lease break acknowledgment to server, because last handle close will be considered as lease break ack. After closing deferred handels, we check for openfile list of inode, if its empty then we skip sending lease break ack. Fixes: 59a556aebc43 ("SMB3: drop reference to cfile before sending oplock break") Reviewed-by: Tom Talpey Signed-off-by: Bharath SM Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 9591e55b6c80e345d376ef4c7ae695791c49a651 Author: Olga Kornievskaia Date: Sun Jun 18 17:32:25 2023 -0400 NFSv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION [ Upstream commit c907e72f58ed979a24a9fdcadfbc447c51d5e509 ] When the client received NFS4ERR_BADSESSION, it schedules recovery and start the state manager thread which in turn freezes the session table and does not allow for any new requests to use the no-longer valid session. However, it is possible that before the state manager thread runs, a new operation would use the released slot that received BADSESSION and was therefore not updated its sequence number. Such re-use of the slot can lead the application errors. Fixes: 5c441544f045 ("NFSv4.x: Handle bad/dead sessions correctly in nfs41_sequence_process()") Signed-off-by: Olga Kornievskaia Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 741cff5f586b475433701431bf8870ed28c5eac1 Author: Qi Zheng Date: Thu Jun 15 11:19:46 2023 +0000 NFSv4.2: fix wrong shrinker_id [ Upstream commit 7f7ab336898f281e58540ef781a8fb375acc32a9 ] Currently, the list_lru::shrinker_id corresponding to the nfs4_xattr shrinkers is wrong: >>> prog["nfs4_xattr_cache_lru"].shrinker_id (int)0 >>> prog["nfs4_xattr_entry_lru"].shrinker_id (int)0 >>> prog["nfs4_xattr_large_entry_lru"].shrinker_id (int)0 >>> prog["nfs4_xattr_cache_shrinker"].id (int)18 >>> prog["nfs4_xattr_entry_shrinker"].id (int)19 >>> prog["nfs4_xattr_large_entry_shrinker"].id (int)20 This is not what we expect, which will cause these shrinkers not to be found in shrink_slab_memcg(). We should assign shrinker::id before calling list_lru_init_memcg(), so that the corresponding list_lru::shrinker_id will be assigned the correct value like below: >>> prog["nfs4_xattr_cache_lru"].shrinker_id (int)16 >>> prog["nfs4_xattr_entry_lru"].shrinker_id (int)17 >>> prog["nfs4_xattr_large_entry_lru"].shrinker_id (int)18 >>> prog["nfs4_xattr_cache_shrinker"].id (int)16 >>> prog["nfs4_xattr_entry_shrinker"].id (int)17 >>> prog["nfs4_xattr_large_entry_shrinker"].id (int)18 So just do it. Fixes: 95ad37f90c33 ("NFSv4.2: add client side xattr caching.") Signed-off-by: Qi Zheng Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit ee238856c397d8a2284530601a388e51fe670273 Author: Hareshx Sankar Raj Date: Mon Jun 5 22:06:07 2023 +0100 crypto: qat - unmap buffers before free for RSA [ Upstream commit d776b25495f2c71b9dbf1f5e53b642215ba72f3c ] The callback function for RSA frees the memory allocated for the source and destination buffers before unmapping them. This sequence is wrong. Change the cleanup sequence to unmap the buffers before freeing them. Fixes: 3dfaf0071ed7 ("crypto: qat - remove dma_free_coherent() for RSA") Signed-off-by: Hareshx Sankar Raj Co-developed-by: Bolemx Sivanagaleela Signed-off-by: Bolemx Sivanagaleela Reviewed-by: Giovanni Cabiddu Reviewed-by: Andy Shevchenko Signed-off-by: Giovanni Cabiddu Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 61bfff855343f7fc9f3af2710037369363845245 Author: Hareshx Sankar Raj Date: Mon Jun 5 22:06:06 2023 +0100 crypto: qat - unmap buffer before free for DH [ Upstream commit eb7713f5ca97697b92f225127440d1525119b8de ] The callback function for DH frees the memory allocated for the destination buffer before unmapping it. This sequence is wrong. Change the cleanup sequence to unmap the buffer before freeing it. Fixes: 029aa4624a7f ("crypto: qat - remove dma_free_coherent() for DH") Signed-off-by: Hareshx Sankar Raj Co-developed-by: Bolemx Sivanagaleela Signed-off-by: Bolemx Sivanagaleela Reviewed-by: Giovanni Cabiddu Reviewed-by: Andy Shevchenko Signed-off-by: Giovanni Cabiddu Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 97046c12f7fbc2e88c6be87e152d805a0e8ae7bf Author: Masahiro Yamada Date: Mon Jun 12 00:50:50 2023 +0900 ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard [ Upstream commit 92e2921eeafdfca9acd9b83f07d2b7ca099bac24 ] ASM_NL is useful not only in *.S files but also in .c files for using inline assembler in C code. On ARC, however, ASM_NL is evaluated inconsistently. It is expanded to a backquote (`) in *.S files, but a semicolon (;) in *.c files because arch/arc/include/asm/linkage.h defines it inside #ifdef __ASSEMBLY__, so the definition for C code falls back to the default value defined in include/linux/linkage.h. If ASM_NL is used in inline assembler in .c files, it will result in wrong assembly code because a semicolon is not an instruction separator, but the start of a comment for ARC. Move ASM_NL (also __ALIGN and __ALIGN_STR) out of the #ifdef. Fixes: 9df62f054406 ("arch: use ASM_NL instead of ';' for assembler new line character in the macro") Fixes: 8d92e992a785 ("ARC: define __ALIGN_STR and __ALIGN symbols for ARC") Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit 8b2e77050b91199453bf19d0517b047b7339a9e3 Author: Dan Carpenter Date: Thu Jun 8 11:23:40 2023 +0300 modpost: fix off by one in is_executable_section() [ Upstream commit 3a3f1e573a105328a2cca45a7cfbebabbf5e3192 ] The > comparison should be >= to prevent an out of bounds array access. Fixes: 52dc0595d540 ("modpost: handle relocations mismatch in __ex_table.") Signed-off-by: Dan Carpenter Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit aec344a212441af56609e8edf44aa94363fd599f Author: Pierre-Clément Tosi Date: Tue Jun 6 17:35:53 2023 +0000 scripts/mksysmap: Fix badly escaped '$' [ Upstream commit ec336aa83162fe0f3d554baed2d4e2589b69ec6e ] The backslash characters escaping '$' in the command to sed (intended to prevent it from interpreting '$' as "end-of-line") are currently being consumed by the Shell (where they mean that sh should not evaluate what follows '$' as a variable name). This means that sed -e "/ \$/d" executes the script / $/d instead of the intended / \$/d So escape twice in mksysmap any '$' that actually needs to reach sed escaped so that the backslash survives the Shell. Fixes: c4802044a0a7 ("scripts/mksysmap: use sed with in-line comments") Fixes: 320e7c9d4494 ("scripts/kallsyms: move compiler-generated symbol patterns to mksysmap") Signed-off-by: Pierre-Clément Tosi Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit e539c53e3f730cd99f6c22cea58ddacb94818913 Author: Bhupesh Sharma Date: Sat May 27 00:52:04 2023 +0530 dt-bindings: qcom-qce: Fix compatible combinations for SM8150 and IPQ4019 SoCs [ Upstream commit b3b266fa15552ba342831653f2b8b02c91451e73 ] Currently the compatible list available in 'qce' dt-bindings does not support SM8150 and IPQ4019 SoCs directly which may lead to potential 'dtbs_check' error(s). Fix the same. Fixes: 00f3bc2db351 ("dt-bindings: qcom-qce: Add new SoC compatible strings for Qualcomm QCE IP") Reviewed-by: Vladimir Zapolskiy Acked-by: Rob Herring Tested-by: Anders Roxell Tested-by: Linux Kernel Functional Testing Signed-off-by: Bhupesh Sharma Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit a4e975d4245a1741cdc7b3b143d865916fe845fd Author: Stephan Müller Date: Thu May 25 19:00:05 2023 +0200 crypto: jitter - correct health test during initialization [ Upstream commit d23659769ad1bf2cbafaa0efcbae20ef1a74f77e ] With the update of the permanent and intermittent health errors, the actual indicator for the health test indicates a potential error only for the one offending time stamp gathered in the current iteration round. The next iteration round will "overwrite" the health test result. Thus, the entropy collection loop in jent_gen_entropy checks for the health test failure upon each loop iteration. However, the initialization operation checked for the APT health test once for an APT window which implies it would not catch most errors. Thus, the check for all health errors is now invoked unconditionally during each loop iteration for the startup test. With the change, the error JENT_ERCT becomes unused as all health errors are only reported with the JENT_HEALTH return code. This allows the removal of the error indicator. Fixes: 3fde2fe99aa6 ("crypto: jitter - permanent and intermittent health errors" ) Reported-by: Joachim Vandersmissen Signed-off-by: Stephan Mueller Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 83d83e6edffd0fd59e86167630304d0e43d99daa Author: Arnd Bergmann Date: Tue May 23 10:33:04 2023 +0200 crypto: marvell/cesa - Fix type mismatch warning [ Upstream commit efbc7764c4446566edb76ca05e903b5905673d2e ] Commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3") uncovered a type mismatch in cesa 3des support that leads to a memcpy beyond the end of a structure: In function 'fortify_memcpy_chk', inlined from 'mv_cesa_des3_ede_setkey' at drivers/crypto/marvell/cesa/cipher.c:307:2: include/linux/fortify-string.h:583:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning] 583 | __write_overflow_field(p_size_field, size); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This is probably harmless as the actual data that is copied has the correct type, but clearly worth fixing nonetheless. Fixes: 4ada48397823 ("crypto: marvell/cesa - add Triple-DES support") Cc: Kees Cook Cc: Gustavo A. R. Silva Signed-off-by: Arnd Bergmann Reviewed-by: Kees Cook Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 8477b033fec8448d4f4fb0041323334a2fee4150 Author: Masahiro Yamada Date: Thu Jun 1 21:09:56 2023 +0900 modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24} [ Upstream commit 56a24b8ce6a7f9c4a21b2276a8644f6f3d8fc14d ] addend_arm_rel() processes R_ARM_PC24, R_ARM_CALL, R_ARM_JUMP24 in a wrong way. Here, test code. [test code for R_ARM_JUMP24] .section .init.text,"ax" bar: bx lr .section .text,"ax" .globl foo foo: b bar [test code for R_ARM_CALL] .section .init.text,"ax" bar: bx lr .section .text,"ax" .globl foo foo: push {lr} bl bar pop {pc} If you compile it with ARM multi_v7_defconfig, modpost will show the symbol name, (unknown). WARNING: modpost: vmlinux.o: section mismatch in reference: foo (section: .text) -> (unknown) (section: .init.text) (You need to use GNU linker instead of LLD to reproduce it.) Fix the code to make modpost show the correct symbol name. I imported (with adjustment) sign_extend32() from include/linux/bitops.h. The '+8' is the compensation for pc-relative instruction. It is documented in "ELF for the Arm Architecture" [1]. "If the relocation is pc-relative then compensation for the PC bias (the PC value is 8 bytes ahead of the executing instruction in Arm state and 4 bytes in Thumb state) must be encoded in the relocation by the object producer." [1]: https://github.com/ARM-software/abi-aa/blob/main/aaelf32/aaelf32.rst Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm") Fixes: 6e2e340b59d2 ("ARM: 7324/1: modpost: Fix section warnings for ARM for many compilers") Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit ec2791b3e500213ade9eeb2ab6582c46617ce049 Author: Masahiro Yamada Date: Thu Jun 1 21:09:55 2023 +0900 modpost: fix section mismatch message for R_ARM_ABS32 [ Upstream commit b7c63520f6703a25eebb4f8138fed764fcae1c6f ] addend_arm_rel() processes R_ARM_ABS32 in a wrong way. Here, test code. [test code 1] #include int __initdata foo; int get_foo(void) { return foo; } If you compile it with ARM versatile_defconfig, modpost will show the symbol name, (unknown). WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> (unknown) (section: .init.data) (You need to use GNU linker instead of LLD to reproduce it.) If you compile it for other architectures, modpost will show the correct symbol name. WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) For R_ARM_ABS32, addend_arm_rel() sets r->r_addend to a wrong value. I just mimicked the code in arch/arm/kernel/module.c. However, there is more difficulty for ARM. Here, test code. [test code 2] #include int __initdata foo; int get_foo(void) { return foo; } int __initdata bar; int get_bar(void) { return bar; } With this commit applied, modpost will show the following messages for ARM versatile_defconfig: WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) WARNING: modpost: vmlinux.o: section mismatch in reference: get_bar (section: .text) -> foo (section: .init.data) The reference from 'get_bar' to 'foo' seems wrong. I have no solution for this because it is true in assembly level. In the following output, relocation at 0x1c is no longer associated with 'bar'. The two relocation entries point to the same symbol, and the offset to 'bar' is encoded in the instruction 'r0, [r3, #4]'. Disassembly of section .text: 00000000 : 0: e59f3004 ldr r3, [pc, #4] @ c 4: e5930000 ldr r0, [r3] 8: e12fff1e bx lr c: 00000000 .word 0x00000000 00000010 : 10: e59f3004 ldr r3, [pc, #4] @ 1c 14: e5930004 ldr r0, [r3, #4] 18: e12fff1e bx lr 1c: 00000000 .word 0x00000000 Relocation section '.rel.text' at offset 0x244 contains 2 entries: Offset Info Type Sym.Value Sym. Name 0000000c 00000c02 R_ARM_ABS32 00000000 .init.data 0000001c 00000c02 R_ARM_ABS32 00000000 .init.data When find_elf_symbol() gets into a situation where relsym->st_name is zero, there is no guarantee to get the symbol name as written in C. I am keeping the current logic because it is useful in many architectures, but the symbol name is not always correct depending on the optimization. I left some comments in find_tosym(). Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm") Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit caa3bcac6f74b1a151adabb3bfab2dd5508fe77b Author: Randy Dunlap Date: Fri May 19 15:33:34 2023 -0700 crypto: nx - fix build warnings when DEBUG_FS is not enabled [ Upstream commit b04b076fb56560b39d695ac3744db457e12278fd ] Fix build warnings when DEBUG_FS is not enabled by using an empty do-while loop instead of a value: In file included from ../drivers/crypto/nx/nx.c:27: ../drivers/crypto/nx/nx.c: In function 'nx_register_algs': ../drivers/crypto/nx/nx.h:173:33: warning: statement with no effect [-Wunused-value] 173 | #define NX_DEBUGFS_INIT(drv) (0) ../drivers/crypto/nx/nx.c:573:9: note: in expansion of macro 'NX_DEBUGFS_INIT' 573 | NX_DEBUGFS_INIT(&nx_driver); ../drivers/crypto/nx/nx.c: In function 'nx_remove': ../drivers/crypto/nx/nx.h:174:33: warning: statement with no effect [-Wunused-value] 174 | #define NX_DEBUGFS_FINI(drv) (0) ../drivers/crypto/nx/nx.c:793:17: note: in expansion of macro 'NX_DEBUGFS_FINI' 793 | NX_DEBUGFS_FINI(&nx_driver); Also, there is no need to build nx_debugfs.o when DEBUG_FS is not enabled, so change the Makefile to accommodate that. Fixes: ae0222b7289d ("powerpc/crypto: nx driver code supporting nx encryption") Fixes: aef7b31c8833 ("powerpc/crypto: Build files for the nx device driver") Signed-off-by: Randy Dunlap Cc: Breno Leitão Cc: Nayna Jain Cc: Paulo Flabiano Smorigo Cc: Herbert Xu Cc: "David S. Miller" Cc: linux-crypto@vger.kernel.org Cc: Michael Ellerman Cc: Nicholas Piggin Cc: Christophe Leroy Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 0fa2f933f431b0652cb3bd4a17bd66837cc41b05 Author: Masahiro Yamada Date: Mon May 15 00:27:19 2023 +0900 modpost: remove broken calculation of exception_table_entry size [ Upstream commit d0acc76a49aa917c1a455d11d32d34a01e8b2835 ] find_extable_entry_size() is completely broken. It has awesome comments about how to calculate sizeof(struct exception_table_entry). It was based on these assumptions: - struct exception_table_entry has two fields - both of the fields have the same size Then, we came up with this equation: (offset of the second field) * 2 == (size of struct) It was true for all architectures when commit 52dc0595d540 ("modpost: handle relocations mismatch in __ex_table.") was applied. Our mathematics broke when commit 548acf19234d ("x86/mm: Expand the exception table logic to allow new handling options") introduced the third field. Now, the definition of exception_table_entry is highly arch-dependent. For x86, sizeof(struct exception_table_entry) is apparently 12, but find_extable_entry_size() sets extable_entry_size to 8. I could fix it, but I do not see much value in this code. extable_entry_size is used just for selecting a slightly different error message. If the first field ("insn") references to a non-executable section, The relocation at %s+0x%lx references section "%s" which is not executable, IOW it is not possible for the kernel to fault at that address. Something is seriously wrong and should be fixed. If the second field ("fixup") references to a non-executable section, The relocation at %s+0x%lx references section "%s" which is not executable, IOW the kernel will fault if it ever tries to jump to it. Something is seriously wrong and should be fixed. Merge the two error messages rather than adding even more complexity. Change fatal() to error() to make it continue running and catch more possible errors. Fixes: 548acf19234d ("x86/mm: Expand the exception table logic to allow new handling options") Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit 2fc91f156b3f3446a1bce80cf4adedcbf41271c2 Author: Herbert Xu Date: Thu May 4 11:59:32 2023 +0800 hwrng: virtio - Fix race on data_avail and actual data [ Upstream commit ac52578d6e8d300dd50f790f29a24169b1edd26c ] The virtio rng device kicks off a new entropy request whenever the data available reaches zero. When a new request occurs at the end of a read operation, that is, when the result of that request is only needed by the next reader, then there is a race between the writing of the new data and the next reader. This is because there is no synchronisation whatsoever between the writer and the reader. Fix this by writing data_avail with smp_store_release and reading it with smp_load_acquire when we first enter read. The subsequent reads are safe because they're either protected by the first load acquire, or by the completion mechanism. Also remove the redundant zeroing of data_idx in random_recv_done (data_idx must already be zero at this point) and data_avail in request_entropy (ditto). Reported-by: syzbot+726dc8c62c3536431ceb@syzkaller.appspotmail.com Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.") Signed-off-by: Herbert Xu Acked-by: Michael S. Tsirkin Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit e23972c9d94accd627e4a856e1e4b743d74dd838 Author: Eric Farman Date: Mon Jun 26 15:36:42 2023 +0200 vfio/mdev: Move the compat_class initialization to module init [ Upstream commit ff598081e5b9d0bdd6874bfe340811bbb75b35e4 ] The pointer to mdev_bus_compat_class is statically defined at the top of mdev_core, and was originally (commit 7b96953bc640 ("vfio: Mediated device Core driver") serialized by the parent_list_lock. The blamed commit removed this mutex, leaving the pointer initialization unserialized. As a result, the creation of multiple MDEVs in parallel (such as during boot) can encounter errors during the creation of the sysfs entries, such as: [ 8.337509] sysfs: cannot create duplicate filename '/class/mdev_bus' [ 8.337514] vfio_ccw 0.0.01d8: MDEV: Registered [ 8.337516] CPU: 13 PID: 946 Comm: driverctl Not tainted 6.4.0-rc7 #20 [ 8.337522] Hardware name: IBM 3906 M05 780 (LPAR) [ 8.337525] Call Trace: [ 8.337528] [<0000000162b0145a>] dump_stack_lvl+0x62/0x80 [ 8.337540] [<00000001622aeb30>] sysfs_warn_dup+0x78/0x88 [ 8.337549] [<00000001622aeca6>] sysfs_create_dir_ns+0xe6/0xf8 [ 8.337552] [<0000000162b04504>] kobject_add_internal+0xf4/0x340 [ 8.337557] [<0000000162b04d48>] kobject_add+0x78/0xd0 [ 8.337561] [<0000000162b04e0a>] kobject_create_and_add+0x6a/0xb8 [ 8.337565] [<00000001627a110e>] class_compat_register+0x5e/0x90 [ 8.337572] [<000003ff7fd815da>] mdev_register_parent+0x102/0x130 [mdev] [ 8.337581] [<000003ff7fdc7f2c>] vfio_ccw_sch_probe+0xe4/0x178 [vfio_ccw] [ 8.337588] [<0000000162a7833c>] css_probe+0x44/0x80 [ 8.337599] [<000000016279f4da>] really_probe+0xd2/0x460 [ 8.337603] [<000000016279fa08>] driver_probe_device+0x40/0xf0 [ 8.337606] [<000000016279fb78>] __device_attach_driver+0xc0/0x140 [ 8.337610] [<000000016279cbe0>] bus_for_each_drv+0x90/0xd8 [ 8.337618] [<00000001627a00b0>] __device_attach+0x110/0x190 [ 8.337621] [<000000016279c7c8>] bus_rescan_devices_helper+0x60/0xb0 [ 8.337626] [<000000016279cd48>] drivers_probe_store+0x48/0x80 [ 8.337632] [<00000001622ac9b0>] kernfs_fop_write_iter+0x138/0x1f0 [ 8.337635] [<00000001621e5e14>] vfs_write+0x1ac/0x2f8 [ 8.337645] [<00000001621e61d8>] ksys_write+0x70/0x100 [ 8.337650] [<0000000162b2bdc4>] __do_syscall+0x1d4/0x200 [ 8.337656] [<0000000162b3c828>] system_call+0x70/0x98 [ 8.337664] kobject: kobject_add_internal failed for mdev_bus with -EEXIST, don't try to register things with the same name in the same directory. [ 8.337668] kobject: kobject_create_and_add: kobject_add error: -17 [ 8.337674] vfio_ccw: probe of 0.0.01d9 failed with error -12 [ 8.342941] vfio_ccw_mdev aeb9ca91-10c6-42bc-a168-320023570aea: Adding to iommu group 2 Move the initialization of the mdev_bus_compat_class pointer to the init path, to match the cleanup in module exit. This way the code in mdev_register_parent() can simply link the new parent to it, rather than determining whether initialization is required first. Fixes: 89345d5177aa ("vfio/mdev: embedd struct mdev_parent in the parent data structure") Reported-by: Alexander Egorenkov Signed-off-by: Eric Farman Reviewed-by: Kevin Tian Reviewed-by: Christoph Hellwig Reviewed-by: Tony Krowiak Reviewed-by: Jason Gunthorpe Link: https://lore.kernel.org/r/20230626133642.2939168-1-farman@linux.ibm.com Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit d1a21644254a66edb8ffceab7dcf7a68b1226ce7 Author: Xinghui Li Date: Thu Apr 20 17:43:31 2023 +0800 PCI: vmd: Fix uninitialized variable usage in vmd_enable_domain() [ Upstream commit 0c0206dc4f5ba2d18b15e24d2047487d6f73916b ] The ret variable in the vmd_enable_domain() function was used uninitialized when printing a warning message upon failure of the pci_reset_bus() function. Thus, fix the issue by assigning ret with the value returned from pci_reset_bus() before referencing it in the warning message. This was detected by Smatch: drivers/pci/controller/vmd.c:931 vmd_enable_domain() error: uninitialized symbol 'ret'. [kwilczynski: drop the second patch from the series, add missing reported by tag, commit log] Fixes: 0a584655ef89 ("PCI: vmd: Fix secondary bus reset for Intel bridges") Link: https://lore.kernel.org/all/202305270219.B96IiIfv-lkp@intel.com Link: https://lore.kernel.org/linux-pci/20230420094332.1507900-2-korantwork@gmail.com Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Xinghui Li Signed-off-by: Krzysztof Wilczyński Reviewed-by: Nirmal Patel Signed-off-by: Sasha Levin commit d66a530c103485ef60a19717df3e2317249354a4 Author: Yoshihiro Shimoda Date: Wed Apr 12 15:34:47 2023 +0900 PCI: endpoint: functions/pci-epf-test: Fix dma_chan direction [ Upstream commit 880d51c729a3fa944794feb19f605eefe55916fc ] In pci_epf_test_init_dma_chan() epf_test->dma_chan_rx is assigned from dma_request_channel() with DMA_DEV_TO_MEM as filter.dma_mask. However, in pci_epf_test_data_transfer() if the dir is DMA_DEV_TO_MEM, epf->dma_chan_rx should be used but instead we are using epf_test->dma_chan_tx. Fix it. Link: https://lore.kernel.org/r/20230412063447.2841177-1-yoshihiro.shimoda.uh@renesas.com Fixes: 8353813c88ef ("PCI: endpoint: Enable DMA tests for endpoints with DMA capabilities") Tested-by: Kunihiko Hayashi Signed-off-by: Yoshihiro Shimoda Signed-off-by: Lorenzo Pieralisi Signed-off-by: Bjorn Helgaas Reviewed-by: Frank Li Signed-off-by: Sasha Levin commit f07d1dcb36209d03d4ada11aa65463beea6ab688 Author: Shunsuke Mie Date: Thu Feb 2 19:38:32 2023 +0900 PCI: endpoint: Fix a Kconfig prompt of vNTB driver [ Upstream commit 37587673cda963ec950e4983db5023802f9b5ff2 ] vNTB driver and NTB driver have same Kconfig prompt. Changed to make it distinguishable. Link: https://lore.kernel.org/r/20230202103832.2038286-1-mie@igel.co.jp Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP") Signed-off-by: Shunsuke Mie Signed-off-by: Lorenzo Pieralisi Signed-off-by: Bjorn Helgaas Reviewed-by: Manivannan Sadhasivam Signed-off-by: Sasha Levin commit 764b6d8aa77c4e55439ebbde0a287bb5353f8542 Author: Song Shuai Date: Fri Jun 9 15:50:48 2023 +0800 riscv: hibernate: remove WARN_ON in save_processor_state [ Upstream commit 91afbaafd6b1f1846520efd2b158066a25a1a316 ] During hibernation or restoration, freeze_secondary_cpus checks num_online_cpus via BUG_ON, and the subsequent save_processor_state also does the checking with WARN_ON. In the case of CONFIG_PM_SLEEP_SMP=n, freeze_secondary_cpus is not defined, but the sole possible condition to disable CONFIG_PM_SLEEP_SMP is !SMP where num_online_cpus is always 1. We also don't have to check it in save_processor_state. So remove the unnecessary checking in save_processor_state. Fixes: c0317210012e ("RISC-V: Add arch functions to support hibernation/suspend-to-disk") Signed-off-by: Song Shuai Reviewed-by: Conor Dooley Link: https://lore.kernel.org/r/20230609075049.2651723-4-songshuaishuai@tinylab.org Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 52fbbd37efe16932b487c1c3a99428491b8f1732 Author: Namhyung Kim Date: Thu Jun 22 16:53:57 2023 -0700 perf test: Set PERF_EXEC_PATH for script execution [ Upstream commit e4ef3ef1bc0a3d2535427da78b8095ef657eb474 ] The task-analyzer.py script (actually every other scripts too) requires PERF_EXEC_PATH env to find dependent libraries and scripts. For scripts test to run correctly, it needs to set PERF_EXEC_PATH to the perf tool source directory. Instead of blindly update the env, let's check the directory structure to make sure it points to the correct location. Fixes: e8478b84d6ba ("perf test: add new task-analyzer tests") Cc: Petar Gligoric Cc: Hagen Paul Pfeifer Cc: Aditya Gupta Cc: Peter Zijlstra Cc: Adrian Hunter Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Ingo Molnar Acked-by: Ian Rogers Signed-off-by: Namhyung Kim Signed-off-by: Sasha Levin commit 2509e4d1e0f477ada859ea1ebc43edb86345705b Author: Aneesh Kumar K.V Date: Fri Jun 16 16:38:15 2023 +0530 powerpc/mm/dax: Fix the condition when checking if altmap vmemap can cross-boundary [ Upstream commit c8eebc4a99f15280654f23e914e746c40a516e50 ] Without this fix, the last subsection vmemmap can end up in memory even if the namespace is created with -M mem and has sufficient space in the altmap area. Fixes: cf387d9644d8 ("libnvdimm/altmap: Track namespace boundaries in altmap") Signed-off-by: Aneesh Kumar K.V Tested-by: Sachin Sant > Signed-off-by: Michael Ellerman Link: https://msgid.link/20230616110826.344417-6-aneesh.kumar@linux.ibm.com Signed-off-by: Sasha Levin commit b43bab8daf6d2fa2b0d312ac7c30c8d45d11a88c Author: Aneesh Kumar K.V Date: Fri Jun 16 16:38:13 2023 +0530 powerpc/book3s64/mm: Fix DirectMap stats in /proc/meminfo [ Upstream commit 0da90af431abc3f497a38ec9ef6e43b0d0dabe80 ] On memory unplug reduce DirectMap page count correctly. root@ubuntu-guest:# grep Direct /proc/meminfo DirectMap4k: 0 kB DirectMap64k: 0 kB DirectMap2M: 115343360 kB DirectMap1G: 0 kB Before fix: root@ubuntu-guest:# ndctl disable-namespace all disabled 1 namespace root@ubuntu-guest:# grep Direct /proc/meminfo DirectMap4k: 0 kB DirectMap64k: 0 kB DirectMap2M: 115343360 kB DirectMap1G: 0 kB After fix: root@ubuntu-guest:# ndctl disable-namespace all disabled 1 namespace root@ubuntu-guest:# grep Direct /proc/meminfo DirectMap4k: 0 kB DirectMap64k: 0 kB DirectMap2M: 104857600 kB DirectMap1G: 0 kB Fixes: a2dc009afa9a ("powerpc/mm/book3s/radix: Add mapping statistics") Signed-off-by: Aneesh Kumar K.V Tested-by: Sachin Sant > Signed-off-by: Michael Ellerman Link: https://msgid.link/20230616110826.344417-4-aneesh.kumar@linux.ibm.com Signed-off-by: Sasha Levin commit 489026d57a3c38c23e581780bbea66a0a5d7a369 Author: Tiezhu Yang Date: Sun Apr 23 09:42:26 2023 +0800 riscv: uprobes: Restore thread.bad_cause [ Upstream commit 58b1294dd1d65bb62f08dddbf418f954210c2057 ] thread.bad_cause is saved in arch_uprobe_pre_xol(), it should be restored in arch_uprobe_{post,abort}_xol() accordingly, otherwise the save operation is meaningless, this change is similar with x86 and powerpc. Signed-off-by: Tiezhu Yang Acked-by: Oleg Nesterov Reviewed-by: Guo Ren Fixes: 74784081aac8 ("riscv: Add uprobes supported") Link: https://lore.kernel.org/r/1682214146-3756-1-git-send-email-yangtiezhu@loongson.cn Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 616464ae2e17072ef3265bb11d9babfcbb4c730d Author: Xi Pardee Date: Tue Jun 13 15:53:40 2023 -0700 platform/x86:intel/pmc: Update maps for Meteor Lake P/M platforms [ Upstream commit 9682cfd1973d01e43c2764c662e6d3291ddf770d ] Fix the IP name errors in the register maps used by the following debugfs attributes in the Meteor Lake SOC-M PMC. pfear_sts lpm_sts ltr_show Fixes: c5ad454a12c6 ("platform/x86: intel/pmc/core: Add Meteor Lake support to pmc core driver") Signed-off-by: Xi Pardee Signed-off-by: Rajvi Jingar Reviewed-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20230613225347.2720665-2-rajvi.jingar@linux.intel.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit d17d238b617db432e91601b106748b9494709e2d Author: Manivannan Sadhasivam Date: Mon Jun 19 20:34:02 2023 +0530 PCI: qcom: Disable write access to read only registers for IP v2.9.0 [ Upstream commit 200b8f85f2021362adcc8efb575652a2aa44c099 ] In the post init sequence of v2.9.0, write access to read only registers are not disabled after updating the registers. Fix it by disabling the access after register update. While at it, let's also add a newline after existing dw_pcie_dbi_ro_wr_en() guard function to align with rest of the driver. Link: https://lore.kernel.org/r/20230619150408.8468-4-manivannan.sadhasivam@linaro.org Fixes: 0cf7c2efe8ac ("PCI: qcom: Add IPQ60xx support") Signed-off-by: Manivannan Sadhasivam Signed-off-by: Lorenzo Pieralisi Reviewed-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit d7649e4d23e1678870be4fdab01a5e1e62e45683 Author: Manivannan Sadhasivam Date: Mon Jun 19 20:34:01 2023 +0530 PCI: qcom: Use DWC helpers for modifying the read-only DBI registers [ Upstream commit 60f0072d7fb7996b9a524ef0d152e21205473192 ] DWC core already exposes dw_pcie_dbi_ro_wr_{en/dis} helper APIs for enabling and disabling the write access to read only DBI registers. So let's use them instead of doing it manually. Also, the existing code doesn't disable the write access when it's done. This is also fixed now. Link: https://lore.kernel.org/r/20230619150408.8468-3-manivannan.sadhasivam@linaro.org Fixes: 5d76117f070d ("PCI: qcom: Add support for IPQ8074 PCIe controller") Signed-off-by: Manivannan Sadhasivam Signed-off-by: Lorenzo Pieralisi Reviewed-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 88b6ad86a21997960d8420440c9b4d8427cdb7cd Author: Song Shuai Date: Mon May 22 10:50:20 2023 +0800 riscv: hibernation: Remove duplicate call of suspend_restore_csrs [ Upstream commit c6399b893043a5bb634de8677362f96684f1c0c8 ] The suspend_restore_csrs is called in both __hibernate_cpu_resume and the `else` of subsequent swsusp_arch_suspend. Removing the first call makes both suspend_{save,restore}_csrs left in swsusp_arch_suspend for clean code. Fixes: c0317210012e ("RISC-V: Add arch functions to support hibernation/suspend-to-disk") Reviewed-by: Conor Dooley Reviewed-by: JeeHeng Sia Signed-off-by: Song Shuai Link: https://lore.kernel.org/r/20230522025020.285042-1-songshuaishuai@tinylab.org Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit cc46085350ccae5f3a2a55a48ab93ebf328d5e24 Author: Aditya Gupta Date: Thu Jun 15 14:40:47 2023 +0530 powerpc: update ppc_save_regs to save current r1 in pt_regs [ Upstream commit b684c09f09e7a6af3794d4233ef785819e72db79 ] ppc_save_regs() skips one stack frame while saving the CPU register states. Instead of saving current R1, it pulls the previous stack frame pointer. When vmcores caused by direct panic call (such as `echo c > /proc/sysrq-trigger`), are debugged with gdb, gdb fails to show the backtrace correctly. On further analysis, it was found that it was because of mismatch between r1 and NIP. GDB uses NIP to get current function symbol and uses corresponding debug info of that function to unwind previous frames, but due to the mismatching r1 and NIP, the unwinding does not work, and it fails to unwind to the 2nd frame and hence does not show the backtrace. GDB backtrace with vmcore of kernel without this patch: --------- (gdb) bt #0 0xc0000000002a53e8 in crash_setup_regs (oldregs=, newregs=0xc000000004f8f8d8) at ./arch/powerpc/include/asm/kexec.h:69 #1 __crash_kexec (regs=) at kernel/kexec_core.c:974 #2 0x0000000000000063 in ?? () #3 0xc000000003579320 in ?? () --------- Further analysis revealed that the mismatch occurred because "ppc_save_regs" was saving the previous stack's SP instead of the current r1. This patch fixes this by storing current r1 in the saved pt_regs. GDB backtrace with vmcore of patched kernel: -------- (gdb) bt #0 0xc0000000002a53e8 in crash_setup_regs (oldregs=0x0, newregs=0xc00000000670b8d8) at ./arch/powerpc/include/asm/kexec.h:69 #1 __crash_kexec (regs=regs@entry=0x0) at kernel/kexec_core.c:974 #2 0xc000000000168918 in panic (fmt=fmt@entry=0xc000000001654a60 "sysrq triggered crash\n") at kernel/panic.c:358 #3 0xc000000000b735f8 in sysrq_handle_crash (key=) at drivers/tty/sysrq.c:155 #4 0xc000000000b742cc in __handle_sysrq (key=key@entry=99, check_mask=check_mask@entry=false) at drivers/tty/sysrq.c:602 #5 0xc000000000b7506c in write_sysrq_trigger (file=, buf=, count=2, ppos=) at drivers/tty/sysrq.c:1163 #6 0xc00000000069a7bc in pde_write (ppos=, count=, buf=, file=, pde=0xc00000000362cb40) at fs/proc/inode.c:340 #7 proc_reg_write (file=, buf=, count=, ppos=) at fs/proc/inode.c:352 #8 0xc0000000005b3bbc in vfs_write (file=file@entry=0xc000000006aa6b00, buf=buf@entry=0x61f498b4f60 , count=count@entry=2, pos=pos@entry=0xc00000000670bda0) at fs/read_write.c:582 #9 0xc0000000005b4264 in ksys_write (fd=, buf=0x61f498b4f60 , count=2) at fs/read_write.c:637 #10 0xc00000000002ea2c in system_call_exception (regs=0xc00000000670be80, r0=) at arch/powerpc/kernel/syscall.c:171 #11 0xc00000000000c270 in system_call_vectored_common () at arch/powerpc/kernel/interrupt_64.S:192 -------- Nick adds: So this now saves regs as though it was an interrupt taken in the caller, at the instruction after the call to ppc_save_regs, whereas previously the NIP was there, but R1 came from the caller's caller and that mismatch is what causes gdb's dwarf unwinder to go haywire. Signed-off-by: Aditya Gupta Fixes: d16a58f8854b1 ("powerpc: Improve ppc_save_regs()") Reivewed-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://msgid.link/20230615091047.90433-1-adityag@linux.ibm.com Signed-off-by: Sasha Levin commit 72990144e17e5e2cb378f1d9b10530b85b9bc382 Author: Colin Ian King Date: Thu Jun 8 10:58:49 2023 +0100 powerpc/powernv/sriov: perform null check on iov before dereferencing iov [ Upstream commit f4f913c980bc6abe0ccfe88fe3909c125afe4a2d ] Currently pointer iov is being dereferenced before the null check of iov which can lead to null pointer dereference errors. Fix this by moving the iov null check before the dereferencing. Detected using cppcheck static analysis: linux/arch/powerpc/platforms/powernv/pci-sriov.c:597:12: warning: Either the condition '!iov' is redundant or there is possible null pointer dereference: iov. [nullPointerRedundantCheck] num_vfs = iov->num_vfs; ^ Fixes: 052da31d45fc ("powerpc/powernv/sriov: De-indent setup and teardown") Signed-off-by: Colin Ian King Signed-off-by: Michael Ellerman Link: https://msgid.link/20230608095849.1147969-1-colin.i.king@gmail.com Signed-off-by: Sasha Levin commit 32a76e5f5fe19de976a1565afa8f8365dccc1fdf Author: Stanley Chu Date: Sat Jun 10 10:15:51 2023 +0800 scsi: ufs: core: mcq: Fix the incorrect OCS value for the device command [ Upstream commit 0fef6bb730c490fcdc4347dbd21646d3ffe62cf5 ] In MCQ mode, when a device command uses a hardware queue shared with other commands, a race condition may occur in the following scenario: 1. A device command is completed in CQx with CQE entry "e". 2. The interrupt handler copies the "cqe" pointer to "hba->dev_cmd.cqe" and completes "hba->dev_cmd.complete". 3. The "ufshcd_wait_for_dev_cmd()" function is awakened and retrieves the OCS value from "hba->dev_cmd.cqe". However, there is a possibility that the CQE entry "e" will be overwritten by newly completed commands in CQx, resulting in an incorrect OCS value being received by "ufshcd_wait_for_dev_cmd()". To avoid this race condition, the OCS value should be immediately copied to the struct "lrb" of the device command. Then "ufshcd_wait_for_dev_cmd()" can retrieve the OCS value from the struct "lrb". Fixes: 57b1c0ef89ac ("scsi: ufs: core: mcq: Add support to allocate multiple queues") Suggested-by: Can Guo Signed-off-by: Stanley Chu Link: https://lore.kernel.org/r/20230610021553.1213-2-powen.kao@mediatek.com Tested-by: Po-Wen Kao Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 5b4af2dbf12558e7f445f451f9b63a0a0a199803 Author: Bart Van Assche Date: Wed May 31 15:40:47 2023 -0700 scsi: ufs: core: Remove a ufshcd_add_command_trace() call [ Upstream commit 72554035b9797e00e68cd866e6cefa7f0b2c6f76 ] ufshcd_add_command_trace() traces SCSI commands. Remove a ufshcd_add_command_trace() call from a code path that is not related to SCSI commands. Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20230531224050.25554-1-bvanassche@acm.org Reviewed-by: Avri Altman Reviewed-by: Bean Huo Signed-off-by: Martin K. Petersen Stable-dep-of: 0fef6bb730c4 ("scsi: ufs: core: mcq: Fix the incorrect OCS value for the device command") Signed-off-by: Sasha Levin commit 0ffde301f3a6941779d8c8f582ba0ef75930e60a Author: Namhyung Kim Date: Fri Jun 16 00:32:10 2023 -0700 perf stat: Reset aggr stats for each run [ Upstream commit ed4090a22c123b9b33368741253edddc6ff8d18f ] When it runs multiple times with -r option, it missed to reset the aggregation counters and the values were added up. The aggregation count has the values to be printed in the end. It should reset the counters at the beginning of each run. But the current code does that only when -I/--interval-print option is given. Fixes: 91f85f98da7ab8c3 ("perf stat: Display event stats using aggr counts") Reported-by: Jiri Olsa Signed-off-by: Namhyung Kim Cc: Adrian Hunter Cc: Andi Kleen Cc: Ian Rogers Cc: Ingo Molnar Cc: Kan Liang Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20230616073211.1057936-1-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 8a1fa202f47f39680a4305af744f499a324f8a03 Author: Claudiu Beznea Date: Thu Jun 15 13:53:33 2023 +0300 pinctrl: at91-pio4: check return value of devm_kasprintf() [ Upstream commit f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0 ] devm_kasprintf() returns a pointer to dynamically allocated memory. Pointer could be NULL in case allocation fails. Check pointer validity. Identified with coccinelle (kmerr.cocci script). Fixes: 776180848b57 ("pinctrl: introduce driver for Atmel PIO4 controller") Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks") Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int") Signed-off-by: Claudiu Beznea Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20230615105333.585304-4-claudiu.beznea@microchip.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 06478a293d52727e1d9919858d79fedaf480c195 Author: Claudiu Beznea Date: Thu Jun 15 13:53:32 2023 +0300 pinctrl: microchip-sgpio: check return value of devm_kasprintf() [ Upstream commit 310cd4c206cd04696ccbfd1927b5ab6973e8cc8e ] devm_kasprintf() returns a pointer to dynamically allocated memory. Pointer could be NULL in case allocation fails. Check pointer validity. Identified with coccinelle (kmerr.cocci script). Fixes: 7e5ea974e61c ("pinctrl: pinctrl-microchip-sgpio: Add pinctrl driver for Microsemi Serial GPIO") Signed-off-by: Claudiu Beznea Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20230615105333.585304-3-claudiu.beznea@microchip.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 27d9a7585b594bb2f9bb1f65e0003814fcc69c75 Author: Xiaolei Wang Date: Fri May 5 07:37:36 2023 +0800 pinctrl: freescale: Fix a memory out of bounds when num_configs is 1 [ Upstream commit 9063777ca1e2e895c5fdd493ee0c3f18fa710ed4 ] The config passed in by pad wakeup is 1, when num_configs is 1, Configuration [1] should not be fetched, which will be detected by KASAN as a memory out of bounds condition. Modify to get configs[1] when num_configs is 2. Fixes: f60c9eac54af ("gpio: mxc: enable pad wakeup on i.MX8x platforms") Signed-off-by: Xiaolei Wang Reviewed-by: Peng Fan Link: https://lore.kernel.org/r/20230504233736.3766296-1-xiaolei.wang@windriver.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 421cd1544480f2458042fe7f4913a2069c4d7251 Author: Nicholas Piggin Date: Wed Jun 7 20:10:24 2023 +1000 powerpc/64s: Fix VAS mm use after free [ Upstream commit b4bda59b47879cce38a6ec5a01cd3cac702b5331 ] The refcount on mm is dropped before the coprocessor is detached. Reported-by: Sachin Sant Fixes: 7bc6f71bdff5f ("powerpc/vas: Define and use common vas_window struct") Fixes: b22f2d88e435c ("powerpc/pseries/vas: Integrate API with open/close windows") Signed-off-by: Nicholas Piggin Tested-by: Sachin Sant Signed-off-by: Michael Ellerman Link: https://msgid.link/20230607101024.14559-1-npiggin@gmail.com Signed-off-by: Sasha Levin commit f3daf02a41e3c11e1a473517a8a6169248fb8e7b Author: Ian Rogers Date: Tue Jun 13 16:54:16 2023 -0700 perf tool x86: Fix perf_env memory leak [ Upstream commit 99d4850062a84564f36923764bb93935ef2ed108 ] Found by leak sanitizer: ``` ==1632594==ERROR: LeakSanitizer: detected memory leaks Direct leak of 21 byte(s) in 1 object(s) allocated from: #0 0x7f2953a7077b in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:439 #1 0x556701d6fbbf in perf_env__read_cpuid util/env.c:369 #2 0x556701d70589 in perf_env__cpuid util/env.c:465 #3 0x55670204bba2 in x86__is_amd_cpu arch/x86/util/env.c:14 #4 0x5567020487a2 in arch__post_evsel_config arch/x86/util/evsel.c:83 #5 0x556701d8f78b in evsel__config util/evsel.c:1366 #6 0x556701ef5872 in evlist__config util/record.c:108 #7 0x556701cd6bcd in test__PERF_RECORD tests/perf-record.c:112 #8 0x556701cacd07 in run_test tests/builtin-test.c:236 #9 0x556701cacfac in test_and_print tests/builtin-test.c:265 #10 0x556701cadddb in __cmd_test tests/builtin-test.c:402 #11 0x556701caf2aa in cmd_test tests/builtin-test.c:559 #12 0x556701d3b557 in run_builtin tools/perf/perf.c:323 #13 0x556701d3bac8 in handle_internal_command tools/perf/perf.c:377 #14 0x556701d3be90 in run_argv tools/perf/perf.c:421 #15 0x556701d3c3f8 in main tools/perf/perf.c:537 #16 0x7f2952a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 SUMMARY: AddressSanitizer: 21 byte(s) leaked in 1 allocation(s). ``` Fixes: f7b58cbdb3ff36eb ("perf mem/c2c: Add load store event mappings for AMD") Signed-off-by: Ian Rogers Acked-by: Ravi Bangoria Tested-by: Arnaldo Carvalho de Melo Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ingo Molnar Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Ravi Bangoria Link: https://lore.kernel.org/r/20230613235416.1650755-1-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 2e3cce0cabdcff21e799547491b452256bf03e82 Author: Ravi Bangoria Date: Tue Jun 13 15:25:04 2023 +0530 perf tool x86: Consolidate is_amd check into single function [ Upstream commit 0cd1ca4650c9cf5f318110f67d39cbebae3693b3 ] There are multiple places where x86 specific code determines AMD vs Intel arch and acts based on that. Consolidate those checks into a single function. Signed-off-by: Ravi Bangoria Acked-by: Ian Rogers Cc: Adrian Hunter Cc: Ali Saidi Cc: Ananth Narayan Cc: James Clark Cc: Jiri Olsa Cc: Kan Liang Cc: Leo Yan Cc: Madhavan Srinivasan Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Sandipan Das Cc: Santosh Shukla Link: https://lore.kernel.org/r/20230613095506.547-3-ravi.bangoria@amd.com Signed-off-by: Arnaldo Carvalho de Melo Stable-dep-of: 99d4850062a8 ("perf tool x86: Fix perf_env memory leak") Signed-off-by: Sasha Levin commit 419aa1b9bba490f73022ac60e787fc08e85329b7 Author: Michal Wilczynski Date: Tue Jun 13 11:43:10 2023 +0300 platform/x86/dell/dell-rbtn: Fix resources leaking on error path [ Upstream commit 966cca72ab20289083521a385fa56035d85a222d ] Currently rbtn_add() in case of failure is leaking resources. Fix this by adding a proper rollback. Move devm_kzalloc() before rbtn_acquire(), so it doesn't require rollback in case of failure. While at it, remove unnecessary assignment of NULL to device->driver_data and unnecessary whitespace, plus add a break for the default case in a switch. Suggested-by: Ilpo Järvinen Suggested-by: Pali Rohár Fixes: 817a5cdb40c8 ("dell-rbtn: Dell Airplane Mode Switch driver") Signed-off-by: Michal Wilczynski Reviewed-by: Andy Shevchenko Acked-by: Rafael J. Wysocki Reviewed-by: Pali Rohár Link: https://lore.kernel.org/r/20230613084310.2775896-1-michal.wilczynski@intel.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 0c530479b472344b4e2bd861e0799bed4419aeb0 Author: Aditya Gupta Date: Tue Jun 13 22:11:45 2023 +0530 perf tests task_analyzer: Skip tests if no libtraceevent support [ Upstream commit c3ac3b0779770acd3ad7eecb5099ab4419ef2e2e ] Test "perf script task-analyzer tests" fails in environment with missing libtraceevent support, as perf record fails to create the perf.data file, which further tests depend on. Instead, when perf is not compiled with libtraceevent support, skip those tests instead of failing them, by checking the output of `perf record --dry-run` to see if it prints the error "libtraceevent is necessary for tracepoint support" For the following output, perf compiled with: `make NO_LIBTRACEEVENT=1` Before the patch: 108: perf script task-analyzer tests : test child forked, pid 24105 failed to open perf.data: No such file or directory (try 'perf record' first) FAIL: "invokation of perf script report task-analyzer command failed" Error message: "" FAIL: "test_basic" Error message: "Failed to find required string:'Comm'." failed to open perf.data: No such file or directory (try 'perf record' first) FAIL: "invokation of perf script report task-analyzer --ns --rename-comms-by-tids 0:random command failed" Error message: "" FAIL: "test_ns_rename" Error message: "Failed to find required string:'Comm'." failed to open perf.data: No such file or directory (try 'perf record' first) <...> perf script task-analyzer tests: FAILED! With this patch, the script instead returns 2 signifying SKIP, and after the patch: 108: perf script task-analyzer tests : test child forked, pid 26010 libtraceevent is necessary for tracepoint support WARN: Skipping tests. No libtraceevent support test child finished with -2 perf script task-analyzer tests: Skip Fixes: e8478b84d6ba9ccf ("perf test: Add new task-analyzer tests") Signed-off-by: Aditya Gupta Cc: Disha Goel Cc: Ian Rogers Cc: Jiri Olsa Cc: John Garry Cc: Madhavan Srinivasan Cc: Namhyung Kim Cc: Petar Gligoric Cc: Ravi Bangoria Cc: linuxppc-dev@lists.ozlabs.org Link: https://lore.kernel.org/r/20230613164145.50488-18-atrajeev@linux.vnet.ibm.com Signed-off-by: Athira Rajeev Signed-off-by: Kajol Jain Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit e1748bd615e5434c9c68337420b249efcad54398 Author: Aditya Gupta Date: Tue Jun 13 22:11:43 2023 +0530 perf tests task_analyzer: Fix bad substitution ${$1} [ Upstream commit 5c4396efb53ef07d046a2e9456b240880e0c3076 ] ${$1} gives bad substitution error on sh, bash, and zsh. This seems like a typo, and this patch modifies it to $1, since that is what it's usage looks like from wherever `check_exec_0` is called. This issue due to ${$1} caused all function calls to give error in `find_str_or_fail` line, and so no test runs completely. But 'perf test "perf script task-analyzer tests"' wrongly reports that tests passed with the status OK, which is wrong considering the tests didn't even run completely Fixes: e8478b84d6ba9ccf ("perf test: add new task-analyzer tests") Signed-off-by: Aditya Gupta Signed-off-by: Athira Rajeev Signed-off-by: Kajol Jain Cc: Disha Goel Cc: Hagen Paul Pfeifer Cc: Ian Rogers Cc: Jiri Olsa Cc: John Garry Cc: Madhavan Srinivasan Cc: Namhyung Kim Cc: Petar Gligoric Cc: Ravi Bangoria Cc: linuxppc-dev@lists.ozlabs.org Link: https://lore.kernel.org/r/20230613164145.50488-16-atrajeev@linux.vnet.ibm.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit feb0710a227272d0d24346f64effc81561abb027 Author: Kan Liang Date: Wed Jun 7 09:26:53 2023 -0700 perf metric: Fix no group check [ Upstream commit e4c4e8a538a0db071d291bc2dca487e1882a7d4f ] The no group check fails if there is more than one meticgroup in the metricgroup_no_group. The first parameter of the match_metric() should be the string, while the substring should be the second parameter. Fixes: ccc66c6092802d68 ("perf metric: JSON flag to not group events if gathering a metric group") Signed-off-by: Kan Liang Acked-by: Ian Rogers Cc: Adrian Hunter Cc: Ahmad Yasin Cc: Andi Kleen Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Stephane Eranian Link: https://lore.kernel.org/r/20230607162700.3234712-2-kan.liang@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit b52376bb693da22cf73822ff2d6e6ca322d3a1be Author: Namhyung Kim Date: Mon Jun 12 16:41:01 2023 -0700 perf dwarf-aux: Fix off-by-one in die_get_varname() [ Upstream commit 3abfcfd847717d232e36963f31a361747c388fe7 ] The die_get_varname() returns "(unknown_type)" string if it failed to find a type for the variable. But it had a space before the opening parenthesis and it made the closing parenthesis cut off due to the off-by-one in the string length (14). Signed-off-by: Namhyung Kim Fixes: 88fd633cdfa19060 ("perf probe: No need to use formatting strbuf method") Cc: Adrian Hunter Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Masami Hiramatsu Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20230612234102.3909116-1-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit f9a52a0ea08514c1ade269d0d918ae1abc36c19b Author: David E. Box Date: Wed Jun 7 16:38:49 2023 -0700 platform/x86/intel/pmc/mtl: Put devices in D3 during resume [ Upstream commit f2b689ab2f8cc089cc7659c323f282e6a1fb6d64 ] An earlier commit placed some driverless devices in D3 during boot so that they don't block package cstate entry on Meteor Lake. Also place these devices in D3 after resume from suspend. Fixes: 336ba968d3e3 ("platform/x86/intel/pmc/mtl: Put GNA/IPU/VPU devices in D3") Signed-off-by: David E. Box Link: https://lore.kernel.org/r/20230607233849.239047-2-david.e.box@linux.intel.com Reviewed-by: Ilpo Järvinen Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 7826682b777175c59e341f96998230ffb6ea89b9 Author: David E. Box Date: Wed Jun 7 16:38:48 2023 -0700 platform/x86/intel/pmc: Add resume callback [ Upstream commit 801e5dc9853fcc36164c502456078145d72b23c5 ] Add a resume callback to perform platform specific functions during resume from suspend. Signed-off-by: David E. Box Link: https://lore.kernel.org/r/20230607233849.239047-1-david.e.box@linux.intel.com Reviewed-by: Ilpo Järvinen Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Stable-dep-of: f2b689ab2f8c ("platform/x86/intel/pmc/mtl: Put devices in D3 during resume") Signed-off-by: Sasha Levin commit 9105734f764e2a55e569f52ed7706d208756b7d4 Author: Mark Pearson Date: Tue Jun 6 11:18:04 2023 -0400 platform/x86: thinkpad_acpi: Fix lkp-tests warnings for platform profiles [ Upstream commit f999e23ce66c1555d7b653fba171a88ecee53704 ] Fix issues identified in dytc_profile_refresh identified by lkp-tests. drivers/platform/x86/thinkpad_acpi.c:10538 dytc_profile_refresh() error: uninitialized symbol 'funcmode'. drivers/platform/x86/thinkpad_acpi.c:10531 dytc_profile_refresh() error: uninitialized symbol 'output'. drivers/platform/x86/thinkpad_acpi.c:10537 dytc_profile_refresh() error: uninitialized symbol 'output'. These issues should not lead to real problems in the field as the refresh function should only be called if MMC or PSC mode enabled. But good to fix. Thanks to Dan Carpenter and the lkp-tests project for flagging these. Reported-by: kernel test robot Reported-by: Dan Carpenter Closes: https://lore.kernel.org/r/202306011202.1hbgLRD4-lkp@intel.com/ Fixes: 1bc5d819f0b9 ("platform/x86: thinkpad_acpi: Fix profile modes on Intel platforms") Signed-off-by: Mark Pearson Link: https://lore.kernel.org/r/20230606151804.8819-1-mpearson-lenovo@squebb.ca Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 8dd306534d894c72667bb189c853fd8e8d768e88 Author: Arnaldo Carvalho de Melo Date: Tue Jun 6 16:11:10 2023 -0300 perf script: Fix allocation of evsel->priv related to per-event dump files [ Upstream commit 36d3e4138e1b6cc9ab179f3f397b5548f8b1eaae ] When printing output we may want to generate per event files, where the --per-event-dump option should be used, creating perf.data.EVENT.dump files instead of printing to stdout. The callback thar processes event thus expects that evsel->priv->fp should point to either the per-event FILE descriptor or to stdout. The a3af66f51bd0bca7 ("perf script: Fix crash because of missing evsel->priv") changeset fixed a case where evsel->priv wasn't setup, thus set to NULL, causing a segfault when trying to access evsel->priv->fp. But it did it for the non --per-event-dump case by allocating a 'struct perf_evsel_script' just to set its ->fp to stdout. Since evsel->priv is only freed when --per-event-dump is used, we ended up with a memory leak, detected using ASAN. Fix it by using the same method as perf_script__setup_per_event_dump(), and reuse that static 'struct perf_evsel_script'. Also check if evsel_script__new() failed. Fixes: a3af66f51bd0bca7 ("perf script: Fix crash because of missing evsel->priv") Reported-by: Ian Rogers Tested-by: Ian Rogers Cc: Adrian Hunter Cc: Jiri Olsa Cc: Namhyung Kim Cc: Ravi Bangoria Link: https://lore.kernel.org/lkml/ZH+F0wGAWV14zvMP@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 4dac25939fd4c047e51ac83d4a9e5862979a9785 Author: Christophe Leroy Date: Mon Jun 5 10:58:35 2023 +0200 powerpc/signal32: Force inlining of __unsafe_save_user_regs() and save_tm_user_regs_unsafe() [ Upstream commit a03b1a0b19398a47489fdcef02ec19c2ba05a15d ] Looking at generated code for handle_signal32() shows calls to a function called __unsafe_save_user_regs.constprop.0 while user access is open. And that __unsafe_save_user_regs.constprop.0 function has two nops at the begining, allowing it to be traced, which is unexpected during user access open window. The solution could be to mark __unsafe_save_user_regs() no trace, but to be on the safe side the most efficient is to flag it __always_inline as already done for function __unsafe_restore_general_regs(). The function is relatively small and only called twice, so the size increase will remain in the noise. Do the same with save_tm_user_regs_unsafe() as it may suffer the same issue. Fixes: ef75e7318294 ("powerpc/signal32: Transform save_user_regs() and save_tm_user_regs() in 'unsafe' version") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://msgid.link/7e469c8f01860a69c1ada3ca6a5e2aa65f0f74b2.1685955220.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 227db6699ca5f98ccd59ad471bfa119b7f93c25c Author: Christophe Leroy Date: Mon Jun 5 10:55:26 2023 +0200 powerpc/interrupt: Don't read MSR from interrupt_exit_kernel_prepare() [ Upstream commit 0eb089a72fda3f7969e6277804bde75dc1474a14 ] A disassembly of interrupt_exit_kernel_prepare() shows a useless read of MSR register. This is shown by r9 being re-used immediately without doing anything with the value read. c000e0e0: 60 00 00 00 nop c000e0e4: 7d 3a c2 a6 mfmd_ap r9 c000e0e8: 7d 20 00 a6 mfmsr r9 c000e0ec: 7c 51 13 a6 mtspr 81,r2 c000e0f0: 81 3f 00 84 lwz r9,132(r31) c000e0f4: 71 29 80 00 andi. r9,r9,32768 This is due to the use of local_irq_save(). The flags read by local_irq_save() are never used, use local_irq_disable() instead. Fixes: 13799748b957 ("powerpc/64: use interrupt restart table to speed up return from interrupt") Signed-off-by: Christophe Leroy Reviewed-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://msgid.link/df36c6205ab64326fb1b991993c82057e92ace2f.1685955214.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 5da37177faa8ce8a67ce104011b209606ae4d05c Author: Christophe Leroy Date: Fri May 12 17:31:17 2023 +0200 kcsan: Don't expect 64 bits atomic builtins from 32 bits architectures [ Upstream commit 353e7300a1db928e427462f2745f9a2cd1625b3d ] Activating KCSAN on a 32 bits architecture leads to the following link-time failure: LD .tmp_vmlinux.kallsyms1 powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_load': kernel/kcsan/core.c:1273: undefined reference to `__atomic_load_8' powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_store': kernel/kcsan/core.c:1273: undefined reference to `__atomic_store_8' powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_exchange': kernel/kcsan/core.c:1273: undefined reference to `__atomic_exchange_8' powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_fetch_add': kernel/kcsan/core.c:1273: undefined reference to `__atomic_fetch_add_8' powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_fetch_sub': kernel/kcsan/core.c:1273: undefined reference to `__atomic_fetch_sub_8' powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_fetch_and': kernel/kcsan/core.c:1273: undefined reference to `__atomic_fetch_and_8' powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_fetch_or': kernel/kcsan/core.c:1273: undefined reference to `__atomic_fetch_or_8' powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_fetch_xor': kernel/kcsan/core.c:1273: undefined reference to `__atomic_fetch_xor_8' powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_fetch_nand': kernel/kcsan/core.c:1273: undefined reference to `__atomic_fetch_nand_8' powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_compare_exchange_strong': kernel/kcsan/core.c:1273: undefined reference to `__atomic_compare_exchange_8' powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_compare_exchange_weak': kernel/kcsan/core.c:1273: undefined reference to `__atomic_compare_exchange_8' powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_compare_exchange_val': kernel/kcsan/core.c:1273: undefined reference to `__atomic_compare_exchange_8' 32 bits architectures don't have 64 bits atomic builtins. Only include DEFINE_TSAN_ATOMIC_OPS(64) on 64 bits architectures. Fixes: 0f8ad5f2e934 ("kcsan: Add support for atomic builtins") Suggested-by: Marco Elver Signed-off-by: Christophe Leroy Reviewed-by: Marco Elver Acked-by: Marco Elver Signed-off-by: Michael Ellerman Link: https://msgid.link/d9c6afc28d0855240171a4e0ad9ffcdb9d07fceb.1683892665.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit ee16d015d84a3b16de3a1af38ebf57db164b1083 Author: Jiasheng Jiang Date: Wed Jun 7 17:58:29 2023 +0800 pinctrl: npcm7xx: Add missing check for ioremap [ Upstream commit ad64639417161e90b30dda00486570eb150aeee5 ] Add check for ioremap() and return the error if it fails in order to guarantee the success of ioremap(). Fixes: 3b588e43ee5c ("pinctrl: nuvoton: add NPCM7xx pinctrl and GPIO driver") Signed-off-by: Jiasheng Jiang Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20230607095829.1345-1-jiasheng@iscas.ac.cn Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit cc76bc8db5ef29fba008eea7b0ddf842c46c4d51 Author: Wells Lu Date: Sun May 28 20:34:37 2023 +0800 pinctrl:sunplus: Add check for kmalloc [ Upstream commit 73f8ce7f961afcb3be49352efeb7c26cc1c00cc4 ] Fix Smatch static checker warning: potential null dereference 'configs'. (kmalloc returns null) Changes in v2: 1. Add free allocated memory before returned -ENOMEM. 2. Add call of_node_put() before returned -ENOMEM. Fixes: aa74c44be19c ("pinctrl: Add driver for Sunplus SP7021") Signed-off-by: Wells Lu Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/1685277277-12209-1-git-send-email-wellslutw@gmail.com [Rebased on the patch from Lu Hongfei] Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit a750ee0825054ce74c43c241a8cebeb6b8bd0630 Author: Mark Pearson Date: Thu Jun 1 16:05:50 2023 -0400 platform/x86: think-lmi: Correct NVME password handling [ Upstream commit 4cebb42412248d28df6de01420cfac5654428d41 ] NVME passwords identifier have been standardised across the Lenovo systems and now use udrp and adrp (user and admin level) instead of unvp and mnvp. This should apparently be backwards compatible. Fixes: 640a5fa50a42 ("platform/x86: think-lmi: Opcode support") Signed-off-by: Mark Pearson Reviewed-by: Ilpo Järvinen Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20230601200552.4396-6-mpearson-lenovo@squebb.ca Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit ef6fd4d4ec3b53bce18e92516cf92410704b1130 Author: Mark Pearson Date: Thu Jun 1 16:05:47 2023 -0400 platform/x86: think-lmi: Correct System password interface [ Upstream commit 97eef5983372d7aee6549d644d788fd0c10d2b6e ] The system password identification was incorrect. This means that if the password was enabled it wouldn't be detected correctly; and setting it would not work. Also updated code to use TLMI_SMP_PWD instead of TLMI_SYS_PWD to be in sync with Lenovo documentation. Fixes: 640a5fa50a42 ("platform/x86: think-lmi: Opcode support") Signed-off-by: Mark Pearson Reviewed-by: Ilpo Järvinen Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20230601200552.4396-3-mpearson-lenovo@squebb.ca Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 7e03cd33eb2e4f5090777030e8e8dcfa7a0d922f Author: Mark Pearson Date: Thu Jun 1 16:05:45 2023 -0400 platform/x86: think-lmi: mutex protection around multiple WMI calls [ Upstream commit c41e0121a1221894a1a9c4666156db9e1def4d6c ] When an attribute is being changed if the Admin account is enabled, or if a password is being updated then multiple WMI calls are needed. Add mutex protection to ensure no race conditions are introduced. Fixes: b49f72e7f96d ("platform/x86: think-lmi: Certificate authentication support") Signed-off-by: Mark Pearson Reviewed-by: Ilpo Järvinen Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20230601200552.4396-1-mpearson-lenovo@squebb.ca Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit b6462fafbe9eeebdafd1d1a4e1668eeca23b20bc Author: Xi Pardee Date: Wed May 31 17:47:06 2023 -0700 platform/x86:intel/pmc: Remove Meteor Lake S platform support [ Upstream commit 416a87c972b978d71ab828442d1d48e3bd194855 ] commit c5ad454a12c6 ("platform/x86: intel/pmc/core: Add Meteor Lake support to pmc core driver") was supposed to add support for Meter Lake P/M and mistakenly added support for Meteor Lake S instead. Meteor Lake P/M support was added later and MTL-S support needs to be removed since its currently assigned to the wrong register maps. Fixes: c5ad454a12c6 ("platform/x86: intel/pmc/core: Add Meteor Lake support to pmc core driver") Signed-off-by: Xi Pardee Signed-off-by: David E. Box Link: https://lore.kernel.org/r/20230601004706.871528-1-xi.pardee@intel.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 1a434752853e41503e3e7edcdb4bdc24a2dbe373 Author: Andy Shevchenko Date: Mon Jun 5 17:37:34 2023 +0300 pinctrl: cherryview: Return correct value if pin in push-pull mode [ Upstream commit 5835196a17be5cfdcad0b617f90cf4abe16951a4 ] Currently the getter returns ENOTSUPP on pin configured in the push-pull mode. Fix this by adding the missed switch case. Fixes: ccdf81d08dbe ("pinctrl: cherryview: add option to set open-drain pin config") Fixes: 6e08d6bbebeb ("pinctrl: Add Intel Cherryview/Braswell pin controller support") Acked-by: Mika Westerberg Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin commit ef322de03241ee1dd0556df903a49b17b6060244 Author: Arnaldo Carvalho de Melo Date: Fri Jun 2 15:38:25 2023 -0300 perf bench: Add missing setlocale() call to allow usage of %'d style formatting [ Upstream commit 16203e9cd01896b4244100a8e3fb9f6e612ab2b1 ] Without this we were not getting the thousands separator for big numbers. Noticed while developing 'perf bench uprobe', but the use of %' predates that, for instance 'perf bench syscall' uses it. Before: # perf bench uprobe all # Running uprobe/baseline benchmark... # Executed 1000 usleep(1000) calls Total time: 1054082243ns 1054082.243000 nsecs/op # After: # perf bench uprobe all # Running uprobe/baseline benchmark... # Executed 1,000 usleep(1000) calls Total time: 1,053,715,144ns 1,053,715.144000 nsecs/op # Fixes: c2a08203052f8975 ("perf bench: Add basic syscall benchmark") Cc: Adrian Hunter Cc: Andre Fredette Cc: Clark Williams Cc: Dave Tucker Cc: Davidlohr Bueso Cc: Derek Barbosa Cc: Ian Rogers Cc: Jiri Olsa Cc: Namhyung Kim Cc: Tiezhu Yang Link: https://lore.kernel.org/lkml/ZH3lcepZ4tBYr1jv@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit db103b83658c1fd8fe2e02f470d4856cd72be9a9 Author: Thierry Reding Date: Tue May 30 12:53:07 2023 +0200 pinctrl: tegra: Duplicate pinmux functions table [ Upstream commit fad57233501beb5bd25f037cb9128a533e710600 ] The function table is filled with group information based on other instance-specific data at runtime. However, the function table can be shared between multiple instances, causing the ->probe() function for one instance to overwrite the table of a previously probed instance. Fix this by sharing only the function names and allocating a separate function table for each instance. Fixes: 5a0047360743 ("pinctrl: tegra: Separate Tegra194 instances") Signed-off-by: Thierry Reding Link: https://lore.kernel.org/r/20230530105308.1292852-1-thierry.reding@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 49234a401e161a2f2698f4612ab792c49b3cad1b Author: Bart Van Assche Date: Wed May 24 13:36:20 2023 -0700 scsi: ufs: core: Fix handling of lrbp->cmd [ Upstream commit 549e91a9bbaa0ee480f59357868421a61d369770 ] ufshcd_queuecommand() may be called two times in a row for a SCSI command before it is completed. Hence make the following changes: - In the functions that submit a command, do not check the old value of lrbp->cmd nor clear lrbp->cmd in error paths. - In ufshcd_release_scsi_cmd(), do not clear lrbp->cmd. See also scsi_send_eh_cmnd(). This commit prevents that the following appears if a command times out: WARNING: at drivers/ufs/core/ufshcd.c:2965 ufshcd_queuecommand+0x6f8/0x9a8 Call trace: ufshcd_queuecommand+0x6f8/0x9a8 scsi_send_eh_cmnd+0x2c0/0x960 scsi_eh_test_devices+0x100/0x314 scsi_eh_ready_devs+0xd90/0x114c scsi_error_handler+0x2b4/0xb70 kthread+0x16c/0x1e0 Fixes: 5a0b0cb9bee7 ("[SCSI] ufs: Add support for sending NOP OUT UPIU") Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20230524203659.1394307-3-bvanassche@acm.org Acked-by: Adrian Hunter Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 1aba31fdb39140ccdf3be20d8ee3fadb5f64b140 Author: Bart Van Assche Date: Wed May 24 13:36:19 2023 -0700 scsi: ufs: core: Increase the START STOP UNIT timeout from one to ten seconds [ Upstream commit fe8637f7708c16765ecf4035813efbfdd2c9be10 ] One UFS vendor asked to increase the UFS timeout from 1 s to 3 s. Another UFS vendor asked to increase the UFS timeout from 1 s to 10 s. Hence this patch that increases the UFS timeout to 10 s. This patch can cause the total timeout to exceed 20 s, the Android shutdown timeout. This is fine since the loop around ufshcd_execute_start_stop() exists to deal with unit attentions and because unit attentions are reported quickly. Fixes: dcd5b7637c6d ("scsi: ufs: Reduce the START STOP UNIT timeout") Fixes: 8f2c96420c6e ("scsi: ufs: core: Reduce the power mode change timeout") Acked-by: Adrian Hunter Reviewed-by: Stanley Chu Reviewed-by: Bean Huo Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20230524203659.1394307-2-bvanassche@acm.org Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 6fb6b331cdf270a0b32df76ac40004221be5dec8 Author: Justin Tee Date: Tue May 23 11:32:01 2023 -0700 scsi: lpfc: Revise NPIV ELS unsol rcv cmpl logic to drop ndlp based on nlp_state [ Upstream commit 9914a3d033d3e1d836a43e93e9738e7dd44a096a ] When NPIV ports are zoned to devices that support both initiator and target mode, a remote device's initiated PRLI results in unintended final kref clean up of the device's ndlp structure. This disrupts NPIV ports' discovery for target devices that support both initiator and target mode. Modify the NPIV lpfc_drop_node clause such that we allow the ndlp to live so long as it was in NLP_STE_PLOGI_ISSUE, NLP_STE_REG_LOGIN_ISSUE, or NLP_STE_PRLI_ISSUE nlp_state. This allows lpfc's issued PRLI completion routine to determine if the final kref clean up should execute rather than a remote device's issued PRLI. Fixes: db651ec22524 ("scsi: lpfc: Correct used_rpi count when devloss tmo fires with no recovery") Signed-off-by: Justin Tee Link: https://lore.kernel.org/r/20230523183206.7728-5-justintee8345@gmail.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 5cf374018fc5635c197e95fac00f9f50deeb91c6 Author: Sui Jingfeng Date: Wed May 31 18:27:44 2023 +0800 PCI: Add pci_clear_master() stub for non-CONFIG_PCI [ Upstream commit 2aa5ac633259843f656eb6ecff4cf01e8e810c5e ] Add a pci_clear_master() stub when CONFIG_PCI is not set so drivers that support both PCI and platform devices don't need #ifdefs or extra Kconfig symbols for the PCI parts. [bhelgaas: commit log] Fixes: 6a479079c072 ("PCI: Add pci_clear_master() as opposite of pci_set_master()") Link: https://lore.kernel.org/r/20230531102744.2354313-1-suijingfeng@loongson.cn Signed-off-by: Sui Jingfeng Signed-off-by: Bjorn Helgaas Reviewed-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 0e5279a5c336a47b48edf3d71e08e816125c2e1f Author: Bart Van Assche Date: Mon May 29 13:26:39 2023 -0700 scsi: ufs: Declare ufshcd_{hold,release}() once [ Upstream commit 4b68b7f9c46d90c541d39c8b397a86ac0ca4c765 ] ufshcd_hold() and ufshcd_release are declared twice: once in drivers/ufs/core/ufshcd-priv.h and a second time in include/ufs/ufshcd.h. Remove the declarations from ufshcd-priv.h. Fixes: dd11376b9f1b ("scsi: ufs: Split the drivers/scsi/ufs directory") Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20230529202640.11883-5-bvanassche@acm.org Reviewed-by: Adrian Hunter Reviewed-by: Keoseong Park Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 8b782acacd7275c5f85ffcb54c42d76e83d40070 Author: Wells Lu Date: Sun May 28 20:34:37 2023 +0800 pinctrl: sunplus: Add check for kmalloc [ Upstream commit a5961bed5429cf1134d7f539b4ed60317012f84d ] Fix Smatch static checker warning: potential null dereference 'configs'. (kmalloc returns null) Fixes: aa74c44be19c ("pinctrl: Add driver for Sunplus SP7021") Signed-off-by: Wells Lu Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/1685277277-12209-1-git-send-email-wellslutw@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 989923ece7977b170fdaae3cac278c964f30d2ef Author: Junyan Ye Date: Mon May 8 12:36:41 2023 +0800 PCI: ftpci100: Release the clock resources [ Upstream commit c60738de85f40b0b9f5cb23c21f9246e5a47908c ] Smatch reported: 1. drivers/pci/controller/pci-ftpci100.c:526 faraday_pci_probe() warn: 'clk' from clk_prepare_enable() not released on lines: 442,451,462,478,512,517. 2. drivers/pci/controller/pci-ftpci100.c:526 faraday_pci_probe() warn: 'p->bus_clk' from clk_prepare_enable() not released on lines: 451,462,478,512,517. The clock resource is obtained by devm_clk_get(), and then clk_prepare_enable() makes the clock resource ready for use. After that, clk_disable_unprepare() should be called to release the clock resource when it is no longer needed. However, while doing some error handling in faraday_pci_probe(), clk_disable_unprepare() is not called to release clk and p->bus_clk before returning. These return lines are exactly 442, 451, 462, 478, 512, 517. Fix this warning by replacing devm_clk_get() with devm_clk_get_enabled(), which is equivalent to devm_clk_get() + clk_prepare_enable(). And with devm_clk_get_enabled(), the clock will automatically be disabled, unprepared and freed when the device is unbound from the bus. Link: https://lore.kernel.org/r/20230508043641.23807-1-yejunyan@hust.edu.cn Fixes: b3c433efb8a3 ("PCI: faraday: Fix wrong pointer passed to PTR_ERR()") Fixes: 2eeb02b28579 ("PCI: faraday: Add clock handling") Fixes: 783a862563f7 ("PCI: faraday: Use pci_parse_request_of_pci_ranges()") Fixes: d3c68e0a7e34 ("PCI: faraday: Add Faraday Technology FTPCI100 PCI Host Bridge driver") Fixes: f1e8bd21e39e ("PCI: faraday: Convert IRQ masking to raw PCI config accessors") Signed-off-by: Junyan Ye Signed-off-by: Lorenzo Pieralisi Reviewed-by: Dongliang Mu Reviewed-by: Linus Walleij Signed-off-by: Sasha Levin commit f91d865682de76179c47d05ae58081d6fe031b7a Author: Ian Rogers Date: Fri May 26 12:44:42 2023 -0700 perf evsel: Don't let for_each_group() treat the head of the list as one of its nodes [ Upstream commit 797b9ec8c4bc9ec89f633a9b2c710b7b64753ca4 ] Address/memory sanitizer was reporting issues in evsel__group_pmu_name because the for_each_group_evsel loop didn't terminate when the head was reached, the head would then be cast and accessed as an evsel leading to invalid memory accesses. Fix for_each_group_member and for_each_group_evsel to terminate at the list head. Note, evsel__group_pmu_name no longer iterates the group, but the problem is present regardless. Fixes: 717e263fc354d53d ("perf report: Show group description when event group is enabled") Signed-off-by: Ian Rogers Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Changbin Du Cc: Dmitrii Dolgov <9erthalion6@gmail.com> Cc: Ingo Molnar Cc: James Clark Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Rob Herring Cc: Sandipan Das Cc: Xing Zhengjun Link: https://lore.kernel.org/r/20230526194442.2355872-3-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit d9316899666fe96a8784ea635840a0ae02a81e4e Author: Rongguang Wei Date: Fri May 12 10:15:18 2023 +0800 PCI: pciehp: Cancel bringup sequence if card is not present [ Upstream commit e8afd0d9fccc27c8ad263db5cf5952cfcf72d6fe ] If a PCIe hotplug slot has an Attention Button, the normal hot-add flow is: - Slot is empty and slot power is off - User inserts card in slot and presses Attention Button - OS blinks Power Indicator for 5 seconds - After 5 seconds, OS turns on Power Indicator, turns on slot power, and enumerates the device Previously, if a user pressed the Attention Button on an *empty* slot, pciehp logged the following messages and blinked the Power Indicator until a second button press: [0.000] pciehp: Button press: will power on in 5 sec [0.001] # Power Indicator starts blinking [5.001] # 5 second timeout; slot is empty, so we should cancel the request to power on and turn off Power Indicator [7.000] # Power Indicator still blinking [8.000] # possible card insertion [9.000] pciehp: Button press: canceling request to power on The first button press incorrectly left the slot in BLINKINGON_STATE, so the second was interpreted as a "cancel power on" event regardless of whether a card was present. If the slot is empty, turn off the Power Indicator and return from BLINKINGON_STATE to OFF_STATE after 5 seconds, effectively canceling the request to power on. Putting the slot in OFF_STATE also means the second button press will correctly request a slot power on if the slot is occupied. [bhelgaas: commit log] Link: https://lore.kernel.org/r/20230512021518.336460-1-clementwei90@163.com Fixes: d331710ea78f ("PCI: pciehp: Become resilient to missed events") Suggested-by: Lukas Wunner Signed-off-by: Rongguang Wei Signed-off-by: Bjorn Helgaas Reviewed-by: Lukas Wunner Signed-off-by: Sasha Levin commit 496f79fe9d21d2eac4f33e392fbc58c83ceb8dd2 Author: Dan Carpenter Date: Mon May 22 10:44:54 2023 +0300 pinctrl: at91: fix a couple NULL vs IS_ERR() checks [ Upstream commit 35216718c9ac2aef934ea9cd229572d4996807b2 ] The devm_kasprintf_strarray() function doesn't return NULL on error, it returns error pointers. Update the checks accordingly. Fixes: f494c1913cbb ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks (part 2)") Signed-off-by: Dan Carpenter Reviewed-by: Claudiu Beznea Reviewed-by: Andy Shevchenko Acked-by: Ryan Wanner Link: https://lore.kernel.org/r/5697980e-f687-47a7-9db8-2af34ae464bd@kili.mountain Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 5ac55531d43a948185cac22ae80f59e79cd76b1d Author: Yuchen Yang Date: Fri May 5 22:12:55 2023 +0800 scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe() [ Upstream commit 2e2fe5ac695a00ab03cab4db1f4d6be07168ed9d ] Smatch complains that: tw_probe() warn: missing error code 'retval' This patch adds error checking to tw_probe() to handle initialization failure. If tw_reset_sequence() function returns a non-zero value, the function will return -EINVAL to indicate initialization failure. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yuchen Yang Link: https://lore.kernel.org/r/20230505141259.7730-1-u202114568@hust.edu.cn Reviewed-by: Dan Carpenter Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 4203722d51afe3d239e03f15cc73efdf023a7103 Author: Ding Hui Date: Sun May 7 11:40:57 2023 +0800 PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free [ Upstream commit 456d8aa37d0f56fc9e985e812496e861dcd6f2f2 ] Struct pcie_link_state->downstream is a pointer to the pci_dev of function 0. Previously we retained that pointer when removing function 0, and subsequent ASPM policy changes dereferenced it, resulting in a use-after-free warning from KASAN, e.g.: # echo 1 > /sys/bus/pci/devices/0000:03:00.0/remove # echo powersave > /sys/module/pcie_aspm/parameters/policy BUG: KASAN: slab-use-after-free in pcie_config_aspm_link+0x42d/0x500 Call Trace: kasan_report+0xae/0xe0 pcie_config_aspm_link+0x42d/0x500 pcie_aspm_set_policy+0x8e/0x1a0 param_attr_store+0x162/0x2c0 module_attr_store+0x3e/0x80 PCIe spec r6.0, sec 7.5.3.7, recommends that software program the same ASPM Control value in all functions of multi-function devices. Disable ASPM and free the pcie_link_state when any child function is removed so we can discard the dangling pcie_link_state->downstream pointer and maintain the same ASPM Control configuration for all functions. [bhelgaas: commit log and comment] Debugged-by: Zongquan Qin Suggested-by: Bjorn Helgaas Fixes: b5a0a9b59c81 ("PCI/ASPM: Read and set up L1 substate capabilities") Link: https://lore.kernel.org/r/20230507034057.20970-1-dinghui@sangfor.com.cn Signed-off-by: Ding Hui Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit f7d9d37d3602d21df1387ce487682128fe385b68 Author: Hans de Goede Date: Sun Apr 30 18:57:52 2023 +0200 platform/x86: lenovo-yogabook: Set default keyboard backligh brightness on probe() [ Upstream commit 9e6380d6573181c555ca1b5019b08d19a9ee581c ] Set default keyboard backlight brightness on probe(), this fixes the backlight being off after a rmmod + modprobe. Fixes: c0549b72d99d ("platform/x86: lenovo-yogabook-wmi: Add driver for Lenovo Yoga Book") Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20230430165807.472798-5-hdegoede@redhat.com Signed-off-by: Sasha Levin commit 33858ecc7a069d10544397cfc7e9f2889db8e4a0 Author: Hans de Goede Date: Sun Apr 30 18:57:51 2023 +0200 platform/x86: lenovo-yogabook: Reprobe devices on remove() [ Upstream commit 711bcc0cb34e96a60e88d7b0260862781de3e530 ] Ensure that both the keyboard touchscreen and the digitizer have their driver bound after remove(). Without this modprobing lenovo-yogabook-wmi after a rmmod fails because lenovo-yogabook-wmi defers probing until both devices have their driver bound. Fixes: c0549b72d99d ("platform/x86: lenovo-yogabook-wmi: Add driver for Lenovo Yoga Book") Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20230430165807.472798-4-hdegoede@redhat.com Signed-off-by: Sasha Levin commit 452a43b94920942324ba507455b61ac880bf257c Author: Hans de Goede Date: Sun Apr 30 18:57:50 2023 +0200 platform/x86: lenovo-yogabook: Fix work race on remove() [ Upstream commit 9148cd2eb4450a8e9c49c8a14201fb82f651128f ] When yogabook_wmi_remove() runs yogabook_wmi_work might still be running and using the devices which yogabook_wmi_remove() puts. To avoid this move to explicitly cancelling the work rather then using devm_work_autocancel(). This requires also making the yogabook_backside_hall_irq handler non devm managed, so that it cannot re-queue the work while yogabook_wmi_remove() runs. Fixes: c0549b72d99d ("platform/x86: lenovo-yogabook-wmi: Add driver for Lenovo Yoga Book") Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20230430165807.472798-3-hdegoede@redhat.com Signed-off-by: Sasha Levin commit bdd1eaddd2ebc4d72c666ab9d290a8eed5325150 Author: Christophe JAILLET Date: Sun Apr 16 23:43:41 2023 +0200 pinctrl: bcm2835: Handle gpiochip_add_pin_range() errors [ Upstream commit cdf7e616120065007687fe1df0412154f259daec ] gpiochip_add_pin_range() can fail, so better return its error code than a hard coded '0'. Fixes: d2b67744fd99 ("pinctrl: bcm2835: implement hook for missing gpio-ranges") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/98c3b5890bb72415145c9fe4e1d974711edae376.1681681402.git.christophe.jaillet@wanadoo.fr Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 271c9b2eb60149afbeab28cb39e52f73bde9900c Author: Jinhong Zhu Date: Tue May 2 22:00:21 2023 +0800 scsi: qedf: Fix NULL dereference in error handling [ Upstream commit f025312b089474a54e4859f3453771314d9e3d4f ] Smatch reported: drivers/scsi/qedf/qedf_main.c:3056 qedf_alloc_global_queues() warn: missing unwind goto? At this point in the function, nothing has been allocated so we can return directly. In particular the "qedf->global_queues" have not been allocated so calling qedf_free_global_queues() will lead to a NULL dereference when we check if (!gl[i]) and "gl" is NULL. Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") Signed-off-by: Jinhong Zhu Link: https://lore.kernel.org/r/20230502140022.2852-1-jinhongzhu@hust.edu.cn Reviewed-by: Dan Carpenter Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 1c1e48042e327cbe9ca83a06aec42a7367bb92c4 Author: Nirmal Patel Date: Fri Feb 24 13:28:11 2023 -0700 PCI: vmd: Reset VMD config register between soft reboots [ Upstream commit b61cf04c49c3dfa70a0d6725d3eb40bf9b35cf71 ] VMD driver can disable or enable MSI remapping by changing VMCONFIG_MSI_REMAP register. This register needs to be set to the default value during soft reboots. Drives failed to enumerate when Windows boots after performing a soft reboot from Linux. Windows doesn't support MSI remapping disable feature and stale register value hinders Windows VMD driver initialization process. Adding vmd_shutdown function to make sure to set the VMCONFIG register to the default value. Link: https://lore.kernel.org/r/20230224202811.644370-1-nirmal.patel@linux.intel.com Fixes: ee81ee84f873 ("PCI: vmd: Disable MSI-X remapping when possible") Signed-off-by: Nirmal Patel Signed-off-by: Lorenzo Pieralisi Reviewed-by: Jon Derrick Signed-off-by: Sasha Levin commit a98eab570d05bd1b80a131784b28232ece2d8a38 Author: Siddharth Vadapalli Date: Wed Mar 15 12:38:00 2023 +0530 PCI: cadence: Fix Gen2 Link Retraining process [ Upstream commit 0e12f830236928b6fadf40d917a7527f0a048d2f ] The Link Retraining process is initiated to account for the Gen2 defect in the Cadence PCIe controller in J721E SoC. The errata corresponding to this is i2085, documented at: https://www.ti.com/lit/er/sprz455c/sprz455c.pdf The existing workaround implemented for the errata waits for the Data Link initialization to complete and assumes that the link retraining process at the Physical Layer has completed. However, it is possible that the Physical Layer training might be ongoing as indicated by the PCI_EXP_LNKSTA_LT bit in the PCI_EXP_LNKSTA register. Fix the existing workaround, to ensure that the Physical Layer training has also completed, in addition to the Data Link initialization. Link: https://lore.kernel.org/r/20230315070800.1615527-1-s-vadapalli@ti.com Fixes: 4740b969aaf5 ("PCI: cadence: Retrain Link to work around Gen2 training defect") Signed-off-by: Siddharth Vadapalli Signed-off-by: Lorenzo Pieralisi Reviewed-by: Vignesh Raghavendra Signed-off-by: Sasha Levin commit dbe65261fe1367dc307a89466a1a75c0d80b8233 Author: Jason Gunthorpe Date: Tue Jun 20 11:11:24 2023 -0300 iommufd: Call iopt_area_contig_done() under the lock [ Upstream commit dbe245cdf5189e88d680379ed13901356628b650 ] The iter internally holds a pointer to the area and iopt_area_contig_done() will dereference it. The pointer is not valid outside the iova_rwsem. syzkaller reports: BUG: KASAN: slab-use-after-free in iommufd_access_unpin_pages+0x363/0x370 Read of size 8 at addr ffff888022286e20 by task syz-executor669/5771 CPU: 0 PID: 5771 Comm: syz-executor669 Not tainted 6.4.0-rc5-syzkaller-00313-g4c605260bc60 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 Call Trace: dump_stack_lvl+0xd9/0x150 print_address_description.constprop.0+0x2c/0x3c0 kasan_report+0x11c/0x130 iommufd_access_unpin_pages+0x363/0x370 iommufd_test_access_unmap+0x24b/0x390 iommufd_access_notify_unmap+0x24c/0x3a0 iopt_unmap_iova_range+0x4c4/0x5f0 iopt_unmap_all+0x27/0x50 iommufd_ioas_unmap+0x3d0/0x490 iommufd_fops_ioctl+0x317/0x4b0 __x64_sys_ioctl+0x197/0x210 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fec1dae3b19 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fec1da74308 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fec1db6b438 RCX: 00007fec1dae3b19 RDX: 0000000020000100 RSI: 0000000000003b86 RDI: 0000000000000003 RBP: 00007fec1db6b430 R08: 00007fec1da74700 R09: 0000000000000000 R10: 00007fec1da74700 R11: 0000000000000246 R12: 00007fec1db6b43c R13: 00007fec1db39074 R14: 6d6f692f7665642f R15: 0000000000022000 Allocated by task 5770: kasan_save_stack+0x22/0x40 kasan_set_track+0x25/0x30 __kasan_kmalloc+0xa2/0xb0 iopt_alloc_area_pages+0x94/0x560 iopt_map_user_pages+0x205/0x4e0 iommufd_ioas_map+0x329/0x5f0 iommufd_fops_ioctl+0x317/0x4b0 __x64_sys_ioctl+0x197/0x210 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 5770: kasan_save_stack+0x22/0x40 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2e/0x40 ____kasan_slab_free+0x160/0x1c0 slab_free_freelist_hook+0x8b/0x1c0 __kmem_cache_free+0xaf/0x2d0 iopt_unmap_iova_range+0x288/0x5f0 iopt_unmap_all+0x27/0x50 iommufd_ioas_unmap+0x3d0/0x490 iommufd_fops_ioctl+0x317/0x4b0 __x64_sys_ioctl+0x197/0x210 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd The parallel unmap free'd iter->area the instant the lock was released. Fixes: 51fe6141f0f6 ("iommufd: Data structure to provide IOVA to PFN mapping") Link: https://lore.kernel.org/r/2-v2-9a03761d445d+54-iommufd_syz2_jgg@nvidia.com Reviewed-by: Kevin Tian Reported-by: syzbot+6c8d756f238a75fc3eb8@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/000000000000905eba05fe38e9f2@google.com Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 19d93648142a4cfe5bf36278f3beee582605cd01 Author: Jason Gunthorpe Date: Tue Jun 20 11:11:23 2023 -0300 iommufd: Do not access the area pointer after unlocking [ Upstream commit 804ca14d04df09bf7924bacc5ad22a4bed80c94f ] A concurrent unmap can trigger freeing of the area pointers while we are generating an unmapping notification for accesses. syzkaller reports: BUG: KASAN: slab-use-after-free in iopt_unmap_iova_range+0x5ba/0x5f0 Read of size 4 at addr ffff888075996184 by task syz-executor.2/31160 CPU: 1 PID: 31160 Comm: syz-executor.2 Not tainted 6.4.0-rc5-syzkaller-00313-g4c605260bc60 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 Call Trace: dump_stack_lvl+0xd9/0x150 print_address_description.constprop.0+0x2c/0x3c0 kasan_report+0x11c/0x130 iopt_unmap_iova_range+0x5ba/0x5f0 iopt_unmap_all+0x27/0x50 iommufd_ioas_unmap+0x3d0/0x490 iommufd_fops_ioctl+0x317/0x4b0 __x64_sys_ioctl+0x197/0x210 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f0812c8c169 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f0813914168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f0812dabf80 RCX: 00007f0812c8c169 RDX: 0000000020000100 RSI: 0000000000003b86 RDI: 0000000000000005 RBP: 00007f0812ce7ca1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f0812ecfb1f R14: 00007f0813914300 R15: 0000000000022000 Allocated by task 31160: kasan_save_stack+0x22/0x40 kasan_set_track+0x25/0x30 __kasan_kmalloc+0xa2/0xb0 iopt_alloc_area_pages+0x94/0x560 iopt_map_user_pages+0x205/0x4e0 iommufd_ioas_map+0x329/0x5f0 iommufd_fops_ioctl+0x317/0x4b0 __x64_sys_ioctl+0x197/0x210 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 31161: kasan_save_stack+0x22/0x40 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2e/0x40 ____kasan_slab_free+0x160/0x1c0 slab_free_freelist_hook+0x8b/0x1c0 __kmem_cache_free+0xaf/0x2d0 iopt_unmap_iova_range+0x288/0x5f0 iopt_unmap_all+0x27/0x50 iommufd_ioas_unmap+0x3d0/0x490 iommufd_fops_ioctl+0x317/0x4b0 __x64_sys_ioctl+0x197/0x210 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd The buggy address belongs to the object at ffff888075996100 which belongs to the cache kmalloc-cg-192 of size 192 The buggy address is located 132 bytes inside of freed 192-byte region [ffff888075996100, ffff8880759961c0) The buggy address belongs to the physical page: page:ffffea0001d66580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x75996 memcg:ffff88801f1c2701 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000200 ffff88801244ddc0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080100010 00000001ffffffff ffff88801f1c2701 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 31157, tgid 31154 (syz-executor.0), ts 1984547323469, free_ts 1983933451331 post_alloc_hook+0x2db/0x350 get_page_from_freelist+0xf41/0x2c00 __alloc_pages+0x1cb/0x4a0 alloc_pages+0x1aa/0x270 allocate_slab+0x25f/0x390 ___slab_alloc+0xa91/0x1400 __slab_alloc.constprop.0+0x56/0xa0 __kmem_cache_alloc_node+0x136/0x320 kmalloc_trace+0x26/0xe0 iommufd_test+0x1328/0x2c20 iommufd_fops_ioctl+0x317/0x4b0 __x64_sys_ioctl+0x197/0x210 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd page last free stack trace: free_unref_page_prepare+0x62e/0xcb0 free_unref_page_list+0xe3/0xa70 release_pages+0xcd8/0x1380 tlb_batch_pages_flush+0xa8/0x1a0 tlb_finish_mmu+0x14b/0x7e0 exit_mmap+0x2b2/0x930 __mmput+0x128/0x4c0 mmput+0x60/0x70 do_exit+0x9b0/0x29b0 do_group_exit+0xd4/0x2a0 get_signal+0x2318/0x25b0 arch_do_signal_or_restart+0x79/0x5c0 exit_to_user_mode_prepare+0x11f/0x240 syscall_exit_to_user_mode+0x1d/0x50 do_syscall_64+0x46/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Precompute what is needed to call the access function and do not check the area's num_accesses again as the pointer may not be valid anymore. Use a counter instead. Fixes: 51fe6141f0f6 ("iommufd: Data structure to provide IOVA to PFN mapping") Link: https://lore.kernel.org/r/1-v2-9a03761d445d+54-iommufd_syz2_jgg@nvidia.com Reviewed-by: Kevin Tian Reported-by: syzbot+1ad12d16afca0e7d2dde@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/0000000000001d40fc05fe385332@google.com Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 3373bf97d1e35b698c3969972783e54bede3e751 Author: Syed Saba Kareem Date: Thu Jun 22 20:53:38 2023 +0530 ASoC: amd: acp: clear pdm dma interrupt mask [ Upstream commit ad60672394bd1f95c58d3d9336902f47e05126fc ] Clear pdm dma interrupt mask in acp_dmic_shutdown(). 'Fixes: c32bd332ce5c9 ("ASoC: amd: acp: Add generic support for PDM controller on ACP")' Signed-off-by: Syed Saba Kareem Link: https://lore.kernel.org/r/Message-Id: <20230622152406.3709231-1-Syed.SabaKareem@amd.com> Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1464588b5abaa4e6c18898616ab824f1cd000765 Author: Michael Walle Date: Fri Jun 16 15:18:40 2023 +0200 ARM: dts: lan966x: kontron-d10: fix SPI CS [ Upstream commit fcb79ee3f0b15ed15f35eca5f24e952fdced9c61 ] The pinctrl node was missing which change the pin mux to GPIO mode. Add it so we don't have to rely on the bootloader to set the correct mode. Fixes: 79d83b3a458e ("ARM: dts: lan966x: add basic Kontron KSwitch D10 support") Signed-off-by: Michael Walle Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20230616-feature-d10-dt-cleanups-v1-2-50dd0452b8fe@kernel.org Signed-off-by: Sasha Levin commit 723dec22a335583609f61982dec69eb88501d767 Author: Michael Walle Date: Fri Jun 16 15:18:39 2023 +0200 ARM: dts: lan966x: kontron-d10: fix board reset [ Upstream commit bfcd5714f6424c03e385e0e9296dcd69855cfea7 ] The pinctrl node was missing which change the pin mux to GPIO mode. Add it. Fixes: 79d83b3a458e ("ARM: dts: lan966x: add basic Kontron KSwitch D10 support") Signed-off-by: Michael Walle [claudiu.beznea: moved pinctrl-* bindings after compatible] Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20230616-feature-d10-dt-cleanups-v1-1-50dd0452b8fe@kernel.org Signed-off-by: Sasha Levin commit efbbda79b2881a04dcd0e8f28634933d79e17e49 Author: Fei Shao Date: Mon Jun 19 11:22:53 2023 +0800 clk: Fix memory leak in devm_clk_notifier_register() [ Upstream commit 7fb933e56f77a57ef7cfc59fc34cbbf1b1fa31ff ] devm_clk_notifier_register() allocates a devres resource for clk notifier but didn't register that to the device, so the notifier didn't get unregistered on device detach and the allocated resource was leaked. Fix the issue by registering the resource through devres_add(). This issue was found with kmemleak on a Chromebook. Fixes: 6d30d50d037d ("clk: add devm variant of clk_notifier_register") Signed-off-by: Fei Shao Link: https://lore.kernel.org/r/20230619112253.v2.1.I13f060c10549ef181603e921291bdea95f83033c@changeid Reviewed-by: Dan Carpenter Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 1a0078fd910c05b81be6978a42973667b5ce84f2 Author: Claudiu Beznea Date: Wed Jun 14 15:15:09 2023 +0300 ASoC: imx-audmix: check return value of devm_kasprintf() [ Upstream commit 2f76e1d6ca524a888d29aafe29f2ad2003857971 ] devm_kasprintf() returns a pointer to dynamically allocated memory. Pointer could be NULL in case allocation fails. Check pointer validity. Identified with coccinelle (kmerr.cocci script). Fixes: b86ef5367761 ("ASoC: fsl: Add Audio Mixer machine driver") Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20230614121509.443926-1-claudiu.beznea@microchip.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1ecdc55e5cd9f70f8d7513802971d4cffb9f77af Author: Amir Goldstein Date: Mon Apr 3 11:29:59 2023 +0300 ovl: update of dentry revalidate flags after copy up [ Upstream commit b07d5cc93e1b28df47a72c519d09d0a836043613 ] After copy up, we may need to update d_flags if upper dentry is on a remote fs and lower dentries are not. Add helpers to allow incremental update of the revalidate flags. Fixes: bccece1ead36 ("ovl: allow remote upper") Reviewed-by: Gao Xiang Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi Signed-off-by: Sasha Levin commit 9e566a6b1f4230fbf7c22af5a5b332fd0cc858cb Author: Alexey Romanov Date: Sat Jun 10 12:04:14 2023 +0300 drivers: meson: secure-pwrc: always enable DMA domain [ Upstream commit 0bb4644d583789c97e74d3e3047189f0c59c4742 ] Starting from commit e45f243409db ("firmware: meson_sm: populate platform devices from sm device tree data") pwrc is probed successfully and disables unused pwr domains. By A1 SoC family design, any TEE requires DMA pwr domain always enabled. Fixes: b3dde5013e13 ("soc: amlogic: Add support for Secure power domains controller") Signed-off-by: Alexey Romanov Acked-by: Neil Armstrong Link: https://lore.kernel.org/r/20230610090414.90529-1-avromanov@sberdevices.ru [narmstrong: added fixes tag] Signed-off-by: Neil Armstrong Signed-off-by: Sasha Levin commit f8f1d6cee518d67b50fbcd6616f4eafb5a6f85c2 Author: Claudiu Beznea Date: Tue May 30 12:39:13 2023 +0300 clk: clocking-wizard: check return value of devm_kasprintf() [ Upstream commit b1356ed1a4461de06dfdc02bf549c3e8750162e5 ] devm_kasprintf() returns a pointer to dynamically allocated memory. Pointer could be NULL in case allocation fails. Check pointer validity. Identified with coccinelle (kmerr.cocci script). Fixes: 2046338dcbc6 ("ARM: mxs: Use soc bus infrastructure") Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20230530093913.1656095-9-claudiu.beznea@microchip.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 99c926e63488ee54c477268e2ba9b34fa160f18e Author: Claudiu Beznea Date: Tue May 30 12:39:12 2023 +0300 clk: ti: clkctrl: check return value of kasprintf() [ Upstream commit bd46cd0b802d9c9576ca78007aa084ae3e74907b ] kasprintf() returns a pointer to dynamically allocated memory. Pointer could be NULL in case allocation fails. Check pointer validity. Identified with coccinelle (kmerr.cocci script). Fixes: 852049594b9a ("clk: ti: clkctrl: convert subclocks to use proper names also") Fixes: 6c3090520554 ("clk: ti: clkctrl: Fix hidden dependency to node name") Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20230530093913.1656095-8-claudiu.beznea@microchip.com Reviewed-by: Tony Lindgren Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 9fd4fc509051f9334cdff7b94eebcff9e3295a72 Author: Claudiu Beznea Date: Tue May 30 12:39:11 2023 +0300 clk: keystone: sci-clk: check return value of kasprintf() [ Upstream commit b73ed981da6d25c921aaefa7ca3df85bbd85b7fc ] kasprintf() returns a pointer to dynamically allocated memory. Pointer could be NULL in case allocation fails. Check pointer validity. Identified with coccinelle (kmerr.cocci script). Fixes: b745c0794e2f ("clk: keystone: Add sci-clk driver support") Depends-on: 96488c09b0f4 ("clk: keystone: sci-clk: cut down the clock name length") Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20230530093913.1656095-7-claudiu.beznea@microchip.com Reviewed-by: Tony Lindgren Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 65bb582bda3348de2f073ac029a7a38cf1a7fe65 Author: Claudiu Beznea Date: Tue May 30 12:39:10 2023 +0300 clk: si5341: free unused memory on probe failure [ Upstream commit 267ad94b13c53d8c99a336f0841b1fa1595b1d0f ] Pointers from synth_clock_names[] should be freed at the end of probe either on probe success or failure path. Fixes: b7bbf6ec4940 ("clk: si5341: Allow different output VDD_SEL values") Fixes: 9b13ff4340df ("clk: si5341: Add sysfs properties to allow checking/resetting device faults") Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20230530093913.1656095-6-claudiu.beznea@microchip.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit b5bea998a2b0de18a53ff65225eb92909c0d5545 Author: Claudiu Beznea Date: Tue May 30 12:39:09 2023 +0300 clk: si5341: check return value of {devm_}kasprintf() [ Upstream commit 36e4ef82016a2b785cf2317eade77e76699b7bff ] {devm_}kasprintf() returns a pointer to dynamically allocated memory. Pointer could be NULL in case allocation fails. Check pointer validity. Identified with coccinelle (kmerr.cocci script). Fixes: 3044a860fd09 ("clk: Add Si5341/Si5340 driver") Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20230530093913.1656095-5-claudiu.beznea@microchip.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit a9d29dc9ba70c5982eab250f9d5c11ea2cefb69f Author: Claudiu Beznea Date: Tue May 30 12:39:08 2023 +0300 clk: si5341: return error if one synth clock registration fails [ Upstream commit 2560114c06d7a752b3f4639f28cece58fed11267 ] In case devm_clk_hw_register() fails for one of synth clocks the probe continues. Later on, when registering output clocks which have as parents all the synth clocks, in case there is registration failure for at least one synth clock the information passed to clk core for registering output clock is not right: init.num_parents is fixed but init.parents may contain an array with less parents. Fixes: 3044a860fd09 ("clk: Add Si5341/Si5340 driver") Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20230530093913.1656095-4-claudiu.beznea@microchip.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit cc01bae3d41b182d5714ccfc8298c40986fddd71 Author: Claudiu Beznea Date: Tue May 30 12:39:07 2023 +0300 clk: cdce925: check return value of kasprintf() [ Upstream commit bb7d09ddbf361d51eae46f38e7c8a2b85914ea2a ] kasprintf() returns a pointer to dynamically allocated memory. Pointer could be NULL in case allocation fails. Check pointer validity. Identified with coccinelle (kmerr.cocci script). Fixes: 19fbbbbcd3a3 ("Add TI CDCE925 I2C controlled clock synthesizer driver") Depends-on: e665f029a283 ("clk: Convert to using %pOFn instead of device_node.name") Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20230530093913.1656095-3-claudiu.beznea@microchip.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 7f01290efc69db329c6799de801e21f75d28ca65 Author: Claudiu Beznea Date: Tue May 30 12:39:06 2023 +0300 clk: vc5: check memory returned by kasprintf() [ Upstream commit 144601f6228de5598f03e693822b60a95c367a17 ] kasprintf() returns a pointer to dynamically allocated memory. Pointer could be NULL in case allocation fails. Check pointer validity. Identified with coccinelle (kmerr.cocci script). Fixes: f491276a5168 ("clk: vc5: Allow Versaclock driver to support multiple instances") Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20230530093913.1656095-2-claudiu.beznea@microchip.com Reviewed-by: Luca Ceresoli Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 5c4a865c39b9082c9e2aba468c085e9b7dd99fb1 Author: AngeloGioacchino Del Regno Date: Thu Jun 15 14:20:51 2023 +0200 clk: mediatek: clk-mt8173-apmixedsys: Fix iomap not released issue [ Upstream commit b270ae61730e0ebccee39a21dd3311d6896a38ae ] In case of error after of_ioremap() the resource must be released: call iounmap() where appropriate to fix that. Fixes: 41138fbf876c ("clk: mediatek: mt8173: Migrate to platform driver and common probe") Signed-off-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20230615122051.546985-4-angelogioacchino.delregno@collabora.com Reviewed-by: Chen-Yu Tsai Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 8c07547b50bc910eb95a7f6311ace33141cba977 Author: AngeloGioacchino Del Regno Date: Thu Jun 15 14:20:50 2023 +0200 clk: mediatek: clk-mt8173-apmixedsys: Fix return value for of_iomap() error [ Upstream commit 3dc265b369ee61db999d6d1588e888eb21dc421e ] The of_iomap() function returns NULL in case of error so usage of PTR_ERR() is wrong! Change that to return -ENOMEM in case of failure. Fixes: 41138fbf876c ("clk: mediatek: mt8173: Migrate to platform driver and common probe") Signed-off-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20230615122051.546985-3-angelogioacchino.delregno@collabora.com Reviewed-by: Chen-Yu Tsai Reviewed-by: Markus Schneider-Pargmann Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 42cefcc44acfd6c1113e5e7222bac7ed1fd260cc Author: AngeloGioacchino Del Regno Date: Thu Jun 15 14:20:49 2023 +0200 clk: mediatek: clk-mtk: Grab iomem pointer for divider clocks [ Upstream commit 51821765e89906090753421580a61d25a4668186 ] In the rare case in which one of the clock drivers has divider clocks but not composite clocks, mtk_clk_simple_probe() would not io(re)map, hence passing a NULL pointer to mtk_clk_register_dividers(). To fix this issue, extend the `if` conditional to also check if any divider clocks are present. While at it, also make sure the iomem pointer is NULL if no composite/divider clocks are declared, as we are checking for that when iounmapping it in the error path. This hasn't been seen on any MediaTek clock driver as the current ones always declare composite clocks along with divider clocks, but this is still an important fix for a future potential KP. Fixes: 1fe074b1f112 ("clk: mediatek: Add divider clocks to mtk_clk_simple_{probe,remove}()") Signed-off-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20230615122051.546985-2-angelogioacchino.delregno@collabora.com Reviewed-by: Chen-Yu Tsai Reviewed-by: Markus Schneider-Pargmann Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 7174300e12eaa3d17660736e72d056510fc8e20b Author: Dmitry Baryshkov Date: Tue Jun 13 03:09:41 2023 +0300 drm/msm/dpu: correct MERGE_3D length [ Upstream commit 9a6c13b847d61b0c3796820ca6e976789df59cd8 ] Each MERGE_3D block has just two registers. Correct the block length accordingly. Fixes: 4369c93cf36b ("drm/msm/dpu: initial support for merge3D hardware block") Signed-off-by: Dmitry Baryshkov Reviewed-by: Abhinav Kumar Patchwork: https://patchwork.freedesktop.org/patch/542177/ Reviewed-by: Marijn Suijten Link: https://lore.kernel.org/r/20230613001004.3426676-3-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit 4a76910c702b4974ba7feebb8f487b6c775f6bcc Author: Dmitry Baryshkov Date: Tue Jun 13 03:09:40 2023 +0300 drm/msm/dpu: fix sc7280 and sc7180 PINGPONG done interrupts [ Upstream commit 0b78be614c503ec03636f82cea52ad735c5085e7 ] During IRQ conversion we have lost the PP_DONE interrupts for sc7280 platform. This was left unnoticed, because this interrupt is only used for CMD outputs and probably no sc7[12]80 systems use DSI CMD panels. Fixes: 667e9985ee24 ("drm/msm/dpu: replace IRQ lookup with the data in hw catalog") Signed-off-by: Dmitry Baryshkov Reviewed-by: Abhinav Kumar Reviewed-by: Marijn Suijten Patchwork: https://patchwork.freedesktop.org/patch/542175/ Link: https://lore.kernel.org/r/20230613001004.3426676-2-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit f955651c94485393981d94f997e76596c890e11f Author: Marijn Suijten Date: Thu Apr 27 00:37:28 2023 +0200 drm/msm/dpu: Disable pingpong TE on DPU 5.0.0 and above [ Upstream commit fe9d66cf6e8d2f6651e55ae57026464a080c2f2a ] Since hardware revision 5.0.0 the TE configuration moved out of the PINGPONG block into the INTF block. Writing these registers has no effect, and is omitted downstream via the DPU/SDE_PINGPONG_TE feature flag. This flag is only added to PINGPONG blocks used by hardware prior to 5.0.0. The existing PP_BLK_TE macro has been removed in favour of directly passing this feature flag, which has thus far been the only difference with PP_BLK. PP_BLK_DITHER has been left in place as its embedded feature flag already excludes this DPU_PINGPONG_TE bit and differs by setting the block length to zero, as it only contains a DITHER subblock. The code that writes to these registers in the INTF block will follow in subsequent patches. Signed-off-by: Marijn Suijten Reviewed-by: Konrad Dybcio Reviewed-by: Dmitry Baryshkov Patchwork: https://patchwork.freedesktop.org/patch/534240/ Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-14-27ce1a5ab5c6@somainline.org Signed-off-by: Dmitry Baryshkov Stable-dep-of: 0b78be614c50 ("drm/msm/dpu: fix sc7280 and sc7180 PINGPONG done interrupts") Signed-off-by: Sasha Levin commit 82aaea40aa2517b2c24bad8d883b0dd9cf960df2 Author: Marijn Suijten Date: Thu Apr 27 00:37:27 2023 +0200 drm/msm/dpu: Move autorefresh disable from CMD encoder to pingpong [ Upstream commit 4a7c38ec7d8efe96c4d8b4d5fc0efb5b06db58e9 ] This autorefresh disable logic in the physical command-mode encoder consumes three callbacks to the pingpong block, and will explode in unnecessary complexity when the same callbacks need to be called on the interface block instead to accommodate INTF TE support. To clean this up, move the logic into the pingpong block under a disable_autorefresh callback, replacing the aforementioned three get_autorefresh, setup_autorefresh and get_vsync_info callbacks. The same logic will have to be replicated to the interface block when it receives INTF TE support, but it is less complex than constantly switching on a "has_intf_te" boolean to choose a callback. Suggested-by: Dmitry Baryshkov Signed-off-by: Marijn Suijten Reviewed-by: Dmitry Baryshkov Patchwork: https://patchwork.freedesktop.org/patch/534230/ Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-13-27ce1a5ab5c6@somainline.org Signed-off-by: Dmitry Baryshkov Stable-dep-of: 0b78be614c50 ("drm/msm/dpu: fix sc7280 and sc7180 PINGPONG done interrupts") Signed-off-by: Sasha Levin commit d06fc6c07bd34cdf997ffc582858778f104f0ae0 Author: Marijn Suijten Date: Thu Apr 27 00:37:26 2023 +0200 drm/msm/dpu: Drop unused poll_timeout_wr_ptr PINGPONG callback [ Upstream commit a2623e72c52b2cf258b34675a8ff38c66e7d26fb ] This callback was migrated from downstream when DPU1 was first introduced to mainline, but never used by any component. Drop it to save some lines and unnecessary confusion. Suggested-by: Dmitry Baryshkov Signed-off-by: Marijn Suijten Reviewed-by: Konrad Dybcio Reviewed-by: Dmitry Baryshkov Patchwork: https://patchwork.freedesktop.org/patch/534215/ Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-12-27ce1a5ab5c6@somainline.org Signed-off-by: Dmitry Baryshkov Stable-dep-of: 0b78be614c50 ("drm/msm/dpu: fix sc7280 and sc7180 PINGPONG done interrupts") Signed-off-by: Sasha Levin commit 9f40de4df625b3b7f26bc7c0ee0a853815aa6d23 Author: Luben Tuikov Date: Sat Jun 10 06:19:15 2023 -0400 drm/amdgpu: Fix usage of UMC fill record in RAS [ Upstream commit 71344a718a9fda8c551cdc4381d354f9a9907f6f ] The fixed commit listed in the Fixes tag below, introduced a bug in amdgpu_ras.c::amdgpu_reserve_page_direct(), in that when introducing the new amdgpu_umc_fill_error_record() and internally in that new function the physical address (argument "uint64_t retired_page"--wrong name) is right-shifted by AMDGPU_GPU_PAGE_SHIFT. Thus, in amdgpu_reserve_page_direct() when we pass "address" to that new function, we should NOT right-shift it, since this results, erroneously, in the page address to be 0 for first 2^(2*AMDGPU_GPU_PAGE_SHIFT) memory addresses. This commit fixes this bug. Cc: Tao Zhou Cc: Hawking Zhang Cc: Alex Deucher Fixes: 400013b268cb ("drm/amdgpu: add umc_fill_error_record to make code more simple") Signed-off-by: Luben Tuikov Link: https://lore.kernel.org/r/20230610113536.10621-1-luben.tuikov@amd.com Reviewed-by: Hawking Zhang Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 0cae3d00303f179a8c1ef41343a9aeb55544bf59 Author: Srinivasan Shanmugam Date: Fri Jun 9 14:06:43 2023 +0530 drm/amdgpu: Fix memcpy() in sienna_cichlid_append_powerplay_table function. [ Upstream commit d50dc746ff72b9c48812dac3344fa87fbde940a3 ] Fixes the following gcc with W=1: In file included from ./include/linux/string.h:253, from ./include/linux/bitmap.h:11, from ./include/linux/cpumask.h:12, from ./arch/x86/include/asm/cpumask.h:5, from ./arch/x86/include/asm/msr.h:11, from ./arch/x86/include/asm/processor.h:22, from ./arch/x86/include/asm/cpufeature.h:5, from ./arch/x86/include/asm/thread_info.h:53, from ./include/linux/thread_info.h:60, from ./arch/x86/include/asm/preempt.h:7, from ./include/linux/preempt.h:78, from ./include/linux/spinlock.h:56, from ./include/linux/mmzone.h:8, from ./include/linux/gfp.h:7, from ./include/linux/firmware.h:7, from drivers/gpu/drm/amd/amdgpu/../pm/swsmu/smu11/sienna_cichlid_ppt.c:26: In function ‘fortify_memcpy_chk’, inlined from ‘sienna_cichlid_append_powerplay_table’ at drivers/gpu/drm/amd/amdgpu/../pm/swsmu/smu11/sienna_cichlid_ppt.c:444:2, inlined from ‘sienna_cichlid_setup_pptable’ at drivers/gpu/drm/amd/amdgpu/../pm/swsmu/smu11/sienna_cichlid_ppt.c:506:8, inlined from ‘sienna_cichlid_setup_pptable’ at drivers/gpu/drm/amd/amdgpu/../pm/swsmu/smu11/sienna_cichlid_ppt.c:494:12: ./include/linux/fortify-string.h:413:4: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Wattribute-warning] 413 | __read_overflow2_field(q_size_field, size); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the compiler complains about the size calculation in the memcpy() - "sizeof(*smc_dpm_table) - sizeof(smc_dpm_table->table_header)" is much larger than what fits into table_member. Hence, reuse 'smu_memcpy_trailing' for nv1x Fixes: 7077b19a38240 ("drm/amd/pm: use macro to get pptable members") Suggested-by: Evan Quan Cc: Evan Quan Cc: Chengming Gui Cc: Christian König Cc: Alex Deucher Signed-off-by: Srinivasan Shanmugam Reviewed-by: Evan Quan Acked-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 233e9bc700414805145537511dc2738894f16284 Author: Daniel Golle Date: Tue Jun 6 16:43:20 2023 +0100 arm64: dts: mt7986: increase bl2 partition on NAND of Bananapi R3 [ Upstream commit 3bfbff9b461e3506dfb5b2904e8c15a0aea39e07 ] The bootrom burned into the MT7986 SoC will try multiple locations on the SPI-NAND flash to load bl2 in case the bl2 image located at the the previously attempted offset is corrupt. Use 0x100000 instead of 0x80000 as partition size for bl2 on SPI-NAND, allowing for up to four redundant copies of bl2 (typically sized a bit less than 0x40000). Fixes: 8e01fb15b8157 ("arm64: dts: mt7986: add Bananapi R3") Signed-off-by: Daniel Golle Link: https://lore.kernel.org/r/ZH9UGF99RgzrHZ88@makrotopia.org Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit aaf2d638460a7d15b9ad5ce31b2a803ad7c49007 Author: Nícolas F. R. A. Prado Date: Fri Jun 2 14:35:15 2023 -0400 arm64: dts: mediatek: mt8192: Fix CPUs capacity-dmips-mhz [ Upstream commit a4366b5695c984b8a3fc8b31de9e758c8f6d1aed ] The capacity-dmips-mhz parameter was miscalculated: this SoC runs the first (Cortex-A55) cluster at a maximum of 2000MHz and the second (Cortex-A76) cluster at a maximum of 2200MHz. In order to calculate the right capacity-dmips-mhz, the following test was performed: 1. CPUFREQ governor was set to 'performance' on both clusters 2. Ran dhrystone with 500000000 iterations for 10 times on each cluster 3. Calculated the mean result for each cluster 4. Calculated DMIPS/MHz: dmips_mhz = dmips_per_second / cpu_mhz 5. Scaled results to 1024: result_c0 = dmips_mhz_c0 / dmips_mhz_c1 * 1024 The mean results for this SoC are: Cluster 0 (LITTLE): 12016411 Dhry/s Cluster 1 (BIG): 31702034 Dhry/s The calculated scaled results are: Cluster 0: 426.953226899238 (rounded to 427) Cluster 1: 1024 Fixes: 48489980e27e ("arm64: dts: Add Mediatek SoC MT8192 and evaluation board dts and Makefile") Signed-off-by: Nícolas F. R. A. Prado Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20230602183515.3778780-1-nfraprado@collabora.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit e9466f96772be2501c26b9890436c1cb07921893 Author: Allen-KH Cheng Date: Fri Mar 17 14:19:44 2023 +0800 arm64: dts: mediatek: Add cpufreq nodes for MT8192 [ Upstream commit 9d498cce9298a71e3896e2d1aee24a1a4c531d81 ] Add the cpufreq nodes for MT8192 SoC. Signed-off-by: Allen-KH Cheng Tested-by: Chen-Yu Tsai Reviewed-by: Nícolas F. R. A. Prado Tested-by: Nícolas F. R. A. Prado Reviewed-by: AngeloGioacchino Del Regno Tested-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20230317061944.15434-1-allen-kh.cheng@mediatek.com Signed-off-by: Matthias Brugger Stable-dep-of: a4366b5695c9 ("arm64: dts: mediatek: mt8192: Fix CPUs capacity-dmips-mhz") Signed-off-by: Sasha Levin commit ca47d0dc00968358c136a1847cfed550cedfd1b5 Author: Bjorn Andersson Date: Mon Jun 12 15:02:59 2023 -0700 drm/msm/dp: Free resources after unregistering them [ Upstream commit fa0048a4b1fa7a50c8b0e514f5b428abdf69a6f8 ] The DP component's unbind operation walks through the submodules to unregister and clean things up. But if the unbind happens because the DP controller itself is being removed, all the memory for those submodules has just been freed. Change the order of these operations to avoid the many use-after-free that otherwise happens in this code path. Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support") Signed-off-by: Bjorn Andersson Reviewed-by: Dmitry Baryshkov Patchwork: https://patchwork.freedesktop.org/patch/542166/ Link: https://lore.kernel.org/r/20230612220259.1884381-1-quic_bjorande@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 2fde37445807e6e6d7981402d0bf1be0e5d81291 Author: Bjorn Andersson Date: Mon Jun 12 15:01:06 2023 -0700 drm/msm/dp: Drop aux devices together with DP controller [ Upstream commit a7bfb2ad2184a1fba78be35209b6019aa8cc8d4d ] Using devres to depopulate the aux bus made sure that upon a probe deferral the EDP panel device would be destroyed and recreated upon next attempt. But the struct device which the devres is tied to is the DPUs (drm_dev->dev), which may be happen after the DP controller is torn down. Indications of this can be seen in the commonly seen EDID-hexdump full of zeros in the log, or the occasional/rare KASAN fault where the panel's attempt to read the EDID information causes a use after free on DP resources. It's tempting to move the devres to the DP controller's struct device, but the resources used by the device(s) on the aux bus are explicitly torn down in the error path. The KASAN-reported use-after-free also remains, as the DP aux "module" explicitly frees its devres-allocated memory in this code path. As such, explicitly depopulate the aux bus in the error path, and in the component unbind path, to avoid these issues. Fixes: 2b57f726611e ("drm/msm/dp: fix aux-bus EP lifetime") Signed-off-by: Bjorn Andersson Reviewed-by: Dmitry Baryshkov Reviewed-by: Douglas Anderson Patchwork: https://patchwork.freedesktop.org/patch/542163/ Link: https://lore.kernel.org/r/20230612220106.1884039-1-quic_bjorande@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit ba3aa378df75f088ee19b90a670c6d4cb46a61c0 Author: Jessica Zhang Date: Fri Jun 9 15:57:17 2023 -0700 drm/msm/dsi: Remove incorrect references to slice_count [ Upstream commit 155fa3a91d64221eb0885fd221cc8085dbef908f ] Currently, slice_count is being used to calculate word count and pkt_per_line. Instead, these values should be calculated using slice per packet, which is not the same as slice_count. Slice count represents the number of slices per interface, and its value will not always match that of slice per packet. For example, it is possible to have cases where there are multiple slices per interface but the panel specifies only one slice per packet. Thus, use the default value of one slice per packet and remove slice_count from the aforementioned calculations. Fixes: 08802f515c3c ("drm/msm/dsi: Add support for DSC configuration") Fixes: bc6b6ff8135c ("drm/msm/dsi: Use DSC slice(s) packet size to compute word count") Reviewed-by: Marijn Suijten Signed-off-by: Jessica Zhang Patchwork: https://patchwork.freedesktop.org/patch/541965/ Link: https://lore.kernel.org/r/20230405-add-dsc-support-v6-5-95eab864d1b6@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 76870037cd600565e1a24a7e9bfe3ac51bc18904 Author: Jessica Zhang Date: Wed May 24 10:45:20 2023 -0700 drm/msm/dpu: Fix slice_last_group_size calculation [ Upstream commit c223059e6f8340f7eac2319470984cbfc39c433b ] Correct the math for slice_last_group_size so that it matches the calculations downstream. Fixes: c110cfd1753e ("drm/msm/disp/dpu1: Add support for DSC") Reviewed-by: Dmitry Baryshkov Reviewed-by: Marijn Suijten Signed-off-by: Jessica Zhang Patchwork: https://patchwork.freedesktop.org/patch/539269/ Link: https://lore.kernel.org/r/20230329-rfc-msm-dsc-helper-v14-7-bafc7be95691@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit d28df937e4733f0b122f5638b1c3ce3826e2d877 Author: Dmitry Baryshkov Date: Mon Jun 12 21:25:33 2023 +0300 drm/msm/dpu: do not enable color-management if DSPPs are not available [ Upstream commit 3bcfc7b90465efd337d39b91b43972162f0d1908 ] We can not support color management without DSPP blocks being provided in the HW catalog. Do not enable color management for CRTCs if num_dspps is 0. Fixes: 4259ff7ae509 ("drm/msm/dpu: add support for pcc color block in dpu driver") Reported-by: Yongqin Liu Signed-off-by: Dmitry Baryshkov Reviewed-by: Abhinav Kumar Reviewed-by: Marijn Suijten Reviewed-by: Sumit Semwal Tested-by: Yongqin Liu Patchwork: https://patchwork.freedesktop.org/patch/542141/ Link: https://lore.kernel.org/r/20230612182534.3345805-1-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit 228da1fa124470606ac19783e551f9d51a1e01b0 Author: Su Hui Date: Thu Jun 15 10:17:32 2023 +0800 ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer [ Upstream commit 79597c8bf64ca99eab385115743131d260339da5 ] smatch error: sound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error: we previously assumed 'rac97' could be null (see line 2072) remove redundant assignment, return error if rac97 is NULL. Fixes: da3cec35dd3c ("ALSA: Kill snd_assert() in sound/pci/*") Signed-off-by: Su Hui Link: https://lore.kernel.org/r/20230615021732.1972194-1-suhui@nfschina.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 5513409e077dc39d20d83a93f8229ea295899732 Author: Nishanth Menon Date: Fri Jun 2 16:49:33 2023 -0500 arm64: dts: ti: k3-am69-sk: Fix main_i2c0 alias [ Upstream commit b38c6ced4ec5b3f6260ff6cc2b71e8a3d8c897d7 ] main_i2c0 is aliased as i2c0 which creates a problem for u-boot R5 SPL attempting to reuse the same definition in the common board detection logic as it looks for the first i2c instance as the bus on which to detect the eeprom to understand the board variant involved. Switch main_i2c0 to i2c3 alias allowing us to introduce wkup_i2c0 and potentially space for mcu_i2c instances in the gap for follow on patches. Fixes: 635fb18ba008 ("arch: arm64: dts: Add support for AM69 Starter Kit") Signed-off-by: Nishanth Menon Reviewed-by: Udit Kumar Link: https://lore.kernel.org/r/20230602214937.2349545-5-nm@ti.com Signed-off-by: Vignesh Raghavendra Signed-off-by: Sasha Levin commit 0857373fb663727cbf4ad368b1d46ea309ae15c5 Author: Thejasvi Konduru Date: Wed May 3 14:01:43 2023 +0530 arm64: dts: ti: k3-j784s4: Fix wakeup pinmux range and pinctrl node offsets [ Upstream commit 14462bd0b247d05070d48d0f02eb7ca2680ab7bd ] The wkup_pmx register region in j784s4 has multiple non-addressable regions, hence the existing wkup_pmx region is split as follows to avoid the non-addressable regions. The pinctrl node offsets are also corrected as per the newly split wkup_pmx* nodes. wkup_pmx0 -> 13 pins (WKUP_PADCONFIG 0 - 12) wkup_pmx1 -> 11 pins (WKUP_PADCONFIG 14 - 24) wkup_pmx2 -> 72 pins (WKUP_PADCONFIG 26 - 97) wkup_pmx3 -> 1 pin (WKUP_PADCONFIG 100) Fixes: 4664ebd8346a ("arm64: dts: ti: Add initial support for J784S4 SoC") Signed-off-by: Thejasvi Konduru Reviewed-by: Nishanth Menon Link: https://lore.kernel.org/r/20230503083143.32369-1-t-konduru@ti.com Signed-off-by: Vignesh Raghavendra Signed-off-by: Sasha Levin commit cb23a546ea205409ee8c5e293d726a70cca29c0a Author: Nishanth Menon Date: Fri Jun 2 16:49:30 2023 -0500 arm64: dts: ti: k3-j784s4-evm: Fix main_i2c0 alias [ Upstream commit c10a9df30e3401bd5a5ee43f1afd6c2b2ca75ad7 ] main_i2c0 is aliased as i2c0 which creates a problem for u-boot R5 SPL attempting to reuse the same definition in the common board detection logic as it looks for the first i2c instance as the bus on which to detect the eeprom to understand the board variant involved. Switch main_i2c0 to i2c3 alias allowing us to introduce wkup_i2c0 and potentially space for mcu_i2c instances in the gap for follow on patches. Fixes: e20a06aca5c9 ("arm64: dts: ti: Add support for J784S4 EVM board") Signed-off-by: Nishanth Menon Reviewed-by: Udit Kumar Link: https://lore.kernel.org/r/20230602214937.2349545-2-nm@ti.com Signed-off-by: Vignesh Raghavendra Signed-off-by: Sasha Levin commit dc01703241aac5bc78cbb4b2f4e5f3e260b91930 Author: Andrew Davis Date: Mon May 15 12:21:33 2023 -0500 arm64: dts: ti: k3-j721e-beagleboneai64: Fix mailbox node status [ Upstream commit 155e7635ed1f3814d94d12556a3a0fed41d05b76 ] Mailbox nodes are now disabled by default. The BeagleBoard AI64 DT addition went in at around the same time and must have missed that change so the mailboxes are not re-enabled. Do that here. Fixes: fae14a1cb8dd ("arm64: dts: ti: Add k3-j721e-beagleboneai64") Signed-off-by: Andrew Davis Reviewed-by: Nishanth Menon Link: https://lore.kernel.org/r/20230515172137.474626-1-afd@ti.com Signed-off-by: Vignesh Raghavendra Signed-off-by: Sasha Levin commit 4e59e355f9fcccd9edf65d09f769bb4c163a1c36 Author: Yuan Can Date: Fri Dec 9 09:41:24 2022 +0000 clk: tegra: tegra124-emc: Fix potential memory leak [ Upstream commit 53a06e5924c0d43c11379a08c5a78529c3e61595 ] The tegra and tegra needs to be freed in the error handling path, otherwise it will be leaked. Fixes: 2db04f16b589 ("clk: tegra: Add EMC clock driver") Signed-off-by: Yuan Can Link: https://lore.kernel.org/r/20221209094124.71043-1-yuancan@huawei.com Acked-by: Thierry Reding Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit f078a65ebf930f4305e3c415a8338d22391642c9 Author: Dan Carpenter Date: Thu May 11 20:01:20 2023 +0300 clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider() [ Upstream commit 9c632a6396505a019ea6d12b5ab45e659a542a93 ] Smatch detected this potential error pointer dereference clk_wzrd_register_divider(). If devm_clk_hw_register() fails then it sets "hw" to an error pointer and then dereferences it on the next line. Return the error directly instead. Fixes: 5a853722eb32 ("staging: clocking-wizard: Add support for dynamic reconfiguration") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/f0e39b5c-4554-41e0-80d9-54ca3fabd060@kili.mountain Reviewed-by: Michal Simek Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit b75a0dae88ea12711bc5ef0590fd9e706b1e8e15 Author: Dan Carpenter Date: Fri Apr 21 13:41:01 2023 +0300 clk: bcm: rpi: Fix off by one in raspberrypi_discover_clocks() [ Upstream commit da2edb3e3c09fd1451b7f400ccd1070ef086619a ] Smatch detected an off by one in this code: drivers/clk/bcm/clk-raspberrypi.c:374 raspberrypi_discover_clocks() error: buffer overflow 'data->hws' 16 <= 16 The data->hws[] array has RPI_FIRMWARE_NUM_CLK_ID elements so the > comparison needs to changed to >=. Fixes: 12c90f3f27bb ("clk: bcm: rpi: Add variant structure") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/5a850b08-d2f5-4794-aceb-a6b468965139@kili.mountain Reviewed-by: Stefan Wahren Reviewed-by: Florian Fainelli Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 38410af6e45a3d6b628bed65c19e765296775e37 Author: Abel Vesa Date: Thu Jun 1 13:38:17 2023 +0300 arm64: dts: qcom: sm8550: Add missing interconnect path to USB HC [ Upstream commit 11a1397bbf69e408223bb691858a0fcd295a8f76 ] The USB HC node is missing the interconnect paths, so add them. Fixes: 7f7e5c1b037f ("arm64: dts: qcom: sm8550: Add USB PHYs and controller nodes") Signed-off-by: Abel Vesa Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230601103817.4066446-1-abel.vesa@linaro.org Signed-off-by: Sasha Levin commit 968237d7dbe46abfe7da5351b1fd3cdcff265460 Author: Marijn Suijten Date: Tue Jun 6 23:14:18 2023 +0200 arm64: dts: qcom: sm8250-edo: Panel framebuffer is 2.5k instead of 4k [ Upstream commit 223ce29c8b7e5b00f01a68387aabeefd77d97f06 ] The framebuffer configuration for edo pdx203, written in edo dtsi (which is overwritten in pdx206 dts for its smaller panel) has to use a 1096x2560 configuration as this is what the panel (and framebuffer area) has been initialized to. Downstream userspace also has access to (and uses) this 2.5k mode by default, and only switches the panel to 4k when requested. This is similar to commit be8de06dc397 ("arm64: dts: qcom: sm8150-kumano: Panel framebuffer is 2.5k instead of 4k") which fixed the same for the previous generation Sony platform. Fixes: 69cdb97ef652 ("arm64: dts: qcom: sm8250: Add support for SONY Xperia 1 II / 5 II (Edo platform)") Signed-off-by: Marijn Suijten Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230606211418.587676-1-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit 5ad3d270816decb0bd95d70b9ef55c58f6913a93 Author: Konrad Dybcio Date: Wed May 31 15:22:42 2023 +0200 arm64: dts: qcom: sm8550: Flush RSC sleep & wake votes [ Upstream commit 4b2c7ac8e469ab7f92e50c34ad4012a77e79d078 ] The rpmh driver will cache sleep and wake votes until the cluster power-domain is about to enter idle, to avoid unnecessary writes. So associate the apps_rsc with the cluster pd, so that it can be notified about this event. Without this, only AMC votes are being commited. Fixes: ffc50b2d3828 ("arm64: dts: qcom: Add base SM8550 dtsi") Signed-off-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230531-topic-rsc-v1-8-b4a985f57b8b@linaro.org Signed-off-by: Sasha Levin commit 4eccb0576bc2c332f80c40693fd5a367ca037f89 Author: Konrad Dybcio Date: Wed May 31 15:22:40 2023 +0200 arm64: dts: qcom: sdm845: Flush RSC sleep & wake votes [ Upstream commit 91e83140b5dd5598fbcfada3ee1f8b2b410c3731 ] The rpmh driver will cache sleep and wake votes until the cluster power-domain is about to enter idle, to avoid unnecessary writes. So associate the apps_rsc with the cluster pd, so that it can be notified about this event. Without this, only AMC votes are being commited. Fixes: c83545d95376 ("arm64: dts: sdm845: Add rpmh-rsc node") Signed-off-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230531-topic-rsc-v1-6-b4a985f57b8b@linaro.org Signed-off-by: Sasha Levin commit 07810010445decc4cfffe8824e6d7a0d98bd11ec Author: Konrad Dybcio Date: Wed May 31 15:22:39 2023 +0200 arm64: dts: qcom: sdm670: Flush RSC sleep & wake votes [ Upstream commit 7b04cbd81b0e60c5151a310e7b730dc4a951a211 ] The rpmh driver will cache sleep and wake votes until the cluster power-domain is about to enter idle, to avoid unnecessary writes. So associate the apps_rsc with the cluster pd, so that it can be notified about this event. Without this, only AMC votes are being commited. Fixes: 07c8ded6e373 ("arm64: dts: qcom: add sdm670 and pixel 3a device trees") Signed-off-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230531-topic-rsc-v1-5-b4a985f57b8b@linaro.org Signed-off-by: Sasha Levin commit bbf82306d3b8a597f522994577b2ee94b8813de2 Author: Konrad Dybcio Date: Wed May 31 15:22:37 2023 +0200 arm64: dts: qcom: qdu1000: Flush RSC sleep & wake votes [ Upstream commit ab033e7846f91953244d0626b28ce66412b813b3 ] The rpmh driver will cache sleep and wake votes until the cluster power-domain is about to enter idle, to avoid unnecessary writes. So associate the apps_rsc with the cluster pd, so that it can be notified about this event. Without this, only AMC votes are being commited. Fixes: 6bd20c54b589 ("arm64: dts: qcom: Add base QDU1000/QRU1000 DTSIs") Signed-off-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230531-topic-rsc-v1-3-b4a985f57b8b@linaro.org Signed-off-by: Sasha Levin commit 47234e19b00816a8a7b278c7173f6d4e928c43c7 Author: Bosi Zhang Date: Sat Apr 22 08:43:31 2023 +0000 clk: mediatek: fix of_iomap memory leak [ Upstream commit 3db7285e044144fd88a356f5b641b9cd4b231a77 ] Smatch reports: drivers/clk/mediatek/clk-mtk.c:583 mtk_clk_simple_probe() warn: 'base' from of_iomap() not released on lines: 496. This problem was also found in linux-next. In mtk_clk_simple_probe(), base is not released when handling errors if clk_data is not existed, which may cause a leak. So free_base should be added here to release base. Fixes: c58cd0e40ffa ("clk: mediatek: Add mtk_clk_simple_probe() to simplify clock providers") Signed-off-by: Bosi Zhang Reviewed-by: Dongliang Mu Link: https://lore.kernel.org/r/20230422084331.47198-1-u201911157@hust.edu.cn Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 92ce7629a11ae62292e1cfaa6132dab081fc80ee Author: Yuxing Liu Date: Wed May 3 07:06:07 2023 +0000 clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe() [ Upstream commit 878b02d5f3b56cb090dbe2c70c89273be144087f ] Replace of_iomap() and kzalloc() with devm_of_iomap() and devm_kzalloc() which can automatically release the related memory when the device or driver is removed or unloaded to avoid potential memory leak. In this case, iounmap(anatop_base) in line 427,433 are removed as manual release is not required. Besides, referring to clk-imx8mq.c, check the return code of of_clk_add_hw_provider, if it returns negtive, print error info and unregister hws, which makes the program more robust. Fixes: 9c140d992676 ("clk: imx: Add support for i.MX8MP clock driver") Signed-off-by: Yuxing Liu Reviewed-by: Dongliang Mu Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20230503070607.2462-1-lyx2022@hust.edu.cn Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit d17c16a2b2a6589c45b0bfb1b9914da80b72d89e Author: Zhanhao Hu Date: Thu Jun 1 03:38:25 2023 +0000 clk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe [ Upstream commit e02ba11b457647050cb16e7cad16cec3c252fade ] In function probe(), it returns directly without unregistered hws when error occurs. Fix this by adding 'goto unregister_hws;' on line 295 and line 310. Use devm_kzalloc() instead of kzalloc() to automatically free the memory using devm_kfree() when error occurs. Replace of_iomap() with devm_of_iomap() to automatically handle the unused ioremap region and delete 'iounmap(anatop_base);' in unregister_hws. Fixes: 24defbe194b6 ("clk: imx: add i.MX93 clk") Signed-off-by: Zhanhao Hu Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20230601033825.336558-1-zero12113@hust.edu.cn Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit d4fa5e47af1e7bb2bbcaac062b14216c00e92148 Author: Hao Luo Date: Tue Apr 11 09:51:07 2023 +0800 clk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe [ Upstream commit 188d070de9132667956f5aadd98d2bd87d3eac89 ] Use devm_of_iomap() instead of of_iomap() to automatically handle the unused ioremap region. If any error occurs, regions allocated by kzalloc() will leak, but using devm_kzalloc() instead will automatically free the memory using devm_kfree(). Fixes: daeb14545514 ("clk: imx: imx8mn: Switch to clk_hw based API") Fixes: 96d6392b54db ("clk: imx: Add support for i.MX8MN clock driver") Signed-off-by: Hao Luo Reviewed-by: Dongliang Mu Reviewed-by: Peng Fan Link: https://lore.kernel.org/r/20230411015107.2645-1-m202171776@hust.edu.cn Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit 02e54db221bb001b32f839e0149ee8d890ab9aa1 Author: Kai Ma Date: Tue Apr 18 11:34:51 2023 +0000 clk: imx: clk-imxrt1050: fix memory leak in imxrt1050_clocks_probe [ Upstream commit 1b280598ab3bd8a2dc8b96a12530d5b1ee7a8f4a ] Use devm_of_iomap() instead of of_iomap() to automatically handle the unused ioremap region. If any error occurs, regions allocated by kzalloc() will leak, but using devm_kzalloc() instead will automatically free the memory using devm_kfree(). Also, fix error handling of hws by adding unregister_hws label, which unregisters remaining hws when iomap failed. Fixes: 7154b046d8f3 ("clk: imx: Add initial support for i.MXRT1050 clock driver") Signed-off-by: Kai Ma Reviewed-by: Peng Fan Acked-by: Jesse Taube Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20230418113451.151312-1-kaima@hust.edu.cn Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit ae86e657d587ec79d1adc552e228409632461ebc Author: Adam Ford Date: Sat May 6 14:53:25 2023 -0500 clk: imx: composite-8m: Add imx8m_divider_determine_rate [ Upstream commit 8208181fe536bba3b411508f81c4426fc9c71d9a ] Currently, certain clocks are derrived as a divider from their parent clock. For some clocks, even when CLK_SET_RATE_PARENT is set, the parent clock is not properly set which can lead to some relatively inaccurate clock values. Unlike imx/clk-composite-93 and imx/clk-divider-gate, it cannot rely on calling a standard determine_rate function, because the 8m composite clocks have a pre-divider and post-divider. Because of this, a custom determine_rate function is necessary to determine the maximum clock division which is equivalent to pre-divider * the post-divider. With this added, the system can attempt to adjust the parent rate when the proper flags are set which can lead to a more precise clock value. On the imx8mplus, no clock changes are present. On the Mini and Nano, this can help achieve more accurate lcdif clocks. When trying to get a pixel clock of 31.500MHz on an imx8m Nano, the clocks divided the 594MHz down, but left the parent rate untouched which caused a calulation error. Before: video_pll 594000000 video_pll_bypass 594000000 video_pll_out 594000000 disp_pixel 31263158 disp_pixel_clk 31263158 Variance = -236842 Hz After this patch: video_pll 31500000 video_pll_bypass 31500000 video_pll_out 31500000 disp_pixel 31500000 disp_pixel_clk 31500000 Variance = 0 Hz All other clocks rates and parent were the same. Similar results on imx8mm were found. Fixes: 690dccc4a0bf ("Revert "clk: imx: composite-8m: Add support to determine_rate"") Signed-off-by: Adam Ford Reviewed-by: Abel Vesa Tested-by: Fabio Estevam Link: https://lore.kernel.org/r/20230506195325.876871-1-aford173@gmail.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit 1635eb05c31033cc78bf3e31a84b1e8a060c69f8 Author: Kashyap Desai Date: Fri Jun 9 04:01:39 2023 -0700 RDMA/bnxt_re: Avoid calling wake_up threads from spin_lock context [ Upstream commit 3099bcdc19b701f732f638ee45679858c08559bb ] bnxt_qplib_service_creq can be called from interrupt or tasklet or process context. So the function take irq variant of spin_lock. But when wake_up is invoked with the lock held, it is putting the calling context to sleep. [exception RIP: __wake_up_common+190] RIP: ffffffffb7539d7e RSP: ffffa73300207ad8 RFLAGS: 00000083 RAX: 0000000000000001 RBX: ffff91fa295f69b8 RCX: dead000000000200 RDX: ffffa733344af940 RSI: ffffa73336527940 RDI: ffffa73336527940 RBP: 000000000000001c R8: 0000000000000002 R9: 00000000000299c0 R10: 0000017230de82c5 R11: 0000000000000002 R12: ffffa73300207b28 R13: 0000000000000000 R14: ffffa733341bf928 R15: 0000000000000000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 Call the wakeup after releasing the lock. Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Signed-off-by: Kashyap Desai Signed-off-by: Selvin Xavier Link: https://lore.kernel.org/r/1686308514-11996-3-git-send-email-selvin.xavier@broadcom.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 50d77c3739b2b15e9e1f1c9cbe50037d294800f8 Author: Kashyap Desai Date: Fri Jun 9 04:01:38 2023 -0700 RDMA/bnxt_re: wraparound mbox producer index [ Upstream commit 0af91306e17ef3d18e5f100aa58aa787869118af ] Driver is not handling the wraparound of the mbox producer index correctly. Currently the wraparound happens once u32 max is reached. Bit 31 of the producer index register is special and should be set only once for the first command. Because the producer index overflow setting bit31 after a long time, FW goes to initialization sequence and this causes FW hang. Fix is to wraparound the mbox producer index once it reaches u16 max. Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code") Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Signed-off-by: Kashyap Desai Signed-off-by: Selvin Xavier Link: https://lore.kernel.org/r/1686308514-11996-2-git-send-email-selvin.xavier@broadcom.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit e2cc08870b8281cafceb86007f1427d057439caf Author: Dmitry Baryshkov Date: Sun Apr 9 04:13:29 2023 +0300 drm/msm/a5xx: really check for A510 in a5xx_gpu_init [ Upstream commit 736a9327365644b460e4498b1ce172ca411efcbc ] The commit 010c8bbad2cb ("drm: msm: adreno: Disable preemption on Adreno 510") added special handling for a510 (this SKU doesn't seem to support preemption, so the driver should clamp nr_rings to 1). However the gpu->revn is not yet set (it is set later, in adreno_gpu_init()) and thus the condition is always false. Check config->rev instead. Fixes: 010c8bbad2cb ("drm: msm: adreno: Disable preemption on Adreno 510") Reported-by: Adam Skladowski Signed-off-by: Dmitry Baryshkov Tested-by: Adam Skladowski Patchwork: https://patchwork.freedesktop.org/patch/531511/ Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 6ffafbdca65d70586f5c881e222e757ac731cbca Author: Dmitry Baryshkov Date: Mon Apr 10 21:52:26 2023 +0300 drm/msm/a6xx: don't set IO_PGTABLE_QUIRK_ARM_OUTER_WBWA with coherent SMMU [ Upstream commit 38e27a6fbf2206b18417c5985dbcdeca0f2026b8 ] If the Adreno SMMU is dma-coherent, allocation will fail unless we disable IO_PGTABLE_QUIRK_ARM_OUTER_WBWA. Skip setting this quirk for the coherent SMMUs (like we have on sm8350 platform). Fixes: 54af0ceb7595 ("arm64: dts: qcom: sm8350: add GPU, GMU, GPU CC and SMMU nodes") Reported-by: David Heidelberg Signed-off-by: Dmitry Baryshkov Tested-by: David Heidelberg Reviewed-by: Konrad Dybcio Tested-by: Konrad Dybcio # SM8450 HDK Patchwork: https://patchwork.freedesktop.org/patch/531562/ Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit bc6dbf34dc4fb639522f3e8e66ef05997c0441ee Author: Chia-I Wu Date: Thu Jun 1 15:44:12 2023 -0700 amdgpu: validate offset_in_bo of drm_amdgpu_gem_va [ Upstream commit 9f0bcf49e9895cb005d78b33a5eebfa11711b425 ] This is motivated by OOB access in amdgpu_vm_update_range when offset_in_bo+map_size overflows. v2: keep the validations in amdgpu_vm_bo_map v3: add the validations to amdgpu_vm_bo_map/amdgpu_vm_bo_replace_map rather than to amdgpu_gem_va_ioctl Fixes: 9f7eb5367d00 ("drm/amdgpu: actually use the VM map parameters") Reviewed-by: Christian König Signed-off-by: Chia-I Wu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 87a21a850d225683851be886129023fd4df39110 Author: Bob Pearson Date: Tue May 30 17:13:32 2023 -0500 RDMA/rxe: Fix access checks in rxe_check_bind_mw [ Upstream commit 425e1c9018fdf25cb4531606cc92d9d01a55534f ] The subroutine rxe_check_bind_mw() in rxe_mw.c performs checks on the mw access flags before they are set so they always succeed. This patch instead checks the access flags passed in the send wqe. Fixes: 32a577b4c3a9 ("RDMA/rxe: Add support for bind MW work requests") Link: https://lore.kernel.org/r/20230530221334.89432-4-rpearsonhpe@gmail.com Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit c62adbe98d09a6b579e00d72f4eaf00f56de9b75 Author: Geert Uytterhoeven Date: Tue May 23 17:10:59 2023 +0200 HID: uclogic: Modular KUnit tests should not depend on KUNIT=y [ Upstream commit 49904a0ebf23b15aad288a10f5354e7cd8193121 ] While KUnit tests that cannot be built as a loadable module must depend on "KUNIT=y", this is not true for modular tests, where it adds an unnecessary limitation. Fix this by relaxing the dependency to "KUNIT". Fixes: 08809e482a1c44d9 ("HID: uclogic: KUnit best practices and naming conventions") Signed-off-by: Geert Uytterhoeven Reviewed-by: David Gow Reviewed-by: José Expósito Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 4968eec706d9f06c4a9d4f81242597339f6a70db Author: Nikita Zhandarovich Date: Fri May 19 08:33:27 2023 -0700 drm/radeon: fix possible division-by-zero errors [ Upstream commit 1becc57cd1a905e2aa0e1eca60d2a37744525c4a ] Function rv740_get_decoded_reference_divider() may return 0 due to unpredictable reference divider value calculated in radeon_atom_get_clock_dividers(). This will lead to division-by-zero error once that value is used as a divider in calculating 'clk_s'. While unlikely, this issue should nonetheless be prevented so add a sanity check for such cases by testing 'decoded_ref' value against 0. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. v2: minor coding style fixes (Alex) In practice this should actually happen as the vbios should be properly populated. Fixes: 66229b200598 ("drm/radeon/kms: add dpm support for rv7xx (v4)") Signed-off-by: Nikita Zhandarovich Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 13bd97c3488bf82d1ea4a852af6828e3e1ccefed Author: Aurabindo Pillai Date: Wed May 17 14:39:46 2023 -0400 drm/amd/display: Fix artifacting on eDP panels when engaging freesync video mode [ Upstream commit b18f05a0666aecd5cb19c26a8305bcfa4e9d6502 ] [Why] When freesync video mode is enabled, switching resolution from native mode to one of the freesync video compatible modes can trigger continous artifacts on some eDP panels when running under KDE. The articating can be seen in the attached bug report. [How] Fix this by restricting updates that require full commit by using the same checks for stream and scaling changes in the the enable pass of dm_update_crtc_state() along with the check for compatible timings for freesync vide mode. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2162 Fixes: da5e14909776 ("drm/amd/display: Fix hang when skipping modeset") Signed-off-by: Aurabindo Pillai Reviewed-by: Rodrigo Siqueira Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit ca4da6c91298027992f9431a7164687f0610fd3c Author: Chen-Yu Tsai Date: Wed May 31 14:35:30 2023 +0800 soc: mediatek: SVS: Fix MT8192 GPU node name [ Upstream commit 95094495401bdf6a0649d220dfd095e6079b5e39 ] Device tree node names should be generic. The planned device node name for the GPU, according to the bindings and posted DT changes, is "gpu", not "mali". Fix the GPU node name in the SVS driver to follow. Fixes: 0bbb09b2af9d ("soc: mediatek: SVS: add mt8192 SVS GPU driver") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Alexandre Mergnat Link: https://lore.kernel.org/r/20230531063532.2240038-1-wenst@chromium.org Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit 069cfe458fefdb55fdbd570775c002fc81d50c38 Author: Daniil Dulov Date: Thu May 11 04:23:14 2023 -0700 drm/amdkfd: Fix potential deallocation of previously deallocated memory. [ Upstream commit cabbdea1f1861098991768d7bbf5a49ed1608213 ] Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate(). The function then returns non-zero value, which causes the second deallocation. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd") Signed-off-by: Daniil Dulov Signed-off-by: Felix Kuehling Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 355d3403526f0fa05c9c66a4a015aac20e47cb34 Author: Christophe JAILLET Date: Mon Apr 17 23:41:11 2023 +0200 drm/amd/display: Fix a test dml32_rq_dlg_get_rq_reg() [ Upstream commit bafc31166aa7df5fa26ae0ad8196d1717e6cdea9 ] It is likely p1_min_meta_chunk_bytes was expected here, instead of min_meta_chunk_bytes. Test the correct variable. Fixes: dda4fb85e433 ("drm/amd/display: DML changes for DCN32/321") Signed-off-by: Christophe JAILLET Signed-off-by: Hamza Mahfooz Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 80d135aeeb1ca29c25c520cf018fe3e44596419c Author: Christophe JAILLET Date: Mon Apr 17 23:35:08 2023 +0200 drm/amd/display: Fix a test CalculatePrefetchSchedule() [ Upstream commit 960e27a5741cd3001996ff6ddfb3eb0ed3a4909d ] It is likely Height was expected here, instead of Width. Test the correct variable. Fixes: 17529ea2acfa ("drm/amd/display: Optimizations for DML math") Signed-off-by: Christophe JAILLET Signed-off-by: Hamza Mahfooz Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 4524cd18e607b2e4a5245abdb0be8c085af871b3 Author: Maxime Ripard Date: Fri May 5 13:25:03 2023 +0200 clk: Export clk_hw_forward_rate_request() [ Upstream commit ed046ac74da0b5602566073023a1519b5ae657b7 ] Commit 262ca38f4b6e ("clk: Stop forwarding clk_rate_requests to the parent") introduced the public clk_hw_forward_rate_request() function, but didn't export the symbol. Make sure it's the case. Fixes: 262ca38f4b6e ("clk: Stop forwarding clk_rate_requests to the parent") Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20221018-clk-range-checks-fixes-v4-1-971d5077e7d2@cerno.tech Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit ebbdf35a23e9c5efbd126ca18443ba6a29d71347 Author: Christian Lamparter Date: Thu Jun 8 17:36:29 2023 +0200 ARM: dts: BCM5301X: fix duplex-full => full-duplex [ Upstream commit fd274b733bfdde3ca72f0fa2a37f032f3a8c402c ] this typo was found by the dtbs_check | ports:port@5:fixed-link: 'oneOf' conditional failed, | {'speed': [[1000]], 'duplex-full': True} is not of type 'array' | 'duplex-full' does not match any of the regexes: 'pinctrl-[0-]..." this should have been full-duplex; Fixes: 935327a73553 ("ARM: dts: BCM5301X: Add DT for Meraki MR26") Fixes: ec88a9c344d9 ("ARM: BCM5301X: Add DT for Meraki MR32") Signed-off-by: Christian Lamparter Link: https://lore.kernel.org/r/50522f45566951a9eabd22820647924cc6b4a264.1686238550.git.chunkeey@gmail.com Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit 732a1b28df8465c0c878b8c1b8ca54684fcf3a32 Author: Guenter Roeck Date: Fri Jun 2 14:34:47 2023 -0700 hwmon: (pmbus/adm1275) Fix problems with temperature monitoring on ADM1272 [ Upstream commit b153a0bb4199566abd337119207f82b59a8cd1ca ] The PMON_CONFIG register on ADM1272 is a 16 bit register. Writing a 8 bit value into it clears the upper 8 bits of the register, resulting in unexpected side effects. Fix by writing the 16 bit register value. Also, it has been reported that temperature readings are sometimes widely inaccurate, to the point where readings may result in device shutdown due to errant overtemperature faults. Improve by enabling temperature sampling. While at it, move the common code for ADM1272 and ADM1278 into a separate function, and clarify in the error message that an attempt was made to enable both VOUT and temperature monitoring. Last but not least, return the error code reported by the underlying I2C controller and not -ENODEV if updating the PMON_CONFIG register fails. After all, this does not indicate that the chip is not present, but an error in the communication with the chip. Fixes: 4ff0ce227a1e ("hwmon: (pmbus/adm1275) Add support for ADM1272") Fixes: 9da9c2dc57b2 ("hwmon: (adm1275) enable adm1272 temperature reporting") Signed-off-by: Guenter Roeck Link: https://lore.kernel.org/r/20230602213447.3557346-1-linux@roeck-us.net Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit be5baef9e67b8544cf2e61353548bedd008c0d22 Author: Tim Harvey Date: Tue Jun 6 08:30:04 2023 -0700 hwmon: (gsc-hwmon) fix fan pwm temperature scaling [ Upstream commit a6d80df47ee2c69db99e4f2f8871aa4db154620b ] The GSC fan pwm temperature register is in centidegrees celcius but the Linux hwmon convention is to use milidegrees celcius. Fix the scaling. Fixes: 3bce5377ef66 ("hwmon: Add Gateworks System Controller support") Signed-off-by: Tim Harvey Link: https://lore.kernel.org/r/20230606153004.1448086-1-tharvey@gateworks.com Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit e13f413b410c3f10533db030551ce6a2f0a1aa57 Author: Olivier Moysan Date: Tue Jun 6 13:56:04 2023 +0200 ARM: dts: stm32: fix i2s endpoint format property for stm32mp15xx-dkx [ Upstream commit 076c74c592cabe4a47537fe5205b5b678bed010d ] Use "dai-format" to configure DAI audio format as specified in audio-graph-port.yaml bindings. Fixes: 144d1ba70548 ("ARM: dts: stm32: Adapt STM32MP157 DK boards to stm32 DT diversity") Signed-off-by: Olivier Moysan Signed-off-by: Alexandre Torgue Signed-off-by: Sasha Levin commit 34cc2d955ee6d1bc73e12f30589a2b3a37689a1f Author: Dan Carpenter Date: Mon May 15 13:32:18 2023 +0300 accel/habanalabs: fix gaudi2_get_tpc_idle_status() return [ Upstream commit 9ec7639b5e124f273db20555cc38bd40057157b3 ] The gaudi2_get_tpc_idle_status() function returned the incorrect variable so it always returned true. Fixes: d85f0531b928 ("accel/habanalabs: break is_idle function into per-engine sub-routines") Signed-off-by: Dan Carpenter Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 73bd578a61876663d640bcb08d075318fcddd6b7 Author: Marek Vasut Date: Tue Jun 6 20:01:12 2023 +0200 ARM: dts: stm32: Fix audio routing on STM32MP15xx DHCOM PDK2 [ Upstream commit e3f2778b1b6ced649bffdc7cbb05b80bb92f2108 ] The audio routing flow is not correct, the flow should be from source (second element in the pair) to sink (first element in the pair). The flow now is from "HP_OUT" to "Playback", where "Playback" is source and "HP_OUT" is sink, i.e. the direction is swapped and there is no direct link between the two either. Fill in the correct routing, where "HP_OUT" supplies the "Headphone Jack", "Line In Jack" supplies "LINE_IN" input, "Microphone Jack" supplies "MIC_IN" input and "Mic Bias" supplies "Microphone Jack". Fixes: 34e0c7847dcf ("ARM: dts: stm32: Add DH Electronics DHCOM STM32MP1 SoM and PDK2 board") Signed-off-by: Marek Vasut Signed-off-by: Alexandre Torgue Signed-off-by: Sasha Levin commit 1f161eef58ff6aba0374653315627b1db3b20b4e Author: Chris Morgan Date: Mon May 8 11:08:11 2023 -0500 arm64: dts: rockchip: Fix compatible for Bluetooth on rk3566-anbernic [ Upstream commit a325956fa7048906e26a4535ac2e87e111788fe8 ] The realtek Bluetooth module uses the same driver as the realtek,rtl8822cs-bt and the realtek,rtl8723bs-bt, however by selecting the 8723bs advanced power saving features are disabled that appear to interfere with normal operation of the bluetooth module. This change switches the compatible string to disable power saving. Without this patch evtest of a paired bluetooth controller fails, with this patch the controller operates as expected. Fixes: b6986b7920bb ("arm64: dts: rockchip: Update compatible for bluetooth") Signed-off-by: Chris Morgan Link: https://lore.kernel.org/r/20230508160811.3568213-3-macroalpha82@gmail.com Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit ef9adbdd17a90a83e3853b57d8e508368f73361e Author: Caleb Connolly Date: Tue Jun 6 12:05:32 2023 -0700 Input: pm8941-powerkey - fix debounce on gen2+ PMICs [ Upstream commit 8c9cce9cb81b5fdc6e66bf3f129727b89e8daab7 ] Since PM8998/PM660, the power key debounce register was redefined to support shorter debounce times. On PM8941 the shortest debounce time (represented by register value 0) was 15625us, on PM8998 the shortest debounce time is 62us, with the default being 2ms. Adjust the bit shift to correctly program debounce on PM8998 and newer. Fixes: 68c581d5e7d8 ("Input: add Qualcomm PM8941 power key driver") Signed-off-by: Caleb Connolly Link: https://lore.kernel.org/r/20230529-pm8941-pwrkey-debounce-v1-2-c043a6d5c814@linaro.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 861f5fcf895aa13b9b3d0a67106dfab4a9e722be Author: Keerthy Date: Wed Apr 19 09:30:06 2023 +0530 arm64: dts: ti: k3-j7200: Fix physical address of pin [ Upstream commit 3d011933000ed9054c649952d83162d24f020a93 ] wkup_pmx splits into multiple regions. Like wkup_pmx0 -> 13 pins (WKUP_PADCONFIG 0 - 12) wkup_pmx1 -> 2 pins (WKUP_PADCONFIG 14 - 15) wkup_pmx2 -> 59 pins (WKUP_PADCONFIG 26 - 84) wkup_pmx3 -> 8 pins (WKUP_PADCONFIG 93 - 100) With this split, pin offset needs to be adjusted to match with new pmx for all pins above wkup_pmx0. Example a pin under wkup_pmx1 should start from 0 instead of old offset(0x38 WKUP_PADCONFIG 14 offset) J7200 Datasheet (Table 6-106, Section 6.4 Pin Multiplexing) : https://www.ti.com/lit/ds/symlink/dra821u.pdf Fixes: 9ae21ac445e9 ("arm64: dts: ti: k3-j7200: Fix wakeup pinmux range") Signed-off-by: Keerthy Signed-off-by: Udit Kumar Link: https://lore.kernel.org/r/20230419040007.3022780-2-u-kumar1@ti.com Signed-off-by: Vignesh Raghavendra Signed-off-by: Sasha Levin commit ad1a932ea847237e6728bdd0f95e60f518ef7fde Author: Cristian Ciocaltea Date: Tue May 30 21:11:40 2023 +0300 arm64: dts: rockchip: Assign ES8316 MCLK rate on rk3588-rock-5b [ Upstream commit 28ee08cef4f838c343013330a3cd12674c4dd113 ] The I2S0_8CH_MCLKOUT clock rate on Rock 5B board defaults to 12 MHz and it is used to provide the master clock (MCLK) for the ES8316 audio codec. On sound card initialization, this limits the allowed sample rates according to the MCLK/LRCK ratios supported by the codec, which results in the following non-standard rates: 15625, 30000, 31250, 46875. Hence, the very first access of the sound card fails: Broken configuration for playback: no configurations available: Invalid argument Setting of hwparams failed: Invalid argument However, all subsequent attempts will succeed, as the audio graph card will request a correct clock frequency, based on the stream sample rate and the multiplication factor. Assign MCLK to 12.288 MHz, which allows the codec to advertise most of the standard sample rates. Fixes: 55529fe3f32d ("arm64: dts: rockchip: Add rk3588-rock-5b analog audio") Signed-off-by: Cristian Ciocaltea Link: https://lore.kernel.org/r/20230530181140.483936-4-cristian.ciocaltea@collabora.com Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit b4e0f8df9ee4ab001db8e968da3354ef6ae4f58e Author: Ville Syrjälä Date: Wed May 31 16:56:25 2023 +0300 drm/i915: No 10bit gamma on desktop gen3 parts [ Upstream commit 19db2062094c75c64039d820c2547aad4dcfd905 ] Apparently desktop gen3 parts don't support the 10bit gamma mode at all. Stop claiming otherwise. As is the case with pipe A on gen3 mobile parts, the PIPECONF gamma mode bit can be set but it has no effect on the output. PNV seems to be the only slight exception, but generally the desktop PNV variant looks more like a mobile part so this is not entirely surprising. Fixes: 67630bacae23 ("drm/i915: Add 10bit gamma mode for gen2/3") Signed-off-by: Ville Syrjälä Reviewed-by: Uma Shankar Link: https://patchwork.freedesktop.org/patch/msgid/20230531135625.3467-1-ville.syrjala@linux.intel.com Signed-off-by: Sasha Levin commit be2caaed96c55bb1fcd55a25e60d7b309ff49f2d Author: Matt Roper Date: Tue May 23 12:56:07 2023 -0700 drm/i915/display: Make display responsible for probing its own IP [ Upstream commit 69d439818fe501e8c9e50d963a53cb596e36f9f7 ] Rather than selecting the display IP and feature flags at the same time the general PCI probing happens, move this step into the display code itself so that it can be more easily re-used outside of i915 (i.e., by the Xe driver). v2: - Make intel_display_device_probe() always return a non-NULL pointer and simplify copying of runtime_defaults. (Andrzej) v3: - Redefine INTEL_VGA_DEVICE/INTEL_QUANTA_DEVICE to eliminate a cast and an include of linux/mod_devicetable.h. (Jani) - Keep explicit memcpy for runtime defaults. (Jani) Cc: Andrzej Hajda Signed-off-by: Matt Roper Reviewed-by: Andrzej Hajda Acked-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20230523195609.73627-5-matthew.d.roper@intel.com Stable-dep-of: 19db2062094c ("drm/i915: No 10bit gamma on desktop gen3 parts") Signed-off-by: Sasha Levin commit 6cebcb7244eb784bf3a8dd892dc1095062f27673 Author: Matt Roper Date: Tue May 23 12:56:06 2023 -0700 drm/i915/display: Move display runtime info to display structure [ Upstream commit 18e0deeed8c80d8ec0adfff3312252028739ce52 ] Move the runtime info specific to display into display-specific structures as has already been done with the constant display info. v2: - Rename __runtime to __runtime_defaults for more clarity on the purpose. (Andrzej) - Move introduction of DISPLAY_INFO() to previous patch. (Andrzej) - Drop NO_DISPLAY macro. (Andrzej) v3: - Use "{}" instead of "{ 0 }" for empty struct init. (Jani) Cc: Andrzej Hajda Signed-off-by: Matt Roper Reviewed-by: Andrzej Hajda Acked-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20230523195609.73627-4-matthew.d.roper@intel.com Stable-dep-of: 19db2062094c ("drm/i915: No 10bit gamma on desktop gen3 parts") Signed-off-by: Sasha Levin commit 60ad0bef4ae45486c65a0f341c018aa73bc6dba6 Author: Matt Roper Date: Tue May 23 12:56:05 2023 -0700 drm/i915: Convert INTEL_INFO()->display to a pointer [ Upstream commit 5af5169d758275490ab00e209a09dc1d6b85e535 ] Rather than embeddeding the display's device info within the main device info structure, just provide a pointer to the display-specific structure. This is in preparation for moving the display device info definitions into the display code itself and for eventually allowing the pointer to be assigned at runtime on platforms that use GMD_ID for device identification. In the future, this will also eventually allow the same display device info structures to be used outside the current i915 code (e.g., from the Xe driver). v2: - Move introduction of DISPLAY_INFO() to this patch. (Andrzej) v3: - Also use DISPLAY_INFO() in intel_display_reg_defs.h. (Andrzej) - Use "{}" instead of "{ 0 }" for empty struct init. (Jani) Signed-off-by: Matt Roper Acked-by: Lucas De Marchi Reviewed-by: Andrzej Hajda Acked-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20230523195609.73627-3-matthew.d.roper@intel.com Stable-dep-of: 19db2062094c ("drm/i915: No 10bit gamma on desktop gen3 parts") Signed-off-by: Sasha Levin commit 52a4dcf7adf8b7f242718c233e22d62a002195ea Author: Matt Roper Date: Tue May 23 12:56:04 2023 -0700 drm/i915/display: Move display device info to header under display/ [ Upstream commit 05aa8e0135094ae3d1e6837b5457a740266d7cfc ] Moving display-specific substructure definitions will help keep display more self-contained and make it easier to re-use in other drivers (i.e., Xe) in the future. Signed-off-by: Matt Roper Reviewed-by: Andrzej Hajda Reviewed-by: Lucas De Marchi Link: https://patchwork.freedesktop.org/patch/msgid/20230523195609.73627-2-matthew.d.roper@intel.com Stable-dep-of: 19db2062094c ("drm/i915: No 10bit gamma on desktop gen3 parts") Signed-off-by: Sasha Levin commit 49f12dcba5bd2722b4f52048b0fe2cfdf7205e4d Author: Jani Nikula Date: Tue Apr 11 13:56:43 2023 +0300 drm/i915: hide mkwrite_device_info() better [ Upstream commit 446a20c9ba622bb531f1705eab88b64d478ee434 ] The goal has been to just make device info a pointer to static const data, i.e. the static const structs in i915_pci.c. See [1]. However, there were issues with intel_device_info_runtime_init() clearing the display sub-struct of device info on the !HAS_DISPLAY() path, which consequently disables a lot of display functionality, like it should. Looks like we'd have to cover all those paths, and maybe sprinkle HAS_DISPLAY() checks in them, which we haven't gotten around to. In the mean time, hide mkwrite_device_info() better within intel_device_info.c by adding a intel_device_info_driver_create() for the very early initialization of the device info and initial runtime info. This also lets us declutter i915_drv.h a bit, and stops promoting mkwrite_device_info() as something that could be used. [1] https://lore.kernel.org/r/a0422f0a8ac055f65b7922bcd3119b180a41e79e.1655712106.git.jani.nikula@intel.com Signed-off-by: Jani Nikula Reviewed-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20230411105643.292416-1-jani.nikula@intel.com Stable-dep-of: 19db2062094c ("drm/i915: No 10bit gamma on desktop gen3 parts") Signed-off-by: Sasha Levin commit 5e38c05d06f573af7eee07ab635f5a489258dd77 Author: Ville Syrjälä Date: Wed Mar 29 16:49:51 2023 +0300 drm/i915: Fix limited range csc matrix [ Upstream commit 404c3acda4b65924c05bc63242e94f954f84c165 ] Our current limited range matrix is a bit off. I think it was originally calculated with rounding, as if we wanted the normal pixel replication type of behaviour. That is, since the 8bpc max value is 0xeb we assumed the 16bpc max value should be 0xebeb, but what the HDMI spec actually says it should be is 0xeb00. So to get what we want we make the formula out = in * (235-16) << (12-8) / in_max + 16 << (12-8), with 12 being precision of the csc, 8 being the precision of the constants we used. The hardware takes its coefficients as floating point values, but the (235−16)/255 = ~.86, so exponent 0 is what we want anyway, so it works out perfectly without having to hardcode it in hex or start playing with floats. In terms of raw numbers we are feeding the hardware the post offset changes from 0x101 to 0x100, and the coefficient changes from 0xdc0 to 0xdb0 (~.860->~.855). So this should make everything come out just a tad darker. I already used better constants in lut_limited_range() earlier so the output of the two paths should be closer now. Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20230329135002.3096-2-ville.syrjala@linux.intel.com Reviewed-by: Ankit Nautiyal Stable-dep-of: 19db2062094c ("drm/i915: No 10bit gamma on desktop gen3 parts") Signed-off-by: Sasha Levin commit dcb706a93aa9d7974216ecbd57b6d632ffec31b6 Author: Bjorn Andersson Date: Mon May 22 18:04:41 2023 -0700 dt-bindings: arm-smmu: Fix SC8280XP Adreno binding [ Upstream commit 84b8a7fe29205016cffd4eff91b45830d318b53d ] The qcom,sc8280xp-smmu-500 Adreno SMMU binding has clocks, so fix up the binding to allow this. Fixes: 38db6b41b2f4 ("dt-bindings: arm-smmu: Add compatible for Qualcomm SC8280XP") Signed-off-by: Bjorn Andersson Acked-by: Conor Dooley Link: https://lore.kernel.org/r/20230523010441.63236-1-quic_bjorande@quicinc.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 09ea1ae4a2ec17774892cfcff50f6d33dfa1e06f Author: Christophe JAILLET Date: Sun Jun 4 17:42:28 2023 +0200 fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe() [ Upstream commit 79a3908d1ea6c35157a6d907b1a9d8ec06015e7a ] If 'mipid_detect()' fails, we must free 'md' to avoid a memory leak. Fixes: 66d2f99d0bb5 ("omapfb: add support for MIPI-DCS compatible LCDs") Signed-off-by: Christophe JAILLET Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit c5cf611bc2d06a3a2a28197ac39a5fe8cad47d62 Author: Kuogee Hsieh Date: Thu May 25 10:40:55 2023 -0700 drm/msm/dpu: always clear every individual pending flush mask [ Upstream commit 625cbb077007698060b12d0ae5657a4d8411b153 ] There are two tiers of pending flush control, top level and individual hardware block. Currently only the top level of flush mask is reset to 0 but the individual pending flush masks of particular hardware blocks are left at their previous values, eventually accumulating all possible bit values and typically flushing more than necessary. Reset all individual hardware block flush masks to 0 to avoid accidentally flushing them. Changes in V13: -- rewording commit text -- add an empty space line as suggested Changes in V14: -- add Fixes tag Fixes: 73bfb790ac78 ("msm:disp:dpu1: setup display datapath for SC7180 target") Signed-off-by: Kuogee Hsieh Reviewed-by: Dmitry Baryshkov Reviewed-by: Marijn Suijten Patchwork: https://patchwork.freedesktop.org/patch/539508/ Link: https://lore.kernel.org/r/1685036458-22683-8-git-send-email-quic_khsieh@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 39d4953eb1577edeb28074b9b0eabf71d3e52cdd Author: Kuogee Hsieh Date: Thu May 25 10:40:49 2023 -0700 drm/msm/dpu: set DSC flush bit correctly at MDP CTL flush register [ Upstream commit 12cef323c903bd8b13d1f6ff24a9695c2cdc360b ] The CTL_FLUSH register should be programmed with the 22th bit (DSC_IDX) to flush the DSC hardware blocks, not the literal value of 22 (which corresponds to flushing VIG1, VIG2 and RGB1 instead). Changes in V12: -- split this patch out of "separate DSC flush update out of interface" Changes in V13: -- rewording the commit text Changes in V14: -- drop 'DSC" from "The DSC CTL_FLUSH register" at commit text Fixes: 77f6da90487c ("drm/msm/disp/dpu1: Add DSC support in hw_ctl") Signed-off-by: Kuogee Hsieh Reviewed-by: Marijn Suijten Patchwork: https://patchwork.freedesktop.org/patch/539496/ Link: https://lore.kernel.org/r/1685036458-22683-2-git-send-email-quic_khsieh@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit d3f8cec5bebc3ccad43625fc1686bf917aadaeb3 Author: Wolfram Sang Date: Thu May 25 10:48:22 2023 +0200 arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1 [ Upstream commit 1a2c4e5635177939a088d22fa35c6a7032725663 ] The schematics are misleading, the flow control is for HSCIF1. We need SCIF1 for GNSS/GPS which does not use flow control. Fixes: c6c816e22bc8 ("arm64: dts: ulcb-kf: enable SCIF1") Signed-off-by: Wolfram Sang Reviewed-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20230525084823.4195-2-wsa+renesas@sang-engineering.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 750b4a2f223cc5866282c5111643d98738fbadd1 Author: Geert Uytterhoeven Date: Tue May 23 17:35:16 2023 +0200 ARM: dts: iwg20d-q7-common: Fix backlight pwm specifier [ Upstream commit 0501fdec106a291c43b3c1b525cf22ab4c24b2d8 ] make dtbs_check: arch/arm/boot/dts/renesas/r8a7743-iwg20d-q7.dtb: backlight: pwms: [[58, 0, 5000000], [0]] is too long From schema: Documentation/devicetree/bindings/leds/backlight/pwm-backlight.yaml arch/arm/boot/dts/renesas/r8a7743-iwg20d-q7-dbcm-ca.dtb: backlight: pwms: [[67, 0, 5000000], [0]] is too long From schema: Documentation/devicetree/bindings/leds/backlight/pwm-backlight.yaml arch/arm/boot/dts/renesas/r8a7744-iwg20d-q7-dbcm-ca.dtb: backlight: pwms: [[67, 0, 5000000], [0]] is too long From schema: Documentation/devicetree/bindings/leds/backlight/pwm-backlight.yaml arch/arm/boot/dts/renesas/r8a7744-iwg20d-q7.dtb: backlight: pwms: [[58, 0, 5000000], [0]] is too long From schema: Documentation/devicetree/bindings/leds/backlight/pwm-backlight.yaml PWM specifiers referring to R-Car PWM Timer Controllers should contain only two cells. Fix this by dropping the bogus third cell. Fixes: 6f89dd9e9325d05b ("ARM: dts: iwg20d-q7-common: Add LCD support") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/6e5c3167424a43faf8c1fa68d9667b3d87dc86d8.1684855911.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 7683db01d921693102280db10fffb81c09989818 Author: Chengchang Tang Date: Tue May 23 20:16:40 2023 +0800 RDMA/hns: Fix hns_roce_table_get return value [ Upstream commit cf5b608fb0e369c473a8303cad6ddb386505e5b8 ] The return value of set_hem has been fixed to ENODEV, which will lead a diagnostic information missing. Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") Link: https://lore.kernel.org/r/20230523121641.3132102-3-huangjunxian6@hisilicon.com Signed-off-by: Chengchang Tang Signed-off-by: Junxian Huang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 2c0445bc8dbdacda32b86fb6a8ecaf125035e320 Author: Brendan Cunningham Date: Fri May 19 12:32:16 2023 -0400 IB/hfi1: Fix wrong mmu_node used for user SDMA packet after invalidate [ Upstream commit c9358de193ecfb360c3ce75f27ce839ca0b0bc8c ] The hfi1 user SDMA pinned-page cache will leave a stale cache entry when the cache-entry's virtual address range is invalidated but that cache entry is in-use by an outstanding SDMA request. Subsequent user SDMA requests with buffers in or spanning the virtual address range of the stale cache entry will result in packets constructed from the wrong memory, the physical pages pointed to by the stale cache entry. To fix this, remove mmu_rb_node cache entries from the mmu_rb_handler cache independent of the cache entry's refcount. Add 'struct kref refcount' to struct mmu_rb_node and manage mmu_rb_node lifetime with kref_get() and kref_put(). mmu_rb_node.refcount makes sdma_mmu_node.refcount redundant. Remove 'atomic_t refcount' from struct sdma_mmu_node and change sdma_mmu_node code to use mmu_rb_node.refcount. Move the mmu_rb_handler destructor call after a wait-for-SDMA-request-completion call so mmu_rb_nodes that need mmu_rb_handler's workqueue to queue themselves up for destruction from an interrupt context may do so. Fixes: f48ad614c100 ("IB/hfi1: Move driver out of staging") Fixes: 00cbce5cbf88 ("IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests") Link: https://lore.kernel.org/r/168451393605.3700681.13493776139032178861.stgit@awfm-02.cornelisnetworks.com Reviewed-by: Dean Luick Signed-off-by: Brendan Cunningham Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 71fb1072babaeda74561d99b713eb4363620faab Author: Arnd Bergmann Date: Tue May 23 13:18:45 2023 +0200 RDMA/irdma: avoid fortify-string warning in irdma_clr_wqes [ Upstream commit b002760f877c0d91ecd3c78565b52f4bbac379dd ] Commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3") triggers a warning for fortified memset(): In function 'fortify_memset_chk', inlined from 'irdma_clr_wqes' at drivers/infiniband/hw/irdma/uk.c:103:4: include/linux/fortify-string.h:493:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning] 493 | __write_overflow_field(p_size_field, size); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The problem here isthat the inner array only has four 8-byte elements, so clearing 4096 bytes overflows that. As this structure is part of an outer array, change the code to pass a pointer to the irdma_qp_quanta instead, and change the size argument for readability, matching the comment above it. Fixes: 551c46edc769 ("RDMA/irdma: Add user/kernel shared libraries") Link: https://lore.kernel.org/r/20230523111859.2197825-1-arnd@kernel.org Signed-off-by: Arnd Bergmann Acked-by: Shiraz Saleem Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 7471870af6c1be9b5958572e008ce838f9c74ce1 Author: Randy Dunlap Date: Sun May 21 15:52:16 2023 -0700 soc/fsl/qe: fix usb.c build errors [ Upstream commit 7b1a78babd0d2cd27aa07255dee0c2d7ac0f31e3 ] Fix build errors in soc/fsl/qe/usb.c when QUICC_ENGINE is not set. This happens when PPC_EP88XC is set, which selects CPM1 & CPM. When CPM is set, USB_FSL_QE can be set without QUICC_ENGINE being set. When USB_FSL_QE is set, QE_USB deafults to y, which causes build errors when QUICC_ENGINE is not set. Making QE_USB depend on QUICC_ENGINE prevents QE_USB from defaulting to y. Fixes these build errors: drivers/soc/fsl/qe/usb.o: in function `qe_usb_clock_set': usb.c:(.text+0x1e): undefined reference to `qe_immr' powerpc-linux-ld: usb.c:(.text+0x2a): undefined reference to `qe_immr' powerpc-linux-ld: usb.c:(.text+0xbc): undefined reference to `qe_setbrg' powerpc-linux-ld: usb.c:(.text+0xca): undefined reference to `cmxgcr_lock' powerpc-linux-ld: usb.c:(.text+0xce): undefined reference to `cmxgcr_lock' Fixes: 5e41486c408e ("powerpc/QE: add support for QE USB clocks routing") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Link: https://lore.kernel.org/all/202301101500.pillNv6R-lkp@intel.com/ Suggested-by: Michael Ellerman Cc: Christophe Leroy Cc: Leo Li Cc: Masahiro Yamada Cc: Nicolas Schier Cc: Qiang Zhao Cc: linuxppc-dev Cc: linux-arm-kernel@lists.infradead.org Cc: Kumar Gala Acked-by: Nicolas Schier Signed-off-by: Li Yang Signed-off-by: Sasha Levin commit a1abe77c3db634a348c8f75e86630d1a8f82346b Author: Martin Blumenstingl Date: Tue May 16 22:30:29 2023 +0200 ARM: dts: meson8: correct uart_B and uart_C clock references [ Upstream commit 98b503c7fb13a17a47d8ebf15fa8f7c10118e75c ] On Meson8 uart_B and uart_C do not work, because they are relying on incorrect clocks. Change the references of pclk to the correct CLKID (UART1 for uart_B and UART2 for uart_C), to allow use of the two uarts. This was originally reported by Hans-Frieder Vogt for Meson8b [0], but the same bug is also present in meson8.dtsi [0] https://lore.kernel.org/linux-amlogic/trinity-bf20bcb9-790b-4ab9-99e3-0831ef8257f4-1680878185420@3c-app-gmx-bap55/ Fixes: 57007bfb5469 ("ARM: dts: meson8: Fix the UART device-tree schema validation") Reported-by: Hans-Frieder Vogt # for meson8b.dtsi Signed-off-by: Martin Blumenstingl Link: https://lore.kernel.org/r/20230516203029.1031174-1-martin.blumenstingl@googlemail.com Signed-off-by: Neil Armstrong Signed-off-by: Sasha Levin commit 995a3881b043b9797b1c178718e25ac80d9be7ad Author: Cristian Ciocaltea Date: Tue May 30 21:11:39 2023 +0300 ASoC: es8316: Do not set rate constraints for unsupported MCLKs [ Upstream commit 60413129ee2b38a80347489270af7f6e1c1de4d0 ] When using the codec through the generic audio graph card, there are at least two calls of es8316_set_dai_sysclk(), with the effect of limiting the allowed sample rates according to the MCLK/LRCK ratios supported by the codec: 1. During audio card setup, to set the initial MCLK - see asoc_simple_init_dai(). 2. Before opening a stream, to update MCLK, according to the stream sample rate and the multiplication factor - see asoc_simple_hw_params(). In some cases the initial MCLK might be set to a frequency that doesn't match any of the supported ratios, e.g. 12287999 instead of 12288000, which is only 1 Hz below the supported clock, as that is what the hardware reports. This creates an empty list of rate constraints, which is further passed to snd_pcm_hw_constraint_list() via es8316_pcm_startup(), and causes the following error on the very first access of the sound card: $ speaker-test -D hw:Analog,0 -F S16_LE -c 2 -t wav Broken configuration for playback: no configurations available: Invalid argument Setting of hwparams failed: Invalid argument Note that all subsequent retries succeed thanks to the updated MCLK set at point 2 above, which uses a computed frequency value instead of a reading from the hardware registers. Normally this would have mitigated the issue, but es8316_pcm_startup() executes before the 2nd call to es8316_set_dai_sysclk(), hence it cannot make use of the updated constraints. Since es8316_pcm_hw_params() performs anyway a final validation of MCLK against the stream sample rate and the supported MCLK/LRCK ratios, fix the issue by ensuring that sysclk_constraints list is only set when at least one supported sample rate is autodetected by the codec. Fixes: b8b88b70875a ("ASoC: add es8316 codec driver") Signed-off-by: Cristian Ciocaltea Link: https://lore.kernel.org/r/20230530181140.483936-3-cristian.ciocaltea@collabora.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8a2ca32f9df57941c96e3a0e550e3db77e087274 Author: Cristian Ciocaltea Date: Tue May 30 21:11:38 2023 +0300 ASoC: es8316: Increment max value for ALC Capture Target Volume control [ Upstream commit 6f073429037cd79d7311cd8236311c53f5ea8f01 ] The following error occurs when trying to restore a previously saved ALSA mixer state (tested on a Rock 5B board): $ alsactl --no-ucm -f /tmp/asound.state store hw:Analog $ alsactl --no-ucm -I -f /tmp/asound.state restore hw:Analog alsactl: set_control:1475: Cannot write control '2:0:0:ALC Capture Target Volume:0' : Invalid argument According to ES8316 datasheet, the register at address 0x2B, which is related to the above mixer control, contains by default the value 0xB0. Considering the corresponding ALC target bits (ALCLVL) are 7:4, the control is initialized with 11, which is one step above the maximum value allowed by the driver: ALCLVL | dB gain -------+-------- 0000 | -16.5 0001 | -15.0 0010 | -13.5 .... | ..... 0111 | -6.0 1000 | -4.5 1001 | -3.0 1010 | -1.5 .... | ..... 1111 | -1.5 The tests performed using the VU meter feature (--vumeter=TYPE) of arecord/aplay confirm the specs are correct and there is no measured gain if the 1011-1111 range would have been mapped to 0 dB: dB gain | VU meter % --------+----------- -6.0 | 30-31 -4.5 | 35-36 -3.0 | 42-43 -1.5 | 50-51 0.0 | 50-51 Increment the max value allowed for ALC Capture Target Volume control, so that it matches the hardware default. Additionally, update the related TLV to prevent an artificial extension of the dB gain range. Fixes: b8b88b70875a ("ASoC: add es8316 codec driver") Signed-off-by: Cristian Ciocaltea Link: https://lore.kernel.org/r/20230530181140.483936-2-cristian.ciocaltea@collabora.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 9a707ac99e43affaa3282108ffa498c418a3df46 Author: Dmitry Baryshkov Date: Sun May 7 22:07:33 2023 +0300 ARM: dts: qcom: apq8074-dragonboard: Set DMA as remotely controlled [ Upstream commit e60c230588d88036f974cec7e93361e2c4f62226 ] Add the qcom,controlled-remotely property for the blsp2_bam controller node. This board requires this, otherwise the board stalls during the boot for some reason (most probably because TZ mishandles the protection error and keeps on looping somewhere inside). Fixes: 62bc81792223 dts: msm8974: Add blsp2_bam dma node Signed-off-by: Dmitry Baryshkov Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230507190735.2333145-3-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit e88c77ed9a28fe94fb7b50b0a3c13f12a3c9d938 Author: Krzysztof Kozlowski Date: Sat May 13 13:29:31 2023 +0200 memory: brcmstb_dpfe: fix testing array offset after use [ Upstream commit 1d9e93fad549bc38f593147479ee063f2872c170 ] Code should first check for valid value of array offset, then use it as the index. Fixes smatch warning: drivers/memory/brcmstb_dpfe.c:443 __send_command() error: testing array offset 'cmd' after use. Fixes: 2f330caff577 ("memory: brcmstb: Add driver for DPFE") Acked-by: Markus Mayer Reviewed-by: Florian Fainelli Link: https://lore.kernel.org/r/20230513112931.176066-1-krzysztof.kozlowski@linaro.org Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit e96627d8cafa5c87cc65d281b9a4d009e7af4dbf Author: Marek Vasut Date: Thu May 18 02:42:32 2023 +0200 ARM: dts: stm32: Shorten the AV96 HDMI sound card name [ Upstream commit 0cf765e598712addec34d0208cc1418c151fefb2 ] Fix the following error in kernel log due to too long sound card name: " asoc-audio-graph-card sound: ASoC: driver name too long 'STM32MP1-AV96-HDMI' -> 'STM32MP1-AV96-H' " Fixes: e027da342772 ("ARM: dts: stm32: Add bindings for audio on AV96") Signed-off-by: Marek Vasut Signed-off-by: Alexandre Torgue Signed-off-by: Sasha Levin commit d15921c876caa7388309499a46702492fe0a72f9 Author: Douglas Anderson Date: Mon May 15 13:13:54 2023 -0700 arm64: dts: mediatek: mt8195: Add mediatek,broken-save-restore-fw to cherry [ Upstream commit ea6c5f21efecbaa3a14cb21c5bc0e23c84473a11 ] Firmware shipped on mt8195 Chromebooks is affected by the GICR save/restore issue as described by the patch ("dt-bindings: interrupt-controller: arm,gic-v3: Add quirk for Mediatek SoCs w/ broken FW"). Add the quirk property. Fixes: 5eb2e303ec6b ("arm64: dts: mediatek: Introduce MT8195 Cherry platform's Tomato") Reviewed-by: Julius Werner Signed-off-by: Douglas Anderson Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20230515131353.v2.5.Ia0b6ebbaa351e3cd67e201355b9ae67783c7d718@changeid Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit 030f1a8d561e21d5017aadfb43a337f46cd87f5a Author: Douglas Anderson Date: Mon May 15 13:13:53 2023 -0700 arm64: dts: mediatek: mt8192: Add mediatek,broken-save-restore-fw to asurada [ Upstream commit d72cfbd6fcf7cd02084991eee47ecc9f4b4c1e69 ] Firmware shipped on mt8192 Chromebooks is affected by the GICR save/restore issue as described by the patch ("dt-bindings: interrupt-controller: arm,gic-v3: Add quirk for Mediatek SoCs w/ broken FW"). Add the quirk property. Fixes: 331fae2fc922 ("arm64: dts: mediatek: Introduce MT8192-based Asurada board family") Reviewed-by: Julius Werner Signed-off-by: Douglas Anderson Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20230515131353.v2.4.Ie7e600278ffbed55a1e5a58178203787b1449b35@changeid Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit b43580648240cdca074bb985b4842d439fc8eb6a Author: Douglas Anderson Date: Mon May 15 13:13:52 2023 -0700 arm64: dts: mediatek: mt8183: Add mediatek,broken-save-restore-fw to kukui [ Upstream commit 42127f578ebde652d1373e0233356fbd351675c4 ] Firmware shipped on mt8183 Chromebooks is affected by the GICR save/restore issue as described by the patch ("dt-bindings: interrupt-controller: arm,gic-v3: Add quirk for Mediatek SoCs w/ broken FW"). Add the quirk property. Fixes: cd894e274b74 ("arm64: dts: mt8183: Add krane-sku176 board") Reviewed-by: Julius Werner Signed-off-by: Douglas Anderson Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20230515131353.v2.3.I525a2ed4260046d43c885ee1275e91707743df1c@changeid Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit f4825ddd79fd215d838f76f4b54e204b4fddef8f Author: Krzysztof Kozlowski Date: Sun May 7 19:45:16 2023 +0200 arm64: dts: qcom: apq8096: fix fixed regulator name property [ Upstream commit c77612a07d18d4425fd8ddd532a8a9b8e1970c53 ] Correct the typo in 'regulator-name' property. apq8096-ifc6640.dtb: v1p05-regulator: 'regulator-name' is a required property apq8096-ifc6640.dtb: v1p05-regulator: Unevaluated properties are not allowed ('reglator-name' was unexpected) Fixes: 6cbdec2d3ca6 ("arm64: dts: qcom: msm8996: Introduce IFC6640") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230507174516.264936-3-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 9c6e6c80a4766fcfa1160a9000000e21b4f19dd5 Author: Luca Weiss Date: Fri Apr 7 09:45:44 2023 +0200 arm64: dts: qcom: pm7250b: add missing spmi-vadc include [ Upstream commit 83022f6484b11a60dbf9a95a88c7ef8e59c4b19c ] This file is using definitions from the spmi-vadc header, so we need to include it. Fixes: 11975b9b8135 ("arm64: dts: qcom: Add pm7250b PMIC") Signed-off-by: Luca Weiss Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230407-pm7250b-sid-v1-1-fc648478cc25@fairphone.com Signed-off-by: Sasha Levin commit dcdc7ad503f7fc6c7102a1572f565be1a6282d8b Author: Arnd Bergmann Date: Tue May 16 17:31:04 2023 +0200 ARM: omap2: fix missing tick_broadcast() prototype [ Upstream commit 861bc1d2886d47bd57a2cbf2cda87fdbe3eb9d08 ] omap2 contains a hack to define tick_broadcast() on non-SMP configurations in place of the normal SMP definition. This one causes a warning because of a missing prototype: arch/arm/mach-omap2/board-generic.c:44:6: error: no previous prototype for 'tick_broadcast' Make sure to always include the header with the declaration. Fixes: d86ad463d670 ("ARM: OMAP2+: Fix regression for using local timer on non-SMP SoCs") Acked-by: Aaro Koskinen Link: https://lore.kernel.org/r/20230516153109.514251-9-arnd@kernel.org Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit fddc878c8cbac90eb0ea62e3f8301ca6da683ba1 Author: Arnd Bergmann Date: Tue May 16 17:30:58 2023 +0200 ARM: ep93xx: fix missing-prototype warnings [ Upstream commit 419013740ea1e4343d8ade535d999f59fa28e460 ] ep93xx_clocksource_read() is only called from the file it is declared in, while ep93xx_timer_init() is declared in a header that is not included here. arch/arm/mach-ep93xx/timer-ep93xx.c:120:13: error: no previous prototype for 'ep93xx_timer_init' arch/arm/mach-ep93xx/timer-ep93xx.c:63:5: error: no previous prototype for 'ep93xx_clocksource_read' Fixes: 000bc17817bf ("ARM: ep93xx: switch to GENERIC_CLOCKEVENTS") Acked-by: Alexander Sverdlin Link: https://lore.kernel.org/r/20230516153109.514251-3-arnd@kernel.org Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 004132ef43b95cfbcadd75cddbfaf9581823bbb1 Author: Dario Binacchi Date: Tue May 16 10:50:39 2023 +0200 drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H [ Upstream commit f24b49550814fdee4a98b9552e35e243ccafd4a8 ] The previous setting was related to the overall dimension and not to the active display area. In the "PHYSICAL SPECIFICATIONS" section, the datasheet shows the following parameters: ---------------------------------------------------------- | Item | Specifications | unit | ---------------------------------------------------------- | Display area | 98.7 (W) x 57.5 (H) | mm | ---------------------------------------------------------- | Overall dimension | 105.5(W) x 67.2(H) x 4.96(D) | mm | ---------------------------------------------------------- Fixes: 966fea78adf2 ("drm/panel: simple: Add support for Ampire AM-480272H3TMQW-T01H") Signed-off-by: Dario Binacchi Reviewed-by: Neil Armstrong [narmstrong: fixed Fixes commit id length] Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20230516085039.3797303-1-dario.binacchi@amarulasolutions.com Signed-off-by: Sasha Levin commit c4644cc1082e73d7de82ae66528b910f1b908891 Author: Adam Ford Date: Thu May 25 22:05:54 2023 -0500 drm: bridge: samsung-dsim: Fix PMS Calculator on imx8m[mnp] [ Upstream commit 54f1a83c72250b182fa7722b0c5f6eb5e769598d ] According to Table 13-45 of the i.MX8M Mini Reference Manual, the min and max values for M and the frequency range for the VCO_out calculator were incorrect. This information was contradicted in other parts of the mini, nano and plus manuals. After reaching out to my NXP Rep, when confronting him about discrepencies in the Nano manual, he responded with: "Yes it is definitely wrong, the one that is part of the NOTE in MIPI_DPHY_M_PLLPMS register table against PMS_P, PMS_M and PMS_S is not correct. I will report this to Doc team, the one customer should be take into account is the Table 13-40 DPHY PLL Parameters and the Note above." These updated values also match what is used in the NXP downstream kernel. To fix this, make new variables to hold the min and max values of m and the minimum value of VCO_out, and update the PMS calculator to use these new variables instead of using hard-coded values to keep the backwards compatibility with other parts using this driver. Fixes: 4d562c70c4dc ("drm: bridge: samsung-dsim: Add i.MX8M Mini/Nano support") Signed-off-by: Adam Ford Reviewed-by: Lucas Stach Tested-by: Chen-Yu Tsai Tested-by: Frieder Schrempf Reviewed-by: Frieder Schrempf Tested-by: Marek Szyprowski Reviewed-by: Jagan Teki Tested-by: Jagan Teki # imx8mm-icore Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20230526030559.326566-3-aford173@gmail.com Signed-off-by: Sasha Levin commit 913821b25186ef6ad62d184faba16deef881abf8 Author: Frieder Schrempf Date: Wed May 3 18:33:07 2023 +0200 drm/bridge: ti-sn65dsi83: Fix enable/disable flow to meet spec [ Upstream commit dd9e329af7236e34c566d3705ea32a63069b9b13 ] The datasheet describes the following initialization flow including minimum delay times between each step: 1. DSI data lanes need to be in LP-11 and the clock lane in HS mode 2. toggle EN signal 3. initialize registers 4. enable PLL 5. soft reset 6. enable DSI stream 7. check error status register To meet this requirement we need to make sure the host bridge's pre_enable() is called first by using the pre_enable_prev_first flag. Furthermore we need to split enable() into pre_enable() which covers steps 2-5 from above and enable() which covers step 7 and is called after the host bridge's enable(). Signed-off-by: Frieder Schrempf Fixes: ceb515ba29ba ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver") Tested-by: Alexander Stein #TQMa8MxML/MBa8Mx Reviewed-by: Neil Armstrong Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20230503163313.2640898-3-frieder@fris.de Signed-off-by: Sasha Levin commit bad174e652c182f4a36ad5383b4dd627b60c3ce3 Author: Stephan Gerhold Date: Wed May 17 20:48:41 2023 +0200 arm64: dts: qcom: apq8016-sbc: Fix 1.8V power rail on LS expansion [ Upstream commit 5500f823db38db073d30557af159b77fb1f2bf26 ] The 96Boards specification expects a 1.8V power rail on the low-speed expansion connector that is able to provide at least 0.18W / 100 mA. According to the DB410c hardware user manual this is done by connecting both L15 and L16 in parallel with up to 55mA each (for 110 mA total) [1]. Unfortunately the current regulator setup in the DB410c device tree does not implement the specification correctly and only provides 5 mA: - Only L15 is marked always-on, so L16 is never enabled. - Without specifying a load the regulator is put into LPM where it can only provide 5 mA. Fix this by: - Adding proper voltage constraints for L16. - Making L16 always-on. - Adding regulator-system-load for both L15 and L16. 100 mA should be available in total, so specify 50 mA for each. (The regulator hardware can only be in normal (55 mA) or low-power mode (5 mA) so this will actually result in the expected 110 mA total...) [1]: https://www.96boards.org/documentation/consumer/dragonboard/dragonboard410c/hardware-docs/hardware-user-manual.md.html#power-supplies Cc: Srinivas Kandagatla Fixes: 828dd5d66f0f ("arm64: dts: apq8016-sbc: make 1.8v available on LS expansion") Signed-off-by: Stephan Gerhold Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230510-msm8916-regulators-v1-2-54d4960a05fc@gerhold.net Signed-off-by: Sasha Levin commit 957e97b51ecf32c9b852323bb7d2c431d0567475 Author: Stephan Gerhold Date: Wed May 17 20:48:40 2023 +0200 arm64: dts: qcom: apq8016-sbc: Fix regulator constraints [ Upstream commit e27654df20d77ad7549a3cf6739ebaa3aa59a088 ] For some reason DB410c has completely bogus regulator constraints that actually just correspond to the programmable voltages which are already provided by the regulator driver. Some of them are not just outside the recommended operating conditions of the APQ8016E SoC but even exceed the absolute maximum ratings, potentially risking permanent device damage. In practice it's not quite as dangerous thanks to the RPM firmware: It turns out that it has its own voltage constraints and silently clamps all regulator requests. For example, requesting 3.3V for L5 (allowed by the current regulator constraints!) still results in 1.8V being programmed in the actual regulator hardware. Experimentation with various voltages shows that the internal RPM voltage constraints roughly correspond to the safe "specified range" in the PM8916 Device Specification (rather than the "programmable range" used inside apq8016-sbc.dtsi right now). Combine those together with some fixed voltages used in the old msm-3.10 device tree from Qualcomm to give DB410c some actually valid voltage constraints. Cc: Srinivas Kandagatla Fixes: 4c7d53d16d77 ("arm64: dts: apq8016-sbc: add regulators support") Signed-off-by: Stephan Gerhold Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230510-msm8916-regulators-v1-1-54d4960a05fc@gerhold.net Signed-off-by: Sasha Levin commit ad88ee56a3b1998621adaf602bca5ac205c17239 Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:56 2023 +0200 arm64: dts: qcom: sdm845-polaris: add missing touchscreen child node reg [ Upstream commit 4a0156b8862665a3e31c8280607388e3001ace3d ] Add missing reg property to touchscreen child node to fix dtbs W=1 warnings: Warning (unit_address_vs_reg): /soc@0/geniqup@ac0000/i2c@a98000/touchscreen@20/rmi4-f12@12: node has a unit name, but no reg or ranges property Fixes: be497abe19bf ("arm64: dts: qcom: Add support for Xiaomi Mi Mix2s") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Reviewed-by: Molly Sophia Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-18-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 05b4bdd030da1924bfd2e30a87c80293f7de2c91 Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:55 2023 +0200 arm64: dts: qcom: sm8550: correct pinctrl unit address [ Upstream commit 950a4fe6ec8498799d1c7bd31a489a718f94a87e ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc@0/pinctrl@f000000: simple-bus unit address format error, expected "f100000" Fixes: ffc50b2d3828 ("arm64: dts: qcom: Add base SM8550 dtsi") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-17-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 4846ab444b65dd01dd36ffc4b669126a81c73053 Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:54 2023 +0200 arm64: dts: qcom: sm8550: correct crypto unit address [ Upstream commit 3cbf49ef16962ab6d99a3659cb34a33c5f147b50 ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc@0/crypto@1de0000: simple-bus unit address format error, expected "1dfa000" Fixes: 433477c3bf0b ("arm64: dts: qcom: sm8550: add QCrypto nodes") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-16-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit e1cb852a904667ad3261c39390cb1c604fe97db6 Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:53 2023 +0200 arm64: dts: qcom: sm8350: correct USB phy unit address [ Upstream commit a560ab70c6e28ba784a824611d3f58969d8fadba ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc@0/phy@88e9000: simple-bus unit address format error, expected "88e8000" Fixes: 2458a305e80e ("arm64: dts: qcom: sm8350: switch to combo usb3/dp phy") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-15-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 8d468bfdd82313350cf82aaae6914d20376ce126 Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:52 2023 +0200 arm64: dts: qcom: sm8350: correct PCI phy unit address [ Upstream commit ab98c21bc9246f421a6ae70e69f1b73cea6f85e3 ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc@0/phy@1c0f000: simple-bus unit address format error, expected "1c0e000" Fixes: 6daee40678a0 ("arm64: dts: qcom: sm8350: add PCIe devices") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-14-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 09cc30c3249f675111836883d56d94649fb47837 Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:51 2023 +0200 arm64: dts: qcom: sm8350: correct DMA controller unit address [ Upstream commit 41d6bca799b3f40d4d3c22dd4545aeac7c210e33 ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc@0/dma-controller@900000: simple-bus unit address format error, expected "9800000" Fixes: bc08fbf49bc8 ("arm64: dts: qcom: sm8350: Define GPI DMA engines") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-13-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 6503a010d6000aa42d29de3c2cc78ab925776423 Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:50 2023 +0200 arm64: dts: qcom: sm6115: correct thermal-sensor unit address [ Upstream commit 2358b43256080459fcc5642265ed4fec75558f8c ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc@0/thermal-sensor@4410000: simple-bus unit address format error, expected "4411000" Fixes: 7b74cba6b13f ("arm64: dts: qcom: sm6115: Add TSENS node") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-12-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit d82338b3f8b4d80ce496cf777cbc1acae3373ba8 Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:49 2023 +0200 arm64: dts: qcom: sdm845: correct camss unit address [ Upstream commit a05b913a27e46926ba60ba2bcacc7ec7a8403e4c ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc@0/camss@a00000: simple-bus unit address format error, expected "acb3000" Fixes: d48a6698a6b7 ("arm64: dts: qcom: sdm845: Add CAMSS ISP node") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-11-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 2805d76a3acf5d561d849078d1d9a67fd43a5883 Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:48 2023 +0200 arm64: dts: qcom: sdm630: correct camss unit address [ Upstream commit c8b7faa7e9913a94444b3f00b6480e53a174fcfd ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc/camss@ca00000: simple-bus unit address format error, expected "ca00020" Fixes: f3d5d3cc6971 ("arm64: dts: qcom: sdm630: Configure the camera subsystem") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-10-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 7aa761aad5f51ef25f419d2a67a4f647d407b322 Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:47 2023 +0200 arm64: dts: qcom: msm8996: correct camss unit address [ Upstream commit e959ced1d0e5ef0b1f66a0c2d0e1ae80790e5ca5 ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc/camss@a00000: simple-bus unit address format error, expected "a34000" Fixes: e0531312e78f ("arm64: dts: qcom: msm8996: Add CAMSS support") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-9-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 8bcc1565662dcf89d27921b5e3d06259016951eb Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:46 2023 +0200 arm64: dts: qcom: msm8994: correct SPMI unit address [ Upstream commit 24f0f6a8059c7108d4ee3476c95db1e7ff4feb79 ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc/spmi@fc4c0000: simple-bus unit address format error, expected "fc4cf000" Fixes: b0ad598f8ec0 ("arm64: dts: qcom: msm8994: Add SPMI PMIC arbiter device") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-8-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit ed8be836eb12225897407c1c7495a0eb1b2638af Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:45 2023 +0200 arm64: dts: qcom: msm8976: correct MMC unit address [ Upstream commit 80284797a4cb8ceae71e3c403bafc6648263a060 ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc@0/mmc@7824000: simple-bus unit address format error, expected "7824900" Warning (simple_bus_reg): /soc@0/mmc@7864000: simple-bus unit address format error, expected "7864900" Warning (simple_bus_reg): /soc@0/mmc@7a24000: simple-bus unit address format error, expected "7a24900" Fixes: 0484d3ce0902 ("arm64: dts: qcom: Add DTS for MSM8976 and MSM8956 SoCs") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Marijn Suijten Reviewed-by: Konrad Dybcio Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-7-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 97027b7777e94bf04f848bced1237b2b13963e03 Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:44 2023 +0200 arm64: dts: qcom: msm8953: correct WCNSS unit address [ Upstream commit 751038676e3075a5cb816034f7d5ba6e95f4486d ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc@0/remoteproc@a21b000: simple-bus unit address format error, expected "a204000" Fixes: b12428640ebe ("arm64: dts: MSM8953: Add wcnss nodes") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-6-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 402feaa3abb26bfcdf191efc74cab3e2544ac825 Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:43 2023 +0200 arm64: dts: qcom: msm8953: correct IOMMU unit address [ Upstream commit 1c06b93461ec9df8a5878947db4a9d2d1cb72855 ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc@0/iommu@1e00000: simple-bus unit address format error, expected "1e20000" Fixes: c0b9575a3606 ("arm64: dts: qcom: msm8953: add APPS IOMMU") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-5-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 473024132d51a846392fc605d8132ba7eaf469a2 Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:42 2023 +0200 arm64: dts: qcom: msm8916: correct WCNSS unit address [ Upstream commit 1f9a41bb0bba7b373c26a6f2cc8d35cc3159c861 ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc@0/remoteproc@a21b000: simple-bus unit address format error, expected "a204000" Fixes: 88106096cbf8 ("ARM: dts: msm8916: Add and enable wcnss node") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-4-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit e85871a543cf545e871b240ad78a54c6621ca0b5 Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:41 2023 +0200 arm64: dts: qcom: msm8916: correct MMC unit address [ Upstream commit 72644bc76d5145c098c268829554a0b98fab1de1 ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc@0/mmc@7824000: simple-bus unit address format error, expected "7824900" Warning (simple_bus_reg): /soc@0/mmc@7864000: simple-bus unit address format error, expected "7864900" Fixes: c4da5a561627 ("arm64: dts: qcom: Add msm8916 sdhci configuration nodes") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-3-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 16943d473757f4db013f51053e71b244665e88f6 Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:40 2023 +0200 arm64: dts: qcom: msm8916: correct camss unit address [ Upstream commit 48798d992ce276cf0d57bf75318daf8eabd02aa4 ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc@0/camss@1b00000: simple-bus unit address format error, expected "1b0ac00" Fixes: 58f479f90a7c ("arm64: dts: qcom: msm8916: Add CAMSS support") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-2-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 49ef21f3a322a992801e408da5f5a9e74e8f8d3d Author: Krzysztof Kozlowski Date: Wed Apr 19 23:18:39 2023 +0200 arm64: dts: qcom: ipq6018: correct qrng unit address [ Upstream commit 085058786a7890dd44ec623fe5ac74db870f6b93 ] Match unit-address to reg entry to fix dtbs W=1 warnings: Warning (simple_bus_reg): /soc/qrng@e1000: simple-bus unit address format error, expected "e3000" Fixes: 5bf635621245 ("arm64: dts: ipq6018: Add a few device nodes") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230419211856.79332-1-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 112a5b53d98be5136369a2624de771555ae1c9ff Author: Dmitry Baryshkov Date: Sun Apr 9 21:21:45 2023 +0300 arm64: dts: qcom: pm8998: don't use GIC_SPI for SPMI interrupts [ Upstream commit d9ef7a805a709a0b07341857d97a25598a7f92da ] Unlike typical GIC interrupts, first cell for SPMI interrupts is the USID rather than GIC_SPI/GIC_PPI/GIC_LPI qualifier. Fix the resin interrupt to use USID value 0x0 rather than GIC_SPI define. Fixes: f86ae6f23a9e ("arm64: dts: qcom: sagit: add initial device tree for sagit") Signed-off-by: Dmitry Baryshkov Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230409182145.122895-1-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit 64a724c183e9538109bc10ee43af2a137cae3c7e Author: Krzysztof Kozlowski Date: Mon Apr 10 19:52:32 2023 +0200 ARM: dts: qcom: msm8974: do not use underscore in node name (again) [ Upstream commit 311bbc884b2edcf584b67d331be85ce43b27586f ] Align RPM requests node with DT schema by using hyphen instead of underscore. Fixes: f300826d27be ("ARM: dts: qcom-msm8974: Sort and clean up nodes") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230410175232.22317-1-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 941403ad8b6e721a0e4a9b47c121aba36837f3ec Author: Linus Walleij Date: Sun Apr 30 21:38:24 2023 +0200 ARM/musb: omap2: Remove global GPIO numbers from TUSB6010 [ Upstream commit 8e0285ab95a9baf374f2c13eb152221c8ecb3f28 ] The TUSB6010 (MUSB) device is picking up some GPIO lines hardcoded by number and passing on to the TUSB6010 device when registering it. Instead of nasty workarounds, provide a GPIO descriptor table and then make the TUSB6010 MUSB glue driver pick up the GPIO lines directly, convert it to an IRQ and pass down to the MUSB driver. OMAP2 is the only system using the TUSB6010. Stash the GPIO descriptors in the glue layer and use then to power up and down the TUSB6010 on-demand, instead of using boardfile callbacks. Since the OMAP2 boards are the only boards using the .set_power() and .board_set_power() callbacks, we can just delete them as the power is now handled directly in the TUSB6010 glue code. Cc: Bin Liu Cc: linux-usb@vger.kernel.org Fixes: 92bf78b33b0b ("gpio: omap: use dynamic allocation of base") Acked-by: Greg Kroah-Hartman Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit fb6ff53562e510c3851de4074c34950ddb20fea6 Author: Linus Walleij Date: Mon May 1 11:05:23 2023 +0200 ARM: omap2: Rewrite WLAN quirk to use GPIO descriptors [ Upstream commit 078dc5194c0ac1b8e2fc088be2168a1104e16f72 ] The OMAP2 platform data quirk is using the global GPIO numberspace to obtain two WLAN GPIOs to drive power and xcvr reset GPIO lines during start-up. Rewrite the quirk to use a GPIO descriptor table so we avoid using global GPIO numbers. This gets rid of the final dependency on the legacy header from the OMAP2/3 platforms. Fixes: 92bf78b33b0b ("gpio: omap: use dynamic allocation of base") Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit b954f4b5f253ef50b4810133e8d4012da7c52048 Author: Linus Walleij Date: Mon May 1 11:05:22 2023 +0200 ARM: omap2: Get USB hub reset GPIO from descriptor [ Upstream commit 94075d16beefc2304e756e3b23d8ecf0f36eecd7 ] This switches the USB hub GPIO reset line handling in the OMAP2 pdata quirks over to using GPIO descriptors to avoid using the global GPIO numberspace. Since the GPIOs are exported and assumedly used by some kind of userspace we cannot simply use hogs in the device tree. Fixes: 92bf78b33b0b ("gpio: omap: use dynamic allocation of base") Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit ad26fd4e08bf8ea43770f1116f50af0e632a788b Author: Linus Walleij Date: Mon May 1 11:05:21 2023 +0200 ARM/gpio: Push OMAP2 quirk down into TWL4030 driver [ Upstream commit d5f4fa60d63aa54ae33339895b88d8932b6037ed ] The TWL4030 GPIO driver has a custom platform data .set_up() callback to call back into the platform and do misc stuff such as hog and export a GPIO for WLAN PWR on a specific OMAP3 board. Avoid all the kludgery in the platform data and the boardfile and just put the quirks right into the driver. Make it conditional on OMAP3. I think the exported GPIO is used by some kind of userspace so ordinary DTS hogs will probably not work. Fixes: 92bf78b33b0b ("gpio: omap: use dynamic allocation of base") Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 8ba4b3fa2c1b09cf2d611caccdc3d165f5bc8b26 Author: Linus Walleij Date: Sun Apr 30 19:56:37 2023 +0200 ARM: omap1: Exorcise the legacy GPIO header [ Upstream commit c729baa8604226a8f878296bd145ab4046c80b12 ] After fixing all the offending users referencing the global GPIO numberspace in OMAP1, a few sites still remain including the legacy header for no reason. Delete the last remaining users, and OMAP1 is free from legacy GPIO dependencies. Fixes: 92bf78b33b0b ("gpio: omap: use dynamic allocation of base") Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit f93c13d3a73e10d9c607010f50e1077b8723cd54 Author: Linus Walleij Date: Sun Apr 30 19:51:30 2023 +0200 ARM: omap1: Make serial wakeup GPIOs use descriptors [ Upstream commit df89de979f0e09e1896d59312362ce1657b848eb ] The code in serial.c looks up GPIOs corresponding to a line on the UART when muxed in as GPIO to use this as a wakeup on serial activity for OMAP1. Utilize the NULL device to define some board-specific GPIO lookups and use these to immediately look up the same GPIOs, set as input and convert to IRQ numbers, then set these to wakeup IRQs. This is ugly but should work. This is only needed on the OSK1 and Nokia 770 devices that use the OMAP16xx. Fixes: 92bf78b33b0b ("gpio: omap: use dynamic allocation of base") Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 7a27d54138b6551d825ad33984f3c13ed1a3488c Author: Linus Walleij Date: Sun Apr 30 11:12:54 2023 +0200 ARM: omap1: Fix up the Nokia 770 board device IRQs [ Upstream commit 084b6f216778b4109123b396b531f12ff6c354e9 ] The platform devices on the Nokia 770 is using some board-specific IRQs that get statically assigned to platform devices in the boardfile. This does not work with dynamic IRQ chip bases. Utilize the NULL device to define some board-specific GPIO lookups and use these to immediately look up the same GPIOs, convert to IRQ numbers and pass as resources to the devices. This is ugly but should work. Fixes: 92bf78b33b0b ("gpio: omap: use dynamic allocation of base") Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit feb0ac7960911808a630dd702a39515442c8a9eb Author: Linus Walleij Date: Mon May 8 23:20:07 2023 +0200 ARM/mmc: Convert old mmci-omap to GPIO descriptors [ Upstream commit e519f0bb64efc2c9c8b67bb2d114dda458bdc34d ] A recent change to the OMAP driver making it use a dynamic GPIO base created problems with some old OMAP1 board files, among them Nokia 770, SX1 and also the OMAP2 Nokia n8x0. Fix up all instances of GPIOs being used for the MMC driver by pushing the handling of power, slot selection and MMC "cover" into the driver as optional GPIOs. This is maybe not the most perfect solution as the MMC framework have some central handlers for some of the stuff, but it at least makes the situtation better and solves the immediate issue. Fixes: 92bf78b33b0b ("gpio: omap: use dynamic allocation of base") Acked-by: Ulf Hansson Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 1a6d8fab9d4aa3de978c426b844978a8eafa63b8 Author: Linus Walleij Date: Mon May 8 23:20:06 2023 +0200 Input: ads7846 - Convert to use software nodes [ Upstream commit 767d83361aaa6a1ecb4d5b89eeb38a267239917a ] The Nokia 770 is using GPIOs from the global numberspace on the CBUS node to pass down to the LCD controller. This regresses when we let the OMAP GPIO driver use dynamic GPIO base. The Nokia 770 now has dynamic allocation of IRQ numbers, so this needs to be fixed for it to work. As this is the only user of LCD MIPID we can easily augment the driver to use a GPIO descriptor instead and resolve the issue. The platform data .shutdown() callback wasn't even used in the code, but we encode a shutdown asserting RESET in the remove() callback for completeness sake. The CBUS also has the ADS7846 touchscreen attached. Populate the devices on the Nokia 770 CBUS I2C using software nodes instead of platform data quirks. This includes the LCD and the ADS7846 touchscreen so the conversion just brings the LCD along with it as software nodes is an all-or-nothing design pattern. The ADS7846 has some limited support for using GPIO descriptors, let's convert it over completely to using device properties and then fix all remaining boardfile users to provide all platform data using software nodes. Dump the of includes and of_match_ptr() in the ADS7846 driver as part of the job. Since we have to move ADS7846 over to obtaining the GPIOs it is using exclusively from descriptors, we provide descriptor tables for the two remaining in-kernel boardfiles using ADS7846: - PXA Spitz - MIPS Alchemy DB1000 development board It was too hard for me to include software node conversion of these two remaining users at this time: the spitz is using a hscync callback in the platform data that would require further GPIO descriptor conversion of the Spitz, and moving the hsync callback down into the driver: it will just become too big of a job, but it can be done separately. The MIPS Alchemy DB1000 is simply something I cannot test, so take the easier approach of just providing some GPIO descriptors in this case as I don't want the patch to grow too intrusive. As we see that several device trees have incorrect polarity flags and just expect to bypass the gpiolib polarity handling, fix up all device trees too, in a separate patch. Suggested-by: Dmitry Torokhov Fixes: 92bf78b33b0b ("gpio: omap: use dynamic allocation of base") Acked-by: Dmitry Torokhov Reviewed-by: Dmitry Torokhov Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit de83f3df9b0689bfc8e4857349a7152f9d4fc724 Author: Linus Walleij Date: Sun Apr 30 17:45:29 2023 +0200 ARM: omap1: Remove reliance on GPIO numbers from SX1 [ Upstream commit 480c82daa3e41873421dc2c9e2918ad7e21d7a0b ] It appears this happens because the OMAP driver now allocates GPIO numbers dynamically, so all that is references by number is a bit up in the air. Utilize the NULL device to define some board-specific GPIO lookups and use these to immediately look up the same GPIOs, convert to IRQ numbers and pass as resources to the devices. This is ugly but should work. Fixes: 92bf78b33b0b ("gpio: omap: use dynamic allocation of base") Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 0142c99a06e82977f22a162b313248ae679af62e Author: Linus Walleij Date: Sun Apr 30 11:56:23 2023 +0200 ARM: omap1: Remove reliance on GPIO numbers from PalmTE [ Upstream commit 4c40db6249ff1da335b276bdd6c3c3462efbc2ab ] It appears this happens because the OMAP driver now allocates GPIO numbers dynamically, so all that is references by number is a bit up in the air. Utilize the NULL device to define some board-specific GPIO lookups and use these to immediately look up the same GPIOs, convert to IRQ numbers and pass as resources to the devices. This is ugly but should work. Fixes: 92bf78b33b0b ("gpio: omap: use dynamic allocation of base") Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 2042e15fd73be8b1583534c46378867691dc7ec6 Author: Linus Walleij Date: Sun Apr 30 11:40:28 2023 +0200 ARM: omap1: Drop header on AMS Delta [ Upstream commit fa1ae0cd897b089b5cc05ab471518ad13db2d567 ] The AMS Delta board uses GPIO descriptors exclusively and does not have any dependencies on the legacy header, so just drop it. Acked-by: Janusz Krzysztofik Fixes: 92bf78b33b0b ("gpio: omap: use dynamic allocation of base") Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit b64755e69629bd753578921a1139a7348ece37bc Author: Linus Walleij Date: Sun Apr 30 11:35:05 2023 +0200 ARM/mfd/gpio: Fixup TPS65010 regression on OMAP1 OSK1 [ Upstream commit c32c81f3dbdfd68f6ab20a29ad86f811aed36e4e ] Aaro reports problems on the OSK1 board after we altered the dynamic base for GPIO allocations. It appears this happens because the OMAP driver now allocates GPIO numbers dynamically, so all that is references by number is a bit up in the air. Let's bite the bullet and try to just move the gpio_chip in the tps65010 MFD driver over to using dynamic allocations. Alter everything in the OSK1 board file to use a GPIO descriptor table and lookups. Utilize the NULL device to define some board-specific GPIO lookups and use these to immediately look up the same GPIOs, convert to IRQ numbers and pass as resources to the devices. This is ugly but should work. The .setup() callback for tps65010 was used for some GPIO hogging, but since the OSK1 is the only user in the entire kernel we can alter the signatures to something that is helpful and make a clean transition. Fixes: 92bf78b33b0b ("gpio: omap: use dynamic allocation of base") Cc: Christophe Leroy Cc: andy.shevchenko@gmail.com Cc: Andreas Kemnade Acked-by: Lee Jones Reviewed-by: Lee Jones Reported-by: Aaro Koskinen Reviewed-by: Andy Shevchenko Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 686a663a364476d63a36bd76c2b1d301dd4150f8 Author: Nícolas F. R. A. Prado Date: Thu May 18 15:39:02 2023 -0400 drm/bridge: anx7625: Prevent endless probe loop [ Upstream commit 1464e48d69ab7a50a377c9d39f5e5eb3cee2722e ] During probe, the driver registers i2c dummy devices and populates the aux bus, which registers a device for the panel. After doing that, the driver can still defer probe if needed. This ordering of operations is troublesome however, because the deferred probe work will retry probing all pending devices every time a new device is registered. Therefore, if modules need to be loaded in order to satisfy the dependencies for this driver to complete probe, the kernel will stall, since it'll keep trying to probe the anx7625 driver, but never succeed, given that modules would only be loaded after the deferred probe work completes. Two changes are required to avoid this issue: * Move of_find_mipi_dsi_host_by_node(), which can defer probe, to before anx7625_register_i2c_dummy_clients() and devm_of_dp_aux_populate_ep_devices(), which register devices. * Make use of the done_probing callback when populating the aux bus, so that the bridge registration is only done after the panel is probed. This is required because the panel might need to defer probe, but the aux bus population needs the i2c dummy devices working, so this call couldn't just be moved to an earlier point in probe. One caveat is that if the panel is described outside the aux bus, the probe loop issue can still happen, but we don't have a way to avoid it in that case since there's no callback available. With this patch applied, it's possible to boot on mt8192-asurada-spherion with CONFIG_DRM_ANALOGIX_ANX7625=y CONFIG_MTK_MMSYS=m CONFIG_BACKLIGHT_PWM=y and also with CONFIG_DRM_ANALOGIX_ANX7625=y CONFIG_MTK_MMSYS=y CONFIG_BACKLIGHT_PWM=m Fixes: adca62ec370c ("drm/bridge: anx7625: Support reading edid through aux channel") Fixes: 269332997a16 ("drm/bridge: anx7625: Return -EPROBE_DEFER if the dsi host was not found") Reported-by: "kernelci.org bot" Signed-off-by: Nícolas F. R. A. Prado Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20230518193902.891121-1-nfraprado@collabora.com Signed-off-by: Sasha Levin commit aae6dc2cab03971052bd71c27cf49aa9c32ef914 Author: Bhupesh Sharma Date: Tue May 16 13:29:07 2023 +0530 arm64: dts: qcom: qrb4210-rb2: Fix CD gpio for SDHC2 [ Upstream commit 14e6c47b628788a8c8634bc59b2dd50d68a74de3 ] Card-Detect (CD) gpio for SDHC2 is an active GPIO line. Fix the same. This allows the uSD card to be properly detected on the board. Fixes: 8d58a8c0d930 ("arm64: dts: qcom: Add base qrb4210-rb2 board dts") Reviewed-by: Dmitry Baryshkov Reviewed-by: Krzysztof Kozlowski Signed-off-by: Bhupesh Sharma Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230516075908.2323372-3-bhupesh.sharma@linaro.org Signed-off-by: Sasha Levin commit 72dd3cdc961123997e15baadf8e07da92ccd8928 Author: Tony Lindgren Date: Wed May 17 13:32:25 2023 +0300 ARM: dts: gta04: Move model property out of pinctrl node [ Upstream commit 4ffec92e70ac5097b9f67ec154065305b16a3b46 ] The model property should be at the top level, let's move it out of the pinctrl node. Fixes: d2eaf949d2c3 ("ARM: dts: omap3-gta04a5one: define GTA04A5 variant with OneNAND") Cc: Andreas Kemnade Cc: H. Nikolaus Schaller Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 355b82bc7726ac7e328ec5d5264ba1f3e829e33d Author: Biju Das Date: Thu May 18 16:23:34 2023 +0100 clk: renesas: rzg2l: Fix CPG_SIPLL5_CLK1 register write [ Upstream commit d1c20885d3b01e6a62e920af4b227abd294d22f3 ] As per the RZ/G2L HW(Rev.1.30 May2023) manual, there are no "write enable" bits in the CPG_SIPLL5_CLK1 register. So fix the CPG_SIPLL5_CLK register write by removing the "write enable" bits. Fixes: 1561380ee72f ("clk: renesas: rzg2l: Add FOUTPOSTDIV clk support") Signed-off-by: Biju Das Reviewed-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20230518152334.514922-1-biju.das.jz@bp.renesas.com [geert: Remove CPG_SIPLL5_CLK1_*_WEN bit definitions] Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 552a393f06562a1cb8604e220c78a71d90877a4e Author: Jean-Philippe Brucker Date: Mon May 15 12:39:50 2023 +0100 iommu/virtio: Return size mapped for a detached domain [ Upstream commit 7061b6af34686e7e2364b7240cfb061293218f2d ] When map() is called on a detached domain, the domain does not exist in the device so we do not send a MAP request, but we do update the internal mapping tree, to be replayed on the next attach. Since this constitutes a successful iommu_map() call, return *mapped in this case too. Fixes: 7e62edd7a33a ("iommu/virtio: Add map/unmap_pages() callbacks implementation") Signed-off-by: Jean-Philippe Brucker Reviewed-by: Jason Gunthorpe Link: https://lore.kernel.org/r/20230515113946.1017624-3-jean-philippe@linaro.org Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 9455ed7835b51ae8f35f850f5bc5bc3653c5f987 Author: Jean-Philippe Brucker Date: Mon May 15 12:39:48 2023 +0100 iommu/virtio: Detach domain on endpoint release [ Upstream commit 809d0810e3520da669d231303608cdf5fe5c1a70 ] When an endpoint is released, for example a PCIe VF being destroyed or a function hot-unplugged, it should be detached from its domain. Send a DETACH request. Fixes: edcd69ab9a32 ("iommu: Add virtio-iommu driver") Reported-by: Akihiko Odaki Link: https://lore.kernel.org/all/15bf1b00-3aa0-973a-3a86-3fa5c4d41d2c@daynix.com/ Signed-off-by: Jean-Philippe Brucker Tested-by: Akihiko Odaki Link: https://lore.kernel.org/r/20230515113946.1017624-2-jean-philippe@linaro.org Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit d5791f3cc107b8c9791753926f1ea07a26bdf532 Author: Arnd Bergmann Date: Mon Apr 17 23:03:23 2023 +0200 drm/nouveau: dispnv50: fix missing-prototypes warning [ Upstream commit 504e72ed3a1b1c0d4450712a42ae6070d3a05a8e ] nv50_display_create() is declared in another header, along with a couple of declarations that are now outdated: drivers/gpu/drm/nouveau/dispnv50/disp.c:2517:1: error: no previous prototype for 'nv50_display_create' Fixes: ba801ef068c1 ("drm/nouveau/kms: display destroy/init/fini hooks can be static") Signed-off-by: Arnd Bergmann Reviewed-by: Karol Herbst Signed-off-by: Karol Herbst Link: https://patchwork.freedesktop.org/patch/msgid/20230417210329.2469722-1-arnd@kernel.org Signed-off-by: Sasha Levin commit c4353c4ca8ba650dff2c9479be6c1c8a7f1bc2e1 Author: Konrad Dybcio Date: Fri May 19 20:49:59 2023 +0200 drm/msm/dpu: Set DPU_DATA_HCTL_EN for in INTF_SC7180_MASK [ Upstream commit a7129231edf329a00e92dbd2d741f6da728a4a06 ] DPU5 and newer targets enable this unconditionally. Move it from the SC7280 mask to the SC7180 one. Fixes: 7e6ee55320f0 ("drm/msm/disp/dpu1: enable DATA_HCTL_EN for sc7280 target") Reviewed-by: Dmitry Baryshkov Reviewed-by: Marijn Suijten Signed-off-by: Konrad Dybcio Reviewed-by: Abhinav Kumar Patchwork: https://patchwork.freedesktop.org/patch/538159/ Link: https://lore.kernel.org/r/20230508-topic-hctl_en-v2-1-e7bea9f1f5dd@linaro.org [DB: removed BIT(DPU_INTF_DATA_COMPRESS), which is not yet merged] Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit e15009d2d0cff640e76670f13c36fd6739ac695a Author: Marijn Suijten Date: Thu May 18 23:29:08 2023 +0200 drm/msm/dpu: Use V4.0 PCC DSPP sub-block in SC7[12]80 [ Upstream commit 853b292b92d50d1b30628c92229e93d670304e51 ] According to various downstream sources the PCC sub-block inside DSPP is version 4.0 since DPU 4.0 and higher, including SC7[12]80 at DPU version 6.2 and 7.2 respectively. After correcting the version this struct becomes identical to sm8150_dspp_sblk which is used all across the catalog: replace uses of sc7180_dspp_sblk with that and remove the struct definition for sc7180_dspp_sblk entirely. Fixes: 4259ff7ae509e ("drm/msm/dpu: add support for pcc color block in dpu driver") Signed-off-by: Marijn Suijten Reviewed-by: Dmitry Baryshkov Patchwork: https://patchwork.freedesktop.org/patch/537899/ Link: https://lore.kernel.org/r/20230518-dpu-sc7180-pcc-version-v1-1-ec9ca4949e3e@somainline.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit eeb66735307b665308d5648cca230c35fa4acf4f Author: Arnaud Vrac Date: Wed Apr 19 16:41:15 2023 +0200 drm/msm/dpu: fix cursor block register bit offset in msm8998 hw catalog [ Upstream commit c95771905c494aa5c2abbb56b3e2f7d4aa3b34f9 ] This matches the value for both fbdev and sde implementations in the downstream msm-4.4 repository. Signed-off-by: Arnaud Vrac Fixes: 94391a14fc27 ("drm/msm/dpu1: Add MSM8998 to hw catalog") Reviewed-by: Dmitry Baryshkov Patchwork: https://patchwork.freedesktop.org/patch/532899/ Link: https://lore.kernel.org/r/20230419-dpu-tweaks-v1-8-d1bac46db075@freebox.fr Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit db4df19bfd8b63770ffba145eeb997020a399f82 Author: Dmitry Baryshkov Date: Mon May 1 04:12:57 2023 +0300 drm/msm/dsi: don't allow enabling 14nm VCO with unprogrammed rate [ Upstream commit 1e0a97f84d73ea1182740f62069690c7f3271abb ] If the dispcc uses CLK_OPS_PARENT_ENABLE (e.g. on QCM2290), CCF can try enabling VCO before the rate has been programmed. This can cause clock lockups and/or other boot issues. Program the VCO to the minimal PLL rate if the read rate is 0 Hz. Cc: Konrad Dybcio Signed-off-by: Dmitry Baryshkov Reported-by: Vladimir Zapolskiy Reported-by: Konrad Dybcio Reviewed-by: Konrad Dybcio Fixes: f079f6d999cb ("drm/msm/dsi: Add PHY/PLL for 8x96") Patchwork: https://patchwork.freedesktop.org/patch/534813/ Link: https://lore.kernel.org/r/20230501011257.3460103-1-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit fb1da1d86ef25a4ae179fe21dcbdbfdb2193b8ec Author: Dmitry Baryshkov Date: Sat Apr 8 03:27:48 2023 +0300 drm/msm/dpu: enable DSPP_2/3 for LM_2/3 on sm8450 [ Upstream commit 800d28a4988d842d11e95d3dea491520ebf4991d ] Mark DSPP_2 and DSPP_3 as used for LM_2 and LM_3 Fixes: 100d7ef6995d ("drm/msm/dpu: add support for SM8450") Signed-off-by: Dmitry Baryshkov Reviewed-by: Abhinav Kumar Patchwork: https://patchwork.freedesktop.org/patch/531491/ Link: https://lore.kernel.org/r/20230408002750.2722304-3-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit cb893e0b8dda5fa98233b6b585c354514dd31660 Author: Kalesh AP Date: Thu May 18 23:48:15 2023 -0700 RDMA/bnxt_re: Fix to remove an unnecessary log [ Upstream commit 43774bc156614346fe5dacabc8e8c229167f2536 ] During destroy_qp, driver sets the qp handle in the existing CQEs belonging to the QP being destroyed to NULL. As a result, a poll_cq after destroy_qp can report unnecessary messages. Remove this noise from system logs. Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Link: https://lore.kernel.org/r/1684478897-12247-6-git-send-email-selvin.xavier@broadcom.com Signed-off-by: Kalesh AP Signed-off-by: Selvin Xavier Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 3aa57b90614837ac8368040e9178c23d51e3432f Author: Kalesh AP Date: Thu May 18 23:48:14 2023 -0700 RDMA/bnxt_re: Remove a redundant check inside bnxt_re_update_gid [ Upstream commit b989f90cef0af48aa5679b6a75476371705ec53c ] The NULL check inside bnxt_re_update_gid() always return false. If sgid_tbl->tbl is not allocated, then dev_init would have failed. Fixes: 5fac5b1b297f ("RDMA/bnxt_re: Add vlan tag for untagged RoCE traffic when PFC is configured") Link: https://lore.kernel.org/r/1684478897-12247-5-git-send-email-selvin.xavier@broadcom.com Reviewed-by: Saravanan Vajravel Reviewed-by: Damodharam Ammepalli Reviewed-by: Ajit Khaparde Signed-off-by: Selvin Xavier Signed-off-by: Kalesh AP Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 4f51da7d48cfa0439bb366bf3f781502c183d742 Author: Kalesh AP Date: Thu May 18 23:48:13 2023 -0700 RDMA/bnxt_re: Use unique names while registering interrupts [ Upstream commit ff2e4bfd162cf66a112a81509e419805add44d64 ] bnxt_re currently uses the names "bnxt_qplib_creq" and "bnxt_qplib_nq-0" while registering IRQs. There is no way to distinguish the IRQs of different device ports when there are multiple IB devices registered. This could make the scenarios worse where one want to pin IRQs of a device port to certain CPUs. Fixed the code to use unique names which has PCI BDF information while registering interrupts like: "bnxt_re-nq-0@pci:0000:65:00.0" and "bnxt_re-creq@pci:0000:65:00.1". Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Link: https://lore.kernel.org/r/1684478897-12247-4-git-send-email-selvin.xavier@broadcom.com Reviewed-by: Bhargava Chenna Marreddy Signed-off-by: Kalesh AP Signed-off-by: Selvin Xavier Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit de84f808aa256d88c35be9ad6ea40b3c30dec0c9 Author: Kalesh AP Date: Thu May 18 23:48:12 2023 -0700 RDMA/bnxt_re: Fix to remove unnecessary return labels [ Upstream commit 9b3ee47796f529e5bc31a355d6cb756d68a7079a ] If there is no cleanup needed then just return directly. This cleans up the code and improve readability. Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Link: https://lore.kernel.org/r/1684478897-12247-3-git-send-email-selvin.xavier@broadcom.com Reviewed-by: Kashyap Desai Reviewed-by: Saravanan Vajravel Signed-off-by: Kalesh AP Signed-off-by: Selvin Xavier Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 280fa4f026ad2d41099d4d5f2062e8f82bafbbe6 Author: Selvin Xavier Date: Thu May 18 23:48:11 2023 -0700 RDMA/bnxt_re: Disable/kill tasklet only if it is enabled [ Upstream commit ab112ee7899d6171da5acd77a7ed7ae103f488de ] When the ulp hook to start the IRQ fails because the rings are not available, tasklets are not enabled. In this case when the driver is unloaded, driver calls CREQ tasklet_kill. This causes an indefinite hang as the tasklet is not enabled. Driver shouldn't call tasklet_kill if it is not enabled. So using the creq->requested and nq->requested flags to identify if both tasklets/irqs are registered. Checking this flag while scheduling the tasklet from ISR. Also, added a cleanup for disabling tasklet, in case request_irq fails during start_irq. Check for return value for bnxt_qplib_rcfw_start_irq and in case the bnxt_qplib_rcfw_start_irq fails, return bnxt_re_start_irq without attempting to start NQ IRQs. Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Link: https://lore.kernel.org/r/1684478897-12247-2-git-send-email-selvin.xavier@broadcom.com Signed-off-by: Kalesh AP Signed-off-by: Selvin Xavier Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 3b4133ef9ee2f21e17e946481f21738a3b2e63ad Author: Nikita Zhandarovich Date: Wed May 10 07:35:37 2023 -0700 hwmon: (f71882fg) prevent possible division by zero [ Upstream commit 0babf89c9cca7e074d6e59893e462e4886f481cc ] In the unlikely event that something goes wrong with the device and its registers, the fan_from_reg() function may return 0. This value will cause a division-by-zero error in the show_pwm() function. To prevent this, test the value of fan_from_reg(data->fan_full_speed[nr]) against 0 before performing the division. If the division-by-zero error is avoided, assign 0 to the val variable. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: df9ec2dae094 ("hwmon: (f71882fg) Reorder symbols to get rid of a few forward declarations") Signed-off-by: Nikita Zhandarovich Link: https://lore.kernel.org/r/20230510143537.145060-1-n.zhandarovich@fintech.ru Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 0a719f0e4b6f233979e219baff73923e76a96e09 Author: Dan Carpenter Date: Wed Apr 19 17:23:01 2023 +0300 clk: imx: scu: use _safe list iterator to avoid a use after free [ Upstream commit 632c60ecd25dbacee54d5581fe3aeb834b57010a ] This loop is freeing "clk" so it needs to use list_for_each_entry_safe(). Otherwise it dereferences a freed variable to get the next item on the loop. Fixes: 77d8f3068c63 ("clk: imx: scu: add two cells binding support") Signed-off-by: Dan Carpenter Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/0793fbd1-d2b5-4ec2-9403-3c39343a3e2d@kili.mountain Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit 8c0a1d3c3b0ce6801dac8ba7d0d5744ca1667ce8 Author: Devi Priya Date: Tue Apr 25 14:10:05 2023 +0530 arm64: dts: qcom: ipq9574: Update the size of GICC & GICV regions [ Upstream commit 6fb45762691d12d9812c41d20b2f5db1412047ae ] Update the size of GICC and GICV regions to 8kB as the GICC_DIR & GICV_DIR registers lie in the second 4kB region. Also, add target CPU encoding. Fixes: 97cb36ff52a1 ("arm64: dts: qcom: Add ipq9574 SoC and AL02 board support") Signed-off-by: Devi Priya Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230425084010.15581-2-quic_devipriy@quicinc.com Signed-off-by: Sasha Levin commit 09e82cb6f88f27e511018132fcced4a893827e25 Author: Alexander Stein Date: Wed May 17 14:21:06 2023 +0200 drm/bridge: tc358767: Switch to devm MIPI-DSI helpers [ Upstream commit f47d6140b7a4c858d82d263e7577ff6fb5279a9c ] DSI device registering and attaching needs to be undone upon deregistration. This fixes module unload/load. Fixes: bbfd3190b656 ("drm/bridge: tc358767: Add DSI-to-DPI mode support") Signed-off-by: Alexander Stein Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20230517122107.1766673-1-alexander.stein@ew.tq-group.com Signed-off-by: Sasha Levin commit 1bd0ab15374ad601cd4f09c193c00725f584ab9c Author: Robert Marko Date: Tue Feb 21 11:50:37 2023 +0100 arm64: dts: microchip: sparx5: do not use PSCI on reference boards [ Upstream commit 70be83708c925b3f72c508e4756e48ad2330c830 ] PSCI is not implemented on SparX-5 at all, there is no ATF and U-boot that is shipped does not implement it as well. I have tried flashing the latest BSP 2022.12 U-boot which did not work. After contacting Microchip, they confirmed that there is no ATF for the SoC nor PSCI implementation which is unfortunate in 2023. So, disable PSCI as otherwise kernel crashes as soon as it tries probing PSCI with, and the crash is only visible if earlycon is used. Since PSCI is not implemented, switch core bringup to use spin-tables which are implemented in the vendor U-boot and actually work. Tested on PCB134 with eMMC (VSC5640EV). Fixes: 6694aee00a4b ("arm64: dts: sparx5: Add basic cpu support") Signed-off-by: Robert Marko Acked-by: Steen Hegelund Link: https://lore.kernel.org/r/20230221105039.316819-1-robert.marko@sartura.hr Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 9445e468cf95e3a6f95a9ba14eb6c22936308103 Author: Tony Lindgren Date: Wed May 17 10:04:16 2023 +0300 bus: ti-sysc: Fix dispc quirk masking bool variables [ Upstream commit f620596fa347170852da499e778a5736d79a4b79 ] Fix warning drivers/bus/ti-sysc.c:1806 sysc_quirk_dispc() warn: masking a bool. While at it let's add a comment for what were doing to make the code a bit easier to follow. Fixes: 7324a7a0d5e2 ("bus: ti-sysc: Implement display subsystem reset quirk") Reported-by: Dan Carpenter Closes: https://lore.kernel.org/linux-omap/a8ec8a68-9c2c-4076-bf47-09fccce7659f@kili.mountain/ Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit d052f8853f864eecba5f60f181c0772e38b64405 Author: Marek Vasut Date: Fri May 5 23:37:29 2023 +0200 ARM: dts: stm32: Move ethernet MAC EEPROM from SoM to carrier boards [ Upstream commit 9660efc2af37f3c12dc6e6a5511ad99e0addc297 ] The ethernet MAC EEPROM is not populated on the SoM itself, it has to be populated on each carrier board. Move the EEPROM into the correct place in DTs, i.e. the carrier board DTs. Add label to the EEPROM too. Fixes: 7e76f82acd9e1 ("ARM: dts: stm32: Split Avenger96 into DHCOR SoM and Avenger96 board") Signed-off-by: Marek Vasut Signed-off-by: Alexandre Torgue Signed-off-by: Sasha Levin commit 2ed5be414424f9d111d9f471f643e19975da1f04 Author: Maíra Canal Date: Fri May 12 07:40:45 2023 -0300 drm/vkms: Fix RGB565 pixel conversion [ Upstream commit ab87f558dcfb2562c3497e89600dec798a446665 ] Currently, the pixel conversion isn't rounding the fixed-point values before assigning it to the RGB coefficients, which is causing the IGT pixel-format tests to fail. So, use the drm_fixp2int_round() fixed-point helper to round the values when assigning it to the RGB coefficients. Tested with igt@kms_plane@pixel-format and igt@kms_plane@pixel-format-source-clamping. [v2]: * Use drm_fixp2int_round() to fix the pixel conversion instead of casting the values to s32 (Melissa Wen). Fixes: 89b03aeaef16 ("drm/vkms: fix 32bit compilation error by replacing macros") Signed-off-by: Maíra Canal Reviewed-by: Arthur Grillo Signed-off-by: Maíra Canal Link: https://patchwork.freedesktop.org/patch/msgid/20230512104044.65034-2-mcanal@igalia.com Signed-off-by: Sasha Levin commit 559e23d20a5374df35365b491ebdc5cdee44a337 Author: Maíra Canal Date: Fri May 12 07:40:44 2023 -0300 drm: Add fixed-point helper to get rounded integer values [ Upstream commit 8b25320887d7feac98875546ea0f521628b745bb ] Create a new fixed-point helper to allow us to return the rounded value of our fixed point value. [v2]: * Create the function drm_fixp2int_round() (Melissa Wen). [v3]: * Use drm_fixp2int() instead of shifting manually (Arthur Grillo). Signed-off-by: Maíra Canal Reviewed-by: Arthur Grillo Signed-off-by: Maíra Canal Link: https://patchwork.freedesktop.org/patch/msgid/20230512104044.65034-1-mcanal@igalia.com Stable-dep-of: ab87f558dcfb ("drm/vkms: Fix RGB565 pixel conversion") Signed-off-by: Sasha Levin commit 3041ba47427e103bada6cef1375569b609b8c91e Author: Maíra Canal Date: Tue Apr 18 10:05:21 2023 -0300 drm/vkms: isolate pixel conversion functionality [ Upstream commit 322d716a3e8a74fb75cd0f657647be4df253fd2f ] Currently, the pixel conversion functions repeat the same loop to iterate the rows. Instead of repeating the same code for each pixel format, create a function to wrap the loop and isolate the pixel conversion functionality. Suggested-by: Arthur Grillo Signed-off-by: Maíra Canal Reviewed-by: Arthur Grillo Signed-off-by: Maíra Canal Link: https://patchwork.freedesktop.org/patch/msgid/20230418130525.128733-2-mcanal@igalia.com Stable-dep-of: ab87f558dcfb ("drm/vkms: Fix RGB565 pixel conversion") Signed-off-by: Sasha Levin commit 017786dd1122d2bcd8380113b9638040f1eb554f Author: Bard Liao Date: Fri May 12 12:33:02 2023 -0500 ASoC: Intel: sof_sdw: start set codec init function with an adr index [ Upstream commit f0c8d83ab1a3532ebeb1a89acb649be01657aed8 ] Currently, set_codec_init_func always start with link->adr_d[0] because we assumed all adr_d on the same link are the same devices. The assumption is no longer valid when different devices on the same sdw link are supported. Fixes: c8db7b50128b ("ASoC: Intel: sof_sdw: support different devices on the same sdw link") Signed-off-by: Bard Liao commit edd1975f85d15a189bf1af2fddb90cad5cb683c1 Author: Bard Liao Date: Fri May 12 12:32:59 2023 -0500 ASoC: Intel: sof_sdw: remove SOF_SDW_TGL_HDMI for MeteorLake devices [ Upstream commit 0db94947c9d3da16aa31d152b7d26fab78b02cb9 ] Topologies support three HDMI links on MeteorLake devices only. Fixes: 18489174e4fb ("ASoC: intel: sof_sdw: add RT711 SDCA card for MTL platform") Signed-off-by: Bard Liao commit 3d88f9b2d3c92560e3faec055a19c362cc7beb15 Author: Trevor Wu Date: Wed May 10 11:55:25 2023 +0800 ASoC: dt-bindings: mediatek,mt8188-afe: correct clock name [ Upstream commit 1e4fe75e9746be8e40c57132bb3fba1ce3dd24af ] The original clock names are different from the list in driver code. Correct the mismatched binding names in the patch. Because no mt8188 upstream dts exists, it doesn't affect the existing dts file. Fixes: 692d25b67e10 ("ASoC: dt-bindings: mediatek,mt8188-afe: add audio afe document") Signed-off-by: Trevor Wu commit 256aace3a5d8c987183ba4832dffb36f48ea7d3b Author: Dan Carpenter Date: Fri Apr 21 13:44:54 2023 +0300 driver: soc: xilinx: use _safe loop iterator to avoid a use after free [ Upstream commit c58da0ba3e5c86e51e2c1557afaf6f71e00c4533 ] The hash_for_each_possible() loop dereferences "eve_data" to get the next item on the list. However the loop frees eve_data so it leads to a use after free. Use hash_for_each_possible_safe() instead. Fixes: c7fdb2404f66 ("drivers: soc: xilinx: add xilinx event management driver") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/761e0e4a-4caf-4a71-8f47-1c6ad908a848@kili.mountain Signed-off-by: Michal Simek Signed-off-by: Sasha Levin commit 8d03a54a1311c4de71a358e38d0d4b926dd7e529 Author: Dmitry Baryshkov Date: Sun May 7 20:26:38 2023 +0300 drm/panel: sharp-ls043t1le01: adjust mode settings [ Upstream commit dee23b2c9e3ff46d59c5d45e1436eceb878e7c9a ] Using current settings causes panel flickering on APQ8074 dragonboard. Adjust panel settings to follow the vendor-provided mode. This also enables MIPI_DSI_MODE_VIDEO_SYNC_PULSE, which is also specified by the vendor dtsi for the mentioned dragonboard. Fixes: ee0172383190 ("drm/panel: Add Sharp LS043T1LE01 MIPI DSI panel") Signed-off-by: Dmitry Baryshkov Reviewed-by: Neil Armstrong Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20230507172639.2320934-1-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit d02b618730c9e967f84b9203734707478cd2ddd4 Author: XuDong Liu Date: Sun Apr 30 19:23:46 2023 +0800 drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks` [ Upstream commit 123ee07ba5b7123e0ce0e0f9d64938026c16a2ce ] Smatch reports: drivers/gpu/drm/sun4i/sun4i_tcon.c:805 sun4i_tcon_init_clocks() warn: 'tcon->clk' from clk_prepare_enable() not released on lines: 792,801. In the function sun4i_tcon_init_clocks(), tcon->clk and tcon->sclk0 are not disabled in the error handling, which affects the release of these variable. Although sun4i_tcon_bind(), which calls sun4i_tcon_init_clocks(), use sun4i_tcon_free_clocks to disable the variables mentioned, but the error handling branch of sun4i_tcon_init_clocks() ignores the required disable process. To fix this issue, use the devm_clk_get_enabled to automatically balance enable and disabled calls. As original implementation use sun4i_tcon_free_clocks() to disable clk explicitly, we delete the related calls and error handling that are no longer needed. Fixes: 9026e0d122ac ("drm: Add Allwinner A10 Display Engine support") Fixes: b14e945bda8a ("drm/sun4i: tcon: Prepare and enable TCON channel 0 clock at init") Fixes: 8e9240472522 ("drm/sun4i: support TCONs without channel 1") Fixes: 34d698f6e349 ("drm/sun4i: Add has_channel_0 TCON quirk") Signed-off-by: XuDong Liu Reviewed-by: Dongliang Mu Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20230430112347.4689-1-m202071377@hust.edu.cn Signed-off-by: Sasha Levin commit 4229dcd355d2f1011b713947782ed6812f1a30ff Author: Marek Vasut Date: Wed May 10 17:27:55 2023 -0700 Input: adxl34x - do not hardcode interrupt trigger type [ Upstream commit e96220bce5176ed2309f77f061dcc0430b82b25e ] Instead of hardcoding IRQ trigger type to IRQF_TRIGGER_HIGH, let's respect the settings specified in the firmware description. Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers") Signed-off-by: Marek Vasut Acked-by: Michael Hennerich Link: https://lore.kernel.org/r/20230509203555.549158-1-marex@denx.de Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 61b825e1b47f9a02fc3460ff891f5eccbe37b983 Author: Marek Vasut Date: Sun May 7 15:39:06 2023 +0200 clk: rs9: Fix .driver_data content in i2c_device_id [ Upstream commit ad527ca87e4ea42d7baad2ce710b44069287931b ] The .driver_data content in i2c_device_id table must match the .data content in of_device_id table, else device_get_match_data() would return bogus value on i2c_device_id match. Align the two tables. The i2c_device_id table is now converted from of_device_id using 's@.compatible = "renesas,\([^"]\+"\), .data = \(.*\)@"\1, .driver_data = (kernel_ulong_t)\2@' Fixes: 892e0ddea1aa ("clk: rs9: Add Renesas 9-series PCIe clock generator driver") Signed-off-by: Marek Vasut Link: https://lore.kernel.org/r/20230507133906.15061-3-marek.vasut+renesas@mailbox.org Reviewed-by: Geert Uytterhoeven Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit d5a58079ba5752f9276ad1edc70a615af61e9bcb Author: Marek Vasut Date: Sun May 7 15:39:05 2023 +0200 clk: vc7: Fix .driver_data content in i2c_device_id [ Upstream commit b5e10beeafaa3266559c582dde7534ae3fe8cefb ] The .driver_data content in i2c_device_id table must match the .data content in of_device_id table, else device_get_match_data() would return bogus value on i2c_device_id match. Align the two tables. The i2c_device_id table is now converted from of_device_id using 's@.compatible = "renesas,\([^"]\+"\), .data = \(.*\)@"\1, .driver_data = (kernel_ulong_t)\2@' Fixes: 48c5e98fedd9 ("clk: Renesas versaclock7 ccf device driver") Signed-off-by: Marek Vasut Link: https://lore.kernel.org/r/20230507133906.15061-2-marek.vasut+renesas@mailbox.org Reviewed-by: Geert Uytterhoeven Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 45f4f86a3c9b588b88b7d1aa09fbf6ba901ff386 Author: Marek Vasut Date: Sun May 7 15:39:04 2023 +0200 clk: vc5: Fix .driver_data content in i2c_device_id [ Upstream commit be3471c5bd9b921c9adfab7948e8021611639164 ] The .driver_data content in i2c_device_id table must match the .data content in of_device_id table, else device_get_match_data() would return bogus value on i2c_device_id match. Align the two tables. The i2c_device_id table is now converted from of_device_id using 's@.compatible = "idt,\([^"]\+"\), .data = \(.*\)@"\1, .driver_data = (kernel_ulong_t)\2@' Fixes: 9adddb01ce5f ("clk: vc5: Add structure to describe particular chip features") Signed-off-by: Marek Vasut Link: https://lore.kernel.org/r/20230507133906.15061-1-marek.vasut+renesas@mailbox.org Reviewed-by: Luca Ceresoli Reviewed-by: Geert Uytterhoeven Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit fae3a7663348f98ddef59b8b07cc3d496c31d41d Author: hfdevel@gmx.net Date: Fri Apr 7 16:36:25 2023 +0200 ARM: dts: meson8b: correct uart_B and uart_C clock references [ Upstream commit d542ce8d4769cdef6a7bc3437e59cfed9c68f0e4 ] With the current device tree for meson8b, uarts B (e.g. available on pins 8/10 on Odroid-C1) and C (pins 3/5 on Odroid-C1) do not work, because they are relying on incorrect clocks. Change the references of pclk to the correct CLKID, to allow use of the two uarts. Fixes: 3375aa77135f ("ARM: dts: meson8b: Fix the UART device-tree schema validation") Signed-off-by: Hans-Frieder Vogt Reviewed-by: Martin Blumenstingl Link: https://lore.kernel.org/r/trinity-bf20bcb9-790b-4ab9-99e3-0831ef8257f4-1680878185420@3c-app-gmx-bap55 Signed-off-by: Neil Armstrong Signed-off-by: Sasha Levin commit a8175f0a58e41bf47c16f5a45413988f088b9b4e Author: Rafał Miłecki Date: Wed May 3 14:28:30 2023 +0200 ARM: dts: BCM5301X: Drop "clock-names" from the SPI node [ Upstream commit d3c8e2c5757153bbfad70019ec1decbca86f3def ] There is no such property in the SPI controller binding documentation. Also Linux driver doesn't look for it. This fixes: arch/arm/boot/dts/bcm4708-asus-rt-ac56u.dtb: spi@18029200: Unevaluated properties are not allowed ('clock-names' was unexpected) From schema: Documentation/devicetree/bindings/spi/brcm,spi-bcm-qspi.yaml Signed-off-by: Rafał Miłecki Link: https://lore.kernel.org/r/20230503122830.3200-1-zajec5@gmail.com Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit b4dfa2f5c7c72e34e5633ca844d19b16ed2bbc4b Author: Luc Ma Date: Mon May 8 08:09:16 2023 +0800 drm/vram-helper: fix function names in vram helper doc [ Upstream commit b8e392245105b50706f18418054821e71e637288 ] Refer to drmm_vram_helper_init() instead of the non-existent drmm_vram_helper_alloc_mm(). Fixes: a5f23a72355d ("drm/vram-helper: Managed vram helpers") Signed-off-by: Luc Ma Reviewed-by: Thomas Zimmermann Signed-off-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/64583db2.630a0220.eb75d.8f51@mx.google.com Signed-off-by: Sasha Levin commit 7e448ca8cd236ef0c224686481fedac93bda930a Author: Dmitry Torokhov Date: Fri May 5 11:16:29 2023 -0700 Input: tests - fix input_test_match_device_id test [ Upstream commit c73b4db076faf827d0656665ef5e97b76926b60f ] Properly initialize input_device_id structure in input_test_match_device_id test to make sure it contains no garbage causing the test to randomly fail. Fixes: fdefcbdd6f36 ("Input: Add KUnit tests for some of the input core helper functions") Reported-by: Geert Uytterhoeven Tested-by: Geert Uytterhoeven Reviewed-by: Javier Martinez Canillas Link: https://lore.kernel.org/r/ZFLI7T2qZTGJ1UUK@google.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 11f2abc0907a1f96fa5194f4cc37070130e5172d Author: Francesco Dolcini Date: Thu Apr 27 16:29:33 2023 +0200 drm/bridge: tc358768: fix THS_TRAILCNT computation [ Upstream commit bac7842cd179572e8e0fc2d7b5254e40c6e9e057 ] Correct computation of THS_TRAILCNT register. This register must be set to a value that ensure that THS_TRAIL > 60 ns + 4 x UI and THS_TRAIL > 8 x UI and THS_TRAIL < TEOT with TEOT = 105 ns + (12 x UI) with the actual value of THS_TRAIL being (1 + THS_TRAILCNT) x ByteClk cycle + ((1 to 2) + 2) xHSBYTECLK cycle + - (PHY output delay) with PHY output delay being about (8 + (5 to 6)) x MIPIBitClk cycle in the BitClk conversion. Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") Signed-off-by: Francesco Dolcini Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-9-francesco@dolcini.it Signed-off-by: Sasha Levin commit 7b395f69524d7d4ba2d9e110ea68e173bdecf33f Author: Francesco Dolcini Date: Thu Apr 27 16:29:32 2023 +0200 drm/bridge: tc358768: fix TXTAGOCNT computation [ Upstream commit 3666aad8185af8d0ce164fd3c4974235417d6d0b ] Correct computation of TXTAGOCNT register. This register must be set to a value that ensure that the TTA-GO period = (4 x TLPX) with the actual value of TTA-GO being 4 x (TXTAGOCNT + 1) x (HSByteClk cycle) Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") Signed-off-by: Francesco Dolcini Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-8-francesco@dolcini.it Signed-off-by: Sasha Levin commit 8b40dd9577901127b26a00db5038108d082610d2 Author: Francesco Dolcini Date: Thu Apr 27 16:29:31 2023 +0200 drm/bridge: tc358768: fix THS_ZEROCNT computation [ Upstream commit 77a089328da791118af9692543a5eedc79eb5fd4 ] Correct computation of THS_ZEROCNT register. This register must be set to a value that ensure that THS_PREPARE + THS_ZERO > 145ns + 10*UI with the actual value of (THS_PREPARE + THS_ZERO) being ((1 to 2) + 1 + (TCLK_ZEROCNT + 1) + (3 to 4)) x ByteClk cycle + + HSByteClk x (2 + (1 to 2)) + (PHY delay) with PHY delay being about (8 + (5 to 6)) x MIPIBitClk cycle in the BitClk conversion. Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") Signed-off-by: Francesco Dolcini Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-7-francesco@dolcini.it Signed-off-by: Sasha Levin commit 0b096afbc17a65398358c6f9b5f8307647933a42 Author: Francesco Dolcini Date: Thu Apr 27 16:29:30 2023 +0200 drm/bridge: tc358768: fix TCLK_TRAILCNT computation [ Upstream commit ee18698e212b1659dd0850d7e2ae0f22e16ed3d3 ] Correct computation of TCLK_TRAILCNT register. The driver does not implement non-continuous clock mode, so the actual value doesn't make a practical difference yet. However this change also ensures that the value does not write to reserved registers bits in case of under/overflow. This register must be set to a value that ensures that TCLK-TRAIL > 60ns and TEOT <= (105 ns + 12 x UI) with the actual value of TCLK-TRAIL being (TCLK_TRAILCNT + (1 to 2)) xHSByteClkCycle + (2 + (1 to 2)) * HSBYTECLKCycle - (PHY output delay) with PHY output delay being about (2 to 3) x MIPIBitClk cycle in the BitClk conversion. Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") Signed-off-by: Francesco Dolcini Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-2-francesco@dolcini.it Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-3-francesco@dolcini.it Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-4-francesco@dolcini.it Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-5-francesco@dolcini.it Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-2-francesco@dolcini.it Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-3-francesco@dolcini.it Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-4-francesco@dolcini.it Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-5-francesco@dolcini.it Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-2-francesco@dolcini.it Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-3-francesco@dolcini.it Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-4-francesco@dolcini.it Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-5-francesco@dolcini.it Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-2-francesco@dolcini.it Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-3-francesco@dolcini.it Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-4-francesco@dolcini.it Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-5-francesco@dolcini.it Signed-off-by: Sasha Levin commit 62294711b5d209069065a79072549820d3924602 Author: Francesco Dolcini Date: Thu Mar 30 11:59:41 2023 +0200 drm/bridge: tc358768: Add atomic_get_input_bus_fmts() implementation [ Upstream commit cec5ccef85bd0128cf895612de54a9d21d2015d0 ] Add atomic_get_input_bus_fmts() implementation, tc358768 has a parallel RGB input interface with the actual bus format depending on the amount of parallel input data lines. Without this change when the tc358768 is used with less than 24bit the color mapping is completely wrong. Signed-off-by: Francesco Dolcini Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20230330095941.428122-7-francesco@dolcini.it Stable-dep-of: ee18698e212b ("drm/bridge: tc358768: fix TCLK_TRAILCNT computation") Signed-off-by: Sasha Levin commit 2ef6070193ca97c12052d6a0ffe0c6258c48b5a8 Author: Francesco Dolcini Date: Thu Apr 27 16:29:29 2023 +0200 drm/bridge: tc358768: fix TCLK_ZEROCNT computation [ Upstream commit f9cf811374f42fca31ac34aaf59ee2ae72b89879 ] Correct computation of TCLK_ZEROCNT register. This register must be set to a value that ensure that (TCLK-PREPARECNT + TCLK-ZERO) > 300ns with the actual value of (TCLK-PREPARECNT + TCLK-ZERO) being (1 to 2) + (TCLK_ZEROCNT + 1)) x HSByteClkCycle + (PHY output delay) with PHY output delay being about (2 to 3) x MIPIBitClk cycle in the BitClk conversion. Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") Signed-off-by: Francesco Dolcini Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-5-francesco@dolcini.it Signed-off-by: Sasha Levin commit 08180c6b8d1bc4454508aff48f2eaac7fbac5138 Author: Francesco Dolcini Date: Thu Apr 27 16:29:28 2023 +0200 drm/bridge: tc358768: fix PLL target frequency [ Upstream commit ffd2e4bbea626d565b9817312b0fcfb382fecb88 ] Correctly compute the PLL target frequency, the current formula works correctly only when the input bus width is 24bit, actually to properly compute the PLL target frequency what is relevant is the bits-per-pixel on the DSI link. No regression expected since the DSI format is currently hard-coded as MIPI_DSI_FMT_RGB888. Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") Signed-off-by: Francesco Dolcini Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-4-francesco@dolcini.it Signed-off-by: Sasha Levin commit f8d8dd9e56d4f4231a460196d5980d25d7c1a085 Author: Francesco Dolcini Date: Thu Apr 27 16:29:27 2023 +0200 drm/bridge: tc358768: fix PLL parameters computation [ Upstream commit 6a4020b4c63911977aaf8047f904a300d15de739 ] According to Toshiba documentation the PLL input clock after the divider should be not less than 4MHz, fix the PLL parameters computation accordingly. Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") Signed-off-by: Francesco Dolcini Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-3-francesco@dolcini.it Signed-off-by: Sasha Levin commit 3a2be6a53595ccce36b17a1c0229363d0eeddefb Author: Francesco Dolcini Date: Thu Apr 27 16:29:26 2023 +0200 drm/bridge: tc358768: always enable HS video mode [ Upstream commit 75a8aeac2573ab258c53676eba9b3796ea691988 ] Always enable HS video mode setting the TXMD bit, without this change no video output is present with DSI sinks that are setting MIPI_DSI_MODE_LPM flag (tested with LT8912B DSI-HDMI bridge). Previously the driver was enabling HS mode only when the DSI sink was not explicitly setting the MIPI_DSI_MODE_LPM, however this is not correct. The MIPI_DSI_MODE_LPM is supposed to indicate that the sink is willing to receive data in low power mode, however clearing the TC358768_DSI_CONTROL_TXMD bit will make the TC358768 send video in LP mode that is not the intended behavior. Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") Signed-off-by: Francesco Dolcini Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-2-francesco@dolcini.it Signed-off-by: Sasha Levin commit ca9f55c85379911ca43a6f8af6d152366fdf2c33 Author: Alexander Stein Date: Thu May 4 08:53:16 2023 +0200 drm/bridge: ti-sn65dsi83: Fix enable error path [ Upstream commit 8a91b29f1f50ce7742cdbe5cf11d17f128511f3f ] If PLL locking failed, the regulator needs to be disabled again. Fixes: 5664e3c907e2 ("drm/bridge: ti-sn65dsi83: Add vcc supply regulator support") Signed-off-by: Alexander Stein Reviewed-by: Laurent Pinchart Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20230504065316.2640739-1-alexander.stein@ew.tq-group.com Signed-off-by: Sasha Levin commit d7a431e72802ffe7096ec0232e6f016cb050921e Author: Geert Uytterhoeven Date: Tue May 2 09:42:29 2023 -0700 Input: tests - modular KUnit tests should not depend on KUNIT=y [ Upstream commit e0f41f836f5e861bdcaf4719f160b62dbb8e9485 ] While KUnit tests that cannot be built as a loadable module must depend on "KUNIT=y", this is not true for modular tests, where it adds an unnecessary limitation. Fix this by relaxing the dependency to "KUNIT". Fixes: fdefcbdd6f361841 ("Input: Add KUnit tests for some of the input core helper functions") Signed-off-by: Geert Uytterhoeven Reviewed-by: Javier Martinez Canillas Link: https://lore.kernel.org/r/483c4f520e4acc6357ebba3e605977b4c56374df.1683022164.git.geert+renesas@glider.be Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 92b4948fc558fb387e58ed37c80f683791b1691c Author: Geert Uytterhoeven Date: Tue May 2 09:41:46 2023 -0700 Input: tests - fix use-after-free and refcount underflow in input_test_exit() [ Upstream commit fd75f3694b1dd5070408ea4a58ca7f8e0a3fcbcd ] With CONFIG_DEBUG_SLAB=y: # Subtest: input_core 1..3 input: Test input device as /devices/virtual/input/input1 8<--- cut here --- Unable to handle kernel paging request at virtual address 6b6b6dd7 when read ... __lock_acquire from lock_acquire+0x26c/0x300 lock_acquire from _raw_spin_lock_irqsave+0x50/0x64 _raw_spin_lock_irqsave from devres_remove+0x20/0x7c devres_remove from devres_destroy+0x8/0x24 devres_destroy from input_free_device+0x2c/0x60 input_free_device from kunit_try_run_case+0x70/0x94 [kunit] Without CONFIG_DEBUG_SLAB=y: KTAP version 1 # Subtest: input_core 1..3 input: Test input device as /devices/virtual/input/input1 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 694 at lib/refcount.c:28 refcount_warn_saturate+0x54/0x100 refcount_t: underflow; use-after-free. ... Call Trace: [<0037cad4>] dump_stack+0xc/0x10 [<00377614>] __warn+0x7e/0xb4 [<0037768c>] warn_slowpath_fmt+0x42/0x62 [<001eee1c>] refcount_warn_saturate+0x54/0x100 [<000b1d34>] kfree_const+0x0/0x20 [<0036290a>] __kobject_del+0x0/0x6e [<001eee1c>] refcount_warn_saturate+0x54/0x100 [<00362a1a>] kobject_put+0xa2/0xb6 [<11965770>] kunit_generic_run_threadfn_adapter+0x0/0x1c [kunit] As per the comments for input_allocate_device() and input_register_device(), input_free_device() must be called only to free devices that have not been registered. input_unregister_device() already calls input_put_device(), thus leading to a use-after-free. Moreover, the kunit_suite.exit() method is called after every test case, even on failures. As the test itself already does cleanups in its failure paths, this may lead to a second use-after-free. Fix the first issue by dropping the call to input_allocate_device() from input_test_exit(). Fix the second issue by making the cleanup code conditional on a successful test. Fixes: fdefcbdd6f361841 ("Input: Add KUnit tests for some of the input core helper functions") Signed-off-by: Geert Uytterhoeven Reviewed-by: Javier Martinez Canillas Link: https://lore.kernel.org/r/957b3b309a44d39fb6e38b2a526b250f69ea3d2c.1683022164.git.geert+renesas@glider.be Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 28dc11949357f10712bd641b724ab373a92318de Author: Duoming Zhou Date: Mon May 1 17:37:02 2023 -0700 Input: cyttsp4_core - change del_timer_sync() to timer_shutdown_sync() [ Upstream commit dbe836576f12743a7d2d170ad4ad4fd324c4d47a ] The watchdog_timer can schedule tx_timeout_task and watchdog_work can also arm watchdog_timer. The process is shown below: ----------- timer schedules work ------------ cyttsp4_watchdog_timer() //timer handler schedule_work(&cd->watchdog_work) ----------- work arms timer ------------ cyttsp4_watchdog_work() //workqueue callback function cyttsp4_start_wd_timer() mod_timer(&cd->watchdog_timer, ...) Although del_timer_sync() and cancel_work_sync() are called in cyttsp4_remove(), the timer and workqueue could still be rearmed. As a result, the possible use after free bugs could happen. The process is shown below: (cleanup routine) | (timer and workqueue routine) cyttsp4_remove() | cyttsp4_watchdog_timer() //timer cyttsp4_stop_wd_timer() | schedule_work() del_timer_sync() | | cyttsp4_watchdog_work() //worker | cyttsp4_start_wd_timer() | mod_timer() cancel_work_sync() | | cyttsp4_watchdog_timer() //timer | schedule_work() del_timer_sync() | kfree(cd) //FREE | | cyttsp4_watchdog_work() // reschedule! | cd-> //USE This patch changes del_timer_sync() to timer_shutdown_sync(), which could prevent rearming of the timer from the workqueue. Fixes: 17fb1563d69b ("Input: cyttsp4 - add core driver for Cypress TMA4XX touchscreen devices") Signed-off-by: Duoming Zhou Link: https://lore.kernel.org/r/20230421082919.8471-1-duoming@zju.edu.cn Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 6ce0bc87416e3efb0d79579a2882680263a32d58 Author: Luca Weiss Date: Mon May 1 17:01:45 2023 -0700 Input: drv260x - sleep between polling GO bit [ Upstream commit efef661dfa6bf8cbafe4cd6a97433fcef0118967 ] When doing the initial startup there's no need to poll without any delay and spam the I2C bus. Let's sleep 15ms between each attempt, which is the same time as used in the vendor driver. Fixes: 7132fe4f5687 ("Input: drv260x - add TI drv260x haptics driver") Signed-off-by: Luca Weiss Link: https://lore.kernel.org/r/20230430-drv260x-improvements-v1-2-1fb28b4cc698@z3ntu.xyz Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 1fef2b720171ac157c6c2cfe357a2dde43a03e40 Author: Markus Elfring Date: Sun Apr 16 17:30:46 2023 +0200 drm/bridge: it6505: Move a variable assignment behind a null pointer check in receive_timing_debugfs_show() [ Upstream commit 0be05a75de2916421e88e0d64b001984f54df0bd ] The address of a data structure member was determined before a corresponding null pointer check in the implementation of the function “receive_timing_debugfs_show”. Thus avoid the risk for undefined behaviour by moving the assignment for the variable “vid” behind the null pointer check. This issue was detected by using the Coccinelle software. Fixes: b5c84a9edcd4 ("drm/bridge: add it6505 driver") Signed-off-by: Markus Elfring Link: https://patchwork.freedesktop.org/patch/msgid/fa69384f-1485-142b-c4ee-3df54ac68a89@web.de Reviewed-by: Robert Foss Signed-off-by: Robert Foss Signed-off-by: Sasha Levin commit d75eddb703f821f377fd179945009547d99e737c Author: Vinay Belgaumkar Date: Tue Apr 25 17:39:41 2023 -0700 drm/i915/guc/slpc: Provide sysfs for efficient freq [ Upstream commit 55f9720dbf23ed640a51ea5564c22305efa8a467 ] SLPC enables use of efficient freq at init by default. It is possible for GuC to request frequencies that are higher than the 'software' max if user has set it lower than the efficient level. Scenarios/tests that require strict fixing of freq below the efficient level will need to disable it through this interface. v2: Keep just one interface to toggle sysfs. With this, user will be completely responsible for toggling efficient frequency if need be. There will be no implicit disabling when user sets min < RP1 (Ashutosh) v3: Remove unused label, review comments (Ashutosh) v4: Toggle efficient freq usage in SLPC selftest and checkpatch fixes v5: Review comments (Andi) and add a separate patch for selftest updates Fixes: 95ccf312a1e4 ("drm/i915/guc/slpc: Allow SLPC to use efficient frequency") Signed-off-by: Vinay Belgaumkar Reviewed-by: Rodrigo Vivi Reviewed-by: Ashutosh Dixit Reviewed-by: Andi Shyti Signed-off-by: John Harrison Link: https://patchwork.freedesktop.org/patch/msgid/20230426003942.1924347-1-vinay.belgaumkar@intel.com Signed-off-by: Sasha Levin commit d87d3f9707ca1ae34b785edb66d4b48ff4b897d7 Author: Nicholas Kazlauskas Date: Thu May 2 13:21:48 2019 -0400 drm/amd/display: Explicitly specify update type per plane info change [ Upstream commit 710cc1e7cd461446a9325c9bd1e9a54daa462952 ] [Why] The bit for flip addr is being set causing the determination for FAST vs MEDIUM to always return MEDIUM when plane info is provided as a surface update. This causes extreme stuttering for the typical atomic update path on Linux. [How] Don't use update_flags->raw for determining FAST vs MEDIUM. It's too fragile to changes like this. Explicitly specify the update type per update flag instead. It's not as clever as checking the bits itself but at least it's correct. Fixes: aa5fdb1ab5b6 ("drm/amd/display: Explicitly specify update type per plane info change") Reviewed-by: Rodrigo Siqueira Signed-off-by: Nicholas Kazlauskas Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit e985e29f52842e5f55de1f776f847315e52021b6 Author: Nikita Zhandarovich Date: Thu Apr 13 08:12:28 2023 -0700 radeon: avoid double free in ci_dpm_init() [ Upstream commit 20c3dffdccbd494e0dd631d1660aeecbff6775f2 ] Several calls to ci_dpm_fini() will attempt to free resources that either have been freed before or haven't been allocated yet. This may lead to undefined or dangerous behaviour. For instance, if r600_parse_extended_power_table() fails, it might call r600_free_extended_power_table() as will ci_dpm_fini() later during error handling. Fix this by only freeing pointers to objects previously allocated. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") Co-developed-by: Natalia Petrova Signed-off-by: Nikita Zhandarovich Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 12068e0daebb06bde5ae4a1a31cae3aa1b703083 Author: Arnd Bergmann Date: Tue Apr 18 00:07:18 2023 +0200 drm/amd/display: fix is_timing_changed() prototype [ Upstream commit 3306ba4b60b2f3d9ac6bddc587a4d702e1ba2224 ] Three functions in the amdgpu display driver cause -Wmissing-prototype warnings: drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_resource.c:1858:6: error: no previous prototype for 'is_timing_changed' [-Werror=missing-prototypes] is_timing_changed() is actually meant to be a global symbol, but needs a proper name and prototype. Fixes: 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in atomic check") Reviewed-by: Aurabindo Pillai Signed-off-by: Arnd Bergmann Signed-off-by: Hamza Mahfooz Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 8fd83056c5eacc1efb4a0c10ce34d4efad998031 Author: Wesley Chalmers Date: Wed Jun 10 11:49:16 2020 -0400 drm/amd/display: Add logging for display MALL refresh setting [ Upstream commit cd8f067a46d34dee3188da184912ae3d64d98444 ] [WHY] Add log entry for when display refresh from MALL settings are sent to SMU. Fixes: 1664641ea946 ("drm/amd/display: Add logger for SMU msg") Signed-off-by: Wesley Chalmers Acked-by: Aurabindo Pillai Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 3f6be5e1bc746f519d12a64cfcca43c217d5794d Author: Srinivasan Shanmugam Date: Mon Apr 17 22:30:01 2023 +0530 drm/amd/display: Unconditionally print when DP sink power state fails [ Upstream commit e4dfd94d5e3851df607b26ab5b20ad8d94f5ccff ] The previous 'commit ca9beb8aac68 ("drm/amd/display: Add logging when setting DP sink power state fails")', it is better to unconditionally print "failed to power up sink", because we are returning DC_ERROR_UNEXPECTED. Fixes: ca9beb8aac68 ("drm/amd/display: Add logging when setting DP sink power state fails") Cc: Aurabindo Pillai Cc: Fangzhi Zuo Signed-off-by: Srinivasan Shanmugam Reviewed-by: Aurabindo Pillai Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 0f4773ce05022c385b01e21c65da6d8bc1acf39b Author: Dan Carpenter Date: Wed Mar 22 12:06:55 2023 +0300 drm/imx/lcdc: fix a NULL vs IS_ERR() bug in probe [ Upstream commit dae2f7b89a8436351a2982d0d96a8a56accca576 ] The devm_drm_dev_alloc() function returns error pointers. It never returns NULL. Fix the check. Fixes: c87e859cdeb5 ("drm/imx/lcdc: Implement DRM driver for imx25") Signed-off-by: Dan Carpenter Reviewed-by: Uwe Kleine-König Signed-off-by: Javier Martinez Canillas Link: https://patchwork.freedesktop.org/patch/msgid/d0a1fc55-3ef6-444e-b3ef-fdc937d8d57a@kili.mountain Signed-off-by: Sasha Levin commit 1e4e06b27cd986bc1aa6fde39089cd6d79dbd785 Author: Kuniyuki Iwashima Date: Mon Jun 26 09:43:13 2023 -0700 netlink: Add __sock_i_ino() for __netlink_diag_dump(). [ Upstream commit 25a9c8a4431c364f97f75558cb346d2ad3f53fbb ] syzbot reported a warning in __local_bh_enable_ip(). [0] Commit 8d61f926d420 ("netlink: fix potential deadlock in netlink_set_err()") converted read_lock(&nl_table_lock) to read_lock_irqsave() in __netlink_diag_dump() to prevent a deadlock. However, __netlink_diag_dump() calls sock_i_ino() that uses read_lock_bh() and read_unlock_bh(). If CONFIG_TRACE_IRQFLAGS=y, read_unlock_bh() finally enables IRQ even though it should stay disabled until the following read_unlock_irqrestore(). Using read_lock() in sock_i_ino() would trigger a lockdep splat in another place that was fixed in commit f064af1e500a ("net: fix a lockdep splat"), so let's add __sock_i_ino() that would be safe to use under BH disabled. [0]: WARNING: CPU: 0 PID: 5012 at kernel/softirq.c:376 __local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376 Modules linked in: CPU: 0 PID: 5012 Comm: syz-executor487 Not tainted 6.4.0-rc7-syzkaller-00202-g6f68fc395f49 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 RIP: 0010:__local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376 Code: 45 bf 01 00 00 00 e8 91 5b 0a 00 e8 3c 15 3d 00 fb 65 8b 05 ec e9 b5 7e 85 c0 74 58 5b 5d c3 65 8b 05 b2 b6 b4 7e 85 c0 75 a2 <0f> 0b eb 9e e8 89 15 3d 00 eb 9f 48 89 ef e8 6f 49 18 00 eb a8 0f RSP: 0018:ffffc90003a1f3d0 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000201 RCX: 1ffffffff1cf5996 RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff8805c6f3 RBP: ffffffff8805c6f3 R08: 0000000000000001 R09: ffff8880152b03a3 R10: ffffed1002a56074 R11: 0000000000000005 R12: 00000000000073e4 R13: dffffc0000000000 R14: 0000000000000002 R15: 0000000000000000 FS: 0000555556726300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000045ad50 CR3: 000000007c646000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: sock_i_ino+0x83/0xa0 net/core/sock.c:2559 __netlink_diag_dump+0x45c/0x790 net/netlink/diag.c:171 netlink_diag_dump+0xd6/0x230 net/netlink/diag.c:207 netlink_dump+0x570/0xc50 net/netlink/af_netlink.c:2269 __netlink_dump_start+0x64b/0x910 net/netlink/af_netlink.c:2374 netlink_dump_start include/linux/netlink.h:329 [inline] netlink_diag_handler_dump+0x1ae/0x250 net/netlink/diag.c:238 __sock_diag_cmd net/core/sock_diag.c:238 [inline] sock_diag_rcv_msg+0x31e/0x440 net/core/sock_diag.c:269 netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2547 sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1914 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0xde/0x190 net/socket.c:747 ____sys_sendmsg+0x71c/0x900 net/socket.c:2503 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2557 __sys_sendmsg+0xf7/0x1c0 net/socket.c:2586 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f5303aaabb9 Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc7506e548 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5303aaabb9 RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003 RBP: 00007f5303a6ed60 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5303a6edf0 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Fixes: 8d61f926d420 ("netlink: fix potential deadlock in netlink_set_err()") Reported-by: syzbot+5da61cf6a9bc1902d422@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=5da61cf6a9bc1902d422 Suggested-by: Eric Dumazet Signed-off-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/20230626164313.52528-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 3f9e79f31e51b7d5bf95c617540deb6cf2816a3f Author: Vladimir Oltean Date: Mon Jun 26 18:44:02 2023 +0300 net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses [ Upstream commit d06f925f13976ab82167c93467c70a337a0a3cda ] When using the felix driver (the only one which supports UC filtering and MC filtering) as a DSA master for a random other DSA switch, one can see the following stack trace when the downstream switch ports join a VLAN-aware bridge: ============================= WARNING: suspicious RCU usage ----------------------------- net/8021q/vlan_core.c:238 suspicious rcu_dereference_protected() usage! stack backtrace: Workqueue: dsa_ordered dsa_slave_switchdev_event_work Call trace: lockdep_rcu_suspicious+0x170/0x210 vlan_for_each+0x8c/0x188 dsa_slave_sync_uc+0x128/0x178 __hw_addr_sync_dev+0x138/0x158 dsa_slave_set_rx_mode+0x58/0x70 __dev_set_rx_mode+0x88/0xa8 dev_uc_add+0x74/0xa0 dsa_port_bridge_host_fdb_add+0xec/0x180 dsa_slave_switchdev_event_work+0x7c/0x1c8 process_one_work+0x290/0x568 What it's saying is that vlan_for_each() expects rtnl_lock() context and it's not getting it, when it's called from the DSA master's ndo_set_rx_mode(). The caller of that - dsa_slave_set_rx_mode() - is the slave DSA interface's dsa_port_bridge_host_fdb_add() which comes from the deferred dsa_slave_switchdev_event_work(). We went to great lengths to avoid the rtnl_lock() context in that call path in commit 0faf890fc519 ("net: dsa: drop rtnl_lock from dsa_slave_switchdev_event_work"), and calling rtnl_lock() is simply not an option due to the possibility of deadlocking when calling dsa_flush_workqueue() from the call paths that do hold rtnl_lock() - basically all of them. So, when the DSA master calls vlan_for_each() from its ndo_set_rx_mode(), the state of the 8021q driver on this device is really not protected from concurrent access by anything. Looking at net/8021q/, I don't think that vlan_info->vid_list was particularly designed with RCU traversal in mind, so introducing an RCU read-side form of vlan_for_each() - vlan_for_each_rcu() - won't be so easy, and it also wouldn't be exactly what we need anyway. In general I believe that the solution isn't in net/8021q/ anyway; vlan_for_each() is not cut out for this task. DSA doesn't need rtnl_lock() to be held per se - since it's not a netdev state change that we're blocking, but rather, just concurrent additions/removals to a VLAN list. We don't even need sleepable context - the callback of vlan_for_each() just schedules deferred work. The proposed escape is to remove the dependency on vlan_for_each() and to open-code a non-sleepable, rtnl-free alternative to that, based on copies of the VLAN list modified from .ndo_vlan_rx_add_vid() and .ndo_vlan_rx_kill_vid(). Fixes: 64fdc5f341db ("net: dsa: sync unicast and multicast addresses for VLAN filters too") Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20230626154402.3154454-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit b83927b9562d2d2275f7f0a22100401f6303a082 Author: Cambda Zhu Date: Mon Jun 26 17:33:47 2023 +0800 ipvlan: Fix return value of ipvlan_queue_xmit() [ Upstream commit 8a9922e7be6d042fa00f894c376473b17a162b66 ] ipvlan_queue_xmit() should return NET_XMIT_XXX, but ipvlan_xmit_mode_l2/l3() returns rx_handler_result_t or NET_RX_XXX in some cases. ipvlan_rcv_frame() will only return RX_HANDLER_CONSUMED in ipvlan_xmit_mode_l2/l3() because 'local' is true. It's equal to NET_XMIT_SUCCESS. But dev_forward_skb() can return NET_RX_SUCCESS or NET_RX_DROP, and returning NET_RX_DROP(NET_XMIT_DROP) will increase both ipvlan and ipvlan->phy_dev drops counter. The skb to forward can be treated as xmitted successfully. This patch makes ipvlan_queue_xmit() return NET_XMIT_SUCCESS for forward skb. Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") Signed-off-by: Cambda Zhu Link: https://lore.kernel.org/r/20230626093347.7492-1-cambda@linux.alibaba.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 9c959671abc7d4ffdf34eed10c64492d43cb6a3c Author: Pablo Neira Ayuso Date: Mon Jun 26 00:42:19 2023 +0200 netfilter: nf_tables: fix underflow in chain reference counter [ Upstream commit b389139f12f287b8ed2e2628b72df89a081f0b59 ] Set element addition error path decrements reference counter on chains twice: once on element release and again via nft_data_release(). Then, d6b478666ffa ("netfilter: nf_tables: fix underflow in object reference counter") incorrectly fixed this by removing the stateful object reference count decrement. Restore the stateful object decrement as in b91d90368837 ("netfilter: nf_tables: fix leaking object reference count") and let nft_data_release() decrement the chain reference counter, so this is done only once. Fixes: d6b478666ffa ("netfilter: nf_tables: fix underflow in object reference counter") Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit b761dea6b8a28cedf42c15b2019323bf88c20352 Author: Pablo Neira Ayuso Date: Mon Jun 26 00:42:18 2023 +0200 netfilter: nf_tables: unbind non-anonymous set if rule construction fails [ Upstream commit 3e70489721b6c870252c9082c496703677240f53 ] Otherwise a dangling reference to a rule object that is gone remains in the set binding list. Fixes: 26b5a5712eb8 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 75a9544ec92a2dbad0763f80cf6f95c284968cd1 Author: Ilia.Gavrilov Date: Fri Jun 23 11:23:46 2023 +0000 netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value. [ Upstream commit f188d30087480eab421cd8ca552fb15f55d57f4d ] ct_sip_parse_numerical_param() returns only 0 or 1 now. But process_register_request() and process_register_response() imply checking for a negative value if parsing of a numerical header parameter failed. The invocation in nf_nat_sip() looks correct: if (ct_sip_parse_numerical_param(...) > 0 && ...) { ... } Make the return value of the function ct_sip_parse_numerical_param() a tristate to fix all the cases a) return 1 if value is found; *val is set b) return 0 if value is not found; *val is unchanged c) return -1 on error; *val is undefined Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 0f32a40fc91a ("[NETFILTER]: nf_conntrack_sip: create signalling expectations") Signed-off-by: Ilia.Gavrilov Reviewed-by: Simon Horman Reviewed-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 8c0980493beed3a80d6329c44ab293dc8c032927 Author: Florian Westphal Date: Wed Jun 21 17:56:53 2023 +0200 netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one [ Upstream commit ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30 ] Eric Dumazet says: nf_conntrack_dccp_packet() has an unique: dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); And nothing more is 'pulled' from the packet, depending on the content. dh->dccph_doff, and/or dh->dccph_x ...) So dccp_ack_seq() is happily reading stuff past the _dh buffer. BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0 Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371 [..] Fix this by increasing the stack buffer to also include room for the extra sequence numbers and all the known dccp packet type headers, then pull again after the initial validation of the basic header. While at it, mark packets invalid that lack 48bit sequence bit but where RFC says the type MUST use them. Compile tested only. v2: first skb_header_pointer() now needs to adjust the size to only pull the generic header. (Eric) Heads-up: I intend to remove dccp conntrack support later this year. Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support") Reported-by: Eric Dumazet Signed-off-by: Florian Westphal Reviewed-by: Eric Dumazet Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 6adea070d9402eb6f215bb540d9e002743074c55 Author: Jeremy Sowden Date: Mon Jun 19 20:06:57 2023 +0100 lib/ts_bm: reset initial match offset for every block of text [ Upstream commit 6f67fbf8192da80c4db01a1800c7fceaca9cf1f9 ] The `shift` variable which indicates the offset in the string at which to start matching the pattern is initialized to `bm->patlen - 1`, but it is not reset when a new block is retrieved. This means the implemen- tation may start looking at later and later positions in each successive block and miss occurrences of the pattern at the beginning. E.g., consider a HTTP packet held in a non-linear skb, where the HTTP request line occurs in the second block: [... 52 bytes of packet headers ...] GET /bmtest HTTP/1.1\r\nHost: www.example.com\r\n\r\n and the pattern is "GET /bmtest". Once the first block comprising the packet headers has been examined, `shift` will be pointing to somewhere near the end of the block, and so when the second block is examined the request line at the beginning will be missed. Reinitialize the variable for each new block. Fixes: 8082e4ed0a61 ("[LIB]: Boyer-Moore extension for textsearch infrastructure strike #2") Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1390 Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit e5207c1d69b1a9707615ab6ff9376e59fc096815 Author: Lin Ma Date: Sun Jun 25 17:10:07 2023 +0800 net: nfc: Fix use-after-free caused by nfc_llcp_find_local [ Upstream commit 6709d4b7bc2e079241fdef15d1160581c5261c10 ] This commit fixes several use-after-free that caused by function nfc_llcp_find_local(). For example, one UAF can happen when below buggy time window occurs. // nfc_genl_llc_get_params | // nfc_unregister_device | dev = nfc_get_device(idx); | device_lock(...) if (!dev) | dev->shutting_down = true; return -ENODEV; | device_unlock(...); | device_lock(...); | // nfc_llcp_unregister_device | nfc_llcp_find_local() nfc_llcp_find_local(...); | | local_cleanup() if (!local) { | rc = -ENODEV; | // nfc_llcp_local_put goto exit; | kref_put(.., local_release) } | | // local_release | list_del(&local->list) // nfc_genl_send_params | kfree() local->dev->idx !!!UAF!!! | | and the crash trace for the one of the discussed UAF like: BUG: KASAN: slab-use-after-free in nfc_genl_llc_get_params+0x72f/0x780 net/nfc/netlink.c:1045 Read of size 8 at addr ffff888105b0e410 by task 20114 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:319 [inline] print_report+0xcc/0x620 mm/kasan/report.c:430 kasan_report+0xb2/0xe0 mm/kasan/report.c:536 nfc_genl_send_params net/nfc/netlink.c:999 [inline] nfc_genl_llc_get_params+0x72f/0x780 net/nfc/netlink.c:1045 genl_family_rcv_msg_doit.isra.0+0x1ee/0x2e0 net/netlink/genetlink.c:968 genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline] genl_rcv_msg+0x503/0x7d0 net/netlink/genetlink.c:1065 netlink_rcv_skb+0x161/0x430 net/netlink/af_netlink.c:2548 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x644/0x900 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x934/0xe70 net/netlink/af_netlink.c:1913 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0x1b6/0x200 net/socket.c:747 ____sys_sendmsg+0x6e9/0x890 net/socket.c:2501 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2555 __sys_sendmsg+0xf7/0x1d0 net/socket.c:2584 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f34640a2389 RSP: 002b:00007f3463415168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f34641c1f80 RCX: 00007f34640a2389 RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000006 RBP: 00007f34640ed493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe38449ecf R14: 00007f3463415300 R15: 0000000000022000 Allocated by task 20116: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc+0x7f/0x90 mm/kasan/common.c:383 kmalloc include/linux/slab.h:580 [inline] kzalloc include/linux/slab.h:720 [inline] nfc_llcp_register_device+0x49/0xa40 net/nfc/llcp_core.c:1567 nfc_register_device+0x61/0x260 net/nfc/core.c:1124 nci_register_device+0x776/0xb20 net/nfc/nci/core.c:1257 virtual_ncidev_open+0x147/0x230 drivers/nfc/virtual_ncidev.c:148 misc_open+0x379/0x4a0 drivers/char/misc.c:165 chrdev_open+0x26c/0x780 fs/char_dev.c:414 do_dentry_open+0x6c4/0x12a0 fs/open.c:920 do_open fs/namei.c:3560 [inline] path_openat+0x24fe/0x37e0 fs/namei.c:3715 do_filp_open+0x1ba/0x410 fs/namei.c:3742 do_sys_openat2+0x171/0x4c0 fs/open.c:1356 do_sys_open fs/open.c:1372 [inline] __do_sys_openat fs/open.c:1388 [inline] __se_sys_openat fs/open.c:1383 [inline] __x64_sys_openat+0x143/0x200 fs/open.c:1383 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 20115: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521 ____kasan_slab_free mm/kasan/common.c:236 [inline] ____kasan_slab_free mm/kasan/common.c:200 [inline] __kasan_slab_free+0x10a/0x190 mm/kasan/common.c:244 kasan_slab_free include/linux/kasan.h:162 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook mm/slub.c:1807 [inline] slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x7a/0x190 mm/slub.c:3800 local_release net/nfc/llcp_core.c:174 [inline] kref_put include/linux/kref.h:65 [inline] nfc_llcp_local_put net/nfc/llcp_core.c:182 [inline] nfc_llcp_local_put net/nfc/llcp_core.c:177 [inline] nfc_llcp_unregister_device+0x206/0x290 net/nfc/llcp_core.c:1620 nfc_unregister_device+0x160/0x1d0 net/nfc/core.c:1179 virtual_ncidev_close+0x52/0xa0 drivers/nfc/virtual_ncidev.c:163 __fput+0x252/0xa20 fs/file_table.c:321 task_work_run+0x174/0x270 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x108/0x110 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] syscall_exit_to_user_mode+0x21/0x50 kernel/entry/common.c:297 do_syscall_64+0x4c/0x90 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x72/0xdc Last potentially related work creation: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 __kasan_record_aux_stack+0x95/0xb0 mm/kasan/generic.c:491 kvfree_call_rcu+0x29/0xa80 kernel/rcu/tree.c:3328 drop_sysctl_table+0x3be/0x4e0 fs/proc/proc_sysctl.c:1735 unregister_sysctl_table.part.0+0x9c/0x190 fs/proc/proc_sysctl.c:1773 unregister_sysctl_table+0x24/0x30 fs/proc/proc_sysctl.c:1753 neigh_sysctl_unregister+0x5f/0x80 net/core/neighbour.c:3895 addrconf_notify+0x140/0x17b0 net/ipv6/addrconf.c:3684 notifier_call_chain+0xbe/0x210 kernel/notifier.c:87 call_netdevice_notifiers_info+0xb5/0x150 net/core/dev.c:1937 call_netdevice_notifiers_extack net/core/dev.c:1975 [inline] call_netdevice_notifiers net/core/dev.c:1989 [inline] dev_change_name+0x3c3/0x870 net/core/dev.c:1211 dev_ifsioc+0x800/0xf70 net/core/dev_ioctl.c:376 dev_ioctl+0x3d9/0xf80 net/core/dev_ioctl.c:542 sock_do_ioctl+0x160/0x260 net/socket.c:1213 sock_ioctl+0x3f9/0x670 net/socket.c:1316 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x19e/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc The buggy address belongs to the object at ffff888105b0e400 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 16 bytes inside of freed 1024-byte region [ffff888105b0e400, ffff888105b0e800) The buggy address belongs to the physical page: head:ffffea000416c200 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x200000000010200(slab|head|node=0|zone=2) raw: 0200000000010200 ffff8881000430c0 ffffea00044c7010 ffffea0004510e10 raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888105b0e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888105b0e380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888105b0e400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888105b0e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888105b0e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb In summary, this patch solves those use-after-free by 1. Re-implement the nfc_llcp_find_local(). The current version does not grab the reference when getting the local from the linked list. For example, the llcp_sock_bind() gets the reference like below: // llcp_sock_bind() local = nfc_llcp_find_local(dev); // A ..... \ | raceable ..... / llcp_sock->local = nfc_llcp_local_get(local); // B There is an apparent race window that one can drop the reference and free the local object fetched in (A) before (B) gets the reference. 2. Some callers of the nfc_llcp_find_local() do not grab the reference at all. For example, the nfc_genl_llc_{{get/set}_params/sdreq} functions. We add the nfc_llcp_local_put() for them. Moreover, we add the necessary error handling function to put the reference. 3. Add the nfc_llcp_remove_local() helper. The local object is removed from the linked list in local_release() when all reference is gone. This patch removes it when nfc_llcp_unregister_device() is called. Therefore, every caller of nfc_llcp_find_local() will get a reference even when the nfc_llcp_unregister_device() is called. This promises no use-after-free for the local object is ever possible. Fixes: 52feb444a903 ("NFC: Extend netlink interface for LTO, RW, and MIUX parameters support") Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket") Signed-off-by: Lin Ma Reviewed-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit aba32b4c58112960c0c708703ca6b44dc8944082 Author: Edward Cree Date: Fri Jun 23 15:34:48 2023 +0100 sfc: fix crash when reading stats while NIC is resetting [ Upstream commit d1b355438b8325a486f087e506d412c4e852f37b ] efx_net_stats() (.ndo_get_stats64) can be called during an ethtool selftest, during which time nic_data->mc_stats is NULL as the NIC has been fini'd. In this case do not attempt to fetch the latest stats from the hardware, else we will crash on a NULL dereference: BUG: kernel NULL pointer dereference, address: 0000000000000038 RIP efx_nic_update_stats abridged calltrace: efx_ef10_update_stats_pf efx_net_stats dev_get_stats dev_seq_printf_stats Skipping the read is safe, we will simply give out stale stats. To ensure that the free in efx_ef10_fini_nic() does not race against efx_ef10_update_stats_pf(), which could cause a TOCTTOU bug, take the efx->stats_lock in fini_nic (it is already held across update_stats). Fixes: d3142c193dca ("sfc: refactor EF10 stats handling") Reviewed-by: Pieter Jansen van Vuuren Signed-off-by: Edward Cree Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9b5fd0d08d7e2b401d50a9c19c4eab0d9992e9ef Author: David Howells Date: Fri Jun 23 23:55:10 2023 +0100 ocfs2: Fix use of slab data with sendpage [ Upstream commit 86d7bd6e66e9925f0f04a7bcf3c92c05fdfefb5a ] ocfs2 uses kzalloc() to allocate buffers for o2net_hand, o2net_keep_req and o2net_keep_resp and then passes these to sendpage. This isn't really allowed as the lifetime of slab objects is not controlled by page ref - though in this case it will probably work. sendmsg() with MSG_SPLICE_PAGES will, however, print a warning and give an error. Fix it to use folio_alloc() instead to allocate a buffer for the handshake message, keepalive request and reply messages. Fixes: 98211489d414 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem") Signed-off-by: David Howells cc: Mark Fasheh cc: Kurt Hackel cc: Joel Becker cc: Joseph Qi cc: ocfs2-devel@oss.oracle.com Link: https://lore.kernel.org/r/20230623225513.2732256-14-dhowells@redhat.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 0f46802ed637b3f5d5081e688b6f7d9ba3a4f08a Author: Maxim Kochetkov Date: Thu Jun 22 22:22:45 2023 +0300 net: axienet: Move reset before 64-bit DMA detection [ Upstream commit f1bc9fc4a06de0108e0dca2a9a7e99ba1fc632f9 ] 64-bit DMA detection will fail if axienet was started before (by boot loader, boot ROM, etc). In this state axienet will not start properly. XAXIDMA_TX_CDESC_OFFSET + 4 register (MM2S_CURDESC_MSB) is used to detect 64-bit DMA capability here. But datasheet says: When DMACR.RS is 1 (axienet is in enabled state), CURDESC_PTR becomes Read Only (RO) and is used to fetch the first descriptor. So iowrite32()/ioread32() trick to this register to detect 64-bit DMA will not work. So move axienet reset before 64-bit DMA detection. Fixes: f735c40ed93c ("net: axienet: Autodetect 64-bit DMA capability") Signed-off-by: Maxim Kochetkov Reviewed-by: Robert Hancock Reviewed-by: Radhey Shyam Pandey Link: https://lore.kernel.org/r/20230622192245.116864-1-fido_max@inbox.ru Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 58fa341327fdb4bdf92597fd8796a9abc8d20ea3 Author: Kuniyuki Iwashima Date: Thu Jun 22 14:32:31 2023 -0700 gtp: Fix use-after-free in __gtp_encap_destroy(). [ Upstream commit ce3aee7114c575fab32a5e9e939d4bbb3dcca79f ] syzkaller reported use-after-free in __gtp_encap_destroy(). [0] It shows the same process freed sk and touched it illegally. Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock() and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, but release_sock() is called after sock_put() releases the last refcnt. [0]: BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline] BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401 CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:351 [inline] print_report+0xcc/0x620 mm/kasan/report.c:462 kasan_report+0xb2/0xe0 mm/kasan/report.c:572 check_region_inline mm/kasan/generic.c:181 [inline] kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] do_raw_spin_lock include/linux/spinlock.h:186 [inline] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:355 [inline] release_sock+0x1f/0x1a0 net/core/sock.c:3526 gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 rtnl_delete_link net/core/rtnetlink.c:3216 [inline] rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0x1b7/0x200 net/socket.c:747 ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f1168b1fe5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003 RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000 Allocated by task 1483: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x59/0x70 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:186 [inline] slab_post_alloc_hook mm/slab.h:711 [inline] slab_alloc_node mm/slub.c:3451 [inline] slab_alloc mm/slub.c:3459 [inline] __kmem_cache_alloc_lru mm/slub.c:3466 [inline] kmem_cache_alloc+0x16d/0x340 mm/slub.c:3475 sk_prot_alloc+0x5f/0x280 net/core/sock.c:2073 sk_alloc+0x34/0x6c0 net/core/sock.c:2132 inet6_create net/ipv6/af_inet6.c:192 [inline] inet6_create+0x2c7/0xf20 net/ipv6/af_inet6.c:119 __sock_create+0x2a1/0x530 net/socket.c:1535 sock_create net/socket.c:1586 [inline] __sys_socket_create net/socket.c:1623 [inline] __sys_socket_create net/socket.c:1608 [inline] __sys_socket+0x137/0x250 net/socket.c:1651 __do_sys_socket net/socket.c:1664 [inline] __se_sys_socket net/socket.c:1662 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1662 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 2401: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521 ____kasan_slab_free mm/kasan/common.c:236 [inline] ____kasan_slab_free mm/kasan/common.c:200 [inline] __kasan_slab_free+0x10c/0x1b0 mm/kasan/common.c:244 kasan_slab_free include/linux/kasan.h:162 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook mm/slub.c:1807 [inline] slab_free mm/slub.c:3786 [inline] kmem_cache_free+0xb4/0x490 mm/slub.c:3808 sk_prot_free net/core/sock.c:2113 [inline] __sk_destruct+0x500/0x720 net/core/sock.c:2207 sk_destruct+0xc1/0xe0 net/core/sock.c:2222 __sk_free+0xed/0x3d0 net/core/sock.c:2233 sk_free+0x7c/0xa0 net/core/sock.c:2244 sock_put include/net/sock.h:1981 [inline] __gtp_encap_destroy+0x165/0x1b0 drivers/net/gtp.c:634 gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 rtnl_delete_link net/core/rtnetlink.c:3216 [inline] rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0x1b7/0x200 net/socket.c:747 ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc The buggy address belongs to the object at ffff88800dbef300 which belongs to the cache UDPv6 of size 1344 The buggy address is located 152 bytes inside of freed 1344-byte region [ffff88800dbef300, ffff88800dbef840) The buggy address belongs to the physical page: page:00000000d31bfed5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800dbeed40 pfn:0xdbe8 head:00000000d31bfed5 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff888008ee0801 flags: 0x100000000010200(slab|head|node=0|zone=1) page_type: 0xffffffff() raw: 0100000000010200 ffff88800c7a3000 dead000000000122 0000000000000000 raw: ffff88800dbeed40 0000000080160015 00000001ffffffff ffff888008ee0801 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800dbef280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88800dbef300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88800dbef380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800dbef400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800dbef480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage") Reported-by: syzkaller Signed-off-by: Kuniyuki Iwashima Reviewed-by: Pablo Neira Ayuso Link: https://lore.kernel.org/r/20230622213231.24651-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 414a09badb48076b34a455d451776517bfb2c3ec Author: Sabrina Dubroca Date: Thu Jun 22 23:03:34 2023 +0200 selftests: rtnetlink: remove netdevsim device after ipsec offload test [ Upstream commit 5f789f103671fec3733ebe756e56adf15c90c21d ] On systems where netdevsim is built-in or loaded before the test starts, kci_test_ipsec_offload doesn't remove the netdevsim device it created during the test. Fixes: e05b2d141fef ("netdevsim: move netdev creation/destruction to dev probe") Signed-off-by: Sabrina Dubroca Reviewed-by: Simon Horman Reviewed-by: Jiri Pirko Link: https://lore.kernel.org/r/e1cb94f4f82f4eca4a444feec4488a1323396357.1687466906.git.sd@queasysnail.net Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 536ad56748c79d369d56fe86eab3ffc022be8345 Author: Eric Dumazet Date: Thu Jun 22 18:15:03 2023 +0000 sch_netem: fix issues in netem_change() vs get_dist_table() [ Upstream commit 11b73313c12403f617b47752db0ab3deef201af7 ] In blamed commit, I missed that get_dist_table() was allocating memory using GFP_KERNEL, and acquiring qdisc lock to perform the swap of newly allocated table with current one. In this patch, get_dist_table() is allocating memory and copy user data before we acquire the qdisc lock. Then we perform swap operations while being protected by the lock. Note that after this patch netem_change() no longer can do partial changes. If an error is returned, qdisc conf is left unchanged. Fixes: 2174a08db80d ("sch_netem: acquire qdisc lock in netem_change()") Reported-by: syzbot Signed-off-by: Eric Dumazet Cc: Stephen Hemminger Acked-by: Jamal Hadi Salim Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/20230622181503.2327695-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit bc16fc63592c419357dd4c4d82d50762102a60ef Author: Eric Dumazet Date: Thu Jun 22 15:23:04 2023 +0000 bonding: do not assume skb mac_header is set [ Upstream commit 6a940abdef3162e5723f1495b8a49859d1708f79 ] Drivers must not assume in their ndo_start_xmit() that skbs have their mac_header set. skb->data is all what is needed. bonding seems to be one of the last offender as caught by syzbot: WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 skb_mac_offset include/linux/skbuff.h:2913 [inline] WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_xmit_hash drivers/net/bonding/bond_main.c:4170 [inline] WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5149 [inline] WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_3ad_xor_xmit drivers/net/bonding/bond_main.c:5186 [inline] WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 __bond_start_xmit drivers/net/bonding/bond_main.c:5442 [inline] WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_start_xmit+0x14ab/0x19d0 drivers/net/bonding/bond_main.c:5470 Modules linked in: CPU: 1 PID: 12155 Comm: syz-executor.3 Not tainted 6.1.30-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 RIP: 0010:skb_mac_header include/linux/skbuff.h:2907 [inline] RIP: 0010:skb_mac_offset include/linux/skbuff.h:2913 [inline] RIP: 0010:bond_xmit_hash drivers/net/bonding/bond_main.c:4170 [inline] RIP: 0010:bond_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5149 [inline] RIP: 0010:bond_3ad_xor_xmit drivers/net/bonding/bond_main.c:5186 [inline] RIP: 0010:__bond_start_xmit drivers/net/bonding/bond_main.c:5442 [inline] RIP: 0010:bond_start_xmit+0x14ab/0x19d0 drivers/net/bonding/bond_main.c:5470 Code: 8b 7c 24 30 e8 76 dd 1a 01 48 85 c0 74 0d 48 89 c3 e8 29 67 2e fe e9 15 ef ff ff e8 1f 67 2e fe e9 10 ef ff ff e8 15 67 2e fe <0f> 0b e9 45 f8 ff ff e8 09 67 2e fe e9 dc fa ff ff e8 ff 66 2e fe RSP: 0018:ffffc90002fff6e0 EFLAGS: 00010283 RAX: ffffffff835874db RBX: 000000000000ffff RCX: 0000000000040000 RDX: ffffc90004dcf000 RSI: 00000000000000b5 RDI: 00000000000000b6 RBP: ffffc90002fff8b8 R08: ffffffff83586d16 R09: ffffffff83586584 R10: 0000000000000007 R11: ffff8881599fc780 R12: ffff88811b6a7b7e R13: 1ffff110236d4f6f R14: ffff88811b6a7ac0 R15: 1ffff110236d4f76 FS: 00007f2e9eb47700(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2e421000 CR3: 000000010e6d4000 CR4: 00000000003526e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: [] netdev_start_xmit include/linux/netdevice.h:4925 [inline] [] __dev_direct_xmit+0x4ef/0x850 net/core/dev.c:4380 [] dev_direct_xmit include/linux/netdevice.h:3043 [inline] [] packet_direct_xmit+0x18b/0x300 net/packet/af_packet.c:284 [] packet_snd net/packet/af_packet.c:3112 [inline] [] packet_sendmsg+0x4a22/0x64d0 net/packet/af_packet.c:3143 [] sock_sendmsg_nosec net/socket.c:716 [inline] [] sock_sendmsg net/socket.c:736 [inline] [] __sys_sendto+0x472/0x5f0 net/socket.c:2139 [] __do_sys_sendto net/socket.c:2151 [inline] [] __se_sys_sendto net/socket.c:2147 [inline] [] __x64_sys_sendto+0xe5/0x100 net/socket.c:2147 [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [] do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80 [] entry_SYSCALL_64_after_hwframe+0x63/0xcd Fixes: 7b8fc0103bb5 ("bonding: add a vlan+srcmac tx hashing option") Reported-by: syzbot Signed-off-by: Eric Dumazet Cc: Jarod Wilson Cc: Moshe Tal Cc: Jussi Maki Cc: Jay Vosburgh Cc: Andy Gospodarek Cc: Vladimir Oltean Link: https://lore.kernel.org/r/20230622152304.2137482-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 73862118bd9dec850aa8e775145647ddd23aedf8 Author: Eric Dumazet Date: Wed Jun 21 17:47:20 2023 +0000 netlink: do not hard code device address lenth in fdb dumps [ Upstream commit aa5406950726e336c5c9585b09799a734b6e77bf ] syzbot reports that some netdev devices do not have a six bytes address [1] Replace ETH_ALEN by dev->addr_len. [1] (Case of a device where dev->addr_len = 4) BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copyout+0xb8/0x100 lib/iov_iter.c:169 _copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536 copy_to_iter include/linux/uio.h:206 [inline] simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513 __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527 skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970 sock_recvmsg_nosec net/socket.c:1019 [inline] sock_recvmsg net/socket.c:1040 [inline] ____sys_recvmsg+0x283/0x7f0 net/socket.c:2722 ___sys_recvmsg+0x223/0x840 net/socket.c:2764 do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 __sys_recvmmsg net/socket.c:2937 [inline] __do_sys_recvmmsg net/socket.c:2960 [inline] __se_sys_recvmmsg net/socket.c:2953 [inline] __x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was stored to memory at: __nla_put lib/nlattr.c:1009 [inline] nla_put+0x1c6/0x230 lib/nlattr.c:1067 nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071 nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline] ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456 rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629 netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268 netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995 sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019 ____sys_recvmsg+0x664/0x7f0 net/socket.c:2720 ___sys_recvmsg+0x223/0x840 net/socket.c:2764 do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 __sys_recvmmsg net/socket.c:2937 [inline] __do_sys_recvmmsg net/socket.c:2960 [inline] __se_sys_recvmmsg net/socket.c:2953 [inline] __x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was created at: slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716 slab_alloc_node mm/slub.c:3451 [inline] __kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490 kmalloc_trace+0x51/0x200 mm/slab_common.c:1057 kmalloc include/linux/slab.h:559 [inline] __hw_addr_create net/core/dev_addr_lists.c:60 [inline] __hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118 __dev_mc_add net/core/dev_addr_lists.c:867 [inline] dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885 igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680 ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754 ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708 addrconf_type_change net/ipv6/addrconf.c:3731 [inline] addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699 notifier_call_chain kernel/notifier.c:93 [inline] raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461 call_netdevice_notifiers_info net/core/dev.c:1935 [inline] call_netdevice_notifiers_extack net/core/dev.c:1973 [inline] call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987 bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906 do_set_master net/core/rtnetlink.c:2626 [inline] rtnl_newlink_create net/core/rtnetlink.c:3460 [inline] __rtnl_newlink net/core/rtnetlink.c:3660 [inline] rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673 rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395 netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg net/socket.c:747 [inline] ____sys_sendmsg+0x999/0xd50 net/socket.c:2503 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557 __sys_sendmsg net/socket.c:2586 [inline] __do_sys_sendmsg net/socket.c:2595 [inline] __se_sys_sendmsg net/socket.c:2593 [inline] __x64_sys_sendmsg+0x304/0x490 net/socket.c:2593 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Bytes 2856-2857 of 3500 are uninitialized Memory access of size 3500 starts at ffff888018d99104 Data copied to user address 0000000020000480 Fixes: d83b06036048 ("net: add fdb generic dump routine") Reported-by: syzbot Signed-off-by: Eric Dumazet Reviewed-by: Jiri Pirko Link: https://lore.kernel.org/r/20230621174720.1845040-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 1556ba034b95cfd4f75ea93c1a2679ae0444bba1 Author: Eric Dumazet Date: Wed Jun 21 15:43:37 2023 +0000 netlink: fix potential deadlock in netlink_set_err() [ Upstream commit 8d61f926d42045961e6b65191c09e3678d86a9cf ] syzbot reported a possible deadlock in netlink_set_err() [1] A similar issue was fixed in commit 1d482e666b8e ("netlink: disable IRQs for netlink_lock_table()") in netlink_lock_table() This patch adds IRQ safety to netlink_set_err() and __netlink_diag_dump() which were not covered by cited commit. [1] WARNING: possible irq lock inversion dependency detected 6.4.0-rc6-syzkaller-00240-g4e9f0ec38852 #0 Not tainted syz-executor.2/23011 just changed the state of lock: ffffffff8e1a7a58 (nl_table_lock){.+.?}-{2:2}, at: netlink_set_err+0x2e/0x3a0 net/netlink/af_netlink.c:1612 but this lock was taken by another, SOFTIRQ-safe lock in the past: (&local->queue_stop_reason_lock){..-.}-{2:2} and interrupts could create inverse lock ordering between them. other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(nl_table_lock); local_irq_disable(); lock(&local->queue_stop_reason_lock); lock(nl_table_lock); lock(&local->queue_stop_reason_lock); *** DEADLOCK *** Fixes: 1d482e666b8e ("netlink: disable IRQs for netlink_lock_table()") Reported-by: syzbot+a7d200a347f912723e5c@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=a7d200a347f912723e5c Link: https://lore.kernel.org/netdev/000000000000e38d1605fea5747e@google.com/T/#u Signed-off-by: Eric Dumazet Cc: Johannes Berg Link: https://lore.kernel.org/r/20230621154337.1668594-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 723006bee372f8acaa287a5b2332b622ff3087c8 Author: Bartosz Golaszewski Date: Wed Jun 21 15:55:37 2023 +0200 net: stmmac: fix double serdes powerdown [ Upstream commit c4fc88ad2a765224a648db8ab35f125e120fe41b ] Commit 49725ffc15fc ("net: stmmac: power up/down serdes in stmmac_open/release") correctly added a call to the serdes_powerdown() callback to stmmac_release() but did not remove the one from stmmac_remove() which leads to a doubled call to serdes_powerdown(). This can lead to all kinds of problems: in the case of the qcom ethqos driver, it caused an unbalanced regulator disable splat. Fixes: 49725ffc15fc ("net: stmmac: power up/down serdes in stmmac_open/release") Signed-off-by: Bartosz Golaszewski Reviewed-by: Jiri Pirko Acked-by: Junxiao Chang Reviewed-by: Andrew Halaney Tested-by: Andrew Halaney Link: https://lore.kernel.org/r/20230621135537.376649-1-brgl@bgdev.pl Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 9e108c8516ff1c7a4d2726e75ad300ba4f9faaff Author: Vinicius Costa Gomes Date: Wed Jun 7 14:32:32 2023 -0700 igc: Work around HW bug causing missing timestamps [ Upstream commit c789ad7cbebcac5d5f417296c140a1252c689524 ] There's an hardware issue that can cause missing timestamps. The bug is that the interrupt is only cleared if the IGC_TXSTMPH_0 register is read. The bug can cause a race condition if a timestamp is captured at the wrong time, and we will miss that timestamp. To reduce the time window that the problem is able to happen, in case no timestamp was ready, we read the "previous" value of the timestamp registers, and we compare with the "current" one, if it didn't change we can be reasonably sure that no timestamp was captured. If they are different, we use the new value as the captured timestamp. The HW bug is not easy to reproduce, got to reproduce it when smashing the NIC with timestamping requests from multiple applications (e.g. multiple ntpperf instances + ptp4l), after 10s of minutes. This workaround has more impact when multiple timestamp registers are used, and the IGC_TXSTMPH_0 register always need to be read, so the interrupt is cleared. Fixes: 2c344ae24501 ("igc: Add support for TX timestamping") Signed-off-by: Vinicius Costa Gomes Tested-by: Naama Meir Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 5ed04b95c7ae0a76795dc2807216bc6df3435cf3 Author: Vinicius Costa Gomes Date: Wed Jun 7 14:32:31 2023 -0700 igc: Retrieve TX timestamp during interrupt handling [ Upstream commit afa141583d82725f682b2fa762cb36a07f58b3f3 ] When the interrupt is handled, the TXTT_0 bit in the TSYNCTXCTL register should already be set and the timestamp value already loaded in the appropriate register. This simplifies the handling, and reduces the latency for retrieving the TX timestamp, which increase the amount of TX timestamps that can be handled in a given time period. As the "work" function doesn't run in a workqueue anymore, rename it to something more sensible, a event handler. Using ntpperf[1] we can see the following performance improvements: Before: $ sudo ./ntpperf -i enp3s0 -m 10:22:22:22:22:21 -d 192.168.1.3 -s 172.18.0.0/16 -I -H -o -37 | responses | TX timestamp offset (ns) rate clients | lost invalid basic xleave | min mean max stddev 1000 100 0.00% 0.00% 0.00% 100.00% -56 +9 +52 19 1500 150 0.00% 0.00% 0.00% 100.00% -40 +30 +75 22 2250 225 0.00% 0.00% 0.00% 100.00% -11 +29 +72 15 3375 337 0.00% 0.00% 0.00% 100.00% -18 +40 +88 22 5062 506 0.00% 0.00% 0.00% 100.00% -19 +23 +77 15 7593 759 0.00% 0.00% 0.00% 100.00% +7 +47 +5168 43 11389 1138 0.00% 0.00% 0.00% 100.00% -11 +41 +5240 39 17083 1708 0.00% 0.00% 0.00% 100.00% +19 +60 +5288 50 25624 2562 0.00% 0.00% 0.00% 100.00% +1 +56 +5368 58 38436 3843 0.00% 0.00% 0.00% 100.00% -84 +12 +8847 66 57654 5765 0.00% 0.00% 100.00% 0.00% 86481 8648 0.00% 0.00% 100.00% 0.00% 129721 12972 0.00% 0.00% 100.00% 0.00% 194581 16384 0.00% 0.00% 100.00% 0.00% 291871 16384 27.35% 0.00% 72.65% 0.00% 437806 16384 50.05% 0.00% 49.95% 0.00% After: $ sudo ./ntpperf -i enp3s0 -m 10:22:22:22:22:21 -d 192.168.1.3 -s 172.18.0.0/16 -I -H -o -37 | responses | TX timestamp offset (ns) rate clients | lost invalid basic xleave | min mean max stddev 1000 100 0.00% 0.00% 0.00% 100.00% -44 +0 +61 19 1500 150 0.00% 0.00% 0.00% 100.00% -6 +39 +81 16 2250 225 0.00% 0.00% 0.00% 100.00% -22 +25 +69 15 3375 337 0.00% 0.00% 0.00% 100.00% -28 +15 +56 14 5062 506 0.00% 0.00% 0.00% 100.00% +7 +78 +143 27 7593 759 0.00% 0.00% 0.00% 100.00% -54 +24 +144 47 11389 1138 0.00% 0.00% 0.00% 100.00% -90 -33 +28 21 17083 1708 0.00% 0.00% 0.00% 100.00% -50 -2 +35 14 25624 2562 0.00% 0.00% 0.00% 100.00% -62 +7 +66 23 38436 3843 0.00% 0.00% 0.00% 100.00% -33 +30 +5395 36 57654 5765 0.00% 0.00% 100.00% 0.00% 86481 8648 0.00% 0.00% 100.00% 0.00% 129721 12972 0.00% 0.00% 100.00% 0.00% 194581 16384 19.50% 0.00% 80.50% 0.00% 291871 16384 35.81% 0.00% 64.19% 0.00% 437806 16384 55.40% 0.00% 44.60% 0.00% [1] https://github.com/mlichvar/ntpperf Signed-off-by: Vinicius Costa Gomes Reviewed-by: Kurt Kanzenbach Tested-by: Naama Meir Signed-off-by: Tony Nguyen Stable-dep-of: c789ad7cbebc ("igc: Work around HW bug causing missing timestamps") Signed-off-by: Sasha Levin commit 8af2af0ef2fc7512d339506918834a7cccbe795d Author: Vinicius Costa Gomes Date: Wed Jun 7 14:32:30 2023 -0700 igc: Check if hardware TX timestamping is enabled earlier [ Upstream commit ce58c7cc8b9910f2bc1d038d7ba60c3f011b2cb2 ] Before requesting a packet transmission to be hardware timestamped, check if the user has TX timestamping enabled. Fixes an issue that if a packet was internally forwarded to the NIC, and it had the SKBTX_HW_TSTAMP flag set, the driver would mark that timestamp as skipped. In reality, that timestamp was "not for us", as TX timestamp could never be enabled in the NIC. Checking if the TX timestamping is enabled earlier has a secondary effect that when TX timestamping is disabled, there's no need to check for timestamp timeouts. We should only take care to free any pending timestamp when TX timestamping is disabled, as that skb would never be released otherwise. Fixes: 2c344ae24501 ("igc: Add support for TX timestamping") Suggested-by: Vladimir Oltean Signed-off-by: Vinicius Costa Gomes Tested-by: Naama Meir Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit f4e452c3477d341728afe4c3f3c2a83a25be7daa Author: Vinicius Costa Gomes Date: Wed Jun 7 14:32:29 2023 -0700 igc: Fix race condition in PTP tx code [ Upstream commit 9c50e2b150c8ee0eee5f8154e2ad168cdd748877 ] Currently, the igc driver supports timestamping only one tx packet at a time. During the transmission flow, the skb that requires hardware timestamping is saved in adapter->ptp_tx_skb. Once hardware has the timestamp, an interrupt is delivered, and adapter->ptp_tx_work is scheduled. In igc_ptp_tx_work(), we read the timestamp register, update adapter->ptp_tx_skb, and notify the network stack. While the thread executing the transmission flow (the user process running in kernel mode) and the thread executing ptp_tx_work don't access adapter->ptp_tx_skb concurrently, there are two other places where adapter->ptp_tx_skb is accessed: igc_ptp_tx_hang() and igc_ptp_suspend(). igc_ptp_tx_hang() is executed by the adapter->watchdog_task worker thread which runs periodically so it is possible we have two threads accessing ptp_tx_skb at the same time. Consider the following scenario: right after __IGC_PTP_TX_IN_PROGRESS is set in igc_xmit_frame_ring(), igc_ptp_tx_hang() is executed. Since adapter->ptp_tx_start hasn't been written yet, this is considered a timeout and adapter->ptp_tx_skb is cleaned up. This patch fixes the issue described above by adding the ptp_tx_lock to protect access to ptp_tx_skb and ptp_tx_start fields from igc_adapter. Since igc_xmit_frame_ring() called in atomic context by the networking stack, ptp_tx_lock is defined as a spinlock, and the irq safe variants of lock/unlock are used. With the introduction of the ptp_tx_lock, the __IGC_PTP_TX_IN_PROGRESS flag doesn't provide much of a use anymore so this patch gets rid of it. Fixes: 2c344ae24501 ("igc: Add support for TX timestamping") Signed-off-by: Andre Guedes Signed-off-by: Vinicius Costa Gomes Reviewed-by: Kurt Kanzenbach Tested-by: Naama Meir Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 97678c4718fa0ecdbff4ab0001de1e64a484d236 Author: Jimmy Assarsson Date: Mon May 29 15:42:38 2023 +0200 can: kvaser_pciefd: Set hardware timestamp on transmitted packets [ Upstream commit ec681b91befa982477e24a150dd6452427fe6473 ] Set hardware timestamp on transmitted packets. Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") Signed-off-by: Jimmy Assarsson Reviewed-by: Vincent Mailhol Link: https://lore.kernel.org/all/20230529134248.752036-5-extja@kvaser.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit aca3328e46feb2bec9d969588105ad6dce64b924 Author: Jimmy Assarsson Date: Mon May 29 15:42:37 2023 +0200 can: kvaser_pciefd: Add function to set skb hwtstamps [ Upstream commit 2d55e9f9b4427e1ad59b974f2267767aac3788d3 ] Add new function, kvaser_pciefd_set_skb_timestamp(), to set skb hwtstamps. Signed-off-by: Jimmy Assarsson Reviewed-by: Vincent Mailhol Link: https://lore.kernel.org/all/20230529134248.752036-4-extja@kvaser.com Signed-off-by: Marc Kleine-Budde Stable-dep-of: ec681b91befa ("can: kvaser_pciefd: Set hardware timestamp on transmitted packets") Signed-off-by: Sasha Levin commit bc3abed79bf3b1a6ce9cdf34dffa3a5f5a597584 Author: Vincent Mailhol Date: Sun Jun 11 11:57:26 2023 +0900 can: length: fix bitstuffing count [ Upstream commit 9fde4c557f78ee2f3626e92b4089ce9d54a2573a ] The Stuff Bit Count is always coded on 4 bits [1]. Update the Stuff Bit Count size accordingly. In addition, the CRC fields of CAN FD Frames contain stuff bits at fixed positions called fixed stuff bits [2]. The CRC field starts with a fixed stuff bit and then has another fixed stuff bit after each fourth bit [2], which allows us to derive this formula: FSB count = 1 + round_down(len(CRC field)/4) The length of the CRC field is [1]: len(CRC field) = len(Stuff Bit Count) + len(CRC) = 4 + len(CRC) with len(CRC) either 17 or 21 bits depending of the payload length. In conclusion, for CRC17: FSB count = 1 + round_down((4 + 17)/4) = 6 and for CRC 21: FSB count = 1 + round_down((4 + 21)/4) = 7 Add a Fixed Stuff bits (FSB) field with above values and update CANFD_FRAME_OVERHEAD_SFF and CANFD_FRAME_OVERHEAD_EFF accordingly. [1] ISO 11898-1:2015 section 10.4.2.6 "CRC field": The CRC field shall contain the CRC sequence followed by a recessive CRC delimiter. For FD Frames, the CRC field shall also contain the stuff count. Stuff count If FD Frames, the stuff count shall be at the beginning of the CRC field. It shall consist of the stuff bit count modulo 8 in a 3-bit gray code followed by a parity bit [...] [2] ISO 11898-1:2015 paragraph 10.5 "Frame coding": In the CRC field of FD Frames, the stuff bits shall be inserted at fixed positions; they are called fixed stuff bits. There shall be a fixed stuff bit before the first bit of the stuff count, even if the last bits of the preceding field are a sequence of five consecutive bits of identical value, there shall be only the fixed stuff bit, there shall not be two consecutive stuff bits. A further fixed stuff bit shall be inserted after each fourth bit of the CRC field [...] Fixes: 85d99c3e2a13 ("can: length: can_skb_get_frame_len(): introduce function to get data length of frame in data link layer") Suggested-by: Thomas Kopp Signed-off-by: Vincent Mailhol Reviewed-by: Thomas Kopp Link: https://lore.kernel.org/all/20230611025728.450837-2-mailhol.vincent@wanadoo.fr Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 4033f4e25c6f71c9e3120f2eb909802813692252 Author: Gilad Sever Date: Wed Jun 21 13:42:10 2023 +0300 bpf: Fix bpf socket lookup from tc/xdp to respect socket VRF bindings [ Upstream commit 9a5cb79762e0eda17ca15c2a6eaca4622383c21c ] When calling bpf_sk_lookup_tcp(), bpf_sk_lookup_udp() or bpf_skc_lookup_tcp() from tc/xdp ingress, VRF socket bindings aren't respoected, i.e. unbound sockets are returned, and bound sockets aren't found. VRF binding is determined by the sdif argument to sk_lookup(), however when called from tc the IP SKB control block isn't initialized and thus inet{,6}_sdif() always returns 0. Fix by calculating sdif for the tc/xdp flows by observing the device's l3 enslaved state. The cg/sk_skb hooking points which are expected to support inet{,6}_sdif() pass sdif=-1 which makes __bpf_skc_lookup() use the existing logic. Fixes: 6acc9b432e67 ("bpf: Add helper to retrieve socket in BPF") Signed-off-by: Gilad Sever Signed-off-by: Daniel Borkmann Reviewed-by: Shmulik Ladkani Reviewed-by: Eyal Birger Acked-by: Stanislav Fomichev Cc: David Ahern Link: https://lore.kernel.org/bpf/20230621104211.301902-4-gilad9366@gmail.com Signed-off-by: Sasha Levin commit 6b23751dc309fa1aea4a79199a8da6ca8a2384ec Author: Gilad Sever Date: Wed Jun 21 13:42:09 2023 +0300 bpf: Call __bpf_sk_lookup()/__bpf_skc_lookup() directly via TC hookpoint [ Upstream commit 97fbfeb86917bdbe9c41d5143e335a929147f405 ] skb->dev always exists in the tc flow. There is no need to use bpf_skc_lookup(), bpf_sk_lookup() from this code path. This change facilitates fixing the tc flow to be VRF aware. Signed-off-by: Gilad Sever Signed-off-by: Daniel Borkmann Reviewed-by: Shmulik Ladkani Reviewed-by: Eyal Birger Acked-by: Stanislav Fomichev Link: https://lore.kernel.org/bpf/20230621104211.301902-3-gilad9366@gmail.com Stable-dep-of: 9a5cb79762e0 ("bpf: Fix bpf socket lookup from tc/xdp to respect socket VRF bindings") Signed-off-by: Sasha Levin commit d1c131a8f0c895cf600c88c1fa903be1e0fbf253 Author: Gilad Sever Date: Wed Jun 21 13:42:08 2023 +0300 bpf: Factor out socket lookup functions for the TC hookpoint. [ Upstream commit 6e98730bc0b44acaf86eccc75f823128aa9c9e79 ] Change BPF helper socket lookup functions to use TC specific variants: bpf_tc_sk_lookup_tcp() / bpf_tc_sk_lookup_udp() / bpf_tc_skc_lookup_tcp() instead of sharing implementation with the cg / sk_skb hooking points. This allows introducing a separate logic for the TC flow. The tc functions are identical to the original code. Signed-off-by: Gilad Sever Signed-off-by: Daniel Borkmann Reviewed-by: Shmulik Ladkani Reviewed-by: Eyal Birger Acked-by: Stanislav Fomichev Link: https://lore.kernel.org/bpf/20230621104211.301902-2-gilad9366@gmail.com Stable-dep-of: 9a5cb79762e0 ("bpf: Fix bpf socket lookup from tc/xdp to respect socket VRF bindings") Signed-off-by: Sasha Levin commit 122c1028b2e413f986f15fac3a5afda0dba86c1d Author: Dmitry Antipov Date: Tue Jun 13 16:46:55 2023 +0300 wifi: ath9k: convert msecs to jiffies where needed [ Upstream commit 2aa083acea9f61be3280184384551178f510ff51 ] Since 'ieee80211_queue_delayed_work()' expects timeout in jiffies and not milliseconds, 'msecs_to_jiffies()' should be used in 'ath_restart_work()' and '__ath9k_flush()'. Fixes: d63ffc45c5d3 ("ath9k: rename tx_complete_work to hw_check_work") Signed-off-by: Dmitry Antipov Acked-by: Toke Høiland-Jørgensen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230613134655.248728-1-dmantipov@yandex.ru Signed-off-by: Sasha Levin commit 516e5634de3a78df6c12306c2cd70c1e6c83cce3 Author: Johannes Berg Date: Tue Jun 20 13:04:03 2023 +0300 wifi: iwlwifi: mvm: check only affected links [ Upstream commit de1076008148460fe273e6d39158faffcc954991 ] When hostapd starts up, it may start up with only one link while the other is still scanning for overlapping BSSes. A station might start to connect at this point, but we run into this warning instead. Since there's no need to check for _all_ links, restrict the check to just the affected links that the STA will be using. Fixes: 57974a55d995 ("wifi: iwlwifi: mvm: refactor iwl_mvm_mac_sta_state_common()") Reported-by: Miri Korenblit Signed-off-by: Johannes Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230620125813.c3d5a006ec21.Ib4715381f598f4c18d67cd9598ebd5cdbe7d2b09@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 16e603c36db1c5e34acc2b3653e30b41bcd112d8 Author: Johannes Berg Date: Tue Jun 20 13:04:01 2023 +0300 wifi: iwlwifi: mvm: indicate HW decrypt for beacon protection [ Upstream commit 2db72b8a700943aa54dce0aabe6ff1b72b615162 ] We've already done the 'decryption' here, so tell mac80211 it need not do it again. Fixes: b1fdc2505abc ("iwlwifi: mvm: advertise BIGTK client support if available") Signed-off-by: Johannes Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230620125813.a50cf68fbf2e.Ieceacbe3789d81ea02ae085ad8d1f8813a33c31b@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 32084eaa7479b6e470904fbff0c1efdb5ce3524b Author: Marek Vasut Date: Tue Jun 20 12:27:13 2023 +0200 mmc: Add MMC_QUIRK_BROKEN_SD_CACHE for Kingston Canvas Go Plus from 11/2019 [ Upstream commit c467c8f081859d4f4ca4eee4fba54bb5d85d6c97 ] This microSD card never clears Flush Cache bit after cache flush has been started in sd_flush_cache(). This leads e.g. to failure to mount file system. Add a quirk which disables the SD cache for this specific card from specific manufacturing date of 11/2019, since on newer dated cards from 05/2023 the cache flush works correctly. Fixes: 08ebf903af57 ("mmc: core: Fixup support for writeback-cache for eMMC and SD") Signed-off-by: Marek Vasut Link: https://lore.kernel.org/r/20230620102713.7701-1-marex@denx.de Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit b44fa6a2045f0b3df454fc83e752051d293095e3 Author: Douglas Anderson Date: Fri May 26 18:41:31 2023 -0700 watchdog/hardlockup: keep kernel.nmi_watchdog sysctl as 0444 if probe fails [ Upstream commit 9ec272c586b07d1abf73438524bd12b1df9c5f9b ] Patch series "watchdog: Cleanup / fixes after buddy series v5 reviews". This patch series attempts to finish resolving the feedback received from Petr Mladek on the v5 series I posted. Probably the only thing that wasn't fully as clean as Petr requested was the Kconfig stuff. I couldn't find a better way to express it without a more major overhaul. In the very least, I renamed "NON_ARCH" to "PERF_OR_BUDDY" in the hopes that will make it marginally better. Nothing in this series is terribly critical and even the bugfixes are small. However, it does cleanup a few things that were pointed out in review. This patch (of 10): The permissions for the kernel.nmi_watchdog sysctl have always been set at compile time despite the fact that a watchdog can fail to probe. Let's fix this and set the permissions based on whether the hardlockup detector actually probed. Link: https://lkml.kernel.org/r/20230527014153.2793931-1-dianders@chromium.org Link: https://lkml.kernel.org/r/20230526184139.1.I0d75971cc52a7283f495aac0bd5c3041aadc734e@changeid Fixes: a994a3147e4c ("watchdog/hardlockup/perf: Implement init time detection of perf") Signed-off-by: Douglas Anderson Reported-by: Petr Mladek Closes: https://lore.kernel.org/r/ZHCn4hNxFpY5-9Ki@alley Reviewed-by: Petr Mladek Cc: Christophe Leroy Cc: "David S. Miller" Cc: Michael Ellerman Cc: Nicholas Piggin Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 0fdf348651e36b4f7bfc5ea52247ebb019d9dd1b Author: Lecopzer Chen Date: Fri May 19 10:18:40 2023 -0700 watchdog/perf: adapt the watchdog_perf interface for async model [ Upstream commit 930d8f8dbab97cb05dba30e67a2dfa0c6dbf4bc7 ] When lockup_detector_init()->watchdog_hardlockup_probe(), PMU may be not ready yet. E.g. on arm64, PMU is not ready until device_initcall(armv8_pmu_driver_init). And it is deeply integrated with the driver model and cpuhp. Hence it is hard to push this initialization before smp_init(). But it is easy to take an opposite approach and try to initialize the watchdog once again later. The delayed probe is called using workqueues. It need to allocate memory and must be proceed in a normal context. The delayed probe is able to use if watchdog_hardlockup_probe() returns non-zero which means the return code returned when PMU is not ready yet. Provide an API - lockup_detector_retry_init() for anyone who needs to delayed init lockup detector if they had ever failed at lockup_detector_init(). The original assumption is: nobody should use delayed probe after lockup_detector_check() which has __init attribute. That is, anyone uses this API must call between lockup_detector_init() and lockup_detector_check(), and the caller must have __init attribute Link: https://lkml.kernel.org/r/20230519101840.v5.16.If4ad5dd5d09fb1309cebf8bcead4b6a5a7758ca7@changeid Reviewed-by: Petr Mladek Co-developed-by: Pingfan Liu Signed-off-by: Pingfan Liu Signed-off-by: Lecopzer Chen Signed-off-by: Douglas Anderson Suggested-by: Petr Mladek Cc: Andi Kleen Cc: Catalin Marinas Cc: Chen-Yu Tsai Cc: Christophe Leroy Cc: Colin Cross Cc: Daniel Thompson Cc: "David S. Miller" Cc: Guenter Roeck Cc: Ian Rogers Cc: Marc Zyngier Cc: Mark Rutland Cc: Masayoshi Mizuma Cc: Matthias Kaehlcke Cc: Michael Ellerman Cc: Nicholas Piggin Cc: Randy Dunlap Cc: "Ravi V. Shankar" Cc: Ricardo Neri Cc: Stephane Eranian Cc: Stephen Boyd Cc: Sumit Garg Cc: Tzung-Bi Shih Cc: Will Deacon Signed-off-by: Andrew Morton Stable-dep-of: 9ec272c586b0 ("watchdog/hardlockup: keep kernel.nmi_watchdog sysctl as 0444 if probe fails") Signed-off-by: Sasha Levin commit f9b02a122b6b756d229a06d1fcdfcea5437c7dec Author: Douglas Anderson Date: Fri May 19 10:18:36 2023 -0700 watchdog/hardlockup: rename some "NMI watchdog" constants/function [ Upstream commit df95d3085caa5b99a60eb033d7ad6c2ff2b43dbf ] Do a search and replace of: - NMI_WATCHDOG_ENABLED => WATCHDOG_HARDLOCKUP_ENABLED - SOFT_WATCHDOG_ENABLED => WATCHDOG_SOFTOCKUP_ENABLED - watchdog_nmi_ => watchdog_hardlockup_ - nmi_watchdog_available => watchdog_hardlockup_available - nmi_watchdog_user_enabled => watchdog_hardlockup_user_enabled - soft_watchdog_user_enabled => watchdog_softlockup_user_enabled - NMI_WATCHDOG_DEFAULT => WATCHDOG_HARDLOCKUP_DEFAULT Then update a few comments near where names were changed. This is specifically to make it less confusing when we want to introduce the buddy hardlockup detector, which isn't using NMIs. As part of this, we sanitized a few names for consistency. [trix@redhat.com: make variables static] Link: https://lkml.kernel.org/r/20230525162822.1.I0fb41d138d158c9230573eaa37dc56afa2fb14ee@changeid Link: https://lkml.kernel.org/r/20230519101840.v5.12.I91f7277bab4bf8c0cb238732ed92e7ce7bbd71a6@changeid Signed-off-by: Douglas Anderson Signed-off-by: Tom Rix Reviewed-by: Tom Rix Cc: Andi Kleen Cc: Catalin Marinas Cc: Chen-Yu Tsai Cc: Christophe Leroy Cc: Colin Cross Cc: Daniel Thompson Cc: "David S. Miller" Cc: Guenter Roeck Cc: Ian Rogers Cc: Lecopzer Chen Cc: Marc Zyngier Cc: Mark Rutland Cc: Masayoshi Mizuma Cc: Matthias Kaehlcke Cc: Michael Ellerman Cc: Nicholas Piggin Cc: Petr Mladek Cc: Pingfan Liu Cc: Randy Dunlap Cc: "Ravi V. Shankar" Cc: Ricardo Neri Cc: Stephane Eranian Cc: Stephen Boyd Cc: Sumit Garg Cc: Tzung-Bi Shih Cc: Will Deacon Signed-off-by: Andrew Morton Stable-dep-of: 9ec272c586b0 ("watchdog/hardlockup: keep kernel.nmi_watchdog sysctl as 0444 if probe fails") Signed-off-by: Sasha Levin commit e263c266781d2f7a76dc03abc8ba6934cf97e0d9 Author: Douglas Anderson Date: Fri May 19 10:18:32 2023 -0700 watchdog/hardlockup: move perf hardlockup checking/panic to common watchdog.c [ Upstream commit 81972551df9d168a8183b786ff4de06008469c2e ] The perf hardlockup detector works by looking at interrupt counts and seeing if they change from run to run. The interrupt counts are managed by the common watchdog code via its watchdog_timer_fn(). Currently the API between the perf detector and the common code is a function: is_hardlockup(). When the hard lockup detector sees that function return true then it handles printing out debug info and inducing a panic if necessary. Let's change the API a little bit in preparation for the buddy hardlockup detector. The buddy hardlockup detector wants to print nearly the same debug info and have nearly the same panic behavior. That means we want to move all that code to the common file. For now, the code in the common file will only be there if the perf hardlockup detector is enabled, but eventually it will be selected by a common config. Right now, this _just_ moves the code from the perf detector file to the common file and changes the names. It doesn't make the changes that the buddy hardlockup detector will need and doesn't do any style cleanups. A future patch will do cleanup to make it more obvious what changed. With the above, we no longer have any callers of is_hardlockup() outside of the "watchdog.c" file, so we can remove it from the header, make it static, and move it to the same "#ifdef" block as our new watchdog_hardlockup_check(). While doing this, it can be noted that even if no hardlockup detectors were configured the existing code used to still have the code for counting/checking "hrtimer_interrupts" even if the perf hardlockup detector wasn't configured. We didn't need to do that, so move all the "hrtimer_interrupts" counting to only be there if the perf hardlockup detector is configured as well. This change is expected to be a no-op. Link: https://lkml.kernel.org/r/20230519101840.v5.8.Id4133d3183e798122dc3b6205e7852601f289071@changeid Signed-off-by: Douglas Anderson Reviewed-by: Petr Mladek Cc: Andi Kleen Cc: Catalin Marinas Cc: Chen-Yu Tsai Cc: Christophe Leroy Cc: Colin Cross Cc: Daniel Thompson Cc: "David S. Miller" Cc: Guenter Roeck Cc: Ian Rogers Cc: Lecopzer Chen Cc: Marc Zyngier Cc: Mark Rutland Cc: Masayoshi Mizuma Cc: Matthias Kaehlcke Cc: Michael Ellerman Cc: Nicholas Piggin Cc: Pingfan Liu Cc: Randy Dunlap Cc: "Ravi V. Shankar" Cc: Ricardo Neri Cc: Stephane Eranian Cc: Stephen Boyd Cc: Sumit Garg Cc: Tzung-Bi Shih Cc: Will Deacon Signed-off-by: Andrew Morton Stable-dep-of: 9ec272c586b0 ("watchdog/hardlockup: keep kernel.nmi_watchdog sysctl as 0444 if probe fails") Signed-off-by: Sasha Levin commit a73123174bded3e8c6b467e6a5f781f2737dd2d8 Author: Lecopzer Chen Date: Fri May 19 10:18:28 2023 -0700 watchdog/hardlockup: change watchdog_nmi_enable() to void [ Upstream commit 730211182ed083898fa5feb4b28459ffac4c9615 ] Nobody cares about the return value of watchdog_nmi_enable(), changing its prototype to void. Link: https://lkml.kernel.org/r/20230519101840.v5.4.Ic3a19b592eb1ac4c6f6eade44ffd943e8637b6e5@changeid Signed-off-by: Pingfan Liu Signed-off-by: Lecopzer Chen Signed-off-by: Douglas Anderson Reviewed-by: Petr Mladek Acked-by: Nicholas Piggin Cc: Andi Kleen Cc: Catalin Marinas Cc: Chen-Yu Tsai Cc: Christophe Leroy Cc: Colin Cross Cc: Daniel Thompson Cc: "David S. Miller" Cc: Guenter Roeck Cc: Ian Rogers Cc: Marc Zyngier Cc: Mark Rutland Cc: Masayoshi Mizuma Cc: Matthias Kaehlcke Cc: Michael Ellerman Cc: Randy Dunlap Cc: "Ravi V. Shankar" Cc: Ricardo Neri Cc: Stephane Eranian Cc: Stephen Boyd Cc: Sumit Garg Cc: Tzung-Bi Shih Cc: Will Deacon Signed-off-by: Andrew Morton Stable-dep-of: 9ec272c586b0 ("watchdog/hardlockup: keep kernel.nmi_watchdog sysctl as 0444 if probe fails") Signed-off-by: Sasha Levin commit 629f2e61e3ed524a03e5e2d49c5cf1f823db4de5 Author: Lecopzer Chen Date: Fri May 19 10:18:27 2023 -0700 watchdog: remove WATCHDOG_DEFAULT [ Upstream commit 810b560e8985725dbd57bbb3f188c231365eb5ae ] No reference to WATCHDOG_DEFAULT, remove it. Link: https://lkml.kernel.org/r/20230519101840.v5.3.I6a729209a1320e0ad212176e250ff945b8f91b2a@changeid Signed-off-by: Pingfan Liu Signed-off-by: Lecopzer Chen Signed-off-by: Douglas Anderson Reviewed-by: Petr Mladek Cc: Andi Kleen Cc: Catalin Marinas Cc: Chen-Yu Tsai Cc: Christophe Leroy Cc: Colin Cross Cc: Daniel Thompson Cc: "David S. Miller" Cc: Guenter Roeck Cc: Ian Rogers Cc: Marc Zyngier Cc: Mark Rutland Cc: Masayoshi Mizuma Cc: Matthias Kaehlcke Cc: Michael Ellerman Cc: Nicholas Piggin Cc: Randy Dunlap Cc: "Ravi V. Shankar" Cc: Ricardo Neri Cc: Stephane Eranian Cc: Stephen Boyd Cc: Sumit Garg Cc: Tzung-Bi Shih Cc: Will Deacon Signed-off-by: Andrew Morton Stable-dep-of: 9ec272c586b0 ("watchdog/hardlockup: keep kernel.nmi_watchdog sysctl as 0444 if probe fails") Signed-off-by: Sasha Levin commit 4f2b64f6fed59bba1f9c2f7fe8290d29ea6323c8 Author: Mathieu Desnoyers Date: Mon May 15 10:35:36 2023 -0400 mm: move mm_count into its own cache line [ Upstream commit c1753fd02a0058ea43cbb31ab26d25be2f6cfe08 ] The mm_struct mm_count field is frequently updated by mmgrab/mmdrop performed by context switch. This causes false-sharing for surrounding mm_struct fields which are read-mostly. This has been observed on a 2sockets/112core/224cpu Intel Sapphire Rapids server running hackbench, and by the kernel test robot will-it-scale testcase. Move the mm_count field into its own cache line to prevent false-sharing with other mm_struct fields. Move mm_count to the first field of mm_struct to minimize the amount of padding required: rather than adding padding before and after the mm_count field, padding is only added after mm_count. Note that I noticed this odd comment in mm_struct: commit 2e3025434a6b ("mm: relocate 'write_protect_seq' in struct mm_struct") /* * With some kernel config, the current mmap_lock's offset * inside 'mm_struct' is at 0x120, which is very optimal, as * its two hot fields 'count' and 'owner' sit in 2 different * cachelines, and when mmap_lock is highly contended, both * of the 2 fields will be accessed frequently, current layout * will help to reduce cache bouncing. * * So please be careful with adding new fields before * mmap_lock, which can easily push the 2 fields into one * cacheline. */ struct rw_semaphore mmap_lock; This comment is rather odd for a few reasons: - It requires addition/removal of mm_struct fields to carefully consider field alignment of _other_ fields, - It expresses the wish to keep an "optimal" alignment for a specific kernel config. I suspect that the author of this comment may want to revisit this topic and perhaps introduce a split-struct approach for struct rw_semaphore, if the need is to place various fields of this structure in different cache lines. Link: https://lkml.kernel.org/r/20230515143536.114960-1-mathieu.desnoyers@efficios.com Fixes: 223baf9d17f2 ("sched: Fix performance regression introduced by mm_cid") Fixes: af7f588d8f73 ("sched: Introduce per-memory-map concurrency ID") Link: https://lore.kernel.org/lkml/7a0c1db1-103d-d518-ed96-1584a28fbf32@efficios.com Reported-by: kernel test robot Link: https://lore.kernel.org/oe-lkp/202305151017.27581d75-yujie.liu@intel.com Signed-off-by: Mathieu Desnoyers Reviewed-by: Aaron Lu Reviewed-by: John Hubbard Cc: Peter Zijlstra Cc: Olivier Dion Cc: Cc: Feng Tang Cc: Jason Gunthorpe Cc: Peter Xu Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit b9edd2ba46f4dfd9a40e3f4b430bd3a72ae8c798 Author: Ilan Peer Date: Sun Jun 18 21:49:45 2023 +0300 wifi: ieee80211: Fix the common size calculation for reconfiguration ML [ Upstream commit ce6e1f600b0cfc563a7d607de702262a58cd835d ] The common information length is found in the first octet of the common information. Fixes: 0f48b8b88aa9 ("wifi: ieee80211: add definitions for multi-link element") Signed-off-by: Ilan Peer Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230618214435.3c7ed4817338.I42ef706cb827b4dade6e4ffbb6e7f341eaccd398@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit ecf7090752a1fc184e215373d8f47bbd81375a4d Author: Johannes Berg Date: Fri Jun 16 22:28:45 2023 +0200 wifi: cfg80211: fix regulatory disconnect with OCB/NAN [ Upstream commit e8c2af660ba0790afd14d5cbc2fd05c6dc85e207 ] Since regulatory disconnect was added, OCB and NAN interface types were added, which made it completely unusable for any driver that allowed OCB/NAN. Add OCB/NAN (though NAN doesn't do anything, we don't have any info) and also remove all the logic that opts out, so it won't be broken again if/when new interface types are added. Fixes: 6e0bd6c35b02 ("cfg80211: 802.11p OCB mode handling") Fixes: cb3b7d87652a ("cfg80211: add start / stop NAN commands") Signed-off-by: Johannes Berg Link: https://lore.kernel.org/r/20230616222844.2794d1625a26.I8e78a3789a29e6149447b3139df724a6f1b46fc3@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 7eb9dacc39bab3fa624653c2d26ae03cabfc83fd Author: Benjamin Berg Date: Fri Jun 16 09:54:04 2023 +0300 wifi: cfg80211: drop incorrect nontransmitted BSS update code [ Upstream commit 39432f8a3752a87a53fd8d5e51824a43aaae5cab ] The removed code ran for any BSS that was not included in the MBSSID element in order to update it. However, instead of using the correct inheritance rules, it would simply copy the elements from the transmitting AP. The result is that we would report incorrect elements in this case. After some discussions, it seems that there are likely not even APs actually using this feature. Either way, removing the code decreases complexity and makes the cfg80211 behaviour more correct. Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Benjamin Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230616094949.cfd6d8db1f26.Ia1044902b86cd7d366400a4bfb93691b8f05d68c@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 392b6ad0aedc0cebdf11f42a703c1308c85197ea Author: Benjamin Berg Date: Fri Jun 16 09:54:03 2023 +0300 wifi: cfg80211: rewrite merging of inherited elements [ Upstream commit dfd9aa3e7a456d57b18021d66472ab7ff8373ab7 ] The cfg80211_gen_new_ie function merges the IEs using inheritance rules. Rewrite this function to fix issues around inheritance rules. In particular, vendor elements do not require any special handling, as they are either all inherited or overridden by the subprofile. Also, add fragmentation handling as this may be needed in some cases. This also changes the function to not require making a copy. The new version could be optimized a bit by explicitly tracking which IEs have been handled already rather than looking that up again every time. Note that a small behavioural change is the removal of the SSID special handling. This should be fine for the MBSSID element, as the SSID must be included in the subelement. Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Benjamin Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230616094949.bc6152e146db.I2b5f3bc45085e1901e5b5192a674436adaf94748@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 798472de63af53655aed22dabfa792a63f4a759c Author: Nicolas Cavallari Date: Wed Jun 14 15:26:48 2023 +0200 wifi: mac80211: Remove "Missing iftype sband data/EHT cap" spam [ Upstream commit 6e21e7b8cd897193cee3c2649640efceb3004ba5 ] In mesh mode, ieee80211_chandef_he_6ghz_oper() is called by mesh_matches_local() for every received mesh beacon. On a 6 GHz mesh of a HE-only phy, this spams that the hardware does not have EHT capabilities, even if the received mesh beacon does not have an EHT element. Unlike HE, not supporting EHT in the 6 GHz band is not an error so do not print anything in this case. Fixes: 5dca295dd767 ("mac80211: Add initial support for EHT and 320 MHz channels") Signed-off-by: Nicolas Cavallari Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/20230614132648.28995-1-nicolas.cavallari@green-communications.fr Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit f71d0fc407dd028416bec002ddcc62f5acb0346a Author: Anjaneyulu Date: Wed Jun 14 12:41:32 2023 +0300 wifi: iwlwifi: pcie: fix NULL pointer dereference in iwl_pcie_irq_rx_msix_handler() [ Upstream commit 1902f1953b8ba100ee8705cb8a6f1a9795550eca ] rxq can be NULL only when trans_pcie->rxq is NULL and entry->entry is zero. For the case when entry->entry is not equal to 0, rxq won't be NULL even if trans_pcie->rxq is NULL. Modify checker to check for trans_pcie->rxq. Fixes: abc599efa67b ("iwlwifi: pcie: don't crash when rx queues aren't allocated in interrupt") Signed-off-by: Anjaneyulu Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230614123446.5a5eb3889a4a.I375a1d58f16b48cd2044e7b7caddae512d7c86fd@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 172a371b60b02342a9564833dc4ef927109d0bd7 Author: Johannes Berg Date: Wed Jun 14 12:41:22 2023 +0300 wifi: iwlwifi: pull from TXQs with softirqs disabled [ Upstream commit 96fb6f47db24a712d650b0a9b9074873f273fb0e ] In mac80211, it's required that we pull from TXQs by calling ieee80211_tx_dequeue() only with softirqs disabled. However, in iwl_mvm_queue_state_change() we're often called with them enabled, e.g. from flush if anything was flushed, triggering a mac80211 warning. Fix that by disabling the softirqs across the TX call. Fixes: cfbc6c4c5b91 ("iwlwifi: mvm: support mac80211 TXQs model") Signed-off-by: Johannes Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230614123446.0feef7fa81db.I4dd62542d955b40dd8f0af34fa4accb9d0d17c7e@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 56b0c09d51800ae7c1730cbc6dd282ae3ddedc48 Author: Johannes Berg Date: Wed Jun 14 12:41:18 2023 +0300 wifi: iwlwifi: mvm: correctly access HE/EHT sband capa [ Upstream commit f912959875761084fda351e1257dcfa9d1fa3037 ] We can't just dereference the sband->iftype_data pointer, that's an array so we need to access the right entry. Use the previously introduced helper functions to do that. There are also cases, e.g. when loading with disable_11ax=1, where the pointer might be NULL but we still attempt to use it, causing a crash. Fixes: 529281bdf0fc ("iwlwifi: mvm: limit TLC according to our HE capabilities") Signed-off-by: Johannes Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230614123446.a1f2b17ee39b.I8808120be744be8804815ce9e3e24ce6d2b424e3@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 726bd484d500a54fcc9fcf8b32775d5cecb1e77b Author: Gregory Greenman Date: Tue Jun 13 15:57:19 2023 +0300 wifi: iwlwifi: mvm: add support for Extra EHT LTF [ Upstream commit 18c0ffb404db2093b6afdc8ae15f18ba3975e1ed ] Add support for Extra EHT LTF defined in 9.4.2.313 EHT Capabilities element. Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230613155501.de019d7cc174.I806f0f6042b89274192701a60b4f7900822db666@changeid Signed-off-by: Johannes Berg Stable-dep-of: f91295987576 ("wifi: iwlwifi: mvm: correctly access HE/EHT sband capa") Signed-off-by: Sasha Levin commit cbebaa71dacf48effca3dff15e6c055fa46bad01 Author: Johannes Berg Date: Sun Jun 4 12:11:24 2023 +0300 wifi: mac80211: add helpers to access sband iftype data [ Upstream commit 1ec7291e247055fab3a088e1a333a31e7c06e2dd ] There's quite a bit of code accessing sband iftype data (HE, HE 6 GHz, EHT) and we always need to remember to use the ieee80211_vif_type_p2p() helper. Add new helpers to directly get it from the sband/vif rather than having to call ieee80211_vif_type_p2p(). Convert most code with the following spatch: @@ expression vif, sband; @@ -ieee80211_get_he_iftype_cap(sband, ieee80211_vif_type_p2p(vif)) +ieee80211_get_he_iftype_cap_vif(sband, vif) @@ expression vif, sband; @@ -ieee80211_get_eht_iftype_cap(sband, ieee80211_vif_type_p2p(vif)) +ieee80211_get_eht_iftype_cap_vif(sband, vif) @@ expression vif, sband; @@ -ieee80211_get_he_6ghz_capa(sband, ieee80211_vif_type_p2p(vif)) +ieee80211_get_he_6ghz_capa_vif(sband, vif) Signed-off-by: Johannes Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230604120651.db099f49e764.Ie892966c49e22c7b7ee1073bc684f142debfdc84@changeid Signed-off-by: Johannes Berg Stable-dep-of: f91295987576 ("wifi: iwlwifi: mvm: correctly access HE/EHT sband capa") Signed-off-by: Sasha Levin commit c36289e3c5e83286974ef68c20c821fd5b63801c Author: Ziyang Huang Date: Thu Jun 15 14:41:48 2023 +0300 wifi: ath11k: Add missing hw_ops->get_ring_selector() for IPQ5018 [ Upstream commit ce282d8de71f07f0056ea319541141152c65f552 ] During sending data after clients connected, hw_ops->get_ring_selector() will be called. But for IPQ5018, this member isn't set, and the following NULL pointer exception will be occurred: [ 38.840478] 8<--- cut here --- [ 38.840517] Unable to handle kernel NULL pointer dereference at virtual address 00000000 ... [ 38.923161] PC is at 0x0 [ 38.927930] LR is at ath11k_dp_tx+0x70/0x730 [ath11k] ... [ 39.063264] Process hostapd (pid: 1034, stack limit = 0x801ceb3d) [ 39.068994] Stack: (0x856a9a68 to 0x856aa000) ... [ 39.438467] [<7f323804>] (ath11k_dp_tx [ath11k]) from [<7f314e6c>] (ath11k_mac_op_tx+0x80/0x190 [ath11k]) [ 39.446607] [<7f314e6c>] (ath11k_mac_op_tx [ath11k]) from [<7f17dbe0>] (ieee80211_handle_wake_tx_queue+0x7c/0xc0 [mac80211]) [ 39.456162] [<7f17dbe0>] (ieee80211_handle_wake_tx_queue [mac80211]) from [<7f174450>] (ieee80211_probereq_get+0x584/0x704 [mac80211]) [ 39.467443] [<7f174450>] (ieee80211_probereq_get [mac80211]) from [<7f178c40>] (ieee80211_tx_prepare_skb+0x1f8/0x248 [mac80211]) [ 39.479334] [<7f178c40>] (ieee80211_tx_prepare_skb [mac80211]) from [<7f179e28>] (__ieee80211_subif_start_xmit+0x32c/0x3d4 [mac80211]) [ 39.491053] [<7f179e28>] (__ieee80211_subif_start_xmit [mac80211]) from [<7f17af08>] (ieee80211_tx_control_port+0x19c/0x288 [mac80211]) [ 39.502946] [<7f17af08>] (ieee80211_tx_control_port [mac80211]) from [<7f0fc704>] (nl80211_tx_control_port+0x174/0x1d4 [cfg80211]) [ 39.515017] [<7f0fc704>] (nl80211_tx_control_port [cfg80211]) from [<808ceac4>] (genl_rcv_msg+0x154/0x340) [ 39.526814] [<808ceac4>] (genl_rcv_msg) from [<808cdb74>] (netlink_rcv_skb+0xb8/0x11c) [ 39.536446] [<808cdb74>] (netlink_rcv_skb) from [<808ce1d0>] (genl_rcv+0x28/0x34) [ 39.544344] [<808ce1d0>] (genl_rcv) from [<808cd234>] (netlink_unicast+0x174/0x274) [ 39.551895] [<808cd234>] (netlink_unicast) from [<808cd510>] (netlink_sendmsg+0x1dc/0x440) [ 39.559362] [<808cd510>] (netlink_sendmsg) from [<808596e0>] (____sys_sendmsg+0x1a8/0x1fc) [ 39.567697] [<808596e0>] (____sys_sendmsg) from [<8085b1a8>] (___sys_sendmsg+0xa4/0xdc) [ 39.575941] [<8085b1a8>] (___sys_sendmsg) from [<8085b310>] (sys_sendmsg+0x44/0x74) [ 39.583841] [<8085b310>] (sys_sendmsg) from [<80300060>] (ret_fast_syscall+0x0/0x40) ... [ 39.620734] Code: bad PC value [ 39.625869] ---[ end trace 8aef983ad3cbc032 ]--- Fixes: ba60f2793d3a ("wifi: ath11k: initialize hw_ops for IPQ5018") Signed-off-by: Ziyang Huang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/TYZPR01MB5556D6E3F63EAB5129D11420C953A@TYZPR01MB5556.apcprd01.prod.exchangelabs.com Signed-off-by: Sasha Levin commit 5fa5d8a9921dcbca944d435e00aca1f56d07fa39 Author: Ziyang Huang Date: Thu Jun 15 14:41:48 2023 +0300 wifi: ath11k: Restart firmware after cold boot calibration for IPQ5018 [ Upstream commit 80c5390e1f5e5b16d820512265530ef26073d8e0 ] Restart is required after cold boot calibration on IPQ5018. Otherwise, we get the following exception: [ 14.412829] qcom-q6-mpd cd00000.remoteproc: fatal error received: err_smem_ver.2.1: [ 14.412829] QC Image Version : QC_IMAGE_VERSION_STRING=WLAN.HK.2.6.0.1-00974-QCAHKSWPL_SILICONZ-1 [ 14.412829] Image Variant : IMAGE_VARIANT_STRING=5018.wlanfw2.map_spr_spr_evalQ [ 14.412829] DALSysLogEvent.c:174 Assertion 0 failed param0 :zero,param1 :zero,param2 :zero [ 14.412829] Thread ID : 0x00000048 Thread name : WLAN RT0 Process ID : 0x00000001 Process name :wlan0 [ 14.412829] [ 14.412829] Registers: [ 14.412829] SP : 0x4c81c120 [ 14.412829] FP : 0x4c81c138 [ 14.412829] PC : 0xb022c590 [ 14.412829] SSR : 0x00000000 [ 14.412829] BADVA : 0x00000000 [ 14.412829] LR : 0xb0008490 [ 14.412829] [ 14.412829] StackDump [ 14.412829] from:0x4c81c120 [ 14.412829] to: 0x00000000: [ 14.412829] [ 14.463006] remoteproc remoteproc0: crash detected in cd00000.remoteproc: type fatal error Fixes: 8dfe875aa24a ("wifi: ath11k: update hw params for IPQ5018") Signed-off-by: Ziyang Huang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/TYZPR01MB55566969818BD4B49E770445C953A@TYZPR01MB5556.apcprd01.prod.exchangelabs.com Signed-off-by: Sasha Levin commit 9485d7243357f731195077511c36acf2ee50084a Author: Ziyang Huang Date: Thu Jun 15 14:41:47 2023 +0300 wifi: ath11k: Add missing ops config for IPQ5018 in ath11k_ahb_probe() [ Upstream commit 469ddb20cae61cad9c4f208a4c8682305905a511 ] Without this patch, the IPQ5018 WiFi will fail and print the following logs: [ 11.033179] ath11k c000000.wifi: unsupported device type 7 [ 11.033223] ath11k: probe of c000000.wifi failed with error -95 Fixes: 25edca7bb18a ("wifi: ath11k: add ipq5018 device support") Signed-off-by: Ziyang Huang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/TYZPR01MB5556D7AA10ABEDDDD2D8F39EC953A@TYZPR01MB5556.apcprd01.prod.exchangelabs.com Signed-off-by: Sasha Levin commit da336c8bc9d24504bc80635647c64676439ba206 Author: Jiasheng Jiang Date: Tue Jun 13 12:19:40 2023 +0300 wifi: ath11k: Add missing check for ioremap [ Upstream commit 16e0077e14a73866e9b0f4a6bf4ad3d4a5cb0f2a ] Add check for ioremap() and return the error if it fails in order to guarantee the success of ioremap(), same as in ath11k_qmi_load_file_target_mem(). Fixes: 6ac04bdc5edb ("ath11k: Use reserved host DDR addresses from DT for PCI devices") Signed-off-by: Jiasheng Jiang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230608022858.27405-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit 69b1b7bbaaa9d80ff942b9324c3427b6e528853f Author: Edwin Peer Date: Sun Jun 11 13:51:08 2023 +0300 rtnetlink: extend RTEXT_FILTER_SKIP_STATS to IFLA_VF_INFO [ Upstream commit fa0e21fa44438a0e856d42224bfa24641d37b979 ] This filter already exists for excluding IPv6 SNMP stats. Extend its definition to also exclude IFLA_VF_INFO stats in RTM_GETLINK. This patch constitutes a partial fix for a netlink attribute nesting overflow bug in IFLA_VFINFO_LIST. By excluding the stats when the requester doesn't need them, the truncation of the VF list is avoided. While it was technically only the stats added in commit c5a9f6f0ab40 ("net/core: Add drop counters to VF statistics") breaking the camel's back, the appreciable size of the stats data should never have been included without due consideration for the maximum number of VFs supported by PCI. Fixes: 3b766cd83232 ("net/core: Add reading VF statistics through the PF netdevice") Fixes: c5a9f6f0ab40 ("net/core: Add drop counters to VF statistics") Signed-off-by: Edwin Peer Cc: Edwin Peer Signed-off-by: Gal Pressman Link: https://lore.kernel.org/r/20230611105108.122586-1-gal@nvidia.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit ff800b0c4797c6e97f09fcd93ca8b83040d77fb4 Author: Mukesh Sisodiya Date: Mon Jun 12 18:51:11 2023 +0300 wifi: iwlwifi: fw: print PC register value instead of address [ Upstream commit 2b69d242e29b891b11f1190201f4a08abb0c8342 ] The program counter address is read from the TLV and PC address is printed in debug messages. Read the value at PC address and print the value instead of the register address. Fixes: 5e31b3df86ec ("wifi: iwlwifi: dbg: print pc register data once fw dump occurred") Signed-off-by: Mukesh Sisodiya Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230612184434.e5a5f18f1b2c.Ib6117a4e7f66a075913241cc81477c0059953d5d@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 3e3c05ab2f06dd40d042a4a19ff1cf0605aa524a Author: Mukesh Sisodiya Date: Mon Jun 12 18:51:04 2023 +0300 wifi: iwlwifi: mvm: Handle return value for iwl_mvm_sta_init [ Upstream commit 8d507812cb4bb3c3b05404a7dda70b32a1fc1324 ] sta_init function can fail and if it returns an error then driver should not send the request to fw to add a station. Fixes: 69aef848052b ("wifi: iwlwifi: mvm: refactor iwl_mvm_add_sta(), iwl_mvm_rm_sta()") Signed-off-by: Mukesh Sisodiya Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230612184434.1ecd293539e8.I5ec6aab387bb2fe743a7402581beaeb9c801d31f@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 51e34127f221b1972141e98295a3dc058f1d97a8 Author: Ilan Peer Date: Sun Jun 11 12:14:28 2023 +0300 wifi: mac80211: Fix permissions for valid_links debugfs entry [ Upstream commit 4cacadc0dbd8013e6161aa8843d8e9d8ad435b47 ] The entry should be a read only one and not a write only one. Fix it. Fixes: 3d9011029227 ("wifi: mac80211: implement link switching") Signed-off-by: Ilan Peer Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230611121219.c75316990411.I1565a7fcba8a37f83efffb0cc6b71c572b896e94@changeid [remove x16 change since it doesn't work yet] Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit ae3c237881581e74dd911eb919771ee9c419fc5f Author: Eduard Zingerman Date: Tue Jun 13 18:38:23 2023 +0300 bpf: Verify scalar ids mapping in regsafe() using check_ids() [ Upstream commit 1ffc85d9298e0ca0137ba65c93a786143fe167b8 ] Make sure that the following unsafe example is rejected by verifier: 1: r9 = ... some pointer with range X ... 2: r6 = ... unbound scalar ID=a ... 3: r7 = ... unbound scalar ID=b ... 4: if (r6 > r7) goto +1 5: r6 = r7 6: if (r6 > X) goto ... commit 919dcc2e958a44fb531b26d6b5a55c8977283c0f Author: Eduard Zingerman Date: Tue Jun 13 18:38:21 2023 +0300 bpf: Use scalar ids in mark_chain_precision() [ Upstream commit 904e6ddf4133c52fdb9654c2cd2ad90f320d48b9 ] Change mark_chain_precision() to track precision in situations like below: r2 = unknown value ... --- state #0 --- ... r1 = r2 // r1 and r2 now share the same ID ... --- state #1 {r1.id = A, r2.id = A} --- ... if (r2 > 10) goto exit; // find_equal_scalars() assigns range to r1 ... --- state #2 {r1.id = A, r2.id = A} --- r3 = r10 r3 += r1 // need to mark both r1 and r2 At the beginning of the processing of each state, ensure that if a register with a scalar ID is marked as precise, all registers sharing this ID are also marked as precise. This property would be used by a follow-up change in regsafe(). Signed-off-by: Eduard Zingerman Signed-off-by: Andrii Nakryiko Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20230613153824.3324830-2-eddyz87@gmail.com Stable-dep-of: 1ffc85d9298e ("bpf: Verify scalar ids mapping in regsafe() using check_ids()") Signed-off-by: Sasha Levin commit 4351f69966390f4593f8f8bfe98ddafa2f1081e5 Author: Remi Pommarel Date: Fri Jun 9 11:37:44 2023 +0200 wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key() [ Upstream commit 75086cc6dee046e3fbb3dba148b376d8802f83bc ] On EDMA capable hardware, ath9k_txq_list_has_key() can enter infinite loop if it is called while all txq_fifos have packets that use different key that the one we are looking for. Fix it by exiting the loop if all txq_fifos have been checked already. Because this loop is called under spin_lock_bh() (see ath_txq_lock) it causes the following rcu stall: rcu: INFO: rcu_sched self-detected stall on CPU ath10k_pci 0000:01:00.0: failed to read temperature -11 rcu: 1-....: (5254 ticks this GP) idle=189/1/0x4000000000000002 softirq=8442983/8442984 fqs=2579 (t=5257 jiffies g=17983297 q=334) Task dump for CPU 1: task:hostapd state:R running task stack: 0 pid: 297 ppid: 289 flags:0x0000000a Call trace: dump_backtrace+0x0/0x170 show_stack+0x1c/0x24 sched_show_task+0x140/0x170 dump_cpu_task+0x48/0x54 rcu_dump_cpu_stacks+0xf0/0x134 rcu_sched_clock_irq+0x8d8/0x9fc update_process_times+0xa0/0xec tick_sched_timer+0x5c/0xd0 __hrtimer_run_queues+0x154/0x320 hrtimer_interrupt+0x120/0x2f0 arch_timer_handler_virt+0x38/0x44 handle_percpu_devid_irq+0x9c/0x1e0 handle_domain_irq+0x64/0x90 gic_handle_irq+0x78/0xb0 call_on_irq_stack+0x28/0x38 do_interrupt_handler+0x54/0x5c el1_interrupt+0x2c/0x4c el1h_64_irq_handler+0x14/0x1c el1h_64_irq+0x74/0x78 ath9k_txq_has_key+0x1bc/0x250 [ath9k] ath9k_set_key+0x1cc/0x3dc [ath9k] drv_set_key+0x78/0x170 ieee80211_key_replace+0x564/0x6cc ieee80211_key_link+0x174/0x220 ieee80211_add_key+0x11c/0x300 nl80211_new_key+0x12c/0x330 genl_family_rcv_msg_doit+0xbc/0x11c genl_rcv_msg+0xd8/0x1c4 netlink_rcv_skb+0x40/0x100 genl_rcv+0x3c/0x50 netlink_unicast+0x1ec/0x2c0 netlink_sendmsg+0x198/0x3c0 ____sys_sendmsg+0x210/0x250 ___sys_sendmsg+0x78/0xc4 __sys_sendmsg+0x4c/0x90 __arm64_sys_sendmsg+0x28/0x30 invoke_syscall.constprop.0+0x60/0x100 do_el0_svc+0x48/0xd0 el0_svc+0x14/0x50 el0t_64_sync_handler+0xa8/0xb0 el0t_64_sync+0x158/0x15c This rcu stall is hard to reproduce as is, but changing ATH_TXFIFO_DEPTH from 8 to 2 makes it reasonably easy to reproduce. Fixes: ca2848022c12 ("ath9k: Postpone key cache entry deletion for TXQ frames reference it") Signed-off-by: Remi Pommarel Tested-by: Nicolas Escande Acked-by: Toke Høiland-Jørgensen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230609093744.1985-1-repk@triplefau.lt Signed-off-by: Sasha Levin commit a4b5c41534c9887873713e405b3a9fffa4f688cb Author: Eduard Zingerman Date: Sat Jun 10 01:16:37 2023 +0300 selftests/bpf: Fix invalid pointer check in get_xlated_program() [ Upstream commit b23ed4d74c4d583b5f621ee4c776699442833554 ] Dan Carpenter reported invalid check for calloc() result in test_verifier.c:get_xlated_program(): ./tools/testing/selftests/bpf/test_verifier.c:1365 get_xlated_program() warn: variable dereferenced before check 'buf' (see line 1364) ./tools/testing/selftests/bpf/test_verifier.c 1363 *cnt = xlated_prog_len / buf_element_size; 1364 *buf = calloc(*cnt, buf_element_size); 1365 if (!buf) { This should be if (!*buf) { 1366 perror("can't allocate xlated program buffer"); 1367 return -ENOMEM; This commit refactors the get_xlated_program() to avoid using double pointer type. Fixes: 933ff53191eb ("selftests/bpf: specify expected instructions in test_verifier tests") Reported-by: Dan Carpenter Signed-off-by: Eduard Zingerman Signed-off-by: Daniel Borkmann Closes: https://lore.kernel.org/bpf/ZH7u0hEGVB4MjGZq@moroto/ Link: https://lore.kernel.org/bpf/20230609221637.2631800-1-eddyz87@gmail.com Signed-off-by: Sasha Levin commit e0ca90430d1097c6667d90aa4cce14203c7a1c1c Author: Arnd Bergmann Date: Tue May 16 22:27:04 2023 +0200 memstick r592: make memstick_debug_get_tpc_name() static [ Upstream commit 434587df9f7fd68575f99a889cc5f2efc2eaee5e ] There are no other files referencing this function, apparently it was left global to avoid an 'unused function' warning when the only caller is left out. With a 'W=1' build, it causes a 'missing prototype' warning though: drivers/memstick/host/r592.c:47:13: error: no previous prototype for 'memstick_debug_get_tpc_name' [-Werror=missing-prototypes] Annotate the function as 'static __maybe_unused' to avoid both problems. Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20230516202714.560929-1-arnd@kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 9d409032d91e84e788865a5a5cb7d35b001f35ad Author: Douglas Anderson Date: Wed May 10 06:44:54 2023 -0700 mmc: mediatek: Avoid ugly error message when SDIO wakeup IRQ isn't used [ Upstream commit a3332b7aad346b14770797e03ddd02ebdb14db41 ] When I boot a kukui-kodama board, I see an ugly warning in my kernel log: mtk-msdc 11240000.mmc: error -ENXIO: IRQ sdio_wakeup not found It's pretty normal not to have an "sdio_wakeup" IRQ defined. In fact, no device trees in mainline seem to have it. Let's use the platform_get_irq_byname_optional() to avoid the error message. Fixes: 527f36f5efa4 ("mmc: mediatek: add support for SDIO eint wakup IRQ") Signed-off-by: Douglas Anderson Reviewed-by: Matthias Brugger Link: https://lore.kernel.org/r/20230510064434.1.I935404c5396e6bf952e99bb7ffb744c6f7fd430b@changeid Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit aed47599b4d3deb64833f0698314b0f48e2ca35a Author: Zhen Lei Date: Sat May 27 20:34:34 2023 +0800 kexec: fix a memory leak in crash_shrink_memory() [ Upstream commit 1cba6c4309f03de570202c46f03df3f73a0d4c82 ] Patch series "kexec: enable kexec_crash_size to support two crash kernel regions". When crashkernel=X fails to reserve region under 4G, it will fall back to reserve region above 4G and a region of the default size will also be reserved under 4G. Unfortunately, /sys/kernel/kexec_crash_size only supports one crash kernel region now, the user cannot sense the low memory reserved by reading /sys/kernel/kexec_crash_size. Also, low memory cannot be freed by writing this file. For example: resource_size(crashk_res) = 512M resource_size(crashk_low_res) = 256M The result of 'cat /sys/kernel/kexec_crash_size' is 512M, but it should be 768M. When we execute 'echo 0 > /sys/kernel/kexec_crash_size', the size of crashk_res becomes 0 and resource_size(crashk_low_res) is still 256 MB, which is incorrect. Since crashk_res manages the memory with high address and crashk_low_res manages the memory with low address, crashk_low_res is shrunken only when all crashk_res is shrunken. And because when there is only one crash kernel region, crashk_res is always used. Therefore, if all crashk_res is shrunken and crashk_low_res still exists, swap them. This patch (of 6): If the value of parameter 'new_size' is in the semi-open and semi-closed interval (crashk_res.end - KEXEC_CRASH_MEM_ALIGN + 1, crashk_res.end], the calculation result of ram_res is: ram_res->start = crashk_res.end + 1 ram_res->end = crashk_res.end The operation of insert_resource() fails, and ram_res is not added to iomem_resource. As a result, the memory of the control block ram_res is leaked. In fact, on all architectures, the start address and size of crashk_res are already aligned by KEXEC_CRASH_MEM_ALIGN. Therefore, we do not need to round up crashk_res.start again. Instead, we should round up 'new_size' in advance. Link: https://lkml.kernel.org/r/20230527123439.772-1-thunder.leizhen@huawei.com Link: https://lkml.kernel.org/r/20230527123439.772-2-thunder.leizhen@huawei.com Fixes: 6480e5a09237 ("kdump: add missing RAM resource in crash_shrink_memory()") Fixes: 06a7f711246b ("kexec: premit reduction of the reserved memory size") Signed-off-by: Zhen Lei Acked-by: Baoquan He Cc: Cong Wang Cc: Eric W. Biederman Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 0977d6244fd1ddbdd9405892090d26eb17e9d27b Author: Douglas Anderson Date: Fri May 19 10:18:26 2023 -0700 watchdog/perf: more properly prevent false positives with turbo modes [ Upstream commit 4379e59fe5665cfda737e45b8bf2f05321ef049c ] Currently, in the watchdog_overflow_callback() we first check to see if the watchdog had been touched and _then_ we handle the workaround for turbo mode. This order should be reversed. Specifically, "touching" the hardlockup detector's watchdog should avoid lockups being detected for one period that should be roughly the same regardless of whether we're running turbo or not. That means that we should do the extra accounting for turbo _before_ we look at (and clear) the global indicating that we've been touched. NOTE: this fix is made based on code inspection. I am not aware of any reports where the old code would have generated false positives. That being said, this order seems more correct and also makes it easier down the line to share code with the "buddy" hardlockup detector. Link: https://lkml.kernel.org/r/20230519101840.v5.2.I843b0d1de3e096ba111a179f3adb16d576bef5c7@changeid Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes") Signed-off-by: Douglas Anderson Cc: Andi Kleen Cc: Catalin Marinas Cc: Chen-Yu Tsai Cc: Christophe Leroy Cc: Colin Cross Cc: Daniel Thompson Cc: "David S. Miller" Cc: Guenter Roeck Cc: Ian Rogers Cc: Lecopzer Chen Cc: Marc Zyngier Cc: Mark Rutland Cc: Masayoshi Mizuma Cc: Matthias Kaehlcke Cc: Michael Ellerman Cc: Nicholas Piggin Cc: Petr Mladek Cc: Pingfan Liu Cc: Randy Dunlap Cc: "Ravi V. Shankar" Cc: Ricardo Neri Cc: Stephane Eranian Cc: Stephen Boyd Cc: Sumit Garg Cc: Tzung-Bi Shih Cc: Will Deacon Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit d6d30d4eb11788cc480cb903983bad813dd3f6a8 Author: Douglas Anderson Date: Fri May 19 10:18:25 2023 -0700 watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on correct config [ Upstream commit 5e008df11c55228a86a1bae692cc2002503572c9 ] Patch series "watchdog/hardlockup: Add the buddy hardlockup detector", v5. This patch series adds the "buddy" hardlockup detector. In brief, the buddy hardlockup detector can detect hardlockups without arch-level support by having CPUs checkup on a "buddy" CPU periodically. Given the new design of this patch series, testing all combinations is fairly difficult. I've attempted to make sure that all combinations of CONFIG_ options are good, but it wouldn't surprise me if I missed something. I apologize in advance and I'll do my best to fix any problems that are found. This patch (of 18): The real watchdog_update_hrtimer_threshold() is defined in kernel/watchdog_hld.c. That file is included if CONFIG_HARDLOCKUP_DETECTOR_PERF and the function is defined in that file if CONFIG_HARDLOCKUP_CHECK_TIMESTAMP. The dummy version of the function in "nmi.h" didn't get that quite right. While this doesn't appear to be a huge deal, it's nice to make it consistent. It doesn't break builds because CHECK_TIMESTAMP is only defined by x86 so others don't get a double definition, and x86 uses perf lockup detector, so it gets the out of line version. Link: https://lkml.kernel.org/r/20230519101840.v5.18.Ia44852044cdcb074f387e80df6b45e892965d4a1@changeid Link: https://lkml.kernel.org/r/20230519101840.v5.1.I8cbb2f4fa740528fcfade4f5439b6cdcdd059251@changeid Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes") Signed-off-by: Douglas Anderson Reviewed-by: Nicholas Piggin Reviewed-by: Petr Mladek Cc: Andi Kleen Cc: Catalin Marinas Cc: Chen-Yu Tsai Cc: Christophe Leroy Cc: Daniel Thompson Cc: "David S. Miller" Cc: Guenter Roeck Cc: Ian Rogers Cc: Lecopzer Chen Cc: Marc Zyngier Cc: Mark Rutland Cc: Masayoshi Mizuma Cc: Matthias Kaehlcke Cc: Michael Ellerman Cc: Pingfan Liu Cc: Randy Dunlap Cc: "Ravi V. Shankar" Cc: Ricardo Neri Cc: Stephane Eranian Cc: Stephen Boyd Cc: Sumit Garg Cc: Tzung-Bi Shih Cc: Will Deacon Cc: Colin Cross Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit fae50430abe5a6df289c686dc9442184859ca161 Author: Haifeng Xu Date: Mon May 22 09:52:33 2023 +0000 selftests: cgroup: fix unexpected failure on test_memcg_low [ Upstream commit 19ab365762c6cc39dfdee9e13ab0d12fe4b5540d ] Since commit f079a020ba95 ("selftests: memcg: factor out common parts of memory.{low,min} tests"), the value used in second alloc_anon has changed from 148M to 170M. Because memory.low allows reclaiming page cache in child cgroups, so the memory.current is close to 30M instead of 50M. Therefore, adjust the expected value of parent cgroup. Link: https://lkml.kernel.org/r/20230522095233.4246-2-haifeng.xu@shopee.com Fixes: f079a020ba95 ("selftests: memcg: factor out common parts of memory.{low,min} tests") Signed-off-by: Haifeng Xu Cc: Johannes Weiner Cc: Michal Hocko Cc: Roman Gushchin Cc: Shakeel Butt Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 4ecf9c147213e7da17f4d764540a2808a1187580 Author: Karol Kolacinski Date: Thu Jun 1 14:15:03 2023 -0700 ice: handle extts in the miscellaneous interrupt thread [ Upstream commit 6e8b2c88fc8cf95ed09de25946b20b7536c88cd5 ] The ice_ptp_extts_work() and ice_ptp_periodic_work() functions are both scheduled on the same kthread worker, pf.ptp.kworker. The ice_ptp_periodic_work() function sends to the firmware to interact with the PHY, and must block to wait for responses. This can cause delay in responding to the PFINT_OICR_TSYN_EVNT interrupt cause, ultimately resulting in disruption to processing an input signal of the frequency is high enough. In our testing, even 100 Hz signals get disrupted. Fix this by instead processing the signal inside the miscellaneous interrupt thread prior to handling Tx timestamps. Use atomic bits in a new pf->misc_thread bitmap in order to safely communicate which tasks require processing within the ice_misc_intr_thread_fn(). This ensures the communication of desired tasks from the ice_misc_intr() are correctly processed without racing even in the event that the interrupt triggers again before the thread function exits. Fixes: 172db5f91d5f ("ice: add support for auxiliary input/output pins") Signed-off-by: Karol Kolacinski Signed-off-by: Jacob Keller Tested-by: Arpana Arland (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit bf732fbbde8f56436a654f09f6b18723988d242c Author: Marek Vasut Date: Sun May 28 00:28:59 2023 +0200 wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown [ Upstream commit e74f562328b03fbe9cf438f958464dff3a644dfc ] It makes no sense to set MMC_PM_KEEP_POWER in shutdown. The flag indicates to the MMC subsystem to keep the slot powered on during suspend, but in shutdown the slot should actually be powered off. Drop this call. Fixes: 063848c3e155 ("rsi: sdio: Add WOWLAN support for S5 shutdown state") Signed-off-by: Marek Vasut Reviewed-by: Simon Horman Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230527222859.273768-1-marex@denx.de Signed-off-by: Sasha Levin commit b601468539c1d97539097bfc87ad11f1704b7eb7 Author: Marek Vasut Date: Sun May 28 00:28:33 2023 +0200 wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled [ Upstream commit b241e260820b68c09586e8a0ae0fc23c0e3215bd ] In case WoWlan was never configured during the operation of the system, the hw->wiphy->wowlan_config will be NULL. rsi_config_wowlan() checks whether wowlan_config is non-NULL and if it is not, then WARNs about it. The warning is valid, as during normal operation the rsi_config_wowlan() should only ever be called with non-NULL wowlan_config. In shutdown this rsi_config_wowlan() should only ever be called if WoWlan was configured before by the user. Add checks for non-NULL wowlan_config into the shutdown hook. While at it, check whether the wiphy is also non-NULL before accessing wowlan_config . Drop the single-use wowlan_config variable, just inline it into function call. Fixes: 16bbc3eb8372 ("rsi: fix null pointer dereference during rsi_shutdown()") Signed-off-by: Marek Vasut Reviewed-by: Simon Horman Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230527222833.273741-1-marex@denx.de Signed-off-by: Sasha Levin commit 6f228aa0d7c4b9c218da4e64bf96b9b3c7aca1ff Author: Vijaya Krishna Nivarthi Date: Wed May 17 17:48:14 2023 +0530 spi: spi-geni-qcom: Do not do DMA map/unmap inside driver, use framework instead [ Upstream commit 3a76c7ca9e77269dd10cf21465a055274cfa40c6 ] The spi geni driver in SE DMA mode, unlike GSI DMA, is not making use of DMA mapping functionality available in the framework. The driver does mapping internally which makes dma buffer fields available in spi_transfer struct superfluous while requiring additional members in spi_geni_master struct. Conform to the design by having framework handle map/unmap and do only DMA transfer in the driver; this also simplifies code a bit. Fixes: e5f0dfa78ac7 ("spi: spi-geni-qcom: Add support for SE DMA mode") Suggested-by: Douglas Anderson Signed-off-by: Vijaya Krishna Nivarthi Reviewed-by: Douglas Anderson Acked-by: Konrad Dybcio Link: https://lore.kernel.org/r/1684325894-30252-3-git-send-email-quic_vnivarth@quicinc.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f6d60b61b7db11fb025dce3e7229b77c9b7e82e6 Author: Vijaya Krishna Nivarthi Date: Wed May 17 17:48:13 2023 +0530 soc: qcom: geni-se: Add interfaces geni_se_tx_init_dma() and geni_se_rx_init_dma() [ Upstream commit 6d6e57594957ee9131bc3802dfc8657ca6f78fee ] The geni_se_xx_dma_prep() interfaces necessarily do DMA mapping before initiating DMA transfers. This is not suitable for spi where framework is expected to handle map/unmap. Expose new interfaces geni_se_xx_init_dma() which do only DMA transfer. Signed-off-by: Vijaya Krishna Nivarthi Reviewed-by: Douglas Anderson Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/1684325894-30252-2-git-send-email-quic_vnivarth@quicinc.com Signed-off-by: Mark Brown Stable-dep-of: 3a76c7ca9e77 ("spi: spi-geni-qcom: Do not do DMA map/unmap inside driver, use framework instead") Signed-off-by: Sasha Levin commit 63b2a26ebd4b7e5dd43ee14c1a5f63f56d76988d Author: Jesper Dangaard Brouer Date: Tue Jun 6 13:30:47 2023 +0200 selftests/bpf: Fix check_mtu using wrong variable type [ Upstream commit 095641817e1bf6aa2560e025e47575188ee3edaf ] Dan Carpenter found via Smatch static checker, that unsigned 'mtu_lo' is never less than zero. Variable mtu_lo should have been an 'int', because read_mtu_device_lo() uses minus as error indications. Fixes: b62eba563229 ("selftests/bpf: Tests using bpf_check_mtu BPF-helper") Reported-by: Dan Carpenter Signed-off-by: Jesper Dangaard Brouer Signed-off-by: Daniel Borkmann Reviewed-by: Simon Horman Link: https://lore.kernel.org/bpf/168605104733.3636467.17945947801753092590.stgit@firesoul Signed-off-by: Sasha Levin commit e55f4fac48af172143bef89bebb3ccfb2d24b669 Author: Johannes Berg Date: Sun Jun 4 12:11:20 2023 +0300 wifi: mac80211: recalc min chandef for new STA links [ Upstream commit ba7af2654e3b7b810c750b3c6106f6f20b81cc88 ] When adding a new link to a station, this needs to cause a recalculation of the minimum chandef since otherwise we can have a higher bandwidth station connected on that link than the link is operating at. Do the appropriate recalc. Fixes: cb71f1d136a6 ("wifi: mac80211: add sta link addition/removal") Signed-off-by: Johannes Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230604120651.377adf3c789a.I91bf28f399e16e6ac1f83bacd1029a698b4e6685@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 009c4bfaab44530e63e0d648791a8a2c24f1b82b Author: Johannes Berg Date: Wed May 31 19:50:06 2023 +0300 wifi: iwlwifi: mvm: send time sync only if needed [ Upstream commit ead65aa2d5155728baec90f6404cd02618ef29d0 ] If there's no peer configured then there's no point in sending the command down to the firmware with an invalid peer address. Fixes: cf85123a210f ("wifi: iwlwifi: mvm: support enabling and disabling HW timestamping") Signed-off-by: Johannes Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230531194630.0fb9f81f1852.Idcc41b67d1fbb421e5ed9bac2177b948b7b4d1c9@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 6860a1ac54eb16a1ce5ccb53aa4b7bb62ab6b180 Author: Viktor Malik Date: Tue May 30 14:33:52 2023 +0200 tools/resolve_btfids: Fix setting HOSTCFLAGS [ Upstream commit edd75c802855271c8610f58a2fc9e54aefc49ce5 ] Building BPF selftests with custom HOSTCFLAGS yields an error: # make HOSTCFLAGS="-O2" [...] HOSTCC ./tools/testing/selftests/bpf/tools/build/resolve_btfids/main.o main.c:73:10: fatal error: linux/rbtree.h: No such file or directory 73 | #include | ^~~~~~~~~~~~~~~~ The reason is that tools/bpf/resolve_btfids/Makefile passes header include paths by extending HOSTCFLAGS which is overridden by setting HOSTCFLAGS in the make command (because of Makefile rules [1]). This patch fixes the above problem by passing the include paths via `HOSTCFLAGS_resolve_btfids` which is used by tools/build/Build.include and can be combined with overridding HOSTCFLAGS. [1] https://www.gnu.org/software/make/manual/html_node/Overriding.html Fixes: 56a2df7615fa ("tools/resolve_btfids: Compile resolve_btfids as host program") Signed-off-by: Viktor Malik Signed-off-by: Andrii Nakryiko Acked-by: Jiri Olsa Link: https://lore.kernel.org/bpf/20230530123352.1308488-1-vmalik@redhat.com Signed-off-by: Sasha Levin commit d906d1b940b9dbf0a3e821d6b32a51c369273d91 Author: Dave Marchevsky Date: Thu Jun 1 19:26:42 2023 -0700 bpf: Make bpf_refcount_acquire fallible for non-owning refs [ Upstream commit 7793fc3babe9fea908e57f7c187ea819f9fd7e95 ] This patch fixes an incorrect assumption made in the original bpf_refcount series [0], specifically that the BPF program calling bpf_refcount_acquire on some node can always guarantee that the node is alive. In that series, the patch adding failure behavior to rbtree_add and list_push_{front, back} breaks this assumption for non-owning references. Consider the following program: n = bpf_kptr_xchg(&mapval, NULL); /* skip error checking */ bpf_spin_lock(&l); if(bpf_rbtree_add(&t, &n->rb, less)) { bpf_refcount_acquire(n); /* Failed to add, do something else with the node */ } bpf_spin_unlock(&l); It's incorrect to assume that bpf_refcount_acquire will always succeed in this scenario. bpf_refcount_acquire is being called in a critical section here, but the lock being held is associated with rbtree t, which isn't necessarily the lock associated with the tree that the node is already in. So after bpf_rbtree_add fails to add the node and calls bpf_obj_drop in it, the program has no ownership of the node's lifetime. Therefore the node's refcount can be decr'd to 0 at any time after the failing rbtree_add. If this happens before the refcount_acquire above, the node might be free'd, and regardless refcount_acquire will be incrementing a 0 refcount. Later patches in the series exercise this scenario, resulting in the expected complaint from the kernel (without this patch's changes): refcount_t: addition on 0; use-after-free. WARNING: CPU: 1 PID: 207 at lib/refcount.c:25 refcount_warn_saturate+0xbc/0x110 Modules linked in: bpf_testmod(O) CPU: 1 PID: 207 Comm: test_progs Tainted: G O 6.3.0-rc7-02231-g723de1a718a2-dirty #371 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0xbc/0x110 Code: 6f 64 f6 02 01 e8 84 a3 5c ff 0f 0b eb 9d 80 3d 5e 64 f6 02 00 75 94 48 c7 c7 e0 13 d2 82 c6 05 4e 64 f6 02 01 e8 64 a3 5c ff <0f> 0b e9 7a ff ff ff 80 3d 38 64 f6 02 00 0f 85 6d ff ff ff 48 c7 RSP: 0018:ffff88810b9179b0 EFLAGS: 00010082 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 RDX: 0000000000000202 RSI: 0000000000000008 RDI: ffffffff857c3680 RBP: ffff88810027d3c0 R08: ffffffff8125f2a4 R09: ffff88810b9176e7 R10: ffffed1021722edc R11: 746e756f63666572 R12: ffff88810027d388 R13: ffff88810027d3c0 R14: ffffc900005fe030 R15: ffffc900005fe048 FS: 00007fee0584a700(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005634a96f6c58 CR3: 0000000108ce9002 CR4: 0000000000770ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: bpf_refcount_acquire_impl+0xb5/0xc0 (rest of output snipped) The patch addresses this by changing bpf_refcount_acquire_impl to use refcount_inc_not_zero instead of refcount_inc and marking bpf_refcount_acquire KF_RET_NULL. For owning references, though, we know the above scenario is not possible and thus that bpf_refcount_acquire will always succeed. Some verifier bookkeeping is added to track "is input owning ref?" for bpf_refcount_acquire calls and return false from is_kfunc_ret_null for bpf_refcount_acquire on owning refs despite it being marked KF_RET_NULL. Existing selftests using bpf_refcount_acquire are modified where necessary to NULL-check its return value. [0]: https://lore.kernel.org/bpf/20230415201811.343116-1-davemarchevsky@fb.com/ Fixes: d2dcc67df910 ("bpf: Migrate bpf_rbtree_add and bpf_list_push_{front,back} to possibly fail") Reported-by: Kumar Kartikeya Dwivedi Signed-off-by: Dave Marchevsky Link: https://lore.kernel.org/r/20230602022647.1571784-5-davemarchevsky@fb.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit f1263730f92745f65beebf104287e8e613e41153 Author: Dave Marchevsky Date: Thu Jun 1 19:26:41 2023 -0700 bpf: Fix __bpf_{list,rbtree}_add's beginning-of-node calculation [ Upstream commit cc0d76cafebbd3e1ffab9c4252d48ecc9e0737f6 ] Given the pointer to struct bpf_{rb,list}_node within a local kptr and the byte offset of that field within the kptr struct, the calculation changed by this patch is meant to find the beginning of the kptr so that it can be passed to bpf_obj_drop. Unfortunately instead of doing ptr_to_kptr = ptr_to_node_field - offset_bytes the calculation is erroneously doing ptr_to_ktpr = ptr_to_node_field - (offset_bytes * sizeof(struct bpf_rb_node)) or the bpf_list_node equivalent. This patch fixes the calculation. Fixes: d2dcc67df910 ("bpf: Migrate bpf_rbtree_add and bpf_list_push_{front,back} to possibly fail") Signed-off-by: Dave Marchevsky Link: https://lore.kernel.org/r/20230602022647.1571784-4-davemarchevsky@fb.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 8885bfcff915a89ff5cb17d065eafe1a0f8b4eb6 Author: Dave Marchevsky Date: Thu Jun 1 19:26:40 2023 -0700 bpf: Set kptr_struct_meta for node param to list and rbtree insert funcs [ Upstream commit 2140a6e3422de22e6ebe77d4d18b6c0c9c425426 ] In verifier.c, fixup_kfunc_call uses struct bpf_insn_aux_data's kptr_struct_meta field to pass information about local kptr types to various helpers and kfuncs at runtime. The recent bpf_refcount series added a few functions to the set that need this information: * bpf_refcount_acquire * Needs to know where the refcount field is in order to increment * Graph collection insert kfuncs: bpf_rbtree_add, bpf_list_push_{front,back} * Were migrated to possibly fail by the bpf_refcount series. If insert fails, the input node is bpf_obj_drop'd. bpf_obj_drop needs the kptr_struct_meta in order to decr refcount and properly free special fields. Unfortunately the verifier handling of collection insert kfuncs was not modified to actually populate kptr_struct_meta. Accordingly, when the node input to those kfuncs is passed to bpf_obj_drop, it is done so without the information necessary to decr refcount. This patch fixes the issue by populating kptr_struct_meta for those kfuncs. Fixes: d2dcc67df910 ("bpf: Migrate bpf_rbtree_add and bpf_list_push_{front,back} to possibly fail") Signed-off-by: Dave Marchevsky Link: https://lore.kernel.org/r/20230602022647.1571784-3-davemarchevsky@fb.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 85ed55cffb6e0474d8b86993a62fc40a6f6ec111 Author: Dave Marchevsky Date: Wed May 10 14:30:47 2023 -0700 bpf: Remove anonymous union in bpf_kfunc_call_arg_meta [ Upstream commit 4d585f48ee6b38c54c075b151c5efd2ff65f8ffd ] For kfuncs like bpf_obj_drop and bpf_refcount_acquire - which take user-defined types as input - the verifier needs to track the specific type passed in when checking a particular kfunc call. This requires tracking (btf, btf_id) tuple. In commit 7c50b1cb76ac ("bpf: Add bpf_refcount_acquire kfunc") I added an anonymous union with inner structs named after the specific kfuncs tracking this information, with the goal of making it more obvious which kfunc this data was being tracked / expected to be tracked on behalf of. In a recent series adding a new user of this tuple, Alexei mentioned that he didn't like this union usage as it doesn't really help with readability or bug-proofing ([0]). In an offline convo we agreed to have the tuple be fields (arg_btf, arg_btf_id), with comments in bpf_kfunc_call_arg_meta definition enumerating the uses of the fields by kfunc-specific handling logic. Such a pattern is used by struct bpf_reg_state without trouble. Accordingly, this patch removes the anonymous union in favor of arg_btf and arg_btf_id fields and comment enumerating their current uses. The patch also removes struct btf_and_id, which was only being used by the removed union's inner structs. This is a mechanical change, existing linked_list and rbtree tests will validate that correct (btf, btf_id) are being passed. [0]: https://lore.kernel.org/bpf/20230505021707.vlyiwy57vwxglbka@dhcp-172-26-102-232.dhcp.thefacebook.com Signed-off-by: Dave Marchevsky Link: https://lore.kernel.org/r/20230510213047.1633612-1-davemarchevsky@fb.com Signed-off-by: Alexei Starovoitov Stable-dep-of: 2140a6e3422d ("bpf: Set kptr_struct_meta for node param to list and rbtree insert funcs") Signed-off-by: Sasha Levin commit a1c6a38931fe119fe415c378e847eea58ceb94c5 Author: Youghandhar Chintala Date: Fri May 26 12:41:08 2023 +0300 wifi: ath10k: Trigger STA disconnect after reconfig complete on hardware restart [ Upstream commit 75bd32f5ce94bc365ba0b9b68bcf9de84a391d37 ] Currently, on WCN3990, the station disconnect after hardware recovery is not working as expected. This is because of setting the IEEE80211_SDATA_DISCONNECT_HW_RESTART flag very early in the hardware recovery process even before the driver invokes ieee80211_hw_restart(). On the contrary, mac80211 expects this flag to be set after ieee80211_hw_restart() is invoked for it to trigger station disconnect. Set the IEEE80211_SDATA_DISCONNECT_HW_RESTART flag in ath10k_reconfig_complete() instead to fix this. The other targets are not affected by this change, since the hardware params flag is not set. Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.2.2.c10-00754-QCAHLSWMTPL-1 Fixes: 2c3fc50591ff ("ath10k: Trigger sta disconnect on hardware restart") Signed-off-by: Youghandhar Chintala Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230518101515.3820-1-quic_youghand@quicinc.com Signed-off-by: Sasha Levin commit 00139f8a07025c64e3814b6045a96137bbeead04 Author: Jesper Dangaard Brouer Date: Tue May 30 16:30:41 2023 +0200 samples/bpf: xdp1 and xdp2 reduce XDPBUFSIZE to 60 [ Upstream commit 60548b825b082cedf89b275c21c28b1e1d030e50 ] Default samples/pktgen scripts send 60 byte packets as hardware adds 4-bytes FCS checksum, which fulfils minimum Ethernet 64 bytes frame size. XDP layer will not necessary have access to the 4-bytes FCS checksum. This leads to bpf_xdp_load_bytes() failing as it tries to copy 64-bytes from an XDP packet that only have 60-bytes available. Fixes: 772251742262 ("samples/bpf: fixup some tools to be able to support xdp multibuffer") Signed-off-by: Jesper Dangaard Brouer Signed-off-by: Daniel Borkmann Reviewed-by: Tariq Toukan Link: https://lore.kernel.org/bpf/168545704139.2996228.2516528552939485216.stgit@firesoul Signed-off-by: Sasha Levin commit b8e2885ebccfd26879583dcd524d25e47db2897c Author: Sascha Hauer Date: Wed May 24 12:39:34 2023 +0200 wifi: rtw88: usb: silence log flooding error message [ Upstream commit 1f1784a59caf3eefd127908a1a3cf224017ff9c7 ] When receiving more rx packets than the kernel can handle the driver drops the packets and issues an error message. This is bad for two reasons. The logs are flooded with myriads of messages, but then time consumed for printing messages in that critical code path brings down the device. After some time of excessive rx load the driver responds with: rtw_8822cu 1-1:1.2: failed to get tx report from firmware rtw_8822cu 1-1:1.2: firmware failed to report density after scan rtw_8822cu 1-1:1.2: firmware failed to report density after scan The device stops working until being replugged. Fix this by lowering the priority to debug level and also by ratelimiting it. Fixes: a82dfd33d1237 ("wifi: rtw88: Add common USB chip support") Signed-off-by: Sascha Hauer Reviewed-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230524103934.1019096-1-s.hauer@pengutronix.de Signed-off-by: Sasha Levin commit be2a546c30fe8d72efa032bee612363bb75314bd Author: Fedor Pchelkin Date: Wed May 17 18:03:17 2023 +0300 wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes [ Upstream commit 061b0cb9327b80d7a0f63a33e7c3e2a91a71f142 ] A bad USB device is able to construct a service connection response message with target endpoint being ENDPOINT0 which is reserved for HTC_CTRL_RSVD_SVC and should not be modified to be used for any other services. Reject such service connection responses. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") Reported-by: syzbot+b68fbebe56d8362907e8@syzkaller.appspotmail.com Signed-off-by: Fedor Pchelkin Acked-by: Toke Høiland-Jørgensen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230516150427.79469-1-pchelkin@ispras.ru Signed-off-by: Sasha Levin commit 3730b25d2816f661ac5e7e8010e591ae8df6b663 Author: Christophe JAILLET Date: Sat May 20 10:13:22 2023 +0200 wifi: ray_cs: Fix an error handling path in ray_probe() [ Upstream commit 4f8d66a9fb2edcd05c1e563456a55a08910bfb37 ] Should ray_config() fail, some resources need to be released as already done in the remove function. While at it, remove a useless and erroneous comment. The probe is ray_probe(), not ray_attach(). Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") Signed-off-by: Christophe JAILLET Reviewed-by: Simon Horman Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/8c544d18084f8b37dd108e844f7e79e85ff708ff.1684570373.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit eb1adc0d9dfe16b7eff57baa32547a909534f003 Author: Christophe JAILLET Date: Sat May 20 10:05:08 2023 +0200 wifi: wl3501_cs: Fix an error handling path in wl3501_probe() [ Upstream commit 391af06a02e7642039ac5f6c4b2c034ab0992b5d ] Should wl3501_config() fail, some resources need to be released as already done in the remove function. Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") Signed-off-by: Christophe JAILLET Reviewed-by: Simon Horman Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/7cc9c9316489b7d69b36aeb0edd3123538500b41.1684569865.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit eb0eebfddaff3c350c6158fdfff9ee12a8ce3a3b Author: Christophe JAILLET Date: Sat May 20 09:53:14 2023 +0200 wifi: atmel: Fix an error handling path in atmel_probe() [ Upstream commit 6b92e4351a29af52c285fe235e6e4d1a75de04b2 ] Should atmel_config() fail, some resources need to be released as already done in the remove function. While at it, remove a useless and erroneous comment. The probe is atmel_probe(), not atmel_attach(). Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") Signed-off-by: Christophe JAILLET Reviewed-by: Simon Horman Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1e65f174607a83348034197fa7d603bab10ba4a9.1684569156.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 9af2ef527b8a3dd8823f772db1bcb5b87bd56001 Author: Christophe JAILLET Date: Sat May 20 09:38:22 2023 +0200 wifi: orinoco: Fix an error handling path in orinoco_cs_probe() [ Upstream commit 67a81d911c01225f426cc6bee2373df044c1a9b7 ] Should orinoco_cs_config() fail, some resources need to be released as already done in the remove function. While at it, remove a useless and erroneous comment. The probe is orinoco_cs_probe(), not orinoco_cs_attach(). Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") Signed-off-by: Christophe JAILLET Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/e24735ce4d82901d5f7ea08419eea53bfdde3d65.1684568286.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit cf8f2ced6486797810769e1fb81feab6c70d0938 Author: Christophe JAILLET Date: Sat May 20 09:29:46 2023 +0200 wifi: orinoco: Fix an error handling path in spectrum_cs_probe() [ Upstream commit 925244325159824385209e3e0e3f91fa6bf0646c ] Should spectrum_cs_config() fail, some resources need to be released as already done in the remove function. While at it, remove a useless and erroneous comment. The probe is spectrum_cs_probe(), not spectrum_cs_attach(). Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") Signed-off-by: Christophe JAILLET Reviewed-by: Simon Horman Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/c0bc0c21c58ca477fc5521607615bafbf2aef8eb.1684567733.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 809e3b6af94281b9e67645d8586cc79953020c48 Author: Geert Uytterhoeven Date: Thu May 25 13:13:59 2023 +0200 regulator: core: Streamline debugfs operations [ Upstream commit 08880713ceec023dd94d634f1e8902728c385939 ] If CONFIG_DEBUG_FS is not set: regulator: Failed to create debugfs directory ... regulator-dummy: Failed to create debugfs directory As per the comments for debugfs_create_dir(), errors returned by this function should be expected, and ignored: * If debugfs is not enabled in the kernel, the value -%ENODEV will be * returned. * * NOTE: it's expected that most callers should _ignore_ the errors returned * by this function. Other debugfs functions handle the fact that the "dentry" * passed to them could be an error and they don't crash in that case. * Drivers should generally work fine even if debugfs fails to init anyway. Adhere to the debugfs spirit, and streamline all operations by: 1. Demoting the importance of the printed error messages to debug level, like is already done in create_regulator(), 2. Further ignoring any returned errors, as by design, all debugfs functions are no-ops when passed an error pointer. Fixes: 2bf1c45be3b8f3a3 ("regulator: Fix error checking for debugfs_create_dir") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/2f8bb6e113359ddfab7b59e4d4274bd4c06d6d0a.1685013051.git.geert+renesas@glider.be Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 9fc289a4a2b7135def5dd5cef2278c0df05b0033 Author: Geert Uytterhoeven Date: Thu May 25 13:13:58 2023 +0200 regulator: core: Fix more error checking for debugfs_create_dir() [ Upstream commit 2715bb11cfff964aa33946847f9527cfbd4874f5 ] In case of failure, debugfs_create_dir() does not return NULL, but an error pointer. Most incorrect error checks were fixed, but the one in create_regulator() was forgotten. Fix the remaining error check. Fixes: 2bf1c45be3b8f3a3 ("regulator: Fix error checking for debugfs_create_dir") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/ee980a108b5854dd8ce3630f8f673e784e057d17.1685013051.git.geert+renesas@glider.be Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 982522df0d8ab70f0e1ba3f4c5e60a2240c6a692 Author: Sebastian Reichel Date: Thu May 4 19:36:15 2023 +0200 regulator: rk808: fix asynchronous probing [ Upstream commit 1b9e86d445a0f5c6d8dcbaf11508cb5dfb5848a8 ] If the probe routine fails with -EPROBE_DEFER after taking over the OF node from its parent driver, reprobing triggers pinctrl_bind_pins() and that will fail. Fix this by setting of_node_reused, so that the device does not try to setup pin muxing. For me this always happens once the driver is marked to prefer async probing and never happens without that flag. Fixes: 259b93b21a9f ("regulator: Set PROBE_PREFER_ASYNCHRONOUS for drivers that existed in 4.14") Signed-off-by: Sebastian Reichel Link: https://lore.kernel.org/r/20230504173618.142075-12-sebastian.reichel@collabora.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 56c1446975578a65579e5c6b320dd3b1dfb405d8 Author: Alexey Gladkov Date: Wed May 17 11:49:46 2023 +0200 selftests/bpf: Do not use sign-file as testcase [ Upstream commit f04a32b2c5b539e3c097cb5c7c1df12a8f4a0cf0 ] The sign-file utility (from scripts/) is used in prog_tests/verify_pkcs7_sig.c, but the utility should not be called as a test. Executing this utility produces the following error: selftests: /linux/tools/testing/selftests/bpf: urandom_read ok 16 selftests: /linux/tools/testing/selftests/bpf: urandom_read selftests: /linux/tools/testing/selftests/bpf: sign-file not ok 17 selftests: /linux/tools/testing/selftests/bpf: sign-file # exit=2 Also, urandom_read is mistakenly used as a test. It does not lead to an error, but should be moved over to TEST_GEN_FILES as well. The empty TEST_CUSTOM_PROGS can then be removed. Fixes: fc97590668ae ("selftests/bpf: Add test for bpf_verify_pkcs7_signature() kfunc") Signed-off-by: Alexey Gladkov Signed-off-by: Daniel Borkmann Reviewed-by: Roberto Sassu Acked-by: Stanislav Fomichev Link: https://lore.kernel.org/bpf/ZEuWFk3QyML9y5QQ@example.org Link: https://lore.kernel.org/bpf/88e3ab23029d726a2703adcf6af8356f7a2d3483.1684316821.git.legion@kernel.org Signed-off-by: Sasha Levin commit 6aa27775db63ba8c7c73891c7dfb71ddc230c48d Author: Yafang Shao Date: Mon May 15 13:08:47 2023 +0000 bpf: Fix memleak due to fentry attach failure [ Upstream commit 108598c39eefbedc9882273ac0df96127a629220 ] If it fails to attach fentry, the allocated bpf trampoline image will be left in the system. That can be verified by checking /proc/kallsyms. This meamleak can be verified by a simple bpf program as follows: SEC("fentry/trap_init") int fentry_run() { return 0; } It will fail to attach trap_init because this function is freed after kernel init, and then we can find the trampoline image is left in the system by checking /proc/kallsyms. $ tail /proc/kallsyms ffffffffc0613000 t bpf_trampoline_6442453466_1 [bpf] ffffffffc06c3000 t bpf_trampoline_6442453466_1 [bpf] $ bpftool btf dump file /sys/kernel/btf/vmlinux | grep "FUNC 'trap_init'" [2522] FUNC 'trap_init' type_id=119 linkage=static $ echo $((6442453466 & 0x7fffffff)) 2522 Note that there are two left bpf trampoline images, that is because the libbpf will fallback to raw tracepoint if -EINVAL is returned. Fixes: e21aa341785c ("bpf: Fix fexit trampoline.") Signed-off-by: Yafang Shao Signed-off-by: Daniel Borkmann Acked-by: Song Liu Cc: Jiri Olsa Link: https://lore.kernel.org/bpf/20230515130849.57502-2-laoar.shao@gmail.com Signed-off-by: Sasha Levin commit 7879707f5118b1299a8ef9adaa7e460da5644692 Author: Yafang Shao Date: Mon May 15 13:08:48 2023 +0000 bpf: Remove bpf trampoline selector [ Upstream commit 47e79cbeea4b3891ad476047f4c68543eb51c8e0 ] After commit e21aa341785c ("bpf: Fix fexit trampoline."), the selector is only used to indicate how many times the bpf trampoline image are updated and been displayed in the trampoline ksym name. After the trampoline is freed, the selector will start from 0 again. So the selector is a useless value to the user. We can remove it. If the user want to check whether the bpf trampoline image has been updated or not, the user can compare the address. Each time the trampoline image is updated, the address will change consequently. Jiri also pointed out another issue that perf is still using the old name "bpf_trampoline_%lu", so this change can fix the issue in perf. Fixes: e21aa341785c ("bpf: Fix fexit trampoline.") Signed-off-by: Yafang Shao Signed-off-by: Daniel Borkmann Acked-by: Song Liu Cc: Jiri Olsa Link: https://lore.kernel.org/bpf/ZFvOOlrmHiY9AgXE@krava Link: https://lore.kernel.org/bpf/20230515130849.57502-3-laoar.shao@gmail.com Signed-off-by: Sasha Levin commit fd2bb30e18d091e346b39510944b26e6dd04bfc3 Author: Alan Maguire Date: Fri May 12 12:31:34 2023 +0100 bpftool: JIT limited misreported as negative value on aarch64 [ Upstream commit 04cb8453a91c7c22f60ddadb6cef0d19abb33bb5 ] On aarch64, "bpftool feature" reports an incorrect BPF JIT limit: $ sudo /sbin/bpftool feature Scanning system configuration... bpf() syscall restricted to privileged users JIT compiler is enabled JIT compiler hardening is disabled JIT compiler kallsyms exports are enabled for root skipping kernel config, can't open file: No such file or directory Global memory limit for JIT compiler for unprivileged users is -201326592 bytes This is because /proc/sys/net/core/bpf_jit_limit reports $ sudo cat /proc/sys/net/core/bpf_jit_limit 68169519595520 ...and an int is assumed in read_procfs(). Change read_procfs() to return a long to avoid negative value reporting. Fixes: 7a4522bbef0c ("tools: bpftool: add probes for /proc/ eBPF parameters") Reported-by: Nicky Veitch Signed-off-by: Alan Maguire Signed-off-by: Daniel Borkmann Acked-by: Jiri Olsa Acked-by: Quentin Monnet Link: https://lore.kernel.org/bpf/20230512113134.58996-1-alan.maguire@oracle.com Signed-off-by: Sasha Levin commit 0b1a4ee53e8d4aa63c34a083ed34a98535f57a00 Author: Krzysztof Kozlowski Date: Sat May 13 13:52:04 2023 +0200 nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect() [ Upstream commit 0d9b41daa5907756a31772d8af8ac5ff25cf17c1 ] If sock->service_name is NULL, the local variable service_name_tlv_length will not be assigned by nfc_llcp_build_tlv(), later leading to using value frmo the stack. Smatch warning: net/nfc/llcp_commands.c:442 nfc_llcp_send_connect() error: uninitialized symbol 'service_name_tlv_length'. Fixes: de9e5aeb4f40 ("NFC: llcp: Fix usage of llcp_add_tlv()") Signed-off-by: Krzysztof Kozlowski Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7d555fbb2f0ac5463b7f064a4bf076c75db9c3ad Author: Joy Chakraborty Date: Fri May 12 10:47:45 2023 +0000 spi: dw: Round of n_bytes to power of 2 [ Upstream commit 9f34baf67e4d08908fd94ff29c825bb673295336 ] n_bytes variable in the driver represents the number of bytes per word that needs to be sent/copied to fifo. Bits/word can be between 8 and 32 bits from the client but in memory they are a power of 2, same is mentioned in spi.h header: " * @bits_per_word: Data transfers involve one or more words; word sizes * like eight or 12 bits are common. In-memory wordsizes are * powers of two bytes (e.g. 20 bit samples use 32 bits). * This may be changed by the device's driver, or left at the * default (0) indicating protocol words are eight bit bytes. * The spi_transfer.bits_per_word can override this for each transfer. " Hence, round of n_bytes to a power of 2 to avoid values like 3 which would generate unalligned/odd accesses to memory/fifo. * tested on Baikal-T1 based system with DW SPI-looped back interface transferring a chunk of data with DFS:8,12,16. Fixes: a51acc2400d4 ("spi: dw: Add support for 32-bits max xfer size") Suggested-by: Andy Shevchenko commit 6d902719dc3e6a210ab9650f54d8293acfa53c3a Author: Stanislav Fomichev Date: Thu May 11 10:04:53 2023 -0700 bpf: Don't EFAULT for {g,s}setsockopt with wrong optlen [ Upstream commit 29ebbba7d46136cba324264e513a1e964ca16c0a ] With the way the hooks implemented right now, we have a special condition: optval larger than PAGE_SIZE will expose only first 4k into BPF; any modifications to the optval are ignored. If the BPF program doesn't handle this condition by resetting optlen to 0, the userspace will get EFAULT. The intention of the EFAULT was to make it apparent to the developers that the program is doing something wrong. However, this inadvertently might affect production workloads with the BPF programs that are not too careful (i.e., returning EFAULT for perfectly valid setsockopt/getsockopt calls). Let's try to minimize the chance of BPF program screwing up userspace by ignoring the output of those BPF programs (instead of returning EFAULT to the userspace). pr_info_once those cases to the dmesg to help with figuring out what's going wrong. Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks") Suggested-by: Martin KaFai Lau Signed-off-by: Stanislav Fomichev Link: https://lore.kernel.org/r/20230511170456.1759459-2-sdf@google.com Signed-off-by: Martin KaFai Lau Signed-off-by: Sasha Levin commit 31c630e5770082291157497b44e6a7ed2f5bded9 Author: Andrii Nakryiko Date: Mon May 8 23:55:02 2023 -0700 libbpf: fix offsetof() and container_of() to work with CO-RE [ Upstream commit bdeeed3498c7871c17465bb4f11d1bc67f9098af ] It seems like __builtin_offset() doesn't preserve CO-RE field relocations properly. So if offsetof() macro is defined through __builtin_offset(), CO-RE-enabled BPF code using container_of() will be subtly and silently broken. To avoid this problem, redefine offsetof() and container_of() in the form that works with CO-RE relocations more reliably. Fixes: 5fbc220862fc ("tools/libpf: Add offsetof/container_of macro in bpf_helpers.h") Reported-by: Lennart Poettering Signed-off-by: Andrii Nakryiko Acked-by: Yonghong Song Link: https://lore.kernel.org/r/20230509065502.2306180-1-andrii@kernel.org Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 04a4acef03bde0f170cbb80495361164efa92823 Author: Edward Cree Date: Thu May 11 20:47:28 2023 +0100 sfc: release encap match in efx_tc_flow_free() [ Upstream commit 28fa3ac487c6d30aaa10570481c27b6adfc492b3 ] When force-freeing leftover entries from our match_action_ht, call efx_tc_delete_rule(), which releases all the rule's resources, rather than open-coding it. The open-coded version was missing a call to release the rule's encap match (if any). It probably doesn't matter as everything's being torn down anyway, but it's cleaner this way and prevents further error messages potentially being logged by efx_tc_encap_match_free() later on. Move efx_tc_flow_free() further down the file to avoid introducing a forward declaration of efx_tc_delete_rule(). Fixes: 17654d84b47c ("sfc: add offloading of 'foreign' TC (decap) rules") Signed-off-by: Edward Cree Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2bcfe6c4009e9a65a627882a7303952e1f74212f Author: Alexander Mikhalitsyn Date: Thu May 11 15:25:06 2023 +0200 sctp: add bpf_bypass_getsockopt proto callback [ Upstream commit 2598619e012cee5273a2821441b9a051ad931249 ] Implement ->bpf_bypass_getsockopt proto callback and filter out SCTP_SOCKOPT_PEELOFF, SCTP_SOCKOPT_PEELOFF_FLAGS and SCTP_SOCKOPT_CONNECTX3 socket options from running eBPF hook on them. SCTP_SOCKOPT_PEELOFF and SCTP_SOCKOPT_PEELOFF_FLAGS options do fd_install(), and if BPF_CGROUP_RUN_PROG_GETSOCKOPT hook returns an error after success of the original handler sctp_getsockopt(...), userspace will receive an error from getsockopt syscall and will be not aware that fd was successfully installed into a fdtable. As pointed by Marcelo Ricardo Leitner it seems reasonable to skip bpf getsockopt hook for SCTP_SOCKOPT_CONNECTX3 sockopt too. Because internaly, it triggers connect() and if error is masked then userspace will be confused. This patch was born as a result of discussion around a new SCM_PIDFD interface: https://lore.kernel.org/all/20230413133355.350571-3-aleksandr.mikhalitsyn@canonical.com/ Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks") Cc: Daniel Borkmann Cc: Christian Brauner Cc: Stanislav Fomichev Cc: Neil Horman Cc: Marcelo Ricardo Leitner Cc: Xin Long Cc: linux-sctp@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: netdev@vger.kernel.org Suggested-by: Stanislav Fomichev Acked-by: Stanislav Fomichev Signed-off-by: Alexander Mikhalitsyn Acked-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f22fd486a999d4010adaa2bacfed2aeb908b103a Author: Christophe JAILLET Date: Sat May 6 15:53:15 2023 +0200 wifi: mwifiex: Fix the size of a memory allocation in mwifiex_ret_802_11_scan() [ Upstream commit d9aef04fcfa81ee4fb2804a21a3712b7bbd936af ] The type of "mwifiex_adapter->nd_info" is "struct cfg80211_wowlan_nd_info", not "struct cfg80211_wowlan_nd_match". Use struct_size() to ease the computation of the needed size. The current code over-allocates some memory, so is safe. But it wastes 32 bytes. Fixes: 7d7f07d8c5d3 ("mwifiex: add wowlan net-detect support") Signed-off-by: Christophe JAILLET Reviewed-by: Simon Horman Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/7a6074fb056d2181e058a3cc6048d8155c20aec7.1683371982.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 9ba1df0514c3162bbe154da750ae5258754fe4b8 Author: Dan Carpenter Date: Wed May 3 18:09:55 2023 +0300 wifi: rtw88: unlock on error path in rtw_ops_add_interface() [ Upstream commit e2ff1181b3d48257aab26bfd2165f3c7d271499f ] Call mutex_unlock(&rtwdev->mutex); before returning on this error path. Fixes: f0e741e4ddbc ("wifi: rtw88: add bitmap for dynamic port settings") Signed-off-by: Dan Carpenter Reviewed-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/ddd10a74-5982-4f65-8c59-c1cca558d239@kili.mountain Signed-off-by: Sasha Levin commit db779efd33e0826a6e82680312ceabc36c45cbd1 Author: Amisha Patel Date: Fri Apr 21 18:10:20 2023 +0000 wifi: wilc1000: fix for absent RSN capabilities WFA testcase [ Upstream commit 9ce4bb09123e9754996e358bd808d39f5d112899 ] Mandatory WFA testcase CT_Security_WPA2Personal_STA_RSNEBoundsVerification-AbsentRSNCap, performs bounds verfication on Beacon and/or Probe response frames. It failed and observed the reason to be absence of cipher suite and AKM suite in RSN information. To fix this, enable the RSN flag before extracting RSN capabilities. Fixes: cd21d99e595e ("wifi: wilc1000: validate pairwise and authentication suite offsets") Signed-off-by: Amisha Patel Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230421181005.4865-1-amisha.patel@microchip.com Signed-off-by: Sasha Levin commit 055ebc0c1ee0aef3e1521715b845688cd92fc6ca Author: Vijaya Krishna Nivarthi Date: Tue Apr 25 14:12:08 2023 +0530 spi: spi-geni-qcom: Correct CS_TOGGLE bit in SPI_TRANS_CFG [ Upstream commit 5fd7c99ecf45c8ee8a9b1268f0ffc91cc6271da2 ] The CS_TOGGLE bit when set is supposed to instruct FW to toggle CS line between words. The driver with intent of disabling this behaviour has been unsetting BIT(0). This has not caused any trouble so far because the original BIT(1) is untouched and BIT(0) likely wasn't being used. Correct this to prevent a potential future bug. Signed-off-by: Vijaya Krishna Nivarthi commit 7c08d1b0d1f75117cf82aeaef49ba9f861b3fb59 Author: Pengcheng Yang Date: Fri May 5 16:50:58 2023 +0800 samples/bpf: Fix buffer overflow in tcp_basertt [ Upstream commit f4dea9689c5fea3d07170c2cb0703e216f1a0922 ] Using sizeof(nv) or strlen(nv)+1 is correct. Fixes: c890063e4404 ("bpf: sample BPF_SOCKET_OPS_BASE_RTT program") Signed-off-by: Pengcheng Yang Link: https://lore.kernel.org/r/1683276658-2860-1-git-send-email-yangpc@wangsu.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit bce2dfae26debfcbba47a80e4d8069211e59dc39 Author: Dan Carpenter Date: Fri Apr 21 13:44:04 2023 +0300 wifi: rtw89: fix rtw89_read_chip_ver() for RTL8852B and RTL8851B [ Upstream commit 9d4f491b860ea6d04471c3342093b86a46eee63e ] The if statement is reversed so it will not record the chip version. This was detected using Smatch: drivers/net/wireless/realtek/rtw89/core.c:3593 rtw89_read_chip_ver() error: uninitialized symbol 'val'. Fixes: a6fb2bb84654 ("wifi: rtw89: read version of analog hardware") Signed-off-by: Dan Carpenter Acked-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/e4d912a2-37f8-4068-8861-7b9494ae731b@kili.mountain Signed-off-by: Sasha Levin commit 660663763c72c4c46c7373ad786bcb379412f641 Author: Andrii Nakryiko Date: Thu May 4 21:33:13 2023 -0700 bpf: fix propagate_precision() logic for inner frames [ Upstream commit f655badf2a8fc028433d9583bf86a6b473721f09 ] Fix propagate_precision() logic to perform propagation of all necessary registers and stack slots across all active frames *in one batch step*. Doing this for each register/slot in each individual frame is wasteful, but the main problem is that backtracking of instruction in any frame except the deepest one just doesn't work. This is due to backtracking logic relying on jump history, and available jump history always starts (or ends, depending how you view it) in current frame. So, if prog A (frame #0) called subprog B (frame #1) and we need to propagate precision of, say, register R6 (callee-saved) within frame #0, we actually don't even know where jump history that corresponds to prog A even starts. We'd need to skip subprog part of jump history first to be able to do this. Luckily, with struct backtrack_state and __mark_chain_precision() handling bitmasks tracking/propagation across all active frames at the same time (added in previous patch), propagate_precision() can be both fixed and sped up by setting all the necessary bits across all frames and then performing one __mark_chain_precision() pass. This makes it unnecessary to skip subprog parts of jump history. We also improve logging along the way, to clearly specify which registers' and slots' precision markings are propagated within which frame. Each frame will have dedicated line and all registers and stack slots from that frame will be reported in format similar to precision backtrack regs/stack logging. E.g.: frame 1: propagating r1,r2,r3,fp-8,fp-16 frame 0: propagating r3,r9,fp-120 Fixes: 529409ea92d5 ("bpf: propagate precision across all frames, not just the last one") Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20230505043317.3629845-7-andrii@kernel.org Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 41ad047df201696b8bc28cb9d518553b8b235fb7 Author: Andrii Nakryiko Date: Thu May 4 21:33:12 2023 -0700 bpf: maintain bitmasks across all active frames in __mark_chain_precision [ Upstream commit 1ef22b6865a73a8aed36d43375fe8c7b30869326 ] Teach __mark_chain_precision logic to maintain register/stack masks across all active frames when going from child state to parent state. Currently this should be mostly no-op, as precision backtracking usually bails out when encountering subprog entry/exit. It's not very apparent from the diff due to increased indentation, but the logic remains the same, except everything is done on specific `fr` frame index. Calls to bt_clear_reg() and bt_clear_slot() are replaced with frame-specific bt_clear_frame_reg() and bt_clear_frame_slot(), where frame index is passed explicitly, instead of using current frame number. We also adjust logging to emit affected frame number. And we also add better logging of human-readable register and stack slot masks, similar to previous patch. Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20230505043317.3629845-6-andrii@kernel.org Signed-off-by: Alexei Starovoitov Stable-dep-of: f655badf2a8f ("bpf: fix propagate_precision() logic for inner frames") Signed-off-by: Sasha Levin commit bd81fbd4221f306a091b90ba25739eb7f09673ca Author: Andrii Nakryiko Date: Thu May 4 21:33:11 2023 -0700 bpf: improve precision backtrack logging [ Upstream commit d9439c21a9e4769bfd83a03ab39056164d44ac31 ] Add helper to format register and stack masks in more human-readable format. Adjust logging a bit during backtrack propagation and especially during forcing precision fallback logic to make it clearer what's going on (with log_level=2, of course), and also start reporting affected frame depth. This is in preparation for having more than one active frame later when precision propagation between subprog calls is added. Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20230505043317.3629845-5-andrii@kernel.org Signed-off-by: Alexei Starovoitov Stable-dep-of: f655badf2a8f ("bpf: fix propagate_precision() logic for inner frames") Signed-off-by: Sasha Levin commit fc2778c42f99c7de52fc004157b3c3ee4dcc208a Author: Andrii Nakryiko Date: Thu May 4 21:33:10 2023 -0700 bpf: encapsulate precision backtracking bookkeeping [ Upstream commit 407958a0e980b9e1842ab87b5a1040521e1e24e9 ] Add struct backtrack_state and straightforward API around it to keep track of register and stack masks used and maintained during precision backtracking process. Having this logic separately allow to keep high-level backtracking algorithm cleaner, but also it sets us up to cleanly keep track of register and stack masks per frame, allowing (with some further logic adjustments) to perform precision backpropagation across multiple frames (i.e., subprog calls). Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20230505043317.3629845-4-andrii@kernel.org Signed-off-by: Alexei Starovoitov Stable-dep-of: f655badf2a8f ("bpf: fix propagate_precision() logic for inner frames") Signed-off-by: Sasha Levin commit 7e76a302ed0660493242e7f0f13567844676fea7 Author: Martin KaFai Lau Date: Thu Apr 27 18:36:38 2023 -0700 libbpf: btf_dump_type_data_check_overflow needs to consider BTF_MEMBER_BITFIELD_SIZE [ Upstream commit c39028b333f3a3a765c5c0b9726b8e38aedf0ba1 ] The btf_dump/struct_data selftest is failing with: [...] test_btf_dump_struct_data:FAIL:unexpected return value dumping fs_context unexpected unexpected return value dumping fs_context: actual -7 != expected 264 [...] The reason is in btf_dump_type_data_check_overflow(). It does not use BTF_MEMBER_BITFIELD_SIZE from the struct's member (btf_member). Instead, it is using the enum size which is 4. It had been working till the recent commit 4e04143c869c ("fs_context: drop the unused lsm_flags member") removed an integer member which also removed the 4 bytes padding at the end of the fs_context. Missing this 4 bytes padding exposed this bug. In particular, when btf_dump_type_data_check_overflow() reaches the member 'phase', -E2BIG is returned. The fix is to pass bit_sz to btf_dump_type_data_check_overflow(). In btf_dump_type_data_check_overflow(), it does a different size check when bit_sz is not zero. The current fs_context: [3600] ENUM 'fs_context_purpose' encoding=UNSIGNED size=4 vlen=3 'FS_CONTEXT_FOR_MOUNT' val=0 'FS_CONTEXT_FOR_SUBMOUNT' val=1 'FS_CONTEXT_FOR_RECONFIGURE' val=2 [3601] ENUM 'fs_context_phase' encoding=UNSIGNED size=4 vlen=7 'FS_CONTEXT_CREATE_PARAMS' val=0 'FS_CONTEXT_CREATING' val=1 'FS_CONTEXT_AWAITING_MOUNT' val=2 'FS_CONTEXT_AWAITING_RECONF' val=3 'FS_CONTEXT_RECONF_PARAMS' val=4 'FS_CONTEXT_RECONFIGURING' val=5 'FS_CONTEXT_FAILED' val=6 [3602] STRUCT 'fs_context' size=264 vlen=21 'ops' type_id=3603 bits_offset=0 'uapi_mutex' type_id=235 bits_offset=64 'fs_type' type_id=872 bits_offset=1216 'fs_private' type_id=21 bits_offset=1280 'sget_key' type_id=21 bits_offset=1344 'root' type_id=781 bits_offset=1408 'user_ns' type_id=251 bits_offset=1472 'net_ns' type_id=984 bits_offset=1536 'cred' type_id=1785 bits_offset=1600 'log' type_id=3621 bits_offset=1664 'source' type_id=42 bits_offset=1792 'security' type_id=21 bits_offset=1856 's_fs_info' type_id=21 bits_offset=1920 'sb_flags' type_id=20 bits_offset=1984 'sb_flags_mask' type_id=20 bits_offset=2016 's_iflags' type_id=20 bits_offset=2048 'purpose' type_id=3600 bits_offset=2080 bitfield_size=8 'phase' type_id=3601 bits_offset=2088 bitfield_size=8 'need_free' type_id=67 bits_offset=2096 bitfield_size=1 'global' type_id=67 bits_offset=2097 bitfield_size=1 'oldapi' type_id=67 bits_offset=2098 bitfield_size=1 Fixes: 920d16af9b42 ("libbpf: BTF dumper support for typed data") Signed-off-by: Martin KaFai Lau Signed-off-by: Daniel Borkmann Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20230428013638.1581263-1-martin.lau@linux.dev Signed-off-by: Sasha Levin commit 75acec91aeaa07375cd5f418069e61b16d39bbad Author: Fedor Pchelkin Date: Wed Apr 26 17:35:01 2023 +0300 wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx [ Upstream commit f24292e827088bba8de7158501ac25a59b064953 ] For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should validate pkt_len before accessing the SKB. For example, the obtained SKB may have been badly constructed with pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr but after being processed in ath9k_htc_rx_msg() and passed to ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI command header which should be located inside its data payload. Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit memory can be referenced. Tested on Qualcomm Atheros Communications AR9271 802.11n . Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") Reported-and-tested-by: syzbot+f2cb6e0ffdb961921e4d@syzkaller.appspotmail.com Signed-off-by: Fedor Pchelkin Acked-by: Toke Høiland-Jørgensen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230424183348.111355-1-pchelkin@ispras.ru Signed-off-by: Sasha Levin commit 5678b979551b9637bace60709f6692b25951cf30 Author: Peter Seiderer Date: Wed Apr 26 17:35:00 2023 +0300 wifi: ath9k: fix AR9003 mac hardware hang check register offset calculation [ Upstream commit 3e56c80931c7615250fe4bf83f93b57881969266 ] Fix ath9k_hw_verify_hang()/ar9003_hw_detect_mac_hang() register offset calculation (do not overflow the shift for the second register/queues above five, use the register layout described in the comments above ath9k_hw_verify_hang() instead). Fixes: 222e04830ff0 ("ath9k: Fix MAC HW hang check for AR9003") Reported-by: Gregg Wonderly Link: https://lore.kernel.org/linux-wireless/E3A9C354-0CB7-420C-ADEF-F0177FB722F4@seqtechllc.com/ Signed-off-by: Peter Seiderer Acked-by: Toke Høiland-Jørgensen Reviewed-by: Simon Horman Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230422212423.26065-1-ps.report@gmx.net Signed-off-by: Sasha Levin commit c82c1a4dbe2dd43efef85290bee42ce658a79c02 Author: Jesper Dangaard Brouer Date: Tue Apr 18 15:30:42 2023 +0200 igc: Enable and fix RX hash usage by netstack [ Upstream commit 84214ab4689f962b4bfc47fc9a5838d25ac4274d ] When function igc_rx_hash() was introduced in v4.20 via commit 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers"), the hardware wasn't configured to provide RSS hash, thus it made sense to not enable net_device NETIF_F_RXHASH feature bit. The NIC hardware was configured to enable RSS hash info in v5.2 via commit 2121c2712f82 ("igc: Add multiple receive queues control supporting"), but forgot to set the NETIF_F_RXHASH feature bit. The original implementation of igc_rx_hash() didn't extract the associated pkt_hash_type, but statically set PKT_HASH_TYPE_L3. The largest portions of this patch are about extracting the RSS Type from the hardware and mapping this to enum pkt_hash_types. This was based on Foxville i225 software user manual rev-1.3.1 and tested on Intel Ethernet Controller I225-LM (rev 03). For UDP it's worth noting that RSS (type) hashing have been disabled both for IPv4 and IPv6 (see IGC_MRQC_RSS_FIELD_IPV4_UDP + IGC_MRQC_RSS_FIELD_IPV6_UDP) because hardware RSS doesn't handle fragmented pkts well when enabled (can cause out-of-order). This results in PKT_HASH_TYPE_L3 for UDP packets, and hash value doesn't include UDP port numbers. Not being PKT_HASH_TYPE_L4, have the effect that netstack will do a software based hash calc calling into flow_dissect, but only when code calls skb_get_hash(), which doesn't necessary happen for local delivery. For QA verification testing I wrote a small bpftrace prog: [0] https://github.com/xdp-project/xdp-project/blob/master/areas/hints/monitor_skb_hash_on_dev.bt Fixes: 2121c2712f82 ("igc: Add multiple receive queues control supporting") Signed-off-by: Jesper Dangaard Brouer Signed-off-by: Daniel Borkmann Acked-by: Song Yoong Siang Link: https://lore.kernel.org/bpf/168182464270.616355.11391652654430626584.stgit@firesoul Signed-off-by: Sasha Levin commit 130ef25f7004eec86ee61f7d110c1a2de336fed8 Author: Hao Jia Date: Tue Jun 13 16:20:11 2023 +0800 sched/core: Avoid multiple calling update_rq_clock() in __cfsb_csd_unthrottle() [ Upstream commit ebb83d84e49b54369b0db67136a5fe1087124dcc ] After commit 8ad075c2eb1f ("sched: Async unthrottling for cfs bandwidth"), we may update the rq clock multiple times in the loop of __cfsb_csd_unthrottle(). A prior (although less common) instance of this problem exists in unthrottle_offline_cfs_rqs(). Cure both by ensuring update_rq_clock() is called before the loop and setting RQCF_ACT_SKIP during the loop, to supress further updates. The alternative would be pulling update_rq_clock() out of unthrottle_cfs_rq(), but that gives an even bigger mess. Fixes: 8ad075c2eb1f ("sched: Async unthrottling for cfs bandwidth") Reviewed-By: Ben Segall Suggested-by: Vincent Guittot Signed-off-by: Hao Jia Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Vincent Guittot Link: https://lkml.kernel.org/r/20230613082012.49615-4-jiahao.os@bytedance.com Signed-off-by: Sasha Levin commit 065c81ae5817b245bb9feb6d54e027702740b49a Author: Jiasheng Jiang Date: Wed Jun 14 17:37:33 2023 +0800 pstore/ram: Add check for kstrdup [ Upstream commit d97038d5ec2062733c1e016caf9baaf68cf64ea1 ] Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. Fixes: e163fdb3f7f8 ("pstore/ram: Regularize prz label allocation lifetime") Signed-off-by: Jiasheng Jiang Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20230614093733.36048-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit b02c26ccf6aafc427c11631f8836cc337c1aa37c Author: Roberto Sassu Date: Tue Jun 6 09:41:13 2023 +0200 ima: Fix build warnings [ Upstream commit 95526d13038c2bbddd567a4d8e39fac42484e182 ] Fix build warnings (function parameters description) for ima_collect_modsig(), ima_match_policy() and ima_parse_add_rule(). Fixes: 15588227e086 ("ima: Collect modsig") # v5.4+ Fixes: 2fe5d6def167 ("ima: integrity appraisal extension") # v5.14+ Fixes: 4af4662fa4a9 ("integrity: IMA policy") # v3.2+ Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit d19eecffa4a1d628c8b6c0b833efe6c7b7434b9b Author: Roberto Sassu Date: Tue Jun 6 09:41:12 2023 +0200 evm: Fix build warnings [ Upstream commit 996e0a97ebd7b11cb785794e2a83c20c1add9d92 ] Fix build warnings (function parameters description) for evm_read_protected_xattrs(), evm_set_key() and evm_verifyxattr(). Fixes: 7626676320f3 ("evm: provide a function to set the EVM key from the kernel") # v4.5+ Fixes: 8314b6732ae4 ("ima: Define new template fields xattrnames, xattrlengths and xattrvalues") # v5.14+ Fixes: 2960e6cb5f7c ("evm: additional parameter to pass integrity cache entry 'iint'") # v3.2+ Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit f9d43d2bf3eb1d00c4a508be018669062b87d0a8 Author: Roberto Sassu Date: Mon Mar 6 11:40:36 2023 +0100 evm: Complete description of evm_inode_setattr() [ Upstream commit b1de86d4248b273cb12c4cd7d20c08d459519f7d ] Add the description for missing parameters of evm_inode_setattr() to avoid the warning arising with W=n compile option. Fixes: 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm") # v3.2+ Fixes: c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") # v6.3+ Signed-off-by: Roberto Sassu Reviewed-by: Stefan Berger Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit 1cea22f585776bf1c4f2cef1c6c06700fe63abb9 Author: Mark Rutland Date: Mon Jun 5 08:00:58 2023 +0100 locking/atomic: arm: fix sync ops [ Upstream commit dda5f312bb09e56e7a1c3e3851f2000eb2e9c879 ] The sync_*() ops on arch/arm are defined in terms of the regular bitops with no special handling. This is not correct, as UP kernels elide barriers for the fully-ordered operations, and so the required ordering is lost when such UP kernels are run under a hypervsior on an SMP system. Fix this by defining sync ops with the required barriers. Note: On 32-bit arm, the sync_*() ops are currently only used by Xen, which requires ARMv7, but the semantics can be implemented for ARMv6+. Fixes: e54d2f61528165bb ("xen/arm: sync_bitops") Signed-off-by: Mark Rutland Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Kees Cook Link: https://lore.kernel.org/r/20230605070124.3741859-2-mark.rutland@arm.com Signed-off-by: Sasha Levin commit 9c8a0dd056faee7f50475c7de49ccfe1af8d149c Author: Tetsuo Handa Date: Thu May 11 23:48:45 2023 +0900 reiserfs: Initialize sec->length in reiserfs_security_init(). [ Upstream commit d031f4e8b493df299123fbb4ec13db870584ed28 ] syzbot is reporting that sec->length is not initialized. Since security_inode_init_security() returns 0 when initxattrs is provided but call_int_hook(inode_init_security) returned -EOPNOTSUPP, control will reach to "if (sec->length && ...) {" without initializing sec->length. Reported-by: syzbot Closes: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c Signed-off-by: Tetsuo Handa Fixes: 52ca4b6435a4 ("reiserfs: Switch to security_inode_init_security()") Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit f2832652160c354c6fa7774f5d2d5a92b66bd312 Author: Juergen Gross Date: Mon Mar 6 13:32:59 2023 +0100 x86/mm: Fix __swp_entry_to_pte() for Xen PV guests [ Upstream commit 0f88130e8a6fd185b0aeb5d8e286083735f2585a ] Normally __swp_entry_to_pte() is never called with a value translating to a valid PTE. The only known exception is pte_swap_tests(), resulting in a WARN splat in Xen PV guests, as __pte_to_swp_entry() did translate the PFN of the valid PTE to a guest local PFN, while __swp_entry_to_pte() doesn't do the opposite translation. Fix that by using __pte() in __swp_entry_to_pte() instead of open coding the native variant of it. For correctness do the similar conversion for __swp_entry_to_pmd(). Fixes: 05289402d717 ("mm/debug_vm_pgtable: add tests validating arch helpers for core MM features") Signed-off-by: Juergen Gross Signed-off-by: Borislav Petkov (AMD) Link: https://lore.kernel.org/r/20230306123259.12461-1-jgross@suse.com Signed-off-by: Sasha Levin commit 97f0eabc9cab262a7d044eae24c596d7346de6cd Author: Ravi Bangoria Date: Thu May 4 16:30:01 2023 +0530 perf/ibs: Fix interface via core pmu events [ Upstream commit 2fad201fe38ff9a692acedb1990ece2c52a29f95 ] Although, IBS pmus can be invoked via their own interface, indirect IBS invocation via core pmu events is also supported with fixed set of events: cpu-cycles:p, r076:p (same as cpu-cycles:p) and r0C1:p (micro-ops) for user convenience. This indirect IBS invocation is broken since commit 66d258c5b048 ("perf/core: Optimize perf_init_event()"), which added RAW pmu under 'pmu_idr' list and thus if event_init() fails with RAW pmu, it started returning error instead of trying other pmus. Forward precise events from core pmu to IBS by overwriting 'type' and 'config' in the kernel copy of perf_event_attr. Overwriting will cause perf_init_event() to retry with updated 'type' and 'config', which will automatically forward event to IBS pmu. Without patch: $ sudo ./perf record -C 0 -e r076:p -- sleep 1 Error: The r076:p event is not supported. With patch: $ sudo ./perf record -C 0 -e r076:p -- sleep 1 [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.341 MB perf.data (37 samples) ] Fixes: 66d258c5b048 ("perf/core: Optimize perf_init_event()") Reported-by: Stephane Eranian Signed-off-by: Ravi Bangoria Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20230504110003.2548-3-ravi.bangoria@amd.com Signed-off-by: Sasha Levin commit cca42d7bcc164590f97fb8dea26373d6970d2db4 Author: Mark Brown Date: Sat Jun 10 15:27:55 2023 +0100 selftests/ftace: Fix KTAP output ordering [ Upstream commit 8cd0d8633e2de4e6dd9ddae7980432e726220fdb ] The KTAP parser I used to test the KTAP output for ftracetest was overly robust and did not notice that the test number and pass/fail result were reversed. Fix this. Fixes: dbcf76390eb9 ("selftests/ftrace: Improve integration with kselftest runner") Signed-off-by: Mark Brown Acked-by: Masami Hiramatsu (Google) Acked-by: Steven Rostedt (Google) Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit bded12a58c9e9ccffb77082a526c0933ceeae5f1 Author: Colin Ian King Date: Mon Apr 17 11:47:43 2023 +0100 kselftest: vDSO: Fix accumulation of uninitialized ret when CLOCK_REALTIME is undefined [ Upstream commit 375b9ff53cb6f9c042817b75f2be0a650626dc4f ] In the unlikely case that CLOCK_REALTIME is not defined, variable ret is not initialized and further accumulation of return values to ret can leave ret in an undefined state. Fix this by initialized ret to zero and changing the assignment of ret to an accumulation for the CLOCK_REALTIME case. Fixes: 03f55c7952c9 ("kselftest: Extend vDSO selftest to clock_getres") Signed-off-by: Colin Ian King Reviewed-by: Vincenzo Frascino Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 3461f979d4e8d778bff8f74f399e8a2edffa28d3 Author: Thomas Weißschuh Date: Tue May 30 11:18:00 2023 +0200 tools/nolibc: ensure fast64 integer types have 64 bits [ Upstream commit f9bf5944d37b75b8238349d4fb5b7a97bbecfc9d ] On 32bit platforms size_t is not enough to represent [u]int_fast64_t. Fixes: 3e9fd4e9a1d5 ("tools/nolibc: add integer types and integer limit macros") Signed-off-by: Thomas Weißschuh Signed-off-by: Willy Tarreau Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit 6705a2ab8a66b5fa9a4c832dcef5efe91fe46c5d Author: Juergen Gross Date: Tue May 2 14:09:20 2023 +0200 x86/xen: Set MTRR state when running as Xen PV initial domain [ Upstream commit a153f254e5cdf8fa3a1df90a6ffed3063fede154 ] When running as Xen PV initial domain (aka dom0), MTRRs are disabled by the hypervisor, but the system should nevertheless use correct cache memory types. This has always kind of worked, as disabled MTRRs resulted in disabled PAT, too, so that the kernel avoided code paths resulting in inconsistencies. This bypassed all of the sanity checks the kernel is doing with enabled MTRRs in order to avoid memory mappings with conflicting memory types. This has been changed recently, leading to PAT being accepted to be enabled, while MTRRs stayed disabled. The result is that mtrr_type_lookup() no longer is accepting all memory type requests, but started to return WB even if UC- was requested. This led to driver failures during initialization of some devices. In reality MTRRs are still in effect, but they are under complete control of the Xen hypervisor. It is possible, however, to retrieve the MTRR settings from the hypervisor. In order to fix those problems, overwrite the MTRR state via mtrr_overwrite_state() with the MTRR data from the hypervisor, if the system is running as a Xen dom0. Fixes: 72cbc8f04fe2 ("x86/PAT: Have pat_enabled() properly reflect state when running on Xen") Signed-off-by: Juergen Gross Signed-off-by: Borislav Petkov (AMD) Reviewed-by: Boris Ostrovsky Tested-by: Michael Kelley Link: https://lore.kernel.org/r/20230502120931.20719-6-jgross@suse.com Signed-off-by: Borislav Petkov (AMD) Signed-off-by: Sasha Levin commit a23b0c61b7776b5dc12b323041eed6bf028fd8f0 Author: Juergen Gross Date: Tue May 2 14:09:17 2023 +0200 x86/mtrr: Replace size_or_mask and size_and_mask with a much easier concept [ Upstream commit d053b481a5f16dbd4f020c6b3ebdf9173fdef0e2 ] Replace size_or_mask and size_and_mask with the much easier concept of high reserved bits. While at it, instead of using constants in the MTRR code, use some new [ bp: - Drop mtrr_set_mask() - Unbreak long lines - Move struct mtrr_state_type out of the uapi header as it doesn't belong there. It also fixes a HDRTEST breakage "unknown type name ‘bool’" as Reported-by: kernel test robot - Massage. ] Signed-off-by: Juergen Gross Signed-off-by: Borislav Petkov (AMD) Link: https://lore.kernel.org/r/20230502120931.20719-3-jgross@suse.com Signed-off-by: Borislav Petkov (AMD) Stable-dep-of: a153f254e5cd ("x86/xen: Set MTRR state when running as Xen PV initial domain") Signed-off-by: Sasha Levin commit e170ba743539746259b605ec37cfc944336dcc2b Author: Juergen Gross Date: Tue May 2 14:09:19 2023 +0200 x86/hyperv: Set MTRR state when running as SEV-SNP Hyper-V guest [ Upstream commit c957f1f3c498bcce85c04e92e60afbae1fd10cde ] In order to avoid mappings using the UC- cache attribute, set the MTRR state to use WB caching as the default. This is needed in order to cope with the fact that PAT is enabled, while MTRRs are not supported by the hypervisor. Fixes: 90b926e68f50 ("x86/pat: Fix pat_x_mtrr_type() for MTRR disabled case") Signed-off-by: Juergen Gross Signed-off-by: Borislav Petkov (AMD) Tested-by: Michael Kelley Link: https://lore.kernel.org/r/20230502120931.20719-5-jgross@suse.com Signed-off-by: Borislav Petkov (AMD) Signed-off-by: Sasha Levin commit 81a3b5a5dc02e3ce922ac10a7a2ca9550154309f Author: Juergen Gross Date: Tue May 2 14:09:18 2023 +0200 x86/mtrr: Support setting MTRR state for software defined MTRRs [ Upstream commit 29055dc74287467bd7a053d60b4afe753832960d ] When running virtualized, MTRR access can be reduced (e.g. in Xen PV guests or when running as a SEV-SNP guest under Hyper-V). Typically, the hypervisor will not advertize the MTRR feature in CPUID data, resulting in no MTRR memory type information being available for the kernel. This has turned out to result in problems (Link tags below): - Hyper-V SEV-SNP guests using uncached mappings where they shouldn't - Xen PV dom0 mapping memory as WB which should be UC- instead Solve those problems by allowing an MTRR static state override, overwriting the empty state used today. In case such a state has been set, don't call get_mtrr_state() in mtrr_bp_init(). The set state will only be used by mtrr_type_lookup(), as in all other cases mtrr_enabled() is being checked, which will return false. Accept the overwrite call only for selected cases when running as a guest. Disable X86_FEATURE_MTRR in order to avoid any MTRR modifications by just refusing them. [ bp: Massage. ] Signed-off-by: Juergen Gross Signed-off-by: Borislav Petkov (AMD) Tested-by: Michael Kelley Link: https://lore.kernel.org/all/4fe9541e-4d4c-2b2a-f8c8-2d34a7284930@nerdbynature.de/ Link: https://lore.kernel.org/lkml/BYAPR21MB16883ABC186566BD4D2A1451D7FE9@BYAPR21MB1688.namprd21.prod.outlook.com Signed-off-by: Borislav Petkov (AMD) Stable-dep-of: c957f1f3c498 ("x86/hyperv: Set MTRR state when running as SEV-SNP Hyper-V guest") Signed-off-by: Sasha Levin commit 780091fe14c6bb3f430529300e8bb1f2f73ac4e4 Author: Juergen Gross Date: Tue May 2 14:09:16 2023 +0200 x86/mtrr: Remove physical address size calculation [ Upstream commit f6b980646b93a8c585b4ed991b8a34e8fc6ef847 ] The physical address width calculation in mtrr_bp_init() can easily be replaced with using the already available value x86_phys_bits from struct cpuinfo_x86. The same information source can be used in mtrr/cleanup.c, removing the need to pass that value on to mtrr_cleanup(). In print_mtrr_state() use x86_phys_bits instead of recalculating it from size_or_mask. Move setting of size_or_mask and size_and_mask into a dedicated new function in mtrr/generic.c, enabling to make those 2 variables static, as they are used in generic.c only now. Signed-off-by: Juergen Gross Signed-off-by: Borislav Petkov (AMD) Tested-by: Michael Kelley Link: https://lore.kernel.org/r/20230502120931.20719-2-jgross@suse.com Signed-off-by: Borislav Petkov (AMD) Stable-dep-of: c957f1f3c498 ("x86/hyperv: Set MTRR state when running as SEV-SNP Hyper-V guest") Signed-off-by: Sasha Levin commit 29b1da4f90fc42c91beb4e400d926194925ad31b Author: Qiuxu Zhuo Date: Wed Mar 22 19:42:41 2023 +0800 rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale [ Upstream commit 23fc8df26dead16687ae6eb47b0561a4a832e2f6 ] Running the 'kfree_rcu_test' test case [1] results in a splat [2]. The root cause is the kfree_scale_thread thread(s) continue running after unloading the rcuscale module. This commit fixes that isue by invoking kfree_scale_cleanup() from rcu_scale_cleanup() when removing the rcuscale module. [1] modprobe rcuscale kfree_rcu_test=1 // After some time rmmod rcuscale rmmod torture [2] BUG: unable to handle page fault for address: ffffffffc0601a87 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page PGD 11de4f067 P4D 11de4f067 PUD 11de51067 PMD 112f4d067 PTE 0 Oops: 0010 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 1798 Comm: kfree_scale_thr Not tainted 6.3.0-rc1-rcu+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:0xffffffffc0601a87 Code: Unable to access opcode bytes at 0xffffffffc0601a5d. RSP: 0018:ffffb25bc2e57e18 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffffffffc061f0b6 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff962fd0de RDI: ffffffff962fd0de RBP: ffffb25bc2e57ea8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000 R13: 0000000000000000 R14: 000000000000000a R15: 00000000001c1dbe FS: 0000000000000000(0000) GS:ffff921fa2200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffc0601a5d CR3: 000000011de4c006 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? kvfree_call_rcu+0xf0/0x3a0 ? kthread+0xf3/0x120 ? kthread_complete_and_exit+0x20/0x20 ? ret_from_fork+0x1f/0x30 Modules linked in: rfkill sunrpc ... [last unloaded: torture] CR2: ffffffffc0601a87 ---[ end trace 0000000000000000 ]--- Fixes: e6e78b004fa7 ("rcuperf: Add kfree_rcu() performance Tests") Reviewed-by: Davidlohr Bueso Reviewed-by: Joel Fernandes (Google) Signed-off-by: Qiuxu Zhuo Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit 3b7f0fff95d437bf88191c78460656cc545447fc Author: Qiuxu Zhuo Date: Wed Mar 22 19:42:40 2023 +0800 rcu/rcuscale: Move rcu_scale_*() after kfree_scale_cleanup() [ Upstream commit bf5ddd736509a7d9077c0b6793e6f0852214dbea ] This code-movement-only commit moves the rcu_scale_cleanup() and rcu_scale_shutdown() functions to follow kfree_scale_cleanup(). This is code movement is in preparation for a bug-fix patch that invokes kfree_scale_cleanup() from rcu_scale_cleanup(). Signed-off-by: Qiuxu Zhuo Signed-off-by: Paul E. McKenney Reviewed-by: Joel Fernandes (Google) Stable-dep-of: 23fc8df26dea ("rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale") Signed-off-by: Sasha Levin commit ed621e24bbaa5055ce1d5015e3e4f1d0770258fa Author: Paul E. McKenney Date: Tue Mar 21 16:40:08 2023 -0700 rcutorture: Correct name of use_softirq module parameter [ Upstream commit b409afe0268faeb77267f028ea85f2d93438fced ] The BUSTED-BOOST and TREE03 scenarios specify a mythical tree.use_softirq module parameter, which means a failure to get full test coverage. This commit therefore corrects the name to rcutree.use_softirq. Fixes: e2b949d54392 ("rcutorture: Make TREE03 use real-time tree.use_softirq setting") Signed-off-by: Paul E. McKenney Reviewed-by: Joel Fernandes (Google) Signed-off-by: Sasha Levin commit a6ea37d9a9bdfe96fcd6e42c6e09a2b15aa2f82f Author: Paul E. McKenney Date: Wed Apr 26 11:11:29 2023 -0700 rcu-tasks: Stop rcu_tasks_invoke_cbs() from using never-onlined CPUs [ Upstream commit 401b0de3ae4fa49d1014c8941e26d9a25f37e7cf ] The rcu_tasks_invoke_cbs() function relies on queue_work_on() to silently fall back to WORK_CPU_UNBOUND when the specified CPU is offline. However, the queue_work_on() function's silent fallback mechanism relies on that CPU having been online at some time in the past. When queue_work_on() is passed a CPU that has never been online, workqueue lockups ensue, which can be bad for your kernel's general health and well-being. This commit therefore checks whether a given CPU has ever been online, and, if not substitutes WORK_CPU_UNBOUND in the subsequent call to queue_work_on(). Why not simply omit the queue_work_on() call entirely? Because this function is flooding callback-invocation notifications to all CPUs, and must deal with possibilities that include a sparse cpu_possible_mask. This commit also moves the setting of the rcu_data structure's ->beenonline field to rcu_cpu_starting(), which executes on the incoming CPU before that CPU has ever enabled interrupts. This ensures that the required workqueues are present. In addition, because the incoming CPU has not yet enabled its interrupts, there cannot yet have been any softirq handlers running on this CPU, which means that the WARN_ON_ONCE(!rdp->beenonline) within the RCU_SOFTIRQ handler cannot have triggered yet. Fixes: d363f833c6d88 ("rcu-tasks: Use workqueues for multiple rcu_tasks_invoke_cbs() invocations") Reported-by: Tejun Heo Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit fa502fbd3fad2cd831d4b7a31a58f5ced2785eaa Author: Paul E. McKenney Date: Thu Apr 27 10:50:47 2023 -0700 rcu: Make rcu_cpu_starting() rely on interrupts being disabled [ Upstream commit 15d44dfa40305da1648de4bf001e91cc63148725 ] Currently, rcu_cpu_starting() is written so that it might be invoked with interrupts enabled. However, it is always called when interrupts are disabled, either by rcu_init(), notify_cpu_starting(), or from a call point prior to the call to notify_cpu_starting(). But why bother requiring that interrupts be disabled? The purpose is to allow the rcu_data structure's ->beenonline flag to be set after all early processing has completed for the incoming CPU, thus allowing this flag to be used to determine when workqueues have been set up for the incoming CPU, while still allowing this flag to be used as a diagnostic within rcu_core(). This commit therefore makes rcu_cpu_starting() rely on interrupts being disabled. Signed-off-by: Paul E. McKenney Stable-dep-of: 401b0de3ae4f ("rcu-tasks: Stop rcu_tasks_invoke_cbs() from using never-onlined CPUs") Signed-off-by: Sasha Levin commit 86daf6b55a5ef623e79cd6e20647a8a374c12552 Author: Daniel Latypov Date: Mon May 1 11:16:10 2023 -0700 kunit: tool: undo type subscripts for subprocess.Popen [ Upstream commit e30f65c4b3d671115bf2a9d9ef142285387f2aff ] Writing `subprocess.Popen[str]` requires python 3.9+. kunit.py has an assertion that the python version is 3.7+, so we should try to stay backwards compatible. This conflicts a bit with commit 1da2e6220e11 ("kunit: tool: fix pre-existing `mypy --strict` errors and update run_checks.py"), since mypy complains like so > kunit_kernel.py:95: error: Missing type parameters for generic type "Popen" [type-arg] Note: `mypy --strict --python-version 3.7` does not work. We could annotate each file with comments like `# mypy: disable-error-code="type-arg" but then we might still get nudged to break back-compat in other files. This patch adds a `mypy.ini` file since it seems like the only way to disable specific error codes for all our files. Note: run_checks.py doesn't need to specify `--config_file mypy.ini`, but I think being explicit is better, particularly since most kernel devs won't be familiar with how mypy works. Fixes: 695e26030858 ("kunit: tool: add subscripts for type annotations where appropriate") Reported-by: SeongJae Park Link: https://lore.kernel.org/linux-kselftest/20230501171520.138753-1-sj@kernel.org Signed-off-by: Daniel Latypov Tested-by: SeongJae Park Reviewed-by: David Gow Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 95fd352579074cb71872187df08ae1cdb58ba30b Author: Peng Fan Date: Tue May 16 16:37:45 2023 +0800 thermal/drivers/qoriq: Only enable supported sensors [ Upstream commit 9301575df2509ecf8bd66f601046afaff606b1d5 ] There are MAX 16 sensors, but not all of them supported. Such as i.MX8MQ, there are only 3 sensors. Enabling all 16 sensors will touch reserved bits from i.MX8MQ reference mannual, and TMU will stuck, temperature will not update anymore. Fixes: 45038e03d633 ("thermal: qoriq: Enable all sensors before registering them") Signed-off-by: Peng Fan Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20230516083746.63436-3-peng.fan@oss.nxp.com Signed-off-by: Sasha Levin commit ec932415e735985dc091fba76234cc1c48c62bad Author: Christophe JAILLET Date: Sun May 14 20:46:05 2023 +0200 thermal/drivers/sun8i: Fix some error handling paths in sun8i_ths_probe() [ Upstream commit 89382022b370dfd34eaae9c863baa123fcd4d132 ] Should an error occur after calling sun8i_ths_resource_init() in the probe function, some resources need to be released, as already done in the .remove() function. Switch to the devm_clk_get_enabled() helper and add a new devm_action to turn sun8i_ths_resource_init() into a fully managed function. Move the place where reset_control_deassert() is called so that the recommended order of reset release/clock enable steps is kept. A64 manual states that: 3.3.6.4. Gating and reset Make sure that the reset signal has been released before the release of module clock gating; This fixes the issue and removes some LoC at the same time. Fixes: dccc5c3b6f30 ("thermal/drivers/sun8i: Add thermal driver for H6/H5/H3/A64/A83T/R40") Signed-off-by: Christophe JAILLET Acked-by: Maxime Ripard Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/a8ae84bd2dc4b55fe428f8e20f31438bf8bb6762.1684089931.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 34832f584bc8bf04a72c00eab099910c5c7d011e Author: Stephan Gerhold Date: Wed Jun 7 12:47:46 2023 +0200 thermal/drivers/qcom/tsens-v0_1: Add mdm9607 correction offsets [ Upstream commit b6f739da0070c36655118618a173a59fa14c7adc ] According to the msm-3.18 vendor kernel from Qualcomm, mdm9607 needs "correction factors" to adjust for additional offsets observed after the factory calibration values in the fuses [1, 2]. The fixed offsets should be applied unless there is a special calibration mode value that indicates that no offsets are needed [3]. Note that the new calibration mode values are called differently in this patch compared to the vendor kernel: - TSENS_TWO_POINT_CALIB_N_WA -> ONE_PT_CALIB2_NO_OFFSET - TSENS_TWO_POINT_CALIB_N_OFFSET_WA -> TWO_PT_CALIB_NO_OFFSET This is because close inspection of the calibration function [3] reveals that TSENS_TWO_POINT_CALIB_N_WA is actually a "one point" calibration because the if statements skip all "point2" related code for it. [1]: https://git.codelinaro.org/clo/la/kernel/msm-3.18/-/commit/d9d2db1b82bf3f72f5de0803d55e6849eb5b671e [2]: https://git.codelinaro.org/clo/la/kernel/msm-3.18/-/commit/d75aef53a760e8ff7bac54049d00c8b2ee1b193e [3]: https://git.codelinaro.org/clo/la/kernel/msm-3.18/-/blob/LE.UM.4.3.2.r1-04200-9x07/drivers/thermal/msm-tsens.c#L2987-3136 Fixes: a2149ab815fc ("thermal/drivers/qcom/tsens-v0_1: Add support for MDM9607") Reviewed-by: Konrad Dybcio Reviewed-by: Dmitry Baryshkov Signed-off-by: Stephan Gerhold Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20230508-msm8909-tsens-v5-3-5eb632235ba7@kernkonzept.com Signed-off-by: Sasha Levin commit a4f5546a7cebf60788df99b0abb8d60a49e28737 Author: Stephan Gerhold Date: Wed Jun 7 12:47:45 2023 +0200 thermal/drivers/qcom/tsens-v0_1: Fix mdm9607 slope values [ Upstream commit 6812d1dfbca99cd5032683354bf50e0002b2aa02 ] According to the msm-3.18 vendor kernel from Qualcomm [1], mdm9607 uses a non-standard slope value of 3000 (instead of 3200) for all sensors. Fill it properly similar to the 8939 code added recently. [1]: https://git.codelinaro.org/clo/la/kernel/msm-3.18/-/blob/LE.UM.4.3.2.r1-04200-9x07/arch/arm/boot/dts/qcom/mdm9607.dtsi#L875 Fixes: a2149ab815fc ("thermal/drivers/qcom/tsens-v0_1: Add support for MDM9607") Reviewed-by: Konrad Dybcio Reviewed-by: Dmitry Baryshkov Signed-off-by: Stephan Gerhold Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20230508-msm8909-tsens-v5-2-5eb632235ba7@kernkonzept.com Signed-off-by: Sasha Levin commit 024b46be9eac4f3484eb2dee96b5c9ca6025893b Author: Matti Lehtimäki Date: Sun May 7 23:12:21 2023 +0300 thermal/drivers/qcom/tsens-v0_1: Add support for MSM8226 [ Upstream commit 598e1afca47fdbb302ce8d288b06bcc8728efc6c ] The MSM8226 TSENS IP has 6 thermal sensors in a TSENS v0.1 block. The thermal sensors use non-standard slope values. Signed-off-by: Matti Lehtimäki Reviewed-by: Dmitry Baryshkov Reviewed-by: Luca Weiss Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20230507201225.89694-4-matti.lehtimaki@gmail.com Stable-dep-of: 6812d1dfbca9 ("thermal/drivers/qcom/tsens-v0_1: Fix mdm9607 slope values") Signed-off-by: Sasha Levin commit 07d48893997e50e8b2c8e9c09cd2f3691145b9e2 Author: Tero Kristo Date: Wed Jun 21 09:58:39 2023 +0300 cpufreq: intel_pstate: Fix energy_performance_preference for passive [ Upstream commit 03f44ffb3d5be2fceda375d92c70ab6de4df7081 ] If the intel_pstate driver is set to passive mode, then writing the same value to the energy_performance_preference sysfs twice will fail. This is caused by the wrong return value used (index of the matched energy_perf_string), instead of the length of the passed in parameter. Fix by forcing the internal return value to zero when the same preference is passed in by user. This same issue is not present when active mode is used for the driver. Fixes: f6ebbcf08f37 ("cpufreq: intel_pstate: Implement passive mode with HWP enabled") Reported-by: Niklas Neronin Signed-off-by: Tero Kristo Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 3b6e0e4f31537dfe31bcc9295525f4c38d6a01ee Author: Arnd Bergmann Date: Fri Jun 2 19:28:42 2023 +0100 ARM: 9303/1: kprobes: avoid missing-declaration warnings [ Upstream commit 1b9c3ddcec6a55e15d3e38e7405e2d078db02020 ] checker_stack_use_t32strd() and kprobe_handler() can be made static since they are not used from other files, while coverage_start_registers() and __kprobes_test_case() are used from assembler code, and just need a declaration to avoid a warning with the global definition. arch/arm/probes/kprobes/checkers-common.c:43:18: error: no previous prototype for 'checker_stack_use_t32strd' arch/arm/probes/kprobes/core.c:236:16: error: no previous prototype for 'kprobe_handler' arch/arm/probes/kprobes/test-core.c:723:10: error: no previous prototype for 'coverage_start_registers' arch/arm/probes/kprobes/test-core.c:918:14: error: no previous prototype for '__kprobes_test_case_start' arch/arm/probes/kprobes/test-core.c:952:14: error: no previous prototype for '__kprobes_test_case_end_16' arch/arm/probes/kprobes/test-core.c:967:14: error: no previous prototype for '__kprobes_test_case_end_32' Fixes: 6624cf651f1a ("ARM: kprobes: collects stack consumption for store instructions") Fixes: 454f3e132d05 ("ARM/kprobes: Remove jprobe arm implementation") Acked-by: Masami Hiramatsu (Google) Reviewed-by: Kees Cook Signed-off-by: Arnd Bergmann Signed-off-by: Russell King (Oracle) Signed-off-by: Sasha Levin commit dc2f28e1c7ac58d8daa6ccd508976fa31a65ae28 Author: Ulf Hansson Date: Tue May 30 11:55:36 2023 +0200 PM: domains: Move the verification of in-params from genpd_add_device() [ Upstream commit 4384a70c8813e8573d1841fd94eee873f80a7e1a ] Commit f38d1a6d0025 ("PM: domains: Allocate governor data dynamically based on a genpd governor") started to use the in-parameters in genpd_add_device(), without first doing a verification of them. This isn't really a big problem, as most callers do a verification already. Therefore, let's drop the verification from genpd_add_device() and make sure all the callers take care of it instead. Reported-by: Dan Carpenter Fixes: f38d1a6d0025 ("PM: domains: Allocate governor data dynamically based on a genpd governor") Signed-off-by: Ulf Hansson Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit a6801b38cba960b42799f927cc02573396c2e96b Author: Zhang Rui Date: Tue Jun 6 22:00:00 2023 +0800 powercap: RAPL: Fix CONFIG_IOSF_MBI dependency [ Upstream commit 4658fe81b3f8afe8adf37734ec5fe595d90415c6 ] After commit 3382388d7148 ("intel_rapl: abstract RAPL common code"), accessing to IOSF_MBI interface is done in the RAPL common code. Thus it is the CONFIG_INTEL_RAPL_CORE that has dependency of CONFIG_IOSF_MBI, while CONFIG_INTEL_RAPL_MSR does not. This problem was not exposed previously because all the previous RAPL common code users, aka, the RAPL MSR and MMIO I/F drivers, have CONFIG_IOSF_MBI selected. Fix the CONFIG_IOSF_MBI dependency in RAPL code. This also fixes a build time failure when the RAPL TPMI I/F driver is introduced without selecting CONFIG_IOSF_MBI. x86_64-linux-ld: vmlinux.o: in function `set_floor_freq_atom': intel_rapl_common.c:(.text+0x2dac9b8): undefined reference to `iosf_mbi_write' x86_64-linux-ld: intel_rapl_common.c:(.text+0x2daca66): undefined reference to `iosf_mbi_read' Reference to iosf_mbi.h is also removed from the RAPL MSR I/F driver. Fixes: 3382388d7148 ("intel_rapl: abstract RAPL common code") Reported-by: Arnd Bergmann Link: https://lore.kernel.org/all/20230601213246.3271412-1-arnd@kernel.org Signed-off-by: Zhang Rui Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit fb27405d60fcc6350a326d19edef3a700eab9495 Author: Sumeet Pawnikar Date: Thu Jun 8 08:00:06 2023 +0530 powercap: RAPL: fix invalid initialization for pl4_supported field [ Upstream commit d05b5e0baf424c8c4b4709ac11f66ab726c8deaf ] The current initialization of the struct x86_cpu_id via pl4_support_ids[] is partial and wrong. It is initializing "stepping" field with "X86_FEATURE_ANY" instead of "feature" field. Use X86_MATCH_INTEL_FAM6_MODEL macro instead of initializing each field of the struct x86_cpu_id for pl4_supported list of CPUs. This X86_MATCH_INTEL_FAM6_MODEL macro internally uses another macro X86_MATCH_VENDOR_FAM_MODEL_FEATURE for X86 based CPU matching with appropriate initialized values. Reported-by: Dave Hansen Link: https://lore.kernel.org/lkml/28ead36b-2d9e-1a36-6f4e-04684e420260@intel.com Fixes: eb52bc2ae5b8 ("powercap: RAPL: Add Power Limit4 support for Meteor Lake SoC") Fixes: b08b95cf30f5 ("powercap: RAPL: Add Power Limit4 support for Alder Lake-N and Raptor Lake-P") Fixes: 515755906921 ("powercap: RAPL: Add Power Limit4 support for RaptorLake") Fixes: 1cc5b9a411e4 ("powercap: Add Power Limit4 support for Alder Lake SoC") Fixes: 8365a898fe53 ("powercap: Add Power Limit4 support") Signed-off-by: Sumeet Pawnikar Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 48a7c3695942936d6528ab3e5f6e7f1ad798ba56 Author: Li Yang Date: Fri May 19 15:12:49 2023 -0500 APEI: GHES: correctly return NULL for ghes_get_devices() [ Upstream commit 9368aa1882ac7178adcd936cee5f0899dbf76dc4 ] Since 315bada690e0 ("EDAC: Check for GHES preference in the chipset-specific EDAC drivers"), vendor specific EDAC driver will not probe correctly when CONFIG_ACPI_APEI_GHES is enabled but no GHES device is present. Make ghes_get_devices() return NULL when the GHES device list is empty to fix the problem. Fixes: 9057a3f7ac36 ("EDAC/ghes: Prepare to make ghes_edac a proper module") Signed-off-by: Li Yang Reviewed-by: Tony Luck Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 480d56db8dcaded81d6128eaa9e93a3e48829fe7 Author: Robin Murphy Date: Mon Jun 5 18:01:31 2023 +0100 perf/arm_cspmu: Fix event attribute type [ Upstream commit 71e0cb32d5fc61468e83ed962379af71bba8237e ] ARM_CSPMU_EVENT_ATTR() defines a struct perf_pmu_events_attr, so arm_cspmu_sysfs_event_show() should not be interpreting it as struct dev_ext_attribute. Fixes: e37dfd65731d ("perf: arm_cspmu: Add support for ARM CoreSight PMU driver") Reviewed-by: Suzuki K Poulose Reviewed-and-tested-by: Ilkka Koskinen Signed-off-by: Robin Murphy Link: https://lore.kernel.org/r/27c0804af64007b2400abbc40278f642ee6a0a29.1685983270.git.robin.murphy@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 924c74c693092aeab0f17232ac8db939dfa7532e Author: Ilkka Koskinen Date: Thu Jun 8 13:37:42 2023 -0700 perf: arm_cspmu: Set irq affinitiy only if overflow interrupt is used [ Upstream commit 225d757012e0afa673d8c862e6fb39ed2f429b4d ] Don't try to set irq affinity if PMU doesn't have an overflow interrupt. Fixes: e37dfd65731d ("perf: arm_cspmu: Add support for ARM CoreSight PMU driver") Signed-off-by: Ilkka Koskinen Link: https://lore.kernel.org/r/20230608203742.3503486-1-ilkka@os.amperecomputing.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit b64569897d86b611befbb895d815280fea94e1ed Author: Junhao He Date: Thu Jun 8 19:43:26 2023 +0800 drivers/perf: hisi: Don't migrate perf to the CPU going to teardown [ Upstream commit 7a6a9f1c5a0a875a421db798d4b2ee022dc1ee1a ] The driver needs to migrate the perf context if the current using CPU going to teardown. By the time calling the cpuhp::teardown() callback the cpu_online_mask() hasn't updated yet and still includes the CPU going to teardown. In current driver's implementation we may migrate the context to the teardown CPU and leads to the below calltrace: ... [ 368.104662][ T932] task:cpuhp/0 state:D stack: 0 pid: 15 ppid: 2 flags:0x00000008 [ 368.113699][ T932] Call trace: [ 368.116834][ T932] __switch_to+0x7c/0xbc [ 368.120924][ T932] __schedule+0x338/0x6f0 [ 368.125098][ T932] schedule+0x50/0xe0 [ 368.128926][ T932] schedule_preempt_disabled+0x18/0x24 [ 368.134229][ T932] __mutex_lock.constprop.0+0x1d4/0x5dc [ 368.139617][ T932] __mutex_lock_slowpath+0x1c/0x30 [ 368.144573][ T932] mutex_lock+0x50/0x60 [ 368.148579][ T932] perf_pmu_migrate_context+0x84/0x2b0 [ 368.153884][ T932] hisi_pcie_pmu_offline_cpu+0x90/0xe0 [hisi_pcie_pmu] [ 368.160579][ T932] cpuhp_invoke_callback+0x2a0/0x650 [ 368.165707][ T932] cpuhp_thread_fun+0xe4/0x190 [ 368.170316][ T932] smpboot_thread_fn+0x15c/0x1a0 [ 368.175099][ T932] kthread+0x108/0x13c [ 368.179012][ T932] ret_from_fork+0x10/0x18 ... Use function cpumask_any_but() to find one correct active cpu to fixes this issue. Fixes: 8404b0fbc7fb ("drivers/perf: hisi: Add driver for HiSilicon PCIe PMU") Signed-off-by: Junhao He Reviewed-by: Jonathan Cameron Reviewed-by: Yicong Yang Acked-by: Mark Rutland Link: https://lore.kernel.org/r/20230608114326.27649-1-hejunhao3@huawei.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 39b36d9243be9df7293768660d351b317f7a7458 Author: Kirill A. Shutemov Date: Tue Jun 6 12:56:21 2023 +0300 x86/tdx: Fix race between set_memory_encrypted() and load_unaligned_zeropad() [ Upstream commit 195edce08b63d293377f615f4f7f086715d2d212 ] tl;dr: There is a race in the TDX private<=>shared conversion code which could kill the TDX guest. Fix it by changing conversion ordering to eliminate the window. TDX hardware maintains metadata to track which pages are private and shared. Additionally, TDX guests use the guest x86 page tables to specify whether a given mapping is intended to be private or shared. Bad things happen when the intent and metadata do not match. So there are two thing in play: 1. "the page" -- the physical TDX page metadata 2. "the mapping" -- the guest-controlled x86 page table intent For instance, an unrecoverable exit to VMM occurs if a guest touches a private mapping that points to a shared physical page. In summary: * Private mapping => Private Page == OK (obviously) * Shared mapping => Shared Page == OK (obviously) * Private mapping => Shared Page == BIG BOOM! * Shared mapping => Private Page == OK-ish (It will read generate a recoverable #VE via handle_mmio()) Enter load_unaligned_zeropad(). It can touch memory that is adjacent but otherwise unrelated to the memory it needs to touch. It will cause one of those unrecoverable exits (aka. BIG BOOM) if it blunders into a shared mapping pointing to a private page. This is a problem when __set_memory_enc_pgtable() converts pages from shared to private. It first changes the mapping and second modifies the TDX page metadata. It's moving from: * Shared mapping => Shared Page == OK to: * Private mapping => Shared Page == BIG BOOM! This means that there is a window with a shared mapping pointing to a private page where load_unaligned_zeropad() can strike. Add a TDX handler for guest.enc_status_change_prepare(). This converts the page from shared to private *before* the page becomes private. This ensures that there is never a private mapping to a shared page. Leave a guest.enc_status_change_finish() in place but only use it for private=>shared conversions. This will delay updating the TDX metadata marking the page private until *after* the mapping matches the metadata. This also ensures that there is never a private mapping to a shared page. [ dhansen: rewrite changelog ] Fixes: 7dbde7631629 ("x86/mm/cpa: Add support for TDX shared memory") Signed-off-by: Kirill A. Shutemov Signed-off-by: Dave Hansen Reviewed-by: Kuppuswamy Sathyanarayanan Link: https://lore.kernel.org/all/20230606095622.1939-3-kirill.shutemov%40linux.intel.com Signed-off-by: Sasha Levin commit 5e9e4b386c48a95a95e116e63f665403fd77fd50 Author: Kirill A. Shutemov Date: Tue Jun 6 12:56:20 2023 +0300 x86/mm: Allow guest.enc_status_change_prepare() to fail [ Upstream commit 3f6819dd192ef4f0c568ec3e9d6d408b3fa1ad3d ] TDX code is going to provide guest.enc_status_change_prepare() that is able to fail. TDX will use the call to convert the GPA range from shared to private. This operation can fail. Add a way to return an error from the callback. Signed-off-by: Kirill A. Shutemov Signed-off-by: Dave Hansen Reviewed-by: Kuppuswamy Sathyanarayanan Link: https://lore.kernel.org/all/20230606095622.1939-2-kirill.shutemov%40linux.intel.com Stable-dep-of: 195edce08b63 ("x86/tdx: Fix race between set_memory_encrypted() and load_unaligned_zeropad()") Signed-off-by: Sasha Levin commit dafc70ae6beab16e21d89666fff4d9c353fcaa15 Author: Marc Zyngier Date: Sun May 28 09:02:05 2023 +0100 drivers/perf: apple_m1: Force 63bit counters for M2 CPUs [ Upstream commit 8be3593b9efa8903d2ee7bb9cdf57a8e56c66f36 ] Sidharth reports that on M2, the PMU never generates any interrupt when using 'perf record', which is a annoying as you get no sample. I'm temped to say "no sample, no problem", but others may have a different opinion. Upon investigation, it appears that the counters on M2 are significantly different from the ones on M1, as they count on 64 bits instead of 48. Which of course, in the fine M1 tradition, means that we can only use 63 bits, as the top bit is used to signal the interrupt... This results in having to introduce yet another flag to indicate yet another odd counter width. Who knows what the next crazy implementation will do... With this, perf can work out the correct offset, and 'perf record' works as intended. Tested on M2 and M2-Pro CPUs. Cc: Janne Grunau Cc: Hector Martin Cc: Mark Rutland Cc: Will Deacon Fixes: 7d0bfb7c9977 ("drivers/perf: apple_m1: Add Apple M2 support") Reported-by: Sidharth Kshatriya Tested-by: Sidharth Kshatriya Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230528080205.288446-1-maz@kernel.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit a127be4b853e9882eb7cbfc254e44254afd0b3e5 Author: Robin Murphy Date: Wed May 24 17:44:32 2023 +0100 perf/arm-cmn: Fix DTC reset [ Upstream commit 71746c995cac92fcf6a65661b51211cf2009d7f0 ] It turns out that my naive DTC reset logic fails to work as intended, since, after checking with the hardware designers, the PMU actually needs to be fully enabled in order to correctly clear any pending overflows. Therefore, invert the sequence to start with turning on both enables so that we can reliably get the DTCs into a known state, then moving to our normal counters-stopped state from there. Since all the DTM counters have already been unpaired during the initial discovery pass, we just need to additionally reset the cycle counters to ensure that no other unexpected overflows occur during this period. Fixes: 0ba64770a2f2 ("perf: Add Arm CMN-600 PMU driver") Reported-by: Geoff Blake Signed-off-by: Robin Murphy Link: https://lore.kernel.org/r/0ea4559261ea394f827c9aee5168c77a60aaee03.1684946389.git.robin.murphy@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 353b83a403bb9dd5ffaa0aad8693d9361b9c9e88 Author: Nikita Zhandarovich Date: Tue Apr 18 06:07:43 2023 -0700 PM: domains: fix integer overflow issues in genpd_parse_state() [ Upstream commit e5d1c8722083f0332dcd3c85fa1273d85fb6bed8 ] Currently, while calculating residency and latency values, right operands may overflow if resulting values are big enough. To prevent this, albeit unlikely case, play it safe and convert right operands to left ones' type s64. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 30f604283e05 ("PM / Domains: Allow domain power states to be read from DT") Signed-off-by: Nikita Zhandarovich Acked-by: Ulf Hansson Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 99744200f28b2cf5f50767447e51b4b4a977d145 Author: Feng Mingxi Date: Tue Apr 25 06:56:11 2023 +0000 clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe [ Upstream commit 8b5bf64c89c7100c921bd807ba39b2eb003061ab ] Smatch reports: drivers/clocksource/timer-cadence-ttc.c:529 ttc_timer_probe() warn: 'timer_baseaddr' from of_iomap() not released on lines: 498,508,516. timer_baseaddr may have the problem of not being released after use, I replaced it with the devm_of_iomap() function and added the clk_put() function to cleanup the "clk_ce" and "clk_cs". Fixes: e932900a3279 ("arm: zynq: Use standard timer binding") Fixes: 70504f311d4b ("clocksource/drivers/cadence_ttc: Convert init function to return error") Signed-off-by: Feng Mingxi Reviewed-by: Dongliang Mu Acked-by: Michal Simek Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20230425065611.702917-1-m202271825@hust.edu.cn Signed-off-by: Sasha Levin commit eb287ef3842621290f6bb1a4487a2c3090499269 Author: Ming Lei Date: Wed Jun 21 21:22:08 2023 +0800 blk-mq: don't insert passthrough request into sw queue [ Upstream commit 2293cae703cda162684ae966db6b1b4a11b5e88f ] In case of real io scheduler, q->elevator is set, so blk_mq_run_hw_queue() may just check if scheduler queue has request to dispatch, see __blk_mq_sched_dispatch_requests(). Then IO hang may be caused because all passthorugh requests may stay in sw queue. And any passthrough request should have been inserted to hctx->dispatch always. Reported-by: Guangwu Zhang Fixes: d97217e7f024 ("blk-mq: don't queue plugged passthrough requests into scheduler") Signed-off-by: Ming Lei Link: https://lore.kernel.org/r/20230621132208.1142318-1-ming.lei@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit ad87179a2088c77e078922ebe285f63872efcb1e Author: Christoph Hellwig Date: Wed May 31 09:53:54 2023 +0200 btrfs: fix file_offset for REQ_BTRFS_ONE_ORDERED bios that get split [ Upstream commit c731cd0b6d255e4855a7cac9f276864032ab2387 ] If a bio gets split, it needs to have a proper file_offset for checksum validation and repair to work properly. Based on feedback from Josef, commit 852eee62d31a ("btrfs: allow btrfs_submit_bio to split bios") skipped this adjustment for ONE_ORDERED bios. But if we actually ever need to split a ONE_ORDERED read bio, this will lead to a wrong file offset in the repair code. Right now the only user of the file_offset is logging of an error message so this is mostly harmless, but the wrong offset might be more problematic for additional users in the future. Fixes: 852eee62d31a ("btrfs: allow btrfs_submit_bio to split bios") Reviewed-by: Johannes Thumshirn Reviewed-by: Josef Bacik Signed-off-by: Christoph Hellwig Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 82e3a2913bee4cc262600ce3b88276e23ed51aee Author: Christoph Hellwig Date: Wed May 31 08:05:02 2023 +0200 btrfs: don't treat zoned writeback as being from an async helper thread [ Upstream commit 7027f87108ce3d23ea542e1a9a79056530db4a87 ] When extent_write_locked_range was originally added, it was only used writing back compressed pages from an async helper thread. But it is now also used for writing back pages on zoned devices, where it is called directly from the ->writepage context. In this case we want to be able to pass on the writeback_control instead of creating a new one, and more importantly want to use all the normal cgroup interaction instead of potentially deferring writeback to another helper. Fixes: 898793d992c2 ("btrfs: zoned: write out partially allocated region") Reviewed-by: Josef Bacik Signed-off-by: Christoph Hellwig Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 558c1b78d77dbda544f51b58665a6b9d36060c66 Author: Christoph Hellwig Date: Wed May 31 08:05:01 2023 +0200 btrfs: only call __extent_writepage_io from extent_write_locked_range [ Upstream commit eb34dceace983e304e00d4bf711cec0a603959ac ] __extent_writepage does a lot of things that make no sense for extent_write_locked_range, given that extent_write_locked_range itself is called from __extent_writepage either directly or through a workqueue, and all this work has already been done in the first invocation and the pages haven't been unlocked since. Call __extent_writepage_io directly instead and open code the logic tracked in btrfs_bio_ctrl::extent_locked. Reviewed-by: Josef Bacik Signed-off-by: Christoph Hellwig Reviewed-by: David Sterba Signed-off-by: David Sterba Stable-dep-of: 7027f87108ce ("btrfs: don't treat zoned writeback as being from an async helper thread") Signed-off-by: Sasha Levin commit 52f788a170e3035cd07b8a7dae043c71e58b9091 Author: Christoph Hellwig Date: Wed May 31 08:04:54 2023 +0200 btrfs: don't fail writeback when allocating the compression context fails [ Upstream commit 973fb26e81a9f59dfe45b079a698c0e238f7bf69 ] If cow_file_range_async fails to allocate the asynchronous writeback context, it currently returns an error and entirely fails the writeback. This is not a good idea as a writeback failure is a non-temporary error condition that will make the file system unusable. Just fall back to synchronous uncompressed writeback instead. This requires us to delay setting the BTRFS_INODE_HAS_ASYNC_EXTENT flag until we've committed to the async writeback. The compression checks INODE_NOCOMPRESS and FORCE_COMPRESS are moved from cow_file_range_async to the preceding checks btrfs_run_delalloc_range(). Reviewed-by: Josef Bacik Signed-off-by: Christoph Hellwig Reviewed-by: David Sterba Signed-off-by: David Sterba Stable-dep-of: 7027f87108ce ("btrfs: don't treat zoned writeback as being from an async helper thread") Signed-off-by: Sasha Levin commit 0e0e5d0b47686add639861bd1f187c02fac7240e Author: Christoph Hellwig Date: Wed May 31 08:04:50 2023 +0200 btrfs: fix range_end calculation in extent_write_locked_range [ Upstream commit 36614a3beba33a05ad78d4dcb9aa1d00e8a7d01f ] The range_end field in struct writeback_control is inclusive, just like the end parameter passed to extent_write_locked_range. Not doing this could cause extra writeout, which is harmless but suboptimal. Fixes: 771ed689d2cd ("Btrfs: Optimize compressed writeback and reads") CC: stable@vger.kernel.org # 5.9+ Reviewed-by: Josef Bacik Signed-off-by: Christoph Hellwig Reviewed-by: David Sterba Signed-off-by: David Sterba Stable-dep-of: 7027f87108ce ("btrfs: don't treat zoned writeback as being from an async helper thread") Signed-off-by: Sasha Levin commit 6db5fffba531387fad18eeaf5d8c3615a6a9eaef Author: Christoph Hellwig Date: Wed May 3 17:24:31 2023 +0200 btrfs: submit a writeback bio per extent_buffer [ Upstream commit 50b21d7a066f9a702b1d54ca11fc577302e875cb ] Stop trying to cluster writes of multiple extent_buffers into a single bio. There is no need for that as the blk_plug mechanism used all the way up in writeback_inodes_wb gives us the same I/O pattern even with multiple bios. Removing the clustering simplifies lock_extent_buffer_for_io a lot and will also allow passing the eb as private data to the end I/O handler. Reviewed-by: Johannes Thumshirn Reviewed-by: Josef Bacik Signed-off-by: Christoph Hellwig Reviewed-by: David Sterba Signed-off-by: David Sterba Stable-dep-of: 7027f87108ce ("btrfs: don't treat zoned writeback as being from an async helper thread") Signed-off-by: Sasha Levin commit aea3cea8ea964fb9d124760296b0cde656955645 Author: Christoph Hellwig Date: Wed May 3 17:24:30 2023 +0200 btrfs: return bool from lock_extent_buffer_for_io [ Upstream commit 9fdd160160f002ac2604c5b8f90598febad44ae7 ] lock_extent_buffer_for_io never returns a negative error value, so switch the return value to a simple bool. Reviewed-by: Johannes Thumshirn Reviewed-by: Josef Bacik Signed-off-by: Christoph Hellwig Reviewed-by: David Sterba [ keep noinline_for_stack ] Signed-off-by: David Sterba Stable-dep-of: 7027f87108ce ("btrfs: don't treat zoned writeback as being from an async helper thread") Signed-off-by: Sasha Levin commit 20409d5140a7060e226e789b2041f4186ec1ac66 Author: Christoph Hellwig Date: Wed May 3 17:24:26 2023 +0200 btrfs: don't use btrfs_bio_ctrl for extent buffer reading [ Upstream commit b78b98e06fb7f9860da5a7c28e1edbaefc2f7be1 ] The btrfs_bio_ctrl machinery is overkill for reading extent_buffers as we always operate on PAGE_SIZE chunks (or one smaller one for the subpage case) that are contiguous and are guaranteed to fit into a single bio. Replace it with open coded btrfs_bio_alloc, __bio_add_page and btrfs_submit_bio calls in a helper function shared between the subpage and node size >= PAGE_SIZE cases. Reviewed-by: Johannes Thumshirn Reviewed-by: Qu Wenruo Reviewed-by: Josef Bacik Signed-off-by: Christoph Hellwig Reviewed-by: David Sterba Signed-off-by: David Sterba Stable-dep-of: 7027f87108ce ("btrfs: don't treat zoned writeback as being from an async helper thread") Signed-off-by: Sasha Levin commit 110b32eea2a0c1b93d0727ab8ac55c43be35833b Author: Christoph Hellwig Date: Wed May 3 17:24:25 2023 +0200 btrfs: always read the entire extent_buffer [ Upstream commit e95382834cf885b478dbe14a66451b863eb35c94 ] Currently read_extent_buffer_pages skips pages that are already uptodate when reading in an extent_buffer. While this reduces the amount of data read, it increases the number of I/O operations as we now need to do multiple I/Os when reading an extent buffer with one or more uptodate pages in the middle of it. On any modern storage device, be that hard drives or SSDs this actually decreases I/O performance. Fortunately this case is pretty rare as the pages are always initially read together and then aged the same way. Besides simplifying the code a bit as-is this will allow for major simplifications to the I/O completion handler later on. Note that the case where all pages are uptodate is still handled by an optimized fast path that does not read any data from disk. Reviewed-by: Johannes Thumshirn Reviewed-by: Qu Wenruo Signed-off-by: Christoph Hellwig Reviewed-by: David Sterba Signed-off-by: David Sterba Stable-dep-of: 7027f87108ce ("btrfs: don't treat zoned writeback as being from an async helper thread") Signed-off-by: Sasha Levin commit 19920ea770bb521cae3811efa7eb8ab34d4e0aaa Author: Sebastian Andrzej Siewior Date: Tue Apr 18 16:38:54 2023 +0200 tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode(). [ Upstream commit 2951580ba6adb082bb6b7154a5ecb24e7c1f7569 ] The trace output for the HRTIMER_MODE_.*_HARD modes is seen as a number since these modes are not decoded. The author was not aware of the fancy decoding function which makes the life easier. Extend decode_hrtimer_mode() with the additional HRTIMER_MODE_.*_HARD modes. Fixes: ae6683d815895 ("hrtimer: Introduce HARD expiry mode") Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Thomas Gleixner Reviewed-by: Mukesh Ojha Acked-by: Steven Rostedt (Google) Link: https://lore.kernel.org/r/20230418143854.8vHWQKLM@linutronix.de Signed-off-by: Sasha Levin commit 7fe63c29cb05582d3190b111579fa8eae77fe1a4 Author: Wen Yang Date: Fri May 5 00:12:53 2023 +0800 tick/rcu: Fix bogus ratelimit condition [ Upstream commit a7e282c77785c7eabf98836431b1f029481085ad ] The ratelimit logic in report_idle_softirq() is broken because the exit condition is always true: static int ratelimit; if (ratelimit < 10) return false; ---> always returns here ratelimit++; ---> no chance to run Make it check for >= 10 instead. Fixes: 0345691b24c0 ("tick/rcu: Stop allowing RCU_SOFTIRQ in idle") Signed-off-by: Wen Yang Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/r/tencent_5AAA3EEAB42095C9B7740BE62FBF9A67E007@qq.com Signed-off-by: Sasha Levin commit c1968bb8a28625cc95d2ad3ca872ab98c9c36d59 Author: Thomas Gleixner Date: Thu Jun 1 22:16:34 2023 +0200 posix-timers: Prevent RT livelock in itimer_delete() [ Upstream commit 9d9e522010eb5685d8b53e8a24320653d9d4cbbf ] itimer_delete() has a retry loop when the timer is concurrently expired. On non-RT kernels this just spin-waits until the timer callback has completed, except for posix CPU timers which have HAVE_POSIX_CPU_TIMERS_TASK_WORK enabled. In that case and on RT kernels the existing task could live lock when preempting the task which does the timer delivery. Replace spin_unlock() with an invocation of timer_wait_running() to handle it the same way as the other retry loops in the posix timer code. Fixes: ec8f954a40da ("posix-timers: Use a callback for cancel synchronization on PREEMPT_RT") Signed-off-by: Thomas Gleixner Reviewed-by: Frederic Weisbecker Link: https://lore.kernel.org/r/87v8g7c50d.ffs@tglx Signed-off-by: Sasha Levin commit a25bf14dfa69155d287570aeb374545dd9e63af5 Author: Gao Xiang Date: Thu Jun 1 19:23:41 2023 +0800 erofs: fix compact 4B support for 16k block size [ Upstream commit 001b8ccd0650727e54ec16ef72bf1b8eeab7168e ] In compact 4B, two adjacent lclusters are packed together as a unit to form on-disk indexes for effective random access, as below: (amortized = 4, vcnt = 2) _____________________________________________ |___@_____ encoded bits __________|_ blkaddr _| 0 . amortized * vcnt = 8 . . . . amortized * vcnt - 4 = 4 . . .____________________________. |_type (2 bits)_|_clusterofs_| Therefore, encoded bits for each pack are 32 bits (4 bytes). IOWs, since each lcluster can get 16 bits for its type and clusterofs, the maximum supported lclustersize for compact 4B format is 16k (14 bits). Fix this to enable compact 4B format for 16k lclusters (blocks), which is tested on an arm64 server with 16k page size. Fixes: 152a333a5895 ("staging: erofs: add compacted compression indexes support") Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20230601112341.56960-1-hsiangkao@linux.alibaba.com Signed-off-by: Sasha Levin commit eba69ca6aa2da2d240611a95d5d770c2a762c862 Author: Chuck Lever Date: Mon Jun 12 10:10:20 2023 -0400 svcrdma: Prevent page release when nothing was received [ Upstream commit baf6d18b116b7dc84ed5e212c3a89f17cdc3f28c ] I noticed that svc_rqst_release_pages() was still unnecessarily releasing a page when svc_rdma_recvfrom() returns zero. Fixes: a53d5cb0646a ("svcrdma: Avoid releasing a page in svc_xprt_release()") Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 58603214594c7b87a7f77d4a1e77d7918c99d437 Author: John Paul Adrian Glaubitz Date: Wed May 10 18:33:42 2023 +0200 irqchip/jcore-aic: Fix missing allocation of IRQ descriptors [ Upstream commit 4848229494a323eeaab62eee5574ef9f7de80374 ] The initialization function for the J-Core AIC aic_irq_of_init() is currently missing the call to irq_alloc_descs() which allocates and initializes all the IRQ descriptors. Add missing function call and return the error code from irq_alloc_descs() in case the allocation fails. Fixes: 981b58f66cfc ("irqchip/jcore-aic: Add J-Core AIC driver") Signed-off-by: John Paul Adrian Glaubitz Tested-by: Rob Landley Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230510163343.43090-1-glaubitz@physik.fu-berlin.de Signed-off-by: Sasha Levin commit 927a892ff238749e28b67f5ce8d9dfef1d01bd26 Author: Antonio Borneo Date: Thu Jun 1 17:56:14 2023 +0200 irqchip/stm32-exti: Fix warning on initialized field overwritten [ Upstream commit 48f31e496488a25f443c0df52464da446fb1d10c ] While compiling with W=1, both gcc and clang complain about a tricky way to initialize an array by filling it with a non-zero value and then overrride some of the array elements. In this case the override is intentional, so just disable the specific warning for only this part of the code. Note: the flag "-Woverride-init" is recognized by both compilers, but the warning msg from clang reports "-Winitializer-overrides". The doc of clang clarifies that the two flags are synonyms, so use here only the flag name common on both compilers. Signed-off-by: Antonio Borneo Fixes: c297493336b7 ("irqchip/stm32-exti: Simplify irq description table") Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230601155614.34490-1-antonio.borneo@foss.st.com Signed-off-by: Sasha Levin commit 32d07a6f57084955601d272adfc8f305b69bf467 Author: Christoph Hellwig Date: Wed Jun 14 16:03:38 2023 +0200 splice: don't call file_accessed in copy_splice_read [ Upstream commit 0b24be4691c9e6ea13ca70050d42a9f9032fa788 ] copy_splice_read calls into ->read_iter to read the data, which already calls file_accessed. Fixes: 33b3b041543e ("splice: Add a func to do a splice from an O_DIRECT file without ITER_PIPE") Signed-off-by: Christoph Hellwig Reviewed-by: Johannes Thumshirn Reviewed-by: Christian Brauner Reviewed-by: David Howells Link: https://lore.kernel.org/r/20230614140341.521331-2-hch@lst.de Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 2b99ee760e6ea0f965f4edf5adf58e585bbf0a55 Author: Jianmin Lv Date: Wed Jun 14 19:59:36 2023 +0800 irqchip/loongson-eiointc: Fix irq affinity setting during resume [ Upstream commit fb07b8f83441febeb0daf199b5f18c6de9bbab03 ] The hierarchy of PCH PIC, PCH PCI MSI and EIONTC is as following: PCH PIC ------->| |---->EIOINTC PCH PCI MSI --->| so the irq_data list of irq_desc for IRQs on PCH PIC and PCH PCI MSI is like this: irq_desc->irq_data(domain: PCH PIC)->parent_data(domain: EIOINTC) irq_desc->irq_data(domain: PCH PCI MSI)->parent_data(domain: EIOINTC) In eiointc_resume(), the irq_data passed into eiointc_set_irq_affinity() should be matched to EIOINTC domain instead of PCH PIC or PCH PCI MSI domain, so fix it. Fixes: a90335c2dfb4 ("irqchip/loongson-eiointc: Add suspend/resume support") Reported-by: yangqiming Signed-off-by: Jianmin Lv Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230614115936.5950-6-lvjianmin@loongson.cn Signed-off-by: Sasha Levin commit 942e81650b81b4ca62f1d8c61de455c9e7c7e6ca Author: Yu Kuai Date: Sat Jun 10 10:20:03 2023 +0800 block: fix blktrace debugfs entries leakage [ Upstream commit dd7de3704af9989b780693d51eaea49a665bd9c2 ] Commit 99d055b4fd4b ("block: remove per-disk debugfs files in blk_unregister_queue") moves blk_trace_shutdown() from blk_release_queue() to blk_unregister_queue(), this is safe if blktrace is created through sysfs, however, there is a regression in corner case. blktrace can still be enabled after del_gendisk() through ioctl if the disk is opened before del_gendisk(), and if blktrace is not shutdown through ioctl before closing the disk, debugfs entries will be leaked. Fix this problem by shutdown blktrace in disk_release(), this is safe because blk_trace_remove() is reentrant. Fixes: 99d055b4fd4b ("block: remove per-disk debugfs files in blk_unregister_queue") Signed-off-by: Yu Kuai Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20230610022003.2557284-4-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit fbbe89866799aecbe41e0ebb51d69ebe09a96076 Author: Yu Kuai Date: Mon May 29 21:11:03 2023 +0800 md/raid1-10: submit write io directly if bitmap is not enabled [ Upstream commit 7db922bae3abdf0a1db81ef7228cc0b996a0c1e3 ] Commit 6cce3b23f6f8 ("[PATCH] md: write intent bitmap support for raid10") add bitmap support, and it changed that write io is submitted through daemon thread because bitmap need to be updated before write io. And later, plug is used to fix performance regression because all the write io will go to demon thread, which means io can't be issued concurrently. However, if bitmap is not enabled, the write io should not go to daemon thread in the first place, and plug is not needed as well. Fixes: 6cce3b23f6f8 ("[PATCH] md: write intent bitmap support for raid10") Signed-off-by: Yu Kuai Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20230529131106.2123367-5-yukuai1@huaweicloud.com Signed-off-by: Sasha Levin commit 18ce03c75e4e1c12d0705bc168bdea2eef1cdff7 Author: Yu Kuai Date: Mon May 29 21:11:02 2023 +0800 md/raid1-10: factor out a helper to submit normal write [ Upstream commit 8295efbe68c080047e98d9c0eb5cb933b238a8cb ] There are multiple places to do the same thing, factor out a helper to prevent redundant code, and the helper will be used in following patch as well. Signed-off-by: Yu Kuai Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20230529131106.2123367-4-yukuai1@huaweicloud.com Stable-dep-of: 7db922bae3ab ("md/raid1-10: submit write io directly if bitmap is not enabled") Signed-off-by: Sasha Levin commit b2ac26d2987d6bf376828b8da203253b723ac0c4 Author: Yu Kuai Date: Mon May 29 21:11:01 2023 +0800 md/raid1-10: factor out a helper to add bio to plug [ Upstream commit 5ec6ca140a034682e421e2e808ef5ddfdfd65242 ] The code in raid1 and raid10 is identical, prepare to limit the number of plugged bios. Signed-off-by: Yu Kuai Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20230529131106.2123367-3-yukuai1@huaweicloud.com Stable-dep-of: 7db922bae3ab ("md/raid1-10: submit write io directly if bitmap is not enabled") Signed-off-by: Sasha Levin commit 43c08b7569450f05f48f372de8c432de9f7aa938 Author: Li Nan Date: Fri Jun 2 17:18:39 2023 +0800 md/raid10: fix io loss while replacement replace rdev [ Upstream commit 2ae6aaf76912bae53c74b191569d2ab484f24bf3 ] When removing a disk with replacement, the replacement will be used to replace rdev. During this process, there is a brief window in which both rdev and replacement are read as NULL in raid10_write_request(). This will result in io not being submitted but it should be. //remove //write raid10_remove_disk raid10_write_request mirror->rdev = NULL read rdev -> NULL mirror->rdev = mirror->replacement mirror->replacement = NULL read replacement -> NULL Fix it by reading replacement first and rdev later, meanwhile, use smp_mb() to prevent memory reordering. Fixes: 475b0321a4df ("md/raid10: writes should get directed to replacement as well as original.") Signed-off-by: Li Nan Reviewed-by: Yu Kuai Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20230602091839.743798-3-linan666@huaweicloud.com Signed-off-by: Sasha Levin commit 144c7fd008e0072b0b565f1157eec618de54ca8a Author: Li Nan Date: Sat May 27 15:22:15 2023 +0800 md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request [ Upstream commit 34817a2441747b48e444cb0e05d84e14bc9443da ] There are two check of 'mreplace' in raid10_sync_request(). In the first check, 'need_replace' will be set and 'mreplace' will be used later if no-Faulty 'mreplace' exists, In the second check, 'mreplace' will be set to NULL if it is Faulty, but 'need_replace' will not be changed accordingly. null-ptr-deref occurs if Faulty is set between two check. Fix it by merging two checks into one. And replace 'need_replace' with 'mreplace' because their values are always the same. Fixes: ee37d7314a32 ("md/raid10: Fix raid10 replace hang when new added disk faulty") Signed-off-by: Li Nan Reviewed-by: Yu Kuai Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20230527072218.2365857-2-linan666@huaweicloud.com Signed-off-by: Sasha Levin commit e83cb411aa1c6c9617db9329897f4506ba9e9b9d Author: Li Nan Date: Mon May 22 15:25:34 2023 +0800 md/raid10: fix wrong setting of max_corr_read_errors [ Upstream commit f8b20a405428803bd9881881d8242c9d72c6b2b2 ] There is no input check when echo md/max_read_errors and overflow might occur. Add check of input number. Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.") Signed-off-by: Li Nan Reviewed-by: Yu Kuai Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20230522072535.1523740-3-linan666@huaweicloud.com Signed-off-by: Sasha Levin commit 138ad092e9c9be622f69ff3202fc942e8a8764f0 Author: Li Nan Date: Mon May 22 15:25:33 2023 +0800 md/raid10: fix overflow of md/safe_mode_delay [ Upstream commit 6beb489b2eed25978523f379a605073f99240c50 ] There is no input check when echo md/safe_mode_delay in safe_delay_store(). And msec might also overflow when HZ < 1000 in safe_delay_show(), Fix it by checking overflow in safe_delay_store() and use unsigned long conversion in safe_delay_show(). Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers") Signed-off-by: Li Nan Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20230522072535.1523740-2-linan666@huaweicloud.com Signed-off-by: Sasha Levin commit bea301c046110bf421a3ce153fb868cb8d618e90 Author: Li Nan Date: Mon May 15 21:48:05 2023 +0800 md/raid10: check slab-out-of-bounds in md_bitmap_get_counter [ Upstream commit 301867b1c16805aebbc306aafa6ecdc68b73c7e5 ] If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage() will return -EINVAL because 'page >= bitmap->pages', but the return value was not checked immediately in md_bitmap_get_counter() in order to set *blocks value and slab-out-of-bounds occurs. Move check of 'page >= bitmap->pages' to md_bitmap_get_counter() and return directly if true. Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.") Signed-off-by: Li Nan Reviewed-by: Yu Kuai Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20230515134808.3936750-2-linan666@huaweicloud.com Signed-off-by: Sasha Levin commit 2ed9a89192e3192e5fea7ff6475c8722513f325e Author: Chaitanya Kulkarni Date: Fri Apr 28 00:31:15 2023 -0700 nvme-core: fix dev_pm_qos memleak [ Upstream commit 7ed5cf8e6d9bfb6a78d0471317edff14f0f2b4dd ] Call dev_pm_qos_hide_latency_tolerance() in the error unwind patch to avoid following kmemleak:- blktests (master) # kmemleak-clear; ./check nvme/044; blktests (master) # kmemleak-scan ; kmemleak-show nvme/044 (Test bi-directional authentication) [passed] runtime 2.111s ... 2.124s unreferenced object 0xffff888110c46240 (size 96): comm "nvme", pid 33461, jiffies 4345365353 (age 75.586s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<0000000069ac2cec>] kmalloc_trace+0x25/0x90 [<000000006acc66d5>] dev_pm_qos_update_user_latency_tolerance+0x6f/0x100 [<00000000cc376ea7>] nvme_init_ctrl+0x38e/0x410 [nvme_core] [<000000007df61b4b>] 0xffffffffc05e88b3 [<00000000d152b985>] 0xffffffffc05744cb [<00000000f04a4041>] vfs_write+0xc5/0x3c0 [<00000000f9491baf>] ksys_write+0x5f/0xe0 [<000000001c46513d>] do_syscall_64+0x3b/0x90 [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc Link: https://lore.kernel.org/linux-nvme/CAHj4cs-nDaKzMx2txO4dbE+Mz9ePwLtU0e3egz+StmzOUgWUrA@mail.gmail.com/ Fixes: f50fff73d620 ("nvme: implement In-Band authentication") Signed-off-by: Chaitanya Kulkarni Tested-by: Yi Zhang Reviewed-by: Christoph Hellwig Reviewed-by: Sagi Grimberg Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit 282416eaf5cc87536c89bc7dfd49837e73efa4ce Author: Chaitanya Kulkarni Date: Fri Apr 28 00:31:14 2023 -0700 nvme-core: add missing fault-injection cleanup [ Upstream commit 3a12a0b868a512fcada564699d00f5e652c0998c ] Add missing fault-injection cleanup in nvme_init_ctrl() in the error unwind path that also fixes following message for blktests:- linux-block (for-next) # grep debugfs debugfs-err.log [ 147.853464] debugfs: Directory 'nvme1' with parent '/' already present! [ 147.853973] nvme1: failed to create debugfs attr [ 148.802490] debugfs: Directory 'nvme1' with parent '/' already present! [ 148.803244] nvme1: failed to create debugfs attr [ 148.877304] debugfs: Directory 'nvme1' with parent '/' already present! [ 148.877775] nvme1: failed to create debugfs attr [ 149.816652] debugfs: Directory 'nvme1' with parent '/' already present! [ 149.818011] nvme1: failed to create debugfs attr Signed-off-by: Chaitanya Kulkarni Tested-by: Yi Zhang Reviewed-by: Christoph Hellwig Reviewed-by: Sagi Grimberg Signed-off-by: Keith Busch Stable-dep-of: 7ed5cf8e6d9b ("nvme-core: fix dev_pm_qos memleak") Signed-off-by: Sasha Levin commit 6ec30a62789913b1bd0f0d44ea4d0d2d5608b1e8 Author: Chaitanya Kulkarni Date: Fri Apr 28 00:31:13 2023 -0700 nvme-core: fix memory leak in dhchap_ctrl_secret [ Upstream commit 99c2dcc8ffc24e210a3aa05c204d92f3ef460b05 ] Free dhchap_secret in nvme_ctrl_dhchap_ctrl_secret_store() before we return when nvme_auth_generate_key() returns error. Fixes: f50fff73d620 ("nvme: implement In-Band authentication") Signed-off-by: Chaitanya Kulkarni Reviewed-by: Christoph Hellwig Reviewed-by: Sagi Grimberg Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit 6a5eda5017959541ab82c5d56bcf784b8294e298 Author: Chaitanya Kulkarni Date: Fri Apr 28 00:31:12 2023 -0700 nvme-core: fix memory leak in dhchap_secret_store [ Upstream commit a836ca33c5b07d34dd5347af9f64d25651d12674 ] Free dhchap_secret in nvme_ctrl_dhchap_secret_store() before we return fix following kmemleack:- unreferenced object 0xffff8886376ea800 (size 64): comm "check", pid 22048, jiffies 4344316705 (age 92.199s) hex dump (first 32 bytes): 44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg 75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL backtrace: [<0000000030ce5d4b>] __kmalloc+0x4b/0x130 [<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core] [<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0 [<00000000437e7ced>] vfs_write+0x2ba/0x3c0 [<00000000f9491baf>] ksys_write+0x5f/0xe0 [<000000001c46513d>] do_syscall_64+0x3b/0x90 [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc unreferenced object 0xffff8886376eaf00 (size 64): comm "check", pid 22048, jiffies 4344316736 (age 92.168s) hex dump (first 32 bytes): 44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg 75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL backtrace: [<0000000030ce5d4b>] __kmalloc+0x4b/0x130 [<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core] [<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0 [<00000000437e7ced>] vfs_write+0x2ba/0x3c0 [<00000000f9491baf>] ksys_write+0x5f/0xe0 [<000000001c46513d>] do_syscall_64+0x3b/0x90 [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc Fixes: f50fff73d620 ("nvme: implement In-Band authentication") Signed-off-by: Chaitanya Kulkarni Tested-by: Yi Zhang Reviewed-by: Christoph Hellwig Reviewed-by: Sagi Grimberg Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit e9b824ca7a55b01bc64522054331c438fcaf0635 Author: NeilBrown Date: Sat Jun 3 07:14:14 2023 +1000 lockd: drop inappropriate svc_get() from locked_get() [ Upstream commit 665e89ab7c5af1f2d260834c861a74b01a30f95f ] The below-mentioned patch was intended to simplify refcounting on the svc_serv used by locked. The goal was to only ever have a single reference from the single thread. To that end we dropped a call to lockd_start_svc() (except when creating thread) which would take a reference, and dropped the svc_put(serv) that would drop that reference. Unfortunately we didn't also remove the svc_get() from lockd_create_svc() in the case where the svc_serv already existed. So after the patch: - on the first call the svc_serv was allocated and the one reference was given to the thread, so there are no extra references - on subsequent calls svc_get() was called so there is now an extra reference. This is clearly not consistent. The inconsistency is also clear in the current code in lockd_get() takes *two* references, one on nlmsvc_serv and one by incrementing nlmsvc_users. This clearly does not match lockd_put(). So: drop that svc_get() from lockd_get() (which used to be in lockd_create_svc(). Reported-by: Ido Schimmel Closes: https://lore.kernel.org/linux-nfs/ZHsI%2FH16VX9kJQX1@shredder/T/#u Fixes: b73a2972041b ("lockd: move lockd_start_svc() call into lockd_create_svc()") Signed-off-by: NeilBrown Tested-by: Ido Schimmel Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 3cace7e4ac7aed6eb80f29a5924e30d437b3b7d6 Author: Yu Kuai Date: Sat Jun 10 10:30:43 2023 +0800 blk-mq: fix potential io hang by wrong 'wake_batch' [ Upstream commit 4f1731df60f9033669f024d06ae26a6301260b55 ] In __blk_mq_tag_busy/idle(), updating 'active_queues' and calculating 'wake_batch' is not atomic: t1: t2: _blk_mq_tag_busy blk_mq_tag_busy inc active_queues // assume 1->2 inc active_queues // 2 -> 3 blk_mq_update_wake_batch // calculate based on 3 blk_mq_update_wake_batch /* calculate based on 2, while active_queues is actually 3. */ Fix this problem by protecting them wih 'tags->lock', this is not a hot path, so performance should not be concerned. And now that all writers are inside the lock, switch 'actives_queues' from atomic to unsigned int. Fixes: 180dccb0dba4 ("blk-mq: fix tag_get wait task can't be awakened") Signed-off-by: Yu Kuai Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20230610023043.2559121-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit cef10b632e83e177d4bde64a51ff43b5920b038f Author: Arnd Bergmann Date: Tue Jan 17 18:13:56 2023 +0100 virt: sevguest: Add CONFIG_CRYPTO dependency [ Upstream commit 84b9b44b99780d35fe72ac63c4724f158771e898 ] This driver fails to link when CRYPTO is disabled, or in a loadable module: WARNING: unmet direct dependencies detected for CRYPTO_GCM WARNING: unmet direct dependencies detected for CRYPTO_AEAD2 Depends on [m]: CRYPTO [=m] Selected by [y]: - SEV_GUEST [=y] && VIRT_DRIVERS [=y] && AMD_MEM_ENCRYPT [=y] x86_64-linux-ld: crypto/aead.o: in function `crypto_register_aeads': Fixes: fce96cf04430 ("virt: Add SEV-SNP guest driver") Signed-off-by: Arnd Bergmann Signed-off-by: Borislav Petkov (AMD) Link: https://lore.kernel.org/r/20230117171416.2715125-1-arnd@kernel.org Signed-off-by: Sasha Levin commit abbce7f82613ea5eeefd0fc3c1c8e449b9cef2a2 Author: Waiman Long Date: Tue Jun 6 14:07:24 2023 -0400 blk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats() [ Upstream commit 3d2af77e31ade05ff7ccc3658c3635ec1bea0979 ] When blkg_alloc() is called to allocate a blkcg_gq structure with the associated blkg_iostat_set's, there are 2 fields within blkg_iostat_set that requires proper initialization - blkg & sync. The former field was introduced by commit 3b8cc6298724 ("blk-cgroup: Optimize blkcg_rstat_flush()") while the later one was introduced by commit f73316482977 ("blk-cgroup: reimplement basic IO stats using cgroup rstat"). Unfortunately those fields in the blkg_iostat_set's are not properly re-initialized when they are cleared in v1's blkcg_reset_stats(). This can lead to a kernel panic due to NULL pointer access of the blkg pointer. The missing initialization of sync is less problematic and can be a problem in a debug kernel due to missing lockdep initialization. Fix these problems by re-initializing them after memory clearing. Fixes: 3b8cc6298724 ("blk-cgroup: Optimize blkcg_rstat_flush()") Fixes: f73316482977 ("blk-cgroup: reimplement basic IO stats using cgroup rstat") Signed-off-by: Waiman Long Reviewed-by: Ming Lei Acked-by: Tejun Heo Link: https://lore.kernel.org/r/20230606180724.2455066-1-longman@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit fe3592a1fc6735a17749439ce2afdc6ebf7735e1 Author: Tom Lendacky Date: Tue Jun 6 09:51:22 2023 -0500 x86/sev: Fix calculation of end address based on number of pages [ Upstream commit 5dee19b6b2b194216919b99a1f5af2949a754016 ] When calculating an end address based on an unsigned int number of pages, any value greater than or equal to 0x100000 that is shift PAGE_SHIFT bits results in a 0 value, resulting in an invalid end address. Change the number of pages variable in various routines from an unsigned int to an unsigned long to calculate the end address correctly. Fixes: 5e5ccff60a29 ("x86/sev: Add helper for validating pages in early enc attribute changes") Fixes: dc3f3d2474b8 ("x86/mm: Validate memory when changing the C-bit") Signed-off-by: Tom Lendacky Signed-off-by: Borislav Petkov (AMD) Link: https://lore.kernel.org/r/6a6e4eea0e1414402bac747744984fa4e9c01bb6.1686063086.git.thomas.lendacky@amd.com Signed-off-by: Sasha Levin commit 3376c4fe2db4aea2dc721a27a999c41fdb45b54f Author: Li Nan Date: Sat May 27 17:19:04 2023 +0800 blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost [ Upstream commit 8d211554679d0b23702bd32ba04aeac0c1c4f660 ] adjust_inuse_and_calc_cost() use spin_lock_irq() and IRQ will be enabled when unlock. DEADLOCK might happen if we have held other locks and disabled IRQ before invoking it. Fix it by using spin_lock_irqsave() instead, which can keep IRQ state consistent with before when unlock. ================================ WARNING: inconsistent lock state 5.10.0-02758-g8e5f91fd772f #26 Not tainted -------------------------------- inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. kworker/2:3/388 [HC0[0]:SC0[0]:HE0:SE1] takes: ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: spin_lock_irq ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390 {IN-HARDIRQ-W} state was registered at: __lock_acquire+0x3d7/0x1070 lock_acquire+0x197/0x4a0 __raw_spin_lock_irqsave _raw_spin_lock_irqsave+0x3b/0x60 bfq_idle_slice_timer_body bfq_idle_slice_timer+0x53/0x1d0 __run_hrtimer+0x477/0xa70 __hrtimer_run_queues+0x1c6/0x2d0 hrtimer_interrupt+0x302/0x9e0 local_apic_timer_interrupt __sysvec_apic_timer_interrupt+0xfd/0x420 run_sysvec_on_irqstack_cond sysvec_apic_timer_interrupt+0x46/0xa0 asm_sysvec_apic_timer_interrupt+0x12/0x20 irq event stamp: 837522 hardirqs last enabled at (837521): [] __raw_spin_unlock_irqrestore hardirqs last enabled at (837521): [] _raw_spin_unlock_irqrestore+0x3d/0x40 hardirqs last disabled at (837522): [] __raw_spin_lock_irq hardirqs last disabled at (837522): [] _raw_spin_lock_irq+0x43/0x50 softirqs last enabled at (835852): [] __do_softirq+0x558/0x8ec softirqs last disabled at (835845): [] asm_call_irq_on_stack+0xf/0x20 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&bfqd->lock); lock(&bfqd->lock); *** DEADLOCK *** 3 locks held by kworker/2:3/388: #0: ffff888107af0f38 ((wq_completion)kthrotld){+.+.}-{0:0}, at: process_one_work+0x742/0x13f0 #1: ffff8881176bfdd8 ((work_completion)(&td->dispatch_work)){+.+.}-{0:0}, at: process_one_work+0x777/0x13f0 #2: ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: spin_lock_irq #2: ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390 stack backtrace: CPU: 2 PID: 388 Comm: kworker/2:3 Not tainted 5.10.0-02758-g8e5f91fd772f #26 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: kthrotld blk_throtl_dispatch_work_fn Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x167 print_usage_bug valid_state mark_lock_irq.cold+0x32/0x3a mark_lock+0x693/0xbc0 mark_held_locks+0x9e/0xe0 __trace_hardirqs_on_caller lockdep_hardirqs_on_prepare.part.0+0x151/0x360 trace_hardirqs_on+0x5b/0x180 __raw_spin_unlock_irq _raw_spin_unlock_irq+0x24/0x40 spin_unlock_irq adjust_inuse_and_calc_cost+0x4fb/0x970 ioc_rqos_merge+0x277/0x740 __rq_qos_merge+0x62/0xb0 rq_qos_merge bio_attempt_back_merge+0x12c/0x4a0 blk_mq_sched_try_merge+0x1b6/0x4d0 bfq_bio_merge+0x24a/0x390 __blk_mq_sched_bio_merge+0xa6/0x460 blk_mq_sched_bio_merge blk_mq_submit_bio+0x2e7/0x1ee0 __submit_bio_noacct_mq+0x175/0x3b0 submit_bio_noacct+0x1fb/0x270 blk_throtl_dispatch_work_fn+0x1ef/0x2b0 process_one_work+0x83e/0x13f0 process_scheduled_works worker_thread+0x7e3/0xd80 kthread+0x353/0x470 ret_from_fork+0x1f/0x30 Fixes: b0853ab4a238 ("blk-iocost: revamp in-period donation snapbacks") Signed-off-by: Li Nan Acked-by: Tejun Heo Reviewed-by: Yu Kuai Link: https://lore.kernel.org/r/20230527091904.3001833-1-linan666@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 3cfecc78ff8e380a287be0cf3de1a1d2fe31eb31 Author: Eric Biggers Date: Sat Jun 3 19:21:01 2023 -0700 fsverity: don't use bio_first_page_all() in fsverity_verify_bio() [ Upstream commit d1f0c5ea04cd0a93309de0246278f0b22394692d ] bio_first_page_all(bio)->mapping->host is not compatible with large folios, since the first page of the bio is not necessarily the head page of the folio, and therefore it might not have the mapping pointer set. Therefore, move the dereference of ->mapping->host into verify_data_blocks(), which works with a folio. (Like the commit that this Fixes, this hasn't actually been tested with large folios yet, since the filesystems that use fs/verity/ don't support that yet. But based on code review, I think this is needed.) Fixes: 5d0f0e57ed90 ("fsverity: support verifying data from large folios") Link: https://lore.kernel.org/r/20230604022101.48342-1-ebiggers@kernel.org Reviewed-by: Matthew Wilcox (Oracle) Signed-off-by: Eric Biggers Signed-off-by: Sasha Levin commit 636d815cc35aa7967525d3b2a95ad02775847fd7 Author: Eric Biggers Date: Mon May 15 22:12:16 2023 -0700 fsverity: use shash API instead of ahash API [ Upstream commit 8fcd94add6c5c93ed3b9314456e8420914401530 ] The "ahash" API, like the other scatterlist-based crypto APIs such as "skcipher", comes with some well-known limitations. First, it can't easily be used with vmalloc addresses. Second, the request struct can't be allocated on the stack. This adds complexity and a possible failure point that needs to be worked around, e.g. using a mempool. The only benefit of ahash over "shash" is that ahash is needed to access traditional memory-to-memory crypto accelerators, i.e. drivers/crypto/. However, this style of crypto acceleration has largely fallen out of favor and been superseded by CPU-based acceleration or inline crypto engines. Also, ahash needs to be used asynchronously to take full advantage of such hardware, but fs/verity/ has never done this. On all systems that aren't actually using one of these ahash-only crypto accelerators, ahash just adds unnecessary overhead as it sits between the user and the underlying shash algorithms. Also, XFS is planned to cache fsverity Merkle tree blocks in the existing XFS buffer cache. As a result, it will be possible for a single Merkle tree block to be split across discontiguous pages (https://lore.kernel.org/r/20230405233753.GU3223426@dread.disaster.area). This data will need to be hashed. It is easiest to work with a vmapped address in this case. However, ahash is incompatible with this. Therefore, let's convert fs/verity/ from ahash to shash. This simplifies the code, and it should also slightly improve performance for everyone who wasn't actually using one of these ahash-only crypto accelerators, i.e. almost everyone (or maybe even everyone)! Link: https://lore.kernel.org/r/20230516052306.99600-1-ebiggers@kernel.org Reviewed-by: Christoph Hellwig Acked-by: Ard Biesheuvel Signed-off-by: Eric Biggers Stable-dep-of: d1f0c5ea04cd ("fsverity: don't use bio_first_page_all() in fsverity_verify_bio()") Signed-off-by: Sasha Levin commit b646da604aaa6604409a6be9cc2dfdd09e8d8b71 Author: Shawn Wang Date: Mon May 15 14:04:48 2023 +0800 x86/resctrl: Only show tasks' pid in current pid namespace [ Upstream commit 2997d94b5dd0e8b10076f5e0b6f18410c73e28bd ] When writing a task id to the "tasks" file in an rdtgroup, rdtgroup_tasks_write() treats the pid as a number in the current pid namespace. But when reading the "tasks" file, rdtgroup_tasks_show() shows the list of global pids from the init namespace, which is confusing and incorrect. To be more robust, let the "tasks" file only show pids in the current pid namespace. Fixes: e02737d5b826 ("x86/intel_rdt: Add tasks files") Signed-off-by: Shawn Wang Signed-off-by: Borislav Petkov (AMD) Acked-by: Reinette Chatre Acked-by: Fenghua Yu Tested-by: Reinette Chatre Link: https://lore.kernel.org/all/20230116071246.97717-1-shawnwang@linux.alibaba.com/ Signed-off-by: Sasha Levin commit 10c2b98a40d9044a3e97f4697ca6213bad7e19c2 Author: Gao Xiang Date: Sat May 27 04:14:56 2023 +0800 erofs: kill hooked chains to avoid loops on deduplicated compressed images [ Upstream commit 967c28b23f6c89bb8eef6a046ea88afe0d7c1029 ] After heavily stressing EROFS with several images which include a hand-crafted image of repeated patterns for more than 46 days, I found two chains could be linked with each other almost simultaneously and form a loop so that the entire loop won't be submitted. As a consequence, the corresponding file pages will remain locked forever. It can be _only_ observed on data-deduplicated compressed images. For example, consider two chains with five pclusters in total: Chain 1: 2->3->4->5 -- The tail pcluster is 5; Chain 2: 5->1->2 -- The tail pcluster is 2. Chain 2 could link to Chain 1 with pcluster 5; and Chain 1 could link to Chain 2 at the same time with pcluster 2. Since hooked chains are all linked locklessly now, I have no idea how to simply avoid the race. Instead, let's avoid hooked chains completely until I could work out a proper way to fix this and end users finally tell us that it's needed to add it back. Actually, this optimization can be found with multi-threaded workloads (especially even more often on deduplicated compressed images), yet I'm not sure about the overall system impacts of not having this compared with implementation complexity. Fixes: 267f2492c8f7 ("erofs: introduce multi-reference pclusters (fully-referenced)") Signed-off-by: Gao Xiang Reviewed-by: Yue Hu Link: https://lore.kernel.org/r/20230526201459.128169-4-hsiangkao@linux.alibaba.com Signed-off-by: Sasha Levin commit 0a29084050fbabd8d44f865957cfca9c6149d2c4 Author: David Howells Date: Mon May 22 14:49:48 2023 +0100 splice: Fix filemap_splice_read() to use the correct inode [ Upstream commit c37222082f23c456664d1c3182a714670ab8f9a4 ] Fix filemap_splice_read() to use file->f_mapping->host, not file->f_inode, as the source of the file size because in the case of a block device, file->f_inode points to the block-special file (which is typically 0 length) and not the backing store. Fixes: 07073eb01c5f ("splice: Add a func to do a splice from a buffered file without ITER_PIPE") Signed-off-by: David Howells Reviewed-by: Christoph Hellwig Reviewed-by: Christian Brauner cc: Steve French cc: Jens Axboe cc: Al Viro cc: David Hildenbrand cc: John Hubbard cc: linux-mm@kvack.org cc: linux-block@vger.kernel.org cc: linux-fsdevel@vger.kernel.org Link: https://lore.kernel.org/r/20230522135018.2742245-2-dhowells@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 16398b4638b5cd8c1dc95fc940a1591a801d53ce Author: Yu Kuai Date: Fri Apr 14 16:40:08 2023 +0800 block/rq_qos: protect rq_qos apis with a new lock [ Upstream commit a13bd91be22318768d55470cbc0b0f4488ef9edf ] commit 50e34d78815e ("block: disable the elevator int del_gendisk") move rq_qos_exit() from disk_release() to del_gendisk(), this will introduce some problems: 1) If rq_qos_add() is triggered by enabling iocost/iolatency through cgroupfs, then it can concurrent with del_gendisk(), it's not safe to write 'q->rq_qos' concurrently. 2) Activate cgroup policy that is relied on rq_qos will call rq_qos_add() and blkcg_activate_policy(), and if rq_qos_exit() is called in the middle, null-ptr-dereference will be triggered in blkcg_activate_policy(). 3) blkg_conf_open_bdev() can call blkdev_get_no_open() first to find the disk, then if rq_qos_exit() from del_gendisk() is done before rq_qos_add(), then memory will be leaked. This patch add a new disk level mutex 'rq_qos_mutex': 1) The lock will protect rq_qos_exit() directly. 2) For wbt that doesn't relied on blk-cgroup, rq_qos_add() can only be called from disk initialization for now because wbt can't be destructed until rq_qos_exit(), so it's safe not to protect wbt for now. Hoever, in case that rq_qos dynamically destruction is supported in the furture, this patch also protect rq_qos_add() from wbt_init() directly, this is enough because blk-sysfs already synchronize writers with disk removal. 3) For iocost and iolatency, in order to synchronize disk removal and cgroup configuration, the lock is held after blkdev_get_no_open() from blkg_conf_open_bdev(), and is released in blkg_conf_exit(). In order to fix the above memory leak, disk_live() is checked after holding the new lock. Fixes: 50e34d78815e ("block: disable the elevator int del_gendisk") Signed-off-by: Yu Kuai Acked-by: Tejun Heo Link: https://lore.kernel.org/r/20230414084008.2085155-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit d2e52518a16117ccb7db3d312da430715999bf8f Author: Bart Van Assche Date: Wed May 17 10:42:21 2023 -0700 block: Fix the type of the second bdev_op_is_zoned_write() argument [ Upstream commit 3ddbe2a7e0d4a155a805f69c906c9beed30d4cc4 ] Change the type of the second argument of bdev_op_is_zoned_write() from blk_opf_t into enum req_op because this function expects an operation without flags as second argument. Reviewed-by: Johannes Thumshirn Reviewed-by: Pankaj Raghav Reviewed-by: Christoph Hellwig Reviewed-by: Damien Le Moal Reviewed-by: Hannes Reinecke Cc: Ming Lei Fixes: 8cafdb5ab94c ("block: adapt blk_mq_plug() to not plug for writes that require a zone lock") Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20230517174230.897144-4-bvanassche@acm.org Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit f2c4eff13173e32d97666239a8551bce74791503 Author: Ming Lei Date: Thu May 18 07:30:59 2023 +0200 blk-mq: don't queue plugged passthrough requests into scheduler [ Upstream commit d97217e7f024bbe9aa62aea070771234c2879358 ] Passthrough requests should never be queued to the I/O scheduler, as scheduling these opaque requests doesn't make sense, and I/O schedulers might require req->bio to be always valid. We never let passthrough requests insert into the scheduler before commit 1c2d2fff6dc0 ("block: wire-up support for passthrough plugging"), restore this behavior even for passthrough requests issued under a plug. [hch: use blk_mq_insert_requests for passthrough requests, fix up the commit message and comments] Reported-by: Guangwu Zhang Closes: https://lore.kernel.org/linux-block/CAGS2=YosaYaUTEMU3uaf+y=8MqSrhL7sYsJn8EwbaM=76p_4Qg@mail.gmail.com/ Investigated-by: Yu Kuai Fixes: 1c2d2fff6dc0 ("block: wire-up support for passthrough plugging") Signed-off-by: Ming Lei Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20230518053101.760632-2-hch@lst.de Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 79769887fd0449a201c92dda99019a23c40055d8 Author: Alexander Gordeev Date: Fri May 26 14:30:29 2023 +0200 s390/kasan: fix insecure W+X mapping warning [ Upstream commit 2ed8b509753a0454b52b2d72e982265472c8d861 ] Since commit 3b5c3f000c2e ("s390/kasan: move shadow mapping to decompressor") the decompressor establishes mappings for the shadow memory and sets initial protection attributes to RWX. The decompressed kernel resets protection to RW+NX later on. In case a shadow memory range is not aligned on page boundary (e.g. as result of mem= kernel command line parameter use), the "Checked W+X mappings: FAILED, 1 W+X pages found" warning hits. Reported-by: Vasily Gorbik Fixes: 557b19709da9 ("s390/kasan: move shadow mapping to decompressor") Reviewed-by: Vasily Gorbik Signed-off-by: Alexander Gordeev Signed-off-by: Sasha Levin commit b953ddcbb1bb7d26ecf12b144b73e36ff4f7e0b1 Author: Arnd Bergmann Date: Tue May 16 21:56:12 2023 +0200 fs: pipe: reveal missing function protoypes [ Upstream commit 247c8d2f9837a3e29e3b6b7a4aa9c36c37659dd4 ] A couple of functions from fs/pipe.c are used both internally and for the watch queue code, but the declaration is only visible when the latter is enabled: fs/pipe.c:1254:5: error: no previous prototype for 'pipe_resize_ring' fs/pipe.c:758:15: error: no previous prototype for 'account_pipe_buffers' fs/pipe.c:764:6: error: no previous prototype for 'too_many_pipe_buffers_soft' fs/pipe.c:771:6: error: no previous prototype for 'too_many_pipe_buffers_hard' fs/pipe.c:777:6: error: no previous prototype for 'pipe_is_unprivileged_user' Make the visible unconditionally to avoid these warnings. Fixes: c73be61cede5 ("pipe: Add general notification queue support") Signed-off-by: Arnd Bergmann Message-Id: <20230516195629.551602-1-arnd@kernel.org> Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin commit 4538616b518d8fd259c8316e47c5909e9713b331 Author: Hersen Wu Date: Mon Jun 26 13:40:58 2023 -0400 Revert "drm/amd/display: edp do not add non-edid timings" commit d6149086b45e150c170beaa4546495fd1880724c upstream. This change causes regression when eDP and external display in mirror mode. When external display supports low resolution than eDP, use eDP timing to driver external display may cause corruption on external display. This reverts commit e749dd10e5f292061ad63d2b030194bf7d7d452c. Cc: stable@vger.kernel.org Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2655 Signed-off-by: Hersen Wu Reviewed-by: Mario Limonciello Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit f59fcf7987195a066b4b2dd6c95c28d5d0de85b1 Author: Sean Nyekjaer Date: Mon Jun 5 12:32:21 2023 +0200 iio: accel: fxls8962af: fixup buffer scan element type commit d1cfbd52ede5e5fabc09992894c5733b4057f159 upstream. Scan elements for x,y,z channels is little endian and requires no bit shifts. LE vs. BE is controlled in register SENS_CONFIG2 and bit LE_BE, default value is LE. Fixes: a3e0b51884ee ("iio: accel: add support for FXLS8962AF/FXLS8964AF accelerometers") Signed-off-by: Sean Nyekjaer Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230605103223.1400980-1-sean@geanix.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 04d566faefb6938c8bb4c8a785cfd45d2dfa873c Author: Sean Nyekjaer Date: Mon Jun 5 12:32:22 2023 +0200 iio: accel: fxls8962af: errata bug only applicable for FXLS8962AF commit b410a9307bc3a7cdee3c930c98f6fc9cf1d2c484 upstream. Remove special errata handling if FXLS8964AF is used. Fixes: af959b7b96b8 ("iio: accel: fxls8962af: fix errata bug E3 - I2C burst reads") Signed-off-by: Sean Nyekjaer Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230605103223.1400980-2-sean@geanix.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 90d8789805d4e30368b32be1a575dfd3e7d46602 Author: Fabrizio Lamarque Date: Tue May 30 09:53:08 2023 +0200 iio: adc: ad7192: Fix internal/external clock selection commit f7d9e21dd274b97dc0a8dbc136a2ea8506063a96 upstream. Fix wrong selection of internal clock when mclk is defined. Resolve a logical inversion introduced in c9ec2cb328e3. Fixes: c9ec2cb328e3 ("iio: adc: ad7192: use devm_clk_get_optional() for mclk") Signed-off-by: Fabrizio Lamarque Reviewed-by: Nuno Sa Cc: Link: https://lore.kernel.org/r/20230530075311.400686-3-fl.scratchpad@gmail.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 30e469ad6a5b00eca28880084a45e80e35e60a24 Author: Fabrizio Lamarque Date: Tue May 30 09:53:07 2023 +0200 iio: adc: ad7192: Fix null ad7192_state pointer access commit 9e58e3a6f8e1c483c86a04903b7b7aa0923e4426 upstream. Pointer to indio_dev structure is obtained via spi_get_drvdata() at the beginning of function ad7192_setup(), but the spi->dev->driver_data member is not initialized, hence a NULL pointer is returned. Fix by changing ad7192_setup() signature to take pointer to struct iio_dev, and get ad7192_state pointer via st = iio_priv(indio_dev); Fixes: bd5dcdeb3fd0 ("iio: adc: ad7192: convert to device-managed functions") Signed-off-by: Fabrizio Lamarque Reviewed-by: Nuno Sa Cc: Link: https://lore.kernel.org/r/20230530075311.400686-2-fl.scratchpad@gmail.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 17459c67841adbf83ada9847d460ce8c133b7ea6 Author: Rasmus Villemoes Date: Wed May 3 12:50:41 2023 +0200 iio: addac: ad74413: don't set DIN_SINK for functions other than digital input commit a4cba07e64e6ec22d9504a1a45d29afa863dc19c upstream. Apparently, despite the name Digital Input Configuration Register, the settings in the DIN_CONFIGx registers also affect other channel functions. In particular, setting a non-zero value in the DIN_SINK field breaks the resistance measurement function. Now, one can of course argue that specifying a drive-strength-microamp property along with a adi,ch-func which is not one of the digital input functions is a bug in the device tree. However, we have a rather complicated setup with instances of ad74412r on external hardware modules, and have set a default drive-strength-microamp in our DT fragments describing those, merely modifying the adi,ch-func settings to reflect however the modules have been wired up. And restricting this setting to just being done for digital input doesn't make the driver any more complex. Fixes: 504eb485589d1 (iio: ad74413r: wire up support for drive-strength-microamp property) Signed-off-by: Rasmus Villemoes Link: https://lore.kernel.org/r/20230503105042.453755-1-linux@rasmusvillemoes.dk Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 2fb980d751aeb6c0b48ca4668597f10191aee80a Author: Fabrizio Lamarque Date: Tue May 30 09:53:10 2023 +0200 dt-bindings: iio: ad7192: Add mandatory reference voltage source commit c6dab7245604862d86f0b6d764919f470584d24f upstream. Add required reference voltage (VRef) supply regulator. AD7192 requires three independent voltage sources: DVdd, AVdd and VRef (on REFINx pin pairs). Fixes: b581f748cce0 ("staging: iio: adc: ad7192: move out of staging") Signed-off-by: Fabrizio Lamarque Acked-by: Conor Dooley Cc: Link: https://lore.kernel.org/r/20230530075311.400686-5-fl.scratchpad@gmail.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 8b36533ca65d51c4e3e8e4e5ab25fce1abbeb85d Author: Alvin Šipraga Date: Wed Mar 15 15:15:47 2023 +0100 extcon: usbc-tusb320: Unregister typec port on driver removal commit 3adbaa30d973093a4f37927baf9596cca51b593d upstream. The driver can register a typec port if suitable firmware properties are present. But if the driver is removed through sysfs unbind, rmmod or similar, then it does not clean up after itself and the typec port device remains registered. This can be seen in sysfs, where stale typec ports get left over in /sys/class/typec. In order to fix this we have to add an i2c_driver remove function and call typec_unregister_port(), which is a no-op in the case where no typec port is created and the pointer remains NULL. In the process we should also put the fwnode_handle when the typec port isn't registered anymore, including if an error occurs during probe. The typec subsystem does not increase or decrease the reference counter for us, so we track it in the driver's private data. Note that the conditional check on TYPEC_PWR_MODE_PD was removed in the probe path because a call to tusb320_set_adv_pwr_mode() will perform an even more robust validation immediately after, hence there is no functional change here. Fixes: bf7571c00dca ("extcon: usbc-tusb320: Add USB TYPE-C support") Cc: stable@vger.kernel.org Signed-off-by: Alvin Šipraga Signed-off-by: Chanwoo Choi Signed-off-by: Greg Kroah-Hartman commit 82187460347ad58fd6b06d2883da73c3f2df9631 Author: EJ Hsu Date: Fri Jun 9 14:29:32 2023 +0800 phy: tegra: xusb: Clear the driver reference in usb-phy dev commit c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d upstream. For the dual-role port, it will assign the phy dev to usb-phy dev and use the port dev driver as the dev driver of usb-phy. When we try to destroy the port dev, it will destroy its dev driver as well. But we did not remove the reference from usb-phy dev. This might cause the use-after-free issue in KASAN. Fixes: e8f7d2f409a1 ("phy: tegra: xusb: Add usb-phy support") Cc: stable@vger.kernel.org Signed-off-by: EJ Hsu Signed-off-by: Haotien Hsu Acked-by: Thierry Reding Acked-by: Jon Hunter Link: https://lore.kernel.org/r/20230609062932.3276509-1-haotienh@nvidia.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit fd4173920c27878656005ca0587efd97499e5da2 Author: Krishna Kurapati Date: Sun Jun 18 17:39:49 2023 +0530 usb: dwc3: gadget: Propagate core init errors to UDC during pullup commit c0aabed9cabe057309779a9e26fe86a113d24dad upstream. In scenarios where pullup relies on resume (get sync) to initialize the controller and set the run stop bit, then core_init is followed by gadget_resume which will eventually set run stop bit. But in cases where the core_init fails, the return value is not sent back to udc appropriately. So according to UDC the controller has started but in reality we never set the run stop bit. On systems like Android, there are uevents sent to HAL depending on whether the configfs_bind / configfs_disconnect were invoked. In the above mentioned scnenario, if the core init fails, the run stop won't be set and the cable plug-out won't result in generation of any disconnect event and userspace would never get any uevent regarding cable plug out and we never call pullup(0) again. Furthermore none of the next Plug-In/Plug-Out's would be known to configfs. Return back the appropriate result to UDC to let the userspace/ configfs know that the pullup failed so they can take appropriate action. Fixes: 77adb8bdf422 ("usb: dwc3: gadget: Allow runtime suspend if UDC unbinded") Cc: stable Signed-off-by: Krishna Kurapati Acked-by: Thinh Nguyen Message-ID: <20230618120949.14868-1-quic_kriskura@quicinc.com> Signed-off-by: Greg Kroah-Hartman commit 39fddb00547d475d22f05b7ddfbaf70b8167085c Author: Davide Tronchin Date: Thu Jun 22 11:29:21 2023 +0200 USB: serial: option: add LARA-R6 01B PIDs commit ffa5f7a3bf28c1306eef85d4056539c2d4b8eb09 upstream. The new LARA-R6 product variant identified by the "01B" string can be configured (by AT interface) in three different USB modes: * Default mode (Vendor ID: 0x1546 Product ID: 0x1311) with 4 serial interfaces * RmNet mode (Vendor ID: 0x1546 Product ID: 0x1312) with 4 serial interfaces and 1 RmNet virtual network interface * CDC-ECM mode (Vendor ID: 0x1546 Product ID: 0x1313) with 4 serial interface and 1 CDC-ECM virtual network interface The first 4 interfaces of all the 3 USB configurations (default, RmNet, CDC-ECM) are the same. In default mode LARA-R6 01B exposes the following interfaces: If 0: Diagnostic If 1: AT parser If 2: AT parser If 3: AT parser/alternative functions In RmNet mode LARA-R6 01B exposes the following interfaces: If 0: Diagnostic If 1: AT parser If 2: AT parser If 3: AT parser/alternative functions If 4: RMNET interface In CDC-ECM mode LARA-R6 01B exposes the following interfaces: If 0: Diagnostic If 1: AT parser If 2: AT parser If 3: AT parser/alternative functions If 4: CDC-ECM interface Signed-off-by: Davide Tronchin Link: https://lore.kernel.org/r/20230622092921.12651-1-davide.tronchin.94@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 25e73018b4093e0cfbcec5dc4a4bb86d0b69ed56 Author: ndesaulniers@google.com Date: Mon Apr 17 15:00:05 2023 -0700 start_kernel: Add __no_stack_protector function attribute commit 514ca14ed5444b911de59ed3381dfd195d99fe4b upstream. Back during the discussion of commit a9a3ed1eff36 ("x86: Fix early boot crash on gcc-10, third try") we discussed the need for a function attribute to control the omission of stack protectors on a per-function basis; at the time Clang had support for no_stack_protector but GCC did not. This was fixed in gcc-11. Now that the function attribute is available, let's start using it. Callers of boot_init_stack_canary need to use this function attribute unless they're compiled with -fno-stack-protector, otherwise the canary stored in the stack slot of the caller will differ upon the call to boot_init_stack_canary. This will lead to a call to __stack_chk_fail() then panic. Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94722 Link: https://lore.kernel.org/all/20200316130414.GC12561@hirez.programming.kicks-ass.net/ Tested-by: Nathan Chancellor Acked-by: Michael Ellerman (powerpc) Acked-by: Miguel Ojeda Acked-by: Peter Zijlstra (Intel) Signed-off-by: Nick Desaulniers Link: https://lore.kernel.org/r/20230412-no_stackp-v2-1-116f9fe4bbe7@google.com Signed-off-by: Josh Poimboeuf Signed-off-by: Greg Kroah-Hartman Signed-off-by: ndesaulniers@google.com