commit 5c7587f69194bc9fc714953ab4c7203e6e68885b Author: Sasha Levin Date: Sun Mar 24 14:37:29 2024 -0400 Linux 6.6.23 Tested-by: SeongJae Park Tested-by: Linux Kernel Functional Testing Tested-by: Florian Fainelli Tested-by: Ron Economos Tested-by: Takeshi Ogasawara Signed-off-by: Sasha Levin commit 5ad5dcfd7543d8478878a04dfbf638bd4aa39b81 Author: Ard Biesheuvel Date: Fri Mar 22 17:01:45 2024 +0100 x86/efistub: Don't clear BSS twice in mixed mode [ Upstream commit df7ecce842b846a04d087ba85fdb79a90e26a1b0 ] Clearing BSS should only be done once, at the very beginning. efi_pe_entry() is the entrypoint from the firmware, which may not clear BSS and so it is done explicitly. However, efi_pe_entry() is also used as an entrypoint by the mixed mode startup code, in which case BSS will already have been cleared, and doing it again at this point will corrupt global variables holding the firmware's GDT/IDT and segment selectors. So make the memset() conditional on whether the EFI stub is running in native mode. Fixes: b3810c5a2cc4a666 ("x86/efistub: Clear decompressor BSS in native EFI entrypoint") Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit ae863aa18493d287c96de239d7b4ee3e5e977ce2 Author: Ard Biesheuvel Date: Fri Mar 15 16:26:16 2024 +0100 x86/efistub: Clear decompressor BSS in native EFI entrypoint [ Upstream commit b3810c5a2cc4a6665f7a65bed5393c75ce3f3aa2 ] The EFI stub on x86 no longer invokes the decompressor as a subsequent boot stage, but calls into the decompression code directly while running in the context of the EFI boot services. This means that when using the native EFI entrypoint (as opposed to the EFI handover protocol, which clears BSS explicitly), the firmware PE image loader is being relied upon to ensure that BSS is zeroed before the EFI stub is entered from the firmware. As Radek's report proves, this is a bad idea. Not all loaders do this correctly, which means some global variables that should be statically initialized to 0x0 may have junk in them. So clear BSS explicitly when entering via efi_pe_entry(). Note that zeroing BSS from C code is not generally safe, but in this case, the following assignment and dereference of a global pointer variable ensures that the memset() cannot be deferred or reordered. Cc: # v6.1+ Reported-by: Radek Podgorny Closes: https://lore.kernel.org/all/a99a831a-8ad5-4cb0-bff9-be637311f771@podgorny.cz Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit 31423f464fdd2778e0116df9c6fc1ca8dc89ec5f Author: Mikulas Patocka Date: Thu Mar 21 17:48:45 2024 +0100 dm-integrity: align the outgoing bio in integrity_recheck [ Upstream commit b4d78cfeb30476239cf08f4f40afc095c173d6e3 ] It is possible to set up dm-integrity with smaller sector size than the logical sector size of the underlying device. In this situation, dm-integrity guarantees that the outgoing bios have the same alignment as incoming bios (so, if you create a filesystem with 4k block size, dm-integrity would send 4k-aligned bios to the underlying device). This guarantee was broken when integrity_recheck was implemented. integrity_recheck sends bio that is aligned to ic->sectors_per_block. So if we set up integrity with 512-byte sector size on a device with logical block size 4k, we would be sending unaligned bio. This triggered a bug in one of our internal tests. This commit fixes it by determining the actual alignment of the incoming bio and then makes sure that the outgoing bio in integrity_recheck has the same alignment. Fixes: c88f5e553fe3 ("dm-integrity: recheck the integrity tag after a failure") Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 5cfcea64883486d79c695afdc502e32eb1b71587 Author: Hongyu Jin Date: Wed Jan 24 13:35:53 2024 +0800 dm io: Support IO priority [ Upstream commit 6e5f0f6383b4896c7e9b943d84b136149d0f45e9 ] Some IO will dispatch from kworker with different io_context settings than the submitting task, we may need to specify a priority to avoid losing priority. Add IO priority parameter to dm_io() and update all callers. Co-developed-by: Yibin Ding Signed-off-by: Yibin Ding Signed-off-by: Hongyu Jin Reviewed-by: Eric Biggers Reviewed-by: Mikulas Patocka Signed-off-by: Mike Snitzer Stable-dep-of: b4d78cfeb304 ("dm-integrity: align the outgoing bio in integrity_recheck") Signed-off-by: Sasha Levin commit b6dfcdbc80371e19c17246c56ff019227cbed7b7 Author: Ido Schimmel Date: Wed Mar 20 08:57:17 2024 +0200 selftests: forwarding: Fix ping failure due to short timeout [ Upstream commit e4137851d4863a9bdc6aabc613bcb46c06d91e64 ] The tests send 100 pings in 0.1 second intervals and force a timeout of 11 seconds, which is borderline (especially on debug kernels), resulting in random failures in netdev CI [1]. Fix by increasing the timeout to 20 seconds. It should not prolong the test unless something is wrong, in which case the test will rightfully fail. [1] # selftests: net/forwarding: vxlan_bridge_1d_port_8472_ipv6.sh # INFO: Running tests with UDP port 8472 # TEST: ping: local->local [ OK ] # TEST: ping: local->remote 1 [FAIL] # Ping failed [...] Fixes: b07e9957f220 ("selftests: forwarding: Add VxLAN tests with a VLAN-unaware bridge for IPv6") Fixes: 728b35259e28 ("selftests: forwarding: Add VxLAN tests with a VLAN-aware bridge for IPv6") Reported-by: Paolo Abeni Closes: https://lore.kernel.org/netdev/24a7051fdcd1f156c3704bca39e4b3c41dfc7c4b.camel@redhat.com/ Signed-off-by: Ido Schimmel Reviewed-by: Hangbin Liu Reviewed-by: Jiri Pirko Link: https://lore.kernel.org/r/20240320065717.4145325-1-idosch@nvidia.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 62b1f837b15cf3ec2835724bdf8577e47d14c753 Author: Fei Shao Date: Thu Mar 21 15:08:57 2024 +0800 spi: spi-mt65xx: Fix NULL pointer access in interrupt handler [ Upstream commit a20ad45008a7c82f1184dc6dee280096009ece55 ] The TX buffer in spi_transfer can be a NULL pointer, so the interrupt handler may end up writing to the invalid memory and cause crashes. Add a check to trans->tx_buf before using it. Fixes: 1ce24864bff4 ("spi: mediatek: Only do dma for 4-byte aligned buffers") Signed-off-by: Fei Shao Reviewed-by: AngeloGioacchino Del Regno Link: https://msgid.link/r/20240321070942.1587146-2-fshao@chromium.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 79846fdcc548d617b0b321addc6a3821d3b75b20 Author: Quan Tian Date: Thu Mar 7 01:24:02 2024 +0800 netfilter: nf_tables: Fix a memory leak in nf_tables_updchain [ Upstream commit 7eaf837a4eb5f74561e2486972e7f5184b613f6e ] If nft_netdev_register_hooks() fails, the memory associated with nft_stats is not freed, causing a memory leak. This patch fixes it by moving nft_stats_alloc() down after nft_netdev_register_hooks() succeeds. Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain") Signed-off-by: Quan Tian Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 16f55acf58e2681300c2abfef322f4495a6f1397 Author: Arınç ÜNAL Date: Thu Mar 14 12:33:42 2024 +0300 net: dsa: mt7530: fix handling of all link-local frames [ Upstream commit 69ddba9d170bdaee1dc0eb4ced38d7e4bb7b92af ] Currently, the MT753X switches treat frames with :01-0D and :0F MAC DAs as regular multicast frames, therefore flooding them to user ports. On page 205, section "8.6.3 Frame filtering" of the active standard, IEEE Std 802.1Q™-2022, it is stated that frames with 01:80:C2:00:00:00-0F as MAC DA must only be propagated to C-VLAN and MAC Bridge components. That means VLAN-aware and VLAN-unaware bridges. On the switch designs with CPU ports, these frames are supposed to be processed by the CPU (software). So we make the switch only forward them to the CPU port. And if received from a CPU port, forward to a single port. The software is responsible of making the switch conform to the latter by setting a single port as destination port on the special tag. This switch intellectual property cannot conform to this part of the standard fully. Whilst the REV_UN frame tag covers the remaining :04-0D and :0F MAC DAs, it also includes :22-FF which the scope of propagation is not supposed to be restricted for these MAC DAs. Set frames with :01-03 MAC DAs to be trapped to the CPU port(s). Add a comment for the remaining MAC DAs. Note that the ingress port must have a PVID assigned to it for the switch to forward untagged frames. A PVID is set by default on VLAN-aware and VLAN-unaware ports. However, when the network interface that pertains to the ingress port is attached to a vlan_filtering enabled bridge, the user can remove the PVID assignment from it which would prevent the link-local frames from being trapped to the CPU port. I am yet to see a way to forward link-local frames while preventing other untagged frames from being forwarded too. Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch") Signed-off-by: Arınç ÜNAL Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 25a2f73ee7d1bb4aa8e8ecf724661d61f44b9d5c Author: Arınç ÜNAL Date: Thu Mar 14 12:33:41 2024 +0300 net: dsa: mt7530: fix link-local frames that ingress vlan filtering ports [ Upstream commit e8bf353577f382c7066c661fed41b2adc0fc7c40 ] Whether VLAN-aware or not, on every VID VLAN table entry that has the CPU port as a member of it, frames are set to egress the CPU port with the VLAN tag stacked. This is so that VLAN tags can be appended after hardware special tag (called DSA tag in the context of Linux drivers). For user ports on a VLAN-unaware bridge, frame ingressing the user port egresses CPU port with only the special tag. For user ports on a VLAN-aware bridge, frame ingressing the user port egresses CPU port with the special tag and the VLAN tag. This causes issues with link-local frames, specifically BPDUs, because the software expects to receive them VLAN-untagged. There are two options to make link-local frames egress untagged. Setting CONSISTENT or UNTAGGED on the EG_TAG bits on the relevant register. CONSISTENT means frames egress exactly as they ingress. That means egressing with the VLAN tag they had at ingress or egressing untagged if they ingressed untagged. Although link-local frames are not supposed to be transmitted VLAN-tagged, if they are done so, when egressing through a CPU port, the special tag field will be broken. BPDU egresses CPU port with VLAN tag egressing stacked, received on software: 00:01:25.104821 AF Unknown (382365846), length 106: | STAG | | VLAN | 0x0000: 0000 6c27 614d 4143 0001 0000 8100 0001 ..l'aMAC........ 0x0010: 0026 4242 0300 0000 0000 0000 6c27 614d .&BB........l'aM 0x0020: 4143 0000 0000 0000 6c27 614d 4143 0000 AC......l'aMAC.. 0x0030: 0000 1400 0200 0f00 0000 0000 0000 0000 ................ BPDU egresses CPU port with VLAN tag egressing untagged, received on software: 00:23:56.628708 AF Unknown (25215488), length 64: | STAG | 0x0000: 0000 6c27 614d 4143 0001 0000 0026 4242 ..l'aMAC.....&BB 0x0010: 0300 0000 0000 0000 6c27 614d 4143 0000 ........l'aMAC.. 0x0020: 0000 0000 6c27 614d 4143 0000 0000 1400 ....l'aMAC...... 0x0030: 0200 0f00 0000 0000 0000 0000 ............ BPDU egresses CPU port with VLAN tag egressing tagged, received on software: 00:01:34.311963 AF Unknown (25215488), length 64: | Mess | 0x0000: 0000 6c27 614d 4143 0001 0001 0026 4242 ..l'aMAC.....&BB 0x0010: 0300 0000 0000 0000 6c27 614d 4143 0000 ........l'aMAC.. 0x0020: 0000 0000 6c27 614d 4143 0000 0000 1400 ....l'aMAC...... 0x0030: 0200 0f00 0000 0000 0000 0000 ............ To prevent confusing the software, force the frame to egress UNTAGGED instead of CONSISTENT. This way, frames can't possibly be received TAGGED by software which would have the special tag field broken. VLAN Tag Egress Procedure For all frames, one of these options set the earliest in this order will apply to the frame: - EG_TAG in certain registers for certain frames. This will apply to frame with matching MAC DA or EtherType. - EG_TAG in the address table. This will apply to frame at its incoming port. - EG_TAG in the PVC register. This will apply to frame at its incoming port. - EG_CON and [EG_TAG per port] in the VLAN table. This will apply to frame at its outgoing port. - EG_TAG in the PCR register. This will apply to frame at its outgoing port. EG_TAG in certain registers for certain frames: PPPoE Discovery_ARP/RARP: PPP_EG_TAG and ARP_EG_TAG in the APC register. IGMP_MLD: IGMP_EG_TAG and MLD_EG_TAG in the IMC register. BPDU and PAE: BPDU_EG_TAG and PAE_EG_TAG in the BPC register. REV_01 and REV_02: R01_EG_TAG and R02_EG_TAG in the RGAC1 register. REV_03 and REV_0E: R03_EG_TAG and R0E_EG_TAG in the RGAC2 register. REV_10 and REV_20: R10_EG_TAG and R20_EG_TAG in the RGAC3 register. REV_21 and REV_UN: R21_EG_TAG and RUN_EG_TAG in the RGAC4 register. With this change, it can be observed that a bridge interface with stp_state and vlan_filtering enabled will properly block ports now. Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch") Signed-off-by: Arınç ÜNAL Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 5fcee137dbd948db3c843ae79d6885702c68e1a1 Author: Yan Zhai Date: Tue Mar 19 13:44:40 2024 -0700 bpf: report RCU QS in cpumap kthread [ Upstream commit 00bf63122459e87193ee7f1bc6161c83a525569f ] When there are heavy load, cpumap kernel threads can be busy polling packets from redirect queues and block out RCU tasks from reaching quiescent states. It is insufficient to just call cond_resched() in such context. Periodically raise a consolidated RCU QS before cond_resched fixes the problem. Fixes: 6710e1126934 ("bpf: introduce new bpf cpu map type BPF_MAP_TYPE_CPUMAP") Reviewed-by: Jesper Dangaard Brouer Signed-off-by: Yan Zhai Acked-by: Paul E. McKenney Acked-by: Jesper Dangaard Brouer Link: https://lore.kernel.org/r/c17b9f1517e19d813da3ede5ed33ee18496bb5d8.1710877680.git.yan@cloudflare.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e92971a7ed42a36e03ddec6cd602a5c25e2f4bc5 Author: Yan Zhai Date: Tue Mar 19 13:44:37 2024 -0700 net: report RCU QS on threaded NAPI repolling [ Upstream commit d6dbbb11247c71203785a2c9da474c36f4b19eae ] NAPI threads can keep polling packets under load. Currently it is only calling cond_resched() before repolling, but it is not sufficient to clear out the holdout of RCU tasks, which prevent BPF tracing programs from detaching for long period. This can be reproduced easily with following set up: ip netns add test1 ip netns add test2 ip -n test1 link add veth1 type veth peer name veth2 netns test2 ip -n test1 link set veth1 up ip -n test1 link set lo up ip -n test2 link set veth2 up ip -n test2 link set lo up ip -n test1 addr add 192.168.1.2/31 dev veth1 ip -n test1 addr add 1.1.1.1/32 dev lo ip -n test2 addr add 192.168.1.3/31 dev veth2 ip -n test2 addr add 2.2.2.2/31 dev lo ip -n test1 route add default via 192.168.1.3 ip -n test2 route add default via 192.168.1.2 for i in `seq 10 210`; do for j in `seq 10 210`; do ip netns exec test2 iptables -I INPUT -s 3.3.$i.$j -p udp --dport 5201 done done ip netns exec test2 ethtool -K veth2 gro on ip netns exec test2 bash -c 'echo 1 > /sys/class/net/veth2/threaded' ip netns exec test1 ethtool -K veth1 tso off Then run an iperf3 client/server and a bpftrace script can trigger it: ip netns exec test2 iperf3 -s -B 2.2.2.2 >/dev/null& ip netns exec test1 iperf3 -c 2.2.2.2 -B 1.1.1.1 -u -l 1500 -b 3g -t 100 >/dev/null& bpftrace -e 'kfunc:__napi_poll{@=count();} interval:s:1{exit();}' Report RCU quiescent states periodically will resolve the issue. Fixes: 29863d41bb6e ("net: implement threaded-able napi poll loop support") Reviewed-by: Jesper Dangaard Brouer Signed-off-by: Yan Zhai Acked-by: Paul E. McKenney Acked-by: Jesper Dangaard Brouer Link: https://lore.kernel.org/r/4c3b0d3f32d3b18949d75b18e5e1d9f13a24f025.1710877680.git.yan@cloudflare.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c2619021451216fd7be9d6695ec1cf826ab3dc71 Author: Yan Zhai Date: Tue Mar 19 13:44:34 2024 -0700 rcu: add a helper to report consolidated flavor QS [ Upstream commit 1a77557d48cff187a169c2aec01c0dd78a5e7e50 ] When under heavy load, network processing can run CPU-bound for many tens of seconds. Even in preemptible kernels (non-RT kernel), this can block RCU Tasks grace periods, which can cause trace-event removal to take more than a minute, which is unacceptably long. This commit therefore creates a new helper function that passes through both RCU and RCU-Tasks quiescent states every 100 milliseconds. This hard-coded value suffices for current workloads. Suggested-by: Paul E. McKenney Reviewed-by: Jesper Dangaard Brouer Signed-off-by: Yan Zhai Reviewed-by: Paul E. McKenney Acked-by: Jesper Dangaard Brouer Link: https://lore.kernel.org/r/90431d46ee112d2b0af04dbfe936faaca11810a5.1710877680.git.yan@cloudflare.com Signed-off-by: Jakub Kicinski Stable-dep-of: d6dbbb11247c ("net: report RCU QS on threaded NAPI repolling") Signed-off-by: Sasha Levin commit 4d37f12707ee965d338028732575f0b85f6d9e4f Author: Pablo Neira Ayuso Date: Thu Mar 14 18:51:38 2024 +0100 netfilter: nf_tables: do not compare internal table flags on updates [ Upstream commit 4a0e7f2decbf9bd72461226f1f5f7dcc4b08f139 ] Restore skipping transaction if table update does not modify flags. Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit ff90050771412b91e928093ccd8736ae680063c2 Author: Pablo Neira Ayuso Date: Sun Mar 10 10:02:41 2024 +0100 netfilter: nft_set_pipapo: release elements in clone only from destroy path [ Upstream commit b0e256f3dd2ba6532f37c5c22e07cb07a36031ee ] Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol") which came after: 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from abort path"). Fixes: 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from abort path") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit dc29dd00705a62c77de75b6d752259b869aac49d Author: Subbaraya Sundeep Date: Mon Mar 18 14:59:58 2024 +0530 octeontx2-af: Use separate handlers for interrupts [ Upstream commit 50e60de381c342008c0956fd762e1c26408f372c ] For PF to AF interrupt vector and VF to AF vector same interrupt handler is registered which is causing race condition. When two interrupts are raised to two CPUs at same time then two cores serve same event corrupting the data. Fixes: 7304ac4567bc ("octeontx2-af: Add mailbox IRQ and msg handlers") Signed-off-by: Subbaraya Sundeep Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 85724ee6e274e6991f7b84b029e2d574ea8ccdd8 Author: Subbaraya Sundeep Date: Mon Mar 18 14:59:57 2024 +0530 octeontx2-pf: Send UP messages to VF only when VF is up. [ Upstream commit dfcf6355f53b1796cf7fd50a4f27b18ee6a3497a ] When PF sending link status messages to VF, it is possible that by the time link_event_task work function is executed VF might have brought down. Hence before sending VF link status message check whether VF is up to receive it. Fixes: ad513ed938c9 ("octeontx2-vf: Link event notification support") Signed-off-by: Subbaraya Sundeep Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b96b278c821355c017a21988a731043b79b7618a Author: Subbaraya Sundeep Date: Mon Mar 18 14:59:56 2024 +0530 octeontx2-pf: Use default max_active works instead of one [ Upstream commit 7558ce0d974ced1dc07edc1197f750fe28c52e57 ] Only one execution context for the workqueue used for PF and VFs mailbox communication is incorrect since multiple works are queued simultaneously by all the VFs and PF link UP messages. Hence use default number of execution contexts by passing zero as max_active to alloc_workqueue function. With this fix in place, modify UP messages also to wait until completion. Fixes: d424b6c02415 ("octeontx2-pf: Enable SRIOV and added VF mbox handling") Signed-off-by: Subbaraya Sundeep Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1a2ce88ab3a953f0bb8551158bdcb0d1e115ab51 Author: Subbaraya Sundeep Date: Mon Mar 18 14:59:55 2024 +0530 octeontx2-pf: Wait till detach_resources msg is complete [ Upstream commit cbf2f24939a5dafce6de4dd4422e543ce8f610cf ] During VF driver remove, a message is sent to detach VF resources to PF but VF is not waiting until message is complete. Also mailbox interrupts need to be turned off after the detach resource message is complete. This patch fixes that problem. Fixes: 05fcc9e08955 ("octeontx2-pf: Attach NIX and NPA block LFs") Signed-off-by: Subbaraya Sundeep Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c6354b85fa7c9d537ddfca52e7ee35e0d1aae294 Author: Subbaraya Sundeep Date: Mon Mar 18 14:59:54 2024 +0530 octeontx2: Detect the mbox up or down message via register [ Upstream commit a88e0f936ba9a301c78f6eacfd38737d003c130b ] A single line of interrupt is used to receive up notifications and down reply messages from AF to PF (similarly from PF to its VF). PF acts as bridge and forwards VF messages to AF and sends respsones back from AF to VF. When an async event like link event is received by up message when PF is in middle of forwarding VF message then mailbox errors occur because PF state machine is corrupted. Since VF is a separate driver or VF driver can be in a VM it is not possible to serialize from the start of communication at VF. Hence to differentiate between type of messages at PF this patch makes sender to set mbox data register with distinct values for up and down messages. Sender also checks whether previous interrupt is received before triggering current interrupt by waiting for mailbox data register to become zero. Fixes: 5a6d7c9daef3 ("octeontx2-pf: Mailbox communication with AF") Signed-off-by: Subbaraya Sundeep Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7d8c7bc99a3307342e0281dd7df1d717dd5e0ed1 Author: Jiri Pirko Date: Mon Mar 18 10:19:08 2024 +0100 devlink: fix port new reply cmd type [ Upstream commit 78a2f5e6c15d8dcbd6495bb9635c7cb89235dfc5 ] Due to a c&p error, port new reply fills-up cmd with wrong value, any other existing port command replies and notifications. Fix it by filling cmd with value DEVLINK_CMD_PORT_NEW. Skimmed through devlink userspace implementations, none of them cares about this cmd value. Reported-by: Chenyuan Yang Closes: https://lore.kernel.org/all/ZfZcDxGV3tSy4qsV@cy-server/ Fixes: cd76dcd68d96 ("devlink: Support add and delete devlink port") Signed-off-by: Jiri Pirko Reviewed-by: Parav Pandit Reviewed-by: Kalesh AP Link: https://lore.kernel.org/r/20240318091908.2736542-1-jiri@resnulli.us Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb Author: Thinh Tran Date: Fri Mar 15 15:55:35 2024 -0500 net/bnx2x: Prevent access to a freed page in page_pool [ Upstream commit d27e2da94a42655861ca4baea30c8cd65546f25d ] Fix race condition leading to system crash during EEH error handling During EEH error recovery, the bnx2x driver's transmit timeout logic could cause a race condition when handling reset tasks. The bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(), which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload() SGEs are freed using bnx2x_free_rx_sge_range(). However, this could overlap with the EEH driver's attempt to reset the device using bnx2x_io_slot_reset(), which also tries to free SGEs. This race condition can result in system crashes due to accessing freed memory locations in bnx2x_free_rx_sge() 799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp, 800 struct bnx2x_fastpath *fp, u16 index) 801 { 802 struct sw_rx_page *sw_buf = &fp->rx_page_ring[index]; 803 struct page *page = sw_buf->page; .... where sw_buf was set to NULL after the call to dma_unmap_page() by the preceding thread. EEH: Beginning: 'slot_reset' PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset() bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing... bnx2x 0011:01:00.0: enabling device (0140 -> 0142) bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload Kernel attempted to read user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc0080000025065fc Oops: Kernel access of bad area, sig: 11 [#1] ..... Call Trace: [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable) [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0 [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550 [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60 [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170 [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0 [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 To solve this issue, we need to verify page pool allocations before freeing. Fixes: 4cace675d687 ("bnx2x: Alloc 4k fragment for each rx ring buffer element") Signed-off-by: Thinh Tran Reviewed-by: Jiri Pirko Link: https://lore.kernel.org/r/20240315205535.1321-1-thinhtr@linux.ibm.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 338580a7fb9b0930bb38098007e89cc0fc496bf7 Author: Mikulas Patocka Date: Mon Mar 18 18:35:06 2024 +0100 dm-integrity: fix a memory leak when rechecking the data [ Upstream commit 55e565c42dce81a4e49c13262d5bc4eb4c2e588a ] Memory for the "checksums" pointer will leak if the data is rechecked after checksum failure (because the associated kfree won't happen due to 'goto skip_io'). Fix this by freeing the checksums memory before recheck, and just use the "checksum_onstack" memory for storing checksum during recheck. Fixes: c88f5e553fe3 ("dm-integrity: recheck the integrity tag after a failure") Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 4a73b5ac78ebc9c35a0f9664e5fcfd9df60e28a9 Author: Nikita Kiryushin Date: Fri Mar 15 20:50:52 2024 +0300 net: phy: fix phy_read_poll_timeout argument type in genphy_loopback [ Upstream commit 32fa4366cc4da1c97b725a0066adf43c6b298f37 ] read_poll_timeout inside phy_read_poll_timeout can set val negative in some cases (for example, __mdiobus_read inside phy_read can return -EOPNOTSUPP). Supposedly, commit 4ec732951702 ("net: phylib: fix phy_read*_poll_timeout()") should fix problems with wrong-signed vals, but I do not see how as val is sent to phy_read as is and __val = phy_read (not val) is checked for sign. Change val type for signed to allow better error handling as done in other phy_read_poll_timeout callers. This will not fix any error handling by itself, but allows, for example, to modify cond with appropriate sign check or check resulting val separately. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 014068dcb5b1 ("net: phy: genphy_loopback: add link speed configuration") Signed-off-by: Nikita Kiryushin Reviewed-by: Russell King (Oracle) Link: https://lore.kernel.org/r/20240315175052.8049-1-kiryushin@ancud.ru Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 3006137ed68a2442926fb0ef1115fcb69f066214 Author: Xiubo Li Date: Wed Feb 21 09:16:12 2024 +0800 ceph: stop copying to iter at EOF on sync reads [ Upstream commit 1065da21e5df9d843d2c5165d5d576be000142a6 ] If EOF is encountered, ceph_sync_read() return value is adjusted down according to i_size, but the "to" iter is advanced by the actual number of bytes read. Then, when retrying, the remainder of the range may be skipped incorrectly. Ensure that the "to" iter is advanced only until EOF. [ idryomov: changelog ] Fixes: c3d8e0b5de48 ("ceph: return the real size read when it hits EOF") Reported-by: Frank Hsiao Signed-off-by: Xiubo Li Reviewed-by: Ilya Dryomov Tested-by: Frank Hsiao Signed-off-by: Ilya Dryomov Signed-off-by: Sasha Levin commit a4cbcc4c4546480d69574fdff6a70842a43c2903 Author: Tobias Brunner Date: Fri Mar 15 15:35:40 2024 +0100 ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels [ Upstream commit c9b3b81716c5b92132a6c1d4ac3c48a7b44082ab ] Since the referenced commit, the xfrm_inner_extract_output() function uses the protocol field to determine the address family. So not setting it for IPv4 raw sockets meant that such packets couldn't be tunneled via IPsec anymore. IPv6 raw sockets are not affected as they already set the protocol since 9c9c9ad5fae7 ("ipv6: set skb->protocol on tcp, raw and ip6_append_data genereated skbs"). Fixes: f4796398f21b ("xfrm: Remove inner/outer modes from output path") Signed-off-by: Tobias Brunner Reviewed-by: David Ahern Reviewed-by: Nicolas Dichtel Link: https://lore.kernel.org/r/c5d9a947-eb19-4164-ac99-468ea814ce20@strongswan.org Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 0f25725d62d9a82a6ada342cc1d06c620b201ec9 Author: Felix Maurer Date: Fri Mar 15 13:04:52 2024 +0100 hsr: Handle failures in module init [ Upstream commit 3cf28cd492308e5f63ed00b29ea03ca016264376 ] A failure during registration of the netdev notifier was not handled at all. A failure during netlink initialization did not unregister the netdev notifier. Handle failures of netdev notifier registration and netlink initialization. Both functions should only return negative values on failure and thereby lead to the hsr module not being loaded. Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)") Signed-off-by: Felix Maurer Reviewed-by: Shigeru Yoshida Reviewed-by: Breno Leitao Link: https://lore.kernel.org/r/3ce097c15e3f7ace98fc7fd9bcbf299f092e63d1.1710504184.git.fmaurer@redhat.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 4a4dffdff9ea6201665f5d0a5042011d09bd527f Author: Yewon Choi Date: Fri Mar 15 18:28:38 2024 +0900 rds: introduce acquire/release ordering in acquire/release_in_xmit() [ Upstream commit 1422f28826d2a0c11e5240b3e951c9e214d8656e ] acquire/release_in_xmit() work as bit lock in rds_send_xmit(), so they are expected to ensure acquire/release memory ordering semantics. However, test_and_set_bit/clear_bit() don't imply such semantics, on top of this, following smp_mb__after_atomic() does not guarantee release ordering (memory barrier actually should be placed before clear_bit()). Instead, we use clear_bit_unlock/test_and_set_bit_lock() here. Fixes: 0f4b1c7e89e6 ("rds: fix rds_send_xmit() serialization") Fixes: 1f9ecd7eacfd ("RDS: Pass rds_conn_path to rds_send_xmit()") Signed-off-by: Yewon Choi Reviewed-by: Michal Kubiak Link: https://lore.kernel.org/r/ZfQUxnNTO9AJmzwc@libra05 Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 78739d72f16b2d7d549f713f1dfebd678d32484b Author: Nikita Zhandarovich Date: Thu Mar 14 16:49:06 2024 -0600 wireguard: receive: annotate data-race around receiving_counter.counter [ Upstream commit bba045dc4d996d03dce6fe45726e78a1a1f6d4c3 ] Syzkaller with KCSAN identified a data-race issue when accessing keypair->receiving_counter.counter. Use READ_ONCE() and WRITE_ONCE() annotations to mark the data race as intentional. BUG: KCSAN: data-race in wg_packet_decrypt_worker / wg_packet_rx_poll write to 0xffff888107765888 of 8 bytes by interrupt on cpu 0: counter_validate drivers/net/wireguard/receive.c:321 [inline] wg_packet_rx_poll+0x3ac/0xf00 drivers/net/wireguard/receive.c:461 __napi_poll+0x60/0x3b0 net/core/dev.c:6536 napi_poll net/core/dev.c:6605 [inline] net_rx_action+0x32b/0x750 net/core/dev.c:6738 __do_softirq+0xc4/0x279 kernel/softirq.c:553 do_softirq+0x5e/0x90 kernel/softirq.c:454 __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline] _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline] wg_packet_decrypt_worker+0x6c5/0x700 drivers/net/wireguard/receive.c:499 process_one_work kernel/workqueue.c:2633 [inline] ... read to 0xffff888107765888 of 8 bytes by task 3196 on cpu 1: decrypt_packet drivers/net/wireguard/receive.c:252 [inline] wg_packet_decrypt_worker+0x220/0x700 drivers/net/wireguard/receive.c:501 process_one_work kernel/workqueue.c:2633 [inline] process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706 worker_thread+0x525/0x730 kernel/workqueue.c:2787 ... Fixes: a9e90d9931f3 ("wireguard: noise: separate receive counter from send counter") Reported-by: syzbot+d1de830e4ecdaac83d89@syzkaller.appspotmail.com Signed-off-by: Nikita Zhandarovich Signed-off-by: Jason A. Donenfeld Reviewed-by: Jiri Pirko Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit e142169aca5546ae6619c39a575cda8105362100 Author: Xuan Zhuo Date: Fri Feb 23 15:18:33 2024 +0800 virtio: packed: fix unmap leak for indirect desc table [ Upstream commit d5c0ed17fea60cca9bc3bf1278b49ba79242bbcd ] When use_dma_api and premapped are true, then the do_unmap is false. Because the do_unmap is false, vring_unmap_extra_packed is not called by detach_buf_packed. if (unlikely(vq->do_unmap)) { curr = id; for (i = 0; i < state->num; i++) { vring_unmap_extra_packed(vq, &vq->packed.desc_extra[curr]); curr = vq->packed.desc_extra[curr].next; } } So the indirect desc table is not unmapped. This causes the unmap leak. So here, we check vq->use_dma_api instead. Synchronously, dma info is updated based on use_dma_api judgment This bug does not occur, because no driver use the premapped with indirect. Fixes: b319940f83c2 ("virtio_ring: skip unmap for premapped") Signed-off-by: Xuan Zhuo Message-Id: <20240223071833.26095-1-xuanzhuo@linux.alibaba.com> Signed-off-by: Michael S. Tsirkin Signed-off-by: Sasha Levin commit bf6f4d5d8c6f65be018462006df9a8779a34b9c5 Author: Jonah Palmer Date: Fri Feb 16 09:25:02 2024 -0500 vdpa/mlx5: Allow CVQ size changes [ Upstream commit 749a4016839270163efc36ecddddd01de491a16b ] The MLX driver was not updating its control virtqueue size at set_vq_num and instead always initialized to MLX5_CVQ_MAX_ENT (16) at setup_cvq_vring. Qemu would try to set the size to 64 by default, however, because the CVQ size always was initialized to 16, an error would be thrown when sending >16 control messages (as used-ring entry 17 is initialized to 0). For example, starting a guest with x-svq=on and then executing the following command would produce the error below: # for i in {1..20}; do ifconfig eth0 hw ether XX:xx:XX:xx:XX:XX; done qemu-system-x86_64: Insufficient written data (0) [ 435.331223] virtio_net virtio0: Failed to set mac address by vq command. SIOCSIFHWADDR: Invalid argument Acked-by: Dragos Tatulea Acked-by: Eugenio Pérez Signed-off-by: Jonah Palmer Message-Id: <20240216142502.78095-1-jonah.palmer@oracle.com> Signed-off-by: Michael S. Tsirkin Tested-by: Lei Yang Fixes: 5262912ef3cf ("vdpa/mlx5: Add support for control VQ and MAC setting") Signed-off-by: Sasha Levin commit cddd85da38b9d92eca0e4248b64332eb096f35f9 Author: Steve Sistare Date: Fri Feb 9 14:30:07 2024 -0800 vdpa_sim: reset must not run [ Upstream commit 9588e7fc511f9c55b9835f14916e90ab940061b7 ] vdpasim_do_reset sets running to true, which is wrong, as it allows vdpasim_kick_vq to post work requests before the device has been configured. To fix, do not set running until VIRTIO_CONFIG_S_DRIVER_OK is set. Fixes: 0c89e2a3a9d0 ("vdpa_sim: Implement suspend vdpa op") Signed-off-by: Steve Sistare Reviewed-by: Eugenio Pérez Acked-by: Jason Wang Message-Id: <1707517807-137331-1-git-send-email-steven.sistare@oracle.com> Signed-off-by: Michael S. Tsirkin Signed-off-by: Sasha Levin commit 296e6678a432aaff0b8c6a6a17b9b2b193556c71 Author: Arthur Grillo Date: Sat Mar 16 13:25:20 2024 -0300 drm: Fix drm_fixp2int_round() making it add 0.5 [ Upstream commit 807f96abdf14c80f534c78f2d854c2590963345c ] As well noted by Pekka[1], the rounding of drm_fixp2int_round is wrong. To round a number, you need to add 0.5 to the number and floor that, drm_fixp2int_round() is adding 0.0000076. Make it add 0.5. [1]: https://lore.kernel.org/all/20240301135327.22efe0dd.pekka.paalanen@collabora.com/ Fixes: 8b25320887d7 ("drm: Add fixed-point helper to get rounded integer values") Suggested-by: Pekka Paalanen Reviewed-by: Harry Wentland Reviewed-by: Melissa Wen Signed-off-by: Arthur Grillo Signed-off-by: Melissa Wen Link: https://patchwork.freedesktop.org/patch/msgid/20240316-drm_fixed-v2-1-c1bc2665b5ed@riseup.net Signed-off-by: Sasha Levin commit 720a92c24d4e319c4fb5b72fe55f44e1172ad6cb Author: Adam Butcher Date: Mon Mar 18 17:50:52 2024 +0000 spi: spi-imx: fix off-by-one in mx51 CPU mode burst length [ Upstream commit cf6d79a0f5769b5f4d9579ddaf88d2c30b03b873 ] c712c05e46c8 ("spi: imx: fix the burst length at DMA mode and CPU mode") corrects three cases of setting the ECSPI burst length but erroneously leaves the in-range CPU case one bit to big (in that field a value of 0 means 1 bit). The effect was that transmissions that should have been 8-bit bytes appeared as 9-bit causing failed communication with SPI devices. Link: https://lore.kernel.org/all/20240201105451.507005-1-carlos.song@nxp.com/ Link: https://lore.kernel.org/all/20240204091912.36488-1-carlos.song@nxp.com/ Fixes: c712c05e46c8 ("spi: imx: fix the burst length at DMA mode and CPU mode") Signed-off-by: Adam Butcher Link: https://msgid.link/r/20240318175119.3334-1-adam@jessamine.co.uk Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5c1e6df309ca4fdf5ff4d799f4fd9e6c5e16b5f7 Author: Arınç ÜNAL Date: Thu Mar 14 12:28:35 2024 +0300 net: dsa: mt7530: prevent possible incorrect XTAL frequency selection [ Upstream commit f490c492e946d8ffbe65ad4efc66de3c5ede30a4 ] On MT7530, the HT_XTAL_FSEL field of the HWTRAP register stores a 2-bit value that represents the frequency of the crystal oscillator connected to the switch IC. The field is populated by the state of the ESW_P4_LED_0 and ESW_P4_LED_0 pins, which is done right after reset is deasserted. ESW_P4_LED_0 ESW_P3_LED_0 Frequency ----------------------------------------- 0 0 Reserved 0 1 20MHz 1 0 40MHz 1 1 25MHz On MT7531, the XTAL25 bit of the STRAP register stores this. The LAN0LED0 pin is used to populate the bit. 25MHz when the pin is high, 40MHz when it's low. These pins are also used with LEDs, therefore, their state can be set to something other than the bootstrapping configuration. For example, a link may be established on port 3 before the DSA subdriver takes control of the switch which would set ESW_P3_LED_0 to high. Currently on mt7530_setup() and mt7531_setup(), 1000 - 1100 usec delay is described between reset assertion and deassertion. Some switch ICs in real life conditions cannot always have these pins set back to the bootstrapping configuration before reset deassertion in this amount of delay. This causes wrong crystal frequency to be selected which puts the switch in a nonfunctional state after reset deassertion. The tests below are conducted on an MT7530 with a 40MHz crystal oscillator by Justin Swartz. With a cable from an active peer connected to port 3 before reset, an incorrect crystal frequency (0b11 = 25MHz) is selected: [1] [3] [5] : : : _____________________________ __________________ ESW_P4_LED_0 |_______| _____________________________ ESW_P3_LED_0 |__________________________ : : : : : : [4]...: : : [2]................: [1] Reset is asserted. [2] Period of 1000 - 1100 usec. [3] Reset is deasserted. [4] Period of 315 usec. HWTRAP register is populated with incorrect XTAL frequency. [5] Signals reflect the bootstrapped configuration. Increase the delay between reset_control_assert() and reset_control_deassert(), and gpiod_set_value_cansleep(priv->reset, 0) and gpiod_set_value_cansleep(priv->reset, 1) to 5000 - 5100 usec. This amount ensures a higher possibility that the switch IC will have these pins back to the bootstrapping configuration before reset deassertion. With a cable from an active peer connected to port 3 before reset, the correct crystal frequency (0b10 = 40MHz) is selected: [1] [2-1] [3] [5] : : : : _____________________________ __________________ ESW_P4_LED_0 |_______| ___________________ _______ ESW_P3_LED_0 |_________| |__________________ : : : : : : [2-2]...: [4]...: [2]................: [1] Reset is asserted. [2] Period of 5000 - 5100 usec. [2-1] ESW_P3_LED_0 goes low. [2-2] Remaining period of 5000 - 5100 usec. [3] Reset is deasserted. [4] Period of 310 usec. HWTRAP register is populated with bootstrapped XTAL frequency. [5] Signals reflect the bootstrapped configuration. ESW_P3_LED_0 low period before reset deassertion: 5000 usec - 5100 usec TEST RESET HOLD # (usec) --------------------- 1 5410 2 5440 3 4375 4 5490 5 5475 6 4335 7 4370 8 5435 9 4205 10 4335 11 3750 12 3170 13 4395 14 4375 15 3515 16 4335 17 4220 18 4175 19 4175 20 4350 Min 3170 Max 5490 Median 4342.500 Avg 4466.500 Revert commit 2920dd92b980 ("net: dsa: mt7530: disable LEDs before reset"). Changing the state of pins via reset assertion is simpler and more efficient than doing so by setting the LED controller off. Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch") Fixes: c288575f7810 ("net: dsa: mt7530: Add the support of MT7531 switch") Co-developed-by: Justin Swartz Signed-off-by: Justin Swartz Signed-off-by: Arınç ÜNAL Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 8c1901e75ccc89da56e4cb534d314c07e4fdec26 Author: Ignat Korchagin Date: Wed Mar 13 19:37:58 2024 +0100 net: veth: do not manipulate GRO when using XDP [ Upstream commit d7db7775ea2e31502d46427f5efd385afc4ff1eb ] Commit d3256efd8e8b ("veth: allow enabling NAPI even without XDP") tried to fix the fact that GRO was not possible without XDP, because veth did not use NAPI without XDP. However, it also introduced the behaviour that GRO is always enabled, when XDP is enabled. While it might be desired for most cases, it is confusing for the user at best as the GRO flag suddenly changes, when an XDP program is attached. It also introduces some complexities in state management as was partially addressed in commit fe9f801355f0 ("net: veth: clear GRO when clearing XDP even when down"). But the biggest problem is that it is not possible to disable GRO at all, when an XDP program is attached, which might be needed for some use cases. Fix this by not touching the GRO flag on XDP enable/disable as the code already supports switching to NAPI if either GRO or XDP is requested. Link: https://lore.kernel.org/lkml/20240311124015.38106-1-ignat@cloudflare.com/ Fixes: d3256efd8e8b ("veth: allow enabling NAPI even without XDP") Fixes: fe9f801355f0 ("net: veth: clear GRO when clearing XDP even when down") Signed-off-by: Ignat Korchagin Reviewed-by: Toke Høiland-Jørgensen Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6312d88f9f67ddd121ad18544a8044a82f053799 Author: Leon Romanovsky Date: Tue Mar 12 13:55:22 2024 +0200 xfrm: Allow UDP encapsulation only in offload modes [ Upstream commit 773bb766ca4a05bf363203030b72b10088869224 ] The missing check of x->encap caused to the situation where GSO packets were created with UDP encapsulation. As a solution return the encap check for non-offloaded SA. Fixes: 983a73da1f99 ("xfrm: Pass UDP encapsulation in TX packet offload") Closes: https://lore.kernel.org/all/a650221ae500f0c7cf496c61c96c1b103dcb6f67.camel@redhat.com Reported-by: Paolo Abeni Signed-off-by: Leon Romanovsky Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit 2c02c5059c78a52d170bdee4a369b470de6deb37 Author: Eric Dumazet Date: Thu Mar 14 14:18:16 2024 +0000 packet: annotate data-races around ignore_outgoing [ Upstream commit 6ebfad33161afacb3e1e59ed1c2feefef70f9f97 ] ignore_outgoing is read locklessly from dev_queue_xmit_nit() and packet_getsockopt() Add appropriate READ_ONCE()/WRITE_ONCE() annotations. syzbot reported: BUG: KCSAN: data-race in dev_queue_xmit_nit / packet_setsockopt write to 0xffff888107804542 of 1 bytes by task 22618 on cpu 0: packet_setsockopt+0xd83/0xfd0 net/packet/af_packet.c:4003 do_sock_setsockopt net/socket.c:2311 [inline] __sys_setsockopt+0x1d8/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0x66/0x80 net/socket.c:2340 do_syscall_64+0xd3/0x1d0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 read to 0xffff888107804542 of 1 bytes by task 27 on cpu 1: dev_queue_xmit_nit+0x82/0x620 net/core/dev.c:2248 xmit_one net/core/dev.c:3527 [inline] dev_hard_start_xmit+0xcc/0x3f0 net/core/dev.c:3547 __dev_queue_xmit+0xf24/0x1dd0 net/core/dev.c:4335 dev_queue_xmit include/linux/netdevice.h:3091 [inline] batadv_send_skb_packet+0x264/0x300 net/batman-adv/send.c:108 batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline] batadv_iv_send_outstanding_bat_ogm_packet+0x3f0/0x4b0 net/batman-adv/bat_iv_ogm.c:1700 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0x465/0x990 kernel/workqueue.c:3335 worker_thread+0x526/0x730 kernel/workqueue.c:3416 kthread+0x1d1/0x210 kernel/kthread.c:388 ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 value changed: 0x00 -> 0x01 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 27 Comm: kworker/u8:1 Tainted: G W 6.8.0-syzkaller-08073-g480e035fc4c7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet Fixes: fa788d986a3a ("packet: add sockopt to ignore outgoing packets") Reported-by: syzbot+c669c1136495a2e7c31f@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/CANn89i+Z7MfbkBLOv=p7KZ7=K1rKHO4P1OL5LYDCtBiyqsa9oQ@mail.gmail.com/T/#t Signed-off-by: Eric Dumazet Cc: Willem de Bruijn Reviewed-by: Willem de Bruijn Reviewed-by: Jason Xing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cfbb3abadc330eee433e4f35124ee19f644254b7 Author: Juergen Gross Date: Wed Mar 13 08:14:09 2024 +0100 xen/events: increment refcnt only if event channel is refcounted [ Upstream commit d277f9d82802223f242cd9b60c988cfdda1d6be0 ] In bind_evtchn_to_irq_chip() don't increment the refcnt of the event channel blindly. In case the event channel is NOT refcounted, issue a warning instead. Add an additional safety net by doing the refcnt increment only if the caller has specified IRQF_SHARED in the irqflags parameter. Fixes: 9e90e58c11b7 ("xen: evtchn: Allow shared registration of IRQ handers") Signed-off-by: Juergen Gross Reviewed-by: Oleksandr Tyshchenko Link: https://lore.kernel.org/r/20240313071409.25913-3-jgross@suse.com Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit 99e425032c6ec13584d3cd33846e0c7307501b47 Author: Juergen Gross Date: Wed Mar 13 08:14:08 2024 +0100 xen/evtchn: avoid WARN() when unbinding an event channel [ Upstream commit 51c23bd691c0f1fb95b29731c356c6fd69925d17 ] When unbinding a user event channel, the related handler might be called a last time in case the kernel was built with CONFIG_DEBUG_SHIRQ. This might cause a WARN() in the handler. Avoid that by adding an "unbinding" flag to struct user_event which will short circuit the handler. Fixes: 9e90e58c11b7 ("xen: evtchn: Allow shared registration of IRQ handers") Reported-by: Demi Marie Obenour Tested-by: Demi Marie Obenour Signed-off-by: Juergen Gross Reviewed-by: Oleksandr Tyshchenko Link: https://lore.kernel.org/r/20240313071409.25913-2-jgross@suse.com Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit f0f52af461df524d7b396bbe61c1f263808802dc Author: Alexandre Ghiti Date: Mon Mar 4 09:02:47 2024 +0100 riscv: Fix compilation error with FAST_GUP and rv32 [ Upstream commit 2bb7e0c49302feec1c2f777bbfe8726169986ed8 ] By surrounding the definition of pte_leaf_size() with a ifdef napot as it should have been. Fixes: e0fe5ab4192c ("riscv: Fix pte_leaf_size() for NAPOT") Signed-off-by: Alexandre Ghiti Reviewed-by: Randy Dunlap Tested-by: Randy Dunlap # build-tested Link: https://lore.kernel.org/r/20240304080247.387710-1-alexghiti@rivosinc.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 4cbc5e93bf6eb238cfaa9b839083cd66d2914ce4 Author: Pavel Begunkov Date: Fri Mar 15 15:29:51 2024 +0000 io_uring: fix poll_remove stalled req completion [ Upstream commit 5e3afe580a9f5ca173a6bd55ffe10948796ef7e5 ] Taking the ctx lock is not enough to use the deferred request completion infrastructure, it'll get queued into the list but no one would expect it there, so it will sit there until next io_submit_flush_completions(). It's hard to care about the cancellation path, so complete it via tw. Fixes: ef7dfac51d8ed ("io_uring/poll: serialize poll linked timer start with poll removal") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/c446740bc16858f8a2a8dcdce899812f21d15f23.1710514702.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 943c14ece95eb1cf98d477462aebcbfdfd714633 Author: Daniel Golle Date: Wed Mar 13 22:50:40 2024 +0000 net: ethernet: mtk_eth_soc: fix PPE hanging issue [ Upstream commit ea80e3ed09ab2c2b75724faf5484721753e92c31 ] A patch to resolve an issue was found in MediaTek's GPL-licensed SDK: In the mtk_ppe_stop() function, the PPE scan mode is not disabled before disabling the PPE. This can potentially lead to a hang during the process of disabling the PPE. Without this patch, the PPE may experience a hang during the reboot test. Link: https://git01.mediatek.com/plugins/gitiles/openwrt/feeds/mtk-openwrt-feeds/+/b40da332dfe763932a82f9f62a4709457a15dd6c Fixes: ba37b7caf1ed ("net: ethernet: mtk_eth_soc: add support for initializing the PPE") Suggested-by: Bc-bocun Chen Signed-off-by: Daniel Golle Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1f32abb474c1c9bdb21d9eda74c325a0b3a162e5 Author: Daniel Golle Date: Wed Mar 13 22:50:18 2024 +0000 net: mediatek: mtk_eth_soc: clear MAC_MCR_FORCE_LINK only when MAC is up [ Upstream commit f1b85ef15a99f06ed48871ce933d591127d2dcc0 ] Clearing bit MAC_MCR_FORCE_LINK which forces the link down too early can result in MAC ending up in a broken/blocked state. Fix this by handling this bit in the .mac_link_up and .mac_link_down calls instead of in .mac_finish. Fixes: b8fc9f30821e ("net: ethernet: mediatek: Add basic PHYLINK support") Suggested-by: Mason-cw Chang Signed-off-by: Daniel Golle Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ff2f90f88d78559802466ad1c84ac5bda4416b3a Author: Chunguang Xu Date: Mon Mar 11 10:09:27 2024 +0800 nvme: fix reconnection fail due to reserved tag allocation [ Upstream commit de105068fead55ed5c07ade75e9c8e7f86a00d1d ] We found a issue on production environment while using NVMe over RDMA, admin_q reconnect failed forever while remote target and network is ok. After dig into it, we found it may caused by a ABBA deadlock due to tag allocation. In my case, the tag was hold by a keep alive request waiting inside admin_q, as we quiesced admin_q while reset ctrl, so the request maked as idle and will not process before reset success. As fabric_q shares tagset with admin_q, while reconnect remote target, we need a tag for connect command, but the only one reserved tag was held by keep alive command which waiting inside admin_q. As a result, we failed to reconnect admin_q forever. In order to fix this issue, I think we should keep two reserved tags for admin queue. Fixes: ed01fee283a0 ("nvme-fabrics: only reserve a single tag") Signed-off-by: Chunguang Xu Reviewed-by: Sagi Grimberg Reviewed-by: Chaitanya Kulkarni Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit dd3ffa27270e0e3cfdb72c9469ae0b0ec88f1e06 Author: Duanqiang Wen Date: Wed Mar 13 16:06:34 2024 +0800 net: txgbe: fix clk_name exceed MAX_DEV_ID limits [ Upstream commit e30cef001da259e8df354b813015d0e5acc08740 ] txgbe register clk which name is i2c_designware.pci_dev_id(), clk_name will be stored in clk_lookup_alloc. If PCIe bus number is larger than 0x39, clk_name size will be larger than 20 bytes. It exceeds clk_lookup_alloc MAX_DEV_ID limits. So the driver shortened clk_name. Fixes: b63f20485e43 ("net: txgbe: Register fixed rate clock") Signed-off-by: Duanqiang Wen Reviewed-by: Michal Kubiak Link: https://lore.kernel.org/r/20240313080634.459523-1-duanqiangwen@net-swift.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 39cc316fb3bc5e7c9dc5eed314fe510d119c6862 Author: Shigeru Yoshida Date: Wed Mar 13 00:27:19 2024 +0900 hsr: Fix uninit-value access in hsr_get_node() [ Upstream commit ddbec99f58571301679addbc022256970ca3eac6 ] KMSAN reported the following uninit-value access issue [1]: ===================================================== BUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 fill_frame_info net/hsr/hsr_forward.c:577 [inline] hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615 hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 packet_alloc_skb net/packet/af_packet.c:2936 [inline] packet_snd net/packet/af_packet.c:3030 [inline] packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 ===================================================== If the packet type ID field in the Ethernet header is either ETH_P_PRP or ETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr() reads an invalid value as a sequence number. This causes the above issue. This patch fixes the issue by returning NULL if the Ethernet header is not followed by an HSR tag. Fixes: f266a683a480 ("net/hsr: Better frame dispatch") Reported-and-tested-by: syzbot+2ef3a8ce8e91b5a50098@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=2ef3a8ce8e91b5a50098 [1] Signed-off-by: Shigeru Yoshida Link: https://lore.kernel.org/r/20240312152719.724530-1-syoshida@redhat.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit aba8659caf88017507419feea06069f529329ea6 Author: William Tu Date: Sat Mar 9 20:31:47 2024 +0200 vmxnet3: Fix missing reserved tailroom [ Upstream commit e127ce7699c1e05279ee5ee61f00893e7bfa9671 ] Use rbi->len instead of rcd->len for non-dataring packet. Found issue: XDP_WARN: xdp_update_frame_from_buff(line:278): Driver BUG: missing reserved tailroom WARNING: CPU: 0 PID: 0 at net/core/xdp.c:586 xdp_warn+0xf/0x20 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W O 6.5.1 #1 RIP: 0010:xdp_warn+0xf/0x20 ... ? xdp_warn+0xf/0x20 xdp_do_redirect+0x15f/0x1c0 vmxnet3_run_xdp+0x17a/0x400 [vmxnet3] vmxnet3_process_xdp+0xe4/0x760 [vmxnet3] ? vmxnet3_tq_tx_complete.isra.0+0x21e/0x2c0 [vmxnet3] vmxnet3_rq_rx_complete+0x7ad/0x1120 [vmxnet3] vmxnet3_poll_rx_only+0x2d/0xa0 [vmxnet3] __napi_poll+0x20/0x180 net_rx_action+0x177/0x390 Reported-by: Martin Zaharinov Tested-by: Martin Zaharinov Link: https://lore.kernel.org/netdev/74BF3CC8-2A3A-44FF-98C2-1E20F110A92E@gmail.com/ Fixes: 54f00cce1178 ("vmxnet3: Add XDP support.") Signed-off-by: William Tu Link: https://lore.kernel.org/r/20240309183147.28222-1-witu@nvidia.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 856baaa100cd288d3685eedae9a129c996e7e755 Author: Kuniyuki Iwashima Date: Fri Mar 8 12:16:23 2024 -0800 tcp: Fix refcnt handling in __inet_hash_connect(). [ Upstream commit 04d9d1fc428ac9f581d55118d67e0cb546701feb ] syzbot reported a warning in sk_nulls_del_node_init_rcu(). The commit 66b60b0c8c4a ("dccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().") tried to fix an issue that an unconnected socket occupies an ehash entry when bhash2 allocation fails. In such a case, we need to revert changes done by check_established(), which does not hold refcnt when inserting socket into ehash. So, to revert the change, we need to __sk_nulls_add_node_rcu() instead of sk_nulls_add_node_rcu(). Otherwise, sock_put() will cause refcnt underflow and leak the socket. [0]: WARNING: CPU: 0 PID: 23948 at include/net/sock.h:799 sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799 Modules linked in: CPU: 0 PID: 23948 Comm: syz-executor.2 Not tainted 6.8.0-rc6-syzkaller-00159-gc055fc00c07b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799 Code: e8 7f 71 c6 f7 83 fb 02 7c 25 e8 35 6d c6 f7 4d 85 f6 0f 95 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 1b 6d c6 f7 90 <0f> 0b 90 eb b2 e8 10 6d c6 f7 4c 89 e7 be 04 00 00 00 e8 63 e7 d2 RSP: 0018:ffffc900032d7848 EFLAGS: 00010246 RAX: ffffffff89cd0035 RBX: 0000000000000001 RCX: 0000000000040000 RDX: ffffc90004de1000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: 1ffff1100439ac26 R08: ffffffff89ccffe3 R09: 1ffff1100439ac28 R10: dffffc0000000000 R11: ffffed100439ac29 R12: ffff888021cd6140 R13: dffffc0000000000 R14: ffff88802a9bf5c0 R15: ffff888021cd6130 FS: 00007f3b823f16c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f3b823f0ff8 CR3: 000000004674a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __inet_hash_connect+0x140f/0x20b0 net/ipv4/inet_hashtables.c:1139 dccp_v6_connect+0xcb9/0x1480 net/dccp/ipv6.c:956 __inet_stream_connect+0x262/0xf30 net/ipv4/af_inet.c:678 inet_stream_connect+0x65/0xa0 net/ipv4/af_inet.c:749 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7f3b8167dda9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f3b823f10c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007f3b817abf80 RCX: 00007f3b8167dda9 RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007f3b823f1120 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 000000000000000b R14: 00007f3b817abf80 R15: 00007ffd3beb57b8 Reported-by: syzbot+12c506c1aae251e70449@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=12c506c1aae251e70449 Fixes: 66b60b0c8c4a ("dccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().") Signed-off-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/20240308201623.65448-1-kuniyu@amazon.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 0b6f39c175ba5f0ef72bdb3b9d2a06ad78621d62 Author: Gabriel Krisman Bertazi Date: Wed Mar 13 17:39:12 2024 -0400 io_uring: Fix release of pinned pages when __io_uaddr_map fails [ Upstream commit 67d1189d1095d471ed7fa426c7e384a7140a5dd7 ] Looking at the error path of __io_uaddr_map, if we fail after pinning the pages for any reasons, ret will be set to -EINVAL and the error handler won't properly release the pinned pages. I didn't manage to trigger it without forcing a failure, but it can happen in real life when memory is heavily fragmented. Signed-off-by: Gabriel Krisman Bertazi Fixes: 223ef4743164 ("io_uring: don't allow IORING_SETUP_NO_MMAP rings on highmem pages") Link: https://lore.kernel.org/r/20240313213912.1920-1-krisman@suse.de Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 9d47d2e7f82dec7cab09996bdb9062786eb827f6 Author: Sibi Sankar Date: Tue Mar 12 16:07:23 2024 +0530 cpufreq: Fix per-policy boost behavior on SoCs using cpufreq_boost_set_sw() [ Upstream commit f37a4d6b4a2c77414e8b9d25dd5ee31537ce9b00 ] In the existing code, per-policy flags don't have any impact i.e. if cpufreq_driver boost is enabled and boost is disabled for one or more of the policies, the cpufreq driver will behave as if boost is enabled. Fix this by incorporating per-policy boost flag in the policy->max computation used in cpufreq_frequency_table_cpuinfo and setting the default per-policy boost to mirror the cpufreq_driver boost flag. Fixes: 218a06a79d9a ("cpufreq: Support per-policy performance boost") Reported-by: Dietmar Eggemann Reviewed-by: Viresh Kumar Reviewed-by: Dhruva Gole Signed-off-by: Sibi Sankar Tested-by:Yipeng Zou Reviewed-by: Yipeng Zou Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit fa92366e413fdb87379ebd0e11eae24259c68028 Author: Arnd Bergmann Date: Fri Feb 9 20:34:36 2024 +0100 soc: fsl: dpio: fix kcalloc() argument order [ Upstream commit 72ebb41b88f9d7c10c5e159e0507074af0a22fe2 ] A previous bugfix added a call to kcalloc(), which starting in gcc-14 causes a harmless warning about the argument order: drivers/soc/fsl/dpio/dpio-service.c: In function 'dpaa2_io_service_enqueue_multiple_desc_fq': drivers/soc/fsl/dpio/dpio-service.c:526:29: error: 'kcalloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Werror=calloc-transposed-args] 526 | ed = kcalloc(sizeof(struct qbman_eq_desc), 32, GFP_KERNEL); | ^~~~~~ drivers/soc/fsl/dpio/dpio-service.c:526:29: note: earlier argument should specify number of elements, later size of each element Since the two are only multiplied, the order does not change the behavior, so just fix it now to shut up the compiler warning. Dmity independently came up with the same fix. Fixes: 5c4a5999b245 ("soc: fsl: dpio: avoid stack usage warning") Reported-by: Dmitry Antipov Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 6915b1b28fe57e92c78e664366dc61c4f15ff03b Author: Eric Dumazet Date: Mon Mar 11 20:46:28 2024 +0000 net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check [ Upstream commit 343041b59b7810f9cdca371f445dd43b35c740b1 ] taprio_parse_tc_entry() is not correctly checking TCA_TAPRIO_TC_ENTRY_INDEX attribute: int tc; // Signed value tc = nla_get_u32(tb[TCA_TAPRIO_TC_ENTRY_INDEX]); if (tc >= TC_QOPT_MAX_QUEUE) { NL_SET_ERR_MSG_MOD(extack, "TC entry index out of range"); return -ERANGE; } syzbot reported that it could fed arbitary negative values: UBSAN: shift-out-of-bounds in net/sched/sch_taprio.c:1722:18 shift exponent -2147418108 is negative CPU: 0 PID: 5066 Comm: syz-executor367 Not tainted 6.8.0-rc7-syzkaller-00136-gc8a5c731fd12 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [inline] __ubsan_handle_shift_out_of_bounds+0x3c7/0x420 lib/ubsan.c:386 taprio_parse_tc_entry net/sched/sch_taprio.c:1722 [inline] taprio_parse_tc_entries net/sched/sch_taprio.c:1768 [inline] taprio_change+0xb87/0x57d0 net/sched/sch_taprio.c:1877 taprio_init+0x9da/0xc80 net/sched/sch_taprio.c:2134 qdisc_create+0x9d4/0x1190 net/sched/sch_api.c:1355 tc_modify_qdisc+0xa26/0x1e40 net/sched/sch_api.c:1776 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6617 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7f1b2dea3759 Code: 48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd4de452f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f1b2def0390 RCX: 00007f1b2dea3759 RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004 RBP: 0000000000000003 R08: 0000555500000000 R09: 0000555500000000 R10: 0000555500000000 R11: 0000000000000246 R12: 00007ffd4de45340 R13: 00007ffd4de45310 R14: 0000000000000001 R15: 00007ffd4de45340 Fixes: a54fc09e4cba ("net/sched: taprio: allow user input of per-tc max SDU") Reported-and-tested-by: syzbot+a340daa06412d6028918@syzkaller.appspotmail.com Signed-off-by: Eric Dumazet Cc: Vladimir Oltean Reviewed-by: Michal Kubiak Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 517a2390cd8d8b55d29b5692410c12c91076fd70 Author: Mete Durlu Date: Wed Mar 6 12:31:52 2024 +0100 s390/vtime: fix average steal time calculation [ Upstream commit 367c50f78451d3bd7ad70bc5c89f9ba6dec46ca9 ] Current average steal timer calculation produces volatile and inflated values. The only user of this value is KVM so far and it uses that to decide whether or not to yield the vCPU which is seeing steal time. KVM compares average steal timer to a threshold and if the threshold is past then it does not allow CPU polling and yields it to host, else it keeps the CPU by polling. Since KVM's steal time threshold is very low by default (%10) it most likely is not effected much by the bloated average steal timer values because the operating region is pretty small. However there might be new users in the future who might rely on this number. Fix average steal timer calculation by changing the formula from: avg_steal_timer = avg_steal_timer / 2 + steal_timer; to the following: avg_steal_timer = (avg_steal_timer + steal_timer) / 2; This ensures that avg_steal_timer is actually a naive average of steal timer values. It now closely follows steal timer values but of course in a smoother manner. Fixes: 152e9b8676c6 ("s390/vtime: steal time exponential moving average") Signed-off-by: Mete Durlu Acked-by: Heiko Carstens Acked-by: Christian Borntraeger Signed-off-by: Heiko Carstens Signed-off-by: Sasha Levin commit 32eeb4b5ecd8864fa3c08892416ec9824ab2f4c8 Author: Linu Cherian Date: Tue Mar 12 12:36:22 2024 +0530 octeontx2-af: Use matching wake_up API variant in CGX command interface [ Upstream commit e642921dfeed1e15e73f78f2c3b6746f72b6deb2 ] Use wake_up API instead of wake_up_interruptible, since wait_event_timeout API is used for waiting on command completion. Fixes: 1463f382f58d ("octeontx2-af: Add support for CGX link management") Signed-off-by: Linu Cherian Signed-off-by: Sunil Goutham Signed-off-by: Subbaraya Sundeep Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f901ee07853ce97e9f1104c7c898fbbe447f0279 Author: Kuniyuki Iwashima Date: Fri Mar 8 12:01:22 2024 -0800 rds: tcp: Fix use-after-free of net in reqsk_timer_handler(). [ Upstream commit 2a750d6a5b365265dbda33330a6188547ddb5c24 ] syzkaller reported a warning of netns tracker [0] followed by KASAN splat [1] and another ref tracker warning [1]. syzkaller could not find a repro, but in the log, the only suspicious sequence was as follows: 18:26:22 executing program 1: r0 = socket$inet6_mptcp(0xa, 0x1, 0x106) ... connect$inet6(r0, &(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async) The notable thing here is 0x4001 in connect(), which is RDS_TCP_PORT. So, the scenario would be: 1. unshare(CLONE_NEWNET) creates a per netns tcp listener in rds_tcp_listen_init(). 2. syz-executor connect()s to it and creates a reqsk. 3. syz-executor exit()s immediately. 4. netns is dismantled. [0] 5. reqsk timer is fired, and UAF happens while freeing reqsk. [1] 6. listener is freed after RCU grace period. [2] Basically, reqsk assumes that the listener guarantees netns safety until all reqsk timers are expired by holding the listener's refcount. However, this was not the case for kernel sockets. Commit 740ea3c4a0b2 ("tcp: Clean up kernel listener's reqsk in inet_twsk_purge()") fixed this issue only for per-netns ehash. Let's apply the same fix for the global ehash. [0]: ref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146) inet6_create (net/ipv6/af_inet6.c:192 net/ipv6/af_inet6.c:119) __sock_create (net/socket.c:1572) rds_tcp_listen_init (net/rds/tcp_listen.c:279) rds_tcp_init_net (net/rds/tcp.c:577) ops_init (net/core/net_namespace.c:137) setup_net (net/core/net_namespace.c:340) copy_net_ns (net/core/net_namespace.c:497) create_new_namespaces (kernel/nsproxy.c:110) unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4)) ksys_unshare (kernel/fork.c:3429) __x64_sys_unshare (kernel/fork.c:3496) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) ... WARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179) [1]: BUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966) Read of size 8 at addr ffff88801b370400 by task swapper/0/0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) kasan_report (mm/kasan/report.c:603) inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966) reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092) call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701) __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038) run_timer_softirq (kernel/time/timer.c:2053) __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554) irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14)) Allocated by task 258 on cpu 0 at 83.612050s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) __kasan_slab_alloc (mm/kasan/common.c:343) kmem_cache_alloc (mm/slub.c:3813 mm/slub.c:3860 mm/slub.c:3867) copy_net_ns (./include/linux/slab.h:701 net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces (kernel/nsproxy.c:110) unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4)) ksys_unshare (kernel/fork.c:3429) __x64_sys_unshare (kernel/fork.c:3496) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) Freed by task 27 on cpu 0 at 329.158864s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) kasan_save_free_info (mm/kasan/generic.c:643) __kasan_slab_free (mm/kasan/common.c:265) kmem_cache_free (mm/slub.c:4299 mm/slub.c:4363) cleanup_net (net/core/net_namespace.c:456 net/core/net_namespace.c:446 net/core/net_namespace.c:639) process_one_work (kernel/workqueue.c:2638) worker_thread (kernel/workqueue.c:2700 kernel/workqueue.c:2787) kthread (kernel/kthread.c:388) ret_from_fork (arch/x86/kernel/process.c:153) ret_from_fork_asm (arch/x86/entry/entry_64.S:250) The buggy address belongs to the object at ffff88801b370000 which belongs to the cache net_namespace of size 4352 The buggy address is located 1024 bytes inside of freed 4352-byte region [ffff88801b370000, ffff88801b371100) [2]: WARNING: CPU: 0 PID: 95 at lib/ref_tracker.c:228 ref_tracker_free (lib/ref_tracker.c:228 (discriminator 1)) Modules linked in: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:ref_tracker_free (lib/ref_tracker.c:228 (discriminator 1)) ... Call Trace: __sk_destruct (./include/net/net_namespace.h:353 net/core/sock.c:2204) rcu_core (./arch/x86/include/asm/preempt.h:26 kernel/rcu/tree.c:2165 kernel/rcu/tree.c:2433) __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554) irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14)) Reported-by: syzkaller Suggested-by: Eric Dumazet Fixes: 467fa15356ac ("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.") Signed-off-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/20240308200122.64357-3-kuniyu@amazon.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 363ceb44305dec14fc1171ae513b7828cf972e57 Author: Eric Dumazet Date: Fri Mar 8 12:01:21 2024 -0800 tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge() [ Upstream commit 1c4e97dd2d3c9a3e84f7e26346aa39bc426d3249 ] inet_twsk_purge() uses rcu to find TIME_WAIT and NEW_SYN_RECV objects to purge. These objects use SLAB_TYPESAFE_BY_RCU semantic and need special care. We need to use refcount_inc_not_zero(&sk->sk_refcnt). Reuse the existing correct logic I wrote for TIME_WAIT, because both structures have common locations for sk_state, sk_family, and netns pointer. If after the refcount_inc_not_zero() the object fields longer match the keys, use sock_gen_put(sk) to release the refcount. Then we can call inet_twsk_deschedule_put() for TIME_WAIT, inet_csk_reqsk_queue_drop_and_put() for NEW_SYN_RECV sockets, with BH disabled. Then we need to restart the loop because we had drop rcu_read_lock(). Fixes: 740ea3c4a0b2 ("tcp: Clean up kernel listener's reqsk in inet_twsk_purge()") Link: https://lore.kernel.org/netdev/CANn89iLvFuuihCtt9PME2uS1WJATnf5fKjDToa1WzVnRzHnPfg@mail.gmail.com/T/#u Signed-off-by: Eric Dumazet Link: https://lore.kernel.org/r/20240308200122.64357-2-kuniyu@amazon.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 123c3bcc04cf7d8efda207a920c7a64b5881e485 Author: Dave Airlie Date: Mon Mar 11 17:20:37 2024 +1000 nouveau: reset the bo resource bus info after an eviction [ Upstream commit f35c9af45ea7a4b1115b193d84858b14d13517fc ] Later attempts to refault the bo won't happen and the whole GPU does to lunch. I think Christian's refactoring of this code out to the driver broke this not very well tested path. Fixes: 141b15e59175 ("drm/nouveau: move io_reserve_lru handling into the driver v5") Cc: Christian König Signed-off-by: Dave Airlie Acked-by: Christian König Signed-off-by: Danilo Krummrich Link: https://patchwork.freedesktop.org/patch/msgid/20240311072037.287905-1-airlied@gmail.com Signed-off-by: Sasha Levin commit a982368a13becfe7c36af92bf7d3a59178cdc86a Author: Luca Ceresoli Date: Tue Mar 5 15:36:28 2024 +0100 ASoC: rockchip: i2s-tdm: Fix inaccurate sampling rates [ Upstream commit 9e2ab4b18ebd46813fc3459207335af4d368e323 ] The sample rates set by the rockchip_i2s_tdm driver in master mode are inaccurate up to 5% in several cases, due to the driver logic to configure clocks and a nasty interaction with the Common Clock Framework. To understand what happens, here is the relevant section of the clock tree (slightly simplified), along with the names used in the driver: vpll0 _OR_ vpll1 "mclk_root" clk_i2s2_8ch_tx_src "mclk_parent" clk_i2s2_8ch_tx_mux clk_i2s2_8ch_tx "mclk" or "mclk_tx" This is what happens when playing back e.g. at 192 kHz using audio-graph-card (when recording the same applies, only s/tx/rx/): 0. at probe, rockchip_i2s_tdm_set_sysclk() stores the passed frequency in i2s_tdm->mclk_tx_freq (*) which is 50176000, and that is never modified afterwards 1. when playback is started, rockchip_i2s_tdm_hw_params() is called and does the following two calls 2. rockchip_i2s_tdm_calibrate_mclk(): 2a. selects mclk_root0 (vpll0) as a parent for mclk_parent (mclk_tx_src), which is OK because the vpll0 rate is a good for 192000 (and sumbultiple) rates 2b. sets the mclk_root frequency based on ppm calibration computations 2c. sets mclk_tx_src to 49152000 (= 256 * 192000), which is also OK as it is a multiple of the required bit clock 3. rockchip_i2s_tdm_set_mclk() 3a. calls clk_set_rate() to set the rate of mclk_tx (clk_i2s2_8ch_tx) to the value of i2s_tdm->mclk_tx_freq (*), i.e. 50176000 which is not a multiple of the sampling frequency -- this is not OK 3a1. clk_set_rate() reacts by reparenting clk_i2s2_8ch_tx_src to vpll1 -- this is not OK because the default vpll1 rate can be divided to get 44.1 kHz and related rates, not 192 kHz The result is that the driver does a lot of ad-hoc decisions about clocks and ends up in using the wrong parent at an unoptimal rate. Step 0 is one part of the problem: unless the card driver calls set_sysclk at each stream start, whatever rate is set in mclk_tx_freq during boot will be taken and used until reboot. Moreover the driver does not care if its value is not a multiple of any audio frequency. Another part of the problem is that the whole reparenting and clock rate setting logic is conflicting with the CCF algorithms to achieve largely the same goal: selecting the best parent and setting the closest clock rate. And it turns out that only calling once clk_set_rate() on clk_i2s2_8ch_tx picks the correct vpll and sets the correct rate. The fix is based on removing the custom logic in the driver to select the parent and set the various clocks, and just let the Clock Framework do it all. As a side effect, the set_sysclk() op becomes useless because we now let the CCF compute the appropriate value for the sampling rate. It also implies that the whole calibration logic is now dead code and so it is removed along with the "PCM Clock Compensation in PPM" kcontrol, which has always been broken anyway. The handling of the 4 optional clocks also becomes dead code and is removed. The actual rates have been tested playing 30 seconds of audio at various sampling rates before and after this change using sox: time play -r -n synth 30 sine 950 gain -3 The time reported in the table below is the 'real' value reported by the 'time' command in the above command line. rate before after --------- ------ ------ 8000 Hz 30.60s 30.63s 11025 Hz 30.45s 30.51s 16000 Hz 30.47s 30.50s 22050 Hz 30.78s 30.41s 32000 Hz 31.02s 30.43s 44100 Hz 30.78s 30.41s 48000 Hz 29.81s 30.45s 88200 Hz 30.78s 30.41s 96000 Hz 29.79s 30.42s 176400 Hz 27.40s 30.41s 192000 Hz 29.79s 30.42s While the tests are running the clock tree confirms that: * without the patch, vpll1 is always used and clk_i2s2_8ch_tx always produces 50176000 Hz, which cannot be divided for most audio rates except the slowest ones, generating inaccurate rates * with the patch: - for 192000 Hz vpll0 is used - for 176400 Hz vpll1 is used - clk_i2s2_8ch_tx always produces (256 * ) Hz Tested on the RK3308 using the internal audio codec. Fixes: 081068fd6414 ("ASoC: rockchip: add support for i2s-tdm controller") Signed-off-by: Luca Ceresoli Link: https://msgid.link/r/20240305-rk3308-audio-codec-v4-1-312acdbe628f@bootlin.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit da83ed350e4604b976e94239b08d8e2e7eaee7ea Author: Alexander Sverdlin Date: Tue Mar 12 12:20:48 2024 +0100 spi: lpspi: Avoid potential use-after-free in probe() [ Upstream commit 2ae0ab0143fcc06190713ed81a6486ed0ad3c861 ] fsl_lpspi_probe() is allocating/disposing memory manually with spi_alloc_host()/spi_alloc_target(), but uses devm_spi_register_controller(). In case of error after the latter call the memory will be explicitly freed in the probe function by spi_controller_put() call, but used afterwards by "devm" management outside probe() (spi_unregister_controller() <- devm_spi_unregister() below). Unable to handle kernel NULL pointer dereference at virtual address 0000000000000070 ... Call trace: kernfs_find_ns kernfs_find_and_get_ns sysfs_remove_group sysfs_remove_groups device_remove_attrs device_del spi_unregister_controller devm_spi_unregister release_nodes devres_release_all really_probe driver_probe_device __device_attach_driver bus_for_each_drv __device_attach device_initial_probe bus_probe_device deferred_probe_work_func process_one_work worker_thread kthread ret_from_fork Fixes: 5314987de5e5 ("spi: imx: add lpspi bus driver") Signed-off-by: Alexander Sverdlin Link: https://msgid.link/r/20240312112050.2503643-1-alexander.sverdlin@siemens.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e627c433c83d543d75e06fa72021f7a401c4992f Author: Jens Axboe Date: Mon Mar 11 13:30:43 2024 -0600 io_uring: don't save/restore iowait state [ Upstream commit 6f0974eccbf78baead1735722c4f1ee3eb9422cd ] This kind of state is per-syscall, and since we're doing the waiting off entering the io_uring_enter(2) syscall, there's no way that iowait can already be set for this case. Simplify it by setting it if we need to, and always clearing it to 0 when done. Fixes: 7b72d661f1f2 ("io_uring: gate iowait schedule on having pending requests") Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 2584d6bbc2bca1819059907990fcbec8228b2090 Author: Peng Fan Date: Mon Feb 26 08:36:57 2024 +0800 thermal/drivers/qoriq: Fix getting tmu range [ Upstream commit 4d0642074c67ed9928e9d68734ace439aa06e403 ] TMU Version 1 has 4 TTRCRs, while TMU Version >=2 has 16 TTRCRs. So limit the len to 4 will report "invalid range data" for i.MX93. This patch drop the local array with allocated ttrcr array and able to support larger tmu ranges. Fixes: f12d60c81fce ("thermal/drivers/qoriq: Support version 2.1") Tested-by: Sascha Hauer Signed-off-by: Peng Fan Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20240226003657.3012880-1-peng.fan@oss.nxp.com Signed-off-by: Sasha Levin commit 2db869da91afd48e5b9ec76814709be49662b07d Author: Christophe JAILLET Date: Sun Jan 28 09:38:10 2024 +0100 thermal/drivers/mediatek/lvts_thermal: Fix a memory leak in an error handling path [ Upstream commit ca93bf607a44c1f009283dac4af7df0d9ae5e357 ] If devm_krealloc() fails, then 'efuse' is leaking. So free it to avoid a leak. Fixes: f5f633b18234 ("thermal/drivers/mediatek: Add the Low Voltage Thermal Sensor driver") Signed-off-by: Christophe JAILLET Reviewed-by: Matthias Brugger Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/481d345233862d58c3c305855a93d0dbc2bbae7e.1706431063.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 13eccd707039043412cfdd0d80628fad6774c26f Author: Uwe Kleine-König Date: Sun Mar 10 15:38:51 2024 +0100 ASoC: tlv320adc3xxx: Don't strip remove function when driver is builtin [ Upstream commit f31e0d0c2cad23e0cc48731634f85bb2d8707790 ] Using __exit for the remove function results in the remove callback being discarded with SND_SOC_TLV320ADC3XXX=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: sound/soc/codecs/snd-soc-tlv320adc3xxx: section mismatch in reference: adc3xxx_i2c_driver+0x10 (section: .data) -> adc3xxx_i2c_remove (section: .exit.text) (which only happens with SND_SOC_TLV320ADC3XXX=m). Fixes: e9a3b57efd28 ("ASoC: codec: tlv320adc3xxx: New codec driver") Signed-off-by: Uwe Kleine-König Reviewed-by: Geert Uytterhoeven Link: https://msgid.link/r/20240310143852.397212-2-u.kleine-koenig@pengutronix.de Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3d6af30f177f8c3417437ca963992075f6c18bec Author: Saurabh Sengar Date: Sun Mar 3 00:01:36 2024 -0800 x86/hyperv: Use per cpu initial stack for vtl context [ Upstream commit 2b4b90e053a29057fb05ba81acce26bddce8d404 ] Currently, the secondary CPUs in Hyper-V VTL context lack support for parallel startup. Therefore, relying on the single initial_stack fetched from the current task structure suffices for all vCPUs. However, common initial_stack risks stack corruption when parallel startup is enabled. In order to facilitate parallel startup, use the initial_stack from the per CPU idle thread instead of the current task. Fixes: 3be1bc2fe9d2 ("x86/hyperv: VTL support for Hyper-V") Signed-off-by: Saurabh Sengar Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/1709452896-13342-1-git-send-email-ssengar@linux.microsoft.com Signed-off-by: Wei Liu Message-ID: <1709452896-13342-1-git-send-email-ssengar@linux.microsoft.com> Signed-off-by: Sasha Levin commit 68c001047b83baa483d624696d20d28c8fd78d51 Author: Colin Ian King Date: Thu Mar 7 18:17:34 2024 +0000 usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin [ Upstream commit 600556809f04eb3bbccd05218215dcd7b285a9a9 ] Currently the variable irqflags is being set but is not being used, it appears it should be used in the call to net2272_probe_fin rather than IRQF_TRIGGER_LOW being used. Kudos to Uwe Kleine-König for suggesting the fix. Cleans up clang scan build warning: drivers/usb/gadget/udc/net2272.c:2610:15: warning: variable 'irqflags' set but not used [-Wunused-but-set-variable] Fixes: ceb80363b2ec ("USB: net2272: driver for PLX NET2272 USB device controller") Signed-off-by: Colin Ian King Acked-by: Alan Stern Link: https://lore.kernel.org/r/20240307181734.2034407-1-colin.i.king@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 40f0170f227845eb5d5cda3e575946fbb268d2ca Author: Dan Carpenter Date: Mon Mar 4 10:04:48 2024 +0300 staging: greybus: fix get_channel_from_mode() failure path [ Upstream commit 34164202a5827f60a203ca9acaf2d9f7d432aac8 ] The get_channel_from_mode() function is supposed to return the channel which matches the mode. But it has a bug where if it doesn't find a matching channel then it returns the last channel. It should return NULL instead. Also remove an unnecessary NULL check on "channel". Fixes: 2870b52bae4c ("greybus: lights: add lights implementation") Signed-off-by: Dan Carpenter Reviewed-by: Rui Miguel Silva Reviewed-by: Alex Elder Link: https://lore.kernel.org/r/379c0cb4-39e0-4293-8a18-c7b1298e5420@moroto.mountain Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit da19b8c892bf5e4fbbdfc0ce52f784bbdabae00e Author: Andy Shevchenko Date: Mon Feb 19 17:04:57 2024 +0200 serial: 8250_exar: Don't remove GPIO device on suspend [ Upstream commit 73b5a5c00be39e23b194bad10e1ea8bb73eee176 ] It seems a copy&paste mistake that suspend callback removes the GPIO device. There is no counterpart of this action, means once suspended there is no more GPIO device available untile full unbind-bind cycle is performed. Remove suspicious GPIO device removal in suspend. Fixes: d0aeaa83f0b0 ("serial: exar: split out the exar code from 8250_pci") Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20240219150627.2101198-2-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b2725efd184c0e221913d2edb862395f2c62cb5f Author: Randy Dunlap Date: Mon Feb 12 21:02:58 2024 -0800 rtc: mt6397: select IRQ_DOMAIN instead of depending on it [ Upstream commit 544c42f798e1651dcb04fb0395219bf0f1c2607e ] IRQ_DOMAIN is a hidden (not user visible) symbol. Users cannot set it directly thru "make *config", so drivers should select it instead of depending on it if they need it. Relying on it being set for a dependency is risky. Consistently using "select" or "depends on" can also help reduce Kconfig circular dependency issues. Therefore, change the use of "depends on" for IRQ_DOMAIN to "select" for RTC_DRV_MT6397. Fixes: 04d3ba70a3c9 ("rtc: mt6397: add IRQ domain dependency") Cc: Arnd Bergmann Cc: Eddie Huang Cc: Sean Wang Cc: Matthias Brugger Cc: linux-arm-kernel@lists.infradead.org Cc: linux-mediatek@lists.infradead.org Cc: Alessandro Zummo Cc: Alexandre Belloni Cc: linux-rtc@vger.kernel.org Cc: Marc Zyngier Cc: Philipp Zabel Cc: Peter Rosin Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20240213050258.6167-1-rdunlap@infradead.org Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit ca5e22042c5958c5870be412460914e00fd39455 Author: Yang Jihong Date: Mon Jan 8 12:19:06 2024 +0000 hwtracing: hisi_ptt: Move type check to the beginning of hisi_ptt_pmu_event_init() [ Upstream commit 06226d120a28f146abd3637799958a4dc4dbb7a1 ] When perf_init_event() calls perf_try_init_event() to init pmu driver, searches for the next pmu driver only when the return value is -ENOENT. Therefore, hisi_ptt_pmu_event_init() needs to check the type at the beginning of the function. Otherwise, in the case of perf-task mode, perf_try_init_event() returns -EOPNOTSUPP and skips subsequent pmu drivers, causes perf_init_event() to fail. Fixes: ff0de066b463 ("hwtracing: hisi_ptt: Add trace function support for HiSilicon PCIe Tune and Trace device") Signed-off-by: Yang Jihong Reviewed-by: Yicong Yang Signed-off-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20240108121906.3514820-1-yangjihong1@huawei.com Signed-off-by: Sasha Levin commit 0c92547708147fc8269c04699885c2fe7d8e0255 Author: Dan Carpenter Date: Wed Feb 21 09:20:19 2024 +0300 bus: mhi: ep: check the correct variable in mhi_ep_register_controller() [ Upstream commit 27711860c54ccb5e80719df684f49f0bf3f8fb51 ] There is a copy and paste bug here so it checks "ev_ring_el_cache" instead of "ring_item_cache". Fixes: 62210a26cd4f ("bus: mhi: ep: Use slab allocator where applicable") Signed-off-by: Dan Carpenter Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/bebcd822-d465-45da-adae-5435ec93e6d4@moroto.mountain Signed-off-by: Manivannan Sadhasivam Signed-off-by: Sasha Levin commit 9066bec62f52a6a08941689879b79c512a28fed2 Author: Matti Vaittinen Date: Mon Feb 12 13:20:09 2024 +0200 iio: gts-helper: Fix division loop [ Upstream commit bb76cc45dcdfcd962a5994b8fe19ab74fc6c3c3a ] The loop based 64bit division may run for a long time when dividend is a lot bigger than the divider. Replace the division loop by the div64_u64() which implementation may be significantly faster. Tested-by: Subhajit Ghosh Signed-off-by: Matti Vaittinen Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers") Link: https://lore.kernel.org/r/Zcn-6e-0-nh2WcfU@drtxq0yyyyyyyyyyyyyby-3.rev.dnainternet.fi Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 3328ff75f642b57d98dfa3fe4bd1f2f05cb0454c Author: Masahiro Yamada Date: Sat Feb 3 00:57:59 2024 +0900 kconfig: fix infinite loop when expanding a macro at the end of file [ Upstream commit af8bbce92044dc58e4cc039ab94ee5d470a621f5 ] A macro placed at the end of a file with no newline causes an infinite loop. [Test Kconfig] $(info,hello) \ No newline at end of file I realized that flex-provided input() returns 0 instead of EOF when it reaches the end of a file. Fixes: 104daea149c4 ("kconfig: reference environment variables directly and remove 'option env='") Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit afce13580a161afa61f198c2d097182af3504288 Author: Mao Jinlong Date: Wed Jan 31 02:54:19 2024 -0800 coresight: etm4x: Set skip_power_up in etm4_init_arch_data function [ Upstream commit 1bbe0a247e5d72f723daeecf41596bfa99e199f1 ] skip_power_up is used in etm4_init_arch_data when set lpoverride. So need to set the value of it before calling using it. Fixes: 5214b563588e ("coresight: etm4x: Add support for sysreg only devices") Signed-off-by: Mao Jinlong Signed-off-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20240131105423.9519-1-quic_jinlmao@quicinc.com Signed-off-by: Sasha Levin commit b7bcc2c269ced2dac1309d07029dd3205973bd00 Author: James Clark Date: Mon Jan 29 15:40:32 2024 +0000 coresight: Fix issue where a source device's helpers aren't disabled [ Upstream commit f68bbe4dcfa303164922bc331d2e8d38ed2d4f23 ] The linked commit reverts the change that accidentally used some sysfs enable/disable functions from Perf which broke the refcounting, but it also removes the fact that the sysfs disable function disabled the helpers. Add a new wrapper function that does both which is used by both Perf and sysfs, and label the sysfs disable function appropriately. The naming of all of the functions will be tidied up later to avoid this happening again. Fixes: 287e82cf69aa ("coresight: Fix crash when Perf and sysfs modes are used concurrently") Signed-off-by: James Clark Link: https://lore.kernel.org/r/20240129154050.569566-2-james.clark@arm.com Signed-off-by: Suzuki K Poulose Signed-off-by: Sasha Levin commit e23d162e4d81b974212ec9c293a6a4572696c82a Author: Rafał Miłecki Date: Thu Jan 11 12:56:36 2024 +0100 arm64: dts: broadcom: bcmbca: bcm4908: drop invalid switch cells [ Upstream commit 27058b95fbb784406ea4c40b20caa3f04937140c ] Ethernet switch does not have addressable subnodes. This fixes: arch/arm64/boot/dts/broadcom/bcmbca/bcm4908-asus-gt-ac5300.dtb: ethernet-switch@0: '#address-cells', '#size-cells' do not match any of the regexes: 'pinctrl-[0-9]+' from schema $id: http://devicetree.org/schemas/net/dsa/brcm,sf2.yaml# Fixes: 527a3ac9bdf8 ("arm64: dts: broadcom: bcm4908: describe internal switch") Signed-off-by: Rafał Miłecki Link: https://lore.kernel.org/r/20240111115636.12095-1-zajec5@gmail.com Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit e0d4a4d37362f01ed57541b484c29ac017280808 Author: Tudor Ambarus Date: Fri Jan 19 10:45:08 2024 +0000 tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT [ Upstream commit 314c2b399288f0058a8c5b6683292cbde5f1531b ] The core expects for tx_empty() either TIOCSER_TEMT when the tx is empty or 0 otherwise. s3c24xx_serial_txempty_nofifo() might return 0x4, and at least uart_get_lsr_info() tries to clear exactly TIOCSER_TEMT (BIT(1)). Fix tx_empty() to return TIOCSER_TEMT. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Tudor Ambarus Reviewed-by: Sam Protsenko Link: https://lore.kernel.org/r/20240119104526.1221243-2-tudor.ambarus@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2ab4e1f70c238ab3c6e692f3109978a9595cbbf6 Author: Hugo Villeneuve Date: Thu Jan 18 10:22:01 2024 -0500 serial: max310x: fix syntax error in IRQ error message [ Upstream commit 8ede8c6f474255b2213cccd7997b993272a8e2f9 ] Replace g with q. Helpful when grepping thru source code or logs for "request" keyword. Fixes: f65444187a66 ("serial: New serial driver MAX310X") Reviewed-by: Andy Shevchenko Signed-off-by: Hugo Villeneuve Link: https://lore.kernel.org/r/20240118152213.2644269-6-hugo@hugovil.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 6d99e673264dd344523baffe3143383dfee83bb0 Author: Jiri Slaby (SUSE) Date: Mon Jan 22 12:03:17 2024 +0100 tty: vt: fix 20 vs 0x20 typo in EScsiignore [ Upstream commit 0e6a92f67c8a94707f7bb27ac29e2bdf3e7c167d ] The if (c >= 20 && c <= 0x3f) test added in commit 7a99565f8732 is wrong. 20 is DC4 in ascii and it makes no sense to consider that as the bottom limit. Instead, it should be 0x20 as in the other test in the commit above. This is supposed to NOT change anything as we handle interesting 20-0x20 asciis far before this if. So for sakeness, change to 0x20 (which is SPACE). Signed-off-by: "Jiri Slaby (SUSE)" Fixes: 7a99565f8732 ("vt: ignore csi sequences with intermediate characters.") Cc: Martin Hostettler Link: https://lore.kernel.org/all/ZaP45QY2WEsDqoxg@neutronstar.dyndns.org/ Tested-by: Helge Deller # parisc STI console Link: https://lore.kernel.org/r/20240122110401.7289-4-jirislaby@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 0255a3b17b1cb68ef9d4b36e101d301383f7a3c6 Author: Sean Anderson Date: Tue Jan 23 17:51:09 2024 -0500 usb: phy: generic: Get the vbus supply [ Upstream commit 75fd6485cccef269ac9eb3b71cf56753341195ef ] While support for working with a vbus was added, the regulator was never actually gotten (despite what was documented). Fix this by actually getting the supply from the device tree. Fixes: 7acc9973e3c4 ("usb: phy: generic: add vbus support") Signed-off-by: Sean Anderson Link: https://lore.kernel.org/r/20240123225111.1629405-3-sean.anderson@seco.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 330e860a08a0e9a1094b8e8b5eca507ada17d462 Author: Petre Rodan Date: Fri Dec 29 11:24:32 2023 +0200 iio: pressure: mprls0025pa fix off-by-one enum [ Upstream commit 9e65506ca9c7ff716c8441a33417820ad61d3a16 ] Fix off-by-one error in transfer-function property. The honeywell,transfer-function property takes values between 1-3 so make sure the proper enum gets used. Fixes: 713337d9143ed ("iio: pressure: Honeywell mprls0025pa pressure sensor") Co-developed-by: Andreas Klinger Signed-off-by: Andreas Klinger Signed-off-by: Petre Rodan Link: https://lore.kernel.org/r/20231229092445.30180-5-petre.rodan@subdimension.ro Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit f01a856edc7015c0e5a275f58c753c20e8d654b7 Author: Arnaud Pouliquen Date: Wed Jan 17 14:53:12 2024 +0100 remoteproc: stm32: Fix incorrect type assignment returned by stm32_rproc_get_loaded_rsc_tablef [ Upstream commit c77b35ce66af25bdd6fde60b62e35b9b316ea5c2 ] The sparse tool complains about the remove of the _iomem attribute. stm32_rproc.c:660:17: warning: cast removes address space '__iomem' of expression Add '__force' to explicitly specify that the cast is intentional. This conversion is necessary to cast to addresses pointer, which are then managed by the remoteproc core as a pointer to a resource_table structure. Fixes: 8a471396d21c ("remoteproc: stm32: Move resource table setup to rproc_ops") Signed-off-by: Arnaud Pouliquen Link: https://lore.kernel.org/r/20240117135312.3381936-3-arnaud.pouliquen@foss.st.com Signed-off-by: Mathieu Poirier Signed-off-by: Sasha Levin commit b82db393a953909e82e450328e89bc6dc5ab87c7 Author: Arnaud Pouliquen Date: Wed Jan 17 14:53:11 2024 +0100 remoteproc: stm32: Fix incorrect type in assignment for va [ Upstream commit 32381bbccba4c21145c571701f8f7fb1d9b3a92e ] The sparse tool complains about the attribute conversion between a _iomem void * and a void *: stm32_rproc.c:122:12: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void *va @@ got void [noderef] __iomem * @@ stm32_rproc.c:122:12: sparse: expected void *va stm32_rproc.c:122:12: sparse: got void [noderef] __iomem * Add '__force' to explicitly specify that the cast is intentional. This conversion is necessary to cast to virtual addresses pointer,used, by the remoteproc core. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202312150052.HCiNKlqB-lkp@intel.com/ Fixes: 13140de09cc2 ("remoteproc: stm32: add an ST stm32_rproc driver") Signed-off-by: Arnaud Pouliquen Link: https://lore.kernel.org/r/20240117135312.3381936-2-arnaud.pouliquen@foss.st.com Signed-off-by: Mathieu Poirier Signed-off-by: Sasha Levin commit 9c4c28ba316ef2e4498649bba1c217738e600905 Author: Alexander Usyskin Date: Tue Feb 20 22:00:20 2024 +0200 mei: gsc_proxy: match component when GSC is on different bus commit a0776c214d47ea4f7aaef138095beaa41cff03ef upstream. On Arrow Lake S systems, MEI is no longer strictly connected to bus 0, while graphics remain exclusively on bus 0. Adapt the component matching logic to accommodate this change: Original behavior: Required both MEI and graphics to be on the same bus 0. New behavior: Only enforces graphics to be on bus 0 (integrated), allowing MEI to reside on any bus. This ensures compatibility with Arrow Lake S and maintains functionality for the legacy systems. Fixes: 1dd924f6885b ("mei: gsc_proxy: add gsc proxy driver") Cc: stable@vger.kernel.org # v6.3+ Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Link: https://lore.kernel.org/r/20240220200020.231192-1-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman commit 631cc575ebc44cd4b99f0daa7969eb84fe6f4c62 Author: Ian Abbott Date: Wed Feb 14 10:07:25 2024 +0000 comedi: comedi_test: Prevent timers rescheduling during deletion commit f53641a6e849034a44bf80f50245a75d7a376025 upstream. The comedi_test devices have a couple of timers (ai_timer and ao_timer) that can be started to simulate hardware interrupts. Their expiry functions normally reschedule the timer. The driver code calls either del_timer_sync() or del_timer() to delete the timers from the queue, but does not currently prevent the timers from rescheduling themselves so synchronized deletion may be ineffective. Add a couple of boolean members (one for each timer: ai_timer_enable and ao_timer_enable) to the device private data structure to indicate whether the timers are allowed to reschedule themselves. Set the member to true when adding the timer to the queue, and to false when deleting the timer from the queue in the waveform_ai_cancel() and waveform_ao_cancel() functions. The del_timer_sync() function is also called from the waveform_detach() function, but the timer enable members will already be set to false when that function is called, so no change is needed there. Fixes: 403fe7f34e33 ("staging: comedi: comedi_test: fix timer race conditions") Cc: stable@vger.kernel.org # 4.4+ Signed-off-by: Ian Abbott Link: https://lore.kernel.org/r/20240214100747.16203-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman commit f263cf1626b551307550c220c0111b166966bc18 Author: Muhammad Usama Anjum Date: Fri Mar 1 19:43:48 2024 +0500 io_uring/net: correct the type of variable [ Upstream commit 86bcacc957fc2d0403aa0e652757eec59a5fd7ca ] The namelen is of type int. It shouldn't be made size_t which is unsigned. The signed number is needed for error checking before use. Fixes: c55978024d12 ("io_uring/net: move receive multishot out of the generic msghdr path") Signed-off-by: Muhammad Usama Anjum Link: https://lore.kernel.org/r/20240301144349.2807544-1-usama.anjum@collabora.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 7ca651b4ec4a049f5a46a0e5ff921b86b91c47c5 Author: Josef Bacik Date: Mon Mar 11 11:11:53 2024 -0400 nfs: fix panic when nfs4_ff_layout_prepare_ds() fails [ Upstream commit 719fcafe07c12646691bd62d7f8d94d657fa0766 ] We've been seeing the following panic in production BUG: kernel NULL pointer dereference, address: 0000000000000065 PGD 2f485f067 P4D 2f485f067 PUD 2cc5d8067 PMD 0 RIP: 0010:ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles] Call Trace: ? __die+0x78/0xc0 ? page_fault_oops+0x286/0x380 ? __rpc_execute+0x2c3/0x470 [sunrpc] ? rpc_new_task+0x42/0x1c0 [sunrpc] ? exc_page_fault+0x5d/0x110 ? asm_exc_page_fault+0x22/0x30 ? ff_layout_free_layoutreturn+0x110/0x110 [nfs_layout_flexfiles] ? ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles] ? ff_layout_cancel_io+0x6f/0x90 [nfs_layout_flexfiles] pnfs_mark_matching_lsegs_return+0x1b0/0x360 [nfsv4] pnfs_error_mark_layout_for_return+0x9e/0x110 [nfsv4] ? ff_layout_send_layouterror+0x50/0x160 [nfs_layout_flexfiles] nfs4_ff_layout_prepare_ds+0x11f/0x290 [nfs_layout_flexfiles] ff_layout_pg_init_write+0xf0/0x1f0 [nfs_layout_flexfiles] __nfs_pageio_add_request+0x154/0x6c0 [nfs] nfs_pageio_add_request+0x26b/0x380 [nfs] nfs_do_writepage+0x111/0x1e0 [nfs] nfs_writepages_callback+0xf/0x30 [nfs] write_cache_pages+0x17f/0x380 ? nfs_pageio_init_write+0x50/0x50 [nfs] ? nfs_writepages+0x6d/0x210 [nfs] ? nfs_writepages+0x6d/0x210 [nfs] nfs_writepages+0x125/0x210 [nfs] do_writepages+0x67/0x220 ? generic_perform_write+0x14b/0x210 filemap_fdatawrite_wbc+0x5b/0x80 file_write_and_wait_range+0x6d/0xc0 nfs_file_fsync+0x81/0x170 [nfs] ? nfs_file_mmap+0x60/0x60 [nfs] __x64_sys_fsync+0x53/0x90 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Inspecting the core with drgn I was able to pull this >>> prog.crashed_thread().stack_trace()[0] #0 at 0xffffffffa079657a (ff_layout_cancel_io+0x3a/0x84) in ff_layout_cancel_io at fs/nfs/flexfilelayout/flexfilelayout.c:2021:27 >>> prog.crashed_thread().stack_trace()[0]['idx'] (u32)1 >>> prog.crashed_thread().stack_trace()[0]['flseg'].mirror_array[1].mirror_ds (struct nfs4_ff_layout_ds *)0xffffffffffffffed This is clear from the stack trace, we call nfs4_ff_layout_prepare_ds() which could error out initializing the mirror_ds, and then we go to clean it all up and our check is only for if (!mirror->mirror_ds). This is inconsistent with the rest of the users of mirror_ds, which have if (IS_ERR_OR_NULL(mirror_ds)) to keep from tripping over this exact scenario. Fix this up in ff_layout_cancel_io() to make sure we don't panic when we get an error. I also spot checked all the other instances of checking mirror_ds and we appear to be doing the correct checks everywhere, only unconditionally dereferencing mirror_ds when we know it would be valid. Signed-off-by: Josef Bacik Fixes: b739a5bd9d9f ("NFSv4/flexfiles: Cancel I/O if the layout is recalled or revoked") Reviewed-by: Jeff Layton Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 106e14ca55a0acb3236ee98813a1d243f8aa2d05 Author: David Howells Date: Wed Mar 13 11:08:41 2024 +0000 afs: Revert "afs: Hide silly-rename files from userspace" [ Upstream commit 0aec3847d044273733285dcff90afda89ad461d2 ] This reverts commit 57e9d49c54528c49b8bffe6d99d782ea051ea534. This undoes the hiding of .__afsXXXX silly-rename files. The problem with hiding them is that rm can't then manually delete them. This also reverts commit 5f7a07646655fb4108da527565dcdc80124b14c4 ("afs: Fix endless loop in directory parsing") as that's a bugfix for the above. Fixes: 57e9d49c5452 ("afs: Hide silly-rename files from userspace") Reported-by: Markus Suvanto Link: https://lists.infradead.org/pipermail/linux-afs/2024-February/008102.html Signed-off-by: David Howells Link: https://lore.kernel.org/r/3085695.1710328121@warthog.procyon.org.uk Reviewed-by: Jeffrey E Altman cc: Marc Dionne cc: linux-afs@lists.infradead.org Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin commit 7be89bd65f1634bed75e8112707026bce17f8405 Author: Sandipan Das Date: Mon Jan 29 16:36:26 2024 +0530 perf/x86/amd/core: Avoid register reset when CPU is dead [ Upstream commit ad8c91282c95f801c37812d59d2d9eba6899b384 ] When bringing a CPU online, some of the PMC and LBR related registers are reset. The same is done when a CPU is taken offline although that is unnecessary. This currently happens in the "cpu_dead" callback which is also incorrect as the callback runs on a control CPU instead of the one that is being taken offline. This also affects hibernation and suspend to RAM on some platforms as reported in the link below. Fixes: 21d59e3e2c40 ("perf/x86/amd/core: Detect PerfMonV2 support") Reported-by: Mario Limonciello Signed-off-by: Sandipan Das Signed-off-by: Ingo Molnar Cc: Peter Zijlstra Link: https://lore.kernel.org/r/550a026764342cf7e5812680e3e2b91fe662b5ac.1706526029.git.sandipan.das@amd.com Signed-off-by: Sasha Levin commit b386f5dda0a807b8f3f045cca1dc7e65929e9459 Author: Chao Yu Date: Fri Mar 8 11:50:57 2024 +0800 f2fs: zone: fix to remove pow2 check condition for zoned block device [ Upstream commit 11bec96afbfbc4679863db55258de440d786821e ] Commit 2e2c6e9b72ce ("f2fs: remove power-of-two limitation of zoned device") missed to remove pow2 check condition in init_blkz_info(), fix it. Fixes: 2e2c6e9b72ce ("f2fs: remove power-of-two limitation of zoned device") Signed-off-by: Feng Song Signed-off-by: Yongpeng Yang Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit c92f2927df860a60ba815d3ee610a944b92a8694 Author: Chao Yu Date: Fri Mar 8 09:08:34 2024 +0800 f2fs: fix to truncate meta inode pages forcely [ Upstream commit 9f0c4a46be1fe9b97dbe66d49204c1371e3ece65 ] Below race case can cause data corruption: Thread A GC thread - gc_data_segment - ra_data_block - locked meta_inode page - f2fs_inplace_write_data - invalidate_mapping_pages : fail to invalidate meta_inode page due to lock failure or dirty|writeback status - f2fs_submit_page_bio : write last dirty data to old blkaddr - move_data_block - load old data from meta_inode page - f2fs_submit_page_write : write old data to new blkaddr Because invalidate_mapping_pages() will skip invalidating page which has unclear status including locked, dirty, writeback and so on, so we need to use truncate_inode_pages_range() instead of invalidate_mapping_pages() to make sure meta_inode page will be dropped. Fixes: 6aa58d8ad20a ("f2fs: readahead encrypted block during GC") Fixes: e3b49ea36802 ("f2fs: invalidate META_MAPPING before IPU/DIO write") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit cfd217f6464dad7308e34b319d20dbbe37151f3f Author: Chao Yu Date: Sun Dec 10 17:20:39 2023 +0800 f2fs: introduce f2fs_invalidate_internal_cache() for cleanup [ Upstream commit 4e4f1eb9949b10cb7d76370fd27d41f20ef2b32b ] Just cleanup, no logic changes. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Stable-dep-of: 9f0c4a46be1f ("f2fs: fix to truncate meta inode pages forcely") Signed-off-by: Sasha Levin commit f0bf89e84c3afb79d7a3a9e4bc853ad6a3245c0a Author: Xiuhong Wang Date: Wed Mar 6 11:47:46 2024 +0800 f2fs: compress: fix reserve_cblocks counting error when out of space [ Upstream commit 2f6d721e14b69d6e1251f69fa238b48e8374e25f ] When a file only needs one direct_node, performing the following operations will cause the file to be unrepairable: unisoc # ./f2fs_io compress test.apk unisoc #df -h | grep dm-48 /dev/block/dm-48 112G 112G 1.2M 100% /data unisoc # ./f2fs_io release_cblocks test.apk 924 unisoc # df -h | grep dm-48 /dev/block/dm-48 112G 112G 4.8M 100% /data unisoc # dd if=/dev/random of=file4 bs=1M count=3 3145728 bytes (3.0 M) copied, 0.025 s, 120 M/s unisoc # df -h | grep dm-48 /dev/block/dm-48 112G 112G 1.8M 100% /data unisoc # ./f2fs_io reserve_cblocks test.apk F2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device adb reboot unisoc # df -h | grep dm-48 /dev/block/dm-48 112G 112G 11M 100% /data unisoc # ./f2fs_io reserve_cblocks test.apk 0 This is because the file has only one direct_node. After returning to -ENOSPC, reserved_blocks += ret will not be executed. As a result, the reserved_blocks at this time is still 0, which is not the real number of reserved blocks. Therefore, fsck cannot be set to repair the file. After this patch, the fsck flag will be set to fix this problem. unisoc # df -h | grep dm-48 /dev/block/dm-48 112G 112G 1.8M 100% /data unisoc # ./f2fs_io reserve_cblocks test.apk F2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device adb reboot then fsck will be executed unisoc # df -h | grep dm-48 /dev/block/dm-48 112G 112G 11M 100% /data unisoc # ./f2fs_io reserve_cblocks test.apk 924 Fixes: c75488fb4d82 ("f2fs: introduce F2FS_IOC_RESERVE_COMPRESS_BLOCKS") Signed-off-by: Xiuhong Wang Signed-off-by: Zhiguo Niu Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 4d1a3b791c5dabdebc1b0e2b01ee643fb6223472 Author: Xiuhong Wang Date: Wed Mar 6 11:47:45 2024 +0800 f2fs: compress: relocate some judgments in f2fs_reserve_compress_blocks [ Upstream commit b7d797d241c154d73ec5523f87f3b06d4f299da1 ] The following f2fs_io test will get a "0" result instead of -EINVAL, unisoc # ./f2fs_io compress file unisoc # ./f2fs_io reserve_cblocks file 0 it's not reasonable, so the judgement of atomic_read(&F2FS_I(inode)->i_compr_blocks) should be placed after the judgement of is_inode_flag_set(inode, FI_COMPRESS_RELEASED). Fixes: c75488fb4d82 ("f2fs: introduce F2FS_IOC_RESERVE_COMPRESS_BLOCKS") Signed-off-by: Xiuhong Wang Signed-off-by: Zhiguo Niu Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit cda2f3d1754a36467cf6bd282df03180d54716c3 Author: Olga Kornievskaia Date: Tue Feb 20 18:25:34 2024 -0500 NFSv4.1/pnfs: fix NFS with TLS in pnfs [ Upstream commit a35518cae4b325632840bc8c3aa9ad9bac430038 ] Currently, even though xprtsec=tls is specified and used for operations to MDS, any operations that go to DS travel over unencrypted connection. Or additionally, if more than 1 DS can serve the data, then trunked connections are also done unencrypted. IN GETDEVINCEINFO, we get an entry for the DS which carries a protocol type (which is TCP), then nfs4_set_ds_client() gets called with TCP instead of TCP with TLS. Currently, each trunked connection is created and uses clp->cl_hostname value which if TLS is used would get passed up in the handshake upcall, but instead we need to pass in the appropriate trunked address value. Fixes: c8407f2e560c ("NFS: Add an "xprtsec=" NFS mount option") Signed-off-by: Olga Kornievskaia Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 7f029d2438a0c99cf7e643882969a3dfe873bb53 Author: Christophe JAILLET Date: Sun Feb 18 22:16:53 2024 +0100 NFS: Fix an off by one in root_nfs_cat() [ Upstream commit 698ad1a538da0b6bf969cfee630b4e3a026afb87 ] The intent is to check if 'dest' is truncated or not. So, >= should be used instead of >, because strlcat() returns the length of 'dest' and 'src' excluding the trailing NULL. Fixes: 56463e50d1fc ("NFS: Use super.c for NFSROOT mount option parsing") Signed-off-by: Christophe JAILLET Reviewed-by: Benjamin Coddington Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit ad27382f8495f8ef6d2c66c413d756bfd13c0598 Author: Dave Wysochanski Date: Wed Jan 31 11:10:06 2024 -0500 NFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt [ Upstream commit fd5860ab6341506004219b080aea40213b299d2e ] The loop inside nfs_netfs_issue_read() currently does not disable interrupts while iterating through pages in the xarray to submit for NFS read. This is not safe though since after taking xa_lock, another page in the mapping could be processed for writeback inside an interrupt, and deadlock can occur. The fix is simple and clean if we use xa_for_each_range(), which handles the iteration with RCU while reducing code complexity. The problem is easily reproduced with the following test: mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1 echo 3 > /proc/sys/vm/drop_caches dd if=/mnt/nfs/file1.bin of=/dev/null umount /mnt/nfs On the console with a lockdep-enabled kernel a message similar to the following will be seen: ================================ WARNING: inconsistent lock state 6.7.0-lockdbg+ #10 Not tainted -------------------------------- inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes: ffff888127baa598 (&xa->xa_lock#4){+.?.}-{3:3}, at: nfs_netfs_issue_read+0x1b2/0x4b0 [nfs] {IN-SOFTIRQ-W} state was registered at: lock_acquire+0x144/0x380 _raw_spin_lock_irqsave+0x4e/0xa0 __folio_end_writeback+0x17e/0x5c0 folio_end_writeback+0x93/0x1b0 iomap_finish_ioend+0xeb/0x6a0 blk_update_request+0x204/0x7f0 blk_mq_end_request+0x30/0x1c0 blk_complete_reqs+0x7e/0xa0 __do_softirq+0x113/0x544 __irq_exit_rcu+0xfe/0x120 irq_exit_rcu+0xe/0x20 sysvec_call_function_single+0x6f/0x90 asm_sysvec_call_function_single+0x1a/0x20 pv_native_safe_halt+0xf/0x20 default_idle+0x9/0x20 default_idle_call+0x67/0xa0 do_idle+0x2b5/0x300 cpu_startup_entry+0x34/0x40 start_secondary+0x19d/0x1c0 secondary_startup_64_no_verify+0x18f/0x19b irq event stamp: 176891 hardirqs last enabled at (176891): [] _raw_spin_unlock_irqrestore+0x44/0x60 hardirqs last disabled at (176890): [] _raw_spin_lock_irqsave+0x79/0xa0 softirqs last enabled at (176646): [] __irq_exit_rcu+0xfe/0x120 softirqs last disabled at (176633): [] __irq_exit_rcu+0xfe/0x120 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&xa->xa_lock#4); lock(&xa->xa_lock#4); *** DEADLOCK *** 2 locks held by test5/1708: #0: ffff888127baa498 (&sb->s_type->i_mutex_key#22){++++}-{4:4}, at: nfs_start_io_read+0x28/0x90 [nfs] #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, at: page_cache_ra_unbounded+0xa4/0x280 stack backtrace: CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 Call Trace: dump_stack_lvl+0x5b/0x90 mark_lock+0xb3f/0xd20 __lock_acquire+0x77b/0x3360 _raw_spin_lock+0x34/0x80 nfs_netfs_issue_read+0x1b2/0x4b0 [nfs] netfs_begin_read+0x77f/0x980 [netfs] nfs_netfs_readahead+0x45/0x60 [nfs] nfs_readahead+0x323/0x5a0 [nfs] read_pages+0xf3/0x5c0 page_cache_ra_unbounded+0x1c8/0x280 filemap_get_pages+0x38c/0xae0 filemap_read+0x206/0x5e0 nfs_file_read+0xb7/0x140 [nfs] vfs_read+0x2a9/0x460 ksys_read+0xb7/0x140 Fixes: 000dbe0bec05 ("NFS: Convert buffered read paths to use netfs when fscache is enabled") Suggested-by: Jeff Layton Signed-off-by: Dave Wysochanski Reviewed-by: Jeff Layton Reviewed-by: David Howells Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit f83f1bdac289637b2cc5b247b86d9ac2bc29abaf Author: Jeff LaBundy Date: Wed Mar 6 23:40:21 2024 -0600 Input: iqs7222 - add support for IQS7222D v1.1 and v1.2 [ Upstream commit 992cf65674778e22436807796b2df927de21bb75 ] The vendor has introduced two new revisions with slightly different memory maps; update the driver to support them. Fixes: dd24e202ac72 ("Input: iqs7222 - add support for Azoteq IQS7222D") Signed-off-by: Jeff LaBundy Link: https://lore.kernel.org/r/ZelTRYX3fenMQuhF@nixie71 Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 304bc00ee1984b67c298441dde9b3e48047f4bc1 Author: Konstantin Taranov Date: Mon Mar 4 05:52:40 2024 -0800 RDMA/mana_ib: Fix bug in creation of dma regions [ Upstream commit e02497fb654689049ba8b46f098f17d5f19e0b3c ] Use ib_umem_dma_offset() helper to calculate correct dma offset. Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter") Signed-off-by: Konstantin Taranov Link: https://lore.kernel.org/r/1709560361-26393-2-git-send-email-kotaranov@linux.microsoft.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit fa36f5ff74f0daf536647d418cafc0f19d5b116c Author: Chao Yu Date: Mon Feb 26 15:35:38 2024 +0800 f2fs: ro: compress: fix to avoid caching unaligned extent [ Upstream commit 4b99ecd304290c4ef55666a62c89dfb2dbf0b2cd ] Mapping info from dump.f2fs: i_addr[0x2d] cluster flag [0xfffffffe : 4294967294] i_addr[0x2e] [0x 10428 : 66600] i_addr[0x2f] [0x 10429 : 66601] i_addr[0x30] [0x 1042a : 66602] f2fs_io fiemap 37 1 /mnt/f2fs/disk-58390c8c.raw Previsouly, it missed to align fofs and ofs_in_node to cluster_size, result in adding incorrect read extent cache, fix it. Before: f2fs_update_read_extent_tree_range: dev = (253,48), ino = 5, pgofs = 37, len = 4, blkaddr = 66600, c_len = 3 After: f2fs_update_read_extent_tree_range: dev = (253,48), ino = 5, pgofs = 36, len = 4, blkaddr = 66600, c_len = 3 Fixes: 94afd6d6e525 ("f2fs: extent cache: support unaligned extent") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit e690dddae437221b0d524a73b65617597c96b751 Author: Chao Yu Date: Sun Feb 25 14:36:28 2024 +0800 f2fs: fix to use correct segment type in f2fs_allocate_data_block() [ Upstream commit 7324858237829733dec9c670170df2377c5ca6e2 ] @type in f2fs_allocate_data_block() indicates log header's type, it can be CURSEG_COLD_DATA_PINNED or CURSEG_ALL_DATA_ATGC, rather than type of data/node, however IS_DATASEG()/IS_NODESEG() only accept later one, fix it. Fixes: 093749e296e2 ("f2fs: support age threshold based garbage collection") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 490510e6082f4a57a4301b0f688699d5dd9b64d4 Author: Ben Wolsieffer Date: Wed Feb 28 13:27:23 2024 -0500 watchdog: stm32_iwdg: initialize default timeout [ Upstream commit dbd7c0088b7f44aa0b9276ed3449df075a7b5b54 ] The driver never sets a default timeout value, therefore it is initialized to zero. When CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED is enabled, the watchdog is started during probe. The kernel is supposed to automatically ping the watchdog from this point until userspace takes over, but this does not happen if the configured timeout is zero. A zero timeout causes watchdog_need_worker() to return false, so the heartbeat worker does not run and the system therefore resets soon after the driver is probed. This patch fixes this by setting an arbitrary non-zero default timeout. The default could be read from the hardware instead, but I didn't see any reason to add this complexity. This has been tested on an STM32F746. Fixes: 85fdc63fe256 ("drivers: watchdog: stm32_iwdg: set WDOG_HW_RUNNING at probe") Signed-off-by: Ben Wolsieffer Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20240228182723.12855-1-ben.wolsieffer@hefring.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 281481d64418df0d3f56b61f3bcef586771cd881 Author: Ji Sheng Teoh Date: Fri Jan 19 16:27:21 2024 +0800 watchdog: starfive: Check pm_runtime_enabled() before decrementing usage counter [ Upstream commit 8bc22a2f1bf0f402029087fcb53130233a544fed ] In the probe function, pm_runtime_put_sync() will fail on platform with runtime PM disabled. Check if runtime PM is enabled before calling pm_runtime_put_sync() to fix it. Fixes: db728ea9c7be ("drivers: watchdog: Add StarFive Watchdog driver") Signed-off-by: Xingyu Wu Signed-off-by: Ley Foon Tan Signed-off-by: Ji Sheng Teoh Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20240119082722.1133024-1-jisheng.teoh@starfivetech.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit eb1845a8cdb92d099063132812d50cdcf2f28633 Author: Jaegeuk Kim Date: Fri Feb 23 12:32:05 2024 -0800 f2fs: check number of blocks in a current section [ Upstream commit 7af2df0f67a1469762e59be3726a803882d83f6f ] In cfd66bb715fd ("f2fs: fix deadloop in foreground GC"), we needed to check the number of blocks in a section instead of the segment. Fixes: cfd66bb715fd ("f2fs: fix deadloop in foreground GC") Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 41e8018b45ec3993ec2ee6cc45dc18a244d83be0 Author: Chao Yu Date: Mon Feb 19 10:28:44 2024 +0800 f2fs: compress: fix to check compress flag w/ .i_sem lock [ Upstream commit ea59b12ac69774c08aa95cd5b6100700ea0cce97 ] It needs to check compress flag w/ .i_sem lock, otherwise, compressed inode may be disabled after the check condition, it's not needed to set compress option on non-compress inode. Fixes: e1e8debec656 ("f2fs: add F2FS_IOC_SET_COMPRESS_OPTION ioctl") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 26e177cffce2880b7e85578ef1947fef4e01f9e7 Author: Jorge Mora Date: Thu Jan 25 07:51:28 2024 -0700 NFSv4.2: fix listxattr maximum XDR buffer size [ Upstream commit bcac8bff90a6ee1629f90669cdb9d28fb86049b0 ] Switch order of operations to avoid creating a short XDR buffer: e.g., buflen = 12, old xdrlen = 12, new xdrlen = 20. Having a short XDR buffer leads to lxa_maxcount be a few bytes less than what is needed to retrieve the whole list when using a buflen as returned by a call with size = 0: buflen = listxattr(path, NULL, 0); buf = malloc(buflen); buflen = listxattr(path, buf, buflen); For a file with one attribute (name = '123456'), the first call with size = 0 will return buflen = 12 ('user.123456\x00'). The second call with size = 12, sends LISTXATTRS with lxa_maxcount = 12 + 8 (cookie) + 4 (array count) = 24. The XDR buffer needs 8 (cookie) + 4 (array count) + 4 (name count) + 6 (name len) + 2 (padding) + 4 (eof) = 28 which is 4 bytes shorter than the lxa_maxcount provided in the call. Fixes: 04a5da690e8f ("NFSv4.2: define limits and sizes for user xattr handling") Signed-off-by: Jorge Mora Reviewed-by: Benjamin Coddington Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 79cdcc765969d23f4e3d6ea115660c3333498768 Author: Jorge Mora Date: Thu Jan 25 07:56:12 2024 -0700 NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102 [ Upstream commit 251a658bbfceafb4d58c76b77682c8bf7bcfad65 ] A call to listxattr() with a buffer size = 0 returns the actual size of the buffer needed for a subsequent call. When size > 0, nfs4_listxattr() does not return an error because either generic_listxattr() or nfs4_listxattr_nfs4_label() consumes exactly all the bytes then size is 0 when calling nfs4_listxattr_nfs4_user() which then triggers the following kernel BUG: [ 99.403778] kernel BUG at mm/usercopy.c:102! [ 99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1 [ 99.415827] Call trace: [ 99.415985] usercopy_abort+0x70/0xa0 [ 99.416227] __check_heap_object+0x134/0x158 [ 99.416505] check_heap_object+0x150/0x188 [ 99.416696] __check_object_size.part.0+0x78/0x168 [ 99.416886] __check_object_size+0x28/0x40 [ 99.417078] listxattr+0x8c/0x120 [ 99.417252] path_listxattr+0x78/0xe0 [ 99.417476] __arm64_sys_listxattr+0x28/0x40 [ 99.417723] invoke_syscall+0x78/0x100 [ 99.417929] el0_svc_common.constprop.0+0x48/0xf0 [ 99.418186] do_el0_svc+0x24/0x38 [ 99.418376] el0_svc+0x3c/0x110 [ 99.418554] el0t_64_sync_handler+0x120/0x130 [ 99.418788] el0t_64_sync+0x194/0x198 [ 99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000) Issue is reproduced when generic_listxattr() returns 'system.nfs4_acl', thus calling lisxattr() with size = 16 will trigger the bug. Add check on nfs4_listxattr() to return ERANGE error when it is called with size > 0 and the return value is greater than size. Fixes: 012a211abd5d ("NFSv4.2: hook in the user extended attribute handlers") Signed-off-by: Jorge Mora Reviewed-by: Benjamin Coddington Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 5e5038413d5762fc1b950ca1191d5593fe8196f2 Author: Christophe JAILLET Date: Tue Oct 24 23:58:20 2023 +0200 net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr() [ Upstream commit d6f4de70f73a106986ee315d7d512539f2f3303a ] The intent is to check if the strings' are truncated or not. So, >= should be used instead of >, because strlcat() and snprintf() return the length of the output, excluding the trailing NULL. Fixes: a02d69261134 ("SUNRPC: Provide functions for managing universal addresses") Signed-off-by: Christophe JAILLET Reviewed-by: Benjamin Coddington Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 9deb2010aa9fd92ecb775cf7543fe2facd5e1cd3 Author: Chao Yu Date: Tue Feb 13 00:08:18 2024 +0800 f2fs: compress: fix to check zstd compress level correctly in mount option [ Upstream commit e39602da752cd1d0462e3fa04074146f6f2803f6 ] f2fs only support to config zstd compress level w/ a positive number due to layout design, but since commit e0c1b49f5b67 ("lib: zstd: Upgrade to latest upstream zstd version 1.4.10"), zstd supports negative compress level, so that zstd_min_clevel() may return a negative number, then w/ below mount option, .compress_level can be configed w/ a negative number, which is not allowed to f2fs, let's add check condition to avoid it. mount -o compress_algorithm=zstd:4294967295 /dev/sdx /mnt/f2fs Fixes: 00e120b5e4b5 ("f2fs: assign default compression level") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 7525dec4b34c80b3015c3f2ac143fd2bfc1febc3 Author: Chao Yu Date: Wed Feb 7 15:05:48 2024 +0800 f2fs: fix to create selinux label during whiteout initialization [ Upstream commit 40b2d55e045222dd6de2a54a299f682e0f954b03 ] #generic/700 - output mismatch (see /media/fstests/results//generic/700.out.bad) # --- tests/generic/700.out 2023-03-28 10:40:42.735529223 +0000 # +++ /media/fstests/results//generic/700.out.bad 2024-02-06 04:37:56.000000000 +0000 # @@ -1,2 +1,4 @@ # QA output created by 700 # +/mnt/scratch_f2fs/f1: security.selinux: No such attribute # +/mnt/scratch_f2fs/f2: security.selinux: No such attribute # Silence is golden # ... # (Run 'diff -u /media/fstests/tests/generic/700.out /media/fstests/results//generic/700.out.bad' to see the entire diff) HINT: You _MAY_ be missing kernel fix: 70b589a37e1a xfs: add selinux labels to whiteout inodes Previously, it missed to create selinux labels during whiteout inode initialization, fix this issue. Fixes: 7e01e7ad746b ("f2fs: support RENAME_WHITEOUT") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit a2b6d56416ddd3a80d717d05730c7fa5914ac943 Author: Arnd Bergmann Date: Thu Feb 22 13:44:06 2024 +0100 scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn [ Upstream commit b69600231f751304db914c63b937f7098ed2895c ] Some callback functions used here take a boolean argument, others take a status argument. This breaks KCFI type checking, so clang now warns about the function pointer cast: drivers/scsi/bfa/bfad_bsg.c:2138:29: error: cast from 'void (*)(void *, enum bfa_status)' to 'bfa_cb_cbfn_t' (aka 'void (*)(void *, enum bfa_boolean)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] Assuming the code is actually correct here and the callers always match the argument types of the callee, rework this to replace the explicit cast with a union of the two pointer types. This does not change the behavior of the code, so if something is actually broken here, a larger rework may be necessary. Fixes: 37ea0558b87a ("[SCSI] bfa: Added support to collect and reset fcport stats") Fixes: 3ec4f2c8bff2 ("[SCSI] bfa: Added support to configure QOS and collect stats.") Reviewed-by: Kees Cook Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20240222124433.2046570-1-arnd@kernel.org Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit fd8de72924144c80d20ac6b219b19dd6ed04aade Author: Alexey Kodanev Date: Wed Feb 21 11:32:04 2024 +0000 RDMA/rtrs-clt: Check strnlen return len in sysfs mpath_policy_store() [ Upstream commit 7a7b7f575a25aa68ee934ee8107294487efcb3fe ] strnlen() may return 0 (e.g. for "\0\n" string), it's better to check the result of strnlen() before using 'len - 1' expression for the 'buf' array index. Detected using the static analysis tool - Svace. Fixes: dc3b66a0ce70 ("RDMA/rtrs-clt: Add a minimum latency multipath policy") Signed-off-by: Alexey Kodanev Link: https://lore.kernel.org/r/20240221113204.147478-1-aleksei.kodanev@bell-sw.com Acked-by: Jack Wang Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 034977c33b4ad137f0013745a7313a75a3da0254 Author: Shifeng Li Date: Fri Feb 2 19:53:13 2024 -0800 RDMA/device: Fix a race between mad_client and cm_client init [ Upstream commit 7a8bccd8b29c321ac181369b42b04fecf05f98e2 ] The mad_client will be initialized in enable_device_and_get(), while the devices_rwsem will be downgraded to a read semaphore. There is a window that leads to the failed initialization for cm_client, since it can not get matched mad port from ib_mad_port_list, and the matched mad port will be added to the list after that. mad_client | cm_client ------------------|-------------------------------------------------------- ib_register_device| enable_device_and_get down_write(&devices_rwsem) xa_set_mark(&devices, DEVICE_REGISTERED) downgrade_write(&devices_rwsem) | |ib_cm_init |ib_register_client(&cm_client) |down_read(&devices_rwsem) |xa_for_each_marked (&devices, DEVICE_REGISTERED) |add_client_context |cm_add_one |ib_register_mad_agent |ib_get_mad_port |__ib_get_mad_port |list_for_each_entry(entry, &ib_mad_port_list, port_list) |return NULL |up_read(&devices_rwsem) | add_client_context| ib_mad_init_device| ib_mad_port_open | list_add_tail(&port_priv->port_list, &ib_mad_port_list) up_read(&devices_rwsem) | Fix it by using down_write(&devices_rwsem) in ib_register_client(). Fixes: d0899892edd0 ("RDMA/device: Provide APIs from the core code to help unregistration") Link: https://lore.kernel.org/r/20240203035313.98991-1-lishifeng@sangfor.com.cn Suggested-by: Jason Gunthorpe Signed-off-by: Shifeng Li Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 522e5e4770620cb72bc34fd041d595cc08cda522 Author: Luoyouming Date: Mon Feb 19 14:18:05 2024 +0800 RDMA/hns: Fix mis-modifying default congestion control algorithm [ Upstream commit d20a7cf9f714f0763efb56f0f2eeca1cb91315ed ] Commit 27c5fd271d8b ("RDMA/hns: The UD mode can only be configured with DCQCN") adds a check of congest control alorithm for UD. But that patch causes a problem: hr_dev->caps.congest_type is global, used by all QPs, so modifying this field to DCQCN for UD QPs causes other QPs unable to use any other algorithm except DCQCN. Revert the modification in commit 27c5fd271d8b ("RDMA/hns: The UD mode can only be configured with DCQCN"). Add a new field cong_type to struct hns_roce_qp and configure DCQCN for UD QPs. Fixes: 27c5fd271d8b ("RDMA/hns: The UD mode can only be configured with DCQCN") Fixes: f91696f2f053 ("RDMA/hns: Support congestion control type selection according to the FW") Signed-off-by: Luoyouming Signed-off-by: Junxian Huang Link: https://lore.kernel.org/r/20240219061805.668170-1-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 076acd671fc6ebca768156cfe0c598793edfcaff Author: Dylan Hung Date: Fri Jan 19 13:45:47 2024 +0800 i3c: dw: Disable IBI IRQ depends on hot-join and SIR enabling [ Upstream commit 10201396ef6455a68ac671fa0163205d327ebb70 ] Disable IBI IRQ signal and status only when hot-join and SIR enabling of all target devices attached to the bus are disabled. Fixes: e389b1d72a62 ("i3c: dw: Add support for in-band interrupts") Signed-off-by: Dylan Hung Link: https://lore.kernel.org/r/20240119054547.983693-1-dylan_hung@aspeedtech.com Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit ccb6998cbc7d7bb24ae1dabefcf516d7619d9c38 Author: Arnd Bergmann Date: Tue Feb 13 11:05:00 2024 +0100 scsi: csiostor: Avoid function pointer casts [ Upstream commit 9f3dbcb5632d6876226031d552ef6163bb3ad215 ] csiostor uses function pointer casts to keep the csio_ln_ev state machine hidden, but this causes warnings about control flow integrity (KCFI) violations in clang-16 and higher: drivers/scsi/csiostor/csio_lnode.c:1098:33: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 1098 | return (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/csiostor/csio_lnode.c:1369:29: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 1369 | if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_uninit)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/csiostor/csio_lnode.c:1373:29: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 1373 | if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/csiostor/csio_lnode.c:1377:29: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 1377 | if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_offline)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Move the enum into a shared header so the correct types can be used without the need for casts. Fixes: a3667aaed569 ("[SCSI] csiostor: Chelsio FCoE offload driver") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20240213100518.457623-1-arnd@kernel.org Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 8844b2f8a3f0c428b74672f9726f9950b1a7764c Author: Chao Yu Date: Wed Jan 24 22:49:15 2024 +0800 f2fs: fix to avoid potential panic during recovery [ Upstream commit 21ec68234826b1b54ab980a8df6e33c74cfbee58 ] During recovery, if FAULT_BLOCK is on, it is possible that f2fs_reserve_new_block() will return -ENOSPC during recovery, then it may trigger panic. Also, if fault injection rate is 1 and only FAULT_BLOCK fault type is on, it may encounter deadloop in loop of block reservation. Let's change as below to fix these issues: - remove bug_on() to avoid panic. - limit the loop count of block reservation to avoid potential deadloop. Fixes: 956fa1ddc132 ("f2fs: fix to check return value of f2fs_reserve_new_block()") Reported-by: Zhiguo Niu Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 5e59e199f3a617a4e3340df642313d8a3664d654 Author: Chao Yu Date: Mon Jan 22 10:23:13 2024 +0800 f2fs: compress: fix to cover f2fs_disable_compressed_file() w/ i_sem [ Upstream commit 2f9420d3a94aeebd92db88f00f4f2f1a3bd3f6cf ] - f2fs_disable_compressed_file - check inode_has_data - f2fs_file_mmap - mkwrite - f2fs_get_block_locked : update metadata in compressed inode's disk layout - fi->i_flags &= ~F2FS_COMPR_FL - clear_inode_flag(inode, FI_COMPRESSED_FILE); we should use i_sem lock to prevent above race case. Fixes: 4c8ff7095bef ("f2fs: support data compression") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 8e2ea8b04cb8d976110c4568509e67d6a39b2889 Author: Wenjie Qi Date: Tue Jan 16 22:11:38 2024 +0800 f2fs: fix NULL pointer dereference in f2fs_submit_page_write() [ Upstream commit c2034ef6192a65a986a45c2aa2ed05824fdc0e9f ] BUG: kernel NULL pointer dereference, address: 0000000000000014 RIP: 0010:f2fs_submit_page_write+0x6cf/0x780 [f2fs] Call Trace: ? show_regs+0x6e/0x80 ? __die+0x29/0x70 ? page_fault_oops+0x154/0x4a0 ? prb_read_valid+0x20/0x30 ? __irq_work_queue_local+0x39/0xd0 ? irq_work_queue+0x36/0x70 ? do_user_addr_fault+0x314/0x6c0 ? exc_page_fault+0x7d/0x190 ? asm_exc_page_fault+0x2b/0x30 ? f2fs_submit_page_write+0x6cf/0x780 [f2fs] ? f2fs_submit_page_write+0x736/0x780 [f2fs] do_write_page+0x50/0x170 [f2fs] f2fs_outplace_write_data+0x61/0xb0 [f2fs] f2fs_do_write_data_page+0x3f8/0x660 [f2fs] f2fs_write_single_data_page+0x5bb/0x7a0 [f2fs] f2fs_write_cache_pages+0x3da/0xbe0 [f2fs] ... It is possible that other threads have added this fio to io->bio and submitted the io->bio before entering f2fs_submit_page_write(). At this point io->bio = NULL. If is_end_zone_blkaddr(sbi, fio->new_blkaddr) of this fio is true, then an NULL pointer dereference error occurs at bio_get(io->bio). The original code for determining zone end was after "out:", which would have missed some fio who is zone end. I've moved this code before "skip:" to make sure it's done for each fio. Fixes: e067dc3c6b9c ("f2fs: maintain six open zones for zoned devices") Signed-off-by: Wenjie Qi Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 10b19ea7146d094d417d516b9000357550079f80 Author: Chao Yu Date: Mon Jan 29 19:27:40 2024 +0800 f2fs: zone: fix to wait completion of last bio in zone correctly [ Upstream commit 536af8211586af09c5bea1c15ad28ddec5f66a97 ] It needs to check last zone_pending_bio and wait IO completion before traverse next fio in io->io_list, otherwise, bio in next zone may be submitted before all IO completion in current zone. Fixes: e067dc3c6b9c ("f2fs: maintain six open zones for zoned devices") Cc: Daeho Jeong Signed-off-by: Chao Yu Reviewed-by: Daeho Jeong Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 0386408036bfc8b50296d9e544ff91c4d52af2db Author: Chao Yu Date: Sat Jan 13 03:41:31 2024 +0800 f2fs: fix to remove unnecessary f2fs_bug_on() to avoid panic [ Upstream commit b896e302f79678451a94769ddd9e52e954c64fbb ] verify_blkaddr() will trigger panic once we inject fault into f2fs_is_valid_blkaddr(), fix to remove this unnecessary f2fs_bug_on(). Fixes: 18792e64c86d ("f2fs: support fault injection for f2fs_is_valid_blkaddr()") Reviewed-by: Daeho Jeong Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit bc1e39928c26df9e628f756398017e123827b976 Author: Chao Yu Date: Sat Jan 13 03:41:30 2024 +0800 f2fs: compress: fix to avoid inconsistence bewteen i_blocks and dnode [ Upstream commit 54607494875edd636aff3c21ace3ad9a7da758a9 ] In reserve_compress_blocks(), we update blkaddrs of dnode in prior to inc_valid_block_count(), it may cause inconsistent status bewteen i_blocks and blkaddrs once inc_valid_block_count() fails. To fix this issue, it needs to reverse their invoking order. Fixes: c75488fb4d82 ("f2fs: introduce F2FS_IOC_RESERVE_COMPRESS_BLOCKS") Reviewed-by: Daeho Jeong Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit eb6d30bca0f23a4cc1d1f342d016e563c13a9b6c Author: Chao Yu Date: Sun Dec 10 17:20:38 2023 +0800 f2fs: update blkaddr in __set_data_blkaddr() for cleanup [ Upstream commit 59d0d4c3eae0f3dd8886ed59f89f21fa09e324f5 ] This patch allows caller to pass blkaddr to f2fs_set_data_blkaddr() and let __set_data_blkaddr() inside f2fs_set_data_blkaddr() to update dn->data_blkaddr w/ last value of blkaddr. Just cleanup, no logic changes. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Stable-dep-of: 54607494875e ("f2fs: compress: fix to avoid inconsistence bewteen i_blocks and dnode") Signed-off-by: Sasha Levin commit dcd6b38ba2e860039c8098ad96cee7ccdaeeec23 Author: Chao Yu Date: Sun Dec 10 17:20:37 2023 +0800 f2fs: introduce get_dnode_addr() to clean up codes [ Upstream commit 2020cd48e41cb8470bb1ca0835033d13d3178425 ] Just cleanup, no logic changes. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Stable-dep-of: 54607494875e ("f2fs: compress: fix to avoid inconsistence bewteen i_blocks and dnode") Signed-off-by: Sasha Levin commit 5690754e40892bb282ff5656c4e95d44f6639ad2 Author: Chao Yu Date: Sun Dec 10 17:20:36 2023 +0800 f2fs: delete obsolete FI_DROP_CACHE [ Upstream commit bb6e1c8fa5b9b95bbb8e39b6105f8f6550e070fc ] FI_DROP_CACHE was introduced in commit 1e84371ffeef ("f2fs: change atomic and volatile write policies") for volatile write feature, after commit 7bc155fec5b3 ("f2fs: kill volatile write support"), we won't support volatile write, let's delete related codes. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Stable-dep-of: 54607494875e ("f2fs: compress: fix to avoid inconsistence bewteen i_blocks and dnode") Signed-off-by: Sasha Levin commit eaf3389c8545487c520d104f9596d810e51301bb Author: Chao Yu Date: Sun Dec 10 17:20:35 2023 +0800 f2fs: delete obsolete FI_FIRST_BLOCK_WRITTEN [ Upstream commit a53936361330e4c55c0654605178281387d9c761 ] Commit 3c6c2bebef79 ("f2fs: avoid punch_hole overhead when releasing volatile data") introduced FI_FIRST_BLOCK_WRITTEN as below reason: This patch is to avoid some punch_hole overhead when releasing volatile data. If volatile data was not written yet, we just can make the first page as zero. After commit 7bc155fec5b3 ("f2fs: kill volatile write support"), we won't support volatile write, but it missed to remove obsolete FI_FIRST_BLOCK_WRITTEN, delete it in this patch. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Stable-dep-of: 54607494875e ("f2fs: compress: fix to avoid inconsistence bewteen i_blocks and dnode") Signed-off-by: Sasha Levin commit d415e1c965992e9bffa32c7dbf9143ca2ce884ae Author: Sheng Yong Date: Sat Jan 13 03:41:29 2024 +0800 f2fs: compress: fix to check unreleased compressed cluster [ Upstream commit eb8fbaa53374e0a2d4381190abfe708481517bbb ] Compressed cluster may not be released due to we can fail in release_compress_blocks(), fix to handle reserved compressed cluster correctly in reserve_compress_blocks(). Fixes: 4c8ff7095bef ("f2fs: support data compression") Signed-off-by: Sheng Yong Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 75abfd61392b1db391bde6d738a30d685b843286 Author: Chao Yu Date: Sat Jan 13 03:41:28 2024 +0800 f2fs: compress: fix to cover normal cluster write with cp_rwsem [ Upstream commit fd244524c2cf07b5f4c3fe8abd6a99225c76544b ] When we overwrite compressed cluster w/ normal cluster, we should not unlock cp_rwsem during f2fs_write_raw_pages(), otherwise data will be corrupted if partial blocks were persisted before CP & SPOR, due to cluster metadata wasn't updated atomically. Fixes: 4c8ff7095bef ("f2fs: support data compression") Reviewed-by: Daeho Jeong Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 82704e598d7b33c7e45526e34d3c585426319bed Author: Chao Yu Date: Sat Jan 13 03:41:27 2024 +0800 f2fs: compress: fix to guarantee persisting compressed blocks by CP [ Upstream commit 8a430dd49e9cb021372b0ad91e60aeef9c6ced00 ] If data block in compressed cluster is not persisted with metadata during checkpoint, after SPOR, the data may be corrupted, let's guarantee to write compressed page by checkpoint. Fixes: 4c8ff7095bef ("f2fs: support data compression") Reviewed-by: Daeho Jeong Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 85570b91e4820a0db9d9432098778cafafa7d217 Author: William Kucharski Date: Fri Feb 2 02:15:49 2024 -0700 RDMA/srpt: Do not register event handler until srpt device is fully setup [ Upstream commit c21a8870c98611e8f892511825c9607f1e2cd456 ] Upon rare occasions, KASAN reports a use-after-free Write in srpt_refresh_port(). This seems to be because an event handler is registered before the srpt device is fully setup and a race condition upon error may leave a partially setup event handler in place. Instead, only register the event handler after srpt device initialization is complete. Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1") Signed-off-by: William Kucharski Link: https://lore.kernel.org/r/20240202091549.991784-2-william.kucharski@oracle.com Reviewed-by: Bart Van Assche Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit b9ad0e9217a1703479cf8d75a2893386159cc0ca Author: Mustafa Ismail Date: Wed Jan 31 17:39:53 2024 -0600 RDMA/irdma: Remove duplicate assignment [ Upstream commit 926e8ea4b8dac84f6d14a4b60d0653f1f2ba9431 ] Remove the unneeded assignment of the qp_num which is already set in irdma_create_qp(). Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Sindhu Devale Link: https://lore.kernel.org/r/20240131233953.400483-1-sindhu.devale@intel.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 22cad1b841a63635a38273b799b4791f202ade72 Author: Johan Carlsson Date: Wed Mar 13 09:15:09 2024 +0100 ALSA: usb-audio: Stop parsing channels bits when all channels are found. [ Upstream commit a39d51ff1f52cd0b6fe7d379ac93bd8b4237d1b7 ] If a usb audio device sets more bits than the amount of channels it could write outside of the map array. Signed-off-by: Johan Carlsson Fixes: 04324ccc75f9 ("ALSA: usb-audio: add channel map support") Message-ID: <20240313081509.9801-1-johan.carlsson@teenage.engineering> Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit de4bfe60b030c9f30f0caefa07e6c6c0d7f9fd9b Author: Gergo Koteles Date: Fri Mar 8 18:41:44 2024 +0100 ALSA: hda/tas2781: restore power state after system_resume [ Upstream commit 9fc91a6fe37c78ef301aed4251f7e50b8524e72d ] After system_resume the amplifers will remain off, even if they were on before system_suspend. Use playback_started bool to save the playback state, and restore power state based on it. Fixes: 5be27f1e3ec9 ("ALSA: hda/tas2781: Add tas2781 HDA driver") Signed-off-by: Gergo Koteles Signed-off-by: Takashi Iwai Message-ID: <1742b61901781826f6e6212ffe1d21af542d134a.1709918447.git.soyer@irl.hu> Signed-off-by: Sasha Levin commit ee4a82135de3cc47ca71a3cfd626bee8f3ff6ee6 Author: Gergo Koteles Date: Sat Dec 30 01:13:41 2023 +0100 ALSA: hda/tas2781: configure the amp after firmware load [ Upstream commit 68f7f3ff6c2a0998be9dc07622bd0d16fd1fda20 ] Make the amp available immediately after a module load to avoid having to wait for a PCM hook action. (eg. unloading & loading the module while listening music) Signed-off-by: Gergo Koteles Link: https://lore.kernel.org/r/7f2f65d9212aa16edd4db8725489ae59dbe74c66.1703895108.git.soyer@irl.hu Signed-off-by: Takashi Iwai Stable-dep-of: 9fc91a6fe37c ("ALSA: hda/tas2781: restore power state after system_resume") Signed-off-by: Sasha Levin commit 93cc238b7f56a028b8ec96a4419cfa56b9235121 Author: Gergo Koteles Date: Fri Mar 8 18:41:43 2024 +0100 ALSA: hda/tas2781: do not call pm_runtime_force_* in system_resume/suspend [ Upstream commit 5f51de7e30c7282162a631af8a425b54a4576346 ] The runtime_resume function calls prmg_load and apply_calibration functions, but system_resume also calls them, so calling pm_runtime_force_resume before reset is unnecessary. For consistency, do not call the pm_runtime_force_suspend in system_suspend, as runtime_suspend does the same. Fixes: 5be27f1e3ec9 ("ALSA: hda/tas2781: Add tas2781 HDA driver") Signed-off-by: Gergo Koteles Signed-off-by: Takashi Iwai Message-ID: Signed-off-by: Sasha Levin commit 939dbde009508ee258928e32c994c68afcc918a3 Author: Gergo Koteles Date: Sat Dec 30 01:09:42 2023 +0100 ALSA: hda/tas2781: add ptrs to calibration functions [ Upstream commit 76f5f55c45b906710c9565a7e68c8d782c46b394 ] Make calibration functions configurable to support different calibration data storage modes. Signed-off-by: Gergo Koteles Link: https://lore.kernel.org/r/5859c77ffef752b8a9784713b412d815d7e2688c.1703891777.git.soyer@irl.hu Signed-off-by: Takashi Iwai Stable-dep-of: 5f51de7e30c7 ("ALSA: hda/tas2781: do not call pm_runtime_force_* in system_resume/suspend") Signed-off-by: Sasha Levin commit c27f8b739f9ba2e57dbbf4d9cfe8909a6e847bfd Author: Gergo Koteles Date: Fri Mar 8 18:41:42 2024 +0100 ALSA: hda/tas2781: do not reset cur_* values in runtime_suspend [ Upstream commit bec7760a6c5fa59593dac264fa0c628e46815986 ] The amplifier doesn't loose register state in software shutdown mode, so there is no need to reset the cur_* values. Without these resets, the amplifier can be turned on after runtime_suspend without waiting for the program and profile to be restored. Fixes: 5be27f1e3ec9 ("ALSA: hda/tas2781: Add tas2781 HDA driver") Signed-off-by: Gergo Koteles Signed-off-by: Takashi Iwai Message-ID: Signed-off-by: Sasha Levin commit e965f1152b0c8e051308597d0e3885695ecd11f6 Author: Gergo Koteles Date: Fri Mar 8 18:41:41 2024 +0100 ALSA: hda/tas2781: add lock to system_suspend [ Upstream commit c58e6ed55a1bb9811d6d936d001b068bb0419467 ] Add the missing lock around tasdevice_tuning_switch(). Fixes: 5be27f1e3ec9 ("ALSA: hda/tas2781: Add tas2781 HDA driver") Signed-off-by: Gergo Koteles Signed-off-by: Takashi Iwai Message-ID: Signed-off-by: Sasha Levin commit 5796fe3fa432a1747f9c08010319f31d4f08ee5b Author: Gergo Koteles Date: Fri Mar 8 18:41:40 2024 +0100 ALSA: hda/tas2781: use dev_dbg in system_resume [ Upstream commit c850c9121cc8de867ce3ac36b9ae9d05f62bef14 ] The system_resume function uses dev_info for tracing, but the other pm functions use dev_dbg. Use dev_dbg as the other pm functions. Fixes: 5be27f1e3ec9 ("ALSA: hda/tas2781: Add tas2781 HDA driver") Signed-off-by: Gergo Koteles Signed-off-by: Takashi Iwai Message-ID: <140f3c689c9eb5874e6eb48a570fcd8207f06a41.1709918447.git.soyer@irl.hu> Signed-off-by: Sasha Levin commit cf850ab86f6f229d98584b96bcf59be118e187f9 Author: Athaariq Ardhiansyah Date: Sun Mar 10 20:58:44 2024 +0700 ALSA: hda/realtek: fix ALC285 issues on HP Envy x360 laptops [ Upstream commit c062166995c9e57d5cd508b332898f79da319802 ] Realtek codec on HP Envy laptop series are heavily modified by vendor. Therefore, need intervention to make it work properly. The patch fixes: - B&O soundbar speakers (between lid and keyboard) activation - Enable LED on mute button - Add missing process coefficient which affects the output amplifier - Volume control synchronization between B&O soundbar and side speakers - Unmute headset output on several HP Envy models - Auto-enable headset mic when plugged This patch was tested on HP Envy x360 13-AR0107AU with Realtek ALC285 The only unsolved problem is output amplifier of all built-in speakers is too weak, which causes volume of built-in speakers cannot be loud as vendor's proprietary driver due to missing _DSD parameter in the firmware. The solution is currently on research. Expected to has another patch in the future. Potential fix to related issues, need test before close those issues: - https://bugzilla.kernel.org/show_bug.cgi?id=189331 - https://bugzilla.kernel.org/show_bug.cgi?id=216632 - https://bugzilla.kernel.org/show_bug.cgi?id=216311 - https://bugzilla.kernel.org/show_bug.cgi?id=213507 Signed-off-by: Athaariq Ardhiansyah Message-ID: <20240310140249.3695-1-foss@athaariq.my.id> Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit e45deec35bf7f1f4f992a707b2d04a8c162f2240 Author: David Howells Date: Thu Feb 22 11:20:26 2024 +0000 cifs: Fix writeback data corruption [ Upstream commit f3dc1bdb6b0b0693562c7c54a6c28bafa608ba3c ] cifs writeback doesn't correctly handle the case where cifs_extend_writeback() hits a point where it is considering an additional folio, but this would overrun the wsize - at which point it drops out of the xarray scanning loop and calls xas_pause(). The problem is that xas_pause() advances the loop counter - thereby skipping that page. What needs to happen is for xas_reset() to be called any time we decide we don't want to process the page we're looking at, but rather send the request we are building and start a new one. Fix this by copying and adapting the netfslib writepages code as a temporary measure, with cifs writeback intending to be offloaded to netfslib in the near future. This also fixes the issue with the use of filemap_get_folios_tag() causing retry of a bunch of pages which the extender already dealt with. This can be tested by creating, say, a 64K file somewhere not on cifs (otherwise copy-offload may get underfoot), mounting a cifs share with a wsize of 64000, copying the file to it and then comparing the original file and the copy: dd if=/dev/urandom of=/tmp/64K bs=64k count=1 mount //192.168.6.1/test /mnt -o user=...,pass=...,wsize=64000 cp /tmp/64K /mnt/64K cmp /tmp/64K /mnt/64K Without the fix, the cmp fails at position 64000 (or shortly thereafter). Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list") Signed-off-by: David Howells cc: Steve French cc: Paulo Alcantara cc: Ronnie Sahlberg cc: Shyam Prasad N cc: Tom Talpey cc: Jeff Layton cc: linux-cifs@vger.kernel.org cc: samba-technical@lists.samba.org cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org Signed-off-by: Steve French Signed-off-by: Sasha Levin commit d3c792357cda808333d46e32d75fc84bd701ae23 Author: David Howells Date: Tue Jan 9 17:54:35 2024 +0000 cifs: Don't use certain unnecessary folio_*() functions [ Upstream commit c40497d82387188f14d9adc4caa58ee1cb1999e1 ] Filesystems should use folio->index and folio->mapping, instead of folio_index(folio), folio_mapping() and folio_file_mapping() since they know that it's in the pagecache. Change this automagically with: perl -p -i -e 's/folio_mapping[(]([^)]*)[)]/\1->mapping/g' fs/smb/client/*.c perl -p -i -e 's/folio_file_mapping[(]([^)]*)[)]/\1->mapping/g' fs/smb/client/*.c perl -p -i -e 's/folio_index[(]([^)]*)[)]/\1->index/g' fs/smb/client/*.c Reported-by: Matthew Wilcox Signed-off-by: David Howells cc: Jeff Layton cc: Steve French cc: Paulo Alcantara cc: Ronnie Sahlberg cc: Shyam Prasad N cc: Tom Talpey cc: linux-cifs@vger.kernel.org cc: linux-fsdevel@vger.kernel.org Stable-dep-of: f3dc1bdb6b0b ("cifs: Fix writeback data corruption") Signed-off-by: Sasha Levin commit 2e411c57562f81144431caa45ba33c7d6da86037 Author: Matthew Wilcox (Oracle) Date: Wed Nov 8 20:46:04 2023 +0000 smb: do not test the return value of folio_start_writeback() [ Upstream commit a9540e35624d1475f47dbf6353eed8b99936d36e ] In preparation for removing the return value entirely, stop testing it in smb. Link: https://lkml.kernel.org/r/20231108204605.745109-4-willy@infradead.org Signed-off-by: Matthew Wilcox (Oracle) Cc: David Howells Cc: Steve French Signed-off-by: Andrew Morton Stable-dep-of: f3dc1bdb6b0b ("cifs: Fix writeback data corruption") Signed-off-by: Sasha Levin commit 57541d8c89c0934dbb42c484cee531c952714b40 Author: Jonathan Bell Date: Sat Feb 17 14:37:22 2024 +0100 PCI: brcmstb: Fix broken brcm_pcie_mdio_write() polling [ Upstream commit 039741a8d7c9a01c1bc84a5ac5aa770a5e138a30 ] The MDIO_WT_DONE() macro tests bit 31, which is always 0 (== done) as readw_poll_timeout_atomic() does a 16-bit read. Replace with the readl variant. [kwilczynski: commit log] Fixes: ca5dcc76314d ("PCI: brcmstb: Replace status loops with read_poll_timeout_atomic()") Link: https://lore.kernel.org/linux-pci/20240217133722.14391-1-wahrenst@gmx.net Signed-off-by: Jonathan Bell Signed-off-by: Stefan Wahren Signed-off-by: Krzysztof Wilczyński Acked-by: Florian Fainelli Signed-off-by: Sasha Levin commit 0801c893fd48cdba66a3c8f44c3fe43cc67d3b85 Author: Duoming Zhou Date: Fri Mar 1 16:44:37 2024 +0800 clk: zynq: Prevent null pointer dereference caused by kmalloc failure [ Upstream commit 7938e9ce39d6779d2f85d822cc930f73420e54a6 ] The kmalloc() in zynq_clk_setup() will return null if the physical memory has run out. As a result, if we use snprintf() to write data to the null address, the null pointer dereference bug will happen. This patch uses a stack variable to replace the kmalloc(). Fixes: 0ee52b157b8e ("clk: zynq: Add clock controller driver") Suggested-by: Michal Simek Suggested-by: Stephen Boyd Signed-off-by: Duoming Zhou Link: https://lore.kernel.org/r/20240301084437.16084-1-duoming@zju.edu.cn Acked-by: Michal Simek Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit a5d9b1aa61b401867b9066d54086b3e4ee91f8ed Author: Bryan O'Donoghue Date: Sat Mar 2 00:52:14 2024 +0000 clk: Fix clk_core_get NULL dereference [ Upstream commit e97fe4901e0f59a0bfd524578fe3768f8ca42428 ] It is possible for clk_core_get to dereference a NULL in the following sequence: clk_core_get() of_clk_get_hw_from_clkspec() __of_clk_get_hw_from_provider() __clk_get_hw() __clk_get_hw() can return NULL which is dereferenced by clk_core_get() at hw->core. Prior to commit dde4eff47c82 ("clk: Look for parents with clkdev based clk_lookups") the check IS_ERR_OR_NULL() was performed which would have caught the NULL. Reading the description of this function it talks about returning NULL but that cannot be so at the moment. Update the function to check for hw before dereferencing it and return NULL if hw is NULL. Fixes: dde4eff47c82 ("clk: Look for parents with clkdev based clk_lookups") Signed-off-by: Bryan O'Donoghue Link: https://lore.kernel.org/r/20240302-linux-next-24-03-01-simple-clock-fixes-v1-1-25f348a5982b@linaro.org Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 73f06dadb60b685c3f2ba9107e7b05eb7df9a481 Author: Sam Ravnborg Date: Sat Feb 24 18:42:28 2024 +0100 sparc32: Fix section mismatch in leon_pci_grpci [ Upstream commit 24338a6ae13cb743ced77da1b3a12c83f08a0c96 ] Passing a datastructre marked _initconst to platform_driver_register() is wrong. Drop the __initconst notation. This fixes the following warnings: WARNING: modpost: vmlinux: section mismatch in reference: grpci1_of_driver+0x30 (section: .data) -> grpci1_of_match (section: .init.rodata) WARNING: modpost: vmlinux: section mismatch in reference: grpci2_of_driver+0x30 (section: .data) -> grpci2_of_match (section: .init.rodata) Signed-off-by: Sam Ravnborg Cc: "David S. Miller" Cc: Andreas Larsson Fixes: 4154bb821f0b ("sparc: leon: grpci1: constify of_device_id") Fixes: 03949b1cb9f1 ("sparc: leon: grpci2: constify of_device_id") Tested-by: Randy Dunlap # build-tested Reviewed-by: Andreas Larsson Tested-by: Andreas Larsson Signed-off-by: Andreas Larsson Link: https://lore.kernel.org/r/20240224-sam-fix-sparc32-all-builds-v2-7-1f186603c5c4@ravnborg.org Signed-off-by: Sasha Levin commit 26343bc16089a03611f8c78cadfc432f6677e253 Author: Daniel Thompson Date: Tue Feb 20 15:35:26 2024 +0000 backlight: lp8788: Fully initialize backlight_properties during probe [ Upstream commit 392346827fbe8a7fd573dfb145170d7949f639a6 ] props is stack allocated and the fields that are not explcitly set by the probe function need to be zeroed or we'll get undefined behaviour (especially so power/blank states)! Fixes: c5a51053cf3b ("backlight: add new lp8788 backlight driver") Signed-off-by: Daniel Thompson Link: https://lore.kernel.org/r/20240220153532.76613-4-daniel.thompson@linaro.org Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 7117253138bd7c61d96dbc307be1ef1e6e3503b4 Author: Daniel Thompson Date: Tue Feb 20 15:35:25 2024 +0000 backlight: lm3639: Fully initialize backlight_properties during probe [ Upstream commit abb5a5d951fbea3feb5c4ba179b89bb96a1d3462 ] props is stack allocated and the fields that are not explcitly set by the probe function need to be zeroed or we'll get undefined behaviour (especially so power/blank states)! Fixes: 0f59858d5119 ("backlight: add new lm3639 backlight driver") Signed-off-by: Daniel Thompson Link: https://lore.kernel.org/r/20240220153532.76613-3-daniel.thompson@linaro.org Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 6b97127d3fe14343d1afc900ec5a8ee1e13a3589 Author: Daniel Thompson Date: Tue Feb 20 15:35:24 2024 +0000 backlight: da9052: Fully initialize backlight_properties during probe [ Upstream commit 0285e9efaee8276305db5c52a59baf84e9731556 ] props is stack allocated and the fields that are not explcitly set by the probe function need to be zeroed or we'll get undefined behaviour (especially so power/blank states)! Fixes: 6ede3d832aaa ("backlight: add driver for DA9052/53 PMIC v1") Signed-off-by: Daniel Thompson Link: https://lore.kernel.org/r/20240220153532.76613-2-daniel.thompson@linaro.org Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 099d15c6b501ce2d85fef4c767d018579da23f1f Author: Luca Weiss Date: Tue Feb 20 00:11:20 2024 +0100 backlight: lm3630a: Don't set bl->props.brightness in get_brightness [ Upstream commit 4bf7ddd2d2f0f8826f25f74c7eba4e2c323a1446 ] There's no need to set bl->props.brightness, the get_brightness function is just supposed to return the current brightness and not touch the struct. With that done we can also remove the 'goto out' and just return the value. Fixes: 0c2a665a648e ("backlight: add Backlight driver for lm3630 chip") Signed-off-by: Luca Weiss Reviewed-by: Daniel Thompson Link: https://lore.kernel.org/r/20240220-lm3630a-fixups-v1-2-9ca62f7e4a33@z3ntu.xyz Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 28a2568eb11536398bcde4675626dde99c73c2fe Author: Luca Weiss Date: Tue Feb 20 00:11:19 2024 +0100 backlight: lm3630a: Initialize backlight_properties on init [ Upstream commit ad9aeb0e3aa90ebdad5fabf9c21783740eb95907 ] The backlight_properties struct should be initialized to zero before using, otherwise there will be some random values in the struct. Fixes: 0c2a665a648e ("backlight: add Backlight driver for lm3630 chip") Signed-off-by: Luca Weiss Reviewed-by: Daniel Thompson Link: https://lore.kernel.org/r/20240220-lm3630a-fixups-v1-1-9ca62f7e4a33@z3ntu.xyz Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit f582a249103045b2fae8ebe2e7bcc1cab3c0b75a Author: Jianhua Lu Date: Mon Jan 29 20:28:29 2024 +0800 backlight: ktz8866: Correct the check for of_property_read_u32 [ Upstream commit f1ac3c9825f99c93a9833beee6b78aa386e55b0b ] of_property_read_u32 returns 0 when success, so reverse the return value to get the true value. Fixes: f8449c8f7355 ("backlight: ktz8866: Add support for Kinetic KTZ8866 backlight") Signed-off-by: Jianhua Lu Reviewed-by: Daniel Thompson Link: https://lore.kernel.org/r/20240129122829.16248-1-lujianhua000@gmail.com Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit f3dfffb3447455e9afb9c5858a4eb16ad90f0346 Author: Ondrej Jirman Date: Sat Feb 17 20:11:30 2024 +0100 leds: sgm3140: Add missing timer cleanup and flash gpio control [ Upstream commit 205c29887a333ee4b37596e6533373e38cb23947 ] Enabling strobe and then setting brightness to 0 causes the driver to enter invalid state after strobe end timer fires. We should cancel strobe mode resources when changing brightness (aka torch mode). Fixes: cef8ec8cbd21 ("leds: add sgm3140 driver") Signed-off-by: Ondrej Jirman Link: https://lore.kernel.org/r/20240217191133.1757553-1-megi@xff.cz Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit e3f63060736fa6ffbf1827c5bb95e34d200473c3 Author: George Stark Date: Thu Dec 14 20:36:05 2023 +0300 leds: aw2013: Unlock mutex before destroying it [ Upstream commit 6969d0a2ba1adc9ba6a49b9805f24080896c255c ] In the probe() callback in case of error mutex is destroyed being locked which is not allowed so unlock the mutex before destroying. Fixes: 59ea3c9faf32 ("leds: add aw2013 driver") Signed-off-by: George Stark Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20231214173614.2820929-2-gnstark@salutedevices.com Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit ffc331a37e29616238e5d391ed455fb01f424aa7 Author: Michael Ellerman Date: Tue Mar 5 23:34:08 2024 +1100 powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc. [ Upstream commit 20933531be0577cdd782216858c26150dbc7936f ] Move the prototypes into mpc10x.h which is included by all the relevant C files, fixes: arch/powerpc/platforms/embedded6xx/ls_uart.c:59:6: error: no previous prototype for 'avr_uart_configure' arch/powerpc/platforms/embedded6xx/ls_uart.c:82:6: error: no previous prototype for 'avr_uart_send' Signed-off-by: Michael Ellerman Link: https://msgid.link/20240305123410.3306253-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 8ee19caaaa6476649ea68408d7325bacbf33f82f Author: Maciej Strozek Date: Fri Mar 1 10:15:47 2024 +0000 mfd: cs42l43: Fix wrong GPIO_FN_SEL and SPI_CLK_CONFIG1 defaults [ Upstream commit 78334c343bef528b911da83a6b041d15a1a72efb ] Two regs have wrong values in existing fields, change them to match the datasheet. Fixes: ace6d1448138 ("mfd: cs42l43: Add support for cs42l43 core driver") Signed-off-by: Maciej Strozek Reviewed-by: Charles Keepax Link: https://lore.kernel.org/r/20240301101547.2136948-1-mstrozek@opensource.cirrus.com Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 8c61e3beb03ef7c27132da6ce0ef29472646e4cf Author: Changbin Du Date: Tue Feb 27 10:35:46 2024 +0800 modules: wait do_free_init correctly [ Upstream commit 8f8cd6c0a43ed637e620bbe45a8d0e0c2f4d5130 ] The synchronization here is to ensure the ordering of freeing of a module init so that it happens before W+X checking. It is worth noting it is not that the freeing was not happening, it is just that our sanity checkers raced against the permission checkers which assume init memory is already gone. Commit 1a7b7d922081 ("modules: Use vmalloc special flag") moved calling do_free_init() into a global workqueue instead of relying on it being called through call_rcu(..., do_free_init), which used to allowed us call do_free_init() asynchronously after the end of a subsequent grace period. The move to a global workqueue broke the gaurantees for code which needed to be sure the do_free_init() would complete with rcu_barrier(). To fix this callers which used to rely on rcu_barrier() must now instead use flush_work(&init_free_wq). Without this fix, we still could encounter false positive reports in W+X checking since the rcu_barrier() here can not ensure the ordering now. Even worse, the rcu_barrier() can introduce significant delay. Eric Chanudet reported that the rcu_barrier introduces ~0.1s delay on a PREEMPT_RT kernel. [ 0.291444] Freeing unused kernel memory: 5568K [ 0.402442] Run /sbin/init as init process With this fix, the above delay can be eliminated. Link: https://lkml.kernel.org/r/20240227023546.2490667-1-changbin.du@huawei.com Fixes: 1a7b7d922081 ("modules: Use vmalloc special flag") Signed-off-by: Changbin Du Tested-by: Eric Chanudet Acked-by: Luis Chamberlain Cc: Xiaoyi Su Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 1fc5edeb3c6ec33179a81476e9d8fb1e47ad5a59 Author: Paloma Arellano Date: Thu Feb 22 11:39:47 2024 -0800 drm/msm/dpu: add division of drm_display_mode's hskew parameter [ Upstream commit 551ee0f210991d25f336bc27262353bfe99d3eed ] Setting up the timing engine when the physical encoder has a split role neglects dividing the drm_display_mode's hskew parameter. Let's fix this since this must also be done in preparation for implementing YUV420 over DP. Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") Signed-off-by: Paloma Arellano Reviewed-by: Dmitry Baryshkov Patchwork: https://patchwork.freedesktop.org/patch/579605/ Link: https://lore.kernel.org/r/20240222194025.25329-3-quic_parellan@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit b8db7d833ff4faaa468fca620a0428674f9ee26c Author: Gabor Juhos Date: Sun Feb 25 18:32:56 2024 +0100 clk: qcom: gcc-ipq5018: fix register offset for GCC_UBI0_AXI_ARES reset [ Upstream commit 7d474b43087aa356d714d39870c90d77fc6f1186 ] The current register offset used for the GCC_UBI0_AXI_ARES reset seems wrong. Or at least, the downstream driver uses [1] the same offset which is used for other the GCC_UBI0_*_ARES resets. Change the code to use the same offset used in the downstream driver and also specify the reset bit explicitly to use the same format as the followup entries. 1. https://git.codelinaro.org/clo/qsdk/oss/kernel/linux-ipq-5.4/-/blob/NHSS.QSDK.12.4.r4/drivers/clk/qcom/gcc-ipq5018.c?ref_type=heads#L3773 Fixes: e3fdbef1bab8 ("clk: qcom: Add Global Clock controller (GCC) driver for IPQ5018") Signed-off-by: Gabor Juhos Reviewed-by: Dmitry Baryshkov Reviewed-by: Kathiravan Thirumoorthy Link: https://lore.kernel.org/r/20240225-gcc-ipq5018-register-fixes-v1-3-3c191404d9f0@gmail.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 3ad0f41621750f048e3c6ca9097044d962912597 Author: Gabor Juhos Date: Sun Feb 25 18:32:55 2024 +0100 clk: qcom: gcc-ipq5018: fix 'halt_reg' offset of 'gcc_pcie1_pipe_clk' [ Upstream commit 11b752ac5a07cbfd95592fac5237a02f45662926 ] The following table shows the values of the 'halt_reg' and the 'enable_reg' fields from the pcie clocks defined in the current driver: clock halt_reg enable_reg gcc_pcie0_ahb_clk 0x75010 0x75010 gcc_pcie0_aux_clk 0x75014 0x75014 gcc_pcie0_axi_m_clk 0x75008 0x75008 gcc_pcie0_axi_s_bridge_clk 0x75048 0x75048 gcc_pcie0_axi_s_clk 0x7500c 0x7500c gcc_pcie0_pipe_clk 0x75018 0x75018 gcc_pcie1_ahb_clk 0x76010 0x76010 gcc_pcie1_aux_clk 0x76014 0x76014 gcc_pcie1_axi_m_clk 0x76008 0x76008 gcc_pcie1_axi_s_bridge_clk 0x76048 0x76048 gcc_pcie1_axi_s_clk 0x7600c 0x7600c gcc_pcie1_pipe_clk 8* 0x76018 Based on the table, it is quite likely that the pcie0 and the pci1 clocks are using the same register layout, however it seems that the value of the 'halt_reg' field in the 'gcc_pcie1_pipe_clk' clock is wrong. In the downstream driver [1], the same '0x76018' value is used for both the 'halt_reg' and for the 'enable_reg' fields of the 'gcc_pcie1_pipe_clk' clock. Update the current driver to use the same value used downstream as probably that is the correct value. 1. https://git.codelinaro.org/clo/qsdk/oss/kernel/linux-ipq-5.4/-/blob/NHSS.QSDK.12.4.r4/drivers/clk/qcom/gcc-ipq5018.c?ref_type=heads#L2316 Fixes: e3fdbef1bab8 ("clk: qcom: Add Global Clock controller (GCC) driver for IPQ5018") Signed-off-by: Gabor Juhos Reviewed-by: Dmitry Baryshkov Reviewed-by: Kathiravan Thirumoorthy Link: https://lore.kernel.org/r/20240225-gcc-ipq5018-register-fixes-v1-2-3c191404d9f0@gmail.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 40c37683535beec56abd67b7034891615f5fde8d Author: Gabor Juhos Date: Sun Feb 25 18:32:54 2024 +0100 clk: qcom: gcc-ipq5018: fix 'enable_reg' offset of 'gcc_gmac0_sys_clk' [ Upstream commit f982adcc1b1c02a3114f68ac73c811cbfabe90fa ] The value of the 'enable_reg' field in the 'gcc_gmac0_sys_clk' clock definition seems wrong as it is greater than the 'max_register' value defined in the regmap configuration. Additionally, all other gmac specific branch clock definitions within the driver uses the same value both for the 'enable_reg' and for the 'halt_reg' fields. Due to the lack of documentation the correct value is not known. Looking into the downstream driver does not help either, as that uses the same (presumably wrong) value [1]. Nevertheless, change the 'enable_reg' field of 'gcc_gmac0_sys_clk' to use the value from the 'halt_reg' field so it follows the pattern used in other gmac clock definitions. The change is based on the assumption that the register layout of this clock is the same as the other gmac clocks. 1. https://git.codelinaro.org/clo/qsdk/oss/kernel/linux-ipq-5.4/-/blob/NHSS.QSDK.12.4.r4/drivers/clk/qcom/gcc-ipq5018.c?ref_type=heads#L1889 Fixes: e3fdbef1bab8 ("clk: qcom: Add Global Clock controller (GCC) driver for IPQ5018") Signed-off-by: Gabor Juhos Reviewed-by: Dmitry Baryshkov Reviewed-by: Kathiravan Thirumoorthy Link: https://lore.kernel.org/r/20240225-gcc-ipq5018-register-fixes-v1-1-3c191404d9f0@gmail.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit c2c3bdaee224c70c02b952a789fd917a52e82dc9 Author: Kajol Jain Date: Thu Feb 29 17:58:47 2024 +0530 powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks [ Upstream commit ad86d7ee43b22aa2ed60fb982ae94b285c1be671 ] Running event hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ in one of the system throws below error: ---Logs--- # perf list | grep hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=?/[Kernel PMU event] # perf stat -v -e hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ sleep 2 Using CPUID 00800200 Control descriptor is not initialized Warning: hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ event is not supported by the kernel. failed to read counter hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ Performance counter stats for 'system wide': hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ 2.000700771 seconds time elapsed The above error is because of the hcall failure as required permission "Enable Performance Information Collection" is not set. Based on current code, single_gpci_request function did not check the error type incase hcall fails and by default returns EINVAL. But we can have other reasons for hcall failures like H_AUTHORITY/H_PARAMETER with detail_rc as GEN_BUF_TOO_SMALL, for which we need to act accordingly. Fix this issue by adding new checks in the single_gpci_request and h_gpci_event_init functions. Result after fix patch changes: # perf stat -e hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ sleep 2 Error: No permission to enable hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ event. Fixes: 220a0c609ad1 ("powerpc/perf: Add support for the hv gpci (get performance counter info) interface") Reported-by: Akanksha J N Signed-off-by: Kajol Jain Signed-off-by: Michael Ellerman Link: https://msgid.link/20240229122847.101162-1-kjain@linux.ibm.com Signed-off-by: Sasha Levin commit 1699fb915b9f61794d559b55114c09a390aaf234 Author: Qiheng Lin Date: Thu Dec 8 21:34:49 2022 +0800 powerpc/pseries: Fix potential memleak in papr_get_attr() [ Upstream commit cda9c0d556283e2d4adaa9960b2dc19b16156bae ] `buf` is allocated in papr_get_attr(), and krealloc() of `buf` could fail. We need to free the original `buf` in the case of failure. Fixes: 3c14b73454cf ("powerpc/pseries: Interface to represent PAPR firmware attributes") Signed-off-by: Qiheng Lin Signed-off-by: Michael Ellerman Link: https://msgid.link/20221208133449.16284-1-linqiheng@huawei.com Signed-off-by: Sasha Levin commit 30d1366b48140cf890b54bb7e891b05bf6b62ae1 Author: Maciej Strozek Date: Thu Feb 29 15:56:14 2024 +0000 mfd: cs42l43: Fix wrong register defaults [ Upstream commit c9e1e505cde1a8ddd0968b4d54ec2ea1937dfe00 ] A few regs have unnecessary values in defaults, change them to match the datasheet Fixes: ace6d1448138 ("mfd: cs42l43: Add support for cs42l43 core driver") Signed-off-by: Maciej Strozek Link: https://lore.kernel.org/r/20240229155616.118457-1-mstrozek@opensource.cirrus.com Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit a3dd12b64ae8373a41a216a0b621df224210860a Author: Hsin-Yi Wang Date: Fri Feb 23 13:23:29 2024 -0800 drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip [ Upstream commit c958e86e9cc1b48cac004a6e245154dfba8e163b ] It's possible that mtk_crtc->event is NULL in mtk_drm_crtc_finish_page_flip(). pending_needs_vblank value is set by mtk_crtc->event, but in mtk_drm_crtc_atomic_flush(), it's is not guarded by the same lock in mtk_drm_finish_page_flip(), thus a race condition happens. Consider the following case: CPU1 CPU2 step 1: mtk_drm_crtc_atomic_begin() mtk_crtc->event is not null, step 1: mtk_drm_crtc_atomic_flush: mtk_drm_crtc_update_config( !!mtk_crtc->event) step 2: mtk_crtc_ddp_irq -> mtk_drm_finish_page_flip: lock mtk_crtc->event set to null, pending_needs_vblank set to false unlock pending_needs_vblank set to true, step 2: mtk_crtc_ddp_irq -> mtk_drm_finish_page_flip called again, pending_needs_vblank is still true //null pointer Instead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more efficient to just check if mtk_crtc->event is null before use. Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") Signed-off-by: Hsin-Yi Wang Reviewed-by: CK Hu Link: https://patchwork.kernel.org/project/dri-devel/patch/20240223212404.3709690-1-hsinyi@chromium.org/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit 37e0f758e0573fefab300cfd602a4a0a1709678c Author: Théo Lebrun Date: Wed Feb 28 12:28:03 2024 +0100 gpio: nomadik: fix offset bug in nmk_pmx_set() [ Upstream commit 53cf6b72e074864b94ade97dcb6f30b5ac1a82dc ] Previously, the statement looked like: slpm[x] &= ~BIT(g->grp.pins[i]); Where: - slpm is a unsigned int pointer; - g->grp.pins[i] is a pin number. It can grow to more than 32. The expected shift amount is a pin bank offset. This bug does not occur on every group or pin: the altsetting must be NMK_GPIO_ALT_C and the pin must be 32 or above. It might have occured. For example, in pinctrl-nomadik-db8500.c, pin group i2c3_c_2 has the right altsetting and pins 229 and 230. Fixes: dbfe8ca259e1 ("pinctrl/nomadik: implement pin multiplexing") Reviewed-by: Linus Walleij Signed-off-by: Théo Lebrun Link: https://lore.kernel.org/r/20240228-mbly-gpio-v2-5-3ba757474006@bootlin.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 310ae9eb3d2a13345f2590e7581fd45d97323a02 Author: Asad Kamal Date: Wed Feb 28 12:24:15 2024 +0800 drm/amd/pm: Fix esm reg mask use to get pcie speed [ Upstream commit b485b899e5b8f83723833feca30a1a1e3df778df ] Fix mask used for esm ctrl register to get pcie link speed on smu_v11_0_3, smu_v13_0_2 & smu_v13_0_6 Fixes: 511a95552ec8 ("drm/amd/pm: Add SMU 13.0.6 support") Fixes: c05d1c401572 ("drm/amd/swsmu: add aldebaran smu13 ip support (v3)") Fixes: f1c378593153 ("drm/amd/powerplay: add Arcturus support for gpu metrics export") Signed-off-by: Asad Kamal Reviewed-by: Lijo Lazar Reviewed-by: Le Ma Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 4f14cbcd0b5c9bb198753baad8d9243393fe7554 Author: Maxime Ripard Date: Thu Feb 22 19:13:47 2024 +0100 drm/tests: helpers: Include missing drm_drv header [ Upstream commit 73984daf07a1a89ace8f0db6dd2d640654ebbbee ] We have a few functions declared in our kunit helpers header, some of them dereferencing the struct drm_driver. However, we don't include the drm_drv.h header file defining that structure, leading to compilation errors if we don't include both headers. Fixes: d98780310719 ("drm/tests: helpers: Allow to pass a custom drm_driver") Reviewed-by: Maíra Canal Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20240222-kms-hdmi-connector-state-v7-1-8f4af575fce2@kernel.org Signed-off-by: Sasha Levin commit e55093c542d9c5b1cdca528b3ed8812c47fd2a25 Author: Stephen Boyd Date: Thu Feb 22 22:40:29 2024 -0800 arm64: ftrace: Don't forbid CALL_OPS+CC_OPTIMIZE_FOR_SIZE with Clang [ Upstream commit a743f26d03a96593c0f3d05dc26b388f45de67c9 ] Per commit b3f11af9b2ce ("arm64: ftrace: forbid CALL_OPS with CC_OPTIMIZE_FOR_SIZE"), GCC is silently ignoring `-falign-functions=N` when passed `-Os`, causing functions to be improperly aligned. This doesn't seem to be a problem with Clang though, where enabling CALL_OPS with CC_OPTIMIZE_FOR_SIZE doesn't spit out any warnings at boot about misaligned patch-sites. Only forbid CALL_OPS if GCC is used and we're optimizing for size so that CALL_OPS can be used with clang optimizing for size. Cc: Jason Ling Cc: Florian Fainelli Cc: Mark Rutland Cc: Nathan Chancellor Cc: Nick Desaulniers Cc: Bill Wendling Cc: Justin Stitt Cc: llvm@lists.linux.dev Fixes: b3f11af9b2ce ("arm64: ftrace: forbid CALL_OPS with CC_OPTIMIZE_FOR_SIZE") Signed-off-by: Stephen Boyd Reviewed-by: Nathan Chancellor Link: https://lore.kernel.org/r/20240223064032.3463229-1-swboyd@chromium.org Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit 7334b815d2029764cefb2cac84afe3916369d1db Author: Arnd Bergmann Date: Sat Feb 24 13:10:22 2024 +0100 media: mediatek: vcodec: avoid -Wcast-function-type-strict warning [ Upstream commit bfb1b99802ef16045402deb855c197591dc78886 ] The ipi handler here tries hard to maintain const-ness of its argument, but by doing that causes a warning about function type casts: drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c:38:32: error: cast from 'mtk_vcodec_ipi_handler' (aka 'void (*)(void *, unsigned int, void *)') to 'ipi_handler_t' (aka 'void (*)(const void *, unsigned int, void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 38 | ipi_handler_t handler_const = (ipi_handler_t)handler; | ^~~~~~~~~~~~~~~~~~~~~~ Remove the hack and just use a non-const argument. Fixes: bf1d556ad4e0 ("media: mtk-vcodec: abstract firmware interface") Signed-off-by: Arnd Bergmann Reviewed-by: Ricardo Ribalda Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 7393c681f9aa05ffe2385e8716989565eed2fe06 Author: Zhipeng Lu Date: Wed Feb 21 13:17:04 2024 +0800 media: ttpci: fix two memleaks in budget_av_attach [ Upstream commit d0b07f712bf61e1a3cf23c87c663791c42e50837 ] When saa7146_register_device and saa7146_vv_init fails, budget_av_attach should free the resources it allocates, like the error-handling of ttpci_budget_init does. Besides, there are two fixme comment refers to such deallocations. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Zhipeng Lu Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit f31c1cc37411f5f7bcb266133f9a7e1b4bdf2975 Author: Zhipeng Lu Date: Wed Feb 21 12:37:13 2024 +0800 media: go7007: fix a memleak in go7007_load_encoder [ Upstream commit b9b683844b01d171a72b9c0419a2d760d946ee12 ] In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without a deallocation thereafter. After the following call chain: saa7134_go7007_init |-> go7007_boot_encoder |-> go7007_load_encoder |-> kfree(go) go is freed and thus bounce is leaked. Fixes: 95ef39403f89 ("[media] go7007: remember boot firmware") Signed-off-by: Zhipeng Lu Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 8fad9c5bb00d3a9508d18bbfe832e33a47377730 Author: Arnd Bergmann Date: Fri Feb 16 17:31:44 2024 +0100 media: dvb-frontends: avoid stack overflow warnings with clang [ Upstream commit 7a4cf27d1f0538f779bf31b8c99eda394e277119 ] A previous patch worked around a KASAN issue in stv0367, now a similar problem showed up with clang: drivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than] 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe) Rework the stv0367_writereg() function to be simpler and mark both register access functions as noinline_for_stack so the temporary i2c_msg structures do not get duplicated on the stack when KASAN_STACK is enabled. Fixes: 3cd890dbe2a4 ("media: dvb-frontends: fix i2c access helpers for KASAN") Signed-off-by: Arnd Bergmann Reviewed-by: Justin Stitt Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 8e60b99f6b7ccb3badeb512f5eb613ad45904592 Author: Edward Adam Davis Date: Fri Feb 16 15:30:47 2024 +0800 media: pvrusb2: fix uaf in pvr2_context_set_notify [ Upstream commit 0a0b79ea55de8514e1750884e5fec77f9fdd01ee ] [Syzbot reported] BUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 Read of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26 CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc4/0x620 mm/kasan/report.c:488 kasan_report+0xda/0x110 mm/kasan/report.c:601 pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline] pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272 Freed by task 906: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640 poison_slab_object mm/kasan/common.c:241 [inline] __kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2121 [inline] slab_free mm/slub.c:4299 [inline] kfree+0x105/0x340 mm/slub.c:4409 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline] pvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158 [Analyze] Task A set disconnect_flag = !0, which resulted in Task B's condition being met and releasing mp, leading to this issue. [Fix] Place the disconnect_flag assignment operation after all code in pvr2_context_disconnect() to avoid this issue. Reported-and-tested-by: syzbot+ce750e124675d4599449@syzkaller.appspotmail.com Fixes: e5be15c63804 ("V4L/DVB (7711): pvrusb2: Fix race on module unload") Signed-off-by: Edward Adam Davis Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit bf13e50a4b760a0155d4cce869dac8480c5ae839 Author: Srinivasan Shanmugam Date: Sat Feb 24 07:48:52 2024 +0530 drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int() [ Upstream commit 7cf1ad2fe10634238b38442a851d89514cb14ea2 ] Missing break statement in the ATOM_ARG_IMM case of a switch statement, adds the missing break statement, ensuring that the program's control flow is as intended. Fixes the below: drivers/gpu/drm/amd/amdgpu/atom.c:323 atom_get_src_int() warn: ignoring unreachable code. Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") Cc: Jammy Zhou Cc: Christian König Cc: Alex Deucher Signed-off-by: Srinivasan Shanmugam Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 54bec46280c1d8296d5767a76cb1a2bf00187b50 Author: Basavaraj Natikar Date: Wed Feb 14 20:11:42 2024 +0530 HID: amd_sfh: Avoid disabling the interrupt [ Upstream commit c1db0073212ef39d5a46c2aea5e49bf884375ce4 ] HP ProBook x360 435 G7 using older version of firmware which doesn't support disabling the interrupt for all commands. Hence avoid disabling the interrupt for that particular model. Link: https://bugzilla.kernel.org/show_bug.cgi?id=218104 Fixes: b300667b33b2 ("HID: amd_sfh: Disable the interrupt for all command") Co-developed-by: Akshata MukundShetty Signed-off-by: Akshata MukundShetty Signed-off-by: Basavaraj Natikar Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit c691d69fed1eb8e676bcfc70266a6af6bd71bc81 Author: Basavaraj Natikar Date: Wed Feb 14 20:11:41 2024 +0530 HID: amd_sfh: Update HPD sensor structure elements [ Upstream commit bbf0dec30696638b8bdc28cb2f5bf23f8d760b52 ] HPD sensor data is not populating properly because of wrong order of HPD sensor structure elements. So update the order of structure elements to match the HPD sensor data received from the firmware. Fixes: 24a31ea94922 ("HID: amd_sfh: Add initial support for HPD sensor") Co-developed-by: Akshata MukundShetty Signed-off-by: Akshata MukundShetty Signed-off-by: Basavaraj Natikar Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit dfde5becadf6c1146f7ee1a6e162ec030dede92c Author: Christophe JAILLET Date: Sat Aug 26 23:32:45 2023 +0200 perf pmu: Fix a potential memory leak in perf_pmu__lookup() [ Upstream commit ef5de1613d7d92bdc975e6beb34bb0fa94f34078 ] The commit in Fixes has reordered some code, but missed an error handling path. 'goto err' now, in order to avoid a memory leak in case of error. Fixes: f63a536f03a2 ("perf pmu: Merge JSON events with sysfs at load time") Signed-off-by: Christophe JAILLET Reviewed-by: Ian Rogers Cc: kernel-janitors@vger.kernel.org Signed-off-by: Namhyung Kim Link: https://lore.kernel.org/r/9538b2b634894c33168dfe9d848d4df31fd4d801.1693085544.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 05173ef70742026af8ddcf1d4c3df66cb4b9c0d9 Author: Jerome Brunet Date: Fri Feb 23 18:51:08 2024 +0100 ASoC: meson: axg-tdm-interface: add frame rate constraint [ Upstream commit 59c6a3a43b221cc2a211181b1298e43b2c2df782 ] According to Amlogic datasheets for the SoCs supported by this driver, the maximum bit clock rate is 100MHz. The tdm interface allows the rates listed by the DAI driver, regardless of the number slots or their width. However, these will impact the bit clock rate. Hitting the 100MHz limit is very unlikely for most use cases but it is possible. For example with 32 slots / 32 bits wide, the maximum rate is no longer 384kHz but ~96kHz. Add the constraint accordingly if the component is not already active. If it is active, the rate is already constrained by the first stream rate. Fixes: d60e4f1e4be5 ("ASoC: meson: add tdm interface driver") Signed-off-by: Jerome Brunet Link: https://msgid.link/r/20240223175116.2005407-3-jbrunet@baylibre.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 923d95bae79aeb1a3b6b9d1d18ad6527a8ff5dec Author: Jerome Brunet Date: Fri Feb 23 18:51:07 2024 +0100 ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs [ Upstream commit e3741a8d28a1137f8b19ae6f3d6e3be69a454a0a ] By default, when mclk-fs is not provided, the tdm-interface driver requests an MCLK that is 4x the bit clock, SCLK. However there is no justification for this: * If the codec needs MCLK for its operation, mclk-fs is expected to be set according to the codec requirements. * If the codec does not need MCLK the minimum is 2 * SCLK, because this is minimum the divider between SCLK and MCLK can do. Multiplying by 4 may cause problems because the PLL limit may be reached sooner than it should, so use 2x instead. Fixes: d60e4f1e4be5 ("ASoC: meson: add tdm interface driver") Signed-off-by: Jerome Brunet Link: https://msgid.link/r/20240223175116.2005407-2-jbrunet@baylibre.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8529c215360ba076590e7d4f03cb6636e401587a Author: Arnd Bergmann Date: Tue Feb 13 11:00:09 2024 +0100 mtd: rawnand: lpc32xx_mlc: fix irq handler prototype [ Upstream commit 347b828882e6334690e7003ce5e2fe5f233dc508 ] clang-16 warns about mismatched function prototypes: drivers/mtd/nand/raw/lpc32xx_mlc.c:783:29: error: cast from 'irqreturn_t (*)(int, struct lpc32xx_nand_host *)' (aka 'enum irqreturn (*)(int, struct lpc32xx_nand_host *)') to 'irq_handler_t' (aka 'enum irqreturn (*)(int, void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] Change the interrupt handler to the normal way of just passing a void* pointer and converting it inside the function.. Fixes: 70f7cb78ec53 ("mtd: add LPC32xx MLC NAND driver") Signed-off-by: Arnd Bergmann Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20240213100146.455811-1-arnd@kernel.org Signed-off-by: Sasha Levin commit 6853209fd36afa7bf596505b3e93787188efc828 Author: Baruch Siach Date: Thu Feb 8 12:34:18 2024 +0200 mtd: maps: physmap-core: fix flash size larger than 32-bit [ Upstream commit 3884f03edd34887514a0865a80769cd5362d5c3b ] mtd-ram can potentially be larger than 4GB. get_bitmask_order() uses fls() that is not guaranteed to work with values larger than 32-bit. Specifically on aarch64 fls() returns 0 when all 32 LSB bits are clear. Use fls64() instead. Fixes: ba32ce95cbd987 ("mtd: maps: Merge gpio-addr-flash.c into physmap-core.c") Signed-off-by: Baruch Siach Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/9fbf3664ce00f8b07867f1011834015f21d162a5.1707388458.git.baruch@tkos.co.il Signed-off-by: Sasha Levin commit e0cbea9a3c59865beb821e36f66b0b82f37c8b23 Author: Shengjiu Wang Date: Fri Feb 23 18:15:51 2024 +0800 clk: imx: imx8mp: Fix SAI_MCLK_SEL definition [ Upstream commit 13269dc6c70444528f0093585e3559cd2f38850a ] There is SAI1, SAI2, SAI3, SAI5, SAI6, SAI7 existing in this block control, the order is discontinuous. The definition of SAI_MCLK_SEL(n) is not match with the usage of CLK_SAIn(n). So define SAI##n##_MCLK_SEL separately to fix the issue. Fixes: 6cd95f7b151c ("clk: imx: imx8mp: Add audiomix block control") Signed-off-by: Shengjiu Wang Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/1708683351-8504-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit 1dce1cee24889dc8122101bc62354652ef6e78d5 Author: Tomi Valkeinen Date: Tue Feb 13 10:16:37 2024 +0200 drm/tidss: Fix sync-lost issue with two displays [ Upstream commit c079e2e113f2ec2803ba859bbb442a6ab82c96bd ] A sync lost issue can be observed with two displays, when moving a plane from one disabled display to an another disabled display, and then enabling the display to which the plane was moved to. The exact requirements for this to trigger are not clear. It looks like the issue is that the layers are left enabled in the first display's OVR registers. Even if the corresponding VP is disabled, it still causes an issue, as if the disabled VP and its OVR would still be in use, leading to the same VID being used by two OVRs. However, this is just speculation based on testing the DSS behavior. Experimentation shows that as a workaround, we can disable all the layers in the OVR when disabling a VP. There should be no downside to this, as the OVR is anyway effectively disabled if its VP is disabled, and it seems to solve the sync lost issue. However, there may be a bigger issue in play here, related to J721e erratum i2097 ("DSS: Disabling a Layer Connected to Overlay May Result in Synclost During the Next Frame"). Experimentation also shows that the OVR's CHANNELIN field has similar issue. So we may need to revisit this when we find out more about the core issue. Fixes: 32a1795f57ee ("drm/tidss: New driver for TI Keystone platform Display SubSystem") Reviewed-by: Aradhya Bhatia Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20240213-tidss-fixes-v1-2-d709e8dfa505@ideasonboard.com Signed-off-by: Sasha Levin commit 7a3cb96d72f466fa0ccbea47e8223a995a2a144c Author: Tomi Valkeinen Date: Tue Feb 13 10:16:36 2024 +0200 drm/tidss: Fix initial plane zpos values [ Upstream commit 3ec948ccb2c4b99e8fbfdd950adbe92ea577b395 ] When the driver sets up the zpos property it sets the default zpos value to the HW id of the plane. That is fine as such, but as on many DSS versions the driver arranges the DRM planes in a different order than the HW planes (to keep the non-scalable planes first), this leads to odd initial zpos values. An example is J721e, where the initial zpos values for DRM planes are 1, 3, 0, 2. In theory the userspace should configure the zpos values properly when using multiple planes, and in that sense the initial zpos values shouldn't matter, but there's really no reason not to fix this and help the userspace apps which don't handle zpos perfectly. In particular, some versions of Weston seem to have issues dealing with the planes with the current default zpos values. So let's change the zpos values for the DRM planes to 0, 1, 2, 3. Another option would be to configure the planes marked as primary planes to zpos 0. On a two display system this would give us plane zpos values of 0, 0, 1, 2. The end result and behavior would be very similar in this option, and I'm not aware that this would actually help us in any way. So, to keep the code simple, I opted for the 0, 1, 2, 3 values. Fixes: 32a1795f57ee ("drm/tidss: New driver for TI Keystone platform Display SubSystem") Reviewed-by: Aradhya Bhatia Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20240213-tidss-fixes-v1-1-d709e8dfa505@ideasonboard.com Signed-off-by: Sasha Levin commit f104e56294762def1895f314530ddace51a187d7 Author: Randy Dunlap Date: Sat Feb 17 08:55:13 2024 -0800 crypto: jitter - fix CRYPTO_JITTERENTROPY help text [ Upstream commit e63df1ec9a16dd9e13e9068243e64876de06f795 ] Correct various small problems in the help text: a. change 2 spaces to ", " b. finish an incomplete sentence c. change non-working URL to working URL Fixes: a9a98d49da52 ("crypto: Kconfig - simplify compression/RNG entries") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218458 Signed-off-by: Randy Dunlap Cc: Bagas Sanjaya Cc: Robert Elliott Cc: Christoph Biedl Cc: Herbert Xu Cc: "David S. Miller" Cc: linux-crypto@vger.kernel.org Acked-by: Bagas Sanjaya Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 7c5001d9d8e453ff83021ef6e69f3488bf80e940 Author: Damian Muszynski Date: Fri Feb 16 18:21:54 2024 +0100 crypto: qat - fix ring to service map for dcc in 4xxx [ Upstream commit df018f82002a8b4dc407bc9a6f416b9241d14415 ] If a device is configured for data compression chaining (dcc), half of the engines are loaded with the symmetric crypto image and the rest are loaded with the compression image. However, in such configuration all rings can handle compression requests. Fix the ring to service mapping so that when a device is configured for dcc, the ring to service mapping reports that all rings in a bank can be used for compression. Fixes: a238487f7965 ("crypto: qat - fix ring to service map for QAT GEN4") Signed-off-by: Damian Muszynski Reviewed-by: Giovanni Cabiddu Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 9ca3af17808d7886886631791c1994f5377cd05e Author: Jie Wang Date: Fri Dec 15 05:01:44 2023 -0500 crypto: qat - relocate and rename get_service_enabled() [ Upstream commit 4db87a5f9e3026d72e03bbdf1dac1dc5303e37f7 ] Move the function get_service_enabled() from adf_4xxx_hw_data.c to adf_cfg_services.c and rename it as adf_get_service_enabled(). This function is not specific to the 4xxx and will be used by other QAT drivers. This does not introduce any functional change. Signed-off-by: Jie Wang Reviewed-by: Giovanni Cabiddu Signed-off-by: Herbert Xu Stable-dep-of: df018f82002a ("crypto: qat - fix ring to service map for dcc in 4xxx") Signed-off-by: Sasha Levin commit a3eb010943ae7c9ce311711ef210fd68b906938c Author: Giovanni Cabiddu Date: Fri Oct 20 15:52:51 2023 +0100 crypto: qat - move adf_cfg_services [ Upstream commit 03c76e8e7a8d0d465838b8eaffcc07bdcc364f4d ] The file adf_cfg_services.h cannot be included in header files since it instantiates the structure adf_cfg_services. Move that structure to its own file and export the symbol. This does not introduce any functional change. Signed-off-by: Giovanni Cabiddu Reviewed-by: Damian Muszynski Signed-off-by: Herbert Xu Stable-dep-of: df018f82002a ("crypto: qat - fix ring to service map for dcc in 4xxx") Signed-off-by: Sasha Levin commit f5aa20882eea6932e364615621de97006a6cb57e Author: Adam Guerin Date: Fri Feb 16 15:19:57 2024 +0000 crypto: qat - avoid division by zero [ Upstream commit f99fb7d660f7c818105803f1f1915396a14d18ad ] Check if delta_us is not zero and return -EINVAL if it is. delta_us is unlikely to be zero as there is a sleep between the reads of the two timestamps. This is to fix the following warning when compiling the QAT driver using clang scan-build: drivers/crypto/intel/qat/qat_common/adf_clock.c:87:9: warning: Division by zero [core.DivideZero] 87 | temp = DIV_ROUND_CLOSEST_ULL(temp, delta_us); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fixes: e2980ba57e79 ("crypto: qat - add measure clock frequency") Signed-off-by: Adam Guerin Reviewed-by: Giovanni Cabiddu Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 6a28ba59e4771483d1e85ca11ded5944071406af Author: Mario Limonciello Date: Tue Feb 13 11:34:28 2024 -0600 crypto: ccp - Avoid discarding errors in psp_send_platform_access_msg() [ Upstream commit 0e8fca2f12ceb77c3a6b6f210135031f264aa612 ] Errors can potentially occur in the "processing" of PSP commands or commands can be processed successfully but still return an error code in the header. This second case was being discarded because PSP communication worked but the command returned an error code in the payload header. Capture both cases and return them to the caller as -EIO for the caller to investigate. The caller can detect the latter by looking at `req->header->status`. Reported-and-tested-by: Tim Van Patten Fixes: 7ccc4f4e2e50 ("crypto: ccp - Add support for an interface for platform features") Signed-off-by: Mario Limonciello Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 7baf1151c336e862245c278c3a8e5fbe144d93fd Author: Arnd Bergmann Date: Tue Feb 13 14:49:46 2024 +0100 crypto: arm/sha - fix function cast warnings [ Upstream commit 53cc9baeb9bc2a187eb9c9790d30995148852b12 ] clang-16 warns about casting between incompatible function types: arch/arm/crypto/sha256_glue.c:37:5: error: cast from 'void (*)(u32 *, const void *, unsigned int)' (aka 'void (*)(unsigned int *, const void *, unsigned int)') to 'sha256_block_fn *' (aka 'void (*)(struct sha256_state *, const unsigned char *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 37 | (sha256_block_fn *)sha256_block_data_order); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ arch/arm/crypto/sha512-glue.c:34:3: error: cast from 'void (*)(u64 *, const u8 *, int)' (aka 'void (*)(unsigned long long *, const unsigned char *, int)') to 'sha512_block_fn *' (aka 'void (*)(struct sha512_state *, const unsigned char *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 34 | (sha512_block_fn *)sha512_block_data_order); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fix the prototypes for the assembler functions to match the typedef. The code already relies on the digest being the first part of the state structure, so there is no change in behavior. Fixes: c80ae7ca3726 ("crypto: arm/sha512 - accelerated SHA-512 using ARM generic ASM and NEON") Fixes: b59e2ae3690c ("crypto: arm/sha256 - move SHA-224/256 ASM/NEON implementation to base layer") Signed-off-by: Arnd Bergmann Reviewed-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit f88698d6459c2c9f60f9fa4d0d7a852c28ffa8f6 Author: Mark Rutland Date: Fri Jan 26 14:56:05 2024 +0000 perf print-events: make is_event_supported() more robust [ Upstream commit 25412c0364f7110faa6053c73e3fd47ca956b8c3 ] Currently the perf tool doesn't detect support for extended event types on Apple M1/M2 systems, and will not auto-expand plain PERF_EVENT_TYPE hardware events into per-PMU events. This is due to the detection of extended event types not handling mandatory filters required by the M1/M2 PMU driver. PMU drivers and the core perf_events code can require that perf_event_attr::exclude_* filters are configured in a specific way and may reject certain configurations of filters, for example: (a) Many PMUs lack support for any event filtering, and require all perf_event_attr::exclude_* bits to be clear. This includes Alpha's CPU PMU, and ARM CPU PMUs prior to the introduction of PMUv2 in ARMv7, (b) When /proc/sys/kernel/perf_event_paranoid >= 2, the perf core requires that perf_event_attr::exclude_kernel is set. (c) The Apple M1/M2 PMU requires that perf_event_attr::exclude_guest is set as the hardware PMU does not count while a guest is running (but might be extended in future to do so). In is_event_supported(), we try to account for cases (a) and (b), first attempting to open an event without any filters, and if this fails, retrying with perf_event_attr::exclude_kernel set. We do not account for case (c), or any other filters that drivers could theoretically require to be set. Thus is_event_supported() will fail to detect support for any events targeting an Apple M1/M2 PMU, even where events would be supported with perf_event_attr:::exclude_guest set. Since commit: 82fe2e45cdb00de4 ("perf pmus: Check if we can encode the PMU number in perf_event_attr.type") ... we use is_event_supported() to detect support for extended types, with the PMU ID encoded into the perf_event_attr::type. As above, on an Apple M1/M2 system this will always fail to detect that the event is supported, and consequently we fail to detect support for extended types even when these are supported, as they have been since commit: 5c816728651ae425 ("arm_pmu: Add PERF_PMU_CAP_EXTENDED_HW_TYPE capability") Due to this, the perf tool will not automatically expand plain PERF_TYPE_HARDWARE events into per-PMU events, even when all the necessary kernel support is present. This patch updates is_event_supported() to additionally try opening events with perf_event_attr::exclude_guest set, allowing support for events to be detected on Apple M1/M2 systems. I believe that this is sufficient for all contemporary CPU PMU drivers, though in future it may be necessary to check for other combinations of filter bits. I've deliberately changed the check to not expect a specific error code for missing filters, as today ;the kernel may return a number of different error codes for missing filters (e.g. -EACCESS, -EINVAL, or -EOPNOTSUPP) depending on why and where the filter configuration is rejected, and retrying for any error is more robust. Note that this does not remove the need for commit: a24d9d9dc096fc0d ("perf parse-events: Make legacy events lower priority than sysfs/JSON") ... which is still necessary so that named-pmu/event/ events work on kernels without extended type support, even if the event name happens to be the same as a PERF_EVENT_TYPE_HARDWARE event (e.g. as is the case for the M1/M2 PMU's 'cycles' and 'instructions' events). Fixes: 82fe2e45cdb00de4 ("perf pmus: Check if we can encode the PMU number in perf_event_attr.type") Signed-off-by: Mark Rutland Tested-by: Ian Rogers Tested-by: James Clark Tested-by: Marc Zyngier Cc: Hector Martin Cc: James Clark Cc: John Garry Cc: Leo Yan Cc: Mike Leach Cc: Suzuki K Poulose Cc: Thomas Richter Cc: Will Deacon Cc: linux-arm-kernel@lists.infradead.org Signed-off-by: Namhyung Kim Link: https://lore.kernel.org/r/20240126145605.1005472-1-mark.rutland@arm.com Signed-off-by: Sasha Levin commit 18421148eed79fa253cff7fba06221079252961b Author: Peter Griffin Date: Tue Feb 20 11:50:12 2024 +0000 mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle() takes a ref [ Upstream commit e28c28a34ee9fa2ea671a20e5e7064e6220d55e7 ] of_parse_phandle() returns a device_node with refcount incremented, which the callee needs to call of_node_put() on when done. We should only call of_node_put() when the property argument is provided though as otherwise nothing has taken a reference on the node. Fixes: f36e789a1f8d ("mfd: altera-sysmgr: Add SOCFPGA System Manager") Signed-off-by: Peter Griffin Link: https://lore.kernel.org/r/20240220115012.471689-4-peter.griffin@linaro.org Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 1b01e66c1ce4769adebc5218133a09545e54859f Author: Peter Griffin Date: Tue Feb 20 11:50:10 2024 +0000 mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref [ Upstream commit d2b0680cf3b05490b579e71b0df6e07451977745 ] of_parse_phandle() returns a device_node with refcount incremented, which the callee needs to call of_node_put() on when done. We should only call of_node_put() when the property argument is provided though as otherwise nothing has taken a reference on the node. Fixes: 45330bb43421 ("mfd: syscon: Allow property as NULL in syscon_regmap_lookup_by_phandle") Signed-off-by: Peter Griffin Link: https://lore.kernel.org/r/20240220115012.471689-2-peter.griffin@linaro.org Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 81d998e183113845cef5740a88b32f9dc9f02fae Author: Alexander Stein Date: Wed Feb 21 08:15:50 2024 +0100 media: i2c: imx290: Fix IMX920 typo [ Upstream commit 6fc62efa266b0918c7b226f45c2eccfcf99a6d8e ] Replace IMX920 by IMX290. Fixes: b4ab57b07c5b9 ("media: i2c: imx290: Add crop selection targets support") Signed-off-by: Alexander Stein Reviewed-by: Manivannan Sadhasivam Reviewed-by: Laurent Pinchart Signed-off-by: Sakari Ailus Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 069e1bd0ad2d7ac26a36b54c1cbe9314da307019 Author: Sakari Ailus Date: Wed Feb 7 14:17:09 2024 +0200 media: ivsc: csi: Swap SINK and SOURCE pads [ Upstream commit 48f5fd8967f8dd01679fc1618b0cba02095cddc5 ] This patch swaps SINK and SOURCE pads of the MEI CSI sub-device. While this does change the UAPI by swapping the pads, the driver has never been usable in upstream kernel as the Intel IPU6 driver it depends on any functionality has not yet been merged. Fixes: 29006e196a56 ("media: pci: intel: ivsc: Add CSI submodule") Signed-off-by: Sakari Ailus Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit f33bf922d49d472b8d6900df89535c6f0ba86271 Author: Fedor Pchelkin Date: Fri Dec 15 12:33:55 2023 +0300 drm/tegra: put drm_gem_object ref on error in tegra_fb_create [ Upstream commit 32e5a120a5105bce01561978ee55aee8e40ac0dc ] Inside tegra_fb_create(), drm_gem_object_lookup() increments ref count of the found object. But if the following size check fails then the last found object's ref count should be put there as the unreferencing loop can't detect this situation. Found by Linux Verification Center (linuxtesting.org). Fixes: de2ba664c30f ("gpu: host1x: drm: Add memory manager and fb") Signed-off-by: Fedor Pchelkin Signed-off-by: Thierry Reding Link: https://patchwork.freedesktop.org/patch/msgid/20231215093356.12067-1-pchelkin@ispras.ru Signed-off-by: Sasha Levin commit 6ff01b314149d1cf59caebc29384f0beed21cba4 Author: Daniel Golle Date: Sun Feb 18 03:11:15 2024 +0000 clk: mediatek: mt7981-topckgen: flag SGM_REG_SEL as critical [ Upstream commit aa690050c00a251ab69e3c5204d582833d0b958c ] Without the SGM_REG_SEL clock enabled the cpu freezes if trying to access registers used by MT7981 clock drivers itself. Mark SGM_REG_SEL as critical to make sure it is always enabled to prevent freezes on boot even if the Ethernet driver which prepares and enables the clock is not loaded or probed at a later point. Fixes: 813c3b53b55b ("clk: mediatek: add MT7981 clock support") Signed-off-by: Daniel Golle Link: https://lore.kernel.org/r/fc157139e6b7f8dfb6430ac7191ba754027705e8.1708221995.git.daniel@makrotopia.org Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 56b8f242ebaf8e44def4a66067135417431b42f2 Author: Chen-Yu Tsai Date: Mon Feb 19 18:51:24 2024 +0800 clk: mediatek: mt8183: Correct parent of CLK_INFRA_SSPM_32K_SELF [ Upstream commit a65083fa663a335008e34f65e184041174a9dc7e ] CLK_INFRA_SSPM_32K_SELF has the "f_f26m_ck" clock assigned as its parent. This is inconsistent as the clock is part of a group that are all gates without dividers, and this makes the kernel think it runs at 26 MHz. After clarification from MediaTek engineers, the correct parent is actually the system 32 KHz clock. Fixes: 1eb8d61ac5c9 ("clk: mediatek: mt8183: Add back SSPM related clocks") Signed-off-by: Chen-Yu Tsai Link: https://lore.kernel.org/r/20240219105125.956278-1-wenst@chromium.org Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit de3340533bd68a7b3d6be1841b8eb3fa6c762fe6 Author: Christophe JAILLET Date: Sun Jan 7 09:29:28 2024 +0100 clk: mediatek: mt7622-apmixedsys: Fix an error handling path in clk_mt8135_apmixed_probe() [ Upstream commit a32e88f2b20259f5fe4f8eed598bbc85dc4879ed ] 'clk_data' is allocated with mtk_devm_alloc_clk_data(). So calling mtk_free_clk_data() explicitly in the remove function would lead to a double-free. Remove the redundant call. Fixes: c50e2ea6507b ("clk: mediatek: mt7622-apmixedsys: Add .remove() callback for module build") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/2c553c2a5077757e4f7af0bb895acc43881cf62c.1704616152.git.christophe.jaillet@wanadoo.fr Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 19a66e36c228b78c7593820fb4326a26fc8d6b10 Author: Christophe JAILLET Date: Sun Jan 7 09:12:17 2024 +0100 clk: mediatek: mt8135: Fix an error handling path in clk_mt8135_apmixed_probe() [ Upstream commit 03c1c51eba6be49b42816af9db114553131af6c8 ] If an error occurs after mtk_alloc_clk_data(), mtk_free_clk_data() should be called, as already done in the remove function. Fixes: 54b7026f011e ("clk: mediatek: mt8135-apmixedsys: Convert to platform_driver and module") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/6cd6af61e5a91598068227f1f68cfcfde1507453.1704615011.git.christophe.jaillet@wanadoo.fr Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 95d1f1228c1bb54803ae57525b76db60e99b37e4 Author: Christophe JAILLET Date: Sun Jan 21 16:16:24 2024 +0100 clk: hisilicon: hi3559a: Fix an erroneous devm_kfree() [ Upstream commit 64c6a38136b74a2f18c42199830975edd9fbc379 ] 'p_clk' is an array allocated just before the for loop for all clk that need to be registered. It is incremented at each loop iteration. If a clk_register() call fails, 'p_clk' may point to something different from what should be freed. The best we can do, is to avoid this wrong release of memory. Fixes: 6c81966107dc ("clk: hisilicon: Add clock driver for hi3559A SoC") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/773fc8425c3b8f5b0ca7c1d89f15b65831a85ca9.1705850155.git.christophe.jaillet@wanadoo.fr Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 0c55334f731eb6bfa932185051af63d9ad406935 Author: Christophe JAILLET Date: Wed Jan 10 19:58:21 2024 +0100 clk: hisilicon: hi3519: Release the correct number of gates in hi3519_clk_unregister() [ Upstream commit 74e39f526d95c0c119ada1874871ee328c59fbee ] The gates are stored in 'hi3519_gate_clks', not 'hi3519_mux_clks'. This is also in line with how hisi_clk_register_gate() is called in the probe. Fixes: 224b3b262c52 ("clk: hisilicon: hi3519: add driver remove path and fix some issues") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/c3f1877c9a0886fa35c949c8f0ef25547f284f18.1704912510.git.christophe.jaillet@wanadoo.fr Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 93664eb8d640c31b3b7bc31d470b99e3c193253d Author: Geert Uytterhoeven Date: Wed Feb 21 12:13:59 2024 +0100 pinctrl: renesas: Allow the compiler to optimize away sh_pfc_pm [ Upstream commit a6f06b909fee72c679c565adfa7f080f9595e336 ] The conversion to DEFINE_NOIRQ_DEV_PM_OPS() lost the ability of the compiler to optimize away the struct dev_pm_ops object when it is not needed. Fix this by replacing the use of pm_sleep_ptr() by a custom wrapper. Fixes: 727eb02eb753375e ("pinctrl: renesas: Switch to use DEFINE_NOIRQ_DEV_PM_OPS() helper") Signed-off-by: Geert Uytterhoeven Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/6238a78e32fa21f0c795406b6cba7bce7af92577.1708513940.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 1dee290109e39b66ed6cd6adcd3d0a5ee8b0efda Author: Jörg Wedekind Date: Mon Feb 19 14:28:11 2024 +0100 PCI: Mark 3ware-9650SE Root Port Extended Tags as broken [ Upstream commit baf67aefbe7d7deafa59ca49612d163f8889934c ] Per PCIe r6.1, sec 2.2.6.2 and 7.5.3.4, a Requester may not use 8-bit Tags unless its Extended Tag Field Enable is set, but all Receivers/Completers must handle 8-bit Tags correctly regardless of their Extended Tag Field Enable. Some devices do not handle 8-bit Tags as Completers, so add a quirk for them. If we find such a device, we disable Extended Tags for the entire hierarchy to make peer-to-peer DMA possible. The 3ware 9650SE seems to have issues with handling 8-bit tags. Mark it as broken. This fixes PCI Parity Errors like : 3w-9xxx: scsi0: ERROR: (0x06:0x000C): PCI Parity Error: clearing. 3w-9xxx: scsi0: ERROR: (0x06:0x000D): PCI Abort: clearing. 3w-9xxx: scsi0: ERROR: (0x06:0x000E): Controller Queue Error: clearing. 3w-9xxx: scsi0: ERROR: (0x06:0x0010): Microcontroller Error: clearing. Link: https://lore.kernel.org/r/20240219132811.8351-1-joerg@wedekind.de Fixes: 60db3a4d8cc9 ("PCI: Enable PCIe Extended Tags if supported") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=202425 Signed-off-by: Jörg Wedekind Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 87a5a9169c40b0596462cb3933242cbbb734c373 Author: AngeloGioacchino Del Regno Date: Thu Feb 15 09:53:09 2024 +0100 drm/mediatek: dsi: Fix DSI RGB666 formats and definitions [ Upstream commit fae6f815505301b92d9113764f4d76d0bfe45607 ] The register bits definitions for RGB666 formats are wrong in multiple ways: first, in the DSI_PS_SEL bits region, the Packed 18-bits RGB666 format is selected with bit 1, while the Loosely Packed one is bit 2, and second - the definition name "LOOSELY_PS_18BIT_RGB666" is wrong because the loosely packed format is 24 bits instead! Either way, functions mtk_dsi_ps_control_vact() and mtk_dsi_ps_control() do not even agree on the DSI_PS_SEL bit to set in DSI_PSCTRL: one sets loosely packed (24) on RGB666, the other sets packed (18), and the other way around for RGB666_PACKED. Fixing this entire stack of issues is done in one go: - Use the correct bit for the Loosely Packed RGB666 definition - Rename LOOSELY_PS_18BIT_RGB666 to LOOSELY_PS_24BIT_RGB666 - Change ps_bpp_mode in mtk_dsi_ps_control_vact() to set: - Loosely Packed, 24-bits for MIPI_DSI_FMT_RGB666 - Packed, 18-bits for MIPI_DSI_FMT_RGB666_PACKED Fixes: 2e54c14e310f ("drm/mediatek: Add DSI sub driver") Reviewed-by: Alexandre Mergnat Reviewed-by: CK Hu Signed-off-by: AngeloGioacchino Del Regno Link: https://patchwork.kernel.org/project/dri-devel/patch/20240215085316.56835-3-angelogioacchino.delregno@collabora.com/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit d4d8162d725dbbc2a65857516fac5ab7578e6846 Author: Douglas Anderson Date: Fri Feb 16 12:31:12 2024 -0800 drm/panel: boe-tv101wum-nl6: make use of prepare_prev_first [ Upstream commit 42a7a16bedc991190310a02dd202e29cfac52525 ] The panel on sc7180-trogdor-wormdingler and sc7180-trogdor-quackingstick hasn't been coming up since commit 9e15123eca79 ("drm/msm/dsi: Stop unconditionally powering up DSI hosts at modeset"). Let's add "prepare_prev_first" as has been done for many other DSI panels. Fixes: 9e15123eca79 ("drm/msm/dsi: Stop unconditionally powering up DSI hosts at modeset") Signed-off-by: Douglas Anderson Reviewed-by: Jessica Zhang Link: https://lore.kernel.org/r/20240216123111.1.I71c103720909790e1ec5a3f5bd96b18ab7b596fa@changeid Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20240216123111.1.I71c103720909790e1ec5a3f5bd96b18ab7b596fa@changeid Signed-off-by: Sasha Levin commit f610c46771ef1047e46d61807aa7c69cd29e63d8 Author: Srinivasan Shanmugam Date: Thu Feb 15 18:38:16 2024 +0530 drm/amd/display: Add 'replay' NULL check in 'edp_set_replay_allow_active()' [ Upstream commit f6aed043ee5d75b3d1bfc452b1a9584b63c8f76b ] In the first if statement, we're checking if 'replay' is NULL. But in the second if statement, we're not checking if 'replay' is NULL again before calling replay->funcs->replay_set_power_opt(). if (replay == NULL && force_static) return false; ... if (link->replay_settings.replay_feature_enabled && replay->funcs->replay_set_power_opt) { replay->funcs->replay_set_power_opt(replay, *power_opts, panel_inst); link->replay_settings.replay_power_opt_active = *power_opts; } If 'replay' is NULL, this will cause a null pointer dereference. Fixes the below found by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:895 edp_set_replay_allow_active() error: we previously assumed 'replay' could be null (see line 887) Fixes: c7ddc0a800bc ("drm/amd/display: Add Functions to enable Freesync Panel Replay") Cc: Bhawanpreet Lakha Cc: Roman Li Cc: Rodrigo Siqueira Cc: Aurabindo Pillai Cc: Tom Chung Suggested-by: Tom Chung Signed-off-by: Srinivasan Shanmugam Reviewed-by: Tom Chung Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 8863d8097a0f7fae875fcb7eb5332f364e827d3c Author: Konrad Dybcio Date: Wed Jan 3 21:20:18 2024 +0100 clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times [ Upstream commit 117e7dc697c2739d754db8fe0c1e2d4f1f5d5f82 ] SDM845 downstream uses non-default values for GDSC internal waits. Program them accordingly to avoid surprises. Fixes: 81351776c9fb ("clk: qcom: Add display clock controller driver for SDM845") Signed-off-by: Konrad Dybcio Tested-by: Caleb Connolly # OnePlus 6 Link: https://lore.kernel.org/r/20240103-topic-845gdsc-v1-1-368efbe1a61d@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 5b8d21f7edfd9c38c8f788b6baebf62801c285b0 Author: Arnd Bergmann Date: Tue Feb 13 11:04:27 2024 +0100 media: pvrusb2: fix pvr2_stream_callback casts [ Upstream commit 30baa4a96b23add91a87305baaeba82c4e109e1f ] clang-16 complains about a control flow integrity (KCFI) issue in pvrusb2, which casts three different prototypes into pvr2_stream_callback: drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1070:30: error: cast from 'void (*)(struct pvr2_v4l2_fh *)' to 'pvr2_stream_callback' (aka 'void (*)(void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 1070 | pvr2_stream_set_callback(sp,(pvr2_stream_callback)pvr2_v4l2_notify,fh); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/media/usb/pvrusb2/pvrusb2-context.c:110:6: error: cast from 'void (*)(struct pvr2_context *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] 110 | (void (*)(void *))pvr2_context_notify, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/media/usb/pvrusb2/pvrusb2-dvb.c:152:6: error: cast from 'void (*)(struct pvr2_dvb_adapter *)' to 'pvr2_stream_callback' (aka 'void (*)(void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 152 | (pvr2_stream_callback) pvr2_dvb_notify, adap); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Change the functions to actually take a void* argument so the cast is no longer needed. Fixes: bb8ce9d9143c ("V4L/DVB (7682): pvrusb2-dvb: finish up stream & buffer handling") Signed-off-by: Arnd Bergmann Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 1ff1f8c388f60a308b453b4762dcb81e726f1a3a Author: Daniil Dulov Date: Sun Feb 11 07:07:25 2024 -0800 media: pvrusb2: remove redundant NULL check [ Upstream commit 95ac1210fb2753f968ebce0730d4fbc553c2a3dc ] Pointer dip->stream cannot be NULL due to a shift, thus remove redundant NULL check. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: c74e0062684b ("V4L/DVB (5059): Pvrusb2: Be smarter about mode restoration") Signed-off-by: Daniil Dulov Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 79159e7c485e16c2cccb740c3a8c01026e1710fa Author: Daniil Dulov Date: Sun Feb 11 07:07:05 2024 -0800 media: go7007: add check of return value of go7007_read_addr() [ Upstream commit 0b70530ee740861f4776ff724fcc25023df1799a ] If go7007_read_addr() returns error channel is not assigned a value. In this case go to allocfail. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 866b8695d67e ("Staging: add the go7007 video driver") Signed-off-by: Daniil Dulov Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit d164ddc21e986dd9ad614b4b01746e5457aeb24f Author: Lucas Stach Date: Wed Jan 31 13:00:33 2024 +0100 media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak [ Upstream commit 4797a3dd46f220e6d83daf54d70c5b33db6deb01 ] Free the memory allocated in v4l2_ctrl_handler_init on release. Fixes: a8ef0488cc59 ("media: imx: add csc/scaler mem2mem device") Signed-off-by: Lucas Stach Reviewed-by: Philipp Zabel Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 8b50270c4aa0f2c0264b043bc985c620518996a2 Author: Jernej Skrabec Date: Sat Dec 16 14:34:22 2023 +0100 media: sun8i-di: Fix chroma difference threshold [ Upstream commit 856525e8db272b0ce6d9c6e6c2eeb97892b485a6 ] While there is no good explanation what this value does, vendor driver uses value 31 for it. Align driver with it. Fixes: a4260ea49547 ("media: sun4i: Add H3 deinterlace driver") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 9fd05afd5eef92fa013ef93629c5650018ad94eb Author: Jernej Skrabec Date: Sat Dec 16 14:34:21 2023 +0100 media: sun8i-di: Fix power on/off sequences [ Upstream commit cff104e33bad38f4b2c8d58816a7accfaa2879f9 ] According to user manual, reset line should be deasserted before clocks are enabled. Also fix power down sequence to be reverse of that. Fixes: a4260ea49547 ("media: sun4i: Add H3 deinterlace driver") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 5e56f933d24ef34b167f647809d919ec355222df Author: Jernej Skrabec Date: Sat Dec 16 14:34:20 2023 +0100 media: sun8i-di: Fix coefficient writes [ Upstream commit 794b581f8c6eb7b60fe468ccb96dd3cd38ff779f ] Currently coefficients are applied only once, since they don't change. However, this is done before enable bit is set and thus it doesn't get applied properly. Fix that by applying coefficients after enable bit is set. While this means that it will be done evey time, it doesn't bring much time penalty. Fixes: a4260ea49547 ("media: sun4i: Add H3 deinterlace driver") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 0bf19d8047360e6772c9f5ac977569b43360fa03 Author: Jernej Skrabec Date: Sat Dec 16 14:09:25 2023 +0100 media: cedrus: h265: Fix configuring bitstream size [ Upstream commit 3a11887f7f11a6bb1f05e7f67b3ea20dadfec443 ] bit_size field holds size of slice, not slice + header. Because of HW quirks, driver can't program in just slice, but also preceding header. But that means that currently used bit_size is wrong (too small). Instead, just use size of whole buffer. There is no harm in doing this. Fixes: 86caab29da78 ("media: cedrus: Add HEVC/H.265 decoding support") Suggested-by: Paul Kocialkowski Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit a039690d323221eb5865f1f31db3ec264e7a14b6 Author: Yang Yingliang Date: Fri Dec 1 11:30:56 2023 +0800 NTB: fix possible name leak in ntb_register_device() [ Upstream commit aebfdfe39b9327a3077d0df8db3beb3160c9bdd0 ] If device_register() fails in ntb_register_device(), the device name allocated by dev_set_name() should be freed. As per the comment in device_register(), callers should use put_device() to give up the reference in the error path. So fix this by calling put_device() in the error path so that the name can be freed in kobject_cleanup(). As a result of this, put_device() in the error path of ntb_register_device() is removed and the actual error is returned. Fixes: a1bd3baeb2f1 ("NTB: Add NTB hardware abstraction layer") Signed-off-by: Yang Yingliang Reviewed-by: Ilpo Järvinen Reviewed-by: Manivannan Sadhasivam Reviewed-by: Dave Jiang Link: https://lore.kernel.org/r/20231201033057.1399131-1-yangyingliang@huaweicloud.com [mani: reworded commit message] Signed-off-by: Manivannan Sadhasivam Signed-off-by: Sasha Levin commit fad132306512579a24f955db3f3bad2fbaf9f660 Author: Dmitry Baryshkov Date: Wed Feb 14 10:37:08 2024 +0200 drm: ci: use clk_ignore_unused for apq8016 [ Upstream commit aa1267e673fe5307cf00d02add4017d2878598b6 ] If the ADV7511 bridge driver is compiled as a module, while DRM_MSM is built-in, the clk_disable_unused congests with the runtime PM handling of the DSI PHY for the clk_prepare_lock(). This causes apq8016 runner to fail without completing any jobs ([1]). Drop the BM_CMDLINE which duplicate the command line from the .baremetal-igt-arm64 clause and enforce the clk_ignore_unused kernelarg instead to make apq8016 runner work. [1] https://gitlab.freedesktop.org/drm/msm/-/jobs/54990475 Fixes: 0119c894ab0d ("drm: Add initial ci/ subdirectory") Reviewed-by: Javier Martinez Canillas Signed-off-by: Dmitry Baryshkov Acked-by: Helen Koike Signed-off-by: Helen Koike Link: https://patchwork.freedesktop.org/patch/msgid/20240214083708.2323967-1-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit ced7df8b3c5c4751244cad79011e86cf1f809153 Author: Dan Carpenter Date: Fri Feb 9 16:02:16 2024 +0300 ASoC: SOF: Add some bounds checking to firmware data [ Upstream commit 98f681b0f84cfc3a1d83287b77697679e0398306 ] Smatch complains about "head->full_size - head->header_size" can underflow. To some extent, we're always going to have to trust the firmware a bit. However, it's easy enough to add a check for negatives, and let's add a upper bounds check as well. Fixes: d2458baa799f ("ASoC: SOF: ipc3-loader: Implement firmware parsing and loading") Signed-off-by: Dan Carpenter Link: https://msgid.link/r/5593d147-058c-4de3-a6f5-540ecb96f6f8@moroto.mountain Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c9901903edfb612a48b3d25cf84fa98b142124e7 Author: Christophe Leroy Date: Tue Feb 13 14:58:37 2024 +0100 powerpc: Force inlining of arch_vmap_p{u/m}d_supported() [ Upstream commit c5aebb53b32460bc52680dd4e2a2f6b84d5ea521 ] arch_vmap_pud_supported() and arch_vmap_pmd_supported() are expected to constant-fold to false when RADIX is not enabled. Force inlining in order to avoid following failure which leads to unexpected call of non-existing pud_set_huge() and pmd_set_huge() on powerpc 8xx. In function 'pud_huge_tests', inlined from 'debug_vm_pgtable' at mm/debug_vm_pgtable.c:1399:2: ./arch/powerpc/include/asm/vmalloc.h:9:33: warning: inlining failed in call to 'arch_vmap_pud_supported.isra': call is unlikely and code size would grow [-Winline] 9 | #define arch_vmap_pud_supported arch_vmap_pud_supported | ^~~~~~~~~~~~~~~~~~~~~~~ ./arch/powerpc/include/asm/vmalloc.h:10:20: note: in expansion of macro 'arch_vmap_pud_supported' 10 | static inline bool arch_vmap_pud_supported(pgprot_t prot) | ^~~~~~~~~~~~~~~~~~~~~~~ ./arch/powerpc/include/asm/vmalloc.h:9:33: note: called from here 9 | #define arch_vmap_pud_supported arch_vmap_pud_supported mm/debug_vm_pgtable.c:458:14: note: in expansion of macro 'arch_vmap_pud_supported' 458 | if (!arch_vmap_pud_supported(args->page_prot) || | ^~~~~~~~~~~~~~~~~~~~~~~ Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202402131836.OU1TDuoi-lkp@intel.com/ Fixes: 8309c9d71702 ("powerpc: inline huge vmap supported functions") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://msgid.link/bbd84ad52bf377e8d3b5865a906f2dc5d99964ba.1707832677.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit d6585d694fb4cfa0ff6f3d52e5f8e03e8514c10b Author: Jerome Brunet Date: Tue Feb 13 22:58:04 2024 +0100 ASoC: meson: t9015: fix function pointer type mismatch [ Upstream commit 5ad992c71b6a8e8a547954addc7af9fbde6ca10a ] clang-16 warns about casting functions to incompatible types, as is done here to call clk_disable_unprepare: sound/soc/meson/t9015.c:274:4: error: cast from 'void (*)(struct clk *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] 274 | (void(*)(void *))clk_disable_unprepare, The pattern of getting, enabling and setting a disable callback for a clock can be replaced with devm_clk_get_enabled(), which also fixes this warning. Fixes: 33901f5b9b16 ("ASoC: meson: add t9015 internal DAC driver") Reported-by: Arnd Bergmann Signed-off-by: Jerome Brunet Reviewed-by: Justin Stitt Link: https://msgid.link/r/20240213215807.3326688-3-jbrunet@baylibre.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b188c9e1d5d26ce1ca7223a2677f48f387543a22 Author: Jerome Brunet Date: Tue Feb 13 22:58:03 2024 +0100 ASoC: meson: aiu: fix function pointer type mismatch [ Upstream commit 98ac85a00f31d2e9d5452b825a9ed0153d934043 ] clang-16 warns about casting functions to incompatible types, as is done here to call clk_disable_unprepare: sound/soc/meson/aiu.c:243:12: error: cast from 'void (*)(struct clk *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] 243 | (void(*)(void *))clk_disable_unprepare, The pattern of getting, enabling and setting a disable callback for a clock can be replaced with devm_clk_get_enabled(), which also fixes this warning. Fixes: 6ae9ca9ce986 ("ASoC: meson: aiu: add i2s and spdif support") Reported-by: Arnd Bergmann Signed-off-by: Jerome Brunet Reviewed-by: Justin Stitt Link: https://msgid.link/r/20240213215807.3326688-2-jbrunet@baylibre.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0bbe598b583007527f63f71e90868b0ba3ed2b94 Author: Ian Rogers Date: Fri Feb 9 12:49:47 2024 -0800 perf metric: Don't remove scale from counts [ Upstream commit 6d6be5eb45b423a37d746d3ee0fd0c78f76ead9f ] Counts were switched from the scaled saved value form to the aggregated count to avoid double accounting. When this happened the removing of scaling for a count should have been removed, however, it wasn't and this wasn't observed as it normally doesn't matter because a counter's scale is 1. A problem was observed with RAPL events that are scaled. Fixes: 37cc8ad77cf8 ("perf metric: Directly use counts rather than saved_value") Signed-off-by: Ian Rogers Reviewed-by: Kan Liang Cc: K Prateek Nayak Cc: James Clark Cc: Kaige Ye Cc: John Garry Signed-off-by: Namhyung Kim Link: https://lore.kernel.org/r/20240209204947.3873294-5-irogers@google.com Signed-off-by: Sasha Levin commit 40ae9bb1ddc71d23d241bbd4af1252e3537b5ac2 Author: Ian Rogers Date: Fri Feb 9 12:49:46 2024 -0800 perf stat: Avoid metric-only segv [ Upstream commit 2543947c77e0e224bda86b4e7220c2f6714da463 ] Cycles is recognized as part of a hard coded metric in stat-shadow.c, it may call print_metric_only with a NULL fmt string leading to a segfault. Handle the NULL fmt explicitly. Fixes: 088519f318be ("perf stat: Move the display functions to stat-display.c") Signed-off-by: Ian Rogers Reviewed-by: Kan Liang Cc: K Prateek Nayak Cc: James Clark Cc: Kaige Ye Cc: John Garry Signed-off-by: Namhyung Kim Link: https://lore.kernel.org/r/20240209204947.3873294-4-irogers@google.com Signed-off-by: Sasha Levin commit e40ef597e57c83cf7bd4e44a8bdad82043704673 Author: Ian Rogers Date: Fri Feb 9 12:49:45 2024 -0800 perf expr: Fix "has_event" function for metric style events [ Upstream commit 6dd76680b925228312756c13b9b983661b552a64 ] Events in metrics cannot use '/' as a separator, it would be recognized as a divide, so they use '@'. The '@' is recognized in the metricgroups code and changed to '/', do the same in the has_event function so that the parsing is only tried without the @s. Fixes: 4a4a9bf9075f ("perf expr: Add has_event function") Signed-off-by: Ian Rogers Reviewed-by: Kan Liang Cc: K Prateek Nayak Cc: James Clark Cc: Kaige Ye Cc: John Garry Signed-off-by: Namhyung Kim Link: https://lore.kernel.org/r/20240209204947.3873294-3-irogers@google.com Signed-off-by: Sasha Levin commit 435e7f647428b9fde70b905c0f7ddb89f54e10ed Author: Takashi Iwai Date: Tue Feb 13 14:53:43 2024 +0100 ALSA: seq: fix function cast warnings [ Upstream commit d7bf73809849463f76de42aad62c850305dd6c5d ] clang-16 points out a control flow integrity (kcfi) issue when event callbacks get converted to incompatible types: sound/core/seq/seq_midi.c:135:30: error: cast from 'int (*)(struct snd_rawmidi_substream *, const char *, int)' to 'snd_seq_dump_func_t' (aka 'int (*)(void *, void *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 135 | snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)dump_midi, substream); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ sound/core/seq/seq_virmidi.c:83:31: error: cast from 'int (*)(struct snd_rawmidi_substream *, const unsigned char *, int)' to 'snd_seq_dump_func_t' (aka 'int (*)(void *, void *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 83 | snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)snd_rawmidi_receive, vmidi->substream); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ For addressing those errors, introduce wrapper functions that are used for callbacks and bridge to the actual function call with pointer cast. The code was originally added with the initial ALSA merge in linux-2.5.4. [ the patch description shamelessly copied from Arnd's original patch -- tiwai ] Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Arnd Bergmann Link: https://lore.kernel.org/r/20240213101020.459183-1-arnd@kernel.org Link: https://lore.kernel.org/r/20240213135343.16411-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 427322dccd987ccb916087c84856a7d126a34687 Author: Geert Uytterhoeven Date: Thu Jan 25 16:45:13 2024 +0100 clk: renesas: r8a779f0: Correct PFC/GPIO parent clock [ Upstream commit d1b32a83a02d9433dbd8c5f4d6fc44aa597755bd ] According to the R-Car S4 Series Hardware User’s Manual Rev.0.81, the parent clock of the Pin Function (PFC/GPIO) module clock is the CP clock. As this clock is not documented to exist on R-Car S4, use the CPEX clock instead. Fixes: 73421f2a48e6bd1d ("clk: renesas: r8a779f0: Add PFC clock") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/f88ec4aede0eaf0107c8bb7b28ba719ac6cd418f.1706197415.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 78dd26a1c1b3b475b5110525c26d749630109bc9 Author: Geert Uytterhoeven Date: Thu Jan 25 16:43:26 2024 +0100 clk: renesas: r8a779g0: Correct PFC/GPIO parent clocks [ Upstream commit abb3fa662b8f8eaed1590b0e7a4e19eda467cdd3 ] According to the R-Car V4H Series Hardware User’s Manual Rev.1.00, the parent clock of the Pin Function (PFC/GPIO) module clocks is the CP clock. Fix this by adding the missing CP clock, and correcting the PFC parents. Fixes: f2afa78d5a0c0b0b ("dt-bindings: clock: Add r8a779g0 CPG Core Clock Definitions") Fixes: 36ff366033f0dde1 ("clk: renesas: r8a779g0: Add PFC/GPIO clocks") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/5401fccd204dc90b44f0013e7f53b9eff8df8214.1706197297.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit e040f1fbe9abae91b12b074cfc3bbb5367b79811 Author: Nikita Zhandarovich Date: Tue Feb 6 08:50:56 2024 -0800 drm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini() [ Upstream commit 2a3cfb9a24a28da9cc13d2c525a76548865e182c ] Since 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL before the call to dc_enable_dmub_notifications(), check beforehand to ensure there will not be a possible NULL-ptr-deref there. Also, since commit 1e88eb1b2c25 ("drm/amd/display: Drop CONFIG_DRM_AMD_DC_HDCP") there are two separate checks for NULL in 'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy(). Clean up by combining them all under one 'if'. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 81927e2808be ("drm/amd/display: Support for DMUB AUX") Signed-off-by: Nikita Zhandarovich Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 6fc5fb8ebef803285a8f71e298e8a658d836a492 Author: Nikita Zhandarovich Date: Tue Feb 6 08:48:14 2024 -0800 drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode() [ Upstream commit c4891d979c7668b195a0a75787967ec95a24ecef ] Clean up a typo in pr_err() erroneously printing NI MC 'rdev->mc_fw->size' during SMC firmware load. Log 'rdev->smc_fw->size' instead. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 6596afd48af4 ("drm/radeon/kms: add dpm support for btc (v3)") Signed-off-by: Nikita Zhandarovich Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit fd0ce43cbde387bfdc66f4d919ea11992ab3ca40 Author: Marijn Suijten Date: Sun Feb 4 18:45:27 2024 +0100 drm/msm/dpu: Only enable DSC_MODE_MULTIPLEX if dsc_merge is enabled [ Upstream commit 06267d22f9ee6fd34150b6dcdb2fa6983e1a85bc ] When the topology calls for two interfaces on the current fixed topology of 2 DSC blocks, or uses 1 DSC block for a single interface (e.g. SC7280 with only one DSC block), there should be no merging of DSC output. This is already represented by the return value of dpu_encoder_use_dsc_merge(), but not yet used to correctly configure this flag. Fixes: 58dca9810749 ("drm/msm/disp/dpu1: Add support for DSC in encoder") Signed-off-by: Marijn Suijten Reviewed-by: Dmitry Baryshkov Patchwork: https://patchwork.freedesktop.org/patch/577067/ Link: https://lore.kernel.org/r/20240204-dpu-dsc-multiplex-v1-1-080963233c52@somainline.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 3bb4f4b162760536287eee298810bb5b89512f36 Author: Abhinav Kumar Date: Wed Jan 31 16:47:36 2024 -0800 drm/msm/dpu: fix the programming of INTF_CFG2_DATA_HCTL_EN [ Upstream commit 2f4a67a3894e15c135125cb54edc5b43abc1b70e ] Currently INTF_CFG2_DATA_HCTL_EN is coupled with the enablement of widebus but this is incorrect because we should be enabling this bit independent of widebus except for cases where compression is enabled in one pixel per clock mode. Fix this by making the condition checks more explicit and enabling INTF_CFG2_DATA_HCTL_EN for all other cases when supported by DPU. Fixes: 3309a7563971 ("drm/msm/dpu: revise timing engine programming to support widebus feature") Suggested-by: Dmitry Baryshkov Signed-off-by: Abhinav Kumar Reviewed-by: Dmitry Baryshkov Patchwork: https://patchwork.freedesktop.org/patch/576722/ Link: https://lore.kernel.org/r/20240201004737.2478-1-quic_abhinavk@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit e2326c8ae3a61af3d5cb841e761b0791923d968c Author: Adam Skladowski Date: Sun Jan 21 20:41:01 2024 +0100 dt-bindings: msm: qcom, mdss: Include ommited fam-b compatible [ Upstream commit 3b63880de42bd3cb79c2a99949135a8f2441c088 ] During conversion 28nm-hpm-fam-b compat got lost, add it. Signed-off-by: Adam Skladowski Fixes: f7d46c5efee2 ("dt-bindings: display/msm: split qcom, mdss bindings") Acked-by: Krzysztof Kozlowski Patchwork: https://patchwork.freedesktop.org/patch/575290/ Link: https://lore.kernel.org/r/20240121194221.13513-4-a39.skl@gmail.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 149ad69e002d769d477d0a19229ad392301f3f30 Author: Ian Rogers Date: Wed Jan 31 16:15:02 2024 -0800 perf srcline: Add missed addr2line closes [ Upstream commit c7ba9d18ae47924a6ea6a47ca139779f58eb83c0 ] The child_process for addr2line sets in and out to -1 so that pipes get created. It is the caller's responsibility to close the pipes, finish_command doesn't do it. Add the missed closes. Fixes: b3801e791231 ("perf srcline: Simplify addr2line subprocess") Signed-off-by: Ian Rogers Cc: Ravi Bangoria Cc: James Clark Cc: Nick Desaulniers Cc: Nathan Chancellor Cc: Kan Liang Cc: John Garry Cc: Tom Rix Cc: llvm@lists.linux.dev Signed-off-by: Namhyung Kim Link: https://lore.kernel.org/r/20240201001504.1348511-8-irogers@google.com Signed-off-by: Sasha Levin commit 3e72d9d98036c42a957fdce86478a96d8d934bdf Author: Yang Jihong Date: Tue Feb 6 08:32:28 2024 +0000 perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str() [ Upstream commit 1eb3d924e3c0b8c27388b0583a989d757866efb6 ] slist needs to be freed in both error path and normal path in thread_map__new_by_tid_str(). Fixes: b52956c961be3a04 ("perf tools: Allow multiple threads or processes in record, stat, top") Reviewed-by: Arnaldo Carvalho de Melo Signed-off-by: Yang Jihong Signed-off-by: Namhyung Kim Link: https://lore.kernel.org/r/20240206083228.172607-6-yangjihong1@huawei.com Signed-off-by: Sasha Levin commit cfd9b1db6475e9e38970d055a5ddcf3222f2a32a Author: Randy Dunlap Date: Wed Feb 7 08:13:22 2024 -0800 drivers/ps3: select VIDEO to provide cmdline functions [ Upstream commit 7edd06233958d9086a9e3eb723a8768d3c5a9ce1 ] When VIDEO is not set, there is a build error. Fix that by selecting VIDEO for PS3_PS3AV. ERROR: modpost: ".video_get_options" [drivers/ps3/ps3av_mod.ko] undefined! Fixes: dae7fbf43fd0 ("driver/ps3: Include