commit d49914ee4ec93d58d90a12275a814415c189059c Author: Greg Kroah-Hartman Date: Wed Aug 17 15:16:21 2022 +0200 Linux 5.19.2 Link: https://lore.kernel.org/r/20220815180439.416659447@linuxfoundation.org Tested-by: Shuah Khan Tested-by: Ronald Warsow Tested-by: Bagas Sanjaya Tested-by: Ron Economos Link: https://lore.kernel.org/r/20220816124610.393032991@linuxfoundation.org Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Guenter Roeck Tested-by: Jiri Slaby Tested-by: Justin M. Forbes Signed-off-by: Greg Kroah-Hartman commit 95b05bd36fe017e30cd1405c7750768f63715cf9 Author: Paul Chaignon Date: Mon Jul 25 16:31:58 2022 +0200 vxlan: Use ip_tunnel_key flow flags in route lookups commit 7e2fb8bc7ef6c7a63ca95751b90162dece0b3f4c upstream. Use the new ip_tunnel_key field with the flow flags in the IPv4 route lookups for the encapsulated packet. This will be used by the bpf_skb_set_tunnel_key helper in a subsequent commit. Signed-off-by: Paul Chaignon Signed-off-by: Daniel Borkmann Reviewed-by: Nikolay Aleksandrov Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/1ffc95c3d60182fd5ec0cf6602083f8f68afe98f.1658759380.git.paul@isovalent.com Signed-off-by: Greg Kroah-Hartman commit 3229787d4ee8cd70872c85f2297370b6eb87b63f Author: Paul Chaignon Date: Mon Jul 25 16:32:15 2022 +0200 geneve: Use ip_tunnel_key flow flags in route lookups commit 861396ac0b47780210b72c4fea359540965a4970 upstream. Use the new ip_tunnel_key field with the flow flags in the IPv4 route lookups for the encapsulated packet. This will be used by the bpf_skb_set_tunnel_key helper in the subsequent commit. Signed-off-by: Paul Chaignon Signed-off-by: Daniel Borkmann Reviewed-by: Nikolay Aleksandrov Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/fcc2e0eea01e8ea465a180126366ec20596ba530.1658759380.git.paul@isovalent.com Signed-off-by: Greg Kroah-Hartman commit 49a407af0c52d760b34579e50a63aa85134c90ee Author: Amadeusz Sławiński Date: Fri Jul 22 13:19:59 2022 +0200 ASoC: Intel: avs: Use lookup table to create modules commit 1e744351bcb9c4cee81300de5a6097100d835386 upstream. As reported by Nathan, when building avs driver using clang with: CONFIG_COMPILE_TEST=y CONFIG_FORTIFY_SOURCE=y CONFIG_KASAN=y CONFIG_PCI=y CONFIG_SOUND=y CONFIG_SND=y CONFIG_SND_SOC=y CONFIG_SND_SOC_INTEL_AVS=y there are reports of too big stack use, like: sound/soc/intel/avs/path.c:815:18: error: stack frame size (2176) exceeds limit (2048) in 'avs_path_create' [-Werror,-Wframe-larger-than] struct avs_path *avs_path_create(struct avs_dev *adev, u32 dma_id, ^ 1 error generated. This is apparently caused by inlining many calls to guid_equal which inlines fortified memcpy, using 2 size_t variables. Instead of hardcoding many calls to guid_equal, use lookup table with one call, this improves stack usage. Link: https://lore.kernel.org/alsa-devel/YtlzY9aYdbS4Y3+l@dev-arch.thelio-3990X/T/ Link: https://github.com/ClangBuiltLinux/linux/issues/1642 Signed-off-by: Amadeusz Sławiński Reported-by: Nathan Chancellor Build-tested-by: Nathan Chancellor Reviewed-by: Cezary Rojewski Link: https://lore.kernel.org/r/20220722111959.2588597-1-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown Cc: Naresh Kamboju Signed-off-by: Greg Kroah-Hartman commit 8422e81ff42d996e397dd413634a026af3169b27 Author: Luiz Augusto von Dentz Date: Mon Aug 1 13:52:07 2022 -0700 Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression commit 332f1795ca202489c665a75e62e18ff6284de077 upstream. The patch d0be8347c623: "Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put" from Jul 21, 2022, leads to the following Smatch static checker warning: net/bluetooth/l2cap_core.c:1977 l2cap_global_chan_by_psm() error: we previously assumed 'c' could be null (see line 1996) Fixes: d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put") Reported-by: Dan Carpenter Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Greg Kroah-Hartman commit 2905cd48c18448ef509ef05f168202e19904ff5c Author: Pavel Begunkov Date: Thu Aug 4 15:13:46 2022 +0100 io_uring: mem-account pbuf buckets commit cc18cc5e82033d406f54144ad6f8092206004684 upstream. Potentially, someone may create as many pbuf bucket as there are indexes in an xarray without any other restrictions bounding our memory usage, put memory needed for the buckets under memory accounting. Cc: Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/d34c452e45793e978d26e2606211ec9070d329ea.1659622312.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit ee57f8bba81111ef6f1ac829834b186a97674077 Author: Russell Currey Date: Wed Aug 10 15:43:31 2022 +1000 powerpc/kexec: Fix build failure from uninitialised variable commit 83ee9f23763a432a4077bf20624ee35de87bce99 upstream. clang 14 won't build because ret is uninitialised and can be returned if both prop and fdtprop are NULL. Drop the ret variable and return an error in that failure case. Fixes: b1fc44eaa9ba ("pseries/iommu/ddw: Fix kdump to work in absence of ibm,dma-window") Suggested-by: Christophe Leroy Signed-off-by: Russell Currey Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220810054331.373761-1-ruscur@russell.cc Signed-off-by: Greg Kroah-Hartman commit 2f49bfbba326b576008af83fffe8f4f039e5d87e Author: Alexander Gordeev Date: Sat Aug 6 09:29:46 2022 +0200 Revert "s390/smp: enforce lowcore protection on CPU restart" commit 953503751a426413ea8aee2299ae3ee971b70d9b upstream. This reverts commit 6f5c672d17f583b081e283927f5040f726c54598. This breaks normal crash dump when CPU0 is offline. Signed-off-by: Alexander Gordeev Signed-off-by: Greg Kroah-Hartman commit bd27cff9db4f32762d37cda5dd22b9b6adfcb4f5 Author: Vladimir Oltean Date: Thu Aug 4 23:28:17 2022 +0300 net: dsa: felix: fix min gate len calculation for tc when its first gate is closed commit 7e4babffa6f340a74c820d44d44d16511e666424 upstream. min_gate_len[tc] is supposed to track the shortest interval of continuously open gates for a traffic class. For example, in the following case: TC 76543210 t0 00000001b 200000 ns t1 00000010b 200000 ns min_gate_len[0] and min_gate_len[1] should be 200000, while min_gate_len[2-7] should be 0. However what happens is that min_gate_len[0] is 200000, but min_gate_len[1] ends up being 0 (despite gate_len[1] being 200000 at the point where the logic detects the gate close event for TC 1). The problem is that the code considers a "gate close" event whenever it sees that there is a 0 for that TC (essentially it's level rather than edge triggered). By doing that, any time a gate is seen as closed without having been open prior, gate_len, which is 0, will be written into min_gate_len. Once min_gate_len becomes 0, it's impossible for it to track anything higher than that (the length of actually open intervals). To fix this, we make the writing to min_gate_len[tc] be edge-triggered, which avoids writes for gates that are closed in consecutive intervals. However what this does is it makes us need to special-case the permanently closed gates at the end. Fixes: 55a515b1f5a9 ("net: dsa: felix: drop oversized frames with tc-taprio instead of hanging the port") Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20220804202817.1677572-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 4ee7e7dd1f9931cbba720c0df83fcdf03bc0f75a Author: Steven Rostedt (Google) Date: Tue Jul 19 18:20:04 2022 -0400 tracing: Use a copy of the va_list for __assign_vstr() commit 3a2dcbaf4d31023106975d6ae75b6df080c454cb upstream. If an instance of tracing enables the same trace event as another instance, or the top level instance, or even perf, then the va_list passed into some tracepoints can be used more than once. As va_list can only be traversed once, this can cause issues: # cat /sys/kernel/tracing/instances/qla2xxx/trace cat-56106 [012] ..... 2419873.470098: ql_dbg_log: qla2xxx [0000:05:00.0]-1054:14: Entered (null). cat-56106 [012] ..... 2419873.470101: ql_dbg_log: qla2xxx [0000:05:00.0]-1000:14: Entered ×+<96>²Ü<98>^H. cat-56106 [012] ..... 2419873.470102: ql_dbg_log: qla2xxx [0000:05:00.0]-1006:14: Prepare to issue mbox cmd=0xde589000. # cat /sys/kernel/tracing/trace cat-56106 [012] ..... 2419873.470097: ql_dbg_log: qla2xxx [0000:05:00.0]-1054:14: Entered qla2x00_get_firmware_state. cat-56106 [012] ..... 2419873.470100: ql_dbg_log: qla2xxx [0000:05:00.0]-1000:14: Entered qla2x00_mailbox_command. cat-56106 [012] ..... 2419873.470102: ql_dbg_log: qla2xxx [0000:05:00.0]-1006:14: Prepare to issue mbox cmd=0x69. The instance version is corrupted because the top level instance iterated the va_list first. Use va_copy() in the __assign_vstr() macro to make sure that each trace event for each use case gets a fresh va_list. Link: https://lore.kernel.org/all/259d53a5-958e-6508-4e45-74dba2821242@marvell.com/ Link: https://lkml.kernel.org/r/20220719182004.21daa83e@gandalf.local.home Fixes: 0563231f93c6d ("tracing/events: Add __vstring() and __assign_vstr() helper macros") Reported-by: Arun Easi Signed-off-by: Steven Rostedt (Google) Signed-off-by: Greg Kroah-Hartman commit 4c94e37453ea293ab3196bed6d2b1b0e733518f0 Author: Johannes Berg Date: Mon Jun 27 12:49:03 2022 +0200 wifi: cfg80211: remove chandef check in cfg80211_cac_event() commit d6f671c8a339d5b655acfacb8be6918c744fbabf upstream. The current check only worked for AP mode, but we can do radar detection in mesh as well (for example). We could try to check this using wdev_chandef(), but we also don't really care since the chandef is passed in and we have no need to use it anymore (since we added the argument in commit d2859df5e7f0 ("cfg80211/mac80211: DFS setup chandef for cac event")). Change-Id: I856e4344d5e64ff4d2eead0b4c53b11f264be9b8 Fixes: 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link APIs") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 07f8ea3000f302759c32496cbb81403f6db676ed Author: Johannes Berg Date: Mon Jun 27 12:49:03 2022 +0200 wifi: nl80211: acquire wdev mutex earlier in start_ap commit c2653990d5729a445296d6d04395be5dea8e282e upstream. We need to hold the wdev mutex already in order to call nl80211_parse_tx_bitrate_mask(), so acquire it earlier. Fixes: 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link APIs") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit d94f6d8453330eb26375fc6ed09017bd7b60375d Author: Johannes Berg Date: Mon Jun 27 12:49:03 2022 +0200 wifi: nl80211: relax wdev mutex check in wdev_chandef() commit 31177127e067eb73d5ca46ce32a410e41333d42f upstream. In many cases we might get here from driver code that's not really set up to care about the locking, and for the non-MLO cases we really don't care so much about it. So relax the checking here for now, perhaps we should even remove it completely since we might not really care if we point to an invalid link's chandef and can require the caller to check the link validity first. Fixes: 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link APIs") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 05330210d27994a5e2f64f01f621acb0623273aa Author: Johannes Berg Date: Mon Jun 27 12:43:37 2022 +0200 wifi: nl80211: hold wdev mutex for tid config commit 206bbcf76121664e95a42e1c014c3fe168d07a3d upstream. We need wdev_chandef() in this code, which now requires the wdev mutex due to the per-link nature. Hold it here to make sure we can access the link. Reported-by: syzbot+b4e9aa0f32ffd9902442@syzkaller.appspotmail.com Fixes: 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link APIs") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit d658df243d3e997468bdf78cd03ebe44151973d5 Author: Johannes Berg Date: Mon Jun 27 12:36:03 2022 +0200 wifi: cfg80211: handle IBSS in channel switch commit 77e7b6ba78edf817bddfa97fadb15a971992b1ee upstream. Prior to commit 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link APIs") the interface type didn't really matter here, but now we need to handle all of the possible cases. Add IBSS ("ADHOC") and handle it. Fixes: 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link APIs") Reported-by: syzbot+90d912872157e63589e4@syzkaller.appspotmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit af37d2080c2a8598a54945fc6df60e266c9dc43b Author: Paolo Abeni Date: Thu Jun 30 15:17:56 2022 -0700 mptcp: refine memory scheduling commit 69d93daec026cdda98e29e8edb12534bfa5b1a9b upstream. Similar to commit 7c80b038d23e ("net: fix sk_wmem_schedule() and sk_rmem_schedule() errors"), let the MPTCP receive path schedule exactly the required amount of memory. Signed-off-by: Paolo Abeni Signed-off-by: Mat Martineau Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d729f0ee99a3c4ef8d515bd1a78dcafb86f3b8f8 Author: Greg Kroah-Hartman Date: Mon Jun 27 16:36:57 2022 +0200 Revert "devcoredump: remove the useless gfp_t parameter in dev_coredumpv and dev_coredumpm" commit 38a523a2946d3a0961d141d477a1ee2b1f3bdbb1 upstream. This reverts commit 77515ebaf01920e2db49e04672ef669a7c2907f2 as it causes build problems in linux-next. It needs to be reintroduced in a way that can allow the api to evolve and not require a "flag day" to catch all users. Link: https://lore.kernel.org/r/20220623160723.7a44b573@canb.auug.org.au Cc: Duoming Zhou Cc: Brian Norris Cc: Johannes Berg Reported-by: Stephen Rothwell Signed-off-by: Greg Kroah-Hartman commit 2d03f321a589bcbf84141b943dbe033acae79b0e Author: Greg Kroah-Hartman Date: Mon Jun 27 16:35:59 2022 +0200 Revert "mwifiex: fix sleep in atomic context bugs caused by dev_coredumpv" commit 5f8954e099b8ae96e7de1bb95950e00c85bedd40 upstream. This reverts commit a52ed4866d2b90dd5e4ae9dabd453f3ed8fa3cbc as it causes build problems in linux-next. It needs to be reintroduced in a way that can allow the api to evolve and not require a "flag day" to catch all users. Link: https://lore.kernel.org/r/20220623160723.7a44b573@canb.auug.org.au Cc: Duoming Zhou Cc: Brian Norris Cc: Johannes Berg Reported-by: Stephen Rothwell Signed-off-by: Greg Kroah-Hartman commit cbfe2d7bbcb7b50f7da42cd22fef5ed5a388dc68 Author: Eric Dumazet Date: Thu Jun 23 19:35:40 2022 +0000 raw: fix a typo in raw_icmp_error() commit 97a4d46b1516250d640c1ae0c9e7129d160d6a1c upstream. I accidentally broke IPv4 traceroute, by swapping iph->saddr and iph->daddr. Probably because raw_icmp_error() and raw_v4_input() use different order for iph->saddr and iph->daddr. Fixes: ba44f8182ec2 ("raw: use more conventional iterators") Reported-by: John Sperbeck Signed-off-by: Eric Dumazet Link: https://lore.kernel.org/r/20220623193540.2851799-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 3476fa73bd0f9dc8f38f238273a43a13d3a09b15 Author: Eric Dumazet Date: Wed Jun 22 03:23:03 2022 +0000 raw: remove unused variables from raw6_icmp_error() commit c4fceb46add65481ef0dfb79cad24c3c269b4cad upstream. saddr and daddr are set but not used. Fixes: ba44f8182ec2 ("raw: use more conventional iterators") Reported-by: kernel test robot Signed-off-by: Eric Dumazet Acked-by: Jonathan Lemon Link: https://lore.kernel.org/r/20220622032303.159394-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 3a6b9f3577718c8e19374110705bb61bed3e314d Author: Jason A. Donenfeld Date: Mon Jun 20 09:52:43 2022 +0200 crypto: lib/blake2s - reduce stack frame usage in self test commit d6c14da474bf260d73953fbf7992c98d9112aec7 upstream. Using 3 blocks here doesn't give us much more than using 2, and it causes a stack frame size warning on certain compiler/config/arch combinations: lib/crypto/blake2s-selftest.c: In function 'blake2s_selftest': >> lib/crypto/blake2s-selftest.c:632:1: warning: the frame size of 1088 bytes is larger than 1024 bytes [-Wframe-larger-than=] 632 | } | ^ So this patch just reduces the block from 3 to 2, which makes the warning go away. Reported-by: kernel test robot Link: https://lore.kernel.org/linux-crypto/202206200851.gE3MHCgd-lkp@intel.com Fixes: 2d16803c562e ("crypto: blake2s - remove shash module") Signed-off-by: Jason A. Donenfeld Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 1d9f9dcd661f163487b9a7c88667ee6b9698bc21 Author: Eric Dumazet Date: Tue Jun 14 10:17:33 2022 -0700 tcp: fix over estimation in sk_forced_mem_schedule() commit c4ee118561a0f74442439b7b5b486db1ac1ddfeb upstream. sk_forced_mem_schedule() has a bug similar to ones fixed in commit 7c80b038d23e ("net: fix sk_wmem_schedule() and sk_rmem_schedule() errors") While this bug has little chance to trigger in old kernels, we need to fix it before the following patch. Fixes: d83769a580f1 ("tcp: fix possible deadlock in tcp_send_fin()") Signed-off-by: Eric Dumazet Acked-by: Soheil Hassas Yeganeh Reviewed-by: Shakeel Butt Reviewed-by: Wei Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 62ceb22d7770e2a32ef8d4517f8393d7e2de1d87 Author: Robert Foss Date: Mon May 23 18:15:19 2022 +0200 Revert "drm/bridge: anx7625: Use DPI bus type" commit 61922beba36adea8702fe8069b309c806f6608af upstream. This reverts commit a77c2af0994e24ee36c7ffb6dc852770bdf06fb1. This patch depends on the patches just aplied to the media tree, and will not build without them, which leaves drm-misc-next in a broken state. Let's revert the two latter patches until rc1 has been branched, and rc1 has been backmerged into drm-misc-next. Signed-off-by: Robert Foss Acked-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20220523161520.354687-1-robert.foss@linaro.org Signed-off-by: Greg Kroah-Hartman commit ee3f18d90e80e79449d575fa3e7a6b775e9fc35e Author: Thadeu Lima de Souza Cascardo Date: Tue Aug 9 14:05:18 2022 -0300 net_sched: cls_route: remove from list when handle is 0 commit 9ad36309e2719a884f946678e0296be10f0bb4c1 upstream. When a route filter is replaced and the old filter has a 0 handle, the old one won't be removed from the hashtable, while it will still be freed. The test was there since before commit 1109c00547fc ("net: sched: RCU cls_route"), when a new filter was not allocated when there was an old one. The old filter was reused and the reinserting would only be necessary if an old filter was replaced. That was still wrong for the same case where the old handle was 0. Remove the old filter from the list independently from its handle value. This fixes CVE-2022-2588, also reported as ZDI-CAN-17440. Reported-by: Zhenpeng Lin Signed-off-by: Thadeu Lima de Souza Cascardo Reviewed-by: Kamal Mostafa Cc: Acked-by: Jamal Hadi Salim Link: https://lore.kernel.org/r/20220809170518.164662-1-cascardo@canonical.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 0e5ca33839fc5479c9a9d28a8d7bc5cef4a3a61e Author: Naveen N. Rao Date: Tue Aug 9 15:29:07 2022 +0530 powerpc64/ftrace: Fix ftrace for clang builds commit cb928ac192128c842f4c1cfc8b6780b95719d65f upstream. Clang doesn't support -mprofile-kernel ABI, so guard the checks against CONFIG_DYNAMIC_FTRACE_WITH_REGS, rather than the elf ABI version. Fixes: 23b44fc248f4 ("powerpc/ftrace: Make __ftrace_make_{nop/call}() common to PPC32 and PPC64") Cc: stable@vger.kernel.org # v5.19+ Reported-by: Nick Desaulniers Reported-by: Ondrej Mosnacek Signed-off-by: Naveen N. Rao Tested-by: Ondrej Mosnacek Acked-by: Nick Desaulniers Signed-off-by: Michael Ellerman Link: https://github.com/llvm/llvm-project/issues/57031 Link: https://github.com/ClangBuiltLinux/linux/issues/1682 Link: https://lore.kernel.org/r/20220809095907.418764-1-naveen.n.rao@linux.vnet.ibm.com Signed-off-by: Greg Kroah-Hartman commit bb0be69e1da56b8bcc1205460bc8faabac37755a Author: Christophe Leroy Date: Tue Aug 2 11:02:36 2022 +0200 powerpc: Fix eh field when calling lwarx on PPC32 commit 18db466a9a306406dab3b134014d9f6ed642471c upstream. Commit 9401f4e46cf6 ("powerpc: Use lwarx/ldarx directly instead of PPC_LWARX/LDARX macros") properly handled the eh field of lwarx in asm/bitops.h but failed to clear it for PPC32 in asm/simple_spinlock.h So, do as in arch_atomic_try_cmpxchg_lock(), set it to 1 if PPC64 but set it to 0 if PPC32. For that use IS_ENABLED(CONFIG_PPC64) which returns 1 when CONFIG_PPC64 is set and 0 otherwise. Fixes: 9401f4e46cf6 ("powerpc: Use lwarx/ldarx directly instead of PPC_LWARX/LDARX macros") Cc: stable@vger.kernel.org # v5.15+ Reported-by: Pali Rohár Signed-off-by: Christophe Leroy Tested-by: Pali Rohár Reviewed-by: Segher Boessenkool [mpe: Use symbolic names, use 'n' constraint per Segher] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/a1176e19e627dd6a1b8d24c6c457a8ab874b7d12.1659430931.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 8acd0e8d0360fe9ff1f70b7456a10dd83280969a Author: SeongJae Park Date: Fri Jul 15 22:51:08 2022 +0000 xen-blkfront: Apply 'feature_persistent' parameter when connect commit 402c43ea6b34a1b371ffeed9adf907402569eaf5 upstream. In some use cases[1], the backend is created while the frontend doesn't support the persistent grants feature, but later the frontend can be changed to support the feature and reconnect. In the past, 'blkback' enabled the persistent grants feature since it unconditionally checked if frontend supports the persistent grants feature for every connect ('connect_ring()') and decided whether it should use persistent grans or not. However, commit aac8a70db24b ("xen-blkback: add a parameter for disabling of persistent grants") has mistakenly changed the behavior. It made the frontend feature support check to not be repeated once it shown the 'feature_persistent' as 'false', or the frontend doesn't support persistent grants. Similar behavioral change has made on 'blkfront' by commit 74a852479c68 ("xen-blkfront: add a parameter for disabling of persistent grants"). This commit changes the behavior of the parameter to make effect for every connect, so that the previous behavior of 'blkfront' can be restored. [1] https://lore.kernel.org/xen-devel/CAJwUmVB6H3iTs-C+U=v-pwJB7-_ZRHPxHzKRJZ22xEPW7z8a=g@mail.gmail.com/ Fixes: 74a852479c68 ("xen-blkfront: add a parameter for disabling of persistent grants") Cc: # 5.10.x Signed-off-by: SeongJae Park Reviewed-by: Maximilian Heyne Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/20220715225108.193398-4-sj@kernel.org Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit f7a9a465a90126a715d1d107bf9d9301587040a6 Author: Maximilian Heyne Date: Fri Jul 15 22:51:07 2022 +0000 xen-blkback: Apply 'feature_persistent' parameter when connect commit e94c6101e151b019b8babc518ac2a6ada644a5a1 upstream. In some use cases[1], the backend is created while the frontend doesn't support the persistent grants feature, but later the frontend can be changed to support the feature and reconnect. In the past, 'blkback' enabled the persistent grants feature since it unconditionally checked if frontend supports the persistent grants feature for every connect ('connect_ring()') and decided whether it should use persistent grans or not. However, commit aac8a70db24b ("xen-blkback: add a parameter for disabling of persistent grants") has mistakenly changed the behavior. It made the frontend feature support check to not be repeated once it shown the 'feature_persistent' as 'false', or the frontend doesn't support persistent grants. This commit changes the behavior of the parameter to make effect for every connect, so that the previous workflow can work again as expected. [1] https://lore.kernel.org/xen-devel/CAJwUmVB6H3iTs-C+U=v-pwJB7-_ZRHPxHzKRJZ22xEPW7z8a=g@mail.gmail.com/ Reported-by: Andrii Chepurnyi Fixes: aac8a70db24b ("xen-blkback: add a parameter for disabling of persistent grants") Cc: # 5.10.x Signed-off-by: Maximilian Heyne Signed-off-by: SeongJae Park Reviewed-by: Maximilian Heyne Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/20220715225108.193398-3-sj@kernel.org Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 59bb16373e49c5889e8e76adb2a2f4ea9ec9c13a Author: SeongJae Park Date: Fri Jul 15 22:51:06 2022 +0000 xen-blkback: fix persistent grants negotiation commit fc9be616bb8f3ed9cf560308f86904f5c06be205 upstream. Persistent grants feature can be used only when both backend and the frontend supports the feature. The feature was always supported by 'blkback', but commit aac8a70db24b ("xen-blkback: add a parameter for disabling of persistent grants") has introduced a parameter for disabling it runtime. To avoid the parameter be updated while being used by 'blkback', the commit caches the parameter into 'vbd->feature_gnt_persistent' in 'xen_vbd_create()', and then check if the guest also supports the feature and finally updates the field in 'connect_ring()'. However, 'connect_ring()' could be called before 'xen_vbd_create()', so later execution of 'xen_vbd_create()' can wrongly overwrite 'true' to 'vbd->feature_gnt_persistent'. As a result, 'blkback' could try to use 'persistent grants' feature even if the guest doesn't support the feature. This commit fixes the issue by moving the parameter value caching to 'xen_blkif_alloc()', which allocates the 'blkif'. Because the struct embeds 'vbd' object, which will be used by 'connect_ring()' later, this should be called before 'connect_ring()' and therefore this should be the right and safe place to do the caching. Fixes: aac8a70db24b ("xen-blkback: add a parameter for disabling of persistent grants") Cc: # 5.10.x Signed-off-by: Maximilian Heyne Signed-off-by: SeongJae Park Reviewed-by: Maximilian Heyne Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/20220715225108.193398-2-sj@kernel.org Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 9a0af34f6e492769d1e2f9da037f011ab8456d05 Author: Mårten Lindahl Date: Mon Aug 1 15:57:03 2022 +0200 tpm: Add check for Failure mode for TPM2 modules [ Upstream commit 863ed94c589fcd1984f4e3080f069d30508044bb ] In commit 0aa698787aa2 ("tpm: Add Upgrade/Reduced mode support for TPM2 modules") it was said that: "If the TPM is in Failure mode, it will successfully respond to both tpm2_do_selftest() and tpm2_startup() calls. Although, will fail to answer to tpm2_get_cc_attrs_tbl(). Use this fact to conclude that TPM is in Failure mode." But a check was never added in the commit when calling tpm2_get_cc_attrs_tbl() to conclude that the TPM is in Failure mode. This commit corrects this by adding a check. Fixes: 0aa698787aa2 ("tpm: Add Upgrade/Reduced mode support for TPM2 modules") Cc: stable@vger.kernel.org # v5.17+ Signed-off-by: Mårten Lindahl Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit b75337943f4213d7eb853f1d2570c4f8a4b0ce9e Author: Huacai Chen Date: Mon Jul 11 09:17:38 2022 +0800 tpm: eventlog: Fix section mismatch for DEBUG_SECTION_MISMATCH [ Upstream commit bed4593645366ad7362a3aa7bc0d100d8d8236a8 ] If DEBUG_SECTION_MISMATCH enabled, __calc_tpm2_event_size() will not be inlined, this cause section mismatch like this: WARNING: modpost: vmlinux.o(.text.unlikely+0xe30c): Section mismatch in reference from the variable L0 to the function .init.text:early_ioremap() The function L0() references the function __init early_memremap(). This is often because L0 lacks a __init annotation or the annotation of early_ioremap is wrong. Fix it by using __always_inline instead of inline for the called-once function __calc_tpm2_event_size(). Fixes: 44038bc514a2 ("tpm: Abstract crypto agile event size calculations") Cc: stable@vger.kernel.org # v5.3 Reported-by: WANG Xuerui Signed-off-by: Huacai Chen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit 26ad6b0aef0c807cfc738e23339f4ce2aab7be95 Author: Tianjia Zhang Date: Tue Jun 28 11:37:20 2022 +0800 KEYS: asymmetric: enforce SM2 signature use pkey algo [ Upstream commit 0815291a8fd66cdcf7db1445d4d99b0d16065829 ] The signature verification of SM2 needs to add the Za value and recalculate sig->digest, which requires the detection of the pkey_algo in public_key_verify_signature(). As Eric Biggers said, the pkey_algo field in sig is attacker-controlled and should be use pkey->pkey_algo instead of sig->pkey_algo, and secondly, if sig->pkey_algo is NULL, it will also cause signature verification failure. The software_key_determine_akcipher() already forces the algorithms are matched, so the SM3 algorithm is enforced in the SM2 signature, although this has been checked, we still avoid using any algorithm information in the signature as input. Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification") Reported-by: Eric Biggers Cc: stable@vger.kernel.org # v5.10+ Signed-off-by: Tianjia Zhang Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit 96fa141fa295ae9428da73c56c9852053b575c04 Author: Jan Kara Date: Tue Jul 12 12:54:24 2022 +0200 ext4: fix race when reusing xattr blocks [ Upstream commit 65f8b80053a1b2fd602daa6814e62d6fa90e5e9b ] When ext4_xattr_block_set() decides to remove xattr block the following race can happen: CPU1 CPU2 ext4_xattr_block_set() ext4_xattr_release_block() new_bh = ext4_xattr_block_cache_find() lock_buffer(bh); ref = le32_to_cpu(BHDR(bh)->h_refcount); if (ref == 1) { ... mb_cache_entry_delete(); unlock_buffer(bh); ext4_free_blocks(); ... ext4_forget(..., bh, ...); jbd2_journal_revoke(..., bh); ext4_journal_get_write_access(..., new_bh, ...) do_get_write_access() jbd2_journal_cancel_revoke(..., new_bh); Later the code in ext4_xattr_block_set() finds out the block got freed and cancels reusal of the block but the revoke stays canceled and so in case of block reuse and journal replay the filesystem can get corrupted. If the race works out slightly differently, we can also hit assertions in the jbd2 code. Fix the problem by making sure that once matching mbcache entry is found, code dropping the last xattr block reference (or trying to modify xattr block in place) waits until the mbcache entry reference is dropped. This way code trying to reuse xattr block is protected from someone trying to drop the last reference to xattr block. Reported-and-tested-by: Ritesh Harjani CC: stable@vger.kernel.org Fixes: 82939d7999df ("ext4: convert to mbcache2") Signed-off-by: Jan Kara Link: https://lore.kernel.org/r/20220712105436.32204-5-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 0e7e91701e4e443bdfb9775b0924c69bbb318860 Author: Jan Kara Date: Tue Jul 12 12:54:23 2022 +0200 ext4: unindent codeblock in ext4_xattr_block_set() [ Upstream commit fd48e9acdf26d0cbd80051de07d4a735d05d29b2 ] Remove unnecessary else (and thus indentation level) from a code block in ext4_xattr_block_set(). It will also make following code changes easier. No functional changes. CC: stable@vger.kernel.org Fixes: 82939d7999df ("ext4: convert to mbcache2") Signed-off-by: Jan Kara Link: https://lore.kernel.org/r/20220712105436.32204-4-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 458aee4a6e5be7ad862ee27dfaf07ce552d84f32 Author: Jan Kara Date: Tue Jul 12 12:54:22 2022 +0200 ext4: remove EA inode entry from mbcache on inode eviction [ Upstream commit 6bc0d63dad7f9f54d381925ee855b402f652fa39 ] Currently we remove EA inode from mbcache as soon as its xattr refcount drops to zero. However there can be pending attempts to reuse the inode and thus refcount handling code has to handle the situation when refcount increases from zero anyway. So save some work and just keep EA inode in mbcache until it is getting evicted. At that moment we are sure following iget() of EA inode will fail anyway (or wait for eviction to finish and load things from the disk again) and so removing mbcache entry at that moment is fine and simplifies the code a bit. CC: stable@vger.kernel.org Fixes: 82939d7999df ("ext4: convert to mbcache2") Signed-off-by: Jan Kara Link: https://lore.kernel.org/r/20220712105436.32204-3-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 9d96996de0d2bc53f617086864b3b990089d9d8b Author: Lukas Czerner Date: Mon Jul 4 16:27:21 2022 +0200 ext4: make sure ext4_append() always allocates new block [ Upstream commit b8a04fe77ef1360fbf73c80fddbdfeaa9407ed1b ] ext4_append() must always allocate a new block, otherwise we run the risk of overwriting existing directory block corrupting the directory tree in the process resulting in all manner of problems later on. Add a sanity check to see if the logical block is already allocated and error out if it is. Cc: stable@kernel.org Signed-off-by: Lukas Czerner Reviewed-by: Andreas Dilger Link: https://lore.kernel.org/r/20220704142721.157985-2-lczerner@redhat.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 193fc6f0de44a884fd4db82a9a368dafcd2c9bed Author: Lukas Czerner Date: Mon Jul 4 16:27:20 2022 +0200 ext4: check if directory block is within i_size [ Upstream commit 65f8ea4cd57dbd46ea13b41dc8bac03176b04233 ] Currently ext4 directory handling code implicitly assumes that the directory blocks are always within the i_size. In fact ext4_append() will attempt to allocate next directory block based solely on i_size and the i_size is then appropriately increased after a successful allocation. However, for this to work it requires i_size to be correct. If, for any reason, the directory inode i_size is corrupted in a way that the directory tree refers to a valid directory block past i_size, we could end up corrupting parts of the directory tree structure by overwriting already used directory blocks when modifying the directory. Fix it by catching the corruption early in __ext4_read_dirblock(). Addresses Red-Hat-Bugzilla: #2070205 CVE: CVE-2022-1184 Signed-off-by: Lukas Czerner Cc: stable@vger.kernel.org Reviewed-by: Andreas Dilger Link: https://lore.kernel.org/r/20220704142721.157985-1-lczerner@redhat.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit ac5aca9a8085639210c045afe046c13e34b71a28 Author: Bagas Sanjaya Date: Sun Jun 19 14:29:39 2022 +0700 Documentation: ext4: fix cell spacing of table heading on blockmap table [ Upstream commit 442ec1e5bb7c46c72c41898e13a5744c84cadf51 ] Commit 3103084afcf234 ("ext4, doc: remove unnecessary escaping") removes redundant underscore escaping, however the cell spacing in heading row of blockmap table became not aligned anymore, hence triggers malformed table warning: Documentation/filesystems/ext4/blockmap.rst:3: WARNING: Malformed table. +---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | i.i_block Offset | Where It Points | ... The warning caused the table not being loaded. Realign the heading row cell by adding missing space at the first cell to fix the warning. Fixes: 3103084afcf234 ("ext4, doc: remove unnecessary escaping") Cc: stable@kernel.org Cc: Andreas Dilger Cc: Jonathan Corbet Cc: Wang Jianjian Cc: linux-ext4@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Bagas Sanjaya Link: https://lore.kernel.org/r/20220619072938.7334-1-bagasdotme@gmail.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit fa6482f374fda29a71ad44d76d35b4842d43cda4 Author: Ye Bin Date: Fri Jun 17 09:39:35 2022 +0800 ext4: fix warning in ext4_iomap_begin as race between bmap and write [ Upstream commit 51ae846cff568c8c29921b1b28eb2dfbcd4ac12d ] We got issue as follows: ------------[ cut here ]------------ WARNING: CPU: 3 PID: 9310 at fs/ext4/inode.c:3441 ext4_iomap_begin+0x182/0x5d0 RIP: 0010:ext4_iomap_begin+0x182/0x5d0 RSP: 0018:ffff88812460fa08 EFLAGS: 00010293 RAX: ffff88811f168000 RBX: 0000000000000000 RCX: ffffffff97793c12 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: ffff88812c669160 R08: ffff88811f168000 R09: ffffed10258cd20f R10: ffff88812c669077 R11: ffffed10258cd20e R12: 0000000000000001 R13: 00000000000000a4 R14: 000000000000000c R15: ffff88812c6691ee FS: 00007fd0d6ff3740(0000) GS:ffff8883af180000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fd0d6dda290 CR3: 0000000104a62000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: iomap_apply+0x119/0x570 iomap_bmap+0x124/0x150 ext4_bmap+0x14f/0x250 bmap+0x55/0x80 do_vfs_ioctl+0x952/0xbd0 __x64_sys_ioctl+0xc6/0x170 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Above issue may happen as follows: bmap write bmap ext4_bmap iomap_bmap ext4_iomap_begin ext4_file_write_iter ext4_buffered_write_iter generic_perform_write ext4_da_write_begin ext4_da_write_inline_data_begin ext4_prepare_inline_data ext4_create_inline_data ext4_set_inode_flag(inode, EXT4_INODE_INLINE_DATA); if (WARN_ON_ONCE(ext4_has_inline_data(inode))) ->trigger bug_on To solved above issue hold inode lock in ext4_bamp. Signed-off-by: Ye Bin Link: https://lore.kernel.org/r/20220617013935.397596-1-yebin10@huawei.com Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Sasha Levin commit a5e274ec0a0c13638c64694a340bcd4cb7b348fa Author: Baokun Li Date: Thu Jun 16 10:13:58 2022 +0800 ext4: correct the misjudgment in ext4_iget_extra_inode [ Upstream commit fd7e672ea98b95b9d4c9dae316639f03c16a749d ] Use the EXT4_INODE_HAS_XATTR_SPACE macro to more accurately determine whether the inode have xattr space. Cc: stable@kernel.org Signed-off-by: Baokun Li Reviewed-by: Ritesh Harjani (IBM) Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20220616021358.2504451-5-libaokun1@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit a926d0b0fa3acd848042c2f83fbc75e2bb65f654 Author: Baokun Li Date: Thu Jun 16 10:13:57 2022 +0800 ext4: correct max_inline_xattr_value_size computing [ Upstream commit c9fd167d57133c5b748d16913c4eabc55e531c73 ] If the ext4 inode does not have xattr space, 0 is returned in the get_max_inline_xattr_value_size function. Otherwise, the function returns a negative value when the inode does not contain EXT4_STATE_XATTR. Cc: stable@kernel.org Signed-off-by: Baokun Li Reviewed-by: Ritesh Harjani (IBM) Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20220616021358.2504451-4-libaokun1@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 52e6feee51b859c52af61f8a75cfdad70238c100 Author: Baokun Li Date: Thu Jun 16 10:13:56 2022 +0800 ext4: fix use-after-free in ext4_xattr_set_entry [ Upstream commit 67d7d8ad99beccd9fe92d585b87f1760dc9018e3 ] Hulk Robot reported a issue: ================================================================== BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x18ab/0x3500 Write of size 4105 at addr ffff8881675ef5f4 by task syz-executor.0/7092 CPU: 1 PID: 7092 Comm: syz-executor.0 Not tainted 4.19.90-dirty #17 Call Trace: [...] memcpy+0x34/0x50 mm/kasan/kasan.c:303 ext4_xattr_set_entry+0x18ab/0x3500 fs/ext4/xattr.c:1747 ext4_xattr_ibody_inline_set+0x86/0x2a0 fs/ext4/xattr.c:2205 ext4_xattr_set_handle+0x940/0x1300 fs/ext4/xattr.c:2386 ext4_xattr_set+0x1da/0x300 fs/ext4/xattr.c:2498 __vfs_setxattr+0x112/0x170 fs/xattr.c:149 __vfs_setxattr_noperm+0x11b/0x2a0 fs/xattr.c:180 __vfs_setxattr_locked+0x17b/0x250 fs/xattr.c:238 vfs_setxattr+0xed/0x270 fs/xattr.c:255 setxattr+0x235/0x330 fs/xattr.c:520 path_setxattr+0x176/0x190 fs/xattr.c:539 __do_sys_lsetxattr fs/xattr.c:561 [inline] __se_sys_lsetxattr fs/xattr.c:557 [inline] __x64_sys_lsetxattr+0xc2/0x160 fs/xattr.c:557 do_syscall_64+0xdf/0x530 arch/x86/entry/common.c:298 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x459fe9 RSP: 002b:00007fa5e54b4c08 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd RAX: ffffffffffffffda RBX: 000000000051bf60 RCX: 0000000000459fe9 RDX: 00000000200003c0 RSI: 0000000020000180 RDI: 0000000020000140 RBP: 000000000051bf60 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000001009 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc73c93fc0 R14: 000000000051bf60 R15: 00007fa5e54b4d80 [...] ================================================================== Above issue may happen as follows: ------------------------------------- ext4_xattr_set ext4_xattr_set_handle ext4_xattr_ibody_find >> s->end < s->base >> no EXT4_STATE_XATTR >> xattr_check_inode is not executed ext4_xattr_ibody_set ext4_xattr_set_entry >> size_t min_offs = s->end - s->base >> UAF in memcpy we can easily reproduce this problem with the following commands: mkfs.ext4 -F /dev/sda mount -o debug_want_extra_isize=128 /dev/sda /mnt touch /mnt/file setfattr -n user.cat -v `seq -s z 4096|tr -d '[:digit:]'` /mnt/file In ext4_xattr_ibody_find, we have the following assignment logic: header = IHDR(inode, raw_inode) = raw_inode + EXT4_GOOD_OLD_INODE_SIZE + i_extra_isize is->s.base = IFIRST(header) = header + sizeof(struct ext4_xattr_ibody_header) is->s.end = raw_inode + s_inode_size In ext4_xattr_set_entry min_offs = s->end - s->base = s_inode_size - EXT4_GOOD_OLD_INODE_SIZE - i_extra_isize - sizeof(struct ext4_xattr_ibody_header) last = s->first free = min_offs - ((void *)last - s->base) - sizeof(__u32) = s_inode_size - EXT4_GOOD_OLD_INODE_SIZE - i_extra_isize - sizeof(struct ext4_xattr_ibody_header) - sizeof(__u32) In the calculation formula, all values except s_inode_size and i_extra_size are fixed values. When i_extra_size is the maximum value s_inode_size - EXT4_GOOD_OLD_INODE_SIZE, min_offs is -4 and free is -8. The value overflows. As a result, the preceding issue is triggered when memcpy is executed. Therefore, when finding xattr or setting xattr, check whether there is space for storing xattr in the inode to resolve this issue. Cc: stable@kernel.org Reported-by: Hulk Robot Signed-off-by: Baokun Li Reviewed-by: Ritesh Harjani (IBM) Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20220616021358.2504451-3-libaokun1@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 4cdc284ffadd6a989f24107ee7f09be43b748fbb Author: Baokun Li Date: Thu Jun 16 10:13:55 2022 +0800 ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h [ Upstream commit 179b14152dcb6a24c3415200603aebca70ff13af ] When adding an xattr to an inode, we must ensure that the inode_size is not less than EXT4_GOOD_OLD_INODE_SIZE + extra_isize + pad. Otherwise, the end position may be greater than the start position, resulting in UAF. Signed-off-by: Baokun Li Reviewed-by: Jan Kara Reviewed-by: Ritesh Harjani (IBM) Link: https://lore.kernel.org/r/20220616021358.2504451-2-libaokun1@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 1d637e9b6374bf101d2ff7f28ec3d32dd2f49670 Author: Eric Whitney Date: Wed Jun 15 12:05:30 2022 -0400 ext4: fix extent status tree race in writeback error recovery path [ Upstream commit 7f0d8e1d607c1a4fa9a27362a108921d82230874 ] A race can occur in the unlikely event ext4 is unable to allocate a physical cluster for a delayed allocation in a bigalloc file system during writeback. Failure to allocate a cluster forces error recovery that includes a call to mpage_release_unused_pages(). That function removes any corresponding delayed allocated blocks from the extent status tree. If a new delayed write is in progress on the same cluster simultaneously, resulting in the addition of an new extent containing one or more blocks in that cluster to the extent status tree, delayed block accounting can be thrown off if that delayed write then encounters a similar cluster allocation failure during future writeback. Write lock the i_data_sem in mpage_release_unused_pages() to fix this problem. Ext4's block/cluster accounting code for bigalloc relies on i_data_sem for mutual exclusion, as is found in the delayed write path, and the locking in mpage_release_unused_pages() is missing. Cc: stable@kernel.org Reported-by: Ye Bin Signed-off-by: Eric Whitney Link: https://lore.kernel.org/r/20220615160530.1928801-1-enwlinux@gmail.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 86f73cfa98b20e864e11f4a6c82a045f6952d6d5 Author: Theodore Ts'o Date: Wed Jun 29 00:00:25 2022 -0400 ext4: update s_overhead_clusters in the superblock during an on-line resize [ Upstream commit de394a86658ffe4e89e5328fd4993abfe41b7435 ] When doing an online resize, the on-disk superblock on-disk wasn't updated. This means that when the file system is unmounted and remounted, and the on-disk overhead value is non-zero, this would result in the results of statfs(2) to be incorrect. This was partially fixed by Commits 10b01ee92df5 ("ext4: fix overhead calculation to account for the reserved gdt blocks"), 85d825dbf489 ("ext4: force overhead calculation if the s_overhead_cluster makes no sense"), and eb7054212eac ("ext4: update the cached overhead value in the superblock"). However, since it was too expensive to forcibly recalculate the overhead for bigalloc file systems at every mount, this didn't fix the problem for bigalloc file systems. This commit should address the problem when resizing file systems with the bigalloc feature enabled. Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Reviewed-by: Andreas Dilger Link: https://lore.kernel.org/r/20220629040026.112371-1-tytso@mit.edu Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit c0afc0d79d5e31942c3b8da3022d1f035a2b2cad Author: Zhang Yi Date: Thu Jun 30 17:01:00 2022 +0800 ext4: fix reading leftover inlined symlinks [ Upstream commit 5a57bca9050d740ca37184302e23d0e7633e3ebc ] Since commit 6493792d3299 ("ext4: convert symlink external data block mapping to bdev"), create new symlink with inline_data is not supported, but it missing to handle the leftover inlined symlinks, which could cause below error message and fail to read symlink. ls: cannot read symbolic link 'foo': Structure needs cleaning EXT4-fs error (device sda): ext4_map_blocks:605: inode #12: block 2021161080: comm ls: lblock 0 mapped to illegal pblock 2021161080 (length 1) Fix this regression by adding ext4_read_inline_link(), which read the inline data directly and convert it through a kmalloced buffer. Fixes: 6493792d3299 ("ext4: convert symlink external data block mapping to bdev") Cc: stable@kernel.org Reported-by: Torge Matthies Signed-off-by: Zhang Yi Tested-by: Torge Matthies Link: https://lore.kernel.org/r/20220630090100.2769490-1-yi.zhang@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 0ab3e0d31a4e3ea8dd123399c648c2c3ed844c2d Author: Steven Rostedt (Google) Date: Sun Jul 31 01:59:28 2022 -0400 tracing: Use a struct alignof to determine trace event field alignment [ Upstream commit 4c3d2f9388d36eb28640a220a6f908328442d873 ] alignof() gives an alignment of types as they would be as standalone variables. But alignment in structures might be different, and when building the fields of events, the alignment must be the actual alignment otherwise the field offsets may not match what they actually are. This caused trace-cmd to crash, as libtraceevent did not check if the field offset was bigger than the event. The write_msr and read_msr events on 32 bit had their fields incorrect, because it had a u64 field between two ints. alignof(u64) would give 8, but the u64 field was at a 4 byte alignment. Define a macro as: ALIGN_STRUCTFIELD(type) ((int)(offsetof(struct {char a; type b;}, b))) which gives the actual alignment of types in a structure. Link: https://lkml.kernel.org/r/20220731015928.7ab3a154@rorschach.local.home Cc: Ingo Molnar Cc: Andrew Morton Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Masami Hiramatsu Cc: stable@vger.kernel.org Fixes: 04ae87a52074e ("ftrace: Rework event_create_dir()") Signed-off-by: Steven Rostedt (Google) Signed-off-by: Sasha Levin commit b6679e3c90dd76a52de0ce99984809e5ed0023e5 Author: Steven Rostedt (Google) Date: Sun Jul 24 19:16:50 2022 -0400 batman-adv: tracing: Use the new __vstring() helper [ Upstream commit 9abc291812d784bd4a26c01af4ebdbf9f2dbf0bb ] Instead of open coding a __dynamic_array() with a fixed length (which defeats the purpose of the dynamic array in the first place). Use the new __vstring() helper that will use a va_list and only write enough of the string into the ring buffer that is needed. Link: https://lkml.kernel.org/r/20220724191650.236b1355@rorschach.local.home Cc: Marek Lindner Cc: Ingo Molnar Cc: Andrew Morton Cc: Simon Wunderlich Cc: Antonio Quartulli Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: b.a.t.m.a.n@lists.open-mesh.org Cc: netdev@vger.kernel.org Acked-by: Sven Eckelmann Signed-off-by: Steven Rostedt (Google) Signed-off-by: Sasha Levin commit cec22fc5292253aae2c3804ed5e80ff82660c61d Author: Miaohe Lin Date: Sat Jul 23 15:38:04 2022 +0800 hugetlb_cgroup: fix wrong hugetlb cgroup numa stat [ Upstream commit 2727cfe4072a35ce813e3708f74c135de7da8897 ] We forget to set cft->private for numa stat file. As a result, numa stat of hstates[0] is always showed for all hstates. Encode the hstates index into cft->private to fix this issue. Link: https://lkml.kernel.org/r/20220723073804.53035-1-linmiaohe@huawei.com Fixes: f47761999052 ("hugetlb: add hugetlb.*.numa_stat file") Signed-off-by: Miaohe Lin Acked-by: Muchun Song Cc: Kees Cook Cc: Mike Kravetz Cc: Mina Almasry Cc: Shakeel Butt Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 700aa4e11a3c4d2a44d06758db431a013d9e1b61 Author: Jianglei Nie Date: Thu Jul 14 14:37:46 2022 +0800 mm/damon/reclaim: fix potential memory leak in damon_reclaim_init() [ Upstream commit 188043c7f4f2bd662f2a55957d684fffa543e600 ] damon_reclaim_init() allocates a memory chunk for ctx with damon_new_ctx(). When damon_select_ops() fails, ctx is not released, which will lead to a memory leak. We should release the ctx with damon_destroy_ctx() when damon_select_ops() fails to fix the memory leak. Link: https://lkml.kernel.org/r/20220714063746.2343549-1-niejianglei2021@163.com Fixes: 4d69c3457821 ("mm/damon/reclaim: use damon_select_ops() instead of damon_{v,p}a_set_operations()") Signed-off-by: Jianglei Nie Reviewed-by: SeongJae Park Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 3990e5b2be3d57325bcaf83da889e5ae212c97eb Author: Mike Snitzer Date: Wed Jul 20 13:58:04 2022 -0400 dm: fix dm-raid crash if md_handle_request() splits bio [ Upstream commit 9dd1cd3220eca534f2d47afad7ce85f4c40118d8 ] Commit ca522482e3eaf ("dm: pass NULL bdev to bio_alloc_clone") introduced the optimization to _not_ perform bio_associate_blkg()'s relatively costly work when DM core clones its bio. But in doing so it exposed the possibility for DM's cloned bio to alter DM target behavior (e.g. crash) if a target were to issue IO without first calling bio_set_dev(). The DM raid target can trigger an MD crash due to its need to split the DM bio that is passed to md_handle_request(). The split will recurse to submit_bio_noacct() using a bio with an uninitialized ->bi_blkg. This NULL bio->bi_blkg causes blk_throtl_bio() to dereference a NULL blkg_to_tg(bio->bi_blkg). Fix this in DM core by adding a new 'needs_bio_set_dev' target flag that will make alloc_tio() call bio_set_dev() on behalf of the target. dm-raid is the only target that requires this flag. bio_set_dev() initializes the DM cloned bio's ->bi_blkg, using bio_associate_blkg, before passing the bio to md_handle_request(). Long-term fix would be to audit and refactor MD code to rely on DM to split its bio, using dm_accept_partial_bio(), but there are MD raid personalities (e.g. raid1 and raid10) whose implementation are tightly coupled to handling the bio splitting inline. Fixes: ca522482e3eaf ("dm: pass NULL bdev to bio_alloc_clone") Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 2a9faa704d83ff0b04387e385efd8ae21cd95af6 Author: Mikulas Patocka Date: Sun Jul 24 14:33:52 2022 -0400 dm raid: fix address sanitizer warning in raid_resume [ Upstream commit 7dad24db59d2d2803576f2e3645728866a056dab ] There is a KASAN warning in raid_resume when running the lvm test lvconvert-raid.sh. The reason for the warning is that mddev->raid_disks is greater than rs->raid_disks, so the loop touches one entry beyond the allocated length. Cc: stable@vger.kernel.org Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit b4c6c07c92b6cba2bf3cb2dfa722debeaf8a8abe Author: Mikulas Patocka Date: Sun Jul 24 14:31:35 2022 -0400 dm raid: fix address sanitizer warning in raid_status [ Upstream commit 1fbeea217d8f297fe0e0956a1516d14ba97d0396 ] There is this warning when using a kernel with the address sanitizer and running this testsuite: https://gitlab.com/cki-project/kernel-tests/-/tree/main/storage/swraid/scsi_raid ================================================================== BUG: KASAN: slab-out-of-bounds in raid_status+0x1747/0x2820 [dm_raid] Read of size 4 at addr ffff888079d2c7e8 by task lvcreate/13319 CPU: 0 PID: 13319 Comm: lvcreate Not tainted 5.18.0-0.rc3. #1 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Call Trace: dump_stack_lvl+0x6a/0x9c print_address_description.constprop.0+0x1f/0x1e0 print_report.cold+0x55/0x244 kasan_report+0xc9/0x100 raid_status+0x1747/0x2820 [dm_raid] dm_ima_measure_on_table_load+0x4b8/0xca0 [dm_mod] table_load+0x35c/0x630 [dm_mod] ctl_ioctl+0x411/0x630 [dm_mod] dm_ctl_ioctl+0xa/0x10 [dm_mod] __x64_sys_ioctl+0x12a/0x1a0 do_syscall_64+0x5b/0x80 The warning is caused by reading conf->max_nr_stripes in raid_status. The code in raid_status reads mddev->private, casts it to struct r5conf and reads the entry max_nr_stripes. However, if we have different raid type than 4/5/6, mddev->private doesn't point to struct r5conf; it may point to struct r0conf, struct r1conf, struct r10conf or struct mpconf. If we cast a pointer to one of these structs to struct r5conf, we will be reading invalid memory and KASAN warns about it. Fix this bug by reading struct r5conf only if raid type is 4, 5 or 6. Cc: stable@vger.kernel.org Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit f91b4038b636d9c85ab3de5cfd8d5688aef5c0a6 Author: Sean Christopherson Date: Fri Jul 22 22:44:08 2022 +0000 KVM: nVMX: Attempt to load PERF_GLOBAL_CTRL on nVMX xfer iff it exists [ Upstream commit 4496a6f9b45e8cd83343ad86a3984d614e22cf54 ] Attempt to load PERF_GLOBAL_CTRL during nested VM-Enter/VM-Exit if and only if the MSR exists (according to the guest vCPU model). KVM has very misguided handling of VM_{ENTRY,EXIT}_LOAD_IA32_PERF_GLOBAL_CTRL and attempts to force the nVMX MSR settings to match the vPMU model, i.e. to hide/expose the control based on whether or not the MSR exists from the guest's perspective. KVM's modifications fail to handle the scenario where the vPMU is hidden from the guest _after_ being exposed to the guest, e.g. by userspace doing multiple KVM_SET_CPUID2 calls, which is allowed if done before any KVM_RUN. nested_vmx_pmu_refresh() is called if and only if there's a recognized vPMU, i.e. KVM will leave the bits in the allow state and then ultimately reject the MSR load and WARN. KVM should not force the VMX MSRs in the first place. KVM taking control of the MSRs was a misguided attempt at mimicking what commit 5f76f6f5ff96 ("KVM: nVMX: Do not expose MPX VMX controls when guest MPX disabled", 2018-10-01) did for MPX. However, the MPX commit was a workaround for another KVM bug and not something that should be imitated (and it should never been done in the first place). In other words, KVM's ABI _should_ be that userspace has full control over the MSRs, at which point triggering the WARN that loading the MSR must not fail is trivial. The intent of the WARN is still valid; KVM has consistency checks to ensure that vmcs12->{guest,host}_ia32_perf_global_ctrl is valid. The problem is that '0' must be considered a valid value at all times, and so the simple/obvious solution is to just not actually load the MSR when it does not exist. It is userspace's responsibility to provide a sane vCPU model, i.e. KVM is well within its ABI and Intel's VMX architecture to skip the loads if the MSR does not exist. Fixes: 03a8871add95 ("KVM: nVMX: Expose load IA32_PERF_GLOBAL_CTRL VM-{Entry,Exit} control") Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20220722224409.1336532-5-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 9863e9fc8ac2c13c786a26d49a69ae22201cffaf Author: Sean Christopherson Date: Fri Jul 22 22:44:07 2022 +0000 KVM: VMX: Add helper to check if the guest PMU has PERF_GLOBAL_CTRL [ Upstream commit b663f0b5f3d665c261256d1f76e98f077c6e56af ] Add a helper to check of the guest PMU has PERF_GLOBAL_CTRL, which is unintuitive _and_ diverges from Intel's architecturally defined behavior. Even worse, KVM currently implements the check using two different (but equivalent) checks, _and_ there has been at least one attempt to add a _third_ flavor. Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20220722224409.1336532-4-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit c08044267e7976a921294ade05cf986efb0c4f99 Author: Sean Christopherson Date: Sat Jun 11 00:57:51 2022 +0000 Revert "KVM: x86/pmu: Accept 0 for absent PMU MSRs when host-initiated if !enable_pmu" [ Upstream commit 5d4283df5a0fc8299fba9443c33d219939eccc2d ] Eating reads and writes to all "PMU" MSRs when there is no PMU is wildly broken as it results in allowing accesses to _any_ MSR on Intel CPUs as intel_is_valid_msr() returns true for all host_initiated accesses. A revert of commit d1c88a402056 ("KVM: x86: always allow host-initiated writes to PMU MSRs") will soon follow. This reverts commit 8e6a58e28b34e8d247e772159b8fa8f6bae39192. Signed-off-by: Sean Christopherson Message-Id: <20220611005755.753273-4-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 6a74a619d5ec9d5ea1a529d532a389889aabe61e Author: Like Xu Date: Wed Jun 1 11:19:23 2022 +0800 KVM: x86/pmu: Accept 0 for absent PMU MSRs when host-initiated if !enable_pmu [ Upstream commit 8e6a58e28b34e8d247e772159b8fa8f6bae39192 ] Whenever an MSR is part of KVM_GET_MSR_INDEX_LIST, as is the case for MSR_K7_EVNTSEL0 or MSR_F15H_PERF_CTL0, it has to be always retrievable and settable with KVM_GET_MSR and KVM_SET_MSR. Accept a zero value for these MSRs to obey the contract. Signed-off-by: Like Xu Message-Id: <20220601031925.59693-1-likexu@tencent.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit d577d6f536108d8d1e7203b968675480a03b140f Author: Like Xu Date: Mon May 9 18:22:02 2022 +0800 KVM: x86/pmu: Ignore pmu->global_ctrl check if vPMU doesn't support global_ctrl [ Upstream commit 98defd2e17803263f49548fea930cfc974d505aa ] MSR_CORE_PERF_GLOBAL_CTRL is introduced as part of Architecture PMU V2, as indicated by Intel SDM 19.2.2 and the intel_is_valid_msr() function. So in the absence of global_ctrl support, all PMCs are enabled as AMD does. Signed-off-by: Like Xu Message-Id: <20220509102204.62389-1-likexu@tencent.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 979ec20a64d9d2687dfaf844d4df93fcbb6fcc2b Author: Sean Christopherson Date: Fri Jul 22 22:44:06 2022 +0000 KVM: VMX: Mark all PERF_GLOBAL_(OVF)_CTRL bits reserved if there's no vPMU [ Upstream commit 93255bf92939d948bc86d81c6bb70bb0fecc5db1 ] Mark all MSR_CORE_PERF_GLOBAL_CTRL and MSR_CORE_PERF_GLOBAL_OVF_CTRL bits as reserved if there is no guest vPMU. The nVMX VM-Entry consistency checks do not check for a valid vPMU prior to consuming the masks via kvm_valid_perf_global_ctrl(), i.e. may incorrectly allow a non-zero mask to be loaded via VM-Enter or VM-Exit (well, attempted to be loaded, the actual MSR load will be rejected by intel_is_valid_msr()). Fixes: f5132b01386b ("KVM: Expose a version 2 architectural PMU to a guests") Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20220722224409.1336532-3-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit eb8f7dee28ccae389380694013487a55cff4bcc9 Author: Like Xu Date: Mon Apr 11 18:19:34 2022 +0800 KVM: x86/pmu: Introduce the ctrl_mask value for fixed counter [ Upstream commit 2c985527dd8d283e786ad7a67e532ef7f6f00fac ] The mask value of fixed counter control register should be dynamic adjusted with the number of fixed counters. This patch introduces a variable that includes the reserved bits of fixed counter control registers. This is a generic code refactoring. Co-developed-by: Luwei Kang Signed-off-by: Luwei Kang Signed-off-by: Like Xu Acked-by: Peter Zijlstra (Intel) Message-Id: <20220411101946.20262-6-likexu@tencent.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit fc1f79039743738432c913078f3fd38046c0d072 Author: Sumanth Korikkar Date: Tue Jul 26 18:57:59 2022 +0200 s390/unwind: fix fgraph return address recovery [ Upstream commit ded466e1806686794b403ebf031133bbaca76bb2 ] When HAVE_FUNCTION_GRAPH_RET_ADDR_PTR is defined, the return address to the fgraph caller is recovered by tagging it along with the stack pointer of ftrace stack. This makes the stack unwinding more reliable. When the fgraph return address is modified to return_to_handler, ftrace_graph_ret_addr tries to restore it to the original value using tagged stack pointer. Fix this by passing tagged sp to ftrace_graph_ret_addr. Fixes: d81675b60d09 ("s390/unwind: recover kretprobe modified return address in stacktrace") Cc: # 5.18 Reviewed-by: Vasily Gorbik Signed-off-by: Sumanth Korikkar Signed-off-by: Alexander Gordeev Signed-off-by: Sasha Levin commit 0a4dbde507541e6d14659fdcd257b51d908d4a98 Author: Jason A. Donenfeld Date: Thu Jul 28 00:32:18 2022 +1000 powerpc/powernv/kvm: Use darn for H_RANDOM on Power9 [ Upstream commit 7ef3d06f1bc4a5e62273726f3dc2bd258ae1c71f ] The existing logic in KVM to support guests calling H_RANDOM only works on Power8, because it looks for an RNG in the device tree, but on Power9 we just use darn. In addition the existing code needs to work in real mode, so we have the special cased powernv_get_random_real_mode() to deal with that. Instead just have KVM call ppc_md.get_random_seed(), and do the real mode check inside of there, that way we use whatever RNG is available, including darn on Power9. Fixes: e928e9cb3601 ("KVM: PPC: Book3S HV: Add fast real-mode H_RANDOM implementation.") Cc: stable@vger.kernel.org # v4.1+ Signed-off-by: Jason A. Donenfeld Tested-by: Sachin Sant [mpe: Rebase on previous commit, update change log appropriately] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220727143219.2684192-2-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 71fe2aff460ef33b12ddb6fd9a8b924257bb5682 Author: Rafael J. Wysocki Date: Thu Jul 21 19:41:10 2022 +0200 ACPI: CPPC: Do not prevent CPPC from working in the future [ Upstream commit 4f4179fcf420873002035cf1941d844c9e0e7cb3 ] There is a problem with the current revision checks in is_cppc_supported() that they essentially prevent the CPPC support from working if a new _CPC package format revision being a proper superset of the v3 and only causing _CPC to return a package with more entries (while retaining the types and meaning of the entries defined by the v3) is introduced in the future and used by the platform firmware. In that case, as long as the number of entries in the _CPC return package is at least CPPC_V3_NUM_ENT, it should be perfectly fine to use the v3 support code and disregard the additional package entries added by the new package format revision. For this reason, drop is_cppc_supported() altogether, put the revision checks directly into acpi_cppc_processor_probe() so they are easier to follow and rework them to take the case mentioned above into account. Fixes: 4773e77cdc9b ("ACPI / CPPC: Add support for CPPC v3") Cc: 4.18+ # 4.18+ Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 725cbee29674e895d54ecf80e126b39ef3aa4147 Author: Artem Bityutskiy Date: Sat Jul 16 09:26:55 2022 +0300 intel_idle: make SPR C1 and C1E be independent [ Upstream commit 1548fac47a114b42063def551eb152a536ed9697 ] This patch partially reverts the changes made by the following commit: da0e58c038e6 intel_idle: add 'preferred_cstates' module argument As that commit describes, on early Sapphire Rapids Xeon platforms the C1 and C1E states were mutually exclusive, so that users could only have either C1 and C6, or C1E and C6. However, Intel firmware engineers managed to remove this limitation and make C1 and C1E to be completely independent, just like on previous Xeon platforms. Therefore, this patch: * Removes commentary describing the old, and now non-existing SPR C1E limitation. * Marks SPR C1E as available by default. * Removes the 'preferred_cstates' parameter handling for SPR. Both C1 and C1E will be available regardless of 'preferred_cstates' value. We expect that all SPR systems are shipping with new firmware, which includes the C1/C1E improvement. Cc: v5.18+ # v5.18+ Signed-off-by: Artem Bityutskiy Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 746118c58dff0346b7d2087fffa91e07e22601c9 Author: Filipe Manana Date: Sun Jul 17 22:05:05 2022 +0100 btrfs: join running log transaction when logging new name [ Upstream commit 723df2bcc9e166ac7fb82b3932a53e09415dfcde ] When logging a new name, in case of a rename, we pin the log before changing it. We then either delete a directory entry from the log or insert a key range item to mark the old name for deletion on log replay. However when doing one of those log changes we may have another task that started writing out the log (at btrfs_sync_log()) and it started before we pinned the log root. So we may end up changing a log tree while its writeback is being started by another task syncing the log. This can lead to inconsistencies in a log tree and other unexpected results during log replay, because we can get some committed node pointing to a node/leaf that ends up not getting written to disk before the next log commit. The problem, conceptually, started to happen in commit 88d2beec7e53fc ("btrfs: avoid logging all directory changes during renames"), because there we started to update the log without joining its current transaction first. However the problem only became visible with commit 259c4b96d78dda ("btrfs: stop doing unnecessary log updates during a rename"), and that is because we used to pin the log at btrfs_rename() and then before entering btrfs_log_new_name(), when unlinking the old dentry, we ended up at btrfs_del_inode_ref_in_log() and btrfs_del_dir_entries_in_log(). Both of them join the current log transaction, effectively waiting for any log transaction writeout (due to acquiring the root's log_mutex). This made it safe even after leaving the current log transaction, because we remained with the log pinned when we called btrfs_log_new_name(). Then in commit 259c4b96d78dda ("btrfs: stop doing unnecessary log updates during a rename"), we removed the log pinning from btrfs_rename() and stopped calling btrfs_del_inode_ref_in_log() and btrfs_del_dir_entries_in_log() during the rename, and started to do all the needed work at btrfs_log_new_name(), but without joining the current log transaction, only pinning the log, which is racy because another task may have started writeout of the log tree right before we pinned the log. Both commits landed in kernel 5.18, so it doesn't make any practical difference which should be blamed, but I'm blaming the second commit only because with the first one, by chance, the problem did not happen due to the fact we joined the log transaction after pinning the log and unpinned it only after calling btrfs_log_new_name(). So make btrfs_log_new_name() join the current log transaction instead of pinning it, so that we never do log updates if it's writeout is starting. Fixes: 259c4b96d78dda ("btrfs: stop doing unnecessary log updates during a rename") CC: stable@vger.kernel.org # 5.18+ Reported-by: Zygo Blaxell Tested-by: Zygo Blaxell Reviewed-by: Josef Bacik Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 5022f4039a4d05a0b1f09c4fb14c957d608f7f0b Author: Naohiro Aota Date: Sat Jul 9 08:18:50 2022 +0900 btrfs: zoned: wait until zone is finished when allocation didn't progress [ Upstream commit 2ce543f478433a0eec0f72090d7e814f1d53d456 ] When the allocated position doesn't progress, we cannot submit IOs to finish a block group, but there should be ongoing IOs that will finish a block group. So, in that case, we wait for a zone to be finished and retry the allocation after that. Introduce a new flag BTRFS_FS_NEED_ZONE_FINISH for fs_info->flags to indicate we need a zone finish to have proceeded. The flag is set when the allocator detected it cannot activate a new block group. And, it is cleared once a zone is finished. CC: stable@vger.kernel.org # 5.16+ Fixes: afba2bc036b0 ("btrfs: zoned: implement active zone tracking") Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit b6735eff2a6feaaf4eee4ab7b1614c994fcbba21 Author: Naohiro Aota Date: Sat Jul 9 08:18:49 2022 +0900 btrfs: zoned: write out partially allocated region [ Upstream commit 898793d992c23dac6126a6a94ad893eae1a2c9df ] cow_file_range() works in an all-or-nothing way: if it fails to allocate an extent for a part of the given region, it gives up all the region including the successfully allocated parts. On cow_file_range(), run_delalloc_zoned() writes data for the region only when it successfully allocate all the region. This all-or-nothing allocation and write-out are problematic when available space in all the block groups are get tight with the active zone restriction. btrfs_reserve_extent() try hard to utilize the left space in the active block groups and gives up finally and fails with -ENOSPC. However, if we send IOs for the successfully allocated region, we can finish a zone and can continue on the rest of the allocation on a newly allocated block group. This patch implements the partial write-out for run_delalloc_zoned(). With this patch applied, cow_file_range() returns -EAGAIN to tell the caller to do something to progress the further allocation, and tells the successfully allocated region with done_offset. Furthermore, the zoned extent allocator returns -EAGAIN to tell cow_file_range() going back to the caller side. Actually, we still need to wait for an IO to complete to continue the allocation. The next patch implements that part. CC: stable@vger.kernel.org # 5.16+ Fixes: afba2bc036b0 ("btrfs: zoned: implement active zone tracking") Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 25934c5214abb6636f67380fe3628d77d53f4725 Author: Naohiro Aota Date: Sat Jul 9 08:18:48 2022 +0900 btrfs: zoned: activate necessary block group [ Upstream commit b6a98021e4019c562a23ad151a7e40adfa9f91e5 ] There are two places where allocating a chunk is not enough. These two places are trying to ensure the space by allocating a chunk. To meet the condition for active_total_bytes, we also need to activate a block group there. CC: stable@vger.kernel.org # 5.16+ Fixes: afba2bc036b0 ("btrfs: zoned: implement active zone tracking") Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 407b66b662bb2c05dd033c9a2db808f01fb0244a Author: Naohiro Aota Date: Sat Jul 9 08:18:47 2022 +0900 btrfs: zoned: activate metadata block group on flush_space [ Upstream commit b0931513913633044ed6e3800334c28433c007b0 ] For metadata space on zoned filesystem, reaching ALLOC_CHUNK{,_FORCE} means we don't have enough space left in the active_total_bytes. Before allocating a new chunk, we can try to activate an existing block group in this case. Also, allocating a chunk is not enough to grant a ticket for metadata space on zoned filesystem we need to activate the block group to increase the active_total_bytes. btrfs_zoned_activate_one_bg() implements the activation feature. It will activate a block group by (maybe) finishing a block group. It will give up activating a block group if it cannot finish any block group. CC: stable@vger.kernel.org # 5.16+ Fixes: afba2bc036b0 ("btrfs: zoned: implement active zone tracking") Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 33ed56fe558b5a5b0ec1d08016f800741ec26e36 Author: Naohiro Aota Date: Sat Jul 9 08:18:45 2022 +0900 btrfs: zoned: introduce space_info->active_total_bytes [ Upstream commit 6a921de589926a350634e6e279f43fa5b9dbf5ba ] The active_total_bytes, like the total_bytes, accounts for the total bytes of active block groups in the space_info. With an introduction of active_total_bytes, we can check if the reserved bytes can be written to the block groups without activating a new block group. The check is necessary for metadata allocation on zoned filesystem. We cannot finish a block group, which may require waiting for the current transaction, from the metadata allocation context. Instead, we need to ensure the ongoing allocation (reserved bytes) fits in active block groups. Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 17aa1f2aa331f28a7e81f1b7f8445d3fb124eb89 Author: Stefan Roesch Date: Tue Feb 8 11:31:20 2022 -0800 btrfs: store chunk size in space-info struct [ Upstream commit f6fca3917b4d99d8c13901738afec35f570a3c2f ] The chunk size is stored in the btrfs_space_info structure. It is initialized at the start and is then used. A new API is added to update the current chunk size. This API is used to be able to expose the chunk_size as a sysfs setting. Signed-off-by: Stefan Roesch Reviewed-by: David Sterba [ rename and merge helpers, switch atomic type to u64, style fixes ] Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 0f43e4fc06e0cd2aee2922726732e917e459efc4 Author: Naohiro Aota Date: Sat Jul 9 08:18:46 2022 +0900 btrfs: zoned: disable metadata overcommit for zoned [ Upstream commit 79417d040f4f77b19c701bccc23013b9cdac358d ] The metadata overcommit makes the space reservation flexible but it is also harmful to active zone tracking. Since we cannot finish a block group from the metadata allocation context, we might not activate a new block group and might not be able to actually write out the overcommit reservations. So, disable metadata overcommit for zoned filesystems. We will ensure the reservations are under active_total_bytes in the following patches. CC: stable@vger.kernel.org # 5.16+ Fixes: afba2bc036b0 ("btrfs: zoned: implement active zone tracking") Signed-off-by: Naohiro Aota Reviewed-by: Johannes Thumshirn Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit f6ad412c647ac32e3ed2750b99c87c119daea9bb Author: Naohiro Aota Date: Sat Jul 9 08:18:44 2022 +0900 btrfs: zoned: finish least available block group on data bg allocation [ Upstream commit 393f646e34c18b85d0f41272bfcbd475ae3a0d34 ] When we run out of active zones and no sufficient space is left in any block groups, we need to finish one block group to make room to activate a new block group. However, we cannot do this for metadata block groups because we can cause a deadlock by waiting for a running transaction commit. So, do that only for a data block group. Furthermore, the block group to be finished has two requirements. First, the block group must not have reserved bytes left. Having reserved bytes means we have an allocated region but did not yet send bios for it. If that region is allocated by the thread calling btrfs_zone_finish(), it results in a deadlock. Second, the block group to be finished must not be a SYSTEM block group. Finishing a SYSTEM block group easily breaks further chunk allocation by nullifying the SYSTEM free space. In a certain case, we cannot find any zone finish candidate or btrfs_zone_finish() may fail. In that case, we fall back to split the allocation bytes and fill the last spaces left in the block groups. CC: stable@vger.kernel.org # 5.16+ Fixes: afba2bc036b0 ("btrfs: zoned: implement active zone tracking") Reviewed-by: Johannes Thumshirn Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 615535d5315392dc0ce316664a5d8226d22066bb Author: Naohiro Aota Date: Sat Jul 9 08:18:43 2022 +0900 btrfs: let can_allocate_chunk return error [ Upstream commit bb9950d3df7169a673c594d38fb74e241ed4fb2a ] For the later patch, convert the return type from bool to int and return errors. No functional changes. Reviewed-by: Johannes Thumshirn Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit d798edf59909acfbd89576198396dc7fb2e98e65 Author: Naohiro Aota Date: Sat Jul 9 08:18:41 2022 +0900 btrfs: convert count_max_extents() to use fs_info->max_extent_size [ Upstream commit 7d7672bc5d1038c745716c397d892d21e29de71c ] If count_max_extents() uses BTRFS_MAX_EXTENT_SIZE to calculate the number of extents needed, btrfs release the metadata reservation too much on its way to write out the data. Now that BTRFS_MAX_EXTENT_SIZE is replaced with fs_info->max_extent_size, convert count_max_extents() to use it instead, and fix the calculation of the metadata reservation. CC: stable@vger.kernel.org # 5.12+ Fixes: d8e3fb106f39 ("btrfs: zoned: use ZONE_APPEND write for zoned mode") Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 096e8eb9639b342bc35f9b741cf05e26d0106e92 Author: Naohiro Aota Date: Sat Jul 9 08:18:40 2022 +0900 btrfs: replace BTRFS_MAX_EXTENT_SIZE with fs_info->max_extent_size [ Upstream commit f7b12a62f008a3041f42f2426983e59a6a0a3c59 ] On zoned filesystem, data write out is limited by max_zone_append_size, and a large ordered extent is split according the size of a bio. OTOH, the number of extents to be written is calculated using BTRFS_MAX_EXTENT_SIZE, and that estimated number is used to reserve the metadata bytes to update and/or create the metadata items. The metadata reservation is done at e.g, btrfs_buffered_write() and then released according to the estimation changes. Thus, if the number of extent increases massively, the reserved metadata can run out. The increase of the number of extents easily occurs on zoned filesystem if BTRFS_MAX_EXTENT_SIZE > max_zone_append_size. And, it causes the following warning on a small RAM environment with disabling metadata over-commit (in the following patch). [75721.498492] ------------[ cut here ]------------ [75721.505624] BTRFS: block rsv 1 returned -28 [75721.512230] WARNING: CPU: 24 PID: 2327559 at fs/btrfs/block-rsv.c:537 btrfs_use_block_rsv+0x560/0x760 [btrfs] [75721.581854] CPU: 24 PID: 2327559 Comm: kworker/u64:10 Kdump: loaded Tainted: G W 5.18.0-rc2-BTRFS-ZNS+ #109 [75721.597200] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021 [75721.607310] Workqueue: btrfs-endio-write btrfs_work_helper [btrfs] [75721.616209] RIP: 0010:btrfs_use_block_rsv+0x560/0x760 [btrfs] [75721.646649] RSP: 0018:ffffc9000fbdf3e0 EFLAGS: 00010286 [75721.654126] RAX: 0000000000000000 RBX: 0000000000004000 RCX: 0000000000000000 [75721.663524] RDX: 0000000000000004 RSI: 0000000000000008 RDI: fffff52001f7be6e [75721.672921] RBP: ffffc9000fbdf420 R08: 0000000000000001 R09: ffff889f8d1fc6c7 [75721.682493] R10: ffffed13f1a3f8d8 R11: 0000000000000001 R12: ffff88980a3c0e28 [75721.692284] R13: ffff889b66590000 R14: ffff88980a3c0e40 R15: ffff88980a3c0e8a [75721.701878] FS: 0000000000000000(0000) GS:ffff889f8d000000(0000) knlGS:0000000000000000 [75721.712601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [75721.720726] CR2: 000055d12e05c018 CR3: 0000800193594000 CR4: 0000000000350ee0 [75721.730499] Call Trace: [75721.735166] [75721.739886] btrfs_alloc_tree_block+0x1e1/0x1100 [btrfs] [75721.747545] ? btrfs_alloc_logged_file_extent+0x550/0x550 [btrfs] [75721.756145] ? btrfs_get_32+0xea/0x2d0 [btrfs] [75721.762852] ? btrfs_get_32+0xea/0x2d0 [btrfs] [75721.769520] ? push_leaf_left+0x420/0x620 [btrfs] [75721.776431] ? memcpy+0x4e/0x60 [75721.781931] split_leaf+0x433/0x12d0 [btrfs] [75721.788392] ? btrfs_get_token_32+0x580/0x580 [btrfs] [75721.795636] ? push_for_double_split.isra.0+0x420/0x420 [btrfs] [75721.803759] ? leaf_space_used+0x15d/0x1a0 [btrfs] [75721.811156] btrfs_search_slot+0x1bc3/0x2790 [btrfs] [75721.818300] ? lock_downgrade+0x7c0/0x7c0 [75721.824411] ? free_extent_buffer.part.0+0x107/0x200 [btrfs] [75721.832456] ? split_leaf+0x12d0/0x12d0 [btrfs] [75721.839149] ? free_extent_buffer.part.0+0x14f/0x200 [btrfs] [75721.846945] ? free_extent_buffer+0x13/0x20 [btrfs] [75721.853960] ? btrfs_release_path+0x4b/0x190 [btrfs] [75721.861429] btrfs_csum_file_blocks+0x85c/0x1500 [btrfs] [75721.869313] ? rcu_read_lock_sched_held+0x16/0x80 [75721.876085] ? lock_release+0x552/0xf80 [75721.881957] ? btrfs_del_csums+0x8c0/0x8c0 [btrfs] [75721.888886] ? __kasan_check_write+0x14/0x20 [75721.895152] ? do_raw_read_unlock+0x44/0x80 [75721.901323] ? _raw_write_lock_irq+0x60/0x80 [75721.907983] ? btrfs_global_root+0xb9/0xe0 [btrfs] [75721.915166] ? btrfs_csum_root+0x12b/0x180 [btrfs] [75721.921918] ? btrfs_get_global_root+0x820/0x820 [btrfs] [75721.929166] ? _raw_write_unlock+0x23/0x40 [75721.935116] ? unpin_extent_cache+0x1e3/0x390 [btrfs] [75721.942041] btrfs_finish_ordered_io.isra.0+0xa0c/0x1dc0 [btrfs] [75721.949906] ? try_to_wake_up+0x30/0x14a0 [75721.955700] ? btrfs_unlink_subvol+0xda0/0xda0 [btrfs] [75721.962661] ? rcu_read_lock_sched_held+0x16/0x80 [75721.969111] ? lock_acquire+0x41b/0x4c0 [75721.974982] finish_ordered_fn+0x15/0x20 [btrfs] [75721.981639] btrfs_work_helper+0x1af/0xa80 [btrfs] [75721.988184] ? _raw_spin_unlock_irq+0x28/0x50 [75721.994643] process_one_work+0x815/0x1460 [75722.000444] ? pwq_dec_nr_in_flight+0x250/0x250 [75722.006643] ? do_raw_spin_trylock+0xbb/0x190 [75722.013086] worker_thread+0x59a/0xeb0 [75722.018511] kthread+0x2ac/0x360 [75722.023428] ? process_one_work+0x1460/0x1460 [75722.029431] ? kthread_complete_and_exit+0x30/0x30 [75722.036044] ret_from_fork+0x22/0x30 [75722.041255] [75722.045047] irq event stamp: 0 [75722.049703] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [75722.057610] hardirqs last disabled at (0): [] copy_process+0x1c1a/0x66b0 [75722.067533] softirqs last enabled at (0): [] copy_process+0x1c59/0x66b0 [75722.077423] softirqs last disabled at (0): [<0000000000000000>] 0x0 [75722.085335] ---[ end trace 0000000000000000 ]--- To fix the estimation, we need to introduce fs_info->max_extent_size to replace BTRFS_MAX_EXTENT_SIZE, which allow setting the different size for regular vs zoned filesystem. Set fs_info->max_extent_size to BTRFS_MAX_EXTENT_SIZE by default. On zoned filesystem, it is set to fs_info->max_zone_append_size. CC: stable@vger.kernel.org # 5.12+ Fixes: d8e3fb106f39 ("btrfs: zoned: use ZONE_APPEND write for zoned mode") Reviewed-by: Johannes Thumshirn Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 506e8ae2193622da433c1eca4b0878a36c00ef47 Author: Naohiro Aota Date: Sat Jul 9 08:18:39 2022 +0900 btrfs: zoned: revive max_zone_append_bytes [ Upstream commit c2ae7b772ef4e86c5ddf3fd47bf59045ae96a414 ] This patch is basically a revert of commit 5a80d1c6a270 ("btrfs: zoned: remove max_zone_append_size logic"), but without unnecessary ASSERT and check. The max_zone_append_size will be used as a hint to estimate the number of extents to cover delalloc/writeback region in the later commits. The size of a ZONE APPEND bio is also limited by queue_max_segments(), so this commit considers it to calculate max_zone_append_size. Technically, a bio can be larger than queue_max_segments() * PAGE_SIZE if the pages are contiguous. But, it is safe to consider "queue_max_segments() * PAGE_SIZE" as an upper limit of an extent size to calculate the number of extents needed to write data. Reviewed-by: Johannes Thumshirn Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit bf764bdc37283d84a3558bc43ee4e84a73bc04fa Author: Naohiro Aota Date: Sat Jul 9 08:18:38 2022 +0900 block: add bdev_max_segments() helper [ Upstream commit 65ea1b66482f415d51cd46515b02477257330339 ] Add bdev_max_segments() like other queue parameters. Reviewed-by: Johannes Thumshirn Reviewed-by: Jens Axboe Reviewed-by: Christoph Hellwig Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 3e36602adace358397ea38c0dfae11336321b9f8 Author: Nikolay Borisov Date: Thu Jun 23 10:55:47 2022 +0300 btrfs: properly flag filesystem with BTRFS_FEATURE_INCOMPAT_BIG_METADATA [ Upstream commit e26b04c4c91925dba57324db177a24e18e2d0013 ] Commit 6f93e834fa7c seemingly inadvertently moved the code responsible for flagging the filesystem as having BIG_METADATA to a place where setting the flag was essentially lost. This means that filesystems created with kernels containing this bug (starting with 5.15) can potentially be mounted by older (pre-3.4) kernels. In reality chances for this happening are low because there are other incompat flags introduced in the mean time. Still the correct behavior is to set INCOMPAT_BIG_METADATA flag and persist this in the superblock. Fixes: 6f93e834fa7c ("btrfs: fix upper limit for max_inline for page size 64K") CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo Signed-off-by: Nikolay Borisov Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit ff04ffd79cba85fee7bc2271e9020abdd836678d Author: Josef Bacik Date: Mon Jun 13 18:31:17 2022 -0400 btrfs: reset block group chunk force if we have to wait [ Upstream commit 1314ca78b2c35d3e7d0f097268a2ee6dc0d369ef ] If you try to force a chunk allocation, but you race with another chunk allocation, you will end up waiting on the chunk allocation that just occurred and then allocate another chunk. If you have many threads all doing this at once you can way over-allocate chunks. Fix this by resetting force to NO_FORCE, that way if we think we need to allocate we can, otherwise we don't force another chunk allocation if one is already happening. Reviewed-by: Filipe Manana CC: stable@vger.kernel.org # 5.4+ Signed-off-by: Josef Bacik Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 9fff2b774e93b1b76f3e103d3ca11b6c24d5eeeb Author: Naohiro Aota Date: Tue Jun 21 15:41:01 2022 +0900 btrfs: fix error handling of fallback uncompress write [ Upstream commit 71aa147b4d9d81fa65afa6016f50d7818b64a54f ] When cow_file_range() fails in the middle of the allocation loop, it unlocks the pages but leaves the ordered extents intact. Thus, we need to call btrfs_cleanup_ordered_extents() to finish the created ordered extents. Also, we need to call end_extent_writepage() if locked_page is available because btrfs_cleanup_ordered_extents() never processes the region on the locked_page. Furthermore, we need to set the mapping as error if locked_page is unavailable before unlocking the pages, so that the errno is properly propagated to the user space. CC: stable@vger.kernel.org # 5.18+ Reviewed-by: Filipe Manana Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit e160aa87c87a9c4e0c8d1430235f715a3a91e2cd Author: Naohiro Aota Date: Tue Jun 21 15:40:59 2022 +0900 btrfs: ensure pages are unlocked on cow_file_range() failure [ Upstream commit 9ce7466f372d83054c7494f6b3e4b9abaf3f0355 ] There is a hung_task report on zoned btrfs like below. https://github.com/naota/linux/issues/59 [726.328648] INFO: task rocksdb:high0:11085 blocked for more than 241 seconds. [726.329839] Not tainted 5.16.0-rc1+ #1 [726.330484] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [726.331603] task:rocksdb:high0 state:D stack: 0 pid:11085 ppid: 11082 flags:0x00000000 [726.331608] Call Trace: [726.331611] [726.331614] __schedule+0x2e5/0x9d0 [726.331622] schedule+0x58/0xd0 [726.331626] io_schedule+0x3f/0x70 [726.331629] __folio_lock+0x125/0x200 [726.331634] ? find_get_entries+0x1bc/0x240 [726.331638] ? filemap_invalidate_unlock_two+0x40/0x40 [726.331642] truncate_inode_pages_range+0x5b2/0x770 [726.331649] truncate_inode_pages_final+0x44/0x50 [726.331653] btrfs_evict_inode+0x67/0x480 [726.331658] evict+0xd0/0x180 [726.331661] iput+0x13f/0x200 [726.331664] do_unlinkat+0x1c0/0x2b0 [726.331668] __x64_sys_unlink+0x23/0x30 [726.331670] do_syscall_64+0x3b/0xc0 [726.331674] entry_SYSCALL_64_after_hwframe+0x44/0xae [726.331677] RIP: 0033:0x7fb9490a171b [726.331681] RSP: 002b:00007fb943ffac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000057 [726.331684] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb9490a171b [726.331686] RDX: 00007fb943ffb040 RSI: 000055a6bbe6ec20 RDI: 00007fb94400d300 [726.331687] RBP: 00007fb943ffad00 R08: 0000000000000000 R09: 0000000000000000 [726.331688] R10: 0000000000000031 R11: 0000000000000246 R12: 00007fb943ffb000 [726.331690] R13: 00007fb943ffb040 R14: 0000000000000000 R15: 00007fb943ffd260 [726.331693] While we debug the issue, we found running fstests generic/551 on 5GB non-zoned null_blk device in the emulated zoned mode also had a similar hung issue. Also, we can reproduce the same symptom with an error injected cow_file_range() setup. The hang occurs when cow_file_range() fails in the middle of allocation. cow_file_range() called from do_allocation_zoned() can split the give region ([start, end]) for allocation depending on current block group usages. When btrfs can allocate bytes for one part of the split regions but fails for the other region (e.g. because of -ENOSPC), we return the error leaving the pages in the succeeded regions locked. Technically, this occurs only when @unlock == 0. Otherwise, we unlock the pages in an allocated region after creating an ordered extent. Considering the callers of cow_file_range(unlock=0) won't write out the pages, we can unlock the pages on error exit from cow_file_range(). So, we can ensure all the pages except @locked_page are unlocked on error case. In summary, cow_file_range now behaves like this: - page_started == 1 (return value) - All the pages are unlocked. IO is started. - unlock == 1 - All the pages except @locked_page are unlocked in any case - unlock == 0 - On success, all the pages are locked for writing out them - On failure, all the pages except @locked_page are unlocked Fixes: 42c011000963 ("btrfs: zoned: introduce dedicated data write path for zoned filesystems") CC: stable@vger.kernel.org # 5.12+ Reviewed-by: Filipe Manana Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 77cf0352146ae283f878403fd59d2438f7c017c4 Author: Josef Bacik Date: Mon Jun 13 15:09:48 2022 -0400 btrfs: tree-log: make the return value for log syncing consistent [ Upstream commit f31f09f6be1c6c1a673e0566e258281a7bbaaa51 ] Currently we will return 1 or -EAGAIN if we decide we need to commit the transaction rather than sync the log. In practice this doesn't really matter, we interpret any !0 and !BTRFS_NO_LOG_SYNC as needing to commit the transaction. However this makes it hard to figure out what the correct thing to do is. Fix this up by defining BTRFS_LOG_FORCE_COMMIT and using this in all the places where we want to force the transaction to be committed. CC: stable@vger.kernel.org # 5.15+ Reviewed-by: Filipe Manana Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 0c9bb1acd1d103a3070b2126870eb52761d606ce Author: Jinke Han Date: Wed Jul 20 17:36:16 2022 +0800 block: don't allow the same type rq_qos add more than once [ Upstream commit 14a6e2eb7df5c7897c15b109cba29ab0c4a791b6 ] In our test of iocost, we encountered some list add/del corruptions of inner_walk list in ioc_timer_fn. The reason can be described as follows: cpu 0 cpu 1 ioc_qos_write ioc_qos_write ioc = q_to_ioc(queue); if (!ioc) { ioc = kzalloc(); ioc = q_to_ioc(queue); if (!ioc) { ioc = kzalloc(); ... rq_qos_add(q, rqos); } ... rq_qos_add(q, rqos); ... } When the io.cost.qos file is written by two cpus concurrently, rq_qos may be added to one disk twice. In that case, there will be two iocs enabled and running on one disk. They own different iocgs on their active list. In the ioc_timer_fn function, because of the iocgs from two iocs have the same root iocg, the root iocg's walk_list may be overwritten by each other and this leads to list add/del corruptions in building or destroying the inner_walk list. And so far, the blk-rq-qos framework works in case that one instance for one type rq_qos per queue by default. This patch make this explicit and also fix the crash above. Signed-off-by: Jinke Han Reviewed-by: Muchun Song Acked-by: Tejun Heo Cc: Link: https://lore.kernel.org/r/20220720093616.70584-1-hanjinke.666@bytedance.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit b480d1e9a8c11ecc1c99dc01814b28e3103bd0a0 Author: Chen Zhongjin Date: Tue May 10 17:46:39 2022 +0800 locking/csd_lock: Change csdlock_debug from early_param to __setup [ Upstream commit 9c9b26b0df270d4f9246e483a44686fca951a29c ] The csdlock_debug kernel-boot parameter is parsed by the early_param() function csdlock_debug(). If set, csdlock_debug() invokes static_branch_enable() to enable csd_lock_wait feature, which triggers a panic on arm64 for kernels built with CONFIG_SPARSEMEM=y and CONFIG_SPARSEMEM_VMEMMAP=n. With CONFIG_SPARSEMEM_VMEMMAP=n, __nr_to_section is called in static_key_enable() and returns NULL, resulting in a NULL dereference because mem_section is initialized only later in sparse_init(). This is also a problem for powerpc because early_param() functions are invoked earlier than jump_label_init(), also resulting in static_key_enable() failures. These failures cause the warning "static key 'xxx' used before call to jump_label_init()". Thus, early_param is too early for csd_lock_wait to run static_branch_enable(), so changes it to __setup to fix these. Fixes: 8d0968cc6b8f ("locking/csd_lock: Add boot parameter for controlling CSD lock debugging") Cc: stable@vger.kernel.org Reported-by: Chen jingwen Signed-off-by: Chen Zhongjin Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit 141c2785d940c88998d5b704bbf2e2c72b4f9cf0 Author: Jason A. Donenfeld Date: Sun Jul 17 23:53:34 2022 +0200 timekeeping: contribute wall clock to rng on time change [ Upstream commit b8ac29b40183a6038919768b5d189c9bd91ce9b4 ] The rng's random_init() function contributes the real time to the rng at boot time, so that events can at least start in relation to something particular in the real world. But this clock might not yet be set that point in boot, so nothing is contributed. In addition, the relation between minor clock changes from, say, NTP, and the cycle counter is potentially useful entropic data. This commit addresses this by mixing in a time stamp on calls to settimeofday and adjtimex. No entropy is credited in doing so, so it doesn't make initialization faster, but it is still useful input to have. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Reviewed-by: Thomas Gleixner Reviewed-by: Eric Biggers Signed-off-by: Jason A. Donenfeld Signed-off-by: Sasha Levin commit e2632767927ee651298b52498ca373ab6dd9be9d Author: Pali Rohár Date: Tue Nov 2 18:12:58 2021 +0100 ARM: Marvell: Update PCIe fixup [ Upstream commit fdaa3725831972284ef2779ddba00491d9dbbfca ] - The code relies on rc_pci_fixup being called, which only happens when CONFIG_PCI_QUIRKS is enabled, so add that to Kconfig. Omitting this causes a booting failure with a non-obvious cause. - Update rc_pci_fixup to set the class properly, copying the more modern style from other places - Correct the rc_pci_fixup comment This patch just re-applies commit 1dc831bf53fd ("ARM: Kirkwood: Update PCI-E fixup") for all other Marvell ARM platforms which have same buggy PCIe controller and do not use pci-mvebu.c controller driver yet. Long-term goal for these Marvell ARM platforms should be conversion to pci-mvebu.c controller driver and removal of these fixups in arch code. Signed-off-by: Pali Rohár Cc: Jason Gunthorpe Cc: stable@vger.kernel.org Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 783bc69cc2e0023d30301eeeba2f53a9abaa5dcc Author: Tyler Hicks Date: Sun Jul 10 09:14:02 2022 -0500 net/9p: Initialize the iounit field during fid creation [ Upstream commit aa7aeee169480e98cf41d83c01290a37e569be6d ] Ensure that the fid's iounit field is set to zero when a new fid is created. Certain 9P operations, such as OPEN and CREATE, allow the server to reply with an iounit size which the client code assigns to the p9_fid struct shortly after the fid is created by p9_fid_create(). On the other hand, an XATTRWALK operation doesn't allow for the server to specify an iounit value. The iounit field of the newly allocated p9_fid struct remained uninitialized in that case. Depending on allocation patterns, the iounit value could have been something reasonable that was carried over from previously freed fids or, in the worst case, could have been arbitrary values from non-fid related usages of the memory location. The bug was detected in the Windows Subsystem for Linux 2 (WSL2) kernel after the uninitialized iounit field resulted in the typical sequence of two getxattr(2) syscalls, one to get the size of an xattr and another after allocating a sufficiently sized buffer to fit the xattr value, to hit an unexpected ERANGE error in the second call to getxattr(2). An uninitialized iounit field would sometimes force rsize to be smaller than the xattr value size in p9_client_read_once() and the 9P server in WSL refused to chunk up the READ on the attr_fid and, instead, returned ERANGE to the client. The virtfs server in QEMU seems happy to chunk up the READ and this problem goes undetected there. Link: https://lkml.kernel.org/r/20220710141402.803295-1-tyhicks@linux.microsoft.com Fixes: ebf46264a004 ("fs/9p: Add support user. xattr") Cc: stable@vger.kernel.org Signed-off-by: Tyler Hicks Reviewed-by: Christian Schoenebeck Signed-off-by: Dominique Martinet Signed-off-by: Sasha Levin commit e4dbe24f4bfd8377e7ba79fdcdb7c4d6eb1c6790 Author: Luo Meng Date: Thu Jul 14 19:28:25 2022 +0800 dm thin: fix use-after-free crash in dm_sm_register_threshold_callback [ Upstream commit 3534e5a5ed2997ca1b00f44a0378a075bd05e8a3 ] Fault inject on pool metadata device reports: BUG: KASAN: use-after-free in dm_pool_register_metadata_threshold+0x40/0x80 Read of size 8 at addr ffff8881b9d50068 by task dmsetup/950 CPU: 7 PID: 950 Comm: dmsetup Tainted: G W 5.19.0-rc6 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 Call Trace: dump_stack_lvl+0x34/0x44 print_address_description.constprop.0.cold+0xeb/0x3f4 kasan_report.cold+0xe6/0x147 dm_pool_register_metadata_threshold+0x40/0x80 pool_ctr+0xa0a/0x1150 dm_table_add_target+0x2c8/0x640 table_load+0x1fd/0x430 ctl_ioctl+0x2c4/0x5a0 dm_ctl_ioctl+0xa/0x10 __x64_sys_ioctl+0xb3/0xd0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 This can be easily reproduced using: echo offline > /sys/block/sda/device/state dd if=/dev/zero of=/dev/mapper/thin bs=4k count=10 dmsetup load pool --table "0 20971520 thin-pool /dev/sda /dev/sdb 128 0 0" If a metadata commit fails, the transaction will be aborted and the metadata space maps will be destroyed. If a DM table reload then happens for this failed thin-pool, a use-after-free will occur in dm_sm_register_threshold_callback (called from dm_pool_register_metadata_threshold). Fix this by in dm_pool_register_metadata_threshold() by returning the -EINVAL error if the thin-pool is in fail mode. Also fail pool_ctr() with a new error message: "Error registering metadata threshold". Fixes: ac8c3f3df65e4 ("dm thin: generate event when metadata threshold passed") Cc: stable@vger.kernel.org Reported-by: Hulk Robot Signed-off-by: Luo Meng Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 351db9a0357428384ba15fc1968f39d5e7693f6b Author: Steven Rostedt (Google) Date: Tue Jul 5 18:44:54 2022 -0400 tracing/events: Add __vstring() and __assign_vstr() helper macros [ Upstream commit 0563231f93c6d1f582b168a47753b345c1e20d81 ] There's several places that open code the following logic: TP_STRUCT__entry(__dynamic_array(char, msg, MSG_MAX)), TP_fast_assign(vsnprintf(__get_str(msg), MSG_MAX, vaf->fmt, *vaf->va);) To load a string created by variable array va_list. The main issue with this approach is that "MSG_MAX" usage in the __dynamic_array() portion. That actually just reserves the MSG_MAX in the event, and even wastes space because there's dynamic meta data also saved in the event to denote the offset and size of the dynamic array. It would have been better to just use a static __array() field. Instead, create __vstring() and __assign_vstr() that work like __string and __assign_str() but instead of taking a destination string to copy, take a format string and a va_list pointer and fill in the values. It uses the helper: #define __trace_event_vstr_len(fmt, va) \ ({ \ va_list __ap; \ int __ret; \ \ va_copy(__ap, *(va)); \ __ret = vsnprintf(NULL, 0, fmt, __ap) + 1; \ va_end(__ap); \ \ min(__ret, TRACE_EVENT_STR_MAX); \ }) To figure out the length to store the string. It may be slightly slower as it needs to run the vsnprintf() twice, but it now saves space on the ring buffer. Link: https://lkml.kernel.org/r/20220705224749.053570613@goodmis.org Cc: Dennis Dalessandro Cc: Ingo Molnar Cc: Andrew Morton Cc: Jason Gunthorpe Cc: Leon Romanovsky Cc: Kalle Valo Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Arend van Spriel Cc: Franky Lin Cc: Hante Meuleman Cc: Gregory Greenman Cc: Peter Chen Cc: Greg Kroah-Hartman Cc: Mathias Nyman Cc: Chunfeng Yun Cc: Bin Liu Cc: Marek Lindner Cc: Simon Wunderlich Cc: Antonio Quartulli Cc: Sven Eckelmann Cc: Johannes Berg Cc: Jim Cromie Signed-off-by: Steven Rostedt (Google) Signed-off-by: Sasha Levin commit 90bafcad8c28d7a0a024e684551e7b4368ff6943 Author: Michal Suchanek Date: Thu Jul 14 21:40:27 2022 +0800 kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification [ Upstream commit 0828c4a39be57768b8788e8cbd0d84683ea757e5 ] commit e23a8020ce4e ("s390/kexec_file: Signature verification prototype") adds support for KEXEC_SIG verification with keys from platform keyring but the built-in keys and secondary keyring are not used. Add support for the built-in keys and secondary keyring as x86 does. Fixes: e23a8020ce4e ("s390/kexec_file: Signature verification prototype") Cc: stable@vger.kernel.org Cc: Philipp Rudo Cc: kexec@lists.infradead.org Cc: keyrings@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Michal Suchanek Reviewed-by: "Lee, Chun-Yi" Acked-by: Baoquan He Signed-off-by: Coiby Xu Acked-by: Heiko Carstens Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit b302cdef14ccc823888e6853ef3809f01f321017 Author: Coiby Xu Date: Thu Jul 14 21:40:24 2022 +0800 kexec: clean up arch_kexec_kernel_verify_sig [ Upstream commit 689a71493bd2f31c024f8c0395f85a1fd4b2138e ] Before commit 105e10e2cf1c ("kexec_file: drop weak attribute from functions"), there was already no arch-specific implementation of arch_kexec_kernel_verify_sig. With weak attribute dropped by that commit, arch_kexec_kernel_verify_sig is completely useless. So clean it up. Note later patches are dependent on this patch so it should be backported to the stable tree as well. Cc: stable@vger.kernel.org Suggested-by: Eric W. Biederman Reviewed-by: Michal Suchanek Acked-by: Baoquan He Signed-off-by: Coiby Xu [zohar@linux.ibm.com: reworded patch description "Note"] Link: https://lore.kernel.org/linux-integrity/20220714134027.394370-1-coxu@redhat.com/ Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit 08f7483635ae536ec12682234a7efea7f5d052d8 Author: Naveen N. Rao Date: Fri Jul 1 13:04:04 2022 +0530 kexec_file: drop weak attribute from functions [ Upstream commit 65d9a9a60fd71be964effb2e94747a6acb6e7015 ] As requested (http://lkml.kernel.org/r/87ee0q7b92.fsf@email.froward.int.ebiederm.org), this series converts weak functions in kexec to use the #ifdef approach. Quoting the 3e35142ef99fe ("kexec_file: drop weak attribute from arch_kexec_apply_relocations[_add]") changelog: : Since commit d1bcae833b32f1 ("ELF: Don't generate unused section symbols") : [1], binutils (v2.36+) started dropping section symbols that it thought : were unused. This isn't an issue in general, but with kexec_file.c, gcc : is placing kexec_arch_apply_relocations[_add] into a separate : .text.unlikely section and the section symbol ".text.unlikely" is being : dropped. Due to this, recordmcount is unable to find a non-weak symbol in : .text.unlikely to generate a relocation record against. This patch (of 2); Drop __weak attribute from functions in kexec_file.c: - arch_kexec_kernel_image_probe() - arch_kimage_file_post_load_cleanup() - arch_kexec_kernel_image_load() - arch_kexec_locate_mem_hole() - arch_kexec_kernel_verify_sig() arch_kexec_kernel_image_load() calls into kexec_image_load_default(), so drop the static attribute for the latter. arch_kexec_kernel_verify_sig() is not overridden by any architecture, so drop the __weak attribute. Link: https://lkml.kernel.org/r/cover.1656659357.git.naveen.n.rao@linux.vnet.ibm.com Link: https://lkml.kernel.org/r/2cd7ca1fe4d6bb6ca38e3283c717878388ed6788.1656659357.git.naveen.n.rao@linux.vnet.ibm.com Signed-off-by: Naveen N. Rao Suggested-by: Eric Biederman Signed-off-by: Andrew Morton Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit 7c5917256d7984926e21a80f6b957c69d6e674fd Author: Mikulas Patocka Date: Wed Jul 13 07:09:04 2022 -0400 dm writecache: set a default MAX_WRITEBACK_JOBS [ Upstream commit ca7dc242e358e46d963b32f9d9dd829785a9e957 ] dm-writecache has the capability to limit the number of writeback jobs in progress. However, this feature was off by default. As such there were some out-of-memory crashes observed when lowering the low watermark while the cache is full. This commit enables writeback limit by default. It is set to 256MiB or 1/16 of total system memory, whichever is smaller. Cc: stable@vger.kernel.org Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 374eece193d05937345be6af1ef28dfb2473049b Author: Robert Marko Date: Thu Jun 23 17:50:03 2022 +0200 PCI: qcom: Power on PHY before IPQ8074 DBI register accesses [ Upstream commit a0e43bb9973b06ce5c666f0901e104e2037c1b34 ] Currently the Gen2 port in IPQ8074 will cause the system to hang as it accesses DBI registers in qcom_pcie_init_2_3_3(), and those are only accesible after phy_power_on(). Move the DBI read/writes to a new qcom_pcie_post_init_2_3_3(), which is executed after phy_power_on(). Link: https://lore.kernel.org/r/20220623155004.688090-1-robimarko@gmail.com Fixes: a0fd361db8e5 ("PCI: dwc: Move "dbi", "dbi2", and "addr_space" resource setup into common code") Signed-off-by: Robert Marko Signed-off-by: Bjorn Helgaas Reviewed-by: Dmitry Baryshkov Cc: stable@vger.kernel.org # v5.11+ Signed-off-by: Sasha Levin commit 54bc741a876ccca0f58b826d2dfa578cce8174ea Author: Mohamed Khalfella Date: Mon May 9 18:14:41 2022 +0000 PCI/AER: Iterate over error counters instead of error strings [ Upstream commit 5e6ae050955b566484f3cc6a66e3925eae87a0ed ] Previously we iterated over AER stat *names*, e.g., aer_correctable_error_string[32], but the actual stat *counters* may not be that large, e.g., pdev->aer_stats->dev_cor_errs[16], which means that we printed junk in the sysfs stats files. Iterate over the stat counter arrays instead of the names to avoid this junk. Also, added a build time check to make sure all counters have entries in strings array. Fixes: 0678e3109a3c ("PCI/AER: Simplify __aer_print_error()") Link: https://lore.kernel.org/r/20220509181441.31884-1-mkhalfella@purestorage.com Reported-by: Meeta Saggi Signed-off-by: Mohamed Khalfella Signed-off-by: Bjorn Helgaas Reviewed-by: Meeta Saggi Reviewed-by: Eric Badger Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit c2304c50f4d94f56c2e326f25c9dc8cf2ba6f5fa Author: Alexander Lobakin Date: Tue Jul 12 17:38:36 2022 +0200 iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE) [ Upstream commit b0b0b77ea611e3088e9523e60860f4f41b62b235 ] KASAN reports: [ 4.668325][ T0] BUG: KASAN: wild-memory-access in dmar_parse_one_rhsa (arch/x86/include/asm/bitops.h:214 arch/x86/include/asm/bitops.h:226 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/nodemask.h:415 drivers/iommu/intel/dmar.c:497) [ 4.676149][ T0] Read of size 8 at addr 1fffffff85115558 by task swapper/0/0 [ 4.683454][ T0] [ 4.685638][ T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-rc3-00004-g0e862838f290 #1 [ 4.694331][ T0] Hardware name: Supermicro SYS-5018D-FN4T/X10SDV-8C-TLN4F, BIOS 1.1 03/02/2016 [ 4.703196][ T0] Call Trace: [ 4.706334][ T0] [ 4.709133][ T0] ? dmar_parse_one_rhsa (arch/x86/include/asm/bitops.h:214 arch/x86/include/asm/bitops.h:226 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/nodemask.h:415 drivers/iommu/intel/dmar.c:497) after converting the type of the first argument (@nr, bit number) of arch_test_bit() from `long` to `unsigned long`[0]. Under certain conditions (for example, when ACPI NUMA is disabled via command line), pxm_to_node() can return %NUMA_NO_NODE (-1). It is valid 'magic' number of NUMA node, but not valid bit number to use in bitops. node_online() eventually descends to test_bit() without checking for the input, assuming it's on caller side (which might be good for perf-critical tasks). There, -1 becomes %ULONG_MAX which leads to an insane array index when calculating bit position in memory. For now, add an explicit check for @node being not %NUMA_NO_NODE before calling test_bit(). The actual logics didn't change here at all. [0] https://github.com/norov/linux/commit/0e862838f290147ea9c16db852d8d494b552d38d Fixes: ee34b32d8c29 ("dmar: support for parsing Remapping Hardware Static Affinity structure") Cc: stable@vger.kernel.org # 2.6.33+ Reported-by: kernel test robot Signed-off-by: Alexander Lobakin Reviewed-by: Andy Shevchenko Reviewed-by: Lu Baolu Signed-off-by: Yury Norov Signed-off-by: Sasha Levin commit 010fc77570b5858a054b2d9baad1feec1cbf6d6d Author: Sean Christopherson Date: Thu May 12 22:27:14 2022 +0000 KVM: x86: Signal #GP, not -EPERM, on bad WRMSR(MCi_CTL/STATUS) [ Upstream commit 2368048bf5c2ec4b604ac3431564071e89a0bc71 ] Return '1', not '-1', when handling an illegal WRMSR to a MCi_CTL or MCi_STATUS MSR. The behavior of "all zeros' or "all ones" for CTL MSRs is architectural, as is the "only zeros" behavior for STATUS MSRs. I.e. the intent is to inject a #GP, not exit to userspace due to an unhandled emulation case. Returning '-1' gets interpreted as -EPERM up the stack and effecitvely kills the guest. Fixes: 890ca9aefa78 ("KVM: Add MCE support") Fixes: 9ffd986c6e4e ("KVM: X86: #GP when guest attempts to write MCi_STATUS register w/o 0") Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Reviewed-by: Jim Mattson Link: https://lore.kernel.org/r/20220512222716.4112548-2-seanjc@google.com Signed-off-by: Sasha Levin commit 4b9637cd89d9f87364e35657a2489002320de71f Author: Lev Kujawski Date: Sat May 21 08:15:11 2022 +0000 KVM: set_msr_mce: Permit guests to ignore single-bit ECC errors [ Upstream commit 0471a7bd1bca2a47a5f378f2222c5cf39ce94152 ] Certain guest operating systems (e.g., UNIXWARE) clear bit 0 of MC1_CTL to ignore single-bit ECC data errors. Single-bit ECC data errors are always correctable and thus are safe to ignore because they are informational in nature rather than signaling a loss of data integrity. Prior to this patch, these guests would crash upon writing MC1_CTL, with resultant error messages like the following: error: kvm run failed Operation not permitted EAX=fffffffe EBX=fffffffe ECX=00000404 EDX=ffffffff ESI=ffffffff EDI=00000001 EBP=fffdaba4 ESP=fffdab20 EIP=c01333a5 EFL=00000246 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0 ES =0108 00000000 ffffffff 00c09300 DPL=0 DS [-WA] CS =0100 00000000 ffffffff 00c09b00 DPL=0 CS32 [-RA] SS =0108 00000000 ffffffff 00c09300 DPL=0 DS [-WA] DS =0108 00000000 ffffffff 00c09300 DPL=0 DS [-WA] FS =0000 00000000 ffffffff 00c00000 GS =0000 00000000 ffffffff 00c00000 LDT=0118 c1026390 00000047 00008200 DPL=0 LDT TR =0110 ffff5af0 00000067 00008b00 DPL=0 TSS32-busy GDT= ffff5020 000002cf IDT= ffff52f0 000007ff CR0=8001003b CR2=00000000 CR3=0100a000 CR4=00000230 DR0=00000000 DR1=00000000 DR2=00000000 DR3=00000000 DR6=ffff0ff0 DR7=00000400 EFER=0000000000000000 Code=08 89 01 89 51 04 c3 8b 4c 24 08 8b 01 8b 51 04 8b 4c 24 04 <0f> 30 c3 f7 05 a4 6d ff ff 10 00 00 00 74 03 0f 31 c3 33 c0 33 d2 c3 8d 74 26 00 0f 31 c3 Signed-off-by: Lev Kujawski Message-Id: <20220521081511.187388-1-lkujaw@member.fsf.org> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit cb604d1c53e6993ea766f44b7e830699fe6ae796 Author: Alexander Shishkin Date: Tue Jul 5 11:26:37 2022 +0300 intel_th: pci: Add Raptor Lake-S CPU support [ Upstream commit ff46a601afc5a66a81c3945b83d0a2caeb88e8bc ] Add support for the Trace Hub in Raptor Lake-S CPU. Reviewed-by: Andy Shevchenko Cc: stable Signed-off-by: Alexander Shishkin Link: https://lore.kernel.org/r/20220705082637.59979-7-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c0fd76f69b720b9038752bf180e0bb0825587238 Author: Alexander Shishkin Date: Tue Jul 5 11:26:36 2022 +0300 intel_th: pci: Add Raptor Lake-S PCH support [ Upstream commit 23e2de5826e2fc4dd43e08bab3a2ea1a5338b063 ] Add support for the Trace Hub in Raptor Lake-S PCH. Reviewed-by: Andy Shevchenko Cc: stable Signed-off-by: Alexander Shishkin Link: https://lore.kernel.org/r/20220705082637.59979-6-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 03c14650165d1a96da117485efb8c255570f078d Author: Alexander Shishkin Date: Tue Jul 5 11:26:35 2022 +0300 intel_th: pci: Add Meteor Lake-P support [ Upstream commit 802a9a0b1d91274ef10d9fe429b4cc1e8c200aef ] Add support for the Trace Hub in Meteor Lake-P. Reviewed-by: Andy Shevchenko Cc: stable Signed-off-by: Alexander Shishkin Link: https://lore.kernel.org/r/20220705082637.59979-5-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 4f2d7b46d6b53c07f44a4f8f8f4438888f0e9e87 Author: Sudeep Holla Date: Fri Jul 1 17:03:10 2022 +0100 firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails [ Upstream commit 689640efc0a2c4e07e6f88affe6d42cd40cc3f85 ] When scpi probe fails, at any point, we need to ensure that the scpi_info is not set and will remain NULL until the probe succeeds. If it is not taken care, then it could result use-after-free as the value is exported via get_scpi_ops() and could refer to a memory allocated via devm_kzalloc() but freed when the probe fails. Link: https://lore.kernel.org/r/20220701160310.148344-1-sudeep.holla@arm.com Cc: stable@vger.kernel.org # 4.19+ Reported-by: huhai Reviewed-by: Jackie Liu Signed-off-by: Sudeep Holla Signed-off-by: Sasha Levin commit 071b21aac7896306d293f83667afac774ec2cacb Author: Jason A. Donenfeld Date: Sat May 28 21:44:07 2022 +0200 crypto: blake2s - remove shash module [ Upstream commit 2d16803c562ecc644803d42ba98a8e0aef9c014e ] BLAKE2s has no currently known use as an shash. Just remove all of this unnecessary plumbing. Removing this shash was something we talked about back when we were making BLAKE2s a built-in, but I simply never got around to doing it. So this completes that project. Importantly, this fixs a bug in which the lib code depends on crypto_simd_disabled_for_test, causing linker errors. Also add more alignment tests to the selftests and compare SIMD and non-SIMD compression functions, to make up for what we lose from testmgr.c. Reported-by: gaochao Cc: Eric Biggers Cc: Ard Biesheuvel Cc: stable@vger.kernel.org Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in") Signed-off-by: Jason A. Donenfeld Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 6013ce2472f33d4ae184418de110fd1c263a060d Author: Jitao Shi Date: Fri May 20 10:00:06 2022 +0800 drm/mediatek: Keep dsi as LP00 before dcs cmds transfer [ Upstream commit 39e8d062b03c3dc257d880d82bd55cdd9e185a3b ] To comply with the panel sequence, hold the mipi signal to LP00 before the dcs cmds transmission, and pull the mipi signal high from LP00 to LP11 until the start of the dcs cmds transmission. The normal panel timing is : (1) pp1800 DC pull up (2) avdd & avee AC pull high (3) lcm_reset pull high -> pull low -> pull high (4) Pull MIPI signal high (LP11) -> initial code -> send video data (HS mode) The power-off sequence is reversed. If dsi is not in cmd mode, then dsi will pull the mipi signal high in the mtk_output_dsi_enable function. The delay in lane_ready func is the reaction time of dsi_rx after pulling up the mipi signal. Fixes: 2dd8075d2185 ("drm/mediatek: mtk_dsi: Use the drm_panel_bridge API") Link: https://patchwork.kernel.org/project/linux-mediatek/patch/1653012007-11854-4-git-send-email-xinlei.lee@mediatek.com/ Cc: # 5.10.x: 7f6335c6a258: drm/mediatek: Modify dsi funcs to atomic operations Cc: # 5.10.x: cde7e2e35c28: drm/mediatek: Separate poweron/poweroff from enable/disable and define new funcs Cc: # 5.10.x Signed-off-by: Jitao Shi Signed-off-by: Xinlei Lee Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Rex-BC Chen Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit 03c8facf9dcbee13e169b8b6d82af55ab4119173 Author: Phil Auld Date: Fri Jul 15 09:49:24 2022 -0400 drivers/base: fix userspace break from using bin_attributes for cpumap and cpulist commit 7ee951acd31a88f941fd6535fbdee3a1567f1d63 upstream. Using bin_attributes with a 0 size causes fstat and friends to return that 0 size. This breaks userspace code that retrieves the size before reading the file. Rather than reverting 75bd50fa841 ("drivers/base/node.c: use bin_attribute to break the size limitation of cpumap ABI") let's put in a size value at compile time. For cpulist the maximum size is on the order of NR_CPUS * (ceil(log10(NR_CPUS)) + 1)/2 which for 8192 is 20480 (8192 * 5)/2. In order to get near that you'd need a system with every other CPU on one node. For example: (0,2,4,8, ... ). To simplify the math and support larger NR_CPUS in the future we are using (NR_CPUS * 7)/2. We also set it to a min of PAGE_SIZE to retain the older behavior for smaller NR_CPUS. The cpumap file the size works out to be NR_CPUS/4 + NR_CPUS/32 - 1 (or NR_CPUS * 9/32 - 1) including the ","s. Add a set of macros for these values to cpumask.h so they can be used in multiple places. Apply these to the handful of such files in drivers/base/topology.c as well as node.c. As an example, on an 80 cpu 4-node system (NR_CPUS == 8192): before: -r--r--r--. 1 root root 0 Jul 12 14:08 system/node/node0/cpulist -r--r--r--. 1 root root 0 Jul 11 17:25 system/node/node0/cpumap after: -r--r--r--. 1 root root 28672 Jul 13 11:32 system/node/node0/cpulist -r--r--r--. 1 root root 4096 Jul 13 11:31 system/node/node0/cpumap CONFIG_NR_CPUS = 16384 -r--r--r--. 1 root root 57344 Jul 13 14:03 system/node/node0/cpulist -r--r--r--. 1 root root 4607 Jul 13 14:02 system/node/node0/cpumap The actual number of cpus doesn't matter for the reported size since they are based on NR_CPUS. Fixes: 75bd50fa841d ("drivers/base/node.c: use bin_attribute to break the size limitation of cpumap ABI") Fixes: bb9ec13d156e ("topology: use bin_attribute to break the size limitation of cpumap ABI") Cc: Greg Kroah-Hartman Cc: "Rafael J. Wysocki" Cc: Yury Norov Cc: stable@vger.kernel.org Acked-by: Yury Norov (for include/linux/cpumask.h) Signed-off-by: Phil Auld Link: https://lore.kernel.org/r/20220715134924.3466194-1-pauld@redhat.com Signed-off-by: Greg Kroah-Hartman commit e622f144b624655aeb59667854552f717aa26c3e Author: Guo Ren Date: Sun Jul 31 22:34:24 2022 -0400 csky: abiv1: Fixup compile error commit 45fef4c4b9c94e86d9c13f0b2e7e71bb32254509 upstream. LD vmlinux.o arch/csky/lib/string.o: In function `memmove': string.c:(.text+0x108): multiple definition of `memmove' lib/string.o:string.c:(.text+0x7e8): first defined here arch/csky/lib/string.o: In function `memset': string.c:(.text+0x148): multiple definition of `memset' lib/string.o:string.c:(.text+0x2ac): first defined here scripts/Makefile.vmlinux_o:68: recipe for target 'vmlinux.o' failed make[4]: *** [vmlinux.o] Error 1 Fixes: e4df2d5e852a ("csky: Add C based string functions") Signed-off-by: Guo Ren Signed-off-by: Guo Ren Cc: Signed-off-by: Greg Kroah-Hartman commit 504090815c1ad3fd3fa34618b54d706727f8911c Author: David Collins Date: Mon Jun 27 16:55:12 2022 -0700 spmi: trace: fix stack-out-of-bound access in SPMI tracing functions commit 2af28b241eea816e6f7668d1954f15894b45d7e3 upstream. trace_spmi_write_begin() and trace_spmi_read_end() both call memcpy() with a length of "len + 1". This leads to one extra byte being read beyond the end of the specified buffer. Fix this out-of-bound memory access by using a length of "len" instead. Here is a KASAN log showing the issue: BUG: KASAN: stack-out-of-bounds in trace_event_raw_event_spmi_read_end+0x1d0/0x234 Read of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314 ... Call trace: dump_backtrace+0x0/0x3e8 show_stack+0x2c/0x3c dump_stack_lvl+0xdc/0x11c print_address_description+0x74/0x384 kasan_report+0x188/0x268 kasan_check_range+0x270/0x2b0 memcpy+0x90/0xe8 trace_event_raw_event_spmi_read_end+0x1d0/0x234 spmi_read_cmd+0x294/0x3ac spmi_ext_register_readl+0x84/0x9c regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi] _regmap_raw_read+0x40c/0x754 regmap_raw_read+0x3a0/0x514 regmap_bulk_read+0x418/0x494 adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3] ... __arm64_sys_read+0x4c/0x60 invoke_syscall+0x80/0x218 el0_svc_common+0xec/0x1c8 ... addr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at offset 32 in frame: adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3] this frame has 1 object: [32, 33) 'status' Memory state around the buggy address: ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00 ^ ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00 ================================================================== Fixes: a9fce374815d ("spmi: add command tracepoints for SPMI") Cc: stable@vger.kernel.org Reviewed-by: Stephen Boyd Acked-by: Steven Rostedt (Google) Signed-off-by: David Collins Link: https://lore.kernel.org/r/20220627235512.2272783-1-quic_collinsd@quicinc.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 6fc0b164bbc3c772152b67038464a6324fb688ce Author: Al Viro Date: Mon Jul 4 17:26:29 2022 -0400 __follow_mount_rcu(): verify that mount_lock remains unchanged commit 20aac6c60981f5bfacd66661d090d907bf1482f0 upstream. Validate mount_lock seqcount as soon as we cross into mount in RCU mode. Sure, ->mnt_root is pinned and will remain so until we do rcu_read_unlock() anyway, and we will eventually fail to unlazy if the mount_lock had been touched, but we might run into a hard error (e.g. -ENOENT) before trying to unlazy. And it's possible to end up with RCU pathwalk racing with rename() and umount() in a way that would fail with -ENOENT while non-RCU pathwalk would've succeeded with any timings. Once upon a time we hadn't needed that, but analysis had been subtle, brittle and went out of window as soon as RENAME_EXCHANGE had been added. It's narrow, hard to hit and won't get you anything other than stray -ENOENT that could be arranged in much easier way with the same priveleges, but it's a bug all the same. Cc: stable@kernel.org X-sky-is-falling: unlikely Fixes: da1ce0670c14 "vfs: add cross-rename" Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 950ce0155696e0219d441e87fdba8224d725eddb Author: Xie Shaowen Date: Tue Aug 2 15:20:33 2022 +0800 Input: gscps2 - check return value of ioremap() in gscps2_probe() commit e61b3125a4f036b3c6b87ffd656fc1ab00440ae9 upstream. The function ioremap() in gscps2_probe() can fail, so its return value should be checked. Fixes: 4bdc0d676a643 ("remove ioremap_nocache and devm_ioremap_nocache") Cc: # v5.6+ Reported-by: Hacash Robot Signed-off-by: Xie Shaowen Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit b2fc1723eb65abb83e00d5f011de670296af0b28 Author: Thadeu Lima de Souza Cascardo Date: Tue Aug 9 14:07:51 2022 -0300 posix-cpu-timers: Cleanup CPU timers before freeing them during exec commit e362359ace6f87c201531872486ff295df306d13 upstream. Commit 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not a task") started looking up tasks by PID when deleting a CPU timer. When a non-leader thread calls execve, it will switch PIDs with the leader process. Then, as it calls exit_itimers, posix_cpu_timer_del cannot find the task because the timer still points out to the old PID. That means that armed timers won't be disarmed, that is, they won't be removed from the timerqueue_list. exit_itimers will still release their memory, and when that list is later processed, it leads to a use-after-free. Clean up the timers from the de-threaded task before freeing them. This prevents a reported use-after-free. Fixes: 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not a task") Signed-off-by: Thadeu Lima de Souza Cascardo Signed-off-by: Thomas Gleixner Reviewed-by: Thomas Gleixner Cc: Link: https://lore.kernel.org/r/20220809170751.164716-1-cascardo@canonical.com Signed-off-by: Greg Kroah-Hartman commit 508b99039bc4338cfe336ab1c7e2371e2e41824f Author: Bharath SM Date: Thu Aug 11 19:46:11 2022 +0000 SMB3: fix lease break timeout when multiple deferred close handles for the same file. commit 9e31678fb403eae0f4fe37c6374be098835c73cd upstream. Solution is to send lease break ack immediately even in case of deferred close handles to avoid lease break request timing out and let deferred closed handle gets closed as scheduled. Later patches could optimize cases where we then close some of these handles sooner for the cases where lease break is to 'none' Cc: stable@kernel.org Signed-off-by: Bharath SM Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 799e4f9aab8044eece95d58dadf3242527bedccc Author: Alexander Lobakin Date: Fri Jul 15 17:15:36 2022 +0200 x86/olpc: fix 'logical not is only applied to the left hand side' commit 3a2ba42cbd0b669ce3837ba400905f93dd06c79f upstream. The bitops compile-time optimization series revealed one more problem in olpc-xo1-sci.c:send_ebook_state(), resulted in GCC warnings: arch/x86/platform/olpc/olpc-xo1-sci.c: In function 'send_ebook_state': arch/x86/platform/olpc/olpc-xo1-sci.c:83:63: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] 83 | if (!!test_bit(SW_TABLET_MODE, ebook_switch_idev->sw) == state) | ^~ arch/x86/platform/olpc/olpc-xo1-sci.c:83:13: note: add parentheses around left hand side expression to silence this warning Despite this code working as intended, this redundant double negation of boolean value, together with comparing to `char` with no explicit conversion to bool, makes compilers think the author made some unintentional logical mistakes here. Make it the other way around and negate the char instead to silence the warnings. Fixes: d2aa37411b8e ("x86/olpc/xo1/sci: Produce wakeup events for buttons and switches") Cc: stable@vger.kernel.org # 3.5+ Reported-by: Guenter Roeck Reported-by: kernel test robot Reviewed-and-tested-by: Guenter Roeck Signed-off-by: Alexander Lobakin Signed-off-by: Yury Norov Signed-off-by: Greg Kroah-Hartman commit 663cdda2716b70751df9c7e60b81bd0850fdfe3c Author: Masami Hiramatsu (Google) Date: Tue Aug 2 15:04:16 2022 +0900 x86/kprobes: Update kcb status flag after singlestepping commit dec8784c9088b131a1523f582c2194cfc8107dc0 upstream. Fix kprobes to update kcb (kprobes control block) status flag to KPROBE_HIT_SSDONE even if the kp->post_handler is not set. This bug may cause a kernel panic if another INT3 user runs right after kprobes because kprobe_int3_handler() misunderstands the INT3 is kprobe's single stepping INT3. Fixes: 6256e668b7af ("x86/kprobes: Use int3 instead of debug trap for single-step") Reported-by: Daniel Müller Signed-off-by: Masami Hiramatsu (Google) Signed-off-by: Ingo Molnar Tested-by: Daniel Müller Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20220727210136.jjgc3lpqeq42yr3m@muellerd-fedora-PC2BDTX9 Link: https://lore.kernel.org/r/165942025658.342061.12452378391879093249.stgit@devnote2 Signed-off-by: Greg Kroah-Hartman commit 7353c797f79443395dd56f1ac9e2ef58eca02abb Author: Steven Rostedt (Google) Date: Tue Jul 26 10:18:51 2022 -0400 ftrace/x86: Add back ftrace_expected assignment commit ac6c1b2ca77e722a1e5d651f12f437f2f237e658 upstream. When a ftrace_bug happens (where ftrace fails to modify a location) it is helpful to have what was at that location as well as what was expected to be there. But with the conversion to text_poke() the variable that assigns the expected for debugging was dropped. Unfortunately, I noticed this when I needed it. Add it back. Link: https://lkml.kernel.org/r/20220726101851.069d2e70@gandalf.local.home Cc: "x86@kernel.org" Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: Andrew Morton Cc: stable@vger.kernel.org Fixes: 768ae4406a5c ("x86/ftrace: Use text_poke()") Signed-off-by: Steven Rostedt (Google) Signed-off-by: Greg Kroah-Hartman commit 4a1d77bafcbe5fa4be87df459a88c9468673a5b4 Author: Kim Phillips Date: Mon Aug 8 09:32:33 2022 -0500 x86/bugs: Enable STIBP for IBPB mitigated RETBleed commit e6cfcdda8cbe81eaf821c897369a65fec987b404 upstream. AMD's "Technical Guidance for Mitigating Branch Type Confusion, Rev. 1.0 2022-07-12" whitepaper, under section 6.1.2 "IBPB On Privileged Mode Entry / SMT Safety" says: Similar to the Jmp2Ret mitigation, if the code on the sibling thread cannot be trusted, software should set STIBP to 1 or disable SMT to ensure SMT safety when using this mitigation. So, like already being done for retbleed=unret, and now also for retbleed=ibpb, force STIBP on machines that have it, and report its SMT vulnerability status accordingly. [ bp: Remove the "we" and remove "[AMD]" applicability parameter which doesn't work here. ] Fixes: 3ebc17006888 ("x86/bugs: Add retbleed=ibpb") Signed-off-by: Kim Phillips Signed-off-by: Borislav Petkov Cc: stable@vger.kernel.org # 5.10, 5.15, 5.19 Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537 Link: https://lore.kernel.org/r/20220804192201.439596-1-kim.phillips@amd.com Signed-off-by: Greg Kroah-Hartman commit b662279708751baea3f55c5c158614c3f5dee2ee Author: Paulo Alcantara Date: Mon Aug 8 13:41:18 2022 -0300 cifs: fix lock length calculation commit 773891ffd4d628d05c4e22f34541e4779ee7a076 upstream. The lock length was wrongly set to 0 when fl_end == OFFSET_MAX, thus failing to lock the whole file when l_start=0 and l_len=0. This fixes test 2 from cthon04. Before patch: $ ./cthon04/lock/tlocklfs -t 2 /mnt Creating parent/child synchronization pipes. Test #1 - Test regions of an unlocked file. Parent: 1.1 - F_TEST [ 0, 1] PASSED. Parent: 1.2 - F_TEST [ 0, ENDING] PASSED. Parent: 1.3 - F_TEST [ 0,7fffffffffffffff] PASSED. Parent: 1.4 - F_TEST [ 1, 1] PASSED. Parent: 1.5 - F_TEST [ 1, ENDING] PASSED. Parent: 1.6 - F_TEST [ 1,7fffffffffffffff] PASSED. Parent: 1.7 - F_TEST [7fffffffffffffff, 1] PASSED. Parent: 1.8 - F_TEST [7fffffffffffffff, ENDING] PASSED. Parent: 1.9 - F_TEST [7fffffffffffffff,7fffffffffffffff] PASSED. Test #2 - Try to lock the whole file. Parent: 2.0 - F_TLOCK [ 0, ENDING] PASSED. Child: 2.1 - F_TEST [ 0, 1] FAILED! Child: **** Expected EACCES, returned success... Child: **** Probably implementation error. ** CHILD pass 1 results: 0/0 pass, 0/0 warn, 1/1 fail (pass/total). Parent: Child died ** PARENT pass 1 results: 10/10 pass, 0/0 warn, 0/0 fail (pass/total). After patch: $ ./cthon04/lock/tlocklfs -t 2 /mnt Creating parent/child synchronization pipes. Test #2 - Try to lock the whole file. Parent: 2.0 - F_TLOCK [ 0, ENDING] PASSED. Child: 2.1 - F_TEST [ 0, 1] PASSED. Child: 2.2 - F_TEST [ 0, ENDING] PASSED. Child: 2.3 - F_TEST [ 0,7fffffffffffffff] PASSED. Child: 2.4 - F_TEST [ 1, 1] PASSED. Child: 2.5 - F_TEST [ 1, ENDING] PASSED. Child: 2.6 - F_TEST [ 1,7fffffffffffffff] PASSED. Child: 2.7 - F_TEST [7fffffffffffffff, 1] PASSED. Child: 2.8 - F_TEST [7fffffffffffffff, ENDING] PASSED. Child: 2.9 - F_TEST [7fffffffffffffff,7fffffffffffffff] PASSED. Parent: 2.10 - F_ULOCK [ 0, ENDING] PASSED. ** PARENT pass 1 results: 2/2 pass, 0/0 warn, 0/0 fail (pass/total). ** CHILD pass 1 results: 9/9 pass, 0/0 warn, 0/0 fail (pass/total). Fixes: d80c69846ddf ("cifs: fix signed integer overflow when fl_end is OFFSET_MAX") Reported-by: Xiaoli Feng Cc: Signed-off-by: Paulo Alcantara (SUSE) Reviewed-by: Ronnie Sahlberg Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit b76d3c729ce07a14822fbe6c64081d10b78e7bf2 Author: Arun Easi Date: Wed Jun 15 22:35:03 2022 -0700 scsi: qla2xxx: Fix losing FCP-2 targets during port perturbation tests commit 58d1c124cd79ea686b512043c5bd515590b2ed95 upstream. When a mix of FCP-2 (tape) and non-FCP-2 targets are present, FCP-2 target state was incorrectly transitioned when both of the targets were gone. Fix this by ignoring state transition for FCP-2 targets. Link: https://lore.kernel.org/r/20220616053508.27186-7-njavali@marvell.com Fixes: 44c57f205876 ("scsi: qla2xxx: Changes to support FCP2 Target") Cc: stable@vger.kernel.org Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 326777057854f7e09a7ec191dc8fafc11e10d240 Author: Arun Easi Date: Wed Jun 15 22:35:04 2022 -0700 scsi: qla2xxx: Fix losing target when it reappears during delete commit 118b0c863c8f5629cc5271fc24d72d926e0715d9 upstream. FC target disappeared during port perturbation tests due to a race that tramples target state. Fix the issue by adding state checks before proceeding. Link: https://lore.kernel.org/r/20220616053508.27186-8-njavali@marvell.com Fixes: 44c57f205876 ("scsi: qla2xxx: Changes to support FCP2 Target") Cc: stable@vger.kernel.org Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 11e9db717bf1c84f8a16095d43c3c38c3901be17 Author: Arun Easi Date: Wed Jun 15 22:35:06 2022 -0700 scsi: qla2xxx: Fix losing FCP-2 targets on long port disable with I/Os commit 2416ccd3815ba1613e10a6da0a24ef21acfe5633 upstream. FCP-2 devices were not coming back online once they were lost, login retries exhausted, and then came back up. Fix this by accepting RSCN when the device is not online. Link: https://lore.kernel.org/r/20220616053508.27186-10-njavali@marvell.com Fixes: 44c57f205876 ("scsi: qla2xxx: Changes to support FCP2 Target") Cc: stable@vger.kernel.org Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit dc07af0e7c65654de12ce4881e508873a95c5c5b Author: Quinn Tran Date: Wed Jun 15 22:35:00 2022 -0700 scsi: qla2xxx: Wind down adapter after PCIe error commit d3117c83ba316b3200d9f2fe900f2b9a5525a25c upstream. Put adapter into a wind down state if OS does not make any attempt to recover the adapter after PCIe error. Link: https://lore.kernel.org/r/20220616053508.27186-4-njavali@marvell.com Cc: stable@vger.kernel.org Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit c3a824d061aa45872260f4f88f64448e24cfee6c Author: Quinn Tran Date: Wed Jun 15 22:35:07 2022 -0700 scsi: qla2xxx: Fix erroneous mailbox timeout after PCI error injection commit f260694e6463b63ae550aad25ddefe94cb1904da upstream. Clear wait for mailbox interrupt flag to prevent stale mailbox: Feb 22 05:22:56 ltcden4-lp7 kernel: qla2xxx [0135:90:00.1]-500a:4: LOOP UP detected (16 Gbps). Feb 22 05:22:59 ltcden4-lp7 kernel: qla2xxx [0135:90:00.1]-d04c:4: MBX Command timeout for cmd 69, ... To fix the issue, driver needs to clear the MBX_INTR_WAIT flag on purging the mailbox. When the stale mailbox completion does arrive, it will be dropped. Link: https://lore.kernel.org/r/20220616053508.27186-11-njavali@marvell.com Fixes: b6faaaf796d7 ("scsi: qla2xxx: Serialize mailbox request") Cc: Naresh Bannoth Cc: Kyle Mahlkuch Cc: stable@vger.kernel.org Reported-by: Naresh Bannoth Tested-by: Naresh Bannoth Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 79b2ac420c3a551d04ffda51a4222dca800bd0d9 Author: Arun Easi Date: Wed Jun 15 22:34:58 2022 -0700 scsi: qla2xxx: Fix excessive I/O error messages by default commit bff4873c709085e09d0ffae0c25b8e65256e3205 upstream. Disable printing I/O error messages by default. The messages will be printed only when logging was enabled. Link: https://lore.kernel.org/r/20220616053508.27186-2-njavali@marvell.com Fixes: 8e2d81c6b5be ("scsi: qla2xxx: Fix excessive messages during device logout") Cc: stable@vger.kernel.org Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 7dcd49c42b14717dd668fd73b503d241fdf82439 Author: Arun Easi Date: Wed Jun 15 22:35:02 2022 -0700 scsi: qla2xxx: Fix crash due to stale SRB access around I/O timeouts commit c39587bc0abaf16593f7abcdf8aeec3c038c7d52 upstream. Ensure SRB is returned during I/O timeout error escalation. If that is not possible fail the escalation path. Following crash stack was seen: BUG: unable to handle kernel paging request at 0000002f56aa90f8 IP: qla_chk_edif_rx_sa_delete_pending+0x14/0x30 [qla2xxx] Call Trace: ? qla2x00_status_entry+0x19f/0x1c50 [qla2xxx] ? qla2x00_start_sp+0x116/0x1170 [qla2xxx] ? dma_pool_alloc+0x1d6/0x210 ? mempool_alloc+0x54/0x130 ? qla24xx_process_response_queue+0x548/0x12b0 [qla2xxx] ? qla_do_work+0x2d/0x40 [qla2xxx] ? process_one_work+0x14c/0x390 Link: https://lore.kernel.org/r/20220616053508.27186-6-njavali@marvell.com Fixes: d74595278f4a ("scsi: qla2xxx: Add multiple queue pair functionality.") Cc: stable@vger.kernel.org Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit b16f0327fff2b76e49218665abf9b02983fbc7fa Author: Quinn Tran Date: Wed Jun 15 22:35:01 2022 -0700 scsi: qla2xxx: Turn off multi-queue for 8G adapters commit 5304673bdb1635e27555bd636fd5d6956f1cd552 upstream. For 8G adapters, multi-queue was enabled accidentally. Make sure multi-queue is not enabled. Link: https://lore.kernel.org/r/20220616053508.27186-5-njavali@marvell.com Cc: stable@vger.kernel.org Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 182726ce801f498dc638134a24f5f3074016396c Author: Arun Easi Date: Tue Jul 12 22:20:42 2022 -0700 scsi: qla2xxx: Fix discovery issues in FC-AL topology commit 47ccb113cead905bdc236571bf8ac6fed90321b3 upstream. A direct attach tape device, when gets swapped with another, was not discovered. Fix this by looking at loop map and reinitialize link if there are devices present. Link: https://lore.kernel.org/linux-scsi/baef87c3-5dad-3b47-44c1-6914bfc90108@cybernetics.com/ Link: https://lore.kernel.org/r/20220713052045.10683-8-njavali@marvell.com Cc: stable@vger.kernel.org Reported-by: Tony Battersby Tested-by: Tony Battersby Reviewed-by: Himanshu Madhani Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit bff616494e42a73ecfaf2a86b3ad51f1ea06aaea Author: Quinn Tran Date: Tue Jul 12 22:20:41 2022 -0700 scsi: qla2xxx: Fix imbalance vha->vref_count commit 63fa7f2644b4b48e1913af33092c044bf48e9321 upstream. vref_count took an extra decrement in the task management path. Add an extra ref count to compensate the imbalance. Link: https://lore.kernel.org/r/20220713052045.10683-7-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 484ca52c1ca249493899c77fac4eb2552b20bc6e Author: Steffen Maier Date: Fri Jul 29 18:25:29 2022 +0200 scsi: zfcp: Fix missing auto port scan and thus missing target ports commit 4da8c5f76825269f28d6a89fa752934a4bcb6dfa upstream. Case (1): The only waiter on wka_port->completion_wq is zfcp_fc_wka_port_get() trying to open a WKA port. As such it should only be woken up by WKA port *open* responses, not by WKA port close responses. Case (2): A close WKA port response coming in just after having sent a new open WKA port request and before blocking for the open response with wait_event() in zfcp_fc_wka_port_get() erroneously renders the wait_event a NOP because the close handler overwrites wka_port->status. Hence the wait_event condition is erroneously true and it does not enter blocking state. With non-negligible probability, the following time space sequence happens depending on timing without this fix: user process ERP thread zfcp work queue tasklet system work queue ============ ========== =============== ======= ================= $ echo 1 > online zfcp_ccw_set_online zfcp_ccw_activate zfcp_erp_adapter_reopen msleep scan backoff zfcp_erp_strategy | ... | zfcp_erp_action_cleanup | ... | queue delayed scan_work | queue ns_up_work | ns_up_work: | zfcp_fc_wka_port_get | open wka request | open response | GSPN FC-GS | RSPN FC-GS [NPIV-only] | zfcp_fc_wka_port_put | (--wka->refcount==0) | sched delayed wka->work | ~~~Case (1)~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ zfcp_erp_wait flush scan_work | wka->work: | wka->status=CLOSING | close wka request | scan_work: | zfcp_fc_wka_port_get | (wka->status==CLOSING) | wka->status=OPENING | open wka request | wait_event | | close response | | wka->status=OFFLINE | | wake_up /*WRONG*/ ~~~Case (2)~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | wka->work: | wka->status=CLOSING | close wka request zfcp_erp_wait flush scan_work | scan_work: | zfcp_fc_wka_port_get | (wka->status==CLOSING) | wka->status=OPENING | open wka request | close response | wka->status=OFFLINE | wake_up /*WRONG&NOP*/ | wait_event /*NOP*/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | (wka->status!=ONLINE) | return -EIO | return early open response wka->status=ONLINE wake_up /*NOP*/ So we erroneously end up with no automatic port scan. This is a big problem when it happens during boot. The timing is influenced by v3.19 commit 18f87a67e6d6 ("zfcp: auto port scan resiliency"). Fix it by fully mutually excluding zfcp_fc_wka_port_get() and zfcp_fc_wka_port_offline(). For that to work, we make the latter block until we got the response for a close WKA port. In order not to penalize the system workqueue, we move wka_port->work to our own adapter workqueue. Note that before v2.6.30 commit 828bc1212a68 ("[SCSI] zfcp: Set WKA-port to offline on adapter deactivation"), zfcp did block in zfcp_fc_wka_port_offline() as well, but with a different condition. While at it, make non-functional cleanups to improve code reading in zfcp_fc_wka_port_get(). If we cannot send the WKA port open request, don't rely on the subsequent wait_event condition to immediately let this case pass without blocking. Also don't want to rely on the additional condition handling the refcount to be skipped just to finally return with -EIO. Link: https://lore.kernel.org/r/20220729162529.1620730-1-maier@linux.ibm.com Fixes: 5ab944f97e09 ("[SCSI] zfcp: attach and release SAN nameserver port on demand") Cc: #v2.6.28+ Reviewed-by: Benjamin Block Signed-off-by: Steffen Maier Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 9e786e19303d3f2f1440d117c8649c38e6253b29 Author: Peter Wang Date: Wed Jul 27 11:05:26 2022 +0800 scsi: ufs: core: Correct ufshcd_shutdown() flow commit 00511d2abf5708ad05dd5d1c36adb2468d274698 upstream. After ufshcd_wl_shutdown() set device power off and link off, ufshcd_shutdown() could turn off clock/power. Also remove pm_runtime_get_sync. The reason why it is safe to remove pm_runtime_get_sync() is because: - ufshcd_wl_shutdown() -> pm_runtime_get_sync() will resume hba->dev too. - device resume(turn on clk/power) is not required, even if device is in RPM_SUSPENDED. Link: https://lore.kernel.org/r/20220727030526.31022-1-peter.wang@mediatek.com Fixes: b294ff3e3449 ("scsi: ufs: core: Enable power management for wlun") Cc: # 5.15.x Reviewed-by: Stanley Chu Signed-off-by: Peter Wang Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit e2d7cacc6a2a1d77e7e20a492daf458a12cf19e0 Author: Zheyu Ma Date: Thu Aug 4 20:41:25 2022 +0800 video: fbdev: s3fb: Check the size of screen before memset_io() [ Upstream commit 6ba592fa014f21f35a8ee8da4ca7b95a018f13e8 ] In the function s3fb_set_par(), the value of 'screen_size' is calculated by the user input. If the user provides the improper value, the value of 'screen_size' may larger than 'info->screen_size', which may cause the following bug: [ 54.083733] BUG: unable to handle page fault for address: ffffc90003000000 [ 54.083742] #PF: supervisor write access in kernel mode [ 54.083744] #PF: error_code(0x0002) - not-present page [ 54.083760] RIP: 0010:memset_orig+0x33/0xb0 [ 54.083782] Call Trace: [ 54.083788] s3fb_set_par+0x1ec6/0x4040 [ 54.083806] fb_set_var+0x604/0xeb0 [ 54.083836] do_fb_ioctl+0x234/0x670 Fix the this by checking the value of 'screen_size' before memset_io(). Fixes: a268422de8bf ("fbdev driver for S3 Trio/Virge") Signed-off-by: Zheyu Ma Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 2ce61c39c2a0b8ec82f48e0f7136f0dac105ae75 Author: Zheyu Ma Date: Thu Aug 4 20:41:24 2022 +0800 video: fbdev: arkfb: Check the size of screen before memset_io() [ Upstream commit 96b550971c65d54d64728d8ba973487878a06454 ] In the function arkfb_set_par(), the value of 'screen_size' is calculated by the user input. If the user provides the improper value, the value of 'screen_size' may larger than 'info->screen_size', which may cause the following bug: [ 659.399066] BUG: unable to handle page fault for address: ffffc90003000000 [ 659.399077] #PF: supervisor write access in kernel mode [ 659.399079] #PF: error_code(0x0002) - not-present page [ 659.399094] RIP: 0010:memset_orig+0x33/0xb0 [ 659.399116] Call Trace: [ 659.399122] arkfb_set_par+0x143f/0x24c0 [ 659.399130] fb_set_var+0x604/0xeb0 [ 659.399161] do_fb_ioctl+0x234/0x670 [ 659.399189] fb_ioctl+0xdd/0x130 Fix the this by checking the value of 'screen_size' before memset_io(). Fixes: 681e14730c73 ("arkfb: new framebuffer driver for ARK Logic cards") Signed-off-by: Zheyu Ma Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit c7a3f41e4b133d4dd25bc996b69039b19a34d69d Author: Zheyu Ma Date: Thu Aug 4 20:41:23 2022 +0800 video: fbdev: vt8623fb: Check the size of screen before memset_io() [ Upstream commit ec0754c60217248fa77cc9005d66b2b55200ac06 ] In the function vt8623fb_set_par(), the value of 'screen_size' is calculated by the user input. If the user provides the improper value, the value of 'screen_size' may larger than 'info->screen_size', which may cause the following bug: [ 583.339036] BUG: unable to handle page fault for address: ffffc90005000000 [ 583.339049] #PF: supervisor write access in kernel mode [ 583.339052] #PF: error_code(0x0002) - not-present page [ 583.339074] RIP: 0010:memset_orig+0x33/0xb0 [ 583.339110] Call Trace: [ 583.339118] vt8623fb_set_par+0x11cd/0x21e0 [ 583.339146] fb_set_var+0x604/0xeb0 [ 583.339181] do_fb_ioctl+0x234/0x670 [ 583.339209] fb_ioctl+0xdd/0x130 Fix the this by checking the value of 'screen_size' before memset_io(). Fixes: 558b7bd86c32 ("vt8623fb: new framebuffer driver for VIA VT8623") Signed-off-by: Zheyu Ma Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 6dab0119adcc3beb833555a478e710fb6a709a85 Author: Jaewook Kim Date: Wed Aug 3 17:53:58 2022 +0900 f2fs: do not allow to decompress files have FI_COMPRESS_RELEASED [ Upstream commit 90be48bd9d29ece3965e5e8b21499b6db166e57b ] If a file has FI_COMPRESS_RELEASED, all writes for it should not be allowed. However, as of now, in case of compress_mode=user, writes triggered by IOCTLs like F2FS_IOC_DE/COMPRESS_FILE are allowed unexpectly, which could crash that file. To fix it, let's do not allow F2FS_IOC_DE/COMPRESS_IOCTL if a file already has FI_COMPRESS_RELEASED flag. This is the reproduction process: 1. $ touch ./file 2. $ chattr +c ./file 3. $ dd if=/dev/random of=./file bs=4096 count=30 conv=notrunc 4. $ dd if=/dev/zero of=./file bs=4096 count=34 seek=30 conv=notrunc 5. $ sync 6. $ do_compress ./file ; call F2FS_IOC_COMPRESS_FILE 7. $ get_compr_blocks ./file ; call F2FS_IOC_GET_COMPRESS_BLOCKS 8. $ release ./file ; call F2FS_IOC_RELEASE_COMPRESS_BLOCKS 9. $ do_compress ./file ; call F2FS_IOC_COMPRESS_FILE again 10. $ get_compr_blocks ./file ; call F2FS_IOC_GET_COMPRESS_BLOCKS again This reproduction process is tested in 128kb cluster size. You can find compr_blocks has a negative value. Fixes: 5fdb322ff2c2b ("f2fs: add F2FS_IOC_DECOMPRESS_FILE and F2FS_IOC_COMPRESS_FILE") Signed-off-by: Junbeom Yeom Signed-off-by: Sungjong Seo Signed-off-by: Youngjin Gil Signed-off-by: Jaewook Kim Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 68d27da7659d432142d9d82ab166d868717b8a2c Author: Andrea Righi Date: Thu Jul 14 09:49:15 2022 +0200 x86/entry: Build thunk_$(BITS) only if CONFIG_PREEMPTION=y [ Upstream commit de979c83574abf6e78f3fa65b716515c91b2613d ] With CONFIG_PREEMPTION disabled, arch/x86/entry/thunk_$(BITS).o becomes an empty object file. With some old versions of binutils (i.e., 2.35.90.20210113-1ubuntu1) the GNU assembler doesn't generate a symbol table for empty object files and objtool fails with the following error when a valid symbol table cannot be found: arch/x86/entry/thunk_64.o: warning: objtool: missing symbol table To prevent this from happening, build thunk_$(BITS).o only if CONFIG_PREEMPTION is enabled. BugLink: https://bugs.launchpad.net/bugs/1911359 Fixes: 320100a5ffe5 ("x86/entry: Remove the TRACE_IRQS cruft") Signed-off-by: Andrea Righi Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/Ys/Ke7EWjcX+ZlXO@arighi-desktop Signed-off-by: Sasha Levin commit 302f7b0fc337746f41c69eb08522907f6a90c643 Author: Mel Gorman Date: Thu Aug 4 10:21:19 2022 +0100 sched/core: Do not requeue task on CPU excluded from cpus_mask [ Upstream commit 751d4cbc43879229dbc124afefe240b70fd29a85 ] The following warning was triggered on a large machine early in boot on a distribution kernel but the same problem should also affect mainline. WARNING: CPU: 439 PID: 10 at ../kernel/workqueue.c:2231 process_one_work+0x4d/0x440 Call Trace: rescuer_thread+0x1f6/0x360 kthread+0x156/0x180 ret_from_fork+0x22/0x30 Commit c6e7bd7afaeb ("sched/core: Optimize ttwu() spinning on p->on_cpu") optimises ttwu by queueing a task that is descheduling on the wakelist, but does not check if the task descheduling is still allowed to run on that CPU. In this warning, the problematic task is a workqueue rescue thread which checks if the rescue is for a per-cpu workqueue and running on the wrong CPU. While this is early in boot and it should be possible to create workers, the rescue thread may still used if the MAYDAY_INITIAL_TIMEOUT is reached or MAYDAY_INTERVAL and on a sufficiently large machine, the rescue thread is being used frequently. Tracing confirmed that the task should have migrated properly using the stopper thread to handle the migration. However, a parallel wakeup from udev running on another CPU that does not share CPU cache observes p->on_cpu and uses task_cpu(p), queues the task on the old CPU and triggers the warning. Check that the wakee task that is descheduling is still allowed to run on its current CPU and if not, wait for the descheduling to complete and select an allowed CPU. Fixes: c6e7bd7afaeb ("sched/core: Optimize ttwu() spinning on p->on_cpu") Signed-off-by: Mel Gorman Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/20220804092119.20137-1-mgorman@techsingularity.net Signed-off-by: Sasha Levin commit 72f5b286d2b756a7e86212ad572a922568a4d62c Author: Tianchen Ding Date: Thu Jun 9 07:34:12 2022 +0800 sched: Remove the limitation of WF_ON_CPU on wakelist if wakee cpu is idle [ Upstream commit f3dd3f674555bd9455c5ae7fafce0696bd9931b3 ] Wakelist can help avoid cache bouncing and offload the overhead of waker cpu. So far, using wakelist within the same llc only happens on WF_ON_CPU, and this limitation could be removed to further improve wakeup performance. The commit 518cd6234178 ("sched: Only queue remote wakeups when crossing cache boundaries") disabled queuing tasks on wakelist when the cpus share llc. This is because, at that time, the scheduler must send IPIs to do ttwu_queue_wakelist. Nowadays, ttwu_queue_wakelist also supports TIF_POLLING, so this is not a problem now when the wakee cpu is in idle polling. Benefits: Queuing the task on idle cpu can help improving performance on waker cpu and utilization on wakee cpu, and further improve locality because the wakee cpu can handle its own rq. This patch helps improving rt on our real java workloads where wakeup happens frequently. Consider the normal condition (CPU0 and CPU1 share same llc) Before this patch: CPU0 CPU1 select_task_rq() idle rq_lock(CPU1->rq) enqueue_task(CPU1->rq) notify CPU1 (by sending IPI or CPU1 polling) resched() After this patch: CPU0 CPU1 select_task_rq() idle add to wakelist of CPU1 notify CPU1 (by sending IPI or CPU1 polling) rq_lock(CPU1->rq) enqueue_task(CPU1->rq) resched() We see CPU0 can finish its work earlier. It only needs to put task to wakelist and return. While CPU1 is idle, so let itself handle its own runqueue data. This patch brings no difference about IPI. This patch only takes effect when the wakee cpu is: 1) idle polling 2) idle not polling For 1), there will be no IPI with or without this patch. For 2), there will always be an IPI before or after this patch. Before this patch: waker cpu will enqueue task and check preempt. Since "idle" will be sure to be preempted, waker cpu must send a resched IPI. After this patch: waker cpu will put the task to the wakelist of wakee cpu, and send an IPI. Benchmark: We've tested schbench, unixbench, and hachbench on both x86 and arm64. On x86 (Intel Xeon Platinum 8269CY): schbench -m 2 -t 8 Latency percentiles (usec) before after 50.0000th: 8 6 75.0000th: 10 7 90.0000th: 11 8 95.0000th: 12 8 *99.0000th: 13 10 99.5000th: 15 11 99.9000th: 18 14 Unixbench with full threads (104) before after Dhrystone 2 using register variables 3011862938 3009935994 -0.06% Double-Precision Whetstone 617119.3 617298.5 0.03% Execl Throughput 27667.3 27627.3 -0.14% File Copy 1024 bufsize 2000 maxblocks 785871.4 784906.2 -0.12% File Copy 256 bufsize 500 maxblocks 210113.6 212635.4 1.20% File Copy 4096 bufsize 8000 maxblocks 2328862.2 2320529.1 -0.36% Pipe Throughput 145535622.8 145323033.2 -0.15% Pipe-based Context Switching 3221686.4 3583975.4 11.25% Process Creation 101347.1 103345.4 1.97% Shell Scripts (1 concurrent) 120193.5 123977.8 3.15% Shell Scripts (8 concurrent) 17233.4 17138.4 -0.55% System Call Overhead 5300604.8 5312213.6 0.22% hackbench -g 1 -l 100000 before after Time 3.246 2.251 On arm64 (Ampere Altra): schbench -m 2 -t 8 Latency percentiles (usec) before after 50.0000th: 14 10 75.0000th: 19 14 90.0000th: 22 16 95.0000th: 23 16 *99.0000th: 24 17 99.5000th: 24 17 99.9000th: 28 25 Unixbench with full threads (80) before after Dhrystone 2 using register variables 3536194249 3537019613 0.02% Double-Precision Whetstone 629383.6 629431.6 0.01% Execl Throughput 65920.5 65846.2 -0.11% File Copy 1024 bufsize 2000 maxblocks 1063722.8 1064026.8 0.03% File Copy 256 bufsize 500 maxblocks 322684.5 318724.5 -1.23% File Copy 4096 bufsize 8000 maxblocks 2348285.3 2328804.8 -0.83% Pipe Throughput 133542875.3 131619389.8 -1.44% Pipe-based Context Switching 3215356.1 3576945.1 11.25% Process Creation 108520.5 120184.6 10.75% Shell Scripts (1 concurrent) 122636.3 121888 -0.61% Shell Scripts (8 concurrent) 17462.1 17381.4 -0.46% System Call Overhead 4429998.9 4435006.7 0.11% hackbench -g 1 -l 100000 before after Time 4.217 2.916 Our patch has improvement on schbench, hackbench and Pipe-based Context Switching of unixbench when there exists idle cpus, and no obvious regression on other tests of unixbench. This can help improve rt in scenes where wakeup happens frequently. Signed-off-by: Tianchen Ding Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Valentin Schneider Link: https://lore.kernel.org/r/20220608233412.327341-3-dtcccc@linux.alibaba.com Signed-off-by: Sasha Levin commit 31ef9288a5938ebbf577b10b40087d5745be544f Author: Tianchen Ding Date: Thu Jun 9 07:34:11 2022 +0800 sched: Fix the check of nr_running at queue wakelist [ Upstream commit 28156108fecb1f808b21d216e8ea8f0d205a530c ] The commit 2ebb17717550 ("sched/core: Offload wakee task activation if it the wakee is descheduling") checked rq->nr_running <= 1 to avoid task stacking when WF_ON_CPU. Per the ordering of writes to p->on_rq and p->on_cpu, observing p->on_cpu (WF_ON_CPU) in ttwu_queue_cond() implies !p->on_rq, IOW p has gone through the deactivate_task() in __schedule(), thus p has been accounted out of rq->nr_running. As such, the task being the only runnable task on the rq implies reading rq->nr_running == 0 at that point. The benchmark result is in [1]. [1] https://lore.kernel.org/all/e34de686-4e85-bde1-9f3c-9bbc86b38627@linux.alibaba.com/ Suggested-by: Valentin Schneider Signed-off-by: Tianchen Ding Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Valentin Schneider Link: https://lore.kernel.org/r/20220608233412.327341-2-dtcccc@linux.alibaba.com Signed-off-by: Sasha Levin commit 035f2184fed3cc825d8083a5e62d45a5e99b21d0 Author: Florian Fainelli Date: Mon Jul 25 10:37:54 2022 -0700 tools/thermal: Fix possible path truncations [ Upstream commit 6c58cf40e3a1d2f47c09d3489857e9476316788a ] A build with -D_FORTIFY_SOURCE=2 enabled will produce the following warnings: sysfs.c:63:30: warning: '%s' directive output may be truncated writing up to 255 bytes into a region of size between 0 and 255 [-Wformat-truncation=] snprintf(filepath, 256, "%s/%s", path, filename); ^~ Bump up the buffer to PATH_MAX which is the limit and account for all of the possible NUL and separators that could lead to exceeding the allocated buffer sizes. Fixes: 94f69966faf8 ("tools/thermal: Introduce tmon, a tool for thermal subsystem") Signed-off-by: Florian Fainelli Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 15661642511b2b192077684a89f42a8d95d54286 Author: Zheyu Ma Date: Wed Aug 3 17:23:12 2022 +0800 video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock() [ Upstream commit 2f1c4523f7a3aaabe7e53d3ebd378292947e95c8 ] Since the user can control the arguments of the ioctl() from the user space, under special arguments that may result in a divide-by-zero bug in: drivers/video/fbdev/arkfb.c:784: ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul); with hdiv=1, pixclock=1 and hmul=2 you end up with (1*1)/2 = (int) 0. and then in: drivers/video/fbdev/arkfb.c:504: rv = dac_set_freq(par->dac, 0, 1000000000 / pixclock); we'll get a division-by-zero. The following log can reveal it: divide error: 0000 [#1] PREEMPT SMP KASAN PTI RIP: 0010:ark_set_pixclock drivers/video/fbdev/arkfb.c:504 [inline] RIP: 0010:arkfb_set_par+0x10fc/0x24c0 drivers/video/fbdev/arkfb.c:784 Call Trace: fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189 Fix this by checking the argument of ark_set_pixclock() first. Fixes: 681e14730c73 ("arkfb: new framebuffer driver for ARK Logic cards") Signed-off-by: Zheyu Ma Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit ee9463233a366725878d8c333519fd6cd2a8a65e Author: Siddh Raman Pant Date: Sun Jul 31 21:39:13 2022 +0530 x86/numa: Use cpumask_available instead of hardcoded NULL check [ Upstream commit 625395c4a0f4775e0fe00f616888d2e6c1ba49db ] GCC-12 started triggering a new warning: arch/x86/mm/numa.c: In function ‘cpumask_of_node’: arch/x86/mm/numa.c:916:39: warning: the comparison will always evaluate as ‘false’ for the address of ‘node_to_cpumask_map’ will never be NULL [-Waddress] 916 | if (node_to_cpumask_map[node] == NULL) { | ^~ node_to_cpumask_map is of type cpumask_var_t[]. When CONFIG_CPUMASK_OFFSTACK is set, cpumask_var_t is typedef'd to a pointer for dynamic allocation, else to an array of one element. The "wicked game" can be checked on line 700 of include/linux/cpumask.h. The original code in debug_cpumask_set_cpu() and cpumask_of_node() were probably written by the original authors with CONFIG_CPUMASK_OFFSTACK=y (i.e. dynamic allocation) in mind, checking if the cpumask was available via a direct NULL check. When CONFIG_CPUMASK_OFFSTACK is not set, GCC gives the above warning while compiling the kernel. Fix that by using cpumask_available(), which does the NULL check when CONFIG_CPUMASK_OFFSTACK is set, otherwise returns true. Use it wherever such checks are made. Conditional definitions of cpumask_available() can be found along with the definition of cpumask_var_t. Check the cpumask.h reference mentioned above. Fixes: c032ef60d1aa ("cpumask: convert node_to_cpumask_map[] to cpumask_var_t") Fixes: de2d9445f162 ("x86: Unify node_to_cpumask_map handling between 32 and 64bit") Signed-off-by: Siddh Raman Pant Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/20220731160913.632092-1-code@siddh.me Signed-off-by: Sasha Levin commit f56607b44c9896e51678a7e8cdd3a5479f4b4548 Author: Waiman Long Date: Tue Aug 2 21:54:51 2022 -0400 sched, cpuset: Fix dl_cpu_busy() panic due to empty cs->cpus_allowed [ Upstream commit b6e8d40d43ae4dec00c8fea2593eeea3114b8f44 ] With cgroup v2, the cpuset's cpus_allowed mask can be empty indicating that the cpuset will just use the effective CPUs of its parent. So cpuset_can_attach() can call task_can_attach() with an empty mask. This can lead to cpumask_any_and() returns nr_cpu_ids causing the call to dl_bw_of() to crash due to percpu value access of an out of bound CPU value. For example: [80468.182258] BUG: unable to handle page fault for address: ffffffff8b6648b0 : [80468.191019] RIP: 0010:dl_cpu_busy+0x30/0x2b0 : [80468.207946] Call Trace: [80468.208947] cpuset_can_attach+0xa0/0x140 [80468.209953] cgroup_migrate_execute+0x8c/0x490 [80468.210931] cgroup_update_dfl_csses+0x254/0x270 [80468.211898] cgroup_subtree_control_write+0x322/0x400 [80468.212854] kernfs_fop_write_iter+0x11c/0x1b0 [80468.213777] new_sync_write+0x11f/0x1b0 [80468.214689] vfs_write+0x1eb/0x280 [80468.215592] ksys_write+0x5f/0xe0 [80468.216463] do_syscall_64+0x5c/0x80 [80468.224287] entry_SYSCALL_64_after_hwframe+0x44/0xae Fix that by using effective_cpus instead. For cgroup v1, effective_cpus is the same as cpus_allowed. For v2, effective_cpus is the real cpumask to be used by tasks within the cpuset anyway. Also update task_can_attach()'s 2nd argument name to cs_effective_cpus to reflect the change. In addition, a check is added to task_can_attach() to guard against the possibility that cpumask_any_and() may return a value >= nr_cpu_ids. Fixes: 7f51412a415d ("sched/deadline: Fix bandwidth check/update when migrating tasks between exclusive cpusets") Signed-off-by: Waiman Long Signed-off-by: Ingo Molnar Acked-by: Juri Lelli Link: https://lore.kernel.org/r/20220803015451.2219567-1-longman@redhat.com Signed-off-by: Sasha Levin commit 32d8d832e31bf9312f7e91811d42eed6a2e1bcb9 Author: Michael Ellerman Date: Wed Aug 3 16:29:41 2022 +1000 powerpc/64e: Fix kexec build error [ Upstream commit 4cfa6ff24a9744ba484521c38bea613134fbfcb3 ] When building ppc64_book3e_allmodconfig the build fails with: arch/powerpc/kexec/file_load_64.c:1063:14: error: implicit declaration of function ‘firmware_has_feature’ 1063 | if (!firmware_has_feature(FW_FEATURE_LPAR)) | ^~~~~~~~~~~~~~~~~~~~ Add a direct include of asm/firmware.h to fix the error. Fixes: b1fc44eaa9ba ("pseries/iommu/ddw: Fix kdump to work in absence of ibm,dma-window") Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220803063152.1249270-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 4971147c532464896e02631cc29082725499cfe0 Author: Douglas Anderson Date: Tue Aug 2 13:23:09 2022 -0700 tty: serial: qcom-geni-serial: Fix %lu -> %u in print statements [ Upstream commit 0fec518018cc5ceffa706370b6e3acbbb1e3c798 ] When we multiply an unsigned int by a u32 we still end up with an unsigned int. That means we should specify "%u" not "%lu" in the format code. NOTE: this fix was chosen instead of somehow promoting the value to "unsigned long" since the max baud rate from the earlier call to uart_get_baud_rate() is 4000000 and the max sampling rate is 32. 4000000 * 32 = 0x07a12000, not even close to overflowing 32-bits. Fixes: c474c775716e ("tty: serial: qcom-geni-serial: Fix get_clk_div_rate() which otherwise could return a sub-optimal clock rate.") Reported-by: Mark Brown Signed-off-by: Douglas Anderson Link: https://lore.kernel.org/r/20220802132250.1.Iea061e14157a17e114dbe2eca764568a02d6b889@changeid Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 33d3905b22dee22983ca3751ae2effe1d47e7d7e Author: Josh Poimboeuf Date: Thu Jul 21 11:01:23 2022 -0700 scripts/faddr2line: Fix vmlinux detection on arm64 [ Upstream commit b6a5068854cfe372da7dee3224dcf023ed5b00cb ] Since commit dcea997beed6 ("faddr2line: Fix overlapping text section failures, the sequel"), faddr2line is completely broken on arm64. For some reason, on arm64, the vmlinux ELF object file type is ET_DYN rather than ET_EXEC. Check for both when determining whether the object is vmlinux. Modules and vmlinux.o have type ET_REL on all arches. Fixes: dcea997beed6 ("faddr2line: Fix overlapping text section failures, the sequel") Reported-by: John Garry Signed-off-by: Josh Poimboeuf Signed-off-by: Ingo Molnar Tested-by: John Garry Link: https://lore.kernel.org/r/dad1999737471b06d6188ce4cdb11329aa41682c.1658426357.git.jpoimboe@kernel.org Signed-off-by: Sasha Levin commit cca32a4d21ee6340df258780690d1975cb01f614 Author: Arnaldo Carvalho de Melo Date: Tue Aug 2 15:13:22 2022 -0300 genelf: Use HAVE_LIBCRYPTO_SUPPORT, not the never defined HAVE_LIBCRYPTO [ Upstream commit 91cea6be90e436c55cde8770a15e4dac9d3032d0 ] When genelf was introduced it tested for HAVE_LIBCRYPTO not HAVE_LIBCRYPTO_SUPPORT, which is the define the feature test for openssl defines, fix it. This also adds disables the deprecation warning, someone has to fix this to build with openssl 3.0 before the warning becomes a hard error. Fixes: 9b07e27f88b9cd78 ("perf inject: Add jitdump mmap injection support") Reported-by: 谭梓煊 Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Daniel Borkmann Cc: Jiri Olsa Cc: John Fastabend Cc: KP Singh Cc: Martin KaFai Lau Cc: Nick Terrell Cc: Song Liu Cc: Stephane Eranian Link: http://lore.kernel.org/lkml/YulpPqXSOG0Q4J1o@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 3d7b948081a9603670b1389f6a51a2180e366d11 Author: Michael Ellerman Date: Tue Aug 2 20:38:32 2022 +1000 powerpc/pci: Fix PHB numbering when using opal-phbid [ Upstream commit f4b39e88b42d13366b831270306326b5c20971ca ] The recent change to the PHB numbering logic has a logic error in the handling of "ibm,opal-phbid". When an "ibm,opal-phbid" property is present, &prop is written to and ret is set to zero. The following call to of_alias_get_id() is skipped because ret == 0. But then the if (ret >= 0) is true, and the body of that if statement sets prop = ret which throws away the value that was just read from "ibm,opal-phbid". Fix the logic by only doing the ret >= 0 check in the of_alias_get_id() case. Fixes: 0fe1e96fef0a ("powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain' and alias") Reviewed-by: Pali Rohár Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220802105723.1055178-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 866a978c75350f24b2d1df80d953f1e050a9dec0 Author: Chenyi Qiang Date: Tue Aug 2 11:32:06 2022 +0800 x86/bus_lock: Don't assume the init value of DEBUGCTLMSR.BUS_LOCK_DETECT to be zero [ Upstream commit ffa6482e461ff550325356ae705b79e256702ea9 ] It's possible that this kernel has been kexec'd from a kernel that enabled bus lock detection, or (hypothetically) BIOS/firmware has set DEBUGCTLMSR_BUS_LOCK_DETECT. Disable bus lock detection explicitly if not wanted. Fixes: ebb1064e7c2e ("x86/traps: Handle #DB for bus lock") Signed-off-by: Chenyi Qiang Signed-off-by: Ingo Molnar Reviewed-by: Tony Luck Link: https://lore.kernel.org/r/20220802033206.21333-1-chenyi.qiang@intel.com Signed-off-by: Sasha Levin commit 16a544f1e013ba0660612f3fe35393b143b19a84 Author: Chen Zhongjin Date: Mon Aug 1 11:37:19 2022 +0800 kprobes: Forbid probing on trampoline and BPF code areas [ Upstream commit 28f6c37a2910f565b4f5960df52b2eccae28c891 ] kernel_text_address() treats ftrace_trampoline, kprobe_insn_slot and bpf_text_address as valid kprobe addresses - which is not ideal. These text areas are removable and changeable without any notification to kprobes, and probing on them can trigger unexpected behavior: https://lkml.org/lkml/2022/7/26/1148 Considering that jump_label and static_call text are already forbiden to probe, kernel_text_address() should be replaced with core_kernel_text() and is_module_text_address() to check other text areas which are unsafe to kprobe. [ mingo: Rewrote the changelog. ] Fixes: 5b485629ba0d ("kprobes, extable: Identify kprobes trampolines as kernel text area") Fixes: 74451e66d516 ("bpf: make jited programs visible in traces") Signed-off-by: Chen Zhongjin Signed-off-by: Ingo Molnar Acked-by: Masami Hiramatsu (Google) Link: https://lore.kernel.org/r/20220801033719.228248-1-chenzhongjin@huawei.com Signed-off-by: Sasha Levin commit 32adf0c85fa9d8a0f85dde5a614c372c49e97e84 Author: Ian Rogers Date: Sun Jul 31 09:49:23 2022 -0700 perf symbol: Fail to read phdr workaround [ Upstream commit 6d518ac7be6223811ab947897273b1bbef846180 ] The perf jvmti agent doesn't create program headers, in this case fallback on section headers as happened previously. Committer notes: To test this, from a public post by Ian: 1) download a Java workload dacapo-9.12-MR1-bach.jar from https://sourceforge.net/projects/dacapobench/ 2) build perf such as "make -C tools/perf O=/tmp/perf NO_LIBBFD=1" it should detect Java and create /tmp/perf/libperf-jvmti.so 3) run perf with the jvmti agent: perf record -k 1 java -agentpath:/tmp/perf/libperf-jvmti.so -jar dacapo-9.12-MR1-bach.jar -n 10 fop 4) run perf inject: perf inject -i perf.data -o perf-injected.data -j 5) run perf report perf report -i perf-injected.data | grep org.apache.fop With this patch reverted I see lots of symbols like: 0.00% java jitted-388040-4656.so [.] org.apache.fop.fo.FObj.bind(org.apache.fop.fo.PropertyList) With the patch (2d86612aacb7805f ("perf symbol: Correct address for bss symbols")) I see lots of: dso__load_sym_internal: failed to find program header for symbol: Lorg/apache/fop/fo/FObj;bind(Lorg/apache/fop/fo/PropertyList;)V st_value: 0x40 Fixes: 2d86612aacb7805f ("perf symbol: Correct address for bss symbols") Reviewed-by: Leo Yan Signed-off-by: Ian Rogers Tested-by: Leo Yan Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Leo Yan Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Stephane Eranian Link: http://lore.kernel.org/lkml/20220731164923.691193-1-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit af41cff4ada533b1cf40de6c468ba164fd32c22d Author: Miaoqian Lin Date: Sun Jun 5 10:51:29 2022 +0400 powerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address [ Upstream commit df5d4b616ee76abc97e5bd348e22659c2b095b1c ] of_get_next_parent() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() in the error path to avoid refcount leak. Fixes: ce21b3c9648a ("[CELL] add support for MSI on Axon-based Cell systems") Signed-off-by: Miaoqian Lin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220605065129.63906-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 79b8eae24b7ee157bda07695d802be8576983fa8 Author: Miaoqian Lin Date: Sun Jun 5 09:32:23 2022 +0400 powerpc/xive: Fix refcount leak in xive_get_max_prio [ Upstream commit 255b650cbec6849443ce2e0cdd187fd5e61c218c ] of_find_node_by_path() returns a node pointer with refcount incremented, we should use of_node_put() on it when done. Add missing of_node_put() to avoid refcount leak. Fixes: eac1e731b59e ("powerpc/xive: guest exploitation of the XIVE interrupt controller") Signed-off-by: Miaoqian Lin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220605053225.56125-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 4288eb035ba4ddb53245e9365c919bb51ac00c2c Author: Miaoqian Lin Date: Fri Jun 3 16:15:42 2022 +0400 powerpc/spufs: Fix refcount leak in spufs_init_isolated_loader [ Upstream commit 6ac059dacffa8ab2f7798f20e4bd3333890c541c ] of_find_node_by_path() returns remote device nodepointer with refcount incremented, we should use of_node_put() on it when done. Add missing of_node_put() to avoid refcount leak. Fixes: 0afacde3df4c ("[POWERPC] spufs: allow isolated mode apps by starting the SPE loader") Signed-off-by: Miaoqian Lin Acked-by: Arnd Bergmann Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220603121543.22884-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit ae497726cd090673a4d20ac725ccc2de8067a7a5 Author: Matthew Wilcox (Oracle) Date: Mon Jul 18 20:06:24 2022 +0100 cifs: Fix memory leak when using fscache [ Upstream commit c6f62f81b488d00afaa86bae26c6ce9ab12c709e ] If we hit the 'index == next_cached' case, we leak a refcount on the struct page. Fix this by using readahead_folio() which takes care of the refcount for you. Fixes: 0174ee9947bd ("cifs: Implement cache I/O by accessing the cache directly") Cc: David Howells Cc: Jeff Layton Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Steve French Signed-off-by: Sasha Levin commit e0a6bb00d11088f4ce5cc374d57042cee538a91d Author: Chao Liu Date: Mon Jul 25 18:16:33 2022 +0800 f2fs: fix to remove F2FS_COMPR_FL and tag F2FS_NOCOMP_FL at the same time [ Upstream commit 8ee236dcaa690d09ca612622e8bc8d09c302021d ] If the inode has the compress flag, it will fail to use 'chattr -c +m' to remove its compress flag and tag no compress flag. However, the same command will be successful when executed again, as shown below: $ touch foo.txt $ chattr +c foo.txt $ chattr -c +m foo.txt chattr: Invalid argument while setting flags on foo.txt $ chattr -c +m foo.txt $ f2fs_io getflags foo.txt get a flag on foo.txt ret=0, flags=nocompression,inline_data Fix this by removing some checks in f2fs_setflags_common() that do not affect the original logic. I go through all the possible scenarios, and the results are as follows. Bold is the only thing that has changed. +---------------+-----------+-----------+----------+ | | file flags | + command +-----------+-----------+----------+ | | no flag | compr | nocompr | +---------------+-----------+-----------+----------+ | chattr +c | compr | compr | -EINVAL | | chattr -c | no flag | no flag | nocompr | | chattr +m | nocompr | -EINVAL | nocompr | | chattr -m | no flag | compr | no flag | | chattr +c +m | -EINVAL | -EINVAL | -EINVAL | | chattr +c -m | compr | compr | compr | | chattr -c +m | nocompr | *nocompr* | nocompr | | chattr -c -m | no flag | no flag | no flag | +---------------+-----------+-----------+----------+ Link: https://lore.kernel.org/linux-f2fs-devel/20220621064833.1079383-1-chaoliu719@gmail.com/ Fixes: 4c8ff7095bef ("f2fs: support data compression") Reviewed-by: Chao Yu Signed-off-by: Chao Liu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit fdafb1b1f1c1cdeec2e7b5733b439202363ada32 Author: Chao Yu Date: Tue Jul 12 11:17:15 2022 +0800 f2fs: fix to check inline_data during compressed inode conversion [ Upstream commit 7165841d578e0592848e09dc9d131aa30be44e1b ] When converting inode to compressed one via ioctl, it needs to check inline_data, since inline_data flag and compressed flag are incompatible. Fixes: 4c8ff7095bef ("f2fs: support data compression") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit cf544749b65e5d358af4b148a6f4167daa9a12af Author: Chao Yu Date: Wed Jul 6 14:30:15 2022 +0800 f2fs: fix to invalidate META_MAPPING before DIO write [ Upstream commit 67ca06872eb02944b4c6f92cffa9242e92c63109 ] Quoted from commit e3b49ea36802 ("f2fs: invalidate META_MAPPING before IPU/DIO write") " Encrypted pages during GC are read and cached in META_MAPPING. However, due to cached pages in META_MAPPING, there is an issue where newly written pages are lost by IPU or DIO writes. Thread A - f2fs_gc() Thread B /* phase 3 */ down_write(i_gc_rwsem) ra_data_block() ---- (a) up_write(i_gc_rwsem) f2fs_direct_IO() : - down_read(i_gc_rwsem) - __blockdev_direct_io() - get_data_block_dio_write() - f2fs_dio_submit_bio() ---- (b) - up_read(i_gc_rwsem) /* phase 4 */ down_write(i_gc_rwsem) move_data_block() ---- (c) up_write(i_gc_rwsem) (a) In phase 3 of f2fs_gc(), up-to-date page is read from storage and cached in META_MAPPING. (b) In thread B, writing new data by IPU or DIO write on same blkaddr as read in (a). cached page in META_MAPPING become out-dated. (c) In phase 4 of f2fs_gc(), out-dated page in META_MAPPING is copied to new blkaddr. In conclusion, the newly written data in (b) is lost. To address this issue, invalidating pages in META_MAPPING before IPU or DIO write. " In previous commit, we missed to cover extent cache hit case, and passed wrong value for parameter @end of invalidate_mapping_pages(), fix both issues. Fixes: 6aa58d8ad20a ("f2fs: readahead encrypted block during GC") Fixes: e3b49ea36802 ("f2fs: invalidate META_MAPPING before IPU/DIO write") Cc: Hyeong-Jun Kim Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit e330968494736db78108da5e416851e7fee4ab73 Author: Kan Liang Date: Thu Jul 21 14:57:02 2022 +0800 perf stat: Revert "perf stat: Add default hybrid events" [ Upstream commit ace3e31e653e79cae9b047e85f567e6b44c98532 ] This reverts commit Fixes: ac2dc29edd21f9ec ("perf stat: Add default hybrid events") Between this patch and the reverted patch, the commit 6c1912898ed21bef ("perf parse-events: Rename parse_events_error functions") and the commit 07eafd4e053a41d7 ("perf parse-event: Add init and exit to parse_event_error") clean up the parse_events_error_*() codes. The related change is also reverted. The reverted patch is hard to be extended to support new default events, e.g., Topdown events, and the existing "--detailed" option on a hybrid platform. A new solution will be proposed in the following patch to enable the perf stat default on a hybrid platform. Signed-off-by: Kan Liang Acked-by: Ian Rogers Acked-by: Namhyung Kim Cc: Alexander Shishkin Cc: Andi Kleen Cc: Ingo Molnar Cc: Jiri Olsa Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20220721065706.2886112-2-zhengjun.xing@linux.intel.com Signed-off-by: Xing Zhengjun Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 2afd4b24668d75ccf12051cb47e563a90944e653 Author: Alexander Gordeev Date: Wed Jul 20 07:24:03 2022 +0200 s390/smp: enforce lowcore protection on CPU restart [ Upstream commit 6f5c672d17f583b081e283927f5040f726c54598 ] As result of commit 915fea04f932 ("s390/smp: enable DAT before CPU restart callback is called") the low-address protection bit gets mistakenly unset in control register 0 save area of the absolute zero memory. That area is used when manual PSW restart happened to hit an offline CPU. In this case the low-address protection for that CPU will be dropped. Reviewed-by: Heiko Carstens Fixes: 915fea04f932 ("s390/smp: enable DAT before CPU restart callback is called") Signed-off-by: Alexander Gordeev Signed-off-by: Sasha Levin commit 7a7dc82fa4413bdf418f53bf46445c9608fd48f7 Author: Sherry Sun Date: Mon Jul 25 13:01:15 2022 +0800 tty: serial: fsl_lpuart: correct the count of break characters [ Upstream commit 707f816f25590c20e056b3bd4a17ce69b03fe856 ] The LPUART can't distinguish between a break signal and a framing error, so need to count the break characters if there is a framing error and received data is zero instead of the parity error. Fixes: 5541a9bacfe5 ("serial: fsl_lpuart: handle break and make sysrq work") Reviewed-by: Michael Walle Signed-off-by: Sherry Sun Link: https://lore.kernel.org/r/20220725050115.12396-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b820594fba897f4d4ad424819b2c24cc6202454a Author: Vijaya Krishna Nivarthi Date: Sat Jul 16 00:25:43 2022 +0530 tty: serial: qcom-geni-serial: Fix get_clk_div_rate() which otherwise could return a sub-optimal clock rate. [ Upstream commit c474c775716edd46a51bf8161142bbd1545f8733 ] In the logic around call to clk_round_rate(), for some corner conditions, get_clk_div_rate() could return an sub-optimal clock rate. Also, if an exact clock rate was not found lowest clock was being returned. Search for suitable clock rate in 2 steps a) exact match or within 2% tolerance b) within 5% tolerance This also takes care of corner conditions. Fixes: c2194bc999d4 ("tty: serial: qcom-geni-serial: Remove uart frequency table. Instead, find suitable frequency with call to clk_round_rate") Reviewed-by: Douglas Anderson Signed-off-by: Vijaya Krishna Nivarthi Link: https://lore.kernel.org/r/1657911343-1909-1-git-send-email-quic_vnivarth@quicinc.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b720d76cd36ea54f3ab216733884b8db50b20abf Author: Guo Mengqi Date: Fri Jul 15 10:33:12 2022 +0800 serial: 8250_bcm2835aux: Add missing clk_disable_unprepare() [ Upstream commit b9f1736e475dba0d6da48fdcb831248ab1597886 ] The error path when get clock frequency fails in bcm2835aux_serial driver does not correctly disable the clock. This flaw was found using a static analysis tool "Hulk Robot", which reported the following warning when analyzing linux-next/master: drivers/tty/serial/8250/8250_bcm2835aux.c: warning: clk_disable_unprepare_missing.cocci The cocci script checks for the existence of clk_disable_unprepare() paired with clk_prepare_enable(). Add the missing clk_disable_unprepare() to the error path. Fixes: fcc446c8aa63 ("serial: 8250_bcm2835aux: Add ACPI support") Reported-by: Hulk Robot Reviewed-by: Florian Fainelli Signed-off-by: Guo Mengqi Link: https://lore.kernel.org/r/20220715023312.37808-1-guomengqi3@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b5de92e1bb7f303f9903d354659025e4d7e58ef8 Author: Rashmica Gupta Date: Fri Jun 17 14:39:35 2022 +1000 selftests/powerpc: Fix matrix multiply assist test [ Upstream commit cd1e64935f79e31d666172c52c951ca97152b783 ] The ISA states: "when ACC[i] contains defined data, the contents of VSRs 4×i to 4×i+3 are undefined until either a VSX Move From ACC instruction is used to copy the contents of ACC[i] to VSRs 4×i to 4×i+3 or some other instruction directly writes to one of these VSRs." We aren't doing this. This test only works on Power10 because the hardware implementation happens to map ACC0 to VSRs 0-3, but will fail on any other implementation that doesn't do this. So add xxmfacc between writing to the accumulator and accessing the VSRs. Fixes: 3527e1ab9a79 ("selftests/powerpc: Add matrix multiply assist (MMA) test") Signed-off-by: Rashmica Gupta Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220617043935.428083-1-rashmica@linux.ibm.com Signed-off-by: Sasha Levin commit f35c7f506fb96a23a1961c7314c5931ec8bc473e Author: Pali Rohár Date: Wed Jul 6 12:21:48 2022 +0200 powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain' and alias [ Upstream commit 0fe1e96fef0a5c53b4c0d1500d356f3906000f81 ] Other Linux architectures use DT property 'linux,pci-domain' for specifying fixed PCI domain of PCI controller specified in Device-Tree. And lot of Freescale powerpc boards have defined numbered pci alias in Device-Tree for every PCIe controller which number specify preferred PCI domain. So prefer usage of DT property 'linux,pci-domain' (via function of_get_pci_domain_nr()) and DT pci alias (via function of_alias_get_id()) on powerpc architecture for assigning PCI domain to PCI controller. Fixes: 63a72284b159 ("powerpc/pci: Assign fixed PHB number based on device-tree properties") Signed-off-by: Pali Rohár Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220706102148.5060-2-pali@kernel.org Signed-off-by: Sasha Levin commit 114ed51117be7d8029e38712dce6f6aef9aa3574 Author: Alexey Kardashevskiy Date: Thu Jul 14 18:11:19 2022 +1000 powerpc/iommu: Fix iommu_table_in_use for a small default DMA window case [ Upstream commit d80f6de9d601c30b53c17f00cb7cfe3169f2ddad ] The existing iommu_table_in_use() helper checks if the kernel is using any of TCEs. There are some reserved TCEs: 1) the very first one if DMA window starts from 0 to avoid having a zero but still valid DMA handle; 2) it_reserved_start..it_reserved_end to exclude MMIO32 window in case the default window spans across that - this is the default for the first DMA window on PowerNV. When 1) is the case and 2) is not the helper does not skip 1) and returns wrong status. This only seems occurring when passing through a PCI device to a nested guest (not something we support really well) so it has not been seen before. This fixes the bug by adding a special case for no MMIO32 reservation. Fixes: 3c33066a2190 ("powerpc/kernel/iommu: Add new iommu_table_in_use() helper") Signed-off-by: Alexey Kardashevskiy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220714081119.3714605-1-aik@ozlabs.ru Signed-off-by: Sasha Levin commit 58942f672c6d04b6a3cd7866cb459671df881538 Author: Alexey Kardashevskiy Date: Wed Jun 29 16:06:14 2022 +1000 pseries/iommu/ddw: Fix kdump to work in absence of ibm,dma-window [ Upstream commit b1fc44eaa9ba31e28c4125d6b9205a3582b47b5d ] The pseries platform uses 32bit default DMA window (always 4K pages) and optional 64bit DMA window available via DDW ("Dynamic DMA Windows"), 64K or 2M pages. For ages the default one was not removed and a huge window was created in addition. Things changed with SRIOV-enabled PowerVM which creates a default-and-bigger DMA window in 64bit space (still using 4K pages) for IOV VFs so certain OSes do not need to use the DDW API in order to utilize all available TCE budget. Linux on the other hand removes the default window and creates a bigger one (with more TCEs or/and a bigger page size - 64K/2M) in a bid to map the entire RAM, and if the new window size is smaller than that - it still uses this new bigger window. The result is that the default window is removed but the "ibm,dma-window" property is not. When kdump is invoked, the existing code tries reusing the existing 64bit DMA window which location and parameters are stored in the device tree but this fails as the new property does not make it to the kdump device tree blob. So the code falls back to the default window which does not exist anymore although the device tree says that it does. The result of that is that PCI devices become unusable and cannot be used for kdumping. This preserves the DMA64 and DIRECT64 properties in the device tree blob for the crash kernel. Since the crash kernel setup is done after device drivers are loaded and probed, the proper DMA config is stored at least for boot time devices. Because DDW window is optional and the code configures the default window first, the existing code creates an IOMMU table descriptor for the non-existing default DMA window. It is harmless for kdump as it does not touch the actual window (only reads what is mapped and marks those IO pages as used) but it is bad for kexec which clears it thinking it is a smaller default window rather than a bigger DDW window. This removes the "ibm,dma-window" property from the device tree after a bigger window is created and the crash kernel setup picks it up. Fixes: 381ceda88c4c ("powerpc/pseries/iommu: Make use of DDW for indirect mapping") Signed-off-by: Alexey Kardashevskiy Acked-by: Hari Bathini Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220629060614.1680476-1-aik@ozlabs.ru Signed-off-by: Sasha Levin commit f762d98f0830d062a10876caea0bd45f2fd2294f Author: Christophe Leroy Date: Fri Jul 8 09:11:05 2022 +0200 video: fbdev: offb: Include missing linux/platform_device.h [ Upstream commit ebef8abc963b9e537c0a0d619dd8faf1b8f2b183 ] A lot of drivers were getting platform and of headers indirectly via headers like asm/pci.h or asm/prom.h Most of them were fixed during 5.19 cycle but a newissue was introduced by commit 52b1b46c39ae ("of: Create platform devices for OF framebuffers") Include missing platform_device.h to allow cleaning asm/pci.h Fixes: 52b1b46c39ae ("of: Create platform devices for OF framebuffers") Signed-off-by: Christophe Leroy Acked-by: Helge Deller Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/f75b383673663e27f6b57e50b4abfb9fe3780b00.1657264228.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 39691e151e5ef411a415723c760e68d6a4f3cc5a Author: Christophe Leroy Date: Mon Jul 11 16:19:29 2022 +0200 powerpc/32: Do not allow selection of e5500 or e6500 CPUs on PPC32 [ Upstream commit 9be013b2a9ecb29b5168e4b9db0e48ed53acf37c ] Commit 0e00a8c9fd92 ("powerpc: Allow CPU selection also on PPC32") enlarged the CPU selection logic to PPC32 by removing depend to PPC64, and failed to restrict that depend to E5500_CPU and E6500_CPU. Fortunately that got unnoticed because -mcpu=8540 will override the -mcpu=e500mc64 or -mpcu=e6500 as they are ealier, but that's fragile and may no be right in the future. Add back the depend PPC64 on E5500_CPU and E6500_CPU. Fixes: 0e00a8c9fd92 ("powerpc: Allow CPU selection also on PPC32") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/8abab4888da69ff78b73a56f64d9678a7bf684e9.1657549153.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit fbe72bebba775244f5f54e0df1f278a42819bf0e Author: Christophe Leroy Date: Fri Jul 1 08:06:15 2022 +0200 powerpc/32s: Fix boot failure with KASAN + SMP + JUMP_LABEL_FEATURE_CHECK_DEBUG [ Upstream commit 6042a1652d643d1d34fa89bb314cb102960c0800 ] Since commit 4291d085b0b0 ("powerpc/32s: Make pte_update() non atomic on 603 core"), pte_update() has been using mmu_has_feature(MMU_FTR_HPTE_TABLE) to avoid a useless atomic operation on 603 cores. When kasan_early_init() sets up the early zero shadow, it uses __set_pte_at(). On book3s/32, __set_pte_at() calls pte_update() when CONFIG_SMP is selected in order to ensure the preservation of _PAGE_HASHPTE in case of concurrent update of the PTE. But that's too early for mmu_has_feature(), so when CONFIG_JUMP_LABEL_FEATURE_CHECK_DEBUG is selected, mmu_has_feature() calls printk(). That's too early to call printk() because KASAN early zero shadow page is not set up yet. It leads to a deadlock. However, when kasan_early_init() is called, there is only one CPU running and no risk of concurrent PTE update. So __set_pte_at() can be called with the 'percpu' flag. With that flag set, the PTE is written directly instead of being written via pte_update(). Fixes: 4291d085b0b0 ("powerpc/32s: Make pte_update() non atomic on 603 core") Reported-by: Erhard Furtner Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/2ee707512b8b212b079b877f4ceb525a1606a3fb.1656655567.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit e16c3ac0dc6be3358692e549a568e38b2875cfea Author: Christophe Leroy Date: Tue Jun 14 12:34:08 2022 +0200 powerpc/32: Call mmu_mark_initmem_nx() regardless of data block mapping. [ Upstream commit 980bbf7ca72012d317617fcdbfabe8708e4cef29 ] mark_initmem_nx() calls either mmu_mark_initmem_nx() or set_memory_attr() based on return from v_block_mapped() of _sinittext. But we can now handle text and data independently, so that text may be mapped by block even when data is mapped by pages. On the 8xx for instance, at startup 32Mbytes of memory are pinned in TLB. So the pinned entries need to go away for sinittext. In next patch a BAT will be set to also covers sinittext on book3s/32. So it will also be needed to call mmu_mark_initmem_nx() even when data above sinittext is not mapped with BATs. As this is highly dependent on the platform, call mmu_mark_initmem_nx() regardless of data block mapping. Then the platform will know what to do. Modify 8xx mmu_mark_initmem_nx() so that inittext mapping is modified only when pagealloc debug and kfence are not active, otherwise inittext is mapped with standard pages. And don't do anything on kernel text which is already mapped with PAGE_KERNEL_TEXT. Fixes: da1adea07576 ("powerpc/8xx: Allow STRICT_KERNEL_RwX with pinned TLB") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/db3fc14f3bfa6215b0786ef58a6e2bc1e1f964d7.1655202804.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit e7da0b9764742b3e5064cbaf8154a50694ede28c Author: Claudiu Beznea Date: Wed Jul 27 12:08:13 2022 +0300 ASoC: mchp-spdifrx: disable end of block interrupt on failures [ Upstream commit 768ac4f12ca0fda935f58eb8c5120e9d795bc6e3 ] Disable end of block interrupt in case of wait for completion timeout or errors to undo previously enable operation (done in mchp_spdifrx_isr_blockend_en()). Otherwise we can end up with an unbalanced reference counter for this interrupt. Fixes: ef265c55c1ac ("ASoC: mchp-spdifrx: add driver for SPDIF RX") Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20220727090814.2446111-2-claudiu.beznea@microchip.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4a0ed3a0fbe3c29eead5a4154350112de9ceb212 Author: Rustam Subkhankulov Date: Mon Jul 18 15:43:43 2022 +0300 video: fbdev: sis: fix typos in SiS_GetModeID() [ Upstream commit 3eb8fccc244bfb41a7961969e4db280d44911226 ] The second operand of a '&&' operator has no impact on expression result for cases 400 and 512 in SiS_GetModeID(). Judging by the logic and the names of the variables, in both cases a typo was made. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Rustam Subkhankulov Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit a88ab277cca99aeb9a3b2b7db358f1a6dd528b0c Author: Liang He Date: Tue Jul 19 16:25:46 2022 +0800 video: fbdev: amba-clcd: Fix refcount leak bugs [ Upstream commit 26c2b7d9fac42eb8317f3ceefa4c1a9a9170ca69 ] In clcdfb_of_init_display(), we should call of_node_put() for the references returned by of_graph_get_next_endpoint() and of_graph_get_remote_port_parent() which have increased the refcount. Besides, we should call of_node_put() both in fail path or when the references are not used anymore. Fixes: d10715be03bd ("video: ARM CLCD: Add DT support") Signed-off-by: Liang He Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 5529988d6ced06ea77798210f64839c29b1e24bd Author: Yong Zhi Date: Mon Jul 25 14:49:08 2022 -0500 ASoC: Intel: sof_rt5682: Perform quirk check first in card late probe [ Upstream commit 371a3f01fc1862c23fae35cb2c98ffb2eec143f1 ] The check of sof_rt5682_quirk should not be skipped unless the HDMI handling code exits with error, fix by moving the quirk check to the front. Fixes: 94d2d0897474 ("ASoC: Intel: Boards: tgl_max98373: add dai_trigger function") Reviewed-by: Ranjani Sridharan Signed-off-by: Yong Zhi Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220725194909.145418-10-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit cf9e5cc2a663349df1eef728f65e6a6325490a15 Author: William Dean Date: Fri Jul 22 11:09:38 2022 +0800 watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in armada_37xx_wdt_probe() [ Upstream commit 2d27e52841092e5831dd41f313028c668d816eb0 ] The function devm_ioremap() in armada_37xx_wdt_probe() can fail, so its return value should be checked. Fixes: 54e3d9b518c8a ("watchdog: Add support for Armada 37xx CPU watchdog") Reported-by: Hacash Robot Signed-off-by: William Dean Reviewed-by: Marek Beh=C3=BAn Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20220722030938.2925156-1-williamsukatube@163.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit ee1fb8f75abe361413913e3a6e93c8c0a4d83cd9 Author: Jean Delvare Date: Tue Jun 21 15:28:40 2022 +0200 watchdog: sp5100_tco: Fix a memory leak of EFCH MMIO resource [ Upstream commit c6d9c0798ed366a09a9e53d71edcd2266e34a6eb ] Unlike release_mem_region(), a call to release_resource() does not free the resource, so it has to be freed explicitly to avoid a memory leak. Signed-off-by: Jean Delvare Fixes: 0578fff4aae5 ("Watchdog: sp5100_tco: Add initialization using EFCH MMIO") Cc: Terry Bowman Cc: Wim Van Sebroeck Cc: Guenter Roeck Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20220621152840.420a0f4c@endymion.delvare Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit f52959044f798dea767709e19abf462b986e523c Author: Jiasheng Jiang Date: Thu May 26 16:03:03 2022 +0800 watchdog: f71808e_wdt: Add check for platform_driver_register [ Upstream commit 97d5ec548150764946f38632e62e79759832b54b ] As platform_driver_register() could fail, it should be better to deal with the return value in order to maintain the code consisitency. Fixes: 27e0fe00a5c6 ("watchdog: f71808e_wdt: refactor to platform device/driver pair") Signed-off-by: Jiasheng Jiang Reviewed-by: Guenter Roeck https://lore.kernel.org/r/20220526080303.1005063-1-jiasheng@iscas.ac.cn Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 9a49540d29ca603a3fba327bbe8ff2d8327530ba Author: Liang He Date: Fri Jul 22 22:18:01 2022 +0800 ASoC: audio-graph-card2: Add of_node_put() in fail path [ Upstream commit 8ebc4dd8250fd1cb5da2869c0fe6ae3686fe41e9 ] In asoc_simple_parse_dai(), we should call of_node_put() for the reference returned by of_graph_get_port_parent() in fail path. Fixes: 6e5f68fe3f2d ("ASoC: add Audio Graph Card2 driver") Signed-off-by: Liang He Link: https://lore.kernel.org/r/20220722141801.1304854-1-windhl@126.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 375613cc7b8d344ddbf29a92d6c7c25e54ecf421 Author: Liang He Date: Thu Jul 21 22:43:08 2022 +0800 ASoC: audio-graph-card: Add of_node_put() in fail path [ Upstream commit 65fb8e2ef3531a6e950060fca6e551c923fb0f0e ] In asoc_simple_parse_dai(), we should call of_node_put() for the reference returned by of_graph_get_port_parent() in fail path. Fixes: ae30a694da4c ("ASoC: simple-card-utils: add asoc_simple_card_parse_dai()") Signed-off-by: Liang He Link: https://lore.kernel.org/r/20220721144308.1301587-1-windhl@126.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d355da79bcdf3c6a397e4e26e4af062db12708a8 Author: Xie Yongji Date: Mon Jul 18 16:50:12 2022 +0800 fuse: Remove the control interface for virtio-fs [ Upstream commit c64797809a64c73497082aa05e401a062ec1af34 ] The commit 15c8e72e88e0 ("fuse: allow skipping control interface and forced unmount") tries to remove the control interface for virtio-fs since it does not support aborting requests which are being processed. But it doesn't work now. This patch fixes it by skipping creating the control interface if fuse_conn->no_control is set. Fixes: 15c8e72e88e0 ("fuse: allow skipping control interface and forced unmount") Signed-off-by: Xie Yongji Signed-off-by: Miklos Szeredi Signed-off-by: Sasha Levin commit f36974f93d00a97c25f8129e84855cb3efb7f886 Author: Christophe JAILLET Date: Thu Jul 21 11:02:22 2022 +0200 ASoC: qcom: q6dsp: Fix an off-by-one in q6adm_alloc_copp() [ Upstream commit 673f58f62ca6fc98979d1cf3fe89c3ff33f29b2e ] find_first_zero_bit() returns MAX_COPPS_PER_PORT at max here. So 'idx' should be tested with ">=" or the test can't match. Fixes: 7b20b2be51e1 ("ASoC: qdsp6: q6adm: Add q6adm driver") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/0fca3271649736053eb9649d87e1ca01b056be40.1658394124.git.christophe.jaillet@wanadoo.fr Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 19582e76b2095c5fa5eb009b6eee6b19219d6ac5 Author: Shengjiu Wang Date: Thu Jul 21 18:29:53 2022 +0800 ASoC: imx-card: use snd_pcm_format_t type for asrc_format [ Upstream commit 409a8652e909e323c715f3088e6c3133e37c8881 ] Fix sparse warning: sound/soc/fsl/imx-card.c:653:59: sparse: warning: incorrect type in assignment (different base types) sound/soc/fsl/imx-card.c:653:59: sparse: expected unsigned int [usertype] asrc_format sound/soc/fsl/imx-card.c:653:59: sparse: got restricted snd_pcm_format_t [usertype] sound/soc/fsl/imx-card.c:655:59: sparse: warning: incorrect type in assignment (different base types) sound/soc/fsl/imx-card.c:655:59: sparse: expected unsigned int [usertype] asrc_format sound/soc/fsl/imx-card.c:655:59: sparse: got restricted snd_pcm_format_t [usertype] Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver") Signed-off-by: Shengjiu Wang Link: https://lore.kernel.org/r/1658399393-28777-6-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7a62705535202adcc25ef5cae5a12c4ec2540651 Author: Shengjiu Wang Date: Thu Jul 21 18:29:52 2022 +0800 ASoC: fsl_easrc: use snd_pcm_format_t type for sample_format [ Upstream commit de27216cf2d645c2fd14e513707bdcd54e5b1de4 ] Fix sparse warning: sound/soc/fsl/fsl_easrc.c:562:33: sparse: warning: restricted snd_pcm_format_t degrades to integer sound/soc/fsl/fsl_easrc.c:563:34: sparse: warning: restricted snd_pcm_format_t degrades to integer sound/soc/fsl/fsl_easrc.c:565:38: sparse: warning: restricted snd_pcm_format_t degrades to integer sound/soc/fsl/fsl_easrc.c:566:39: sparse: warning: restricted snd_pcm_format_t degrades to integer sound/soc/fsl/fsl_easrc.c:608:33: sparse: warning: restricted snd_pcm_format_t degrades to integer sound/soc/fsl/fsl_easrc.c:609:34: sparse: warning: restricted snd_pcm_format_t degrades to integer sound/soc/fsl/fsl_easrc.c:615:40: sparse: warning: restricted snd_pcm_format_t degrades to integer sound/soc/fsl/fsl_easrc.c:616:41: sparse: warning: restricted snd_pcm_format_t degrades to integer sound/soc/fsl/fsl_easrc.c:1465:51: sparse: warning: incorrect type in assignment (different base types) sound/soc/fsl/fsl_easrc.c:1465:51: sparse: expected unsigned int sample_format sound/soc/fsl/fsl_easrc.c:1465:51: sparse: got restricted snd_pcm_format_t [usertype] format sound/soc/fsl/fsl_easrc.c:1467:52: sparse: warning: incorrect type in assignment (different base types) sound/soc/fsl/fsl_easrc.c:1467:52: sparse: expected unsigned int sample_format sound/soc/fsl/fsl_easrc.c:1467:52: sparse: got restricted snd_pcm_format_t [usertype] asrc_format sound/soc/fsl/fsl_easrc.c:1470:52: sparse: warning: incorrect type in assignment (different base types) sound/soc/fsl/fsl_easrc.c:1470:52: sparse: expected unsigned int sample_format sound/soc/fsl/fsl_easrc.c:1470:52: sparse: got restricted snd_pcm_format_t [usertype] format sound/soc/fsl/fsl_easrc.c:1472:51: sparse: warning: incorrect type in assignment (different base types) sound/soc/fsl/fsl_easrc.c:1472:51: sparse: expected unsigned int sample_format sound/soc/fsl/fsl_easrc.c:1472:51: sparse: got restricted snd_pcm_format_t [usertype] asrc_format sound/soc/fsl/fsl_easrc.c:1484:41: sparse: warning: incorrect type in argument 2 (different base types) sound/soc/fsl/fsl_easrc.c:1484:41: sparse: expected restricted snd_pcm_format_t [usertype] *in_raw_format sound/soc/fsl/fsl_easrc.c:1484:41: sparse: got unsigned int * sound/soc/fsl/fsl_easrc.c:1485:41: sparse: warning: incorrect type in argument 3 (different base types) sound/soc/fsl/fsl_easrc.c:1485:41: sparse: expected restricted snd_pcm_format_t [usertype] *out_raw_format sound/soc/fsl/fsl_easrc.c:1485:41: sparse: got unsigned int * sound/soc/fsl/fsl_easrc.c:1937:60: sparse: warning: incorrect type in argument 3 (different base types) sound/soc/fsl/fsl_easrc.c:1937:60: sparse: expected unsigned int [usertype] *out_value sound/soc/fsl/fsl_easrc.c:1937:60: sparse: got restricted snd_pcm_format_t * sound/soc/fsl/fsl_easrc.c:1943:49: sparse: warning: restricted snd_pcm_format_t degrades to integer Fixes: 955ac624058f ("ASoC: fsl_easrc: Add EASRC ASoC CPU DAI drivers") Signed-off-by: Shengjiu Wang Link: https://lore.kernel.org/r/1658399393-28777-5-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit cbb116843f29780b965d26c5b83e4c6564a148a1 Author: Shengjiu Wang Date: Thu Jul 21 18:29:51 2022 +0800 ASoC: fsl-asoc-card: force cast the asrc_format type [ Upstream commit 6c7b077dad62178c33f9a3ae17f90d6b0bf6e2e5 ] Fix sparse warning: sound/soc/fsl/fsl-asoc-card.c:833:45: sparse: warning: incorrect type in argument 3 (different base types) sound/soc/fsl/fsl-asoc-card.c:833:45: sparse: expected unsigned int [usertype] *out_value sound/soc/fsl/fsl-asoc-card.c:833:45: sparse: got restricted snd_pcm_format_t * Fixes: 859e364302c5 ("ASoC: fsl-asoc-card: Support new property fsl, asrc-format") Signed-off-by: Shengjiu Wang Link: https://lore.kernel.org/r/1658399393-28777-4-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 78bbb972d25831708089744cdbb45ee975580b99 Author: Shengjiu Wang Date: Thu Jul 21 18:29:50 2022 +0800 ASoC: fsl_asrc: force cast the asrc_format type [ Upstream commit c49932726de24405d45516b3f8ad2735714fdf05 ] Fix sparse warning: sound/soc/fsl/fsl_asrc.c:1177:60: sparse: warning: incorrect type in argument 3 (different base types) sound/soc/fsl/fsl_asrc.c:1177:60: sparse: expected unsigned int [usertype] *out_value sound/soc/fsl/fsl_asrc.c:1177:60: sparse: got restricted snd_pcm_format_t * sound/soc/fsl/fsl_asrc.c:1200:47: sparse: warning: restricted snd_pcm_format_t degrades to integer Fixes: 4520af41fd21 ("ASoC: fsl_asrc: Support new property fsl,asrc-format") Signed-off-by: Shengjiu Wang Link: https://lore.kernel.org/r/1658399393-28777-3-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a06d8ce519a0a69227211bedd24649f0aa3cbf21 Author: Thomas Richter Date: Wed Jul 20 14:34:19 2022 +0200 perf test: Fix test case 83 ('perf stat CSV output linter') on s390 [ Upstream commit 87abe344cd280802f431998fabfd35d2d340ca90 ] Perf test case 83: perf stat CSV output linter might fail on s390. The reason for this is the output of the command ./perf stat -x, -A -a --no-merge true which depends on a .config file setting. When CONFIG_SCHED_TOPOLOGY is set, the output of above perf command is CPU0,1.50,msec,cpu-clock,1502781,100.00,1.052,CPUs utilized When CONFIG_SCHED_TOPOLOGY is *NOT* set the output of above perf command is 0.95,msec,cpu-clock,949800,100.00,1.060,CPUs utilized Fix the test case to accept both output formats. Output before: # perf test 83 83: perf stat CSV output linter : FAILED! # Output after: # ./perf test 83 83: perf stat CSV output linter : Ok # Fixes: ec906102e5b7d339 ("perf test: Fix "perf stat CSV output linter" test on s390") Signed-off-by: Thomas Richter Acked-by: Ian Rogers Acked-by: Sumanth Korikkar Cc: Heiko Carstens Cc: Sven Schnelle Cc: Vasily Gorbik Link: https://lore.kernel.org/r/20220720123419.220953-1-tmricht@linux.ibm.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 22272ced5f8e1df72594f17fa13fc45dbd87769f Author: Alexander Gordeev Date: Tue Jul 19 07:16:33 2022 +0200 s390/zcore: fix race when reading from hardware system area [ Upstream commit 9ffed254d938c9e99eb7761c7f739294c84e0367 ] Memory buffer used for reading out data from hardware system area is not protected against concurrent access. Reported-by: Matthew Wilcox Fixes: 411ed3225733 ("[S390] zfcpdump support.") Acked-by: Heiko Carstens Tested-by: Alexander Egorenkov Link: https://lore.kernel.org/r/e68137f0f9a0d2558f37becc20af18e2939934f6.1658206891.git.agordeev@linux.ibm.com Signed-off-by: Alexander Gordeev Signed-off-by: Sasha Levin commit 8108b1f01892f38898d4d00135397b824534ab2d Author: Alexander Gordeev Date: Fri Jul 15 12:59:33 2022 +0200 s390/crash: fix incorrect number of bytes to copy to user space [ Upstream commit f6749da17a34eb08c9665f072ce7c812ff68aad2 ] The number of bytes in a chunk is correctly calculated, but instead the total number of bytes is passed to copy_to_user_real() function. Reported-by: Matthew Wilcox Fixes: df9694c7975f ("s390/dump: streamline oldmem copy functions") Signed-off-by: Alexander Gordeev Signed-off-by: Sasha Levin commit 951183192aa4035267ec59ade6ad8c4dda26382d Author: Sunil V L Date: Fri May 27 10:47:40 2022 +0530 riscv: spinwait: Fix hartid variable type [ Upstream commit c029e487e7c00e5594a4ae946952605db34e359b ] The hartid variable is of type int but compared with ULONG_MAX(INVALID_HARTID). This issue is fixed by changing the hartid variable type to unsigned long. Fixes: c78f94f35cf6 ("RISC-V: Use __cpu_up_stack/task_pointer only for spinwait method") Signed-off-by: Sunil V L Reviewed-by: Atish Patra Link: https://lore.kernel.org/r/20220527051743.2829940-3-sunilvl@ventanamicro.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit babbfc492c315d9c7084db3906de1e80c5ab542d Author: Adrian Hunter Date: Mon Jul 11 12:31:44 2022 +0300 perf tools: Fix dso_id inode generation comparison [ Upstream commit 68566a7cf56bf3148797c218ed45a9de078ef47c ] Synthesized MMAP events have zero ino_generation, so do not compare them to DSOs with a real ino_generation otherwise we end up with a DSO without a build id. Fixes: 0e3149f86b99ddab ("perf dso: Move dso_id from 'struct map' to 'struct dso'") Signed-off-by: Adrian Hunter Cc: Andi Kleen Cc: Ian Rogers Cc: Jiri Olsa Cc: kvm@vger.kernel.org Cc: Namhyung Kim Link: https://lore.kernel.org/r/20220711093218.10967-2-adrian.hunter@intel.com [ Added clarification to the comment from Ian + more detailed explanation from Adrian ] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit fac821e8edea387e7d1f2143756a8ff526a96d69 Author: Liang He Date: Tue Jul 19 20:49:55 2022 +0800 iommu/arm-smmu: qcom_iommu: Add of_node_put() when breaking out of loop [ Upstream commit a91eb6803c1c715738682fece095145cbd68fe0b ] In qcom_iommu_has_secure_context(), we should call of_node_put() for the reference 'child' when breaking out of for_each_child_of_node() which will automatically increase and decrease the refcount. Fixes: d051f28c8807 ("iommu/qcom: Initialize secure page table") Signed-off-by: Liang He Link: https://lore.kernel.org/r/20220719124955.1242171-1-windhl@126.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 58031dde446e047723692943fc0450a07cd12fd8 Author: Mario Limonciello Date: Mon Jul 18 16:34:02 2022 -0500 ASoC: amd: yc: Decrease level of error message [ Upstream commit 393a40b50fe976a121b15752d2dd6151c7a92126 ] On a number of platforms that contain acp3x controller a new ERR level message is showing up: `acp6x pci device not found` This is because ACP3x and ACP6x share same PCI ID but can be identified by PCI revision. As this is expected behavior for a system with ACP3x decrease message to debug. Fixes: b1630fcbfde6c ("ASoC: amd: yc: add new YC platform varaint support") Cc: Vijendar Mukunda Signed-off-by: Mario Limonciello Link: https://lore.kernel.org/r/20220718213402.19497-1-mario.limonciello@amd.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a29c40814039535b950149311986a5f348b5db14 Author: Miaoqian Lin Date: Wed Jun 1 08:32:22 2022 +0400 mfd: max77620: Fix refcount leak in max77620_initialise_fps [ Upstream commit 1520669c8255bd637c6b248b2be910e2688d38dd ] of_get_child_by_name() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. Fixes: 327156c59360 ("mfd: max77620: Add core driver for MAX77620/MAX20024") Signed-off-by: Miaoqian Lin Reviewed-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20220601043222.64441-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit d9384f4b9d5354d38fda24a6c9079b87585c0267 Author: Uwe Kleine-König Date: Mon May 30 21:24:28 2022 +0200 mfd: t7l66xb: Drop platform disable callback [ Upstream commit 128ac294e1b437cb8a7f2ff8ede1cde9082bddbe ] None of the in-tree instantiations of struct t7l66xb_platform_data provides a disable callback. So better don't dereference this function pointer unconditionally. As there is no user, drop it completely instead of calling it conditional. This is a preparation for making platform remove callbacks return void. Fixes: 1f192015ca5b ("mfd: driver for the T7L66XB TMIO SoC") Signed-off-by: Uwe Kleine-König Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20220530192430.2108217-3-u.kleine-koenig@pengutronix.de Signed-off-by: Sasha Levin commit bcc3c1780b276bade65fffa523bf5e0b6412280a Author: Sibi Sankar Date: Tue Jul 5 17:38:19 2022 +0530 remoteproc: sysmon: Wait for SSCTL service to come up [ Upstream commit 47c04e00eff86a81cd357c3feed04c86089bcb85 ] The SSCTL service comes up after a finite time when the remote Q6 comes out of reset. Any graceful shutdowns requested during this period will be a NOP and abrupt tearing down of the glink channel might lead to pending transactions on the remote Q6 side and will ultimately lead to a fatal error. Fix this by waiting for the SSCTL service when a graceful shutdown is requested. Fixes: 1fb82ee806d1 ("remoteproc: qcom: Introduce sysmon") Reviewed-by: Matthias Kaehlcke Signed-off-by: Sibi Sankar Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/1657022900-2049-7-git-send-email-quic_sibis@quicinc.com Signed-off-by: Sasha Levin commit 1c4dca58bbb61f592d39449caab857aad8ed6ed8 Author: Siddharth Gupta Date: Tue Jul 5 17:38:17 2022 +0530 remoteproc: qcom: pas: Check if coredump is enabled [ Upstream commit 7b6ece968fca4ec9e42d34caff7e06dc84c45717 ] Client drivers need to check if coredump is enabled for the rproc before continuing with coredump generation. This change adds a check in the PAS driver. Fixes: 8ed8485c4f05 ("remoteproc: qcom: Add capability to collect minidumps") Signed-off-by: Siddharth Gupta Signed-off-by: Sibi Sankar Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/1657022900-2049-5-git-send-email-quic_sibis@quicinc.com Signed-off-by: Sasha Levin commit 233221d284534a9cd41345b80c2e21354866351e Author: Zhihao Cheng Date: Wed Jul 13 21:00:29 2022 +0800 proc: fix a dentry lock race between release_task and lookup [ Upstream commit d919a1e79bac890421537cf02ae773007bf55e6b ] Commit 7bc3e6e55acf06 ("proc: Use a list of inodes to flush from proc") moved proc_flush_task() behind __exit_signal(). Then, process systemd can take long period high cpu usage during releasing task in following concurrent processes: systemd ps kernel_waitid stat(/proc/tgid) do_wait filename_lookup wait_consider_task lookup_fast release_task __exit_signal __unhash_process detach_pid __change_pid // remove task->pid_links d_revalidate -> pid_revalidate // 0 d_invalidate(/proc/tgid) shrink_dcache_parent(/proc/tgid) d_walk(/proc/tgid) spin_lock_nested(/proc/tgid/fd) // iterating opened fd proc_flush_pid | d_invalidate (/proc/tgid/fd) | shrink_dcache_parent(/proc/tgid/fd) | shrink_dentry_list(subdirs) ↓ shrink_lock_dentry(/proc/tgid/fd) --> race on dentry lock Function d_invalidate() will remove dentry from hash firstly, but why does proc_flush_pid() process dentry '/proc/tgid/fd' before dentry '/proc/tgid'? That's because proc_pid_make_inode() adds proc inode in reverse order by invoking hlist_add_head_rcu(). But proc should not add any inodes under '/proc/tgid' except '/proc/tgid/task/pid', fix it by adding inode into 'pid->inodes' only if the inode is /proc/tgid or /proc/tgid/task/pid. Performance regression: Create 200 tasks, each task open one file for 50,000 times. Kill all tasks when opened files exceed 10,000,000 (cat /proc/sys/fs/file-nr). Before fix: $ time killall -wq aa real 4m40.946s # During this period, we can see 'ps' and 'systemd' taking high cpu usage. After fix: $ time killall -wq aa real 1m20.732s # During this period, we can see 'systemd' taking high cpu usage. Link: https://lkml.kernel.org/r/20220713130029.4133533-1-chengzhihao1@huawei.com Fixes: 7bc3e6e55acf06 ("proc: Use a list of inodes to flush from proc") Link: https://bugzilla.kernel.org/show_bug.cgi?id=216054 Signed-off-by: Zhihao Cheng Signed-off-by: Zhang Yi Suggested-by: Brian Foster Reviewed-by: Brian Foster Cc: Al Viro Cc: Alexey Dobriyan Cc: Eric Biederman Cc: Matthew Wilcox Cc: Baoquan He Cc: Kalesh Singh Cc: Yu Kuai Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 80741a6a34a111a83d035bfa558440f5e181b093 Author: Tetsuo Handa Date: Wed Jun 22 14:46:31 2022 +0900 lib/smp_processor_id: fix imbalanced instrumentation_end() call [ Upstream commit bd27acaac24e4b252ee28dddcabaee80456d0faf ] Currently instrumentation_end() won't be called if printk_ratelimit() returned false. Link: https://lkml.kernel.org/r/a636d8e0-ad32-5888-acac-671f7f553bb3@I-love.SAKURA.ne.jp Fixes: 126f21f0e8d46e2c ("lib/smp_processor_id: Move it into noinstr section") Signed-off-by: Tetsuo Handa Cc: Thomas Gleixner Cc: Alexandre Chartre Cc: Peter Zijlstra Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 438be61de8d233c99fbca5ca74bc6f67e281c389 Author: Dan Carpenter Date: Fri Jun 24 08:30:04 2022 +0300 kfifo: fix kfifo_to_user() return type [ Upstream commit 045ed31e23aea840648c290dbde04797064960db ] The kfifo_to_user() macro is supposed to return zero for success or negative error codes. Unfortunately, there is a signedness bug so it returns unsigned int. This only affects callers which try to save the result in ssize_t and as far as I can see the only place which does that is line6_hwdep_read(). TL;DR: s/_uint/_int/. Link: https://lkml.kernel.org/r/YrVL3OJVLlNhIMFs@kili Fixes: 144ecf310eb5 ("kfifo: fix kfifo_alloc() to return a signed int value") Signed-off-by: Dan Carpenter Cc: Stefani Seibold Cc: Randy Dunlap Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 11f6fec9a014e15e7ec2e3f8c82b22d990c5e1b2 Author: Emil Renner Berthing Date: Tue Jul 5 23:01:40 2022 +0200 leds: pwm-multicolor: Don't show -EPROBE_DEFER as errors [ Upstream commit 399e7aa82105ea46d8998fa535b047541c48030f ] When requesting a PWM it might return -EPROBE_DEFER if it hasn't probed yet. This is not an error, so just propagate the -EPROBE_DEFER without logging anything. There is already dev_err_probe for exactly this situation. Fixes: 9fa2762110dd ("leds: Add PWM multicolor driver") Signed-off-by: Emil Renner Berthing Reviewed-by: Geert Uytterhoeven Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit 43e42c25a232a6862e7d2f292a069ac828559030 Author: Miaoqian Lin Date: Wed May 11 16:07:37 2022 +0400 rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge [ Upstream commit 65382585f067d4256ba087934f30f85c9b6984de ] of_parse_phandle() returns a node pointer with refcount incremented, we should use of_node_put() on it when done. Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend") Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220511120737.57374-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit b976cd24e87f673a3d2ef01d7c44eddc5e38b593 Author: Florian Fainelli Date: Thu Jul 14 15:25:12 2022 -0700 MIPS: Fixed __debug_virt_addr_valid() [ Upstream commit 8a2b456665d1e797123669581524cbb095fb003b ] It is permissible for kernel code to call virt_to_phys() against virtual addresses that are in KSEG0 or KSEG1 and we need to be dealing with both types. Rewrite the test condition to ensure that the kernel virtual addresses are above PAGE_OFFSET which they must be, and below KSEG2 where the non-linear mapping starts. For EVA, there is not much that we can do given the linear address range that is offered, so just return any virtual address as being valid. Finally, when HIGHMEM is not enabled, all virtual addresses are assumed to be valid as well. Fixes: dfad83cb7193 ("MIPS: Add support for CONFIG_DEBUG_VIRTUAL") Signed-off-by: Florian Fainelli Reviewed-by: Serge Semin Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 34b9a188557c1d5a50e07cf228d054101aee0af3 Author: Hangyu Hua Date: Wed Jul 13 09:55:11 2022 +0900 net: 9p: fix refcount leak in p9_read_work() error handling [ Upstream commit 4ac7573e1f9333073fa8d303acc941c9b7ab7f61 ] p9_req_put need to be called when m->rreq->rc.sdata is NULL to avoid temporary refcount leak. Link: https://lkml.kernel.org/r/20220712104438.30800-1-hbh25y@gmail.com Fixes: 728356dedeff ("9p: Add refcount to p9_req_t") Signed-off-by: Hangyu Hua [Dominique: commit wording adjustments, p9_req_put argument fixes for rebase] Signed-off-by: Dominique Martinet Signed-off-by: Sasha Levin commit c9d5188f5151742eba9b7b671b1739e1304abe07 Author: Kent Overstreet Date: Sun Jul 3 21:08:18 2022 -0400 9p: Add client parameter to p9_req_put() [ Upstream commit 8b11ff098af42b1fa57fc817daadd53c8b244a0c ] This is to aid in adding mempools, in the next patch. Link: https://lkml.kernel.org/r/20220704014243.153050-2-kent.overstreet@gmail.com Signed-off-by: Kent Overstreet Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Signed-off-by: Dominique Martinet Signed-off-by: Sasha Levin commit 2b38ea66703f230b5dbf884696907ac0b9509b24 Author: Kent Overstreet Date: Sun Jul 3 21:02:49 2022 -0400 9p: Drop kref usage [ Upstream commit 6cda12864cb0f99810a5809e11e3ee5b102c9a47 ] An upcoming patch is going to require passing the client through p9_req_put() -> p9_req_free(), but that's awkward with the kref indirection - so this patch switches to using refcount_t directly. Link: https://lkml.kernel.org/r/20220704014243.153050-1-kent.overstreet@gmail.com Signed-off-by: Kent Overstreet Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Signed-off-by: Dominique Martinet Signed-off-by: Sasha Levin commit 59cb621ace216d4daa47fb63c366ba635af667b3 Author: Sam Protsenko Date: Thu Jul 14 19:55:46 2022 +0300 iommu/exynos: Handle failed IOMMU device registration properly [ Upstream commit fce398d2d02c0a9a2bedf7c7201b123e153e8963 ] If iommu_device_register() fails in exynos_sysmmu_probe(), the previous calls have to be cleaned up. In this case, the iommu_device_sysfs_add() should be cleaned up, by calling its remove counterpart call. Fixes: d2c302b6e8b1 ("iommu/exynos: Make use of iommu_device_register interface") Signed-off-by: Sam Protsenko Reviewed-by: Krzysztof Kozlowski Acked-by: Marek Szyprowski Link: https://lore.kernel.org/r/20220714165550.8884-3-semen.protsenko@linaro.org Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit fe831fcc9ab32a0e2ce036e37420a713caa3f361 Author: Doug Berger Date: Wed Jul 13 20:13:15 2022 -0700 serial: 8250_bcm7271: Save/restore RTS in suspend/resume [ Upstream commit 3182efd036c1b955403d131258234896cbd9fbeb ] Commit 9cabe26e65a8 ("serial: 8250_bcm7271: UART errors after resuming from S2") prevented an early enabling of RTS during resume, but it did not actively restore the RTS state after resume. Fixes: 9cabe26e65a8 ("serial: 8250_bcm7271: UART errors after resuming from S2") Signed-off-by: Doug Berger Signed-off-by: Florian Fainelli Link: https://lore.kernel.org/r/20220714031316.404918-1-f.fainelli@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 27e070151cd39e72150a977a17b3de0d5ed7571d Author: Dan Carpenter Date: Fri Jul 8 16:48:36 2022 +0300 ASoC: SOF: ipc-msg-injector: fix copy in sof_msg_inject_ipc4_dfs_write() [ Upstream commit fa9b878ff86f4adccddf62492a5894fbdb04f97d ] There are two bugs that have to do with when we copy the payload: size = simple_write_to_buffer(ipc4_msg->data_ptr, priv->max_msg_size, ppos, buffer, count); The value of "*ppos" was supposed to be zero but it is sizeof(ipc4_msg->header_u64) so it will copy the data into the middle of the "ipc4_msg->data_ptr" buffer instead of to the start. The second problem is "buffer" should be "buffer + sizeof(ipc4_msg->header_u64)". This function is used for fuzz testing so the data is normally random and this bug likely does not affect anyone very much. In this context, it's simpler and more appropriate to use copy_from_user() instead of simple_write_to_buffer() so I have re-written the function. Fixes: 066c67624d8c ("ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/Ysg1tB2FKLnRMsel@kili Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1e7fe6906e9755d9e0242f9619c894ecd82fb9da Author: Liang He Date: Wed Jul 13 18:20:13 2022 +0800 ASoC: mt6359: Fix refcount leak bug [ Upstream commit a8d5df69e2ec702d979f7d04ed519caf8691a032 ] In mt6359_parse_dt() and mt6359_accdet_parse_dt(), we should call of_node_put() for the reference returned by of_get_child_by_name() which has increased the refcount. Fixes: 683530285316 ("ASoC: mt6359: fix failed to parse DT properties") Fixes: eef07b9e0925 ("ASoC: mediatek: mt6359: add MT6359 accdet jack driver") Signed-off-by: Liang He Link: https://lore.kernel.org/r/20220713102013.367336-1-windhl@126.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7a63a8c253bf57dfd9fa3ee2a7f1a3727505f947 Author: Liang He Date: Wed Jul 13 15:12:00 2022 +0800 ASoc: audio-graph-card2: Fix refcount leak bug in __graph_get_type() [ Upstream commit eda26893dabfc6da7a1e1ff5f8628ed9faab3ab9 ] We should call of_node_put() for the reference before its replacement as it returned by of_get_parent() which has increased the refcount. Besides, we should also call of_node_put() before return. Fixes: c8c74939f791 ("ASoC: audio-graph-card2: add Multi CPU/Codec support") Signed-off-by: Liang He Link: https://lore.kernel.org/r/20220713071200.366729-1-windhl@126.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6d90c0829fe73c478e63fe90b4cec716271fb6e1 Author: Yang Yingliang Date: Tue May 17 21:34:50 2022 +0800 cpufreq: mediatek: fix error return code in mtk_cpu_dvfs_info_init() [ Upstream commit 72d67d6b3447303a441a8cedc34f7224b75f64b5 ] If regulator_get_voltage() fails, it should return the error code in mtk_cpu_dvfs_info_init(). Fixes: 0daa47325bae ("cpufreq: mediatek: Link CCI device to CPU") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Rex-BC Chen Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit c2eddfcafcffaf1b9245ea0dde9143bbfb47d5d1 Author: Peter Ujfalusi Date: Tue Jul 12 16:01:03 2022 +0300 ASoC: SOF: ipc3-topology: Prevent double freeing of ipc_control_data via load_bytes [ Upstream commit d5bd47f3ca124058a8e87eae4508afeda2132611 ] We have sanity checks for byte controls and if any of the fail the locally allocated scontrol->ipc_control_data is freed up, but not set to NULL. On a rollback path of the error the higher level code will also try to free the scontrol->ipc_control_data which will eventually going to lead to memory corruption as double freeing memory is not a good thing. Fixes: b5cee8feb1d4 ("ASoC: SOF: topology: Make control parsing IPC agnostic") Reported-by: Seppo Ingalsuo Signed-off-by: Peter Ujfalusi Reviewed-by: Seppo Ingalsuo Reviewed-by: Ranjani Sridharan Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220712130103.31514-1-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ee20cdbedeb274629715aed2e74c7e9ff1bce3c2 Author: Alexander Lobakin Date: Mon Jul 11 20:09:29 2022 +0200 lib/bitmap: fix off-by-one in bitmap_to_arr64() [ Upstream commit 428bc098635680a664779f26f24fe9197d186172 ] GENMASK*() family takes the first and the last bits of the mask *including* them. So, with the current code bitmap_to_arr64() doesn't clear the tail properly: nbits % exp mask must be 1 GENMASK(1, 0) 0x3 0x1 ... 63 GENMASK(63, 0) 0xffffffffffffffff 0x7fffffffffffffff This was found by making the function always available instead of 32-bit BE systems only (for reusing in some new functionality). Turn the number of bits into the last bit set by subtracting 1. @nbits is already checked to be positive beforehand. Fixes: 0a97953fd221 ("lib: add bitmap_{from,to}_arr64") Signed-off-by: Alexander Lobakin Reviewed-by: Andy Shevchenko Signed-off-by: Yury Norov Signed-off-by: Sasha Levin commit 4e43ae1055c8eb7f896e7e6058c356df42c6ab7f Author: Robin Murphy Date: Tue Jul 12 08:46:45 2022 +0200 swiotlb: fail map correctly with failed io_tlb_default_mem [ Upstream commit c51ba246cb172c9e947dc6fb8868a1eaf0b2a913 ] In the failure case of trying to use a buffer which we'd previously failed to allocate, the "!mem" condition is no longer sufficient since io_tlb_default_mem became static and assigned by default. Update the condition to work as intended per the rest of that conversion. Fixes: 463e862ac63e ("swiotlb: Convert io_default_tlb_mem to static allocation") Signed-off-by: Robin Murphy Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 4d9985f7935a1a957c6defd33c4545b04cfdc644 Author: YC Hung Date: Fri Jul 8 15:39:04 2022 -0500 ASoC: SOF: mediatek: fix mt8195 StatvectorSel wrong setting [ Upstream commit 99bad468846f7a255dcfc95454401c83ae02e89b ] Fix StatVectorSel wrong setting. Fixes: b7f6503830 ("ASoC: SOF: mediatek: Add fw loader and mt8195 dsp ops to load firmware") Signed-off-by: Pierre-Louis Bossart Signed-off-by: YC Hung Reviewed-by: Li-Yu Yu Reviewed-by: Ranjani Sridharan Reviewed-by: KuanHsun Cheng Reviewed-by: Péter Ujfalusi Link: https://lore.kernel.org/r/20220708203904.29214-3-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6712456b97a8b119c8e37150f24615693dc98a7f Author: Florian Fainelli Date: Thu Jul 7 13:27:58 2022 -0700 MIPS: vdso: Utilize __pa() for gic_pfn [ Upstream commit 8baa65126e19af5ee9f3c07e7bb53da41c39e4b1 ] The GIC user offset is mapped into every process' virtual address and is therefore part of the hot-path of arch_setup_additional_pages(). Utilize __pa() such that we are more optimal even when CONFIG_DEBUG_VIRTUAL is enabled, and while at it utilize PFN_DOWN() instead of open-coding the right shift by PAGE_SHIFT. Reported-by: Greg Ungerer Suggested-by: Serge Semin Fixes: dfad83cb7193 ("MIPS: Add support for CONFIG_DEBUG_VIRTUAL") Signed-off-by: Florian Fainelli Acked-by: Greg Ungerer Tested-by: Greg Ungerer Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 24578ae33973ee1947e7138863c2e8c6cb134616 Author: Daniel Starke Date: Thu Jul 7 13:32:23 2022 +0200 tty: n_gsm: fix missing corner cases in gsmld_poll() [ Upstream commit 7e5b4322cde067e1d0f1bf8f490e93f664a7c843 ] gsmld_poll() currently fails to handle the following corner cases correctly: - remote party closed the associated tty Add the missing checks and map those to EPOLLHUP. Reorder the checks to group them by their reaction. Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Signed-off-by: Daniel Starke Link: https://lore.kernel.org/r/20220707113223.3685-4-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 96114c3b26956f536275bc0267d1ba91bfb8782c Author: Daniel Starke Date: Thu Jul 7 13:32:22 2022 +0200 tty: n_gsm: fix flow control handling in tx path [ Upstream commit 59ff0680ecbfec742b1e0381e7cc46b41eb06647 ] The current implementation constipates all transmission paths during flow control except for flow control frames. However, these may not be located at the beginning of the transmission queue of the control channel. Ensure that flow control frames in the transmission queue for the control channel are always handled even if constipated by skipping through other messages. Fixes: 0af021678d5d ("tty: n_gsm: fix deadlock and link starvation in outgoing data path") Signed-off-by: Daniel Starke Link: https://lore.kernel.org/r/20220707113223.3685-3-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e5e39b524473d86b022b9d45e680f2a66626cb17 Author: Daniel Starke Date: Thu Jul 7 13:32:21 2022 +0200 tty: n_gsm: fix DM command [ Upstream commit 18a948c7d90995d127785e308fa7b701df4c499f ] n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010. See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516 The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to the newer 27.010 here. Chapter 5.3.3 defines the DM response. There exists no DM command. However, the current implementation incorrectly sends DM as command in case of unexpected UIH frames in gsm_queue(). Correct this behavior by always sending DM as response. Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Signed-off-by: Daniel Starke Link: https://lore.kernel.org/r/20220707113223.3685-2-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9a5143207cad34d13a3f6a912adabad53384a8ad Author: Daniel Starke Date: Thu Jul 7 13:32:20 2022 +0200 tty: n_gsm: fix wrong T1 retry count handling [ Upstream commit f30e10caa80aa1f35508bc17fc302dbbde9a833c ] n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010. See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516 The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to the newer 27.010 here. Chapter 5.7.3 states that the valid range for the maximum number of retransmissions (N2) is from 0 to 255 (both including). gsm_dlci_t1() handles this number incorrectly by performing N2 - 1 retransmission attempts. Setting N2 to zero results in more than 255 retransmission attempts. Fix gsm_dlci_t1() to comply with 3GPP 27.010. Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Signed-off-by: Daniel Starke Link: https://lore.kernel.org/r/20220707113223.3685-1-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 233be4375a883de45fb9d431e0e4b4b7d28de91a Author: Uwe Kleine-König Date: Mon Jul 4 10:51:19 2022 +0200 serial: 8250_fsl: Don't report FE, PE and OE twice [ Upstream commit 9d3aaceb73acadf134596a2f8db9c451c1332d3d ] Some Freescale 8250 implementations have the problem that a single long break results in one irq per character frame time. The code in fsl8250_handle_irq() that is supposed to handle that uses the BI bit in lsr_saved_flags to detect such a situation and then skip the second received character. However it also stores other error bits and so after a single frame error the character received in the next irq handling is passed to the upper layer with a frame error, too. So after a spike on the data line (which is correctly recognized as a frame error) the following valid character is thrown away, because the driver reports a frame error for that one, too. To weaken this problem restrict saving LSR to only the BI bit. Note however that the handling is still broken: - lsr_saved_flags is updated using orig_lsr which is the LSR content for the first received char, but there might be more in the FIFO, so a character is thrown away that is received later and not necessarily the one following the break. - The doubled break might be the 2nd and 3rd char in the FIFO, so the workaround doesn't catch these, because serial8250_rx_chars() doesn't handle the workaround. - lsr_saved_flags might have set UART_LSR_BI at the entry of fsl8250_handle_irq() which doesn't originate from fsl8250_handle_irq()'s "up->lsr_saved_flags |= orig_lsr & UART_LSR_BI;" but from e.g. from serial8250_tx_empty(). - For a long or a short break this isn't about two characters, but more or only a single one. Fixes: 9deaa53ac7fa ("serial: add irq handler for Freescale 16550 errata.") Acked-by: Ilpo Järvinen Signed-off-by: Uwe Kleine-König Link: https://lore.kernel.org/r/20220704085119.55900-1-u.kleine-koenig@pengutronix.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d4145731e3f875145f21eb780777f7bf2252a476 Author: Kuninori Morimoto Date: Fri Jul 1 05:18:14 2022 +0000 ASoC: audio-graph-card2.c: use of_property_read_u32() for rate [ Upstream commit 817a62108dfacebd548e38451bf0e7eee023e97f ] Audio Graph Card2 is using of_get_property(), but it should use of_property_read_u32() to getting rate. Otherwise the setting will be strange value. This patch fixup it. Fixes: c3a15c92a67b701 ("ASoC: audio-graph-card2: add Codec2Codec support") Signed-off-by: Kuninori Morimoto Link: https://lore.kernel.org/r/87h741s961.wl-kuninori.morimoto.gx@renesas.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8c8d8ff760947ee0f2b7c9220888cea714238154 Author: Eric Farman Date: Thu Jul 7 15:57:29 2022 +0200 vfio/ccw: Do not change FSM state in subchannel event [ Upstream commit cffcc109fd682075dee79bade3d60a07152a8fd1 ] The routine vfio_ccw_sch_event() is tasked with handling subchannel events, specifically machine checks, on behalf of vfio-ccw. It correctly calls cio_update_schib(), and if that fails (meaning the subchannel is gone) it makes an FSM event call to mark the subchannel Not Operational. If that worked, however, then it decides that if the FSM state was already Not Operational (implying the subchannel just came back), then it should simply change the FSM to partially- or fully-open. Remove this trickery, since a subchannel returning will require more probing than simply "oh all is well again" to ensure it works correctly. Fixes: bbe37e4cb8970 ("vfio: ccw: introduce a finite state machine") Signed-off-by: Eric Farman Reviewed-by: Matthew Rosato Link: https://lore.kernel.org/r/20220707135737.720765-4-farman@linux.ibm.com Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit b9c7dddf384e2ed7e38fc351408acc409348735e Author: Eric Farman Date: Thu Jul 7 15:57:28 2022 +0200 vfio/ccw: Fix FSM state if mdev probe fails [ Upstream commit f6c876d67e956de8d69349b0ee43bc7277c09e5c ] The FSM is in STANDBY state when arriving in vfio_ccw_mdev_probe(), and this routine converts it to IDLE as part of its processing. The error exit sets it to IDLE (again) but clears the private->mdev pointer. The FSM should of course be managing the state itself, but the correct thing for vfio_ccw_mdev_probe() to do would be to put the state back the way it found it. The corresponding check of private->mdev in vfio_ccw_sch_io_todo() can be removed, since the distinction is unnecessary at this point. Fixes: 3bf1311f351ef ("vfio/ccw: Convert to use vfio_register_emulated_iommu_dev()") Signed-off-by: Eric Farman Reviewed-by: Jason Gunthorpe Reviewed-by: Matthew Rosato Link: https://lore.kernel.org/r/20220707135737.720765-3-farman@linux.ibm.com Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 46580fbbc52c0a3088fa8fa2d0d7d1818c84c0f0 Author: Michael Kawano Date: Thu Jul 7 15:57:27 2022 +0200 vfio/ccw: Remove UUID from s390 debug log [ Upstream commit 3566ee1d776c1393393564b2514f9cd52a49c16e ] As vfio-ccw devices are created/destroyed, the uuid of the associated mdevs that are recorded in $S390DBF/vfio_ccw_msg/sprintf get lost. This is because a pointer to the UUID is stored instead of the UUID itself, and that memory may have been repurposed if/when the logs are examined. The result is usually garbage UUID data in the logs, though there is an outside chance of an oops happening here. Simply remove the UUID from the traces, as the subchannel number will provide useful configuration information for problem determination, and is stored directly into the log instead of a pointer. As we were the only consumer of mdev_uuid(), remove that too. Cc: Kirti Wankhede Signed-off-by: Michael Kawano Fixes: 60e05d1cf0875 ("vfio-ccw: add some logging") Fixes: b7701dfbf9832 ("vfio-ccw: Register a chp_event callback for vfio-ccw") [farman: reworded commit message, added Fixes: tags] Signed-off-by: Eric Farman Reviewed-by: Jason Gunthorpe Reviewed-by: Matthew Rosato Reviewed-by: Kirti Wankhede Link: https://lore.kernel.org/r/20220707135737.720765-2-farman@linux.ibm.com Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 606f14d93ac65c58b5015c202fd4cbd3dea9c988 Author: Sireesh Kodali Date: Thu May 26 19:47:39 2022 +0530 remoteproc: qcom: wcnss: Fix handling of IRQs [ Upstream commit bed0adac1ded4cb486ba19a3a7e730fbd9a1c9c6 ] The wcnss_get_irq function is expected to return a value > 0 in the event that an IRQ is succssfully obtained, but it instead returns 0. This causes the stop and ready IRQs to never actually be used despite being defined in the device-tree. This patch fixes that. Fixes: aed361adca9f ("remoteproc: qcom: Introduce WCNSS peripheral image loader") Signed-off-by: Sireesh Kodali Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220526141740.15834-2-sireeshkodali1@gmail.com Signed-off-by: Sasha Levin commit 0114dd51475c484b347984e4028e13cb1a01faad Author: Shengjiu Wang Date: Wed Jul 6 17:42:55 2022 +0800 ASoC: imx-card: Fix DSD/PDM mclk frequency [ Upstream commit c0fabd12a8570cb932f13d9388f3d887ad44369b ] The DSD/PDM rate not only DSD64/128/256/512, which are the multiple rate of 44.1kHz, but also support the multiple rate of 8kHz, so can't force all mclk frequency to be 22579200Hz, need to assign the frequency according to rate. Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver") Signed-off-by: Shengjiu Wang Link: https://lore.kernel.org/r/1657100575-8261-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit eaba8754c2d2645a7a38b3fd67a5614037a64ec1 Author: Tiezhu Yang Date: Mon Jun 27 15:07:13 2022 +0800 MIPS: Loongson64: Fix section mismatch warning [ Upstream commit 08472f6ebdc23334ad11dcd761d2d52c32897793 ] prom_init_numa_memory() is annotated __init and not used by any module, thus don't export it. Remove not needed EXPORT_SYMBOL for prom_init_numa_memory() to fix the following section mismatch warning: LD vmlinux.o MODPOST vmlinux.symvers WARNING: modpost: vmlinux.o(___ksymtab+prom_init_numa_memory+0x0): Section mismatch in reference from the variable __ksymtab_prom_init_numa_memory to the function .init.text:prom_init_numa_memory() The symbol prom_init_numa_memory is exported and annotated __init Fix this by removing the __init annotation of prom_init_numa_memory or drop the export. This is build on Linux 5.19-rc4. Fixes: 6fbde6b492df ("MIPS: Loongson64: Move files to the top-level directory") Signed-off-by: Tiezhu Yang Reviewed-by: Huacai Chen Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit fc90b34c227c07751aebd52b77d38e92391a6c73 Author: Liang He Date: Sat Jul 2 10:01:09 2022 +0800 ASoC: qcom: Fix missing of_node_put() in asoc_qcom_lpass_cpu_platform_probe() [ Upstream commit f507c0c67dac57d2bcd5dcae4b6139b0305d8957 ] We should call of_node_put() for the reference 'dsp_of_node' returned by of_parse_phandle() which will increase the refcount. Fixes: 9bae4880acee ("ASoC: qcom: move ipq806x specific bits out of lpass driver.") Co-authored-by: Miaoqian Lin Signed-off-by: Liang He Link: https://lore.kernel.org/r/20220702020109.263980-1-windhl@126.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit bd5f447061a11a603a97c9810de1b814e283bd2d Author: Daniel Starke Date: Fri Jul 1 14:23:32 2022 +0200 tty: n_gsm: fix resource allocation order in gsm_activate_mux() [ Upstream commit 7349660438603ed19282e75949561406531785a5 ] Within gsm_activate_mux() all timers and locks are initiated before the actual resource for the control channel is allocated. This can lead to race conditions. Allocate the control channel DLCI object first to avoid race conditions. Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Signed-off-by: Daniel Starke Link: https://lore.kernel.org/r/20220701122332.2039-2-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7962a4b900099cf90e02859bb297f2c618d8d940 Author: Daniel Starke Date: Fri Jul 1 14:23:31 2022 +0200 tty: n_gsm: fix deadlock and link starvation in outgoing data path [ Upstream commit 0af021678d5d30c31f5a6b631f404ead3575212a ] The current implementation queues up new control and user packets as needed and processes this queue down to the ldisc in the same code path. That means that the upper and the lower layer are hard coupled in the code. Due to this deadlocks can happen as seen below while transmitting data, especially during ldisc congestion. Furthermore, the data channels starve the control channel on high transmission load on the ldisc. Introduce an additional control channel data queue to prevent timeouts and link hangups during ldisc congestion. This is being processed before the user channel data queue in gsm_data_kick(), i.e. with the highest priority. Put the queue to ldisc data path into a workqueue and trigger it whenever new data has been put into the transmission queue. Change gsm_dlci_data_sweep() accordingly to fill up the transmission queue until TX_THRESH_HI. This solves the locking issue, keeps latency low and provides good performance on high data load. Note that now all packets from a DLCI are removed from the internal queue if the associated DLCI was closed. This ensures that no data is sent by the introduced write task to an already closed DLCI. BUG: spinlock recursion on CPU#0, test_v24_loop/124 lock: serial8250_ports+0x3a8/0x7500, .magic: dead4ead, .owner: test_v24_loop/124, .owner_cpu: 0 CPU: 0 PID: 124 Comm: test_v24_loop Tainted: G O 5.18.0-rc2 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: dump_stack_lvl+0x34/0x44 do_raw_spin_lock+0x76/0xa0 _raw_spin_lock_irqsave+0x72/0x80 uart_write_room+0x3b/0xc0 gsm_data_kick+0x14b/0x240 [n_gsm] gsmld_write_wakeup+0x35/0x70 [n_gsm] tty_wakeup+0x53/0x60 tty_port_default_wakeup+0x1b/0x30 serial8250_tx_chars+0x12f/0x220 serial8250_handle_irq.part.0+0xfe/0x150 serial8250_default_handle_irq+0x48/0x80 serial8250_interrupt+0x56/0xa0 __handle_irq_event_percpu+0x78/0x1f0 handle_irq_event+0x34/0x70 handle_fasteoi_irq+0x90/0x1e0 __common_interrupt+0x69/0x100 common_interrupt+0x48/0xc0 asm_common_interrupt+0x1e/0x40 RIP: 0010:__do_softirq+0x83/0x34e Code: 2a 0a ff 0f b7 ed c7 44 24 10 0a 00 00 00 48 c7 c7 51 2a 64 82 e8 2d e2 d5 ff 65 66 c7 05 83 af 1e 7e 00 00 fb b8 ff ff ff ff <49> c7 c2 40 61 80 82 0f bc c5 41 89 c4 41 83 c4 01 0f 84 e6 00 00 RSP: 0018:ffffc90000003f98 EFLAGS: 00000286 RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff82642a51 RDI: ffffffff825bb5e7 RBP: 0000000000000200 R08: 00000008de3271a8 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000030 R14: 0000000000000000 R15: 0000000000000000 ? __do_softirq+0x73/0x34e irq_exit_rcu+0xb5/0x100 common_interrupt+0xa4/0xc0 asm_common_interrupt+0x1e/0x40 RIP: 0010:_raw_spin_unlock_irqrestore+0x2e/0x50 Code: 00 55 48 89 fd 48 83 c7 18 53 48 89 f3 48 8b 74 24 10 e8 85 28 36 ff 48 89 ef e8 cd 58 36 ff 80 e7 02 74 01 fb bf 01 00 00 00 3d 97 33 ff 65 8b 05 96 23 2b 7e 85 c0 74 03 5b 5d c3 0f 1f 44 RSP: 0018:ffffc9000020fd08 EFLAGS: 00000202 RAX: 0000000000000000 RBX: 0000000000000246 RCX: 0000000000000000 RDX: 0000000000000004 RSI: ffffffff8257fd74 RDI: 0000000000000001 RBP: ffff8880057de3a0 R08: 00000008de233000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000100 R14: 0000000000000202 R15: ffff8880057df0b8 ? _raw_spin_unlock_irqrestore+0x23/0x50 gsmtty_write+0x65/0x80 [n_gsm] n_tty_write+0x33f/0x530 ? swake_up_all+0xe0/0xe0 file_tty_write.constprop.0+0x1b1/0x320 ? n_tty_flush_buffer+0xb0/0xb0 new_sync_write+0x10c/0x190 vfs_write+0x282/0x310 ksys_write+0x68/0xe0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f3e5e35c15c Code: 8b 7c 24 08 89 c5 e8 c5 ff ff ff 89 ef 89 44 24 08 e8 58 bc 02 00 8b 44 24 08 48 83 c4 10 5d c3 48 63 ff b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 10 48 8b 15 fd fc 05 00 f7 d8 64 89 02 48 83 RSP: 002b:00007ffcee77cd18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007ffcee77cd70 RCX: 00007f3e5e35c15c RDX: 0000000000000100 RSI: 00007ffcee77cd90 RDI: 0000000000000003 RBP: 0000000000000100 R08: 0000000000000000 R09: 7efefefefefefeff R10: 00007f3e5e3bddeb R11: 0000000000000246 R12: 00007ffcee77ce8f R13: 0000000000000001 R14: 000056214404e010 R15: 00007ffcee77cd90 Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Signed-off-by: Daniel Starke Link: https://lore.kernel.org/r/20220701122332.2039-1-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5320aa45f526ddd3374e6226842467b788894b34 Author: Daniel Starke Date: Fri Jul 1 08:16:52 2022 +0200 tty: n_gsm: fix race condition in gsmld_write() [ Upstream commit 32dd59f96924f45e33bc79854f7a00679c0fa28e ] The function may be used by the user directly and also by the n_gsm internal functions. They can lead into a race condition which results in interleaved frames if both are writing at the same time. The receiving side is not able to decode those interleaved frames correctly. Add a lock around the low side tty write to avoid race conditions and frame interleaving between user originated writes and n_gsm writes. Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Signed-off-by: Daniel Starke Link: https://lore.kernel.org/r/20220701061652.39604-9-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 51556905dda5596649147f8704f64a58dfccd19b Author: Daniel Starke Date: Fri Jul 1 08:16:50 2022 +0200 tty: n_gsm: fix packet re-transmission without open control channel [ Upstream commit 4fae831b3a71fc5a44cc5c7d0b8c1267ee7659f5 ] In the current implementation control packets are re-transmitted even if the control channel closed down during T2. This is wrong. Check whether the control channel is open before re-transmitting any packets. Note that control channel open/close is handled by T1 and not T2 and remains unaffected by this. Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Signed-off-by: Daniel Starke Link: https://lore.kernel.org/r/20220701061652.39604-7-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2012b064f9895e0958f3c8612fa2c120efd32bbd Author: Daniel Starke Date: Fri Jul 1 08:16:48 2022 +0200 tty: n_gsm: fix non flow control frames during mux flow off [ Upstream commit bec0224816d19abe4fe503586d16d51890540615 ] n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010. See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516 The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to the newer 27.010 here. Chapter 5.4.6.3.6 states that FCoff stops the transmission on all channels except the control channel. This is already implemented in gsm_data_kick(). However, chapter 5.4.8.1 explains that this shall result in the same behavior as software flow control on the ldisc in advanced option mode. That means only flow control frames shall be sent during flow off. The current implementation does not consider this case. Change gsm_data_kick() to send only flow control frames if constipated to abide the standard. gsm_read_ea_val() and gsm_is_flow_ctrl_msg() are introduced as helper functions for this. It is planned to use gsm_read_ea_val() in later code cleanups for other functions, too. Fixes: c01af4fec2c8 ("n_gsm : Flow control handling in Mux driver") Signed-off-by: Daniel Starke Link: https://lore.kernel.org/r/20220701061652.39604-5-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 692e847a8e6607909c4a3f98ab16ccee7849bd11 Author: Daniel Starke Date: Fri Jul 1 08:16:47 2022 +0200 tty: n_gsm: fix missing timer to handle stalled links [ Upstream commit c568f7086c6e771c77aad13d727c70ef70e07243 ] The current implementation does not handle the situation that no data is in the internal queue and needs to be sent out while the user tty fifo is full. Add a timer that moves more data from user tty down to the internal queue which is then serialized on the ldisc. This timer is triggered if no data was moved from a user tty to the internal queue within 10 * T1. Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Signed-off-by: Daniel Starke Link: https://lore.kernel.org/r/20220701061652.39604-4-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e5e1eed82338fba33e8d02c841cc26055c2614c9 Author: Daniel Starke Date: Fri Jul 1 08:16:46 2022 +0200 tty: n_gsm: fix wrong queuing behavior in gsm_dlci_data_output() [ Upstream commit 556fc8ac06513cced381588d6d58c184d95cc4fe ] 1) The function drains the fifo for the given user tty/DLCI without considering 'TX_THRESH_HI' and different to gsm_dlci_data_output_framed(), which moves only one packet from the user side to the internal transmission queue. We can only handle one packet at a time here if we want to allow DLCI priority handling in gsm_dlci_data_sweep() to avoid link starvation. 2) Furthermore, the additional header octet from convergence layer type 2 is not counted against MTU. It is part of the UI/UIH frame message which needs to be limited to MTU. Hence, it is wrong not to consider this octet. 3) Finally, the waiting user tty is not informed about freed space in its send queue. Take at most one packet worth of data out of the DLCI fifo to fix 1). Limit the max user data size per packet to MTU - 1 in case of convergence layer type 2 to leave space for the control signal octet which is added in the later part of the function. This fixes 2). Add tty_port_tty_wakeup() to wake up the user tty if new write space has been made available to fix 3). Fixes: 268e526b935e ("tty/n_gsm: avoid fifo overflow in gsm_dlci_data_output") Signed-off-by: Daniel Starke Link: https://lore.kernel.org/r/20220701061652.39604-3-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5e59c010c6862da329db17acca086afd8bea1aa8 Author: Daniel Starke Date: Fri Jul 1 08:16:45 2022 +0200 tty: n_gsm: fix tty registration before control channel open [ Upstream commit 01aecd917114577c423f07cec0d186ad007d76fc ] The current implementation registers/deregisters the user ttys at mux attach/detach. That means that the user devices are available before any control channel is open. However, user channel initialization requires an open control channel. Furthermore, the user is not informed if the mux restarts due to configuration changes. Put the registration/deregistration procedure into separate function to improve readability. Move registration to mux activation and deregistration to mux cleanup to keep the user devices only open as long as a control channel exists. The user will be informed via the device driver if the mux was reconfigured in a way that required a mux re-activation. This makes it necessary to add T2 initialization to gsmld_open() for the ldisc open code path (not the reconfiguration code path) to avoid deletion of an uninitialized T2 at mux cleanup. Fixes: d50f6dcaf22a ("tty: n_gsm: expose gsmtty device nodes at ldisc open time") Signed-off-by: Daniel Starke Link: https://lore.kernel.org/r/20220701061652.39604-2-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 07a07c87c0d2a16f145e38a726432f3d845e4445 Author: Daniel Starke Date: Fri Jul 1 08:16:44 2022 +0200 tty: n_gsm: fix user open not possible at responder until initiator open [ Upstream commit ac77f0077c3265197d378158c85a55eee6d21508 ] After setting up the control channel on both sides the responder side may want to open a virtual tty to listen on until the initiator starts an application on a user channel. The current implementation allows the open() but no other operation, like termios. These fail with EINVAL. The responder sided application has no means to detect an open by the initiator sided application this way. And the initiator sided applications usually expect the responder sided application to listen on the user channel upon open. Set the user channel into half-open state on responder side once a user application opens the virtual tty to allow IO operations on it. Furthermore, keep the user channel constipated until the initiator side opens it to give the responder sided application the chance to detect the new connection and to avoid data loss if the responder sided application starts sending before the user channel is open. Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Signed-off-by: Daniel Starke Link: https://lore.kernel.org/r/20220701061652.39604-1-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5e512be069fa8d495391fed1f53f500af74da3af Author: Alexander Lobakin Date: Fri Jun 24 14:13:11 2022 +0200 net/ice: fix initializing the bitmap in the switch code [ Upstream commit 2f7ee2a72ccec8b85a05c4644d7ec9f40c1c50c8 ] Kbuild spotted the following bug during the testing of one of the optimizations: In file included from include/linux/cpumask.h:12, [...] from drivers/net/ethernet/intel/ice/ice_switch.c:4: drivers/net/ethernet/intel/ice/ice_switch.c: In function 'ice_find_free_recp_res_idx.constprop': include/linux/bitmap.h:447:22: warning: 'possible_idx[0]' is used uninitialized [-Wuninitialized] 447 | *map |= GENMASK(start + nbits - 1, start); | ^~ In file included from drivers/net/ethernet/intel/ice/ice.h:7, from drivers/net/ethernet/intel/ice/ice_lib.h:7, from drivers/net/ethernet/intel/ice/ice_switch.c:4: drivers/net/ethernet/intel/ice/ice_switch.c:4929:24: note: 'possible_idx[0]' was declared here 4929 | DECLARE_BITMAP(possible_idx, ICE_MAX_FV_WORDS); | ^~~~~~~~~~~~ include/linux/types.h:11:23: note: in definition of macro 'DECLARE_BITMAP' 11 | unsigned long name[BITS_TO_LONGS(bits)] | ^~~~ %ICE_MAX_FV_WORDS is 48, so bitmap_set() here was initializing only 48 bits, leaving a junk in the rest 16. It was previously hidden due to that filling 48 bits makes bitmap_set() call external __bitmap_set(), but after making it use plain bit arithmetics on small bitmaps, compilers started seeing the issue. It was still working because those 16 weren't used anywhere anyhow. bitmap_{clear,set}() are not really intended to initialize bitmaps, rather to modify already initialized ones, as they don't do anything past the passed number of bits. The correct function to do this in that particular case is bitmap_fill(), so use it here. It will do `*possible_idx = ~0UL` instead of `*possible_idx |= GENMASK(47, 0)`, not leaving anything in an undefined state. Fixes: fd2a6b71e300 ("ice: create advanced switch recipe") Reported-by: kernel test robot Signed-off-by: Alexander Lobakin Signed-off-by: Yury Norov Signed-off-by: Sasha Levin commit bba6b12d73d36e0ddbc2c3ac5668a667b00d4345 Author: Yishai Hadas Date: Tue Jun 28 18:59:10 2022 +0300 vfio: Split migration ops from main device ops [ Upstream commit 6e97eba8ad8748fabb795cffc5d9e1a7dcfd7367 ] vfio core checks whether the driver sets some migration op (e.g. set_state/get_state) and accordingly calls its op. However, currently mlx5 driver sets the above ops without regards to its migration caps. This might lead to unexpected usage/Oops if user space may call to the above ops even if the driver doesn't support migration. As for example, the migration state_mutex is not initialized in that case. The cleanest way to manage that seems to split the migration ops from the main device ops, this will let the driver setting them separately from the main ops when it's applicable. As part of that, validate ops construction on registration and include a check for VFIO_MIGRATION_STOP_COPY since the uAPI claims it must be set in migration_flags. HISI driver was changed as well to match this scheme. This scheme may enable down the road to come with some extra group of ops (e.g. DMA log) that can be set without regards to the other options based on driver caps. Fixes: 6fadb021266d ("vfio/mlx5: Implement vfio_pci driver for mlx5 devices") Reviewed-by: Kevin Tian Signed-off-by: Yishai Hadas Link: https://lore.kernel.org/r/20220628155910.171454-3-yishaih@nvidia.com Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 74b28771699892df6b6bcb336c3e3542abf2216d Author: Yishai Hadas Date: Tue Jun 28 18:59:09 2022 +0300 vfio/mlx5: Protect mlx5vf_disable_fds() upon close device [ Upstream commit 2b1c1906286fa547845f5385ee72db74b2b0251d ] Protect mlx5vf_disable_fds() upon close device to be called under the state mutex as done in all other places. This will prevent a race with any other flow which calls mlx5vf_disable_fds() as of health/recovery upon MLX5_PF_NOTIFY_DISABLE_VF event. Encapsulate this functionality in a separate function named mlx5vf_cmd_close_migratable() to consider migration caps and for further usage upon close device. Fixes: 6fadb021266d ("vfio/mlx5: Implement vfio_pci driver for mlx5 devices") Reviewed-by: Kevin Tian Signed-off-by: Yishai Hadas Link: https://lore.kernel.org/r/20220628155910.171454-2-yishaih@nvidia.com Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 8d201dedc793be2dcaf4a44adc7eaa09fdc0213b Author: Srinivas Kandagatla Date: Thu Jun 30 14:00:22 2022 +0100 ASoC: codecs: wsa881x: handle timeouts in resume path [ Upstream commit cf6af24b54903f9f70c29b3e5b19cb72cc862d60 ] Currently we do not check if SoundWire slave initialization timeout expired before continuing to access its registers. Its possible that the registers are not accessible if timeout is expired. Handle this by returning timeout in resume path. Reported-by: Pierre-Louis Bossart Fixes: 8dd552458361 ("ASoC: codecs: wsa881x: add runtime pm support") Signed-off-by: Srinivas Kandagatla Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220630130023.9308-1-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 317a412812d8051af618cbc0ff75f216130e767c Author: Ilpo Järvinen Date: Tue Jun 28 12:01:28 2022 +0300 serial: 8250_dw: Take port lock while accessing LSR [ Upstream commit b9491b2e45d71eb64245560e208897af95ffbf95 ] Accessing LSR requires port lock because it mutates lsr_saved_flags in serial_lsr_in(). Fixes: 197eb5c416ff ("serial: 8250_dw: Use serial_lsr_in() in dw8250_handle_irq()") Reviewed-by: Andy Shevchenko Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/c5879db7-bee9-93f-526e-872a292442@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 1fbdfbaa3cc3ad9a331bdd49d9b64f8bd49d922e Author: Tom Rix Date: Wed Jun 29 14:53:45 2022 -0400 ASoC: samsung: change gpiod_speaker_power and rx1950_audio from global to static variables [ Upstream commit d2294461b90e0c5b3bbfaaf2c8baff4fd3e2bb13 ] sparse reports sound/soc/samsung/rx1950_uda1380.c:131:18: warning: symbol 'gpiod_speaker_power' was not declared. Should it be static? sound/soc/samsung/rx1950_uda1380.c:231:24: warning: symbol 'rx1950_audio' was not declared. Should it be static? Both gpiod_speaker_power and rx1950_audio are only used in rx1950_uda1380.c, so their storage class specifiers should be static. Fixes: 83d74e354200 ("ASoC: samsung: rx1950: turn into platform driver") Signed-off-by: Tom Rix Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20220629185345.910406-1-trix@redhat.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 33a44de3fa198164f96f331d7fd998c28acf2d4e Author: Kuninori Morimoto Date: Wed Jun 22 05:54:06 2022 +0000 ASoC: soc-core.c: fixup snd_soc_of_get_dai_link_cpus() [ Upstream commit 586fb2641371cf7f23a401ab1c79b17e3ec457f4 ] commit 900dedd7e47cc3f ("ASoC: Introduce snd_soc_of_get_dai_link_cpus") adds new snd_soc_of_get_dai_link_cpus(), but it is using "codec" everywhere. It is very strange, and is issue when error case. It should call cpu instead of codec in error case. This patch tidyup it. Fixes: 900dedd7e47cc3f ("ASoC: Introduce snd_soc_of_get_dai_link_cpus") Signed-off-by: Kuninori Morimoto Reviewed-by: Martin Povišer Link: https://lore.kernel.org/r/87zgi5p7k1.wl-kuninori.morimoto.gx@renesas.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7e83af3dd4a3afca8f83ffde518cafd52f45b830 Author: Athira Rajeev Date: Sun May 22 19:52:56 2022 +0530 powerpc/perf: Optimize clearing the pending PMI and remove WARN_ON for PMI check in power_pmu_disable [ Upstream commit 890005a7d98f7452cfe86dcfb2aeeb7df01132ce ] commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC") added a new function "pmi_irq_pending" in hw_irq.h. This function is to check if there is a PMI marked as pending in Paca (PACA_IRQ_PMI).This is used in power_pmu_disable in a WARN_ON. The intention here is to provide a warning if there is PMI pending, but no counter is found overflown. During some of the perf runs, below warning is hit: WARNING: CPU: 36 PID: 0 at arch/powerpc/perf/core-book3s.c:1332 power_pmu_disable+0x25c/0x2c0 Modules linked in: ----- NIP [c000000000141c3c] power_pmu_disable+0x25c/0x2c0 LR [c000000000141c8c] power_pmu_disable+0x2ac/0x2c0 Call Trace: [c000000baffcfb90] [c000000000141c8c] power_pmu_disable+0x2ac/0x2c0 (unreliable) [c000000baffcfc10] [c0000000003e2f8c] perf_pmu_disable+0x4c/0x60 [c000000baffcfc30] [c0000000003e3344] group_sched_out.part.124+0x44/0x100 [c000000baffcfc80] [c0000000003e353c] __perf_event_disable+0x13c/0x240 [c000000baffcfcd0] [c0000000003dd334] event_function+0xc4/0x140 [c000000baffcfd20] [c0000000003d855c] remote_function+0x7c/0xa0 [c000000baffcfd50] [c00000000026c394] flush_smp_call_function_queue+0xd4/0x300 [c000000baffcfde0] [c000000000065b24] smp_ipi_demux_relaxed+0xa4/0x100 [c000000baffcfe20] [c0000000000cb2b0] xive_muxed_ipi_action+0x20/0x40 [c000000baffcfe40] [c000000000207c3c] __handle_irq_event_percpu+0x8c/0x250 [c000000baffcfee0] [c000000000207e2c] handle_irq_event_percpu+0x2c/0xa0 [c000000baffcff10] [c000000000210a04] handle_percpu_irq+0x84/0xc0 [c000000baffcff40] [c000000000205f14] generic_handle_irq+0x54/0x80 [c000000baffcff60] [c000000000015740] __do_irq+0x90/0x1d0 [c000000baffcff90] [c000000000016990] __do_IRQ+0xc0/0x140 [c0000009732f3940] [c000000bafceaca8] 0xc000000bafceaca8 [c0000009732f39d0] [c000000000016b78] do_IRQ+0x168/0x1c0 [c0000009732f3a00] [c0000000000090c8] hardware_interrupt_common_virt+0x218/0x220 This means that there is no PMC overflown among the active events in the PMU, but there is a PMU pending in Paca. The function "any_pmc_overflown" checks the PMCs on active events in cpuhw->n_events. Code snippet: <<>> if (any_pmc_overflown(cpuhw)) clear_pmi_irq_pending(); else WARN_ON(pmi_irq_pending()); <<>> Here the PMC overflown is not from active event. Example: When we do perf record, default cycles and instructions will be running on PMC6 and PMC5 respectively. It could happen that overflowed event is currently not active and pending PMI is for the inactive event. Debug logs from trace_printk: <<>> any_pmc_overflown: idx is 5: pmc value is 0xd9a power_pmu_disable: PMC1: 0x0, PMC2: 0x0, PMC3: 0x0, PMC4: 0x0, PMC5: 0xd9a, PMC6: 0x80002011 <<>> Here active PMC (from idx) is PMC5 , but overflown PMC is PMC6(0x80002011). When we handle PMI interrupt for such cases, if the PMC overflown is from inactive event, it will be ignored. Reference commit: commit bc09c219b2e6 ("powerpc/perf: Fix finding overflowed PMC in interrupt") Patch addresses two changes: 1) Fix 1 : Removal of warning ( WARN_ON(pmi_irq_pending()); ) We were printing warning if no PMC is found overflown among active PMU events, but PMI pending in PACA. But this could happen in cases where PMC overflown is not in active PMC. An inactive event could have caused the overflow. Hence the warning is not needed. To know pending PMI is from an inactive event, we need to loop through all PMC's which will cause more SPR reads via mfspr and increase in context switch. Also in existing function: perf_event_interrupt, already we ignore PMI's overflown when it is from an inactive PMC. 2) Fix 2: optimization in clearing pending PMI. Currently we check for any active PMC overflown before clearing PMI pending in Paca. This is causing additional SPR read also. From point 1, we know that if PMI pending in Paca from inactive cases, that is going to be ignored during replay. Hence if there is pending PMI in Paca, just clear it irrespective of PMC overflown or not. In summary, remove the any_pmc_overflown check entirely in power_pmu_disable. ie If there is a pending PMI in Paca, clear it, since we are in pmu_disable. There could be cases where PMI is pending because of inactive PMC ( which later when replayed also will get ignored ), so WARN_ON could give false warning. Hence removing it. Fixes: 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC") Signed-off-by: Athira Rajeev Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220522142256.24699-1-atrajeev@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit f2ed174e16c30a74e379758e2da8c5e700da1327 Author: Krzysztof Kozlowski Date: Mon Jun 27 16:19:00 2022 +0200 ASoC: samsung: h1940_uda1380: include proepr GPIO consumer header [ Upstream commit bd10b0dafdcf0ec1677cad70101e1f97b9e28f2e ] h1940_uda1380 uses gpiod*/GPIOD* so it should include GPIO consumer header. Fixes: 9666e27f90b9 ("ASoC: samsung: h1940: turn into platform driver") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20220627141900.470469-1-krzysztof.kozlowski@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 21c09fb18c5a135d639d5b6f05ea5df49676f1f3 Author: Michael Ellerman Date: Mon Jun 20 09:31:03 2022 +1000 selftests/powerpc: Skip energy_scale_info test on older firmware [ Upstream commit 4228a996b072d36f3baafb4afdc2d2d66d2cbadf ] Older machines don't have the firmware feature that enables the code this test is testing. Skip the test if the sysfs directory doesn't exist. Also use the FAIL_IF() macro to provide more verbose error reporting if an error is encountered. Fixes: 57201d657eb7 ("selftest/powerpc: Add PAPR sysfs attributes sniff test") Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220619233103.2666171-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit c29335612ff44df979678a38e1f55c62004f421c Author: Hangyu Hua Date: Fri Jun 24 10:41:20 2022 +0800 rpmsg: Fix possible refcount leak in rpmsg_register_device_override() [ Upstream commit d7bd416d35121c95fe47330e09a5c04adbc5f928 ] rpmsg_register_device_override need to call put_device to free vch when driver_set_override fails. Fix this by adding a put_device() to the error path. Fixes: bb17d110cbf2 ("rpmsg: Fix calling device_lock() on non-initialized device") Reviewed-by: Krzysztof Kozlowski Signed-off-by: Hangyu Hua Link: https://lore.kernel.org/r/20220624024120.11576-1-hbh25y@gmail.com Signed-off-by: Mathieu Poirier Signed-off-by: Sasha Levin commit 4df1129d46a9b085a06b1b200955855ea82da209 Author: Alexey Kardashevskiy Date: Wed Jun 22 15:52:35 2022 +1000 KVM: PPC: Book3s: Fix warning about xics_rm_h_xirr_x [ Upstream commit a784101f77b1bef4b40f4ad68af3f54fcfa5321b ] This fixes "no previous prototype": arch/powerpc/kvm/book3s_hv_rm_xics.c:482:15: warning: no previous prototype for 'xics_rm_h_xirr_x' [-Wmissing-prototypes] Reported by the kernel test robot. Fixes: b22af9041927 ("KVM: PPC: Book3s: Remove real mode interrupt controller hcalls handlers") Signed-off-by: Alexey Kardashevskiy Reviewed-by: Greg Kurz Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220622055235.1139204-1-aik@ozlabs.ru Signed-off-by: Sasha Levin commit 16da9f84e26f89e58cac194ff19fefd9de27d975 Author: Miaoqian Lin Date: Thu May 12 08:55:58 2022 +0400 remoteproc: imx_rproc: Fix refcount leak in imx_rproc_addr_init [ Upstream commit 61afafe8b938bc74841cf4b1a73dd08b9d287c5a ] of_parse_phandle() returns a node pointer with refcount incremented, we should use of_node_put() on it when not needed anymore. This function has two paths missing of_node_put(). Fixes: 6e962bfe56b9 ("remoteproc: imx_rproc: add missing of_node_put") Fixes: a0ff4aa6f010 ("remoteproc: imx_rproc: add a NXP/Freescale imx_rproc driver") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220512045558.7142-1-linmq006@gmail.com Signed-off-by: Mathieu Poirier Signed-off-by: Sasha Levin commit 55404cf492886019f4ac1e99e1f5c4d839e135ee Author: Chen Zhongjin Date: Tue May 31 09:28:54 2022 +0800 profiling: fix shift too large makes kernel panic [ Upstream commit 0fe6ee8f123a4dfb529a5aff07536bb481f34043 ] 2d186afd04d6 ("profiling: fix shift-out-of-bounds bugs") limits shift value by [0, BITS_PER_LONG -1], which means [0, 63]. However, syzbot found that the max shift value should be the bit number of (_etext - _stext). If shift is outside of this, the "buffer_bytes" will be zero and will cause kzalloc(0). Then the kernel panics due to dereferencing the returned pointer 16. This can be easily reproduced by passing a large number like 60 to enable profiling and then run readprofile. LOGS: BUG: kernel NULL pointer dereference, address: 0000000000000010 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 6148067 P4D 6148067 PUD 6142067 PMD 0 PREEMPT SMP CPU: 4 PID: 184 Comm: readprofile Not tainted 5.18.0+ #162 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:read_profile+0x104/0x220 RSP: 0018:ffffc900006fbe80 EFLAGS: 00000202 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff888006150000 RSI: 0000000000000001 RDI: ffffffff82aba4a0 RBP: 000000000188bb60 R08: 0000000000000010 R09: ffff888006151000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82aba4a0 R13: 0000000000000000 R14: ffffc900006fbf08 R15: 0000000000020c30 FS: 000000000188a8c0(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 0000000006144000 CR4: 00000000000006e0 Call Trace: proc_reg_read+0x56/0x70 vfs_read+0x9a/0x1b0 ksys_read+0xa1/0xe0 ? fpregs_assert_state_consistent+0x1e/0x40 do_syscall_64+0x3a/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x4d4b4e RSP: 002b:00007ffebb668d58 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000000000188a8a0 RCX: 00000000004d4b4e RDX: 0000000000000400 RSI: 000000000188bb60 RDI: 0000000000000003 RBP: 0000000000000003 R08: 000000000000006e R09: 0000000000000000 R10: 0000000000000041 R11: 0000000000000246 R12: 000000000188bb60 R13: 0000000000000400 R14: 0000000000000000 R15: 000000000188bb60 Modules linked in: CR2: 0000000000000010 Killed ---[ end trace 0000000000000000 ]--- Check prof_len in profile_init() to prevent it be zero. Link: https://lkml.kernel.org/r/20220531012854.229439-1-chenzhongjin@huawei.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Chen Zhongjin Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 36e594072bf25857ac062a542ec9fd0e95b83fe5 Author: Joe Lawrence Date: Thu Jun 2 16:32:33 2022 -0400 selftests/livepatch: better synchronize test_klp_callbacks_busy [ Upstream commit 55eb9a6c8bf3e2099863118ef53e02d9f44f85a8 ] The test_klp_callbacks_busy module conditionally blocks a future livepatch transition by busy waiting inside its workqueue function, busymod_work_func(). After scheduling this work, a test livepatch is loaded, introducing the transition under test. Both events are marked in the kernel log for later verification, but there is no synchronization to ensure that busymod_work_func() logs its function entry message before subsequent selftest commands log their own messages. This can lead to a rare test failure due to unexpected ordering like: # --- expected # +++ result # @@ -1,7 +1,7 @@ # % modprobe test_klp_callbacks_busy block_transition=Y # test_klp_callbacks_busy: test_klp_callbacks_busy_init # -test_klp_callbacks_busy: busymod_work_func enter # % modprobe test_klp_callbacks_demo # +test_klp_callbacks_busy: busymod_work_func enter # livepatch: enabling patch 'test_klp_callbacks_demo' # livepatch: 'test_klp_callbacks_demo': initializing patching transition # test_klp_callbacks_demo: pre_patch_callback: vmlinux Force the module init function to wait until busymod_work_func() has started (and logged its message), before exiting to the next selftest steps. Fixes: 547840bd5ae5 ("selftests/livepatch: simplify test-klp-callbacks busy target tests") Signed-off-by: Joe Lawrence Reviewed-by: Petr Mladek Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20220602203233.979681-1-joe.lawrence@redhat.com Signed-off-by: Sasha Levin commit 3f83c4cf1b78331c23876977aa7b9151aff2f9e1 Author: Miaoqian Lin Date: Sun Jun 5 12:33:34 2022 +0400 remoteproc: k3-r5: Fix refcount leak in k3_r5_cluster_of_init [ Upstream commit fa220c05d282e7479abe08b54e3bdffd06c25e97 ] Every iteration of for_each_available_child_of_node() decrements the reference count of the previous node. When breaking early from a for_each_available_child_of_node() loop, we need to explicitly call of_node_put() on the child node. Add missing of_node_put() to avoid refcount leak. Fixes: 6dedbd1d5443 ("remoteproc: k3-r5: Add a remoteproc driver for R5F subsystem") Signed-off-by: Miaoqian Lin Acked-by: Suman Anna Link: https://lore.kernel.org/r/20220605083334.23942-1-linmq006@gmail.com Signed-off-by: Mathieu Poirier Signed-off-by: Sasha Levin commit e0a25be0d4cc8e0c578ca7ae31d399983d104ad2 Author: AngeloGioacchino Del Regno Date: Wed May 25 11:12:01 2022 +0200 rpmsg: mtk_rpmsg: Fix circular locking dependency [ Upstream commit 353d9214682e65c55cdffad8c82139a3321c5f13 ] During execution of the worker that's used to register rpmsg devices we are safely locking the channels mutex but, when creating a new endpoint for such devices, we are registering a IPI on the SCP, which then makes the SCP to trigger an interrupt, lock its own mutex and in turn register more subdevices. This creates a circular locking dependency situation, as the mtk_rpmsg channels_lock will then depend on the SCP IPI lock. [ 15.447736] ====================================================== [ 15.460158] WARNING: possible circular locking dependency detected [ 15.460161] 5.17.0-next-20220324+ #399 Not tainted [ 15.460165] ------------------------------------------------------ [ 15.460166] kworker/0:3/155 is trying to acquire lock: [ 15.460170] ffff5b4d0eaf1308 (&scp->ipi_desc[i].lock){+.+.}-{4:4}, at: scp_ipi_lock+0x34/0x50 [mtk_scp_ipi] [ 15.504958] [] but task is already holding lock: [ 15.504960] ffff5b4d0e8f1918 (&mtk_subdev->channels_lock){+.+.}-{4:4}, at: mtk_register_device_work_function+0x50/0x1cc [mtk_rpmsg] [ 15.504978] [] which lock already depends on the new lock. [ 15.504980] [] the existing dependency chain (in reverse order) is: [ 15.504982] [] -> #1 (&mtk_subdev->channels_lock){+.+.}-{4:4}: [ 15.504990] lock_acquire+0x68/0x84 [ 15.504999] __mutex_lock+0xa4/0x3e0 [ 15.505007] mutex_lock_nested+0x40/0x70 [ 15.505012] mtk_rpmsg_ns_cb+0xe4/0x134 [mtk_rpmsg] [ 15.641684] mtk_rpmsg_ipi_handler+0x38/0x64 [mtk_rpmsg] [ 15.641693] scp_ipi_handler+0xbc/0x180 [mtk_scp] [ 15.663905] mt8192_scp_irq_handler+0x44/0xa4 [mtk_scp] [ 15.663915] scp_irq_handler+0x6c/0xa0 [mtk_scp] [ 15.685779] irq_thread_fn+0x34/0xa0 [ 15.685785] irq_thread+0x18c/0x240 [ 15.685789] kthread+0x104/0x110 [ 15.709579] ret_from_fork+0x10/0x20 [ 15.709586] [] -> #0 (&scp->ipi_desc[i].lock){+.+.}-{4:4}: [ 15.731271] __lock_acquire+0x11e4/0x1910 [ 15.740367] lock_acquire.part.0+0xd8/0x220 [ 15.749813] lock_acquire+0x68/0x84 [ 15.757861] __mutex_lock+0xa4/0x3e0 [ 15.766084] mutex_lock_nested+0x40/0x70 [ 15.775006] scp_ipi_lock+0x34/0x50 [mtk_scp_ipi] [ 15.785503] scp_ipi_register+0x40/0xa4 [mtk_scp_ipi] [ 15.796697] scp_register_ipi+0x1c/0x30 [mtk_scp] [ 15.807194] mtk_rpmsg_create_ept+0xa0/0x108 [mtk_rpmsg] [ 15.818912] rpmsg_create_ept+0x44/0x60 [ 15.827660] cros_ec_rpmsg_probe+0x15c/0x1f0 [ 15.837282] rpmsg_dev_probe+0x128/0x1d0 [ 15.846203] really_probe.part.0+0xa4/0x2a0 [ 15.855649] __driver_probe_device+0xa0/0x150 [ 15.865443] driver_probe_device+0x48/0x150 [ 15.877157] __device_attach_driver+0xc0/0x12c [ 15.889359] bus_for_each_drv+0x80/0xe0 [ 15.900330] __device_attach+0xe4/0x190 [ 15.911303] device_initial_probe+0x1c/0x2c [ 15.922969] bus_probe_device+0xa8/0xb0 [ 15.933927] device_add+0x3a8/0x8a0 [ 15.944193] device_register+0x28/0x40 [ 15.954970] rpmsg_register_device+0x5c/0xa0 [ 15.966782] mtk_register_device_work_function+0x148/0x1cc [mtk_rpmsg] [ 15.983146] process_one_work+0x294/0x664 [ 15.994458] worker_thread+0x7c/0x45c [ 16.005069] kthread+0x104/0x110 [ 16.014789] ret_from_fork+0x10/0x20 [ 16.025201] [] other info that might help us debug this: [ 16.047769] Possible unsafe locking scenario: [ 16.063942] CPU0 CPU1 [ 16.075166] ---- ---- [ 16.086376] lock(&mtk_subdev->channels_lock); [ 16.097592] lock(&scp->ipi_desc[i].lock); [ 16.113188] lock(&mtk_subdev->channels_lock); [ 16.129482] lock(&scp->ipi_desc[i].lock); [ 16.140020] [] *** DEADLOCK *** [ 16.158282] 4 locks held by kworker/0:3/155: [ 16.168978] #0: ffff5b4d00008748 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1fc/0x664 [ 16.190017] #1: ffff80000953bdc8 ((work_completion)(&mtk_subdev->register_work)){+.+.}-{0:0}, at: process_one_work+0x1fc/0x664 [ 16.215269] #2: ffff5b4d0e8f1918 (&mtk_subdev->channels_lock){+.+.}-{4:4}, at: mtk_register_device_work_function+0x50/0x1cc [mtk_rpmsg] [ 16.242131] #3: ffff5b4d05964190 (&dev->mutex){....}-{4:4}, at: __device_attach+0x44/0x190 To solve this, simply unlock the channels_lock mutex before calling mtk_rpmsg_register_device() and relock it right after, as safety is still ensured by the locking mechanism that happens right after through SCP. Fixes: 7017996951fd ("rpmsg: add rpmsg support for mt8183 SCP.") Signed-off-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220525091201.14210-1-angelogioacchino.delregno@collabora.com Signed-off-by: Mathieu Poirier Signed-off-by: Sasha Levin commit 86f340c39bd052b23d62a54b649687fe27e97c68 Author: Shengjiu Wang Date: Sat May 21 11:35:05 2022 +0800 rpmsg: char: Add mutex protection for rpmsg_eptdev_open() [ Upstream commit abe13e9a561d6b3e82b21362c0d6dd3ecd8a5b13 ] There is no mutex protection for rpmsg_eptdev_open(), especially for eptdev->ept read and write operation. It may cause issues when multiple instances call rpmsg_eptdev_open() in parallel,the return state may be success or EBUSY. Fixes: 964e8bedd5a1 ("rpmsg: char: Return an error if device already open") Signed-off-by: Shengjiu Wang Link: https://lore.kernel.org/r/1653104105-16779-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mathieu Poirier Signed-off-by: Sasha Levin commit 1618c25fb078937f60531d3ad58db5b6df85fa4c Author: Charles Keepax Date: Tue Jun 14 14:10:22 2022 +0100 ASoC: cs35l45: Add endianness flag in snd_soc_component_driver [ Upstream commit d919630fe77904931277e663c902582ea6f4e4cf ] The endianness flag is used on the CODEC side to specify an ambivalence to endian, typically because it is lost over the hardware link. This device receives audio over an I2S DAI and as such should have endianness applied. Fixes: 0d463d016000 ("ASoC: cs35l45: Add driver for Cirrus Logic CS35L45 Smart Amp") Signed-off-by: Charles Keepax Link: https://lore.kernel.org/r/20220614131022.778057-1-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4e2103e82f806e26b4f94fb083447a878d77881c Author: Srinivas Kandagatla Date: Thu Jun 9 12:19:01 2022 +0100 ASoC: codecs: wcd9335: move gains from SX_TLV to S8_TLV [ Upstream commit 2fbe0953732e06b471cdedbf6f615b84235580d8 ] move all the digital gains form using SX_TLV to S8_TLV, these gains are actually 8 bit gains with 7th signed bit and ranges from -84dB to +40dB rest of the Qualcomm wcd codecs uses these properly. Fixes: 8c4f021d806a ("ASoC: wcd9335: add basic controls") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220609111901.318047-3-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 24d2d825cf872e21d28fba0ec9fc64874f749ef1 Author: Srinivas Kandagatla Date: Thu Jun 9 12:19:00 2022 +0100 ASoC: codecs: msm8916-wcd-digital: move gains from SX_TLV to S8_TLV [ Upstream commit 5babb012c847beb6c8c7108fd78f650b7a2c6054 ] move all the digital gains form using SX_TLV to S8_TLV, these gains are actually 8 bit gains with 7th signed bit and ranges from -84dB to +40dB rest of the Qualcomm wcd codecs uses these properly. Fixes: ef8a4757a6db ("ASoC: msm8916-wcd-digital: Add sidetone support") Fixes: 150db8c5afa1 ("ASoC: codecs: Add msm8916-wcd digital codec") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220609111901.318047-2-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f32d8cb34b941df7ceb29a7c8d447f6add4250bc Author: Peter Ujfalusi Date: Fri Jun 10 11:35:44 2022 +0300 ASoC: SOF: make ctx_store and ctx_restore as optional [ Upstream commit 03f69725749f453b9a4d454a92805f8eb5f095c2 ] Commit 657774acd00f ("ASoC: SOF: Make sof_suspend/resume IPC agnostic") did not marked ctx_store and ctx_restore as Optional. Fixes: 657774acd00f ("ASoC: SOF: Make sof_suspend/resume IPC agnostic") Signed-off-by: Peter Ujfalusi Reviewed-by: Ranjani Sridharan Reviewed-by: Bard Liao Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220610083549.16773-2-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 610a3a8a6ce2579cf635fad5efd2adac2b715261 Author: Ilpo Järvinen Date: Wed Jun 8 12:54:31 2022 +0300 serial: 8250_dw: Store LSR into lsr_saved_flags in dw8250_tx_wait_empty() [ Upstream commit af14f3007e2dca0d112f10f6717ba43093f74e81 ] Make sure LSR flags are preserved in dw8250_tx_wait_empty(). This function is called from a low-level out function and therefore cannot call serial_lsr_in() as it would lead to infinite recursion. It is borderline if the flags need to be saved here at all since this code relates to writing LCR register which usually implies no important characters should be arriving. Fixes: 914eaf935ec7 ("serial: 8250_dw: Allow TX FIFO to drain before writing to UART_LCR") Reviewed-by: Andy Shevchenko Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20220608095431.18376-7-ilpo.jarvinen@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 3de3d9c97135b6b3a630823ecf8aa329acb8b9f7 Author: Ilpo Järvinen Date: Wed Jun 8 12:54:30 2022 +0300 serial: 8250_dw: Use serial_lsr_in() in dw8250_handle_irq() [ Upstream commit 197eb5c416ff0e52d152e6ff59b4e759d2f3e10d ] dw8250_handle_irq() reads LSR under a few conditions, convert both to use serial_lsr_in() in order to preserve LSR flags properly across reads. Fixes: 424d79183af0 ("serial: 8250_dw: Avoid "too much work" from bogus rx timeout interrupt") Fixes: aa63d786cea2 ("serial: 8250: dw: Add support for DMA flow controlling devices") Cc: Douglas Anderson Cc: Phil Edworthy Cc: Miquel Raynal Reviewed-by: Andy Shevchenko Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20220608095431.18376-6-ilpo.jarvinen@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 4ac5b078741c020cee5ff1da5cef79c05bb09a73 Author: Ilpo Järvinen Date: Wed Jun 8 12:54:28 2022 +0300 serial: 8250: Get preserved flags using serial_lsr_in() [ Upstream commit 6a4241e8f9b17aa17f55842d6478f280c22d2b44 ] serial8250_handle_irq() assumes it's the first to read LSR register. However, there are 8250 drivers which perform LSR read in their own irq handler prior to calling serial8250_handle_irq(). As not all flags are preserved across LSR reads, use serial_lsr_in() helper to get all the preserved flags. This commit might fix other commits too besides the ones for DW UART mentioned below. It's just not clear to me which of the other devices clear some of the LSR flags on read. AFAIK, nobody has complained about this problem (either against DW or other devices) so it might not have that bad impact in the end. Fixes: 424d79183af0 ("serial: 8250_dw: Avoid "too much work" from bogus rx timeout interrupt") Fixes: aa63d786cea2 ("serial: 8250: dw: Add support for DMA flow controlling devices") Reviewed-by: Andy Shevchenko Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20220608095431.18376-4-ilpo.jarvinen@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 623e3648c57144f614cb098ebdf5ccfc4f0c49d8 Author: Ilpo Järvinen Date: Wed Jun 8 12:54:27 2022 +0300 serial: 8250: Create serial_lsr_in() [ Upstream commit bdb70c424df1543bc02ee2639aecebd20318c599 ] LSR register readers need to be careful in order to not lose bits that are not preserved across reads. Create a helper that takes care of storing the non-preserved bits into lsr_save_flags. Reviewed-by: Andy Shevchenko Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20220608095431.18376-3-ilpo.jarvinen@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 597bcd854aa34a06c53dd79f30b1e151726d3904 Author: Yang Yingliang Date: Wed May 25 10:12:04 2022 +0800 serial: pic32: fix missing clk_disable_unprepare() on error in pic32_uart_startup() [ Upstream commit 6f3cdf2bf1ba9b70de6c2921a415951a0d59873b ] Fix the missing clk_disable_unprepare() before return from pic32_uart_startup() in the error handling case. Fixes: 157b9394709e ("serial: pic32_uart: Add PIC32 UART driver") Reported-by: Hulk Robot Reviewed-by: Jiri Slaby Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20220525021204.2407631-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5ec83aa7a9e5bcca80ccd49978916feb4e0ffc07 Author: Miaoqian Lin Date: Fri Jun 3 16:42:41 2022 +0400 ASoC: mediatek: mt8173-rt5650: Fix refcount leak in mt8173_rt5650_dev_probe [ Upstream commit efe2178d1a32492f99e7f1f2568eea5c88a85729 ] of_parse_phandle() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Fix refcount leak in some error paths. Fixes: 0f83f9296d5c ("ASoC: mediatek: Add machine driver for ALC5650 codec") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220603124243.31358-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b32aa0f960706d22cef1a9997096cd32ca2ef3ba Author: Jiasheng Jiang Date: Tue May 31 17:47:12 2022 +0800 ASoC: codecs: da7210: add check for i2c_add_driver [ Upstream commit 82fa8f581a954ddeec1602bed9f8b4a09d100e6e ] As i2c_add_driver could return error if fails, it should be better to check the return value. However, if the CONFIG_I2C and CONFIG_SPI_MASTER are both true, the return value of i2c_add_driver will be covered by spi_register_driver. Therefore, it is necessary to add check and return error if fails. Fixes: aa0e25caafb7 ("ASoC: da7210: Add support for spi regmap") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220531094712.2376759-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 38dc6faef05f33b4c889be8b7d65878e465c1c4b Author: Miaoqian Lin Date: Fri Jun 3 12:34:15 2022 +0400 ASoC: mt6797-mt6351: Fix refcount leak in mt6797_mt6351_dev_probe [ Upstream commit 7472eb8d7dd12b6b9b1a4f4527719cc9c7f5965f ] of_parse_phandle() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. Fixes: f0ab0bf250da ("ASoC: add mt6797-mt6351 driver and config option") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220603083417.9011-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit db305f1c33d2807900f8b82063442ff88a42e157 Author: Randy Dunlap Date: Sun Jun 5 09:31:23 2022 -0700 ASoC: max98390: use linux/gpio/consumer.h to fix build [ Upstream commit aa7407f807b250eca7697e5fe9a699bc6c2fab71 ] Change the header file to fix build errors in max98390.c: ../sound/soc/codecs/max98390.c: In function 'max98390_i2c_probe': ../sound/soc/codecs/max98390.c:1076:22: error: implicit declaration of function 'devm_gpiod_get_optional'; did you mean 'devm_regulator_get_optional'? [-Werror=implicit-function-declaration] 1076 | reset_gpio = devm_gpiod_get_optional(&i2c->dev, ../sound/soc/codecs/max98390.c:1077:55: error: 'GPIOD_OUT_HIGH' undeclared (first use in this function); did you mean 'GPIOF_INIT_HIGH'? 1077 | "reset", GPIOD_OUT_HIGH); ../sound/soc/codecs/max98390.c:1077:55: note: each undeclared identifier is reported only once for each function it appears in ../sound/soc/codecs/max98390.c:1083:17: error: implicit declaration of function 'gpiod_set_value_cansleep'; did you mean 'gpio_set_value_cansleep'? [-Werror=implicit-function-declaration] 1083 | gpiod_set_value_cansleep(reset_gpio, 0); Fixes: 397ff0249606 ("ASoC: max98390: Add reset gpio control") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Steve Lee Cc: Mark Brown Cc: Liam Girdwood Cc: Jaroslav Kysela Cc: Takashi Iwai Cc: alsa-devel@alsa-project.org Link: https://lore.kernel.org/r/20220605163123.23537-1-rdunlap@infradead.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 58567ed2878f70e0ded242cb529fb4a7618ea9f8 Author: Miaoqian Lin Date: Thu Jun 2 07:41:42 2022 +0400 ASoC: mediatek: mt8173: Fix refcount leak in mt8173_rt5650_rt5676_dev_probe [ Upstream commit ae4f11c1ed2d67192fdf3d89db719ee439827c11 ] of_parse_phandle() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Fix missing of_node_put() in error paths. Fixes: 94319ba10eca ("ASoC: mediatek: Use platform_of_node for machine drivers") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220602034144.60159-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 94caca0bd221ce87d8a5568a4cc7e06ecc35f9c3 Author: Fabio Estevam Date: Wed May 25 22:05:43 2022 -0300 ASoC: imx-audmux: Silence a clang warning [ Upstream commit 2f4a8171da06609bb6a063630ed546ee3d93dad7 ] Change the of_device_get_match_data() cast to (uintptr_t) to silence the following clang warning: sound/soc/fsl/imx-audmux.c:301:16: warning: cast to smaller integer type 'enum imx_audmux_type' from 'const void *' [-Wvoid-pointer-to-enum-cast] Reported-by: kernel test robot Fixes: 6a8b8b582db1 ("ASoC: imx-audmux: Remove unused .id_table") Signed-off-by: Fabio Estevam Link: https://lore.kernel.org/r/20220526010543.1164793-1-festevam@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit daa1da970dc7648262f16b4c355bc7f5f1e7d75b Author: Miaoqian Lin Date: Fri Jun 3 17:06:39 2022 +0400 ASoC: samsung: Fix error handling in aries_audio_probe [ Upstream commit 3e2649c5e8643bea0867bb1dd970fedadb0eb7f3 ] of_get_child_by_name() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. This function is missing of_node_put(cpu) in the error path. Fix this by goto out label. of_node_put() will check NULL pointer. Fixes: 7a3a7671fa6c ("ASoC: samsung: Add driver for Aries boards") Signed-off-by: Miaoqian Lin Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20220603130640.37624-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ca6c9244e6c9827a0b2fe8808c5e7b1ee8ab7104 Author: Miaoqian Lin Date: Fri Jun 3 17:10:43 2022 +0400 ASoC: cros_ec_codec: Fix refcount leak in cros_ec_codec_platform_probe [ Upstream commit 0a034d93ee929a9ea89f3fa5f1d8492435b9ee6e ] of_parse_phandle() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. Fixes: b6bc07d4360d ("ASoC: cros_ec_codec: support WoV") Signed-off-by: Miaoqian Lin Reviewed-by: Tzung-Bi Shih Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20220603131043.38907-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 426ac3e29201ba1a138b7471d6f17df9f7d28925 Author: Tang Bin Date: Tue May 24 20:31:51 2022 +0800 opp: Fix error check in dev_pm_opp_attach_genpd() [ Upstream commit 4ea9496cbc959eb5c78f3e379199aca9ef4e386b ] dev_pm_domain_attach_by_name() may return NULL in some cases, so IS_ERR() doesn't meet the requirements. Thus fix it. Fixes: 6319aee10e53 ("opp: Attach genpds to devices from within OPP core") Signed-off-by: Tang Bin [ Viresh: Replace ENODATA with ENODEV ] Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit c50dd37d05ca9ad3a5a27c7e43eeb0419d14a87f Author: Nathan Chancellor Date: Wed Aug 3 09:24:22 2022 -0700 usb: cdns3: Don't use priv_dev uninitialized in cdns3_gadget_ep_enable() [ Upstream commit 78acd4ca433425e6dd4032cfc2156c60e34931f2 ] Clang warns: drivers/usb/cdns3/cdns3-gadget.c:2290:11: error: variable 'priv_dev' is uninitialized when used here [-Werror,-Wuninitialized] dev_dbg(priv_dev->dev, "usbss: invalid parameters\n"); ^~~~~~~~ include/linux/dev_printk.h:155:18: note: expanded from macro 'dev_dbg' dynamic_dev_dbg(dev, dev_fmt(fmt), ##__VA_ARGS__) ^~~ include/linux/dynamic_debug.h:167:7: note: expanded from macro 'dynamic_dev_dbg' dev, fmt, ##__VA_ARGS__) ^~~ include/linux/dynamic_debug.h:152:56: note: expanded from macro '_dynamic_func_call' __dynamic_func_call(__UNIQUE_ID(ddebug), fmt, func, ##__VA_ARGS__) ^~~~~~~~~~~ include/linux/dynamic_debug.h:134:15: note: expanded from macro '__dynamic_func_call' func(&id, ##__VA_ARGS__); \ ^~~~~~~~~~~ drivers/usb/cdns3/cdns3-gadget.c:2278:31: note: initialize the variable 'priv_dev' to silence this warning struct cdns3_device *priv_dev; ^ = NULL 1 error generated. The priv_dev assignment was moved below the if statement to avoid potentially dereferencing ep before it was checked but priv_dev is used in the dev_dbg() call. To fix this, move the priv_dev and comp_desc assignments back to their original spot and hoist the ep check above those assignments with a call to pr_debug() instead of dev_dbg(). Fixes: c3ffc9c4ca44 ("usb: cdns3: change place of 'priv_ep' assignment in cdns3_gadget_ep_dequeue(), cdns3_gadget_ep_enable()") Link: https://github.com/ClangBuiltLinux/linux/issues/1680 Signed-off-by: Nathan Chancellor Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit ddd896792e1718cb84c96f3e618270589b6886dc Author: Zhihao Cheng Date: Fri Jul 15 20:51:52 2022 +0800 jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted [ Upstream commit 4a734f0869f970b8a9b65062ea40b09a5da9dba8 ] Following process will fail assertion 'jh->b_frozen_data == NULL' in jbd2_journal_dirty_metadata(): jbd2_journal_commit_transaction unlink(dir/a) jh->b_transaction = trans1 jh->b_jlist = BJ_Metadata journal->j_running_transaction = NULL trans1->t_state = T_COMMIT unlink(dir/b) handle->h_trans = trans2 do_get_write_access jh->b_modified = 0 jh->b_frozen_data = frozen_buffer jh->b_next_transaction = trans2 jbd2_journal_dirty_metadata is_handle_aborted is_journal_aborted // return false --> jbd2 abort <-- while (commit_transaction->t_buffers) if (is_journal_aborted) jbd2_journal_refile_buffer __jbd2_journal_refile_buffer WRITE_ONCE(jh->b_transaction, jh->b_next_transaction) WRITE_ONCE(jh->b_next_transaction, NULL) __jbd2_journal_file_buffer(jh, BJ_Reserved) J_ASSERT_JH(jh, jh->b_frozen_data == NULL) // assertion failure ! The reproducer (See detail in [Link]) reports: ------------[ cut here ]------------ kernel BUG at fs/jbd2/transaction.c:1629! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 2 PID: 584 Comm: unlink Tainted: G W 5.19.0-rc6-00115-g4a57a8400075-dirty #697 RIP: 0010:jbd2_journal_dirty_metadata+0x3c5/0x470 RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202 Call Trace: __ext4_handle_dirty_metadata+0xa0/0x290 ext4_handle_dirty_dirblock+0x10c/0x1d0 ext4_delete_entry+0x104/0x200 __ext4_unlink+0x22b/0x360 ext4_unlink+0x275/0x390 vfs_unlink+0x20b/0x4c0 do_unlinkat+0x42f/0x4c0 __x64_sys_unlink+0x37/0x50 do_syscall_64+0x35/0x80 After journal aborting, __jbd2_journal_refile_buffer() is executed with holding @jh->b_state_lock, we can fix it by moving 'is_handle_aborted()' into the area protected by @jh->b_state_lock. Link: https://bugzilla.kernel.org/show_bug.cgi?id=216251 Fixes: 470decc613ab20 ("[PATCH] jbd2: initial copy of files from jbd") Signed-off-by: Zhihao Cheng Link: https://lore.kernel.org/r/20220715125152.4022726-1-chengzhihao1@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 21197733e629ecc6c50959e408065dc94c0807a4 Author: Li Lingfeng Date: Fri Jun 17 14:25:15 2022 +0800 ext4: recover csum seed of tmp_inode after migrating to extents [ Upstream commit 07ea7a617d6b278fb7acedb5cbe1a81ce2de7d0c ] When migrating to extents, the checksum seed of temporary inode need to be replaced by inode's, otherwise the inode checksums will be incorrect when swapping the inodes data. However, the temporary inode can not match it's checksum to itself since it has lost it's own checksum seed. mkfs.ext4 -F /dev/sdc mount /dev/sdc /mnt/sdc xfs_io -fc "pwrite 4k 4k" -c "fsync" /mnt/sdc/testfile chattr -e /mnt/sdc/testfile chattr +e /mnt/sdc/testfile umount /dev/sdc fsck -fn /dev/sdc ======== ... Pass 1: Checking inodes, blocks, and sizes Inode 13 passes checks, but checksum does not match inode. Fix? no ... ======== The fix is simple, save the checksum seed of temporary inode, and recover it after migrating to extents. Fixes: e81c9302a6c3 ("ext4: set csum seed in tmp inode while migrating to extents") Signed-off-by: Li Lingfeng Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20220617062515.2113438-1-lilingfeng3@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit d65c93290045e868e104d2aee781ea36d4356666 Author: Zhang Yi Date: Sat Jun 11 21:04:26 2022 +0800 jbd2: fix outstanding credits assert in jbd2_journal_commit_transaction() [ Upstream commit a89573ce4ad32f19f43ec669771726817e185be0 ] We catch an assert problem in jbd2_journal_commit_transaction() when doing fsstress and request falut injection tests. The problem is happened in a race condition between jbd2_journal_commit_transaction() and ext4_end_io_end(). Firstly, ext4_writepages() writeback dirty pages and start reserved handle, and then the journal was aborted due to some previous metadata IO error, jbd2_journal_abort() start to commit current running transaction, the committing procedure could be raced by ext4_end_io_end() and lead to subtract j_reserved_credits twice from commit_transaction->t_outstanding_credits, finally the t_outstanding_credits is mistakenly smaller than t_nr_buffers and trigger assert. kjournald2 kworker jbd2_journal_commit_transaction() write_unlock(&journal->j_state_lock); atomic_sub(j_reserved_credits, t_outstanding_credits); //sub once jbd2_journal_start_reserved() start_this_handle() //detect aborted journal jbd2_journal_free_reserved() //get running transaction read_lock(&journal->j_state_lock) __jbd2_journal_unreserve_handle() atomic_sub(j_reserved_credits, t_outstanding_credits); //sub again read_unlock(&journal->j_state_lock); journal->j_running_transaction = NULL; J_ASSERT(t_nr_buffers <= t_outstanding_credits) //bomb!!! Fix this issue by using journal->j_state_lock to protect the subtraction in jbd2_journal_commit_transaction(). Fixes: 96f1e0974575 ("jbd2: avoid long hold times of j_state_lock while committing a transaction") Signed-off-by: Zhang Yi Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20220611130426.2013258-1-yi.zhang@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 38fb0d7f39a1e5fcf539f09463028f4f76ff3d50 Author: Keith Busch Date: Tue Jul 12 08:32:54 2022 -0700 block: ensure iov_iter advances for added pages [ Upstream commit 325347d965e7ccf5424a05398807a6d801846612 ] There are cases where a bio may not accept additional pages, and the iov needs to advance to the last data length that was accepted. The zone append used to handle this correctly, but was inadvertently broken when the setup was made common with the normal r/w case. Fixes: 576ed9135489c ("block: use bio_add_page in bio_iov_iter_get_pages") Fixes: c58c0074c54c2 ("block/bio: remove duplicate append pages code") Signed-off-by: Keith Busch Link: https://lore.kernel.org/r/20220712153256.2202024-1-kbusch@fb.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 70edccb32b60b8ff2b4ea5126c2ae17e642fed37 Author: Keith Busch Date: Fri Jun 10 12:58:21 2022 -0700 block/bio: remove duplicate append pages code [ Upstream commit c58c0074c54c2e2bb3bb0d5a4d8896bb660cc8bc ] The getting pages setup for zone append and normal IO are identical. Use common code for each. Signed-off-by: Keith Busch Reviewed-by: Johannes Thumshirn Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20220610195830.3574005-3-kbusch@fb.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit e731baf1af61ff28f061158e2b44ced28f7ebf49 Author: Christoph Hellwig Date: Thu Jul 21 07:56:35 2022 +0200 nvme: catch -ENODEV from nvme_revalidate_zones again [ Upstream commit e06b425bc835ead08b9fd935bf5e47eef473e7a0 ] nvme_revalidate_zones can also return -ENODEV if e.g. zone sizes aren't constant or not a power of two. In that case we should jump to marking the gendisk hidden and only support pass through. Fixes: 602e57c9799c ("nvme: also mark passthrough-only namespaces ready in nvme_update_ns_info") Reported-by: Joel Granados Signed-off-by: Christoph Hellwig Reviewed-by: Joel Granados Reviewed-by: Sagi Grimberg Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 32bf5d3c61f4de402f1b97bca5dfaf8d6c11d10f Author: Nick Bowler Date: Wed Jul 20 23:57:35 2022 -0400 nvme: define compat_ioctl again to unbreak 32-bit userspace. [ Upstream commit a25d4261582cf00dad884c194d21084836663d3d ] Commit 89b3d6e60550 ("nvme: simplify the compat ioctl handling") removed the initialization of compat_ioctl from the nvme block_device_operations structures. Presumably the expectation was that 32-bit ioctls would be directed through the regular handler but this is not the case: failing to assign .compat_ioctl actually means that the compat case is disabled entirely, and any attempt to submit nvme ioctls from 32-bit userspace fails outright with -ENOTTY. For example: % smartctl -x /dev/nvme0n1 [...] Read NVMe Identify Controller failed: NVME_IOCTL_ADMIN_CMD: Inappropriate ioctl for device The blkdev_compat_ptr_ioctl helper can be used to direct compat calls through the main ioctl handler and makes things work again. Fixes: 89b3d6e60550 ("nvme: simplify the compat ioctl handling") Signed-off-by: Nick Bowler Reviewed-by: Guixin Liu Signed-off-by: Christoph Hellwig Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 4e8fee340f1f1285d9673576a852c07fc48c030a Author: Bean Huo Date: Fri Jul 15 23:27:21 2022 +0200 nvme: use command_id instead of req->tag in trace_nvme_complete_rq() [ Upstream commit 679c54f2de672b7d79d02f8c4ad483ff6dd8ce2e ] Use command_id instead of req->tag in trace_nvme_complete_rq(), because of commit e7006de6c238 ("nvme: code command_id with a genctr for use authentication after release"), cmd->common.command_id is set to ((genctl & 0xf)< 12 | req->tag), no longer req->tag, which makes cid in trace_nvme_complete_rq and trace_nvme_setup_cmd are not the same. Fixes: e7006de6c238 ("nvme: code command_id with a genctr for use authentication after release") Signed-off-by: Bean Huo Signed-off-by: Christoph Hellwig Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit ebe02fcbbe23ee78e4da480b6f924ae7beb98488 Author: Christoph Hellwig Date: Sun Jun 19 08:05:48 2022 +0200 mtip32xx: fix device removal [ Upstream commit e8b58ef09e84c15cf782b01cfc73cc5b1180d519 ] Use the proper helper to mark a surpise removal, remove the gendisk as soon as possible when removing the device and implement the ->free_disk callback to ensure the private data is alive as long as the gendisk has references. Signed-off-by: Christoph Hellwig Reviewed-by: Hannes Reinecke Link: https://lore.kernel.org/r/20220619060552.1850436-3-hch@lst.de Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 9502680c58d3587cf8c4ea9b95d1fdf95c6e6452 Author: Yu Kuai Date: Sat Jul 23 16:24:27 2022 +0800 nbd: add missing definition of pr_fmt [ Upstream commit bc9da6dd0630efd81b5c72ff6fa0169aa029a73f ] commit 1243172d5894 ("nbd: use pr_err to output error message") tries to define pr_fmt and use short pr_err() to output error message, however, the definition is missed. This patch also remove existing "nbd:" inside pr_err(). Fixes: 1243172d5894 ("nbd: use pr_err to output error message") Signed-off-by: Yu Kuai Reviewed-by: Josef Bacik Link: https://lore.kernel.org/r/20220723082427.3890655-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit e11ad527774c1190c1bb58f908e8f7ede55cb9f4 Author: Dan Carpenter Date: Fri Jul 15 11:12:14 2022 +0300 null_blk: fix ida error handling in null_add_dev() [ Upstream commit ee452a8d984f94fa8e894f003a52e776e4572881 ] There needs to be some error checking if ida_simple_get() fails. Also call ida_free() if there are errors later. Fixes: 94bc02e30fb8 ("nullb: use ida to manage index") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YtEhXsr6vJeoiYhd@kili Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit bd629539b205f8233d28102bd2aea8df7672a0c5 Author: Md Haris Iqbal Date: Thu Jul 7 16:31:21 2022 +0200 block/rnbd-srv: Set keep_id to true after mutex_trylock [ Upstream commit 4bc14f3101364877dd59085f39e068a2a7ec9f2d ] After setting keep_id if the mutex trylock fails, the keep_id stays set for the rest of the sess_dev lifetime. Therefore, set keep_id to true after mutex_trylock succeeds, so that a failure of trylock does'nt touch keep_id. Fixes: b168e1d85cf3 ("block/rnbd-srv: Prevent a deadlock generated by accessing sysfs in parallel") Cc: gi-oh.kim@ionos.com Signed-off-by: Md Haris Iqbal Signed-off-by: Jack Wang Link: https://lore.kernel.org/r/20220707143122.460362-2-haris.iqbal@ionos.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit f05b7cf02123aaf99db78abfe638efefdbe15555 Author: Zhu Yanjun Date: Sun Jul 31 02:36:21 2022 -0400 RDMA/rxe: Fix error unwind in rxe_create_qp() [ Upstream commit fd5382c5805c4bcb50fd25b7246247d3f7114733 ] In the function rxe_create_qp(), rxe_qp_from_init() is called to initialize qp, internally things like the spin locks are not setup until rxe_qp_init_req(). If an error occures before this point then the unwind will call rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task() which will oops when trying to access the uninitialized spinlock. Move the spinlock initializations earlier before any failures. Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/20220731063621.298405-1-yanjun.zhu@linux.dev Reported-by: syzbot+833061116fa28df97f3b@syzkaller.appspotmail.com Signed-off-by: Zhu Yanjun Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 5fd7eefeee9b4f6d96aa749112037f5ebc2b640b Author: Maor Gottlieb Date: Sun Jul 31 11:29:08 2022 +0300 RDMA/mlx5: Add missing check for return value in get namespace flow [ Upstream commit c9776457bd5eaad4ce4ecb17af8d8f3cc6957c0b ] Add missing check for return value when calling to mlx5_ib_ft_type_to_namespace, even though it can't really fail in this specific call. Fixes: 52438be44112 ("RDMA/mlx5: Allow inserting a steering rule to the FDB") Link: https://lore.kernel.org/r/7b9ceda217d9368a51dc47a46b769bad4af9ac92.1659256069.git.leonro@nvidia.com Reviewed-by: Itay Aveksis Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit d6d4b5f13b88a3755f81bb24009604b14fc6c6dd Author: Xu Qiang Date: Mon Aug 1 12:05:06 2022 +0000 of/fdt: declared return type does not match actual return type [ Upstream commit 7913145afa51bbed9eaf8e5b4ee55fa9884a71e5 ] The commit 649cab56de8e (“of: properly check for error returned by fdt_get_name()”) changed the return value type from bool to int, but forgot to change the return value simultaneously. populate_node was only called in unflatten_dt_nodes, and returns with values greater than or equal to 0 were discarded without further processing. Considering that return 0 usually indicates success, return 0 instead of return true. Fixes: 649cab56de8e (“of: properly check for error returned by fdt_get_name()”) Signed-off-by: Xu Qiang Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220801120506.11461-2-xuqiang36@huawei.com Signed-off-by: Sasha Levin commit 4ef616730a967138fd0d784eab1d55437207773f Author: Andrei Vagin Date: Fri Jul 22 16:02:40 2022 -0700 selftests: kvm: set rax before vmcall [ Upstream commit 281106f938d3daaea6f8b6723a8217a2a1ef6936 ] kvm_hypercall has to place the hypercall number in rax. Trace events show that kvm_pv_test doesn't work properly: kvm_pv_test-53132: kvm_hypercall: nr 0x0 a0 0x0 a1 0x0 a2 0x0 a3 0x0 kvm_pv_test-53132: kvm_hypercall: nr 0x0 a0 0x0 a1 0x0 a2 0x0 a3 0x0 kvm_pv_test-53132: kvm_hypercall: nr 0x0 a0 0x0 a1 0x0 a2 0x0 a3 0x0 With this change, it starts working as expected: kvm_pv_test-54285: kvm_hypercall: nr 0x5 a0 0x0 a1 0x0 a2 0x0 a3 0x0 kvm_pv_test-54285: kvm_hypercall: nr 0xa a0 0x0 a1 0x0 a2 0x0 a3 0x0 kvm_pv_test-54285: kvm_hypercall: nr 0xb a0 0x0 a1 0x0 a2 0x0 a3 0x0 Signed-off-by: Andrei Vagin Message-Id: <20220722230241.1944655-5-avagin@google.com> Fixes: ac4a4d6de22e ("selftests: kvm: test enforcement of paravirtual cpuid features") Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 86dc66ace193aa9489b12aedc3db3245bb605e9a Author: Juergen Gross Date: Wed Jun 22 08:38:38 2022 +0200 xen: don't require virtio with grants for non-PV guests [ Upstream commit 251e90e7e346a23742b90e2c4db19d322e071d99 ] Commit fa1f57421e0b ("xen/virtio: Enable restricted memory access using Xen grant mappings") introduced a new requirement for using virtio devices: the backend now needs to support the VIRTIO_F_ACCESS_PLATFORM feature. This is an undue requirement for non-PV guests, as those can be operated with existing backends without any problem, as long as those backends are running in dom0. Per default allow virtio devices without grant support for non-PV guests. On Arm require VIRTIO_F_ACCESS_PLATFORM for devices having been listed in the device tree to use grants. Add a new config item to always force use of grants for virtio. Fixes: fa1f57421e0b ("xen/virtio: Enable restricted memory access using Xen grant mappings") Reported-by: Viresh Kumar Signed-off-by: Juergen Gross Reviewed-by: Oleksandr Tyshchenko Tested-by: Oleksandr Tyshchenko # Arm64 guest using Xen Reviewed-by: Stefano Stabellini Link: https://lore.kernel.org/r/20220622063838.8854-4-jgross@suse.com Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit e5f57aaccbd3e17e9c0c2080cc4193221230868b Author: Juergen Gross Date: Wed Jun 22 08:38:36 2022 +0200 virtio: replace restricted mem access flag with callback [ Upstream commit a603002eea8213eec5211be5a85db8340aea06d0 ] Instead of having a global flag to require restricted memory access for all virtio devices, introduce a callback which can select that requirement on a per-device basis. For convenience add a common function returning always true, which can be used for use cases like SEV. Per default use a callback always returning false. As the callback needs to be set in early init code already, add a virtio anchor which is builtin in case virtio is enabled. Signed-off-by: Juergen Gross Tested-by: Oleksandr Tyshchenko # Arm64 guest using Xen Reviewed-by: Stefano Stabellini Link: https://lore.kernel.org/r/20220622063838.8854-2-jgross@suse.com Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit b737d48db8fe1887a77d61998a8219583183a2ef Author: Andreas Schwab Date: Mon Jul 25 17:12:18 2022 +0200 rtla: Fix double free [ Upstream commit 4f753c3be52c1d930afc0fe3169baa605dbaf611 ] Avoid double free by making trace_instance_destroy indempotent. When trace_instance_init fails, it calls trace_instance_destroy, but its only caller osnoise_destroy_tool calls it again. Link: https://lkml.kernel.org/r/mvmilnlkyzx.fsf_-_@suse.de Fixes: 0605bf009f18 ("rtla: Add osnoise tool") Signed-off-by: Andreas Schwab Acked-by: Daniel Bristot de Oliveira Signed-off-by: Steven Rostedt (Google) Signed-off-by: Sasha Levin commit 4927a4161caa7417e8bce8118854b42d1b040c65 Author: Daniel Bristot de Oliveira Date: Wed Jul 13 23:32:19 2022 +0200 rtla: Fix Makefile when called from -C tools/ [ Upstream commit c7d8a598c5b1e21a0957f5dec2ef4139d2d1a23a ] Sedat Dilek reported an error on rtla Makefile when running: $ make -C tools/ clean [...] make[2]: Entering directory '/home/dileks/src/linux-kernel/git/tools/tracing/rtla' [...] '/home/dileks/src/linux-kernel/git/Documentation/tools/rtla' /bin/sh: 1: test: rtla-make[2]:: unexpected operator <------ The problem rm: cannot remove '/home/dileks/src/linux-kernel/git': Is a directory make[2]: *** [Makefile:120: clean] Error 1 make[2]: Leaving directory This occurred because the rtla calls kernel's Makefile to get the version in silence mode, e.g., $ make -sC ../../.. kernelversion 5.19.0-rc4 But the -s is being ignored when rtla's makefile is called indirectly, so the output looks like this: $ make -C ../../.. kernelversion make: Entering directory '/root/linux' 5.19.0-rc4 make: Leaving directory '/root/linux' Using 'grep -v make' avoids this problem, e.g., $ make -C ../../.. kernelversion | grep -v make 5.19.0-rc4 Thus, add | grep -v make. Link: https://lkml.kernel.org/r/870c02d4d97a921f02a31fa3b229fc549af61a20.1657747763.git.bristot@kernel.org Fixes: 8619e32825fd ("rtla: Follow kernel version") Reported-by: Sedat Dilek Tested-by: Sedat Dilek Signed-off-by: Daniel Bristot de Oliveira Signed-off-by: Steven Rostedt (Google) Signed-off-by: Sasha Levin commit c6bc611f371d5a7800dfe21a609dd184f333d237 Author: Dan Carpenter Date: Tue Jul 19 12:04:14 2022 +0300 selftest/vm: uninitialized variable in main() [ Upstream commit 360b420dbded8ad5b70a41de98e77354dd9e7d36 ] Initialize "length" to zero by default. Link: https://lkml.kernel.org/r/YtZzjvHXVXMXxpXO@kili Fixes: ff712a627f72 ("selftests/vm: cleanup hugetlb file after mremap test") Signed-off-by: Dan Carpenter Reviewed-by: Mina Almasry Reviewed-by: Muchun Song Cc: Mike Kravetz Cc: Shuah Khan Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 8d958b6356320788549ff2bdaebc2fd89cd76217 Author: Dan Carpenter Date: Tue Jul 19 12:42:48 2022 +0300 tools/testing/selftests/vm/hugetlb-madvise.c: silence uninitialized variable warning [ Upstream commit 3d5367a0426da61c7cb616cc85b6239467e261dd ] This code just reads from memory without caring about the data itself. However static checkers complain that "tmp" is never properly initialized. Initialize it to zero and change the name to "dummy" to show that we don't care about the value stored in it. Link: https://lkml.kernel.org/r/YtZ8mKJmktA2GaHB@kili Fixes: c4b6cb884011 ("selftests/vm: add hugetlb madvise MADV_DONTNEED MADV_REMOVE test") Signed-off-by: Dan Carpenter Acked-by: Souptick Joarder (HPE) Reviewed-by: Mike Kravetz Cc: Shuah Khan Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit aa0d3fb4e8533a9888c65ff8c71094d8a595ae84 Author: Adam Sindelar Date: Mon Jul 4 19:33:51 2022 +0200 selftests/vm: fix errno handling in mrelease_test [ Upstream commit 3b8e7f5c42d1aa44f71fd219717c80e34101361e ] mrelease_test should return KSFT_SKIP when process_mrelease is not defined, but due to a perror call consuming the errno, it returns KSFT_FAIL. This patch decides the exit code before calling perror. [adam@wowsignal.io: fix remaining instances of errno mishandling] Link: https://lkml.kernel.org/r/20220706141602.10159-1-adam@wowsignal.io Link: https://lkml.kernel.org/r/20220704173351.19595-1-adam@wowsignal.io Fixes: 33776141b812 ("selftests: vm: add process_mrelease tests") Signed-off-by: Adam Sindelar Reviewed-by: David Vernet Reviewed-by: Suren Baghdasaryan Cc: Shuah Khan Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 28e414bd9d16cd3a8099346764d2395c0efb3e99 Author: Miaohe Lin Date: Sat Jun 18 16:20:27 2022 +0800 mm/mmap.c: fix missing call to vm_unacct_memory in mmap_region [ Upstream commit 7f82f922319ede486540e8746769865b9508d2c2 ] Since the beginning, charged is set to 0 to avoid calling vm_unacct_memory twice because vm_unacct_memory will be called by above unmap_region. But since commit 4f74d2c8e827 ("vm: remove 'nr_accounted' calculations from the unmap_vmas() interfaces"), unmap_region doesn't call vm_unacct_memory anymore. So charged shouldn't be set to 0 now otherwise the calling to paired vm_unacct_memory will be missed and leads to imbalanced account. Link: https://lkml.kernel.org/r/20220618082027.43391-1-linmiaohe@huawei.com Fixes: 4f74d2c8e827 ("vm: remove 'nr_accounted' calculations from the unmap_vmas() interfaces") Signed-off-by: Miaohe Lin Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 1ec3f76a436d750fd5023caec5da0494fc2870d2 Author: Liam R. Howlett Date: Mon Jun 20 21:09:09 2022 -0400 android: binder: stop saving a pointer to the VMA [ Upstream commit a43cfc87caaf46710c8027a8c23b8a55f1078f19 ] Do not record a pointer to a VMA outside of the mmap_lock for later use. This is unsafe and there are a number of failure paths *after* the recorded VMA pointer may be freed during setup. There is no callback to the driver to clear the saved pointer from generic mm code. Furthermore, the VMA pointer may become stale if any number of VMA operations end up freeing the VMA so saving it was fragile to being with. Instead, change the binder_alloc struct to record the start address of the VMA and use vma_lookup() to get the vma when needed. Add lockdep mmap_lock checks on updates to the vma pointer to ensure the lock is held and depend on that lock for synchronization of readers and writers - which was already the case anyways, so the smp_wmb()/smp_rmb() was not necessary. [akpm@linux-foundation.org: fix drivers/android/binder_alloc_selftest.c] Link: https://lkml.kernel.org/r/20220621140212.vpkio64idahetbyf@revolver Fixes: da1b9564e85b ("android: binder: fix the race mmap and alloc_new_buf_locked") Reported-by: syzbot+58b51ac2b04e388ab7b0@syzkaller.appspotmail.com Signed-off-by: Liam R. Howlett Cc: Minchan Kim Cc: Christian Brauner (Microsoft) Cc: Greg Kroah-Hartman Cc: Hridya Valsaraju Cc: Joel Fernandes Cc: Martijn Coenen Cc: Suren Baghdasaryan Cc: Todd Kjos Cc: Matthew Wilcox (Oracle) Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 388326bb1c32fcd09371c1d494af71471ef3a04b Author: Bart Van Assche Date: Wed Jul 27 12:34:15 2022 -0700 RDMA/srpt: Fix a use-after-free [ Upstream commit b5605148e6ce36bb21020d49010b617693933128 ] Change the LIO port members inside struct srpt_port from regular members into pointers. Allocate the LIO port data structures from inside srpt_make_tport() and free these from inside srpt_make_tport(). Keep struct srpt_device as long as either an RDMA port or a LIO target port is associated with it. This patch decouples the lifetime of struct srpt_port (controlled by the RDMA core) and struct srpt_port_id (controlled by LIO). This patch fixes the following KASAN complaint: BUG: KASAN: use-after-free in srpt_enable_tpg+0x31/0x70 [ib_srpt] Read of size 8 at addr ffff888141cc34b8 by task check/5093 Call Trace: show_stack+0x4e/0x53 dump_stack_lvl+0x51/0x66 print_address_description.constprop.0.cold+0xea/0x41e print_report.cold+0x90/0x205 kasan_report+0xb9/0xf0 __asan_load8+0x69/0x90 srpt_enable_tpg+0x31/0x70 [ib_srpt] target_fabric_tpg_base_enable_store+0xe2/0x140 [target_core_mod] configfs_write_iter+0x18b/0x210 new_sync_write+0x1f2/0x2f0 vfs_write+0x3e3/0x540 ksys_write+0xbb/0x140 __x64_sys_write+0x42/0x50 do_syscall_64+0x34/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Link: https://lore.kernel.org/r/20220727193415.1583860-4-bvanassche@acm.org Reported-by: Li Zhijian Tested-by: Li Zhijian Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1") Signed-off-by: Bart Van Assche Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 7c448f82908e499281076c729a2467aadccdd310 Author: Bart Van Assche Date: Wed Jul 27 12:34:14 2022 -0700 RDMA/srpt: Introduce a reference count in struct srpt_device [ Upstream commit aa7dfbb41b5a60ab90e244d6f586b8cb5c791c3e ] This will be used to keep struct srpt_device around as long as either the RDMA port exists or a LIO target port is associated with the struct srpt_device. Link: https://lore.kernel.org/r/20220727193415.1583860-3-bvanassche@acm.org Signed-off-by: Bart Van Assche Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 5267f0490620479ab68067d70ba7f412e88bedec Author: Bart Van Assche Date: Wed Jul 27 12:34:13 2022 -0700 RDMA/srpt: Duplicate port name members [ Upstream commit b03b1ae2a3125d4475452e4f19f5d3a6e910ff6e ] Prepare for decoupling the lifetimes of struct srpt_port and struct srpt_port_id by duplicating the port name into struct srpt_port. Link: https://lore.kernel.org/r/20220727193415.1583860-2-bvanassche@acm.org Signed-off-by: Bart Van Assche Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 23939304042315fcb3342ace31afbc72df1a8e54 Author: Dan Carpenter Date: Wed Jul 20 21:23:38 2022 +0300 platform/olpc: Fix uninitialized data in debugfs write [ Upstream commit 40ec787e1adf302c11668d4cc69838f4d584187d ] The call to: size = simple_write_to_buffer(cmdbuf, sizeof(cmdbuf), ppos, buf, size); will succeed if at least one byte is written to the "cmdbuf" buffer. The "*ppos" value controls which byte is written. Another problem is that this code does not check for errors so it's possible for the entire buffer to be uninitialized. Inintialize the struct to zero to prevent reading uninitialized stack data. Debugfs is normally only writable by root so the impact of this bug is very minimal. Fixes: 6cca83d498bd ("Platform: OLPC: move debugfs support from x86 EC driver") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YthIKn+TfZSZMEcM@kili Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 95ab0d267eeeb420b478b03aa06617ecc151e9da Author: Vadim Pasternak Date: Tue Jul 19 18:35:40 2022 +0300 platform/mellanox: mlxreg-lc: Fix error flow and extend verbosity [ Upstream commit b4b830a34d8046633231b7fe87f6f2cb6240dc9f ] Fix error flow: - Clean-up client object in case of probing failure. - Prevent running remove routine in case of probing failure. Probing and removing are invoked by hotplug events raised upon line card insertion and removing. If probing procedure failed all data is cleared and there is nothing to do in remove routine. Fixes: 62f9529b8d5c ("platform/mellanox: mlxreg-lc: Add initial support for Nvidia line card devices") Signed-off-by: Vadim Pasternak Link: https://lore.kernel.org/r/20220719153540.61304-1-vadimp@nvidia.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 341dd8c53ea4bbb859e28ed595852dd730626c8d Author: Hans de Goede Date: Thu Jul 28 20:06:35 2022 +0200 platform/x86: pmc_atom: Match all Lex BayTrail boards with critclk_systems DMI table [ Upstream commit c9d959fc32a5f9312282817052d8986614f2dc08 ] The critclk_systems[] DMI match table already contains 2 Lex BayTrail boards and patches were just submitted to add 3 more entries for the following models: 3I380NX, 3I380A, 3I380CW. Looking at: https://www.lex.com.tw/products/embedded-ipc-board/ we can see that Lex BayTrail makes many embedded boards with multiple ethernet boards and none of their products are battery powered so we don't need to worry (too much) about power consumption when suspended. Add a new DMI match which simply matches all Lex BayTrail boards and drop the 2 existing board specific quirks. Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL") Reported-by: Michael Schöne Reported-by: Paul Spooren Reported-by: Matwey V. Kornilov Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 385de404e2b1e957fe158aec800011ded0391b46 Author: Dan Carpenter Date: Mon Jul 18 16:17:17 2022 +0300 tools/power/x86/intel-speed-select: Fix off by one check [ Upstream commit d9f74d98bbec978edbf860f729b531281ba0d8ff ] Change > MAX_DIE_PER_PACKAGE to >= MAX_DIE_PER_PACKAGE to prevent accessing one element beyond the end of the array. Fixes: 7fd786dfbd2c ("tools/power/x86/intel-speed-select: OOB daemon mode") Signed-off-by: Dan Carpenter Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit a2bcf77490131faef1cb9d6a54ae97b61d4715f4 Author: Sean Christopherson Date: Tue Jun 7 21:36:00 2022 +0000 KVM: nVMX: Set UMIP bit CR4_FIXED1 MSR when emulating UMIP [ Upstream commit a910b5ab6b250a88fff1866bf708642d83317466 ] Make UMIP an "allowed-1" bit CR4_FIXED1 MSR when KVM is emulating UMIP. KVM emulates UMIP for both L1 and L2, and so should enumerate that L2 is allowed to have CR4.UMIP=1. Not setting the bit doesn't immediately break nVMX, as KVM does set/clear the bit in CR4_FIXED1 in response to a guest CPUID update, i.e. KVM will correctly (dis)allow nested VM-Entry based on whether or not UMIP is exposed to L1. That said, KVM should enumerate the bit as being allowed from time zero, e.g. userspace will see the wrong value if the MSR is read before CPUID is written. Fixes: 0367f205a3b7 ("KVM: vmx: add support for emulating UMIP") Signed-off-by: Sean Christopherson Message-Id: <20220607213604.3346000-12-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 6ae6abe240306f878557d6eadd950a2e2561f59f Author: Peter Suti Date: Wed Jul 27 09:35:50 2022 +0200 staging: fbtft: core: set smem_len before fb_deferred_io_init call [ Upstream commit 81e878887ff82a7dd42f22951391069a5d520627 ] The fbtft_framebuffer_alloc() calls fb_deferred_io_init() before initializing info->fix.smem_len. It is set to zero by the framebuffer_alloc() function. It will trigger a WARN_ON() at the start of fb_deferred_io_init() and the function will not do anything. Fixes: 856082f021a2 ("fbdev: defio: fix the pagelist corruption") Signed-off-by: Peter Suti Link: https://lore.kernel.org/r/20220727073550.1491126-1-peter.suti@streamunlimited.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 56a7f5974f25e2c9bd644a807e11f9e6a087341c Author: Patrice Chotard Date: Wed Jun 29 15:30:13 2022 +0200 mtd: spi-nor: fix spi_nor_spimem_setup_op() call in spi_nor_erase_{sector,chip}() [ Upstream commit f8cd9f632f4415b1e8838bdca8ab42cfb37a6584 ] For erase operations, reg_proto must be used as indicated in struct spi_nor description in spi-nor.h. This issue was found when DT property spi-tx-bus-width is set to 4. In this case the spi_mem_op->addr.buswidth is set to 4 for erase command which is not correct. Tested on stm32mp157c-ev1 board with mx66l51235f spi-nor. Fixes: 0e30f47232ab ("mtd: spi-nor: add support for DTR protocol") Signed-off-by: Patrice Chotard [ta: use nor->reg_proto in spi_nor_controller_ops_erase()] Signed-off-by: Tudor Ambarus Tested-by: Alexander Sverdlin Reviewed-by: Pratyush Yadav Link: https://lore.kernel.org/r/20220629133013.3382393-1-patrice.chotard@foss.st.com Signed-off-by: Sasha Levin commit eb82c0382285ee17a9966aaab27b8becb08eb1ac Author: Andrey Strachuk Date: Mon Jul 18 19:00:52 2022 +0300 usb: cdns3: change place of 'priv_ep' assignment in cdns3_gadget_ep_dequeue(), cdns3_gadget_ep_enable() [ Upstream commit c3ffc9c4ca44bfe9562166793d133e1fb0630ea6 ] If 'ep' is NULL, result of ep_to_cdns3_ep(ep) is invalid pointer and its dereference with priv_ep->cdns3_dev may cause panic. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") Acked-by: Peter Chen Signed-off-by: Andrey Strachuk Link: https://lore.kernel.org/r/20220718160052.4188-1-strochuk@ispras.ru Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 371a8af4f26e06b4d51d893b4436f520b48d07fd Author: Alexey Sheplyakov Date: Fri Jul 22 18:17:00 2022 +0400 usb: xhci_plat_remove: avoid NULL dereference [ Upstream commit d7de14d74d6551f0d097430f9893ce82ad17e5b8 ] Since commit 4736ebd7fcaff1eb8481c140ba494962847d6e0a ("usb: host: xhci-plat: omit shared hcd if either root hub has no ports") xhci->shared_hcd can be NULL, which causes the following Oops on reboot: [ 710.124450] systemd-shutdown[1]: Rebooting. [ 710.298861] xhci-hcd xhci-hcd.2.auto: remove, state 4 [ 710.304217] usb usb3: USB disconnect, device number 1 [ 710.317441] xhci-hcd xhci-hcd.2.auto: USB bus 3 deregistered [ 710.323280] xhci-hcd xhci-hcd.2.auto: remove, state 1 [ 710.328401] usb usb2: USB disconnect, device number 1 [ 710.333515] usb 2-3: USB disconnect, device number 2 [ 710.467649] xhci-hcd xhci-hcd.2.auto: USB bus 2 deregistered [ 710.475450] Unable to handle kernel NULL pointer dereference at virtual address 00000000000003b8 [ 710.484425] Mem abort info: [ 710.487265] ESR = 0x0000000096000004 [ 710.491060] EC = 0x25: DABT (current EL), IL = 32 bits [ 710.496427] SET = 0, FnV = 0 [ 710.499525] EA = 0, S1PTW = 0 [ 710.502716] FSC = 0x04: level 0 translation fault [ 710.507648] Data abort info: [ 710.510577] ISV = 0, ISS = 0x00000004 [ 710.514462] CM = 0, WnR = 0 [ 710.517480] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008b0050000 [ 710.523976] [00000000000003b8] pgd=0000000000000000, p4d=0000000000000000 [ 710.530961] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 710.536551] Modules linked in: rfkill input_leds snd_soc_simple_card snd_soc_simple_card_utils snd_soc_nau8822 designware_i2s snd_soc_core dw_hdmi_ahb_audio snd_pcm_dmaengine arm_ccn panfrost ac97_bus gpu_sched snd_pcm at24 fuse configfs sdhci_of_dwcmshc sdhci_pltfm sdhci nvme led_class mmc_core nvme_core bt1_pvt polynomial tp_serio snd_seq_midi snd_seq_midi_event snd_seq snd_timer snd_rawmidi snd_seq_device snd soundcore efivarfs ipv6 [ 710.575286] CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted 5.19.0-rc7-00043-gfd8619f4fd54 #1 [ 710.583822] Hardware name: T-Platforms TF307-MB/BM1BM1-A, BIOS 5.6 07/06/2022 [ 710.590972] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 710.597949] pc : usb_remove_hcd+0x34/0x1e4 [ 710.602067] lr : xhci_plat_remove+0x74/0x140 [ 710.606351] sp : ffff800009f3b7c0 [ 710.609674] x29: ffff800009f3b7c0 x28: ffff000800960040 x27: 0000000000000000 [ 710.616833] x26: ffff800008dc22a0 x25: 0000000000000000 x24: 0000000000000000 [ 710.623992] x23: 0000000000000000 x22: ffff000805465810 x21: ffff000805465800 [ 710.631149] x20: ffff000800f80000 x19: 0000000000000000 x18: ffffffffffffffff [ 710.638307] x17: ffff000805096000 x16: ffff00080633b800 x15: ffff000806537a1c [ 710.645465] x14: 0000000000000001 x13: 0000000000000000 x12: ffff00080378d6f0 [ 710.652621] x11: ffff00080041a900 x10: ffff800009b204e8 x9 : ffff8000088abaa4 [ 710.659779] x8 : ffff000800960040 x7 : ffff800009409000 x6 : 0000000000000001 [ 710.666936] x5 : ffff800009241000 x4 : ffff800009241440 x3 : 0000000000000000 [ 710.674094] x2 : ffff000800960040 x1 : ffff000800960040 x0 : 0000000000000000 [ 710.681251] Call trace: [ 710.683704] usb_remove_hcd+0x34/0x1e4 [ 710.687467] xhci_plat_remove+0x74/0x140 [ 710.691400] platform_remove+0x34/0x70 [ 710.695165] device_remove+0x54/0x90 [ 710.698753] device_release_driver_internal+0x200/0x270 [ 710.703992] device_release_driver+0x24/0x30 [ 710.708273] bus_remove_device+0xe0/0x16c [ 710.712293] device_del+0x178/0x390 [ 710.715797] platform_device_del.part.0+0x24/0x90 [ 710.720514] platform_device_unregister+0x30/0x50 [ 710.725232] dwc3_host_exit+0x20/0x30 [ 710.728907] dwc3_remove+0x174/0x1b0 [ 710.732494] platform_remove+0x34/0x70 [ 710.736254] device_remove+0x54/0x90 [ 710.739840] device_release_driver_internal+0x200/0x270 [ 710.745078] device_release_driver+0x24/0x30 [ 710.749359] bus_remove_device+0xe0/0x16c [ 710.753380] device_del+0x178/0x390 [ 710.756881] platform_device_del.part.0+0x24/0x90 [ 710.761598] platform_device_unregister+0x30/0x50 [ 710.766314] of_platform_device_destroy+0xe8/0x100 [ 710.771119] device_for_each_child_reverse+0x70/0xc0 [ 710.776099] of_platform_depopulate+0x48/0x90 [ 710.780468] __dwc3_of_simple_teardown+0x28/0xe0 [ 710.785099] dwc3_of_simple_shutdown+0x20/0x30 [ 710.789555] platform_shutdown+0x30/0x40 [ 710.793490] device_shutdown+0x138/0x32c [ 710.797425] __do_sys_reboot+0x1c4/0x2ac [ 710.801362] __arm64_sys_reboot+0x30/0x40 [ 710.805383] invoke_syscall+0x50/0x120 [ 710.809146] el0_svc_common.constprop.0+0x68/0x124 [ 710.813950] do_el0_svc+0x3c/0xcc [ 710.817275] el0_svc+0x60/0x12c [ 710.820428] el0t_64_sync_handler+0xc0/0x13c [ 710.824710] el0t_64_sync+0x18c/0x190 [ 710.828386] Code: a9025bf5 f942c420 f9001fe0 d2800000 (b943ba62) [ 710.834498] ---[ end trace 0000000000000000 ]--- [ 710.875958] pstore: crypto_comp_compress failed, ret = -22! [ 710.895047] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b [ 710.902757] Kernel Offset: disabled [ 710.906255] CPU features: 0x800,00004811,00001082 [ 710.910971] Memory Limit: none [ 710.927474] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]--- To avoid the problem check for NULL in usb_remove_hcd. Fixes: 4736ebd7fcaf ("usb: host: xhci-plat: omit shared hcd if either root hub has no ports") Signed-off-by: Alexey Sheplyakov Link: https://lore.kernel.org/r/20220722141700.1271439-1-asheplyakov@basealt.ru Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d293cf992a10a77d915a83d0784ba037a9b341cd Author: Johan Hovold Date: Mon Jul 25 10:44:57 2022 +0200 USB: serial: fix tty-port initialized comments [ Upstream commit 688ee1d1785c1359f9040f615dd8e6054962bce2 ] Fix up the tty-port initialized comments which got truncated and obfuscated when replacing the old ASYNCB_INITIALIZED flag. Fixes: d41861ca19c9 ("tty: Replace ASYNC_INITIALIZED bit and update atomically") Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit e2e80c37e00de388dfde42e7a9d5d8709ef1619a Author: Basavaraj Natikar Date: Sat Jul 23 11:40:33 2022 +0530 HID: amd_sfh: Handle condition of "no sensors" [ Upstream commit 5d4d0f15657535f6a122ab26d47230b5c2b944af ] Add a check for num_hid_devices to handle special case the situation of "no sensors". Fixes: 4b2c53d93a4b ("SFH:Transport Driver to add support of AMD Sensor Fusion Hub (SFH)") Signed-off-by: Basavaraj Natikar Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit a0dfb4e7b28a66571194d748db580cba25978fd3 Author: Vidya Sagar Date: Thu Jul 21 19:50:50 2022 +0530 PCI: tegra194: Fix link up retry sequence [ Upstream commit e05fd6ae77c3e2cc0dba283005d24b6d56d2b1fa ] Add the missing DLF capability offset while clearing DL_FEATURE_EXCHANGE_EN bit during link up retry. Link: https://lore.kernel.org/r/20220721142052.25971-15-vidyas@nvidia.com Fixes: 56e15a238d92 ("PCI: tegra: Add Tegra194 PCIe support") Signed-off-by: Vidya Sagar Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit ebe2d576ce0294870a3f036e37204336e7b69a4a Author: Vidya Sagar Date: Thu Jul 21 19:50:46 2022 +0530 PCI: tegra194: Fix Root Port interrupt handling [ Upstream commit 6646e99bcec627e866bc84365af37942c72b4b76 ] As part of Root Port interrupt handling, level-0 register is read first and based on the bits set in that, corresponding level-1 registers are read for further interrupt processing. Since both these values are currently read into the same 'val' variable, checking level-0 bits the second time around is happening on the 'val' variable value of level-1 register contents instead of freshly reading the level-0 value again. Fix by using different variables to store level-0 and level-1 registers contents. Link: https://lore.kernel.org/r/20220721142052.25971-11-vidyas@nvidia.com Fixes: 56e15a238d92 ("PCI: tegra: Add Tegra194 PCIe support") Signed-off-by: Vidya Sagar Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 50bf45181c1d565d289fca490001f83d813123bb Author: Bob Pearson Date: Thu Jun 30 14:04:22 2022 -0500 RDMA/rxe: Fix rnr retry behavior [ Upstream commit 445fd4f4fb76d513de6b05b08b3a4d0bb980fc80 ] Currently the completer tasklet when retransmit timer or the rnr timer fires the same flag (qp->req.need_retry) is set so that if either timer fires it will attempt to perform a retry flow on the send queue. This has the effect of responding to an RNR NAK at the first retransmit timer event which might not allow the requested rnr timeout. This patch adds a new flag (qp->req.wait_for_rnr_timer) which, if set, prevents a retry flow until the rnr nak timer fires. This patch fixes rnr retry errors which can be observed by running the pyverbs test_rdmacm_async_traffic_external_qp multiple times. With this patch applied they do not occur. Link: https://lore.kernel.org/linux-rdma/a8287823-1408-4273-bc22-99a0678db640@gmail.com/ Link: https://lore.kernel.org/linux-rdma/2bafda9e-2bb6-186d-12a1-179e8f6a2678@talpey.com/ Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/20220630190425.2251-6-rpearsonhpe@gmail.com Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit fca288d87f6fc350e4f3c412caa3a12f3cec40fc Author: Md Haris Iqbal Date: Thu Jul 7 09:30:06 2022 +0200 RDMA/rxe: For invalidate compare according to set keys in mr [ Upstream commit 174e7b137042f19b5ce88beb4fc0ff4ec6b0c72a ] The 'rkey' input can be an lkey or rkey, and in rxe the lkey or rkey have the same value, including the variant bits. So, if mr->rkey is set, compare the invalidate key with it, otherwise compare with the mr->lkey. Since we already did a lookup on the non-varient bits to get this far, the check's only purpose is to confirm that the wqe has the correct variant bits. Fixes: 001345339f4c ("RDMA/rxe: Separate HW and SW l/rkeys") Link: https://lore.kernel.org/r/20220707073006.328737-1-haris.phnx@gmail.com Signed-off-by: Md Haris Iqbal Reviewed-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 467a6c2e8e3de13cb7f314582cab7cf0af824247 Author: Artem Borisov Date: Tue Jul 19 17:53:24 2022 +0300 HID: alps: Declare U1_UNICORN_LEGACY support [ Upstream commit 1117d182c5d72abd7eb8b7d5e7b8c3373181c3ab ] U1_UNICORN_LEGACY id was added to the driver, but was not declared in the device id table, making it impossible to use. Fixes: 640e403 ("HID: alps: Add AUI1657 device ID") Signed-off-by: Artem Borisov Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 3d56b64a0669da1436fe46a65040da84e3c5258a Author: Liang He Date: Tue Jul 19 17:52:16 2022 +0800 mmc: cavium-thunderx: Add of_node_put() when breaking out of loop [ Upstream commit 7ee480795e41db314f2c445c65ed854a5d6e8e32 ] In thunder_mmc_probe(), we should call of_node_put() when breaking out of for_each_child_of_node() which has increased and decreased the refcount during each iteration. Fixes: 166bac38c3c5 ("mmc: cavium: Add MMC PCI driver for ThunderX SOCs") Signed-off-by: Liang He Acked-by: Robert Richter Link: https://lore.kernel.org/r/20220719095216.1241601-2-windhl@126.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit baad60b572da40ed913903022d790e8b03f1faac Author: Liang He Date: Tue Jul 19 17:52:15 2022 +0800 mmc: cavium-octeon: Add of_node_put() when breaking out of loop [ Upstream commit 19bbb49acf8d7a03cb83e05624363741a4c3ec6f ] In octeon_mmc_probe(), we should call of_node_put() when breaking out of for_each_child_of_node() which has increased and decreased the refcount during each iteration. Fixes: 01d95843335c ("mmc: cavium: Add MMC support for Octeon SOCs.") Signed-off-by: Liang He Acked-by: Robert Richter Link: https://lore.kernel.org/r/20220719095216.1241601-1-windhl@126.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit f22dc8bd31c4a391a98054c78ae540ca617ee3b9 Author: Liang He Date: Tue Jul 19 17:10:51 2022 +0800 mmc: core: quirks: Add of_node_put() when breaking out of loop [ Upstream commit 883c1d6fa4368a63cae2d6ae2d9c91141c60e233 ] In mmc_fixup_of_compatible_match(), we should call of_node_put() when breaking out of for_each_child_of_node() which will increase and decrease the refcount during one iteration. Fixes: b360b1102670 ("mmc: core: allow to match the device tree to apply quirks") Signed-off-by: Liang He Link: https://lore.kernel.org/r/20220719091051.1210806-1-windhl@126.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 2c5760339afaf9bdd1adb0f13bc5250feb62a4a6 Author: Bob Pearson Date: Thu Jul 14 15:46:20 2022 -0500 RDMA/rxe: Fix mw bind to allow any consumer key portion [ Upstream commit 1603f89935ec86d40a7667e1250392626976ccc2 ] The current implementation of rxe_check_bind_mw() in rxe_mw.c is incorrect since it requires the new key portion provided by the mw consumer to be different than the previous key portion. This is not required by the IBA. Remove the test. Link: https://lore.kernel.org/linux-rdma/fb4614e7-4cac-0dc7-3ef7-766dfd10e8f2@gmail.com/ Fixes: 32a577b4c3a9 ("Add support for bind MW work requests") Link: https://lore.kernel.org/r/20220714204619.13396-1-rpearsonhpe@gmail.com Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit e5cee618792284d37431c5f71b8e43bbf81782f5 Author: Antonio Borneo Date: Tue Jul 19 14:28:31 2022 +0200 scripts/gdb: fix 'lx-dmesg' on 32 bits arch [ Upstream commit e3c8d33e0d62175c31ca7ab7ab01b18f0b6318d3 ] The type atomic_long_t can have size 4 or 8 bytes, depending on CONFIG_64BIT; it's only content, the field 'counter', is either an int or a s64 value. Current code incorrectly uses the fixed size utils.read_u64() to read the field 'counter' inside atomic_long_t. On 32 bits architectures reading the last element 'tail_id' of the struct prb_desc_ring: struct prb_desc_ring { ... atomic_long_t tail_id; }; causes the utils.read_u64() to access outside the boundary of the struct and the gdb command 'lx-dmesg' exits with error: Python Exception : index out of range Error occurred in Python: index out of range Query the really used atomic_long_t counter type size. Link: https://lore.kernel.org/r/20220617143758.137307-1-antonio.borneo@foss.st.com Fixes: e60768311af8 ("scripts/gdb: update for lockless printk ringbuffer") Signed-off-by: Antonio Borneo [pmladek@suse.com: Query the really used atomic_long_t counter type size] Tested-by: Antonio Borneo Reviewed-by: John Ogness Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20220719122831.19890-1-pmladek@suse.com Signed-off-by: Sasha Levin commit 2b7d3d525eeed64fd93b1c3e206569e2704f7b2a Author: Fabio Estevam Date: Wed Jul 6 08:13:27 2022 -0300 dmaengine: imx-dma: Cast of_device_get_match_data() with (uintptr_t) [ Upstream commit c3266ee185b59e5aab3e0f982e5b7f95d31555a7 ] Change the of_device_get_match_data() cast to (uintptr_t) to silence the following clang warning: drivers/dma/imx-dma.c:1048:20: warning: cast to smaller integer type 'enum imx_dma_type' from 'const void *' [-Wvoid-pointer-to-enum-cast] Reported-by: kernel test robot Fixes: 0ab785c894e6 ("dmaengine: imx-dma: Remove unused .id_table") Signed-off-by: Fabio Estevam Link: https://lore.kernel.org/r/20220706111327.940764-1-festevam@gmail.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 7af0350b25d5cc6ba6d2b16f8a63526f321bb523 Author: Basavaraj Natikar Date: Tue Jul 12 23:48:26 2022 +0530 HID: amd_sfh: Add NULL check for hid device [ Upstream commit 06aa2a43c307cf4096f422dcb575e5d2913e528f ] On removal of hid device during SFH set report may cause NULL pointer exception. Hence add NULL check for hid device before accessing. Fixes: 4b2c53d93a4b ("SFH:Transport Driver to add support of AMD Sensor Fusion Hub (SFH)") Signed-off-by: Basavaraj Natikar Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 3c0f8a59f2cc8841ee6653399a77f4f3e6e9a270 Author: Harshit Mogalapalli Date: Mon Jun 20 09:28:24 2022 -0700 HID: mcp2221: prevent a buffer overflow in mcp_smbus_write() [ Upstream commit 62ac2473553a00229e67bdf3cb023b62cf7f5a9a ] Smatch Warning: drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy() '&mcp->txbuf[5]' too small (59 vs 255) drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy() 'buf' too small (34 vs 255) The 'len' variable can take a value between 0-255 as it can come from data->block[0] and it is user data. So add an bound check to prevent a buffer overflow in memcpy(). Fixes: 67a95c21463d ("HID: mcp2221: add usb to i2c-smbus host bridge") Signed-off-by: Harshit Mogalapalli Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit b41b0bfdc98326e451b821f00393fa8d95576fac Author: Dan Carpenter Date: Thu Jul 7 17:54:45 2022 +0300 iio: adc: max1027: unlock on error path in max1027_read_single_value() [ Upstream commit 06ee60eb507f00fb3643876ec05318c63332dc88 ] If max1027_wait_eoc() fails then call iio_device_release_direct_mode() before returning. Fixes: a0e831653ef9 ("iio: adc: max1027: Introduce an end of conversion helper") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YsbztVuAXnau2cIZ@kili Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit dd5e0e25fb3983773ca958e429cf900db79b6927 Author: Liang He Date: Mon Jul 11 20:52:38 2022 +0800 gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data() [ Upstream commit 5d07a692f9562f9c06e62cce369e9dd108173a0f ] We should use of_node_get() when a new reference of device_node is created. It is noted that the old reference stored in 'mm_gc->gc.of_node' should also be decreased. This patch is based on the fact that there is a call site in function 'qe_add_gpiochips()' of src file 'drivers\soc\fsl\qe\gpio.c'. In this function, of_mm_gpiochip_add_data() is contained in an iteration of for_each_compatible_node() which will automatically increase and decrease the refcount. So we need additional of_node_get() for the reference escape in of_mm_gpiochip_add_data(). Fixes: a19e3da5bc5f ("of/gpio: Kill of_gpio_chip and add members directly to gpio_chip") Signed-off-by: Liang He Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit a9055dfe437efae77e28e57205437c878a03ccb7 Author: Jianglei Nie Date: Mon Jul 11 15:07:18 2022 +0800 RDMA/hfi1: fix potential memory leak in setup_base_ctxt() [ Upstream commit aa2a1df3a2c85f855af7d54466ac10bd48645d63 ] setup_base_ctxt() allocates a memory chunk for uctxt->groups with hfi1_alloc_ctxt_rcv_groups(). When init_user_ctxt() fails, uctxt->groups is not released, which will lead to a memory leak. We should release the uctxt->groups with hfi1_free_ctxt_rcv_groups() when init_user_ctxt() fails. Fixes: e87473bc1b6c ("IB/hfi1: Only set fd pointer when base context is completely initialized") Link: https://lore.kernel.org/r/20220711070718.2318320-1-niejianglei2021@163.com Signed-off-by: Jianglei Nie Acked-by: Dennis Dalessandro Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit ebf55177909f3810465e2d042dabdd2bf12c0dca Author: Bryan O'Donoghue Date: Tue Jul 12 13:59:17 2022 +0100 clk: qcom: gcc-msm8939: Fix weird field spacing in ftbl_gcc_camss_cci_clk [ Upstream commit 2bc308ebc453ba22f3f120f777b9ac48f973ee80 ] Adding a new item to this frequency table I see the existing indentation is incorrect. Fixes: 1664014e4679 ("clk: qcom: gcc-msm8939: Add MSM8939 Generic Clock Controller") Signed-off-by: Bryan O'Donoghue Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220712125922.3461675-2-bryan.odonoghue@linaro.org Signed-off-by: Sasha Levin commit 94d80c6d7017211e604f7503d575223cf82ddfa8 Author: Bjorn Andersson Date: Wed Jul 13 14:28:18 2022 -0700 clk: qcom: gdsc: Bump parent usage count when GDSC is found enabled [ Upstream commit 41fff779d7948147f2440c4bb134cdf8b45b22d7 ] When a GDSC is found to be enabled at boot the pm_runtime state will be unbalanced as the GDSC is later turned off. Fix this by increasing the usage counter on the power-domain, in line with how we handled the regulator state. Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support") Signed-off-by: Bjorn Andersson Acked-by: Stephen Boyd Link: https://lore.kernel.org/r/20220713212818.130277-1-bjorn.andersson@linaro.org Signed-off-by: Sasha Levin commit 3f3ea0aeb26195fbc0efeb29299a8223ac129adb Author: Abel Vesa Date: Wed Jul 13 17:32:00 2022 +0300 clk: qcom: Drop mmcx gdsc supply for dispcc and videocc [ Upstream commit b1ec8b53c9ae5fae33d60e9638d39ca5346b941b ] Both dispcc and videocc use mmcx power domain now. Lets drop the supply mmcx from every gdsc. Cc: Dmitry Baryshkov Fixes: 266e5cf39a0f ("arm64: dts: qcom: sm8250: remove mmcx regulator") Signed-off-by: Abel Vesa Reviewed-by: Dmitry Baryshkov Reviewed-by: Bjorn Andersson Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220713143200.3686765-1-abel.vesa@linaro.org Signed-off-by: Sasha Levin commit 64f5669fa7143f62890f2136af513c8286f5d9b7 Author: Gwendal Grignou Date: Mon Jul 11 07:47:16 2022 -0700 iio: cros: Register FIFO callback after sensor is registered [ Upstream commit 0b4ae3f6d1210c11f9baf159009c7227eacf90f2 ] Instead of registering callback to process sensor events right at initialization time, wait for the sensor to be register in the iio subsystem. Events can come at probe time (in case the kernel rebooted abruptly without switching the sensor off for instance), and be sent to IIO core before the sensor is fully registered. Fixes: aa984f1ba4a4 ("iio: cros_ec: Register to cros_ec_sensorhub when EC supports FIFO") Reported-by: Douglas Anderson Signed-off-by: Gwendal Grignou Reviewed-by: Douglas Anderson Link: https://lore.kernel.org/r/20220711144716.642617-1-gwendal@chromium.org Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 8598b9d0a364c1663c96fc0fab9df0d36c809aea Author: Zhu Yanjun Date: Tue Jul 5 18:54:14 2022 -0400 RDMA/rxe: Fix BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup [ Upstream commit 37da51efe6eaa0560f46803c8c436a48a2084da7 ] The function rxe_create_qp calls rxe_qp_from_init. If some error occurs, the error handler of function rxe_qp_from_init will set both scq and rcq to NULL. Then rxe_create_qp calls rxe_put to handle qp. In the end, rxe_qp_do_cleanup is called by rxe_put. rxe_qp_do_cleanup directly accesses scq and rcq before checking them. This will cause null-ptr-deref error. The call graph is as below: rxe_create_qp { ... rxe_qp_from_init { ... err1: ... qp->rcq = NULL; <---rcq is set to NULL qp->scq = NULL; <---scq is set to NULL ... } qp_init: rxe_put{ ... rxe_qp_do_cleanup { ... atomic_dec(&qp->scq->num_wq); <--- scq is accessed ... atomic_dec(&qp->rcq->num_wq); <--- rcq is accessed } } Fixes: 4703b4f0d94a ("RDMA/rxe: Enforce IBA C11-17") Link: https://lore.kernel.org/r/20220705225414.315478-1-yanjun.zhu@linux.dev Signed-off-by: Zhu Yanjun Reviewed-by: Bob Pearson Reviewed-by: Md Haris Iqbal Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 1434de50a5d9dab91c8ce031bc23b3e2178379c5 Author: Cheng Xu Date: Thu Jul 14 09:30:47 2022 +0800 RDMA/siw: Fix duplicated reported IW_CM_EVENT_CONNECT_REPLY event [ Upstream commit 3056fc6c32e613b760422b94c7617ac9a24a4721 ] If siw_recv_mpa_rr returns -EAGAIN, it means that the MPA reply hasn't been received completely, and should not report IW_CM_EVENT_CONNECT_REPLY in this case. This may trigger a call trace in iw_cm. A simple way to trigger this: server: ib_send_lat client: ib_send_lat -R The call trace looks like this: kernel BUG at drivers/infiniband/core/iwcm.c:894! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI <...> Workqueue: iw_cm_wq cm_work_handler [iw_cm] Call Trace: cm_work_handler+0x1dd/0x370 [iw_cm] process_one_work+0x1e2/0x3b0 worker_thread+0x49/0x2e0 ? rescuer_thread+0x370/0x370 kthread+0xe5/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 Fixes: 6c52fdc244b5 ("rdma/siw: connection management") Link: https://lore.kernel.org/r/dae34b5fd5c2ea2bd9744812c1d2653a34a94c67.1657706960.git.chengyou@linux.alibaba.com Signed-off-by: Cheng Xu Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 94569c55422a5df31851b43b3c892631b541191c Author: Haoyue Xu Date: Thu Jul 14 21:43:51 2022 +0800 RDMA/hns: Fix incorrect clearing of interrupt status register [ Upstream commit ecb4db5c3590aa956b4b2c352081a5b632d1f9f9 ] The driver will clear all the interrupts in the same area when the driver handles the interrupt of type AEQ overflow. It should only set the interrupt status bit of type AEQ overflow. Fixes: a5073d6054f7 ("RDMA/hns: Add eq support of hip08") Link: https://lore.kernel.org/r/20220714134353.16700-4-liangwenpeng@huawei.com Signed-off-by: Haoyue Xu Signed-off-by: Wenpeng Liang Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit b4c9f7db9f0148423557539af0fdf513338efe08 Author: Jianglei Nie Date: Thu Jul 14 14:15:05 2022 +0800 RDMA/qedr: Fix potential memory leak in __qedr_alloc_mr() [ Upstream commit b3236a64ddd125a455ef5b5316c1b9051b732974 ] __qedr_alloc_mr() allocates a memory chunk for "mr->info.pbl_table" with init_mr_info(). When rdma_alloc_tid() and rdma_register_tid() fail, "mr" is released while "mr->info.pbl_table" is not released, which will lead to a memory leak. We should release the "mr->info.pbl_table" with qedr_free_pbl() when error occurs to fix the memory leak. Fixes: e0290cce6ac0 ("qedr: Add support for memory registeration verbs") Link: https://lore.kernel.org/r/20220714061505.2342759-1-niejianglei2021@163.com Signed-off-by: Jianglei Nie Acked-by: Michal Kalderon  Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 9890ddd4768b6d22192a748275a7331659dd66d4 Author: Md Haris Iqbal Date: Tue Jul 12 12:31:12 2022 +0200 RDMA/rtrs-clt: Replace list_next_or_null_rr_rcu with an inline function [ Upstream commit c14adff285ad1bb8eefc5d8fc202ceb1f7e3a2f1 ] removes list_next_or_null_rr_rcu macro to fix below warnings. That macro is used only twice. CHECK:MACRO_ARG_REUSE: Macro argument reuse 'head' - possible side-effects? CHECK:MACRO_ARG_REUSE: Macro argument reuse 'ptr' - possible side-effects? CHECK:MACRO_ARG_REUSE: Macro argument reuse 'memb' - possible side-effects? Replaces that macro with an inline function. Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality") Cc: jinpu.wang@ionos.com Link: https://lore.kernel.org/r/20220712103113.617754-5-haris.iqbal@ionos.com Signed-off-by: Md Haris Iqbal Suggested-by: Jason Gunthorpe Signed-off-by: Jack Wang Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit a14aeefc9853c4ab03c87a423709dc2ee3138370 Author: Jack Wang Date: Tue Jul 12 12:31:09 2022 +0200 RDMA/rtrs-srv: Fix modinfo output for stringify [ Upstream commit ed6e53820ee4f68ed927de17e5675ff2a07a47e2 ] stringify works with define, not enum. Fixes: 91fddedd439c ("RDMA/rtrs: private headers with rtrs protocol structs and helpers") Cc: jinpu.wang@ionos.com Link: https://lore.kernel.org/r/20220712103113.617754-2-haris.iqbal@ionos.com Signed-off-by: Jack Wang Signed-off-by: Md Haris Iqbal Reviewed-by: Aleksei Marov Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit c12c824822dcfeae35a2fc351b2975147ef611b5 Author: Mustafa Ismail Date: Tue Jul 5 18:08:15 2022 -0500 RDMA/irdma: Fix setting of QP context err_rq_idx_valid field [ Upstream commit 3a844596ed71b7c12ac602f6f6b7b0f17e4d6a90 ] Setting err_rq_idx_valid field in QP context when the AE source of the AEQE is not associated with an RQ causes the firmware flush to fail. Set err_rq_idx_valid field in QP context only if it is associated with an RQ. Additionally, cleanup the redundant setting of this field in irdma_process_aeq. Fixes: 44d9e52977a1 ("RDMA/irdma: Implement device initialization definitions") Link: https://lore.kernel.org/r/20220705230815.265-8-shiraz.saleem@intel.com Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit f420fa0def4700176cb87517928dfb290a60ce31 Author: Mustafa Ismail Date: Tue Jul 5 18:08:14 2022 -0500 RDMA/irdma: Fix VLAN connection with wildcard address [ Upstream commit 82ab2b52654c43ba24a3f6603fec40874cc5a7e5 ] When an application listens on a wildcard address, and there are VLAN and non-VLAN IP addresses, iWARP connection establishemnt can fail if the listen node VLAN ID does not match. Fix this by checking the vlan_id only if not a wildcard listen node. Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager") Link: https://lore.kernel.org/r/20220705230815.265-7-shiraz.saleem@intel.com Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 350ac793a03c8a30a3f2b27fc282cd1c67070763 Author: Mustafa Ismail Date: Tue Jul 5 18:08:13 2022 -0500 RDMA/irdma: Fix a window for use-after-free [ Upstream commit 8ecef7890b3aea78c8bbb501a4b5b8134367b821 ] During a destroy CQ an interrupt may cause processing of a CQE after CQ resources are freed by irdma_cq_free_rsrc(). Fix this by moving the call to irdma_cq_free_rsrc() after the irdma_sc_cleanup_ceqes(), which is called under the cq_lock. Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") Link: https://lore.kernel.org/r/20220705230815.265-6-shiraz.saleem@intel.com Signed-off-by: Bartosz Sobczak Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 6cb78e41ce2e36d6f9fee21cecfc020c441328fe Author: Patrick Wang Date: Tue Jul 5 19:31:58 2022 +0800 mm: percpu: use kmemleak_ignore_phys() instead of kmemleak_free() [ Upstream commit a317ebccaa3609917a2c021af870cf3fa607ab0c ] Kmemleak recently added a rbtree to store the objects allocted with physical address. Those objects can't be freed with kmemleak_free(). According to the comments, percpu allocations are tracked by kmemleak separately. Kmemleak_free() was used to avoid the unnecessary tracking. If kmemleak_free() fails, those objects would be scanned by kmemleak, which is unnecessary but shouldn't lead to other effects. Use kmemleak_ignore_phys() instead of kmemleak_free() for those objects. Link: https://lkml.kernel.org/r/20220705113158.127600-1-patrick.wang.shcn@gmail.com Fixes: 0c24e061196c ("mm: kmemleak: add rbtree and store physical address for objects allocated with PA") Signed-off-by: Patrick Wang Cc: Dennis Zhou Cc: Tejun Heo Cc: Christoph Lameter Cc: Catalin Marinas Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 7974b2039c52e247029a052c77fdd324890e7400 Author: Christopher Obbard Date: Thu Jun 23 09:58:42 2022 +0100 um: random: Don't initialise hwrng struct with zero [ Upstream commit 9e70cbd11b03889c92462cf52edb2bd023c798fa ] Initialising the hwrng struct with zeros causes a compile-time sparse warning: $ ARCH=um make -j10 W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ... CHECK arch/um/drivers/random.c arch/um/drivers/random.c:31:31: sparse: warning: Using plain integer as NULL pointer Fix the warning by not initialising the hwrng struct with zeros as it is initialised anyway during module init. Fixes: 72d3e093afae ("um: random: Register random as hwrng-core device") Reported-by: kernel test robot Signed-off-by: Christopher Obbard Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 9e3d119d5d6c7f51cba5feb9481f8e88f16c24bd Author: Kalesh Singh Date: Fri Jul 15 16:58:24 2022 -0700 KVM: arm64: Fix hypervisor address symbolization [ Upstream commit ed6313a93fd11d2015ad17046f3c418bf6a8dab1 ] With CONFIG_RANDOMIZE_BASE=y vmlinux addresses will resolve incorrectly from kallsyms. Fix this by adding the KASLR offset before printing the symbols. Fixes: 6ccf9cb557bd ("KVM: arm64: Symbolize the nVHE HYP addresses") Reported-by: Fuad Tabba Signed-off-by: Kalesh Singh Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20220715235824.2549012-1-kaleshsingh@google.com Signed-off-by: Sasha Levin commit 1be95546e8223aa7f72ea669c6a0150bed991e57 Author: Peng Fan Date: Sun Jul 3 17:11:26 2022 +0800 interconnect: imx: fix max_node_id [ Upstream commit bd734481e172b4827af09c9ab06c51d2ab7201e6 ] max_node_id not equal to the ARRAY_SIZE of node array, need increase 1, otherwise xlate will fail for the last entry. And rename max_node_id to num_nodes to reflect the reality. Fixes: f0d8048525d7d ("interconnect: Add imx core driver") Reviewed-by: Laurent Pinchart Signed-off-by: Peng Fan Link: https://lore.kernel.org/r/20220703091132.1412063-5-peng.fan@oss.nxp.com Signed-off-by: Georgi Djakov Signed-off-by: Sasha Levin commit 305a0aa6717dbbb180a7b84ba258f3bb720f978a Author: Samuel Holland Date: Fri Jul 8 01:14:34 2022 -0500 phy: rockchip-inno-usb2: Ignore OTG IRQs in host mode [ Upstream commit fd7d47484125c7d04578de9294faa7fec6e5df0a ] When the OTG port is fixed to host mode, the driver does not request its IRQs, nor does it enable those IRQs in hardware. Similarly, the driver should ignore the OTG port IRQs when handling the shared interrupt. Otherwise, it would update the extcon based on an ID pin which may be in an undefined state, or try to queue a uninitialized work item. Fixes: 6a98df08ccd5 ("phy: rockchip-inno-usb2: Fix muxed interrupt support") Reported-by: Frank Wunderlich Signed-off-by: Samuel Holland Tested-by: Peter Geis Tested-by: Frank Wunderlich Link: https://lore.kernel.org/r/20220708061434.38115-1-samuel@sholland.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit d29787a42e24f58bc5f42a03d99524556474db77 Author: Fabrice Gasnier Date: Wed Jul 13 15:39:53 2022 +0200 phy: stm32: fix error return in stm32_usbphyc_phy_init [ Upstream commit 32b378a9179ae4db61cfc5d502717214e6cd1e1c ] Error code is overridden, in case the PLL doesn't lock. So, the USB initialization can continue. This leads to a platform freeze. This can be avoided by returning proper error code to avoid USB probe freezing the platform. It also displays proper errors in log. Fixes: 5b1af71280ab ("phy: stm32: rework PLL Lock detection") Signed-off-by: Fabrice Gasnier Link: https://lore.kernel.org/r/20220713133953.595134-1-fabrice.gasnier@foss.st.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 043dc5d046b26227f24a8ac7905b7906dbb9c7d5 Author: Dan Carpenter Date: Fri Jul 8 16:46:38 2022 +0300 eeprom: idt_89hpesx: uninitialized data in idt_dbgfs_csr_write() [ Upstream commit 71d46f1ff2212ced4852c7e77c5176382a1bdcec ] The simple_write_to_buffer() function will return positive/success if it is able to write a single byte anywhere within the buffer. However that potentially leaves a lot of the buffer uninitialized. In this code it's better to return 0 if the offset is non-zero. This code is not written to support partial writes. And then return -EFAULT if the buffer is not completely initialized. Fixes: cfad6425382e ("eeprom: Add IDT 89HPESx EEPROM/CSR driver") Reviewed-by: Serge Semin Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/Ysg1Pu/nzSMe3r1q@kili Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 216055fa5e20c8cc59f6ce317fcd9bcd467a4dd0 Author: Johan Hovold Date: Wed Jul 13 15:13:36 2022 +0200 usb: dwc3: qcom: fix missing optional irq warnings [ Upstream commit 69bb3520db7cecbccc9e497fc568fa5465c9d43f ] Not all platforms have all of the four currently supported wakeup interrupts so use the optional irq helpers when looking up interrupts to avoid printing error messages when an optional interrupt is not found: dwc3-qcom a6f8800.usb: error -ENXIO: IRQ hs_phy_irq not found Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver") Reviewed-by: Andrew Halaney Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20220713131340.29401-4-johan+linaro@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e3cb5a27c6b240faa2e0f79e08aac4aa6ee3ac56 Author: Rohith Kollalsi Date: Thu Jul 14 10:26:25 2022 +0530 usb: dwc3: core: Do not perform GCTL_CORE_SOFTRESET during bootup [ Upstream commit 07903626d98853e605fe63e5ce149f1b7314bbea ] According to the programming guide, it is recommended to perform a GCTL_CORE_SOFTRESET only when switching the mode from device to host or host to device. However, it is found that during bootup when __dwc3_set_mode() is called for the first time, GCTL_CORESOFTRESET is done with suspendable bit(BIT 17) of DWC3_GUSB3PIPECTL set. This some times leads to issues like controller going into bad state and controller registers reading value zero. Until GCTL_CORESOFTRESET is done and run/stop bit is set core initialization is not complete. Setting suspendable bit of DWC3_GUSB3PIPECTL and then performing GCTL_CORESOFTRESET is therefore not recommended. Avoid this by only performing the reset if current_dr_role is set, that is, when doing subsequent role switching. Fixes: f88359e1588b ("usb: dwc3: core: Do core softreset when switch mode") Signed-off-by: Rohith Kollalsi Link: https://lore.kernel.org/r/20220714045625.20377-1-quic_rkollals@quicinc.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d0a97d94b7c3184486e93221f0e2acbe4a89501b Author: Thinh Nguyen Date: Wed Jun 15 17:24:32 2022 -0700 usb: dwc3: core: Deprecate GCTL.CORESOFTRESET [ Upstream commit afbd04e66e5d16ca3c7ea2e3c56eca25558eacf3 ] Synopsys IP DWC_usb32 and DWC_usb31 version 1.90a and above deprecated GCTL.CORESOFTRESET. The DRD mode switching flow is updated to remove the GCTL soft reset. Add version checks to prevent using deprecated setting in mode switching flow. Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/9df529fde6e55f5508321b6bc26e92848044ef2b.1655338967.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 3503305225ca24c3229414c769323fb8bf39b4bf Author: Liang He Date: Wed Jul 13 20:05:28 2022 +0800 usb: aspeed-vhub: Fix refcount leak bug in ast_vhub_init_desc() [ Upstream commit 220fafb4ed04187e9c17be4152da5a7f2ffbdd8c ] We should call of_node_put() for the reference returned by of_get_child_by_name() which has increased the refcount. Fixes: 30d2617fd7ed ("usb: gadget: aspeed: allow to set usb strings in device tree") Signed-off-by: Liang He Link: https://lore.kernel.org/r/20220713120528.368168-1-windhl@126.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8e8769e7fa792653cdd6fb42d8e1e5f3397374fc Author: Randy Dunlap Date: Fri Jul 8 18:36:01 2022 -0700 usb: gadget: udc: amd5536 depends on HAS_DMA [ Upstream commit 8097cf2fb3b2205257f1c76f4808e3398d66b6d9 ] USB_AMD5536UDC should depend on HAS_DMA since it selects USB_SNP_CORE, which depends on HAS_DMA and since 'select' does not follow any dependency chains. Fixes this kconfig warning: WARNING: unmet direct dependencies detected for USB_SNP_CORE Depends on [n]: USB_SUPPORT [=y] && USB_GADGET [=y] && (USB_AMD5536UDC [=y] || USB_SNP_UDC_PLAT [=n]) && HAS_DMA [=n] Selected by [y]: - USB_AMD5536UDC [=y] && USB_SUPPORT [=y] && USB_GADGET [=y] && USB_PCI [=y] Fixes: 97b3ffa233b9 ("usb: gadget: udc: amd5536: split core and PCI layer") Cc: Raviteja Garimella Cc: Felipe Balbi Cc: linux-usb@vger.kernel.org Cc: Greg Kroah-Hartman Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20220709013601.7536-1-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 70cee09b16dc73e637a5fd1656ef685a5199f523 Author: Yang Yingliang Date: Thu Jul 7 10:32:29 2022 +0800 xtensa: iss: fix handling error cases in iss_net_configure() [ Upstream commit 628ccfc8f5f79dd548319408fcc53949fe97b258 ] The 'pdev' and 'netdev' need to be released in error cases of iss_net_configure(). Change the return type of iss_net_configure() to void, because it's not used. Fixes: 7282bee78798 ("[PATCH] xtensa: Architecture support for Tensilica Xtensa Part 8") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Max Filippov Signed-off-by: Sasha Levin commit 462a15a38345ae21bd089f1cb37197a77e7bb22e Author: Max Filippov Date: Thu Jul 7 00:23:16 2022 -0700 xtensa: iss/network: provide release() callback [ Upstream commit 8864fb8359682912ee99235db7db916733a1fd7b ] Provide release() callback for the platform device embedded into struct iss_net_private and registered in the iss_net_configure so that platform_device_unregister could be called for it. Signed-off-by: Max Filippov Signed-off-by: Sasha Levin commit e240328df6add0791464ed3555664897c075d473 Author: Mahesh Rajashekhara Date: Fri Jul 8 13:47:36 2022 -0500 scsi: smartpqi: Fix DMA direction for RAID requests [ Upstream commit 69695aeaa6621bc49cdd7a8e5a8d1042461e496e ] Correct a SOP READ and WRITE DMA flags for some requests. This update corrects DMA direction issues with SCSI commands removed from the controller's internal lookup table. Currently, SCSI READ BLOCK LIMITS (0x5) was removed from the controller lookup table and exposed a DMA direction flag issue. SCSI READ BLOCK LIMITS was recently removed from our controller lookup table so the controller uses the respective IU flag field to set the DMA data direction. Since the DMA direction is incorrect the FW never completes the request causing a hang. Some SCSI commands which use SCSI READ BLOCK LIMITS * sg_map * mt -f /dev/stX status After updating controller firmware, users may notice their tape units failing. This patch resolves the issue. Also, the AIO path DMA direction is correct. The DMA direction flag is a day-one bug with no reported BZ. Fixes: 6c223761eb54 ("smartpqi: initial commit of Microsemi smartpqi driver") Link: https://lore.kernel.org/r/165730605618.177165.9054223644512926624.stgit@brunhilda Reviewed-by: Scott Benesh Reviewed-by: Scott Teel Reviewed-by: Mike McGowen Reviewed-by: Kevin Barnett Signed-off-by: Mahesh Rajashekhara Signed-off-by: Don Brace Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit a86857e9d30956dae8b24a56a297d734580f921e Author: Christian Marangi Date: Sat Jul 9 00:27:43 2022 +0200 PCI: qcom: Set up rev 2.1.0 PARF_PHY before enabling clocks [ Upstream commit 38f897ae3d44900f627cad708a15db498ce2ca31 ] We currently enable clocks BEFORE we write to PARF_PHY_CTRL reg to enable clocks and resets. This causes the driver to never set to a ready state with the error 'Phy link never came up'. This is caused by the PHY clock getting enabled before setting the required bits in the PARF regs. A workaround for this was set but with this new discovery we can drop the workaround and use a proper solution to the problem by just enabling the clock only AFTER the PARF_PHY_CTRL bit is set. This correctly sets up the PCIe link and makes it usable even when a bootloader leaves the PCIe link in an undefined state. Fixes: 82a823833f4e ("PCI: qcom: Add Qualcomm PCIe controller driver") Link: https://lore.kernel.org/r/20220708222743.27019-1-ansuelsmth@gmail.com Signed-off-by: Christian Marangi Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 65e393fddc5379b2c41ca7e73cd4bb9572c4d90e Author: Stefan Roese Date: Tue Jan 25 08:18:19 2022 +0100 PCI/portdrv: Don't disable AER reporting in get_port_device_capability() [ Upstream commit 8795e182b02dc87e343c79e73af6b8b7f9c5e635 ] AER reporting is currently disabled in the DevCtl registers of all non Root Port PCIe devices on systems using pcie_ports_native || host->native_aer, disabling AER completely in such systems. This is because 2bd50dd800b5 ("PCI: PCIe: Disable PCIe port services during port initialization"), added a call to pci_disable_pcie_error_reporting() *after* the AER setup was completed for the PCIe device tree. Here a longer analysis about the current status of AER enabling / disabling upon bootup provided by Bjorn: pcie_portdrv_probe pcie_port_device_register get_port_device_capability pci_disable_pcie_error_reporting clear CERE NFERE FERE URRE # <-- disable for RP USP DSP pcie_device_init device_register # new AER service device aer_probe aer_enable_rootport # RP only set_downstream_devices_error_reporting set_device_error_reporting # self (RP) if (RP || USP || DSP) pci_enable_pcie_error_reporting set CERE NFERE FERE URRE # <-- enable for RP pci_walk_bus set_device_error_reporting if (RP || USP || DSP) pci_enable_pcie_error_reporting set CERE NFERE FERE URRE # <-- enable for USP DSP In a typical Root Port -> Endpoint hierarchy, the above: - Disables Error Reporting for the Root Port, - Enables Error Reporting for the Root Port, - Does NOT enable Error Reporting for the Endpoint because it is not a Root Port or Switch Port. In a deeper Root Port -> Upstream Switch Port -> Downstream Switch Port -> Endpoint hierarchy: - Disables Error Reporting for the Root Port, - Enables Error Reporting for the Root Port, - Enables Error Reporting for both Switch Ports, - Does NOT enable Error Reporting for the Endpoint because it is not a Root Port or Switch Port, - Disables Error Reporting for the Switch Ports when pcie_portdrv_probe() claims them. AER does not re-enable it because these are not Root Ports. Remove this call to pci_disable_pcie_error_reporting() from get_port_device_capability(), leaving the already enabled AER configuration intact. With this change, AER is enabled in the Root Port and the PCIe switch upstream and downstream ports. Only the PCIe Endpoints don't have AER enabled yet. A follow-up patch will take care of this Endpoint enabling. Fixes: 2bd50dd800b5 ("PCI: PCIe: Disable PCIe port services during port initialization") Link: https://lore.kernel.org/r/20220125071820.2247260-3-sr@denx.de Signed-off-by: Stefan Roese Signed-off-by: Bjorn Helgaas Reviewed-by: Pali Rohár Cc: Rafael J. Wysocki Cc: Bharat Kumar Gogada Cc: Michal Simek Cc: Yao Hongbo Cc: Naveen Naidu Signed-off-by: Sasha Levin commit 63c71e83d5b6ab8adb5fcebef977052048016957 Author: Claudio Imbrenda Date: Tue Jun 28 15:56:02 2022 +0200 KVM: s390: pv: leak the topmost page table when destroy fails [ Upstream commit faa2f72cb3569256480c5540d242c84e99965160 ] Each secure guest must have a unique ASCE (address space control element); we must avoid that new guests use the same page for their ASCE, to avoid errors. Since the ASCE mostly consists of the address of the topmost page table (plus some flags), we must not return that memory to the pool unless the ASCE is no longer in use. Only a successful Destroy Secure Configuration UVC will make the ASCE reusable again. If the Destroy Configuration UVC fails, the ASCE cannot be reused for a secure guest (either for the ASCE or for other memory areas). To avoid a collision, it must not be used again. This is a permanent error and the page becomes in practice unusable, so we set it aside and leak it. On failure we already leak other memory that belongs to the ultravisor (i.e. the variable and base storage for a guest) and not leaking the topmost page table was an oversight. This error (and thus the leakage) should not happen unless the hardware is broken or KVM has some unknown serious bug. Signed-off-by: Claudio Imbrenda Fixes: 29b40f105ec8d55 ("KVM: s390: protvirt: Add initial vm and cpu lifecycle handling") Reviewed-by: Janosch Frank Link: https://lore.kernel.org/r/20220628135619.32410-2-imbrenda@linux.ibm.com Message-Id: <20220628135619.32410-2-imbrenda@linux.ibm.com> Signed-off-by: Janosch Frank Signed-off-by: Sasha Levin commit ef892ef0831be4e0798e78c7f2b27d83089b93e7 Author: Christian Loehle Date: Fri Jul 1 12:43:09 2022 +0000 mmc: block: Add single read for 4k sector cards [ Upstream commit b3fa3e6dccc465969721b8bd2824213bd235efeb ] Cards with 4k native sector size may only be read 4k-aligned, accommodate for this in the single read recovery and use it. Fixes: 81196976ed946 (mmc: block: Add blk-mq support) Signed-off-by: Christian Loehle Acked-by: Adrian Hunter Reviewed-by: Avri Altman Link: https://lore.kernel.org/r/cf4f316274c5474586d0d99b17db4a4c@hyperstone.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit dfca1e217298ca5cdc4aba9c0ac49e8d3e2bf776 Author: Liang He Date: Sat Jul 2 09:44:49 2022 +0800 of: device: Fix missing of_node_put() in of_dma_set_restricted_buffer [ Upstream commit d17e37c41b7ed38459957a5d2968ba61516fd5c2 ] We should use of_node_put() for the reference 'node' returned by of_parse_phandle() which will increase the refcount. Fixes: fec9b625095f ("of: Add plumbing for restricted DMA pool") Co-authored-by: Miaoqian Lin Signed-off-by: Liang He Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220702014449.263772-1-windhl@126.com Signed-off-by: Sasha Levin commit 98b2ddfa9471e6bf19054e6541cb3118ee94361a Author: Eugen Hristev Date: Thu Jun 30 12:09:26 2022 +0300 mmc: sdhci-of-at91: fix set_uhs_signaling rewriting of MC1R [ Upstream commit 5987e6ded29d52e42fc7b06aa575c60a25eee38e ] In set_uhs_signaling, the DDR bit is being set by fully writing the MC1R register. This can lead to accidental erase of certain bits in this register. Avoid this by doing a read-modify-write operation. Fixes: d0918764c17b ("mmc: sdhci-of-at91: fix MMC_DDR_52 timing selection") Signed-off-by: Eugen Hristev Tested-by: Karl Olsen Acked-by: Adrian Hunter Link: https://lore.kernel.org/r/20220630090926.15061-1-eugen.hristev@microchip.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 39be95d1ff7b44c1e969af72ba9da7332dfcc1da Author: Christophe JAILLET Date: Sat Jun 25 14:55:56 2022 +0200 memstick/ms_block: Fix a memory leak [ Upstream commit 54eb7a55be6779c4d0c25eaf5056498a28595049 ] 'erased_blocks_bitmap' is never freed. As it is allocated at the same time as 'used_blocks_bitmap', it is likely that it should be freed also at the same time. Add the corresponding bitmap_free() in msb_data_clear(). Fixes: 0ab30494bc4f ("memstick: add support for legacy memorysticks") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/b3b78926569445962ea5c3b6e9102418a9effb88.1656155715.git.christophe.jaillet@wanadoo.fr Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 8bb0c5a19f063cf6a29c0faa4d4bb33c38a3ddcb Author: Christophe JAILLET Date: Sat Jun 25 14:55:25 2022 +0200 memstick/ms_block: Fix some incorrect memory allocation [ Upstream commit 2e531bc3e0d86362fcd8a577b3278d9ef3cc2ba0 ] Some functions of the bitmap API take advantage of the fact that a bitmap is an array of long. So, to make sure this assertion is correct, allocate bitmaps with bitmap_zalloc() instead of kzalloc()+hand-computed number of bytes. While at it, also use bitmap_free() instead of kfree() to keep the semantic. Fixes: 0ab30494bc4f ("memstick: add support for legacy memorysticks") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/dbf633c48c24ae6d95f852557e8d8b3bbdef65fe.1656155715.git.christophe.jaillet@wanadoo.fr Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit a42d829b75241f084253e7e28564db1f871ef12c Author: Lad Prabhakar Date: Fri Jun 24 19:14:37 2022 +0100 mmc: renesas_sdhi: Get the reset handle early in the probe [ Upstream commit 0dac1e498f8130fdacfdd5289e3a7ac87ec1b9ad ] In case of devm_reset_control_get_optional_exclusive() failure we returned directly instead of jumping to the error path to roll back initialization. This patch moves devm_reset_control_get_optional_exclusive() early in the probe so that we have the reset handle prior to initialization of the hardware. Fixes: b4d86f37eacb7 ("mmc: renesas_sdhi: do hard reset if possible") Reported-by: Pavel Machek Signed-off-by: Lad Prabhakar Reviewed-by: Geert Uytterhoeven Reviewed-by: Wolfram Sang Link: https://lore.kernel.org/r/20220624181438.4355-2-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit e972c9f132f8f94d23d8b5b7ec892a8e44859226 Author: Fabio Estevam Date: Wed May 25 22:00:22 2022 -0300 mmc: mxcmmc: Silence a clang warning [ Upstream commit 7dc65e3c0ef4b746a583b7c58f99873fddf5ccfa ] Change the of_device_get_match_data() cast to (uintptr_t) to silence the following clang warning: drivers/mmc/host/mxcmmc.c:1028:18: warning: cast to smaller integer type 'enum mxcmci_type' from 'const void *' [-Wvoid-pointer-to-enum-cast] Reported-by: kernel test robot Fixes: 8223e885e74b ("mmc: mxc: Convert the driver to DT-only") Signed-off-by: Fabio Estevam Link: https://lore.kernel.org/r/20220526010022.1163483-1-festevam@gmail.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 8b902840f6a3584f702bcb59834691b30f3d7c5a Author: Miaoqian Lin Date: Mon May 23 18:42:54 2022 +0400 mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch [ Upstream commit b5899a3e2f783a27b268e38d37f9b24c71bddf45 ] of_find_matching_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. of_node_put() checks null pointer. Fixes: ea35645a3c66 ("mmc: sdhci-of-esdhc: add support for signal voltage switch") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220523144255.10310-1-linmq006@gmail.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 517a646109292bf7e4844cb45ed3e6b5de5de726 Author: Bhupesh Sharma Date: Sun May 15 03:31:16 2022 +0530 dt-bindings: mmc: sdhci-msm: Fix issues in yaml bindings [ Upstream commit 8574adf5222d786b747022c6edcbcdddf409a139 ] Rob pointed some remaining issues in the sdhci-msm yaml bindings (via [1]). Fix the same by first using the 'mmc-controller.yaml' as 'ref' and thereafter also fix the issues reported by 'make dtbs_check' check. [1]. https://lore.kernel.org/linux-arm-msm/YnLmNCwNfoqZln12@robh.at.kernel.org/ Fixes: a45537723f4b ("dt-bindings: mmc: sdhci-msm: Convert bindings to yaml") Cc: Bjorn Andersson Cc: Rob Herring Cc: Ulf Hansson Signed-off-by: Bhupesh Sharma Link: https://lore.kernel.org/r/20220514220116.1008254-1-bhupesh.sharma@linaro.org Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit ca766e26941ccefb5ed6988ab44e72be6bf2b9fc Author: Dan Carpenter Date: Wed May 25 15:25:06 2022 +0300 habanalabs: fix double unlock on error in map_device_va() [ Upstream commit a43a9f67774adbd575d10ec88824016fbe034777 ] If hl_mmu_prefetch_cache_range() fails then this code calls mutex_unlock(&ctx->mmu_lock) when it's no longer holding the mutex. Fixes: 9e495e24003e ("habanalabs: do MMU prefetch as deferred work") Signed-off-by: Dan Carpenter Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit e76a9f68081738f8569c8a7162abb8a67ac9be59 Author: jianchunfu Date: Wed Jun 15 15:33:48 2022 +0800 rtla/utils: Use calloc and check the potential memory allocation failure [ Upstream commit b5f37a0b6f667f5c72340ca9dcd7703f261cb981 ] Replace malloc with calloc and add memory allocating check of mon_cpus before used. Link: https://lkml.kernel.org/r/20220615073348.6891-1-jianchunfu@cmss.chinamobile.com Fixes: 7d0dc9576dc3 ("rtla/timerlat: Add --dma-latency option") Signed-off-by: jianchunfu Acked-by: Daniel Bristot de Oliveira Signed-off-by: Steven Rostedt (Google) Signed-off-by: Sasha Levin commit f10541e2d75ded6046fe1c56733c6d4a8c1ab0d6 Author: Duoming Zhou Date: Sun Jul 10 18:30:02 2022 +0800 staging: rtl8192u: Fix sleep in atomic context bug in dm_fsync_timer_callback [ Upstream commit 6a0c054930d554ad8f8044ef1fc856d9da391c81 ] There are sleep in atomic context bugs when dm_fsync_timer_callback is executing. The root cause is that the memory allocation functions with GFP_KERNEL or GFP_NOIO parameters are called in dm_fsync_timer_callback which is a timer handler. The call paths that could trigger bugs are shown below: (interrupt context) dm_fsync_timer_callback write_nic_byte kzalloc(sizeof(data), GFP_KERNEL); //may sleep usb_control_msg kmalloc(.., GFP_NOIO); //may sleep write_nic_dword kzalloc(sizeof(data), GFP_KERNEL); //may sleep usb_control_msg kmalloc(.., GFP_NOIO); //may sleep This patch uses delayed work to replace timer and moves the operations that may sleep into the delayed work in order to mitigate bugs. Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") Signed-off-by: Duoming Zhou Link: https://lore.kernel.org/r/20220710103002.63283-1-duoming@zju.edu.cn Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 13ac27023f602a81aeb46e93ce88f4fbc341a9bc Author: Carlos Llamas Date: Fri Jul 1 18:20:41 2022 +0000 binder: fix redefinition of seq_file attributes [ Upstream commit b7e241bbff24f9e106bf616408fd58bcedc44bae ] The patchset in [1] exported some definitions to binder_internal.h in order to make the debugfs entries such as 'stats' and 'transaction_log' available in a binderfs instance. However, the DEFINE_SHOW_ATTRIBUTE macro expands into a static function/variable pair, which in turn get redefined each time a source file includes this internal header. This problem was made evident after a report from the kernel test robot where several W=1 build warnings are seen in downstream kernels. See the following example: include/../drivers/android/binder_internal.h:111:23: warning: 'binder_stats_fops' defined but not used [-Wunused-const-variable=] 111 | DEFINE_SHOW_ATTRIBUTE(binder_stats); | ^~~~~~~~~~~~ include/linux/seq_file.h:174:37: note: in definition of macro 'DEFINE_SHOW_ATTRIBUTE' 174 | static const struct file_operations __name ## _fops = { \ | ^~~~~~ This patch fixes the above issues by moving back the definitions into binder.c and instead creates an array of the debugfs entries which is more convenient to share with binderfs and iterate through. [1] https://lore.kernel.org/all/20190903161655.107408-1-hridya@google.com/ Fixes: 0e13e452dafc ("binder: Add stats, state and transactions files") Fixes: 03e2e07e3814 ("binder: Make transaction_log available in binderfs") Reported-by: kernel test robot Signed-off-by: Carlos Llamas Link: https://lore.kernel.org/r/20220701182041.2134313-1-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 4914c50670b6a531e2cb17cd984cc565b4681312 Author: Alexander Shishkin Date: Tue Jul 5 11:26:34 2022 +0300 intel_th: msu: Fix vmalloced buffers [ Upstream commit ac12ad3ccf6d386e64a9d6a890595a2509d24edd ] After commit f5ff79fddf0e ("dma-mapping: remove CONFIG_DMA_REMAP") there's a chance of DMA buffer getting allocated via vmalloc(), which messes up the mmapping code: > RIP: msc_mmap_fault [intel_th_msu] > Call Trace: > > __do_fault > do_fault ... Fix this by accounting for vmalloc possibility. Fixes: ba39bd830605 ("intel_th: msu: Switch over to scatterlist") Reviewed-by: Andy Shevchenko Signed-off-by: Alexander Shishkin Link: https://lore.kernel.org/r/20220705082637.59979-4-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e1d427d46269db0ac024905128bbb8aa34f565e3 Author: Jiasheng Jiang Date: Tue Jul 5 11:26:33 2022 +0300 intel_th: msu-sink: Potential dereference of null pointer [ Upstream commit 82f76a4a720791d889de775b5f7541d601efc8bd ] The return value of dma_alloc_coherent() needs to be checked. To avoid use of null pointer in sg_set_buf() in case of the failure of alloc. Fixes: f220df66f676 ("intel_th: msu-sink: An example msu buffer "sink"") Reviewed-by: Andy Shevchenko Signed-off-by: Jiasheng Jiang Signed-off-by: Alexander Shishkin Link: https://lore.kernel.org/r/20220705082637.59979-3-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit fae9da7d4c2ccad3792de03e3cac1fe2bfabb73d Author: Christophe JAILLET Date: Tue Jul 5 11:26:32 2022 +0300 intel_th: Fix a resource leak in an error handling path [ Upstream commit 086c28ab7c5699256aced0049aae9c42f1410313 ] If an error occurs after calling 'pci_alloc_irq_vectors()', 'pci_free_irq_vectors()' must be called as already done in the remove function. Fixes: 7b7036d47c35 ("intel_th: pci: Use MSI interrupt signalling") Reviewed-by: Andy Shevchenko Signed-off-by: Christophe JAILLET Signed-off-by: Alexander Shishkin Link: https://lore.kernel.org/r/20220705082637.59979-2-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8cc35cd5ae3afc048ebe230f7c4558ddbaf4d276 Author: James Smart Date: Fri Jul 1 14:14:21 2022 -0700 scsi: lpfc: Revert RSCN_MEMENTO workaround for misbehaved configuration [ Upstream commit ffc566411aded3c12c63e1310fb23830e9608c59 ] The RSCN_MEMENTO logic was to workaround a target that does not register both FCP and NVMe FC4 types at the same time. This caused the configuration to not produce a second RSCN for the NVMe FC4 type registration in a timely manner. The intention of the RSCN_MEMENTO flag was to always signal to try NVMe PRLI. However, there are other FCP-only target arrays in correctly behaved configurations that reject the NVMe PRLI followed by a LOGO leading to never rediscovering the target after an issue_lip (as LOGO causes a repeat of PLOGI/PRLIs). Revert the RSCN_MEMENTO patch as it is causing correctly behaved configs to fail while it exists only to succeed on a misbehaved config. Link: https://lore.kernel.org/r/20220701211425.2708-9-jsmart2021@gmail.com Fixes: 1045592fc968 ("scsi: lpfc: Introduce FC_RSCN_MEMENTO flag for tracking post RSCN completion") Co-developed-by: Justin Tee Signed-off-by: Justin Tee Signed-off-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 873fb210f1c77ecce659fa3a97f310ed5a9d07ed Author: Dan Carpenter Date: Wed Jun 22 09:21:55 2022 +0300 scsi: qla2xxx: Check correct variable in qla24xx_async_gffid() [ Upstream commit 7c33e477bd883f79cccec418980cb8f7f2d50347 ] There is a copy and paste bug here. It should check ".rsp" instead of ".req". The error message is copy and pasted as well so update that too. Link: https://lore.kernel.org/r/YrK1A/t3L6HKnswO@kili Fixes: 9c40c36e75ff ("scsi: qla2xxx: edif: Reduce Initiator-Initiator thrashing") Signed-off-by: Dan Carpenter Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit b7a75acd73434af28e1f93deaed48ba6c38f4463 Author: Dmitry Baryshkov Date: Tue Jul 5 12:42:53 2022 +0300 phy: qcom-qmp: fix the QSERDES_V5_COM_CMN_MODE register [ Upstream commit 488987b2d5cade4e7680f7e81590435a848d1fa9 ] Change QSERDES_V5_COM_CMN_MODE to be defined to 0x1a0 rather than 0x1a4. The only user of this register name (sm8450_qmp_gen4x2_pcie_serdes_tbl) should use the 0x1a0 register, as stated in the downstream dtsi tree. Fixes: 2c91bf6bf290 ("phy: qcom-qmp: Add SM8450 PCIe1 PHY support") Signed-off-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20220705094320.1313312-2-dmitry.baryshkov@linaro.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 81d54873b64bf75d34f8f4f46dd5b559e989ecd9 Author: Shunsuke Mie Date: Wed Jun 22 13:09:24 2022 +0900 PCI: endpoint: Don't stop controller when unbinding endpoint function [ Upstream commit 1bc2b7bfba6e2f64edf5e246f3af2967261f6c3d ] Unbinding an endpoint function from the endpoint controller shouldn't stop the controller. This is especially a problem for multi-function endpoints where other endpoints may still be active. Don't stop the controller when unbinding one of its endpoints. Normally the controller is stopped via configfs. Fixes: 349e7a85b25f ("PCI: endpoint: functions: Add an EP function to test PCI") Link: https://lore.kernel.org/r/20220622040924.113279-1-mie@igel.co.jp Signed-off-by: Shunsuke Mie Signed-off-by: Bjorn Helgaas Acked-by: Kishon Vijay Abraham I Signed-off-by: Sasha Levin commit a93b3f1e11971a91b6441b6d47488f4492cc113f Author: Viacheslav Mitrofanov Date: Fri Jul 1 11:29:42 2022 +0300 dmaengine: sf-pdma: Add multithread support for a DMA channel [ Upstream commit b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc ] When we get a DMA channel and try to use it in multiple threads it will cause oops and hanging the system. % echo 64 > /sys/module/dmatest/parameters/threads_per_chan % echo 10000 > /sys/module/dmatest/parameters/iterations % echo 1 > /sys/module/dmatest/parameters/run [ 89.480664] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0 [ 89.488725] Oops [#1] [ 89.494708] CPU: 2 PID: 1008 Comm: dma0chan0-copy0 Not tainted 5.17.0-rc5 [ 89.509385] epc : vchan_find_desc+0x32/0x46 [ 89.513553] ra : sf_pdma_tx_status+0xca/0xd6 This happens because of data race. Each thread rewrite channels's descriptor as soon as device_prep_dma_memcpy() is called. It leads to the situation when the driver thinks that it uses right descriptor that actually is freed or substituted for other one. With current fixes a descriptor changes its value only when it has been used. A new descriptor is acquired from vc->desc_issued queue that is already filled with descriptors that are ready to be sent. Threads have no direct access to DMA channel descriptor. Now it is just possible to queue a descriptor for further processing. Fixes: 6973886ad58e ("dmaengine: sf-pdma: add platform DMA support for HiFive Unleashed A00") Signed-off-by: Viacheslav Mitrofanov Link: https://lore.kernel.org/r/20220701082942.12835-1-v.v.mitrofanov@yadro.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 101e55e02cc84be6eb9e69edc25b56e68e67e137 Author: Quentin Perret Date: Tue Jul 5 14:23:10 2022 +0000 KVM: arm64: Don't return from void function [ Upstream commit 1c3ace2b8b3995d3213c5e2d2aca01a0577a3b0f ] Although harmless, the return statement in kvm_unexpected_el2_exception is rather confusing as the function itself has a void return type. The C standard is also pretty clear that "A return statement with an expression shall not appear in a function whose return type is void". Given that this return statement does not seem to add any actual value, let's not pointlessly violate the standard. Build-tested with GCC 10 and CLANG 13 for good measure, the disassembled code is identical with or without the return statement. Fixes: e9ee186bb735 ("KVM: arm64: Add kvm_extable for vaxorcism code") Signed-off-by: Quentin Perret Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20220705142310.3847918-1-qperret@google.com Signed-off-by: Sasha Levin commit 432b30f08ca3303d2ebb22352cb04c4b6cfefe65 Author: Pierre-Louis Bossart Date: Tue Jun 21 17:56:38 2022 -0500 soundwire: revisit driver bind/unbind and callbacks [ Upstream commit bd29c00edd0a5dac8b6e7332bb470cd50f92e893 ] In the SoundWire probe, we store a pointer from the driver ops into the 'slave' structure. This can lead to kernel oopses when unbinding codec drivers, e.g. with the following sequence to remove machine driver and codec driver. /sbin/modprobe -r snd_soc_sof_sdw /sbin/modprobe -r snd_soc_rt711 The full details can be found in the BugLink below, for reference the two following examples show different cases of driver ops/callbacks being invoked after the driver .remove(). kernel: BUG: kernel NULL pointer dereference, address: 0000000000000150 kernel: Workqueue: events cdns_update_slave_status_work [soundwire_cadence] kernel: RIP: 0010:mutex_lock+0x19/0x30 kernel: Call Trace: kernel: ? sdw_handle_slave_status+0x426/0xe00 [soundwire_bus 94ff184bf398570c3f8ff7efe9e32529f532e4ae] kernel: ? newidle_balance+0x26a/0x400 kernel: ? cdns_update_slave_status_work+0x1e9/0x200 [soundwire_cadence 1bcf98eebe5ba9833cd433323769ac923c9c6f82] kernel: BUG: unable to handle page fault for address: ffffffffc07654c8 kernel: Workqueue: pm pm_runtime_work kernel: RIP: 0010:sdw_bus_prep_clk_stop+0x6f/0x160 [soundwire_bus] kernel: Call Trace: kernel: kernel: sdw_cdns_clock_stop+0xb5/0x1b0 [soundwire_cadence 1bcf98eebe5ba9833cd433323769ac923c9c6f82] kernel: intel_suspend_runtime+0x5f/0x120 [soundwire_intel aca858f7c87048d3152a4a41bb68abb9b663a1dd] kernel: ? dpm_sysfs_remove+0x60/0x60 This was not detected earlier in Intel tests since the tests first remove the parent PCI device and shut down the bus. The sequence above is a corner case which keeps the bus operational but without a driver bound. While trying to solve this kernel oopses, it became clear that the existing SoundWire bus does not deal well with the unbind case. Commit 528be501b7d4a ("soundwire: sdw_slave: add probe_complete structure and new fields") added a 'probed' status variable and a 'probe_complete' struct completion. This status is however not reset on remove and likewise the 'probe complete' is not re-initialized, so the bind/unbind/bind test cases would fail. The timeout used before the 'update_status' callback was also a bad idea in hindsight, there should really be no timing assumption as to if and when a driver is bound to a device. An initial draft was based on device_lock() and device_unlock() was tested. This proved too complicated, with deadlocks created during the suspend-resume sequences, which also use the same device_lock/unlock() as the bind/unbind sequences. On a CometLake device, a bad DSDT/BIOS caused spurious resumes and the use of device_lock() caused hangs during suspend. After multiple weeks or testing and painful reverse-engineering of deadlocks on different devices, we looked for alternatives that did not interfere with the device core. A bus notifier was used successfully to keep track of DRIVER_BOUND and DRIVER_UNBIND events. This solved the bind-unbind-bind case in tests, but it can still be defeated with a theoretical corner case where the memory is freed by a .remove while the callback is in use. The notifier only helps make sure the driver callbacks are valid, but not that the memory allocated in probe remains valid while the callbacks are invoked. This patch suggests the introduction of a new 'sdw_dev_lock' mutex protecting probe/remove and all driver callbacks. Since this mutex is 'local' to SoundWire only, it does not interfere with existing locks and does not create deadlocks. In addition, this patch removes the 'probe_complete' completion, instead we directly invoke the 'update_status' from the probe routine. That removes any sort of timing dependency and a much better support for the device/driver model, the driver could be bound before the bus started, or eons after the bus started and the hardware would be properly initialized in all cases. BugLink: https://github.com/thesofproject/linux/issues/3531 Fixes: 56d4fe31af77 ("soundwire: Add MIPI DisCo property helpers") Fixes: 528be501b7d4a ("soundwire: sdw_slave: add probe_complete structure and new fields") Signed-off-by: Pierre-Louis Bossart Reviewed-by: Rander Wang Reviewed-by: Ranjani Sridharan Reviewed-by: Bard Liao Reviewed-by: Péter Ujfalusi Link: https://lore.kernel.org/r/20220621225641.221170-2-pierre-louis.bossart@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 70ae9224e83b1c734290eb7239785aded899d248 Author: Pierre-Louis Bossart Date: Fri Jun 10 09:51:05 2022 +0800 soundwire: bus_type: fix remove and shutdown support [ Upstream commit df6407782964dc7e35ad84230abb38f46314b245 ] The bus sdw_drv_remove() and sdw_drv_shutdown() helpers are used conditionally, if the driver provides these routines. These helpers already test if the driver provides a .remove or .shutdown callback, so there's no harm in invoking the sdw_drv_remove() and sdw_drv_shutdown() unconditionally. In addition, the current code is imbalanced with dev_pm_domain_attach() called from sdw_drv_probe(), but dev_pm_domain_detach() called from sdw_drv_remove() only if the driver provides a .remove callback. Fixes: 9251345dca24b ("soundwire: Add SoundWire bus type") Signed-off-by: Pierre-Louis Bossart Reviewed-by: Rander Wang Signed-off-by: Bard Liao Link: https://lore.kernel.org/r/20220610015105.25987-1-yung-chuan.liao@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit ccf4269bddbe8d120d0c5492c141f9e009e076ee Author: Serge Semin Date: Fri Jun 24 17:34:16 2022 +0300 PCI: dwc: Always enable CDM check if "snps,enable-cdm-check" exists [ Upstream commit ec7b952f453ce7eabe7e1bea584626934d44f668 ] If the "snps,enable-cdm-check" property exists, we should enable the CDM check. But previously dw_pcie_setup() could exit before doing so if the "num-lanes" property was absent or invalid. Move the CDM enable earlier so we do it regardless of whether "num-lanes" is present. [bhelgaas: commit log] Fixes: 07f123def73e ("PCI: dwc: Add support to enable CDM register check") Link: https://lore.kernel.org/r/20220624143428.8334-7-Sergey.Semin@baikalelectronics.ru Signed-off-by: Serge Semin Signed-off-by: Bjorn Helgaas Reviewed-by: Vidya Sagar Reviewed-by: Rob Herring Reviewed-by: Manivannan Sadhasivam Signed-off-by: Sasha Levin commit 3b453f5d06d1f1d6b20a75ea51dc7b53ae78f479 Author: Serge Semin Date: Fri Jun 24 17:34:15 2022 +0300 PCI: dwc: Deallocate EPC memory on dw_pcie_ep_init() errors [ Upstream commit 8161e9626b50892eaedbd8070ecb1586ecedb109 ] If dw_pcie_ep_init() fails to perform any action after the EPC memory is initialized and the MSI memory region is allocated, the latter parts won't be undone thus causing a memory leak. Add a cleanup-on-error path to fix these leaks. [bhelgaas: commit log] Fixes: 2fd0c9d966cc ("PCI: designware-ep: Pre-allocate memory for MSI in dw_pcie_ep_init") Link: https://lore.kernel.org/r/20220624143428.8334-6-Sergey.Semin@baikalelectronics.ru Tested-by: Manivannan Sadhasivam Signed-off-by: Serge Semin Signed-off-by: Bjorn Helgaas Reviewed-by: Rob Herring Reviewed-by: Manivannan Sadhasivam Signed-off-by: Sasha Levin commit d71475e422e7347467e855028842e1920c594840 Author: Serge Semin Date: Fri Jun 24 17:34:14 2022 +0300 PCI: dwc: Set INCREASE_REGION_SIZE flag based on limit address [ Upstream commit 777e7c3ab73036105e6fc4a67ed950179dbffbab ] We program the 64-bit ATU limit address (in PCIE_ATU_LIMIT/ PCIE_ATU_UPPER_LIMIT or PCIE_ATU_UNR_LOWER_LIMIT/PCIE_ATU_UNR_UPPER_LIMIT), but in addition, the PCIE_ATU_INCREASE_REGION_SIZE bit must be set if the upper 32 bits of the limit address differ from the upper 32 bits of the base address (see [1,2]). 5b4cf0f65324 ("PCI: dwc: Add upper limit address for outbound iATU") set PCIE_ATU_INCREASE_REGION_SIZE, but only when the *size* was greater than 4GB. It did not set it when a smaller region crossed a 4GB boundary, e.g., [mem 0x0_f0000000-0x1_0fffffff]. Set PCIE_ATU_INCREASE_REGION_SIZE whenever PCIE_ATU_UPPER_LIMIT is greater than PCIE_ATU_UPPER_BASE. [1] DesignWare Cores PCI Express Controller Databook - DWC PCIe Root Port, v5.40a, March 2019, fig.3-36, p.175 [2] DesignWare Cores PCI Express Controller Databook - DWC PCIe Root Port, v5.40a, March 2019, fig.3-37, p.176 [bhelgaas: commit log] Fixes: 5b4cf0f65324 ("PCI: dwc: Add upper limit address for outbound iATU") Link: https://lore.kernel.org/r/20220624143428.8334-5-Sergey.Semin@baikalelectronics.ru Tested-by: Manivannan Sadhasivam Signed-off-by: Serge Semin Signed-off-by: Bjorn Helgaas Reviewed-by: Manivannan Sadhasivam Reviewed-by: Rob Herring Signed-off-by: Sasha Levin commit 36dbdb257b3f52b6943db01c7842626adb2317a3 Author: Serge Semin Date: Fri Jun 24 17:34:13 2022 +0300 PCI: dwc: Disable outbound windows only for controllers using iATU [ Upstream commit d60a2e281e9de2b2f67343b2e39417ca0f4fd54e ] Some DWC-based controllers (e.g., pcie-al.c and pci-keystone.c, identified by the fact that they override the default dw_child_pcie_ops) use their own address translation approach instead of the DWC internal ATU (iATU). For those controllers, skip disabling the iATU outbound windows. [bhelgaas: commit log, update multiple window comment] Fixes: 458ad06c4cdd ("PCI: dwc: Ensure all outbound ATU windows are reset") Link: https://lore.kernel.org/r/20220624143428.8334-4-Sergey.Semin@baikalelectronics.ru Tested-by: Manivannan Sadhasivam Signed-off-by: Serge Semin Signed-off-by: Bjorn Helgaas Reviewed-by: Manivannan Sadhasivam Reviewed-by: Rob Herring Signed-off-by: Sasha Levin commit e711668aae0f668d2344385514a9cd3315254de4 Author: Serge Semin Date: Fri Jun 24 17:34:12 2022 +0300 PCI: dwc: Add unroll iATU space support to dw_pcie_disable_atu() [ Upstream commit d1cf738f2b65a5640234e1da90a68d3523fbed83 ] dw_pcie_disable_atu() was introduced by f8aed6ec624f ("PCI: dwc: designware: Add EP mode support") and supported only the viewport version of the iATU CSRs. DW PCIe IP cores v4.80a and newer also support unrolled iATU/eDMA space. Callers of dw_pcie_disable_atu(), including pci_epc_ops.clear_bar(), pci_epc_ops.unmap_addr(), and dw_pcie_setup_rc(), don't work correctly when it is enabled. Add dw_pcie_disable_atu() support for controllers with unrolled iATU CSRs enabled. [bhelgaas: commit log] Fixes: f8aed6ec624f ("PCI: dwc: designware: Add EP mode support") Link: https://lore.kernel.org/r/20220624143428.8334-3-Sergey.Semin@baikalelectronics.ru Tested-by: Manivannan Sadhasivam Signed-off-by: Serge Semin Signed-off-by: Bjorn Helgaas Reviewed-by: Manivannan Sadhasivam Reviewed-by: Rob Herring Signed-off-by: Sasha Levin commit 8b3d4d24fc8616dd62279fdeb7390477961a2085 Author: Serge Semin Date: Fri Jun 24 17:34:11 2022 +0300 PCI: dwc: Stop link on host_init errors and de-initialization [ Upstream commit 113fa857b74c947137d845e7e635afcf6a59c43a ] It's logically correct to undo everything that was done when an error is discovered or in the corresponding cleanup counterpart. Otherwise the host controller will be left in an undetermined state. Since the link is set up in the host_init method, deactivate it there in the cleanup-on-error block and stop the link in the antagonistic routine - dw_pcie_host_deinit(). Link deactivation is platform-specific and should be implemented in dw_pcie_ops.stop_link(). Fixes: 886a9c134755 ("PCI: dwc: Move link handling into common code") Link: https://lore.kernel.org/r/20220624143428.8334-2-Sergey.Semin@baikalelectronics.ru Tested-by: Manivannan Sadhasivam Signed-off-by: Serge Semin Signed-off-by: Bjorn Helgaas Reviewed-by: Manivannan Sadhasivam Reviewed-by: Rob Herring Signed-off-by: Sasha Levin commit 14b1f65f2f3ca4570da273e8794f17b67854ed0b Author: Peter Geis Date: Tue Jun 21 20:31:40 2022 -0400 phy: rockchip-inno-usb2: Sync initial otg state [ Upstream commit 8dc60f8da22fdbaa1fafcfb5ff6d24bc9eff56aa ] The initial otg state for the phy defaults to device mode. The actual state isn't detected until an ID IRQ fires. Fix this by syncing the ID state during initialization. Fixes: 51a9b2c03dd3 ("phy: rockchip-inno-usb2: Handle ID IRQ") Signed-off-by: Peter Geis Reviewed-by: Samuel Holland Link: https://lore.kernel.org/r/20220622003140.30365-1-pgwipeout@gmail.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit c49616d1f9cf33ed0162dbc0c63e4d0f16e515f5 Author: Andy Shevchenko Date: Mon Jun 13 19:08:48 2022 +0300 phy: ti: tusb1210: Don't check for write errors when powering on [ Upstream commit d4a0a189b72a7c98e4256292b18b67c69fbc9343 ] On some platforms, like Intel Merrifield, the writing values during power on may timeout: tusb1210 dwc3.0.auto.ulpi: error -110 writing val 0x41 to reg 0x80 phy phy-dwc3.0.auto.ulpi.0: phy poweron failed --> -110 dwc3 dwc3.0.auto: error -ETIMEDOUT: failed to initialize core dwc3: probe of dwc3.0.auto failed with error -110 which effectively fails the probe of the USB controller. Drop the check as it was before the culprit commit (see Fixes tag). Fixes: 09a3512681b3 ("phy: ti: tusb1210: Improve ulpi_read()/_write() error checking") Signed-off-by: Andy Shevchenko Acked-by: Hans de Goede Tested-by: Ferry Toth Link: https://lore.kernel.org/r/20220613160848.82746-1-andriy.shevchenko@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit d1b5113674c3e95bb53c601ce2ea4719e851c74d Author: Tianyu Li Date: Wed Jun 1 17:32:11 2022 +0800 mm/mempolicy: fix get_nodes out of bound access [ Upstream commit 000eca5d044d1ee23b4ca311793cf3fc528da6c6 ] When user specified more nodes than supported, get_nodes will access nmask array out of bounds. Link: https://lkml.kernel.org/r/20220601093211.2970565-1-tianyu.li@arm.com Fixes: e130242dc351 ("mm: simplify compat numa syscalls") Signed-off-by: Tianyu Li Cc: Arnd Bergmann Cc: Mark Rutland Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 02b8b1b5a98bbc77b8b0e902090fe7b43b974784 Author: Andrey Konovalov Date: Thu Jun 9 20:18:47 2022 +0200 kasan: fix zeroing vmalloc memory with HW_TAGS [ Upstream commit 6c2f761dad7851d8088b91063ccaea3c970efe78 ] HW_TAGS KASAN skips zeroing page_alloc allocations backing vmalloc mappings via __GFP_SKIP_ZERO. Instead, these pages are zeroed via kasan_unpoison_vmalloc() by passing the KASAN_VMALLOC_INIT flag. The problem is that __kasan_unpoison_vmalloc() does not zero pages when either kasan_vmalloc_enabled() or is_vmalloc_or_module_addr() fail. Thus: 1. Change __vmalloc_node_range() to only set KASAN_VMALLOC_INIT when __GFP_SKIP_ZERO is set. 2. Change __kasan_unpoison_vmalloc() to always zero pages when the KASAN_VMALLOC_INIT flag is set. 3. Add WARN_ON() asserts to check that KASAN_VMALLOC_INIT cannot be set in other early return paths of __kasan_unpoison_vmalloc(). Also clean up the comment in __kasan_unpoison_vmalloc. Link: https://lkml.kernel.org/r/4bc503537efdc539ffc3f461c1b70162eea31cf6.1654798516.git.andreyknvl@google.com Fixes: 23689e91fb22 ("kasan, vmalloc: add vmalloc tagging for HW_TAGS") Signed-off-by: Andrey Konovalov Cc: Marco Elver Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Andrey Ryabinin Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 35530c1639815cd7848bd6c53d62cf2a40fbfeef Author: Andrey Konovalov Date: Thu Jun 9 20:18:46 2022 +0200 mm: introduce clear_highpage_kasan_tagged commit d9da8f6cf55eeca642c021912af1890002464c64 upstream. Add a clear_highpage_kasan_tagged() helper that does clear_highpage() on a page potentially tagged by KASAN. This helper is used by the following patch. Link: https://lkml.kernel.org/r/4471979b46b2c487787ddcd08b9dc5fedd1b6ffd.1654798516.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov Cc: Alexander Potapenko Cc: Andrey Ryabinin Cc: Dmitry Vyukov Cc: Marco Elver Signed-off-by: Andrew Morton Cc: Jiri Slaby Signed-off-by: Greg Kroah-Hartman commit 0a5f45aeca9f5082a676ed99d31590f695cf4285 Author: Miaohe Lin Date: Mon May 30 19:30:16 2022 +0800 mm/migration: fix potential pte_unmap on an not mapped pte [ Upstream commit ad1ac596e8a8c4b06715dfbd89853eb73c9886b2 ] __migration_entry_wait and migration_entry_wait_on_locked assume pte is always mapped from caller. But this is not the case when it's called from migration_entry_wait_huge and follow_huge_pmd. Add a hugetlbfs variant that calls hugetlb_migration_entry_wait(ptep == NULL) to fix this issue. Link: https://lkml.kernel.org/r/20220530113016.16663-5-linmiaohe@huawei.com Fixes: 30dad30922cc ("mm: migration: add migrate_entry_wait_huge()") Signed-off-by: Miaohe Lin Suggested-by: David Hildenbrand Reviewed-by: David Hildenbrand Cc: Alistair Popple Cc: Christoph Hellwig Cc: Christoph Lameter Cc: David Howells Cc: Huang Ying Cc: kernel test robot Cc: Mike Kravetz Cc: Muchun Song Cc: Oscar Salvador Cc: Peter Xu Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit b39dbd9b674b81406e2a58966838eed27404d8c9 Author: Miaohe Lin Date: Mon May 30 19:30:15 2022 +0800 mm/migration: return errno when isolate_huge_page failed [ Upstream commit 7ce82f4c3f3ead13a9d9498768e3b1a79975c4d8 ] We might fail to isolate huge page due to e.g. the page is under migration which cleared HPageMigratable. We should return errno in this case rather than always return 1 which could confuse the user, i.e. the caller might think all of the memory is migrated while the hugetlb page is left behind. We make the prototype of isolate_huge_page consistent with isolate_lru_page as suggested by Huang Ying and rename isolate_huge_page to isolate_hugetlb as suggested by Muchun to improve the readability. Link: https://lkml.kernel.org/r/20220530113016.16663-4-linmiaohe@huawei.com Fixes: e8db67eb0ded ("mm: migrate: move_pages() supports thp migration") Signed-off-by: Miaohe Lin Suggested-by: Huang Ying Reported-by: kernel test robot (build error) Cc: Alistair Popple Cc: Christoph Hellwig Cc: Christoph Lameter Cc: David Hildenbrand Cc: David Howells Cc: Mike Kravetz Cc: Muchun Song Cc: Oscar Salvador Cc: Peter Xu Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 42c3e36ee76e39d84be0da7fc91da8e35ac33bb8 Author: Yang Shi Date: Sun Jul 3 18:08:36 2022 -0700 mm: rmap: use the correct parameter name for DEFINE_PAGE_VMA_WALK [ Upstream commit 507db7927cd181d409dd495c8384b8e14c21c600 ] The parameter used by DEFINE_PAGE_VMA_WALK is _page not page, fix the parameter name. It didn't cause any build error, it is probably because the only caller is write_protect_page() from ksm.c, which pass in page. Link: https://lkml.kernel.org/r/20220512174551.81279-1-shy828301@gmail.com Fixes: 2aff7a4755be ("mm: Convert page_vma_mapped_walk to work on PFNs") Signed-off-by: Yang Shi Reviewed-by: Muchun Song Reviewed-by: Matthew Wilcox (Oracle) Cc: Muchun Song Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 4a9f35b8729c5bf13ea671c908c17ed74c48fc50 Author: Yushan Zhou Date: Thu Jun 30 16:25:12 2022 +0800 kernfs: fix potential NULL dereference in __kernfs_remove [ Upstream commit 72b5d5aef246a0387cefa23121dd90901c7a691a ] When lockdep is enabled, lockdep_assert_held_write would cause potential NULL pointer dereference. Fix the following smatch warnings: fs/kernfs/dir.c:1353 __kernfs_remove() warn: variable dereferenced before check 'kn' (see line 1346) Fixes: 393c3714081a ("kernfs: switch global kernfs_rwsem lock to per-fs lock") Signed-off-by: Yushan Zhou Link: https://lore.kernel.org/r/20220630082512.3482581-1-zys.zljxml@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a0c4d1ebfaee6af04e00b6a8d9cbfe1d26506a3e Author: Nikita Travkin Date: Sun Jun 12 19:59:53 2022 +0500 clk: qcom: clk-rcg2: Make sure to not write d=0 to the NMD register [ Upstream commit d0696770cef35a1fd16ea2167e2198c18aa6fbfe ] Sometimes calculation of d value may result in 0 because of the rounding after integer division. This causes the following error: [ 113.969689] camss_gp1_clk_src: rcg didn't update its configuration. [ 113.969754] WARNING: CPU: 3 PID: 35 at drivers/clk/qcom/clk-rcg2.c:122 update_config+0xc8/0xdc Make sure that D value is never zero. Fixes: 7f891faf596e ("clk: qcom: clk-rcg2: Add support for duty-cycle for RCG") Signed-off-by: Nikita Travkin Reviewed-by: Stephen Boyd Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220612145955.385787-3-nikita@trvn.ru Signed-off-by: Sasha Levin commit 23526845a84b3c7fa20c9cc860d3b34e1513ab14 Author: Nikita Travkin Date: Sun Jun 12 19:59:52 2022 +0500 clk: qcom: clk-rcg2: Fail Duty-Cycle configuration if MND divider is not enabled. [ Upstream commit bdafb609c3bb848d710ad9cd4debd2ee9d6a4049 ] In cases when MND is not enabled (e.g. when only Half Integer Divider is used), setting D registers makes no effect. Fail instead of making ineffective write. Fixes: 7f891faf596e ("clk: qcom: clk-rcg2: Add support for duty-cycle for RCG") Signed-off-by: Nikita Travkin Reviewed-by: Stephen Boyd Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220612145955.385787-2-nikita@trvn.ru Signed-off-by: Sasha Levin commit c29bc42790e83d41c51f50568590870f49711878 Author: Vladimir Zapolskiy Date: Fri May 20 00:41:33 2022 +0300 clk: qcom: camcc-sm8250: Fix topology around titan_top power domain [ Upstream commit f8acf01a6a4f84baf05181e24bd48def4ba23f5b ] On SM8250 two found VFE GDSC power domains shall not be operated, if titan top is turned off, thus the former power domains will be set as subdomains by a GDSC registration routine. Fixes: 5d66ca79b58c ("clk: qcom: Add camera clock controller driver for SM8250") Signed-off-by: Vladimir Zapolskiy Reviewed-by: Robert Foss Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220519214133.1728979-3-vladimir.zapolskiy@linaro.org Signed-off-by: Sasha Levin commit 5467cdf879c70493905580fe6c846202c4f7d8b5 Author: Vladimir Zapolskiy Date: Fri May 20 00:41:32 2022 +0300 clk: qcom: camcc-sdm845: Fix topology around titan_top power domain [ Upstream commit 103dd2338bbff567bce7acd00fc5a09c806b38ec ] On SDM845 two found VFE GDSC power domains shall not be operated, if titan top is turned off, thus the former power domains will be set as subdomains by a GDSC registration routine. Fixes: 78412c262004 ("clk: qcom: Add camera clock controller driver for SDM845") Signed-off-by: Vladimir Zapolskiy Reviewed-by: Robert Foss Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220519214133.1728979-2-vladimir.zapolskiy@linaro.org Signed-off-by: Sasha Levin commit a86b76f573b9d383e3cd3922d60e736d2f528fad Author: Robert Marko Date: Sun May 15 23:00:43 2022 +0200 clk: qcom: ipq8074: set BRANCH_HALT_DELAY flag for UBI clocks [ Upstream commit 2bd357e698207e2e65db03007e4be65bf9d6a7b3 ] Currently, attempting to enable the UBI clocks will cause the stuck at off warning to be printed and clk_enable will fail. [ 14.936694] gcc_ubi1_ahb_clk status stuck at 'off' Downstream 5.4 QCA kernel has fixed this by seting the BRANCH_HALT_DELAY flag on UBI clocks, so lets do the same. Fixes: 5736294aef83 ("clk: qcom: ipq8074: add NSS clocks") Signed-off-by: Robert Marko Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220515210048.483898-6-robimarko@gmail.com Signed-off-by: Sasha Levin commit 950d25e77894220d5fb256190197fb941badf1e0 Author: Robert Marko Date: Sun May 15 23:00:40 2022 +0200 clk: qcom: ipq8074: fix NSS port frequency tables [ Upstream commit 0e9e61a2815b5cd34f1b495b2d72e8127ce9b794 ] NSS port 5 and 6 frequency tables are currently broken and are causing a wide ranges of issue like 1G not working at all on port 6 or port 5 being clocked with 312 instead of 125 MHz as UNIPHY1 gets selected. So, update the frequency tables with the ones from the downstream QCA 5.4 based kernel which has already fixed this. Fixes: 7117a51ed303 ("clk: qcom: ipq8074: add NSS ethernet port clocks") Signed-off-by: Robert Marko Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220515210048.483898-3-robimarko@gmail.com Signed-off-by: Sasha Levin commit abd86837d72e054aaf5e05edf5af74fa4602a2cf Author: Robert Marko Date: Sun May 15 23:00:39 2022 +0200 clk: qcom: ipq8074: SW workaround for UBI32 PLL lock [ Upstream commit 3401ea2856ef84f39b75f0dc5ebcaeda81cb90ec ] UBI32 Huayra PLL fails to lock in 5 us in some SoC silicon and thus it will cause the wait_for_pll() to timeout and thus return the error indicating that the PLL failed to lock. This is bug in Huayra PLL HW for which SW workaround is to set bit 26 of TEST_CTL register. This is ported from the QCA 5.4 based downstream kernel. Fixes: b8e7e519625f ("clk: qcom: ipq8074: add remaining PLL’s") Signed-off-by: Robert Marko Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220515210048.483898-2-robimarko@gmail.com Signed-off-by: Sasha Levin commit 2086f388fa9e3020cecaad2c45406745265f073a Author: Robert Marko Date: Sun May 15 23:00:38 2022 +0200 clk: qcom: ipq8074: fix NSS core PLL-s [ Upstream commit ca41ec1b30434636c56c5600b24a8d964d359d9c ] Like in IPQ6018 the NSS related Alpha PLL-s require initial configuration to work. So, obtain the regmap that is required for the Alpha PLL configuration and thus utilize the qcom_cc_really_probe() as we already have the regmap. Then utilize the Alpha PLL configs from the downstream QCA 5.4 based kernel to configure them. This fixes the UBI32 and NSS crypto PLL-s failing to get enabled by the kernel. Fixes: b8e7e519625f ("clk: qcom: ipq8074: add remaining PLL’s") Signed-off-by: Robert Marko Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220515210048.483898-1-robimarko@gmail.com Signed-off-by: Sasha Levin commit 0073eda15921a3212fdf8f6f716e31a2edb7db36 Author: Bob Pearson Date: Mon May 23 17:32:52 2022 -0500 RDMA/rxe: Fix deadlock in rxe_do_local_ops() [ Upstream commit 7cb33d1bc1ac8e51fd88928f96674d392f8e07c4 ] When a local operation (invalidate mr, reg mr, bind mw) is finished there will be no ack packet coming from a responder to cause the wqe to be completed. This may happen anyway if a subsequent wqe performs IO. Currently if the wqe is signalled the completer tasklet is scheduled immediately but not otherwise. This leads to a deadlock if the next wqe has the fence bit set in send flags and the operation is not signalled. This patch removes the condition that the wqe must be signalled in order to schedule the completer tasklet which is the simplest fix for this deadlock and is fairly low cost. This is the analog for local operations of always setting the ackreq bit in all last or only request packets even if the operation is not signalled. Link: https://lore.kernel.org/r/20220523223251.15350-1-rpearsonhpe@gmail.com Reported-by: Jenny Hack Fixes: c1a411268a4b ("RDMA/rxe: Move local ops to subroutine") Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 3065415763069b3cd3f7d1277d763e77b570e12e Author: Bob Pearson Date: Mon Jun 6 09:38:34 2022 -0500 RDMA/rxe: Add a responder state for atomic reply [ Upstream commit 0ed5493e430a1d887eb62b45c75dd5d6bb2dcf48 ] Add a responder state for atomic reply similar to read reply and rename process_atomic() rxe_atomic_reply(). In preparation for merging the normal and retry atomic responder flows. Link: https://lore.kernel.org/r/20220606143836.3323-3-rpearsonhpe@gmail.com Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 1dd6ea298dc65a00b1d8542530a26c2b9c4511de Author: Sergey Shtylyov Date: Thu Jun 30 15:46:45 2022 +0300 usb: host: xhci: use snprintf() in xhci_decode_trb() [ Upstream commit 1ce69c35b86038dd11d3a6115a04501c5b89a940 ] Commit cbf286e8ef83 ("xhci: fix unsafe memory usage in xhci tracing") apparently missed one sprintf() call in xhci_decode_trb() -- replace it with the snprintf() call as well... Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. Fixes: cbf286e8ef83 ("xhci: fix unsafe memory usage in xhci tracing") Signed-off-by: Sergey Shtylyov Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20220630124645.1805902-2-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8444b1369fef7f9c3f57fa74c96a9e2dd3a5d8f0 Author: Bryan O'Donoghue Date: Wed May 4 17:38:35 2022 +0100 clk: qcom: gcc-msm8939: Point MM peripherals to system_mm_noc clock [ Upstream commit 05eed0990927aa9634682fec58660e30f7b7ae30 ] Qcom docs indciate the following peripherals operating from System NOC MM not from System NOC clocks. - MDP - VFE - JPEGe - Venus Switch over the relevant parent pointers. Fixes: 1664014e4679 ("clk: qcom: gcc-msm8939: Add MSM8939 Generic Clock Controller") Signed-off-by: Bryan O'Donoghue Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220504163835.40130-5-bryan.odonoghue@linaro.org Signed-off-by: Sasha Levin commit b410b931ff3d64cf5df52d3e3725a1840866314d Author: Bryan O'Donoghue Date: Wed May 4 17:38:34 2022 +0100 clk: qcom: gcc-msm8939: Add missing system_mm_noc_bfdcd_clk_src [ Upstream commit dd363e2f7196278e7a30f509a0e8a841cb763b14 ] The msm8939 has an additional higher operating point for the multi-media peripherals. The higher throughput MM componets operate off of the system-mm noc not the system noc. system_mm_noc_bfdcd_clk_src is the source clock for the higher frequency capable system noc mm. Maximum frequency for the MM SNOC is 400 MHz. Fixes: 1664014e4679 ("clk: qcom: gcc-msm8939: Add MSM8939 Generic Clock Controller") Signed-off-by: Bryan O'Donoghue Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220504163835.40130-4-bryan.odonoghue@linaro.org Signed-off-by: Sasha Levin commit f17eb596f9f7aaffbbbe81b99aa8f703fc5f97ca Author: Bryan O'Donoghue Date: Wed May 4 17:38:33 2022 +0100 clk: qcom: gcc-msm8939: Fix bimc_ddr_clk_src rcgr base address [ Upstream commit 63d42708320d6d2ca9ed505123d50ff4a542c36f ] Reviewing qcom docs for the 8939 we can see the command rcgr is pointing to the wrong address. bimc_ddr_clk_src_rcgr is @ 0x01832024 not 0x01832004. Fixes: 1664014e4679 ("clk: qcom: gcc-msm8939: Add MSM8939 Generic Clock Controller") Signed-off-by: Bryan O'Donoghue Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220504163835.40130-3-bryan.odonoghue@linaro.org Signed-off-by: Sasha Levin commit 8a1f5c67422dd91c5a514acb18a735168bfe8d81 Author: Bryan O'Donoghue Date: Wed May 4 17:38:32 2022 +0100 clk: qcom: gcc-msm8939: Add missing SYSTEM_MM_NOC_BFDCD_CLK_SRC [ Upstream commit 07e7fcf1714c5f9930ad27613fea940aedba68da ] When adding in the indexes for this clock-controller we missed SYSTEM_MM_NOC_BFDCD_CLK_SRC. Add it in now. Fixes: 4c71d6abc4fc ("clk: qcom: Add DT bindings for MSM8939 GCC") Cc: Rob Herring Cc: Krzysztof Kozlowski Cc: devicetree@vger.kernel.org Signed-off-by: Bryan O'Donoghue Acked-by: Krzysztof Kozlowski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220504163835.40130-2-bryan.odonoghue@linaro.org Signed-off-by: Sasha Levin commit 38b4908e767f6ae1a82ae589298da115ddd87516 Author: Neal Liu Date: Tue Jun 28 10:14:36 2022 +0800 usb: gadget: f_mass_storage: Make CD-ROM emulation works with Windows OS [ Upstream commit 3b91edd624ab1ab694deef513a45eb9e9d49d75f ] Add read TOC with format 1 to support CD-ROM emulation with Windows OS. This patch is tested on Windows OS Server 2019. Fixes: 89ada0fe669a ("usb: gadget: f_mass_storage: Make CD-ROM emulation work with Mac OS-X") Reviewed-by: Alan Stern Signed-off-by: Neal Liu Link: https://lore.kernel.org/r/20220628021436.3252262-1-neal_liu@aspeedtech.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 517ce24958f06bbcaf4e32aa664187e3feb1a135 Author: Mike Leach Date: Tue Jun 28 18:30:04 2022 +0100 coresight: syscfg: Update load and unload operations [ Upstream commit 8add26f7ef33bba7984cb6ff7911c6aa970fe55a ] The configfs system is a source of access to the config information in the configuration and feature lists. This can result in additional LOCKDEP issues as a result of the mutex ordering between the config list mutex (cscfg_mutex) and the configfs system mutexes. As such we need to adjust how load/unload operations work to ensure correct operation. 1) Previously the cscfg_mutex was held throughout the load/unload operation. This is now only held during configuration list manipulations, resulting in a multi-stage load/unload process. 2) All operations that manipulate the configfs representation of the configurations and features are now separated out and run without the cscfg_mutex being held. This avoids circular lock_dep issue with the built-in configfs mutexes and semaphores 3) As the load and unload is now multi-stage, some parts under the cscfg_mutex and others not: i) A flag indicating a load / unload operation in progress is used to serialise load / unload operations. ii) activating any configuration not possible when unload is in progress. iii) Configurations have an "available" flag set only after the last load stage for the configuration is complete. Activation of the configuration not possible till flag is set. 4) Following load/unload rules remain: i) Unload prevented while any configuration is active remains. ii) Unload in strict reverse order of load. iii) Existing configurations can be activated while a new load operation is underway. (by definition there can be no dependencies between an existing configuration and a new loading one due to ii) above.) Fixes: eb2ec49606c2 ("coresight: syscfg: Update load API for config loadable modules") Reported-by: Suzuki Poulose Signed-off-by: Mike Leach Reviewed-and-tested-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20220628173004.30002-3-mike.leach@linaro.org Signed-off-by: Mathieu Poirier Signed-off-by: Sasha Levin commit 471a84356c357190484992254bd493f8f3eb491f Author: Mike Leach Date: Tue Jun 28 18:30:03 2022 +0100 coresight: configfs: Fix unload of configurations on module exit [ Upstream commit 199380decc5f9188a9e65676031950f1734aaffe ] Any loaded configurations must be correctly unloaded on coresight module exit, or issues can arise with nested locking in the configfs directory code if built with CONFIG_LOCKDEP. Prior to this patch, the preloaded configuration configfs directory entries were being unloaded by the recursive code in configfs_unregister_subsystem(). However, when built with CONFIG_LOCKDEP, this caused a nested lock warning, which was not mitigated by the LOCKDEP dependent code in fs/configfs/dir.c designed to prevent this, due to the different directory levels for the root of the directory being removed. As the preloaded (and all other) configurations are registered after configfs_register_subsystem(), we now explicitly unload them before the call to configfs_unregister_subsystem(). The new routine cscfg_unload_cfgs_on_exit() iterates through the load owner list to unload any remaining configurations that were not unloaded by the user before the module exits. This covers both the CSCFG_OWNER_PRELOAD and CSCFG_OWNER_MODULE owner types, and will be extended to cover future load owner types for CoreSight configurations. Fixes: eb2ec49606c2 ("coresight: syscfg: Update load API for config loadable modules") Reported-by: Suzuki Poulose Signed-off-by: Mike Leach Reviewed-and-tested-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20220628173004.30002-2-mike.leach@linaro.org Signed-off-by: Mathieu Poirier Signed-off-by: Sasha Levin commit 9007c92c1b490374f5f2c7cb379c10e7ed2b3cb6 Author: Christian Marangi Date: Sat Apr 30 07:44:57 2022 +0200 clk: qcom: clk-krait: unlock spin after mux completion [ Upstream commit df83d2c9e72910416f650ade1e07cc314ff02731 ] Unlock spinlock after the mux switch is completed to prevent any corner case of mux request while the switch still needs to be done. Fixes: 4d7dc77babfe ("clk: qcom: Add support for Krait clocks") Signed-off-by: Ansuel Smith Reviewed-by: Dmitry Baryshkov Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220430054458.31321-3-ansuelsmth@gmail.com Signed-off-by: Sasha Levin commit 37f908038402c9b8325763f306a1c65d88757e15 Author: Zhang Wensheng Date: Wed Jun 22 15:43:27 2022 +0800 driver core: fix potential deadlock in __driver_attach [ Upstream commit 70fe758352cafdee72a7b13bf9db065f9613ced8 ] In __driver_attach function, There are also AA deadlock problem, like the commit b232b02bf3c2 ("driver core: fix deadlock in __device_attach"). stack like commit b232b02bf3c2 ("driver core: fix deadlock in __device_attach"). list below: In __driver_attach function, The lock holding logic is as follows: ... __driver_attach if (driver_allows_async_probing(drv)) device_lock(dev) // get lock dev async_schedule_dev(__driver_attach_async_helper, dev); // func async_schedule_node async_schedule_node_domain(func) entry = kzalloc(sizeof(struct async_entry), GFP_ATOMIC); /* when fail or work limit, sync to execute func, but __driver_attach_async_helper will get lock dev as will, which will lead to A-A deadlock. */ if (!entry || atomic_read(&entry_count) > MAX_WORK) { func; else queue_work_node(node, system_unbound_wq, &entry->work) device_unlock(dev) As above show, when it is allowed to do async probes, because of out of memory or work limit, async work is not be allowed, to do sync execute instead. it will lead to A-A deadlock because of __driver_attach_async_helper getting lock dev. Reproduce: and it can be reproduce by make the condition (if (!entry || atomic_read(&entry_count) > MAX_WORK)) untenable, like below: [ 370.785650] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 370.787154] task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00004000 [ 370.788865] Call Trace: [ 370.789374] [ 370.789841] __schedule+0x482/0x1050 [ 370.790613] schedule+0x92/0x1a0 [ 370.791290] schedule_preempt_disabled+0x2c/0x50 [ 370.792256] __mutex_lock.isra.0+0x757/0xec0 [ 370.793158] __mutex_lock_slowpath+0x1f/0x30 [ 370.794079] mutex_lock+0x50/0x60 [ 370.794795] __device_driver_lock+0x2f/0x70 [ 370.795677] ? driver_probe_device+0xd0/0xd0 [ 370.796576] __driver_attach_async_helper+0x1d/0xd0 [ 370.797318] ? driver_probe_device+0xd0/0xd0 [ 370.797957] async_schedule_node_domain+0xa5/0xc0 [ 370.798652] async_schedule_node+0x19/0x30 [ 370.799243] __driver_attach+0x246/0x290 [ 370.799828] ? driver_allows_async_probing+0xa0/0xa0 [ 370.800548] bus_for_each_dev+0x9d/0x130 [ 370.801132] driver_attach+0x22/0x30 [ 370.801666] bus_add_driver+0x290/0x340 [ 370.802246] driver_register+0x88/0x140 [ 370.802817] ? virtio_scsi_init+0x116/0x116 [ 370.803425] scsi_register_driver+0x1a/0x30 [ 370.804057] init_sd+0x184/0x226 [ 370.804533] do_one_initcall+0x71/0x3a0 [ 370.805107] kernel_init_freeable+0x39a/0x43a [ 370.805759] ? rest_init+0x150/0x150 [ 370.806283] kernel_init+0x26/0x230 [ 370.806799] ret_from_fork+0x1f/0x30 To fix the deadlock, move the async_schedule_dev outside device_lock, as we can see, in async_schedule_node_domain, the parameter of queue_work_node is system_unbound_wq, so it can accept concurrent operations. which will also not change the code logic, and will not lead to deadlock. Fixes: ef0ff68351be ("driver core: Probe devices asynchronously instead of the driver") Signed-off-by: Zhang Wensheng Link: https://lore.kernel.org/r/20220622074327.497102-1-zhangwensheng5@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c4eb8f43965b729886229551445a493c4b06e211 Author: Christophe JAILLET Date: Wed Jun 15 07:33:44 2022 +0200 misc: rtsx: Fix an error handling path in rtsx_pci_probe() [ Upstream commit 44fd1917314e9d4f53dd95dd65df1c152f503d3a ] If an error occurs after a successful idr_alloc() call, the corresponding resource must be released with idr_remove() as already done in the .remove function. Update the error handling path to add the missing idr_remove() call. Fixes: ada8a8a13b13 ("mfd: Add realtek pcie card reader driver") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/e8dc41716cbf52fb37a12e70d8972848e69df6d6.1655271216.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 18a32f18062bc9bdb39e546f896eff85c30d8aa9 Author: Vladimir Zapolskiy Date: Wed May 18 13:35:54 2022 +0300 clk: qcom: camcc-sm8250: Fix halt on boot by reducing driver's init level [ Upstream commit c4f40351901a10cd662ac2c081396d8fb04f584d ] Access to I/O of SM8250 camera clock controller IP depends on enabled GCC_CAMERA_AHB_CLK clock supplied by global clock controller, the latter one is inited on subsys level, so, to satisfy the dependency, it would make sense to deprive the init level of camcc-sm8250 driver. If both drivers are compiled as built-in, there is a change that a board won't boot up due to a race, which happens on the same init level. Fixes: 5d66ca79b58c ("clk: qcom: Add camera clock controller driver for SM8250") Signed-off-by: Vladimir Zapolskiy Reviewed-by: Bryan O'Donoghue Tested-by: Bryan O'Donoghue Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220518103554.949511-1-vladimir.zapolskiy@linaro.org Signed-off-by: Sasha Levin commit 864548b1ccdfeda5d9e675901de55648383166c6 Author: Mark Brown Date: Mon Jun 20 16:23:13 2022 +0100 mtd: dataflash: Add SPI ID table [ Upstream commit ac4f83482afbfd927d0fe118151b747cf175e724 ] Currently autoloading for SPI devices does not use the DT ID table, it uses SPI modalises. Supporting OF modalises is going to be difficult if not impractical, an attempt was made but has been reverted, so ensure that module autoloading works for this driver by adding an id_table listing the SPI IDs for everything. Fixes: 96c8395e2166 ("spi: Revert modalias changes") Signed-off-by: Mark Brown Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220620152313.708768-1-broonie@kernel.org Signed-off-by: Sasha Levin commit 219f5478099cefc92e0f3dcea213b81b2de70e51 Author: Geert Uytterhoeven Date: Fri Jun 17 11:26:51 2022 +0200 mtd: hyperbus: rpc-if: Fix RPM imbalance in probe error path [ Upstream commit c223a38d62e57aa60a890ea7247e3c58a54478e6 ] If rpcif_hw_init() fails, Runtime PM is left enabled. Fixes: b04cc0d912eb80d3 ("memory: renesas-rpc-if: Add support for RZ/G2L") Signed-off-by: Geert Uytterhoeven Reviewed-by: Wolfram Sang Reviewed-by: Lad Prabhakar Reviewed-by: Sergey Shtylyov Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/f3070e1af480cb252ae183d479a593dbbf947685.1655457790.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 43bfa481072d5261584a1d9f69a87196d5b4b6e3 Author: Ben Gardon Date: Mon Jun 13 21:25:20 2022 +0000 KVM: x86: Fix errant brace in KVM capability handling [ Upstream commit 1c4dc57328bf218e999951824dce75c6125c4f3c ] The braces around the KVM_CAP_XSAVE2 block also surround the KVM_CAP_PMU_CAPABILITY block, likely the result of a merge issue. Simply move the curly brace back to where it belongs. Fixes: ba7bb663f5547 ("KVM: x86: Provide per VM capability for disabling PMU virtualization") Reviewed-by: David Matlack Reviewed-by: Peter Xu Signed-off-by: Ben Gardon Message-Id: <20220613212523.3436117-8-bgardon@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 82f7fac052c396974151aa96359c695073db821b Author: Serge Semin Date: Tue May 24 10:21:57 2022 -0500 dmaengine: dw-edma: Fix eDMA Rd/Wr-channels and DMA-direction semantics [ Upstream commit c1e33979171da63cf47e56243ccb8ba82363c7d3 ] In accordance with [1, 2] the DW eDMA controller has been created to be part of the DW PCIe Root Port and DW PCIe End-point controllers and to offload the transferring of large blocks of data between application and remote PCIe domains leaving the system CPU free for other tasks. In the first case (eDMA being part of DW PCIe Root Port) the eDMA controller is always accessible via the CPU DBI interface and never over the PCIe wire. The latter case is more complex. Depending on the DW PCIe End-Point IP-core synthesize parameters it's possible to have the eDMA registers accessible not only from the application CPU side, but also via mapping the eDMA CSRs over a dedicated endpoint BAR. So based on the specifics denoted above the eDMA driver is supposed to support two types of the DMA controller setups: 1) eDMA embedded into the DW PCIe Root Port/End-point and accessible over the local CPU from the application side. 2) eDMA embedded into the DW PCIe End-point and accessible via the PCIe wire with MWr/MRd TLPs generated by the CPU PCIe host controller. Since the CPU memory resides different sides in these cases the semantics of the MEM_TO_DEV and DEV_TO_MEM operations is flipped with respect to the Tx and Rx DMA channels. So MEM_TO_DEV/DEV_TO_MEM corresponds to the Tx/Rx channels in setup 1) and to the Rx/Tx channels in case of setup 2). The DW eDMA driver has supported the case 2) since e63d79d1ffcd ("dmaengine: Add Synopsys eDMA IP core driver") in the framework of the drivers/dma/dw-edma/dw-edma-pcie.c driver. The case 1) support was added later by bd96f1b2f43a ("dmaengine: dw-edma: support local dma device transfer semantics"). Afterwards the driver was supposed to cover the both possible eDMA setups, but the latter commit turned out to be not fully correct. The problem was that the commit together with the new functionality support also changed the channel direction semantics so the eDMA Read-channel (corresponding to the DMA_DEV_TO_MEM direction for case 1) now uses the sgl/cyclic base addresses as the Source addresses of the DMA transfers and dma_slave_config.dst_addr as the Destination address of the DMA transfers. Similarly the eDMA Write-channel (corresponding to the DMA_MEM_TO_DEV direction for case 1) now uses dma_slave_config.src_addr as a source address of the DMA transfers and sgl/cyclic base address as the Destination address of the DMA transfers. This contradicts the logic of the DMA-interface, which implies that DEV side is supposed to belong to the PCIe device memory and MEM - to the CPU/Application memory. Indeed it seems irrational to have the SG-list defined in the PCIe bus space, while expecting a contiguous buffer allocated in the CPU memory. Moreover the passed SG-list and cyclic DMA buffers are supposed to be mapped in a way so to be seen by the DW eDMA Application (CPU) interface. So in order to have the correct DW eDMA interface we need to invert the eDMA Rd/Wr-channels and DMA-slave directions semantics by selecting the src/dst addresses based on the DMA transfer direction instead of using the channel direction capability. [1] DesignWare Cores PCI Express Controller Databook - DWC PCIe Root Port, v.5.40a, March 2019, p.1092 [2] DesignWare Cores PCI Express Controller Databook - DWC PCIe Endpoint, v.5.40a, March 2019, p.1189 Co-developed-by: Manivannan Sadhasivam Fixes: bd96f1b2f43a ("dmaengine: dw-edma: support local dma device transfer semantics") Link: https://lore.kernel.org/r/20220524152159.2370739-7-Frank.Li@nxp.com Tested-by: Manivannan Sadhasivam Signed-off-by: Manivannan Sadhasivam Signed-off-by: Serge Semin Signed-off-by: Frank Li Signed-off-by: Bjorn Helgaas Acked-By: Vinod Koul Signed-off-by: Sasha Levin commit 984be156c3b51f0da8598dba4926ee0e027ee268 Author: Mike Christie Date: Thu Jun 16 17:27:38 2022 -0500 scsi: iscsi: Fix session removal on shutdown [ Upstream commit 31500e902759322ba3c64b60dabae2704e738df8 ] When the system is shutting down, iscsid is not running so we will not get a response to the ISCSI_ERR_INVALID_HOST error event. The system shutdown will then hang waiting on userspace to remove the session. This has libiscsi force the destruction of the session from the kernel when iscsi_host_remove() is called from a driver's shutdown callout. This fixes a regression added in qedi boot with commit d1f2ce77638d ("scsi: qedi: Fix host removal with running sessions") which made qedi use the common session removal function that waits on userspace instead of rolling its own kernel based removal. Link: https://lore.kernel.org/r/20220616222738.5722-7-michael.christie@oracle.com Fixes: d1f2ce77638d ("scsi: qedi: Fix host removal with running sessions") Tested-by: Nilesh Javali Reviewed-by: Lee Duncan Reviewed-by: Nilesh Javali Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 9bb43a58d195d47579692211c65bb116b2a7c6f4 Author: Mike Christie Date: Thu Jun 16 17:27:36 2022 -0500 scsi: iscsi: Add helper to remove a session from the kernel [ Upstream commit bb42856bfd54fda1cbc7c470fcf5db1596938f4f ] During qedi shutdown we need to stop the iSCSI layer from sending new nops as pings and from responding to target ones and make sure there is no running connection cleanups. Commit d1f2ce77638d ("scsi: qedi: Fix host removal with running sessions") converted the driver to use the libicsi helper to drive session removal, so the above issues could be handled. The problem is that during system shutdown iscsid will not be running so when we try to remove the root session we will hang waiting for userspace to reply. Add a helper that will drive the destruction of sessions like these during system shutdown. Link: https://lore.kernel.org/r/20220616222738.5722-5-michael.christie@oracle.com Tested-by: Nilesh Javali Reviewed-by: Nilesh Javali Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 0ccf5a803820ee5516b706a4a8fe8aefc2e6679a Author: Mike Christie Date: Thu Jun 16 17:27:34 2022 -0500 scsi: iscsi: Allow iscsi_if_stop_conn() to be called from kernel [ Upstream commit 3328333b47f4163504267440ec0a36087a407a5f ] iscsi_if_stop_conn() is only called from the userspace interface but in a subsequent commit we will want to call it from the kernel interface to allow drivers like qedi to remove sessions from inside the kernel during shutdown. This removes the iscsi_uevent code from iscsi_if_stop_conn() so we can call it in a new helper. Link: https://lore.kernel.org/r/20220616222738.5722-3-michael.christie@oracle.com Tested-by: Nilesh Javali Reviewed-by: Nilesh Javali Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit c8e8b8b9f23a0c68855ecfc756b96be6c9946ec1 Author: Duoming Zhou Date: Tue Jun 7 11:26:26 2022 +0800 mwifiex: fix sleep in atomic context bugs caused by dev_coredumpv [ Upstream commit a52ed4866d2b90dd5e4ae9dabd453f3ed8fa3cbc ] There are sleep in atomic context bugs when uploading device dump data in mwifiex. The root cause is that dev_coredumpv could not be used in atomic contexts, because it calls dev_set_name which include operations that may sleep. The call tree shows execution paths that could lead to bugs: (Interrupt context) fw_dump_timer_fn mwifiex_upload_device_dump dev_coredumpv(..., GFP_KERNEL) dev_coredumpm() kzalloc(sizeof(*devcd), gfp); //may sleep dev_set_name kobject_set_name_vargs kvasprintf_const(GFP_KERNEL, ...); //may sleep kstrdup(s, GFP_KERNEL); //may sleep The corresponding fail log is shown below: [ 135.275938] usb 1-1: == mwifiex dump information to /sys/class/devcoredump start [ 135.281029] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:265 ... [ 135.293613] Call Trace: [ 135.293613] [ 135.293613] dump_stack_lvl+0x57/0x7d [ 135.293613] __might_resched.cold+0x138/0x173 [ 135.293613] ? dev_coredumpm+0xca/0x2e0 [ 135.293613] kmem_cache_alloc_trace+0x189/0x1f0 [ 135.293613] ? devcd_match_failing+0x30/0x30 [ 135.293613] dev_coredumpm+0xca/0x2e0 [ 135.293613] ? devcd_freev+0x10/0x10 [ 135.293613] dev_coredumpv+0x1c/0x20 [ 135.293613] ? devcd_match_failing+0x30/0x30 [ 135.293613] mwifiex_upload_device_dump+0x65/0xb0 [ 135.293613] ? mwifiex_dnld_fw+0x1b0/0x1b0 [ 135.293613] call_timer_fn+0x122/0x3d0 [ 135.293613] ? msleep_interruptible+0xb0/0xb0 [ 135.293613] ? lock_downgrade+0x3c0/0x3c0 [ 135.293613] ? __next_timer_interrupt+0x13c/0x160 [ 135.293613] ? lockdep_hardirqs_on_prepare+0xe/0x220 [ 135.293613] ? mwifiex_dnld_fw+0x1b0/0x1b0 [ 135.293613] __run_timers.part.0+0x3f8/0x540 [ 135.293613] ? call_timer_fn+0x3d0/0x3d0 [ 135.293613] ? arch_restore_msi_irqs+0x10/0x10 [ 135.293613] ? lapic_next_event+0x31/0x40 [ 135.293613] run_timer_softirq+0x4f/0xb0 [ 135.293613] __do_softirq+0x1c2/0x651 ... [ 135.293613] RIP: 0010:default_idle+0xb/0x10 [ 135.293613] RSP: 0018:ffff888006317e68 EFLAGS: 00000246 [ 135.293613] RAX: ffffffff82ad8d10 RBX: ffff888006301cc0 RCX: ffffffff82ac90e1 [ 135.293613] RDX: ffffed100d9ff1b4 RSI: ffffffff831ad140 RDI: ffffffff82ad8f20 [ 135.293613] RBP: 0000000000000003 R08: 0000000000000000 R09: ffff88806cff8d9b [ 135.293613] R10: ffffed100d9ff1b3 R11: 0000000000000001 R12: ffffffff84593410 [ 135.293613] R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff11000c62fd2 ... [ 135.389205] usb 1-1: == mwifiex dump information to /sys/class/devcoredump end This patch uses delayed work to replace timer and moves the operations that may sleep into a delayed work in order to mitigate bugs, it was tested on Marvell 88W8801 chip whose port is usb and the firmware is usb8801_uapsta.bin. The following is the result after using delayed work to replace timer. [ 134.936453] usb 1-1: == mwifiex dump information to /sys/class/devcoredump start [ 135.043344] usb 1-1: == mwifiex dump information to /sys/class/devcoredump end As we can see, there is no bug now. Fixes: f5ecd02a8b20 ("mwifiex: device dump support for usb interface") Reviewed-by: Brian Norris Signed-off-by: Duoming Zhou Link: https://lore.kernel.org/r/b63b77fc84ed3e8a6bef02378e17c7c71a0bc3be.1654569290.git.duoming@zju.edu.cn Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e6a4d422002bf46bca0ae350782e03da5fd28188 Author: Duoming Zhou Date: Tue Jun 7 11:26:25 2022 +0800 devcoredump: remove the useless gfp_t parameter in dev_coredumpv and dev_coredumpm [ Upstream commit 77515ebaf01920e2db49e04672ef669a7c2907f2 ] The dev_coredumpv() and dev_coredumpm() could not be used in atomic context, because they call kvasprintf_const() and kstrdup() with GFP_KERNEL parameter. The process is shown below: dev_coredumpv(.., gfp_t gfp) dev_coredumpm(.., gfp_t gfp) dev_set_name kobject_set_name_vargs kvasprintf_const(GFP_KERNEL, ...); //may sleep kstrdup(s, GFP_KERNEL); //may sleep This patch removes gfp_t parameter of dev_coredumpv() and dev_coredumpm() and changes the gfp_t parameter of kzalloc() in dev_coredumpm() to GFP_KERNEL in order to show they could not be used in atomic context. Fixes: 833c95456a70 ("device coredump: add new device coredump class") Reviewed-by: Brian Norris Reviewed-by: Johannes Berg Signed-off-by: Duoming Zhou Link: https://lore.kernel.org/r/df72af3b1862bac7d8e793d1f3931857d3779dfd.1654569290.git.duoming@zju.edu.cn Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2b1a324933bdda27b00c877d3cd3a6bac3a01440 Author: Sean Christopherson Date: Tue Apr 19 11:35:28 2022 -0700 KVM: selftests: Use vm_create_with_vcpus() in max_guest_memory_test [ Upstream commit 3468fd7d883110e481dfb8c8c7b802dc252ab186 ] Use vm_create_with_vcpus() in max_guest_memory_test and reference vCPUs by their 'struct kvm_vcpu' object instead of their ID. Signed-off-by: Sean Christopherson Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 5bb7f541d07dc63131519ae13a3bdee022ab054e Author: Sean Christopherson Date: Wed Feb 16 12:40:18 2022 -0800 KVM: selftests: Convert s390x/diag318_test_handler away from VCPU_ID [ Upstream commit 7cdcdfe50d8d68b7b9ba2e1b0345ff47fdda390f ] Convert diag318_test_handler to use vm_create_with_vcpus() and pass around a 'struct kvm_vcpu' object instead of passing around vCPU IDs. Note, this is a "functional" change in the sense that the test now creates a vCPU with vcpu_id==0 instead of vcpu_id==6. The non-zero VCPU_ID was 100% arbitrary and added little to no validation coverage. If testing non-zero vCPU IDs is desirable for generic tests, that can be done in the future by tweaking the VM creation helpers. Signed-off-by: Sean Christopherson Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit d225591d016bf1dc544d7f1d69bd336c21836cc7 Author: Sean Christopherson Date: Fri Apr 29 01:04:09 2022 +0000 KVM: Don't set Accessed/Dirty bits for ZERO_PAGE [ Upstream commit a1040b0d42acf69bb4f6dbdc54c2dcd78eea1de5 ] Don't set Accessed/Dirty bits for a struct page with PG_reserved set, i.e. don't set A/D bits for the ZERO_PAGE. The ZERO_PAGE (or pages depending on the architecture) should obviously never be written, and similarly there's no point in marking it accessed as the page will never be swapped out or reclaimed. The comment in page-flags.h is quite clear that PG_reserved pages should be managed only by their owner, and strictly following that mandate also simplifies KVM's logic. Fixes: 7df003c85218 ("KVM: fix overflow of zero page refcount with ksm running") Signed-off-by: Sean Christopherson Message-Id: <20220429010416.2788472-4-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit e4aed16c42adabdf9743933eb3b4d30b6a8f3434 Author: Miaohe Lin Date: Thu Jun 9 20:13:05 2022 +0800 mm/memremap: fix memunmap_pages() race with get_dev_pagemap() [ Upstream commit 1e57ffb6e3fd9583268c6462c4e3853575b21701 ] Think about the below scene: CPU1 CPU2 memunmap_pages percpu_ref_exit __percpu_ref_exit free_percpu(percpu_count); /* percpu_count is freed here! */ get_dev_pagemap xa_load(&pgmap_array, PHYS_PFN(phys)) /* pgmap still in the pgmap_array */ percpu_ref_tryget_live(&pgmap->ref) if __ref_is_percpu /* __PERCPU_REF_ATOMIC_DEAD not set yet */ this_cpu_inc(*percpu_count) /* access freed percpu_count here! */ ref->percpu_count_ptr = __PERCPU_REF_ATOMIC_DEAD; /* too late... */ pageunmap_range To fix the issue, do percpu_ref_exit() after pgmap_array is emptied. So we won't do percpu_ref_tryget_live() against a being freed percpu_ref. Link: https://lkml.kernel.org/r/20220609121305.2508-1-linmiaohe@huawei.com Fixes: b7b3c01b1915 ("mm/memremap_pages: support multiple ranges per invocation") Signed-off-by: Miaohe Lin Cc: Dan Williams Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 7e71aafa652acbb358b157e4be867c00d3847654 Author: Miaohe Lin Date: Thu Jun 9 21:08:35 2022 +0800 lib/test_hmm: avoid accessing uninitialized pages [ Upstream commit ed913b055a74b723976f8e885a3395162a0371e6 ] If make_device_exclusive_range() fails or returns pages marked for exclusive access less than required, remaining fields of pages will left uninitialized. So dmirror_atomic_map() will access those yet uninitialized fields of pages. To fix it, do dmirror_atomic_map() iff all pages are marked for exclusive access (we will break if mapped is less than required anyway) so we won't access those uninitialized fields of pages. Link: https://lkml.kernel.org/r/20220609130835.35110-1-linmiaohe@huawei.com Fixes: b659baea7546 ("mm: selftests for exclusive device memory") Signed-off-by: Miaohe Lin Cc: Jerome Glisse Cc: Alistair Popple Cc: Jason Gunthorpe Cc: Ralph Campbell Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 6d8682d45df46bfed5f4983bd9d6e2b64c453f92 Author: Dongliang Mu Date: Thu Jun 9 15:06:56 2022 +0800 RDMA/rxe: fix xa_alloc_cycle() error return value check again [ Upstream commit 1a685940e6200e9def6e34bbaa19dd31dc5aeaf8 ] Currently rxe_alloc checks ret to indicate error, but 1 is also a valid return and just indicates that the allocation succeeded with a wrap. Fix this by modifying the check to be < 0. Link: https://lore.kernel.org/r/20220609070656.1446121-1-dzm91@hust.edu.cn Fixes: 3225717f6dfa ("RDMA/rxe: Replace red-black trees by xarrays") Signed-off-by: Dongliang Mu Reviewed-by: Bob Pearson Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 5067b776620e197f5bd54426b3d66d8f9b029777 Author: Peng Fan Date: Thu Jun 9 21:29:01 2022 +0800 clk: imx: clk-fracn-gppll: correct rdiv [ Upstream commit f300cb7fccf69ba1835b983c76d70deb818ad194 ] According to Reference Manual: 000b - Divide by 1 001b - Divide by 1 010b - Divide by 2 011b - Divide by 3 100b - Divide by 4 101b - Divide by 5 110b - Divide by 6 111b - Divide by 7 So only need increase rdiv by 1 when the register value is 0. Fixes: 1b26cb8a77a4 ("clk: imx: support fracn gppll") Signed-off-by: Peng Fan Reviewed-by: Jacky Bai Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20220609132902.3504651-7-peng.fan@oss.nxp.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit 10348c6693b106e6f2c86189a9151b13ee100294 Author: Liu Ying Date: Thu Jun 9 21:29:00 2022 +0800 clk: imx: clk-fracn-gppll: Return rate in rate table properly in ->recalc_rate() [ Upstream commit 5ebaf9f7da5bb2dc56d394eabfcbe46dc6b1ea8d ] The PLL parameters in rate table should be directly compared with those read from PLL registers instead of the cooked ones. Fixes: 1b26cb8a77a4 ("clk: imx: support fracn gppll") Cc: Abel Vesa Cc: Michael Turquette Cc: Stephen Boyd Cc: Shawn Guo Cc: Sascha Hauer Cc: Pengutronix Kernel Team Cc: Fabio Estevam Cc: NXP Linux Team Cc: Peng Fan Signed-off-by: Liu Ying Reviewed-by: Peng Fan Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20220609132902.3504651-6-peng.fan@oss.nxp.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit e0fad1a5362c51e1237f8448f3bb64f3c697f9de Author: Peng Fan Date: Thu Jun 9 21:28:59 2022 +0800 clk: imx: clk-fracn-gppll: fix mfd value [ Upstream commit 044034efbeea05f65c09d2ba15ceeab53b60e947 ] According to spec: A value of 0 is disallowed and should not be programmed in this register Fix to 1. Fixes: 1b26cb8a77a4 ("clk: imx: support fracn gppll") Signed-off-by: Peng Fan Reviewed-by: Jacky Bai Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20220609132902.3504651-5-peng.fan@oss.nxp.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit c94e191f791a51c28033ed9fe36eae7b7cd8c0de Author: Peng Fan Date: Thu Jun 9 21:28:57 2022 +0800 clk: imx93: correct nic_media parent [ Upstream commit 1e3c837a663e9a12c4afabb3279d18cb5110a8f4 ] NIC_MEDIA sources from media_axi_root, not media_apb_root. Fixes: 24defbe194b6 ("clk: imx: add i.MX93 clk") Signed-off-by: Peng Fan Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20220609132902.3504651-3-peng.fan@oss.nxp.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit bcf40bc61c2d1047b8398f9f76fac84e94f7adec Author: Haibo Chen Date: Thu Jun 9 21:28:56 2022 +0800 clk: imx93: use adc_root as the parent clock of adc1 [ Upstream commit 18d6d8fe4f24938985844d52c481b86fcce9d102 ] When debug, find after system boot up, all adc register operation will trigger system hang, this is because the internal adc ipg clock is gate off. In dts, only reference the IMX93_CLK_ADC1_GATE, which is adc1, no one touch the adc_root, so adc_root will be gate off automatically after system boot up. Fixes: 24defbe194b6 ("clk: imx: add i.MX93 clk") Signed-off-by: Haibo Chen Signed-off-by: Jacky Bai Signed-off-by: Peng Fan Reviewed-by: Peng Fan Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20220609132902.3504651-2-peng.fan@oss.nxp.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit 9e969b0b91a835a01398d81036d60a04aa000ea5 Author: Rex-BC Chen Date: Mon May 23 17:33:29 2022 +0800 clk: mediatek: reset: Fix written reset bit offset [ Upstream commit edabcf71d100fd433a0fc2d0c97057c446c33b2a ] Original assert/deassert bit is BIT(0), but it's more resonable to modify them to BIT(id % 32) which is based on id. This patch will not influence any previous driver because the reset is only used for thermal. The id (MT8183_INFRACFG_AO_THERM_SW_RST) is 0. Fixes: 64ebb57a3df6 ("clk: reset: Modify reset-controller driver") Signed-off-by: Rex-BC Chen Reviewed-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Nícolas F. R. A. Prado Tested-by: Nícolas F. R. A. Prado Link: https://lore.kernel.org/r/20220523093346.28493-3-rex-bc.chen@mediatek.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 4fe070b5d5af15301c970c525e908895822f7633 Author: Jonathan Cameron Date: Sun May 8 18:57:12 2022 +0100 iio: temp: maxim_thermocouple: Fix alignment for DMA safety [ Upstream commit 10897f34309b3c7bc14698407436c82d11c07f47 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition Fixes: 1f25ca11d84a ("iio: temperature: add support for Maxim thermocouple chips") Signed-off-by: Jonathan Cameron Cc: Matt Ranostay Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-93-jic23@kernel.org Signed-off-by: Sasha Levin commit 4f7a71a85c8e39bcd0fee3ec1d109f40f05184bd Author: Jonathan Cameron Date: Sun May 8 18:57:11 2022 +0100 iio: temp: max31865: Fix alignment for DMA safety [ Upstream commit ecdef5b8317cdf18acb46223e087f04a226fa619 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition Fixes: e112dc4e18ea ("iio: temperature: Add MAX31865 RTD Support") Signed-off-by: Jonathan Cameron Cc: Navin Sankar Velliangiri Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-92-jic23@kernel.org Signed-off-by: Sasha Levin commit 114ffd465579162368a463b70390e36057af303d Author: Jonathan Cameron Date: Sun May 8 18:57:10 2022 +0100 iio: temp: ltc2983: Fix alignment for DMA safety [ Upstream commit 732f2cb2fbb51bd5bc03a114bd102ab3b2f537fe ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: f110f3188e56 ("iio: temperature: Add support for LTC2983") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-91-jic23@kernel.org Signed-off-by: Sasha Levin commit 3af5ec85f49d86ba225fdf043a2675e2733e4735 Author: Jonathan Cameron Date: Sun May 8 18:57:09 2022 +0100 iio: resolver: ad2s90: Fix alignment for DMA safety [ Upstream commit faa05ecb1349070d874810e161b653c2220e0006 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes tag is probably not where the issue was first introduced, but is likely to be far beyond the point where anyone considers backporting this fix. Fixes: 58f08b0af857 ("staging:iio:resolver:ad2s90 general cleanup") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-90-jic23@kernel.org Signed-off-by: Sasha Levin commit c00e752df981f442af8e1e87a6f3a5d630b7ecdd Author: Jonathan Cameron Date: Sun May 8 18:57:08 2022 +0100 iio: resolver: ad2s1200: Fix alignment for DMA safety [ Upstream commit 37882314d3bdc2ae775ebb9fa8ed7a94cd1aad61 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes tag is probably not where the issue was first introduced, but is likely to be as far as anyone considers backporting this fix. Fixes: 0bd3d338f61b ("staging: iio: ad2s1200: Improve readability with be16_to_cpup") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-89-jic23@kernel.org Signed-off-by: Sasha Levin commit 59ee01f39242e76de27f935505f02122af97f386 Author: Jonathan Cameron Date: Sun May 8 18:57:06 2022 +0100 iio: proximity: as3935: Fix alignment for DMA safety [ Upstream commit 2386c0f8c5b740873a4b9126c3706601b127fe22 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 24ddb0e4bba4 ("iio: Add AS3935 lightning sensor support") Signed-off-by: Jonathan Cameron Cc: Matt Ranostay Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-87-jic23@kernel.org Signed-off-by: Sasha Levin commit 5179a573724f9612beee56056c12c44a6874bab6 Author: Jonathan Cameron Date: Sun May 8 18:57:04 2022 +0100 iio: potentiometer: mcp4131: Fix alignment for DMA safety [ Upstream commit 4842e5de6f39ebf2c0f6da9e6a0cb751c7108507 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 22d199a53910 ("iio: potentiometer: add driver for Microchip MCP413X/414X/415X/416X/423X/424X/425X/426X") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-85-jic23@kernel.org Signed-off-by: Sasha Levin commit 51143f66752745405c2fcb075808699421d7c0d4 Author: Jonathan Cameron Date: Sun May 8 18:57:03 2022 +0100 iio: potentiometer: mcp41010: Fix alignment for DMA safety [ Upstream commit c5f78f4d2168ba21324095b0d46d4353c2eace4d ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 092cb71a604e ("iio: potentiometer: Add driver for Microchip MCP41xxx/42xxx") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-84-jic23@kernel.org Signed-off-by: Sasha Levin commit 903e5ff430d678facab4fe2ed37bd2f65f194ce1 Author: Jonathan Cameron Date: Sun May 8 18:57:02 2022 +0100 iio: potentiometer: max5481: Fix alignment for DMA safety [ Upstream commit ec1ac1c0e7a14657d729159ccfbea72f434bdaf1 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: df1fd2de118e ("iio: max5481: Add support for Maxim digital potentiometers") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-83-jic23@kernel.org Signed-off-by: Sasha Levin commit b39859bf3e10ae5e04794e4e257306503db644e5 Author: Jonathan Cameron Date: Sun May 8 18:57:01 2022 +0100 iio: potentiometer: ad5272: Fix alignment for DMA safety [ Upstream commit da803652534271dbb4af0802bd678c759e27e6de ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 79e8a32d2aa9 ("iio: ad5272: Add support for Analog Devices digital potentiometers") Signed-off-by: Jonathan Cameron Reviewed-by: Phil Reid Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-82-jic23@kernel.org Signed-off-by: Sasha Levin commit 669a1aca327459fb36266d7e352c0febd2011a5a Author: Jonathan Cameron Date: Sun May 8 18:57:00 2022 +0100 iio: potentiometer: ad5110: Fix alignment for DMA safety [ Upstream commit b5841c38cb2f7e54b0787b3e0326a6b21b89ea3e ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: d03a74bfacce ("iio: potentiometer: Add driver support for AD5110") Signed-off-by: Jonathan Cameron Cc: Mugilraj Dhavachelvan Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-81-jic23@kernel.org Signed-off-by: Sasha Levin commit ad602e33470842b7ee50a87d930f16201b4c4892 Author: Jonathan Cameron Date: Sun May 8 18:56:59 2022 +0100 iio: imu: mpu6050: Fix alignment for DMA safety [ Upstream commit 54e03562bb960e78af050d2e550c28d77642ee44 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 6b0cc5dce072 ("iio:imu:inv_mpu6050 Fix dma and ts alignment and data leak issues.") Signed-off-by: Jonathan Cameron Acked-by: Jean-Baptiste Maneyrol Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-80-jic23@kernel.org Signed-off-by: Sasha Levin commit c5cf267aa73f4ebdd354849f26ca0fb582401c1d Author: Jonathan Cameron Date: Sun May 8 18:56:58 2022 +0100 iio: imu: inv_icm42600: Fix alignment for DMA safety in buffer code. [ Upstream commit b0aa05065a0c1d1bffa10923dbc36f7193babbb7 ] Second fix for this driver due to different introducing patches. ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 7f85e42a6c54 ("iio: imu: inv_icm42600: add buffer support in iio devices") Signed-off-by: Jonathan Cameron Cc: Jean-Baptiste Maneyrol Acked-by: Jean-Baptiste Maneyrol Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-79-jic23@kernel.org Signed-off-by: Sasha Levin commit bc0f8830ff2eb1332abc8b7f7b6d71e4048714db Author: Jonathan Cameron Date: Sun May 8 18:56:57 2022 +0100 iio: imu: inv_icm42600: Fix alignment for DMA safety [ Upstream commit 848847702bd10bf0bf547e38adc44c14e9742784 ] Partial fix for this driver as a second instance was introduced in a later patch. ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: a095fadb443b ("iio: imu: inv_icm42600: add gyroscope IIO device") Signed-off-by: Jonathan Cameron Acked-by: Jean-Baptiste Maneyrol Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-78-jic23@kernel.org Signed-off-by: Sasha Levin commit 750b892f6d08a390bd477378fe6162f9ab513f4f Author: Jonathan Cameron Date: Sun May 8 18:56:56 2022 +0100 iio: imu: fxos8700: Fix alignment for DMA safety [ Upstream commit c9a8417a13ed9c81383662fca8a4b89f84d31e78 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 84e5ddd5c46e ("iio: imu: Add support for the FXOS8700 IMU") Signed-off-by: Jonathan Cameron Cc: Robert Jones Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-77-jic23@kernel.org Signed-off-by: Sasha Levin commit 48f034120d1e43cf15af9e913e2656dc1bed1c65 Author: Jonathan Cameron Date: Sun May 8 18:56:55 2022 +0100 iio: gyro: fxas210002c: Fix alignment for DMA safety [ Upstream commit 3aafe923987cb4a15e16f03c6185ed4b6a78ca00 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Updated the comment to 'may' require. Fixes: a0701b6263ae ("iio: gyro: add core driver for fxas21002c") Signed-off-by: Jonathan Cameron Reviewed-by: Rui Miguel Silva Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-76-jic23@kernel.org Signed-off-by: Sasha Levin commit dd8e2a2b9f63b1121134fe28c14c8ffd6554b7c4 Author: Jonathan Cameron Date: Sun May 8 18:56:54 2022 +0100 iio: gyro: adxrs450: Fix alignment for DMA safety [ Upstream commit 966d2f4ee7f6e189df47abf67223266ad31e201f ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes tag is inaccurate but unlikely anyone will be interested in backporting beyond that point. Fixes: 53ac8500ba9b ("staging:iio:adxrs450: Move header file contents to main file") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-75-jic23@kernel.org Signed-off-by: Sasha Levin commit d10b2c4c9a77ba26a92d4d195f58904efee14d56 Author: Jonathan Cameron Date: Sun May 8 18:56:53 2022 +0100 iio: gyro: adis16130: Fix alignment for DMA safety [ Upstream commit ff3211b2ba9afac80ceb795d148831dd879b30b7 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 8e67875141b2 ("staging:iio:gyro: adis16130 cleanup, move to abi and bug fixes.") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-74-jic23@kernel.org Signed-off-by: Sasha Levin commit 3caad4fd0e3eb8b999de6918dce1c96dbe33e125 Author: Jonathan Cameron Date: Sun May 8 18:56:52 2022 +0100 iio: gyro: adis16080: Fix alignment for DMA safety [ Upstream commit ae6eeb534924ecc2afd5a394964fd6de0ca54d39 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes tag is inaccurate but unlikely anyone will backport this beyond that point so I haven't chased the history futher than 2013. Fixes: 3c80372dae17 ("staging:iio:adis16080: be16 cleanups") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-73-jic23@kernel.org Signed-off-by: Sasha Levin commit e525b311339556974710ff40cb1d241eec40889e Author: Jonathan Cameron Date: Sun May 8 18:56:51 2022 +0100 iio: frequency: adrf6780: Fix alignment for DMA safety [ Upstream commit 9a5b11884cb72780cb824cac8aab47094654a84f ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 63aaf6d06d87 ("iio: frequency: adrf6780: add support for ADRF6780") Signed-off-by: Jonathan Cameron Cc: Antoniu Miclaus Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-72-jic23@kernel.org Signed-off-by: Sasha Levin commit 40e10f398c676291f8440330ea972f447729b2cd Author: Jonathan Cameron Date: Sun May 8 18:56:50 2022 +0100 iio: frequency: admv4420: Fix alignment for DMA safety [ Upstream commit f890aaac771bd015c348eddb967b4027e88344c0 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: b59c04155901 ("iio: frequency: admv4420.c: Add support for ADMV4420") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-71-jic23@kernel.org Signed-off-by: Sasha Levin commit 99994f124d9d68d011df60380879ab4320e9adf8 Author: Jonathan Cameron Date: Sun May 8 18:56:49 2022 +0100 iio: frequency: admv1014: Fix alignment for DMA safety [ Upstream commit a3e38a557a54df0edea791d7eb623515bb86e39a ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: f4eb9ac7842f ("iio: frequency: admv1014: add support for ADMV1014") Signed-off-by: Jonathan Cameron Cc: Antoniu Miclaus Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-70-jic23@kernel.org Signed-off-by: Sasha Levin commit 817d7b7436ae273659c9257676d4699b84176e79 Author: Jonathan Cameron Date: Sun May 8 18:56:48 2022 +0100 iio: frequency: admv1013: Fix alignment for DMA safety [ Upstream commit b3f3f8d264b9be0cb3e50e89e3f8789a948a43bb ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: da35a7b526d9 ("iio: frequency: admv1013: add support for ADMV1013") Signed-off-by: Jonathan Cameron Cc: Antoniu Miclaus Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-69-jic23@kernel.org Signed-off-by: Sasha Levin commit ce119d7b52001d7d2a817f7ee89ebf7b34cd8159 Author: Jonathan Cameron Date: Sun May 8 18:56:47 2022 +0100 iio: frequency: adf4371: Fix alignment for DMA safety [ Upstream commit 0bb5675befe666eeed71ad808426cf2ec1c9a714 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 7f699bd14913 ("iio: frequency: adf4371: Add support for ADF4371 PLL") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-68-jic23@kernel.org Signed-off-by: Sasha Levin commit 0d9ce7682d9a4f5c9951e7e78fd46125a3d9cce7 Author: Jonathan Cameron Date: Sun May 8 18:56:46 2022 +0100 iio: frequency: adf4350: Fix alignment for DMA safety [ Upstream commit 389b8972eb2a614cb3189e5fa55b1b7f66142c71 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Updated help text to 'may' require buffers to be in their own cacheline. Fixes: e31166f0fd48 ("iio: frequency: New driver for Analog Devices ADF4350/ADF4351 Wideband Synthesizers") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-67-jic23@kernel.org Signed-off-by: Sasha Levin commit cc7b3068c795663b75bec8806520e6a9d117985c Author: Jonathan Cameron Date: Sun May 8 18:56:45 2022 +0100 iio: frequency: ad9523: Fix alignment for DMA safety [ Upstream commit 8ff2eb625c353b1491d9f89f1dfd52e7aef5734c ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Updated help text to 'may' require buffers to be in their own cacheline. Fixes: cd1678f96329 ("iio: frequency: New driver for AD9523 SPI Low Jitter Clock Generator") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-66-jic23@kernel.org Signed-off-by: Sasha Levin commit 33fcddee1999dad22cc7b36fdbe282ad73d9ec9b Author: Jonathan Cameron Date: Sun May 8 18:56:44 2022 +0100 iio: dac: ti-dac7612: Fix alignment for DMA safety [ Upstream commit b9ac08b3282a95fcefb057c2886028a6807725d8 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Updated help text to 'may' require buffers to be in their own cacheline. Fixes: 977724d20584 ("iio:dac:ti-dac7612: Add driver for Texas Instruments DAC7612") Signed-off-by: Jonathan Cameron Cc: Ricardo Ribalda Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-65-jic23@kernel.org Signed-off-by: Sasha Levin commit d8aa41f4d8e63ebc688f2589c25387a8728408e4 Author: Jonathan Cameron Date: Sun May 8 18:56:43 2022 +0100 iio: dac: ti-dac7311: Fix alignment for DMA safety [ Upstream commit 3637c49ed54632d7c221af718d2d7b1d381d4b6e ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 7a02ef7907d8 ("iio:dac:ti-dac7311 Add driver for Texas Instrument DAC7311") Signed-off-by: Jonathan Cameron Cc: Charles-Antoine Couret Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-64-jic23@kernel.org Signed-off-by: Sasha Levin commit 450562e3d562b050892bda17fb0c590e8b4a4b7f Author: Jonathan Cameron Date: Sun May 8 18:56:42 2022 +0100 iio: dac: ti-dac5571: Fix alignment for DMA safety [ Upstream commit 58e22371539e01c742be5c30295f591a6a17e348 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: df38a4a72a3b ("iio: dac: add TI DAC5571 family support") Signed-off-by: Jonathan Cameron Cc: Sean Nyekjaer Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-63-jic23@kernel.org Signed-off-by: Sasha Levin commit c8942b7c25d50ee3bf294f093aa86784bcdaa134 Author: Jonathan Cameron Date: Sun May 8 18:56:41 2022 +0100 iio: dac: ti-dac082s085: Fix alignment for DMA safety [ Upstream commit 03a0cc77f164e4e59b970d50c6e9a6caf06dae80 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 61011264c1af ("iio: dac: Add Texas Instruments 8/10/12-bit 2/4-channel DAC driver") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-62-jic23@kernel.org Signed-off-by: Sasha Levin commit 7aa18f077fb0730ee50bbdecaeadc2b7808a4886 Author: Jonathan Cameron Date: Sun May 8 18:56:40 2022 +0100 iio: dac: mcp4922: Fix alignment for DMA safety [ Upstream commit e66bf04797f1f95a2402414c00e64d00f63d31ec ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 1b791fadf3a1 ("iio: dac: mcp4902/mcp4912/mcp4922 dac driver") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Acked-by: Michael Welling Link: https://lore.kernel.org/r/20220508175712.647246-61-jic23@kernel.org Signed-off-by: Sasha Levin commit 21cd3bb91b1eca9886d54c7ab7e12a4209dd7aee Author: Jonathan Cameron Date: Sun May 8 18:56:39 2022 +0100 iio: dac: ltc2688: Fix alignment for DMA safety [ Upstream commit 2030708377a219b548a9a36da57d3852382baf1d ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: 832cb9eeb931 ("iio: dac: add support for ltc2688") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-60-jic23@kernel.org Signed-off-by: Sasha Levin commit 8e23928dcb35f1f2e9bddb726b69b2ade05549a5 Author: Jonathan Cameron Date: Sun May 8 18:56:38 2022 +0100 iio: dac: ad8801: Fix alignment for DMA safety [ Upstream commit 1c20292c6b60cfc60a5e652174b8063e5cc03fec ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 7f270bc9a2d9 ("iio: dac: AD8801: add Analog Devices AD8801/AD8803 support") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-59-jic23@kernel.org Signed-off-by: Sasha Levin commit 1d62ff49669f05ca633e489d4e7489ba975bd8f1 Author: Jonathan Cameron Date: Sun May 8 18:56:37 2022 +0100 iio: dac: ad7303: Fix alignment for DMA safety [ Upstream commit 69e51448ddfb9062efdf83e2d3179498e0aeb293 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: f83478240e74 ("iio:dac: Add support for the AD7303") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-58-jic23@kernel.org Signed-off-by: Sasha Levin commit 6819e3ac1aeae360d23499c07b5cd45b6b21dfdf Author: Jonathan Cameron Date: Sun May 8 18:56:36 2022 +0100 iio: dac: ad7293: Fix alignment for DMA safety [ Upstream commit 8482468b30bdb16d4a764f995d7a63d94fa0cf40 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 0bb12606c05f ("iio:dac:ad7293: add support for AD7293") Signed-off-by: Jonathan Cameron Cc: Antoniu Miclaus Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-57-jic23@kernel.org Signed-off-by: Sasha Levin commit 3b4f0dca7956172caa03330761c32bcdcec56a7e Author: Jonathan Cameron Date: Sun May 8 18:56:35 2022 +0100 iio: dac: ad5791: Fix alignment for DMA saftey [ Upstream commit b2d5e9de77c8774a5a6cff59d928f2fa38cbc642 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 791bb52a0cd2 ("iio:ad5791: Do not store transfer buffers on the stack") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-56-jic23@kernel.org Signed-off-by: Sasha Levin commit 369235dc62c402437747f9c8347b37d59aed1303 Author: Jonathan Cameron Date: Sun May 8 18:56:34 2022 +0100 iio: dac: ad5770r: Fix alignment for DMA safety [ Upstream commit 27f2261d16d01858b8e5baca5a1a515b040429c4 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: cbbb819837f6 ("iio: dac: ad5770r: Add AD5770R support") Signed-off-by: Jonathan Cameron Cc: Alexandru Tachici Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-55-jic23@kernel.org Signed-off-by: Sasha Levin commit 4d20fe3d45c1372af9ff236a5a6f7d53075f6d05 Author: Jonathan Cameron Date: Sun May 8 18:56:33 2022 +0100 iio: dac: ad5766: Fix alignment for DMA safety [ Upstream commit c32be7f035ae430ba9c142b03ceb9f935b09ed6b ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: fd9373e41b9b ("iio: dac: ad5766: add driver support for AD5766") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-54-jic23@kernel.org Signed-off-by: Sasha Levin commit 49713818d578ac378ce2979156ebdbf28474f99d Author: Jonathan Cameron Date: Sun May 8 18:56:32 2022 +0100 iio: dac: ad5764: Fix alignment for DMA safety [ Upstream commit b378722a3e9bb51318c0de7eeb4d71f2fcd6987f ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: 68b14d7ea956 ("staging:iio:dac: Add AD5764 driver") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-53-jic23@kernel.org Signed-off-by: Sasha Levin commit c0c4bb0311b47a4c26d093bbd22d08d7eebb57af Author: Jonathan Cameron Date: Sun May 8 18:56:31 2022 +0100 iio: dac: ad5761: Fix alignment for DMA safety [ Upstream commit 7d12a61187aed57863c41032acbc1fae516d6e49 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: 131497acd88a ("iio: add ad5761 DAC driver") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-52-jic23@kernel.org Signed-off-by: Sasha Levin commit 2d3a77561c42659a9f53c6c36f0d7e284854942b Author: Jonathan Cameron Date: Sun May 8 18:56:30 2022 +0100 iio: dac: ad5755: Fix alignment for DMA safety [ Upstream commit d0c167ceff2d833ee493dd58164dc87bd36e48aa ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: c499d029d805 ("iio:dac: Add ad5755 driver") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-51-jic23@kernel.org Signed-off-by: Sasha Levin commit 3a5423cc991ab9f8175352391bfb50a2069f443e Author: Jonathan Cameron Date: Sun May 8 18:56:29 2022 +0100 iio: dac: ad5686: Fix alignment for DMA safety [ Upstream commit 444e38927d9af093de7cdc6afbb7afdc3485da2d ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: 0357e488b825 ("iio:dac:ad5686: Refactor the driver") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-50-jic23@kernel.org Signed-off-by: Sasha Levin commit 9748b6c196e86d7047f168e2550ce8f277e8325a Author: Jonathan Cameron Date: Sun May 8 18:56:28 2022 +0100 iio: dac: ad5592r: Fix alignment for DMA safety [ Upstream commit 4a4a79c06caeec47003bcbee1cf3094479f26e24 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 56ca9db862bf ("iio: dac: Add support for the AD5592R/AD5593R ADCs/DACs") Signed-off-by: Jonathan Cameron Cc: Paul Cercueil Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-49-jic23@kernel.org Signed-off-by: Sasha Levin commit cee702a2792da21b88f6b7a1663f0c800f82c1f6 Author: Jonathan Cameron Date: Sun May 8 18:56:27 2022 +0100 iio: dac: ad5504: Fix alignment for DMA safety [ Upstream commit 00b9737caa5aaed5cf45a7c7498edf5957efa3b2 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 0dbe59c7a788 ("iio:ad5504: Do not store transfer buffers on the stack") Signed-off-by: Jonathan Cameron Cc: Lars-Peter Clausen Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-48-jic23@kernel.org Signed-off-by: Sasha Levin commit 2179debf1e24406ce294e2d4162e97d0e048531c Author: Jonathan Cameron Date: Sun May 8 18:56:26 2022 +0100 iio: dac: ad5449: Fix alignment for DMA safety [ Upstream commit 678d536bb454e3bbedcaa68208550ac9dc1cc066 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: 8341dc04dfb3 ("iio:dac: Add support for the ad5449") Signed-off-by: Jonathan Cameron Cc: Lars-Peter Clausen Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-47-jic23@kernel.org Signed-off-by: Sasha Levin commit a0bc019a086eec664ca4aecdb2bb1c03accb38dc Author: Jonathan Cameron Date: Sun May 8 18:56:25 2022 +0100 iio: dac: ad5421: Fix alignment for DMA safety [ Upstream commit d2b240d3d31c66df4d2da54c75ff8e27a0e006c3 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: 5691b23489db ("staging:iio:dac: Add AD5421 driver") Signed-off-by: Jonathan Cameron Cc: Lars-Peter Clausen Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-46-jic23@kernel.org Signed-off-by: Sasha Levin commit 9f7a41a64a4b638bf09ce3421ff8756d27c65323 Author: Jonathan Cameron Date: Sun May 8 18:56:24 2022 +0100 iio: dac: ad5360: Fix alignment for DMA safety [ Upstream commit 94ec314e1bd686b669c24385ce2dbc967eb74147 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: a3e2940c24d3 ("staging:iio:dac: Add AD5360 driver") Signed-off-by: Jonathan Cameron Cc: Lars-Peter Clausen Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-45-jic23@kernel.org Signed-off-by: Sasha Levin commit cec6ad48e0ad7b658e756f97c5a274772e07e47e Author: Jonathan Cameron Date: Sun May 8 18:56:23 2022 +0100 iio: dac: ad5064: Fix alignment for DMA safety [ Upstream commit 8779b88c214fa0f8fdfb9c54a124f468884d356a ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: 6a17a0768f77 ("iio:dac:ad5064: Add support for the ad5629r and ad5669r") Signed-off-by: Jonathan Cameron Cc: Lars-Peter Clausen Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-44-jic23@kernel.org Signed-off-by: Sasha Levin commit 465b1ba3c5276198a5e8a2b0ff12961dad813342 Author: Jonathan Cameron Date: Sun May 8 18:56:22 2022 +0100 iio: common: ssp: Fix alignment for DMA safety [ Upstream commit 314d2b1978bb3d20b1ec239f4e28c394da493f36 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 50dd64d57eee ("iio: common: ssp_sensors: Add sensorhub driver") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-43-jic23@kernel.org Signed-off-by: Sasha Levin commit dfa45bd7e0924771f8cf980b638dec5010debccc Author: Jonathan Cameron Date: Sun May 8 18:56:21 2022 +0100 iio: amplifiers: ad8366: Fix alignment for DMA safety [ Upstream commit 026bffa458d029a5f15ac3f82a9bb0f64aca403d ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: e71d42e03c60 ("iio: amplifiers: New driver for AD8366 Dual-Digital Variable Gain Amplifier") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-42-jic23@kernel.org Signed-off-by: Sasha Levin commit 5e6b52de1d4f53fa6aa7a95105ddeaa4f2e1e4bb Author: Jonathan Cameron Date: Sun May 8 18:56:20 2022 +0100 iio: addac: ad74413r: Fix alignment for DMA safety [ Upstream commit 00eb2b8a077062557772234019ecd6045b8b6298 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: fea251b6a5db ("iio: addac: add AD74413R driver") Signed-off-by: Jonathan Cameron Cc: Cosmin Tanislav Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-41-jic23@kernel.org Signed-off-by: Sasha Levin commit aebea06fb01cbe1307ffe3a2d8673c4f176d1a3b Author: Jonathan Cameron Date: Sun May 8 18:56:19 2022 +0100 iio: adc: ti-tlc4541: Fix alignment for DMA safety [ Upstream commit 62fa19bf484bfeb52c56b7c6d6a6b1222c597f9c ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: ac2bec9d587c ("iio: adc: tlc4541: add support for TI tlc4541 adc") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-40-jic23@kernel.org Signed-off-by: Sasha Levin commit 5e89d89ff3100117e5b929f9463627ea7b8017b8 Author: Jonathan Cameron Date: Sun May 8 18:56:18 2022 +0100 iio: adc: ti-ads8688: Fix alignment for DMA safety [ Upstream commit a2105d87eb8eb03591515df10102e04a1c9e0e46 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 3e87e7838328 ("iio: adc: Add TI ADS8688") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-39-jic23@kernel.org Signed-off-by: Sasha Levin commit 24e662ec317150071aec7cf742310b77d01bf281 Author: Jonathan Cameron Date: Sun May 8 18:56:17 2022 +0100 iio: adc: ti-ads8344: Fix alignment for DMA safety [ Upstream commit 8966b11e5a14aaabc747ee97a7942fd50a681402 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 8dd2d7c0fed7 ("iio: adc: Add driver for the TI ADS8344 A/DC chips") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-38-jic23@kernel.org Signed-off-by: Sasha Levin commit 4120691d18a94ac4645225e6620423fa6b0ea9e0 Author: Jonathan Cameron Date: Sun May 8 18:56:16 2022 +0100 iio: adc: ti-ads7950: Fix alignment for DMA safety [ Upstream commit dd54ba8b2469f6ae665c529623a9454ce5293ca8 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: 902c4b2446d4 ("iio: adc: New driver for TI ADS7950 chips") Signed-off-by: Jonathan Cameron Acked-by: David Lechner Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-37-jic23@kernel.org Signed-off-by: Sasha Levin commit 0c27b6ca864a75dbee27235d2b910c9f1d63607b Author: Jonathan Cameron Date: Sun May 8 18:56:15 2022 +0100 iio: adc: ti-ads131e08: Fix alignment for DMA safety [ Upstream commit 55afdd050c063ae4b8dbd566107a030c00d005fd ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: d935eddd2799 ("iio: adc: Add driver for Texas Instruments ADS131E0x ADC family") Signed-off-by: Jonathan Cameron Cc: Tomislav Denis Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-36-jic23@kernel.org Signed-off-by: Sasha Levin commit 6f0ef2b9d417ccaed0048cdb7ee90189a2efdc23 Author: Jonathan Cameron Date: Sun May 8 18:56:14 2022 +0100 iio: adc: ti-ads124s08: Fix alignment for DMA safety [ Upstream commit 7df19bd26cc0b85ff997cc9e2aaea712836b5460 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-35-jic23@kernel.org Signed-off-by: Sasha Levin commit 43e9bfc827e46c549e0c6a795eb002ac6b16ae57 Author: Jonathan Cameron Date: Sun May 8 18:56:13 2022 +0100 iio: adc: ti-adc161s626: Fix alignment for DMA safety [ Upstream commit 3a828f204a110dc9f253c4cf3c1103d00a0681da ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 4d671b71beef ("iio: adc: ti-adc161s626: add support for TI 1-channel differential ADCs") Signed-off-by: Jonathan Cameron Cc: Matt Ranostay Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-34-jic23@kernel.org Signed-off-by: Sasha Levin commit 117923572e4a734a0ff37e15a7fe5d8db8940ff7 Author: Jonathan Cameron Date: Sun May 8 18:56:12 2022 +0100 iio: adc: ti-adc128s052: Fix alignment for DMA safety [ Upstream commit 23c81e7a7e5204a08b553d07362d3082926663b8 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 913b86468674 ("iio: adc: Add TI ADC128S052") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-33-jic23@kernel.org Signed-off-by: Sasha Levin commit f2755ff2152b32a5c40e894c52674406fb498c23 Author: Jonathan Cameron Date: Sun May 8 18:56:11 2022 +0100 iio: adc: ti-adc12138: Fix alignment for DMA safety [ Upstream commit 76890c3bce6003caf53b283c49a210280cb8ea33 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 50a6edb1b6e0 ("iio: adc: add ADC12130/ADC12132/ADC12138 ADC driver") Signed-off-by: Jonathan Cameron Cc: Akinobu Mita Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-32-jic23@kernel.org Signed-off-by: Sasha Levin commit 98ac354ba4d6e636173d4bb55fd7fb6c600c1143 Author: Jonathan Cameron Date: Sun May 8 18:56:10 2022 +0100 iio: adc: ti-adc108s102: Fix alignment for DMA safety [ Upstream commit 6909fe17888b66ea53ebb15640f82b97daa587a0 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Dual fixes tags as two cases that were introduced in different patches. One of those patches is a fix however and likely to have been backported to stable kernels. Note the second alignment marking is likely to be unnecessary, but is left for now to keep this fix simple. Fixes: 3691e5a69449 ("iio: adc: add driver for the ti-adc084s021 chip") Fixes: cbe5c6977604 ("iio: adc: ti-adc108s102: Fix alignment of buffer pushed to iio buffers.") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-31-jic23@kernel.org Signed-off-by: Sasha Levin commit 345f2fcfdcf1acb65a63b008d859525aa71adeea Author: Jonathan Cameron Date: Sun May 8 18:56:09 2022 +0100 iio: adc: ti-adc084s021: Fix alignment for DMA safety [ Upstream commit bb102fd600d1d6c0020a4514197c0604c4a218d9 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: 3691e5a69449 ("iio: adc: add driver for the ti-adc084s021 chip") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Acked-by: Mårten Lindahl Link: https://lore.kernel.org/r/20220508175712.647246-30-jic23@kernel.org Signed-off-by: Sasha Levin commit 0de700a5d5f790ccc72c78d2aa8bf78992e1089b Author: Jonathan Cameron Date: Sun May 8 18:56:08 2022 +0100 iio: adc: ti-adc0832: Fix alignment for DMA safety [ Upstream commit 1e6bb81c23a84a078736a0f2a52bd765863e94ed ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: efc945fb729c ("iio: adc: add support for ADC0831/ADC0832/ADC0834/ADC0838 chips") Signed-off-by: Jonathan Cameron Cc: Akinobu Mita Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-29-jic23@kernel.org Signed-off-by: Sasha Levin commit e603984229746fa1672ceb8338f5b7ea3623364b Author: Jonathan Cameron Date: Sun May 8 18:56:07 2022 +0100 iio: adc: mcp320x: Fix alignment for DMA safety [ Upstream commit e770f78036ce4327caf285873f4b20564a8b4f0f ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Worth noting the fixes tag refers to the same issue being observed on a platform that probably had only 64 byte cachelines. Fixes: 0e81bc99a082 ("iio: mcp320x: Fix occasional incorrect readings") Signed-off-by: Jonathan Cameron Cc: Michael Welling Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-28-jic23@kernel.org Signed-off-by: Sasha Levin commit b4f25b4a89bb5ebcd6504a942f3d885b249e6c4a Author: Jonathan Cameron Date: Sun May 8 18:56:06 2022 +0100 iio: adc: max1241: Fix alignment for DMA safety [ Upstream commit 9d7019e43ee67a48cef63f8f23f002233064d390 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 8a80a71d9020 ("iio: adc: Add MAX1241 driver") Signed-off-by: Jonathan Cameron Acked-by: Alexandru Lazar Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-27-jic23@kernel.org Signed-off-by: Sasha Levin commit 78904462780cdce8f5756d6d13be7c58c42f5841 Author: Jonathan Cameron Date: Sun May 8 18:56:05 2022 +0100 iio: adc: max1118: Fix alignment for DMA safety [ Upstream commit f746ab0bac5b335b09143dcd01db6f9f26d0c9ec ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: a9e9c7153e96 ("iio: adc: add max1117/max1118/max1119 ADC driver") Signed-off-by: Jonathan Cameron Cc: Akinobu Mita Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-26-jic23@kernel.org Signed-off-by: Sasha Levin commit 24c3652d0036bf02717f2e29979c49e9fa2a8122 Author: Jonathan Cameron Date: Sun May 8 18:56:04 2022 +0100 iio: adc: max11100: Fix alignment for DMA safety [ Upstream commit 51f30d63145cc84cb8a8e0ec96f9a8b73e6b5448 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: a8e7e88df9ec ("iio: adc: Add Maxim MAX11100 driver") Signed-off-by: Jonathan Cameron Acked-by: Jacopo Mondi Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-25-jic23@kernel.org Signed-off-by: Sasha Levin commit 68427acc936fcf95db86c58a6de7a768be96bd17 Author: Jonathan Cameron Date: Sun May 8 18:56:03 2022 +0100 iio: adc: max1027: Fix alignment for DMA safety [ Upstream commit e754fb7e7a05e3838c9aa044b4114869dd0d1e17 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: fc167f624833 ("iio: add support of the max1027") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-24-jic23@kernel.org Signed-off-by: Sasha Levin commit f48a263998a6d9222b51b9d2a673249061de0e49 Author: Jonathan Cameron Date: Sun May 8 18:56:02 2022 +0100 iio: adc: ltc2497: Fix alignment for DMA safety [ Upstream commit 6ebf401d555ee1e75e779b865d38e171db0aa1f2 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: bc82222fcca1 ("iio:adc: Driver for Linear Technology LTC2497 ADC") Signed-off-by: Jonathan Cameron Cc: Michael Hennerich Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-23-jic23@kernel.org Signed-off-by: Sasha Levin commit 0bd54a894e6a02442ba6335e125de0c90fe0fcdb Author: Jonathan Cameron Date: Sun May 8 18:56:01 2022 +0100 iio: adc: ltc2496: Fix alignment for DMA safety [ Upstream commit 1673b7ca2dc1fb3b8d7c94a112496c02d34ae449 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes: e4c5c4dfaa88 ("iio: adc: new driver to support Linear technology's ltc2496") Signed-off-by: Jonathan Cameron Cc: Uwe Kleine-König Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-22-jic23@kernel.org Signed-off-by: Sasha Levin commit 3ad6dfff2c987f7ff77ae741074364f3788da2cf Author: Jonathan Cameron Date: Sun May 8 18:56:00 2022 +0100 iio: adc: hi8435: Fix alignment for DMA safety [ Upstream commit 48e4ae96b0b10f93de23b86fd34e573c44e95ab3 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 72aa29ce0a59 ("iio: adc: hi8435: Holt HI-8435 threshold detector") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-21-jic23@kernel.org Signed-off-by: Sasha Levin commit cfddd869daa1027875a5c4212ee13f925b837343 Author: Jonathan Cameron Date: Sun May 8 18:55:59 2022 +0100 iio: adc: ad7949: Fix alignment for DMA safety [ Upstream commit 9c6c7eff7d4a53efd4d0818f8664259a1862665a ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Note the fixes tag predates some changes to this line of code so automated application of this fix may fail. Fixes: 7f40e0614317 ("iio:adc:ad7949: Add AD7949 ADC driver family") Signed-off-by: Jonathan Cameron Cc: Charles-Antoine Couret Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-20-jic23@kernel.org Signed-off-by: Sasha Levin commit a221cace0356a2aa2ddb8fd8376e08109e69f0e2 Author: Jonathan Cameron Date: Sun May 8 18:55:58 2022 +0100 iio: adc: ad7923: Fix alignment for DMA safety [ Upstream commit 908af45d7057345bc910940a9340f7a1d8935875 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Note that some other fixes have applied to this line of code that may complicate automated backporting. Signed-off-by: Jonathan Cameron Fixes: 0eac259db28f ("IIO ADC support for AD7923") Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-19-jic23@kernel.org Signed-off-by: Sasha Levin commit c97a60f0cca6f85d75dce43976f8751dd8eec968 Author: Jonathan Cameron Date: Sun May 8 18:55:57 2022 +0100 iio: adc: ad7887: Fix alignment for DMA safety [ Upstream commit b330ea6bc52468e183ced79189ff064f36c64aa7 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to include 'may'. Fixes tag is clearly not where this was introduced but it is very unlikely anyone will back port it past that point. Fixes: 65dd3d3d7a9b ("staging:iio:ad7887: Squash everything into one file") Signed-off-by: Jonathan Cameron Cc: Lars-Peter Clausen Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-18-jic23@kernel.org Signed-off-by: Sasha Levin commit c02e8accbadf211578365312d332fc840731a152 Author: Jonathan Cameron Date: Sun May 8 18:55:56 2022 +0100 iio: adc: ad7768-1: Fix alignment for DMA safety [ Upstream commit 211f810f8fae05c1f78e531b2b113ea1ab3d1ce7 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to reflect that separate cachelines 'may' be required. Fixes: a5f8c7da3dbe ("iio: adc: Add AD7768-1 ADC basic support") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-17-jic23@kernel.org Signed-off-by: Sasha Levin commit caf94260df34c2a69e9f348ad22611b020cf97e9 Author: Jonathan Cameron Date: Sun May 8 18:55:55 2022 +0100 iio: adc: ad7766: Fix alignment for DMA safety [ Upstream commit 009ae227a1dace2d4d27c804e5bd65907e1d0557 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to reflect the fact DMA safety 'may' require separate cachelines. Fixes: aa16c6bd0e09 ("iio:adc: Add support for AD7766/AD7767") Signed-off-by: Jonathan Cameron Cc: Lars-Peter Clausen Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-16-jic23@kernel.org Signed-off-by: Sasha Levin commit b724a7797dd702ebee99b0a81624f05df986b193 Author: Jonathan Cameron Date: Sun May 8 18:55:54 2022 +0100 iio: adc: ad7606: Fix alignment for DMA safety [ Upstream commit 6268c6eebb13f228d418f9adaca848b3ed5b3cf9 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_ALIGN definition. Update the comment to reflect the fact DMA safety 'may' require separate cachelines. Fixes: 7989b4bb23fe ("iio: adc: ad7616: Add support for AD7616 ADC") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-15-jic23@kernel.org Signed-off-by: Sasha Levin commit 50d616f228598fb07323f8f07ae073e5d9a00193 Author: Jonathan Cameron Date: Sun May 8 18:55:53 2022 +0100 iio: adc: ad7476: Fix alignment for DMA safety [ Upstream commit 58b74555afc8affe4ae4f57d396349158433fc80 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to reflect that DMA safety 'may' require separate cachelines. Fixes tag is unlikely to be the actual introdution of the problem but is far enough back to cover any likely backporting. Fixes: 7a28fe3c93d6 ("staging:iio:ad7476: Squash driver into a single file.") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-14-jic23@kernel.org Signed-off-by: Sasha Levin commit 259dca64b269664d0413e7c6d9ec5aa6ed6ac674 Author: Jonathan Cameron Date: Sun May 8 18:55:52 2022 +0100 iio: adc: ad7298: Fix alignment for DMA safety [ Upstream commit 585c9772f883da3ac425e2e8277b2aaceb201f38 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: be7fd3b86ad2 ("iio:adc:ad7298 make the tx and rx buffers __be16") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-13-jic23@kernel.org Signed-off-by: Sasha Levin commit 1c7097744e3a9f2004317effc03d57bd01223ca7 Author: Jonathan Cameron Date: Sun May 8 18:55:51 2022 +0100 iio: adc: ad7292: Fix alignment for DMA safety [ Upstream commit 98295a206d04633bae31f279de11ff7d04724bce ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 506d2e317a0a ("iio: adc: Add driver support for AD7292") Signed-off-by: Jonathan Cameron Acked-by: Marcelo Schmitt Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-12-jic23@kernel.org Signed-off-by: Sasha Levin commit 891103bc83a83100bbbc6dc921594f7c91f70163 Author: Jonathan Cameron Date: Sun May 8 18:55:50 2022 +0100 iio: adc: ad7280a: Fix alignment for DMA safety [ Upstream commit 4e2008429588b857bbc13d048b67b931a8d84816 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 003f1d48de52 ("staging:iio:adc:ad7280a: Split buff[2] into tx and rx parts") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-11-jic23@kernel.org Signed-off-by: Sasha Levin commit 5c07468ffea904f3095fec06c5fd32952c09610b Author: Jonathan Cameron Date: Sun May 8 18:55:49 2022 +0100 iio: adc: ad7266: Fix alignment for DMA safety [ Upstream commit b990cdfe7536a8da7e134d516350402981300016 ] ____cacheline_aligned is an insufficient guarantee for non-coherent DMA on platforms with 128 byte cachelines above L1. Switch to the updated IIO_DMA_MINALIGN definition. Update the comment to reflect that DMA safety 'may' require separate cachelines. Fixes: 54e018da3141 ("iio:ad7266: Mark transfer buffer as __be16") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-10-jic23@kernel.org Signed-off-by: Sasha Levin commit 83278867c4fdd7ed4ad9e4e2fb9566a5b61571d8 Author: Jonathan Cameron Date: Sun May 8 18:55:48 2022 +0100 iio: accel: sca3300: Fix alignment for DMA safety [ Upstream commit b1d3a806630dbbf3b4d75a2e850adccf4f4439e7 ] ____cacheline_aligned is insufficient guarantee for non-coherent DMA. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 9cc9806e22178 ("iio: accel: Add driver for Murata SCA3300 accelerometer") Signed-off-by: Jonathan Cameron Reviewed-by: Tomas Melin Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-9-jic23@kernel.org Signed-off-by: Sasha Levin commit a9c2ffa21e95da99e0f950b2d076036b9e6a394b Author: Jonathan Cameron Date: Sun May 8 18:55:47 2022 +0100 iio: accel: sca3000: Fix alignment for DMA safety [ Upstream commit a263456f0e27ec2f00d25119757f4d4bd656b2e9 ] ____cacheline_aligned is insufficient guarantee for non-coherent DMA. Switch to the updated IIO_DMA_MINALIGN definition. The second alignment marking is left in place to avoid doing more than the simple fix in this patch. Fixes: ced5c03d360ae ("staging:iio:accel:sca3000 merge files into one.") Fixes: 152a6a884ae13 ("staging:iio:accel:sca3000 move to hybrid hard / soft buffer design.") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-8-jic23@kernel.org Signed-off-by: Sasha Levin commit 9e004dc744f8cc0f520517a589149c6d7e4a3367 Author: Jonathan Cameron Date: Sun May 8 18:55:45 2022 +0100 iio: accel: bma220: Fix alignment for DMA safety [ Upstream commit 38e71240e2ff97184cdcdaf877cf62d3f16678e2 ] ____cacheline_aligned is insufficient guarantee for non-coherent DMA. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: bf2a5600a3ebc ("iio: accel: Add support for Bosch BMA220") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-6-jic23@kernel.org Signed-off-by: Sasha Levin commit ab7828ae679e42b414e083941597b13fda1c048f Author: Jonathan Cameron Date: Sun May 8 18:55:44 2022 +0100 iio: accel: adxl367: Fix alignment for DMA safety [ Upstream commit e1f956a804df9074fb5de557563d153ae25252e7 ] ____cacheline_aligned is insufficient guarantee for non-coherent DMA. Switch to the updated IIO_DMA_MINALIGN definition. Update comment to reflect that DMA safety may require separate cachelines. Fixes: cbab791c5e2a5 ("iio: accel: add ADXL367 driver") Signed-off-by: Jonathan Cameron Cc: Cosmin Tanislav Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-5-jic23@kernel.org Signed-off-by: Sasha Levin commit f6cc98ecb494943072b3ce94e393e513dd0ca94e Author: Jonathan Cameron Date: Sun May 8 18:55:43 2022 +0100 iio: accel: adxl355: Fix alignment for DMA safety [ Upstream commit 46403dcf3a7cbd24b86f809fd79962f4d6b137c5 ] ____cacheline_aligned is insufficient guarantee for non-coherent DMA. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 327a0eaf19d53 ("iio: accel: adxl355: Add triggered buffer support") Signed-off-by: Jonathan Cameron Cc: Puranjay Mohan Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-4-jic23@kernel.org Signed-off-by: Sasha Levin commit 425e34d72cf103ba854d87e63da385ed9ca69a14 Author: Jonathan Cameron Date: Sun May 8 18:55:42 2022 +0100 iio: accel: adxl313: Fix alignment for DMA safety [ Upstream commit f68a0445ee86e48dafbfdea50163ad6fc6dba268 ] ____cacheline_aligned is insufficient guarantee for non-coherent DMA. Switch to the updated IIO_DMA_MINALIGN definition. Fixes: 636d44633039 ("iio: accel: Add driver support for ADXL313") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-3-jic23@kernel.org Signed-off-by: Sasha Levin commit 4fd60ffe4dba282cadf762b34b5cd6dcd51f38a6 Author: Jonathan Cameron Date: Sun May 8 18:55:41 2022 +0100 iio: core: Fix IIO_ALIGN and rename as it was not sufficiently large [ Upstream commit 12c4efe3509b8018e76ea3ebda8227cb53bf5887 ] Discussion of the series: https://lore.kernel.org/all/20220405135758.774016-1-catalin.marinas@arm.com/ mm, arm64: Reduce ARCH_KMALLOC_MINALIGN brought to my attention that our current IIO usage of L1CACHE_ALIGN is insufficient as their are Arm platforms out their with non coherent DMA and larger cache lines at at higher levels of their cache hierarchy. Rename the define to make it's purpose more explicit. It will be used much more widely going forwards (to replace incorrect ____cacheline_aligned markings. Note this patch will greatly reduce the padding on some architectures that have smaller requirements for DMA safe buffers. The history of changing values of ARCH_KMALLOC_MINALIGN via ARCH_DMA_MINALIGN on arm64 is rather complex. I'm not tagging this as fixing a particular patch from that route as it's not clear what to tag. Most recently a change to bring them back inline was reverted because of some Qualcomm Kryo cores with an L2 cache with 128-byte lines sitting above the point of coherency. c1132702c71f Revert "arm64: cache: Lower ARCH_DMA_MINALIGN to 64 (L1_CACHE_BYTES)" That reverts: 65688d2a05de arm64: cache: Lower ARCH_DMA_MINALIGN to 64 (L1_CACHE_BYTES) which refers to the change originally being motivated by Thunder x1 performance rather than correctness. Fixes: 6f7c8ee585e9d ("staging:iio: Add ability to allocate private data space to iio_allocate_device") Signed-off-by: Jonathan Cameron Acked-by: Nuno Sá Link: https://lore.kernel.org/r/20220508175712.647246-2-jic23@kernel.org Signed-off-by: Sasha Levin commit 0b2a557a136b463d7ef9036d319fab98d45aed00 Author: Jagath Jog J Date: Thu May 5 19:00:15 2022 +0530 iio: accel: bma400: Add triggered buffer support [ Upstream commit ffe0ab6a96988daa8b316290c15e1c7bbb9d4211 ] Added trigger buffer support to read continuous acceleration and temperature data from device with data ready interrupt which is mapped to INT1 pin. Signed-off-by: Jagath Jog J Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220505133021.22362-5-jagathjog1996@gmail.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit f349ecf3ce13a69f8c3c0f12b0822f7faa7beee4 Author: Jagath Jog J Date: Thu May 5 19:00:14 2022 +0530 iio: accel: bma400: conversion to device-managed function [ Upstream commit 12c99f859fd3da5fc8f8491826e7023001f54821 ] This is a conversion to device-managed by using devm_iio_device_register() inside probe function. Previously the bma400 was not put into power down mode in some error paths in probe where it now is, but that should cause no harm. The dev_set_drvdata() call, bma400_remove() function and hooks in the I2C and SPI driver struct is removed as devm_iio_device_register() function is used to automatically unregister on driver detach. Signed-off-by: Jagath Jog J Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220505133021.22362-4-jagathjog1996@gmail.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 9158b263330b253236ef8997c4cf14e3ac9ee2ff Author: Jagath Jog J Date: Thu May 5 19:00:13 2022 +0530 iio: accel: bma400: Reordering of header files [ Upstream commit 1bd2dc6ea863690aee5c45ebf09c9194c7a42c0d ] Reordering of header files and removing the iio/sysfs.h since custom attributes are not being used in the driver. Signed-off-by: Jagath Jog J Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220505133021.22362-3-jagathjog1996@gmail.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit f0205ca7df14995e1e3c0c67d883a5c6909f2f44 Author: Gwendal Grignou Date: Fri Apr 29 15:01:36 2022 -0700 iio: sx9324: Fix register field spelling [ Upstream commit 0b24034c7ffa20bcfb4fdfece1df770ec5b0a634 ] Field for PROX_CTRL4 should contain PROX_CTRL4. Fixes: 4c18a890dff8d ("iio:proximity:sx9324: Add SX9324 support") Signed-off-by: Gwendal Grignou Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/20220429220144.1476049-3-gwendal@chromium.org Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 2cbdd3e2e59788127d240841db0e94e2e544813e Author: Stephen Boyd Date: Tue Jun 14 00:57:26 2022 -0700 platform/chrome: cros_ec: Always expose last resume result [ Upstream commit 74bb746407bf0d7c7d126c7731dbcd66d467619b ] The last resume result exposing logic in cros_ec_sleep_event() incorrectly requires S0ix support, which doesn't work on ARM based systems where S0ix doesn't exist. That's because cros_ec_sleep_event() only reports the last resume result when the EC indicates the last sleep event was an S0ix resume. On ARM systems, the last sleep event is always S3 resume, but the EC can still detect sleep hang events in case some other part of the AP is blocking sleep. Always expose the last resume result if the EC supports it so that this works on all devices regardless of S0ix support. This fixes sleep hang detection on ARM based chromebooks like Trogdor. Cc: Rajat Jain Cc: Matthias Kaehlcke Cc: Hsin-Yi Wang Cc: Tzung-Bi Shih Reviewed-by: Guenter Roeck Reviewed-by: Evan Green Fixes: 7235560ac77a ("platform/chrome: Add support for v1 of host sleep event") Signed-off-by: Stephen Boyd Signed-off-by: Tzung-Bi Shih Link: https://lore.kernel.org/r/20220614075726.2729987-1-swboyd@chromium.org Signed-off-by: Sasha Levin commit c2e83fa42a1280bff18092881335c47b868c96b5 Author: Jagath Jog J Date: Thu May 5 19:00:12 2022 +0530 iio: accel: bma400: Fix the scale min and max macro values [ Upstream commit 747c7cf1592e226d40543231b26502b332d0ea2f ] Changing the scale macro values to match the bma400 sensitivity for 1 LSB of all the available ranges. Fixes: 465c811f1f20 ("iio: accel: Add driver for the BMA400") Signed-off-by: Jagath Jog J Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220505133021.22362-2-jagathjog1996@gmail.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 637e64b296728f0879a53b1dea502e87825d2d3e Author: Quinn Tran Date: Wed Jun 8 04:58:47 2022 -0700 scsi: qla2xxx: edif: Reduce N2N thrashing at app_start time [ Upstream commit 37be3f9d6993a721bc019f03c97ea0fe66319997 ] For N2N + remote WWPN is bigger than local adapter, remote adapter will login to local adapter while authentication application is not running. When authentication application starts, the current session in FW needs to to be invalidated. Make sure the old session is torn down before triggering a relogin. Link: https://lore.kernel.org/r/20220608115849.16693-9-njavali@marvell.com Fixes: 4de067e5df12 ("scsi: qla2xxx: edif: Add N2N support for EDIF") Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 412eb699641fc8de5bcad8e5bb52ffad5bccd5ad Author: Quinn Tran Date: Wed Jun 8 04:58:46 2022 -0700 scsi: qla2xxx: edif: Fix no logout on delete for N2N [ Upstream commit ec538eb838f334453b10e7e9b260f0c358018a37 ] The driver failed to send implicit logout on session delete. For edif, this failed to flush any lingering SA index in FW. Set a flag to turn on implicit logout early in the session recovery to make sure the logout will go out in case of error. Link: https://lore.kernel.org/r/20220608115849.16693-8-njavali@marvell.com Fixes: 4de067e5df12 ("scsi: qla2xxx: edif: Add N2N support for EDIF") Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit f65746b1cc3028b20545dcbec2da63bd9add6901 Author: Quinn Tran Date: Wed Jun 8 04:58:45 2022 -0700 scsi: qla2xxx: edif: Fix session thrash [ Upstream commit a8fdfb0b39c2b31722c70bdf2272b949d5af4b7b ] Current code prematurely sends out PRLI before authentication application has given the OK to do so. This causes PRLI failure and session teardown. Prevents PRLI from going out before authentication app gives the OK. Link: https://lore.kernel.org/r/20220608115849.16693-7-njavali@marvell.com Fixes: 91f6f5fbe87b ("scsi: qla2xxx: edif: Reduce connection thrash") Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 8f34bd281066ace4465bb9bc98697ceec47bf2b1 Author: Quinn Tran Date: Wed Jun 8 04:58:44 2022 -0700 scsi: qla2xxx: edif: Tear down session if keys have been removed [ Upstream commit d7e2e4a68fc047a025afcd200e6b7e1fbc8b1999 ] If all keys for a session have been deleted, trigger a session teardown. Link: https://lore.kernel.org/r/20220608115849.16693-6-njavali@marvell.com Fixes: dd30706e73b7 ("scsi: qla2xxx: edif: Add key update") Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 003389c2fb2643333e092defb57c3e9caeb18524 Author: Quinn Tran Date: Wed Jun 8 04:58:43 2022 -0700 scsi: qla2xxx: edif: Fix no login after app start [ Upstream commit 24c796098f5395477f7f7ebf8e24f3f08a139f71 ] The scenario is this: User loaded driver but has not started authentication app. All sessions to secure device will exhaust all login attempts, fail, and in stay in deleted state. Then some time later the app is started. The driver will replenish the login retry count, trigger delete to prepare for secure login. After deletion, relogin is triggered. For the session that is already deleted, the delete trigger is a no-op. If none of the sessions trigger a relogin, no progress is made. Add a relogin trigger. Link: https://lore.kernel.org/r/20220608115849.16693-5-njavali@marvell.com Fixes: 7ebb336e45ef ("scsi: qla2xxx: edif: Add start + stop bsgs") Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit f95502bc5e521dacd668d72fb427220b1ddb78bc Author: Quinn Tran Date: Wed Jun 8 04:58:42 2022 -0700 scsi: qla2xxx: edif: Reduce disruption due to multiple app start [ Upstream commit 0dbfce5255fe8d069a1a3b712a25b263264cfa58 ] Multiple app start can trigger a session bounce. Make driver skip over session teardown if app start is seen more than once. Link: https://lore.kernel.org/r/20220608115849.16693-4-njavali@marvell.com Fixes: 7ebb336e45ef ("scsi: qla2xxx: edif: Add start + stop bsgs") Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit ba6202e0dacddbb944adaee1e831146d9cda8916 Author: Quinn Tran Date: Wed Jun 8 04:58:41 2022 -0700 scsi: qla2xxx: edif: Send LOGO for unexpected IKE message [ Upstream commit 2b659ed67a12f39f56d8dcad9b5d5a74d67c01b3 ] If the session is down and the local port continues to receive AUTH ELS messages, the driver needs to send back LOGO so that the remote device knows to tear down its session. Terminate and clean up the AUTH ELS exchange followed by a passthrough LOGO. Link: https://lore.kernel.org/r/20220608115849.16693-3-njavali@marvell.com Fixes: 225479296c4f ("scsi: qla2xxx: edif: Reject AUTH ELS on session down") Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit a470dc3c0affdb233a471cc89befe3600dea37fc Author: Thomas Gleixner Date: Mon Jun 6 17:23:45 2022 +0200 netfilter: xtables: Bring SPDX identifier back [ Upstream commit 20646f5b1e798bcc20044ae90ac3702f177bf254 ] Commit e2be04c7f995 ("License cleanup: add SPDX license identifier to uapi header files with a license") added the correct SPDX identifier to include/uapi/linux/netfilter/xt_IDLETIMER.h. A subsequent commit removed it for no reason and reintroduced the UAPI license incorrectness as the file is now missing the UAPI exception again. Add it back and remove the GPLv2 boilerplate while at it. Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target") Cc: Manoj Basapathi Cc: Subash Abhinov Kasiviswanathan Cc: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit bec6ece7928fa4a2a97e57ff58ce82ab8f73eb27 Author: Miquel Raynal Date: Thu Jun 9 16:14:55 2022 +0200 dmaengine: dw: dmamux: Fix build without CONFIG_OF [ Upstream commit 7811f2e7fd6a30d96eaa1fccf57b07694a8cad27 ] When built without OF support, of_match_node() expands to NULL, which produces the following output: >> drivers/dma/dw/rzn1-dmamux.c:105:34: warning: unused variable 'rzn1_dmac_match' [-Wunused-const-variable] static const struct of_device_id rzn1_dmac_match[] = { One way to silence the warning is to enclose the structure definition with an #ifdef CONFIG_OF/#endif block. Fixes: 134d9c52fca2 ("dmaengine: dw: dmamux: Introduce RZN1 DMA router support") Reported-by: kernel test robot Signed-off-by: Miquel Raynal Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220609141455.300879-2-miquel.raynal@bootlin.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 29ed3385fc91aaa0605defb3a507d55c6d38d3bb Author: Miquel Raynal Date: Thu Jun 9 16:14:54 2022 +0200 dmaengine: dw: dmamux: Export the module device table [ Upstream commit 2717d33841957a0f5fb65fd8b37f9c2321593864 ] This is a tristate driver that can be built as a module, as a result, the OF match table should be exported with MODULE_DEVICE_TABLE(). Fixes: 134d9c52fca2 ("dmaengine: dw: dmamux: Introduce RZN1 DMA router support") Signed-off-by: Miquel Raynal Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220609141455.300879-1-miquel.raynal@bootlin.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 40aefcd2cbfc7da662f3fc5702f63119b1e37e34 Author: Tang Bin Date: Tue May 24 20:14:04 2022 +0800 usb: xhci: tegra: Fix error check [ Upstream commit 18fc7c435be3f17ea26a21b2e2312fcb9088e01f ] In the function tegra_xusb_powerdomain_init(), dev_pm_domain_attach_by_name() may return NULL in some cases, so IS_ERR() doesn't meet the requirements. Thus fix it. Fixes: 6494a9ad86de ("usb: xhci: tegra: Add genpd support") Signed-off-by: Tang Bin Link: https://lore.kernel.org/r/20220524121404.18376-1-tangbin@cmss.chinamobile.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 44de43152056ed83e3d996c57e3b6227dccb3e3a Author: Clément Léger Date: Tue Jun 7 15:34:54 2022 +0200 usb: host: ohci-at91: add support to enter suspend using SMC [ Upstream commit 1e073e3ed9ff9ec14e7e360ed89a81256d895588 ] When Linux is running under OP-TEE, the SFR is set as secured and thus the AT91_OHCIICR_USB_SUSPEND register isn't accessible. Add a SMC to do the appropriate call to suspend the controller. The SMC id is fetched from the device-tree property "microchip,suspend-smc-id". if present, then the syscon regmap is not used to enter suspend and a SMC is issued. Reviewed-by: Claudiu Beznea Acked-by: Alan Stern Signed-off-by: Clément Léger Link: https://lore.kernel.org/r/20220607133454.727063-1-clement.leger@bootlin.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a9106aec8b54bfb6064d34183756da9f671f20ac Author: Dan Carpenter Date: Wed May 25 15:30:13 2022 +0300 usbip: vudc: Don't enable IRQs prematurely [ Upstream commit 62e4efe3375eb30292dabaec4481dc04550d3644 ] This code does: spin_unlock_irq(&udc->ud.lock); spin_unlock_irqrestore(&udc->lock, flags); which does not make sense. In theory, the first unlock could enable IRQs and then the second _irqrestore could disable them again. There would be a brief momemt where IRQs were enabled improperly. In real life, however, this function is always called with IRQs enabled and the bug does not affect runtime. Reviewed-by: Shuah Khan Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/Yo4hVWcZNYzKEkIQ@kili Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d9cf131087356cdc4a128deb441935f94a975fe9 Author: Tang Bin Date: Wed May 25 21:53:32 2022 +0800 usb: gadget: tegra-xudc: Fix error check in tegra_xudc_powerdomain_init() [ Upstream commit f08aa7c80dac27ee00fa6827f447597d2fba5465 ] dev_pm_domain_attach_by_name() may return NULL in some cases, so IS_ERR() doesn't meet the requirements. Thus fix it. Fixes: 49db427232fe ("usb: gadget: Add UDC driver for tegra XUSB device mode controller") Signed-off-by: Tang Bin Link: https://lore.kernel.org/r/20220525135332.23144-1-tangbin@cmss.chinamobile.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 50238c4b54c2ac6c2da7a84a4a2b0a570e3da0e2 Author: Miaoqian Lin Date: Fri Jun 3 18:12:30 2022 +0400 usb: ohci-nxp: Fix refcount leak in ohci_hcd_nxp_probe [ Upstream commit 302970b4cad3ebfda2c05ce06c322ccdc447d17e ] of_parse_phandle() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. Fixes: 73108aa90cbf ("USB: ohci-nxp: Use isp1301 driver") Acked-by: Alan Stern Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220603141231.979-1-linmq006@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8bdff7d446651e660073890f21ff770fe9966dbd Author: Laurent Pinchart Date: Wed Jun 8 20:49:18 2022 +0300 usb: gadget: uvc: Fix comment blocks style [ Upstream commit c5d337a358b3e41bb4f7abd99a79b68a28eafaa2 ] The UVC gadget driver historically uses the /* Comment * style */ for multi-line block comments, which is frowned upon. Patches for the driver are required to use the more standard /* * Comment * style */ style. This result in inconsistencies. Fix it by converting all remaining instances of the old style. Reviewed-by: Kieran Bingham Signed-off-by: Laurent Pinchart Link: https://lore.kernel.org/r/20220608174918.14656-1-laurent.pinchart@ideasonboard.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 960a8a35a6027a08c4b511435bf59609b5d5e5cd Author: Frank Li Date: Thu Jun 9 10:44:56 2022 -0500 usb: cdns3: fix random warning message when driver load [ Upstream commit 8659ab3d936fcf0084676f98b75b317017aa8f82 ] Warning log: [ 4.141392] Unexpected gfp: 0x4 (GFP_DMA32). Fixing up to gfp: 0xa20 (GFP_ATOMIC). Fix your code! [ 4.150340] CPU: 1 PID: 175 Comm: 1-0050 Not tainted 5.15.5-00039-g2fd9ae1b568c #20 [ 4.158010] Hardware name: Freescale i.MX8QXP MEK (DT) [ 4.163155] Call trace: [ 4.165600] dump_backtrace+0x0/0x1b0 [ 4.169286] show_stack+0x18/0x68 [ 4.172611] dump_stack_lvl+0x68/0x84 [ 4.176286] dump_stack+0x18/0x34 [ 4.179613] kmalloc_fix_flags+0x60/0x88 [ 4.183550] new_slab+0x334/0x370 [ 4.186878] ___slab_alloc.part.108+0x4d4/0x748 [ 4.191419] __slab_alloc.isra.109+0x30/0x78 [ 4.195702] kmem_cache_alloc+0x40c/0x420 [ 4.199725] dma_pool_alloc+0xac/0x1f8 [ 4.203486] cdns3_allocate_trb_pool+0xb4/0xd0 pool_alloc_page(struct dma_pool *pool, gfp_t mem_flags) { ... page = kmalloc(sizeof(*page), mem_flags); page->vaddr = dma_alloc_coherent(pool->dev, pool->allocation, &page->dma, mem_flags); ... } kmalloc was called with mem_flags, which is passed down in cdns3_allocate_trb_pool() and have GFP_DMA32 flags. kmall_fix_flags() report warning. GFP_DMA32 is not useful at all. dma_alloc_coherent() will handle DMA memory region correctly by pool->dev. GFP_DMA32 can be removed safely. Signed-off-by: Frank Li Link: https://lore.kernel.org/r/20220609154456.2871672-1-Frank.Li@nxp.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 3a50c917c67dd0bc39c14de4a8b75a1d50fdce66 Author: Miaoqian Lin Date: Thu Jun 2 15:08:49 2022 +0400 usb: host: Fix refcount leak in ehci_hcd_ppc_of_probe [ Upstream commit b5c5b13cb45e2c88181308186b0001992cb41954 ] of_find_compatible_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when done. Add missing of_node_put() to avoid refcount leak. Fixes: 796bcae7361c ("USB: powerpc: Workaround for the PPC440EPX USBH_23 errata [take 3]") Acked-by: Alan Stern Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220602110849.58549-1-linmq006@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e4974ae1bdcf3f2c92ae6d4d745a0c6e3d5da1c1 Author: Marco Pagani Date: Thu Jun 9 16:05:19 2022 +0200 fpga: altera-pr-ip: fix unsigned comparison with less than zero [ Upstream commit 2df84a757d87fd62869fc401119d429735377ec5 ] Fix the "comparison with less than zero" warning reported by cppcheck for the unsigned (size_t) parameter count of the alt_pr_fpga_write() function. Fixes: d201cc17a8a3 ("fpga pr ip: Core driver support for Altera Partial Reconfiguration IP") Reviewed-by: Tom Rix Acked-by: Xu Yilun Signed-off-by: Marco Pagani Link: https://lore.kernel.org/r/20220609140520.42662-1-marpagan@redhat.com Signed-off-by: Xu Yilun Signed-off-by: Sasha Levin commit e593e22786edd9eca058cf054d6a2e12c138da67 Author: Miaoqian Lin Date: Wed Jun 1 08:12:58 2022 +0400 PCI: mediatek-gen3: Fix refcount leak in mtk_pcie_init_irq_domains() [ Upstream commit bf038503d5fe90189743124233fe7aeb0984e961 ] of_get_child_by_name() returns a node pointer with refcount incremented, so we should use of_node_put() on it when we don't need it anymore. Add missing of_node_put() to avoid refcount leak. Fixes: 814cceebba9b ("PCI: mediatek-gen3: Add INTx support") Link: https://lore.kernel.org/r/20220601041259.56185-1-linmq006@gmail.com Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Helgaas Reviewed-by: Miles Chen Acked-by: Jianjun Wang Signed-off-by: Sasha Levin commit 23d4428145cedfa9a6ae8ef3f3114c84819b4957 Author: Uwe Kleine-König Date: Tue Jun 7 17:24:57 2022 +0200 mtd: st_spi_fsm: Disable clock only after device was unregistered [ Upstream commit cd043c613e21bb6f039057043da759471706adf5 ] Until mtd_device_unregister() returns the device is expected to be operational. So only disable the clock after the mtd is unregistered. Fixes: 1fefc8ecb834 ("mtd: st_spi_fsm: add missing clk_disable_unprepare() in stfsm_remove()") Signed-off-by: Uwe Kleine-König Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220607152458.232847-4-u.kleine-koenig@pengutronix.de Signed-off-by: Sasha Levin commit 13e83bf26a3314840133d17ff71dc6d4c80644ca Author: Uwe Kleine-König Date: Tue Jun 7 17:24:56 2022 +0200 mtd: st_spi_fsm: Warn about failure to unregister mtd device [ Upstream commit cfa7847f150c4343903d8ff2cd219418c1768205 ] mtd_device_unregister() shouldn't fail. Wail loudly if it does anyhow. This matches how other drivers (e.g. nand/raw/nandsim.c) use mtd_device_unregister(). By returning 0 in the platform remove callback a generic error message by the device core is suppressed, nothing else changes. This is a preparation for making platform remove callbacks return void. Signed-off-by: Uwe Kleine-König Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220607152458.232847-3-u.kleine-koenig@pengutronix.de Signed-off-by: Sasha Levin commit 38a787294b92471ed5785fd05543bf7e501c730b Author: Uwe Kleine-König Date: Fri Jun 3 23:07:51 2022 +0200 mtd: spear_smi: Drop if with an always false condition [ Upstream commit 279d719be39d8edb37c9178c15e167a94c7bc0a0 ] The remove callback is only called after probe completed successfully. In this case platform_set_drvdata() was called with a non-NULL argument and so dev is never NULL. This is a preparation for making platform remove callbacks return void. Signed-off-by: Uwe Kleine-König Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220603210758.148493-8-u.kleine-koenig@pengutronix.de Signed-off-by: Sasha Levin commit 5d7879ddc7a00fb9c3f25b300b9895b0975fdb06 Author: Uwe Kleine-König Date: Tue Jun 7 17:24:55 2022 +0200 mtd: st_spi_fsm: Add a clk_disable_unprepare() in .probe()'s error path [ Upstream commit 28607b426c3d050714f250d0faeb99d2e9106e90 ] For all but one error path clk_disable_unprepare() is already there. Add it to the one location where it's missing. Fixes: 481815a6193b ("mtd: st_spi_fsm: Handle clk_prepare_enable/clk_disable_unprepare.") Fixes: 69d5af8d016c ("mtd: st_spi_fsm: Obtain and use EMI clock") Signed-off-by: Uwe Kleine-König Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220607152458.232847-2-u.kleine-koenig@pengutronix.de Signed-off-by: Sasha Levin commit f9acee2cc3102ff4dd37266bf333840e813a061b Author: Uwe Kleine-König Date: Fri Jun 3 23:07:50 2022 +0200 mtd: spear_smi: Don't skip cleanup after mtd_device_unregister() failed [ Upstream commit 0057568b391488a5940635cbda562ea397bf4bdd ] If mtd_device_unregister() fails (which it doesn't when used correctly), the resources bound by the nand chip should be freed anyhow as returning an error value doesn't prevent the device getting unbound. Instead use WARN_ON on the return value similar to how other drivers do it. This is a preparation for making platform remove callbacks return void. Signed-off-by: Uwe Kleine-König Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220603210758.148493-7-u.kleine-koenig@pengutronix.de Signed-off-by: Sasha Levin commit 01bc3840d943cf725dea6ca13e11ffda82bad49a Author: Miaoqian Lin Date: Sun Jun 5 11:07:23 2022 +0400 mtd: parsers: ofpart: Fix refcount leak in bcm4908_partitions_fw_offset [ Upstream commit e607879b0da18c451de5e91daf239cc2f2f8ff2d ] of_find_node_by_path() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. Fixes: bb17230c61a6 ("mtd: parsers: ofpart: support BCM4908 fixed partitions") Signed-off-by: Miaoqian Lin Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220605070726.5979-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit e24af43d0cbe9f6aaa413c15ccce50bbbfd61e0e Author: Miaoqian Lin Date: Thu May 26 15:06:49 2022 +0400 mtd: partitions: Fix refcount leak in parse_redboot_of [ Upstream commit 9f7e62815cf3cbbcb1b8cb21649fb4dfdb3aa016 ] of_get_child_by_name() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. Fixes: 237960880960 ("mtd: partitions: redboot: seek fis-index-block in the right node") Signed-off-by: Miaoqian Lin Reviewed-by: Linus Walleij Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220526110652.64849-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 692c85c91846052e957d3bc150ca8ba43a12ef07 Author: Duoming Zhou Date: Tue May 24 12:48:41 2022 +0800 mtd: sm_ftl: Fix deadlock caused by cancel_work_sync in sm_release [ Upstream commit a61528d997619a518ee8c51cf0ef0513021afaff ] There is a deadlock between sm_release and sm_cache_flush_work which is a work item. The cancel_work_sync in sm_release will not return until sm_cache_flush_work is finished. If we hold mutex_lock and use cancel_work_sync to wait the work item to finish, the work item also requires mutex_lock. As a result, the sm_release will be blocked forever. The race condition is shown below: (Thread 1) | (Thread 2) sm_release | mutex_lock(&ftl->mutex) | sm_cache_flush_work | mutex_lock(&ftl->mutex) cancel_work_sync | ... This patch moves del_timer_sync and cancel_work_sync out of mutex_lock in order to mitigate deadlock. Fixes: 7d17c02a01a1 ("mtd: Add new SmartMedia/xD FTL") Signed-off-by: Duoming Zhou Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220524044841.10517-1-duoming@zju.edu.cn Signed-off-by: Sasha Levin commit 26e427ac85c2b8d0d108cc80b6de34d33e2780c4 Author: Harshit Mogalapalli Date: Wed Jun 8 05:26:09 2022 -0700 HID: cp2112: prevent a buffer overflow in cp2112_xfer() [ Upstream commit 381583845d19cb4bd21c8193449385f3fefa9caf ] Smatch warnings: drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy() 'data->block[1]' too small (33 vs 255) drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy() 'buf' too small (64 vs 255) The 'read_length' variable is provided by 'data->block[0]' which comes from user and it(read_length) can take a value between 0-255. Add an upper bound to 'read_length' variable to prevent a buffer overflow in memcpy(). Fixes: 542134c0375b ("HID: cp2112: Fix I2C_BLOCK_DATA transactions") Signed-off-by: Harshit Mogalapalli Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 0a5d731841408d2021ae47204eac24c804ad058e Author: Miaoqian Lin Date: Thu Jun 2 07:19:08 2022 +0400 PCI: tegra194: Fix PM error handling in tegra_pcie_config_ep() [ Upstream commit e8fbd344a5ea62663554b8546b6bf9f88b93785a ] pm_runtime_enable() will increase power disable depth. If dw_pcie_ep_init() fails, we should use pm_runtime_disable() to balance it with pm_runtime_enable(). Add missing pm_runtime_disable() for tegra_pcie_config_ep(). Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Link: https://lore.kernel.org/r/20220602031910.55859-1-linmq006@gmail.com Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Helgaas Reviewed-by: Vidya Sagar Signed-off-by: Sasha Levin commit 880ece912b958a0c92cc0baa8e906fb9b49a4b53 Author: Miaoqian Lin Date: Sun Jun 5 09:51:23 2022 +0400 PCI: microchip: Fix refcount leak in mc_pcie_init_irq_domains() [ Upstream commit f030304fdeb87ec8f1b518c73703214aec6cc24a ] of_get_next_child() returns a node pointer with refcount incremented, so we should use of_node_put() on it when we don't need it anymore. mc_pcie_init_irq_domains() only calls of_node_put() in the normal path, missing it in some error paths. Add missing of_node_put() to avoid refcount leak. Fixes: 6f15a9c9f941 ("PCI: microchip: Add Microchip PolarFire PCIe controller driver") Link: https://lore.kernel.org/r/20220605055123.59127-1-linmq006@gmail.com Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Helgaas Reviewed-by: Rob Herring Signed-off-by: Sasha Levin commit d4008e715f54c748eb9ef0919f7578a3f509cf14 Author: Chanho Park Date: Fri Jun 3 14:05:36 2022 +0900 phy: samsung: exynosautov9-ufs: correct TSRV register configurations [ Upstream commit f7fdc4db071f7ee7d408ea3f083222a060c76623 ] For exynos auto v9's UFS MPHY, We should use 0x50 offset of TSRV register configurations. So, it must be s/PHY_TRSV_REG_CFG/PHY_TRSV_REG_CFG_AUTOV9/g Fixes: d64519249e1d ("phy: samsung-ufs: support exynosauto ufs phy driver") Signed-off-by: Chanho Park Acked-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20220603050536.61957-1-chanho61.park@samsung.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit e1894c10009d7b3107edcf4185cbfda8c89f7eb5 Author: Sean Christopherson Date: Fri May 13 19:49:59 2022 +0000 KVM: x86/mmu: Drop RWX=0 SPTEs during ept_sync_page() [ Upstream commit 9fb3565743d58352f00964bf47213b88aff4bb82 ] All of sync_page()'s existing checks filter out only !PRESENT gPTE, because without execute-only, all upper levels are guaranteed to be at least READABLE. However, if EPT with execute-only support is in use by L1, KVM can create an SPTE that is shadow-present but guest-inaccessible (RWX=0) if the upper level combined permissions are R (or RW) and the leaf EPTE is changed from R (or RW) to X. Because the EPTE is considered present when viewed in isolation, and no reserved bits are set, FNAME(prefetch_invalid_gpte) will consider the GPTE valid, and cause a not-present SPTE to be created. The SPTE is "correct": the guest translation is inaccessible because the combined protections of all levels yield RWX=0, and KVM will just redirect any vmexits to the guest. If EPT A/D bits are disabled, KVM can mistake the SPTE for an access-tracked SPTE, but again such confusion isn't fatal, as the "saved" protections are also RWX=0. However, creating a useless SPTE in general means that KVM messed up something, even if this particular goof didn't manifest as a functional bug. So, drop SPTEs whose new protections will yield a RWX=0 SPTE, and add a WARN in make_spte() to detect creation of SPTEs that will result in RWX=0 protections. Fixes: d95c55687e11 ("kvm: mmu: track read permission explicitly for shadow EPT page tables") Cc: David Matlack Cc: Ben Gardon Signed-off-by: Sean Christopherson Message-Id: <20220513195000.99371-2-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 4158829aaa642373817d8d0adde5d49c465f87d2 Author: Sean Christopherson Date: Mon May 2 00:07:28 2022 +0200 KVM: SVM: Stuff next_rip on emulated INT3 injection if NRIPS is supported [ Upstream commit 3741aec4c38fa4123ab08ae552f05366d4fd05d8 ] If NRIPS is supported in hardware but disabled in KVM, set next_rip to the next RIP when advancing RIP as part of emulating INT3 injection. There is no flag to tell the CPU that KVM isn't using next_rip, and so leaving next_rip is left as is will result in the CPU pushing garbage onto the stack when vectoring the injected event. Reviewed-by: Maxim Levitsky Fixes: 66b7138f9136 ("KVM: SVM: Emulate nRIP feature when reinjecting INT3") Signed-off-by: Sean Christopherson Signed-off-by: Maciej S. Szmigiero Message-Id: Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit ec6c9a27b27769eb5b9381f85bb950729e64491e Author: Sean Christopherson Date: Mon May 2 00:07:27 2022 +0200 KVM: SVM: Unwind "speculative" RIP advancement if INTn injection "fails" [ Upstream commit cd9e6da8048c5b40315ee2d929b6230ce1252c3c ] Unwind the RIP advancement done by svm_queue_exception() when injecting an INT3 ultimately "fails" due to the CPU encountering a VM-Exit while vectoring the injected event, even if the exception reported by the CPU isn't the same event that was injected. If vectoring INT3 encounters an exception, e.g. #NP, and vectoring the #NP encounters an intercepted exception, e.g. #PF when KVM is using shadow paging, then the #NP will be reported as the event that was in-progress. Note, this is still imperfect, as it will get a false positive if the INT3 is cleanly injected, no VM-Exit occurs before the IRET from the INT3 handler in the guest, the instruction following the INT3 generates an exception (directly or indirectly), _and_ vectoring that exception encounters an exception that is intercepted by KVM. The false positives could theoretically be solved by further analyzing the vectoring event, e.g. by comparing the error code against the expected error code were an exception to occur when vectoring the original injected exception, but SVM without NRIPS is a complete disaster, trying to make it 100% correct is a waste of time. Reviewed-by: Maxim Levitsky Fixes: 66b7138f9136 ("KVM: SVM: Emulate nRIP feature when reinjecting INT3") Signed-off-by: Sean Christopherson Signed-off-by: Maciej S. Szmigiero Message-Id: <450133cf0a026cb9825a2ff55d02cb136a1cb111.1651440202.git.maciej.szmigiero@oracle.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit bbafa6ea9c57dae427ada734a1cb776d5765817c Author: Quinn Tran Date: Mon Jun 6 21:46:26 2022 -0700 scsi: qla2xxx: edif: Fix n2n login retry for secure device [ Upstream commit aec55325ddec975216119da000092cb8664a3399 ] After initiator has burned up all login retries, target authentication application begins to run. This triggers a link bounce on target side. Initiator will attempt another login. Due to N2N, the PRLI [nvme | fcp] can fail because of the mode mismatch with target. This patch add a few more login retries to revive the connection. Link: https://lore.kernel.org/r/20220607044627.19563-11-njavali@marvell.com Fixes: 4de067e5df12 ("scsi: qla2xxx: edif: Add N2N support for EDIF") Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 2eba320770e2ea44b066e55a411569adbc09c2e9 Author: Quinn Tran Date: Mon Jun 6 21:46:25 2022 -0700 scsi: qla2xxx: edif: Fix n2n discovery issue with secure target [ Upstream commit 789d54a4178634850e441f60c0326124138e7269 ] User failed to see disk via n2n topology. Driver used up all login retries before authentication application started. When authentication application started, driver did not have enough login retries to connect securely. On app_start, driver will reset the login retry attempt count. Link: https://lore.kernel.org/r/20220607044627.19563-10-njavali@marvell.com Fixes: 4de067e5df12 ("scsi: qla2xxx: edif: Add N2N support for EDIF") Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 9f423067019949c3c70339f08b23171b9227e765 Author: Quinn Tran Date: Mon Jun 6 21:46:23 2022 -0700 scsi: qla2xxx: edif: Add retry for ELS passthrough [ Upstream commit 0b3f3143d473b489a7aa0779c43bcdb344bd3014 ] Relating to EDIF, when sending IKE message, updating key or deleting key, driver can encounter IOCB queue full. Add additional retries to reduce higher level recovery. Link: https://lore.kernel.org/r/20220607044627.19563-8-njavali@marvell.com Fixes: dd30706e73b7 ("scsi: qla2xxx: edif: Add key update") Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 8f5aa46923da7379a1c8b9e1f71ce43afaf45144 Author: Quinn Tran Date: Mon Jun 6 21:46:22 2022 -0700 scsi: qla2xxx: edif: Synchronize NPIV deletion with authentication application [ Upstream commit cf79716e6636400ae38c37bc8a652b1e522abbba ] Notify authentication application of a NPIV deletion event is about to occur. This allows app to perform cleanup. Link: https://lore.kernel.org/r/20220607044627.19563-7-njavali@marvell.com Fixes: 9efea843a906 ("scsi: qla2xxx: edif: Add detection of secure device") Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit d2deafaef0330a863b5e046c1154b605588d19f7 Author: Quinn Tran Date: Mon Jun 6 21:46:21 2022 -0700 scsi: qla2xxx: edif: Fix potential stuck session in sa update [ Upstream commit e0fb8ce2bb9e52c846e54ad2c58b5b7beb13eb09 ] When a thread is in the process of reestablish a session, a flag is set to prevent multiple threads/triggers from doing the same task. This flag was left on, and any attempt to relogin was locked out. Clear this flag if the attempt has failed. Link: https://lore.kernel.org/r/20220607044627.19563-6-njavali@marvell.com Fixes: dd30706e73b7 ("scsi: qla2xxx: edif: Add key update") Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 47c7d335bc46114c8bb87deb1c3463eaca90c9f8 Author: Quinn Tran Date: Mon Jun 6 21:46:20 2022 -0700 scsi: qla2xxx: edif: Add bsg interface to read doorbell events [ Upstream commit 5ecd241bd7b1088a189581c0b560a13fe93621f6 ] Add bsg interface for app to read doorbell events. This interface lets driver know how much app can read based on return buffer size. When the next event(s) occur, driver will return the bsg_job with the event(s) in the return buffer. If there is no event to read, driver will hold on to the bsg_job up to few seconds as a way to control the polling interval. Link: https://lore.kernel.org/r/20220607044627.19563-5-njavali@marvell.com Fixes: dd30706e73b7 ("scsi: qla2xxx: edif: Add key update") Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 86facc27181275eab8009450cad23c08d53090a2 Author: Quinn Tran Date: Mon Jun 6 21:46:19 2022 -0700 scsi: qla2xxx: edif: Wait for app to ack on sess down [ Upstream commit df648afa39da9c4d3af99c6c03dc3e9c7dfa99b0 ] On session deletion, wait for app to acknowledge before moving on. This allows both app and driver to stay in sync. In addition, this gives a chance for authentication app to do any type of cleanup before moving on. Link: https://lore.kernel.org/r/20220607044627.19563-4-njavali@marvell.com Fixes: dd30706e73b7 ("scsi: qla2xxx: edif: Add key update") Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit f02c787f7064ae17bb48dfc3dc4f013c03348add Author: Quinn Tran Date: Mon Jun 6 21:46:18 2022 -0700 scsi: qla2xxx: edif: bsg refactor [ Upstream commit 7a7b0b4865d3490f62d6ef1a3aa39fa2b47859a4 ] - Add version field to edif bsg for future enhancement. - Add version edif bsg version check - Remove unused interfaces and fields. Link: https://lore.kernel.org/r/20220607044627.19563-3-njavali@marvell.com Fixes: dd30706e73b7 ("scsi: qla2xxx: edif: Add key update") Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 733008cbbd44be0a3cb07c82e94ae1cc494bda43 Author: Quinn Tran Date: Mon Jun 6 21:46:17 2022 -0700 scsi: qla2xxx: edif: Reduce Initiator-Initiator thrashing [ Upstream commit 9c40c36e75ffd49952cd4ead0672defc4b4dbdf7 ] This patch uses GFFID switch command to scan whether remote device is Target or Initiator mode. Based on that info, driver will not pass up Initiator info to authentication application. This helps reduce unnecessary stress for authentication application to deal with unused connections. Link: https://lore.kernel.org/r/20220607044627.19563-2-njavali@marvell.com Fixes: 7ebb336e45ef ("scsi: qla2xxx: edif: Add start + stop bsgs") Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 1b2263d6c86fca8f30e18231778393bfc287bb27 Author: Vaibhav Jain Date: Tue May 31 09:44:46 2022 +0530 of: check previous kernel's ima-kexec-buffer against memory bounds [ Upstream commit cbf9c4b9617b6767886a913705ca14b7600c77db ] Presently ima_get_kexec_buffer() doesn't check if the previous kernel's ima-kexec-buffer lies outside the addressable memory range. This can result in a kernel panic if the new kernel is booted with 'mem=X' arg and the ima-kexec-buffer was allocated beyond that range by the previous kernel. The panic is usually of the form below: $ sudo kexec --initrd initrd vmlinux --append='mem=16G' BUG: Unable to handle kernel data access on read at 0xc000c01fff7f0000 Faulting instruction address: 0xc000000000837974 Oops: Kernel access of bad area, sig: 11 [#1] NIP [c000000000837974] ima_restore_measurement_list+0x94/0x6c0 LR [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160 Call Trace: [c00000000371fa80] [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160 [c00000000371fb00] [c0000000020512c4] ima_init+0x80/0x108 [c00000000371fb70] [c0000000020514dc] init_ima+0x4c/0x120 [c00000000371fbf0] [c000000000012240] do_one_initcall+0x60/0x2c0 [c00000000371fcc0] [c000000002004ad0] kernel_init_freeable+0x344/0x3ec [c00000000371fda0] [c0000000000128a4] kernel_init+0x34/0x1b0 [c00000000371fe10] [c00000000000ce64] ret_from_kernel_thread+0x5c/0x64 Instruction dump: f92100b8 f92100c0 90e10090 910100a0 4182050c 282a0017 3bc00000 40810330 7c0802a6 fb610198 7c9b2378 f80101d0 2c090001 40820614 e9240010 ---[ end trace 0000000000000000 ]--- Fix this issue by checking returned PFN range of previous kernel's ima-kexec-buffer with page_is_ram() to ensure correct memory bounds. Fixes: 467d27824920 ("powerpc: ima: get the kexec buffer passed by the previous kernel") Cc: Frank Rowand Cc: Prakhar Srivastava Cc: Lakshmi Ramasubramanian Cc: Thiago Jung Bauermann Cc: Rob Herring Cc: Ritesh Harjani Cc: Robin Murphy Signed-off-by: Vaibhav Jain Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220531041446.3334259-1-vaibhav@linux.ibm.com Signed-off-by: Sasha Levin commit a04c62f42a9ac09171d218bbcc0fe85188bb324a Author: Biju Das Date: Tue May 31 08:16:57 2022 +0100 clk: renesas: rzg2l: Fix reset status function [ Upstream commit 02c96ed9e4cd1f47bfcd10296fec6b0b69d6b3c6 ] As per RZ/G2L HW(Rev.1.10) manual, reset monitor register value 0 means reset signal is not applied (deassert state) and 1 means reset signal is applied (assert state). reset_control_status() expects a positive value if the reset line is asserted. But rzg2l_cpg_status function returns zero for asserted state. This patch fixes the issue by adding double inverted logic, so that reset_control_status returns a positive value if the reset line is asserted. Fixes: ef3c613ccd68 ("clk: renesas: Add CPG core wrapper for RZ/G2L SoC") Signed-off-by: Biju Das Link: https://lore.kernel.org/r/20220531071657.104121-1-biju.das.jz@bp.renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit f1e715d4a457daddbd9c1bdad4b5b38aafcc056f Author: Christophe JAILLET Date: Fri May 20 18:41:40 2022 +0200 mtd: rawnand: meson: Fix a potential double free issue [ Upstream commit ec0da06337751b18f6dee06b6526e0f0d6e80369 ] When meson_nfc_nand_chip_cleanup() is called, it will call: meson_nfc_free_buffer(&meson_chip->nand); nand_cleanup(&meson_chip->nand); nand_cleanup() in turn will call nand_detach() which calls the .detach_chip() which is here meson_nand_detach_chip(). meson_nand_detach_chip() already calls meson_nfc_free_buffer(), so we could double free some memory. Fix it by removing the unneeded explicit call to meson_nfc_free_buffer(). Fixes: 8fae856c5350 ("mtd: rawnand: meson: add support for Amlogic NAND flash controller") Signed-off-by: Christophe JAILLET Acked-by: Liang Yang Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/ec15c358b8063f7c50ff4cd628cf0d2e14e43f49.1653064877.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit babd7b0124650ab71a6487e38588b8659b3aa2dc Author: Miaoqian Lin Date: Mon May 23 18:32:55 2022 +0400 mtd: maps: Fix refcount leak in ap_flash_init [ Upstream commit 77087a04c8fd554134bddcb8a9ff87b21f357926 ] of_find_matching_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. Fixes: b0afd44bc192 ("mtd: physmap_of: add a hook for Versatile write protection") Signed-off-by: Miaoqian Lin Reviewed-by: Linus Walleij Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220523143255.4376-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit f516fbb63873ee23cba5b7c3d239677c30f13df8 Author: Miaoqian Lin Date: Mon May 23 18:02:05 2022 +0400 mtd: maps: Fix refcount leak in of_flash_probe_versatile [ Upstream commit 33ec82a6d2b119938f26e5c8040ed5d92378eb54 ] of_find_matching_node_and_match() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. Fixes: b0afd44bc192 ("mtd: physmap_of: add a hook for Versatile write protection") Signed-off-by: Miaoqian Lin Reviewed-by: Linus Walleij Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220523140205.48625-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 7e7963a5bd6ef50e42e9f710f2b3a7e02caaaed1 Author: Ralph Siemsen Date: Wed May 18 14:25:27 2022 -0400 clk: renesas: r9a06g032: Fix UART clkgrp bitsel [ Upstream commit 2dee50ab9e72a3cae75b65e5934c8dd3e9bf01bc ] There are two UART clock groups, each having a mux to select its upstream clock source. The register/bit definitions for accessing these two muxes appear to have been reversed since introduction. Correct them so as to match the hardware manual. Fixes: 4c3d88526eba ("clk: renesas: Renesas R9A06G032 clock driver") Signed-off-by: Ralph Siemsen Reviewed-by: Phil Edworthy Link: https://lore.kernel.org/r/20220518182527.1693156-1-ralph.siemsen@linaro.org Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit ec254dac7a40a64e0a02f4cad0c354566ae73311 Author: Mario Limonciello Date: Thu May 12 13:18:48 2022 -0500 HID: amd_sfh: Don't show client init failed as error when discovery fails [ Upstream commit e51d8d3ea3d773334d2c047c8d1623dba66f592a ] When sensor discovery fails, this means that the system doesn't have any sensors connected and a user should only be notified at most one time. A message is already displayed at WARN level of "failed to discover, sensors not enabled". It's pointless to show that the client init failed at ERR level for the same condition. Check the return code and don't display this message in those conditions. Fixes: b5d7f43e97da ("HID: amd_sfh: Add support for sensor discovery") Reported-by: David Chang Signed-off-by: Mario Limonciello Acked-by: Basavaraj Natikar Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit cee111db30dca4c0f43443252041970cc2b73901 Author: Jason A. Donenfeld Date: Tue Aug 2 14:56:12 2022 +0200 wireguard: allowedips: don't corrupt stack when detecting overflow [ Upstream commit c31b14d86dfe7174361e8c6e5df6c2c3a4d5918c ] In case push_rcu() and related functions are buggy, there's a WARN_ON(len >= 128), which the selftest tries to hit by being tricky. In case it is hit, we shouldn't corrupt the kernel's stack, though; otherwise it may be hard to even receive the report that it's buggy. So conditionalize the stack write based on that WARN_ON()'s return value. Note that this never *actually* happens anyway. The WARN_ON() in the first place is bounded by IS_ENABLED(DEBUG), and isn't expected to ever actually hit. This is just a debugging sanity check. Additionally, hoist the constant 128 into a named enum, MAX_ALLOWEDIPS_BITS, so that it's clear why this value is chosen. Suggested-by: Linus Torvalds Link: https://lore.kernel.org/all/CAHk-=wjJZGA6w_DxA+k7Ejbqsq+uGK==koPai3sqdsfJqemvag@mail.gmail.com/ Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 953e57179462109e779a70b8ac5ce3315fb0f13a Author: Jason A. Donenfeld Date: Tue Aug 2 14:56:10 2022 +0200 wireguard: ratelimiter: use hrtimer in selftest [ Upstream commit 151c8e499f4705010780189377f85b57400ccbf5 ] Using msleep() is problematic because it's compared against ratelimiter.c's ktime_get_coarse_boottime_ns(), which means on systems with slow jiffies (such as UML's forced HZ=100), the result is inaccurate. So switch to using schedule_hrtimeout(). However, hrtimer gives us access only to the traditional posix timers, and none of the _COARSE variants. So now, rather than being too imprecise like jiffies, it's too precise. One solution would be to give it a large "range" value, but this will still fire early on a loaded system. A better solution is to align the timeout to the actual coarse timer, and then round up to the nearest tick, plus change. So add the timeout to the current coarse time, and then schedule_hrtimer() until the absolute computed time. This should hopefully reduce flakes in CI as well. Note that we keep the retry loop in case the entire function is running behind, because the test could still be scheduled out, by either the kernel or by the hypervisor's kernel, in which case restarting the test and hoping to not be scheduled out still helps. Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Suggested-by: Thomas Gleixner Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 13bd914aee08425a6b7dcaa8affefa91adc42507 Author: Maxim Mikityanskiy Date: Fri Jul 29 15:13:56 2022 +0300 net/mlx5e: xsk: Discard unaligned XSK frames on striding RQ [ Upstream commit 8eaa1d110800fac050bab44001732747a1c39894 ] Striding RQ uses MTT page mapping, where each page corresponds to an XSK frame. MTT pages have alignment requirements, and XSK frames don't have any alignment guarantees in the unaligned mode. Frames with improper alignment must be discarded, otherwise the packet data will be written at a wrong address. Fixes: 282c0c798f8e ("net/mlx5e: Allow XSK frames smaller than a page") Signed-off-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Reviewed-by: Saeed Mahameed Reviewed-by: Maciej Fijalkowski Link: https://lore.kernel.org/r/20220729121356.3990867-1-maximmi@nvidia.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit af146dd5a20da35b243fc41900da259aff5cac41 Author: Maciej Żenczykowski Date: Sat Jul 30 16:01:13 2022 -0700 net: usb: make USB_RTL8153_ECM non user configurable [ Upstream commit f56530dcdb0684406661ac9f1accf48319d07600 ] This refixes: commit 7da17624e7948d5d9660b910f8079d26d26ce453 nt: usb: USB_RTL8153_ECM should not default to y In general, device drivers should not be enabled by default. which basically broke the commit it claimed to fix, ie: commit 657bc1d10bfc23ac06d5d687ce45826c760744f9 r8153_ecm: avoid to be prior to r8152 driver Avoid r8153_ecm is compiled as built-in, if r8152 driver is compiled as modules. Otherwise, the r8153_ecm would be used, even though the device is supported by r8152 driver. this commit amounted to: drivers/net/usb/Kconfig: +config USB_RTL8153_ECM + tristate "RTL8153 ECM support" + depends on USB_NET_CDCETHER && (USB_RTL8152 || USB_RTL8152=n) + default y + help + This option supports ECM mode for RTL8153 ethernet adapter, when + CONFIG_USB_RTL8152 is not set, or the RTL8153 device is not + supported by r8152 driver. drivers/net/usb/Makefile: -obj-$(CONFIG_USB_NET_CDCETHER) += cdc_ether.o r8153_ecm.o +obj-$(CONFIG_USB_NET_CDCETHER) += cdc_ether.o +obj-$(CONFIG_USB_RTL8153_ECM) += r8153_ecm.o And as can be seen it pulls a piece of the cdc_ether driver out into a separate config option to be able to make this piece modular in case cdc_ether is builtin, while r8152 is modular. While in general, device drivers should indeed not be enabled by default: this isn't a device driver per say, but rather this is support code for the CDCETHER (ECM) driver, and should thus be enabled if it is enabled. See also email thread at: https://www.spinics.net/lists/netdev/msg767649.html In: https://www.spinics.net/lists/netdev/msg768284.html Jakub wrote: And when we say "removed" we can just hide it from what's prompted to the user (whatever such internal options are called)? I believe this way we don't bring back Marek's complaint. Side note: these incorrect defaults will result in Android 13 on 5.15 GKI kernels lacking USB_RTL8153_ECM support while having USB_NET_CDCETHER (luckily we also have USB_RTL8150 and USB_RTL8152, so it's probably only an issue for very new RTL815x hardware with no native 5.15 driver). Fixes: 7da17624e7948d5d ("nt: usb: USB_RTL8153_ECM should not default to y") Cc: Geert Uytterhoeven Cc: Greg Kroah-Hartman Cc: Hayes Wang Cc: Jakub Kicinski Signed-off-by: Maciej Żenczykowski Link: https://lore.kernel.org/r/20220730230113.4138858-1-zenczykowski@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 5fb702d5fa1a0bc150abdb0528489e2885f82da2 Author: Hangyu Hua Date: Fri Jul 29 19:00:27 2022 +0800 dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock [ Upstream commit a41b17ff9dacd22f5f118ee53d82da0f3e52d5e3 ] In the case of sk->dccps_qpolicy == DCCPQ_POLICY_PRIO, dccp_qpolicy_full will drop a skb when qpolicy is full. And the lock in dccp_sendmsg is released before sock_alloc_send_skb and then relocked after sock_alloc_send_skb. The following conditions may lead dccp_qpolicy_push to add skb to an already full sk_write_queue: thread1--->lock thread1--->dccp_qpolicy_full: queue is full. drop a skb thread1--->unlock thread2--->lock thread2--->dccp_qpolicy_full: queue is not full. no need to drop. thread2--->unlock thread1--->lock thread1--->dccp_qpolicy_push: add a skb. queue is full. thread1--->unlock thread2--->lock thread2--->dccp_qpolicy_push: add a skb! thread2--->unlock Fix this by moving dccp_qpolicy_full. Fixes: b1308dc015eb ("[DCCP]: Set TX Queue Length Bounds via Sysctl") Signed-off-by: Hangyu Hua Link: https://lore.kernel.org/r/20220729110027.40569-1-hbh25y@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit abb489f0335db333002fa025e79377932f4127c5 Author: Jian Shen Date: Fri Jul 29 18:17:55 2022 +0800 net: ionic: fix error check for vlan flags in ionic_set_nic_features() [ Upstream commit a86e86db5e6d72c82724a63ca1c5293409a21518 ] The prototype of input features of ionic_set_nic_features() is netdev_features_t, but the vlan_flags is using the private definition of ionic drivers. It should use the variable ctx.cmd.lif_setattr.features, rather than features to check the vlan flags. So fixes it. Fixes: beead698b173 ("ionic: Add the basic NDO callbacks for netdev support") Signed-off-by: Jian Shen Signed-off-by: Guangbin Huang Acked-by: Shannon Nelson Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit d6b6604f85abb06cc4604596a6b901f291752ecd Author: Jian Shen Date: Fri Jul 29 18:17:54 2022 +0800 net: ice: fix error NETIF_F_HW_VLAN_CTAG_FILTER check in ice_vsi_sync_fltr() [ Upstream commit 7dc839fe47611e6995f370cae37b9797cf7d2672 ] vsi->current_netdev_flags is used store the current net device flags, not the active netdevice features. So it should use vsi->netdev->featurs, rather than vsi->current_netdev_flags to check NETIF_F_HW_VLAN_CTAG_FILTER. Fixes: 1babaf77f49d ("ice: Advertise 802.1ad VLAN filtering and offloads for PF netdev") Signed-off-by: Jian Shen Signed-off-by: Guangbin Huang Acked-by: Tony Nguyen Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit bd26a6f32a8f9ff267259f6d39835a7db75855f2 Author: Eric Dumazet Date: Fri Jul 29 09:12:32 2022 +0000 net: rose: fix netdev reference changes [ Upstream commit 931027820e4dafabc78aff82af59f8c1c4bd3128 ] Bernard reported that trying to unload rose module would lead to infamous messages: unregistered_netdevice: waiting for rose0 to become free. Usage count = xx This patch solves the issue, by making sure each socket referring to a netdevice holds a reference count on it, and properly releases it in rose_release(). rose_dev_first() is also fixed to take a device reference before leaving the rcu_read_locked section. Following patch will add ref_tracker annotations to ease future bug hunting. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Bernard Pidoux Signed-off-by: Eric Dumazet Tested-by: Bernard Pidoux Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 17297bf246c0d03fd28c887ed8d70da7b1bb03ed Author: Jakub Kicinski Date: Tue Jul 26 14:36:05 2022 -0700 netdevsim: Avoid allocation warnings triggered from user space [ Upstream commit d0b80a9edb1a029ff913e81b47540e57ad034329 ] We need to suppress warnings from sily map sizes. Also switch from GFP_USER to GFP_KERNEL_ACCOUNT, I'm pretty sure I misunderstood the flags when writing this code. Fixes: 395cacb5f1a0 ("netdevsim: bpf: support fake map offload") Reported-by: syzbot+ad24705d3fd6463b18c6@syzkaller.appspotmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220726213605.154204-1-kuba@kernel.org Signed-off-by: Sasha Levin commit 2eda04bd94741d4f6c904efb36dd061502b9bd3a Author: Przemyslaw Patynowski Date: Wed Jun 15 15:36:29 2022 +0200 iavf: Fix 'tc qdisc show' listing too many queues [ Upstream commit 93cb804edab1b9a5bb7bb7b6824012dbb20abf22 ] Fix tc qdisc show dev root displaying too many fq_codel qdiscs. tc_modify_qdisc, which is caller of ndo_setup_tc, expects driver to call netif_set_real_num_tx_queues, which prepares qdiscs. Without this patch, fq_codel qdiscs would not be adjusted to number of queues on VF. e.g.: tc qdisc show dev qdisc mq 0: root qdisc fq_codel 0: parent :4 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 qdisc fq_codel 0: parent :3 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 qdisc fq_codel 0: parent :2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 qdisc fq_codel 0: parent :1 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 tc qdisc add dev root mqprio num_tc 2 map 1 0 0 0 0 0 0 0 queues 1@0 1@1 hw 1 mode channel shaper bw_rlimit max_rate 5000Mbit 150Mbit tc qdisc show dev qdisc mqprio 8003: root tc 2 map 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 queues:(0:0) (1:1) mode:channel shaper:bw_rlimit max_rate:5Gbit 150Mbit qdisc fq_codel 0: parent 8003:4 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 qdisc fq_codel 0: parent 8003:3 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 qdisc fq_codel 0: parent 8003:2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 qdisc fq_codel 0: parent 8003:1 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 While after fix: tc qdisc add dev root mqprio num_tc 2 map 1 0 0 0 0 0 0 0 queues 1@0 1@1 hw 1 mode channel shaper bw_rlimit max_rate 5000Mbit 150Mbit tc qdisc show dev #should show 2, shows 4 qdisc mqprio 8004: root tc 2 map 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 queues:(0:0) (1:1) mode:channel shaper:bw_rlimit max_rate:5Gbit 150Mbit qdisc fq_codel 0: parent 8004:2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 qdisc fq_codel 0: parent 8004:1 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 Fixes: d5b33d024496 ("i40evf: add ndo_setup_tc callback to i40evf") Signed-off-by: Przemyslaw Patynowski Co-developed-by: Grzegorz Szczurek Signed-off-by: Grzegorz Szczurek Co-developed-by: Kiran Patil Signed-off-by: Kiran Patil Signed-off-by: Jedrzej Jagielski Tested-by: Bharathi Sreenivas Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 289ef53d71cad6d7a00369879092bec3b57974b6 Author: Przemyslaw Patynowski Date: Mon Jun 13 18:41:23 2022 -0400 iavf: Fix max_rate limiting [ Upstream commit ec60d54cb9a3d43a02c5612a03093c18233e6601 ] Fix max_rate option in TC, check for proper quanta boundaries. Check for minimum value provided and if it fits expected 50Mbps quanta. Without this patch, iavf could send settings for max_rate limiting that would be accepted from by PF even the max_rate option is less than expected 50Mbps quanta. It results in no rate limiting on traffic as rate limiting will be floored to 0. Example: tc qdisc add dev $vf root mqprio num_tc 3 map 0 2 1 queues \ 2@0 2@2 2@4 hw 1 mode channel shaper bw_rlimit \ max_rate 50Mbps 500Mbps 500Mbps Should limit TC0 to circa 50 Mbps tc qdisc add dev $vf root mqprio num_tc 3 map 0 2 1 queues \ 2@0 2@2 2@4 hw 1 mode channel shaper bw_rlimit \ max_rate 0Mbps 100Kbit 500Mbps Should return error Fixes: d5b33d024496 ("i40evf: add ndo_setup_tc callback to i40evf") Signed-off-by: Przemyslaw Patynowski Signed-off-by: Jun Zhang Tested-by: Bharathi Sreenivas Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 8a79ab5706ceb370a2e4d2c2963e813cabce8c3a Author: William Dean Date: Sat Jul 23 14:37:56 2022 +0800 wifi: rtw88: check the return value of alloc_workqueue() [ Upstream commit 42bbf810e155efc6129a3a648ae5300f00b79d7b ] The function alloc_workqueue() in rtw_core_init() can fail, but there is no check of its return value. To fix this bug, its return value should be checked with new error handling code. Fixes: fe101716c7c9d ("rtw88: replace tx tasklet with work queue") Reported-by: Hacash Robot Signed-off-by: William Dean Reviewed-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220723063756.2956189-1-williamsukatube@163.com Signed-off-by: Sasha Levin commit ece188f236db01f5f60f1bc578bde5af2a816db2 Author: Ido Schimmel Date: Thu Jul 28 14:45:33 2022 +0300 netdevsim: fib: Fix reference count leak on route deletion failure [ Upstream commit 180a6a3ee60a7cb69ed1232388460644f6a21f00 ] As part of FIB offload simulation, netdevsim stores IPv4 and IPv6 routes and holds a reference on FIB info structures that in turn hold a reference on the associated nexthop device(s). In the unlikely case where we are unable to allocate memory to process a route deletion request, netdevsim will not release the reference from the associated FIB info structure, thereby preventing the associated nexthop device(s) from ever being removed [1]. Fix this by scheduling a work item that will flush netdevsim's FIB table upon route deletion failure. This will cause netdevsim to release its reference from all the FIB info structures in its table. Reported by Lucas Leong of Trend Micro Zero Day Initiative. Fixes: 0ae3eb7b4611 ("netdevsim: fib: Perform the route programming in a non-atomic context") Signed-off-by: Ido Schimmel Reviewed-by: Amit Cohen Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit fb3ef2bad4cf1a818edb9e00bb9c234821dcd691 Author: Mike Manning Date: Mon Jul 25 19:14:42 2022 +0100 net: allow unbound socket for packets in VRF when tcp_l3mdev_accept set [ Upstream commit 944fd1aeacb627fa617f85f8e5a34f7ae8ea4d8e ] The commit 3c82a21f4320 ("net: allow binding socket in a VRF when there's an unbound socket") changed the inet socket lookup to avoid packets in a VRF from matching an unbound socket. This is to ensure the necessary isolation between the default and other VRFs for routing and forwarding. VRF-unaware processes running in the default VRF cannot access another VRF and have to be run with 'ip vrf exec '. This is to be expected with tcp_l3mdev_accept disabled, but could be reallowed when this sysctl option is enabled. So instead of directly checking dif and sdif in inet[6]_match, here call inet_sk_bound_dev_eq(). This allows a match on unbound socket for non-zero sdif i.e. for packets in a VRF, if tcp_l3mdev_accept is enabled. Fixes: 3c82a21f4320 ("net: allow binding socket in a VRF when there's an unbound socket") Signed-off-by: Mike Manning Link: https://lore.kernel.org/netdev/a54c149aed38fded2d3b5fdb1a6c89e36a083b74.camel@lasnet.de/ Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 00b9a51766c87917770797bc8467e736d6c2404e Author: Kai Ye Date: Thu Jul 21 10:18:31 2022 +0800 crypto: hisilicon/sec - fix auth key size error [ Upstream commit 45f5d0176d8426cc1ab0bab84fbd8ef5c57526c6 ] The authentication algorithm supports a maximum of 128-byte keys. The allocated key memory is insufficient. Fixes: 2f072d75d1ab ("crypto: hisilicon - Add aead support on SEC2") Signed-off-by: Kai Ye Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 0bab15d967f3e017f8ae71de868d697b48fcad87 Author: Pali Rohár Date: Tue Jul 19 09:54:03 2022 +0200 crypto: inside-secure - Add missing MODULE_DEVICE_TABLE for of [ Upstream commit fa4d57b85786ec0e16565c75a51c208834b0c24d ] Without MODULE_DEVICE_TABLE, crypto_safexcel.ko module is not automatically loaded on platforms where inside-secure crypto HW is specified in device tree (e.g. Armada 3720). So add missing MODULE_DEVICE_TABLE for of. Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver") Signed-off-by: Pali Rohár Acked-by: Marek Behún Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit afc385f3943ca1da36e2483cccd8a37a6fa69407 Author: Zhengchao Shao Date: Tue Jul 19 12:23:23 2022 +0800 crypto: hisilicon/hpre - don't use GFP_KERNEL to alloc mem during softirq [ Upstream commit 98dfa9343f37bdd4112966292751e3a93aaf2e56 ] The hpre encryption driver may be used to encrypt and decrypt packets during the rx softirq, it is not allowed to use GFP_KERNEL. Fixes: c8b4b477079d ("crypto: hisilicon - add HiSilicon HPRE accelerator") Signed-off-by: Zhengchao Shao Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 4294df1374450912b2f64ee3cf575069fc784679 Author: Eric Dumazet Date: Wed Jul 27 22:18:21 2022 -0700 ax25: fix incorrect dev_tracker usage [ Upstream commit d7c4c9e075f8cc6d88d277bc24e5d99297f03c06 ] While investigating a separate rose issue [1], and enabling CONFIG_NET_DEV_REFCNT_TRACKER=y, Bernard reported an orthogonal ax25 issue [2] An ax25_dev can be used by one (or many) struct ax25_cb. We thus need different dev_tracker, one per struct ax25_cb. After this patch is applied, we are able to focus on rose. [1] https://lore.kernel.org/netdev/fb7544a1-f42e-9254-18cc-c9b071f4ca70@free.fr/ [2] [ 205.798723] reference already released. [ 205.798732] allocated in: [ 205.798734] ax25_bind+0x1a2/0x230 [ax25] [ 205.798747] __sys_bind+0xea/0x110 [ 205.798753] __x64_sys_bind+0x18/0x20 [ 205.798758] do_syscall_64+0x5c/0x80 [ 205.798763] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 205.798768] freed in: [ 205.798770] ax25_release+0x115/0x370 [ax25] [ 205.798778] __sock_release+0x42/0xb0 [ 205.798782] sock_close+0x15/0x20 [ 205.798785] __fput+0x9f/0x260 [ 205.798789] ____fput+0xe/0x10 [ 205.798792] task_work_run+0x64/0xa0 [ 205.798798] exit_to_user_mode_prepare+0x18b/0x190 [ 205.798804] syscall_exit_to_user_mode+0x26/0x40 [ 205.798808] do_syscall_64+0x69/0x80 [ 205.798812] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 205.798827] ------------[ cut here ]------------ [ 205.798829] WARNING: CPU: 2 PID: 2605 at lib/ref_tracker.c:136 ref_tracker_free.cold+0x60/0x81 [ 205.798837] Modules linked in: rose netrom mkiss ax25 rfcomm cmac algif_hash algif_skcipher af_alg bnep snd_hda_codec_hdmi nls_iso8859_1 i915 rtw88_8821ce rtw88_8821c x86_pkg_temp_thermal rtw88_pci intel_powerclamp rtw88_core snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio coretemp snd_hda_intel kvm_intel snd_intel_dspcfg mac80211 snd_hda_codec kvm i2c_algo_bit drm_buddy drm_dp_helper btusb drm_kms_helper snd_hwdep btrtl snd_hda_core btbcm joydev crct10dif_pclmul btintel crc32_pclmul ghash_clmulni_intel mei_hdcp btmtk intel_rapl_msr aesni_intel bluetooth input_leds snd_pcm crypto_simd syscopyarea processor_thermal_device_pci_legacy sysfillrect cryptd intel_soc_dts_iosf snd_seq sysimgblt ecdh_generic fb_sys_fops rapl libarc4 processor_thermal_device intel_cstate processor_thermal_rfim cec snd_timer ecc snd_seq_device cfg80211 processor_thermal_mbox mei_me processor_thermal_rapl mei rc_core at24 snd intel_pch_thermal intel_rapl_common ttm soundcore int340x_thermal_zone video [ 205.798948] mac_hid acpi_pad sch_fq_codel ipmi_devintf ipmi_msghandler drm msr parport_pc ppdev lp parport ramoops pstore_blk reed_solomon pstore_zone efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid i2c_i801 i2c_smbus r8169 xhci_pci ahci libahci realtek lpc_ich xhci_pci_renesas [last unloaded: ax25] [ 205.798992] CPU: 2 PID: 2605 Comm: ax25ipd Not tainted 5.18.11-F6BVP #3 [ 205.798996] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CK3, BIOS 5.011 09/16/2020 [ 205.798999] RIP: 0010:ref_tracker_free.cold+0x60/0x81 [ 205.799005] Code: e8 d2 01 9b ff 83 7b 18 00 74 14 48 c7 c7 2f d7 ff 98 e8 10 6e fc ff 8b 7b 18 e8 b8 01 9b ff 4c 89 ee 4c 89 e7 e8 5d fd 07 00 <0f> 0b b8 ea ff ff ff e9 30 05 9b ff 41 0f b6 f7 48 c7 c7 a0 fa 4e [ 205.799008] RSP: 0018:ffffaf5281073958 EFLAGS: 00010286 [ 205.799011] RAX: 0000000080000000 RBX: ffff9a0bd687ebe0 RCX: 0000000000000000 [ 205.799014] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 00000000ffffffff [ 205.799016] RBP: ffffaf5281073a10 R08: 0000000000000003 R09: fffffffffffd5618 [ 205.799019] R10: 0000000000ffff10 R11: 000000000000000f R12: ffff9a0bc53384d0 [ 205.799022] R13: 0000000000000282 R14: 00000000ae000001 R15: 0000000000000001 [ 205.799024] FS: 0000000000000000(0000) GS:ffff9a0d0f300000(0000) knlGS:0000000000000000 [ 205.799028] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 205.799031] CR2: 00007ff6b8311554 CR3: 000000001ac10004 CR4: 00000000001706e0 [ 205.799033] Call Trace: [ 205.799035] [ 205.799038] ? ax25_dev_device_down+0xd9/0x1b0 [ax25] [ 205.799047] ? ax25_device_event+0x9f/0x270 [ax25] [ 205.799055] ? raw_notifier_call_chain+0x49/0x60 [ 205.799060] ? call_netdevice_notifiers_info+0x52/0xa0 [ 205.799065] ? dev_close_many+0xc8/0x120 [ 205.799070] ? unregister_netdevice_many+0x13d/0x890 [ 205.799073] ? unregister_netdevice_queue+0x90/0xe0 [ 205.799076] ? unregister_netdev+0x1d/0x30 [ 205.799080] ? mkiss_close+0x7c/0xc0 [mkiss] [ 205.799084] ? tty_ldisc_close+0x2e/0x40 [ 205.799089] ? tty_ldisc_hangup+0x137/0x210 [ 205.799092] ? __tty_hangup.part.0+0x208/0x350 [ 205.799098] ? tty_vhangup+0x15/0x20 [ 205.799103] ? pty_close+0x127/0x160 [ 205.799108] ? tty_release+0x139/0x5e0 [ 205.799112] ? __fput+0x9f/0x260 [ 205.799118] ax25_dev_device_down+0xd9/0x1b0 [ax25] [ 205.799126] ax25_device_event+0x9f/0x270 [ax25] [ 205.799135] raw_notifier_call_chain+0x49/0x60 [ 205.799140] call_netdevice_notifiers_info+0x52/0xa0 [ 205.799146] dev_close_many+0xc8/0x120 [ 205.799152] unregister_netdevice_many+0x13d/0x890 [ 205.799157] unregister_netdevice_queue+0x90/0xe0 [ 205.799161] unregister_netdev+0x1d/0x30 [ 205.799165] mkiss_close+0x7c/0xc0 [mkiss] [ 205.799170] tty_ldisc_close+0x2e/0x40 [ 205.799173] tty_ldisc_hangup+0x137/0x210 [ 205.799178] __tty_hangup.part.0+0x208/0x350 [ 205.799184] tty_vhangup+0x15/0x20 [ 205.799188] pty_close+0x127/0x160 [ 205.799193] tty_release+0x139/0x5e0 [ 205.799199] __fput+0x9f/0x260 [ 205.799203] ____fput+0xe/0x10 [ 205.799208] task_work_run+0x64/0xa0 [ 205.799213] do_exit+0x33b/0xab0 [ 205.799217] ? __handle_mm_fault+0xc4f/0x15f0 [ 205.799224] do_group_exit+0x35/0xa0 [ 205.799228] __x64_sys_exit_group+0x18/0x20 [ 205.799232] do_syscall_64+0x5c/0x80 [ 205.799238] ? handle_mm_fault+0xba/0x290 [ 205.799242] ? debug_smp_processor_id+0x17/0x20 [ 205.799246] ? fpregs_assert_state_consistent+0x26/0x50 [ 205.799251] ? exit_to_user_mode_prepare+0x49/0x190 [ 205.799256] ? irqentry_exit_to_user_mode+0x9/0x20 [ 205.799260] ? irqentry_exit+0x33/0x40 [ 205.799263] ? exc_page_fault+0x87/0x170 [ 205.799268] ? asm_exc_page_fault+0x8/0x30 [ 205.799273] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 205.799277] RIP: 0033:0x7ff6b80eaca1 [ 205.799281] Code: Unable to access opcode bytes at RIP 0x7ff6b80eac77. [ 205.799283] RSP: 002b:00007fff6dfd4738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 205.799287] RAX: ffffffffffffffda RBX: 00007ff6b8215a00 RCX: 00007ff6b80eaca1 [ 205.799290] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 205.799293] RBP: 0000000000000001 R08: ffffffffffffff80 R09: 0000000000000028 [ 205.799295] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff6b8215a00 [ 205.799298] R13: 0000000000000000 R14: 00007ff6b821aee8 R15: 00007ff6b821af00 [ 205.799304] Fixes: feef318c855a ("ax25: fix UAF bugs of net_device caused by rebinding operation") Reported-by: Bernard F6BVP Signed-off-by: Eric Dumazet Cc: Duoming Zhou Link: https://lore.kernel.org/r/20220728051821.3160118-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e43f83cea9b46538ac5a2aa5fa226279788a2389 Author: Shay Drory Date: Mon Jun 27 16:05:31 2022 +0300 net/mlx5: Fix driver use of uninitialized timeout [ Upstream commit 42b4f7f66a43cdb9216e76e595c8a9af154806da ] Currently, driver is setting default values to all timeouts during function setup. The offending commit is using a timeout before function setup, meaning: the timeout is 0 (or garbage), since no value have been set. This may result in failure to probe the driver: mlx5_function_setup:1034:(pid 69850): Firmware over 4294967296 MS in pre-initializing state, aborting probe_one:1591:(pid 69850): mlx5_init_one failed with error code -16 Hence, set default values to timeouts during tout_init() Fixes: 37ca95e62ee2 ("net/mlx5: Increase FW pre-init timeout for health recovery") Signed-off-by: Shay Drory Reviewed-by: Moshe Shemesh Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 5097042888bbacc7ca78f8af524ff1fbd8d907e9 Author: Yevgeny Kliteynik Date: Mon Jul 25 00:06:12 2022 +0300 net/mlx5: DR, Fix SMFS steering info dump format [ Upstream commit 62d2664351ef37da34f6f3a3fd8ab34257d6fe30 ] Fix several issues in SMFS steering info dump: - Fix outdated macro value for matcher mask in the SMFS debug dump format. The existing value denotes the old format of the matcher mask, as it was used during the early stages of development, and it results in wrong parsing by the steering dump parser - wrong fields are shown in the parsed output. - Add the missing destination table to the dumped action. The missing dest table handle breaks the ability to associate between the "go to table" action and the actual table in the steering info. Fixes: 9222f0b27da2 ("net/mlx5: DR, Add support for dumping steering info") Signed-off-by: Yevgeny Kliteynik Signed-off-by: Muhammad Sammar Reviewed-by: Alex Vesker Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit b04871077d26a64175fbcbc9664f30a27ab12c70 Author: Maher Sanalla Date: Sun Jul 24 11:28:21 2022 +0300 net/mlx5: Adjust log_max_qp to be 18 at most [ Upstream commit a6e9085d791f8306084fd5bc44dd3fdd4e1ac27b ] The cited commit limited log_max_qp to be 17 due to FW capabilities. Recently, it turned out that there are old FW versions that supported more than 17, so the cited commit caused a degradation. Thus, set the maximum log_max_qp back to 18 as it was before the cited commit. Fixes: 7f839965b2d7 ("net/mlx5: Update log_max_qp value to be 17 at most") Signed-off-by: Maher Sanalla Reviewed-by: Maor Gottlieb Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 0edd855cde3da5ef3267516f2acdb18589ef8ed7 Author: Vlad Buslov Date: Thu Jul 7 21:49:18 2022 +0200 net/mlx5e: Modify slow path rules to go to slow fdb [ Upstream commit c0063a43700fa8c98cac2637aa1afcf40bb9e403 ] While extending available range of supported chains/prios referenced commit also modified slow path rules to go to FT chain instead of actual slow FDB. However neither of existing users of the MLX5_ATTR_FLAG_SLOW_PATH flag (tunnel encap entries with invalid encap and flows with trap action) need to match on FT chain. After bridge offload was implemented packets of such flows can also be matched by bridge priority tables which is undesirable. Restore slow path flows implementation to redirect packets to slow_fdb. Fixes: 278d51f24330 ("net/mlx5: E-Switch, Increase number of chains and priorities") Signed-off-by: Vlad Buslov Reviewed-by: Roi Dayan Reviewed-by: Paul Blakey Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 57dd18ed74e9ef298b262d7ce5441ba38ce918ec Author: Maxim Mikityanskiy Date: Thu Jun 2 15:14:08 2022 +0300 net/mlx5e: Fix calculations related to max MPWQE size [ Upstream commit 677e78c8d44f326a73a77d71acf3a49ea562c1d9 ] Before commit 76c31e5f7585 ("net/mlx5e: Use FW limitation for max MPW WQEBBs"), the maximum size of MPWQE in WQEBBs was hardcoded as a driver constant. That commit started using the firmware capability that can further limit the size, however, it unintentionally changed a few things: 1. The calculation of MLX5E_MAX_KLM_PER_WQE used the size in DS, which was replaced by the size in WQEBBs, making the resulting value 4 times smaller. 2. MLX5E_TX_MPW_MAX_WQEBBS used to be aligned to the cache line size (either 64 or 128 bytes, i.e. 1 or 2 WQEBBs), but it's no longer the case if the firmware capability is smaller than the driver maximum. Fix both issues by using the correct units for MLX5E_MAX_KLM_PER_WQE and by aligning mlx5e_get_sw_max_sq_mpw_wqebbs after taking the minimum. Besides fixing the arithmetics in calculation of MLX5E_MAX_KLM_PER_WQE, also use appropriate constants: `size of BSF * num of DS per WQEBB * number of WQEBBs` (the calculation before the blamed commit) doesn't make much sense to calculate the WQE size in bytes, so just use `size of WQEBB * number of WQEBBs`. While at it, replace the types that hold the number of WQEBBs by u8. These values don't exceed 16, and it allows to fill holes in two structs. Fixes: 76c31e5f7585 ("net/mlx5e: Use FW limitation for max MPW WQEBBs") Signed-off-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit e68e4ca1df01657bda21ed0684d6dc81f47f2a36 Author: Maxim Mikityanskiy Date: Mon May 30 21:06:03 2022 +0300 net/mlx5e: xsk: Account for XSK RQ UMRs when calculating ICOSQ size [ Upstream commit 52586d2f56b3e4f528ca7268d65074e92c936681 ] ICOSQ is used to post UMR WQEs for both regular RQ and XSK RQ. However, space in ICOSQ is reserved only for the regular RQ, which may cause ICOSQ overflows when using XSK (the most risk is on activating channels). This commit fixes the issue by reserving space for XSK UMR WQEs as well. As XSK may be enabled without restarting the channel and recreating the ICOSQ, this space is reserved unconditionally. Fixes: db05815b36cb ("net/mlx5e: Add XSK zero-copy support") Signed-off-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 0582154d7ce0b7f5193f382740eb64658f7f7718 Author: Maxim Mikityanskiy Date: Thu May 26 16:48:47 2022 +0300 net/mlx5e: Fix the value of MLX5E_MAX_RQ_NUM_MTTS [ Upstream commit 562696c3c62c7c23dd896e9447252ce9268cb812 ] MLX5E_MAX_RQ_NUM_MTTS should be the maximum value, so that MLX5_MTT_OCTW(MLX5E_MAX_RQ_NUM_MTTS) fits into u16. The current value of 1 << 17 results in MLX5_MTT_OCTW(1 << 17) = 1 << 16, which doesn't fit into u16. This commit replaces it with the maximum value that still fits u16. Fixes: 73281b78a37a ("net/mlx5e: Derive Striding RQ size from MTU") Signed-off-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit b84eb73fd8992a142113741abd4784c454605c75 Author: Maor Dickman Date: Mon Jul 18 09:44:13 2022 +0300 net/mlx5e: TC, Fix post_act to not match on in_port metadata [ Upstream commit 903f2194f74bbd289f3170114035d472a36a8ab4 ] The cited commit changed CT to use multi table actions post act infrastructure instead of using it own post act infrastructure, this broke decap during VF tunnel offload (Stack devices) with CT due to wrong match on in_port metadata in the post act table. This changed only broke VF tunnel offload because it modify the packet in_port metadata to be VF metadata and it isn't propagate the post act creation. Fixed by modify post act rules to match only on fte_id and not match on in_port metadata which isn't needed. Fixes: a81283263bb0 ("net/mlx5e: Use multi table support for CT and sample actions") Signed-off-by: Maor Dickman Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 625fd7aebe64c7dbd357f837be3f1b7d6e6bb460 Author: Gal Pressman Date: Wed Jul 13 13:57:03 2022 +0300 net/mlx5e: Remove WARN_ON when trying to offload an unsupported TLS cipher/version [ Upstream commit 115d9f95ea7ab780ef315dc356bebba2e07cb731 ] The driver reports whether TX/RX TLS device offloads are supported, but not which ciphers/versions, these should be handled by returning -EOPNOTSUPP when .tls_dev_add() is called. Remove the WARN_ON kernel trace when the driver gets a request to offload a cipher/version that is not supported as it is expected. Fixes: d2ead1f360e8 ("net/mlx5e: Add kTLS TX HW offload support") Signed-off-by: Gal Pressman Reviewed-by: Tariq Toukan Reviewed-by: Maxim Mikityanskiy Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit d080c5c5483960e229b57cee6e3d4f06a3ffd83c Author: Dan Carpenter Date: Tue Jul 26 18:15:31 2022 +0300 drm/amd/display: fix signedness bug in execute_synaptics_rc_command() [ Upstream commit 06ac561fb0edf868f7b292fb4a3c8ffbbb1e14bb ] The "ret" variable needs to be signed for the error handling to work. Fixes: 2ca97adccdc9 ("drm/amd/display: Add Synaptics Fifo Reset Workaround") Signed-off-by: Dan Carpenter Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 7e48502e84fce4877a775ab62a128689fd3f5d8a Author: Ezequiel Garcia Date: Mon Jul 18 18:41:23 2022 -0300 hantro: Remove incorrect HEVC SPS validation [ Upstream commit df9ec2fc8e70e01532fd9161cd98711969561ff6 ] Currently, the driver tries to validat the HEVC SPS against the CAPTURE queue format (i.e. the decoded format). This is not correct, because typically the SPS control is set before the CAPTURE queue is negotiated. Fixes: 135ad96cb4d6b ("media: hantro: Be more accurate on pixel formats step_width constraints") Signed-off-by: Ezequiel Garcia Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 4f8e08e88e145e5c915e705d1df2f130eeece02a Author: Jernej Skrabec Date: Mon Jul 18 18:56:49 2022 +0200 media: cedrus: hevc: Add check for invalid timestamp [ Upstream commit 143201a6435bf65f0115435e9dc6d95c66b908e9 ] Not all DPB entries will be used most of the time. Unused entries will thus have invalid timestamps. They will produce negative buffer index which is not specifically handled. This works just by chance in current code. It will even produce bogus pointer, but since it's not used, it won't do any harm. Let's fix that brittle design by skipping writing DPB entry altogether if timestamp is invalid. Fixes: 86caab29da78 ("media: cedrus: Add HEVC/H.265 decoding support") Signed-off-by: Jernej Skrabec Reviewed-by: Ezequiel Garcia Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 5b92f406a5199b6b01dc664b9226d824ae2835f0 Author: Hangyu Hua Date: Mon Jun 20 17:23:50 2022 +0800 wifi: libertas: Fix possible refcount leak in if_usb_probe() [ Upstream commit 6fd57e1d120bf13d4dc6c200a7cf914e6347a316 ] usb_get_dev will be called before lbs_get_firmware_async which means that usb_put_dev need to be called when lbs_get_firmware_async fails. Fixes: ce84bb69f50e ("libertas USB: convert to asynchronous firmware loading") Signed-off-by: Hangyu Hua Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220620092350.39960-1-hbh25y@gmail.com Link: https://lore.kernel.org/r/20220622113402.16969-1-colin.i.king@gmail.com Signed-off-by: Sasha Levin commit 182d3c1385f44ba7c508bf5b1292a7fe96ad4e9e Author: Jose Ignacio Tornos Martinez Date: Tue Jul 19 17:35:42 2022 +0200 wifi: iwlwifi: mvm: fix double list_add at iwl_mvm_mac_wake_tx_queue [ Upstream commit 14a3aacf517a9de725dd3219dbbcf741e31763c4 ] After successfull station association, if station queues are disabled for some reason, the related lists are not emptied. So if some new element is added to the list in iwl_mvm_mac_wake_tx_queue, it can match with the old one and produce a BUG like this: [ 46.535263] list_add corruption. prev->next should be next (ffff94c1c318a360), but was 0000000000000000. (prev=ffff94c1d02d3388). [ 46.535283] ------------[ cut here ]------------ [ 46.535284] kernel BUG at lib/list_debug.c:26! [ 46.535290] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 46.585304] CPU: 0 PID: 623 Comm: wpa_supplicant Not tainted 5.19.0-rc3+ #1 [ 46.592380] Hardware name: Dell Inc. Inspiron 660s/0478VN , BIOS A07 08/24/2012 [ 46.600336] RIP: 0010:__list_add_valid.cold+0x3d/0x3f [ 46.605475] Code: f2 4c 89 c1 48 89 fe 48 c7 c7 c8 40 67 93 e8 20 cc fd ff 0f 0b 48 89 d1 4c 89 c6 4c 89 ca 48 c7 c7 70 40 67 93 e8 09 cc fd ff <0f> 0b 48 89 fe 48 c7 c7 00 41 67 93 e8 f8 cb fd ff 0f 0b 48 89 d1 [ 46.624469] RSP: 0018:ffffb20800ab76d8 EFLAGS: 00010286 [ 46.629854] RAX: 0000000000000075 RBX: ffff94c1c318a0e0 RCX: 0000000000000000 [ 46.637105] RDX: 0000000000000201 RSI: ffffffff9365e100 RDI: 00000000ffffffff [ 46.644356] RBP: ffff94c1c5f43370 R08: 0000000000000075 R09: 3064316334396666 [ 46.651607] R10: 3364323064316334 R11: 39666666663d7665 R12: ffff94c1c5f43388 [ 46.658857] R13: ffff94c1d02d3388 R14: ffff94c1c318a360 R15: ffff94c1cf2289c0 [ 46.666108] FS: 00007f65634ff7c0(0000) GS:ffff94c1da200000(0000) knlGS:0000000000000000 [ 46.674331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 46.680170] CR2: 00007f7dfe984460 CR3: 000000010e894003 CR4: 00000000000606f0 [ 46.687422] Call Trace: [ 46.689906] [ 46.691950] iwl_mvm_mac_wake_tx_queue+0xec/0x15c [iwlmvm] [ 46.697601] ieee80211_queue_skb+0x4b3/0x720 [mac80211] [ 46.702973] ? sta_info_get+0x46/0x60 [mac80211] [ 46.707703] ieee80211_tx+0xad/0x110 [mac80211] [ 46.712355] __ieee80211_tx_skb_tid_band+0x71/0x90 [mac80211] ... In order to avoid this problem, we must also remove the related lists when station queues are disabled. Fixes: cfbc6c4c5b91c ("iwlwifi: mvm: support mac80211 TXQs model") Reported-by: Takayuki Nagata Reported-by: Petr Stourac Tested-by: Petr Stourac Signed-off-by: Jose Ignacio Tornos Martinez Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220719153542.81466-1-jtornosm@redhat.com Signed-off-by: Sasha Levin commit 409bd72e544fdf4809ea0dac337bb5a1f11a25a9 Author: Ammar Faizi Date: Mon Jul 25 20:49:11 2022 +0300 wifi: wil6210: debugfs: fix uninitialized variable use in `wil_write_file_wmi()` [ Upstream commit d578e0af3a003736f6c440188b156483d451b329 ] Commit 7a4836560a61 changes simple_write_to_buffer() with memdup_user() but it forgets to change the value to be returned that came from simple_write_to_buffer() call. It results in the following warning: warning: variable 'rc' is uninitialized when used here [-Wuninitialized] return rc; ^~ Remove rc variable and just return the passed in length if the memdup_user() succeeds. Cc: Dan Carpenter Reported-by: kernel test robot Fixes: 7a4836560a6198d245d5732e26f94898b12eb760 ("wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi()") Fixes: ff974e4083341383d3dd4079e52ed30f57f376f0 ("wil6210: debugfs interface to send raw WMI command") Signed-off-by: Ammar Faizi Reviewed-by: Dan Carpenter Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220724202452.61846-1-ammar.faizi@intel.com Signed-off-by: Sasha Levin commit e52d86e075ad72a54ebd0dab7746b21a4760b37b Author: Manikanta Pubbisetty Date: Mon Jul 25 20:49:10 2022 +0300 wifi: ath11k: Fix register write failure on QCN9074 [ Upstream commit 867f4eeee862d6568a0f142d6a38f8bb724ff80e ] Commit 56c8ccf331bd ("ath11k: Add register access logic for WCN6750") regressed QCN9074. With the above mentioned commit, writes are failing for some registers on QCN9074 although the device seems to work normally. ath11k_pci 0000:03:00.0: failed to set pcie link register0x01e0e0a8: 0xffffffff != 0x00000010 ath11k_pci 0000:03:00.0: failed to set sysclk: -110 PCIe devices in ath11k (QCA6390, WCN6855, QCN9074, WCN6750) use window concept for register accesses. There are two schemes, dynamic & static window. In dynamic window scheme, a single window(region in the BAR) is mapped either to CE or DP register windows at any give time. QCA6390 & WCN6855 follow this scheme for register accesses. In static window scheme, CE & DP register windows are statically mapped to separate regions with in the BAR so that there is no switching of register windows between CE & DP register accesses. QCN9074 & WCN6750 follow this scheme although the window start offsets are different for QCN9074 & WCN6750. QCN9074 uses 3rd & 2nd window for DP & CE register accesses respectively whereas WCN6750 uses 1st & 2nd window for DP & CE. In QCN9074, along with 2nd & 3rd windows, 1st window is also used for certain configurations which commit 56c8ccf331bd ("ath11k: Add register access logic for WCN6750") did not account for and hence the regression. Fix this by going back to the original way of accessing the registers on QCN9074. Since this diverges from WCN6750 way of accessing registers, it is required to register window_read32/window_write32() pci_ops for WCN6750. We can also get rid of dp_window_idx & ce_window_idx members in hw_params, so remove them. Also add a new API ath11k_pcic_register_pci_ops() for registering pci_ops to the ath11k core. This API checks for mandatory pci_ops() and reports error if those are missing. Also initialize unused pci_ops to NULL. Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-00887-QCAMSLSWPLZ-1 Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1 Fixes: 56c8ccf331bd ("ath11k: Add register access logic for WCN6750") Reported-by: Maxime Bizon Tested-by: Maxime Bizon Signed-off-by: Manikanta Pubbisetty Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220608062954.27792-1-quic_mpubbise@quicinc.com Signed-off-by: Sasha Levin commit e6cf801a5d80da6f5bb7b781708827779794cde3 Author: Liang He Date: Fri Jul 22 09:24:01 2022 +0800 i2c: mux-gpmux: Add of_node_put() when breaking out of loop [ Upstream commit 6435319c34704994e19b0767f6a4e6f37439867b ] In i2c_mux_probe(), we should call of_node_put() when breaking out of for_each_child_of_node() which will automatically increase and decrease the refcount. Fixes: ac8498f0ce53 ("i2c: i2c-mux-gpmux: new driver") Signed-off-by: Liang He Acked-by: Peter Rosin Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 7d68cf80fc6de6ff73bd9a22a45546f949a60495 Author: Joanne Koong Date: Fri Jul 22 15:01:05 2022 -0700 bpf: Fix bpf_xdp_pointer return pointer [ Upstream commit bbd52178e249fe893ef4a9b87cde5b6c473b0a7c ] For the case where offset + len == size, bpf_xdp_pointer should return a valid pointer to the addr because that access is permitted. We should only return NULL in the case where offset + len exceeds size. Fixes: 3f364222d032 ("net: xdp: introduce bpf_xdp_pointer utility routine") Signed-off-by: Joanne Koong Signed-off-by: Daniel Borkmann Acked-by: Martin KaFai Lau Acked-by: Lorenzo Bianconi Link: https://lore.kernel.org/bpf/20220722220105.2065466-1-joannelkoong@gmail.com Signed-off-by: Sasha Levin commit 51622648d65875765f2ab12710f417476cac3be8 Author: Paul Chaignon Date: Mon Jul 25 16:32:34 2022 +0200 bpf: Set flow flag to allow any source IP in bpf_tunnel_key [ Upstream commit b8fff748521c7178b9a7d32b5a34a81cec8396f3 ] Commit 26101f5ab6bd ("bpf: Add source ip in "struct bpf_tunnel_key"") added support for getting and setting the outer source IP of encapsulated packets via the bpf_skb_{get,set}_tunnel_key BPF helper. This change allows BPF programs to set any IP address as the source, including for example the IP address of a container running on the same host. In that last case, however, the encapsulated packets are dropped when looking up the route because the source IP address isn't assigned to any interface on the host. To avoid this, we need to set the FLOWI_FLAG_ANYSRC flag. Fixes: 26101f5ab6bd ("bpf: Add source ip in "struct bpf_tunnel_key"") Signed-off-by: Paul Chaignon Signed-off-by: Daniel Borkmann Reviewed-by: Nikolay Aleksandrov Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/76873d384e21288abe5767551a0799ac93ec07fb.1658759380.git.paul@isovalent.com Signed-off-by: Sasha Levin commit 6bfa46d718db2efd446280c7f1f093598670a543 Author: Paul Chaignon Date: Mon Jul 25 16:31:37 2022 +0200 ip_tunnels: Add new flow flags field to ip_tunnel_key [ Upstream commit 451ef36bd229f8aa329cb2258a859b4c636d08ef ] This commit extends the ip_tunnel_key struct with a new field for the flow flags, to pass them to the route lookups. This new field will be populated and used in subsequent commits. Signed-off-by: Paul Chaignon Signed-off-by: Daniel Borkmann Reviewed-by: Nikolay Aleksandrov Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/f8bfd4983bd06685a59b1e3ba76ca27496f51ef3.1658759380.git.paul@isovalent.com Signed-off-by: Sasha Levin commit 7470f4a1c204493f60444330b74a3ac948458a64 Author: Qu Wenruo Date: Wed Jun 1 13:54:28 2022 +0800 btrfs: update stripe_sectors::uptodate in steal_rbio [ Upstream commit 4d10046613333508d31fe926c545c8c0b620508a ] [BUG] With added debugging, it turns out the following write sequence would cause extra read which is unnecessary: # xfs_io -f -s -c "pwrite -b 32k 0 32k" -c "pwrite -b 32k 32k 32k" \ -c "pwrite -b 32k 64k 32k" -c "pwrite -b 32k 96k 32k" \ $mnt/file The debug message looks like this (btrfs header skipped): partial rmw, full stripe=389152768 opf=0x0 devid=3 type=1 offset=32768 physical=323059712 len=32768 partial rmw, full stripe=389152768 opf=0x0 devid=1 type=2 offset=0 physical=67174400 len=65536 full stripe rmw, full stripe=389152768 opf=0x1 devid=3 type=1 offset=0 physical=323026944 len=32768 full stripe rmw, full stripe=389152768 opf=0x1 devid=2 type=-1 offset=0 physical=323026944 len=32768 partial rmw, full stripe=298844160 opf=0x0 devid=1 type=1 offset=32768 physical=22052864 len=32768 partial rmw, full stripe=298844160 opf=0x0 devid=2 type=2 offset=0 physical=277872640 len=65536 full stripe rmw, full stripe=298844160 opf=0x1 devid=1 type=1 offset=0 physical=22020096 len=32768 full stripe rmw, full stripe=298844160 opf=0x1 devid=3 type=-1 offset=0 physical=277872640 len=32768 partial rmw, full stripe=389152768 opf=0x0 devid=3 type=1 offset=0 physical=323026944 len=32768 partial rmw, full stripe=389152768 opf=0x0 devid=1 type=2 offset=0 physical=67174400 len=65536 ^^^^ Still partial read, even 389152768 is already cached by the first. write. full stripe rmw, full stripe=389152768 opf=0x1 devid=3 type=1 offset=32768 physical=323059712 len=32768 full stripe rmw, full stripe=389152768 opf=0x1 devid=2 type=-1 offset=32768 physical=323059712 len=32768 partial rmw, full stripe=298844160 opf=0x0 devid=1 type=1 offset=0 physical=22020096 len=32768 partial rmw, full stripe=298844160 opf=0x0 devid=2 type=2 offset=0 physical=277872640 len=65536 ^^^^ Still partial read for 298844160. full stripe rmw, full stripe=298844160 opf=0x1 devid=1 type=1 offset=32768 physical=22052864 len=32768 full stripe rmw, full stripe=298844160 opf=0x1 devid=3 type=-1 offset=32768 physical=277905408 len=32768 This means every 32K writes, even they are in the same full stripe, still trigger read for previously cached data. This would cause extra RAID56 IO, making the btrfs raid56 cache useless. [CAUSE] Commit d4e28d9b5f04 ("btrfs: raid56: make steal_rbio() subpage compatible") tries to make steal_rbio() subpage compatible, but during that conversion, there is one thing missing. We no longer rely on PageUptodate(rbio->stripe_pages[i]), but rbio->stripe_nsectors[i].uptodate to determine if a sector is uptodate. This means, previously if we switch the pointer, everything is done, as the PageUptodate flag is still bound to that page. But now we have to manually mark the involved sectors uptodate, or later raid56_rmw_stripe() will find the stolen sector is not uptodate, and assemble the read bio for it, wasting IO. [FIX] We can easily fix the bug, by also update the rbio->stripe_sectors[].uptodate in steal_rbio(). With this fixed, now the same write pattern no longer leads to the same unnecessary read: partial rmw, full stripe=389152768 opf=0x0 devid=3 type=1 offset=32768 physical=323059712 len=32768 partial rmw, full stripe=389152768 opf=0x0 devid=1 type=2 offset=0 physical=67174400 len=65536 full stripe rmw, full stripe=389152768 opf=0x1 devid=3 type=1 offset=0 physical=323026944 len=32768 full stripe rmw, full stripe=389152768 opf=0x1 devid=2 type=-1 offset=0 physical=323026944 len=32768 partial rmw, full stripe=298844160 opf=0x0 devid=1 type=1 offset=32768 physical=22052864 len=32768 partial rmw, full stripe=298844160 opf=0x0 devid=2 type=2 offset=0 physical=277872640 len=65536 full stripe rmw, full stripe=298844160 opf=0x1 devid=1 type=1 offset=0 physical=22020096 len=32768 full stripe rmw, full stripe=298844160 opf=0x1 devid=3 type=-1 offset=0 physical=277872640 len=32768 ^^^ No more partial read, directly into the write path. full stripe rmw, full stripe=389152768 opf=0x1 devid=3 type=1 offset=32768 physical=323059712 len=32768 full stripe rmw, full stripe=389152768 opf=0x1 devid=2 type=-1 offset=32768 physical=323059712 len=32768 full stripe rmw, full stripe=298844160 opf=0x1 devid=1 type=1 offset=32768 physical=22052864 len=32768 full stripe rmw, full stripe=298844160 opf=0x1 devid=3 type=-1 offset=32768 physical=277905408 len=32768 Fixes: d4e28d9b5f04 ("btrfs: raid56: make steal_rbio() subpage compatible") Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit d238ff89bc196d3373e22770923a0ad72db8c81c Author: Bjorn Andersson Date: Sat Jul 16 20:50:25 2022 -0700 i2c: qcom-geni: Use the correct return value [ Upstream commit b3f0ceb7c2037c6e3affd7d9c84ac5f97af7a5b5 ] The introduction of GPI support moved things around and instead of returning the result from geni_i2c_xfer() the number of messages in the request was returned, ignoring the actual result. Fix this. Fixes: d8703554f4de ("i2c: qcom-geni: Add support for GPI DMA") Signed-off-by: Bjorn Andersson Reviewed-by: Andrew Halaney Reviewed-by: Vinod Koul Reviewed-by: Johan Hovold Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit e2c9b875ba1aa616e0d887734307bee63e08a7cd Author: Lars-Peter Clausen Date: Sun Jul 17 16:52:44 2022 +0200 i2c: cadence: Support PEC for SMBus block read [ Upstream commit 9fdf6d97f03035ad5298e2d1635036c74c2090ed ] SMBus packet error checking (PEC) is implemented by appending one additional byte of checksum data at the end of the message. This provides additional protection and allows to detect data corruption on the I2C bus. SMBus block reads support variable length reads. The first byte in the read message is the number of available data bytes. The combination of PEC and block read is currently not supported by the Cadence I2C driver. * When PEC is enabled the maximum transfer length for block reads increases from 33 to 34 bytes. * The I2C core smbus emulation layer relies on the driver updating the `i2c_msg` `len` field with the number of received bytes. The updated length is used when checking the PEC. Add support to the Cadence I2C driver for handling SMBus block reads with PEC. To determine the maximum transfer length uses the initial `len` value of the `i2c_msg`. When PEC is enabled this will be 2, when it is disabled it will be 1. Once a read transfer is done also increment the `len` field by the amount of received data bytes. This change has been tested with a UCM90320 PMBus power monitor, which requires block reads to access certain data fields, but also has PEC enabled by default. Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller") Signed-off-by: Lars-Peter Clausen Tested-by: Shubhrajyoti Datta Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit c56eb69b46b5ea402e4a4b3b4bb2740c499edf56 Author: Ying Hsu Date: Mon Jul 4 18:33:24 2022 +0800 Bluetooth: Add default wakeup callback for HCI UART driver [ Upstream commit bee5395ced44c5a312348557eb2dfb0c2a7bfaa2 ] Bluetooth HCI devices indicate if they are able to wakeup in the wakeup callback since 'commit 4539ca67fe8e ("Bluetooth: Rename driver .prevent_wake to .wakeup")'. This patch adds a default wakeup callback for Bluetooth HCI UAR devices. It assumes Bluetooth HCI UART devices are wakeable for backward compatibility. For those who need a customized behavior, one can override it before calling hci_uart_register_device(). Fixes: 4539ca67fe8e ("Bluetooth: Rename driver .prevent_wake to .wakeup") Signed-off-by: Ying Hsu Reviewed-by: Alain Michaud Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 9f923a641731bd4e2e82b743e46d041ced5694f8 Author: Luiz Augusto von Dentz Date: Wed Jul 13 17:12:14 2022 -0700 Bluetooth: hci_sync: Fix not updating privacy_mode [ Upstream commit 0900b1c62f43e495d04ca4bebdf80b34f3c12432 ] When programming a new entry into the resolving list it shall default to network mode since the params may contain the mode programmed when the device was last added to the resolving list. Link: https://bugzilla.kernel.org/show_bug.cgi?id=209745 Fixes: 853b70b506a20 ("Bluetooth: hci_sync: Set Privacy Mode when updating the resolving list") Signed-off-by: Luiz Augusto von Dentz Tested-by: Zhengping Jiang Signed-off-by: Sasha Levin commit 8f3402853dc24153cb441c7db96504cc0129291b Author: Zhengping Jiang Date: Mon Jul 11 17:05:30 2022 -0700 Bluetooth: hci_sync: Fix resuming scan after suspend resume [ Upstream commit 68253f3cd715e819bc4bff2b0e6b21234e259d56 ] After resuming, remove setting scanning_paused to false, because it is checked and set to false in hci_resume_scan_sync. Also move setting the value to false before updating passive scan, because the value is used when resuming passive scan. Fixes: 3b42055388c30 (Bluetooth: hci_sync: Fix attempting to suspend with unfiltered passive scan) Signed-off-by: Zhengping Jiang Reviewed-by: Abhishek Pandit-Subedi Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit a35f45f986a1d6cac43f27e462a2d0e69844d6d3 Author: Zhengping Jiang Date: Mon Jun 13 14:43:27 2022 -0700 Bluetooth: mgmt: Fix refresh cached connection info [ Upstream commit d7b2fdfb53ea09382941c0a4950dc9b00d51d1c7 ] Set the connection data before calling get_conn_info_sync, so it can be verified the connection is still connected, before refreshing cached values. Fixes: 47db6b42991e6 ("Bluetooth: hci_sync: Convert MGMT_OP_GET_CONN_INFO") Signed-off-by: Zhengping Jiang Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 3b382555706558f5c0587862b6dc03e96a252bba Author: Schspa Shi Date: Fri Jun 3 16:19:14 2022 +0800 Bluetooth: When HCI work queue is drained, only queue chained work [ Upstream commit 877afadad2dce8aae1f2aad8ce47e072d4f6165e ] The HCI command, event, and data packet processing workqueue is drained to avoid deadlock in commit 76727c02c1e1 ("Bluetooth: Call drain_workqueue() before resetting state"). There is another delayed work, which will queue command to this drained workqueue. Which results in the following error report: Bluetooth: hci2: command 0x040f tx timeout WARNING: CPU: 1 PID: 18374 at kernel/workqueue.c:1438 __queue_work+0xdad/0x1140 Workqueue: events hci_cmd_timeout RIP: 0010:__queue_work+0xdad/0x1140 RSP: 0000:ffffc90002cffc60 EFLAGS: 00010093 RAX: 0000000000000000 RBX: ffff8880b9d3ec00 RCX: 0000000000000000 RDX: ffff888024ba0000 RSI: ffffffff814e048d RDI: ffff8880b9d3ec08 RBP: 0000000000000008 R08: 0000000000000000 R09: 00000000b9d39700 R10: ffffffff814f73c6 R11: 0000000000000000 R12: ffff88807cce4c60 R13: 0000000000000000 R14: ffff8880796d8800 R15: ffff8880796d8800 FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000c0174b4000 CR3: 000000007cae9000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? queue_work_on+0xcb/0x110 ? lockdep_hardirqs_off+0x90/0xd0 queue_work_on+0xee/0x110 process_one_work+0x996/0x1610 ? pwq_dec_nr_in_flight+0x2a0/0x2a0 ? rwlock_bug.part.0+0x90/0x90 ? _raw_spin_lock_irq+0x41/0x50 worker_thread+0x665/0x1080 ? process_one_work+0x1610/0x1610 kthread+0x2e9/0x3a0 ? kthread_complete_and_exit+0x40/0x40 ret_from_fork+0x1f/0x30 To fix this, we can add a new HCI_DRAIN_WQ flag, and don't queue the timeout workqueue while command workqueue is draining. Fixes: 76727c02c1e1 ("Bluetooth: Call drain_workqueue() before resetting state") Reported-by: syzbot+63bed493aebbf6872647@syzkaller.appspotmail.com Signed-off-by: Schspa Shi Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 223633ddf2d1686106455d8aa5cb27761088a4c1 Author: Jiasheng Jiang Date: Fri Jun 3 09:24:36 2022 +0800 Bluetooth: hci_intel: Add check for platform_driver_register [ Upstream commit ab2d2a982ff721f4b029282d9a40602ea46a745e ] As platform_driver_register() could fail, it should be better to deal with the return value in order to maintain the code consisitency. Fixes: 1ab1f239bf17 ("Bluetooth: hci_intel: Add support for platform driver") Signed-off-by: Jiasheng Jiang Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 2a299595090876b34a00efd87077b7a6f8b47035 Author: Vincent Mailhol Date: Fri Jul 22 01:00:32 2022 +0900 can: pch_can: pch_can_error(): initialize errc before using it [ Upstream commit 9950f11211331180269867aef848c7cf56861742 ] After commit 3a5c7e4611dd, the variable errc is accessed before being initialized, c.f. below W=2 warning: | In function 'pch_can_error', | inlined from 'pch_can_poll' at drivers/net/can/pch_can.c:739:4: | drivers/net/can/pch_can.c:501:29: warning: 'errc' may be used uninitialized [-Wmaybe-uninitialized] | 501 | cf->data[6] = errc & PCH_TEC; | | ^ | drivers/net/can/pch_can.c: In function 'pch_can_poll': | drivers/net/can/pch_can.c:484:13: note: 'errc' was declared here | 484 | u32 errc, lec; | | ^~~~ Moving errc initialization up solves this issue. Fixes: 3a5c7e4611dd ("can: pch_can: do not report txerr and rxerr during bus-off") Reported-by: Nathan Chancellor Signed-off-by: Vincent Mailhol Reviewed-by: Nathan Chancellor Link: https://lore.kernel.org/all/20220721160032.9348-1-mailhol.vincent@wanadoo.fr Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit bb628a2a5eb77ba4fb6e979f8a1b5bbdf8105b45 Author: Dan Carpenter Date: Tue Jul 19 12:53:01 2022 +0300 libbpf: Fix str_has_sfx()'s return value [ Upstream commit 14229b8153a3ca51d97a22a18c68deeae64afce0 ] The return from strcmp() is inverted so it wrongly returns true instead of false and vice versa. Fixes: a1c9d61b19cb ("libbpf: Improve library identification for uprobe binary path resolution") Signed-off-by: Dan Carpenter Signed-off-by: Daniel Borkmann Acked-by: Martin KaFai Lau Cc: Alan Maguire Link: https://lore.kernel.org/bpf/YtZ+/dAA195d99ak@kili Signed-off-by: Sasha Levin commit f4303216f45266b949bfe7fa4586fb35eb65b8a2 Author: Vincent Mailhol Date: Tue Jul 19 23:35:48 2022 +0900 can: error: specify the values of data[5..7] of CAN error frames [ Upstream commit e70a3263a7eed768d5f947b8f2aff8d2a79c9d97 ] Currently, data[5..7] of struct can_frame, when used as a CAN error frame, are defined as being "controller specific". Device specific behaviours are problematic because it prevents someone from writing code which is portable between devices. As a matter of fact, data[5] is never used, data[6] is always used to report TX error counter and data[7] is always used to report RX error counter. can-utils also relies on this. This patch updates the comment in the uapi header to specify that data[5] is reserved (and thus should not be used) and that data[6..7] are used for error counters. Fixes: 0d66548a10cb ("[CAN]: Add PF_CAN core module") Link: https://lore.kernel.org/all/20220719143550.3681-11-mailhol.vincent@wanadoo.fr Signed-off-by: Vincent Mailhol Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 3dafe5f6a00b765a0afee611151129d3c7ee3fd2 Author: Vincent Mailhol Date: Tue Jul 19 23:35:47 2022 +0900 can: usb_8dev: do not report txerr and rxerr during bus-off [ Upstream commit aebe8a2433cd090ccdc222861f44bddb75eb01de ] During bus off, the error count is greater than 255 and can not fit in a u8. Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices") Link: https://lore.kernel.org/all/20220719143550.3681-10-mailhol.vincent@wanadoo.fr Signed-off-by: Vincent Mailhol Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 46968be06cd181cea127b71c2342edc4bba8037f Author: Vincent Mailhol Date: Tue Jul 19 23:35:46 2022 +0900 can: kvaser_usb_leaf: do not report txerr and rxerr during bus-off [ Upstream commit a57732084e06791d37ea1ea447cca46220737abd ] During bus off, the error count is greater than 255 and can not fit in a u8. Fixes: 7259124eac7d1 ("can: kvaser_usb: Split driver into kvaser_usb_core.c and kvaser_usb_leaf.c") Link: https://lore.kernel.org/all/20220719143550.3681-9-mailhol.vincent@wanadoo.fr CC: Jimmy Assarsson Signed-off-by: Vincent Mailhol Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 7f41778a7c9c48d6f4d8adf670925e6334ae51b0 Author: Vincent Mailhol Date: Tue Jul 19 23:35:45 2022 +0900 can: kvaser_usb_hydra: do not report txerr and rxerr during bus-off [ Upstream commit 936e90595376e64b6247c72d3ea8b8b164b7ac96 ] During bus off, the error count is greater than 255 and can not fit in a u8. Fixes: aec5fb2268b7 ("can: kvaser_usb: Add support for Kvaser USB hydra family") Link: https://lore.kernel.org/all/20220719143550.3681-8-mailhol.vincent@wanadoo.fr CC: Jimmy Assarsson Signed-off-by: Vincent Mailhol Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit d159bb5c279473599e633c19ade5646f97f6eabd Author: Vincent Mailhol Date: Tue Jul 19 23:35:44 2022 +0900 can: sun4i_can: do not report txerr and rxerr during bus-off [ Upstream commit 0ac15a8f661b941519379831d09bfb12271b23ee ] During bus off, the error count is greater than 255 and can not fit in a u8. Fixes: 0738eff14d81 ("can: Allwinner A10/A20 CAN Controller support - Kernel module") Link: https://lore.kernel.org/all/20220719143550.3681-7-mailhol.vincent@wanadoo.fr CC: Chen-Yu Tsai Signed-off-by: Vincent Mailhol Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit f3d865a6b791abbc874739ed702ae64ad2607511 Author: Vincent Mailhol Date: Tue Jul 19 23:35:43 2022 +0900 can: hi311x: do not report txerr and rxerr during bus-off [ Upstream commit a22bd630cfff496b270211745536e50e98eb3a45 ] During bus off, the error count is greater than 255 and can not fit in a u8. Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver") Link: https://lore.kernel.org/all/20220719143550.3681-6-mailhol.vincent@wanadoo.fr Signed-off-by: Vincent Mailhol Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit fedf098ae2ec9db53149431b5b9516899d5a75dc Author: Vincent Mailhol Date: Tue Jul 19 23:35:41 2022 +0900 can: sja1000: do not report txerr and rxerr during bus-off [ Upstream commit 164d7cb2d5a30f1b3a5ab4fab1a27731fb1494a8 ] During bus off, the error count is greater than 255 and can not fit in a u8. Fixes: 215db1856e83 ("can: sja1000: Consolidate and unify state change handling") Link: https://lore.kernel.org/all/20220719143550.3681-4-mailhol.vincent@wanadoo.fr Signed-off-by: Vincent Mailhol Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 076ead9a1274cab0cc2fa2d973643387cdd3d5a0 Author: Vincent Mailhol Date: Tue Jul 19 23:35:40 2022 +0900 can: rcar_can: do not report txerr and rxerr during bus-off [ Upstream commit a37b7245e831a641df360ca41db6a71c023d3746 ] During bus off, the error count is greater than 255 and can not fit in a u8. Fixes: fd1159318e55 ("can: add Renesas R-Car CAN driver") Link: https://lore.kernel.org/all/20220719143550.3681-3-mailhol.vincent@wanadoo.fr Signed-off-by: Vincent Mailhol Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit ec232fbd49c7bcb4d406c86df4f49b9c37eb300b Author: Vincent Mailhol Date: Tue Jul 19 23:35:39 2022 +0900 can: pch_can: do not report txerr and rxerr during bus-off [ Upstream commit 3a5c7e4611ddcf0ef37a3a17296b964d986161a6 ] During bus off, the error count is greater than 255 and can not fit in a u8. Fixes: 0c78ab76a05c ("pch_can: Add setting TEC/REC statistics processing") Link: https://lore.kernel.org/all/20220719143550.3681-2-mailhol.vincent@wanadoo.fr Signed-off-by: Vincent Mailhol Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit d43f85d3d0b8dc69c0e01b007dbe66df72cfcb38 Author: Dan Carpenter Date: Tue Jul 19 12:51:28 2022 +0300 libbpf: fix an snprintf() overflow check [ Upstream commit b77ffb30cfc5f58e957571d8541c6a7e3da19221 ] The snprintf() function returns the number of bytes it *would* have copied if there were enough space. So it can return > the sizeof(gen->attach_target). Fixes: 67234743736a ("libbpf: Generate loader program out of BPF ELF file.") Signed-off-by: Dan Carpenter Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/r/YtZ+oAySqIhFl6/J@kili Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 4a5ae176fd0be385553177a3f4812a5d30c97f94 Author: Dan Carpenter Date: Tue Jul 19 12:50:32 2022 +0300 selftests/bpf: fix a test for snprintf() overflow [ Upstream commit c5d22f4cfe8dfb93f1db0a1e7e2e7ebc41395d98 ] The snprintf() function returns the number of bytes which *would* have been copied if there were space. In other words, it can be > sizeof(pin_path). Fixes: c0fa1b6c3efc ("bpf: btf: Add BTF tests") Signed-off-by: Dan Carpenter Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/r/YtZ+aD/tZMkgOUw+@kili Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 20fd1c3156b5e30ca9ca282180f8136a86c595a2 Author: Andrii Nakryiko Date: Fri Jul 15 16:09:51 2022 -0700 libbpf: make RINGBUF map size adjustments more eagerly [ Upstream commit 597fbc4682969361dd141aaa58b8cc73a80da85d ] Make libbpf adjust RINGBUF map size (rounding it up to closest power-of-2 of page_size) more eagerly: during open phase when initializing the map and on explicit calls to bpf_map__set_max_entries(). Such approach allows user to check actual size of BPF ringbuf even before it's created in the kernel, but also it prevents various edge case scenarios where BPF ringbuf size can get out of sync with what it would be in kernel. One of them (reported in [0]) is during an attempt to pin/reuse BPF ringbuf. Move adjust_ringbuf_sz() helper closer to its first actual use. The implementation of the helper is unchanged. Also make detection of whether bpf_object is already loaded more robust by checking obj->loaded explicitly, given that map->fd can be < 0 even if bpf_object is already loaded due to ability to disable map creation with bpf_map__set_autocreate(map, false). [0] Closes: https://github.com/libbpf/libbpf/pull/530 Fixes: 0087a681fa8c ("libbpf: Automatically fix up BPF_MAP_TYPE_RINGBUF size, if necessary") Signed-off-by: Andrii Nakryiko Acked-by: Yonghong Song Link: https://lore.kernel.org/r/20220715230952.2219271-1-andrii@kernel.org Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 3c7256b880b3a5aa1895fd169a34aa4224a11862 Author: Andrii Nakryiko Date: Thu Jul 14 22:31:43 2022 -0700 bpf: fix potential 32-bit overflow when accessing ARRAY map element [ Upstream commit 87ac0d600943994444e24382a87aa19acc4cd3d4 ] If BPF array map is bigger than 4GB, element pointer calculation can overflow because both index and elem_size are u32. Fix this everywhere by forcing 64-bit multiplication. Extract this formula into separate small helper and use it consistently in various places. Speculative-preventing formula utilizing index_mask trick is left as is, but explicit u64 casts are added in both places. Fixes: c85d69135a91 ("bpf: move memory size checks to bpf_map_charge_init()") Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20220715053146.1291891-2-andrii@kernel.org Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 5b8a885e64ff5c5de9ffd734cebd85828e1e336a Author: Alex Deucher Date: Wed Jul 6 11:10:15 2022 -0400 drm/amdgpu: restore original stable pstate on ctx fini [ Upstream commit 958afce98c2c86732483458c03540d3c6ef45254 ] Save the original stable pstate on ctx init and restore it on ctx fini so that we restore a manually selected stable pstate on ctx exit. v2: fix init order (Alex) v3: don't add new variable to ctx struct (Evan) Fixes: c65b364c52ba ("drm/amdgpu/ctx: only reset stable pstate if the user changed it (v2)") Reviewed-by: Evan Quan Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 4caf84498f76d08d272550c839b9db74742f7da5 Author: Alex Deucher Date: Mon Jul 11 22:04:56 2022 -0400 drm/amdgpu: use the same HDP flush registers for all nbio 2.3.x [ Upstream commit 98a90f1f0fdd112b85b16ef6ceee69f319ab9311 ] Align RDNA2.x with other asics. One HDP bit per SDMA instance, aligned with firmware. This is effectively a revert of commit 369b7d04baf3 ("drm/amdgpu/nbio2.3: don't use GPU_HDP_FLUSH bit 12"). On further discussions with the relevant hardware teams, re-align the bits for SDMA. Fixes: 369b7d04baf3 ("drm/amdgpu/nbio2.3: don't use GPU_HDP_FLUSH bit 12") Reviewed-by: Kent Russell Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 26e5339704e4a8f8eb7a5272471f444be2c9c700 Author: Alex Deucher Date: Mon Jul 11 21:59:06 2022 -0400 drm/amdgpu: use the same HDP flush registers for all nbio 7.4.x [ Upstream commit 912db6a58738e8be502838eb6a88f207ba356cd7 ] Align aldebaran with all other asics. One HDP bit per SDMA instance, aligned with firmware. This is effectively a revert of commit a0f9f8546668 ("drm/amdgpu/nbio7.4: don't use GPU_HDP_FLUSH bit 12"). On further discussions with the relevant hardware teams, re-align the bits for SDMA. Fixes: a0f9f8546668 ("drm/amdgpu/nbio7.4: don't use GPU_HDP_FLUSH bit 12") Reviewed-by: Kent Russell Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 8e6da6afcec4858ae14857483c9312528356ad80 Author: Rustam Subkhankulov Date: Thu Jul 14 16:48:31 2022 +0300 wifi: p54: add missing parentheses in p54_flush() [ Upstream commit bcfd9d7f6840b06d5988c7141127795cf405805e ] The assignment of the value to the variable total in the loop condition must be enclosed in additional parentheses, since otherwise, in accordance with the precedence of the operators, the conjunction will be performed first, and only then the assignment. Due to this error, a warning later in the function after the loop may not occur in the situation when it should. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Rustam Subkhankulov Fixes: 0d4171e2153b ("p54: implement flush callback") Acked-by: Christian Lamparter Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220714134831.106004-1-subkhankulov@ispras.ru Signed-off-by: Sasha Levin commit a88db6a4e73bd2764d05a6b26f05a3948d0dd02f Author: Christophe JAILLET Date: Sun Jun 12 23:12:20 2022 +0200 wifi: p54: Fix an error handling path in p54spi_probe() [ Upstream commit 83781f0162d080fec7dcb911afd1bc2f5ad04471 ] If an error occurs after a successful call to p54spi_request_firmware(), it must be undone by a corresponding release_firmware() as already done in the error handling path of p54spi_request_firmware() and in the .remove() function. Add the missing call in the error handling path and remove it from p54spi_request_firmware() now that it is the responsibility of the caller to release the firmware Fixes: cd8d3d321285 ("p54spi: p54spi driver") Signed-off-by: Christophe JAILLET Acked-by: Christian Lamparter Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/297d2547ff2ee627731662abceeab9dbdaf23231.1655068321.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 67470920cd3f3cb38699b1ad23234f96bead4d21 Author: Dan Carpenter Date: Fri Jul 15 13:35:18 2022 +0300 wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi() [ Upstream commit 7a4836560a6198d245d5732e26f94898b12eb760 ] The simple_write_to_buffer() function will succeed if even a single byte is initialized. However, we need to initialize the whole buffer to prevent information leaks. Just use memdup_user(). Fixes: ff974e408334 ("wil6210: debugfs interface to send raw WMI command") Signed-off-by: Dan Carpenter Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/Ysg14NdKAZF/hcNG@kili Signed-off-by: Sasha Levin commit fd98ca30211e277f4506c15dcaaa49c2d0f7dea4 Author: Jernej Skrabec Date: Mon Jun 20 18:55:12 2022 +0100 media: cedrus: h265: Fix logic for not low delay flag [ Upstream commit f1a413902aa71044b6ec41265e5e28ebaf29a9ce ] Now that we know real purpose of "not low delay" flag, logic for applying this flag should be fixed too. According to vendor and reference implementation, low delay is signaled when POC of current frame is lower than POC of at least one reference of a slice. Implement mentioned logic and invert it to conform to flag meaning. Also don't apply flag for I frames. They don't have any reference. This fixes decoding of 3 reference bitstreams. Fixes: 86caab29da78 ("media: cedrus: Add HEVC/H.265 decoding support") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit dfacf78ed98c8e64ac39a5fd6aa9075bfccc3b3e Author: Benjamin Gaignard Date: Fri Jul 8 17:21:45 2022 +0100 media: uapi: HEVC: Change pic_order_cnt definition in v4l2_hevc_dpb_entry [ Upstream commit c4a179c7167ee16aad1267f9c99bc1ecff475585 ] The HEVC specification describes the following: "PicOrderCntVal is derived as follows: PicOrderCntVal = PicOrderCntMsb + slice_pic_order_cnt_lsb The value of PicOrderCntVal shall be in the range of −2^31 to 2^31 − 1, inclusive." To match with these definitions change __u16 pic_order_cnt[2] into __s32 pic_order_cnt_val. Change v4l2_ctrl_hevc_slice_params->slice_pic_order_cnt to __s32 too. Signed-off-by: Benjamin Gaignard Reviewed-by: Ezequiel Garcia Acked-by: Nicolas Dufresne Tested-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 78aed34aeb4f9a965d2d81e0304611c3b60d9108 Author: Jernej Skrabec Date: Mon Jun 20 18:55:11 2022 +0100 media: cedrus: h265: Fix flag name [ Upstream commit 104a70e1d0bcef28db13c4192b8729086089651c ] Bit 21 in register 0x24 (slice header info 1) actually represents negated version of low delay flag. This can be seen in vendor Cedar library source code. While this flag is not part of the standard, it can be found in reference HEVC implementation. Fix macro name and change it to flag. Fixes: 86caab29da78 ("media: cedrus: Add HEVC/H.265 decoding support") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit fd0a6e99b61e6c08fa5cf585d54fd956f70c73a6 Author: Jason A. Donenfeld Date: Wed Jun 29 15:06:58 2022 +0200 fs: check FMODE_LSEEK to control internal pipe splicing [ Upstream commit 97ef77c52b789ec1411d360ed99dca1efe4b2c81 ] The original direct splicing mechanism from Jens required the input to be a regular file because it was avoiding the special socket case. It also recognized blkdevs as being close enough to a regular file. But it forgot about chardevs, which behave the same way and work fine here. This is an okayish heuristic, but it doesn't totally work. For example, a few chardevs should be spliceable here. And a few regular files shouldn't. This patch fixes this by instead checking whether FMODE_LSEEK is set, which represents decently enough what we need rewinding for when splicing to internal pipes. Fixes: b92ce5589374 ("[PATCH] splice: add direct fd <-> fd splicing support") Cc: Jens Axboe Signed-off-by: Jason A. Donenfeld Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 3614c1981fe2bab91daa4386e9f3a30333ba8413 Author: Yang Yingliang Date: Wed Jun 22 05:42:43 2022 +0100 media: ov7251: add missing disable functions on error in ov7251_set_power_on() [ Upstream commit 7a9795b31049b7e233d050a82b00094155a695c7 ] Add the missing gpiod_set_value_cansleep() and clk_disable_unprepare() before return from ov7251_set_power_on() in the error handling case. Fixes: 9e1d3012cc10 ("media: i2c: Remove .s_power() from ov7251") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Reviewed-by: Andy Shevchenko Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 09dca689653123808a56a2895e43de3bc79942fe Author: Sakari Ailus Date: Tue Jul 5 18:40:54 2022 +0100 media: v4l: async: Also match secondary fwnode endpoints [ Upstream commit 46347e3ec61660562d4a4a933713e2c2b74598e2 ] For camera sensor devices the firmware information of which comes from non-DT (or some ACPI variants), the kernel makes the information visible to the drivers in a form similar to DT. This takes place through device's secondary fwnodes, in which case also the secondary fwnode needs to be heterogenously (endpoint vs. device) matched. Fixes: 1f391df44607 ("media: v4l2-async: Use endpoints in __v4l2_async_nf_add_fwnode_remote()") Signed-off-by: Sakari Ailus Reviewed-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 02653ba89f7e5dd1d744ab0e148ce260c0753ed9 Author: Johannes Berg Date: Mon Jun 27 12:49:03 2022 +0200 wifi: nl80211: acquire wdev mutex for dump_survey [ Upstream commit 284b38b6902a7154e3675482418a7b6df47808fe ] At least the quantenna driver calls wdev_chandef() here which now requires the lock, so acquire it. Fixes: 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link APIs") Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 1f319b976560c2c91eee098fdc0008d720ac3698 Author: Alexei Starovoitov Date: Thu Jul 14 14:16:37 2022 -0700 bpf: Fix subprog names in stack traces. [ Upstream commit 9c7c48d6a1e2eb5192ad5294c1c4dbd42a88e88b ] The commit 7337224fc150 ("bpf: Improve the info.func_info and info.func_info_rec_size behavior") accidently made bpf_prog_ksym_set_name() conservative for bpf subprograms. Fixed it so instead of "bpf_prog_tag_F" the stack traces print "bpf_prog_tag_full_subprog_name". Fixes: 7337224fc150 ("bpf: Improve the info.func_info and info.func_info_rec_size behavior") Reported-by: Tejun Heo Signed-off-by: Alexei Starovoitov Signed-off-by: Andrii Nakryiko Acked-by: Martin KaFai Lau Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20220714211637.17150-1-alexei.starovoitov@gmail.com Signed-off-by: Sasha Levin commit 3693c9ee4556b8aa1dbb5d9d927f3aa281f156b2 Author: Wolfram Sang Date: Wed Jul 13 22:46:17 2022 +0200 selftests: timers: clocksource-switch: fix passing errors from child [ Upstream commit 4d8f52ac5fa9eede7b7aa2f2d67c841d9eeb655f ] The return value from system() is a waitpid-style integer. Do not return it directly because with the implicit masking in exit() it will always return 0. Access it with appropriate macros to really pass on errors. Fixes: 7290ce1423c3 ("selftests/timers: Add clocksource-switch test from timetest suite") Signed-off-by: Wolfram Sang Acked-by: John Stultz Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 78834a56e8440064d8c9656f6af65f0f0a895416 Author: Wolfram Sang Date: Wed Jul 13 22:46:13 2022 +0200 selftests: timers: valid-adjtimex: build fix for newer toolchains [ Upstream commit 9a162977d20436be5678a8e21a8e58eb4616d86a ] Toolchains with an include file 'sys/timex.h' based on 3.18 will have a 'clock_adjtime' definition added, so it can't be static in the code: valid-adjtimex.c:43:12: error: static declaration of ‘clock_adjtime’ follows non-static declaration Fixes: e03a58c320e1 ("kselftests: timers: Add adjtimex SETOFFSET validity tests") Signed-off-by: Wolfram Sang Acked-by: John Stultz Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 7d69764fa3442c7615a75c6b5c02eaa1f274bccf Author: David Gow Date: Wed Jul 13 07:25:27 2022 +0800 kunit: executor: Fix a memory leak on failure in kunit_filter_tests [ Upstream commit 94681e289bf5d10c9db9db143d1a22d8717205c5 ] It's possible that memory allocation for 'filtered' will fail, but for the copy of the suite to succeed. In this case, the copy could be leaked. Properly free 'copy' in the error case for the allocation of 'filtered' failing. Note that there may also have been a similar issue in kunit_filter_subsuites, before it was removed in "kunit: flatten kunit_suite*** to kunit_suite** in .kunit_test_suites". This was reported by clang-analyzer via the kernel test robot, here: https://lore.kernel.org/all/c8073b8e-7b9e-0830-4177-87c12f16349c@intel.com/ And by smatch via Dan Carpenter and the kernel test robot: https://lore.kernel.org/all/202207101328.ASjx88yj-lkp@intel.com/ Fixes: a02353f49162 ("kunit: bail out of test filtering logic quicker if OOM") Reported-by: kernel test robot Reported-by: kernel test robot Reported-by: Dan Carpenter Reviewed-by: Daniel Latypov Reviewed-by: Brendan Higgins Signed-off-by: David Gow Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 0607c8e8c9b68b803434f916ce20963c6fe553a1 Author: Anquan Wu Date: Tue Jul 12 11:15:40 2022 +0800 libbpf: Fix the name of a reused map [ Upstream commit bf3f00378524adae16628cbadbd11ba7211863bb ] BPF map name is limited to BPF_OBJ_NAME_LEN. A map name is defined as being longer than BPF_OBJ_NAME_LEN, it will be truncated to BPF_OBJ_NAME_LEN when a userspace program calls libbpf to create the map. A pinned map also generates a path in the /sys. If the previous program wanted to reuse the map, it can not get bpf_map by name, because the name of the map is only partially the same as the name which get from pinned path. The syscall information below show that map name "process_pinned_map" is truncated to "process_pinned_". bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/process_pinned_map", bpf_fd=0, file_flags=0}, 144) = -1 ENOENT (No such file or directory) bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_HASH, key_size=4, value_size=4,max_entries=1024, map_flags=0, inner_map_fd=0, map_name="process_pinned_",map_ifindex=0, btf_fd=3, btf_key_type_id=6, btf_value_type_id=10,btf_vmlinux_value_type_id=0}, 72) = 4 This patch check that if the name of pinned map are the same as the actual name for the first (BPF_OBJ_NAME_LEN - 1), bpf map still uses the name which is included in bpf object. Fixes: 26736eb9a483 ("tools: libbpf: allow map reuse") Signed-off-by: Anquan Wu Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/OSZP286MB1725CEA1C95C5CB8E7CCC53FB8869@OSZP286MB1725.JPNP286.PROD.OUTLOOK.COM Signed-off-by: Sasha Levin commit 53cc92e5406df9b48bfa60381ed294f90fdf1da6 Author: Yonglong Li Date: Mon Jul 11 17:47:18 2022 +0800 tcp: make retransmitted SKB fit into the send window [ Upstream commit 536a6c8e05f95e3d1118c40ae8b3022ee2d05d52 ] current code of __tcp_retransmit_skb only check TCP_SKB_CB(skb)->seq in send window, and TCP_SKB_CB(skb)->seq_end maybe out of send window. If receiver has shrunk his window, and skb is out of new window, it should retransmit a smaller portion of the payload. test packetdrill script: 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) +0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 +0 connect(3, ..., ...) = -1 EINPROGRESS (Operation now in progress) +0 > S 0:0(0) win 65535 +.05 < S. 0:0(0) ack 1 win 6000 +0 > . 1:1(0) ack 1 +0 write(3, ..., 10000) = 10000 +0 > . 1:2001(2000) ack 1 win 65535 +0 > . 2001:4001(2000) ack 1 win 65535 +0 > . 4001:6001(2000) ack 1 win 65535 +.05 < . 1:1(0) ack 4001 win 1001 and tcpdump show: 192.168.226.67.55 > 192.0.2.1.8080: Flags [.], seq 1:2001, ack 1, win 65535, length 2000 192.168.226.67.55 > 192.0.2.1.8080: Flags [.], seq 2001:4001, ack 1, win 65535, length 2000 192.168.226.67.55 > 192.0.2.1.8080: Flags [P.], seq 4001:5001, ack 1, win 65535, length 1000 192.168.226.67.55 > 192.0.2.1.8080: Flags [.], seq 5001:6001, ack 1, win 65535, length 1000 192.0.2.1.8080 > 192.168.226.67.55: Flags [.], ack 4001, win 1001, length 0 192.168.226.67.55 > 192.0.2.1.8080: Flags [.], seq 5001:6001, ack 1, win 65535, length 1000 192.168.226.67.55 > 192.0.2.1.8080: Flags [P.], seq 4001:5001, ack 1, win 65535, length 1000 when cient retract window to 1001, send window is [4001,5002], but TLP send 5001-6001 packet which is out of send window. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yonglong Li Signed-off-by: Eric Dumazet Link: https://lore.kernel.org/r/1657532838-20200-1-git-send-email-liyonglong@chinatelecom.cn Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 60e66074812dde9cde3d99cdd3caa9e40f1a4516 Author: Song Liu Date: Tue Jul 5 17:26:12 2022 -0700 bpf, x86: fix freeing of not-finalized bpf_prog_pack [ Upstream commit 1d5f82d9dd477d5c66e0214a68c3e4f308eadd6d ] syzbot reported a few issues with bpf_prog_pack [1], [2]. This only happens with multiple subprogs. In jit_subprogs(), we first call bpf_int_jit_compile() on each sub program. And then, we call it on each sub program again. jit_data is not freed in the first call of bpf_int_jit_compile(). Similarly we don't call bpf_jit_binary_pack_finalize() in the first call of bpf_int_jit_compile(). If bpf_int_jit_compile() failed for one sub program, we will call bpf_jit_binary_pack_finalize() for this sub program. However, we don't have a chance to call it for other sub programs. Then we will hit "goto out_free" in jit_subprogs(), and call bpf_jit_free on some subprograms that haven't got bpf_jit_binary_pack_finalize() yet. At this point, bpf_jit_binary_pack_free() is called and the whole 2MB page is freed erroneously. Fix this with a custom bpf_jit_free() for x86_64, which calls bpf_jit_binary_pack_finalize() if necessary. Also, with custom bpf_jit_free(), bpf_prog_aux->use_bpf_prog_pack is not needed any more, remove it. Fixes: 1022a5498f6f ("bpf, x86_64: Use bpf_jit_binary_pack_alloc") [1] https://syzkaller.appspot.com/bug?extid=2f649ec6d2eea1495a8f [2] https://syzkaller.appspot.com/bug?extid=87f65c75f4a72db05445 Reported-by: syzbot+2f649ec6d2eea1495a8f@syzkaller.appspotmail.com Reported-by: syzbot+87f65c75f4a72db05445@syzkaller.appspotmail.com Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20220706002612.4013790-1-song@kernel.org Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 7018bd9fac6237e706d175d0a5926de9226c664a Author: Tony Ambardar Date: Fri Jun 17 12:57:34 2022 +0200 bpf, x64: Add predicate for bpf2bpf with tailcalls support in JIT [ Upstream commit 95acd8817e66d031d2e6ee7def3f1e1874819317 ] The BPF core/verifier is hard-coded to permit mixing bpf2bpf and tail calls for only x86-64. Change the logic to instead rely on a new weak function 'bool bpf_jit_supports_subprog_tailcalls(void)', which a capable JIT backend can override. Update the x86-64 eBPF JIT to reflect this. Signed-off-by: Tony Ambardar [jakub: drop MIPS bits and tweak patch subject] Signed-off-by: Jakub Sitnicki Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220617105735.733938-2-jakub@cloudflare.com Signed-off-by: Sasha Levin commit 1cbe7a02e7028e782fe2027a38d005f0641d2a35 Author: Jian Zhang Date: Tue Jul 12 13:56:11 2022 +0900 drm/exynos/exynos7_drm_decon: free resources when clk_set_parent() failed. [ Upstream commit 48b927770f8ad3f8cf4a024a552abf272af9f592 ] In exynos7_decon_resume, When it fails, we must use clk_disable_unprepare() to free resource that have been used. Fixes: 6f83d20838c09 ("drm/exynos: use DRM_DEV_ERROR to print out error message") Reported-by: Hulk Robot Signed-off-by: Jian Zhang Signed-off-by: Inki Dae Signed-off-by: Sasha Levin commit 1295dae30f30c3daa03005ed8958d44b17f037fd Author: Liu Jian Date: Tue Jun 28 20:36:16 2022 +0800 skmsg: Fix invalid last sg check in sk_msg_recvmsg() [ Upstream commit 9974d37ea75f01b47d16072b5dad305bd8d23fcc ] In sk_psock_skb_ingress_enqueue function, if the linear area + nr_frags + frag_list of the SKB has NR_MSG_FRAG_IDS blocks in total, skb_to_sgvec will return NR_MSG_FRAG_IDS, then msg->sg.end will be set to NR_MSG_FRAG_IDS, and in addition, (NR_MSG_FRAG_IDS - 1) is set to the last SG of msg. Recv the msg in sk_msg_recvmsg, when i is (NR_MSG_FRAG_IDS - 1), the sk_msg_iter_var_next(i) will change i to 0 (not NR_MSG_FRAG_IDS), the judgment condition "msg_rx->sg.start==msg_rx->sg.end" and "i != msg_rx->sg.end" can not work. As a result, the processed msg cannot be deleted from ingress_msg list. But the length of all the sge of the msg has changed to 0. Then the next recvmsg syscall will process the msg repeatedly, because the length of sge is 0, the -EFAULT error is always returned. Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Liu Jian Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220628123616.186950-1-liujian56@huawei.com Signed-off-by: Sasha Levin commit f61a2101028de8f70843df2879b3b22662a5b411 Author: Liang He Date: Mon Jul 4 16:34:21 2022 +0800 mediatek: mt76: eeprom: fix missing of_node_put() in mt76_find_power_limits_node() [ Upstream commit 3bd53ea02d77917c2314ec7be9e2d05be22f87d3 ] We should use of_node_put() for the reference 'np' returned by of_get_child_by_name() which will increase the refcount. Fixes: 22b980badc0f ("mt76: add functions for parsing rate power limits from DT") Signed-off-by: Liang He Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit d2aacdcc9fa25603bdfc41904bfe09a80e0230e1 Author: Liang He Date: Mon Jul 4 16:34:20 2022 +0800 mediatek: mt76: mac80211: Fix missing of_node_put() in mt76_led_init() [ Upstream commit 0a14c1d0113f121151edf34333cdf212dd209190 ] We should use of_node_put() for the reference 'np' returned by of_get_child_by_name() which will increase the refcount. Fixes: 17f1de56df05 ("mt76: add common code shared between multiple chipsets") Signed-off-by: Liang He Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit c345cab0415edbcc172f5108d31d10e5fd39ed39 Author: Felix Fietkau Date: Fri Jun 24 20:57:47 2022 +0200 mt76: mt7615: fix throughput regression on DFS channels [ Upstream commit aac86cebb4a09e3fa2c07589f79f7d0e07e8c9a4 ] For some reason, mt7615 reacts badly to repeatedly enabling/disabling the radar detector without also switching the channel. This results in very bad throughput on DFS channels, because hw->conf.radar_enabled can get toggled a few times after CAC ends. Fix this by always leaving the DFS detector enabled on DFS channels and instead suppress unwanted detection events. Fixes: 2c86f6752046 ("mt76: mt7615: fix/rewrite the dfs state handling logic") Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 622bccfef40cbee8749ee50c04c8b1495e268480 Author: Shayne Chen Date: Mon Jun 20 14:17:17 2022 +0800 mt76: mt7915: fix incorrect testmode ipg on band 1 caused by wmm_idx [ Upstream commit 6e744cfeee02c2d8676eb55d5b3720808812f41f ] Fix the issue that the measured inter packet gap didn't fit its setting value. Fixes: c2d3b1926f30 ("mt76: mt7915: add support for ipg in testmode") Signed-off-by: Shayne Chen Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 6fd0447b942e1cdd4ea21643cdc8d2cc6a05916b Author: Lorenzo Bianconi Date: Tue Jun 7 11:28:40 2022 +0200 mt76: connac: move connac2_mac_write_txwi in mt76_connac module [ Upstream commit 182071cdd594bc79f42899c85afa995c370ef82d ] mac_write_txwi code is shared between connac2 devices (mt7915 and mt7921). Move it in connac module. Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit d53211a55a87d9fdc5ea04c52924a99c66d546de Author: Lorenzo Bianconi Date: Tue Jun 7 11:28:39 2022 +0200 mt76: connac: move mac connac2 defs in mt76_connac2_mac.h [ Upstream commit 90211957a640e6933b236e06728578d252f7374f ] This is a preliminary patch to share connac2 mac txwi code. Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 6726332ec12038ae145f3a6a1aa425349343d9ba Author: Lorenzo Bianconi Date: Tue Jun 7 11:28:38 2022 +0200 mt76: mt7915: rely on mt76_dev in mt7915_mac_write_txwi signature [ Upstream commit d502e30020b85857ead0f9d392d24dba8c0f44cb ] This is a preliminary patch to share txwi configuration code. Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 9c2ea17b56cc56d978d231e1693b12e10032b4b6 Author: Lorenzo Bianconi Date: Tue Jun 7 11:28:37 2022 +0200 mt76: mt7921: rely on mt76_dev in mt7921_mac_write_txwi signature [ Upstream commit e00b3e407efeed81dc30a72e4041ff57bf7068d5 ] This is a preliminary patch to share txwi configuration code. Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit c477e2f2026b722d9950a1b0ba99fc550fe0e9b9 Author: Deren Wu Date: Sat Jun 18 18:56:44 2022 +0800 mt76: mt7921: enlarge maximum VHT MPDU length to 11454 [ Upstream commit 31f3248a75932b111bc90c66b1f6c7d89eedca8e ] Enlarge maximum MPDU length to 11454 that both mt7921/mt7922 can support. After this fixing, we can get better performance. Fixes: 5c14a5f944b9 ("mt76: mt7921: introduce mt7921e support") Tested-by: Ming Yen Hsieh Signed-off-by: Deren Wu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit fe9038ec34d1018a14de1c80e22acceff88fbe96 Author: Deren Wu Date: Thu Jun 16 23:57:43 2022 +0800 mt76: mt7921: fix aggregation subframes setting to HE max [ Upstream commit d5a50e6bd1972c481f82befa846dce0b9866f025 ] mt7921/mt7922 support HE max aggregation subframes 256 for both tx/rx. Get better throughput then before. Fixes: 94bb18b03d43 ("mt76: mt7921: fix max aggregation subframes setting") Tested-by: Ming Yen Hsieh Reviewed-by: Sean Wang Signed-off-by: Deren Wu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 8a8660892edbe70ed4c0b72f07308c97dc84ec8a Author: Deren Wu Date: Tue Jun 14 15:50:24 2022 +0800 mt76: mt7921s: fix possible sdio deadlock in command fail [ Upstream commit 364718c94ac2ea4e51958ac0aa15c9092c785a3a ] Move sdio_release_host() to final resource handing Fixes: b12deb5e86fa ("mt76: mt7921s: fix mt7921s_mcu_[fw|drv]_pmctrl") Reported-by: YN Chen Co-developed-by: Lorenzo Bianconi Signed-off-by: Lorenzo Bianconi Signed-off-by: Deren Wu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 5158d8cda35283ec62d4741509f4860394c5f149 Author: Lorenzo Bianconi Date: Mon Jun 13 14:07:08 2022 +0200 mt76: mt7921: do not update pm states in case of error [ Upstream commit f4a92547fb9818ff272e1e2f0c79cd6b0bc99ce8 ] Do not update pm stats if mt7921e_mcu_fw_pmctrl routine returns an error. Fixes: 36873246f78a2 ("mt76: mt7921: add awake and doze time accounting") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 5f43e826d7bb132c2f67c6ef0bd332c3f85fc559 Author: Lorenzo Bianconi Date: Mon Jun 13 14:03:28 2022 +0200 mt76: mt7615: do not update pm stats in case of error [ Upstream commit 79717c4eeeae9dec894794fbe8af72f08f03ebdd ] Do not update pm stats if mt7615_mcu_fw_pmctrl returns an error. Fixes: abe912ae3cd42 ("mt76: mt7663: add awake and doze time accounting") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit ec62ee418ec3292841aaf4ab5f820497ebe90222 Author: Johannes Berg Date: Tue May 10 13:26:44 2022 +0200 wifi: mac80211: move some future per-link data to bss_conf [ Upstream commit d0a9123ef548def5c8880e83e5df948eb5b55c62 ] To add MLD, reuse the bss_conf structure later for per-link information, so move some things into it that are per link. Most transformations were done with the following spatch: @@ expression sdata; identifier var = { chanctx_conf, mu_mimo_owner, csa_active, color_change_active, color_change_color }; @@ -sdata->vif.var +sdata->vif.bss_conf.var @@ struct ieee80211_vif *vif; identifier var = { chanctx_conf, mu_mimo_owner, csa_active, color_change_active, color_change_color }; @@ -vif->var +vif->bss_conf.var Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 7a53ad13c09150076b7ddde96c2dfc5622c90b45 Author: Johannes Berg Date: Thu Apr 14 16:50:57 2022 +0200 wifi: cfg80211: do some rework towards MLO link APIs [ Upstream commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 ] In order to support multi-link operation with multiple links, start adding some APIs. The notable addition here is to have the link ID in a new nl80211 attribute, that will be used to differentiate the links in many nl80211 operations. So far, this patch adds the netlink NL80211_ATTR_MLO_LINK_ID attribute (as well as the NL80211_ATTR_MLO_LINKS attribute) and plugs it through the system in some places, checking the validity etc. along with other infrastructure needed for it. For now, I've decided to include only the over-the-air link ID in the API. I know we discussed that we eventually need to have to have other ways of identifying a link, but for local AP mode and auth/assoc commands as well as set_key etc. we'll use the OTA ID. Also included in this patch is some refactoring of the data structures in struct wireless_dev, splitting for the first time the data into type dependent pieces, to make reasoning about these things easier. Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit bdefcd8f54948ecaf83716acb0d5fab4ff22fba0 Author: Johannes Berg Date: Thu May 19 17:57:53 2022 +0200 wifi: mac80211: reject WEP or pairwise keys with key ID > 3 [ Upstream commit 92ea8df110b8ca92f9664ec7bd76dea109115348 ] We don't really care too much right now since our data structures are set up to not have a problem with this, but clearly it's wrong to accept WEP and pairwise keys with key ID > 3. However, with MLD we need to split into per-link (GTK, IGTK, BIGTK) and per interface/MLD (including WEP) keys so make sure this is not a problem. Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit ae7411046481d1e83fec0e5386e723d49c9d00b4 Author: Deren Wu Date: Wed Jun 8 20:53:25 2022 +0800 mt76: mt7921: not support beacon offload disable command [ Upstream commit c149d3a9058616ff942a6e44b6e968e18a84dd5a ] Beacon disable flow would be handled in bss stop handler automatically. Force return -EOPNOTSUPP in disable case. Fixes: 116c69603b01 ("mt76: mt7921: Add AP mode support") Reviewed-by: Sean Wang Signed-off-by: Deren Wu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 001614aa05c123446ceeeac156bac614f0e66189 Author: YN Chen Date: Sat May 28 09:28:54 2022 +0800 mt76: mt7921s: fix firmware download random fail [ Upstream commit a55a0c701c129f8e448f0ec1eb811dba728ace64 ] To avoid racing problems in chip, mt7921s should reacquire drv-own after firmware semaphore is released. Fixes: 78b217580c509 ("mt76: mt7921s: fix bus hang with wrong privilege") Signed-off-by: YN Chen Signed-off-by: Deren Wu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 2fe903bf69ebc6e9b79f44628d052516c99921db Author: Dan Carpenter Date: Thu May 19 16:57:22 2022 +0300 mt76: mt7915: fix endian bug in mt7915_rf_regval_set() [ Upstream commit f572dc969a59a80baa22bf2f7c9af0064402652f ] This code is supposed to set a u32 value, but casting will not work on big endian systems. Fixes: 0a17329ae9c1 ("mt76: mt7915: add debugfs knob for RF registers read/write") Signed-off-by: Dan Carpenter Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 2f53ba46d8c97aca681adbe5098e1f84580c446d Author: Lorenzo Bianconi Date: Tue May 17 18:37:07 2022 +0200 mt76: mt76x02u: fix possible memory leak in __mt76x02u_mcu_send_msg [ Upstream commit cffd93411575afd987788e2ec3cb8eaff70f0215 ] Free the skb if mt76u_bulk_msg fails in __mt76x02u_mcu_send_msg routine. Fixes: 4c89ff2c74e39 ("mt76: split __mt76u_mcu_send_msg and mt76u_mcu_send_msg routines") Co-developed-by: Gergo Koteles Signed-off-by: Gergo Koteles Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit ae0d6b4fb32cde4b963abc0729197a8f9d568088 Author: Lorenzo Bianconi Date: Tue May 17 18:05:59 2022 +0200 mt76: mt7915: fix endianness in mt7915_rf_regval_get [ Upstream commit 63907290faa916ffab1c8455141c79ca8e3a79bb ] Fix the following sparse warning in mt7915_rf_regval_get routine: drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c:979:16: warning: cast to restricted __le32 Fixes: 0a17329ae9c1f ("mt76: mt7915: add debugfs knob for RF registers read/write") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 7496e06d0e6f687e5eb855f6a01039cd0d70886a Author: Ming Qian Date: Fri Jul 8 09:56:50 2022 +0100 media: amphion: only insert the first sequence startcode for vc1l format [ Upstream commit e670f5d672ef3d00b0b8c69eff09a019e6dd4ef9 ] For format V4L2_PIX_FMT_VC1_ANNEX_L, the amphion vpu requires driver to help insert some custom startcode before sequence and frame. but only the first sequence startcode is needed, the extra startcode will cause decoding error. So after seek, we don't need to insert the sequence startcode. In other words, for V4L2_PIX_FMT_VC1_ANNEX_L, the vpu doesn't support dynamic resolution change. Fixes: 145e936380edb ("media: amphion: implement malone decoder rpc interface") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 59dbfddc11aa6713b0a1227a561b2f88ebd6684a Author: Ming Qian Date: Fri Jul 1 06:50:04 2022 +0100 media: amphion: sync buffer status with firmware during abort [ Upstream commit d8f1eb105eab7aab36323c6b488dda479d5bd2da ] 1. prevent to allocate buffer to firmware during abort 2. release buffer when clear the slots Fixes: 6de8d628df6ef ("media: amphion: add v4l2 m2m vpu decoder stateful driver") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 5597b3ab866158002c8e72ab08ae650c2a501337 Author: Ezequiel Garcia Date: Wed Jun 29 20:56:23 2022 +0100 media: hantro: Fix RK3399 H.264 format advertising [ Upstream commit 177d841fa19542eb35aa5ec9579c4abb989c9255 ] Commit 1f82f2df523cb ("media: hantro: Enable H.264 on Rockchip VDPU2") enabled H.264 on some SoCs with VDPU2 cores. This had the side-effect of exposing H.264 coded format as supported on RK3399. Fix this and clarify how the codec is explicitly disabled on RK3399 on this driver. Fixes: 1f82f2df523cb ("media: hantro: Enable H.264 on Rockchip VDPU2") Signed-off-by: Ezequiel Garcia Tested-by: Nicolas Dufresne Reviewed-by: Nicolas Dufresne Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 44cdc161d9db2bea33ffe0d88f3c5d0e66346856 Author: Benjamin Gaignard Date: Wed May 18 09:53:49 2022 +0100 media: hantro: Be more accurate on pixel formats step_width constraints [ Upstream commit 135ad96cb4d6bd6dace030846fe5c7ea890411ab ] On Hantro G2 decoder on IMX8MQ strides requirements aren't the same for NV12_4L4 and NV12 pixel formats. The first one use a 4 bytes padding while the last one needs 16 bytes. To be sure to provide the correct stride in all cases we need: - to relax the constraints on codec formats so set step_width to 4 - use capture queue format and not the output queue format when applying the pixel format constraints. - put the correct step_width constraints on each pixel format. Move HEVC SPS validation in hantro_hevc.c to be able to perform it when setting sps control and when starting to decode the bitstream. Add a new test in HEVC SPS validation function to check if resolution is still matching the hardware constraints. With this SAODBLK_A_MainConcept_4 and SAODBLK_B_MainConcept_4 conformance tests files are correctly decoded with both NV12 and NV12_4L4 pixel formats. These two files have a resolution of 1016x760. Add defines for the various used resolutions. For other variants than Hantro G2 on IMX8M keep the same step_width to avoid regressions. Fluster HEVC test score is now 128/147 vs 126/147 with the both pixel formats as decoder output. Fluster VP9 test score stay at 147/303. [hverkuil: fix trivial checkpatch warnings] Signed-off-by: Benjamin Gaignard Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 34e14ee5331078659231706e5a7fe89a243c7d23 Author: Ming Qian Date: Tue Jun 28 06:21:12 2022 +0100 media: amphion: defer setting last_buffer_dequeued until resolution changes are processed [ Upstream commit afba6e20801ad9a2f863c52c21e609e021269d83 ] Don't set last_buffer_dequeued during dynamic resolution change, otherwise it may be cleared in handling resolution change, as streamoff may be called in dynamic resolution change. Normally, this does not happen. But we encounter a special testcase, User issue V4L2_DEC_CMD_STOP after enqueue one buffer that only contains codec config header, but not any frame data. So VPU report the parsed resolution, then report the eos event. So driver should notify user to handle resolution change first, after it's handled, set the last_buffer_dequeued. then the user can exit decoding normally. Otherwise the user may be stalled. Fixes: 6de8d628df6ef ("media: amphion: add v4l2 m2m vpu decoder stateful driver") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit eff68a9e24c3a73d37d481a968c575d60985049f Author: Chen-Yu Tsai Date: Mon Jul 4 09:49:30 2022 +0100 media: mediatek: vcodec: Initialize decoder parameters for each instance [ Upstream commit fe3d651627d61210c6905339e5281d3b9db75033 ] The decoder parameters are stored in each instance's context data. This needs to be initialized per-instance, but a previous fix incorrectly changed it to only be initialized for the first opened instance. This resulted in subsequent instances not correctly signaling the requirement for the Requests API. Fix this by calling the initializing function outside of the v4l2_fh_is_singular() conditional block. Fixes: faddaa735c20 ("media: mediatek: vcodec: Initialize decoder parameters after getting dec_capability") Signed-off-by: Chen-Yu Tsai Reviewed-by: Yunfei Dong Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a891de07766c03fb7889f1a78ce2ab7dde297b23 Author: Chen-Yu Tsai Date: Wed Jul 6 09:21:37 2022 +0100 media: mediatek: vcodec: decoder: Drop max_{width,height} from mtk_vcodec_ctx [ Upstream commit e8d266d533b171387945f8a0bad1944a5609f63b ] This partially reverts commit b018be06f3c7 ("media: mediatek: vcodec: Read max resolution from dec_capability"). After the previous patches: - media: mediatek: vcodec: decoder: Fix 4K frame size enumeration - media: mediatek: vcodec: decoder: Skip alignment for default resolution - media: mediatek: vcodec: decoder: Fix resolution clamping in TRY_FMT the max_{width,height} fields in |struct mtk_vcodec_ctx| no longer have any real users. Remove them. Fixes: b018be06f3c7 ("media: mediatek: vcodec: Read max resolution from dec_capability") Signed-off-by: Chen-Yu Tsai Tested-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 3bbdbc394f34c7e379716026a2e42f1033c13e2b Author: Chen-Yu Tsai Date: Wed Jul 6 09:21:35 2022 +0100 media: mediatek: vcodec: decoder: Skip alignment for default resolution [ Upstream commit 3b6a81a31370539f1fd0e9bdd315503aa154285e ] The default resolution of 64x64 is already aligned, according to the call to v4l_bound_align_image() in mtk_vcodec_dec_set_default_params(). Drop the redundant v4l_bound_align_image() call. This also removes one usage of ctx->max_{width,height}. Signed-off-by: Chen-Yu Tsai Tested-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 3bfbe29952be9c0c6e352ccd00c262b5c6163788 Author: Chen-Yu Tsai Date: Wed Jul 6 09:21:36 2022 +0100 media: mediatek: vcodec: decoder: Fix resolution clamping in TRY_FMT [ Upstream commit d7abd054201377aa441411ca081bd903fba82ce0 ] In commit b018be06f3c7 ("media: mediatek: vcodec: Read max resolution from dec_capability"), TRY_FMT clamps the resolution to the maximum that was previously set either by default 1080p or the limit set by a previous S_FMT call. This does not make sense when doing TRY_FMT for the output side, which may have different capabilities. Instead, for the output side, find the maximum resolution based on the pixel format requested. For the capture side, find the maximum resolution based on the currently set output format. The maximum resolution is found from the list of per-format frame sizes, so the patch "media: mediatek: vcodec: dec: Fix 4K frame size enumeration" is needed. Fixes: b018be06f3c7 ("media: mediatek: vcodec: Read max resolution from dec_capability") Signed-off-by: Chen-Yu Tsai Tested-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 325d2362cd86c411208873407d64940e31efc8b4 Author: Chen-Yu Tsai Date: Wed Jul 6 09:21:34 2022 +0100 media: mediatek: vcodec: decoder: Fix 4K frame size enumeration [ Upstream commit f1748f8f8174a65a885a8e6c0dc11658a6705ac2 ] This partially reverts commit b018be06f3c7 ("media: mediatek: vcodec: Read max resolution from dec_capability"). In this commit, the maximum resolution ended up being a function of both the firmware capability and the current set format. However, frame size enumeration for output (coded) formats should not depend on the format set, but should return supported resolutions for the format requested by userspace. Fix this so that the driver returns the supported resolutions correctly, even if the instance only has default settings, or if the output format is currently set to VP8F, which does not support 4K. This adds an copy of special casing for !VP8 and 4K support. The other existing copy will be removed when .max_{width,height} are removed from |struct mtk_vcodec_ctx| in a subsequent patch. Fixes: b018be06f3c7 ("media: mediatek: vcodec: Read max resolution from dec_capability") Signed-off-by: Chen-Yu Tsai Tested-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 2090efd15725c9f81e3562cc607c87a3570a2799 Author: Hans de Goede Date: Sun Jun 12 17:05:54 2022 +0100 media: atomisp: revert "don't pass a pointer to a local variable" [ Upstream commit a3b36a8ce3d0c277fe243fa1be6bd3f606ed130f ] The gcc is warning about returning a pointer to a local variable is a false positive. The type of handle is "struct ia_css_rmgr_vbuf_handle **" and "h.vptr" is left to NULL, so the "if ((*handle)->vptr == 0x0)" check always succeeds when the "*handle = &h;" statement which gcc warns about executes. Leading to this statement being executed: rmgr_pop_handle(pool, handle); If that succeeds, then *handle has been set to point to one of the pre-allocated array of handles, so it no longer points to h. If that fails the following statement will be executed: /* Note that handle will change to an internally maintained one */ ia_css_rmgr_refcount_retain_vbuf(handle); Which allocated a new handle from the array of pre-allocated handles and then makes *handle point to this. So the address of h is actually never returned. The fix for the false-postive compiler warning actually breaks the code, the new: **handle = h; is part of a "if (pool->copy_on_write) { ... }" which means that the handle where *handle points to should be treated read-only, IOW **handle must never be set, instead *handle must be set to point to a new handle (with a copy of the contents of the old handle). The old code correctly did this and the new fixed code gets this wrong. Note there is another patch in this series, which fixes the warning in another way. Link: https://lore.kernel.org/linux-media/20220612160556.108264-2-hdegoede@redhat.com Fixes: fa1451374ebf ("media: atomisp: don't pass a pointer to a local variable") Signed-off-by: Hans de Goede Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 8516d329dca4c61bf76653c23e06998d07ca8414 Author: Rob Clark Date: Thu Jul 7 14:20:00 2022 -0700 drm/msm/dpu: Fix for non-visible planes [ Upstream commit cb77085b1f0a86ef9dfba86b5f3ed6c3340c2ea3 ] Fixes `kms_cursor_crc --run-subtest cursor-offscreen`.. when the cursor moves offscreen the plane becomes non-visible, so we need to skip over it in crtc atomic test and mixer setup. Signed-off-by: Rob Clark Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") Reviewed-by: Dmitry Baryshkov Reviewed-by: Abhinav Kumar Patchwork: https://patchwork.freedesktop.org/patch/492819/ Link: https://lore.kernel.org/r/20220707212003.1710163-1-robdclark@gmail.com Signed-off-by: Sasha Levin commit 70b148acab7095e577e5594b82a4665c3b51dcac Author: Ming Qian Date: Tue Jun 28 06:19:52 2022 +0100 media: amphion: release core lock before reset vpu core [ Upstream commit a621cc4bed97e49f5a8019f5215dec7e208a7c4d ] In reset vpu core, driver will wait for a response event, but if there are still some events unhandled, they will be handled first, driver may acquire core lock for that. So if we do reset in core lock, it may led to reset timeout. Fixes: 9f599f351e86a ("media: amphion: add vpu core driver") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 4b8d0fa094aefe20e8d9558c5e9a7c25956cbcff Author: AngeloGioacchino Del Regno Date: Thu Jun 23 14:55:46 2022 +0100 media: platform: mtk-mdp: Fix mdp_ipi_comm structure alignment [ Upstream commit ab14c99c035da7156a3b66fa171171295bc4b89a ] The mdp_ipi_comm structure defines a command that is either PROCESS (start processing) or DEINIT (destroy instance); we are using this one to send PROCESS or DEINIT commands from Linux to an MDP instance through a VPU write but, while the first wants us to stay 4-bytes aligned, the VPU instead requires an 8-bytes data alignment. Keeping in mind that these commands are executed immediately after sending them (hence not chained with others before the VPU/MDP "actually" start executing), it is fine to simply add a padding of 4 bytes to this structure: this keeps the same performance as before, as we're still stack-allocating it, while avoiding hackery inside of mtk-vpu to ensure alignment bringing a definitely bigger performance impact. Fixes: c8eb2d7e8202 ("[media] media: Add Mediatek MDP Driver") Signed-off-by: AngeloGioacchino Del Regno Reviewed-by: Houlong Wei Reviewed-by: Irui Wang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a14dede1f9ad92047b56c588d9f358af0419888e Author: Zhengchao Shao Date: Fri Jul 1 09:59:54 2022 +0800 crypto: hisilicon - Kunpeng916 crypto driver don't sleep when in softirq [ Upstream commit 68740ab505431f268dc1ee26a54b871e75f0ddaa ] When kunpeng916 encryption driver is used to deencrypt and decrypt packets during the softirq, it is not allowed to use mutex lock. Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver") Signed-off-by: Zhengchao Shao Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit c9be45e4c69fde36522274f04d1aa0d097ae3958 Author: Zhengchao Shao Date: Fri Jul 1 09:55:11 2022 +0800 crypto: hisilicon/sec - don't sleep when in softirq [ Upstream commit 02884a4f12de11f54d4ca67a07dd1f111d96fdbd ] When kunpeng920 encryption driver is used to deencrypt and decrypt packets during the softirq, it is not allowed to use mutex lock. The kernel will report the following error: BUG: scheduling while atomic: swapper/57/0/0x00000300 Call trace: dump_backtrace+0x0/0x1e4 show_stack+0x20/0x2c dump_stack+0xd8/0x140 __schedule_bug+0x68/0x80 __schedule+0x728/0x840 schedule+0x50/0xe0 schedule_preempt_disabled+0x18/0x24 __mutex_lock.constprop.0+0x594/0x5dc __mutex_lock_slowpath+0x1c/0x30 mutex_lock+0x50/0x60 sec_request_init+0x8c/0x1a0 [hisi_sec2] sec_process+0x28/0x1ac [hisi_sec2] sec_skcipher_crypto+0xf4/0x1d4 [hisi_sec2] sec_skcipher_encrypt+0x1c/0x30 [hisi_sec2] crypto_skcipher_encrypt+0x2c/0x40 crypto_authenc_encrypt+0xc8/0xfc [authenc] crypto_aead_encrypt+0x2c/0x40 echainiv_encrypt+0x144/0x1a0 [echainiv] crypto_aead_encrypt+0x2c/0x40 esp_output_tail+0x348/0x5c0 [esp4] esp_output+0x120/0x19c [esp4] xfrm_output_one+0x25c/0x4d4 xfrm_output_resume+0x6c/0x1fc xfrm_output+0xac/0x3c0 xfrm4_output+0x64/0x130 ip_build_and_send_pkt+0x158/0x20c tcp_v4_send_synack+0xdc/0x1f0 tcp_conn_request+0x7d0/0x994 tcp_v4_conn_request+0x58/0x6c tcp_v6_conn_request+0xf0/0x100 tcp_rcv_state_process+0x1cc/0xd60 tcp_v4_do_rcv+0x10c/0x250 tcp_v4_rcv+0xfc4/0x10a4 ip_protocol_deliver_rcu+0xf4/0x200 ip_local_deliver_finish+0x58/0x70 ip_local_deliver+0x68/0x120 ip_sublist_rcv_finish+0x70/0x94 ip_list_rcv_finish.constprop.0+0x17c/0x1d0 ip_sublist_rcv+0x40/0xb0 ip_list_rcv+0x140/0x1dc __netif_receive_skb_list_core+0x154/0x28c __netif_receive_skb_list+0x120/0x1a0 netif_receive_skb_list_internal+0xe4/0x1f0 napi_complete_done+0x70/0x1f0 gro_cell_poll+0x9c/0xb0 napi_poll+0xcc/0x264 net_rx_action+0xd4/0x21c __do_softirq+0x130/0x358 irq_exit+0x11c/0x13c __handle_domain_irq+0x88/0xf0 gic_handle_irq+0x78/0x2c0 el1_irq+0xb8/0x140 arch_cpu_idle+0x18/0x40 default_idle_call+0x5c/0x1c0 cpuidle_idle_call+0x174/0x1b0 do_idle+0xc8/0x160 cpu_startup_entry+0x30/0x11c secondary_start_kernel+0x158/0x1e4 softirq: huh, entered softirq 3 NET_RX 0000000093774ee4 with preempt_count 00000100, exited with fffffe00? Fixes: 416d82204df4 ("crypto: hisilicon - add HiSilicon SEC V2 driver") Signed-off-by: Zhengchao Shao Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 69d05f0a4b1da66e781a9325fc26780c8b6256c9 Author: Mateusz Jończyk Date: Wed Jul 6 22:01:44 2022 +0200 drm/radeon: avoid bogus "vram limit (0) must be a power of 2" warning [ Upstream commit 9da2902609f7519c48eda84f953f72fee53f2b71 ] I was getting the following message on boot on Linux 5.19-rc5: radeon 0000:01:05.0: vram limit (0) must be a power of 2 (I didn't use any radeon.vramlimit commandline parameter). This is caused by commit 8c2d34eb53b9 ("drm/radeon: use kernel is_power_of_2 rather than local version") which removed radeon_check_pot_argument() and converted its users to is_power_of_2(). The two functions differ in its handling of 0, which is the default value of radeon_vram_limit: radeon_check_pot_argument() "incorrectly" considered it a power of 2, while is_power_of_2() does not. An appropriate conditional silences the warning message. It is not necessary to add a similar test to other callers of is_power_of_2() in radeon_device.c. The matching commit in amdgpu: commit 761175078466 ("drm/amdgpu: use kernel is_power_of_2 rather than local version") is unaffected by this bug. Tested on Radeon HD 3200. Not ccing stable, this is not serious enough. Fixes: 8c2d34eb53b9 ("drm/radeon: use kernel is_power_of_2 rather than local version") Cc: Alex Deucher Cc: Christian König Cc: "Pan, Xinhui" Cc: David Airlie Cc: Daniel Vetter Cc: Jonathan Gray Signed-off-by: Mateusz Jończyk Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 0b07f28c23ff50a7fa5dbc3f6b3b6bd53ac9fc70 Author: Rob Clark Date: Thu Jul 7 09:20:37 2022 -0700 drm/msm/mdp5: Fix global state lock backoff [ Upstream commit 92ef86ab513593c6329d04146e61f9a670e72fc5 ] We need to grab the lock after the early return for !hwpipe case. Otherwise, we could have hit contention yet still returned 0. Fixes an issue that the new CONFIG_DRM_DEBUG_MODESET_LOCK stuff flagged in CI: WARNING: CPU: 0 PID: 282 at drivers/gpu/drm/drm_modeset_lock.c:296 drm_modeset_lock+0xf8/0x154 Modules linked in: CPU: 0 PID: 282 Comm: kms_cursor_lega Tainted: G W 5.19.0-rc2-15930-g875cc8bc536a #1 Hardware name: Qualcomm Technologies, Inc. DB820c (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_modeset_lock+0xf8/0x154 lr : drm_atomic_get_private_obj_state+0x84/0x170 sp : ffff80000cfab6a0 x29: ffff80000cfab6a0 x28: 0000000000000000 x27: ffff000083bc4d00 x26: 0000000000000038 x25: 0000000000000000 x24: ffff80000957ca58 x23: 0000000000000000 x22: ffff000081ace080 x21: 0000000000000001 x20: ffff000081acec18 x19: ffff80000cfabb80 x18: 0000000000000038 x17: 0000000000000000 x16: 0000000000000000 x15: fffffffffffea0d0 x14: 0000000000000000 x13: 284e4f5f4e524157 x12: 5f534b434f4c5f47 x11: ffff80000a386aa8 x10: 0000000000000029 x9 : ffff80000cfab610 x8 : 0000000000000029 x7 : 0000000000000014 x6 : 0000000000000000 x5 : 0000000000000001 x4 : ffff8000081ad904 x3 : 0000000000000029 x2 : ffff0000801db4c0 x1 : ffff80000cfabb80 x0 : ffff000081aceb58 Call trace: drm_modeset_lock+0xf8/0x154 drm_atomic_get_private_obj_state+0x84/0x170 mdp5_get_global_state+0x54/0x6c mdp5_pipe_release+0x2c/0xd4 mdp5_plane_atomic_check+0x2ec/0x414 drm_atomic_helper_check_planes+0xd8/0x210 drm_atomic_helper_check+0x54/0xb0 ... ---[ end trace 0000000000000000 ]--- drm_modeset_lock attempting to lock a contended lock without backoff: drm_modeset_lock+0x148/0x154 mdp5_get_global_state+0x30/0x6c mdp5_pipe_release+0x2c/0xd4 mdp5_plane_atomic_check+0x290/0x414 drm_atomic_helper_check_planes+0xd8/0x210 drm_atomic_helper_check+0x54/0xb0 drm_atomic_check_only+0x4b0/0x8f4 drm_atomic_commit+0x68/0xe0 Fixes: d59be579fa93 ("drm/msm/mdp5: Return error code in mdp5_pipe_release when deadlock is detected") Signed-off-by: Rob Clark Reviewed-by: Abhinav Kumar Patchwork: https://patchwork.freedesktop.org/patch/492701/ Link: https://lore.kernel.org/r/20220707162040.1594855-1-robdclark@gmail.com Signed-off-by: Sasha Levin commit dc74006c10accac7cbaa6e870c02c893577cc409 Author: Yixun Lan Date: Wed Jul 6 22:02:04 2022 +0800 libbpf, riscv: Use a0 for RC register [ Upstream commit 935dc35c75318fa213d26808ad8bb130fb0b486e ] According to the RISC-V calling convention register usage here [0], a0 is used as return value register, so rename it to make it consistent with the spec. [0] section 18.2, table 18.2 https://riscv.org/wp-content/uploads/2015/01/riscv-calling.pdf Fixes: 589fed479ba1 ("riscv, libbpf: Add RISC-V (RV64) support to bpf_tracing.h") Signed-off-by: Yixun Lan Signed-off-by: Daniel Borkmann Acked-by: Björn Töpel Acked-by: Amjad OULED-AMEUR Link: https://lore.kernel.org/bpf/20220706140204.47926-1-dlan@gentoo.org Signed-off-by: Sasha Levin commit 9c8b3f05fb18fba12f3fca80a378c9b8f3d04cd6 Author: Douglas Anderson Date: Fri Jun 10 12:47:31 2022 -0700 drm/msm: Avoid unclocked GMU register access in 6xx gpu_busy [ Upstream commit 6694482a70e9536efbf2ac233cbf0c302d6e2dae ] From testing on sc7180-trogdor devices, reading the GMU registers needs the GMU clocks to be enabled. Those clocks get turned on in a6xx_gmu_resume(). Confusingly enough, that function is called as a result of the runtime_pm of the GPU "struct device", not the GMU "struct device". Unfortunately the current a6xx_gpu_busy() grabs a reference to the GMU's "struct device". The fact that we were grabbing the wrong reference was easily seen to cause crashes that happen if we change the GPU's pm_runtime usage to not use autosuspend. It's also believed to cause some long tail GPU crashes even with autosuspend. We could look at changing it so that we do pm_runtime_get_if_in_use() on the GPU's "struct device", but then we run into a different problem. pm_runtime_get_if_in_use() will return 0 for the GPU's "struct device" the whole time when we're in the "autosuspend delay". That is, when we drop the last reference to the GPU but we're waiting a period before actually suspending then we'll think the GPU is off. One reason that's bad is that if the GPU didn't actually turn off then the cycle counter doesn't lose state and that throws off all of our calculations. Let's change the code to keep track of the suspend state of devfreq. msm_devfreq_suspend() is always called before we actually suspend the GPU and msm_devfreq_resume() after we resume it. This means we can use the suspended state to know if we're powered or not. NOTE: one might wonder when exactly our status function is called when devfreq is supposed to be disabled. The stack crawl I captured was: msm_devfreq_get_dev_status devfreq_simple_ondemand_func devfreq_update_target qos_notifier_call qos_max_notifier_call blocking_notifier_call_chain pm_qos_update_target freq_qos_apply apply_constraint __dev_pm_qos_update_request dev_pm_qos_update_request msm_devfreq_idle_work Fixes: eadf79286a4b ("drm/msm: Check for powered down HW in the devfreq callbacks") Signed-off-by: Douglas Anderson Reviewed-by: Rob Clark Patchwork: https://patchwork.freedesktop.org/patch/489124/ Link: https://lore.kernel.org/r/20220610124639.v4.1.Ie846c5352bc307ee4248d7cab998ab3016b85d06@changeid Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit e2be585bc9acc1d2b99538778c4f3ccd0c28fff8 Author: Hsin-Yi Wang Date: Wed Jul 6 20:52:53 2022 +0800 drm/bridge: anx7625: Fix NULL pointer crash when using edp-panel [ Upstream commit dfb02eb6bdf84697dbadd69a7df12db612ce4ed0 ] Move devm_of_dp_aux_populate_ep_devices() after pm runtime and i2c setup to avoid NULL pointer crash. edp-panel probe (generic_edp_panel_probe) calls pm_runtime_get_sync() to read EDID. At this time, bridge should have pm runtime enabled and i2c clients ready. Fixes: adca62ec370c ("drm/bridge: anx7625: Support reading edid through aux channel") Signed-off-by: Hsin-Yi Wang Reviewed-by: Xin Ji Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220706125254.2474095-4-hsinyi@chromium.org Signed-off-by: Sasha Levin commit 3ba59bbe4f306bb6ee15753db0a40564c0eb7909 Author: Qiao Ma Date: Tue Jul 5 19:22:23 2022 +0800 net: hinic: avoid kernel hung in hinic_get_stats64() [ Upstream commit 98f9fcdee35add80505b6c73f72de5f750d5c03c ] When using hinic device as a bond slave device, and reading device stats of master bond device, the kernel may hung. The kernel panic calltrace as follows: Kernel panic - not syncing: softlockup: hung tasks Call trace: native_queued_spin_lock_slowpath+0x1ec/0x31c dev_get_stats+0x60/0xcc dev_seq_printf_stats+0x40/0x120 dev_seq_show+0x1c/0x40 seq_read_iter+0x3c8/0x4dc seq_read+0xe0/0x130 proc_reg_read+0xa8/0xe0 vfs_read+0xb0/0x1d4 ksys_read+0x70/0xfc __arm64_sys_read+0x20/0x30 el0_svc_common+0x88/0x234 do_el0_svc+0x2c/0x90 el0_svc+0x1c/0x30 el0_sync_handler+0xa8/0xb0 el0_sync+0x148/0x180 And the calltrace of task that actually caused kernel hungs as follows: __switch_to+124 __schedule+548 schedule+72 schedule_timeout+348 __down_common+188 __down+24 down+104 hinic_get_stats64+44 [hinic] dev_get_stats+92 bond_get_stats+172 [bonding] dev_get_stats+92 dev_seq_printf_stats+60 dev_seq_show+24 seq_read_iter+964 seq_read+220 proc_reg_read+164 vfs_read+172 ksys_read+108 __arm64_sys_read+28 el0_svc_common+132 do_el0_svc+40 el0_svc+24 el0_sync_handler+164 el0_sync+324 When getting device stats from bond, kernel will call bond_get_stats(). It first holds the spinlock bond->stats_lock, and then call hinic_get_stats64() to collect hinic device's stats. However, hinic_get_stats64() calls `down(&nic_dev->mgmt_lock)` to protect its critical section, which may schedule current task out. And if system is under high pressure, the task cannot be woken up immediately, which eventually triggers kernel hung panic. Since previous patch has replaced hinic_dev.tx_stats/rx_stats with local variable in hinic_get_stats64(), there is nothing need to be protected by lock, so just removing down()/up() is ok. Fixes: edd384f682cc ("net-next/hinic: Add ethtool and stats") Signed-off-by: Qiao Ma Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d6423b405c421204f68af136081b6e1511709d10 Author: Qiao Ma Date: Tue Jul 5 19:22:22 2022 +0800 net: hinic: fix bug that ethtool get wrong stats [ Upstream commit 67dffd3db98570af8ff54c934f7d14664c0d182a ] Function hinic_get_stats64() will do two operations: 1. reads stats from every hinic_rxq/txq and accumulates them 2. calls hinic_rxq/txq_clean_stats() to clean every rxq/txq's stats For hinic_get_stats64(), it could get right data, because it sums all data to nic_dev->rx_stats/tx_stats. But it is wrong for get_drv_queue_stats(), this function will read hinic_rxq's stats, which have been cleared to zero by hinic_get_stats64(). I have observed hinic's cleanup operation by using such command: > watch -n 1 "cat ethtool -S eth4 | tail -40" Result before: ... rxq7_pkts: 1 rxq7_bytes: 90 rxq7_errors: 0 rxq7_csum_errors: 0 rxq7_other_errors: 0 ... rxq9_pkts: 11 rxq9_bytes: 726 rxq9_errors: 0 rxq9_csum_errors: 0 rxq9_other_errors: 0 ... rxq11_pkts: 0 rxq11_bytes: 0 rxq11_errors: 0 rxq11_csum_errors: 0 rxq11_other_errors: 0 Result after a few seconds: ... rxq7_pkts: 0 rxq7_bytes: 0 rxq7_errors: 0 rxq7_csum_errors: 0 rxq7_other_errors: 0 ... rxq9_pkts: 2 rxq9_bytes: 132 rxq9_errors: 0 rxq9_csum_errors: 0 rxq9_other_errors: 0 ... rxq11_pkts: 1 rxq11_bytes: 170 rxq11_errors: 0 rxq11_csum_errors: 0 rxq11_other_errors: 0 To solve this problem, we just keep every queue's total stats in their own queue (aka hinic_{rxq|txq}), and simply sum all per-queue stats every time calling hinic_get_stats64(). With that solution, there is no need to clean per-queue stats now, and there is no need to maintain global hinic_dev.{tx|rx}_stats, too. Fixes: edd384f682cc ("net-next/hinic: Add ethtool and stats") Signed-off-by: Qiao Ma Reported-by: kernel test robot Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7784a5b64200f301f16632071abe5184a952a983 Author: Christophe JAILLET Date: Sun Jun 26 18:27:45 2022 +0200 hinic: Use the bitmap API when applicable [ Upstream commit 7c2c57263af41cfd8b5022274e6801542831bb69 ] 'vlan_bitmap' is a bitmap and is used as such. So allocate it with devm_bitmap_zalloc() and its explicit bit size (i.e. VLAN_N_VID). This avoids the need of the VLAN_BITMAP_SIZE macro which: - needlessly has a 'nic_dev' parameter - should be "long" (and not byte) aligned, so that the bitmap semantic is respected This is in fact not an issue because VLAN_N_VID is 4096 at the time being, but devm_bitmap_zalloc() is less verbose and easier to understand. Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/6ff7b7d21414240794a77dc2456914412718a145.1656260842.git.christophe.jaillet@wanadoo.fr Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c999b92841be29b3ed3a56c8a4c1b30597b029b0 Author: Vladimir Oltean Date: Mon Jul 4 22:02:41 2022 +0300 net: dsa: felix: build as module when tc-taprio is module [ Upstream commit 10ed11ab6399813eb652137db9c378433c28a95c ] felix_vsc9959.c calls taprio_offload_get() and taprio_offload_free(), symbols exported by net/sched/sch_taprio.c. As such, we must disallow building the Felix driver as built-in when the symbol exported by tc-taprio isn't present in the kernel image. Fixes: 1c9017e44af2 ("net: dsa: felix: keep reference on entire tc-taprio config") Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20220704190241.1288847-2-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 76a2e36b9f2d7c98ce85cee48255210ae5cc37ad Author: Vladimir Oltean Date: Mon Jul 4 22:02:40 2022 +0300 net: sched: provide shim definitions for taprio_offload_{get,free} [ Upstream commit d7be266adbfd3aca6965ea6a0c36b2c3d8fc9fc8 ] All callers of taprio_offload_get() and taprio_offload_free() prior to the blamed commit are conditionally compiled based on CONFIG_NET_SCH_TAPRIO. felix_vsc9959.c is different; it provides vsc9959_qos_port_tas_set() even when taprio is compiled out. Provide shim definitions for the functions exported by taprio so that felix_vsc9959.c is able to compile. vsc9959_qos_port_tas_set() in that case is dead code anyway, and ocelot_port->taprio remains NULL, which is fine for the rest of the logic. Fixes: 1c9017e44af2 ("net: dsa: felix: keep reference on entire tc-taprio config") Reported-by: Colin Foster Signed-off-by: Vladimir Oltean Tested-by: Colin Foster Acked-by: Vinicius Costa Gomes Link: https://lore.kernel.org/r/20220704190241.1288847-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 09ecee270c8b8eaeb55604141b83b95d80efac20 Author: Rob Clark Date: Wed Jun 15 09:24:35 2022 -0700 drm/msm: Fix fence rollover issue [ Upstream commit 2311720a0182756f175fbf4afc1fb76ac487b587 ] And while we are at it, let's start the fence counter close to the rollover point so that if issues slip in, they are more obvious. Signed-off-by: Rob Clark Fixes: fde5de6cb461 ("drm/msm: move fence code to it's own file") Fixes: 5f3aee4ceb5b ("drm/msm: Handle fence rollover") Patchwork: https://patchwork.freedesktop.org/patch/489619/ Link: https://lore.kernel.org/r/20220615162435.3011793-1-robdclark@gmail.com [DB: fixed the conflict while applying the patch] Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 7d25a310048cdc65c7d4231b5f3b1f0a0ad8d35d Author: Hangyu Hua Date: Wed May 18 14:58:56 2022 +0800 drm: bridge: sii8620: fix possible off-by-one [ Upstream commit 21779cc21c732c5eff8ea1624be6590450baa30f ] The next call to sii8620_burst_get_tx_buf will result in off-by-one When ctx->burst.tx_count + size == ARRAY_SIZE(ctx->burst.tx_buf). The same thing happens in sii8620_burst_get_rx_buf. This patch also change tx_count and tx_buf to rx_count and rx_buf in sii8620_burst_get_rx_buf. It is unreasonable to check tx_buf's size and use rx_buf. Fixes: e19e9c692f81 ("drm/bridge/sii8620: add support for burst eMSC transmissions") Signed-off-by: Hangyu Hua Reviewed-by: Andrzej Hajda Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220518065856.18936-1-hbh25y@gmail.com Signed-off-by: Sasha Levin commit 9ff0274708fce8a556ef19c6a6f86e36848e254a Author: Dmitry Baryshkov Date: Thu Jun 9 14:31:48 2022 +0300 drm/msm/hdmi: fill the pwr_regs bulk regulators [ Upstream commit a18a44e9262d5c7f7fbccbc9458df64d69185d41 ] Conversion to use bulk regulator API omitted filling the pwr_regs with proper regulator IDs. This was left unnoticed, since none of my testing platforms has used the pwr_regs. Fix this by propagating regulator ids properly. Fixes: 31b3b1f5e352 ("drm/msm/hdmi: use bulk regulator API") Signed-off-by: Dmitry Baryshkov Reviewed-by: Stephen Boyd Patchwork: https://patchwork.freedesktop.org/patch/488847/ Link: https://lore.kernel.org/r/20220609113148.3149194-1-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 829871d2428598fe8aa8d20057f87d3c2e211e17 Author: Abhinav Kumar Date: Thu Jun 16 12:01:24 2022 -0700 drm/msm/dpu: remove hard-coded linewidth limit for writeback [ Upstream commit 4edea8d305873336a626c5f4ce17cb8751059054 ] Remove the hard-coded limit for writeback and lets start using the one from catalog instead. changes in v3: - correct the Fixes tag Fixes: d7d0e73f7de3 ("drm/msm/dpu: introduce the dpu_encoder_phys_* for writeback") Signed-off-by: Abhinav Kumar Reviewed-by: Dmitry Baryshkov Patchwork: https://patchwork.freedesktop.org/patch/489888/ Link: https://lore.kernel.org/r/1655406084-17407-3-git-send-email-quic_abhinavk@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 62c31466c867d9dade88e8feb21dfad7eb68eef7 Author: Abhinav Kumar Date: Thu Jun 16 12:01:23 2022 -0700 drm/msm/dpu: fix maxlinewidth for writeback block [ Upstream commit a370cc392e075de5a4b7f3fb27cdeec0d70b5893 ] Writeback block for sm8250 was using the default maxlinewidth of 2048. But this is not right as it supports upto 4096. This should have no effect on most resolutions as we are still limiting upto maxlinewidth of SSPP for adding the modes. Fix the maxlinewidth for writeback block on sm8250. changes in v3: - correct the Fixes tag Fixes: 53324b99bd7b ("drm/msm/dpu: add writeback blocks to the sm8250 DPU catalog") Signed-off-by: Abhinav Kumar Reviewed-by: Dmitry Baryshkov Patchwork: https://patchwork.freedesktop.org/patch/489887/ Link: https://lore.kernel.org/r/1655406084-17407-2-git-send-email-quic_abhinavk@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 4adb1c10124ba1cf1a7050bfb91aff1a707f0c19 Author: Abhinav Kumar Date: Thu Jun 16 12:01:22 2022 -0700 drm/msm/dpu: move intf and wb assignment to dpu_encoder_setup_display() [ Upstream commit b4a624acabe99f2ea912e895529b8b37d1fa909d ] intf and wb resources are not dependent on the rm global state so need not be allocated during dpu_encoder_virt_atomic_mode_set(). Move the allocation of intf and wb resources to dpu_encoder_setup_display() so that we can utilize the hw caps even during atomic_check() phase. Since dpu_encoder_setup_display() already has protection against setting invalid intf_idx and wb_idx, these checks can now be dropped as well. changes in v2: - add phys->hw_intf and phys->hw_wb checks back changes in v3: - correct the Fixes tag Fixes: e02a559a720f ("drm/msm/dpu: make changes to dpu_encoder to support virtual encoder") Signed-off-by: Abhinav Kumar Reviewed-by: Dmitry Baryshkov Patchwork: https://patchwork.freedesktop.org/patch/489885/ Link: https://lore.kernel.org/r/1655406084-17407-1-git-send-email-quic_abhinavk@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit ecbc7aa0d6df0f4502f317c5bf58155872c148d2 Author: Guillaume Ranquet Date: Fri Jul 1 11:58:44 2022 +0800 drm/mediatek: dpi: Only enable dpi after the bridge is enabled [ Upstream commit aed61ef6beb911cc043af0f2f291167663995065 ] Enabling the dpi too early causes glitches on screen. Move the call to mtk_dpi_enable() at the end of the bridge_enable callback to ensure everything is setup properly before enabling dpi. Fixes: 9e629c17aa8d ("drm/mediatek: Add DPI sub driver") Signed-off-by: Guillaume Ranquet Signed-off-by: Bo-Chen Chen Tested-by: AngeloGioacchino Del Regno Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20220701035845.16458-16-rex-bc.chen@mediatek.com/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit 37157c7be48c6353d57b30555ed9225a0b646351 Author: Bo-Chen Chen Date: Fri Jul 1 11:58:33 2022 +0800 drm/mediatek: dpi: Remove output format of YUV [ Upstream commit c9ed0713b3c35fc45677707ba47f432cad95da56 ] DPI is not support output format as YUV, but there is the setting of configuring output YUV. Therefore, remove them in this patch. Fixes: 9e629c17aa8d ("drm/mediatek: Add DPI sub driver") Signed-off-by: Bo-Chen Chen Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20220701035845.16458-5-rex-bc.chen@mediatek.com/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit 295d7518d788534a534d03117cb6483f2f04207e Author: Christophe JAILLET Date: Sat Jun 18 19:08:05 2022 +0200 drm/rockchip: Fix an error handling path rockchip_dp_probe() [ Upstream commit 5074376822fe99fa4ce344b851c5016d00c0444f ] Should component_add() fail, we should call analogix_dp_remove() in the error handling path, as already done in the remove function. Fixes: 152cce0006ab ("drm/bridge: analogix_dp: Split bind() into probe() and real bind()") Signed-off-by: Christophe JAILLET Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/b719d9061bb97eb85145fbd3c5e63f4549f2e13e.1655572071.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 4d8f078e12a8e038ffb9bbb91c5603d6b53ff532 Author: Brian Norris Date: Fri Jun 17 17:26:52 2022 -0700 drm/rockchip: vop: Don't crash for invalid duplicate_state() [ Upstream commit 1449110b0dade8b638d2c17ab7c5b0ff696bfccb ] It's possible for users to try to duplicate the CRTC state even when the state doesn't exist. drm_atomic_helper_crtc_duplicate_state() (and other users of __drm_atomic_helper_crtc_duplicate_state()) already guard this with a WARN_ON() instead of crashing, so let's do that here too. Fixes: 4e257d9eee23 ("drm/rockchip: get rid of rockchip_drm_crtc_mode_config") Signed-off-by: Brian Norris Reviewed-by: Sean Paul Reviewed-by: Douglas Anderson Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/20220617172623.1.I62db228170b1559ada60b8d3e1637e1688424926@changeid Signed-off-by: Sasha Levin commit c5ca189564205fff8b5a45181640f46b586b03e0 Author: Alaa Mohamed Date: Thu Jun 30 12:24:49 2022 +0200 selftests: net: fib_rule_tests: fix support for running individual tests [ Upstream commit 9c154ab47f5e5ff632d2b7af6342c027d7e04b92 ] parsing and usage of -t got missed in the previous patch. this patch fixes it Fixes: 816cda9ae531 ("selftests: net: fib_rule_tests: add support to select a test to run") Signed-off-by: Alaa Mohamed Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 03ddc692424a164e88466549c4140bd736526662 Author: Vladimir Oltean Date: Tue Jun 28 17:52:37 2022 +0300 net: dsa: felix: drop oversized frames with tc-taprio instead of hanging the port [ Upstream commit 55a515b1f5a97df5704a1788fe97a4a740be2b9e ] Currently, sending a packet into a time gate too small for it (or always closed) causes the queue system to hold the frame forever. Even worse, this frame isn't subject to aging either, because for that to happen, it needs to be scheduled for transmission in the first place. But the frame will consume buffer memory and frame references while it is forever held in the queue system. Before commit a4ae997adcbd ("net: mscc: ocelot: initialize watermarks to sane defaults"), this behavior was somewhat subtle, as the switch had a more intricately tuned default watermark configuration out of reset, which did not allow any single port and tc to consume the entire switch buffer space. Nonetheless, the held frames are still there, and they reduce the total backplane capacity of the switch. However, after the aforementioned commit, the behavior can be very clearly seen, since we deliberately allow each {port, tc} to consume the entire shared buffer of the switch minus the reservations (and we disable all reservations by default). That is to say, we allow a permanently closed tc-taprio gate to hang the entire switch. A careful inspection of the documentation shows that the QSYS:Q_MAX_SDU per-port-tc registers serve 2 purposes: one is for guard band calculation (when zero, this falls back to QSYS:PORT_MAX_SDU), and the other is to enable oversized frame dropping (when non-zero). Currently the QSYS:Q_MAX_SDU registers are all zero, so oversized frame dropping is disabled. The goal of the change is to enable it seamlessly. For that, we need to hook into the MTU change, tc-taprio change, and port link speed change procedures, since we depend on these variables. Frames are not dropped on egress due to a queue system oversize condition, instead that egress port is simply excluded from the mask of valid destination ports for the packet. If there are no destination ports at all, the ingress counter that increments is the generic "drop_tail" in ethtool -S. The issue exists in various forms since the tc-taprio offload was introduced. Fixes: de143c0e274b ("net: dsa: felix: Configure Time-Aware Scheduler via taprio offload") Reported-by: Richie Pearn Signed-off-by: Vladimir Oltean Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 5d92f062ff1c48ea9e83b51951cca6d634652d67 Author: Vladimir Oltean Date: Tue Jun 28 17:52:35 2022 +0300 net: dsa: felix: keep reference on entire tc-taprio config [ Upstream commit 1c9017e44af2eee94b1001af18c401ae440ad77c ] In a future change we will need to remember the entire tc-taprio config on all ports rather than just the base time, so use the taprio_offload_get() helper function to replace ocelot_port->base_time with ocelot_port->taprio. Signed-off-by: Vladimir Oltean Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit a168d6cb2d33fcf3c4ba01b09041427d1b853d15 Author: Xiaoliang Yang Date: Fri Jun 17 11:24:23 2022 +0800 net: dsa: felix: update base time of time-aware shaper when adjusting PTP time [ Upstream commit 8670dc33f48bab4d7bb4b8d0232f17f4dae419ec ] When adjusting the PTP clock, the base time of the TAS configuration will become unreliable. We need reset the TAS configuration by using a new base time. For example, if the driver gets a base time 0 of Qbv configuration from user, and current time is 20000. The driver will set the TAS base time to be 20000. After the PTP clock adjustment, the current time becomes 10000. If the TAS base time is still 20000, it will be a future time, and TAS entry list will stop running. Another example, if the current time becomes to be 10000000 after PTP clock adjust, a large time offset can cause the hardware to hang. This patch introduces a tas_clock_adjust() function to reset the TAS module by using a new base time after the PTP clock adjustment. This can avoid issues above. Due to PTP clock adjustment can occur at any time, it may conflict with the TAS configuration. We introduce a new TAS lock to serialize the access to the TAS registers. Signed-off-by: Xiaoliang Yang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 998b1428772ac6b788bbe706eb70bcb60c26c872 Author: Maciej Fijalkowski Date: Wed Jun 29 16:34:58 2022 +0200 selftests/xsk: Destroy BPF resources only when ctx refcount drops to 0 [ Upstream commit 39e940d4abfabb08b6937a315546b24d10be67e3 ] Currently, xsk_socket__delete frees BPF resources regardless of ctx refcount. Xdpxceiver has a test to verify whether underlying BPF resources would not be wiped out after closing XSK socket that was bound to interface with other active sockets. From library's xsk part perspective it also means that the internal xsk context is shared and its refcount is bumped accordingly. After a switch to loading XDP prog based on previously opened XSK socket, mentioned xdpxceiver test fails with: not ok 16 [xdpxceiver.c:swap_xsk_resources:1334]: ERROR: 9/"Bad file descriptor which means that in swap_xsk_resources(), xsk_socket__delete() released xskmap which in turn caused a failure of xsk_socket__update_xskmap(). To fix this, when deleting socket, decrement ctx refcount before releasing BPF resources and do so only when refcount dropped to 0 which means there are no more active sockets for this ctx so BPF resources can be freed safely. Fixes: 2f6324a3937f ("libbpf: Support shared umems between queues and devices") Signed-off-by: Maciej Fijalkowski Signed-off-by: Daniel Borkmann Acked-by: Magnus Karlsson Link: https://lore.kernel.org/bpf/20220629143458.934337-5-maciej.fijalkowski@intel.com Signed-off-by: Sasha Levin commit 5242f2230d9f6df1ea6a78050ed8261c9875e450 Author: Qian Cai Date: Fri Jun 24 07:13:38 2022 -0400 crypto: arm64/gcm - Select AEAD for GHASH_ARM64_CE [ Upstream commit fac76f2260893dde5aa05bb693b4c13e8ed0454b ] Otherwise, we could fail to compile. ld: arch/arm64/crypto/ghash-ce-glue.o: in function 'ghash_ce_mod_exit': ghash-ce-glue.c:(.exit.text+0x24): undefined reference to 'crypto_unregister_aead' ld: arch/arm64/crypto/ghash-ce-glue.o: in function 'ghash_ce_mod_init': ghash-ce-glue.c:(.init.text+0x34): undefined reference to 'crypto_register_aead' Fixes: 537c1445ab0b ("crypto: arm64/gcm - implement native driver using v8 Crypto Extensions") Signed-off-by: Qian Cai Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit b613fba57f3b6df5fa5f2b1f1b5de764af54bcb5 Author: Matthew Wilcox (Oracle) Date: Tue Jun 28 20:15:29 2022 -0400 mm: Account dirty folios properly during splits [ Upstream commit fb5c2029f8221e904e604938171c4a8ef169aadb ] If the last folio in a file is split as a result of truncation, we simply clear the dirty bits for the pages we're discarding. That causes NR_FILE_DIRTY (among other counters) to be thrown off and eventually Linux will hang in balance_dirty_pages_ratelimited() Reported-by: Dave Chinner Tested-by: Dave Chinner Tested-by: Darrick J. Wong Fixes: d68eccad3706 ("mm/filemap: Allow large folios to be added to the page cache") Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Sasha Levin commit 392dea95fc802a84c90457c1c76df4a2349e7b1d Author: Dave Stevenson Date: Mon Jun 13 16:48:00 2022 +0200 drm/vc4: hdmi: Move pixel doubling from Pixelvalve to HDMI block [ Upstream commit 3650062e4281ab28a6f8c9d59606d0a6266be736 ] With the change to 2 pixels/clock, the pixel doubling in the PV results in doubling each pair of pixels, ie ABABCDCD instead of AABBCCDD. Move the pixel doubling to the HDMI block, however this means that DBLCLK modes now fall foul of requiring even values for all the horizontal timing parameters. As both 480i and 576i fail this, attempt to fix up DBLCLK modes that have odd timings values. Fixes: 8323989140f3 ("drm/vc4: hdmi: Support the BCM2711 HDMI controllers") Signed-off-by: Dave Stevenson Link: https://lore.kernel.org/r/20220613144800.326124-34-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit ad1c50bd181f94dc8840eff5109839b9cabde12e Author: Dave Stevenson Date: Mon Jun 13 16:47:59 2022 +0200 drm/vc4: hdmi: Correct HDMI timing registers for interlaced modes [ Upstream commit fb10dc451c0f15e3c19798a2f41d357f3f7576f5 ] For interlaced modes the timings were not being correctly programmed into the HDMI block, so correct them. Fixes: 8323989140f3 ("drm/vc4: hdmi: Support the BCM2711 HDMI controllers") Signed-off-by: Dave Stevenson Link: https://lore.kernel.org/r/20220613144800.326124-33-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit a868c24730534f4523c9e10af066d377c2bc6372 Author: Dom Cobley Date: Mon Jun 13 16:47:58 2022 +0200 drm/vc4: hdmi: Force modeset when bpc or format changes [ Upstream commit c94cd0620a922156c9ff9af9c3301b174b287677 ] Whenever the maximum BPC is changed, vc4_hdmi_encoder_compute_config() might pick up a different BPC or format depending on the display capabilities. That change will have a number of side effects, including the clock rates and whether the scrambling is enabled. However, only drm_crtc_state.connectors_changed will be set to true, since that properly only affects the connector. This means that while drm_atomic_crtc_needs_modeset() will return true, and thus drm_atomic_helper_commit_modeset_enables() will call our encoder atomic_enable() hook, mode_changed will be false. So crtc_set_mode() will not call our encoder .atomic_mode_set() hook. We use this hook in vc4 to set the vc4_hdmi_connector_state.output_bpc (and output_format), and will then reuse the value in .atomic_enable() to select whether or not scrambling should be enabled. However, since our clock rate is pre-computed during .atomic_check(), we end up with the clocks properly configured, but the scrambling disabled, leading to a blank screen. Let's set mode_changed to true in our HDMI driver to force the update of output_bpc, and thus prevent the issue entirely. Fixes: ba8c0faebbb0 ("drm/vc4: hdmi: Enable 10/12 bpc output") Signed-off-by: Dom Cobley Link: https://lore.kernel.org/r/20220613144800.326124-32-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit f04bdc1f98627976c4d0656120cc200bcb34a0c9 Author: Mateusz Kwiatkowski Date: Mon Jun 13 16:47:57 2022 +0200 drm/vc4: hdmi: Fix timings for interlaced modes [ Upstream commit 0ee5a40152b15f200ed3a0d51e8aa782ea979c6a ] Increase the number of post-sync blanking lines on odd fields instead of decreasing it on even fields. This makes the total number of lines properly match the modelines. Additionally fix the value of PV_VCONTROL_ODD_DELAY, which did not take pixels_per_clock into account, causing some displays to invert the fields when driven by bcm2711. Fixes: 682e62c45406 ("drm/vc4: Fix support for interlaced modes on HDMI.") Signed-off-by: Mateusz Kwiatkowski Link: https://lore.kernel.org/r/20220613144800.326124-31-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit b1a412c12da61ce6c6df3bfca3a9faf294a81a2a Author: Dave Stevenson Date: Mon Jun 13 16:47:50 2022 +0200 drm/vc4: hdmi: Move HDMI reset to pm_resume [ Upstream commit 467e30171b5b483922b1c24c573fa50787207cb6 ] The BCM2835-37 found in the RaspberryPi 0 to 3 have a power domain attached to the HDMI block, handled in Linux through runtime_pm. That power domain is shared with the VEC block, so even if we put our runtime_pm reference in the HDMI driver it would keep being on. If the VEC is disabled though, the power domain would be disabled and we would lose any initialization done in our bind implementation. That initialization involves calling the reset function and initializing the CEC registers. Let's move the initialization to our runtime_resume implementation so that we initialize everything properly if we ever need to. Fixes: c86b41214362 ("drm/vc4: hdmi: Move the HSM clock enable to runtime_pm") Signed-off-by: Dave Stevenson Link: https://lore.kernel.org/r/20220613144800.326124-24-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit 0241244456c139de5281bc61cb720652ea690f8d Author: Dave Stevenson Date: Mon Jun 13 16:47:49 2022 +0200 drm/vc4: hdmi: Switch to pm_runtime_status_suspended [ Upstream commit fcef97e70094a33ded73b3eb9bef06698c6e9c12 ] If the controller isn't clocked or its domain powered up, the register accesses will either stall the CPU or return garbage, respectively. Thus, we had a warning in our register access function to complain when that kind of risky accesses were performed. In order to check the runtime_pm power state, we were using pm_runtime_active(), but it turns out that it will become active only once the runtime_resume hook has been executed. This prevents us from doing any WARN-free register access in our runtime_resume() implementation, while this is valid. Let's switch to pm_runtime_status_suspended() instead. Fixes: 14e193b95604 ("drm/vc4: hdmi: Warn if we access the controller while disabled") Signed-off-by: Dave Stevenson Link: https://lore.kernel.org/r/20220613144800.326124-23-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit 6ecd49a51e4ba93f25a4788758f6410c304128ed Author: Dave Stevenson Date: Mon Jun 13 16:47:48 2022 +0200 drm/vc4: hdmi: Reset HDMI MISC_CONTROL register [ Upstream commit 35dc00c12a72700a9c4592afee7d136ecb280cbd ] The HDMI block can repeat pixels for double clocked modes, and the firmware is now configuring the block to do this as the PV is doing it incorrectly when at 2pixels/clock. If the kernel doesn't reset it then we end up with strange modes. Reset MISC_CONTROL. Fixes: 8323989140f3 ("drm/vc4: hdmi: Support the BCM2711 HDMI controllers") Signed-off-by: Dave Stevenson Link: https://lore.kernel.org/r/20220613144800.326124-22-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit 6f2955c531e126d72edcb5098fcd7d5c72eaf1e9 Author: Dom Cobley Date: Mon Jun 13 16:47:47 2022 +0200 drm/vc4: hdmi: Avoid full hdmi audio fifo writes [ Upstream commit 1c594eeccf92368177c2e22f1d3ee4933dfb8567 ] We are getting occasional VC4_HD_MAI_CTL_ERRORF in HDMI_MAI_CTL which seem to correspond with audio dropouts. Reduce the threshold where we deassert DREQ to avoid the fifo overfilling Fixes: bb7d78568814 ("drm/vc4: Add HDMI audio support") Signed-off-by: Dom Cobley Link: https://lore.kernel.org/r/20220613144800.326124-21-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit 70076808277032b1533e41099013acaf4b1caf0a Author: Dom Cobley Date: Mon Jun 13 16:47:46 2022 +0200 drm/vc4: hdmi: Clear unused infoframe packet RAM registers [ Upstream commit b6079d1578dc4b4b8050d613a5449a63def7d1dd ] Using a hdmi analyser the bytes in packet ram registers beyond the length were visible in the infoframes and it flagged the checksum as invalid. Zeroing unused words of packet RAM avoids this Fixes: 21317b3fba54 ("drm/vc4: Set up the AVI and SPD infoframes.") Signed-off-by: Dom Cobley Link: https://lore.kernel.org/r/20220613144800.326124-20-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit f70c25cf34f91cc6f40e79a5b7565fd0272d7396 Author: Dave Stevenson Date: Mon Jun 13 16:47:45 2022 +0200 drm/vc4: hdmi: Add all the vc5 HDMI registers into the debugfs dumps [ Upstream commit 25eb441d55d479581a65bcc9de88bc1d86bf76c1 ] The vc5 HDMI registers hadn't been added into the debugfs register sets, therefore weren't dumped on request. Add them in. Fixes: 8323989140f3 ("drm/vc4: hdmi: Support the BCM2711 HDMI controllers") Signed-off-by: Dave Stevenson Link: https://lore.kernel.org/r/20220613144800.326124-19-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit d84e417fa743867aa263e44f8c6eb95b6d2bbe9f Author: Dave Stevenson Date: Mon Jun 13 16:47:43 2022 +0200 drm/vc4: dsi: Add correct stop condition to vc4_dsi_encoder_disable iteration [ Upstream commit 7bcb9c8d0bc9f3cab8ac2634b056c2e6b63945ca ] vc4_dsi_encoder_disable is partially an open coded version of drm_bridge_chain_disable, but it missed a termination condition in the loop for ->disable which meant that no post_disable calls were made. Add in the termination clause. Fixes: 033bfe7538a1 ("drm/vc4: dsi: Fix bridge chain handling") Signed-off-by: Dave Stevenson Link: https://lore.kernel.org/r/20220613144800.326124-17-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit 31878b91b7531aeafa3b9209afd4d2c339640f2d Author: Dave Stevenson Date: Mon Jun 13 16:47:42 2022 +0200 drm/vc4: dsi: Fix dsi0 interrupt support [ Upstream commit bc5b815e06f90cccdb6461aba1e49fdc2f3c8cd1 ] DSI0 seemingly had very little or no testing as a load of the register mappings were incorrect/missing, so host transfers always timed out due to enabling/checking incorrect bits in the interrupt enable and status registers. Fixes: 4078f5757144 ("drm/vc4: Add DSI driver") Signed-off-by: Dave Stevenson Link: https://lore.kernel.org/r/20220613144800.326124-16-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit 8c43f2a534a641f943df6896f23de08310eff309 Author: Dave Stevenson Date: Mon Jun 13 16:47:41 2022 +0200 drm/vc4: dsi: Register dsi0 as the correct vc4 encoder type [ Upstream commit 4d9273c978d4c1af15d7874c10c732ec83d444d0 ] vc4_dsi was registering both dsi0 and dsi1 as VC4_ENCODER_TYPE_DSI1 which seemed to work OK for a single DSI display, but fails if there are two DSI displays connected. Update to register the correct type. Fixes: 4078f5757144 ("drm/vc4: Add DSI driver") Signed-off-by: Dave Stevenson Link: https://lore.kernel.org/r/20220613144800.326124-15-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit cfb936735c5b6435fffd5b6e0a271934334bea0b Author: Dave Stevenson Date: Mon Jun 13 16:47:40 2022 +0200 drm/vc4: dsi: Correct pixel order for DSI0 [ Upstream commit edfe84ae0df16be1251b5a8e840d95f1f3827500 ] For slightly unknown reasons, dsi0 takes a different pixel format to dsi1, and that has to be set in the pixel valve. Amend the setup accordingly. Fixes: a86773d120d7 ("drm/vc4: Add support for feeding DSI encoders from the pixel valve.") Signed-off-by: Dave Stevenson Link: https://lore.kernel.org/r/20220613144800.326124-14-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit 97f9d7fa09469cd8638d9036c21a9da926c8943e Author: Dave Stevenson Date: Mon Jun 13 16:47:39 2022 +0200 drm/vc4: dsi: Correct DSI divider calculations [ Upstream commit 3b45eee87da171caa28f61240ddb5c21170cda53 ] The divider calculations tried to find the divider just faster than the clock requested. However if it required a divider of 7 then the for loop aborted without handling the "error" case, and could end up with a clock lower than requested. The integer divider from parent PLL to DSI clock is also capable of going up to /255, not just /7 that the driver was trying. This allows for slower link frequencies on the DSI bus where the resolution permits. Correct the loop so that we always have a clock greater than requested, and covering the whole range of dividers. Fixes: 86c1b9eff3f2 ("drm/vc4: Adjust modes in DSI to work around the integer PLL divider.") Signed-off-by: Dave Stevenson Link: https://lore.kernel.org/r/20220613144800.326124-13-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit a4b21735d272905b5aa33d36004b77e1f0649b9d Author: Dave Stevenson Date: Mon Jun 13 16:47:38 2022 +0200 drm/vc4: dsi: Release workaround buffer and DMA [ Upstream commit 89c4bbe2a01ea401c2b0fabc104720809084b77f ] On Pi0-3 the driver allocates a buffer and requests a DMA channel because the ARM can't write to DSI1's registers directly. However, we never release that buffer or channel. Let's add a device-managed action to release each. Fixes: 4078f5757144 ("drm/vc4: Add DSI driver") Signed-off-by: Dave Stevenson Link: https://lore.kernel.org/r/20220613144800.326124-12-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit d5ab3cf692497fdebc94451fae14c0d09b7ebda8 Author: Dave Stevenson Date: Mon Jun 13 16:47:32 2022 +0200 drm/vc4: plane: Fix margin calculations for the right/bottom edges [ Upstream commit b7c3d6821627861f4ea3e1f2b595d0ed9e80aac8 ] The current plane margin calculation code clips the right and bottom edges of the range based using the left and top margins. This is obviously wrong, so let's fix it. Fixes: 666e73587f90 ("drm/vc4: Take margin setup into account when updating planes") Signed-off-by: Dave Stevenson Link: https://lore.kernel.org/r/20220613144800.326124-6-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit ea86677f8bb7c2261f535c0082c3756c184d8f71 Author: Dom Cobley Date: Mon Jun 13 16:47:31 2022 +0200 drm/vc4: plane: Remove subpixel positioning check [ Upstream commit 517db1ab1566dba3093dbdb8de4263ba4aa66416 ] There is little harm in ignoring fractional coordinates (they just get truncated). Without this: modetest -M vc4 -F tiles,gradient -s 32:1920x1080-60 -P89@74:1920x1080*.1.1@XR24 is rejected. We have the same issue in Kodi when trying to use zoom options on video. Note: even if all coordinates are fully integer. e.g. src:[0,0,1920,1080] dest:[-10,-10,1940,1100] it will still get rejected as drm_atomic_helper_check_plane_state uses drm_rect_clip_scaled which transforms this to fractional src coords Fixes: 21af94cf1a4c ("drm/vc4: Add support for scaling of display planes.") Signed-off-by: Dom Cobley Link: https://lore.kernel.org/r/20220613144800.326124-5-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit 0ed01803cc93d710722ae9acc8f0d3d396c015b8 Author: Maxime Ripard Date: Mon Jun 13 16:47:30 2022 +0200 drm/vc4: kms: Use maximum FIFO load for the HVS clock rate [ Upstream commit 1701a23a4ef0993964ccc2f2d5d13f83a5ff4c70 ] The core clock computation takes into account both the load due to the input (ie, planes) and its output (ie, encoders). However, while the input load needs to consider all the planes, and thus sum all of their associated loads, the output happens mostly in parallel. Therefore, we need to consider only the maximum of all the output loads, and not the sum like we were doing. This resulted in a clock rate way too high which could be discarded for being too high by the clock framework. Since recent changes, the clock framework will even downright reject it, leading to a core clock being too low for its current needs. Fixes: 16e101051f32 ("drm/vc4: Increase the core clock based on HVS load") Signed-off-by: Maxime Ripard Reviewed-by: Dave Stevenson Link: https://lore.kernel.org/r/20220613144800.326124-4-maxime@cerno.tech Signed-off-by: Sasha Levin commit 5d51e861e9a69b182a887fe026da300e0cd127be Author: Yunfei Dong Date: Fri Jun 17 08:25:21 2022 +0100 media: mediatek: vcodec: Fix non subdev architecture open power fail [ Upstream commit 083f54a7c9c66496b9d9f3c50dfdca24e6aa7012 ] According to subdev_bitmap bit value to open hardware power, need to set subdev_bitmap value for non subdev architecture. Fixes: c05bada35f01 ("media: mtk-vcodec: Add to support multi hardware decode") Signed-off-by: Yunfei Dong Reviewed-by: Chen-Yu Tsai Tested-by: Chen-Yu Tsai Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 8b412db51db24dfba22c96948580d4a12f831397 Author: Miaoqian Lin Date: Tue Jun 21 06:30:30 2022 +0100 media: tw686x: Fix memory leak in tw686x_video_init [ Upstream commit e0b212ec9d8177d6f7c404315293f6a085d6ee42 ] video_device_alloc() allocates memory for vdev, when video_register_device() fails, it doesn't release the memory and leads to memory leak, call video_device_release() to fix this. Fixes: 704a84ccdbf1 ("[media] media: Support Intersil/Techwell TW686x-based video capture cards") Signed-off-by: Miaoqian Lin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit f560b10b148e7101adbfffe9affec0021b6ce100 Author: Jian Zhang Date: Mon Jun 20 09:34:23 2022 +0100 media: driver/nxp/imx-jpeg: fix a unexpected return value problem [ Upstream commit 5b304046a81eda221b5d06a9c62f7b5e45530fa5 ] In function mxc_jpeg_probe(), when devm_clk_get() fail, the return value will be unexpected, and it should be the devm_clk_get's error code. Fixes: 4c2e5156d9fa6 ("media: imx-jpeg: Add pm-runtime support for imx-jpeg") Reported-by: Hulk Robot Signed-off-by: Jian Zhang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d65abbfa69146ed6221c27ccf985d4779203fb77 Author: Chen-Yu Tsai Date: Mon Jun 20 07:33:49 2022 +0100 media: mediatek: vcodec: Skip SOURCE_CHANGE & EOS events for stateless [ Upstream commit e13ca460e20ed42fe57a3845b0bb9a82f81f05cd ] The stateless decoder API does not specify the usage of SOURCE_CHANGE and EOF events. These events are used by stateful decoders to signal changes in the bitstream. They do not make sense for stateless decoders. Do not handle subscription for these two types of events for stateless decoder instances. This fixes the last v4l2-compliance error: Control ioctls: fail: v4l2-test-controls.cpp(946): have_source_change || have_eos test VIDIOC_(UN)SUBSCRIBE_EVENT/DQEVENT: FAIL Fixes: 8cdc3794b2e3 ("media: mtk-vcodec: vdec: support stateless API") Signed-off-by: Chen-Yu Tsai Reviewed-by: Nicolas Dufresne Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 1db89ef68622ea5b9577c0199ccfc11b33439ae2 Author: Yunfei Dong Date: Sat Jun 18 08:29:29 2022 +0100 media: mediatek: vcodec: Initialize decoder parameters after getting dec_capability [ Upstream commit faddaa735c208560a3f419038e8d154a01b584e3 ] Need to get dec_capability from scp first, then initialize decoder supported format and other parameters according to dec_capability value. Fixes: fd00d90330d1 ("media: mtk-vcodec: vdec: move stateful ops into their own file") Signed-off-by: Yunfei Dong Reviewed-by: Chen-Yu Tsai Tested-by: Chen-Yu Tsai Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 14bc7f8081a8cf9e44b4a3d26c5e162f5caca6e0 Author: Arnd Bergmann Date: Thu Jun 16 09:52:42 2022 +0100 media: sta2x11: remove VIRT_TO_BUS dependency [ Upstream commit a157802359f7451ed8046b2b6dbaca187797e062 ] This driver does not use the virt_to_bus() function, though it depends on x86 specific fixups in the swiotlb code, which was last rewritten in commit e380a0394c36 ("x86/PCI: sta2x11: use default DMA address translation"). It is possible that the driver still fails to build on some architectures that are missing CONFIG_VIRT_TO_BUS, but it is always set on x86 machines with the STA2X11 platform enabled. More likely though is that it was never meant to depend on CONFIG_VIRT_TO_BUS, and the Kconfig dependency was kept from an out-of-tree version when the driver was originally merged. Fixes: efeb98b4e2b2 ("[media] STA2X11 VIP: new V4L2 driver") Signed-off-by: Arnd Bergmann Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit fc43574e06902232a0332465814ac4afc64fc878 Author: Ming Qian Date: Wed Jun 15 04:19:20 2022 +0100 media: v4l2-mem2mem: prevent pollerr when last_buffer_dequeued is set [ Upstream commit d4de27a9b1eadd33a2e40de87a646d1bf5fef756 ] If the last buffer was dequeued from the capture queue, signal userspace. DQBUF(CAPTURE) will return -EPIPE. But if output queue is empty and capture queue is empty, v4l2_m2m_poll_for_data will return EPOLLERR, This is very easy to happen in drain. When last_buffer_dequeued is set, we shouldn't return EPOLLERR, but return EPOLLIN | EPOLLRDNORM. Fixes: 1698a7f151126 ("media: v4l2-mem2mem: simplify poll logic") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d27fed11f40f338a87932ac73d95723199463014 Author: Niels Dossche Date: Tue Jun 14 18:50:02 2022 +0100 media: hdpvr: fix error value returns in hdpvr_read [ Upstream commit 359c27c6ddbde404f44a9c0d3ec88ccd1e2042f2 ] Error return values are supposed to be negative in hdpvr_read. Most error returns are currently handled via an unsigned integer "ret". When setting a negative error value to "ret", the value actually becomes a large positive value, because "ret" is unsigned. Later on, the "ret" value is returned. But as ssize_t is a 64-bit signed number, the error return value stays a large positive integer instead of a negative integer. This can cause an error value to be interpreted as the read size, which can cause a buffer overread for applications relying on the returned size. Fixes: 9aba42efe85b ("V4L/DVB (11096): V4L2 Driver for the Hauppauge HD PVR usb capture device") Signed-off-by: Niels Dossche Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 32c827e30bb44ae809950a9efab59e98e44d30e5 Author: Miaoqian Lin Date: Wed May 25 15:54:11 2022 +0400 drm/mcde: Fix refcount leak in mcde_dsi_bind [ Upstream commit 3a149169e4a2f9127022fec6ef5d71b4e804b3b9 ] Every iteration of for_each_available_child_of_node() decrements the reference counter of the previous node. There is no decrement when break out from the loop and results in refcount leak. Add missing of_node_put() to fix this. Fixes: 5fc537bfd000 ("drm/mcde: Add new driver for ST-Ericsson MCDE") Signed-off-by: Miaoqian Lin Signed-off-by: Linus Walleij Link: https://patchwork.freedesktop.org/patch/msgid/20220525115411.65455-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 08baa39c2a2e5fea68b405fce5752bd00f127388 Author: Ming Qian Date: Fri Jun 10 07:26:11 2022 +0100 media: amphion: output firmware error message [ Upstream commit 89e3f3fb3d9014efa59ed6bb526d5f1a00168452 ] Firmware may send the error event with some error message, and it help locate the firmware error, so output the error message if it exists Fixes: 61cbf1c1fa6d7 ("media: amphion: implement vpu core communication based on mailbox") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit cea1fefd18f5bee4d887185f0f8c17b6e9eba1eb Author: Ming Qian Date: Fri Jun 10 03:00:57 2022 +0100 media: imx-jpeg: Disable slot interrupt when frame done [ Upstream commit 22a2bc88c139dc9757bdb1d0a3665ac27edc79a5 ] The interrupt STMBUF_HALF may be triggered after frame done. It may led to system hang if driver try to access the register after power off. Disable the slot interrupt when frame done. Fixes: 2db16c6ed72ce ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder") Signed-off-by: Ming Qian Reviewed-by: Mirela Rabulea Tested-by: Mirela Rabulea Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c1e951701992b86aecb81124dd10ae96c58f536b Author: Jiasheng Jiang Date: Thu Jun 2 18:34:01 2022 +0800 drm: bridge: adv7511: Add check for mipi_dsi_driver_register [ Upstream commit 831463667b5f4f1e5bce9c3b94e9e794d2bc8923 ] As mipi_dsi_driver_register could return error if fails, it should be better to check the return value and return error if fails. Moreover, if i2c_add_driver fails, mipi_dsi_driver_register should be reverted. Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Signed-off-by: Jiasheng Jiang Reviewed-by: Laurent Pinchart Signed-off-by: Sam Ravnborg Link: https://patchwork.freedesktop.org/patch/msgid/20220602103401.2980938-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit d87bbd10fc01b52c814113643f2707d2d10b0319 Author: Tom Lendacky Date: Thu Jun 16 10:26:18 2022 -0500 crypto: ccp - During shutdown, check SEV data pointer before using [ Upstream commit 1b05ece0c931536c0a38a9385e243a7962e933f6 ] On shutdown, each CCP device instance performs shutdown processing. However, __sev_platform_shutdown_locked() uses the controlling psp structure to obtain the pointer to the sev_device structure. However, during driver initialization, it is possible that an error can be received from the firmware that results in the sev_data pointer being cleared from the controlling psp structure. The __sev_platform_shutdown_locked() function does not check for this situation and will segfault. While not common, this scenario should be accounted for. Add a check for a NULL sev_device structure before attempting to use it. Fixes: 5441a07a127f ("crypto: ccp - shutdown SEV firmware on kexec") Signed-off-by: Tom Lendacky Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 91d120d579e2c91a3bb0f60f1d24dc0d7f32601a Author: Jörn-Thorben Hinz Date: Tue Jun 21 09:01:16 2022 +0200 selftests/bpf: Fix rare segfault in sock_fields prog test [ Upstream commit 6dc7a0baf1a70b7d22662d38481824c14ddd80c5 ] test_sock_fields__detach() got called with a null pointer here when one of the CHECKs or ASSERTs up to the test_sock_fields__open_and_load() call resulted in a jump to the "done" label. A skeletons *__detach() is not safe to call with a null pointer, though. This led to a segfault. Go the easy route and only call test_sock_fields__destroy() which is null-pointer safe and includes detaching. Came across this while looking[1] to introduce the usage of bpf_tcp_helpers.h (included in progs/test_sock_fields.c) together with vmlinux.h. [1] https://lore.kernel.org/bpf/629bc069dd807d7ac646f836e9dca28bbc1108e2.camel@mailbox.tu-berlin.de/ Fixes: 8f50f16ff39d ("selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads") Signed-off-by: Jörn-Thorben Hinz Signed-off-by: Andrii Nakryiko Reviewed-by: Jakub Sitnicki Reviewed-by: Martin KaFai Lau Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220621070116.307221-1-jthinz@mailbox.tu-berlin.de Signed-off-by: Sasha Levin commit b7960089439aa7bd042b5823ea92d702341f7819 Author: YueHaibing Date: Sat Jun 11 12:16:12 2022 +0800 drm/display: Fix build error without CONFIG_OF [ Upstream commit 876271118aa41097d035c84f99648746b4a125f3 ] While CONFIG_OF is n but COMPILE_TEST is y, we got this: WARNING: unmet direct dependencies detected for DRM_DP_AUX_BUS Depends on [n]: HAS_IOMEM [=y] && DRM [=y] && OF [=n] Selected by [y]: - DRM_MSM [=y] && HAS_IOMEM [=y] && DRM [=y] && (ARCH_QCOM || SOC_IMX5 || COMPILE_TEST [=y]) && COMMON_CLK [=y] && IOMMU_SUPPORT [=y] && (QCOM_OCMEM [=n] || QCOM_OCMEM [=n]=n) && (QCOM_LLCC [=y] || QCOM_LLCC [=y]=n) && (QCOM_COMMAND_DB [=n] || QCOM_COMMAND_DB [=n]=n) Make DRM_DP_AUX_BUS depends on OF || COMPILE_TEST to fix this warning. Fixes: 1e0f66420b13 ("drm/display: Introduce a DRM display-helper module") Signed-off-by: YueHaibing Reviewed-by: Dmitry Baryshkov Reviewed-by: Abhinav Kumar Acked-by: Linus Walleij Signed-off-by: Linus Walleij Link: https://patchwork.freedesktop.org/patch/msgid/20220611041612.1976-1-yuehaibing@huawei.com Signed-off-by: Sasha Levin commit 6593952d5803d64fbd26f56adcdf1ca678ca6257 Author: Jian Shen Date: Wed Jun 22 21:50:02 2022 +0800 test_bpf: fix incorrect netdev features [ Upstream commit 9676feccacdb0571791c88b23e3b7ac4e7c9c457 ] The prototype of .features is netdev_features_t, it should use NETIF_F_LLTX and NETIF_F_HW_VLAN_STAG_TX, not NETIF_F_LLTX_BIT and NETIF_F_HW_VLAN_STAG_TX_BIT. Fixes: cf204a718357 ("bpf, testing: Introduce 'gso_linear_no_head_frag' skb_segment test") Signed-off-by: Jian Shen Acked-by: John Fastabend Link: https://lore.kernel.org/r/20220622135002.8263-1-shenjian15@huawei.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 7e7472c62c6ded322afd9d5ac8bb20a08e7c5674 Author: Frederic Weisbecker Date: Fri Jun 10 15:03:57 2022 +0200 rcutorture: Fix ksoftirqd boosting timing and iteration [ Upstream commit 3002153a91a9732a6d1d0bb95138593c7da15743 ] The RCU priority boosting can fail in two situations: 1) If (nr_cpus= > maxcpus=), which means if the total number of CPUs is higher than those brought online at boot, then torture_onoff() may later bring up CPUs that weren't online on boot. Now since rcutorture initialization only boosts the ksoftirqds of the CPUs that have been set online on boot, the CPUs later set online by torture_onoff won't benefit from the boost, making RCU priority boosting fail. 2) The ksoftirqd kthreads are boosted after the creation of rcu_torture_boost() kthreads, which opens a window large enough for these rcu_torture_boost() kthreads to wait (despite running at FIFO priority) for ksoftirqds that are still running at SCHED_NORMAL priority. The issues can trigger for example with: ./kvm.sh --configs TREE01 --kconfig "CONFIG_RCU_BOOST=y" [ 34.968561] rcu-torture: !!! [ 34.968627] ------------[ cut here ]------------ [ 35.014054] WARNING: CPU: 4 PID: 114 at kernel/rcu/rcutorture.c:1979 rcu_torture_stats_print+0x5ad/0x610 [ 35.052043] Modules linked in: [ 35.069138] CPU: 4 PID: 114 Comm: rcu_torture_sta Not tainted 5.18.0-rc1 #1 [ 35.096424] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014 [ 35.154570] RIP: 0010:rcu_torture_stats_print+0x5ad/0x610 [ 35.198527] Code: 63 1b 02 00 74 02 0f 0b 48 83 3d 35 63 1b 02 00 74 02 0f 0b 48 83 3d 21 63 1b 02 00 74 02 0f 0b 48 83 3d 0d 63 1b 02 00 74 02 <0f> 0b 83 eb 01 0f 8e ba fc ff ff 0f 0b e9 b3 fc ff f82 [ 37.251049] RSP: 0000:ffffa92a0050bdf8 EFLAGS: 00010202 [ 37.277320] rcu: De-offloading 8 [ 37.290367] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000001 [ 37.290387] RDX: 0000000000000000 RSI: 00000000ffffbfff RDI: 00000000ffffffff [ 37.290398] RBP: 000000000000007b R08: 0000000000000000 R09: c0000000ffffbfff [ 37.290407] R10: 000000000000002a R11: ffffa92a0050bc18 R12: ffffa92a0050be20 [ 37.290417] R13: ffffa92a0050be78 R14: 0000000000000000 R15: 000000000001bea0 [ 37.290427] FS: 0000000000000000(0000) GS:ffff96045eb00000(0000) knlGS:0000000000000000 [ 37.290448] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 37.290460] CR2: 0000000000000000 CR3: 000000001dc0c000 CR4: 00000000000006e0 [ 37.290470] Call Trace: [ 37.295049] [ 37.295065] ? preempt_count_add+0x63/0x90 [ 37.295095] ? _raw_spin_lock_irqsave+0x12/0x40 [ 37.295125] ? rcu_torture_stats_print+0x610/0x610 [ 37.295143] rcu_torture_stats+0x29/0x70 [ 37.295160] kthread+0xe3/0x110 [ 37.295176] ? kthread_complete_and_exit+0x20/0x20 [ 37.295193] ret_from_fork+0x22/0x30 [ 37.295218] Fix this with boosting the ksoftirqds kthreads from the boosting hotplug callback itself and before the boosting kthreads are created. Fixes: ea6d962e80b6 ("rcutorture: Judge RCU priority boosting on grace periods, not callbacks") Signed-off-by: Frederic Weisbecker Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit e887a99b380cce1bef800ee5bc32f45a5d2255df Author: Paul E. McKenney Date: Tue May 17 13:22:28 2022 -0700 torture: Adjust to again produce debugging information [ Upstream commit 5c92d7501699a5deb72a579f808500db5bb6f92a ] A recent change to the DEBUG_INFO Kconfig option means that simply adding CONFIG_DEBUG_INFO=y to the .config file and running "make oldconfig" no longer works. It is instead necessary to add CONFIG_DEBUG_INFO_NONE=n and (for example) CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y. This combination will then result in CONFIG_DEBUG_INFO being selected. This commit therefore updates the Kconfig options produced in response to the kvm.sh --gdb, --kasan, and --kcsan Kconfig options. Fixes: f9b3cd245784 ("Kconfig.debug: make DEBUG_INFO selectable from a choice") Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit ca456c5104d47e021f749553ac25627e803c2d59 Author: Yifan Zhang Date: Mon Jun 20 16:24:58 2022 +0800 drm/amdkfd: correct sdma queue number of sdma 6.0.1 [ Upstream commit efb4fd107cfd9748f777a4e9015d803d3c9db68b ] sdma 6.0.1 has 8 queues instead of 2. Fixes: 26776a7031c423 ("drm/amdkfd: add GC 11.0.1 KFD support") Signed-off-by: Yifan Zhang Acked-by: Alex Deucher Reviewed-by: Tim Huang Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 8530292afa33266ff2ca55a3532279c2a8e6a23d Author: Mario Limonciello Date: Mon Jun 13 23:53:52 2022 -0500 drm/amd: Don't show warning on reading vbios values for SMU13 3.1 [ Upstream commit 1320d6c7b0deb7219701a55397e93e6c73d00366 ] Some APUs with SMU13 are showing the following message: `amdgpu 0000:63:00.0: amdgpu: Unexpected and unhandled version: 3.1` This warning isn't relevant for smu info 3.1, as no bootup information is present in the table. Fixes: 593a54f18031 ("drm/amd/pm: correct the way for retrieving bootup clocks") Signed-off-by: Mario Limonciello Reviewed-by: Evan Quan Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 35a59aee04e9417d6c68cbbab4e4a2b861fe89d9 Author: Alex Deucher Date: Wed Jun 15 12:02:08 2022 -0400 drm/radeon: fix incorrrect SPDX-License-Identifiers [ Upstream commit 1f43b8903f3aae4a26a603c36f6d5dd25d6edb51 ] radeon is MIT. This were incorrectly changed in commit b24413180f56 ("License cleanup: add SPDX GPL-2.0 license identifier to files with no license") and commit d198b34f3855 (".gitignore: add SPDX License Identifier") and: commit ec8f24b7faaf ("treewide: Add SPDX license identifier - Makefile/Kconfig") Fixes: d198b34f3855 (".gitignore: add SPDX License Identifier") Fixes: ec8f24b7faaf ("treewide: Add SPDX license identifier - Makefile/Kconfig") Fixes: b24413180f56 ("License cleanup: add SPDX GPL-2.0 license identifier to files with no license") Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2053 Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 5abc81a138f873ab55223ec674afc3a3f945d60f Author: Ping-Ke Shih Date: Mon Jun 13 14:51:44 2022 +0800 wifi: rtw89: 8852a: rfk: fix div 0 exception [ Upstream commit 683a4647a7a3044868cfdc14c117525091b9fa0c ] The DPK is a kind of RF calibration whose algorithm is to fine tune parameters and calibrate, and check the result. If the result isn't good enough, it could adjust parameters and try again. This issue is to read and show the result, but it could be a negative calibration result that causes divisor 0 and core dump. So, fix it by phy_div() that does division only if divisor isn't zero; otherwise, zero is adopted. divide error: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 728 Comm: wpa_supplicant Not tainted 5.10.114-16019-g462a1661811a #1 RIP: 0010:rtw8852a_dpk+0x14ae/0x288f [rtw89_core] RSP: 0018:ffffa9bb412a7520 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 00000000000180fc RDI: ffffa141d01023c0 RBP: ffffa9bb412a76a0 R08: 0000000000001319 R09: 00000000ffffff92 R10: ffffffffc0292de3 R11: ffffffffc00d2f51 R12: 0000000000000000 R13: ffffa141d01023c0 R14: ffffffffc0290250 R15: ffffa141d0102638 FS: 00007fa99f5c2740(0000) GS:ffffa142e5e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000013e8e010 CR3: 0000000110d2c000 CR4: 0000000000750ee0 PKRU: 55555554 Call Trace: rtw89_core_sta_add+0x95/0x9c [rtw89_core ] rtw89_ops_sta_state+0x5d/0x108 [rtw89_core ] drv_sta_state+0x115/0x66f [mac80211 ] sta_info_insert_rcu+0x45c/0x713 [mac80211 ] sta_info_insert+0xf/0x1b [mac80211 ] ieee80211_prep_connection+0x9d6/0xb0c [mac80211 ] ieee80211_mgd_auth+0x2aa/0x352 [mac80211 ] cfg80211_mlme_auth+0x160/0x1f6 [cfg80211 ] nl80211_authenticate+0x2e5/0x306 [cfg80211 ] genl_rcv_msg+0x371/0x3a1 ? nl80211_stop_sched_scan+0xe5/0xe5 [cfg80211 ] ? genl_rcv+0x36/0x36 netlink_rcv_skb+0x8a/0xf9 genl_rcv+0x28/0x36 netlink_unicast+0x27b/0x3a0 netlink_sendmsg+0x2aa/0x469 sock_sendmsg_nosec+0x49/0x4d ____sys_sendmsg+0xe5/0x213 __sys_sendmsg+0xec/0x157 ? syscall_enter_from_user_mode+0xd7/0x116 do_syscall_64+0x43/0x55 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7fa99f6e689b Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver") Signed-off-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220613065144.15647-1-pkshih@realtek.com Signed-off-by: Sasha Levin commit b7c39b1a3d4b8d2ba8c13d5ae1303705b03b46d4 Author: Alexey Kodanev Date: Wed Jun 8 20:16:14 2022 +0300 wifi: iwlegacy: 4965: fix potential off-by-one overflow in il4965_rs_fill_link_cmd() [ Upstream commit a8eb8e6f7159c7c20c0ddac428bde3d110890aa7 ] As a result of the execution of the inner while loop, the value of 'idx' can be equal to LINK_QUAL_MAX_RETRY_NUM. However, this is not checked after the loop and 'idx' is used to write the LINK_QUAL_MAX_RETRY_NUM size array 'lq_cmd->rs_table[idx]' below in the outer loop. The fix is to check the new value of 'idx' inside the nested loop, and break both loops if index equals the size. Checking it at the start is now pointless, so let's remove it. Detected using the static analysis tool - Svace. Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965") Signed-off-by: Alexey Kodanev Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220608171614.28891-1-aleksei.kodanev@bell-sw.com Signed-off-by: Sasha Levin commit cf8d8810f2e22be6f8aa5bfb4fdc44ef265f370f Author: Johannes Berg Date: Wed Jun 15 11:50:00 2022 +0200 wifi: mac80211: set STA deflink addresses [ Upstream commit 630c7e4621763220d23789fbb036e0cf227e0b22 ] We should set the STA deflink addresses in case no link is really added. Fixes: 046d2e7c50e3 ("mac80211: prepare sta handling for MLO support") Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit b66ebac40f64336ae2d053883bee85261060bd27 Author: Pavel Skripkin Date: Mon Jun 13 21:43:59 2022 +0300 ath9k: fix use-after-free in ath9k_hif_usb_rx_cb [ Upstream commit 0ac4827f78c7ffe8eef074bc010e7e34bc22f533 ] Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The problem was in incorrect htc_handle->drv_priv initialization. Probable call trace which can trigger use-after-free: ath9k_htc_probe_device() /* htc_handle->drv_priv = priv; */ ath9k_htc_wait_for_target() <--- Failed ieee80211_free_hw() <--- priv pointer is freed ... ath9k_hif_usb_rx_cb() ath9k_hif_usb_rx_stream() RX_STAT_INC() <--- htc_handle->drv_priv access In order to not add fancy protection for drv_priv we can move htc_handle->drv_priv initialization at the end of the ath9k_htc_probe_device() and add helper macro to make all *_STAT_* macros NULL safe, since syzbot has reported related NULL deref in that macros [1] Link: https://syzkaller.appspot.com/bug?id=6ead44e37afb6866ac0c7dd121b4ce07cb665f60 [0] Link: https://syzkaller.appspot.com/bug?id=b8101ffcec107c0567a0cd8acbbacec91e9ee8de [1] Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") Reported-and-tested-by: syzbot+03110230a11411024147@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+c6dde1f690b60e0b9fbe@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Acked-by: Toke Høiland-Jørgensen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/d57bbedc857950659bfacac0ab48790c1eda00c8.1655145743.git.paskripkin@gmail.com Signed-off-by: Sasha Levin commit 488b371e46b78cc739ccfe68a62fea99f9d1340c Author: Niklas Söderlund Date: Wed Jun 8 21:46:57 2022 +0100 media: rcar-vin: Fix channel routing for Ebisu [ Upstream commit 5b9b598453d3ae5fa66d7ab591008373a89b91a0 ] When converting to full Virtual Channel routing an error crept into the routing table for Ebisu (r8a77990). The routing information is used at probe time preventing rcar-vin from probing correctly on this SoC, solve by correcting the routing table. Fixes: 3e52419ec04f9769 ("media: rcar-{csi2,vin}: Move to full Virtual Channel routing per CSI-2 IP") Reported-by: Geert Uytterhoeven Signed-off-by: Niklas Söderlund Tested-by: Geert Uytterhoeven Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 9d6ee9fbb5c7c9d950e02340f2656d0d2bff49c7 Author: Ming Qian Date: Mon May 30 08:50:02 2022 +0100 media: imx-jpeg: Implement drain using v4l2-mem2mem helpers [ Upstream commit 4911c5acf9351c4caf692895c7cf6a4fa46c26b0 ] v4l2 m2m has supplied some helper function to handle drain, so the driver can use the helper function directly. Fixes: d8ebe298d008c ("media: imx-jpeg: Set V4L2_BUF_FLAG_LAST at eos") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 447795ffb17cd60bb544e0abfc9399e180a14a2f Author: Ming Qian Date: Mon May 30 08:49:19 2022 +0100 media: imx-jpeg: Align upwards buffer size [ Upstream commit 9e7aa76cdb02923ee23a0ddd48f38bdc3512f92b ] The hardware can support any image size WxH, with arbitrary W (image width) and H (image height) dimensions. Align upwards buffer size for both encoder and decoder. and leave the picture resolution unchanged. For decoder, the risk of memory out of bounds can be avoided. For both encoder and decoder, the driver will lift the limitation of resolution alignment. For example, the decoder can support jpeg whose resolution is 227x149 the encoder can support nv12 1080P, won't change it to 1920x1072. Fixes: 2db16c6ed72ce ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 81fd8e69a689a93b7129db33e5bd0317694fb14b Author: Ming Qian Date: Mon May 30 08:48:37 2022 +0100 media: imx-jpeg: Leave a blank space before the configuration data [ Upstream commit 6285cdea19daf764bf00f662a59fc83ef67345cf ] There is a hardware bug that it will load the first 128 bytes of configuration data twice, it will led to some configure error. so shift the configuration data 128 bytes, and make the first 128 bytes all zero, then hardware will load the 128 zero twice, and ignore them as garbage. then the configuration data can be loaded correctly Fixes: 2db16c6ed72ce ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder") Signed-off-by: Ming Qian Reviewed-by: Mirela Rabulea Reviewed-by: Tommaso Merciai Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 111dac25a0bc3e89e17a0e3f27fedcdf59cf8d2d Author: Ming Qian Date: Mon May 30 08:47:31 2022 +0100 media: imx-jpeg: Correct some definition according specification [ Upstream commit 5a601f89e846c1b6005ab274d039e5036fc22015 ] the register CAST_NOMFRSIZE_LO should be equal to CAST_STATUS16 the register CAST_NOMFRSIZE_HI should be equal to CAST_STATUS17 the register CAST_OFBSIZE_LO should be equal to CAST_STATUS18 the register CAST_OFBSIZE_HI should be equal to CAST_STATUS19 Fixes: 2db16c6ed72ce ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder") Signed-off-by: Ming Qian Reviewed-by: Mirela Rabulea Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 9e4c0afd0d074c42a9e13ac222b5868b7a5a9a70 Author: Benjamin Gaignard Date: Tue May 24 12:59:45 2022 +0100 media: Hantro: Correct G2 init qp field [ Upstream commit 300065f966d30baa59a13849753305aac8c320c3 ] Documentation said that g2 init_qp field use bits 24 to 30 of the 8th register. Change the field mask to be able to set 7 bits and not only 6 of them. Conformance test INITQP_B_Main10_Sony_1 decoding is OK with this patch. Fixes: cb5dd5a0fa518 ("media: hantro: Introduce G2/HEVC decoder") Signed-off-by: Benjamin Gaignard Reviewed-by: Nicolas Dufresne Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 4c33a0d48eb15aee4bb4ce9cf1b1e060dc8f0b8b Author: Ming Qian Date: Thu Jun 9 10:27:59 2022 +0100 media: amphion: return error if format is unsupported by vpu [ Upstream commit a3a2efca36a3a1ddba229a7be7991e8b5de4ac35 ] return error if format is unsupported by vpu, otherwise the vpu will be stalled at decoding Fixes: 3cd084519c6f9 ("media: amphion: add vpu v4l2 m2m support") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d0b9fbe947359a57b459a3ae2ad06e8457539c77 Author: Zheyu Ma Date: Sat May 21 07:24:01 2022 +0100 media: tw686x: Register the irq at the end of probe [ Upstream commit fb730334e0f759d00f72168fbc555e5a95e35210 ] We got the following warning when booting the kernel: [ 3.243674] INFO: trying to register non-static key. [ 3.243922] The code is fine but needs lockdep annotation, or maybe [ 3.244230] you didn't initialize this object before use? [ 3.245642] Call Trace: [ 3.247836] lock_acquire+0xff/0x2d0 [ 3.248727] tw686x_audio_irq+0x1a5/0xcc0 [tw686x] [ 3.249211] tw686x_irq+0x1f9/0x480 [tw686x] The lock 'vc->qlock' will be initialized in tw686x_video_init(), but the driver registers the irq before calling the tw686x_video_init(), and we got the warning. Fix this by registering the irq at the end of probe Fixes: 704a84ccdbf1 ("[media] media: Support Intersil/Techwell TW686x-based video capture cards") Signed-off-by: Zheyu Ma Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 19923b72e0c4c121d1f7fae4310a3fafbda858da Author: Yang Yingliang Date: Mon May 9 15:04:59 2022 +0100 media: camss: csid: fix wrong size passed to devm_kmalloc_array() [ Upstream commit 4c25384d136642d72098e36201ca988533e73065 ] 'supplies' is a pointer, the real size of struct regulator_bulk_data should be pass to devm_kmalloc_array(). Fixes: 0d8140179715 ("media: camss: Add regulator_bulk support") Signed-off-by: Yang Yingliang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit b3db99b49097d97949b0de071d47ccb27de23244 Author: Eugen Hristev Date: Tue May 3 12:12:16 2022 +0100 media: atmel: atmel-sama7g5-isc: fix warning in configs without OF [ Upstream commit b2bae4b8e637dd751d27918a6b27bd5abcd08859 ] All warnings (new ones prefixed by >>): >> drivers/media/platform/atmel/atmel-sama7g5-isc.c:610:34: warning: unused variable 'microchip_xisc_of_match' [-Wunused-const-variable] static const struct of_device_id microchip_xisc_of_match[] = { ^ 13 warnings generated. vim +/microchip_xisc_of_match +610 drivers/media/platform/atmel/atmel-sama7g5-isc.c 609 > 610 static const struct of_device_id microchip_xisc_of_match[] = { 611 { .compatible = "microchip,sama7g5-isc" }, 612 { } 613 }; 614 MODULE_DEVICE_TABLE(of, microchip_xisc_of_match); 615 Fixed warning by guarding the atmel_isc_of_match by CONFIG_OF. Reported-by: kernel test robot Fixes: c9aa973884a1 ("media: atmel: atmel-isc: add microchip-xisc driver") Signed-off-by: Eugen Hristev Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a28d77fe77e6138e9be58a62fb80b79fd2e0beaa Author: Kuniyuki Iwashima Date: Sun Jun 19 16:29:26 2022 -0700 raw: Fix mixed declarations error in raw_icmp_error(). [ Upstream commit 5da39e31b1b0eb62b8ed369ad9615da850239e9e ] The trailing semicolon causes a compiler error, so let's remove it. net/ipv4/raw.c: In function ‘raw_icmp_error’: net/ipv4/raw.c:266:2: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement] 266 | struct hlist_nulls_head *hlist; | ^~~~~~ Fixes: ba44f8182ec2 ("raw: use more conventional iterators") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 04309b5f5d8dd77996b19ae6be8f42f9fc1679a0 Author: Eric Dumazet Date: Fri Jun 17 20:47:05 2022 -0700 raw: convert raw sockets to RCU [ Upstream commit 0daf07e527095e64ee8927ce297ab626643e9f51 ] Using rwlock in networking code is extremely risky. writers can starve if enough readers are constantly grabing the rwlock. I thought rwlock were at fault and sent this patch: https://lkml.org/lkml/2022/6/17/272 But Peter and Linus essentially told me rwlock had to be unfair. We need to get rid of rwlock in networking code. Without this fix, following script triggers soft lockups: for i in {1..48} do ping -f -n -q 127.0.0.1 & sleep 0.1 done Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b5c20b86717e360b931aac472f9f5ca8760717d8 Author: Eric Dumazet Date: Fri Jun 17 20:47:04 2022 -0700 raw: use more conventional iterators [ Upstream commit ba44f8182ec299c5d1c8a72fc0fde4ec127b5a6d ] In order to prepare the following patch, I change raw v4 & v6 code to use more conventional iterators. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit de3d723a3985f282a8c9e468d1e198616eb291c8 Author: Eric Dumazet Date: Fri Jun 17 21:04:15 2022 -0700 ping: convert to RCU lookups, get rid of rwlock [ Upstream commit dbca1596bbb08318f5e3b3b99f8ca0a0d3830a65 ] Using rwlock in networking code is extremely risky. writers can starve if enough readers are constantly grabing the rwlock. I thought rwlock were at fault and sent this patch: https://lkml.org/lkml/2022/6/17/272 But Peter and Linus essentially told me rwlock had to be unfair. We need to get rid of rwlock in networking code. Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 203a26661e378c3bea1fbca6af2bdd3fd8f5bd3d Author: Oleksij Rempel Date: Thu Jun 16 13:37:24 2022 +0200 net: ag71xx: fix discards 'const' qualifier warning [ Upstream commit 225b0ed27e6ac523e5e98e7395392446859c7f20 ] Current kernel will compile this driver with warnings. This patch will fix it. drivers/net/ethernet/atheros/ag71xx.c: In function 'ag71xx_fast_reset': drivers/net/ethernet/atheros/ag71xx.c:996:31: warning: passing argument 2 of 'ag71xx_hw_set _macaddr' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] 996 | ag71xx_hw_set_macaddr(ag, dev->dev_addr); | ~~~^~~~~~~~~~ drivers/net/ethernet/atheros/ag71xx.c:951:69: note: expected 'unsigned char *' but argument is of type 'const unsigned char *' 951 | static void ag71xx_hw_set_macaddr(struct ag71xx *ag, unsigned char *mac) | ~~~~~~~~~~~~~~~^~~ drivers/net/ethernet/atheros/ag71xx.c: In function 'ag71xx_open': drivers/net/ethernet/atheros/ag71xx.c:1441:32: warning: passing argument 2 of 'ag71xx_hw_se t_macaddr' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] 1441 | ag71xx_hw_set_macaddr(ag, ndev->dev_addr); | ~~~~^~~~~~~~~~ drivers/net/ethernet/atheros/ag71xx.c:951:69: note: expected 'unsigned char *' but argument is of type 'const unsigned char *' 951 | static void ag71xx_hw_set_macaddr(struct ag71xx *ag, unsigned char *mac) | ~~~~~~~~~~~~~~~^~~ Fixes: adeef3e32146 ("net: constify netdev->dev_addr") Signed-off-by: Oleksij Rempel Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c402b8d5d304fe3616936349618e68ba520172e5 Author: Alexey Khoroshilov Date: Fri Jun 10 21:27:15 2022 +0300 crypto: sun8i-ss - fix infinite loop in sun8i_ss_setup_ivs() [ Upstream commit d61a7b3decf7f0cf4121a7204303deefd2c7151b ] There is no i decrement in while (i >= 0) loop. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Alexey Khoroshilov Fixes: 359e893e8af4 ("crypto: sun8i-ss - rework handling of IV") Acked-by: Corentin Labbe Tested-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 6e51cce3d9407d64e19ad4be13d85101a37c2878 Author: Eric Dumazet Date: Tue Jun 14 10:17:34 2022 -0700 tcp: fix possible freeze in tx path under memory pressure [ Upstream commit 849b425cd091e1804af964b771761cfbefbafb43 ] Blamed commit only dealt with applications issuing small writes. Issue here is that we allow to force memory schedule for the sk_buff allocation, but we have no guarantee that sendmsg() is able to copy some payload in it. In this patch, I make sure the socket can use up to tcp_wmem[0] bytes. For example, if we consider tcp_wmem[0] = 4096 (default on x86), and initial skb->truesize being 1280, tcp_sendmsg() is able to copy up to 2816 bytes under memory pressure. Before this patch a sendmsg() sending more than 2816 bytes would either block forever (if persistent memory pressure), or return -EAGAIN. For bigger MTU networks, it is advised to increase tcp_wmem[0] to avoid sending too small packets. v2: deal with zero copy paths. Fixes: 8e4d980ac215 ("tcp: fix behavior for epoll edge trigger") Signed-off-by: Eric Dumazet Acked-by: Soheil Hassas Yeganeh Reviewed-by: Wei Wang Reviewed-by: Shakeel Butt Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f2a3adbc620cdd0c114f290e83f2ee61c1706a23 Author: Andrii Nakryiko Date: Thu Jun 16 21:55:12 2022 -0700 selftests/bpf: Don't force lld on non-x86 architectures [ Upstream commit 08c79c9cd67fffd0d5538ddbd3a97b0a865b5eb5 ] LLVM's lld linker doesn't have a universal architecture support (e.g., it definitely doesn't work on s390x), so be safe and force lld for urandom_read and liburandom_read.so only on x86 architectures. This should fix s390x CI runs. Fixes: 3e6fe5ce4d48 ("libbpf: Fix internal USDT address translation logic for shared libraries") Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220617045512.1339795-1-andrii@kernel.org Signed-off-by: Sasha Levin commit 91aab96835780767baa68d994bcee36c7a808ad9 Author: Andrii Nakryiko Date: Wed Jun 15 22:55:43 2022 -0700 libbpf: Fix internal USDT address translation logic for shared libraries [ Upstream commit 3e6fe5ce4d4860c3a111c246fddc6f31492f4fb0 ] Perform the same virtual address to file offset translation that libbpf is doing for executable ELF binaries also for shared libraries. Currently libbpf is making a simplifying and sometimes wrong assumption that for shared libraries relative virtual addresses inside ELF are always equal to file offsets. Unfortunately, this is not always the case with LLVM's lld linker, which now by default generates quite more complicated ELF segments layout. E.g., for liburandom_read.so from selftests/bpf, here's an excerpt from readelf output listing ELF segments (a.k.a. program headers): Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align PHDR 0x000040 0x0000000000000040 0x0000000000000040 0x0001f8 0x0001f8 R 0x8 LOAD 0x000000 0x0000000000000000 0x0000000000000000 0x0005e4 0x0005e4 R 0x1000 LOAD 0x0005f0 0x00000000000015f0 0x00000000000015f0 0x000160 0x000160 R E 0x1000 LOAD 0x000750 0x0000000000002750 0x0000000000002750 0x000210 0x000210 RW 0x1000 LOAD 0x000960 0x0000000000003960 0x0000000000003960 0x000028 0x000029 RW 0x1000 Compare that to what is generated by GNU ld (or LLVM lld's with extra -znoseparate-code argument which disables this cleverness in the name of file size reduction): Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align LOAD 0x000000 0x0000000000000000 0x0000000000000000 0x000550 0x000550 R 0x1000 LOAD 0x001000 0x0000000000001000 0x0000000000001000 0x000131 0x000131 R E 0x1000 LOAD 0x002000 0x0000000000002000 0x0000000000002000 0x0000ac 0x0000ac R 0x1000 LOAD 0x002dc0 0x0000000000003dc0 0x0000000000003dc0 0x000262 0x000268 RW 0x1000 You can see from the first example above that for executable (Flg == "R E") PT_LOAD segment (LOAD #2), Offset doesn't match VirtAddr columns. And it does in the second case (GNU ld output). This is important because all the addresses, including USDT specs, operate in a virtual address space, while kernel is expecting file offsets when performing uprobe attach. So such mismatches have to be properly taken care of and compensated by libbpf, which is what this patch is fixing. Also patch clarifies few function and variable names, as well as updates comments to reflect this important distinction (virtaddr vs file offset) and to ephasize that shared libraries are not all that different from executables in this regard. This patch also changes selftests/bpf Makefile to force urand_read and liburand_read.so to be built with Clang and LLVM's lld (and explicitly request this ELF file size optimization through -znoseparate-code linker parameter) to validate libbpf logic and ensure regressions don't happen in the future. I've bundled these selftests changes together with libbpf changes to keep the above description tied with both libbpf and selftests changes. Fixes: 74cc6311cec9 ("libbpf: Add USDT notes parsing and resolution logic") Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220616055543.3285835-1-andrii@kernel.org Signed-off-by: Sasha Levin commit 12b0606000d0828630c033bf0c74c748464fe87d Author: Xu Wang Date: Fri Dec 27 09:34:32 2019 +0000 i2c: Fix a potential use after free [ Upstream commit e4c72c06c367758a14f227c847f9d623f1994ecf ] Free the adap structure only after we are done using it. This patch just moves the put_device() down a bit to avoid the use after free. Fixes: 611e12ea0f12 ("i2c: core: manage i2c bus device refcount in i2c_[get|put]_adapter") Signed-off-by: Xu Wang [wsa: added comment to the code, added Fixes tag] Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 56a1d1be57b956b5493ce6c18c993730dbbc11b8 Author: Zheng Bin Date: Mon Jun 13 23:06:53 2022 +0800 drm/bridge: it6505: Add missing CRYPTO_HASH dependency [ Upstream commit abf0ba5a34eae0d7359228f4319a6659676fbd0a ] The driver uses crypto hash functions so it needs to select CRYPTO_HASH. This fixes build errors: drivers/gpu/drm/bridge/ite-it6505.o: in function `it6505_hdcp_wait_ksv_list': ite-it6505.c:(.text+0x4c26): undefined reference to `crypto_alloc_shash' ite-it6505.c:(.text+0x4c6d): undefined reference to `crypto_shash_digest' ite-it6505.c:(.text+0x4c7d): undefined reference to `crypto_destroy_tfm' ite-it6505.c:(.text+0x4d69): undefined reference to `crypto_destroy_tfm' Fixes: b5c84a9edcd4 ("drm/bridge: add it6505 driver") Signed-off-by: Zheng Bin Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220613150653.1310029-1-zhengbin13@huawei.com Signed-off-by: Sasha Levin commit dbe871e3fe6aa747fb1b1a37d4d1dea9d50addea Author: Nícolas F. R. A. Prado Date: Mon Jun 13 12:37:05 2022 -0400 drm/bridge: anx7625: Zero error variable when panel bridge not present [ Upstream commit 3f49f7591e7150c502aa8d04354941ec2394153f ] While parsing the DT, the anx7625 driver checks for the presence of a panel bridge on endpoint 1. If it is missing, pdata->panel_bridge stores the error pointer and the function returns successfully without first cleaning that variable. This is an issue since other functions later check for the presence of a panel bridge by testing the trueness of that variable. In order to ensure proper behavior, zero out pdata->panel_bridge before returning when no panel bridge is found. Fixes: 9e82ea0fb1df ("drm/bridge: anx7625: switch to devm_drm_of_get_bridge") Signed-off-by: Nícolas F. R. A. Prado Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220613163705.1531721-1-nfraprado@collabora.com Signed-off-by: Sasha Levin commit 098f8dd9894c08bfacabc19eb24a20067dd2b92f Author: Marc Kleine-Budde Date: Sat Jun 11 16:20:58 2022 +0200 can: netlink: allow configuring of fixed data bit rates without need for do_set_data_bittiming callback [ Upstream commit ec30c109391c5eac9b1d689a61e4bfed88148947 ] This patch is similar to 7e193a42c37c ("can: netlink: allow configuring of fixed bit rates without need for do_set_bittiming callback") but for data bit rates instead of bit rates. Usually CAN devices support configurable data bit rates. The limits are defined by struct can_priv::data_bittiming_const. Another way is to implement the struct can_priv::do_set_data_bittiming callback. If the bit rate is configured via netlink, the can_changelink() function checks that either can_priv::data_bittiming_const or struct can_priv::do_set_data_bittiming is implemented. In commit 431af779256c ("can: dev: add CAN interface API for fixed bitrates") an API for configuring bit rates on CAN interfaces that only support fixed bit rates was added. The supported bit rates are defined by struct can_priv::bitrate_const. However the above mentioned commit forgot to add the struct can_priv::data_bitrate_const to the check in can_changelink(). In order to avoid to implement a no-op can_priv::do_set_data_bittiming callback on devices with fixed data bit rates, extend the check in can_changelink() accordingly. Link: https://lore.kernel.org/all/20220613143633.4151884-1-mkl@pengutronix.de Fixes: 431af779256c ("can: dev: add CAN interface API for fixed bitrates") Acked-by: Max Staudt Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 08f8288fc254450d180313195112f2325f1293a5 Author: Tales Lelo da Aparecida Date: Fri Apr 15 08:12:59 2022 -0300 drm/vkms: check plane_composer->map[0] before using it [ Upstream commit 24f6fe3226c6f9f1b8406311a96b59c6e650b707 ] Fix a copypasta error. The caller of compose_plane() already checks primary_composer->map. In contrast, plane_composer->map is never verified here before handling. Fixes: 7938f4218168 ("dma-buf-map: Rename to iosys-map") Reviewed-by: André Almeida Signed-off-by: Tales Lelo da Aparecida Signed-off-by: Melissa Wen Link: https://patchwork.freedesktop.org/patch/msgid/20220415111300.61013-2-tales.aparecida@gmail.com Signed-off-by: Sasha Levin commit ee746ecf1011b7918d65f39f339fd332f59e3f16 Author: Marc Kleine-Budde Date: Sat Jun 11 16:20:58 2022 +0200 can: netlink: allow configuring of fixed bit rates without need for do_set_bittiming callback [ Upstream commit 7e193a42c37cf40eba8ac5af2d5e8eeb8b9506f9 ] Usually CAN devices support configurable bit rates. The limits are defined by struct can_priv::bittiming_const. Another way is to implement the struct can_priv::do_set_bittiming callback. If the bit rate is configured via netlink, the can_changelink() function checks that either can_priv::bittiming_const or struct can_priv::do_set_bittiming is implemented. In commit 431af779256c ("can: dev: add CAN interface API for fixed bitrates") an API for configuring bit rates on CAN interfaces that only support fixed bit rates was added. The supported bit rates are defined by struct can_priv::bitrate_const. However the above mentioned commit forgot to add the struct can_priv::bitrate_const to the check in can_changelink(). In order to avoid to implement a no-op can_priv::do_set_bittiming callback on devices with fixed bit rates, extend the check in can_changelink() accordingly. Link: https://lore.kernel.org/all/20220611144248.3924903-1-mkl@pengutronix.de Fixes: 431af779256c ("can: dev: add CAN interface API for fixed bitrates") Reported-by: Max Staudt Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit edf73dbfcfa1eea40bcb9cfe71b59f0ff48d9571 Author: Eric Dumazet Date: Wed Jun 8 23:34:10 2022 -0700 net: fix sk_wmem_schedule() and sk_rmem_schedule() errors [ Upstream commit 7c80b038d23e1f4c7fcc311f43f83b8c60e7fb80 ] If sk->sk_forward_alloc is 150000, and we need to schedule 150001 bytes, we want to allocate 1 byte more (rounded up to one page), instead of 150001 :/ Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet Reviewed-by: Shakeel Butt Acked-by: Soheil Hassas Yeganeh Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 2e1b1aa1cd82547f0454b0943ddb2621e6f6fa7e Author: Peng Wu Date: Thu Jun 2 07:22:34 2022 +0000 crypto: sun8i-ss - fix a NULL vs IS_ERR() check in sun8i_ss_hashkey [ Upstream commit 7e8df1fc2d669d04c1f8a9e2d61d7afba1b43df4 ] The crypto_alloc_shash() function never returns NULL. It returns error pointers. Fixes: 801b7d572c0a ("crypto: sun8i-ss - add hmac(sha1)") Signed-off-by: Peng Wu Reported-by: Hulk Robot Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 0fdb5f86e75fcdac5cf487a4ff46b15ea7071c50 Author: Dan Carpenter Date: Wed May 18 20:33:54 2022 +0300 crypto: sun8i-ss - Fix error codes for dma_mapping_error() [ Upstream commit 6cb3f9b25c55928b95a02b9ed8e87ed653b3cce8 ] If there is a dma_mapping_error() then return negative error codes. Currently this code returns success. Fixes: 801b7d572c0a ("crypto: sun8i-ss - add hmac(sha1)") Signed-off-by: Dan Carpenter Acked-by: Corentin Labbe Tested-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 6a38eb8fbb90bbbcf40ca028bb69f3584b41a527 Author: Dan Carpenter Date: Wed May 18 20:33:44 2022 +0300 crypto: sun8i-ss - fix error codes in allocate_flows() [ Upstream commit d2765e1b9ac4b2d5a5d5bf17f468c9b3566c3770 ] These failure paths should return -ENOMEM. Currently they return success. Fixes: 359e893e8af4 ("crypto: sun8i-ss - rework handling of IV") Fixes: 8eec4563f152 ("crypto: sun8i-ss - do not allocate memory when handling hash requests") Signed-off-by: Dan Carpenter Acked-by: Corentin Labbe Tested-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 524d11a5b48899d2ae75f8d15fb50a9022467687 Author: Antonio Borneo Date: Tue Jun 7 23:31:44 2022 +0200 drm: adv7511: override i2c address of cec before accessing it [ Upstream commit 9cc4853e4781bf0dd0f35355dc92d97c9da02f5d ] Commit 680532c50bca ("drm: adv7511: Add support for i2c_new_secondary_device") allows a device tree node to override the default addresses of the secondary i2c devices. This is useful for solving address conflicts on the i2c bus. In adv7511_init_cec_regmap() the new i2c address of cec device is read from device tree and immediately accessed, well before it is written in the proper register to override the default address. This can cause an i2c error during probe and a consequent probe failure. Once the new i2c address is read from the device tree, override the default address before any attempt to access the cec. Tested with adv7533 and stm32mp157f. Signed-off-by: Antonio Borneo Fixes: 680532c50bca ("drm: adv7511: Add support for i2c_new_secondary_device") Reviewed-by: Kieran Bingham Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220607213144.427177-1-antonio.borneo@foss.st.com Signed-off-by: Sasha Levin commit e9d04d1c8db3c446f9cd0c9507b231ff768c9b81 Author: Andrii Nakryiko Date: Mon Jun 6 15:01:43 2022 -0700 libbpf: Fix uprobe symbol file offset calculation logic [ Upstream commit fe92833524e368e59bba9c57e00f7359f133667f ] Fix libbpf's bpf_program__attach_uprobe() logic of determining function's *file offset* (which is what kernel is actually expecting) when attaching uprobe/uretprobe by function name. Previously calculation was determining virtual address offset relative to base load address, which (offset) is not always the same as file offset (though very frequently it is which is why this went unnoticed for a while). Fixes: 433966e3ae04 ("libbpf: Support function name-based attach uprobes") Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Cc: Riham Selim Cc: Alan Maguire Link: https://lore.kernel.org/bpf/20220606220143.3796908-1-andrii@kernel.org Signed-off-by: Sasha Levin commit 0cde00c48ea2bef890a0db7a788cd4bfad1573ac Author: Miaoqian Lin Date: Thu Jun 2 14:42:22 2022 +0400 drm/virtio: Fix NULL vs IS_ERR checking in virtio_gpu_object_shmem_init [ Upstream commit c24968734abfed81c8f93dc5f44a7b7a9aecadfa ] Since drm_prime_pages_to_sg() function return error pointers. The drm_gem_shmem_get_sg_table() function returns error pointers too. Using IS_ERR() to check the return value to fix this. Fixes: 2f2aa13724d5 ("drm/virtio: move virtio_gpu_mem_entry initialization to new function") Signed-off-by: Miaoqian Lin Link: http://patchwork.freedesktop.org/patch/msgid/20220602104223.54527-1-linmq006@gmail.com Signed-off-by: Gerd Hoffmann Signed-off-by: Sasha Levin commit 367882a5a9448b5e1ba756125308092d614cb96c Author: Xiaomeng Tong Date: Sun Mar 27 13:09:45 2022 +0800 virtio-gpu: fix a missing check to avoid NULL dereference [ Upstream commit bd63f11f4c3c46afec07d821f74736161ff6e526 ] 'cache_ent' could be set NULL inside virtio_gpu_cmd_get_capset() and it will lead to a NULL dereference by a lately use of it (i.e., ptr = cache_ent->caps_cache). Fix it with a NULL check. Fixes: 62fb7a5e10962 ("virtio-gpu: add 3d/virgl support") Signed-off-by: Xiaomeng Tong Reviewed-by: Chia-I Wu Link: http://patchwork.freedesktop.org/patch/msgid/20220327050945.1614-1-xiam0nd.tong@gmail.com [ kraxel: minor codestyle fixup ] Signed-off-by: Gerd Hoffmann Signed-off-by: Sasha Levin commit bf38b1eee1bf156acbe2162f710ffedad5842c45 Author: Fabio Estevam Date: Wed May 25 22:09:14 2022 -0300 i2c: mxs: Silence a clang warning [ Upstream commit 3d43273d7d1e1a5374d531e901d3c537b4c97bbf ] Change the of_device_get_match_data() cast to (uintptr_t) to silence the following clang warning: drivers/i2c/busses/i2c-mxs.c:802:18: warning: cast to smaller integer type 'enum mxs_i2c_devtype' from 'const void *' [-Wvoid-pointer-to-enum-cast] Reported-by: kernel test robot Fixes: c32abd8b5691 ("i2c: mxs: Remove unneeded platform_device_id") Signed-off-by: Fabio Estevam Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 4ff1ee4c509d924688e2cc867effc7b7520dfb56 Author: Tali Perry Date: Wed May 25 11:23:39 2022 +0800 i2c: npcm: Correct slave role behavior [ Upstream commit d7aa1b149b8fc04d802879cf4662010aa4a42deb ] Correct the slave transaction logic to be compatible with the generic slave backend driver. Fixes: 56a1485b102e ("i2c: npcm7xx: Add Nuvoton NPCM I2C controller driver") Signed-off-by: Tali Perry Signed-off-by: Tyrone Ting Reviewed-by: Andy Shevchenko Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 261aeadc7be4414fd05d7617a8b086a8d32c943b Author: Tali Perry Date: Wed May 25 11:23:38 2022 +0800 i2c: npcm: Remove own slave addresses 2:10 [ Upstream commit 47d506d1a28fd10a9fb1f33df5622d88fae72095 ] NPCM can support up to 10 own slave addresses. In practice, only one address is actually being used. In order to access addresses 2 and above, need to switch register banks. The switch needs spinlock. To avoid using spinlock for this useless feature removed support of SA >= 2. Also fix returned slave event enum. Remove some comment since the bank selection is not required. The bank selection is not required since the supported slave addresses are reduced. Fixes: 56a1485b102e ("i2c: npcm7xx: Add Nuvoton NPCM I2C controller driver") Signed-off-by: Tali Perry Signed-off-by: Tyrone Ting Reviewed-by: Andy Shevchenko Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 308d0d5d98c294b1185d6d7da60b268e0fe30193 Author: Leung, Martin Date: Fri May 13 17:40:42 2022 -0400 drm/amdgpu/display: Prepare for new interfaces [ Upstream commit a820190204aef0739aa3a067d00273d117f9367c ] why: lut pipeline will be hooked up differently in some asics need to add new interfaces how: add them Reviewed-by: Krunoslav Kovac Acked-by: Jasdeep Dhillon Tested-by: Daniel Wheeler Signed-off-by: Martin Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 3262e5c7523b2f9ba88b823d89663adad26a61e0 Author: ZhenGuo Yin Date: Mon Jun 6 10:36:13 2022 +0800 drm/amdgpu: fix scratch register access method in SRIOV [ Upstream commit 851dd8625320fb626b6ab6399b2402fd84abcdfb ] The scratch register should be accessed through MMIO instead of RLCG in SRIOV, since it being used in RLCG register access function. Fixes: d54762cc3e6a ("drm/amdgpu: nuke dynamic gfx scratch reg allocation") Signed-off-by: ZhenGuo Yin Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 2a71a3574fd1ec0048a7623152076f3db80e4753 Author: Bjorn Andersson Date: Wed Jun 1 16:38:18 2022 -0700 drm/bridge: lt9611uxc: Cancel only driver's work [ Upstream commit dfa687bffc8a4a21ed929c7dececf01b8f1f52ee ] During device remove care needs to be taken that no work is pending before it removes the underlying DRM bridge etc, but this can be done on the specific work rather than waiting for the flush of the system-wide workqueue. Fixes: bc6fa8676ebb ("drm/bridge/lontium-lt9611uxc: move HPD notification out of IRQ handler") Signed-off-by: Bjorn Andersson Reviewed-by: Neil Armstrong Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220601233818.1877963-1-bjorn.andersson@linaro.org Signed-off-by: Sasha Levin commit 013e67e7dd898170cbf54981cf1ed7616f822566 Author: Miaoqian Lin Date: Wed Jun 1 07:39:27 2022 +0400 drm/meson: encoder_hdmi: Fix refcount leak in meson_encoder_hdmi_init [ Upstream commit d82a5a4aae9d0203234737caed1bf470aa317568 ] of_graph_get_remote_node() returns remote device nodepointer with refcount incremented, we should use of_node_put() on it when done. Add missing of_node_put() to avoid refcount leak. Fixes: e67f6037ae1b ("drm/meson: split out encoder from meson_dw_hdmi") Signed-off-by: Miaoqian Lin Reviewed-by: Martin Blumenstingl Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20220601033927.47814-3-linmq006@gmail.com Signed-off-by: Sasha Levin commit bb5ac08d5bd8626c318bd80a5063263daab8fdb6 Author: Miaoqian Lin Date: Wed Jun 1 07:39:26 2022 +0400 drm/meson: encoder_cvbs: Fix refcount leak in meson_encoder_cvbs_init [ Upstream commit 7d255ddbbf679aa47e041cbf68520fd985ed2279 ] of_graph_get_remote_node() returns remote device nodepointer with refcount incremented, we should use of_node_put() on it when done. Add missing of_node_put() to avoid refcount leak. Fixes: 318ba02cd8a8 ("drm/meson: encoder_cvbs: switch to bridge with ATTACH_NO_CONNECTOR") Signed-off-by: Miaoqian Lin Reviewed-by: Martin Blumenstingl Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20220601033927.47814-2-linmq006@gmail.com Signed-off-by: Sasha Levin commit 69d9b8b59e3bb4ab2533ae5c66792313ecf7a6cf Author: Xinlei Lee Date: Fri May 20 10:00:07 2022 +0800 drm/mediatek: Add pull-down MIPI operation in mtk_dsi_poweroff function [ Upstream commit fa5d0a0205c34734c5b8daa77e39ac2817f63a10 ] In the dsi_enable function, mtk_dsi_rxtx_control is to pull up the MIPI signal operation. Before dsi_disable, MIPI should also be pulled down by writing a register instead of disabling dsi. If disable dsi without pulling the mipi signal low, the value of the register will still maintain the setting of the mipi signal being pulled high. After resume, even if the mipi signal is not pulled high, it will still be in the high state. Fixes: 2e54c14e310f ("drm/mediatek: Add DSI sub driver") Link: https://patchwork.kernel.org/project/linux-mediatek/patch/1653012007-11854-5-git-send-email-xinlei.lee@mediatek.com/ Signed-off-by: Jitao Shi Signed-off-by: Xinlei Lee Reviewed-by: Rex-BC Chen Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit 3185bbeb5c0e3c9780e8cb90467ef1dd4ce3e4e4 Author: Jitao Shi Date: Fri May 20 10:00:05 2022 +0800 drm/mediatek: Separate poweron/poweroff from enable/disable and define new funcs [ Upstream commit cde7e2e35c2866d22a3a012e72a41052dfcc255d ] In order to match the changes of "Use the drm_panel_bridge API", the poweron/poweroff of dsi is extracted from enable/disable and defined as new funcs (atomic_pre_enable/atomic_post_disable). Since dsi_poweron is moved from dsi_enable to pre_enable function, in order to avoid poweron failure, the operation of dsi register fails to cause bus hang. Therefore, the protection mechanism is added to the dsi_enable function. Fixes: 2dd8075d2185 ("drm/mediatek: mtk_dsi: Use the drm_panel_bridge API") Link: https://patchwork.kernel.org/project/linux-mediatek/patch/1653012007-11854-3-git-send-email-xinlei.lee@mediatek.com/ Signed-off-by: Jitao Shi Signed-off-by: Xinlei Lee Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Rex-BC Chen Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit ae5ed32c8e919990eefb4599814b4a67396176b7 Author: Xinlei Lee Date: Fri May 20 10:00:04 2022 +0800 drm/mediatek: Modify dsi funcs to atomic operations [ Upstream commit 7f6335c6a258edf4d5ff1b904bc033188dc7b48b ] Because .enable & .disable are deprecated. Use .atomic_enable & .atomic_disable instead. Link: https://patchwork.kernel.org/project/linux-mediatek/patch/1653012007-11854-2-git-send-email-xinlei.lee@mediatek.com/ Signed-off-by: Jitao Shi Signed-off-by: Xinlei Lee Reviewed-by: Rex-BC Chen Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit 9faff03617afeced1c4e5daa89e79b3906374342 Author: Alexey Kodanev Date: Mon Jun 6 16:50:54 2022 +0300 drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers() [ Upstream commit 136f614931a2bb73616b292cf542da3a18daefd5 ] The last case label can write two buffers 'mc_reg_address[j]' and 'mc_data[j]' with 'j' offset equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE since there are no checks for this value in both case labels after the last 'j++'. Instead of changing '>' to '>=' there, add the bounds check at the start of the second 'case' (the first one already has it). Also, remove redundant last checks for 'j' index bigger than array size. The expression is always false. Moreover, before or after the patch 'table->last' can be equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE and it seems it can be a valid value. Detected using the static analysis tool - Svace. Fixes: 69e0b57a91ad ("drm/radeon/kms: add dpm support for cayman (v5)") Signed-off-by: Alexey Kodanev Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 2fd530d17d083784b0349bf63d2ccfde8ac86c8c Author: Manikanta Pubbisetty Date: Thu Jun 2 17:59:29 2022 +0530 ath11k: Avoid REO CMD failed prints during firmware recovery [ Upstream commit 0ab52b2bd7be8fd49c8ade7703c1faa15359c6c5 ] Currently when firmware recovery is in progress, we do not queue REO commands to the firmware, instead -ESHUTDOWN will be returned to the caller leading to a failure print on the console. The REO command in the problem scenario is sent for all tids of a peer in which case we will have 16 failure prints on the console for a single peer. For an AP usecase, this count would be even higher in a worst case scenario. Since these commands are bound to fail during firmware recovery, it is better to avoid printing these failures and thereby avoid message flooding on the console. Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-00887-QCAMSLSWPLZ-1 Fixes: 8ee8d38ca472 ("ath11k: Fix crash during firmware recovery on reo cmd ring access") Signed-off-by: Manikanta Pubbisetty Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220602122929.18896-1-quic_mpubbise@quicinc.com Signed-off-by: Sasha Levin commit deec1597f3b459ad6fee927169e43700b22e27f9 Author: Manikanta Pubbisetty Date: Thu Jun 2 17:26:21 2022 +0530 ath11k: Fix incorrect debug_mask mappings [ Upstream commit 9331f7d3c54a263bede5055e106e40b28d0bd937 ] Currently a couple of debug_mask entries are mapped to the same value, this could enable unintended driver logging. If enabling DP_TX logs was the intention, then this could also enable PCI logs flooding the dmesg buffer or vice versa. Fix this by correctly assigning the debug masks. Found during code review. Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-00887-QCAMSLSWPLZ-1 Fixes: aa2092a9bab3f ("ath11k: add raw mode and software crypto support") Signed-off-by: Manikanta Pubbisetty Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220602115621.15339-1-quic_mpubbise@quicinc.com Signed-off-by: Sasha Levin commit 1f1483361585ae7556492f50f83f038bbdf8c294 Author: Christian Marangi Date: Sat May 28 16:25:16 2022 +0200 ath11k: fix missing skb drop on htc_tx_completion error [ Upstream commit e5646fe3b7ef739c392e59da7db6adf5e1fdef42 ] On htc_tx_completion error the skb is not dropped. This is wrong since the completion_handler logic expect the skb to be consumed anyway even when an error is triggered. Not freeing the skb on error is a memory leak since the skb won't be freed anywere else. Correctly free the packet on eid >= ATH11K_HTC_EP_COUNT before returning. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1 Fixes: f951380a6022 ("ath11k: Disabling credit flow for WMI path") Signed-off-by: Christian 'Ansuel' Marangi Reviewed-by: Jeff Johnson Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220528142516.20819-2-ansuelsmth@gmail.com Signed-off-by: Sasha Levin commit 81bb39a0f2f385e91b2b2751f628388c3b450ddb Author: Yuze Chi Date: Thu Jun 2 22:51:56 2022 -0700 libbpf: Fix is_pow_of_2 [ Upstream commit 611edf1bacc51355ccb497915695db7f869cb382 ] Move the correct definition from linker.c into libbpf_internal.h. Fixes: 0087a681fa8c ("libbpf: Automatically fix up BPF_MAP_TYPE_RINGBUF size, if necessary") Reported-by: Yuze Chi Signed-off-by: Yuze Chi Signed-off-by: Ian Rogers Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220603055156.2830463-1-irogers@google.com Signed-off-by: Sasha Levin commit 26f0067ae603d1ef2c7a1739d4419df0c03fab63 Author: Martin KaFai Lau Date: Wed Jun 1 16:40:50 2022 -0700 selftests/bpf: Fix tc_redirect_dtime [ Upstream commit e6ff92f41b65fce07365f1066fb13b5e42aca08d ] tc_redirect_dtime was reported flaky from time to time. It always fails at the udp test and complains about the bpf@tc-ingress got a skb->tstamp when handling udp packet. It is unexpected because the skb->tstamp should have been cleared when crossing different netns. The most likely cause is that the skb is actually a tcp packet from the earlier tcp test. It could be the final TCP_FIN handling. This patch tightens the skb->tstamp check in the bpf prog. It ensures the skb is the current testing traffic. First, it checks that skb matches the IPPROTO of the running test (i.e. tcp vs udp). Second, it checks the server port (dst_ns_port). The server port is unique for each test (50000 + test_enum). Also fixed a typo in test_udp_dtime(): s/P100/P101/ Fixes: c803475fd8dd ("bpf: selftests: test skb->tstamp in redirect_neigh") Reported-by: Andrii Nakryiko Signed-off-by: Martin KaFai Lau Signed-off-by: Andrii Nakryiko Acked-by: Song Liu Link: https://lore.kernel.org/bpf/20220601234050.2572671-1-kafai@fb.com Signed-off-by: Sasha Levin commit 993b2d0ea0bd6c5693c4d38fdd93f786f118175b Author: Lorenzo Bianconi Date: Wed May 25 11:44:27 2022 +0200 sample: bpf: xdp_router_ipv4: Allow the kernel to send arp requests [ Upstream commit 200a89e3e88786b52bc1dd5f26a310c097f4c6a7 ] Forward the packet to the kernel if the gw router mac address is missing in to trigger ARP discovery. Fixes: 85bf1f51691c ("samples: bpf: Convert xdp_router_ipv4 to XDP samples helper") Signed-off-by: Lorenzo Bianconi Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/60bde5496d108089080504f58199bcf1143ea938.1653471558.git.lorenzo@kernel.org Signed-off-by: Sasha Levin commit a838592a9c492ba12d91c7c252899a49be8f4328 Author: Yuntao Wang Date: Sat May 21 23:13:29 2022 +0800 selftests/bpf: Fix test_run logic in fexit_stress.c [ Upstream commit eb7b36ce47f830a01ad9405e673b563cc3638d5d ] In the commit da00d2f117a0 ("bpf: Add test ops for BPF_PROG_TYPE_TRACING"), the bpf_fentry_test1 function was moved into bpf_prog_test_run_tracing(), which is the test_run function of the tracing BPF programs. Thus calling 'bpf_prog_test_run_opts(filter_fd, &topts)' will not trigger bpf_fentry_test1 function as filter_fd is a sk_filter BPF program. Fix it by replacing filter_fd with fexit_fd in the bpf_prog_test_run_opts() function. Fixes: da00d2f117a0 ("bpf: Add test ops for BPF_PROG_TYPE_TRACING") Signed-off-by: Yuntao Wang Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220521151329.648013-1-ytcoode@gmail.com Signed-off-by: Sasha Levin commit 460a4a850bae8c09a20beaae4a0f09ceed4847a1 Author: Javier Martinez Canillas Date: Mon May 30 16:02:46 2022 +0200 drm/ssd130x: Only define a SPI device ID table when built as a module [ Upstream commit 01ece65132e2980ece4eca91105dfc9eed504881 ] The kernel test robot reports a compile warning due the ssd130x_spi_table variable being defined but not used. This happen when ssd130x-spi driver is built-in instead of being built as a module, i.e: CC drivers/gpu/drm/solomon/ssd130x-spi.o AR drivers/base/firmware_loader/built-in.a AR drivers/base/built-in.a CC kernel/trace/trace.o drivers/gpu/drm/solomon/ssd130x-spi.c:155:35: warning: ‘ssd130x_spi_table’ defined but not used [-Wunused-const-variable=] 155 | static const struct spi_device_id ssd130x_spi_table[] = { | ^~~~~~~~~~~~~~~~~ The driver shouldn't need a SPI device ID table and only have an OF device ID table, but the former is needed to workaround an issue in the SPI core. This always reports a MODALIAS of the form "spi:" even for devices registered through Device Trees. But the table is only needed when the driver built as a module to populate the .ko alias info. It's not needed when the driver is built-in the kernel. Fixes: 74373977d2ca ("drm/solomon: Add SSD130x OLED displays SPI support") Reported-by: kernel test robot Signed-off-by: Javier Martinez Canillas Reviewed-by: Nathan Chancellor Link: https://patchwork.freedesktop.org/patch/msgid/20220530140246.742469-1-javierm@redhat.com Signed-off-by: Sasha Levin commit 4815d57050fee69387dadb954c70a10b3835df0e Author: Yunhao Tian Date: Tue May 10 11:02:19 2022 +0800 drm/mipi-dbi: align max_chunk to 2 in spi_transfer [ Upstream commit 435c249008cba04ed6a7975e9411f3b934620204 ] In __spi_validate, there's a validation that no partial transfers are accepted (xfer->len % w_size must be zero). When max_chunk is not a multiple of bpw (e.g. max_chunk = 65535, bpw = 16), the transfer will be rejected. This patch aligns max_chunk to 2 bytes (the maximum value of bpw is 16), so that no partial transfer will occur. Fixes: d23d4d4dac01 ("drm/tinydrm: Move tinydrm_spi_transfer()") Signed-off-by: Yunhao Tian Signed-off-by: Noralf Trønnes Link: https://patchwork.freedesktop.org/patch/msgid/20220510030219.2486687-1-t123yh.xyz@gmail.com Signed-off-by: Sasha Levin commit 313aca98c5fd3f8bc3f213ccb8f8c2cc07e35dd5 Author: Johan Hovold Date: Mon May 23 16:32:58 2022 +0200 ath11k: fix IRQ affinity warning on shutdown [ Upstream commit 3bd0c69653ac636eae8872aacdcd4156f772f928 ] Make sure to clear the IRQ affinity hint also on shutdown to avoid triggering a WARN_ON_ONCE() in __free_irq() when stopping MHI while using a single MSI vector. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 Fixes: e94b07493da3 ("ath11k: Set IRQ affinity to CPU0 in case of one MSI vector") Signed-off-by: Johan Hovold Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220523143258.24818-1-johan+linaro@kernel.org Signed-off-by: Sasha Levin commit 307ce58270b3b50ca21cfcc910568429b06803f7 Author: Johan Hovold Date: Sun May 22 15:33:16 2022 +0300 ath11k: fix netdev open race [ Upstream commit d4ba1ff87b17e81686ada8f429300876f55f95ad ] Make sure to allocate resources needed before registering the device. This specifically avoids having a racing open() trigger a BUG_ON() in mod_timer() when ath11k_mac_op_start() is called before the mon_reap_timer as been set up. I did not see this issue with next-20220310, but I hit it on every probe with next-20220511. Perhaps some timing changed in between. Here's the backtrace: [ 51.346947] kernel BUG at kernel/time/timer.c:990! [ 51.346958] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ... [ 51.578225] Call trace: [ 51.583293] __mod_timer+0x298/0x390 [ 51.589518] mod_timer+0x14/0x20 [ 51.595368] ath11k_mac_op_start+0x41c/0x4a0 [ath11k] [ 51.603165] drv_start+0x38/0x60 [mac80211] [ 51.610110] ieee80211_do_open+0x29c/0x7d0 [mac80211] [ 51.617945] ieee80211_open+0x60/0xb0 [mac80211] [ 51.625311] __dev_open+0x100/0x1c0 [ 51.631420] __dev_change_flags+0x194/0x210 [ 51.638214] dev_change_flags+0x24/0x70 [ 51.644646] do_setlink+0x228/0xdb0 [ 51.650723] __rtnl_newlink+0x460/0x830 [ 51.657162] rtnl_newlink+0x4c/0x80 [ 51.663229] rtnetlink_rcv_msg+0x124/0x390 [ 51.669917] netlink_rcv_skb+0x58/0x130 [ 51.676314] rtnetlink_rcv+0x18/0x30 [ 51.682460] netlink_unicast+0x250/0x310 [ 51.688960] netlink_sendmsg+0x19c/0x3e0 [ 51.695458] ____sys_sendmsg+0x220/0x290 [ 51.701938] ___sys_sendmsg+0x7c/0xc0 [ 51.708148] __sys_sendmsg+0x68/0xd0 [ 51.714254] __arm64_sys_sendmsg+0x28/0x40 [ 51.720900] invoke_syscall+0x48/0x120 Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Fixes: 840c36fa727a ("ath11k: dp: stop rx pktlog before suspend") Signed-off-by: Johan Hovold Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220517103436.15867-1-johan+linaro@kernel.org Signed-off-by: Sasha Levin commit 24d7da5c978f76ec05bb5d7b75ba3a39115e8560 Author: Ajay Singh Date: Tue May 24 12:06:19 2022 +0000 wifi: wilc1000: use correct sequence of RESET for chip Power-UP/Down [ Upstream commit fcf690b0b47494df51d214db5c5a714a400b0257 ] For power-up sequence, WILC expects RESET set to high 5ms after making chip_en(enable) so corrected chip power-up sequence by making RESET high. For Power-Down sequence, the correct sequence make RESET and CHIP_EN low without any extra delay. Fixes: ec031ac4792c ("wilc1000: Add reset/enable GPIO support to SPI driver") Signed-off-by: Ajay Singh Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220524120606.9675-1-ajay.kathat@microchip.com Signed-off-by: Sasha Levin commit 72efb32be108be4b8b914f13c0345596dcc5a6c2 Author: Dan Carpenter Date: Tue May 17 14:48:44 2022 +0300 wifi: rtlwifi: fix error codes in rtl_debugfs_set_write_h2c() [ Upstream commit b88d28146c30a8e14f0f012d56ebf19b68a348f4 ] If the copy_from_user() fails or the user gives invalid date then the correct thing to do is to return a negative error code. (Currently it returns success). I made a copy additional related cleanups: 1) There is no need to check "buffer" for NULL. That's handled by copy_from_user(). 2) The "h2c_len" variable cannot be negative because it is unsigned and because sscanf() does not return negative error codes. Fixes: 610247f46feb ("rtlwifi: Improve debugging by using debugfs") Signed-off-by: Dan Carpenter Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/YoOLnDkHgVltyXK7@kili Signed-off-by: Sasha Levin commit df59b91dd8af6057195066c5e0cff80affbf0b55 Author: Fabio Estevam Date: Wed May 25 18:53:16 2022 -0300 drm: bridge: adv7511: Move CEC definitions to adv7511_cec.c [ Upstream commit 91776af1d8deb8f36cbec6bf2bf24b661b2b5cbb ] ADV7511_REG_CEC_RX_FRAME_HDR[] and ADV7511_REG_CEC_RX_FRAME_LEN[] are only used inside adv7511_cec.c. Move their definitions to this file to avoid the following build warnings when CONFIG_DRM_I2C_ADV7511_CEC is not selected: drivers/gpu/drm/bridge/adv7511/adv7511.h:229:17: warning: 'ADV7511_REG_CEC_RX_FRAME_HDR' defined but not used [-Wunused-const-variable=] drivers/gpu/drm/bridge/adv7511/adv7511.h:235:17: warning: 'ADV7511_REG_CEC_RX_FRAME_LEN' defined but not used [-Wunused-const-variable=] Reported-by: kernel test robot Fixes: ab0af093bf90 ("drm: bridge: adv7511: use non-legacy mode for CEC RX") Signed-off-by: Fabio Estevam Reviewed-by: Alvin Šipraga Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220525215316.1133057-1-festevam@gmail.com Signed-off-by: Sasha Levin commit 2d5e9bce99df8ba6a340d5c6b1c649849cd5b5dc Author: Gao Chao Date: Tue May 24 10:45:51 2022 +0800 drm/panel: Fix build error when CONFIG_DRM_PANEL_SAMSUNG_ATNA33XC20=y && CONFIG_DRM_DISPLAY_HELPER=m [ Upstream commit a67664860f7833015a683ea295f7c79ac2901332 ] If CONFIG_DRM_PANEL_SAMSUNG_ATNA33XC20=y && CONFIG_DRM_DISPLAY_HELPER=m, bulding fails: drivers/gpu/drm/panel/panel-samsung-atna33xc20.o: In function `atana33xc20_probe': panel-samsung-atna33xc20.c:(.text+0x744): undefined reference to `drm_panel_dp_aux_backlight' make: *** [vmlinux] Error 1 Let CONFIG_DRM_PANEL_SAMSUNG_ATNA33XC20 select DRM_DISPLAY_DP_HELPER and CONFIG_DRM_DISPLAY_HELPER to fix this error. Fixes: 32ce3b320343 ("drm/panel: atna33xc20: Introduce the Samsung ATNA33XC20 panel") Reported-by: Hulk Robot Signed-off-by: Gao Chao Reviewed-by: Douglas Anderson Signed-off-by: Douglas Anderson Link: https://patchwork.freedesktop.org/patch/msgid/20220524024551.539-1-gaochao49@huawei.com Signed-off-by: Sasha Levin commit 9255a2b6d79e7dbb887503df527119ac15319f96 Author: Javier Martinez Canillas Date: Fri May 20 11:16:02 2022 +0200 drm/st7735r: Fix module autoloading for Okaya RH128128T [ Upstream commit 9ad6f181ad9a19a26bda73a7b199df44ccfcdaba ] The SPI core always reports a "MODALIAS=spi:", even if the device was registered via OF. This means that the st7735r.ko module won't autoload if a DT has a node with a compatible "okaya,rh128128t" string. In that case, kmod expects a "MODALIAS=of:N*T*Cokaya,rh128128t" uevent but instead will get a "MODALIAS=spi:rh128128t", which is not present in the list of aliases: $ modinfo drivers/gpu/drm/tiny/st7735r.ko | grep alias alias: of:N*T*Cokaya,rh128128tC* alias: of:N*T*Cokaya,rh128128t alias: of:N*T*Cjianda,jd-t18003-t01C* alias: of:N*T*Cjianda,jd-t18003-t01 alias: spi:jd-t18003-t01 To workaround this issue, add in the SPI table an entry for that device. Fixes: d1d511d516f7 ("drm: tiny: st7735r: Add support for Okaya RH128128T") Signed-off-by: Javier Martinez Canillas Reviewed-by: Geert Uytterhoeven Acked-by: David Lechner Link: https://patchwork.freedesktop.org/patch/msgid/20220520091602.179078-1-javierm@redhat.com Signed-off-by: Sasha Levin commit ab6360c30706d9943d895b5ce05891e4787a1555 Author: John Stultz Date: Wed May 11 01:26:12 2022 +0000 drm/bridge: lt9611: Use both bits for HDMI sensing [ Upstream commit 649eb3828fb22e829e222ebd83f4e11dc503a565 ] In commit 19cf41b64e3b ("lontium-lt9611: check a different register bit for HDMI sensing"), the bit flag used to detect HDMI cable connect was switched from BIT(2) to BIT(0) to improve compatibility with some monitors that didn't seem to set BIT(2). However, with that change, I've seen occasional issues where the detection failed, because BIT(2) was set, but not BIT(0). Unfortunately, as I understand it, the bits and their function was never clearly documented. So lets instead check both (BIT(2) | BIT(0)) when checking the register. Cc: Yongqin Liu Cc: Amit Pundir Cc: Peter Collingbourne Cc: Vinod Koul Cc: Bjorn Andersson Cc: Robert Foss Cc: kernel-team@android.com Fixes: 19cf41b64e3b ("lontium-lt9611: check a different register bit for HDMI sensing") Signed-off-by: John Stultz Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220511012612.3297577-2-jstultz@google.com Signed-off-by: Sasha Levin commit a056d7ccce73a9b9a35b037a64c927162b6458f4 Author: Jani Nikula Date: Tue May 3 12:23:46 2022 +0300 drm/edid: reset display info in drm_add_edid_modes() for NULL edid [ Upstream commit d10f7117aa43b0b0d1c4b878afafb6d151da441d ] If a NULL edid gets passed to drm_add_edid_modes(), we should probably also reset the display info. Cc: Ville Syrjälä Signed-off-by: Jani Nikula Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/2ac1c55f94a08d5e72c0b518d956a11002ec85c1.1651569697.git.jani.nikula@intel.com Signed-off-by: Sasha Levin commit 620949b26c5a3f7874de2e9d1f0a2c5339cdfd76 Author: Manikanta Pubbisetty Date: Tue May 17 11:22:41 2022 +0530 ath11k: Init hw_params before setting up AHB resources [ Upstream commit bebcfd2534a63ab7e7325f5337662bc84ca038b6 ] As part of adding the support of WCN6750 to ath11k, bus_params were moved to hw_params and this regressed the initialization of WCN6750. By the time AHB resources are setup for WCN6750, hw_params will not be initialized and therefore initialization for WCN6750 will fail. This is applicable only for WCN6750, no other device is impacted. Fix this by moving the initialization of hw_params before setting up AHB resources. Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-00887-QCAMSLSWPLZ-1 Fixes: 00402f49d26f ("ath11k: Add support for WCN6750 device") Signed-off-by: Manikanta Pubbisetty Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220517055241.15885-1-quic_mpubbise@quicinc.com Signed-off-by: Sasha Levin commit 7b4fe5c024d750585970b4ef8811b7e6b7a412ce Author: Baochen Qiang Date: Tue May 17 08:48:44 2022 +0800 ath11k: Fix warning on variable 'sar' dereference before check [ Upstream commit 77bbbd5e0ed3b5998a353b0948584faa4f565f0e ] We are seeing below warning: warn: variable dereferenced before check 'sar' Fix it by moving ahead pointer check on 'sar'. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 Fixes: 652f69ed9c1b ("ath11k: Add support for SAR") Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Baochen Qiang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220517004844.2412660-1-quic_bqiang@quicinc.com Signed-off-by: Sasha Levin commit a6b75715fa3352351ed56ebb3619ee411467da3b Author: Krzysztof Kozlowski Date: Wed May 18 10:27:26 2022 +0300 ath10k: do not enforce interrupt trigger type [ Upstream commit 1ee6c5abebd3cacf2ac4378d0ed4f57fd4850421 ] Interrupt line can be configured on different hardware in different way, even inverted. Therefore driver should not enforce specific trigger type - edge rising - but instead rely on Devicetree to configure it. All Qualcomm DTSI with WCN3990 define the interrupt type as level high, so the mismatch between DTSI and driver causes rebind issues: $ echo 18800000.wifi > /sys/bus/platform/drivers/ath10k_snoc/unbind $ echo 18800000.wifi > /sys/bus/platform/drivers/ath10k_snoc/bind [ 44.763114] irq: type mismatch, failed to map hwirq-446 for interrupt-controller@17a00000! [ 44.763130] ath10k_snoc 18800000.wifi: error -ENXIO: IRQ index 0 not found [ 44.763140] ath10k_snoc 18800000.wifi: failed to initialize resource: -6 Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.2.0.c8-00009-QCAHLSWSC8180XMTPLZ-1 Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1 Fixes: c963a683e701 ("ath10k: add resource init and deinit for WCN3990") Signed-off-by: Krzysztof Kozlowski Tested-by: Steev Klimaszewski Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220513151516.357549-1-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 9a3c206caadb23002f8dd6af016596c0903fe844 Author: Marek Vasut Date: Fri May 20 14:15:43 2022 +0200 drm/bridge: tc358767: Make sure Refclk clock are enabled [ Upstream commit 0b4c48f3e315d172e4cc06e10f2c8ba180788baf ] The Refclk may be supplied by SoC clock output instead of crystal oscillator, make sure the clock are enabled before any other action is performed with the bridge chip, otherwise it may either fail to operate at all, or miss reset GPIO toggle. Reviewed-by: Lucas Stach Fixes: 7caff0fc4296e ("drm/bridge: tc358767: Add DPI to eDP bridge driver") Signed-off-by: Marek Vasut Cc: Jonas Karlman Cc: Laurent Pinchart Cc: Lucas Stach Cc: Marek Vasut Cc: Maxime Ripard Cc: Neil Armstrong Cc: Robert Foss Cc: Sam Ravnborg Reviewed-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20220520121543.11550-1-marex@denx.de Signed-off-by: Sasha Levin commit a665b500d7ba9fd2fc4da4e1ed2d141a7407d168 Author: Marek Vasut Date: Thu May 19 11:51:36 2022 +0200 drm/bridge: tc358767: Handle dsi_lanes == 0 as invalid [ Upstream commit 0d662350928e6787d29ab205e47e5aa6f1f792f9 ] Handle empty data-lanes = < >; property, which translates to dsi_lanes = 0 as invalid. Reviewed-by: Andrzej Hajda Reviewed-by: Lucas Stach Fixes: bbfd3190b6562 ("drm/bridge: tc358767: Add DSI-to-DPI mode support") Signed-off-by: Marek Vasut Cc: Jonas Karlman Cc: Laurent Pinchart Cc: Lucas Stach Cc: Marek Vasut Cc: Maxime Ripard Cc: Neil Armstrong Cc: Robert Foss Cc: Sam Ravnborg Link: https://patchwork.freedesktop.org/patch/msgid/20220519095137.11896-1-marex@denx.de Signed-off-by: Sasha Levin commit 9c5d750da06edb504fca3ca6a0cd067a994070a2 Author: Douglas Anderson Date: Tue May 10 12:29:41 2022 -0700 drm/dp: Export symbol / kerneldoc fixes for DP AUX bus [ Upstream commit 39c28cdfb719f0e306b447f0827dfd712f81858b ] While working on the DP AUX bus code I found a few small things that should be fixed. Namely the non-devm version of of_dp_aux_populate_ep_devices() was missing an export. There was also an extra blank line in a kerneldoc and a kerneldoc that incorrectly documented a return value. Fix these. Fixes: aeb33699fc2c ("drm: Introduce the DP AUX bus") Signed-off-by: Douglas Anderson Reviewed-by: Dmitry Baryshkov Link: https://patchwork.freedesktop.org/patch/msgid/20220510122726.v3.1.Ia91f4849adfc5eb9da1eb37ba79aa65fb3c95a0f@changeid Signed-off-by: Sasha Levin commit bfcca6234b2a36d213f0cc1c127becc17680f7df Author: Miaoqian Lin Date: Wed May 11 09:40:51 2022 +0400 drm/meson: Fix refcount leak in meson_encoder_hdmi_init [ Upstream commit 7381076809586528e2a812a709e2758916318a99 ] of_find_device_by_node() takes reference, we should use put_device() to release it when not need anymore. Add missing put_device() in error path to avoid refcount leak. Fixes: 0af5e0b41110 ("drm/meson: encoder_hdmi: switch to bridge DRM_BRIDGE_ATTACH_NO_CONNECTOR") Signed-off-by: Miaoqian Lin Reviewed-by: Martin Blumenstingl Reviewed-by: Neil Armstrong Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20220511054052.51981-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 131b4d4f22cc2af5af2b302b85a937a32973a139 Author: Thomas Zimmermann Date: Mon May 16 15:43:37 2022 +0200 drm/mgag200: Acquire I/O lock while reading EDID [ Upstream commit 5913ab941d6ea782e841234c76958c6872ea752d ] DDC operation conflicts with concurrent mode setting. Acquire the driver's I/O lock in get_modes to prevent this. This change should have been part of commit 931e3f3a0e99 ("drm/mgag200: Protect concurrent access to I/O registers with lock"), but apparently got lost somewhere. v3: * fix commit message to say 'drm/mgag200' (Jocelyn) Signed-off-by: Thomas Zimmermann Fixes: 931e3f3a0e99 ("drm/mgag200: Protect concurrent access to I/O registers with lock") Reviewed-by: Jocelyn Falempe Tested-by: Jocelyn Falempe Cc: Thomas Zimmermann Cc: Jocelyn Falempe Cc: Daniel Vetter Cc: Dave Airlie Cc: dri-devel@lists.freedesktop.org Link: https://patchwork.freedesktop.org/patch/msgid/20220516134343.6085-2-tzimmermann@suse.de Signed-off-by: Sasha Levin commit 63e2c558ad4a42b836ec051862a9807a1124c039 Author: Xin Ji Date: Fri Apr 22 16:47:18 2022 +0800 drm/bridge: anx7625: Use DPI bus type [ Upstream commit a77c2af0994e24ee36c7ffb6dc852770bdf06fb1 ] As V4L2_FWNODE_BUS_TYPE_PARALLEL not properly descript for DPI interface, this patch use new defined V4L2_FWNODE_BUS_TYPE_DPI for it. Fixes: fd0310b6fe7d ("drm/bridge: anx7625: add MIPI DPI input feature") Signed-off-by: Xin Ji Tested-by: Chen-Yu Tsai Acked-by: Robert Foss Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220422084720.959271-4-xji@analogixsemi.com Signed-off-by: Sasha Levin commit 58a3eb45e882704ae7bc397ecd94169f76c47eaf Author: Geert Uytterhoeven Date: Mon May 9 15:52:02 2022 +0200 drm: bridge: DRM_FSL_LDB should depend on ARCH_MXC [ Upstream commit a9ad5822366c5065e6a65fe5ff5090295ba98986 ] The Freescale i.MX8MP LDB bridge is only present on Freescale i.MX8MP SoCs. Hence add a dependency on ARCH_MXC, to prevent asking the user about this driver when configuring a kernel without i.MX SoC support. Fixes: 463db5c2ed4aed01 ("drm: bridge: ldb: Implement simple Freescale i.MX8MP LDB bridge") Signed-off-by: Geert Uytterhoeven Reviewed-by: Marek Vasut Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/449e08ca791a3ca308de5477c1bdc1f6eb1b34e7.1652104211.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit d6acd77e3b0560c23ec85e0675f686ed3fcc7968 Author: Dan Carpenter Date: Mon May 9 12:05:05 2022 +0300 drm/rockchip: vop2: unlock on error path in vop2_crtc_atomic_enable() [ Upstream commit 98526c5bbe3267d447ddd076b685439e3e1396c6 ] This error path needs an unlock before returning. Fixes: 604be85547ce ("drm/rockchip: Add VOP2 driver") Signed-off-by: Dan Carpenter Acked-by: Sascha Hauer Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/YnjZQRV9lpub2ET8@kili Signed-off-by: Sasha Levin commit 7c242077ee327d4fbf12a9e62b8fbe1ad3105bd9 Author: Jani Nikula Date: Wed May 4 21:37:14 2022 +0300 drm/i915: remove unused GEM_DEBUG_DECL() and GEM_DEBUG_BUG_ON() [ Upstream commit 1b93ff4d0679190e8812cd0d0b3aebfcba1ed883 ] There are already too many choices here, take away the unused ones. Cc: Tvrtko Ursulin Signed-off-by: Jani Nikula Reviewed-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20220504183716.987793-1-jani.nikula@intel.com Signed-off-by: Sasha Levin commit 14053d3e52c8b768f34e01423ad2450e7641641e Author: Marek Vasut Date: Wed May 4 03:26:01 2022 +0200 dt-bindings: display: bridge: ldb: Fill in reg property [ Upstream commit 16c8d76abe83d75b578d72ee22d25a52c764e14a ] Add missing reg and reg-names properties for both 'LDB_CTRL' and 'LVDS_CTRL' registers. Fixes: 463db5c2ed4ae ("drm: bridge: ldb: Implement simple Freescale i.MX8MP LDB bridge") Signed-off-by: Marek Vasut Cc: Laurent Pinchart Cc: Lucas Stach Cc: Maxime Ripard Cc: Peng Fan Cc: Rob Herring Cc: Robby Cai Cc: Robert Foss Cc: Sam Ravnborg Cc: Thomas Zimmermann Cc: devicetree@vger.kernel.org To: dri-devel@lists.freedesktop.org Reviewed-by: Rob Herring Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220504012601.423644-1-marex@denx.de Signed-off-by: Sasha Levin commit e66205ee2dd3cd3cbfcbdadaaa2206a716077a78 Author: Hongnan Li Date: Fri Jul 22 16:27:32 2022 +0800 erofs: update ctx->pos for every emitted dirent [ Upstream commit ecce9212d0fd7a2d4a4998f0c4623a66887e14c8 ] erofs_readdir update ctx->pos after filling a batch of dentries and it may cause dir/files duplication for NFS readdirplus which depends on ctx->pos to fill dir correctly. So update ctx->pos for every emitted dirent in erofs_fill_dentries to fix it. Also fix the update of ctx->pos when the initial file position has exceeded nameoff. Fixes: 3e917cc305c6 ("erofs: make filesystem exportable") Signed-off-by: Hongnan Li Signed-off-by: Jeffle Xu Reviewed-by: Gao Xiang Reviewed-by: Chao Yu Link: https://lore.kernel.org/r/20220722082732.30935-1-jefflexu@linux.alibaba.com Signed-off-by: Gao Xiang Signed-off-by: Sasha Levin commit 8aa69de3d0c2fd277e7dd9dd110b4d813887e0f9 Author: Uwe Kleine-König Date: Tue Jul 12 18:15:19 2022 +0200 pwm: lpc18xx: Fix period handling [ Upstream commit 8933d30c5f468d6cc1e4bf9bb535149da35f202e ] The calculation: val = (u64)NSEC_PER_SEC * LPC18XX_PWM_TIMER_MAX; do_div(val, lpc18xx_pwm->clk_rate); lpc18xx_pwm->max_period_ns = val; is bogus because with NSEC_PER_SEC = 1000000000, LPC18XX_PWM_TIMER_MAX = 0xffffffff and clk_rate < NSEC_PER_SEC this overflows the (on lpc18xx (i.e. ARM32) 32 bit wide) unsigned int .max_period_ns. This results (dependant of the actual clk rate) in an arbitrary limitation of the maximal period. E.g. for clkrate = 333333333 (Hz) we get max_period_ns = 9 instead of 12884901897. So make .max_period_ns an u64 and pass period and duty as u64 to not discard relevant digits. And also make use of mul_u64_u64_div_u64() which prevents all overflows assuming clk_rate < NSEC_PER_SEC. Fixes: 841e6f90bb78 ("pwm: NXP LPC18xx PWM/SCT driver") Signed-off-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 11f19c910b77b7b0e0ea9b493ed5df409f080e54 Author: Uwe Kleine-König Date: Thu Jul 21 12:31:29 2022 +0200 pwm: sifive: Shut down hardware only after pwmchip_remove() completed [ Upstream commit 2375e964d541bb09158cd2dff67b5d74e8de61cd ] The PWMs are expected to be functional until pwmchip_remove() is called. So disable the clks only afterwards. Fixes: 9e37a53eb051 ("pwm: sifive: Add a driver for SiFive SoC PWM") Signed-off-by: Uwe Kleine-König Tested-by: Emil Renner Berthing Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit f9a71b8079436166238b54cfd5b271b8829ae570 Author: Uwe Kleine-König Date: Thu Jul 21 12:31:28 2022 +0200 pwm: sifive: Ensure the clk is enabled exactly once per running PWM [ Upstream commit ace41d7564e655c39f709a78c035188a460c7cbd ] .apply() assumes the clk to be for a given PWM iff the PWM is enabled. So make sure this is the case when .probe() completes. And in .remove() disable the according number of times. This fixes a clk enable/disable imbalance, if some PWMs are already running at probe time. Fixes: 9e37a53eb051 (pwm: sifive: Add a driver for SiFive SoC PWM) Signed-off-by: Uwe Kleine-König Tested-by: Emil Renner Berthing Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 1d18eb5b9cec5ccbdeb8ea309b3abde2df519e38 Author: Uwe Kleine-König Date: Thu Jul 21 12:31:23 2022 +0200 pwm: sifive: Simplify offset calculation for PWMCMP registers [ Upstream commit 20550a61880fc55e68a0d290ad195b74729c0e7b ] Instead of explicitly using PWM_SIFIVE_PWMCMP0 + pwm->hwpwm * PWM_SIFIVE_SIZE_PWMCMP for each access to one of the PWMCMP registers, introduce a macro that takes the hwpwm id as parameter. For the register definition using a plain 4 instead of the cpp constant PWM_SIFIVE_SIZE_PWMCMP is easier to read, so define the offset macro without the constant. The latter can then be dropped as there are no users left. Signed-off-by: Uwe Kleine-König Tested-by: Emil Renner Berthing Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 0545bfd4c8f7736df17c494b2b1a63ae314acd85 Author: Mike Snitzer Date: Fri Jul 22 15:31:23 2022 -0400 dm: return early from dm_pr_call() if DM device is suspended [ Upstream commit e120a5f1e78fab6223544e425015f393d90d6f0d ] Otherwise PR ops may be issued while the broader DM device is being reconfigured, etc. Fixes: 9c72bad1f31a ("dm: call PR reserve/unreserve on each underlying device") Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 2ebf6f5946817f33fb33e613e359229e98164eb3 Author: Colin Ian King Date: Tue Apr 26 14:16:07 2022 +0100 tools/power turbostat: Fix file pointer leak [ Upstream commit 5e5fd36c58d6c820f7292ee492c3731c9a104a41 ] Currently if a fscanf fails then an early return leaks an open file pointer. Fix this by fclosing the file before the return. Detected using static analysis with cppcheck: tools/power/x86/turbostat/turbostat.c:2039:3: error: Resource leak: fp [resourceLeak] Fixes: eae97e053fe3 ("tools/power turbostat: Support thermal throttle count print") Signed-off-by: Colin Ian King Acked-by: Chen Yu Reviewed-by: Tom Rix Signed-off-by: Len Brown Signed-off-by: Sasha Levin commit a765d1abee82d6d129c11014f1f50209f6db1d7b Author: Markus Mayer Date: Sun Jul 17 20:10:39 2022 -0700 thermal/tools/tmon: Include pthread and time headers in tmon.h [ Upstream commit 0cf51bfe999524377fbb71becb583b4ca6d07cfc ] Include sys/time.h and pthread.h in tmon.h, so that types "pthread_mutex_t" and "struct timeval tv" are known when tmon.h references them. Without these headers, compiling tmon against musl-libc will fail with these errors: In file included from sysfs.c:31:0: tmon.h:47:8: error: unknown type name 'pthread_mutex_t' extern pthread_mutex_t input_lock; ^~~~~~~~~~~~~~~ make[3]: *** [: sysfs.o] Error 1 make[3]: *** Waiting for unfinished jobs.... In file included from tui.c:31:0: tmon.h:54:17: error: field 'tv' has incomplete type struct timeval tv; ^~ make[3]: *** [: tui.o] Error 1 make[2]: *** [Makefile:83: tmon] Error 2 Signed-off-by: Markus Mayer Acked-by: Florian Fainelli Reviewed-by: Sumeet Pawnikar Acked-by: Alejandro González Tested-by: Alejandro González Fixes: 94f69966faf8 ("tools/thermal: Introduce tmon, a tool for thermal subsystem") Link: https://lore.kernel.org/r/20220718031040.44714-1-f.fainelli@gmail.com Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit 1c8729942e7c1160a584138b0b5f897ed4f1f31d Author: YiFei Zhu Date: Thu May 26 22:34:07 2022 +0000 selftests/seccomp: Fix compile warning when CC=clang [ Upstream commit 3ce4b78f73e8e00fb86bad67ee7f6fe12019707e ] clang has -Wconstant-conversion by default, and the constant 0xAAAAAAAAA (9 As) being converted to an int, which is generally 32 bits, results in the compile warning: clang -Wl,-no-as-needed -Wall -isystem ../../../../usr/include/ -lpthread seccomp_bpf.c -lcap -o seccomp_bpf seccomp_bpf.c:812:67: warning: implicit conversion from 'long' to 'int' changes value from 45812984490 to -1431655766 [-Wconstant-conversion] int kill = kill_how == KILL_PROCESS ? SECCOMP_RET_KILL_PROCESS : 0xAAAAAAAAA; ~~~~ ^~~~~~~~~~~ 1 warning generated. -1431655766 is the expected truncation, 0xAAAAAAAA (8 As), so use this directly in the code to avoid the warning. Fixes: 3932fcecd962 ("selftests/seccomp: Add test for unknown SECCOMP_RET kill behavior") Signed-off-by: YiFei Zhu Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220526223407.1686936-1-zhuyifei@google.com Signed-off-by: Sasha Levin commit 901e61b5e0f65d5ed1aee1fd3867122cc0d52c15 Author: Michal Koutný Date: Fri Jul 15 19:45:01 2022 +0200 io_uring: Don't require reinitable percpu_ref [ Upstream commit 48904229928d941ce1db181b991948387ab463cd ] The commit 8bb649ee1da3 ("io_uring: remove ring quiesce for io_uring_register") removed the worklow relying on reinit/resurrection of the percpu_ref, hence, initialization with that requested is a relic. This is based on code review, this causes no real bug (and theoretically can't). Technically it's a revert of commit 214828962dea ("io_uring: initialize percpu refcounters using PERCU_REF_ALLOW_REINIT") but since the flag omission is now justified, I'm not making this a revert. Fixes: 8bb649ee1da3 ("io_uring: remove ring quiesce for io_uring_register") Signed-off-by: Michal Koutný Acked-by: Roman Gushchin Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 674147513db30edcb04a1c631a4b47a9b2deaa3c Author: Jens Axboe Date: Mon May 23 16:56:21 2022 -0600 io_uring: define a 'prep' and 'issue' handler for each opcode [ Upstream commit 0702e5364f643bc86683d9f585edfe76dbabae39 ] Rather than have two giant switches for doing request preparation and then for doing request issue, add a prep and issue handler for each of them in the io_op_defs[] request definition. Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 95c74abe404de914464b5685bc00b33e40382b9a Author: Jens Axboe Date: Mon May 23 17:05:03 2022 -0600 io_uring: move to separate directory [ Upstream commit ed29b0b4fd835b058ddd151c49d021e28d631ee6 ] In preparation for splitting io_uring up a bit, move it into its own top level directory. It didn't really belong in fs/ anyway, as it's not a file system only API. This adds io_uring/ and moves the core files in there, and updates the MAINTAINERS file for the new location. Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 90812dd1f7402dbb4304ff44bf8e4a62d993b6d8 Author: Peter Zijlstra Date: Fri Jun 17 16:52:06 2022 +0200 x86/extable: Fix ex_handler_msr() print condition [ Upstream commit a1a5482a2c6e38a3ebed32e571625c56a8cc41a6 ] On Fri, Jun 17, 2022 at 02:08:52PM +0300, Stephane Eranian wrote: > Some changes to the way invalid MSR accesses are reported by the > kernel is causing some problems with messages printed on the > console. > > We have seen several cases of ex_handler_msr() printing invalid MSR > accesses once but the callstack multiple times causing confusion on > the console. > The problem here is that another earlier commit (5.13): > > a358f40600b3 ("once: implement DO_ONCE_LITE for non-fast-path "do once" functionality") > > Modifies all the pr_*_once() calls to always return true claiming > that no caller is ever checking the return value of the functions. > > This is why we are seeing the callstack printed without the > associated printk() msg. Extract the ONCE_IF(cond) part into __ONCE_LTE_IF() and use that to implement DO_ONCE_LITE_IF() and fix the extable code. Fixes: a358f40600b3 ("once: implement DO_ONCE_LITE for non-fast-path "do once" functionality") Reported-by: Stephane Eranian Signed-off-by: Peter Zijlstra (Intel) Tested-by: Stephane Eranian Link: https://lkml.kernel.org/r/YqyVFsbviKjVGGZ9@worktop.programming.kicks-ass.net Signed-off-by: Sasha Levin commit 87666276569599739f506352bd43d8f4fb773e71 Author: Mel Gorman Date: Fri May 20 11:35:16 2022 +0100 sched/numa: Initialise numa_migrate_retry [ Upstream commit 70ce3ea9aa4ed901c8a90de667df5ef307766e71 ] On clone, numa_migrate_retry is inherited from the parent which means that the first NUMA placement of a task is non-deterministic. This affects when load balancing recognises numa tasks and whether to migrate "regular", "remote" or "all" tasks between NUMA scheduler domains. Signed-off-by: Mel Gorman Signed-off-by: Peter Zijlstra (Intel) Tested-by: K Prateek Nayak Link: https://lore.kernel.org/r/20220520103519.1863-2-mgorman@techsingularity.net Signed-off-by: Sasha Levin commit dcdb6272b7cdff39c870a61a46740baa80cef2a3 Author: Christian Göttsche Date: Wed Jun 15 17:25:04 2022 +0200 sched: only perform capability check on privileged operation [ Upstream commit 700a78335fc28a59c307f420857fd2d4521549f8 ] sched_setattr(2) issues via kernel/sched/core.c:__sched_setscheduler() a CAP_SYS_NICE audit event unconditionally, even when the requested operation does not require that capability / is unprivileged, i.e. for reducing niceness. This is relevant in connection with SELinux, where a capability check results in a policy decision and by default a denial message on insufficient permission is issued. It can lead to three undesired cases: 1. A denial message is generated, even in case the operation was an unprivileged one and thus the syscall succeeded, creating noise. 2. To avoid the noise from 1. the policy writer adds a rule to ignore those denial messages, hiding future syscalls, where the task performs an actual privileged operation, leading to hidden limited functionality of that task. 3. To avoid the noise from 1. the policy writer adds a rule to allow the task the capability CAP_SYS_NICE, while it does not need it, violating the principle of least privilege. Conduct privilged/unprivileged categorization first and perform a capable test (and at most once) only if needed. Signed-off-by: Christian Göttsche Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20220615152505.310488-1-cgzones@googlemail.com Signed-off-by: Sasha Levin commit 32f346b7460ecd298c3f5cb566091205486cdc5a Author: Nicolas Saenz Julienne Date: Tue Jun 28 11:22:59 2022 +0200 nohz/full, sched/rt: Fix missed tick-reenabling bug in dequeue_task_rt() [ Upstream commit 5c66d1b9b30f737fcef85a0b75bfe0590e16b62a ] dequeue_task_rt() only decrements 'rt_rq->rt_nr_running' after having called sched_update_tick_dependency() preventing it from re-enabling the tick on systems that no longer have pending SCHED_RT tasks but have multiple runnable SCHED_OTHER tasks: dequeue_task_rt() dequeue_rt_entity() dequeue_rt_stack() dequeue_top_rt_rq() sub_nr_running() // decrements rq->nr_running sched_update_tick_dependency() sched_can_stop_tick() // checks rq->rt.rt_nr_running, ... __dequeue_rt_entity() dec_rt_tasks() // decrements rq->rt.rt_nr_running ... Every other scheduler class performs the operation in the opposite order, and sched_update_tick_dependency() expects the values to be updated as such. So avoid the misbehaviour by inverting the order in which the above operations are performed in the RT scheduler. Fixes: 76d92ac305f2 ("sched: Migrate sched to use new tick dependency mask model") Signed-off-by: Nicolas Saenz Julienne Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Valentin Schneider Reviewed-by: Phil Auld Link: https://lore.kernel.org/r/20220628092259.330171-1-nsaenzju@redhat.com Signed-off-by: Sasha Levin commit dc4e49f068cabdcb43ed1677a24266deecda0dbf Author: Anshuman Khandual Date: Thu Jul 14 11:43:02 2022 +0530 drivers/perf: arm_spe: Fix consistency of SYS_PMSCR_EL1.CX [ Upstream commit 92f2b8bafa3d6e89c750e9d301a8b7ab76aaa8b6 ] The arm_spe_pmu driver will enable SYS_PMSCR_EL1.CX in order to add CONTEXT packets into the traces, if the owner of the perf event runs with required capabilities i.e CAP_PERFMON or CAP_SYS_ADMIN via perfmon_capable() helper. The value of this bit is computed in the arm_spe_event_to_pmscr() function but the check for capabilities happens in the pmu event init callback i.e arm_spe_pmu_event_init(). This suggests that the value of the CX bit should remain consistent for the duration of the perf session. However, the function arm_spe_event_to_pmscr() may be called later during the event start callback i.e arm_spe_pmu_start() when the "current" process is not the owner of the perf session, hence the CX bit setting is currently not consistent. One way to fix this, is by caching the required value of the CX bit during the initialization of the PMU event, so that it remains consistent for the duration of the session. It uses currently unused 'event->hw.flags' element to cache perfmon_capable() value, which can be referred during event start callback to compute SYS_PMSCR_EL1.CX. This ensures consistent availability of context packets in the trace as per event owner capabilities. Drop BIT(SYS_PMSCR_EL1_CX_SHIFT) check in arm_spe_pmu_event_init(), because now CX bit cannot be set in arm_spe_event_to_pmscr() with perfmon_capable() disabled. Cc: Will Deacon Cc: Mark Rutland Cc: Alexey Budankov Cc: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org Fixes: d5d9696b0380 ("drivers/perf: Add support for ARMv8.2 Statistical Profiling Extension") Reported-by: German Gomez Signed-off-by: Anshuman Khandual Reviewed-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20220714061302.2715102-1-anshuman.khandual@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit ddb603a99fa0b615982baec43b5caa59c8e5eb57 Author: Liang He Date: Fri Jul 15 21:03:30 2022 +0800 perf: RISC-V: Add of_node_put() when breaking out of for_each_of_cpu_node() [ Upstream commit 491f10d08fdae10a177edf6af4f43b83b293114b ] In pmu_sbi_setup_irqs(), we should call of_node_put() for the 'cpu' when breaking out of for_each_of_cput_node() as its refcount will be automatically increased and decreased during the iteration. Fixes: 4905ec2fb7e6 ("RISC-V: Add sscofpmf extension support") Signed-off-by: Liang He Reviewed-by: Atish Patra Reviewed-by: Andrew Jones Link: https://lore.kernel.org/r/20220715130330.443363-1-windhl@126.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 9987e2d15f51c67534689ce22c01343f50634419 Author: Xu Qiang Date: Tue Jul 19 06:36:40 2022 +0000 irqdomain: Report irq number for NOMAP domains [ Upstream commit 6f194c99f466147148cc08452718b46664112548 ] When using a NOMAP domain, __irq_resolve_mapping() doesn't store the Linux IRQ number at the address optionally provided by the caller. While this isn't a huge deal (the returned value is guaranteed to the hwirq that was passed as a parameter), let's honour the letter of the API by writing the expected value. Fixes: d22558dd0a6c (“irqdomain: Introduce irq_resolve_mapping()”) Signed-off-by: Xu Qiang [maz: commit message] Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20220719063641.56541-2-xuqiang36@huawei.com Signed-off-by: Sasha Levin commit 24be04f0ebfad8cbb55fedee9aaa64828d5a913d Author: Stephan Gerhold Date: Tue Jul 12 14:44:18 2022 +0200 ARM: dts: qcom: msm8974: Disable remoteprocs by default [ Upstream commit 8d8be8dd7c1f5d50f84ecc7a6a41962da48c6164 ] The remoteproc configuration in qcom-msm8974.dtsi is incomplete because it lacks the regulator supplies that should be added in the board DT files. Some of the msm8974 boards are currently missing the regulator supplies and should have the remoteprocs disabled to avoid making use of the incomplete configuration. This also fixes dtbs_check warnings after moving "qcom,msm8974-mss-pil" to DT schema, which rightfully complains that the -supply properties are missing for some boards: qcom-apq8074-dragonboard.dtb: remoteproc@fc880000: 'pll-supply' is a required property From schema: remoteproc/qcom,msm8916-mss-pil.yaml remoteproc@fc880000: 'mss-supply' is a required property From schema: remoteproc/qcom,msm8916-mss-pil.yaml remoteproc@fc880000: 'oneOf' conditional failed, one must be fixed: 'power-domains' is a required property 'power-domain-names' is a required property, or 'cx-supply' is a required property 'mx-supply' is a required property Cc: Luca Weiss Cc: Konrad Dybcio Fixes: f300826d27be ("ARM: dts: qcom-msm8974: Sort and clean up nodes") Signed-off-by: Stephan Gerhold Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220712124421.3129206-4-stephan.gerhold@kernkonzept.com Signed-off-by: Sasha Levin commit d9f1fa7c4ecf21cfdffdfe26507b93ff3f5960f0 Author: Sumit Garg Date: Mon Jul 11 14:00:38 2022 +0530 arm64: dts: qcom: qcs404: Fix incorrect USB2 PHYs assignment [ Upstream commit 58577966a42fc0b660b5e2c7c9e5a2241363ea83 ] Currently the DT for QCS404 SoC has setup for 2 USB2 PHYs with one each assigned to USB3 controller and USB2 controller. This assignment is incorrect which only works by luck: as when each USB HCI comes up it configures the *other* controllers PHY which is enough to make them happy. If, for any reason, we were to disable one of the controllers then both would stop working. This was a difficult inconsistency to be caught which was found while trying to enable USB support in u-boot. So with all the required drivers ported to u-boot, I couldn't get the same USB storage device enumerated in u-boot which was being enumerated fine by the kernel. The root cause of the problem came out to be that I wasn't enabling USB2 PHY: "usb2_phy_prim" in u-boot. Then I realised that via simply disabling the same USB2 PHY currently assigned to USB2 host controller in the kernel disabled enumeration for USB3 host controller as well. So fix this inconsistency by correctly assigning USB2 PHYs. Fixes: 9375e7d719b3 ("arm64: dts: qcom: qcs404: Add USB devices and PHYs") Signed-off-by: Sumit Garg Reviewed-by: Daniel Thompson Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220711083038.1518529-1-sumit.garg@linaro.org Signed-off-by: Sasha Levin commit fd95595c2e2321e942f380b24e94d59d1b058d33 Author: Marijn Suijten Date: Sat May 7 17:36:27 2022 +0200 arm64: dts: qcom: msm8998: Make regulator voltages multiple of step-size [ Upstream commit 2aa54fa87cca1fa43870a9caf4fcce00eb087fa5 ] These voltages are not a multiple of the given step-size 8000 (with base voltage 1664000) in pm8998_pldo, resulting in PLDO regulators l18 and l22 failing to validate and in turn not probing the rpm-pm8998-regulator driver: l18: unsupportable voltage constraints 2856000-2848000uV qcom_rpm_smd_regulator rpm-glink:rpm-requests:pm8998-regulators: l18: devm_regulator_register() failed, ret=-22 Round the voltages down for the sake of erring on the safe side, leaving a comment in place to document this discrepancy wrt downstream sources. Fixes: 390883af89d2 ("arm64: dts: qcom: msm8998: Introduce support for Sony Yoshino platform") Reported-by: Konrad Dybcio Signed-off-by: Marijn Suijten Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220507153627.1478268-1-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit 51dabf18fc729936d7807735aabbce3eb09bebb8 Author: Parikshit Pareek Date: Mon Jul 11 14:09:57 2022 +0530 soc: qcom: socinfo: Fix the id of SA8540P SoC [ Upstream commit 5bed21af0005cc7d8bb05d2c4a63afbcede23382 ] Change the id of SA8540P to its correct value, i.e., 461. Also, map the id 460 to its correct values, i.e. SA8295P. Fixes: 76ee15ae1b13 ("soc: qcom: socinfo: Add some more PMICs and SoCs") Signed-off-by: Parikshit Pareek Reviewed-by: Eric Chanudet Tested-by: Eric Chanudet Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220711083957.12091-1-quic_ppareek@quicinc.com Signed-off-by: Sasha Levin commit c1716ee4af7612a870046688c4c73d3a9714368d Author: Konrad Dybcio Date: Thu Jul 7 23:21:58 2022 +0200 soc: qcom: Make QCOM_RPMPD depend on PM [ Upstream commit a6232f2aa99ce470799992e99e0012945bb5308f ] QCOM_RPMPD requires PM_GENERIC_DOMAINS/_OF, which in turns requires CONFIG_PM. I forgot about the latter in my earlier patch (it's still in -next as of the time of committing, hence no Fixes: tag). Fix it. Reported-by: kernel test robot Signed-off-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220707212158.32684-1-konrad.dybcio@somainline.org Signed-off-by: Sasha Levin commit fc7b19f547bc9e622060a0a9a39da2330aa21c53 Author: Liang He Date: Fri Jul 15 19:10:27 2022 +0800 regulator: of: Fix refcount leak bug in of_get_regulation_constraints() [ Upstream commit 66efb665cd5ad69b27dca8571bf89fc6b9c628a4 ] We should call the of_node_put() for the reference returned by of_get_child_by_name() which has increased the refcount. Fixes: 40e20d68bb3f ("regulator: of: Add support for parsing regulator_state for suspend state") Signed-off-by: Liang He Link: https://lore.kernel.org/r/20220715111027.391032-1-windhl@126.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8cd41a4f28b6dd5319d9df10a3489b3307fdd3df Author: Mikulas Patocka Date: Mon Jul 11 16:31:52 2022 -0400 dm writecache: count number of blocks discarded, not number of discard bios [ Upstream commit 2ee73ef60db4d79b9f9b8cd501e8188b5179449f ] Change dm-writecache, so that it counts the number of blocks discarded instead of the number of discard bios. Make it consistent with the read and write statistics counters that were changed to count the number of blocks instead of bios. Fixes: e3a35d03407c ("dm writecache: add event counters") Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit f06cbeff2352b7890071bbb6dc852b96bfa34a47 Author: Mikulas Patocka Date: Mon Jul 11 16:31:26 2022 -0400 dm writecache: count number of blocks written, not number of write bios [ Upstream commit b2676e1482af89714af6988ce5d31a84692e2530 ] Change dm-writecache, so that it counts the number of blocks written instead of the number of write bios. Bios can be split and requeued using the dm_accept_partial_bio function, so counting bios caused inaccurate results. Fixes: e3a35d03407c ("dm writecache: add event counters") Reported-by: Yu Kuai Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 5fef35fc1a1213a4c64a3fba22894acfa0675200 Author: Mikulas Patocka Date: Mon Jul 11 16:30:52 2022 -0400 dm writecache: count number of blocks read, not number of read bios [ Upstream commit 2c6e755b49d273243431f5f1184654e71221fc78 ] Change dm-writecache, so that it counts the number of blocks read instead of the number of read bios. Bios can be split and requeued using the dm_accept_partial_bio function, so counting bios caused inaccurate results. Fixes: e3a35d03407c ("dm writecache: add event counters") Reported-by: Yu Kuai Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit d48fa0b50494ab29b349cfb41c27430e70df2b73 Author: Mikulas Patocka Date: Mon Jul 11 16:30:27 2022 -0400 dm writecache: return void from functions [ Upstream commit 9bc0c92e4b82adb017026dbb2aa816b1ac2bef31 ] The functions writecache_map_remap_origin and writecache_bio_copy_ssd only return a single value, thus they can be made to return void. This helps simplify the following IO accounting changes. Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit f0762b6a3a40e3c2f551121a37448aa287309efc Author: Hsin-Yi Wang Date: Wed Jul 6 01:16:49 2022 +0800 PM: domains: Ensure genpd_debugfs_dir exists before remove [ Upstream commit 37101d3c719386040ded735a5ec06974f1d94d1f ] Both genpd_debug_add() and genpd_debug_remove() may be called indirectly by other drivers while genpd_debugfs_dir is not yet set. For example, drivers can call pm_genpd_init() in probe or pm_genpd_init() in probe fail/cleanup path: pm_genpd_init() --> genpd_debug_add() pm_genpd_remove() --> genpd_remove() --> genpd_debug_remove() At this time, genpd_debug_init() may not yet be called. genpd_debug_add() checks that if genpd_debugfs_dir is NULL, it will return directly. Make sure this is also checked in pm_genpd_remove(), otherwise components under debugfs root which has the same name as other components under pm_genpd may be accidentally removed, since NULL represents debugfs root. Fixes: 718072ceb211 ("PM: domains: create debugfs nodes when adding power domains") Signed-off-by: Hsin-Yi Wang Reviewed-by: Greg Kroah-Hartman Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Ulf Hansson Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit f8c44af7dd2d023b9241f5bd530fa3b0778d97cc Author: Bart Van Assche Date: Thu Jul 14 11:06:36 2022 -0700 blktrace: Trace remapped requests correctly [ Upstream commit 22c80aac882f712897b88b7ea8f5a74ea19019df ] Trace the remapped operation and its flags instead of only the data direction of remapped operations. This issue was detected by analyzing the warnings reported by sparse related to the new blk_opf_t type. Reviewed-by: Jun'ichi Nomura Cc: Mike Snitzer Cc: Mike Christie Cc: Li Zefan Cc: Chaitanya Kulkarni Fixes: 1b9a9ab78b0a ("blktrace: use op accessors") Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20220714180729.1065367-11-bvanassche@acm.org Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 20ee06b8914786640920cd019c0f5bd1c0932b1b Author: Linus Walleij Date: Tue Jul 12 23:46:24 2022 +0200 hwmon: (drivetemp) Add module alias [ Upstream commit 5918036cfa8ded7aa8094db70295011ce2275447 ] Adding a MODULE_ALIAS() to drivetemp will make the driver easier for modprobe to autoprobe. Signed-off-by: Linus Walleij Link: https://lore.kernel.org/r/20220712214624.1845158-1-linus.walleij@linaro.org Fixes: 5b46903d8bf3 ("hwmon: Driver for disk and solid state drives with temperature sensors") Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 6b1e4b5c2c8739fe72eeea20883f89b3556bf605 Author: Armin Wolf Date: Sun Jun 5 00:02:00 2022 +0200 hwmon: (sch56xx-common) Add DMI override table [ Upstream commit fd2d53c367ae9983c2100ac733a834e0c79d7537 ] Some devices like the Fujitsu Celsius W380 do contain a working sch56xx hardware monitoring device, but do not contain the necessary DMI onboard device. Do not check for the presence of an suitable onboard device on these machines. The list of affected machines was created using data collected by the Linux Hardware Project. Tested on a Fujitsu Esprimo P720, but sadly not on a affected machine. Fixes: 393935baa45e (hwmon: (sch56xx-common) Add automatic module loading on supported devices) Signed-off-by: Armin Wolf Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20220604220200.2567-1-W_Armin@gmx.de Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 67f77172644260482fdafc03b6025847944701e5 Author: Yang Yingliang Date: Wed Jul 13 17:40:23 2022 +0800 spi: tegra20-slink: fix UAF in tegra_slink_remove() [ Upstream commit 7e9984d183bb1e99e766c5c2b950ff21f7f7b6c0 ] After calling spi_unregister_master(), the refcount of master will be decrease to 0, and it will be freed in spi_controller_release(), the device data also will be freed, so it will lead a UAF when using 'tspi'. To fix this, get the master before unregister and put it when finish using it. Fixes: 26c863418221 ("spi: tegra20-slink: Don't use resource-managed spi_register helper") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20220713094024.1508869-1-yangyingliang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3c6bd448442b6c3f6843ac70d57201a13478dd47 Author: Yang Yingliang Date: Tue Jul 12 21:55:04 2022 +0800 spi: Fix simplification of devm_spi_register_controller [ Upstream commit 43cc5a0afe4184a7fafe1eba32b5a11bb69c9ce0 ] This reverts commit 59ebbe40fb51 ("spi: simplify devm_spi_register_controller"). If devm_add_action() fails in devm_add_action_or_reset(), devm_spi_unregister() will be called, it decreases the refcount of 'ctlr->dev' to 0, then it will cause uaf in the drivers that calling spi_put_controller() in error path. Fixes: 59ebbe40fb51 ("spi: simplify devm_spi_register_controller") Signed-off-by: Yang Yingliang Reviewed-by: Conor Dooley Link: https://lore.kernel.org/r/20220712135504.1055688-1-yangyingliang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c6079919817af4d90db81df5614ed6da017f91c5 Author: Nandhini Srikandan Date: Wed Jul 13 12:22:20 2022 +0800 spi: dw: Fix IP-core versions macro [ Upstream commit 5d76b7509cb223e94ff73a672273e58f1957ac68 ] Add the missing underscore in IP version macro to avoid compilation issue. The macro is used for IP version comparison in the current patchset. Fixes: 2cc8d9227bbb ("spi: dw: Introduce Synopsys IP-core versions interface") Signed-off-by: Nandhini Srikandan Acked-by: Serge Semin Link: https://lore.kernel.org/r/20220713042223.1458-2-nandhini.srikandan@intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 53f2de4b7b7048e5bf1b9081245f188e46615fe8 Author: Ming Lei Date: Mon Jul 11 17:08:08 2022 +0800 blk-mq: don't create hctx debugfs dir until q->debugfs_dir is created [ Upstream commit f3ec5d11554778c24ac8915e847223ed71d104fc ] blk_mq_debugfs_register_hctx() can be called by blk_mq_update_nr_hw_queues when gendisk isn't added yet, such as nvme tcp. Fixes the warning of 'debugfs: Directory 'hctx0' with parent '/' already present!' which can be observed reliably when running blktests nvme/005. Fixes: 6cfc0081b046 ("blk-mq: no need to check return value of debugfs_create functions") Reported-by: Yi Zhang Signed-off-by: Ming Lei Tested-by: Yi Zhang Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20220711090808.259682-1-ming.lei@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 8134a099d63b974e3e23ceb9ed975abc7207abd5 Author: Andy Shevchenko Date: Sun Jul 10 00:29:56 2022 +0300 spi: Return deferred probe error when controller isn't yet available [ Upstream commit 9c22ec4ac27bcc5a54dd406da168f403327a5b55 ] If the controller is not available, it might be in the future and we would like to re-probe the peripheral again. For that purpose return deferred probe. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=215993 Fixes: 87e59b36e5e2 ("spi: Support selection of the index of the ACPI Spi Resource before alloc") Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220709212956.25530-1-andriy.shevchenko@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4b3dd6659694cc8dba31e9efdcd834dc741e10d2 Author: Gao Xiang Date: Fri Jul 8 18:10:01 2022 +0800 erofs: avoid consecutive detection for Highmem memory [ Upstream commit 448b5a1548d87c246c3d0c3df8480d3c6eb6c11a ] Currently, vmap()s are avoided if physical addresses are consecutive for decompressed buffers. I observed that is very common for 4KiB pclusters since the numbers of decompressed pages are almost 2 or 3. However, such detection doesn't work for Highmem pages on 32-bit machines, let's fix it now. Reported-by: Liu Jinbao Fixes: 7fc45dbc938a ("staging: erofs: introduce generic decompression backend") Link: https://lore.kernel.org/r/20220708101001.21242-1-hsiangkao@linux.alibaba.com Signed-off-by: Gao Xiang Signed-off-by: Sasha Levin commit 96aa2a6a89618d850ef082e4268007e840c28769 Author: Yuwen Chen Date: Mon Jun 27 06:40:41 2022 +0800 erofs: wake up all waiters after z_erofs_lzma_head ready [ Upstream commit 2df7c4bd7c1d2bc5ece5e9ed19dbd386810c2a65 ] When the user mounts the erofs second times, the decompression thread may hung. The problem happens due to a sequence of steps like the following: 1) Task A called z_erofs_load_lzma_config which obtain all of the node from the z_erofs_lzma_head. 2) At this time, task B called the z_erofs_lzma_decompress and wanted to get a node. But the z_erofs_lzma_head was empty, the Task B had to sleep. 3) Task A release nodes and push nodes into the z_erofs_lzma_head. But task B was still sleeping. One example report when the hung happens: task:kworker/u3:1 state:D stack:14384 pid: 86 ppid: 2 flags:0x00004000 Workqueue: erofs_unzipd z_erofs_decompressqueue_work Call Trace: __schedule+0x281/0x760 schedule+0x49/0xb0 z_erofs_lzma_decompress+0x4bc/0x580 ? cpu_core_flags+0x10/0x10 z_erofs_decompress_pcluster+0x49b/0xba0 ? __update_load_avg_se+0x2b0/0x330 ? __update_load_avg_se+0x2b0/0x330 ? update_load_avg+0x5f/0x690 ? update_load_avg+0x5f/0x690 ? set_next_entity+0xbd/0x110 ? _raw_spin_unlock+0xd/0x20 z_erofs_decompress_queue.isra.0+0x2e/0x50 z_erofs_decompressqueue_work+0x30/0x60 process_one_work+0x1d3/0x3a0 worker_thread+0x45/0x3a0 ? process_one_work+0x3a0/0x3a0 kthread+0xe2/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 Signed-off-by: Yuwen Chen Fixes: 622ceaddb764 ("erofs: lzma compression support") Reviewed-by: Gao Xiang Link: https://lore.kernel.org/r/20220626224041.4288-1-chenyuwen1@meizu.com Signed-off-by: Gao Xiang Signed-off-by: Sasha Levin commit 4d0cf5bdea1a1c602f46360b879708b15c715a00 Author: Johan Hovold Date: Thu Jul 7 08:42:22 2022 +0200 arm64: dts: qcom: sc7280: fix PCIe clock reference [ Upstream commit 330fc08dbdd913ac37a31f8aec1a88f68e39ae39 ] The recent commit that dropped the PCIe PHY clock index failed to update the PCIe node reference. Fixes: 531c738fb360 ("arm64: dts: qcom: sc7280: drop PCIe PHY clock index") Reported-by: Dmitry Baryshkov Signed-off-by: Johan Hovold Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220707064222.15717-1-johan+linaro@kernel.org Signed-off-by: Sasha Levin commit fe327fdc310750738ca3d9060a6f28ea60c928a3 Author: Tamás Szűcs Date: Sun Jun 12 14:59:45 2022 +0000 arm64: tegra: Fix SDMMC1 CD on P2888 [ Upstream commit b415bb7c976f1d595ed752001c0938f702645dab ] Hook SDMMC1 CD up with CVM GPIO02 (SOC_GPIO11) used for card detection on J4 (uSD socket) on the carrier. Fixes: ef633bfc21e9 ("arm64: tegra: Enable card detect for SD card on P2888") Signed-off-by: Tamás Szűcs Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 61b2143ac99fbc8ea9c84d19c14b0901fb9ad056 Author: Mikko Perttunen Date: Wed Jun 22 16:23:00 2022 +0300 arm64: tegra: Mark BPMP channels as no-memory-wc [ Upstream commit 61192a9d8a6367ae1b8234876941b037910a2459 ] The Tegra SYSRAM contains regions access to which is restricted to certain hardware blocks on the system, and speculative accesses to those will cause issues. Patch 'misc: sram: Only map reserved areas in Tegra SYSRAM' attempted to resolve this by only mapping the regions specified in the device tree on the assumption that there are no such restricted areas within the 64K-aligned area of memory that contains the memory we wish to map. Turns out this assumption is wrong, as there are such areas above the 4K pages described in the device trees. As such, we need to use the bigger hammer that is no-memory-wc, which causes the memory to be mapped as Device memory to which speculative accesses are disallowed. As such, the previous patch in the series, 'firmware: tegra: bpmp: do only aligned access to IPC memory area', is required with this patch to make the BPMP driver only issue aligned memory accesses as those are also required with Device memory. Fixes: fec29bf04994 ("misc: sram: Only map reserved areas in Tegra SYSRAM") Signed-off-by: Mikko Perttunen Reviewed-by: Yousaf Kaukab Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit cbb73c1d32e78f942d5d20e4094f8a6413c40772 Author: Nick Hainke Date: Thu Jun 30 13:16:57 2022 +0200 arm64: dts: mt7622: fix BPI-R64 WPS button [ Upstream commit c98e6e683632386a3bd284acda4342e68aec4c41 ] The bananapi R64 (BPI-R64) experiences wrong WPS button signals. In OpenWrt pushing the WPS button while powering on the device will set it to recovery mode. Currently, this also happens without any user interaction. In particular, the wrong signals appear while booting the device or restarting it, e.g. after doing a system upgrade. If the device is in recovery mode the user needs to manually power cycle or restart it. The official BPI-R64 sources set the WPS button to GPIO_ACTIVE_LOW in the device tree. This setting seems to suppress the unwanted WPS button press signals. So this commit changes the button from GPIO_ACTIVE_HIGH to GPIO_ACTIVE_LOW. The official BPI-R64 sources can be found on https://github.com/BPI-SINOVOIP/BPI-R64-openwrt Fixes: 0b6286dd96c0 ("arm64: dts: mt7622: add bananapi BPI-R64 board") Suggested-by: INAGAKI Hiroshi Signed-off-by: Nick Hainke Link: https://lore.kernel.org/r/20220630111746.4098-1-vincent@systemli.org Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit 702d2a541af44e42ddfd49944f1ab09a328180c4 Author: Johan Hovold Date: Tue Jul 5 13:40:20 2022 +0200 arm64: dts: qcom: sm8250: add missing PCIe PHY clock-cells [ Upstream commit d9fd162ce764c227fcfd4242f6c1639895a9481f ] Add the missing '#clock-cells' properties to the PCIe QMP PHY nodes. Signed-off-by: Johan Hovold Fixes: e53bdfc00977 ("arm64: dts: qcom: sm8250: Add PCIe support") Reviewed-by: Dmitry Baryshkov Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220705114032.22787-3-johan+linaro@kernel.org Signed-off-by: Sasha Levin commit 4ffad9357b9d92087ef8d426e258b1d5a6a46de2 Author: Johan Hovold Date: Tue Jul 5 13:40:19 2022 +0200 arm64: dts: qcom: sc7280: drop PCIe PHY clock index [ Upstream commit 531c738fb36069d60aff267a0b25533a35d59fd0 ] The QMP PCIe PHY provides a single clock so drop the redundant clock index. Signed-off-by: Johan Hovold Fixes: bd7d507935ca ("arm64: dts: qcom: sc7280: Add pcie clock support") Fixes: 92e0ee9f83b3 ("arm64: dts: qcom: sc7280: Add PCIe and PHY related nodes") Reviewed-by: Dmitry Baryshkov Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220705114032.22787-2-johan+linaro@kernel.org Signed-off-by: Sasha Levin commit 531d21b4ce4c0f393d055d3989db6de8136430cf Author: Dmitry Baryshkov Date: Mon Jun 20 10:19:34 2022 +0300 arm64: dts: qcom: msm8996: correct #clock-cells for QMP PHY nodes [ Upstream commit b874fff9a7683df30e5aff16d5a85b1f8a43aa5d ] The commit 82d61e19fccb ("arm64: dts: qcom: msm8996: Move '#clock-cells' to QMP PHY child node") moved the '#clock-cells' properties to the child nodes. However it missed the fact that the property must have been set to <0> (as all pipe clocks use of_clk_hw_simple_get as the xlate function. Also the mentioned commit didn't add '#clock-cells' properties to second and third PCIe PHY nodes. Correct both these mistakes: - Set '#clock-cells' to <0>, - Add the property to pciephy_1 and pciephy_2 nodes. Fixes: 82d61e19fccb ("arm64: dts: qcom: msm8996: Move '#clock-cells' to QMP PHY child node") Signed-off-by: Dmitry Baryshkov Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220620071936.1558906-3-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit 5503176b7d158af2bbb6cbd6fb9d1a39d0b90bcd Author: Marijn Suijten Date: Sun May 8 12:03:34 2022 +0200 arm64: dts: qcom: sm6125: Append -state suffix to pinctrl nodes [ Upstream commit cbfb5668aece448877fa7826cde81c9d06f4a4ac ] According to qcom,sm6125-pinctrl.yaml all nodes inside the tlmm must be suffixed by -state: qcom/sm6125-sony-xperia-seine-pdx201.dtb: pinctrl@500000: 'sdc2-off', 'sdc2-on' do not match any of the regexes: '-state$', 'pinctrl-[0-9]+' The label names have been updated to match, going from sdc2_state_X to sdc2_X_state. Fixes: cff4bbaf2a2d ("arm64: dts: qcom: Add support for SM6125") Fixes: 82e1783890b7 ("arm64: dts: qcom: sm6125: Add support for Sony Xperia 10II") Signed-off-by: Marijn Suijten Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220508100336.127176-2-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit eb007ca7cb59da69acffcc04a7145bdd7d225d60 Author: Marijn Suijten Date: Sun May 8 12:03:33 2022 +0200 arm64: dts: qcom: sm6125: Move sdc2 pinctrl from seine-pdx201 to sm6125 [ Upstream commit 6990640a93ba4e76dd62ca3ea1082a7354db09d7 ] Both the sdc2-on and sdc2-off pinctrl nodes are used by the sdhci@4784000 node in sm6125.dtsi. Surprisingly sdc2-off is defined in sm6125, yet its sdc2-on counterpart is only defined in board-specific DT for the Sony Seine PDX201 board/device resulting in an "undefined label &sdc2_state_on" error if sm6125.dtsi were included elsewhere. This sm6125 base dtsi should not rely on externally defined labels; the properties referencing it should then also be written externally. Since the sdc2-on pin configuration is board-independent just like sdc2-off, move it from seine-pdx201.dts into sm6125.dtsi. The SDCard-detect pin (gpio98) is however board-specific, and remains as an overwrite in seine-pdx201.dts for both the on and off state. As a drive-by cleanup, reorder bias- and drive-strength properties. Fixes: cff4bbaf2a2d ("arm64: dts: qcom: Add support for SM6125") Fixes: 82e1783890b7 ("arm64: dts: qcom: sm6125: Add support for Sony Xperia 10II") Signed-off-by: Marijn Suijten Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220508100336.127176-1-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit 579ea4a0fab9b72e0768b1f332cb5b889baecdcb Author: Yang Yingliang Date: Tue Jun 28 16:49:03 2022 +0800 m68k: virt: Fix missing platform_device_unregister() on error in virt_platform_init() [ Upstream commit 566a2d6d8e429727832c7e347cbe736b12ad7297 ] Add the missing platform_device_unregister() before return from virt_platform_init() in the error handling case. Fixes: 05d51e42df06 ("m68k: Introduce a virtual m68k machine") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Reviewed-by: Laurent Vivier Link: https://lore.kernel.org/r/20220628084903.3147123-1-yangyingliang@huawei.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit d3a380f723b01cbb0091b33c640d59597e9c8154 Author: Eric Auger Date: Thu Jun 30 11:40:59 2022 +0200 ACPI: VIOT: Fix ACS setup [ Upstream commit 3dcb861dbc6ab101838a1548b1efddd00ca3c3ec ] Currently acpi_viot_init() gets called after the pci device has been scanned and pci_enable_acs() has been called. So pci_request_acs() fails to be taken into account leading to wrong single iommu group topologies when dealing with multi-function root ports for instance. We cannot simply move the acpi_viot_init() earlier, similarly as the IORT init because the VIOT parsing relies on the pci scan. However we can detect VIOT is present earlier and in such a case, request ACS. Introduce a new acpi_viot_early_init() routine that allows to call pci_request_acs() before the scan. While at it, guard the call to pci_request_acs() with #ifdef CONFIG_PCI. Fixes: 3cf485540e7b ("ACPI: Add driver for the VIOT table") Signed-off-by: Eric Auger Reported-by: Jin Liu Reviewed-by: Jean-Philippe Brucker Tested-by: Jean-Philippe Brucker Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 53d19f5b11e7b732fd4cbfad5424c3b89daf03d9 Author: Chanho Park Date: Mon Jun 27 09:58:32 2022 +0900 arm64: dts: exynosautov9: correct spi11 pin names [ Upstream commit ba205449828f47f80532a1453beef5eed2982176 ] They should be started with "gpp5-". Fixes: 31bbac5263aa ("arm64: dts: exynos: add initial support for exynosautov9 SoC") Signed-off-by: Chanho Park Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20220627005832.8709-1-chanho61.park@samsung.com Signed-off-by: Sasha Levin commit 082018a4d5740a392209bc32d0225b659402799d Author: Kan Liang Date: Wed Jun 29 08:08:40 2022 -0700 perf/x86/intel: Fix PEBS data source encoding for ADL [ Upstream commit ccf170e9d8fdacfe435bbe3749c897c7d86d32f8 ] The PEBS data source encoding for the e-core is different from the p-core. Add the pebs_data_source[] in the struct x86_hybrid_pmu to store the data source encoding for each type of the core. Add intel_pmu_pebs_data_source_grt() for the e-core. There is nothing changed for the data source encoding of the p-core, which still reuse the intel_pmu_pebs_data_source_skl(). Fixes: f83d2f91d259 ("perf/x86/intel: Add Alder Lake Hybrid support") Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Andi Kleen Link: https://lkml.kernel.org/r/20220629150840.2235741-2-kan.liang@linux.intel.com Signed-off-by: Sasha Levin commit 34d1a1bf67756ab27c17fe24c0557aea54587656 Author: Kan Liang Date: Wed Jun 29 08:08:39 2022 -0700 perf/x86/intel: Fix PEBS memory access info encoding for ADL [ Upstream commit 39a41278f041e4b7ee6c83caefac845c9b19fc61 ] The PEBS memory access latency encoding for the e-core is slightly different from the p-core. The bit 4 is Lock, while the bit 5 is TLB access. Add a new flag to indicate the load/store latency event on a hybrid platform. Add a new function pointer to retrieve the latency data for a hybrid platform. Only implement the new flag and function for the e-core on ADL. Still use the existing PERF_X86_EVENT_PEBS_LDLAT/STLAT flag for the p-core on ADL. Factor out pebs_set_tlb_lock() to set the generic memory data source information of the TLB access and lock for both load and store latency. Move the intel_get_event_constraints() to ahead of the :ppp check, otherwise the new flag never gets a chance to be set for the :ppp events. Fixes: f83d2f91d259 ("perf/x86/intel: Add Alder Lake Hybrid support") Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Andi Kleen Link: https://lkml.kernel.org/r/20220629150840.2235741-1-kan.liang@linux.intel.com Signed-off-by: Sasha Levin commit 9cfed7bfb923a5de8eac24582713ba0fe76ab86b Author: Krzysztof Kozlowski Date: Tue Jun 7 19:18:48 2022 +0200 arm64: dts: qcom: msm8994: add required ranges to OCMEM [ Upstream commit 07f3c7a11dadbead580b6d6e7d86bcc87119fe74 ] The OCMEM bindings require ranges property. Fixes: 9d511d0a7926 ("arm64: dts: qcom: msm8994: Add OCMEM node") Signed-off-by: Krzysztof Kozlowski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220607171848.535128-14-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 393114d80c910b5349f3ca9a291ccd6b21181f01 Author: Sireesh Kodali Date: Thu May 26 19:47:40 2022 +0530 arm64: dts: qcom: msm8916: Fix typo in pronto remoteproc node [ Upstream commit 5458d6f2827cd30218570f266b8d238417461f2f ] The smem-state properties for the pronto node were incorrectly labelled, reading `qcom,state*` rather than `qcom,smem-state*`. Fix that, allowing the stop state to be used. Fixes: 88106096cbf8 ("ARM: dts: msm8916: Add and enable wcnss node") Signed-off-by: Sireesh Kodali Reviewed-by: Krzysztof Kozlowski Reviewed-by: Stephan Gerhold Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220526141740.15834-3-sireeshkodali1@gmail.com Signed-off-by: Sasha Levin commit cd25f585c69df24b1544d89dcb11509ebe098de7 Author: GONG, Ruiqi Date: Wed Jun 29 14:04:23 2022 +0800 stack: Declare {randomize_,}kstack_offset to fix Sparse warnings [ Upstream commit 375561bd6195a31bf4c109732bd538cb97a941f4 ] Fix the following Sparse warnings that got noticed when the PPC-dev patchwork was checking another patch (see the link below): init/main.c:862:1: warning: symbol 'randomize_kstack_offset' was not declared. Should it be static? init/main.c:864:1: warning: symbol 'kstack_offset' was not declared. Should it be static? Which in fact are triggered on all architectures that have HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET support (for instances x86, arm64 etc). Link: https://lore.kernel.org/lkml/e7b0d68b-914d-7283-827c-101988923929@huawei.com/T/#m49b2d4490121445ce4bf7653500aba59eefcb67f Cc: Christophe Leroy Cc: Xiu Jianfeng Signed-off-by: GONG, Ruiqi Reviewed-by: Christophe Leroy Fixes: 39218ff4c625 ("stack: Optionally randomize kernel stack offset each syscall") Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220629060423.2515693-1-gongruiqi1@huawei.com Signed-off-by: Sasha Levin commit f919fb3d3cf1136e464bf2c649fe820148f33666 Author: Kees Cook Date: Wed May 11 10:40:43 2022 -0700 lib: overflow: Do not define 64-bit tests on 32-bit [ Upstream commit 6a022dd29f2cefbac4895a34e2e1f14b2d12d819 ] The 64-bit overflow tests will trigger 64-bit division on 32-bit hosts, which is not currently used anywhere in the kernel, and tickles bugs in at least Clang 13 and earlier: https://github.com/ClangBuiltLinux/linux/issues/1636 In reality, there shouldn't be a reason to not build the 64-bit test cases on 32-bit systems, so these #ifdefs can be removed once the minimum Clang version reaches 13. In the meantime, silence W=1 warnings given by the current code: ../lib/overflow_kunit.c:191:19: warning: 's64_tests' defined but not used [-Wunused-const-variable=] 191 | DEFINE_TEST_ARRAY(s64) = { | ^~~ ../lib/overflow_kunit.c:24:11: note: in definition of macro 'DEFINE_TEST_ARRAY' 24 | } t ## _tests[] | ^ ../lib/overflow_kunit.c:94:19: warning: 'u64_tests' defined but not used [-Wunused-const-variable=] 94 | DEFINE_TEST_ARRAY(u64) = { | ^~~ ../lib/overflow_kunit.c:24:11: note: in definition of macro 'DEFINE_TEST_ARRAY' 24 | } t ## _tests[] | ^ Reported-by: kernel test robot Link: https://lore.kernel.org/lkml/202205110324.7GrtxG8u-lkp@intel.com Fixes: 455a35a6cdb6 ("lib: add runtime test of check_*_overflow functions") Cc: Rasmus Villemoes Cc: Nick Desaulniers Cc: Vitor Massaru Iha Cc: "Gustavo A. R. Silva" Tested-by: Daniel Latypov Link: https://lore.kernel.org/lkml/CAGS_qxokQAjQRip2vPi80toW7hmBnXf=KMTNT51B1wuDqSZuVQ@mail.gmail.com Signed-off-by: Kees Cook Signed-off-by: Sasha Levin commit aa6a7c9535132aee1f538aad6fea1f2ce05b685e Author: Yang Yingliang Date: Fri Jul 1 17:43:52 2022 +0800 bus: hisi_lpc: fix missing platform_device_put() in hisi_lpc_acpi_probe() [ Upstream commit 54872fea6a5ac967ec2272aea525d1438ac6735a ] In error case in hisi_lpc_acpi_probe() after calling platform_device_add(), hisi_lpc_acpi_remove() can't release the failed 'pdev', so it will be leak, call platform_device_put() to fix this problem. I'v constructed this error case and tested this patch on D05 board. Fixes: 99c0228d6ff1 ("HISI LPC: Re-Add ACPI child enumeration support") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Acked-by: John Garry Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit d89c0e089f7b4b9466aab70f6db741bcdad9f602 Author: Krzysztof Kozlowski Date: Wed Jun 8 13:27:02 2022 +0200 ARM: dts: qcom: pm8841: add required thermal-sensor-cells [ Upstream commit e2759fa0676c9a32bbddb9aff955b54bb35066ad ] The PM8841 temperature sensor has to define thermal-sensor-cells. Fixes: dab8134ca072 ("ARM: dts: qcom: Add PM8841 functions device nodes") Signed-off-by: Krzysztof Kozlowski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220608112702.80873-2-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 6f7698399f90a454caf0d457740d6c592ed536cb Author: Krzysztof Kozlowski Date: Tue Jun 7 19:18:41 2022 +0200 ARM: dts: qcom: msm8974: add required ranges to OCMEM [ Upstream commit 7a16ea7f3a5ec0f30b146b058c273b7a9c8ceadf ] The OCMEM bindings require ranges property. Fixes: a2cc991ed634 ("ARM: dts: qcom: msm8974: add ocmem node") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Luca Weiss Tested-by: Luca Weiss Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220607171848.535128-7-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 591f0697ccbac33760d3bb1ad96a5ba2b76ae9f0 Author: Miaoqian Lin Date: Mon Jun 6 10:42:52 2022 +0400 soc: qcom: aoss: Fix refcount leak in qmp_cooling_devices_register [ Upstream commit e6e0951414a314e7db3e9e24fd924b3e15515288 ] Every iteration of for_each_available_child_of_node() decrements the reference count of the previous node. When breaking early from a for_each_available_child_of_node() loop, we need to explicitly call of_node_put() on the child node. Add missing of_node_put() to avoid refcount leak. Fixes: 05589b30b21a ("soc: qcom: Extend AOSS QMP driver to support resources that are used to wake up the SoC.") Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220606064252.42595-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit ed40a48d0a9166edb22e2b8efafea822e93dd79a Author: Miaoqian Lin Date: Thu Jun 2 08:24:30 2022 +0400 soc: qcom: ocmem: Fix refcount leak in of_get_ocmem [ Upstream commit 92a563fcf14b3093226fb36f12e9b5cf630c5a5d ] of_parse_phandle() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. of_node_put() will check NULL pointer. Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver") Signed-off-by: Miaoqian Lin Reviewed-by: Brian Masney Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220602042430.1114-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 6ef9abe3e50babd7e4eeb7fd6631fb7b47041e19 Author: Luca Weiss Date: Sun May 22 10:36:18 2022 +0200 ARM: dts: qcom-msm8974: fix irq type on blsp2_uart1 [ Upstream commit ab1489017aa7a9f02e24bee73cf9ec8079cd3909 ] IRQ_TYPE_NONE is invalid, so use the correct interrupt type. Signed-off-by: Luca Weiss Fixes: b05f82b152c9 ("ARM: dts: qcom: msm8974: Add blsp2_uart7 for bluetooth on sirius") Reviewed-by: Krzysztof Kozlowski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220522083618.17894-1-luca@z3ntu.xyz Signed-off-by: Sasha Levin commit 0a4fa4ce697987b71eafce17bb198961ed9070bd Author: Christian Marangi Date: Sat Apr 30 07:51:17 2022 +0200 ARM: dts: qcom: replace gcc PXO with pxo_board fixed clock [ Upstream commit eb9e93937756a05787977875830c0dc482cb57e0 ] Replace gcc PXO phandle to pxo_board fixed clock declared in the dts. gcc driver doesn't provide PXO_SRC as it's a fixed-clock. This cause a kernel panic if any driver actually try to use it. Fixes: 40cf5c884a96 ("ARM: dts: qcom: add L2CC and RPM for IPQ8064") Signed-off-by: Ansuel Smith Reviewed-by: Dmitry Baryshkov Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220430055118.1947-2-ansuelsmth@gmail.com Signed-off-by: Sasha Levin commit 408ecbf8fcb7a71079099efd3d8ea2d48c384d03 Author: Dan Williams Date: Fri Jun 24 16:05:26 2022 -0700 ACPI: APEI: Fix _EINJ vs EFI_MEMORY_SP [ Upstream commit b13a3e5fd40b7d1b394c5ecbb5eb301a4c38e7b2 ] When a platform marks a memory range as "special purpose" it is not onlined as System RAM by default. However, it is still suitable for error injection. Add IORES_DESC_SOFT_RESERVED to einj_error_inject() as a permissible memory type in the sanity checking of the arguments to _EINJ. Fixes: 262b45ae3ab4 ("x86/efi: EFI soft reservation to E820 enumeration") Reviewed-by: Tony Luck Reported-by: Omar Avelar Signed-off-by: Dan Williams Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 7040e8bd46b2323a8771b09816e9b9c55202314f Author: Stephan Gerhold Date: Thu Jun 23 11:46:12 2022 +0200 regulator: qcom_smd: Fix pm8916_pldo range [ Upstream commit e8977917e116d1571dacb8e9864474551c1c12bd ] The PM8916 device specification [1] documents a programmable range of 1.75V to 3.337V with 12.5mV steps for the PMOS LDOs in PM8916. This range is also used when controlling the regulator directly using the qcom_spmi-regulator driver ("ult_pldo" there). However, for some reason the qcom_smd-regulator driver allows a much larger range for the same hardware component. This could be simply a typo, since the start of the range is essentially just missing a '1'. In practice this does not cause any major problems, since the driver just sends the actual voltage to the RPM firmware instead of making use of the incorrect voltage selector. Still, having the wrong range there is confusing and prevents the regulator core from validating requests correctly. [1]: https://developer.qualcomm.com/download/sd410/pm8916pm8916-1-power-management-ic-device-specification.pdf Fixes: 57d6567680ed ("regulator: qcom-smd: Add PM8916 support") Signed-off-by: Stephan Gerhold Link: https://lore.kernel.org/r/20220623094614.1410180-2-stephan.gerhold@kernkonzept.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit abb65882592cb2acc4a7037ae2f489216200b328 Author: Chris Paterson Date: Thu Jun 23 11:30:24 2022 +0100 arm64: dts: renesas: r9a07g054l2-smarc: Correct SoC name in comment [ Upstream commit d1273f541ab409242e08da6bb836bb564021274c ] This dts is for the RZ/V2L SMARC EVK, not RZ/G2L. Fixes: f91c4c74796a ("arm64: dts: renesas: Add initial device tree for RZ/V2L SMARC EVK") Signed-off-by: Chris Paterson Link: https://lore.kernel.org/r/20220623103024.24222-1-chris.paterson2@renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 407cc96391008ee34136293f97d2785d1644b1a9 Author: Geert Uytterhoeven Date: Fri Jun 17 11:36:58 2022 +0200 arm64: dts: renesas: r8a779m8: Drop operating points above 1.5 GHz [ Upstream commit f48cb21a28c07d0754d5f2f85444cfb0e7b1fd05 ] The highest-performance mode for the Cortex-A57 CPU cores supported on R-Car H3Ne (R8A779M8) is the Power Optimized (1.5 GHz) mode. The Normal (1.6 GHz) and High Performance (1.7 GHz) modes are not supported. Hence drop the "turbo-mode" entries from the operating points table inherited from r8a77951.dtsi. Fixes: 6e87525d751fac57 ("arm64: dts: renesas: Add Renesas R8A779M8 SoC support") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/aeb4530f7fbac8329b334dcb169382c836a5f32d.1655458564.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 3b01353f1825151a29d08e0868b2bf01e1116ab5 Author: Miaoqian Lin Date: Sun Jun 5 12:28:07 2022 +0400 cpufreq: zynq: Fix refcount leak in zynq_get_revision [ Upstream commit d1ff2559cef0f6f8d97fba6337b28adb10689e16 ] of_find_compatible_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when done. Add missing of_node_put() to avoid refcount leak. Fixes: 00f7dc636366 ("ARM: zynq: Add support for SOC_BUS") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220605082807.21526-1-linmq006@gmail.com Signed-off-by: Michal Simek Signed-off-by: Sasha Levin commit d8b4cea8b38c4301348041c5d8273baa66fb3158 Author: Dmitry Baryshkov Date: Sat May 21 23:27:05 2022 +0300 arm64: dts: qcom: sdm636-sony-xperia-ganges-mermaid: correct sdc2 pinconf [ Upstream commit 3a04cec9cba393abfe70fc62e523f381c9baec2e ] Fix the device tree node in the &sdc2_state_on override. The sdm630 uses 'clk' rather than 'pinconf-clk'. Fixes: 4c1d849ec047 ("arm64: dts: qcom: sdm630-xperia: Retire sdm630-sony-xperia-ganges.dtsi") Reviewed-by: Konrad Dybcio Signed-off-by: Dmitry Baryshkov Reviewed-by: Marijn Suijten Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220521202708.1509308-9-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit 31a91afaac9d51a4b94c049633c5c300eea78e0a Author: Dmitry Baryshkov Date: Sat May 21 23:27:04 2022 +0300 arm64: dts: qcom: sdm630: fix gpu's interconnect path [ Upstream commit 3cd1c4f41d64a40ea6bc4575ae28e37542123d77 ] ICC path for the GPU incorrectly states <&gnoc 1 &bimc 5>, which is a path from SLAVE_GNOC_BIMC to SLAVE_EBI. According to the downstream kernel sources, the GPU uses MASTER_OXILI here, which is equivalent to <&bimc 1 ...>. While we are at it, use defined names instead of the numbers for this interconnect path. Fixes: 5cf69dcbec8b ("arm64: dts: qcom: sdm630: Add Adreno 508 GPU configuration") Reported-by: Marijn Suijten Reviewed-by: Marijn Suijten Signed-off-by: Dmitry Baryshkov Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220521202708.1509308-8-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit 665ac144cfc1d5a5a2d9749eb49dc23748f5b810 Author: Dmitry Baryshkov Date: Sat May 21 23:27:01 2022 +0300 arm64: dts: qcom: sdm630: fix the qusb2phy ref clock [ Upstream commit 924bbd8dd60e094344711c3526a5b308d71dc008 ] According to the downstram DT file, the qusb2phy ref clock should be GCC_RX0_USB2_CLKREF_CLK, not GCC_RX1_USB2_CLKREF_CLK. Fixes: c65a4ed2ea8b ("arm64: dts: qcom: sdm630: Add USB configuration") Cc: Konrad Dybcio Reviewed-by: Konrad Dybcio Reviewed-by: Marijn Suijten Signed-off-by: Dmitry Baryshkov Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220521202708.1509308-5-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit ebfdc8bd81e687f603180723e3c12aa6f2d68e4c Author: Dmitry Baryshkov Date: Sat May 21 23:27:00 2022 +0300 arm64: dts: qcom: sdm630: disable GPU by default [ Upstream commit 1c047919763b4548381d1ab3320af1df66ab83df ] The SoC's device tree file disables gpucc and adreno's SMMU by default. So let's disable the GPU too. Moreover it looks like SMMU might be not usable without additional patches (which means that GPU is unusable too). No board uses GPU at this moment. Fixes: 5cf69dcbec8b ("arm64: dts: qcom: sdm630: Add Adreno 508 GPU configuration") Reviewed-by: Konrad Dybcio Reviewed-by: Marijn Suijten Signed-off-by: Dmitry Baryshkov Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220521202708.1509308-4-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit c652e0f51665f3fa575449909bbd9d7b45dfab1c Author: Miaoqian Lin Date: Thu May 26 11:37:24 2022 +0400 ARM: OMAP2+: Fix refcount leak in omap3xxx_prm_late_init [ Upstream commit 942228fbf5d4901112178b93d41225be7c0dd9de ] of_find_matching_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. Fixes: 1e037794f7f0 ("ARM: OMAP3+: PRM: register interrupt information from DT") Signed-off-by: Miaoqian Lin Message-Id: <20220526073724.21169-1-linmq006@gmail.com> Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 507159facf002d113c4878fec67f37d62f187887 Author: Miaoqian Lin Date: Wed Jun 1 08:48:58 2022 +0400 ARM: OMAP2+: Fix refcount leak in omapdss_init_of [ Upstream commit 9705db1eff38d6b9114121f9e253746199b759c9 ] omapdss_find_dss_of_node() calls of_find_compatible_node() to get device node. of_find_compatible_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when done. Add missing of_node_put() in later error path and normal path. Fixes: e0c827aca0730 ("drm/omap: Populate DSS children in omapdss driver") Signed-off-by: Miaoqian Lin Message-Id: <20220601044858.3352-1-linmq006@gmail.com> Reviewed-by: Laurent Pinchart Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 93c55e0dff8617a5901f8b90e7f05259531c4a1a Author: Krzysztof Kozlowski Date: Sat May 7 21:49:12 2022 +0200 ARM: dts: qcom: mdm9615: add missing PMIC GPIO reg [ Upstream commit dc590cdc31f636ea15658f1206c3e380a53fb78e ] 'reg' property is required in SSBI children: qcom-mdm9615-wp8548-mangoh-green.dtb: gpio@150: 'reg' is a required property Fixes: 2c5e596524e7 ("ARM: dts: Add MDM9615 dtsi") Signed-off-by: Krzysztof Kozlowski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220507194913.261121-11-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 905ce119d0ee5bdced19ccf89e1b2b9c3cd550ab Author: Marijn Suijten Date: Mon Jun 20 23:12:12 2022 +0200 arm64: dts: qcom: sdm845-akatsuki: Round down l22a regulator voltage [ Upstream commit 4148a9eeb15152865d60b0913d96beb7ca166f9a ] 2700000 is not a multiple of pmic4_pldo's step size of 8000 (with base voltage 1664000), resulting in pm8998-rpmh-regulators not probing. Just as we did with MSM8998's Sony Yoshino Poplar [1], round the voltages down to err on the cautious side and leave a comment in place to document this discrepancy wrt downstream sources. [1]: https://lore.kernel.org/linux-arm-msm/20220507153627.1478268-1-marijn.suijten@somainline.org/ Fixes: 30a7f99befc6 ("arm64: dts: qcom: Add support for SONY Xperia XZ2 / XZ2C / XZ3 (Tama platform)") Signed-off-by: Marijn Suijten Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220620211212.269956-1-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit f3edcfd871187ee33b8609054e47b60071ead032 Author: Keith Busch Date: Fri Jun 10 12:58:20 2022 -0700 block: fix infinite loop for invalid zone append [ Upstream commit b82d9fa257cb3725c49d94d2aeafc4677c34448a ] Returning 0 early from __bio_iov_append_get_pages() for the max_append_sectors warning just creates an infinite loop since 0 means success, and the bio will never fill from the unadvancing iov_iter. We could turn the return into an error value, but it will already be turned into an error value later on, so just remove the warning. Clearly no one ever hit it anyway. Fixes: 0512a75b98f84 ("block: Introduce REQ_OP_ZONE_APPEND") Signed-off-by: Keith Busch Reviewed-by: Damien Le Moal Reviewed-by: Christoph Hellwig Reviewed-by: Johannes Thumshirn Link: https://lore.kernel.org/r/20220610195830.3574005-2-kbusch@fb.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 773feecf570e13148589b43991df7cd3786c1afd Author: Krzysztof Kozlowski Date: Mon Jun 27 11:45:41 2022 +0200 spi: s3c64xx: constify fsd_spi_port_config [ Upstream commit a813c47d22b0a0c51567292bc198a39bdcdc3799 ] All struct s3c64xx_spi_port_config should be const. Fixes: 4ebb15a15799 ("spi: s3c64xx: Add spi port configuration for Tesla FSD SoC") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20220627094541.95166-1-krzysztof.kozlowski@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e424ccda9c8b989df33f69006ab1ce89054cc034 Author: Michael Walle Date: Mon Apr 4 11:56:03 2022 +0200 soc: fsl: guts: machine variable might be unset [ Upstream commit ab3f045774f704c4e7b6a878102f4e9d4ae7bc74 ] If both the model and the compatible properties are missing, then machine will not be set. Initialize it with NULL. Fixes: 34c1c21e94ac ("soc: fsl: fix section mismatch build warnings") Signed-off-by: Michael Walle Acked-by: Arnd Bergmann Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit ca18e97c52a73196a4bfe83c745f47ac218c91f0 Author: Stephen Boyd Date: Tue May 17 12:33:07 2022 -0700 arm64: dts: qcom: sc7180: Remove ipa_fw_mem node on trogdor [ Upstream commit e60414644cf3a703e10ed4429c15263095945ffe ] We don't use this carveout on trogdor boards, and having it defined in the sc7180 SoC file causes an overlap message to be printed at boot. OF: reserved mem: OVERLAP DETECTED! memory@86000000 (0x0000000086000000--0x000000008ec00000) overlaps with memory@8b700000 (0x000000008b700000--0x000000008b710000) Delete the node in the trogdor dtsi file to fix the overlap problem and remove the error message. Cc: Alex Elder Cc: Matthias Kaehlcke Fixes: 310b266655a3 ("arm64: dts: qcom: sc7180: define ipa_fw_mem node") Signed-off-by: Stephen Boyd Reviewed-by: Alex Elder Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220517193307.3034602-1-swboyd@chromium.org Signed-off-by: Sasha Levin commit 86a2e3ecc91eea3b9e6d71e615034777e65e278b Author: Peter Zijlstra Date: Fri Jun 17 15:26:06 2022 +0200 locking/lockdep: Fix lockdep_init_map_*() confusion [ Upstream commit eae6d58d67d9739be5f7ae2dbead1d0ef6528243 ] Commit dfd5e3f5fe27 ("locking/lockdep: Mark local_lock_t") added yet another lockdep_init_map_*() variant, but forgot to update all the existing users of the most complicated version. This could lead to a loss of lock_type and hence an incorrect report. Given the relative rarity of both local_lock and these annotations, this is unlikely to happen in practise, still, best fix things. Fixes: dfd5e3f5fe27 ("locking/lockdep: Mark local_lock_t") Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/YqyEDtoan20K0CVD@worktop.programming.kicks-ass.net Signed-off-by: Sasha Levin commit 2f754c81c8b6981ce97bf2e6376e5e9b677eef74 Author: Alexandru Elisei Date: Fri Jun 17 12:13:32 2022 +0100 arm64: cpufeature: Allow different PMU versions in ID_DFR0_EL1 [ Upstream commit 506506cad3947b942425b119ffa2b06715d5d804 ] Commit b20d1ba3cf4b ("arm64: cpufeature: allow for version discrepancy in PMU implementations") made it possible to run Linux on a machine with PMUs with different versions without tainting the kernel. The patch relaxed the restriction only for the ID_AA64DFR0_EL1.PMUVer field, and missed doing the same for ID_DFR0_EL1.PerfMon , which also reports the PMU version, but for the AArch32 state. For example, with Linux running on two clusters with different PMU versions, the kernel is tainted when bringing up secondaries with the following message: [ 0.097027] smp: Bringing up secondary CPUs ... [..] [ 0.142805] Detected PIPT I-cache on CPU4 [ 0.142805] CPU features: SANITY CHECK: Unexpected variation in SYS_ID_DFR0_EL1. Boot CPU: 0x00000004011088, CPU4: 0x00000005011088 [ 0.143555] CPU features: Unsupported CPU feature variation detected. [ 0.143702] GICv3: CPU4: found redistributor 10000 region 0:0x000000002f180000 [ 0.143702] GICv3: CPU4: using allocated LPI pending table @0x00000008800d0000 [ 0.144888] CPU4: Booted secondary processor 0x0000010000 [0x410fd0f0] The boot CPU implements FEAT_PMUv3p1 (ID_DFR0_EL1.PerfMon, bits 27:24, is 0b0100), but CPU4, part of the other cluster, implements FEAT_PMUv3p4 (ID_DFR0_EL1.PerfMon = 0b0101). Treat the PerfMon field as FTR_NONSTRICT and FTR_EXACT to pass the sanity check and to match how PMUVer is treated for the 64bit ID register. Fixes: b20d1ba3cf4b ("arm64: cpufeature: allow for version discrepancy in PMU implementations") Signed-off-by: Alexandru Elisei Link: https://lore.kernel.org/r/20220617111332.203061-1-alexandru.elisei@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 10b49de3d9a635ac283fd707f85588577d7e452b Author: Mark Rutland Date: Wed May 11 14:17:33 2022 +0100 arm64: select TRACE_IRQFLAGS_NMI_SUPPORT [ Upstream commit 3381da254fab37ba08c4b7c4f19b4ee28b1a27ec ] Due to an oversight, on arm64 lockdep IRQ state tracking doesn't work as intended in NMI context. This demonstrably results in bogus warnings from lockdep, and in theory could mask a variety of issues. On arm64, we've consistently tracked IRQ flag state for NMIs (and saved/restored the state of the interrupted context) since commit: f0cd5ac1e4c53cb6 ("arm64: entry: fix NMI {user, kernel}->kernel transitions") That commit fixed most lockdep issues with NMI by virtue of the save/restore of the lockdep state of the interrupted context. However, for lockdep IRQ state tracking to consistently take effect in NMI context it has been necessary to select TRACE_IRQFLAGS_NMI_SUPPORT since commit: ed00495333ccc80f ("locking/lockdep: Fix TRACE_IRQFLAGS vs. NMIs") As arm64 does not select TRACE_IRQFLAGS_NMI_SUPPORT, this means that the lockdep state can be stale in NMI context, and some uses of that state can consume stale data. When an NMI is taken arm64 entry code will call arm64_enter_nmi(). This will enter NMI context via __nmi_enter() before calling lockdep_hardirqs_off() to inform lockdep that IRQs have been masked. Where TRACE_IRQFLAGS_NMI_SUPPORT is not selected, lockdep_hardirqs_off() will not update lockdep state if called in NMI context. Thus if IRQs were enabled in the original context, lockdep will continue to believe that IRQs are enabled despite the call to lockdep_hardirqs_off(). However, the lockdep_assert_*() checks do take effect in NMI context, and will consume the stale lockdep state. If an NMI is taken from a context which had IRQs enabled, and during the handling of the NMI something calls lockdep_assert_irqs_disabled(), this will result in a spurious warning based upon the stale lockdep state. This can be seen when using perf with GICv3 pseudo-NMIs. Within the perf NMI handler we may attempt a uaccess to record the userspace callchain, and is this faults the el1_abort() call in the nested context will call exit_to_kernel_mode() when returning, which has a lockdep_assert_irqs_disabled() assertion: | # ./perf record -a -g sh | ------------[ cut here ]------------ | WARNING: CPU: 0 PID: 164 at arch/arm64/kernel/entry-common.c:73 exit_to_kernel_mode+0x118/0x1ac | Modules linked in: | CPU: 0 PID: 164 Comm: perf Not tainted 5.18.0-rc5 #1 | Hardware name: linux,dummy-virt (DT) | pstate: 004003c5 (nzcv DAIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : exit_to_kernel_mode+0x118/0x1ac | lr : el1_abort+0x80/0xbc | sp : ffff8000080039f0 | pmr_save: 000000f0 | x29: ffff8000080039f0 x28: ffff6831054e4980 x27: ffff683103adb400 | x26: 0000000000000000 x25: 0000000000000001 x24: 0000000000000001 | x23: 00000000804000c5 x22: 00000000000000c0 x21: 0000000000000001 | x20: ffffbd51e635ec44 x19: ffff800008003a60 x18: 0000000000000000 | x17: ffffaadf98d23000 x16: ffff800008004000 x15: 0000ffffd14f25c0 | x14: 0000000000000000 x13: 00000000000018eb x12: 0000000000000040 | x11: 000000000000001e x10: 000000002b820020 x9 : 0000000100110000 | x8 : 000000000045cac0 x7 : 0000ffffd14f25c0 x6 : ffffbd51e639b000 | x5 : 00000000000003e5 x4 : ffffbd51e58543b0 x3 : 0000000000000001 | x2 : ffffaadf98d23000 x1 : ffff6831054e4980 x0 : 0000000100110000 | Call trace: | exit_to_kernel_mode+0x118/0x1ac | el1_abort+0x80/0xbc | el1h_64_sync_handler+0xa4/0xd0 | el1h_64_sync+0x74/0x78 | __arch_copy_from_user+0xa4/0x230 | get_perf_callchain+0x134/0x1e4 | perf_callchain+0x7c/0xa0 | perf_prepare_sample+0x414/0x660 | perf_event_output_forward+0x80/0x180 | __perf_event_overflow+0x70/0x13c | perf_event_overflow+0x1c/0x30 | armv8pmu_handle_irq+0xe8/0x160 | armpmu_dispatch_irq+0x2c/0x70 | handle_percpu_devid_fasteoi_nmi+0x7c/0xbc | generic_handle_domain_nmi+0x3c/0x60 | gic_handle_irq+0x1dc/0x310 | call_on_irq_stack+0x2c/0x54 | do_interrupt_handler+0x80/0x94 | el1_interrupt+0xb0/0xe4 | el1h_64_irq_handler+0x18/0x24 | el1h_64_irq+0x74/0x78 | lockdep_hardirqs_off+0x50/0x120 | trace_hardirqs_off+0x38/0x214 | _raw_spin_lock_irq+0x98/0xa0 | pipe_read+0x1f8/0x404 | new_sync_read+0x140/0x150 | vfs_read+0x190/0x1dc | ksys_read+0xdc/0xfc | __arm64_sys_read+0x20/0x30 | invoke_syscall+0x48/0x114 | el0_svc_common.constprop.0+0x158/0x17c | do_el0_svc+0x28/0x90 | el0_svc+0x60/0x150 | el0t_64_sync_handler+0xa4/0x130 | el0t_64_sync+0x19c/0x1a0 | irq event stamp: 483 | hardirqs last enabled at (483): [] _raw_spin_unlock_irqrestore+0xa4/0xb0 | hardirqs last disabled at (482): [] _raw_spin_lock_irqsave+0xb0/0xb4 | softirqs last enabled at (468): [] put_cpu_fpsimd_context+0x28/0x70 | softirqs last disabled at (466): [] get_cpu_fpsimd_context+0x0/0x5c | ---[ end trace 0000000000000000 ]--- Note that as lockdep_assert_irqs_disabled() uses WARN_ON_ONCE(), and this uses a BRK, the warning is logged with the real PSTATE at the time of the warning, which clearly has DAIF.I set, meaning IRQs (and pseudo-NMIs) were definitely masked and the warning is spurious. Fix this by selecting TRACE_IRQFLAGS_NMI_SUPPORT such that the existing entry tracking takes effect, as we had originally intended when the arm64 entry code was fixed for transitions to/from NMI. Arguably the lockdep_assert_*() functions should have the same NMI checks as the rest of the code to prevent spurious warnings when TRACE_IRQFLAGS_NMI_SUPPORT is not selected, but the real fix for any architecture is to explicitly handle the transitions to/from NMI in the entry code. Fixes: f0cd5ac1e4c5 ("arm64: entry: fix NMI {user, kernel}->kernel transitions") Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Ingo Molnar Cc: Peter Zijlstra (Intel) Cc: Thomas Gleixner Cc: Will Deacon Link: https://lore.kernel.org/r/20220511131733.4074499-3-mark.rutland@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 17e0c2d3c6ccbfdc1a960eedb3de5d76ce50d4c7 Author: Nícolas F. R. A. Prado Date: Fri Jun 17 19:31:50 2022 -0400 arm64: dts: mt8192: Fix idle-states entry-method [ Upstream commit 2e599740f7e423ee89fb027896cb2635dd43784f ] The entry-method property of the idle-states node should be "psci" as described in the idle-states binding, since this is already the value of enable-method in the CPU nodes. Fix it to get rid of a dtbs_check warning. Fixes: 9260918d3a4f ("arm64: dts: mt8192: Add cpu-idle-states") Signed-off-by: Nícolas F. R. A. Prado Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220617233150.2466344-3-nfraprado@collabora.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit 6f24321f1274ed8f35e73fa396d6c09e4935900f Author: Nícolas F. R. A. Prado Date: Fri Jun 17 19:31:49 2022 -0400 arm64: dts: mt8192: Fix idle-states nodes naming scheme [ Upstream commit 399e23ad51caaf62400a531c9268ad3c453c3d76 ] Tweak the name of the idle-states subnodes so that they follow the binding pattern, getting rid of dtbs_check warnings. Only the usage of "-" in the name was necessary, but "off" was also exchanged for "sleep" since that seems to be a more common wording in other dts files. Fixes: 9260918d3a4f ("arm64: dts: mt8192: Add cpu-idle-states") Signed-off-by: Nícolas F. R. A. Prado Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220617233150.2466344-2-nfraprado@collabora.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit 9b8a48c34e603b725473bab9718c1ea6dc204166 Author: Krzysztof Kozlowski Date: Sun May 29 12:49:27 2022 +0200 ARM: dts: ast2600-evb-a1: fix board compatible [ Upstream commit 33c39140cc298e0d4e36083cb9a665a837773a60 ] The AST2600 EVB A1 board should have dedicated compatible. Fixes: a72955180372 ("ARM: dts: aspeed: ast2600evb: Add dts file for A1 and A0") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20220529104928.79636-6-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 58f56c71ad3c5a7ae3b6922b60168114885b0114 Author: Krzysztof Kozlowski Date: Sun May 29 12:49:26 2022 +0200 ARM: dts: ast2600-evb: fix board compatible [ Upstream commit aa5e06208500a0db41473caebdee5a2e81d5a277 ] The AST2600 EVB board should have dedicated compatible. Fixes: 2ca5646b5c2f ("ARM: dts: aspeed: Add AST2600 and EVB") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20220529104928.79636-5-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 513283669e500c6f496aa66d34052c6ad6a7ac40 Author: Krzysztof Kozlowski Date: Sun May 29 12:49:25 2022 +0200 ARM: dts: ast2500-evb: fix board compatible [ Upstream commit 30b276fca5c0644f3cb17bceb1bd6a626c670184 ] The AST2500 EVB board should have dedicated compatible. Fixes: 02440622656d ("arm/dst: Add Aspeed ast2500 device tree") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20220529104928.79636-4-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 7b9dda6bc7d49f054c65a6602ee5b2c07d69c1b7 Author: Johan Hovold Date: Mon Jun 20 16:07:23 2022 +0200 x86/pmem: Fix platform-device leak in error path [ Upstream commit 229e73d46994f15314f58b2d39bf952111d89193 ] Make sure to free the platform device in the unlikely event that registration fails. Fixes: 7a67832c7e44 ("libnvdimm, e820: make CONFIG_X86_PMEM_LEGACY a tristate option") Signed-off-by: Johan Hovold Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/20220620140723.9810-1-johan@kernel.org Signed-off-by: Sasha Levin commit 446838f3c93537b73ecedc3d9714c22a3d22e034 Author: Max Krummenacher Date: Wed Jun 15 13:49:50 2022 +0200 Revert "ARM: dts: imx6qdl-apalis: Avoid underscore in node name" [ Upstream commit 9c0919acb3fa7c1a24e384ff912f2d88f060c373 ] The STMPE MFD device binding requires the child node to have a fixed name, i.e. with '_', not '-'. Otherwise the stmpe_adc, stmpe_touchscreen drivers will not be probed. Fixes: 56086b5e804f ("ARM: dts: imx6qdl-apalis: Avoid underscore in node name") Reviewed-by: Ahmad Fatoum Signed-off-by: Max Krummenacher Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit f22cc193e6928eaff93166406cb895c815b44762 Author: Geert Uytterhoeven Date: Wed Jun 15 16:04:26 2022 +0200 arm64: dts: renesas: Fix thermal-sensors on single-zone sensors [ Upstream commit 62e8a53431145e06e503b71625a34eaa87b72b2c ] "make dtbs_check": arch/arm64/boot/dts/renesas/r8a774c0-cat874.dtb: thermal-zones: cpu-thermal:thermal-sensors: [[74], [0]] is too long arch/arm64/boot/dts/renesas/r8a774c0-ek874.dtb: thermal-zones: cpu-thermal:thermal-sensors: [[79], [0]] is too long arch/arm64/boot/dts/renesas/r8a774c0-ek874-idk-2121wr.dtb: thermal-zones: cpu-thermal:thermal-sensors: [[82], [0]] is too long arch/arm64/boot/dts/renesas/r8a774c0-ek874-mipi-2.1.dtb: thermal-zones: cpu-thermal:thermal-sensors: [[87], [0]] is too long arch/arm64/boot/dts/renesas/r8a77990-ebisu.dtb: thermal-zones: cpu-thermal:thermal-sensors: [[105], [0]] is too long From schema: Documentation/devicetree/bindings/thermal/thermal-zones.yaml Indeed, the thermal sensors on R-Car E3 and RZ/G2E support only a single zone, hence #thermal-sensor-cells = <0>. Fix this by dropping the bogus zero cell from the thermal sensor specifiers. Fixes: 8fa7d18f9ee2dc20 ("arm64: dts: renesas: r8a77990: Create thermal zone to support IPA") Fixes: 8438bfda9d768157 ("arm64: dts: renesas: r8a774c0: Create thermal zone to support IPA") Signed-off-by: Geert Uytterhoeven Reviewed-by: Niklas Söderlund Link: https://lore.kernel.org/r/28b812fdd1fc3698311fac984ab8b91d3d655c1c.1655301684.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit d1fbbb5ded714b6610a16ec3d7e271a55291ccc4 Author: Liang He Date: Thu Jun 16 22:49:15 2022 +0800 soc: amlogic: Fix refcount leak in meson-secure-pwrc.c [ Upstream commit d18529a4c12f66d83daac78045ea54063bd43257 ] In meson_secure_pwrc_probe(), there is a refcount leak in one fail path. Signed-off-by: Liang He Acked-by: Martin Blumenstingl Fixes: b3dde5013e13 ("soc: amlogic: Add support for Secure power domains controller") Reviewed-by: Neil Armstrong Signed-off-by: Neil Armstrong Link: https://lore.kernel.org/r/20220616144915.3988071-1-windhl@126.com Signed-off-by: Sasha Levin commit b66dcf146d47201f33bde49466f0972f67008fac Author: Geert Uytterhoeven Date: Wed Jun 8 15:51:35 2022 +0200 soc: renesas: r8a779a0-sysc: Fix A2DP1 and A2CV[2357] PDR values [ Upstream commit bccceabb92ce8eb78bbf2de08308e2cc2761a2e5 ] The PDR values for the A2DP1 and A2CV[2357] power areas on R-Car V3U are incorrect (copied-and-pasted from A2DP0 and A2CV[0146]). Fix them. Reported-by: Renesas Vietnam via Yoshihiro Shimoda Fixes: 1b4298f000064cc2 ("soc: renesas: r8a779a0-sysc: Add r8a779a0 support") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/87bc2e70ba4082970cf8c65871beae4be3503189.1654696188.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 8885081ba0c82fc29d4a0d62a1c14d91fad64811 Author: Marcel Ziswiler Date: Mon May 16 15:47:24 2022 +0200 ARM: dts: imx7-colibri-eval-v3: correct can controller comment [ Upstream commit 32f054fef145878c5331f9dd343014970a15ebfa ] Correct CAN controller comment. It is a MCP2515 rather than a mpc258x. Fixes: 66d59b678a87 ("ARM: dts: imx7-colibri: add MCP2515 CAN controller") Signed-off-by: Marcel Ziswiler Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit b4b34041c001c088a4c785b975c9e1fb56aae1e5 Author: Marcel Ziswiler Date: Mon May 16 15:47:17 2022 +0200 ARM: dts: imx7-colibri: move aliases, chosen, extcon and gpio-keys [ Upstream commit 0ef1969ea5699b00394e1a8c8c7f927b2d0bc5bb ] Move aliases, chosen, extcon and gpio-keys to module-level device tree given they are standard Colibri functionalities. Signed-off-by: Marcel Ziswiler Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 10e4b798330cf3472f0e9951b4f678fc9e828d7e Author: Oleksandr Suvorov Date: Mon May 16 15:47:16 2022 +0200 ARM: dts: imx7-colibri: improve wake-up with gpio key [ Upstream commit fd5d2974652c96935d94301af6eaf6b3585ab330 ] The pin GPIO1_IO01 externally pulls down, it is required to sequentially connect this pin (signal WAKE_MICO#) to +3v3 and then disconnect it to trigger a wakeup interrupt. Adding the flag GPIO_PULL_DOWN allows the system to be woken up just connecting the pin GPIO1_IO01 to +3v3. Signed-off-by: Oleksandr Suvorov Signed-off-by: Marcel Ziswiler Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit b31d4563b8bf6331f96c57987f9980e47d49a3fc Author: Philippe Schenker Date: Mon May 16 15:47:14 2022 +0200 ARM: dts: imx7-colibri: add usb dual-role switching using extcon [ Upstream commit 136f88458d829987548b3321e7122e05acd78dd9 ] Add USB dual-role switching using extcon. Signed-off-by: Philippe Schenker Signed-off-by: Marcel Ziswiler Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 78130b0585e2e6f99f8278478593d36a536cafe5 Author: Marcel Ziswiler Date: Mon May 16 15:47:11 2022 +0200 ARM: dts: imx7-colibri: overhaul display/touch functionality [ Upstream commit dbeb8e72cc51536a70313e6d523dcb1429b40477 ] Rename display interface to match other modules to make it easier to use device tree overlays. The parallel RGB interface (lcdif) and all related stuff turn on in a device tree overlay. Keep them disabled in the main devicetree. As these subsystems are provided by module and not a part of boards, move their definitions into the module-level devicetree. Disable ad7879 touchscreen which turns on in a devic tree overlay. Remains it disabled in the main devicetree. Move Atmel MXT capacitive touch controller device tree nodes from carrier board to module level and add iomux pinctl groups for both the Capacitive Touch Adapter (using SODIMM 28/30) and the capacitive touch connector as found on later carrier boards (using SODIMM 106/107). Keep touchscreen and display nodes enabled for NAND based i.MX 7 modules, since device tree overlays are not yet supported. For the Colibri Evaluation Board keep the Capacitive Touch Adapter node disabled and PWM2, PWM3 enabled instead. For eMMC based modules keep nodes disabled to work in conjunction with device tree overlays. Add the iomuxc pinctrl group for the LVDS transceiver related signals to use it in a device tree overlay. While at it also alphabetically re=order them properties. Signed-off-by: Marcel Ziswiler Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 3c51318638fb60d713fd91cfb3ff18ef79e83355 Author: Marcel Ziswiler Date: Mon May 16 15:47:23 2022 +0200 ARM: dts: imx7d-colibri-emmc: add cpu1 supply [ Upstream commit ba28db60d34271e8a3cf4d7158d71607e8b1e57f ] Each cpu-core is supposed to list its supply separately, add supply for cpu1. Fixes: 2d7401f8632f ("ARM: dts: imx7d: Add cpu1 supply") Signed-off-by: Marcel Ziswiler Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 6f556550328ea44b574eb0c50184eb9fe38b24f4 Author: Guilherme G. Piccoli Date: Tue Jun 7 19:24:58 2022 -0300 ACPI: processor/idle: Annotate more functions to live in cpuidle section [ Upstream commit 409dfdcaffb266acfc1f33529a26b1443c9332d4 ] Commit 6727ad9e206c ("nmi_backtrace: generate one-line reports for idle cpus") introduced a new text section called cpuidle; with that, we have a mechanism to add idling functions in such section and skip them from nmi_backtrace output, since they're useless and potentially flooding for such report. Happens that inlining might cause some real idle functions to end-up outside of such section; this is currently the case of ACPI processor_idle driver; the functions acpi_idle_enter_* do inline acpi_idle_do_entry(), hence they stay out of the cpuidle section. Fix that by marking such functions to also live in the cpuidle section. Fixes: 6727ad9e206c ("nmi_backtrace: generate one-line reports for idle cpus") Signed-off-by: Guilherme G. Piccoli Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 02b658bfb26452f2c13e4577a13ab802f89a6642 Author: Miaoqian Lin Date: Thu May 26 12:13:25 2022 +0400 ARM: bcm: Fix refcount leak in bcm_kona_smc_init [ Upstream commit cb23389a2458c2e4bfd6c86a513cbbe1c4d35e76 ] of_find_matching_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. Fixes: b8eb35fd594a ("ARM: bcm281xx: Add L2 cache enable code") Signed-off-by: Miaoqian Lin Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit d1f0f5a5b2fa4767e4e1ec56c3095291357b116b Author: Christophe JAILLET Date: Sun May 29 08:31:53 2022 +0200 spi: spi-altera-dfl: Fix an error handling path [ Upstream commit 8e3ca32f46994e74b7f43c57731150b2aedb2630 ] The spi_alloc_master() call is not undone in all error handling paths. Moreover, there is no .remove function to release the allocated memory. In order to fix both this issues, switch to devm_spi_alloc_master(). This allows further simplification of the probe. Fixes: ba2fc167e944 ("spi: altera: Add DFL bus driver for Altera API Controller") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/0607bb59f4073f86abe5c585d35245aef0b045c6.1653805901.git.christophe.jaillet@wanadoo.fr Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 73dd39f55a5a2a793eaf73415f5da582b2d697eb Author: Geert Uytterhoeven Date: Wed May 11 12:14:06 2022 +0200 arm64: dts: renesas: beacon: Fix regulator node names [ Upstream commit 7512af9f78dedea7e04225f665dad6750df7d095 ] Currently there are two nodes named "regulator_camera". This causes the former to be overwritten by the latter. Fix this by renaming them to unique names, using the preferred hyphen instead of an underscore. While at it, update the name of the audio regulator (which was added in the same commit) to use a hyphen. Fixes: a1d8a344f1ca0709 ("arm64: dts: renesas: Introduce r8a774a1-beacon-rzg2m-kit") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/a9ac82bdf108162487289d091c53a9b3de393f13.1652263918.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 0c1757480a6a61b8c3164ed371c359edb3928f12 Author: Miaoqian Lin Date: Tue May 24 10:57:29 2022 +0400 meson-mx-socinfo: Fix refcount leak in meson_mx_socinfo_init [ Upstream commit a2106f38077e78afcb4bf98fdda3e162118cfb3d ] of_find_matching_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. Fixes: 5e68c0fc8df8 ("soc: amlogic: Add Meson6/Meson8/Meson8b/Meson8m2 SoC Information driver") Signed-off-by: Miaoqian Lin Reviewed-by: Martin Blumenstingl Signed-off-by: Neil Armstrong Link: https://lore.kernel.org/r/20220524065729.33689-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 74e1beed470405d9e293a2760f54a00c15cf39c7 Author: Juri Lelli Date: Mon Jun 27 11:50:51 2022 +0200 wait: Fix __wait_event_hrtimeout for RT/DL tasks [ Upstream commit cceeeb6a6d02e7b9a74ddd27a3225013b34174aa ] Changes to hrtimer mode (potentially made by __hrtimer_init_sleeper on PREEMPT_RT) are not visible to hrtimer_start_range_ns, thus not accounted for by hrtimer_start_expires call paths. In particular, __wait_event_hrtimeout suffers from this problem as we have, for example: fs/aio.c::read_events wait_event_interruptible_hrtimeout __wait_event_hrtimeout hrtimer_init_sleeper_on_stack <- this might "mode |= HRTIMER_MODE_HARD" on RT if task runs at RT/DL priority hrtimer_start_range_ns WARN_ON_ONCE(!(mode & HRTIMER_MODE_HARD) ^ !timer->is_hard) fires since the latter doesn't see the change of mode done by init_sleeper Fix it by making __wait_event_hrtimeout call hrtimer_sleeper_start_expires, which is aware of the special RT/DL case, instead of hrtimer_start_range_ns. Reported-by: Bruno Goncalves Signed-off-by: Juri Lelli Signed-off-by: Thomas Gleixner Reviewed-by: Daniel Bristot de Oliveira Reviewed-by: Valentin Schneider Link: https://lore.kernel.org/r/20220627095051.42470-1-juri.lelli@redhat.com Signed-off-by: Sasha Levin commit 46cc4c076ac289a6a6702f99af94f67801ee08ab Author: Kees Cook Date: Wed Jun 8 14:40:24 2022 -0700 kasan: test: Silence GCC 12 warnings [ Upstream commit aaf50b1969d7933a51ea421b11432a7fb90974e3 ] GCC 12 continues to get smarter about array accesses. The KASAN tests are expecting to explicitly test out-of-bounds conditions at run-time, so hide the variable from GCC, to avoid warnings like: ../lib/test_kasan.c: In function 'ksize_uaf': ../lib/test_kasan.c:790:61: warning: array subscript 120 is outside array bounds of 'void[120]' [-Warray-bounds] 790 | KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size]); | ~~~~~~~~~~~~~~~~~~~~~~^~~~~~ ../lib/test_kasan.c:97:9: note: in definition of macro 'KUNIT_EXPECT_KASAN_FAIL' 97 | expression; \ | ^~~~~~~~~~ Cc: Andrey Ryabinin Cc: Alexander Potapenko Cc: Andrey Konovalov Cc: Dmitry Vyukov Cc: Vincenzo Frascino Cc: kasan-dev@googlegroups.com Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220608214024.1068451-1-keescook@chromium.org Signed-off-by: Sasha Levin commit c3d0c6adf283adef1d34cbda3d19c409ea7e0bc2 Author: Dylan Yudaken Date: Thu Jun 30 02:12:30 2022 -0700 io_uring: fix io_uring_cqe_overflow trace format [ Upstream commit 9b26e811e934eebda59362c9a03d082852552574 ] Make the trace format consistent with io_uring_complete for cflags Signed-off-by: Dylan Yudaken Link: https://lore.kernel.org/r/20220630091231.1456789-12-dylany@fb.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit dedd558d9765b72c66e5a53948e9f5abc3ece1f6 Author: Xiu Jianfeng Date: Tue Jun 14 10:14:49 2022 +0800 selinux: Add boundary check in put_entry() [ Upstream commit 15ec76fb29be31df2bccb30fc09875274cba2776 ] Just like next_entry(), boundary check is necessary to prevent memory out-of-bound access. Signed-off-by: Xiu Jianfeng Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 1fc1f72aad2070d34022d0823e4cf09706b53f25 Author: Xiu Jianfeng Date: Mon Jun 13 21:59:53 2022 +0800 selinux: fix memleak in security_read_state_kernel() [ Upstream commit 73de1befcc53a7c68b0c5e76b9b5ac41c517760f ] In this function, it directly returns the result of __security_read_policy without freeing the allocated memory in *data, cause memory leak issue, so free the memory if __security_read_policy failed. Signed-off-by: Xiu Jianfeng [PM: subject line tweak] Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit f7042cf9dd40733f387b7cac021e626c74b8856f Author: Tetsuo Handa Date: Fri Jul 15 14:49:58 2022 +0900 PM: hibernate: defer device probing when resuming from hibernation [ Upstream commit 8386c414e27caba8501119948e9551e52b527f59 ] syzbot is reporting hung task at misc_open() [1], for there is a race window of AB-BA deadlock which involves probe_count variable. Currently wait_for_device_probe() from snapshot_open() from misc_open() can sleep forever with misc_mtx held if probe_count cannot become 0. When a device is probed by hub_event() work function, probe_count is incremented before the probe function starts, and probe_count is decremented after the probe function completed. There are three cases that can prevent probe_count from dropping to 0. (a) A device being probed stopped responding (i.e. broken/malicious hardware). (b) A process emulating a USB device using /dev/raw-gadget interface stopped responding for some reason. (c) New device probe requests keeps coming in before existing device probe requests complete. The phenomenon syzbot is reporting is (b). A process which is holding system_transition_mutex and misc_mtx is waiting for probe_count to become 0 inside wait_for_device_probe(), but the probe function which is called from hub_event() work function is waiting for the processes which are blocked at mutex_lock(&misc_mtx) to respond via /dev/raw-gadget interface. This patch mitigates (b) by deferring wait_for_device_probe() from snapshot_open() to snapshot_write() and snapshot_ioctl(). Please note that the possibility of (b) remains as long as any thread which is emulating a USB device via /dev/raw-gadget interface can be blocked by uninterruptible blocking operations (e.g. mutex_lock()). Please also note that (a) and (c) are not addressed. Regarding (c), we should change the code to wait for only one device which contains the image for resuming from hibernation. I don't know how to address (a), for use of timeout for wait_for_device_probe() might result in loss of user data in the image. Maybe we should require the userland to wait for the image device before opening /dev/snapshot interface. Link: https://syzkaller.appspot.com/bug?extid=358c9ab4c93da7b7238c [1] Reported-by: syzbot Signed-off-by: Tetsuo Handa Tested-by: syzbot Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 38639db75316c29f6430d813184dbe1fa3ecbe4e Author: Uwe Kleine-König Date: Mon Jul 25 21:43:44 2022 +0200 hwmon: (sht15) Fix wrong assumptions in device remove callback [ Upstream commit 7d4edccc9bbfe1dcdff641343f7b0c6763fbe774 ] Taking a lock at the beginning of .remove() doesn't prevent new readers. With the existing approach it can happen, that a read occurs just when the lock was taken blocking the reader until the lock is released at the end of the remove callback which then accessed *data that is already freed then. To actually fix this problem the hwmon core needs some adaption. Until this is implemented take the optimistic approach of assuming that all readers are gone after hwmon_device_unregister() and sysfs_remove_group() as most other drivers do. (And once the core implements that, taking the lock would deadlock.) So drop the lock, move the reset to after device unregistration to keep the device in a workable state until it's deregistered. Also add a error message in case the reset fails and return 0 anyhow. (Returning an error code, doesn't stop the platform device unregistration and only results in a little helpful error message before the devm cleanup handlers are called.) Signed-off-by: Uwe Kleine-König Link: https://lore.kernel.org/r/20220725194344.150098-1-u.kleine-koenig@pengutronix.de Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit a7cb43c8c2f908022f81fb6f7ca56e70f99beec1 Author: Hans de Goede Date: Thu Jul 14 21:16:11 2022 +0200 ACPI: video: Use native backlight on Dell Inspiron N4010 [ Upstream commit 03c440a26cba6cfa540d65924e9db86fcea362b2 ] The Dell Inspiron N4010 does not have ACPI backlight control, so acpi_video_get_backlight_type()'s heuristics return vendor as the type to use. But the vendor interface is broken, where as the native (intel_backlight) works well, add a quirk to use native. Link: https://lore.kernel.org/regressions/CALF=6jEe5G8+r1Wo0vvz4GjNQQhdkLT5p8uCHn6ZXhg4nsOWow@mail.gmail.com/ Reported-and-tested-by: Ben Greening Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit bfd4c6710d22c939bebc2f34e897e919a9f01ad5 Author: Lukasz Luba Date: Thu Jul 7 08:15:52 2022 +0100 PM: EM: convert power field to micro-Watts precision and align drivers [ Upstream commit ae6ccaa650380d243cf43d31c864c5ced2fd4612 ] The milli-Watts precision causes rounding errors while calculating efficiency cost for each OPP. This is especially visible in the 'simple' Energy Model (EM), where the power for each OPP is provided from OPP framework. This can cause some OPPs to be marked inefficient, while using micro-Watts precision that might not happen. Update all EM users which access 'power' field and assume the value is in milli-Watts. Solve also an issue with potential overflow in calculation of energy estimation on 32bit machine. It's needed now since the power value (thus the 'cost' as well) are higher. Example calculation which shows the rounding error and impact: power = 'dyn-power-coeff' * volt_mV * volt_mV * freq_MHz power_a_uW = (100 * 600mW * 600mW * 500MHz) / 10^6 = 18000 power_a_mW = (100 * 600mW * 600mW * 500MHz) / 10^9 = 18 power_b_uW = (100 * 605mW * 605mW * 600MHz) / 10^6 = 21961 power_b_mW = (100 * 605mW * 605mW * 600MHz) / 10^9 = 21 max_freq = 2000MHz cost_a_mW = 18 * 2000MHz/500MHz = 72 cost_a_uW = 18000 * 2000MHz/500MHz = 72000 cost_b_mW = 21 * 2000MHz/600MHz = 70 // <- artificially better cost_b_uW = 21961 * 2000MHz/600MHz = 73203 The 'cost_b_mW' (which is based on old milli-Watts) is misleadingly better that the 'cost_b_uW' (this patch uses micro-Watts) and such would have impact on the 'inefficient OPPs' information in the Cpufreq framework. This patch set removes the rounding issue. Signed-off-by: Lukasz Luba Acked-by: Daniel Lezcano Acked-by: Viresh Kumar Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 3d358d3d94abf025f635e7dac140a08e22730cbc Author: Armin Wolf Date: Sun Jun 12 06:18:06 2022 +0200 hwmon: (dell-smm) Add Dell XPS 13 7390 to fan control whitelist [ Upstream commit 385e5f57053ff293282fea84c1c27186d53f66e1 ] A user reported that the program dell-bios-fan-control worked on his Dell XPS 13 7390 to switch off automatic fan control. Since it uses the same mechanism as the dell_smm_hwmon module, add this model to the fan control whitelist. Compile-tested only. Signed-off-by: Armin Wolf Acked-by: Pali Rohár Link: https://lore.kernel.org/r/20220612041806.11367-1-W_Armin@gmx.de Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit bea971964a28b7c38bffaaa7d1ed2eb231ece8ce Author: Lv Ruyi Date: Tue Apr 19 01:36:48 2022 +0000 firmware: tegra: Fix error check return value of debugfs_create_file() [ Upstream commit afcdb8e55c91c6ff0700ab272fd0f74e899ab884 ] If an error occurs, debugfs_create_file() will return ERR_PTR(-ERROR), so use IS_ERR() to check it. Reported-by: Zeal Robot Signed-off-by: Lv Ruyi Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit f80893ef01a056d344b6625bde83fcb9cefeb35b Author: Liang He Date: Fri Jul 1 20:18:04 2022 +0800 ARM: shmobile: rcar-gen2: Increase refcount for new reference [ Upstream commit 75a185fb92e58ccd3670258d8d3b826bd2fa6d29 ] In rcar_gen2_regulator_quirk(), for_each_matching_node_and_match() will automatically increase and decrease the refcount. However, we should call of_node_get() for the new reference created in 'quirk->np'. Besides, we also should call of_node_put() before the 'quirk' being freed. Signed-off-by: Liang He Link: https://lore.kernel.org/r/20220701121804.234223-1-windhl@126.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 77f77632999d5547ea36a06e6f3eaba4413356fd Author: Samuel Holland Date: Sat Jul 2 08:28:15 2022 -0500 arm64: dts: allwinner: a64: orangepi-win: Fix LED node name [ Upstream commit b8eb2df19fbf97aa1e950cf491232c2e3bef8357 ] "status" does not match any pattern in the gpio-leds binding. Rename the node to the preferred pattern. This fixes a `make dtbs_check` error. Signed-off-by: Samuel Holland Reviewed-by: Jernej Skrabec Signed-off-by: Jernej Skrabec Link: https://lore.kernel.org/r/20220702132816.46456-1-samuel@sholland.org Signed-off-by: Sasha Levin commit 7473b6549385ce358e2e7d04262428b444288322 Author: Robert Marko Date: Tue Jun 21 14:06:42 2022 +0200 arm64: dts: qcom: ipq8074: fix NAND node name [ Upstream commit b39961659ffc3c3a9e3d0d43b0476547b5f35d49 ] Per schema it should be nand-controller@79b0000 instead of nand@79b0000. Fix it to match nand-controller.yaml requirements. Signed-off-by: Robert Marko Reviewed-by: Krzysztof Kozlowski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220621120642.518575-1-robimarko@gmail.com Signed-off-by: Sasha Levin commit c9d8f42d18c2872cb07b1388f4e536226853e73f Author: Krzysztof Kozlowski Date: Wed May 4 15:19:15 2022 +0200 arm64: dts: qcom: add missing AOSS QMP compatible fallback [ Upstream commit 6ba93ba9f63fbc44c3a6af7fe6f2536d009cfd5a ] The AOSS QMP bindings expect all compatibles to be followed by fallback "qcom,aoss-qmp" because all of these are actually compatible with each other. This fixes dtbs_check warnings like: sm8250-hdk.dtb: power-controller@c300000: compatible: ['qcom,sm8250-aoss-qmp'] is too short Signed-off-by: Krzysztof Kozlowski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220504131923.214367-6-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit ce94c8fbdabeccd0078b865a16709ee47ca49044 Author: Gwendal Grignou Date: Thu Jun 23 15:31:19 2022 -0700 arm64: dts: qcom: sc7280: Rename sar sensor labels [ Upstream commit 9c54f1711fc2516faf1f8d31217462184157b429 ] To ease matching configuration of sysfs attributes for particular sensor, match label reported by iio 'label' attribute with the location label generated by ChromeOS config tool. Signed-off-by: Gwendal Grignou Reviewed-by: Douglas Anderson Reviewed-by: Stephen Boyd Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220623223119.1858863-1-gwendal@chromium.org Signed-off-by: Sasha Levin commit 3c5bed5814c382f2e86e17ef2d490100a31885b7 Author: Manivannan Sadhasivam Date: Mon May 30 13:38:40 2022 +0530 ARM: dts: qcom: sdx55: Fix the IRQ trigger type for UART [ Upstream commit ae500b351ab0006d933d804a2b7507fe1e98cecc ] The trigger type should be LEVEL_HIGH. So fix it! Signed-off-by: Manivannan Sadhasivam Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220530080842.37024-2-manivannan.sadhasivam@linaro.org Signed-off-by: Sasha Levin commit 05b23b33ee91adcda0af8d629d551f3d0edaacc5 Author: huhai Date: Thu Jun 23 21:21:27 2022 +0800 ACPI: LPSS: Fix missing check in register_device_clock() [ Upstream commit b4f1f61ed5928b1128e60e38d0dffa16966f06dc ] register_device_clock() misses a check for platform_device_register_simple(). Add a check to fix it. Signed-off-by: huhai Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit f1a4111e8b6df57f4de8af444fdddf57e8acb760 Author: Manyi Li Date: Wed Jun 22 15:42:48 2022 +0800 ACPI: PM: save NVS memory for Lenovo G40-45 [ Upstream commit 4b7ef7b05afcde44142225c184bf43a0cd9e2178 ] [821d6f0359b0614792ab8e2fb93b503e25a65079] is to make machines produced from 2012 to now not saving NVS region to accelerate S3. But, Lenovo G40-45, a platform released in 2015, still needs NVS memory saving during S3. A quirk is introduced for this platform. Signed-off-by: Manyi Li Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 23c643bd71235f2494c9c4673abc0e2ca06d9e6b Author: Hans de Goede Date: Mon Jun 20 11:25:44 2022 +0200 ACPI: EC: Drop the EC_FLAGS_IGNORE_DSDT_GPE quirk [ Upstream commit f7090e0ef360d674f08a22fab90e4e209fb1f658 ] It seems that these quirks are no longer necessary since commit 69b957c26b32 ("ACPI: EC: Fix possible issues related to EC initialization order"), which has fixed this in a generic manner. There are 3 commits adding DMI entries with this quirk (adding multiple DMI entries per commit). 2/3 commits are from before the generic fix. Which leaves commit 6306f0431914 ("ACPI: EC: Make more Asus laptops use ECDT _GPE"), which was committed way after the generic fix. But this was just due to slow upstreaming of it. This commit stems from Endless from 15 Aug 2017 (committed upstream 20 May 2021): https://github.com/endlessm/linux/pull/288 The current code should work fine without this: 1. The EC_FLAGS_IGNORE_DSDT_GPE flag is only checked in ec_parse_device(), like this: if (boot_ec && boot_ec_is_ecdt && EC_FLAGS_IGNORE_DSDT_GPE) { ec->gpe = boot_ec->gpe; } else { /* parse GPE */ } 2. ec_parse_device() is only called from acpi_ec_add() and acpi_ec_dsdt_probe() 3. acpi_ec_dsdt_probe() starts with: if (boot_ec) return; so it only calls ec_parse_device() when boot_ec == NULL, meaning that the quirk never triggers for this call. So only the call in acpi_ec_add() matters. 4. acpi_ec_add() does the following after the ec_parse_device() call: if (boot_ec && ec->command_addr == boot_ec->command_addr && ec->data_addr == boot_ec->data_addr && !EC_FLAGS_TRUST_DSDT_GPE) { /* * Trust PNP0C09 namespace location rather than * ECDT ID. But trust ECDT GPE rather than _GPE * because of ASUS quirks, so do not change * boot_ec->gpe to ec->gpe. */ boot_ec->handle = ec->handle; acpi_handle_debug(ec->handle, "duplicated.\n"); acpi_ec_free(ec); ec = boot_ec; } The quirk only matters if boot_ec != NULL and EC_FLAGS_TRUST_DSDT_GPE is never set at the same time as EC_FLAGS_IGNORE_DSDT_GPE. That means that if the addresses match we always enter this if block and then only the ec->handle part of the data stored in ec by ec_parse_device() is used and the rest is thrown away, after which ec is made to point to boot_ec, at which point ec->gpe == boot_ec->gpe, so the same result as with the quirk set, independent of the value of the quirk. Also note the comment in this block which indicates that the gpe result from ec_parse_device() is deliberately not taken to deal with buggy Asus laptops and all DMI quirks setting EC_FLAGS_IGNORE_DSDT_GPE are for Asus laptops. Based on the above I believe that unless on some quirked laptops the ECDT and DSDT EC addresses do not match we can drop the quirk. I've checked dmesg output to ensure the ECDT and DSDT EC addresses match for quirked models using https://linux-hardware.org hw-probe reports. I've been able to confirm that the addresses match for the following models this way: GL702VMK, X505BA, X505BP, X550VXK, X580VD. Whereas for the following models I could find any dmesg output: FX502VD, FX502VE, X542BA, X542BP. Note the models without dmesg all were submitted in patches with a batch of models and other models from the same batch checkout ok. This, combined with that all the code adding the quirks was written before the generic fix makes me believe that it is safe to remove this quirk now. Signed-off-by: Hans de Goede Reviewed-by: Daniel Drake Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit bd58acaf1585b49b9a28740213e606b48623bbbe Author: Hans de Goede Date: Mon Jun 20 11:25:43 2022 +0200 ACPI: EC: Remove duplicate ThinkPad X1 Carbon 6th entry from DMI quirks [ Upstream commit 0dd6db359e5f206cbf1dd1fd40dd211588cd2725 ] Somehow the "ThinkPad X1 Carbon 6th" entry ended up twice in the struct dmi_system_id acpi_ec_no_wakeup[] array. Remove one of the entries. Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 37f0c89778576ce3d52f40c1e9e727fbddedb28e Author: Liang He Date: Sat Jun 18 10:06:03 2022 +0800 ARM: OMAP2+: pdata-quirks: Fix refcount leak bug [ Upstream commit 5cdbab96bab314c6f2f5e4e8b8a019181328bf5f ] In pdata_quirks_init_clocks(), the loop contains of_find_node_by_name() but without corresponding of_node_put(). Signed-off-by: Liang He Message-Id: <20220618020603.4055792-1-windhl@126.com> Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 2629d171f3d6451724549d8d10d14ac6da37a7be Author: Liang He Date: Fri Jun 17 22:58:03 2022 +0800 ARM: OMAP2+: display: Fix refcount leak bug [ Upstream commit 50b87a32a79bca6e275918a711fb8cc55e16d739 ] In omapdss_init_fbdev(), of_find_node_by_name() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore. Signed-off-by: Liang He Message-Id: <20220617145803.4050918-1-windhl@126.com> Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 863ea2ac6f75e5769818d6f4e938c92b0b91eec4 Author: Guo Mengqi Date: Fri Jun 24 08:56:14 2022 +0800 spi: synquacer: Add missing clk_disable_unprepare() [ Upstream commit 917e43de2a56d9b82576f1cc94748261f1988458 ] Add missing clk_disable_unprepare() in synquacer_spi_resume(). Reported-by: Hulk Robot Signed-off-by: Guo Mengqi Link: https://lore.kernel.org/r/20220624005614.49434-1-guomengqi3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 49a7f92d70c0a3bb0366be3eae32da38cec262fb Author: David Heidelberg Date: Sun Jun 26 12:57:59 2022 +0200 arm64: dts: qcom: timer should use only 32-bit size [ Upstream commit 458ebdbb8e5d596a462d8125cec74142ff5dfa97 ] There's no reason the timer needs > 32-bits of address or size. Since we using 32-bit size, we need to define ranges properly. Fixes warnings as: ``` arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: timer@17c90000: #size-cells:0:0: 1 was expected From schema: Documentation/devicetree/bindings/timer/arm,arch_timer_mmio.yaml ``` Signed-off-by: David Heidelberg Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220626105800.35586-1-david@ixit.cz Signed-off-by: Sasha Levin commit bcfa4501972de307ab04518a91f1d52530a8fb19 Author: Linus Walleij Date: Sat Jun 11 22:51:38 2022 +0200 ARM: dts: ux500: Fix Gavini accelerometer mounting matrix [ Upstream commit e24c75f02a81d6ddac0072cbd7a03e799c19d558 ] This was fixed wrong so fix it. Now verified by using iio-sensor-proxy monitor-sensor test program. Link: https://lore.kernel.org/r/20220611205138.491513-1-linus.walleij@linaro.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit a3f423e652994ae7d94182242d1df2b28842ea89 Author: Linus Walleij Date: Sat Jun 11 22:42:49 2022 +0200 ARM: dts: ux500: Fix Codina accelerometer mounting matrix [ Upstream commit 0b2152e428ab91533a02888ff24e52e788dc4637 ] This was fixed wrong so fix it again. Now verified by using iio-sensor-proxy monitor-sensor test program. Link: https://lore.kernel.org/r/20220611204249.472250-1-linus.walleij@linaro.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit e9c316447c632af80322a725ca95ede4403e3347 Author: Linus Walleij Date: Thu Jun 9 10:35:16 2022 +0200 ARM: dts: ux500: Fix Janice accelerometer mounting matrix [ Upstream commit 013fda41c03e6bcb3dc416669187b609e9e5fdbc ] This was fixed wrong so fix it again. Now verified by using iio-sensor-proxy monitor-sensor test program. Link: https://lore.kernel.org/r/20220609083516.329281-1-linus.walleij@linaro.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit dbb9381dcbe254988d66900dd22a9db40ff16292 Author: Christian Lamparter Date: Sat Jun 18 00:00:29 2022 +0200 ARM: dts: BCM5301X: Add DT for Meraki MR26 [ Upstream commit 935327a73553001f8d81375c76985d05f604507f ] Meraki MR26 is an EOL wireless access point featuring a PoE ethernet port and two dual-band 3x3 MIMO 802.11n radios and 1x1 dual-band WIFI dedicated to scanning. Thank you Amir for the unit and PSU. Hardware info: SOC : Broadcom BCM53015A1KFEBG (dual-core Cortex-A9 CPU at 800 MHz) RAM : SK Hynix Inc. H5TQ1G63EFR, 1 GBit DDR3 SDRAM = 128 MiB NAND : Spansion S34ML01G100TF100, 1 GBit SLC NAND Flash = 128 MiB ETH : 1 GBit Ethernet Port - PoE (TPS23754 PoE Interface) WIFI0 : Broadcom BCM43431KMLG, BCM43431 802.11 abgn (3x3:3) WIFI1 : Broadcom BCM43431KMLG, BCM43431 802.11 abgn (3x3:3) WIFI2 : Broadcom BCM43428 "Air Marshal" 802.11 abgn (1x1:1) BUTTON: One reset key behind a small hole next to the Ethernet Port LEDS : One amber (fault), one white (indicator) LED, separate RGB-LED MISC : Atmel AT24C64 8KiB EEPROM i2c : Ti INA219 26V, 12-bit, i2c output current/voltage/power monitor SERIAL: WARNING: The serial port needs a TTL/RS-232 3V3 level converter! The Serial setting is 115200-8-N-1. The board has a populated right angle 1x4 0.1" pinheader. The pinout is: VCC (next to J3, has the pin 1 indicator), RX, TX, GND. Odd stuff: - uboot does not support lzma compression, but gzip'd uImage/DTB work. - uboot claims to support FIT, but fails to pass the DTB to the kernel. Appending the dtb after the kernel image works. - RGB-controller is supported through an external userspace program. - The ubi partition contains a "board-config" volume. It stores the MAC Address (0x66 in binary) and Serial No. (0x7c alpha-numerical). - SoC's temperature sensor always reports that it is on fire. This causes the system to immediately shutdown! Looking at reported "418 degree Celsius" suggests that this sensor is not working. WIFI: b43 is able to initialize all three WIFIs @ 802.11bg. | b43-phy0: Broadcom 43431 WLAN found (core revision 29) | bcma-pci-bridge 0000:01:00.0: bus1: Switched to core: 0x812 | b43-phy0: Found PHY: Analog 9, Type 7 (HT), Revision 1 | b43-phy0: Found Radio: Manuf 0x17F, ID 0x2059, Revision 0, Version 1 | b43-phy0 warning: 5 GHz band is unsupported on this PHY | b43-phy1: Broadcom 43431 WLAN found (core revision 29) | bcma-pci-bridge 0001:01:00.0: bus2: Switched to core: 0x812 | b43-phy1: Found PHY: Analog 9, Type 7 (HT), Revision 1 | b43-phy1: Found Radio: Manuf 0x17F, ID 0x2059, Revision 0, Version 1 | b43-phy1 warning: 5 GHz band is unsupported on this PHY | b43-phy2: Broadcom 43228 WLAN found (core revision 30) | bcma-pci-bridge 0002:01:00.0: bus3: Switched to core: 0x812 | b43-phy2: Found PHY: Analog 9, Type 4 (N), Revision 16 | b43-phy2: Found Radio: Manuf 0x17F, ID 0x2057, Revision 9, Version 1 | Broadcom 43xx driver loaded [ Features: NL ] Signed-off-by: Christian Lamparter Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit 9496e3d49da5009cc83c44d137113ee32957c75f Author: Alexander Stein Date: Mon Jun 13 14:33:57 2022 +0200 ARM: dts: imx6ul: fix qspi node compatible [ Upstream commit 0c6cf86e1ab433b2d421880fdd9c6e954f404948 ] imx6ul is not compatible to imx6sx, both have different erratas. Fixes the dt_binding_check warning: spi@21e0000: compatible: 'oneOf' conditional failed, one must be fixed: ['fsl,imx6ul-qspi', 'fsl,imx6sx-qspi'] is too long Additional items are not allowed ('fsl,imx6sx-qspi' was unexpected) 'fsl,imx6ul-qspi' is not one of ['fsl,ls1043a-qspi'] 'fsl,imx6ul-qspi' is not one of ['fsl,imx8mq-qspi'] 'fsl,ls1021a-qspi' was expected 'fsl,imx7d-qspi' was expected Signed-off-by: Alexander Stein Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 47beb55c7c933e40e16a344a89d3e7cf9136231c Author: Alexander Stein Date: Mon Jun 13 14:33:56 2022 +0200 ARM: dts: imx6ul: fix lcdif node compatible [ Upstream commit 1a884d17ca324531634cce82e9f64c0302bdf7de ] In yaml binding "fsl,imx6ul-lcdif" is listed as compatible to imx6sx-lcdif, but not imx28-lcdif. Change the list accordingly. Fixes the dt_binding_check warning: lcdif@21c8000: compatible: 'oneOf' conditional failed, one must be fixed: ['fsl,imx6ul-lcdif', 'fsl,imx28-lcdif'] is too long Additional items are not allowed ('fsl,imx28-lcdif' was unexpected) 'fsl,imx6ul-lcdif' is not one of ['fsl,imx23-lcdif', 'fsl,imx28-lcdif', 'fsl,imx6sx-lcdif'] 'fsl,imx6sx-lcdif' was expected Signed-off-by: Alexander Stein Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 692cf9f9afa9a851c1225ea7d734cf0f78f290bc Author: Alexander Stein Date: Mon Jun 13 14:33:55 2022 +0200 ARM: dts: imx6ul: fix csi node compatible [ Upstream commit e0aca931a2c7c29c88ebf37f9c3cd045e083483d ] "fsl,imx6ul-csi" was never listed as compatible to "fsl,imx7-csi", neither in yaml bindings, nor previous txt binding. Remove the imx7 part. Fixes the dt schema check warning: csi@21c4000: compatible: 'oneOf' conditional failed, one must be fixed: ['fsl,imx6ul-csi', 'fsl,imx7-csi'] is too long Additional items are not allowed ('fsl,imx7-csi' was unexpected) 'fsl,imx8mm-csi' was expected Signed-off-by: Alexander Stein Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 53e75d22f84d4fa51f1ae92bcc301ce9f053fe1e Author: Alexander Stein Date: Mon Jun 13 14:33:53 2022 +0200 ARM: dts: imx6ul: fix keypad compatible [ Upstream commit 7d15e0c9a515494af2e3199741cdac7002928a0e ] According to binding, the compatible shall only contain imx6ul and imx21 compatibles. Fixes the dt_binding_check warning: keypad@20b8000: compatible: 'oneOf' conditional failed, one must be fixed: ['fsl,imx6ul-kpp', 'fsl,imx6q-kpp', 'fsl,imx21-kpp'] is too long Additional items are not allowed ('fsl,imx6q-kpp', 'fsl,imx21-kpp' were unexpected) Additional items are not allowed ('fsl,imx21-kpp' was unexpected) 'fsl,imx21-kpp' was expected Signed-off-by: Alexander Stein Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit d538751225ab3d66570a9bc14aefe39f619c1f5d Author: Alexander Stein Date: Mon Jun 13 14:33:52 2022 +0200 ARM: dts: imx6ul: change operating-points to uint32-matrix [ Upstream commit edb67843983bbdf61b4c8c3c50618003d38bb4ae ] operating-points is a uint32-matrix as per opp-v1.yaml. Change it accordingly. While at it, change fsl,soc-operating-points as well, although there is no bindings file (yet). But they should have the same format. Fixes the dt_binding_check warning: cpu@0: operating-points:0: [696000, 1275000, 528000, 1175000, 396000, 1025000, 198000, 950000] is too long cpu@0: operating-points:0: Additional items are not allowed (528000, 1175000, 396000, 1025000, 198000, 950000 were unexpected) Signed-off-by: Alexander Stein Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 44269efa9142170da534ee6771ab5b446efbdf63 Author: Alexander Stein Date: Mon Jun 13 14:33:51 2022 +0200 ARM: dts: imx6ul: add missing properties for sram [ Upstream commit 5655699cf5cff9f4c4ee703792156bdd05d1addf ] All 3 properties are required by sram.yaml. Fixes the dtbs_check warning: sram@900000: '#address-cells' is a required property sram@900000: '#size-cells' is a required property sram@900000: 'ranges' is a required property Signed-off-by: Alexander Stein Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 6046e410c3840bce5f830206fffeb44fe63847ed Author: William Dean Date: Sat Jul 23 18:01:28 2022 +0800 irqchip/mips-gic: Check the return value of ioremap() in gic_of_init() [ Upstream commit 71349cc85e5930dce78ed87084dee098eba24b59 ] The function ioremap() in gic_of_init() can fail, so its return value should be checked. Reported-by: Hacash Robot Signed-off-by: William Dean Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20220723100128.2964304-1-williamsukatube@163.com Signed-off-by: Sasha Levin commit 2c14f578b5a0807cd1524e024c5cecfa680d43c9 Author: John Keeping Date: Fri Jul 8 17:27:02 2022 +0100 sched/core: Always flush pending blk_plug [ Upstream commit 401e4963bf45c800e3e9ea0d3a0289d738005fd4 ] With CONFIG_PREEMPT_RT, it is possible to hit a deadlock between two normal priority tasks (SCHED_OTHER, nice level zero): INFO: task kworker/u8:0:8 blocked for more than 491 seconds. Not tainted 5.15.49-rt46 #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u8:0 state:D stack: 0 pid: 8 ppid: 2 flags:0x00000000 Workqueue: writeback wb_workfn (flush-7:0) [] (__schedule) from [] (schedule+0xdc/0x134) [] (schedule) from [] (rt_mutex_slowlock_block.constprop.0+0xb8/0x174) [] (rt_mutex_slowlock_block.constprop.0) from [] +(rt_mutex_slowlock.constprop.0+0xac/0x174) [] (rt_mutex_slowlock.constprop.0) from [] (fat_write_inode+0x34/0x54) [] (fat_write_inode) from [] (__writeback_single_inode+0x354/0x3ec) [] (__writeback_single_inode) from [] (writeback_sb_inodes+0x250/0x45c) [] (writeback_sb_inodes) from [] (__writeback_inodes_wb+0x7c/0xb8) [] (__writeback_inodes_wb) from [] (wb_writeback+0x2c8/0x2e4) [] (wb_writeback) from [] (wb_workfn+0x1a4/0x3e4) [] (wb_workfn) from [] (process_one_work+0x1fc/0x32c) [] (process_one_work) from [] (worker_thread+0x22c/0x2d8) [] (worker_thread) from [] (kthread+0x16c/0x178) [] (kthread) from [] (ret_from_fork+0x14/0x38) Exception stack(0xc10e3fb0 to 0xc10e3ff8) 3fa0: 00000000 00000000 00000000 00000000 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 INFO: task tar:2083 blocked for more than 491 seconds. Not tainted 5.15.49-rt46 #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:tar state:D stack: 0 pid: 2083 ppid: 2082 flags:0x00000000 [] (__schedule) from [] (schedule+0xdc/0x134) [] (schedule) from [] (io_schedule+0x14/0x24) [] (io_schedule) from [] (bit_wait_io+0xc/0x30) [] (bit_wait_io) from [] (__wait_on_bit_lock+0x54/0xa8) [] (__wait_on_bit_lock) from [] (out_of_line_wait_on_bit_lock+0x84/0xb0) [] (out_of_line_wait_on_bit_lock) from [] (fat_mirror_bhs+0xa0/0x144) [] (fat_mirror_bhs) from [] (fat_alloc_clusters+0x138/0x2a4) [] (fat_alloc_clusters) from [] (fat_alloc_new_dir+0x34/0x250) [] (fat_alloc_new_dir) from [] (vfat_mkdir+0x58/0x148) [] (vfat_mkdir) from [] (vfs_mkdir+0x68/0x98) [] (vfs_mkdir) from [] (do_mkdirat+0xb0/0xec) [] (do_mkdirat) from [] (ret_fast_syscall+0x0/0x1c) Exception stack(0xc2e1bfa8 to 0xc2e1bff0) bfa0: 01ee42f0 01ee4208 01ee42f0 000041ed 00000000 00004000 bfc0: 01ee42f0 01ee4208 00000000 00000027 01ee4302 00000004 000dcb00 01ee4190 bfe0: 000dc368 bed11924 0006d4b0 b6ebddfc Here the kworker is waiting on msdos_sb_info::s_lock which is held by tar which is in turn waiting for a buffer which is locked waiting to be flushed, but this operation is plugged in the kworker. The lock is a normal struct mutex, so tsk_is_pi_blocked() will always return false on !RT and thus the behaviour changes for RT. It seems that the intent here is to skip blk_flush_plug() in the case where a non-preemptible lock (such as a spinlock) has been converted to a rtmutex on RT, which is the case covered by the SM_RTLOCK_WAIT schedule flag. But sched_submit_work() is only called from schedule() which is never called in this scenario, so the check can simply be deleted. Looking at the history of the -rt patchset, in fact this change was present from v5.9.1-rt20 until being dropped in v5.13-rt1 as it was part of a larger patch [1] most of which was replaced by commit b4bfa3fcfe3b ("sched/core: Rework the __schedule() preempt argument"). As described in [1]: The schedule process must distinguish between blocking on a regular sleeping lock (rwsem and mutex) and a RT-only sleeping lock (spinlock and rwlock): - rwsem and mutex must flush block requests (blk_schedule_flush_plug()) even if blocked on a lock. This can not deadlock because this also happens for non-RT. There should be a warning if the scheduling point is within a RCU read section. - spinlock and rwlock must not flush block requests. This will deadlock if the callback attempts to acquire a lock which is already acquired. Similarly to being preempted, there should be no warning if the scheduling point is within a RCU read section. and with the tsk_is_pi_blocked() in the scheduler path, we hit the first issue. [1] https://git.kernel.org/pub/scm/linux/kernel/git/rt/linux-rt-devel.git/tree/patches/0022-locking-rtmutex-Use-custom-scheduling-function-for-s.patch?h=linux-5.10.y-rt-patches Signed-off-by: John Keeping Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Steven Rostedt (Google) Link: https://lkml.kernel.org/r/20220708162702.1758865-1-john@metanate.com Signed-off-by: Sasha Levin commit c1491d69334ad8c6de6c0350e26dd277ea634244 Author: Vincent Guittot Date: Fri Jul 8 17:44:01 2022 +0200 sched/fair: fix case with reduced capacity CPU [ Upstream commit c82a69629c53eda5233f13fc11c3c01585ef48a2 ] The capacity of the CPU available for CFS tasks can be reduced because of other activities running on the latter. In such case, it's worth trying to move CFS tasks on a CPU with more available capacity. The rework of the load balance has filtered the case when the CPU is classified to be fully busy but its capacity is reduced. Check if CPU's capacity is reduced while gathering load balance statistic and classify it group_misfit_task instead of group_fully_busy so we can try to move the load on another CPU. Reported-by: David Chen Reported-by: Zhang Qiao Signed-off-by: Vincent Guittot Signed-off-by: Peter Zijlstra (Intel) Tested-by: David Chen Tested-by: Zhang Qiao Link: https://lkml.kernel.org/r/20220708154401.21411-1-vincent.guittot@linaro.org Signed-off-by: Sasha Levin commit 4d4ccca64e84c6dc724232d2089f5bfcd704fa48 Author: Samuel Holland Date: Fri Jul 1 15:00:50 2022 -0500 genirq: GENERIC_IRQ_IPI depends on SMP [ Upstream commit 0f5209fee90b4544c58b4278d944425292789967 ] The generic IPI code depends on the IRQ affinity mask being allocated and initialized. This will not be the case if SMP is disabled. Fix up the remaining driver that selected GENERIC_IRQ_IPI in a non-SMP config. Reported-by: kernel test robot Signed-off-by: Samuel Holland Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20220701200056.46555-3-samuel@sholland.org Signed-off-by: Sasha Levin commit b1567b995a0cd7388fcd62ab8d66fdb686d7c8ff Author: Samuel Holland Date: Fri Jul 1 15:00:49 2022 -0500 irqchip/mips-gic: Only register IPI domain when SMP is enabled [ Upstream commit 8190cc572981f2f13b6ffc26c7cfa7899e5d3ccc ] The MIPS GIC irqchip driver may be selected in a uniprocessor configuration, but it unconditionally registers an IPI domain. Limit the part of the driver dealing with IPIs to only be compiled when GENERIC_IRQ_IPI is enabled, which corresponds to an SMP configuration. Reported-by: kernel test robot Signed-off-by: Samuel Holland Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20220701200056.46555-2-samuel@sholland.org Signed-off-by: Sasha Levin commit 8fa8237d2d2b7e512c4eea084518346b8d9ac1fa Author: Antonio Borneo Date: Thu May 12 18:05:44 2022 +0200 genirq: Don't return error on missing optional irq_request_resources() [ Upstream commit 95001b756467ecc9f5973eb5e74e97699d9bbdf1 ] Function irq_chip::irq_request_resources() is reported as optional in the declaration of struct irq_chip. If the parent irq_chip does not implement it, we should ignore it and return. Don't return error if the functions is missing. Signed-off-by: Antonio Borneo Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20220512160544.13561-1-antonio.borneo@foss.st.com Signed-off-by: Sasha Levin commit 21391488f2495dac362f1ee7c4209131364a96bf Author: Chen Yu Date: Mon Jun 13 00:34:28 2022 +0800 sched/fair: Introduce SIS_UTIL to search idle CPU based on sum of util_avg [ Upstream commit 70fb5ccf2ebb09a0c8ebba775041567812d45f86 ] [Problem Statement] select_idle_cpu() might spend too much time searching for an idle CPU, when the system is overloaded. The following histogram is the time spent in select_idle_cpu(), when running 224 instances of netperf on a system with 112 CPUs per LLC domain: @usecs: [0] 533 | | [1] 5495 | | [2, 4) 12008 | | [4, 8) 239252 | | [8, 16) 4041924 |@@@@@@@@@@@@@@ | [16, 32) 12357398 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | [32, 64) 14820255 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@| [64, 128) 13047682 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | [128, 256) 8235013 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | [256, 512) 4507667 |@@@@@@@@@@@@@@@ | [512, 1K) 2600472 |@@@@@@@@@ | [1K, 2K) 927912 |@@@ | [2K, 4K) 218720 | | [4K, 8K) 98161 | | [8K, 16K) 37722 | | [16K, 32K) 6715 | | [32K, 64K) 477 | | [64K, 128K) 7 | | netperf latency usecs: ======= case load Lat_99th std% TCP_RR thread-224 257.39 ( 0.21) The time spent in select_idle_cpu() is visible to netperf and might have a negative impact. [Symptom analysis] The patch [1] from Mel Gorman has been applied to track the efficiency of select_idle_sibling. Copy the indicators here: SIS Search Efficiency(se_eff%): A ratio expressed as a percentage of runqueues scanned versus idle CPUs found. A 100% efficiency indicates that the target, prev or recent CPU of a task was idle at wakeup. The lower the efficiency, the more runqueues were scanned before an idle CPU was found. SIS Domain Search Efficiency(dom_eff%): Similar, except only for the slower SIS patch. SIS Fast Success Rate(fast_rate%): Percentage of SIS that used target, prev or recent CPUs. SIS Success rate(success_rate%): Percentage of scans that found an idle CPU. The test is based on Aubrey's schedtests tool, including netperf, hackbench, schbench and tbench. Test on vanilla kernel: schedstat_parse.py -f netperf_vanilla.log case load se_eff% dom_eff% fast_rate% success_rate% TCP_RR 28 threads 99.978 18.535 99.995 100.000 TCP_RR 56 threads 99.397 5.671 99.964 100.000 TCP_RR 84 threads 21.721 6.818 73.632 100.000 TCP_RR 112 threads 12.500 5.533 59.000 100.000 TCP_RR 140 threads 8.524 4.535 49.020 100.000 TCP_RR 168 threads 6.438 3.945 40.309 99.999 TCP_RR 196 threads 5.397 3.718 32.320 99.982 TCP_RR 224 threads 4.874 3.661 25.775 99.767 UDP_RR 28 threads 99.988 17.704 99.997 100.000 UDP_RR 56 threads 99.528 5.977 99.970 100.000 UDP_RR 84 threads 24.219 6.992 76.479 100.000 UDP_RR 112 threads 13.907 5.706 62.538 100.000 UDP_RR 140 threads 9.408 4.699 52.519 100.000 UDP_RR 168 threads 7.095 4.077 44.352 100.000 UDP_RR 196 threads 5.757 3.775 35.764 99.991 UDP_RR 224 threads 5.124 3.704 28.748 99.860 schedstat_parse.py -f schbench_vanilla.log (each group has 28 tasks) case load se_eff% dom_eff% fast_rate% success_rate% normal 1 mthread 99.152 6.400 99.941 100.000 normal 2 mthreads 97.844 4.003 99.908 100.000 normal 3 mthreads 96.395 2.118 99.917 99.998 normal 4 mthreads 55.288 1.451 98.615 99.804 normal 5 mthreads 7.004 1.870 45.597 61.036 normal 6 mthreads 3.354 1.346 20.777 34.230 normal 7 mthreads 2.183 1.028 11.257 21.055 normal 8 mthreads 1.653 0.825 7.849 15.549 schedstat_parse.py -f hackbench_vanilla.log (each group has 28 tasks) case load se_eff% dom_eff% fast_rate% success_rate% process-pipe 1 group 99.991 7.692 99.999 100.000 process-pipe 2 groups 99.934 4.615 99.997 100.000 process-pipe 3 groups 99.597 3.198 99.987 100.000 process-pipe 4 groups 98.378 2.464 99.958 100.000 process-pipe 5 groups 27.474 3.653 89.811 99.800 process-pipe 6 groups 20.201 4.098 82.763 99.570 process-pipe 7 groups 16.423 4.156 77.398 99.316 process-pipe 8 groups 13.165 3.920 72.232 98.828 process-sockets 1 group 99.977 5.882 99.999 100.000 process-sockets 2 groups 99.927 5.505 99.996 100.000 process-sockets 3 groups 99.397 3.250 99.980 100.000 process-sockets 4 groups 79.680 4.258 98.864 99.998 process-sockets 5 groups 7.673 2.503 63.659 92.115 process-sockets 6 groups 4.642 1.584 58.946 88.048 process-sockets 7 groups 3.493 1.379 49.816 81.164 process-sockets 8 groups 3.015 1.407 40.845 75.500 threads-pipe 1 group 99.997 0.000 100.000 100.000 threads-pipe 2 groups 99.894 2.932 99.997 100.000 threads-pipe 3 groups 99.611 4.117 99.983 100.000 threads-pipe 4 groups 97.703 2.624 99.937 100.000 threads-pipe 5 groups 22.919 3.623 87.150 99.764 threads-pipe 6 groups 18.016 4.038 80.491 99.557 threads-pipe 7 groups 14.663 3.991 75.239 99.247 threads-pipe 8 groups 12.242 3.808 70.651 98.644 threads-sockets 1 group 99.990 6.667 99.999 100.000 threads-sockets 2 groups 99.940 5.114 99.997 100.000 threads-sockets 3 groups 99.469 4.115 99.977 100.000 threads-sockets 4 groups 87.528 4.038 99.400 100.000 threads-sockets 5 groups 6.942 2.398 59.244 88.337 threads-sockets 6 groups 4.359 1.954 49.448 87.860 threads-sockets 7 groups 2.845 1.345 41.198 77.102 threads-sockets 8 groups 2.871 1.404 38.512 74.312 schedstat_parse.py -f tbench_vanilla.log case load se_eff% dom_eff% fast_rate% success_rate% loopback 28 threads 99.976 18.369 99.995 100.000 loopback 56 threads 99.222 7.799 99.934 100.000 loopback 84 threads 19.723 6.819 70.215 100.000 loopback 112 threads 11.283 5.371 55.371 99.999 loopback 140 threads 0.000 0.000 0.000 0.000 loopback 168 threads 0.000 0.000 0.000 0.000 loopback 196 threads 0.000 0.000 0.000 0.000 loopback 224 threads 0.000 0.000 0.000 0.000 According to the test above, if the system becomes busy, the SIS Search Efficiency(se_eff%) drops significantly. Although some benchmarks would finally find an idle CPU(success_rate% = 100%), it is doubtful whether it is worth it to search the whole LLC domain. [Proposal] It would be ideal to have a crystal ball to answer this question: How many CPUs must a wakeup path walk down, before it can find an idle CPU? Many potential metrics could be used to predict the number. One candidate is the sum of util_avg in this LLC domain. The benefit of choosing util_avg is that it is a metric of accumulated historic activity, which seems to be smoother than instantaneous metrics (such as rq->nr_running). Besides, choosing the sum of util_avg would help predict the load of the LLC domain more precisely, because SIS_PROP uses one CPU's idle time to estimate the total LLC domain idle time. In summary, the lower the util_avg is, the more select_idle_cpu() should scan for idle CPU, and vice versa. When the sum of util_avg in this LLC domain hits 85% or above, the scan stops. The reason to choose 85% as the threshold is that this is the imbalance_pct(117) when a LLC sched group is overloaded. Introduce the quadratic function: y = SCHED_CAPACITY_SCALE - p * x^2 and y'= y / SCHED_CAPACITY_SCALE x is the ratio of sum_util compared to the CPU capacity: x = sum_util / (llc_weight * SCHED_CAPACITY_SCALE) y' is the ratio of CPUs to be scanned in the LLC domain, and the number of CPUs to scan is calculated by: nr_scan = llc_weight * y' Choosing quadratic function is because: [1] Compared to the linear function, it scans more aggressively when the sum_util is low. [2] Compared to the exponential function, it is easier to calculate. [3] It seems that there is no accurate mapping between the sum of util_avg and the number of CPUs to be scanned. Use heuristic scan for now. For a platform with 112 CPUs per LLC, the number of CPUs to scan is: sum_util% 0 5 15 25 35 45 55 65 75 85 86 ... scan_nr 112 111 108 102 93 81 65 47 25 1 0 ... For a platform with 16 CPUs per LLC, the number of CPUs to scan is: sum_util% 0 5 15 25 35 45 55 65 75 85 86 ... scan_nr 16 15 15 14 13 11 9 6 3 0 0 ... Furthermore, to minimize the overhead of calculating the metrics in select_idle_cpu(), borrow the statistics from periodic load balance. As mentioned by Abel, on a platform with 112 CPUs per LLC, the sum_util calculated by periodic load balance after 112 ms would decay to about 0.5 * 0.5 * 0.5 * 0.7 = 8.75%, thus bringing a delay in reflecting the latest utilization. But it is a trade-off. Checking the util_avg in newidle load balance would be more frequent, but it brings overhead - multiple CPUs write/read the per-LLC shared variable and introduces cache contention. Tim also mentioned that, it is allowed to be non-optimal in terms of scheduling for the short-term variations, but if there is a long-term trend in the load behavior, the scheduler can adjust for that. When SIS_UTIL is enabled, the select_idle_cpu() uses the nr_scan calculated by SIS_UTIL instead of the one from SIS_PROP. As Peter and Mel suggested, SIS_UTIL should be enabled by default. This patch is based on the util_avg, which is very sensitive to the CPU frequency invariance. There is an issue that, when the max frequency has been clamp, the util_avg would decay insanely fast when the CPU is idle. Commit addca285120b ("cpufreq: intel_pstate: Handle no_turbo in frequency invariance") could be used to mitigate this symptom, by adjusting the arch_max_freq_ratio when turbo is disabled. But this issue is still not thoroughly fixed, because the current code is unaware of the user-specified max CPU frequency. [Test result] netperf and tbench were launched with 25% 50% 75% 100% 125% 150% 175% 200% of CPU number respectively. Hackbench and schbench were launched by 1, 2 ,4, 8 groups. Each test lasts for 100 seconds and repeats 3 times. The following is the benchmark result comparison between baseline:vanilla v5.19-rc1 and compare:patched kernel. Positive compare% indicates better performance. Each netperf test is a: netperf -4 -H 127.0.1 -t TCP/UDP_RR -c -C -l 100 netperf.throughput ======= case load baseline(std%) compare%( std%) TCP_RR 28 threads 1.00 ( 0.34) -0.16 ( 0.40) TCP_RR 56 threads 1.00 ( 0.19) -0.02 ( 0.20) TCP_RR 84 threads 1.00 ( 0.39) -0.47 ( 0.40) TCP_RR 112 threads 1.00 ( 0.21) -0.66 ( 0.22) TCP_RR 140 threads 1.00 ( 0.19) -0.69 ( 0.19) TCP_RR 168 threads 1.00 ( 0.18) -0.48 ( 0.18) TCP_RR 196 threads 1.00 ( 0.16) +194.70 ( 16.43) TCP_RR 224 threads 1.00 ( 0.16) +197.30 ( 7.85) UDP_RR 28 threads 1.00 ( 0.37) +0.35 ( 0.33) UDP_RR 56 threads 1.00 ( 11.18) -0.32 ( 0.21) UDP_RR 84 threads 1.00 ( 1.46) -0.98 ( 0.32) UDP_RR 112 threads 1.00 ( 28.85) -2.48 ( 19.61) UDP_RR 140 threads 1.00 ( 0.70) -0.71 ( 14.04) UDP_RR 168 threads 1.00 ( 14.33) -0.26 ( 11.16) UDP_RR 196 threads 1.00 ( 12.92) +186.92 ( 20.93) UDP_RR 224 threads 1.00 ( 11.74) +196.79 ( 18.62) Take the 224 threads as an example, the SIS search metrics changes are illustrated below: vanilla patched 4544492 +237.5% 15338634 sched_debug.cpu.sis_domain_search.avg 38539 +39686.8% 15333634 sched_debug.cpu.sis_failed.avg 128300000 -87.9% 15551326 sched_debug.cpu.sis_scanned.avg 5842896 +162.7% 15347978 sched_debug.cpu.sis_search.avg There is -87.9% less CPU scans after patched, which indicates lower overhead. Besides, with this patch applied, there is -13% less rq lock contention in perf-profile.calltrace.cycles-pp._raw_spin_lock.raw_spin_rq_lock_nested .try_to_wake_up.default_wake_function.woken_wake_function. This might help explain the performance improvement - Because this patch allows the waking task to remain on the previous CPU, rather than grabbing other CPUs' lock. Each hackbench test is a: hackbench -g $job --process/threads --pipe/sockets -l 1000000 -s 100 hackbench.throughput ========= case load baseline(std%) compare%( std%) process-pipe 1 group 1.00 ( 1.29) +0.57 ( 0.47) process-pipe 2 groups 1.00 ( 0.27) +0.77 ( 0.81) process-pipe 4 groups 1.00 ( 0.26) +1.17 ( 0.02) process-pipe 8 groups 1.00 ( 0.15) -4.79 ( 0.02) process-sockets 1 group 1.00 ( 0.63) -0.92 ( 0.13) process-sockets 2 groups 1.00 ( 0.03) -0.83 ( 0.14) process-sockets 4 groups 1.00 ( 0.40) +5.20 ( 0.26) process-sockets 8 groups 1.00 ( 0.04) +3.52 ( 0.03) threads-pipe 1 group 1.00 ( 1.28) +0.07 ( 0.14) threads-pipe 2 groups 1.00 ( 0.22) -0.49 ( 0.74) threads-pipe 4 groups 1.00 ( 0.05) +1.88 ( 0.13) threads-pipe 8 groups 1.00 ( 0.09) -4.90 ( 0.06) threads-sockets 1 group 1.00 ( 0.25) -0.70 ( 0.53) threads-sockets 2 groups 1.00 ( 0.10) -0.63 ( 0.26) threads-sockets 4 groups 1.00 ( 0.19) +11.92 ( 0.24) threads-sockets 8 groups 1.00 ( 0.08) +4.31 ( 0.11) Each tbench test is a: tbench -t 100 $job 127.0.0.1 tbench.throughput ====== case load baseline(std%) compare%( std%) loopback 28 threads 1.00 ( 0.06) -0.14 ( 0.09) loopback 56 threads 1.00 ( 0.03) -0.04 ( 0.17) loopback 84 threads 1.00 ( 0.05) +0.36 ( 0.13) loopback 112 threads 1.00 ( 0.03) +0.51 ( 0.03) loopback 140 threads 1.00 ( 0.02) -1.67 ( 0.19) loopback 168 threads 1.00 ( 0.38) +1.27 ( 0.27) loopback 196 threads 1.00 ( 0.11) +1.34 ( 0.17) loopback 224 threads 1.00 ( 0.11) +1.67 ( 0.22) Each schbench test is a: schbench -m $job -t 28 -r 100 -s 30000 -c 30000 schbench.latency_90%_us ======== case load baseline(std%) compare%( std%) normal 1 mthread 1.00 ( 31.22) -7.36 ( 20.25)* normal 2 mthreads 1.00 ( 2.45) -0.48 ( 1.79) normal 4 mthreads 1.00 ( 1.69) +0.45 ( 0.64) normal 8 mthreads 1.00 ( 5.47) +9.81 ( 14.28) *Consider the Standard Deviation, this -7.36% regression might not be valid. Also, a OLTP workload with a commercial RDBMS has been tested, and there is no significant change. There were concerns that unbalanced tasks among CPUs would cause problems. For example, suppose the LLC domain is composed of 8 CPUs, and 7 tasks are bound to CPU0~CPU6, while CPU7 is idle: CPU0 CPU1 CPU2 CPU3 CPU4 CPU5 CPU6 CPU7 util_avg 1024 1024 1024 1024 1024 1024 1024 0 Since the util_avg ratio is 87.5%( = 7/8 ), which is higher than 85%, select_idle_cpu() will not scan, thus CPU7 is undetected during scan. But according to Mel, it is unlikely the CPU7 will be idle all the time because CPU7 could pull some tasks via CPU_NEWLY_IDLE. lkp(kernel test robot) has reported a regression on stress-ng.sock on a very busy system. According to the sched_debug statistics, it might be caused by SIS_UTIL terminates the scan and chooses a previous CPU earlier, and this might introduce more context switch, especially involuntary preemption, which impacts a busy stress-ng. This regression has shown that, not all benchmarks in every scenario benefit from idle CPU scan limit, and it needs further investigation. Besides, there is slight regression in hackbench's 16 groups case when the LLC domain has 16 CPUs. Prateek mentioned that we should scan aggressively in an LLC domain with 16 CPUs. Because the cost to search for an idle one among 16 CPUs is negligible. The current patch aims to propose a generic solution and only considers the util_avg. Something like the below could be applied on top of the current patch to fulfill the requirement: if (llc_weight <= 16) nr_scan = nr_scan * 32 / llc_weight; For LLC domain with 16 CPUs, the nr_scan will be expanded to 2 times large. The smaller the CPU number this LLC domain has, the larger nr_scan will be expanded. This needs further investigation. There is also ongoing work[2] from Abel to filter out the busy CPUs during wakeup, to further speed up the idle CPU scan. And it could be a following-up optimization on top of this change. Suggested-by: Tim Chen Suggested-by: Peter Zijlstra Signed-off-by: Chen Yu Signed-off-by: Peter Zijlstra (Intel) Tested-by: Yicong Yang Tested-by: Mohini Narkhede Tested-by: K Prateek Nayak Link: https://lore.kernel.org/r/20220612163428.849378-1-yu.c.chen@intel.com Signed-off-by: Sasha Levin commit 5e63c5fe9123fa76ffaeff26c211308736ec3a07 Author: Jan Kara Date: Tue Jul 26 13:13:50 2022 +0200 ext2: Add more validity checks for inode counts [ Upstream commit fa78f336937240d1bc598db817d638086060e7e9 ] Add checks verifying number of inodes stored in the superblock matches the number computed from number of inodes per group. Also verify we have at least one block worth of inodes per group. This prevents crashes on corrupted filesystems. Reported-by: syzbot+d273f7d7f58afd93be48@syzkaller.appspotmail.com Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit 019aa3dd4ee3f78b7145c239c6bc273a20ecef9b Author: James Morse Date: Thu Jul 14 17:15:23 2022 +0100 arm64: errata: Remove AES hwcap for COMPAT tasks [ Upstream commit 44b3834b2eed595af07021b1c64e6f9bc396398b ] Cortex-A57 and Cortex-A72 have an erratum where an interrupt that occurs between a pair of AES instructions in aarch32 mode may corrupt the ELR. The task will subsequently produce the wrong AES result. The AES instructions are part of the cryptographic extensions, which are optional. User-space software will detect the support for these instructions from the hwcaps. If the platform doesn't support these instructions a software implementation should be used. Remove the hwcap bits on affected parts to indicate user-space should not use the AES instructions. Acked-by: Ard Biesheuvel Signed-off-by: James Morse Link: https://lore.kernel.org/r/20220714161523.279570-3-james.morse@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit db1fae1a8acdde4adf780dcd6e0500ed77ca157e Author: Catalin Marinas Date: Fri Jun 10 16:21:41 2022 +0100 arm64: kasan: Revert "arm64: mte: reset the page tag in page->flags" [ Upstream commit 20794545c14692094a882d2221c251c4573e6adf ] This reverts commit e5b8d9218951e59df986f627ec93569a0d22149b. Pages mapped in user-space with PROT_MTE have the allocation tags either zeroed or copied/restored to some user values. In order for the kernel to access such pages via page_address(), resetting the tag in page->flags was necessary. This tag resetting was deferred to set_pte_at() -> mte_sync_page_tags() but it can race with another CPU reading the flags (via page_to_virt()): P0 (mte_sync_page_tags): P1 (memcpy from virt_to_page): Rflags!=0xff Wflags=0xff DMB (doesn't help) Wtags=0 Rtags=0 // fault Since now the post_alloc_hook() function resets the page->flags tag when unpoisoning is skipped for user pages (including the __GFP_ZEROTAGS case), revert the arm64 commit calling page_kasan_tag_reset(). Signed-off-by: Catalin Marinas Cc: Will Deacon Cc: Vincenzo Frascino Cc: Andrey Konovalov Cc: Peter Collingbourne Reviewed-by: Vincenzo Frascino Acked-by: Andrey Konovalov Link: https://lore.kernel.org/r/20220610152141.2148929-5-catalin.marinas@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 07022e07017ee5540f5559b0aeb916e8383c1e1a Author: haibinzhang (张海斌) Date: Sat Jul 2 05:43:19 2022 +0000 arm64: fix oops in concurrently setting insn_emulation sysctls [ Upstream commit af483947d472eccb79e42059276c4deed76f99a6 ] emulation_proc_handler() changes table->data for proc_dointvec_minmax and can generate the following Oops if called concurrently with itself: | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 | Internal error: Oops: 96000006 [#1] SMP | Call trace: | update_insn_emulation_mode+0xc0/0x148 | emulation_proc_handler+0x64/0xb8 | proc_sys_call_handler+0x9c/0xf8 | proc_sys_write+0x18/0x20 | __vfs_write+0x20/0x48 | vfs_write+0xe4/0x1d0 | ksys_write+0x70/0xf8 | __arm64_sys_write+0x20/0x28 | el0_svc_common.constprop.0+0x7c/0x1c0 | el0_svc_handler+0x2c/0xa0 | el0_svc+0x8/0x200 To fix this issue, keep the table->data as &insn->current_mode and use container_of() to retrieve the insn pointer. Another mutex is used to protect against the current_mode update but not for retrieving insn_emulation as table->data is no longer changing. Co-developed-by: hewenliang Signed-off-by: hewenliang Signed-off-by: Haibin Zhang Reviewed-by: Catalin Marinas Link: https://lore.kernel.org/r/20220128090324.2727688-1-hewenliang4@huawei.com Link: https://lore.kernel.org/r/9A004C03-250B-46C5-BF39-782D7551B00E@tencent.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 0fc07cf467691d4f1e9a28d551d2d350ede2d01a Author: Francis Laniel Date: Wed Jun 8 17:24:46 2022 +0100 arm64: Do not forget syscall when starting a new thread. [ Upstream commit de6921856f99c11d3986c6702d851e1328d4f7f6 ] Enable tracing of the execve*() system calls with the syscalls:sys_exit_execve tracepoint by removing the call to forget_syscall() when starting a new thread and preserving the value of regs->syscallno across exec. Signed-off-by: Francis Laniel Link: https://lore.kernel.org/r/20220608162447.666494-2-flaniel@linux.microsoft.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 573a346f3cc22def000aede3c8f9cb219f31751c Author: Andrey Konovalov Date: Mon May 23 16:51:52 2022 +0200 arm64: stacktrace: use non-atomic __set_bit [ Upstream commit 446297b28a21244e4045026c4599d1b14a67e2ce ] Use the non-atomic version of set_bit() in arch/arm64/kernel/stacktrace.c, as there is no concurrent accesses to frame->prev_type. This speeds up stack trace collection and improves the boot time of Generic KASAN by 2-5%. Suggested-by: Mark Rutland Acked-by: Mark Rutland Signed-off-by: Andrey Konovalov Link: https://lore.kernel.org/r/23dfa36d1cc91e4a1059945b7834eac22fb9854d.1653317461.git.andreyknvl@google.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 7710761991529814ecad0787dce61389d98334b0 Author: Andrey Konovalov Date: Mon May 23 16:51:51 2022 +0200 arm64: kasan: do not instrument stacktrace.c [ Upstream commit 802b91118d11227b527153849ea761b280691373 ] Disable KASAN instrumentation of arch/arm64/kernel/stacktrace.c. This speeds up Generic KASAN by 5-20%. As a side-effect, KASAN is now unable to detect bugs in the stack trace collection code. This is taken as an acceptable downside. Also replace READ_ONCE_NOCHECK() with READ_ONCE() in stacktrace.c. As the file is now not instrumented, there is no need to use the NOCHECK version of READ_ONCE(). Suggested-by: Mark Rutland Acked-by: Mark Rutland Signed-off-by: Andrey Konovalov Link: https://lore.kernel.org/r/c4c944a2a905e949760fbeb29258185087171708.1653317461.git.andreyknvl@google.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 2c1fc32a9ab838fb1d0e782cc2b203d6e9b52eaf Author: Mark Rutland Date: Wed May 11 14:17:32 2022 +0100 arch: make TRACE_IRQFLAGS_NMI_SUPPORT generic [ Upstream commit 4510bffb4d0246cdcc1f14c7367c026b807a862d ] On most architectures, IRQ flag tracing is disabled in NMI context, and architectures need to define and select TRACE_IRQFLAGS_NMI_SUPPORT in order to enable this. Commit: 859d069ee1ddd878 ("lockdep: Prepare for NMI IRQ state tracking") Permitted IRQ flag tracing in NMI context, allowing lockdep to work in NMI context where an architecture had suitable entry logic. At the time, most architectures did not have such suitable entry logic, and this broke lockdep on such architectures. Thus, this was partially disabled in commit: ed00495333ccc80f ("locking/lockdep: Fix TRACE_IRQFLAGS vs. NMIs") ... with architectures needing to select TRACE_IRQFLAGS_NMI_SUPPORT to enable IRQ flag tracing in NMI context. Currently TRACE_IRQFLAGS_NMI_SUPPORT is defined under arch/x86/Kconfig.debug. Move it to arch/Kconfig so architectures can select it without having to provide their own definition. Since the regular TRACE_IRQFLAGS_SUPPORT is selected by arch/x86/Kconfig, the select of TRACE_IRQFLAGS_NMI_SUPPORT is moved there too. There should be no functional change as a result of this patch. Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Ingo Molnar Cc: Peter Zijlstra (Intel) Cc: Thomas Gleixner Cc: Will Deacon Link: https://lore.kernel.org/r/20220511131733.4074499-2-mark.rutland@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 92b465c5fec3082a1a6fd7c3413b8f9a5a416c2a Author: Wyes Karny Date: Mon Jun 6 23:33:34 2022 +0530 x86: Handle idle=nomwait cmdline properly for x86_idle [ Upstream commit 8bcedb4ce04750e1ccc9a6b6433387f6a9166a56 ] When kernel is booted with idle=nomwait do not use MWAIT as the default idle state. If the user boots the kernel with idle=nomwait, it is a clear direction to not use mwait as the default idle state. However, the current code does not take this into consideration while selecting the default idle state on x86. Fix it by checking for the idle=nomwait boot option in prefer_mwait_c1_over_halt(). Also update the documentation around idle=nomwait appropriately. [ dhansen: tweak commit message ] Signed-off-by: Wyes Karny Signed-off-by: Dave Hansen Tested-by: Zhang Rui Link: https://lkml.kernel.org/r/fdc2dc2d0a1bc21c2f53d989ea2d2ee3ccbc0dbe.1654538381.git-series.wyes.karny@amd.com Signed-off-by: Sasha Levin commit 503dde612202affddb9c7a568edfb8b7b629c08d Author: Benjamin Segall Date: Wed Jun 15 14:24:23 2022 -0700 epoll: autoremove wakers even more aggressively commit a16ceb13961068f7209e34d7984f8e42d2c06159 upstream. If a process is killed or otherwise exits while having active network connections and many threads waiting on epoll_wait, the threads will all be woken immediately, but not removed from ep->wq. Then when network traffic scans ep->wq in wake_up, every wakeup attempt will fail, and will not remove the entries from the list. This means that the cost of the wakeup attempt is far higher than usual, does not decrease, and this also competes with the dying threads trying to actually make progress and remove themselves from the wq. Handle this by removing visited epoll wq entries unconditionally, rather than only when the wakeup succeeds - the structure of ep_poll means that the only potential loss is the timed_out->eavail heuristic, which now can race and result in a redundant ep_send_events attempt. (But only when incoming data and a timeout actually race, not on every timeout) Shakeel added: : We are seeing this issue in production with real workloads and it has : caused hard lockups. Particularly network heavy workloads with a lot : of threads in epoll_wait() can easily trigger this issue if they get : killed (oom-killed in our case). Link: https://lkml.kernel.org/r/xm26fsjotqda.fsf@google.com Signed-off-by: Ben Segall Tested-by: Shakeel Butt Cc: Alexander Viro Cc: Linus Torvalds Cc: Shakeel Butt Cc: Eric Dumazet Cc: Roman Penyaev Cc: Jason Baron Cc: Khazhismel Kumykov Cc: Heiher Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 109539c9ba8497aad2948af4f09077f6a65059fe Author: Florian Westphal Date: Tue Aug 9 18:34:02 2022 +0200 netfilter: nf_tables: fix null deref due to zeroed list head commit 580077855a40741cf511766129702d97ff02f4d9 upstream. In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list -- the list head is all zeroes, this results in a null dereference: BUG: KASAN: null-ptr-deref in nft_trans_destroy+0x26/0x59 Call Trace: nft_trans_destroy+0x26/0x59 nf_tables_newtable+0x4bc/0x9bc [..] Its sane to assume that nft_trans_destroy() can be called on the transaction object returned by nft_trans_alloc(), so make sure the list head is initialised. Fixes: 55dd6f93076b ("netfilter: nf_tables: use new transaction infrastructure to handle table") Reported-by: mingi cho Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 2f07a81c5d89f8fa54869fcfad8e6f48a30659fd Author: Pablo Neira Ayuso Date: Mon Aug 8 19:30:07 2022 +0200 netfilter: nf_tables: disallow jump to implicit chain from set element commit f323ef3a0d49e147365284bc1f02212e617b7f09 upstream. Extend struct nft_data_desc to add a flag field that specifies nft_data_init() is being called for set element data. Use it to disallow jump to implicit chain from set element, only jump to chain via immediate expression is allowed. Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 92c07fdb6b58c7b1c9f3f6c9f67ee3be139f836d Author: Pablo Neira Ayuso Date: Mon Aug 8 19:30:06 2022 +0200 netfilter: nf_tables: upfront validation of data via nft_data_init() commit 341b6941608762d8235f3fd1e45e4d7114ed8c2c upstream. Instead of parsing the data and then validate that type and length are correct, pass a description of the expected data so it can be validated upfront before parsing it to bail out earlier. This patch adds a new .size field to specify the maximum size of the data area. The .len field is optional and it is used as an input/output field, it provides the specific length of the expected data in the input path. If then .len field is not specified, then obtained length from the netlink attribute is stored. This is required by cmp, bitwise, range and immediate, which provide no netlink attribute that describes the data length. The immediate expression uses the destination register type to infer the expected data type. Relying on opencoded validation of the expected data might lead to subtle bugs as described in 7e6bc1f6cabc ("netfilter: nf_tables: stricter validation of element data"). Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit c921bd1a7f00e1a05dadaac80339fb5be2687efb Author: Thadeu Lima de Souza Cascardo Date: Tue Aug 9 14:01:48 2022 -0300 netfilter: nf_tables: do not allow RULE_ID to refer to another chain commit 36d5b2913219ac853908b0f1c664345e04313856 upstream. When doing lookups for rules on the same batch by using its ID, a rule from a different chain can be used. If a rule is added to a chain but tries to be positioned next to a rule from a different chain, it will be linked to chain2, but the use counter on chain1 would be the one to be incremented. When looking for rules by ID, use the chain that was used for the lookup by name. The chain used in the context copied to the transaction needs to match that same chain. That way, struct nft_rule does not need to get enlarged with another member. Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute") Fixes: 75dd48e2e420 ("netfilter: nf_tables: Support RULE_ID reference in new rule") Signed-off-by: Thadeu Lima de Souza Cascardo Cc: Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 58e863f64ee3d0879297e5e53b646e4b91e59620 Author: Thadeu Lima de Souza Cascardo Date: Tue Aug 9 14:01:47 2022 -0300 netfilter: nf_tables: do not allow CHAIN_ID to refer to another table commit 95f466d22364a33d183509629d0879885b4f547e upstream. When doing lookups for chains on the same batch by using its ID, a chain from a different table can be used. If a rule is added to a table but refers to a chain in a different table, it will be linked to the chain in table2, but would have expressions referring to objects in table1. Then, when table1 is removed, the rule will not be removed as its linked to a chain in table2. When expressions in the rule are processed or removed, that will lead to a use-after-free. When looking for chains by ID, use the table that was used for the lookup by name, and only return chains belonging to that same table. Fixes: 837830a4b439 ("netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute") Signed-off-by: Thadeu Lima de Souza Cascardo Cc: Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 0d07039397527361850c554c192e749cfc879ea9 Author: Thadeu Lima de Souza Cascardo Date: Tue Aug 9 14:01:46 2022 -0300 netfilter: nf_tables: do not allow SET_ID to refer to another table commit 470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2 upstream. When doing lookups for sets on the same batch by using its ID, a set from a different table can be used. Then, when the table is removed, a reference to the set may be kept after the set is freed, leading to a potential use-after-free. When looking for sets by ID, use the table that was used for the lookup by name, and only return sets belonging to that same table. This fixes CVE-2022-2586, also reported as ZDI-CAN-17470. Reported-by: Team Orca of Sea Security (@seasecresponse) Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") Signed-off-by: Thadeu Lima de Souza Cascardo Cc: Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit f9cb9c823a65e92425aa0f5ddb55e655331a15ce Author: Michael Grzeschik Date: Mon Jul 4 16:18:12 2022 +0200 usb: dwc3: gadget: fix high speed multiplier setting commit 8affe37c525d800a2628c4ecfaed13b77dc5634a upstream. For High-Speed Transfers the prepare_one_trb function is calculating the multiplier setting for the trb based on the length parameter of the trb currently prepared. This assumption is wrong. For trbs with a sg list, the length of the actual request has to be taken instead. Fixes: 40d829fb2ec6 ("usb: dwc3: gadget: Correct ISOC DATA PIDs for short packets") Cc: stable Signed-off-by: Michael Grzeschik Link: https://lore.kernel.org/r/20220704141812.1532306-3-m.grzeschik@pengutronix.de Signed-off-by: Greg Kroah-Hartman commit fd55d4aa346355e7f71267cd29f5138bae1449e2 Author: Michael Grzeschik Date: Mon Jul 4 16:18:11 2022 +0200 usb: dwc3: gadget: refactor dwc3_repare_one_trb commit 23385cec5f354794dadced7f28c31da7ae3eb54c upstream. The function __dwc3_prepare_one_trb has many parameters. Since it is only used in dwc3_prepare_one_trb there is no point in keeping the function. We merge both functions and get rid of the big list of parameters. Fixes: 40d829fb2ec6 ("usb: dwc3: gadget: Correct ISOC DATA PIDs for short packets") Cc: stable Signed-off-by: Michael Grzeschik Link: https://lore.kernel.org/r/20220704141812.1532306-2-m.grzeschik@pengutronix.de Signed-off-by: Greg Kroah-Hartman commit 33ece34cdf1d3a12f2031087b0dc08e9b766f01e Author: Kunihiko Hayashi Date: Tue Aug 2 22:36:47 2022 +0900 arm64: dts: uniphier: Fix USB interrupts for PXs3 SoC commit fe17b91a7777df140d0f1433991da67ba658796c upstream. An interrupt for USB device are shared with USB host. Set interrupt-names property to common "dwc_usb3" instead of "host" and "peripheral". Cc: stable@vger.kernel.org Fixes: d7b9beb830d7 ("arm64: dts: uniphier: Add USB3 controller nodes") Reported-by: Ryuta NAKANISHI Signed-off-by: Kunihiko Hayashi Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit ff4a0a2a0608e0d3bcf615d86eb3942ee326ebc0 Author: Kunihiko Hayashi Date: Tue Aug 2 22:36:25 2022 +0900 ARM: dts: uniphier: Fix USB interrupts for PXs2 SoC commit 9b0dc7abb5cc43a2dbf90690c3c6011dcadc574d upstream. An interrupt for USB device are shared with USB host. Set interrupt-names property to common "dwc_usb3" instead of "host" and "peripheral". Cc: stable@vger.kernel.org Fixes: 45be1573ad19 ("ARM: dts: uniphier: Add USB3 controller nodes") Reported-by: Ryuta NAKANISHI Signed-off-by: Kunihiko Hayashi Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit af64d4caeeb20df99bae80bf0bafecc946915a84 Author: Jose Alonso Date: Mon Aug 8 08:35:04 2022 -0300 Revert "net: usb: ax88179_178a needs FLAG_SEND_ZLP" commit 6fd2c17fb6e02a8c0ab51df1cfec82ce96b8e83d upstream. This reverts commit 36a15e1cb134c0395261ba1940762703f778438c. The usage of FLAG_SEND_ZLP causes problems to other firmware/hardware versions that have no issues. The FLAG_SEND_ZLP is not safe to use in this context. See: https://patchwork.ozlabs.org/project/netdev/patch/1270599787.8900.8.camel@Linuxdev4-laptop/#118378 The original problem needs another way to solve. Fixes: 36a15e1cb134 ("net: usb: ax88179_178a needs FLAG_SEND_ZLP") Cc: stable@vger.kernel.org Reported-by: Ronald Wahl Link: https://bugzilla.kernel.org/show_bug.cgi?id=216327 Link: https://bugs.archlinux.org/task/75491 Signed-off-by: Jose Alonso Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4e5de1c54ecab1ac57455f5b3e152c0c5c29101f Author: Weitao Wang Date: Tue Jul 26 15:49:18 2022 +0800 USB: HCD: Fix URB giveback issue in tasklet function commit 26c6c2f8a907c9e3a2f24990552a4d77235791e6 upstream. Usb core introduce the mechanism of giveback of URB in tasklet context to reduce hardware interrupt handling time. On some test situation(such as FIO with 4KB block size), when tasklet callback function called to giveback URB, interrupt handler add URB node to the bh->head list also. If check bh->head list again after finish all URB giveback of local_list, then it may introduce a "dynamic balance" between giveback URB and add URB to bh->head list. This tasklet callback function may not exit for a long time, which will cause other tasklet function calls to be delayed. Some real-time applications(such as KB and Mouse) will see noticeable lag. In order to prevent the tasklet function from occupying the cpu for a long time at a time, new URBS will not be added to the local_list even though the bh->head list is not empty. But also need to ensure the left URB giveback to be processed in time, so add a member high_prio for structure giveback_urb_bh to prioritize tasklet and schelule this tasklet again if bh->head list is not empty. At the same time, we are able to prioritize tasklet through structure member high_prio. So, replace the local high_prio_bh variable with this structure member in usb_hcd_giveback_urb. Fixes: 94dfd7edfd5c ("USB: HCD: support giveback of URB in tasklet context") Cc: stable Reviewed-by: Alan Stern Signed-off-by: Weitao Wang Link: https://lore.kernel.org/r/20220726074918.5114-1-WeitaoWang-oc@zhaoxin.com Signed-off-by: Greg Kroah-Hartman commit e1da08e8cded83cb976813a16918985e347299fa Author: Linyu Yuan Date: Tue Jul 26 14:45:49 2022 +0800 usb: typec: ucsi: Acknowledge the GET_ERROR_STATUS command completion commit a7dc438b5e446afcd1b3b6651da28271400722f2 upstream. We found PPM will not send any notification after it report error status and OPM issue GET_ERROR_STATUS command to read the details about error. According UCSI spec, PPM may clear the Error Status Data after the OPM has acknowledged the command completion. This change add operation to acknowledge the command completion from PPM. Fixes: bdc62f2bae8f (usb: typec: ucsi: Simplified registration and I/O API) Cc: # 5.10 Signed-off-by: Jack Pham Signed-off-by: Linyu Yuan Link: https://lore.kernel.org/r/1658817949-4632-1-git-send-email-quic_linyyuan@quicinc.com Signed-off-by: Greg Kroah-Hartman commit bc57850fcb7e4cb91b6321d0ce83357cefd55c54 Author: Suzuki K Poulose Date: Tue Jun 14 22:40:24 2022 +0100 coresight: Clear the connection field properly commit 2af89ebacf299b7fba5f3087d35e8a286ec33706 upstream. coresight devices track their connections (output connections) and hold a reference to the fwnode. When a device goes away, we walk through the devices on the coresight bus and make sure that the references are dropped. This happens both ways: a) For all output connections from the device, drop the reference to the target device via coresight_release_platform_data() b) Iterate over all the devices on the coresight bus and drop the reference to fwnode if *this* device is the target of the output connection, via coresight_remove_conns()->coresight_remove_match(). However, the coresight_remove_match() doesn't clear the fwnode field, after dropping the reference, this causes use-after-free and additional refcount drops on the fwnode. e.g., if we have two devices, A and B, with a connection, A -> B. If we remove B first, B would clear the reference on B, from A via coresight_remove_match(). But when A is removed, it still has a connection with fwnode still pointing to B. Thus it tries to drops the reference in coresight_release_platform_data(), raising the bells like : [ 91.990153] ------------[ cut here ]------------ [ 91.990163] refcount_t: addition on 0; use-after-free. [ 91.990212] WARNING: CPU: 0 PID: 461 at lib/refcount.c:25 refcount_warn_saturate+0xa0/0x144 [ 91.990260] Modules linked in: coresight_funnel coresight_replicator coresight_etm4x(-) crct10dif_ce coresight ip_tables x_tables ipv6 [last unloaded: coresight_cpu_debug] [ 91.990398] CPU: 0 PID: 461 Comm: rmmod Tainted: G W T 5.19.0-rc2+ #53 [ 91.990418] Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb 1 2019 [ 91.990434] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 91.990454] pc : refcount_warn_saturate+0xa0/0x144 [ 91.990476] lr : refcount_warn_saturate+0xa0/0x144 [ 91.990496] sp : ffff80000c843640 [ 91.990509] x29: ffff80000c843640 x28: ffff800009957c28 x27: ffff80000c8439a8 [ 91.990560] x26: ffff00097eff1990 x25: ffff8000092b6ad8 x24: ffff00097eff19a8 [ 91.990610] x23: ffff80000c8439a8 x22: 0000000000000000 x21: ffff80000c8439c2 [ 91.990659] x20: 0000000000000000 x19: ffff00097eff1a10 x18: ffff80000ab99c40 [ 91.990708] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80000abf6fa0 [ 91.990756] x14: 000000000000001d x13: 0a2e656572662d72 x12: 657466612d657375 [ 91.990805] x11: 203b30206e6f206e x10: 6f69746964646120 x9 : ffff8000081aba28 [ 91.990854] x8 : 206e6f206e6f6974 x7 : 69646461203a745f x6 : 746e756f63666572 [ 91.990903] x5 : ffff00097648ec58 x4 : 0000000000000000 x3 : 0000000000000027 [ 91.990952] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00080260ba00 [ 91.991000] Call trace: [ 91.991012] refcount_warn_saturate+0xa0/0x144 [ 91.991034] kobject_get+0xac/0xb0 [ 91.991055] of_node_get+0x2c/0x40 [ 91.991076] of_fwnode_get+0x40/0x60 [ 91.991094] fwnode_handle_get+0x3c/0x60 [ 91.991116] fwnode_get_nth_parent+0xf4/0x110 [ 91.991137] fwnode_full_name_string+0x48/0xc0 [ 91.991158] device_node_string+0x41c/0x530 [ 91.991178] pointer+0x320/0x3ec [ 91.991198] vsnprintf+0x23c/0x750 [ 91.991217] vprintk_store+0x104/0x4b0 [ 91.991238] vprintk_emit+0x8c/0x360 [ 91.991257] vprintk_default+0x44/0x50 [ 91.991276] vprintk+0xcc/0xf0 [ 91.991295] _printk+0x68/0x90 [ 91.991315] of_node_release+0x13c/0x14c [ 91.991334] kobject_put+0x98/0x114 [ 91.991354] of_node_put+0x24/0x34 [ 91.991372] of_fwnode_put+0x40/0x5c [ 91.991390] fwnode_handle_put+0x38/0x50 [ 91.991411] coresight_release_platform_data+0x74/0xb0 [coresight] [ 91.991472] coresight_unregister+0x64/0xcc [coresight] [ 91.991525] etm4_remove_dev+0x64/0x78 [coresight_etm4x] [ 91.991563] etm4_remove_amba+0x1c/0x2c [coresight_etm4x] [ 91.991598] amba_remove+0x3c/0x19c Reproducible by: (Build all coresight components as modules): #!/bin/sh while true do for m in tmc stm cpu_debug etm4x replicator funnel do modprobe coresight_${m} done for m in tmc stm cpu_debug etm4x replicator funnel do rmmode coresight_${m} done done Cc: stable@vger.kernel.org Cc: Mathieu Poirier Cc: Mike Leach Cc: Leo Yan Signed-off-by: Suzuki K Poulose Fixes: 37ea1ffddffa ("coresight: Use fwnode handle instead of device names") Link: https://lore.kernel.org/r/20220614214024.3005275-1-suzuki.poulose@arm.com Signed-off-by: Mathieu Poirier Signed-off-by: Greg Kroah-Hartman commit 7d305823e02217b29d41fca67e3cef87fd7bd688 Author: Huacai Chen Date: Thu Jul 14 16:41:34 2022 +0800 MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK commit e1a534f5d074db45ae5cbac41d8912b98e96a006 upstream. When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS is selected, cpu_max_bits_warn() generates a runtime warning similar as below while we show /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit) instead of NR_CPUS to iterate CPUs. [ 3.052463] ------------[ cut here ]------------ [ 3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0 [ 3.070072] Modules linked in: efivarfs autofs4 [ 3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052 [ 3.084034] Hardware name: Loongson Loongson-3A4000-7A1000-1w-V0.1-CRB/Loongson-LS3A4000-7A1000-1w-EVB-V1.21, BIOS Loongson-UDK2018-V2.0.04082-beta7 04/27 [ 3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000 [ 3.109127] 9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430 [ 3.118774] 90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff [ 3.128412] 0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890 [ 3.138056] 0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa [ 3.147711] ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000 [ 3.157364] 900000000101c998 0000000000000004 9000000000ef7430 0000000000000000 [ 3.167012] 0000000000000009 000000000000006c 0000000000000000 0000000000000000 [ 3.176641] 9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286 [ 3.186260] 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c [ 3.195868] ... [ 3.199917] Call Trace: [ 3.203941] [<98000000002086d8>] show_stack+0x38/0x14c [ 3.210666] [<9800000000cf846c>] dump_stack_lvl+0x60/0x88 [ 3.217625] [<980000000023d268>] __warn+0xd0/0x100 [ 3.223958] [<9800000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc [ 3.231150] [<9800000000210220>] show_cpuinfo+0x5e8/0x5f0 [ 3.238080] [<98000000004f578c>] seq_read_iter+0x354/0x4b4 [ 3.245098] [<98000000004c2e90>] new_sync_read+0x17c/0x1c4 [ 3.252114] [<98000000004c5174>] vfs_read+0x138/0x1d0 [ 3.258694] [<98000000004c55f8>] ksys_read+0x70/0x100 [ 3.265265] [<9800000000cfde9c>] do_syscall+0x7c/0x94 [ 3.271820] [<9800000000202fe4>] handle_syscall+0xc4/0x160 [ 3.281824] ---[ end trace 8b484262b4b8c24c ]--- Cc: stable@vger.kernel.org Signed-off-by: Huacai Chen Signed-off-by: Thomas Bogendoerfer Signed-off-by: Greg Kroah-Hartman commit 3fcad718b5c99a6ed74d9c0d7b6ec5a66acfe48d Author: Michael Ellerman Date: Thu Jul 28 00:32:17 2022 +1000 powerpc/powernv: Avoid crashing if rng is NULL commit 90b5d4fe0b3ba7f589c6723c6bfb559d9e83956a upstream. On a bare-metal Power8 system that doesn't have an "ibm,power-rng", a malicious QEMU and guest that ignore the absence of the KVM_CAP_PPC_HWRNG flag, and calls H_RANDOM anyway, will dereference a NULL pointer. In practice all Power8 machines have an "ibm,power-rng", but let's not rely on that, add a NULL check and early return in powernv_get_random_real_mode(). Fixes: e928e9cb3601 ("KVM: PPC: Book3S HV: Add fast real-mode H_RANDOM implementation.") Cc: stable@vger.kernel.org # v4.1+ Signed-off-by: Jason A. Donenfeld Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220727143219.2684192-1-mpe@ellerman.id.au Signed-off-by: Greg Kroah-Hartman commit 39e29d134ce2b3726e93a83a8cbc1a74c63ad839 Author: Christophe Leroy Date: Tue Jun 28 16:43:35 2022 +0200 powerpc/ptdump: Fix display of RW pages on FSL_BOOK3E commit dd8de84b57b02ba9c1fe530a6d916c0853f136bd upstream. On FSL_BOOK3E, _PAGE_RW is defined with two bits, one for user and one for supervisor. As soon as one of the two bits is set, the page has to be display as RW. But the way it is implemented today requires both bits to be set in order to display it as RW. Instead of display RW when _PAGE_RW bits are set and R otherwise, reverse the logic and display R when _PAGE_RW bits are all 0 and RW otherwise. This change has no impact on other platforms as _PAGE_RW is a single bit on all of them. Fixes: 8eb07b187000 ("powerpc/mm: Dump linux pagetables") Cc: stable@vger.kernel.org Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/0c33b96317811edf691e81698aaee8fa45ec3449.1656427391.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit b80b14c6c09a9d3de02cfc036ad3349228496ffd Author: Pali Rohár Date: Wed Jul 6 12:10:43 2022 +0200 powerpc/fsl-pci: Fix Class Code of PCIe Root Port commit 0c551abfa004ce154d487d91777bf221c808a64f upstream. By default old pre-3.0 Freescale PCIe controllers reports invalid PCI Class Code 0x0b20 for PCIe Root Port. It can be seen by lspci -b output on P2020 board which has this pre-3.0 controller: $ lspci -bvnn 00:00.0 Power PC [0b20]: Freescale Semiconductor Inc P2020E [1957:0070] (rev 21) !!! Invalid class 0b20 for header type 01 Capabilities: [4c] Express Root Port (Slot-), MSI 00 Fix this issue by programming correct PCI Class Code 0x0604 for PCIe Root Port to the Freescale specific PCIe register 0x474. With this change lspci -b output is: $ lspci -bvnn 00:00.0 PCI bridge [0604]: Freescale Semiconductor Inc P2020E [1957:0070] (rev 21) (prog-if 00 [Normal decode]) Capabilities: [4c] Express Root Port (Slot-), MSI 00 Without any "Invalid class" error. So class code was properly reflected into standard (read-only) PCI register 0x08. Same fix is already implemented in U-Boot pcie_fsl.c driver in commit: http://source.denx.de/u-boot/u-boot/-/commit/d18d06ac35229345a0af80977a408cfbe1d1015b Fix activated by U-Boot stay active also after booting Linux kernel. But boards which use older U-Boot version without that fix are affected and still require this fix. So implement this class code fix also in kernel fsl_pci.c driver. Cc: stable@vger.kernel.org Signed-off-by: Pali Rohár Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220706101043.4867-1-pali@kernel.org Signed-off-by: Greg Kroah-Hartman commit 87784a09789aa03f56c6bdb5e3c71110bf57dbf2 Author: Christophe Leroy Date: Tue Jun 28 16:48:54 2022 +0200 powerpc/64e: Fix early TLB miss with KUAP commit 09317643117ade87c03158341e87466413fa8f1a upstream. With KUAP, the TLB miss handler bails out when an access to user memory is performed with a nul TID. But the normal TLB miss routine which is only used early during boot does the check regardless for all memory areas, not only user memory. By chance there is no early IO or vmalloc access, but when KASAN come we will start having early TLB misses. Fix it by creating a special branch for user accesses similar to the one in the 'bolted' TLB miss handlers. Unfortunately SPRN_MAS1 is now read too early and there are no registers available to preserve it so it will be read a second time. Fixes: 57bc963837f5 ("powerpc/kuap: Wire-up KUAP on book3e/64") Cc: stable@vger.kernel.org Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/8d6c5859a45935d6e1a336da4dc20be421e8cea7.1656427701.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 9f9bbe3cf758e04efdab2626c569269abd3d0a66 Author: Christophe Leroy Date: Sat Jun 11 08:51:57 2022 +0200 powerpc: Restore CONFIG_DEBUG_INFO in defconfigs commit 92f89ec1b534b6eca2b81bae97d30a786932f51a upstream. Commit f9b3cd245784 ("Kconfig.debug: make DEBUG_INFO selectable from a choice") broke the selection of CONFIG_DEBUG_INFO by powerpc defconfigs. It is now necessary to select one of the three DEBUG_INFO_DWARF* options to get DEBUG_INFO enabled. Replace DEBUG_INFO=y by DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y in all defconfigs using the following command: sed -i s/DEBUG_INFO=y/DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y/g `git grep -l DEBUG_INFO arch/powerpc/configs/` Fixes: f9b3cd245784 ("Kconfig.debug: make DEBUG_INFO selectable from a choice") Cc: stable@vger.kernel.org Signed-off-by: Christophe Leroy Reviewed-by: Kees Cook Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/98a4c2603bf9e4b776e219f5b8541d23aa24e854.1654930308.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 65e044ac89c11d3c4d764debab360a9e04e462ef Author: Alexander Lobakin Date: Fri Jun 24 14:13:05 2022 +0200 ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr() commit e5a16a5c4602c119262f350274021f90465f479d upstream. test_bit(), as any other bitmap op, takes `unsigned long *` as a second argument (pointer to the actual bitmap), as any bitmap itself is an array of unsigned longs. However, the ia64_get_irr() code passes a ref to `u64` as a second argument. This works with the ia64 bitops implementation due to that they have `void *` as the second argument and then cast it later on. This works with the bitmap API itself due to that `unsigned long` has the same size on ia64 as `u64` (`unsigned long long`), but from the compiler PoV those two are different. Define @irr as `unsigned long` to fix that. That implies no functional changes. Has been hidden for 16 years! Fixes: a58786917ce2 ("[IA64] avoid broken SAL_CACHE_FLUSH implementations") Cc: stable@vger.kernel.org # 2.6.16+ Reported-by: kernel test robot Signed-off-by: Alexander Lobakin Reviewed-by: Andy Shevchenko Reviewed-by: Yury Norov Signed-off-by: Yury Norov Signed-off-by: Greg Kroah-Hartman commit 6fe27b55af245ae9bb042e59e503a17244c88596 Author: Xiaomeng Tong Date: Thu Apr 14 05:14:15 2022 +0100 media: [PATCH] pci: atomisp_cmd: fix three missing checks on list iterator commit 09b204eb9de9fdf07d028c41c4331b5cfeb70dd7 upstream. The three bugs are here: __func__, s3a_buf->s3a_data->exp_id); __func__, md_buf->metadata->exp_id); __func__, dis_buf->dis_data->exp_id); The list iterator 's3a_buf/md_buf/dis_buf' will point to a bogus position containing HEAD if the list is empty or no element is found. This case must be checked before any use of the iterator, otherwise it will lead to a invalid memory access. To fix this bug, add an check. Use a new variable '*_iter' as the list iterator, while use the old variable '*_buf' as a dedicated pointer to point to the found element. Link: https://lore.kernel.org/linux-media/20220414041415.3342-1-xiam0nd.tong@gmail.com Cc: stable@vger.kernel.org Fixes: ad85094b293e4 ("Revert "media: staging: atomisp: Remove driver"") Signed-off-by: Xiaomeng Tong Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit d3b41aa5348a1959f206d36362400109048e0154 Author: Randy Dunlap Date: Wed Mar 30 02:56:52 2022 +0100 media: isl7998x: select V4L2_FWNODE to fix build error commit 81e005842d0b8167c059553a1c29c36d8a7a9329 upstream. Fix build error when VIDEO_ISL7998X=y and V4L2_FWNODE=m by selecting V4L2_FWNODE. microblaze-linux-ld: drivers/media/i2c/isl7998x.o: in function `isl7998x_probe': (.text+0x8f4): undefined reference to `v4l2_fwnode_endpoint_parse' Cc: stable@vger.kernel.org # 5.18 and above Fixes: 51ef2be546e2 ("media: i2c: isl7998x: Add driver for Intersil ISL7998x") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Marek Vasut Cc: Pengutronix Kernel Team Reviewed-by: Michael Tretter Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 546a2d5c10fa1c1145cdc4497b5019678ce05e22 Author: Jan Kara Date: Tue Jul 12 12:54:21 2022 +0200 mbcache: add functions to delete entry if unused commit 3dc96bba65f53daa217f0a8f43edad145286a8f5 upstream. Add function mb_cache_entry_delete_or_get() to delete mbcache entry if it is unused and also add a function to wait for entry to become unused - mb_cache_entry_wait_unused(). We do not share code between the two deleting function as one of them will go away soon. CC: stable@vger.kernel.org Fixes: 82939d7999df ("ext4: convert to mbcache2") Signed-off-by: Jan Kara Link: https://lore.kernel.org/r/20220712105436.32204-2-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit 6f01f9e166c67bc680d835d4e8efc58353a4f849 Author: Jan Kara Date: Tue Jul 12 12:54:20 2022 +0200 mbcache: don't reclaim used entries commit 58318914186c157477b978b1739dfe2f1b9dc0fe upstream. Do not reclaim entries that are currently used by somebody from a shrinker. Firstly, these entries are likely useful. Secondly, we will need to keep such entries to protect pending increment of xattr block refcount. CC: stable@vger.kernel.org Fixes: 82939d7999df ("ext4: convert to mbcache2") Signed-off-by: Jan Kara Link: https://lore.kernel.org/r/20220712105436.32204-1-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit 5f57843565131bb782388f9d993f9ee8f453dee1 Author: Mikulas Patocka Date: Tue Jul 26 04:33:12 2022 -0400 md-raid10: fix KASAN warning commit d17f744e883b2f8d13cca252d71cfe8ace346f7d upstream. There's a KASAN warning in raid10_remove_disk when running the lvm test lvconvert-raid-reshape.sh. We fix this warning by verifying that the value "number" is valid. BUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10] Read of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682 CPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace: dump_stack_lvl+0x34/0x44 print_report.cold+0x45/0x57a ? __lock_text_start+0x18/0x18 ? raid10_remove_disk+0x61/0x2a0 [raid10] kasan_report+0xa8/0xe0 ? raid10_remove_disk+0x61/0x2a0 [raid10] raid10_remove_disk+0x61/0x2a0 [raid10] Buffer I/O error on dev dm-76, logical block 15344, async page read ? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0 remove_and_add_spares+0x367/0x8a0 [md_mod] ? super_written+0x1c0/0x1c0 [md_mod] ? mutex_trylock+0xac/0x120 ? _raw_spin_lock+0x72/0xc0 ? _raw_spin_lock_bh+0xc0/0xc0 md_check_recovery+0x848/0x960 [md_mod] raid10d+0xcf/0x3360 [raid10] ? sched_clock_cpu+0x185/0x1a0 ? rb_erase+0x4d4/0x620 ? var_wake_function+0xe0/0xe0 ? psi_group_change+0x411/0x500 ? preempt_count_sub+0xf/0xc0 ? _raw_spin_lock_irqsave+0x78/0xc0 ? __lock_text_start+0x18/0x18 ? raid10_sync_request+0x36c0/0x36c0 [raid10] ? preempt_count_sub+0xf/0xc0 ? _raw_spin_unlock_irqrestore+0x19/0x40 ? del_timer_sync+0xa9/0x100 ? try_to_del_timer_sync+0xc0/0xc0 ? _raw_spin_lock_irqsave+0x78/0xc0 ? __lock_text_start+0x18/0x18 ? _raw_spin_unlock_irq+0x11/0x24 ? __list_del_entry_valid+0x68/0xa0 ? finish_wait+0xa3/0x100 md_thread+0x161/0x260 [md_mod] ? unregister_md_personality+0xa0/0xa0 [md_mod] ? _raw_spin_lock_irqsave+0x78/0xc0 ? prepare_to_wait_event+0x2c0/0x2c0 ? unregister_md_personality+0xa0/0xa0 [md_mod] kthread+0x148/0x180 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 Allocated by task 124495: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x80/0xa0 setup_conf+0x140/0x5c0 [raid10] raid10_run+0x4cd/0x740 [raid10] md_run+0x6f9/0x1300 [md_mod] raid_ctr+0x2531/0x4ac0 [dm_raid] dm_table_add_target+0x2b0/0x620 [dm_mod] table_load+0x1c8/0x400 [dm_mod] ctl_ioctl+0x29e/0x560 [dm_mod] dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] __do_compat_sys_ioctl+0xfa/0x160 do_syscall_64+0x90/0xc0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x9e/0xc0 kvfree_call_rcu+0x84/0x480 timerfd_release+0x82/0x140 L __fput+0xfa/0x400 task_work_run+0x80/0xc0 exit_to_user_mode_prepare+0x155/0x160 syscall_exit_to_user_mode+0x12/0x40 do_syscall_64+0x42/0xc0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Second to last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x9e/0xc0 kvfree_call_rcu+0x84/0x480 timerfd_release+0x82/0x140 __fput+0xfa/0x400 task_work_run+0x80/0xc0 exit_to_user_mode_prepare+0x155/0x160 syscall_exit_to_user_mode+0x12/0x40 do_syscall_64+0x42/0xc0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The buggy address belongs to the object at ffff889108f3d200 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 0 bytes to the right of 256-byte region [ffff889108f3d200, ffff889108f3d300) The buggy address belongs to the physical page: page:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c head:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0 flags: 0x4000000000010200(slab|head|zone=2) raw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40 raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff889108f3d280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff889108f3d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff889108f3d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff889108f3d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org Signed-off-by: Song Liu Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 7f82027b6b74553f7fe8541c0a04bfbd3557fb11 Author: Mikulas Patocka Date: Sun Jul 24 14:26:12 2022 -0400 md-raid: destroy the bitmap after destroying the thread commit e151db8ecfb019b7da31d076130a794574c89f6f upstream. When we ran the lvm test "shell/integrity-blocksize-3.sh" on a kernel with kasan, we got failure in write_page. The reason for the failure is that md_bitmap_destroy is called before destroying the thread and the thread may be waiting in the function write_page for the bio to complete. When the thread finishes waiting, it executes "if (test_bit(BITMAP_WRITE_ERROR, &bitmap->flags))", which triggers the kasan warning. Note that the commit 48df498daf62 that caused this bug claims that it is neede for md-cluster, you should check md-cluster and possibly find another bugfix for it. BUG: KASAN: use-after-free in write_page+0x18d/0x680 [md_mod] Read of size 8 at addr ffff889162030c78 by task mdX_raid1/5539 CPU: 10 PID: 5539 Comm: mdX_raid1 Not tainted 5.19.0-rc2 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace: dump_stack_lvl+0x34/0x44 print_report.cold+0x45/0x57a ? __lock_text_start+0x18/0x18 ? write_page+0x18d/0x680 [md_mod] kasan_report+0xa8/0xe0 ? write_page+0x18d/0x680 [md_mod] kasan_check_range+0x13f/0x180 write_page+0x18d/0x680 [md_mod] ? super_sync+0x4d5/0x560 [dm_raid] ? md_bitmap_file_kick+0xa0/0xa0 [md_mod] ? rs_set_dev_and_array_sectors+0x2e0/0x2e0 [dm_raid] ? mutex_trylock+0x120/0x120 ? preempt_count_add+0x6b/0xc0 ? preempt_count_sub+0xf/0xc0 md_update_sb+0x707/0xe40 [md_mod] md_reap_sync_thread+0x1b2/0x4a0 [md_mod] md_check_recovery+0x533/0x960 [md_mod] raid1d+0xc8/0x2a20 [raid1] ? var_wake_function+0xe0/0xe0 ? psi_group_change+0x411/0x500 ? preempt_count_sub+0xf/0xc0 ? _raw_spin_lock_irqsave+0x78/0xc0 ? __lock_text_start+0x18/0x18 ? raid1_end_read_request+0x2a0/0x2a0 [raid1] ? preempt_count_sub+0xf/0xc0 ? _raw_spin_unlock_irqrestore+0x19/0x40 ? del_timer_sync+0xa9/0x100 ? try_to_del_timer_sync+0xc0/0xc0 ? _raw_spin_lock_irqsave+0x78/0xc0 ? __lock_text_start+0x18/0x18 ? __list_del_entry_valid+0x68/0xa0 ? finish_wait+0xa3/0x100 md_thread+0x161/0x260 [md_mod] ? unregister_md_personality+0xa0/0xa0 [md_mod] ? _raw_spin_lock_irqsave+0x78/0xc0 ? prepare_to_wait_event+0x2c0/0x2c0 ? unregister_md_personality+0xa0/0xa0 [md_mod] kthread+0x148/0x180 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 Allocated by task 5522: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x80/0xa0 md_bitmap_create+0xa8/0xe80 [md_mod] md_run+0x777/0x1300 [md_mod] raid_ctr+0x249c/0x4a30 [dm_raid] dm_table_add_target+0x2b0/0x620 [dm_mod] table_load+0x1c8/0x400 [dm_mod] ctl_ioctl+0x29e/0x560 [dm_mod] dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] __do_compat_sys_ioctl+0xfa/0x160 do_syscall_64+0x90/0xc0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Freed by task 5680: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x40 kasan_set_free_info+0x20/0x40 __kasan_slab_free+0xf7/0x140 kfree+0x80/0x240 md_bitmap_free+0x1c3/0x280 [md_mod] __md_stop+0x21/0x120 [md_mod] md_stop+0x9/0x40 [md_mod] raid_dtr+0x1b/0x40 [dm_raid] dm_table_destroy+0x98/0x1e0 [dm_mod] __dm_destroy+0x199/0x360 [dm_mod] dev_remove+0x10c/0x160 [dm_mod] ctl_ioctl+0x29e/0x560 [dm_mod] dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] __do_compat_sys_ioctl+0xfa/0x160 do_syscall_64+0x90/0xc0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org Fixes: 48df498daf62 ("md: move bitmap_destroy to the beginning of __md_stop") Signed-off-by: Song Liu Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 65beb95f3251922fb07beabc61d689ffc25c9595 Author: Narendra Hadke Date: Tue Jul 26 11:12:21 2022 +0200 serial: mvebu-uart: uart2 error bits clearing commit a7209541239e5dd44d981289e5f9059222d40fd1 upstream. For mvebu uart2, error bits are not cleared on buffer read. This causes interrupt loop and system hang. Cc: stable@vger.kernel.org Reviewed-by: Yi Guo Reviewed-by: Nadav Haklai Signed-off-by: Narendra Hadke Signed-off-by: Pali Rohár Link: https://lore.kernel.org/r/20220726091221.12358-1-pali@kernel.org Signed-off-by: Greg Kroah-Hartman commit 1fdbbe246daf348adaa0739463384b16ceba1fc0 Author: Miklos Szeredi Date: Fri Apr 22 15:48:53 2022 +0200 fuse: fix deadlock between atomic O_TRUNC and page invalidation commit 2fdbb8dd01556e1501132b5ad3826e8f71e24a8b upstream. fuse_finish_open() will be called with FUSE_NOWRITE set in case of atomic O_TRUNC open(), so commit 76224355db75 ("fuse: truncate pagecache on atomic_o_trunc") replaced invalidate_inode_pages2() by truncate_pagecache() in such a case to avoid the A-A deadlock. However, we found another A-B-B-A deadlock related to the case above, which will cause the xfstests generic/464 testcase hung in our virtio-fs test environment. For example, consider two processes concurrently open one same file, one with O_TRUNC and another without O_TRUNC. The deadlock case is described below, if open(O_TRUNC) is already set_nowrite(acquired A), and is trying to lock a page (acquiring B), open() could have held the page lock (acquired B), and waiting on the page writeback (acquiring A). This would lead to deadlocks. open(O_TRUNC) ---------------------------------------------------------------- fuse_open_common inode_lock [C acquire] fuse_set_nowrite [A acquire] fuse_finish_open truncate_pagecache lock_page [B acquire] truncate_inode_page unlock_page [B release] fuse_release_nowrite [A release] inode_unlock [C release] ---------------------------------------------------------------- open() ---------------------------------------------------------------- fuse_open_common fuse_finish_open invalidate_inode_pages2 lock_page [B acquire] fuse_launder_page fuse_wait_on_page_writeback [A acquire & release] unlock_page [B release] ---------------------------------------------------------------- Besides this case, all calls of invalidate_inode_pages2() and invalidate_inode_pages2_range() in fuse code also can deadlock with open(O_TRUNC). Fix by moving the truncate_pagecache() call outside the nowrite protected region. The nowrite protection is only for delayed writeback (writeback_cache) case, where inode lock does not protect against truncation racing with writes on the server. Write syscalls racing with page cache truncation still get the inode lock protection. This patch also changes the order of filemap_invalidate_lock() vs. fuse_set_nowrite() in fuse_open_common(). This new order matches the order found in fuse_file_fallocate() and fuse_do_setattr(). Reported-by: Jiachen Zhang Tested-by: Jiachen Zhang Fixes: e4648309b85a ("fuse: truncate pending writes on O_TRUNC") Cc: Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 4bd9d5d20f344d015422969302d12653c903c271 Author: Miklos Szeredi Date: Wed Apr 20 16:05:41 2022 +0200 fuse: write inode in fuse_release() commit 035ff33cf4db101250fb980a3941bf078f37a544 upstream. A race between write(2) and close(2) allows pages to be dirtied after fuse_flush -> write_inode_now(). If these pages are not flushed from fuse_release(), then there might not be a writable open file later. So any remaining dirty pages must be written back before the file is released. This is a partial revert of the blamed commit. Reported-by: syzbot+6e1efbd8efaaa6860e91@syzkaller.appspotmail.com Fixes: 36ea23374d1f ("fuse: write inode in fuse_vma_close() instead of fuse_release()") Cc: # v5.16 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit ed2ac89f294efa9a21ce3e3dcf70aa58b17f7ad4 Author: Miklos Szeredi Date: Thu Jul 21 16:06:18 2022 +0200 fuse: ioctl: translate ENOSYS commit 02c0cab8e7345b06f1c0838df444e2902e4138d3 upstream. Overlayfs may fail to complete updates when a filesystem lacks fileattr/xattr syscall support and responds with an ENOSYS error code, resulting in an unexpected "Function not implemented" error. This bug may occur with FUSE filesystems, such as davfs2. Steps to reproduce: # install davfs2, e.g., apk add davfs2 mkdir /test mkdir /test/lower /test/upper /test/work /test/mnt yes '' | mount -t davfs -o ro http://some-web-dav-server/path \ /test/lower mount -t overlay -o upperdir=/test/upper,lowerdir=/test/lower \ -o workdir=/test/work overlay /test/mnt # when "some-file" exists in the lowerdir, this fails with "Function # not implemented", with dmesg showing "overlayfs: failed to retrieve # lower fileattr (/some-file, err=-38)" touch /test/mnt/some-file The underlying cause of this regresion is actually in FUSE, which fails to translate the ENOSYS error code returned by userspace filesystem (which means that the ioctl operation is not supported) to ENOTTY. Reported-by: Christian Kohlschütter Fixes: 72db82115d2b ("ovl: copy up sync/noatime fileattr flags") Fixes: 59efec7b9039 ("fuse: implement ioctl support") Cc: Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 19d747bf8a3da525e30e30a17ff5cdccfc093251 Author: Miklos Szeredi Date: Thu Jul 21 16:06:18 2022 +0200 fuse: limit nsec commit 47912eaa061a6a81e4aa790591a1874c650733c0 upstream. Limit nanoseconds to 0..999999999. Fixes: d8a5ba45457e ("[PATCH] FUSE - core") Cc: Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 8e33102309bd6839b2e2e158f93a7b378cb4655d Author: Namjae Jeon Date: Tue Aug 2 07:28:51 2022 +0900 ksmbd: fix heap-based overflow in set_ntacl_dacl() commit 8f0541186e9ad1b62accc9519cc2b7a7240272a7 upstream. The testcase use SMB2_SET_INFO_HE command to set a malformed file attribute under the label `security.NTACL`. SMB2_QUERY_INFO_HE command in testcase trigger the following overflow. [ 4712.003781] ================================================================== [ 4712.003790] BUG: KASAN: slab-out-of-bounds in build_sec_desc+0x842/0x1dd0 [ksmbd] [ 4712.003807] Write of size 1060 at addr ffff88801e34c068 by task kworker/0:0/4190 [ 4712.003813] CPU: 0 PID: 4190 Comm: kworker/0:0 Not tainted 5.19.0-rc5 #1 [ 4712.003850] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] [ 4712.003867] Call Trace: [ 4712.003870] [ 4712.003873] dump_stack_lvl+0x49/0x5f [ 4712.003935] print_report.cold+0x5e/0x5cf [ 4712.003972] ? ksmbd_vfs_get_sd_xattr+0x16d/0x500 [ksmbd] [ 4712.003984] ? cmp_map_id+0x200/0x200 [ 4712.003988] ? build_sec_desc+0x842/0x1dd0 [ksmbd] [ 4712.004000] kasan_report+0xaa/0x120 [ 4712.004045] ? build_sec_desc+0x842/0x1dd0 [ksmbd] [ 4712.004056] kasan_check_range+0x100/0x1e0 [ 4712.004060] memcpy+0x3c/0x60 [ 4712.004064] build_sec_desc+0x842/0x1dd0 [ksmbd] [ 4712.004076] ? parse_sec_desc+0x580/0x580 [ksmbd] [ 4712.004088] ? ksmbd_acls_fattr+0x281/0x410 [ksmbd] [ 4712.004099] smb2_query_info+0xa8f/0x6110 [ksmbd] [ 4712.004111] ? psi_group_change+0x856/0xd70 [ 4712.004148] ? update_load_avg+0x1c3/0x1af0 [ 4712.004152] ? asym_cpu_capacity_scan+0x5d0/0x5d0 [ 4712.004157] ? xas_load+0x23/0x300 [ 4712.004162] ? smb2_query_dir+0x1530/0x1530 [ksmbd] [ 4712.004173] ? _raw_spin_lock_bh+0xe0/0xe0 [ 4712.004179] handle_ksmbd_work+0x30e/0x1020 [ksmbd] [ 4712.004192] process_one_work+0x778/0x11c0 [ 4712.004227] ? _raw_spin_lock_irq+0x8e/0xe0 [ 4712.004231] worker_thread+0x544/0x1180 [ 4712.004234] ? __cpuidle_text_end+0x4/0x4 [ 4712.004239] kthread+0x282/0x320 [ 4712.004243] ? process_one_work+0x11c0/0x11c0 [ 4712.004246] ? kthread_complete_and_exit+0x30/0x30 [ 4712.004282] ret_from_fork+0x1f/0x30 This patch add the buffer validation for security descriptor that is stored by malformed SMB2_SET_INFO_HE command. and allocate large response buffer about SMB2_O_INFO_SECURITY file info class. Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17771 Reviewed-by: Hyunchul Lee Signed-off-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 02ed2a9b7874e1fd08bbeccfe998df373a978b6f Author: Namjae Jeon Date: Thu Jul 28 21:57:08 2022 +0900 ksmbd: fix use-after-free bug in smb2_tree_disconect commit cf6531d98190fa2cf92a6d8bbc8af0a4740a223c upstream. smb2_tree_disconnect() freed the struct ksmbd_tree_connect, but it left the dangling pointer. It can be accessed again under compound requests. This bug can lead an oops looking something link: [ 1685.468014 ] BUG: KASAN: use-after-free in ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] [ 1685.468068 ] Read of size 4 at addr ffff888102172180 by task kworker/1:2/4807 ... [ 1685.468130 ] Call Trace: [ 1685.468132 ] [ 1685.468135 ] dump_stack_lvl+0x49/0x5f [ 1685.468141 ] print_report.cold+0x5e/0x5cf [ 1685.468145 ] ? ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] [ 1685.468157 ] kasan_report+0xaa/0x120 [ 1685.468194 ] ? ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] [ 1685.468206 ] __asan_report_load4_noabort+0x14/0x20 [ 1685.468210 ] ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] [ 1685.468222 ] smb2_tree_disconnect+0x175/0x250 [ksmbd] [ 1685.468235 ] handle_ksmbd_work+0x30e/0x1020 [ksmbd] [ 1685.468247 ] process_one_work+0x778/0x11c0 [ 1685.468251 ] ? _raw_spin_lock_irq+0x8e/0xe0 [ 1685.468289 ] worker_thread+0x544/0x1180 [ 1685.468293 ] ? __cpuidle_text_end+0x4/0x4 [ 1685.468297 ] kthread+0x282/0x320 [ 1685.468301 ] ? process_one_work+0x11c0/0x11c0 [ 1685.468305 ] ? kthread_complete_and_exit+0x30/0x30 [ 1685.468309 ] ret_from_fork+0x1f/0x30 Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17816 Signed-off-by: Namjae Jeon Reviewed-by: Hyunchul Lee Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 0f1c9908c8e18a98b3d6a80bf391bef8001d7fb7 Author: Hyunchul Lee Date: Thu Jul 28 23:41:51 2022 +0900 ksmbd: prevent out of bound read for SMB2_WRITE commit ac60778b87e45576d7bfdbd6f53df902654e6f09 upstream. OOB read memory can be written to a file, if DataOffset is 0 and Length is too large in SMB2_WRITE request of compound request. To prevent this, when checking the length of the data area of SMB2_WRITE in smb2_get_data_area_len(), let the minimum of DataOffset be the size of SMB2 header + the size of SMB2_WRITE header. This bug can lead an oops looking something like: [ 798.008715] BUG: KASAN: slab-out-of-bounds in copy_page_from_iter_atomic+0xd3d/0x14b0 [ 798.008724] Read of size 252 at addr ffff88800f863e90 by task kworker/0:2/2859 ... [ 798.008754] Call Trace: [ 798.008756] [ 798.008759] dump_stack_lvl+0x49/0x5f [ 798.008764] print_report.cold+0x5e/0x5cf [ 798.008768] ? __filemap_get_folio+0x285/0x6d0 [ 798.008774] ? copy_page_from_iter_atomic+0xd3d/0x14b0 [ 798.008777] kasan_report+0xaa/0x120 [ 798.008781] ? copy_page_from_iter_atomic+0xd3d/0x14b0 [ 798.008784] kasan_check_range+0x100/0x1e0 [ 798.008788] memcpy+0x24/0x60 [ 798.008792] copy_page_from_iter_atomic+0xd3d/0x14b0 [ 798.008795] ? pagecache_get_page+0x53/0x160 [ 798.008799] ? iov_iter_get_pages_alloc+0x1590/0x1590 [ 798.008803] ? ext4_write_begin+0xfc0/0xfc0 [ 798.008807] ? current_time+0x72/0x210 [ 798.008811] generic_perform_write+0x2c8/0x530 [ 798.008816] ? filemap_fdatawrite_wbc+0x180/0x180 [ 798.008820] ? down_write+0xb4/0x120 [ 798.008824] ? down_write_killable+0x130/0x130 [ 798.008829] ext4_buffered_write_iter+0x137/0x2c0 [ 798.008833] ext4_file_write_iter+0x40b/0x1490 [ 798.008837] ? __fsnotify_parent+0x275/0xb20 [ 798.008842] ? __fsnotify_update_child_dentry_flags+0x2c0/0x2c0 [ 798.008846] ? ext4_buffered_write_iter+0x2c0/0x2c0 [ 798.008851] __kernel_write+0x3a1/0xa70 [ 798.008855] ? __x64_sys_preadv2+0x160/0x160 [ 798.008860] ? security_file_permission+0x4a/0xa0 [ 798.008865] kernel_write+0xbb/0x360 [ 798.008869] ksmbd_vfs_write+0x27e/0xb90 [ksmbd] [ 798.008881] ? ksmbd_vfs_read+0x830/0x830 [ksmbd] [ 798.008892] ? _raw_read_unlock+0x2a/0x50 [ 798.008896] smb2_write+0xb45/0x14e0 [ksmbd] [ 798.008909] ? __kasan_check_write+0x14/0x20 [ 798.008912] ? _raw_spin_lock_bh+0xd0/0xe0 [ 798.008916] ? smb2_read+0x15e0/0x15e0 [ksmbd] [ 798.008927] ? memcpy+0x4e/0x60 [ 798.008931] ? _raw_spin_unlock+0x19/0x30 [ 798.008934] ? ksmbd_smb2_check_message+0x16af/0x2350 [ksmbd] [ 798.008946] ? _raw_spin_lock_bh+0xe0/0xe0 [ 798.008950] handle_ksmbd_work+0x30e/0x1020 [ksmbd] [ 798.008962] process_one_work+0x778/0x11c0 [ 798.008966] ? _raw_spin_lock_irq+0x8e/0xe0 [ 798.008970] worker_thread+0x544/0x1180 [ 798.008973] ? __cpuidle_text_end+0x4/0x4 [ 798.008977] kthread+0x282/0x320 [ 798.008982] ? process_one_work+0x11c0/0x11c0 [ 798.008985] ? kthread_complete_and_exit+0x30/0x30 [ 798.008989] ret_from_fork+0x1f/0x30 [ 798.008995] Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17817 Signed-off-by: Hyunchul Lee Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 9ec5086d14c587dce3b81fe984d7009584cd9170 Author: Hyunchul Lee Date: Thu Jul 28 21:58:53 2022 +0900 ksmbd: prevent out of bound read for SMB2_TREE_CONNNECT commit 824d4f64c20093275f72fc8101394d75ff6a249e upstream. if Status is not 0 and PathLength is long, smb_strndup_from_utf16 could make out of bound read in smb2_tree_connnect. This bug can lead an oops looking something like: [ 1553.882047] BUG: KASAN: slab-out-of-bounds in smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] [ 1553.882064] Read of size 2 at addr ffff88802c4eda04 by task kworker/0:2/42805 ... [ 1553.882095] Call Trace: [ 1553.882098] [ 1553.882101] dump_stack_lvl+0x49/0x5f [ 1553.882107] print_report.cold+0x5e/0x5cf [ 1553.882112] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] [ 1553.882122] kasan_report+0xaa/0x120 [ 1553.882128] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] [ 1553.882139] __asan_report_load_n_noabort+0xf/0x20 [ 1553.882143] smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] [ 1553.882155] ? smb_strtoUTF16+0x3b0/0x3b0 [ksmbd] [ 1553.882166] ? __kmalloc_node+0x185/0x430 [ 1553.882171] smb2_tree_connect+0x140/0xab0 [ksmbd] [ 1553.882185] handle_ksmbd_work+0x30e/0x1020 [ksmbd] [ 1553.882197] process_one_work+0x778/0x11c0 [ 1553.882201] ? _raw_spin_lock_irq+0x8e/0xe0 [ 1553.882206] worker_thread+0x544/0x1180 [ 1553.882209] ? __cpuidle_text_end+0x4/0x4 [ 1553.882214] kthread+0x282/0x320 [ 1553.882218] ? process_one_work+0x11c0/0x11c0 [ 1553.882221] ? kthread_complete_and_exit+0x30/0x30 [ 1553.882225] ret_from_fork+0x1f/0x30 [ 1553.882231] There is no need to check error request validation in server. This check allow invalid requests not to validate message. Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17818 Signed-off-by: Hyunchul Lee Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit ff20f1875889dbe4a67c9298e609d7c88cf6456d Author: Namjae Jeon Date: Thu Jul 28 21:56:19 2022 +0900 ksmbd: fix memory leak in smb2_handle_negotiate commit aa7253c2393f6dcd6a1468b0792f6da76edad917 upstream. The allocated memory didn't free under an error path in smb2_handle_negotiate(). Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17815 Signed-off-by: Namjae Jeon Reviewed-by: Hyunchul Lee Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 9b9ed61d5ad7664f8cf1b12770f8062996f195bd Author: Srinivas Kandagatla Date: Wed Jul 6 10:56:44 2022 +0100 soundwire: qcom: Check device status before reading devid commit aa1262ca66957183ea1fb32a067e145b995f3744 upstream. As per hardware datasheet its recommended that we check the device status before reading devid assigned by auto-enumeration. Without this patch we see SoundWire devices with invalid enumeration addresses on the bus. Cc: stable@vger.kernel.org Fixes: a6e6581942ca ("soundwire: qcom: add auto enumeration support") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220706095644.5852-1-srinivas.kandagatla@linaro.org Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 84002f936a067951c53d21bfc8c9a1314fe279d1 Author: Bikash Hazarika Date: Tue Jul 12 22:20:38 2022 -0700 scsi: qla2xxx: Zero undefined mailbox IN registers commit 6c96a3c7d49593ef15805f5e497601c87695abc9 upstream. While requesting a new mailbox command, driver does not write any data to unused registers. Initialize the unused register value to zero while requesting a new mailbox command to prevent stale entry access by firmware. Link: https://lore.kernel.org/r/20220713052045.10683-4-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Bikash Hazarika Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 9d08698376c3c2e3986d5ae9d542bc6b2ed0e031 Author: Bikash Hazarika Date: Tue Jul 12 22:20:37 2022 -0700 scsi: qla2xxx: Fix incorrect display of max frame size commit cf3b4fb655796674e605268bd4bfb47a47c8bce6 upstream. Replace display field with the correct field. Link: https://lore.kernel.org/r/20220713052045.10683-3-njavali@marvell.com Fixes: 8777e4314d39 ("scsi: qla2xxx: Migrate NVME N2N handling into state machine") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Bikash Hazarika Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 03d8241112d5e3cccce1a01274a221099f07d2e1 Author: Tony Battersby Date: Mon Jul 11 10:51:32 2022 -0400 scsi: sg: Allow waiting for commands to complete on removed device commit 3455607fd7be10b449f5135c00dc306b85dc0d21 upstream. When a SCSI device is removed while in active use, currently sg will immediately return -ENODEV on any attempt to wait for active commands that were sent before the removal. This is problematic for commands that use SG_FLAG_DIRECT_IO since the data buffer may still be in use by the kernel when userspace frees or reuses it after getting ENODEV, leading to corrupted userspace memory (in the case of READ-type commands) or corrupted data being sent to the device (in the case of WRITE-type commands). This has been seen in practice when logging out of a iscsi_tcp session, where the iSCSI driver may still be processing commands after the device has been marked for removal. Change the policy to allow userspace to wait for active sg commands even when the device is being removed. Return -ENODEV only when there are no more responses to read. Link: https://lore.kernel.org/r/5ebea46f-fe83-2d0b-233d-d0dcb362dd0a@cybernetics.com Cc: Acked-by: Douglas Gilbert Signed-off-by: Tony Battersby Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit b0ab912836792e082032b2a9bfc382bc050e1bdf Author: James Smart Date: Fri Jul 1 14:14:17 2022 -0700 scsi: lpfc: Remove extra atomic_inc on cmd_pending in queuecommand after VMID commit 0948a9c5386095baae4012190a6b65aba684a907 upstream. VMID introduced an extra increment of cmd_pending, causing double-counting of the I/O. The normal increment ios performed in lpfc_get_scsi_buf. Link: https://lore.kernel.org/r/20220701211425.2708-5-jsmart2021@gmail.com Fixes: 33c79741deaf ("scsi: lpfc: vmid: Introduce VMID in I/O path") Cc: # v5.14+ Co-developed-by: Justin Tee Signed-off-by: Justin Tee Signed-off-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit a1135205b0affd255510775a27df571aca84ab4b Author: Zheyu Ma Date: Sun Jul 17 08:42:41 2022 +0800 iio: light: isl29028: Fix the warning in isl29028_remove() commit 06674fc7c003b9d0aa1d37fef7ab2c24802cc6ad upstream. The driver use the non-managed form of the register function in isl29028_remove(). To keep the release order as mirroring the ordering in probe, the driver should use non-managed form in probe, too. The following log reveals it: [ 32.374955] isl29028 0-0010: remove [ 32.376861] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI [ 32.377676] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 32.379432] RIP: 0010:kernfs_find_and_get_ns+0x28/0xe0 [ 32.385461] Call Trace: [ 32.385807] sysfs_unmerge_group+0x59/0x110 [ 32.386110] dpm_sysfs_remove+0x58/0xc0 [ 32.386391] device_del+0x296/0xe50 [ 32.386959] cdev_device_del+0x1d/0xd0 [ 32.387231] devm_iio_device_unreg+0x27/0xb0 [ 32.387542] devres_release_group+0x319/0x3d0 [ 32.388162] i2c_device_remove+0x93/0x1f0 Fixes: 2db5054ac28d ("staging: iio: isl29028: add runtime power management support") Signed-off-by: Zheyu Ma Link: https://lore.kernel.org/r/20220717004241.2281028-1-zheyuma97@gmail.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 2c6431d406578e65475632138fb151884739841d Author: Fawzi Khaber Date: Mon Jul 18 15:07:06 2022 +0200 iio: fix iio_format_avail_range() printing for none IIO_VAL_INT commit 5e1f91850365de55ca74945866c002fda8f00331 upstream. iio_format_avail_range() should print range as follow [min, step, max], so the function was previously calling iio_format_list() with length = 3, length variable refers to the array size of values not the number of elements. In case of non IIO_VAL_INT values each element has integer part and decimal part. With length = 3 this would cause premature end of loop and result in printing only one element. Signed-off-by: Fawzi Khaber Signed-off-by: Jean-Baptiste Maneyrol Fixes: eda20ba1e25e ("iio: core: Consolidate iio_format_avail_{list,range}()") Link: https://lore.kernel.org/r/20220718130706.32571-1-jmaneyrol@invensense.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 3e90479895476fc3cbeffe2bfe01fa35607eab73 Author: Jason A. Donenfeld Date: Wed Jul 13 01:12:21 2022 +0200 um: seed rng using host OS rng commit 0b9ba6135d7f18b82f3d8bebb55ded725ba88e0e upstream. UML generally does not provide access to special CPU instructions like RDRAND, and execution tends to be rather deterministic, with no real hardware interrupts, making good randomness really very hard, if not all together impossible. Not only is this a security eyebrow raiser, but it's also quite annoying when trying to do various pieces of UML-based automation that takes a long time to boot, if ever. Fix this by trivially calling getrandom() in the host and using that seed as "bootloader randomness", which initializes the rng immediately at UML boot. The old behavior can be restored the same way as on any other arch, by way of CONFIG_TRUST_BOOTLOADER_RANDOMNESS=n or random.trust_bootloader=0. So seen from that perspective, this just makes UML act like other archs, which is positive in its own right. Additionally, wire up arch_get_random_{int,long}() in the same way, so that reseeds can also make use of the host RNG, controllable by CONFIG_TRUST_CPU_RANDOMNESS and random.trust_cpu, per usual. Cc: stable@vger.kernel.org Acked-by: Johannes Berg Acked-By: Anton Ivanov Signed-off-by: Jason A. Donenfeld Signed-off-by: Greg Kroah-Hartman commit dacd09269aae84a12e67c68085cfc4dea4736e2b Author: Benjamin Beichler Date: Tue May 31 11:17:39 2022 +0000 um: Remove straying parenthesis commit c6496e0a4a90d8149203c16323cff3fa46e422e7 upstream. Commit e3a33af812c6 ("um: fix and optimize xor select template for CONFIG64 and timetravel mode") caused a build regression when CONFIG_XOR_BLOCKS and CONFIG_UML_TIME_TRAVEL_SUPPORT are selected. Fix it by removing the straying parenthesis. Cc: stable@vger.kernel.org Fixes: e3a33af812c6 ("um: fix and optimize xor select template for CONFIG64 and timetravel mode") Signed-off-by: Benjamin Beichler [rw: Added commit message] Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit bb2c0e65f06cd4aa7094bc9aa7ee965166b39999 Author: Amit Kumar Mahapatra Date: Tue Jun 28 21:18:23 2022 +0530 mtd: rawnand: arasan: Update NAND bus clock instead of system clock commit 7499bfeedb47efc1ee4dc793b92c610d46e6d6a6 upstream. In current implementation the Arasan NAND driver is updating the system clock(i.e., anand->clk) in accordance to the timing modes (i.e., SDR or NVDDR). But as per the Arasan NAND controller spec the flash clock or the NAND bus clock(i.e., nfc->bus_clk), need to be updated instead. This patch keeps the system clock unchanged and updates the NAND bus clock as per the timing modes. Fixes: 197b88fecc50 ("mtd: rawnand: arasan: Add new Arasan NAND controller") CC: stable@vger.kernel.org # 5.8+ Signed-off-by: Amit Kumar Mahapatra Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220628154824.12222-2-amit.kumar-mahapatra@xilinx.com Signed-off-by: Greg Kroah-Hartman commit 37276f51bb4a06c9dda1e6b2a53f47f93147a4c1 Author: Olga Kitaina Date: Tue Jun 28 21:18:24 2022 +0530 mtd: rawnand: arasan: Fix clock rate in NV-DDR commit e16eceea863b417fd328588b1be1a79de0bc937f upstream. According to the Arasan NAND controller spec, the flash clock rate for SDR must be <= 100 MHz, while for NV-DDR it must be the same as the rate of the CLK line for the mode. The driver previously always set 100 MHz for NV-DDR, which would result in incorrect behavior for NV-DDR modes 0-4. The appropriate clock rate can be calculated from the NV-DDR timing parameters as 1/tCK, or for rates measured in picoseconds, 10^12 / nand_nvddr_timings->tCK_min. Fixes: 197b88fecc50 ("mtd: rawnand: arasan: Add new Arasan NAND controller") CC: stable@vger.kernel.org # 5.8+ Signed-off-by: Olga Kitaina Signed-off-by: Amit Kumar Mahapatra Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220628154824.12222-3-amit.kumar-mahapatra@xilinx.com Signed-off-by: Greg Kroah-Hartman commit 7e06e615279cdb44db144687d400a88d891dbbad Author: Qu Wenruo Date: Tue Jun 7 19:48:24 2022 +0800 btrfs: reject log replay if there is unsupported RO compat flag commit dc4d31684974d140250f3ee612c3f0cab13b3146 upstream. [BUG] If we have a btrfs image with dirty log, along with an unsupported RO compatible flag: log_root 30474240 ... compat_flags 0x0 compat_ro_flags 0x40000003 ( FREE_SPACE_TREE | FREE_SPACE_TREE_VALID | unknown flag: 0x40000000 ) Then even if we can only mount it RO, we will still cause metadata update for log replay: BTRFS info (device dm-1): flagging fs with big metadata feature BTRFS info (device dm-1): using free space tree BTRFS info (device dm-1): has skinny extents BTRFS info (device dm-1): start tree-log replay This is definitely against RO compact flag requirement. [CAUSE] RO compact flag only forces us to do RO mount, but we will still do log replay for plain RO mount. Thus this will result us to do log replay and update metadata. This can be very problematic for new RO compat flag, for example older kernel can not understand v2 cache, and if we allow metadata update on RO mount and invalidate/corrupt v2 cache. [FIX] Just reject the mount unless rescue=nologreplay is provided: BTRFS error (device dm-1): cannot replay dirty log with unsupport optional features (0x40000000), try rescue=nologreplay instead We don't want to set rescue=nologreply directly, as this would make the end user to read the old data, and cause confusion. Since the such case is really rare, we're mostly fine to just reject the mount with an error message, which also includes the proper workaround. CC: stable@vger.kernel.org #4.9+ Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit be001f9da71eaa3b61e186fb88bde3279728bdca Author: Tadeusz Struk Date: Tue May 17 11:04:20 2022 -0700 bpf: Fix KASAN use-after-free Read in compute_effective_progs commit 4c46091ee985ae84c60c5e95055d779fcd291d87 upstream. Syzbot found a Use After Free bug in compute_effective_progs(). The reproducer creates a number of BPF links, and causes a fault injected alloc to fail, while calling bpf_link_detach on them. Link detach triggers the link to be freed by bpf_link_free(), which calls __cgroup_bpf_detach() and update_effective_progs(). If the memory allocation in this function fails, the function restores the pointer to the bpf_cgroup_link on the cgroup list, but the memory gets freed just after it returns. After this, every subsequent call to update_effective_progs() causes this already deallocated pointer to be dereferenced in prog_list_length(), and triggers KASAN UAF error. To fix this issue don't preserve the pointer to the prog or link in the list, but remove it and replace it with a dummy prog without shrinking the table. The subsequent call to __cgroup_bpf_detach() or __cgroup_bpf_detach() will correct it. Fixes: af6eea57437a ("bpf: Implement bpf_link-based cgroup BPF program attachment") Reported-by: Signed-off-by: Tadeusz Struk Signed-off-by: Andrii Nakryiko Cc: Link: https://syzkaller.appspot.com/bug?id=8ebf179a95c2a2670f7cf1ba62429ec044369db4 Link: https://lore.kernel.org/bpf/20220517180420.87954-1-tadeusz.struk@linaro.org Signed-off-by: Greg Kroah-Hartman commit 261027d9988c0256f9f0109b36bae4af62c509b9 Author: Leo Li Date: Tue Jul 12 12:30:29 2022 -0400 drm/amdgpu: Check BO's requested pinning domains against its preferred_domains commit f5ba14043621f4afdf3ad5f92ee2d8dbebbe4340 upstream. When pinning a buffer, we should check to see if there are any additional restrictions imposed by bo->preferred_domains. This will prevent the BO from being moved to an invalid domain when pinning. For example, this can happen if the user requests to create a BO in GTT domain for display scanout. amdgpu_dm will allow pinning to either VRAM or GTT domains, since DCN can scanout from either or. However, in amdgpu_bo_pin_restricted(), pinning to VRAM is preferred if there is adequate carveout. This can lead to pinning to VRAM despite the user requesting GTT placement for the BO. v2: Allow the kernel to override the domain, which can happen when exporting a BO to a V4L camera (for example). Signed-off-by: Leo Li Reviewed-by: Alex Deucher Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 82d87b12e191cba68ee06331433577cb48ddd043 Author: Dmitry Osipenko Date: Wed Jun 29 01:42:39 2022 +0300 drm/tegra: Fix vmapping of prime buffers commit c7860cbee9989882d2908682526a5ef617523cfe upstream. The code assumes that Tegra GEM is permanently vmapped, which is not true for the scattered buffers. After converting Tegra video decoder driver to V4L API, we're now getting a BUG_ON from dma-buf core on playing video using libvdpau-tegra on T30+ because tegra_gem_prime_vmap() sets vaddr to NULL. Older pre-V4L video decoder driver wasn't vmapping dma-bufs. Fix it by actually vmapping the exported GEMs. Cc: stable@vger.kernel.org Signed-off-by: Dmitry Osipenko Signed-off-by: Thierry Reding Signed-off-by: Greg Kroah-Hartman commit 54f0c628c634b94cffc1eda43e97f03f3c348b91 Author: Lyude Paul Date: Thu May 26 16:43:13 2022 -0400 drm/nouveau/kms: Fix failure path for creating DP connectors commit ca0367ca5d9216644b41f86348d6661f8d9e32d8 upstream. It looks like that when we moved nouveau over to using drm_dp_aux_init() and registering it's aux bus during late connector registration, we totally forgot to fix the failure codepath in nouveau_connector_create() - as it still seems to assume that drm_dp_aux_init() can fail (it can't). So, let's fix that and also add a missing check to ensure that we've properly allocated nv_connector->aux.name while we're at it. Signed-off-by: Lyude Paul Reviewed-by: David Airlie Fixes: fd43ad9d47e7 ("drm/nouveau/kms/nv50-: Move AUX adapter reg to connector late register/early unregister") Cc: # v5.14+ Link: https://patchwork.freedesktop.org/patch/msgid/20220526204313.656473-1-lyude@redhat.com Signed-off-by: Greg Kroah-Hartman commit 5c5b1707884e035c06e5c3fbaf393c6bc794784a Author: Lyude Paul Date: Thu Jul 14 13:42:33 2022 -0400 drm/nouveau/acpi: Don't print error when we get -EINPROGRESS from pm_runtime commit 53c26181950ddc3c8ace3c0939c89e9c4d8deeb9 upstream. Since this isn't actually a failure. Signed-off-by: Lyude Paul Reviewed-by: David Airlie Fixes: 79e765ad665d ("drm/nouveau/drm/nouveau: Prevent handling ACPI HPD events too early") Cc: # v4.19+ Link: https://patchwork.freedesktop.org/patch/msgid/20220714174234.949259-2-lyude@redhat.com Signed-off-by: Greg Kroah-Hartman commit c2bd8f52c6c479228aac78185df46d323c6e8dc2 Author: Lyude Paul Date: Thu Jul 14 13:42:34 2022 -0400 drm/nouveau: Don't pm_runtime_put_sync(), only pm_runtime_put_autosuspend() commit c96cfaf8fc02d4bb70727dfa7ce7841a3cff9be2 upstream. While trying to fix another issue, it occurred to me that I don't actually think there is any situation where we want pm_runtime_put() in nouveau to be synchronous. In fact, this kind of just seems like it would cause issues where we may unexpectedly block a thread we don't expect to be blocked. So, let's only use pm_runtime_put_autosuspend(). Changes since v1: * Use pm_runtime_put_autosuspend(), not pm_runtime_put() Signed-off-by: Lyude Paul Reviewed-by: David Airlie Fixes: 3a6536c51d5d ("drm/nouveau: Intercept ACPI_VIDEO_NOTIFY_PROBE") Cc: Hans de Goede Cc: # v4.10+ Link: https://patchwork.freedesktop.org/patch/msgid/20220714174234.949259-3-lyude@redhat.com Signed-off-by: Greg Kroah-Hartman commit f223ddb6be37e8a8d285b0cf6cef8eaa7ba75a5e Author: Timur Tabi Date: Wed May 11 11:37:16 2022 -0500 drm/nouveau: fix another off-by-one in nvbios_addr commit c441d28945fb113220d48d6c86ebc0b090a2b677 upstream. This check determines whether a given address is part of image 0 or image 1. Image 1 starts at offset image0_size, so that address should be included. Fixes: 4d4e9907ff572 ("drm/nouveau/bios: guard against out-of-bounds accesses to image") Cc: # v4.8+ Signed-off-by: Timur Tabi Reviewed-by: Karol Herbst Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20220511163716.3520591-1-ttabi@nvidia.com Signed-off-by: Greg Kroah-Hartman commit b1475e2400c9005459a2caf97286111ce61ad385 Author: Imre Deak Date: Tue Jun 14 12:45:37 2022 +0300 drm/dp/mst: Read the extended DPCD capabilities during system resume commit 7a710a8bc909313951eb9252d8419924c771d7c2 upstream. The WD22TB4 Thunderbolt dock at least will revert its DP_MAX_LINK_RATE from HBR3 to HBR2 after system suspend/resume if the DP_DP13_DPCD_REV registers are not read subsequently also as required. Fix this by reading DP_DP13_DPCD_REV registers as well, matching what is done during connector detection. While at it also fix up the same call in drm_dp_mst_dump_topology(). Cc: Lyude Paul Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5292 Signed-off-by: Imre Deak Reviewed-by: Jani Nikula Cc: # v5.14+ Reviewed-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20220614094537.885472-1-imre.deak@intel.com Signed-off-by: Greg Kroah-Hartman commit f845dccb5334add531fe50384d7b411cd074a4ac Author: Thomas Zimmermann Date: Wed Jun 22 10:34:13 2022 +0200 drm/hyperv-drm: Include framebuffer and EDID headers commit 009a3a52791f31c57d755a73f6bc66fbdd8bd76c upstream. Fix a number of compile errors by including the correct header files. Examples are shown below. ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c: In function 'hyperv_blit_to_vram_rect': ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c:25:48: error: invalid use of undefined type 'struct drm_framebuffer' 25 | struct hyperv_drm_device *hv = to_hv(fb->dev); | ^~ ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c: In function 'hyperv_connector_get_modes': ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c:59:17: error: implicit declaration of function 'drm_add_modes_noedid' [-Werror=implicit-function-declaration] 59 | count = drm_add_modes_noedid(connector, | ^~~~~~~~~~~~~~~~~~~~ ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c:62:9: error: implicit declaration of function 'drm_set_preferred_mode'; did you mean 'drm_mm_reserve_node'? [-Werror=implicit-function-declaration] 62 | drm_set_preferred_mode(connector, hv->preferred_width, | ^~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Thomas Zimmermann Fixes: 76c56a5affeb ("drm/hyperv: Add DRM driver for hyperv synthetic video device") Fixes: 720cf96d8fec ("drm: Drop drm_framebuffer.h from drm_crtc.h") Fixes: 255490f9150d ("drm: Drop drm_edid.h from drm_crtc.h") Cc: Deepak Rawat Cc: Thomas Zimmermann Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: linux-hyperv@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: # v5.14+ Acked-by: Maxime Ripard Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20220622083413.12573-1-tzimmermann@suse.de Signed-off-by: Greg Kroah-Hartman commit 9c49ac792c639dbec0728b513329a32461f72253 Author: Thomas Zimmermann Date: Tue Jun 21 12:46:17 2022 +0200 drm/fb-helper: Fix out-of-bounds access commit ae25885bdf59fde40726863c57fd20e4a0642183 upstream. Clip memory range to screen-buffer size to avoid out-of-bounds access in fbdev deferred I/O's damage handling. Fbdev's deferred I/O can only track pages. From the range of pages, the damage handler computes the clipping rectangle for the display update. If the fbdev screen buffer ends near the beginning of a page, that page could contain more scanlines. The damage handler would then track these non-existing scanlines as dirty and provoke an out-of-bounds access during the screen update. Hence, clip the maximum memory range to the size of the screen buffer. While at it, rename the variables min/max to min_off/max_off in drm_fb_helper_deferred_io(). This avoids confusion with the macros of the same name. Reported-by: Nuno Gonçalves Signed-off-by: Thomas Zimmermann Reviewed-by: Javier Martinez Canillas Tested-by: Nuno Gonçalves Fixes: 67b723f5b742 ("drm/fb-helper: Calculate damaged area in separate helper") Cc: Thomas Zimmermann Cc: Javier Martinez Canillas Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: # v5.18+ Link: https://patchwork.freedesktop.org/patch/msgid/20220621104617.8817-1-tzimmermann@suse.de Signed-off-by: Greg Kroah-Hartman commit 071f693b43154823b372a486e028b6ecc1a77a3b Author: Paul Cercueil Date: Sun Jul 3 00:07:27 2022 +0100 drm/ingenic: Use the highest possible DMA burst size commit f0dce5c4fdaf9e98dd2755ffb1363822854b6287 upstream. Until now, when running at the maximum resolution of 1280x720 at 32bpp on the JZ4770 SoC the output was garbled, the X/Y position of the top-left corner of the framebuffer warping to a random position with the whole image being offset accordingly, every time a new frame was being submitted. This problem can be eliminated by using a bigger burst size for the DMA. Set in each soc_info structure the maximum burst size supported by the corresponding SoC, and use it in the driver. Set the new value using regmap_update_bits() instead of regmap_set_bits(), since we do want to override the old value of the burst size. (Note that regmap_set_bits() wasn't really valid before for the same reason, but it never seemed to be a problem). Cc: Fixes: 90b86fcc47b4 ("DRM: Add KMS driver for the Ingenic JZ47xx SoCs") Signed-off-by: Paul Cercueil Link: https://patchwork.freedesktop.org/patch/msgid/20220702230727.66704-1-paul@crapouillou.net Acked-by: Sam Ravnborg Tested-by: Christophe Branchereau Signed-off-by: Greg Kroah-Hartman commit 701373decc687be3482018bcb2c8506a96b87e77 Author: Phil Elwell Date: Mon Jun 13 16:47:44 2022 +0200 drm/vc4: hdmi: Disable audio if dmas property is present but empty commit db2b927f8668adf3ac765e0921cd2720f5c04172 upstream. The dmas property is used to hold the dmaengine channel used for audio output. Older device trees were missing that property, so if it's not there we disable the audio output entirely. However, some overlays have set an empty value to that property, mostly to workaround the fact that overlays cannot remove a property. Let's add a test for that case and if it's empty, let's disable it as well. Cc: Signed-off-by: Phil Elwell Link: https://lore.kernel.org/r/20220613144800.326124-18-maxime@cerno.tech Signed-off-by: Maxime Ripard Signed-off-by: Greg Kroah-Hartman commit 514b5bfcd3526d9af571a6871d19e30b77e28104 Author: Dmitry Osipenko Date: Thu Jun 30 23:00:57 2022 +0300 drm/shmem-helper: Add missing vunmap on error commit df4aaf015775221dde8a51ee09edb919981f091e upstream. The vmapping of dma-buf may succeed, but DRM SHMEM rejects the IOMEM mapping, and thus, drm_gem_shmem_vmap_locked() should unvmap the IOMEM before erroring out. Cc: stable@vger.kernel.org Fixes: 49a3f51dfeee ("drm/gem: Use struct dma_buf_map in GEM vmap ops and convert GEM backends") Signed-off-by: Dmitry Osipenko Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20220630200058.1883506-2-dmitry.osipenko@collabora.com Signed-off-by: Greg Kroah-Hartman commit 2869c17ab6061abf78d1365203851f92fc0911a9 Author: Dmitry Osipenko Date: Thu Jun 30 23:04:04 2022 +0300 drm/gem: Properly annotate WW context on drm_gem_lock_reservations() error commit 2939deac1fa220bc82b89235f146df1d9b52e876 upstream. Use ww_acquire_fini() in the error code paths. Otherwise lockdep thinks that lock is held when lock's memory is freed after the drm_gem_lock_reservations() error. The ww_acquire_context needs to be annotated as "released", which fixes the noisy "WARNING: held lock freed!" splat of VirtIO-GPU driver with CONFIG_DEBUG_MUTEXES=y and enabled lockdep. Cc: stable@vger.kernel.org Fixes: 7edc3e3b975b5 ("drm: Add helpers for locking an array of BO reservations.") Reviewed-by: Thomas Hellström Reviewed-by: Christian König Signed-off-by: Dmitry Osipenko Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20220630200405.1883897-2-dmitry.osipenko@collabora.com Signed-off-by: Greg Kroah-Hartman commit c99f19fce60836c02b5eb7c6f1277e13d0596780 Author: Mathew McBride Date: Wed Jul 6 07:42:36 2022 +0000 rtc: rx8025: fix 12/24 hour mode detection on RX-8035 commit 71af91565052214ad86f288e0d8ffb165f790995 upstream. The 12/24hr flag in the RX-8035 can be found in the hour register, instead of the CTRL1 on the RX-8025. This was overlooked when support for the RX-8035 was added, and was causing read errors when the hour register 'overflowed'. To deal with the relevant register not always being visible in the relevant functions, determine the 12/24 mode at startup and store it in the driver state. Signed-off-by: Mathew McBride Fixes: f120e2e33ac8 ("rtc: rx8025: implement RX-8035 support") Cc: stable@vger.kernel.org Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20220706074236.24011-1-matt@traverse.com.au Signed-off-by: Greg Kroah-Hartman commit 91e11b151e950e50694a1b85b7e599698758a84b Author: Jason A. Donenfeld Date: Tue Aug 9 16:57:57 2022 +0200 wireguard: selftests: set CONFIG_NONPORTABLE on riscv32 commit 9019b4f6d9bd88524ecd95420cf9cd4aaed7a125 upstream. When the CONFIG_PORTABLE/CONFIG_NONPORTABLE switches were added, various configs were updated, but the wireguard config was forgotten about. This leads to unbootable test kernels, causing CI fails. Add CONFIG_NONPORTABLE=y to the wireguard test suite configuration for riscv32. Fixes: 44c1e84a38a0 ("RISC-V: Add CONFIG_{NON,}PORTABLE") Signed-off-by: Jason A. Donenfeld Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220809145757.83673-1-Jason@zx2c4.com Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 099e15195daeafb0bd4912ff77844a9b21f0a1eb Author: Atish Patra Date: Mon Jul 11 10:46:29 2022 -0700 RISC-V: Update user page mapping only once during start commit 133a6d1fe7d7ad8393af025c4dde379c0616661f upstream. Currently, riscv_pmu_event_set_period updates the userpage mapping. However, the caller of riscv_pmu_event_set_period should update the userpage mapping because the counter can not be updated/started from set_period function in counter overflow path. Invoke the perf_event_update_userpage at the caller so that it doesn't get invoked twice during counter start path. Fixes: f5bfa23f576f ("RISC-V: Add a perf core library for pmu drivers") Reviewed-by: Anup Patel Signed-off-by: Atish Patra Reviewed-by: Guo Ren Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220711174632.4186047-3-atishp@rivosinc.com Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit fcc37c9de0ed6d078d94df4a7acde1075bcc5a1f Author: Atish Patra Date: Mon Jul 11 10:46:30 2022 -0700 RISC-V: Fix SBI PMU calls for RV32 commit 0209b5830bea42dd3ce33ab0397231e67ec3b751 upstream. Some of the SBI PMU calls does not pass 64bit arguments correctly and not under RV32 compile time flags. Currently, this doesn't create any incorrect results as RV64 ignores any value in the additional register and qemu doesn't support raw events. Fix those SBI calls in order to set correct values for RV32. Fixes: e9991434596f ("RISC-V: Add perf platform driver based on SBI PMU extension") Signed-off-by: Atish Patra Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220711174632.4186047-4-atishp@rivosinc.com Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit a775c75190ffedc6f69c144b737cc860a8588e83 Author: Atish Patra Date: Mon Jul 11 10:46:28 2022 -0700 RISC-V: Fix counter restart during overflow for RV32 commit acc1b919f47926b089be21b8aaa29ec91fef0aa2 upstream. Pass the upper half of the initial value of the counter correctly for RV32. Fixes: 4905ec2fb7e6 ("RISC-V: Add sscofpmf extension support") Signed-off-by: Atish Patra Reviewed-by: Guo Ren Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220711174632.4186047-2-atishp@rivosinc.com Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit f46e3ebf6de1114fcc4d91d0d6f876f1c3ab2796 Author: Xianting Tian Date: Thu Aug 11 15:41:48 2022 +0800 RISC-V: Add modules to virtual kernel memory layout dump commit f9293ad46d8ba9909187a37b7215324420ad4596 upstream. Modules always live before the kernel, MODULES_END is fixed but MODULES_VADDR isn't fixed, it depends on the kernel size. Let's add it to virtual kernel memory layout dump. As MODULES is only defined for CONFIG_64BIT, so we dump it when CONFIG_64BIT=y. eg, MODULES_VADDR - MODULES_END 0xffffffff01133000 - 0xffffffff80000000 Reviewed-by: Guo Ren Reviewed-by: Heiko Stuebner Signed-off-by: Xianting Tian Link: https://lore.kernel.org/r/20220811074150.3020189-5-xianting.tian@linux.alibaba.com Cc: stable@vger.kernel.org Fixes: 2bfc6cd81bd1 ("riscv: Move kernel mapping outside of linear mapping") Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 14b26f63a080eae57d3c49ed24e3f47309fc838d Author: Xianting Tian Date: Thu Aug 11 15:41:47 2022 +0800 RISC-V: Fixup schedule out issue in machine_crash_shutdown() commit ad943893d5f1d0aeea892bf7b781cf8062b36d58 upstream. Current task of executing crash kexec will be schedule out when panic is triggered by RCU Stall, as it needs to wait rcu completion. It lead to inability to enter the crash system. The implementation of machine_crash_shutdown() is non-standard for RISC-V according to other Arch's implementation(eg, x86, arm64), we need to send IPI to stop secondary harts. [224521.877268] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: [224521.883471] rcu: 0-...0: (3 GPs behind) idle=cfa/0/0x1 softirq=3968793/3968793 fqs=2495 [224521.891742] (detected by 2, t=5255 jiffies, g=60855593, q=328) [224521.897754] Task dump for CPU 0: [224521.901074] task:swapper/0 state:R running task stack: 0 pid: 0 ppid: 0 flags:0x00000008 [224521.911090] Call Trace: [224521.913638] [] __schedule+0x208/0x5ea [224521.918957] Kernel panic - not syncing: RCU Stall [224521.923773] bad: scheduling from the idle thread! [224521.928571] CPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Tainted: G O 5.10.113-yocto-standard #1 [224521.938658] Call Trace: [224521.941200] [] walk_stackframe+0x0/0xaa [224521.946689] [] show_stack+0x32/0x3e [224521.951830] [] dump_stack_lvl+0x7e/0xa2 [224521.957317] [] dump_stack+0x14/0x1c [224521.962459] [] dequeue_task_idle+0x2c/0x40 [224521.968207] [] __schedule+0x41e/0x5ea [224521.973520] [] schedule+0x34/0xe4 [224521.978487] [] schedule_timeout+0xc6/0x170 [224521.984234] [] wait_for_completion+0x98/0xf2 [224521.990157] [] __wait_rcu_gp+0x148/0x14a [224521.995733] [] synchronize_rcu+0x5c/0x66 [224522.001307] [] rcu_sync_enter+0x54/0xe6 [224522.006795] [] percpu_down_write+0x32/0x11c [224522.012629] [] _cpu_down+0x92/0x21a [224522.017771] [] smp_shutdown_nonboot_cpus+0x90/0x118 [224522.024299] [] machine_crash_shutdown+0x30/0x4a [224522.030483] [] __crash_kexec+0x62/0xa6 [224522.035884] [] panic+0xfa/0x2b6 [224522.040678] [] rcu_sched_clock_irq+0xc26/0xcb8 [224522.046774] [] update_process_times+0x62/0x8a [224522.052785] [] tick_sched_timer+0x9e/0x102 [224522.058533] [] __hrtimer_run_queues+0x16a/0x318 [224522.064716] [] hrtimer_interrupt+0xd4/0x228 [224522.070551] [] riscv_timer_interrupt+0x3c/0x48 [224522.076646] [] handle_percpu_devid_irq+0xb0/0x24c [224522.083004] [] __handle_domain_irq+0xa8/0x122 [224522.089014] [] riscv_intc_irq+0x38/0x60 [224522.094501] [] ret_from_exception+0x0/0xc [224522.100161] [] rcu_eqs_enter.constprop.0+0x8c/0xb8 With the patch, it can enter crash system when RCU Stall occur. Fixes: e53d28180d4d ("RISC-V: Add kdump support") Signed-off-by: Xianting Tian Link: https://lore.kernel.org/r/20220811074150.3020189-4-xianting.tian@linux.alibaba.com Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 710559c0d73b3448a85ec79e43bc25df5b4ef1b4 Author: Xianting Tian Date: Thu Aug 11 15:41:46 2022 +0800 RISC-V: Fixup get incorrect user mode PC for kernel mode regs commit 59c026c359c30f116fef6ee958e24d04983efbb0 upstream. When use 'echo c > /proc/sysrq-trigger' to trigger kdump, riscv_crash_save_regs() will be called to save regs for vmcore, we found "epc" value 00ffffffa5537400 is not a valid kernel virtual address, but is a user virtual address. Other regs(eg, ra, sp, gp...) are correct kernel virtual address. Actually 0x00ffffffb0dd9400 is the user mode PC of 'PID: 113 Comm: sh', which is saved in the task's stack. [ 21.201701] CPU: 0 PID: 113 Comm: sh Kdump: loaded Not tainted 5.18.9 #45 [ 21.201979] Hardware name: riscv-virtio,qemu (DT) [ 21.202160] epc : 00ffffffa5537400 ra : ffffffff80088640 sp : ff20000010333b90 [ 21.202435] gp : ffffffff810dde38 tp : ff6000000226c200 t0 : ffffffff8032be7c [ 21.202707] t1 : 0720072007200720 t2 : 30203a7375746174 s0 : ff20000010333cf0 [ 21.202973] s1 : 0000000000000000 a0 : ff20000010333b98 a1 : 0000000000000001 [ 21.203243] a2 : 0000000000000010 a3 : 0000000000000000 a4 : 28c8f0aeffea4e00 [ 21.203519] a5 : 28c8f0aeffea4e00 a6 : 0000000000000009 a7 : ffffffff8035c9b8 [ 21.203794] s2 : ffffffff810df0a8 s3 : ffffffff810df718 s4 : ff20000010333b98 [ 21.204062] s5 : 0000000000000000 s6 : 0000000000000007 s7 : ffffffff80c4a468 [ 21.204331] s8 : 00ffffffef451410 s9 : 0000000000000007 s10: 00aaaaaac0510700 [ 21.204606] s11: 0000000000000001 t3 : ff60000001218f00 t4 : ff60000001218f00 [ 21.204876] t5 : ff60000001218000 t6 : ff200000103338b8 [ 21.205079] status: 0000000200000020 badaddr: 0000000000000000 cause: 0000000000000008 With the incorrect PC, the backtrace showed by crash tool as below, the first stack frame is abnormal, crash> bt PID: 113 TASK: ff60000002269600 CPU: 0 COMMAND: "sh" #0 [ff2000001039bb90] __efistub_.Ldebug_info0 at 00ffffffa5537400 <-- Abnormal #1 [ff2000001039bcf0] panic at ffffffff806578ba #2 [ff2000001039bd50] sysrq_reset_seq_param_set at ffffffff8038c030 #3 [ff2000001039bda0] __handle_sysrq at ffffffff8038c5f8 #4 [ff2000001039be00] write_sysrq_trigger at ffffffff8038cad8 #5 [ff2000001039be20] proc_reg_write at ffffffff801b7edc #6 [ff2000001039be40] vfs_write at ffffffff80152ba6 #7 [ff2000001039be80] ksys_write at ffffffff80152ece #8 [ff2000001039bed0] sys_write at ffffffff80152f46 With the patch, we can get current kernel mode PC, the output as below, [ 17.607658] CPU: 0 PID: 113 Comm: sh Kdump: loaded Not tainted 5.18.9 #42 [ 17.607937] Hardware name: riscv-virtio,qemu (DT) [ 17.608150] epc : ffffffff800078f8 ra : ffffffff8008862c sp : ff20000010333b90 [ 17.608441] gp : ffffffff810dde38 tp : ff6000000226c200 t0 : ffffffff8032be68 [ 17.608741] t1 : 0720072007200720 t2 : 666666666666663c s0 : ff20000010333cf0 [ 17.609025] s1 : 0000000000000000 a0 : ff20000010333b98 a1 : 0000000000000001 [ 17.609320] a2 : 0000000000000010 a3 : 0000000000000000 a4 : 0000000000000000 [ 17.609601] a5 : ff60000001c78000 a6 : 000000000000003c a7 : ffffffff8035c9a4 [ 17.609894] s2 : ffffffff810df0a8 s3 : ffffffff810df718 s4 : ff20000010333b98 [ 17.610186] s5 : 0000000000000000 s6 : 0000000000000007 s7 : ffffffff80c4a468 [ 17.610469] s8 : 00ffffffca281410 s9 : 0000000000000007 s10: 00aaaaaab5bb6700 [ 17.610755] s11: 0000000000000001 t3 : ff60000001218f00 t4 : ff60000001218f00 [ 17.611041] t5 : ff60000001218000 t6 : ff20000010333988 [ 17.611255] status: 0000000200000020 badaddr: 0000000000000000 cause: 0000000000000008 With the correct PC, the backtrace showed by crash tool as below, crash> bt PID: 113 TASK: ff6000000226c200 CPU: 0 COMMAND: "sh" #0 [ff20000010333b90] riscv_crash_save_regs at ffffffff800078f8 <--- Normal #1 [ff20000010333cf0] panic at ffffffff806578c6 #2 [ff20000010333d50] sysrq_reset_seq_param_set at ffffffff8038c03c #3 [ff20000010333da0] __handle_sysrq at ffffffff8038c604 #4 [ff20000010333e00] write_sysrq_trigger at ffffffff8038cae4 #5 [ff20000010333e20] proc_reg_write at ffffffff801b7ee8 #6 [ff20000010333e40] vfs_write at ffffffff80152bb2 #7 [ff20000010333e80] ksys_write at ffffffff80152eda #8 [ff20000010333ed0] sys_write at ffffffff80152f52 Fixes: e53d28180d4d ("RISC-V: Add kdump support") Co-developed-by: Guo Ren Signed-off-by: Xianting Tian Link: https://lore.kernel.org/r/20220811074150.3020189-3-xianting.tian@linux.alibaba.com Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 09dff3955d75a974d3aea833aca9f7b720d68f94 Author: Xianting Tian Date: Thu Aug 11 15:41:45 2022 +0800 RISC-V: kexec: Fixup use of smp_processor_id() in preemptible context commit 357628e68f5c08ad578a718dc62a0031e06dbe91 upstream. Use __smp_processor_id() to avoid check the preemption context when CONFIG_DEBUG_PREEMPT enabled, as we will enter crash kernel and no return. Without the patch, [ 103.781044] sysrq: Trigger a crash [ 103.784625] Kernel panic - not syncing: sysrq triggered crash [ 103.837634] CPU1: off [ 103.889668] CPU2: off [ 103.933479] CPU3: off [ 103.939424] Starting crashdump kernel... [ 103.943442] BUG: using smp_processor_id() in preemptible [00000000] code: sh/346 [ 103.950884] caller is debug_smp_processor_id+0x1c/0x26 [ 103.956051] CPU: 0 PID: 346 Comm: sh Kdump: loaded Not tainted 5.10.113-00002-gce03f03bf4ec-dirty #149 [ 103.965355] Call Trace: [ 103.967805] [] walk_stackframe+0x0/0xa2 [ 103.973206] [] show_stack+0x32/0x3e [ 103.978258] [] dump_stack_lvl+0x72/0x8e [ 103.983655] [] dump_stack+0x14/0x1c [ 103.988705] [] check_preemption_disabled+0x9e/0xaa [ 103.995057] [] debug_smp_processor_id+0x1c/0x26 [ 104.001150] [] machine_kexec+0x22/0xd0 [ 104.006463] [] __crash_kexec+0x6a/0xa4 [ 104.011774] [] panic+0xfc/0x2b0 [ 104.016480] [] sysrq_reset_seq_param_set+0x0/0x70 [ 104.022745] [] __handle_sysrq+0x8c/0x154 [ 104.028229] [] write_sysrq_trigger+0x5a/0x6a [ 104.034061] [] proc_reg_write+0x58/0xd4 [ 104.039459] [] vfs_write+0x7e/0x254 [ 104.044509] [] ksys_write+0x58/0xbe [ 104.049558] [] sys_write+0xe/0x16 [ 104.054434] [] ret_from_syscall+0x0/0x2 [ 104.067863] Will call new kernel at ecc00000 from hart id 0 [ 104.074939] FDT image at fc5ee000 [ 104.079523] Bye... With the patch we can got clear output, [ 67.740553] sysrq: Trigger a crash [ 67.744166] Kernel panic - not syncing: sysrq triggered crash [ 67.809123] CPU1: off [ 67.865210] CPU2: off [ 67.909075] CPU3: off [ 67.919123] Starting crashdump kernel... [ 67.924900] Will call new kernel at ecc00000 from hart id 0 [ 67.932045] FDT image at fc5ee000 [ 67.935560] Bye... Fixes: 0e105f1d0037 ("riscv: use hart id instead of cpu id on machine_kexec") Reviewed-by: Guo Ren Reviewed-by: Heiko Stuebner Reviewed-by: Atish Patra Signed-off-by: Xianting Tian Link: https://lore.kernel.org/r/20220811074150.3020189-2-xianting.tian@linux.alibaba.com Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit cbb378edebd7397b024ec9778062ebff220282bb Author: Ben Dooks Date: Thu Jul 14 08:18:11 2022 +0100 RISC-V: Declare cpu_ops_spinwait in commit da6d2128e56a50a0d497c8e41ca1d33d88bcc0aa upstream. The cpu_ops_spinwait is used in a couple of places in arch/riscv and is causing a sparse warning due to no declaration. Add this to with the others to fix the following: arch/riscv/kernel/cpu_ops_spinwait.c:16:29: warning: symbol 'cpu_ops_spinwait' was not declared. Should it be static? Signed-off-by: Ben Dooks Link: https://lore.kernel.org/r/20220714071811.187491-1-ben.dooks@sifive.com [Palmer: Drop the extern from cpu_ops.c] Fixes: 2ffc48fc7071 ("RISC-V: Move spinwait booting method to its own config") Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 899b5091e4aa112806af4427a421343bafe54f2f Author: Ben Dooks Date: Wed Jul 13 22:53:06 2022 +0100 RISC-V: cpu_ops_spinwait.c should include head.h commit e4aa991c05aedc3ead92d1352af86db74090dc3c upstream. Running sparse shows cpu_ops_spinwait.c is missing two definitions found in head.h, so include it to stop the following warnings: arch/riscv/kernel/cpu_ops_spinwait.c:15:6: warning: symbol '__cpu_spinwait_stack_pointer' was not declared. Should it be static? arch/riscv/kernel/cpu_ops_spinwait.c:16:6: warning: symbol '__cpu_spinwait_task_pointer' was not declared. Should it be static? Signed-off-by: Ben Dooks Link: https://lore.kernel.org/r/20220713215306.94675-1-ben.dooks@sifive.com Fixes: c78f94f35cf6 ("RISC-V: Use __cpu_up_stack/task_pointer only for spinwait method") Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 306aee157d23f27c0c20de32b70a38352e6cafe3 Author: Mark Kettenis Date: Thu Jul 7 20:55:28 2022 +0200 riscv: dts: starfive: correct number of external interrupts commit a208acf0eac857dc8cdaddd63a4e18ed03f91786 upstream. The PLIC integrated on the Vic_U7_Core integrated on the StarFive JH7100 SoC actually supports 133 external interrupts. 127 of these are exposed to the outside world; the remainder are used by other devices that are part of the core-complex such as the L2 cache controller. But all 133 interrupts are external interrupts as far as the PLIC is concerned. Fix the property so that the driver can manage these additional interrupts, which is important since the interrupts for the L2 cache controller are enabled by default. Fixes: ec85362fb121 ("RISC-V: Add initial StarFive JH7100 device tree") Signed-off-by: Mark Kettenis Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220707185529.19509-1-kettenis@openbsd.org Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 4550f7ed4856c63cfc6b36a5cf76bec095801842 Author: Conor Dooley Date: Wed Aug 3 19:54:00 2022 +0100 dt-bindings: riscv: fix SiFive l2-cache's cache-sets commit b60cf8e59e61133b6c9514ff8d8c8d7049d040ef upstream. Fix device tree schema validation error messages for the SiFive Unmatched: ' cache-sets:0:0: 1024 was expected'. The existing bindings allow for just 1024 cache-sets but the fu740 on Unmatched the has 2048 cache-sets. The ISA itself permits any arbitrary power of two, however this is not supported by dt-schema. The RTL for the IP, to which the number of cache-sets is a tunable parameter, has been released publicly so speculatively adding a small number of "reasonable" values seems unwise also. Instead, as the binding only supports two distinct controllers: add 2048 and explicitly lock it to the fu740's l2 cache while limiting 1024 to the l2 cache on the fu540. Fixes: af951c3a113b ("dt-bindings: riscv: Update l2 cache DT documentation to add support for SiFive FU740") Reported-by: Atul Khare Signed-off-by: Conor Dooley Reviewed-by: Krzysztof Kozlowski Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220803185359.942928-1-mail@conchuod.ie Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 7e9ab8cb4fa54639424c10fbb645b5daef6f51ab Author: Chen Lifu Date: Wed Jun 15 09:47:14 2022 +0800 riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit commit c08b4848f596fd95543197463b5162bd7bab2442 upstream. Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly") and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"), if __clear_user and __copy_user return from an fixup branch, CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that S-mode memory accesses to pages that are accessible by U-mode will success. Disable S-mode access to U-mode memory should clear SR_SUM bit. Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code") Signed-off-by: Chen Lifu Reviewed-by: Ben Dooks Link: https://lore.kernel.org/r/20220615014714.1650349-1-chenlifu@huawei.com Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 73fc099eaefd9a92c83b6c07dad066411fd5a192 Author: Yipeng Zou Date: Thu Jul 21 14:58:20 2022 +0800 riscv:uprobe fix SR_SPIE set/clear handling commit 3dbe5829408bc1586f75b4667ef60e5aab0209c7 upstream. In riscv the process of uprobe going to clear spie before exec the origin insn,and set spie after that.But When access the page which origin insn has been placed a page fault may happen and irq was disabled in arch_uprobe_pre_xol function,It cause a WARN as follows. There is no need to clear/set spie in arch_uprobe_pre/post/abort_xol. We can just remove it. [ 31.684157] BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1488 [ 31.684677] in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 76, name: work [ 31.684929] preempt_count: 0, expected: 0 [ 31.685969] CPU: 2 PID: 76 Comm: work Tainted: G [ 31.686542] Hardware name: riscv-virtio,qemu (DT) [ 31.686797] Call Trace: [ 31.687053] [] dump_backtrace+0x30/0x38 [ 31.687699] [] show_stack+0x40/0x4c [ 31.688141] [] dump_stack_lvl+0x44/0x5c [ 31.688396] [] dump_stack+0x18/0x20 [ 31.688653] [] __might_resched+0x114/0x122 [ 31.688948] [] __might_sleep+0x50/0x7a [ 31.689435] [] down_read+0x30/0x130 [ 31.689728] [] do_page_fault+0x166/x446 [ 31.689997] [] ret_from_exception+0x0/0xc Fixes: 74784081aac8 ("riscv: Add uprobes supported") Signed-off-by: Yipeng Zou Reviewed-by: Guo Ren Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220721065820.245755-1-zouyipeng@huawei.com Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 844a857bbce3687af5fb1ba4c2e9243016766717 Author: Helge Deller Date: Mon Aug 1 17:36:15 2022 +0200 parisc: io_pgetevents_time64() needs compat syscall in 32-bit compat mode commit 6431e92fc827bdd2d28f79150d90415ba9ce0d21 upstream. For all syscalls in 32-bit compat mode on 64-bit kernels the upper 32-bits of the 64-bit registers are zeroed out, so a negative 32-bit signed value will show up as positive 64-bit signed value. This behaviour breaks the io_pgetevents_time64() syscall which expects signed 64-bit values for the "min_nr" and "nr" parameters. Fix this by switching to the compat_sys_io_pgetevents_time64() syscall, which uses "compat_long_t" types for those parameters. Cc: # v5.1+ Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit 62eb0059d8d5b34f067d339174a675298ae38970 Author: William Dean Date: Fri Jul 22 10:57:09 2022 +0800 parisc: Check the return value of ioremap() in lba_driver_probe() commit cf59f34d7f978d14d6520fd80a78a5ad5cb8abf8 upstream. The function ioremap() in lba_driver_probe() can fail, so its return value should be checked. Fixes: 4bdc0d676a643 ("remove ioremap_nocache and devm_ioremap_nocache") Reported-by: Hacash Robot Signed-off-by: William Dean Signed-off-by: Helge Deller Cc: # v5.6+ Signed-off-by: Greg Kroah-Hartman commit 6f0c087a68e5ce6b1de8ba18ed59f14c606e74d5 Author: Helge Deller Date: Tue Jul 19 06:19:41 2022 +0200 parisc: Drop pa_swapper_pg_lock spinlock commit 3fbc9a7de0564c55d8a9584c9cd2c9dfe6bd6d43 upstream. This spinlock was dropped with commit b7795074a046 ("parisc: Optimize per-pagetable spinlocks") in kernel v5.12. Remove it to silence a sparse warning. Signed-off-by: Helge Deller Reported-by: kernel test robot Cc: # v5.12+ Signed-off-by: Greg Kroah-Hartman commit 5c9e6c5e86a09314fb52c01be03010715cbdc369 Author: Helge Deller Date: Mon Jul 18 17:06:47 2022 +0200 parisc: Fix device names in /proc/iomem commit cab56b51ec0e69128909cef4650e1907248d821b upstream. Fix the output of /proc/iomem to show the real hardware device name including the pa_pathname, e.g. "Merlin 160 Core Centronics [8:16:0]". Up to now only the pa_pathname ("[8:16.0]") was shown. Signed-off-by: Helge Deller Cc: # v4.9+ Signed-off-by: Greg Kroah-Hartman commit 247caf4a87f31f247573ff0d2f633ead605f121b Author: Jiachen Zhang Date: Thu Jul 28 19:49:15 2022 +0800 ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh() commit dd524b7f317de8d31d638cbfdc7be4cf9b770e42 upstream. Some code paths cannot guarantee the inode have any dentry alias. So WARN_ON() all !dentry may flood the kernel logs. For example, when an overlayfs inode is watched by inotifywait (1), and someone is trying to read the /proc/$(pidof inotifywait)/fdinfo/INOTIFY_FD, at that time if the dentry has been reclaimed by kernel (such as echo 2 > /proc/sys/vm/drop_caches), there will be a WARN_ON(). The printed call stack would be like: ? show_mark_fhandle+0xf0/0xf0 show_mark_fhandle+0x4a/0xf0 ? show_mark_fhandle+0xf0/0xf0 ? seq_vprintf+0x30/0x50 ? seq_printf+0x53/0x70 ? show_mark_fhandle+0xf0/0xf0 inotify_fdinfo+0x70/0x90 show_fdinfo.isra.4+0x53/0x70 seq_show+0x130/0x170 seq_read+0x153/0x440 vfs_read+0x94/0x150 ksys_read+0x5f/0xe0 do_syscall_64+0x59/0x1e0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 So let's drop WARN_ON() to avoid kernel log flooding. Reported-by: Hongbo Yin Signed-off-by: Jiachen Zhang Signed-off-by: Tianci Zhang Fixes: 8ed5eec9d6c4 ("ovl: encode pure upper file handles") Cc: # v4.16 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit e11fb0a3a39bb42da35fa662c46ce7391f277436 Author: John Allen Date: Wed May 18 15:31:26 2022 +0000 crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak commit 13dc15a3f5fd7f884e4bfa8c011a0ae868df12ae upstream. For some sev ioctl interfaces, input may be passed that is less than or equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data that PSP firmware returns. In this case, kmalloc will allocate memory that is the size of the input rather than the size of the data. Since PSP firmware doesn't fully overwrite the buffer, the sev ioctl interfaces with the issue may return uninitialized slab memory. Currently, all of the ioctl interfaces in the ccp driver are safe, but to prevent future problems, change all ioctl interfaces that allocate memory with kmalloc to use kzalloc and memset the data buffer to zero in sev_ioctl_do_platform_status. Fixes: 38103671aad3 ("crypto: ccp: Use the stack and common buffer for status commands") Fixes: e799035609e15 ("crypto: ccp: Implement SEV_PEK_CSR ioctl command") Fixes: 76a2b524a4b1d ("crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command") Fixes: d6112ea0cb344 ("crypto: ccp - introduce SEV_GET_ID2 command") Cc: stable@vger.kernel.org Reported-by: Andy Nguyen Suggested-by: David Rientjes Suggested-by: Peter Gonda Signed-off-by: John Allen Reviewed-by: Peter Gonda Acked-by: David Rientjes Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit c8f808dfcc49331bb0eb89871a9cd33c5aa5e973 Author: Al Viro Date: Sun Jun 12 19:50:29 2022 -0400 fix short copy handling in copy_mc_pipe_to_iter() commit c3497fd009ef2c59eea60d21c3ac22de3585ed7d upstream. Unlike other copying operations on ITER_PIPE, copy_mc_to_iter() can result in a short copy. In that case we need to trim the unused buffers, as well as the length of partially filled one - it's not enough to set ->head, ->iov_offset and ->count to reflect how much had we copied. Not hard to fix, fortunately... I'd put a helper (pipe_discard_from(pipe, head)) into pipe_fs_i.h, rather than iov_iter.c - it has nothing to do with iov_iter and having it will allow us to avoid an ugly kludge in fs/splice.c. We could put it into lib/iov_iter.c for now and move it later, but I don't see the point going that way... Cc: stable@kernel.org # 4.19+ Fixes: ca146f6f091e "lib/iov_iter: Fix pipe handling in _copy_to_iter_mcsafe()" Reviewed-by: Jeff Layton Reviewed-by: Christian Brauner (Microsoft) Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit f924211946291d52de29b6f93202dbf80cc14629 Author: Lukas Wunner Date: Fri Jul 1 22:47:51 2022 +0200 usbnet: smsc95xx: Fix deadlock on runtime resume commit 7b960c967f2aa01ab8f45c5a0bd78e754cffdeee upstream. Commit 05b35e7eb9a1 ("smsc95xx: add phylib support") amended smsc95xx_resume() to call phy_init_hw(). That function waits for the device to runtime resume even though it is placed in the runtime resume path, causing a deadlock. The problem is that phy_init_hw() calls down to smsc95xx_mdiobus_read(), which never uses the _nopm variant of usbnet_read_cmd(). Commit b4df480f68ae ("usbnet: smsc95xx: add reset_resume function with reset operation") causes a similar deadlock on resume if the device was already runtime suspended when entering system sleep: That's because the commit introduced smsc95xx_reset_resume(), which calls down to smsc95xx_reset(), which neglects to use _nopm accessors. Fix by auto-detecting whether a device access is performed by the suspend/resume task_struct and use the _nopm variant if so. This works because the PM core guarantees that suspend/resume callbacks are run in task context. Stacktrace for posterity: INFO: task kworker/2:1:49 blocked for more than 122 seconds. Workqueue: usb_hub_wq hub_event schedule rpm_resume __pm_runtime_resume usb_autopm_get_interface usbnet_read_cmd __smsc95xx_read_reg __smsc95xx_phy_wait_not_busy __smsc95xx_mdio_read smsc95xx_mdiobus_read __mdiobus_read mdiobus_read smsc_phy_reset phy_init_hw smsc95xx_resume usb_resume_interface usb_resume_both usb_runtime_resume __rpm_callback rpm_callback rpm_resume __pm_runtime_resume usb_autoresume_device hub_event process_one_work Fixes: b4df480f68ae ("usbnet: smsc95xx: add reset_resume function with reset operation") Signed-off-by: Lukas Wunner Cc: stable@vger.kernel.org # v3.16+ Cc: Andre Edich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit db3b738ae5f726204876f4303c49cfdf4311403f Author: Lukas Wunner Date: Thu Jun 23 14:50:59 2022 +0200 usbnet: Fix linkwatch use-after-free on disconnect commit a69e617e533edddf3fa3123149900f36e0a6dc74 upstream. usbnet uses the work usbnet_deferred_kevent() to perform tasks which may sleep. On disconnect, completion of the work was originally awaited in ->ndo_stop(). But in 2003, that was moved to ->disconnect() by historic commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock": https://git.kernel.org/tglx/history/c/0f138bbfd83c The change was made because back then, the kernel's workqueue implementation did not allow waiting for a single work. One had to wait for completion of *all* work by calling flush_scheduled_work(), and that could deadlock when waiting for usbnet_deferred_kevent() with rtnl_mutex held in ->ndo_stop(). The commit solved one problem but created another: It causes a use-after-free in USB Ethernet drivers aqc111.c, asix_devices.c, ax88179_178a.c, ch9200.c and smsc75xx.c: * If the drivers receive a link change interrupt immediately before disconnect, they raise EVENT_LINK_RESET in their (non-sleepable) ->status() callback and schedule usbnet_deferred_kevent(). * usbnet_deferred_kevent() invokes the driver's ->link_reset() callback, which calls netif_carrier_{on,off}(). * That in turn schedules the work linkwatch_event(). Because usbnet_deferred_kevent() is awaited after unregister_netdev(), netif_carrier_{on,off}() may operate on an unregistered netdev and linkwatch_event() may run after free_netdev(), causing a use-after-free. In 2010, usbnet was changed to only wait for a single instance of usbnet_deferred_kevent() instead of *all* work by commit 23f333a2bfaf ("drivers/net: don't use flush_scheduled_work()"). Unfortunately the commit neglected to move the wait back to ->ndo_stop(). Rectify that omission at long last. Reported-by: Jann Horn Link: https://lore.kernel.org/netdev/CAG48ez0MHBbENX5gCdHAUXZ7h7s20LnepBF-pa5M=7Bi-jZrEA@mail.gmail.com/ Reported-by: Oleksij Rempel Link: https://lore.kernel.org/netdev/20220315113841.GA22337@pengutronix.de/ Signed-off-by: Lukas Wunner Cc: stable@vger.kernel.org Acked-by: Oliver Neukum Link: https://lore.kernel.org/r/d1c87ebe9fc502bffcd1576e238d685ad08321e4.1655987888.git.lukas@wunner.de Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 730d67bfb916689123ca64e445c55bf2f407739b Author: Helge Deller Date: Thu Jun 2 22:08:38 2022 +0200 fbcon: Fix accelerated fbdev scrolling while logo is still shown commit 3866cba87dcd0162fb41e9b3b653d0af68fad5ec upstream. There is no need to directly skip over to the SCROLL_REDRAW case while the logo is still shown. When using DRM, this change has no effect because the code will reach the SCROLL_REDRAW case immediately anyway. But if you run an accelerated fbdev driver and have FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION enabled, console scrolling is slowed down by factors so that it feels as if you use a 9600 baud terminal. So, drop those unnecessary checks and speed up fbdev console acceleration during bootup. Cc: stable@vger.kernel.org # v5.10+ Acked-by: Daniel Vetter Signed-off-by: Helge Deller Link: https://patchwork.freedesktop.org/patch/msgid/YpkYxk7wsBPx3po+@p100 Signed-off-by: Greg Kroah-Hartman commit 26c1cdde54d7ecfb7543aa733d6cb7923ce38153 Author: Helge Deller Date: Thu Jun 2 22:06:28 2022 +0200 fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters commit cad564ca557f8d3bb3b1fa965d9a2b3f6490ec69 upstream. The user may use the fbcon=vc:- option to tell fbcon to take over the given range (n1...n2) of consoles. The value for n1 and n2 needs to be a positive number and up to (MAX_NR_CONSOLES - 1). The given values were not fully checked against those boundaries yet. To fix the issue, convert first_fb_vc and last_fb_vc to unsigned integers and check them against the upper boundary, and make sure that first_fb_vc is smaller than last_fb_vc. Cc: stable@vger.kernel.org # v4.19+ Reviewed-by: Daniel Vetter Signed-off-by: Helge Deller Link: https://patchwork.freedesktop.org/patch/msgid/YpkYRMojilrtZIgM@p100 Signed-off-by: Greg Kroah-Hartman commit ff58bd0db5cc0baca2442d18f45699293919abd0 Author: Rafael J. Wysocki Date: Fri Jul 29 17:39:07 2022 +0200 thermal: sysfs: Fix cooling_device_stats_setup() error code path commit d5a8aa5d7d80d21ab6b266f1bed4194b61746199 upstream. If cooling_device_stats_setup() fails to create the stats object, it must clear the last slot in cooling_device_attr_groups that was initially empty (so as to make it possible to add stats attributes to the cooling device attribute groups). Failing to do so may cause the stats attributes to be created by mistake for a device that doesn't have a stats object, because the slot in question might be populated previously during the registration of another cooling device. Fixes: 8ea229511e06 ("thermal: Add cooling device's statistics in sysfs") Reported-by: Di Shen Tested-by: Di Shen Cc: 4.17+ # 4.17+ Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit d082cb154f288294a7acb80277948c6e8e7942e3 Author: Yang Xu Date: Thu Jul 14 14:11:26 2022 +0800 fs: Add missing umask strip in vfs_tmpfile commit ac6800e279a22b28f4fc21439843025a0d5bf03e upstream. All creation paths except for O_TMPFILE handle umask in the vfs directly if the filesystem doesn't support or enable POSIX ACLs. If the filesystem does then umask handling is deferred until posix_acl_create(). Because, O_TMPFILE misses umask handling in the vfs it will not honor umask settings. Fix this by adding the missing umask handling. Link: https://lore.kernel.org/r/1657779088-2242-2-git-send-email-xuyang2018.jy@fujitsu.com Fixes: 60545d0d4610 ("[O_TMPFILE] it's still short a few helpers, but infrastructure should be OK now...") Cc: # 4.19+ Reported-by: Christian Brauner (Microsoft) Reviewed-by: Darrick J. Wong Reviewed-and-Tested-by: Jeff Layton Acked-by: Christian Brauner (Microsoft) Signed-off-by: Yang Xu Signed-off-by: Christian Brauner (Microsoft) Signed-off-by: Greg Kroah-Hartman commit 5db80480c5d56aec1ac6b9408832595777eeaf67 Author: David Howells Date: Mon Aug 8 09:52:35 2022 +0100 vfs: Check the truncate maximum size in inode_newsize_ok() commit e2ebff9c57fe4eb104ce4768f6ebcccf76bef849 upstream. If something manages to set the maximum file size to MAX_OFFSET+1, this can cause the xfs and ext4 filesystems at least to become corrupt. Ordinarily, the kernel protects against userspace trying this by checking the value early in the truncate() and ftruncate() system calls calls - but there are at least two places that this check is bypassed: (1) Cachefiles will round up the EOF of the backing file to DIO block size so as to allow DIO on the final block - but this might push the offset negative. It then calls notify_change(), but this inadvertently bypasses the checking. This can be triggered if someone puts an 8EiB-1 file on a server for someone else to try and access by, say, nfs. (2) ksmbd doesn't check the value it is given in set_end_of_file_info() and then calls vfs_truncate() directly - which also bypasses the check. In both cases, it is potentially possible for a network filesystem to cause a disk filesystem to be corrupted: cachefiles in the client's cache filesystem; ksmbd in the server's filesystem. nfsd is okay as it checks the value, but we can then remove this check too. Fix this by adding a check to inode_newsize_ok(), as called from setattr_prepare(), thereby catching the issue as filesystems set up to perform the truncate with minimal opportunity for bypassing the new check. Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling") Fixes: f44158485826 ("cifsd: add file operations") Signed-off-by: David Howells Reported-by: Jeff Layton Tested-by: Jeff Layton Reviewed-by: Namjae Jeon Cc: stable@kernel.org Acked-by: Alexander Viro cc: Steve French cc: Hyunchul Lee cc: Chuck Lever cc: Dave Wysochanski Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e0ef23e9b0ad18b9fd3741b0f1ad2282e4a18def Author: Tetsuo Handa Date: Tue Jul 19 14:49:39 2022 +0900 tty: vt: initialize unicode screen buffer commit af77c56aa35325daa2bc2bed5c2ebf169be61b86 upstream. syzbot reports kernel infoleak at vcs_read() [1], for buffer can be read immediately after resize operation. Initialize buffer using kzalloc(). ---------- #include #include #include #include int main(int argc, char *argv[]) { struct fb_var_screeninfo var = { }; const int fb_fd = open("/dev/fb0", 3); ioctl(fb_fd, FBIOGET_VSCREENINFO, &var); var.yres = 0x21; ioctl(fb_fd, FBIOPUT_VSCREENINFO, &var); return read(open("/dev/vcsu", O_RDONLY), &var, sizeof(var)) == -1; } ---------- Link: https://syzkaller.appspot.com/bug?extid=31a641689d43387f05d3 [1] Cc: stable Reported-by: syzbot Reviewed-by: Jiri Slaby Signed-off-by: Tetsuo Handa Link: https://lore.kernel.org/r/4ef053cf-e796-fb5e-58b7-3ae58242a4ad@I-love.SAKURA.ne.jp Signed-off-by: Greg Kroah-Hartman commit 9c5c8aaed50bf3478073ab51b8b1f3f5327d3cfa Author: Cameron Williams Date: Mon Jul 11 16:35:10 2022 +0100 tty: 8250: Add support for Brainboxes PX cards. commit ef5a03a26c87a760bc3d86b5af7b773e82f8b1b7 upstream. Add support for some of the Brainboxes PCIe (PX) range of serial cards, including the PX-101, PX-235/PX-246, PX-203/PX-257, PX-260/PX-701, PX-310, PX-313, PX-320/PX-324/PX-376/PX-387, PX-335/PX-346, PX-368, PX-420, PX-803 and PX-846. Signed-off-by: Cameron Williams Cc: stable Link: https://lore.kernel.org/r/AM5PR0202MB2564669252BDC59BF55A6E87C4879@AM5PR0202MB2564.eurprd02.prod.outlook.com Signed-off-by: Greg Kroah-Hartman commit 37268c7badd36f5381056d1651a6ee0b63b8ff3c Author: Huacai Chen Date: Tue Jul 12 12:25:57 2022 +0800 LoongArch: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK commit 28e112afa44ad0814120d41c68fa72372a2cd2c2 upstream. When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS is selected, cpu_max_bits_warn() generates a runtime warning similar as below while we show /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit) instead of NR_CPUS to iterate CPUs. [ 3.052463] ------------[ cut here ]------------ [ 3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0 [ 3.070072] Modules linked in: efivarfs autofs4 [ 3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052 [ 3.084034] Hardware name: Loongson Loongson-3A5000-7A1000-1w-V0.1-CRB/Loongson-LS3A5000-7A1000-1w-EVB-V1.21, BIOS Loongson-UDK2018-V2.0.04082-beta7 04/27 [ 3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000 [ 3.109127] 9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430 [ 3.118774] 90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff [ 3.128412] 0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890 [ 3.138056] 0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa [ 3.147711] ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000 [ 3.157364] 900000000101c998 0000000000000004 9000000000ef7430 0000000000000000 [ 3.167012] 0000000000000009 000000000000006c 0000000000000000 0000000000000000 [ 3.176641] 9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286 [ 3.186260] 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c [ 3.195868] ... [ 3.199917] Call Trace: [ 3.203941] [<90000000002086d8>] show_stack+0x38/0x14c [ 3.210666] [<9000000000cf846c>] dump_stack_lvl+0x60/0x88 [ 3.217625] [<900000000023d268>] __warn+0xd0/0x100 [ 3.223958] [<9000000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc [ 3.231150] [<9000000000210220>] show_cpuinfo+0x5e8/0x5f0 [ 3.238080] [<90000000004f578c>] seq_read_iter+0x354/0x4b4 [ 3.245098] [<90000000004c2e90>] new_sync_read+0x17c/0x1c4 [ 3.252114] [<90000000004c5174>] vfs_read+0x138/0x1d0 [ 3.258694] [<90000000004c55f8>] ksys_read+0x70/0x100 [ 3.265265] [<9000000000cfde9c>] do_syscall+0x7c/0x94 [ 3.271820] [<9000000000202fe4>] handle_syscall+0xc4/0x160 [ 3.281824] ---[ end trace 8b484262b4b8c24c ]--- Cc: stable@vger.kernel.org Signed-off-by: Huacai Chen Signed-off-by: Greg Kroah-Hartman commit 27187e92998132cc1434f7e0c9087eb98186488a Author: Bedant Patnaik Date: Tue Aug 9 19:54:55 2022 +0530 ALSA: hda/realtek: Add a quirk for HP OMEN 15 (8786) mute LED commit 30267718fe2d4dbea49015b022f6f1fe16ca31ab upstream. Board ID 8786 seems to be another variant of the Omen 15 that needs ALC285_FIXUP_HP_MUTE_LED for working mute LED. Signed-off-by: Bedant Patnaik Cc: Link: https://lore.kernel.org/r/20220809142455.6473-1-bedant.patnaik@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e24cb11883a04a4fc77c3f9afffefaf6162eae3a Author: Meng Tang Date: Fri Aug 5 15:45:34 2022 +0800 ALSA: hda/realtek: Add quirk for another Asus K42JZ model commit f882c4bef9cb914d9f7be171afb10ed26536bfa7 upstream. There is another Asus K42JZ model with the PCI SSID 1043:1313 that requires the quirk ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE. Add the corresponding entry to the quirk table. Signed-off-by: Meng Tang Cc: Link: https://lore.kernel.org/r/20220805074534.20003-1-tangmeng@uniontech.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ec80fc5fa03b938a5b1db4f5855300088b2b8714 Author: Allen Ballway Date: Wed Aug 10 15:27:22 2022 +0000 ALSA: hda/cirrus - support for iMac 12,1 model commit 74bba640d69914cf832b87f6bbb700e5ba430672 upstream. The 12,1 model requires the same configuration as the 12,2 model to enable headphones but has a different codec SSID. Adds 12,1 SSID for matching quirk. [ re-sorted in SSID order by tiwai ] Signed-off-by: Allen Ballway Cc: Link: https://lore.kernel.org/r/20220810152701.1.I902c2e591bbf8de9acb649d1322fa1f291849266@changeid Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 5d83b450e217a1400cec07c1c2fb09f3c799aede Author: Meng Tang Date: Mon Aug 8 15:34:06 2022 +0800 ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model commit f83bb2592482fe94c6eea07a8121763c80f36ce5 upstream. There is another LENOVO 20149 (Type1Sku0) Notebook model with CX20590, the device PCI SSID is 17aa:3977, which headphones are not responding, that requires the quirk CXT_PINCFG_LENOVO_NOTEBOOK. Add the corresponding entry to the quirk table. Signed-off-by: Meng Tang Cc: Link: https://lore.kernel.org/r/20220808073406.19460-1-tangmeng@uniontech.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 53283a3333c07e44475c3659c3700dc33400267f Author: Coleman Dietsch Date: Mon Aug 8 14:06:07 2022 -0500 KVM: x86/xen: Stop Xen timer before changing IRQ commit c036899136355758dcd88878145036ab4d9c1f26 upstream. Stop Xen timer (if it's running) prior to changing the IRQ vector and potentially (re)starting the timer. Changing the IRQ vector while the timer is still running can result in KVM injecting a garbage event, e.g. vm_xen_inject_timer_irqs() could see a non-zero xen.timer_pending from a previous timer but inject the new xen.timer_virq. Fixes: 536395260582 ("KVM: x86/xen: handle PV timers oneshot mode") Cc: stable@vger.kernel.org Link: https://syzkaller.appspot.com/bug?id=8234a9dfd3aafbf092cc5a7cd9842e3ebc45fc42 Reported-by: syzbot+e54f930ed78eb0f85281@syzkaller.appspotmail.com Signed-off-by: Coleman Dietsch Reviewed-by: Sean Christopherson Acked-by: David Woodhouse Message-Id: <20220808190607.323899-3-dietschc@csp.edu> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 9a9b5771e930f408c3419799000f76a9abaf2278 Author: Coleman Dietsch Date: Mon Aug 8 14:06:06 2022 -0500 KVM: x86/xen: Initialize Xen timer only once commit af735db31285fa699384c649be72a9f32ecbb665 upstream. Add a check for existing xen timers before initializing a new one. Currently kvm_xen_init_timer() is called on every KVM_XEN_VCPU_ATTR_TYPE_TIMER, which is causing the following ODEBUG crash when vcpu->arch.xen.timer is already set. ODEBUG: init active (active state 0) object type: hrtimer hint: xen_timer_callbac0 RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:502 Call Trace: __debug_object_init debug_hrtimer_init debug_init hrtimer_init kvm_xen_init_timer kvm_xen_vcpu_set_attr kvm_arch_vcpu_ioctl kvm_vcpu_ioctl vfs_ioctl Fixes: 536395260582 ("KVM: x86/xen: handle PV timers oneshot mode") Cc: stable@vger.kernel.org Link: https://syzkaller.appspot.com/bug?id=8234a9dfd3aafbf092cc5a7cd9842e3ebc45fc42 Reported-by: syzbot+e54f930ed78eb0f85281@syzkaller.appspotmail.com Signed-off-by: Coleman Dietsch Reviewed-by: Sean Christopherson Message-Id: <20220808190607.323899-2-dietschc@csp.edu> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit e27e46d5e5c43aaf9c9edf6488f2b2af42143887 Author: Paolo Bonzini Date: Thu Aug 4 15:28:32 2022 +0200 KVM: x86: revalidate steal time cache if MSR value changes commit 901d3765fa804ce42812f1d5b1f3de2dfbb26723 upstream. Commit 7e2175ebd695 ("KVM: x86: Fix recording of guest steal time / preempted status", 2021-11-11) open coded the previous call to kvm_map_gfn, but in doing so it dropped the comparison between the cached guest physical address and the one in the MSR. This cause an incorrect cache hit if the guest modifies the steal time address while the memslots remain the same. This can happen with kexec, in which case the steal time data is written at the address used by the old kernel instead of the old one. While at it, rename the variable from gfn to gpa since it is a plain physical address and not a right-shifted one. Reported-by: Dave Young Reported-by: Xiaoying Yan Analyzed-by: Dr. David Alan Gilbert Cc: David Woodhouse Cc: stable@vger.kernel.org Fixes: 7e2175ebd695 ("KVM: x86: Fix recording of guest steal time / preempted status") Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 0043fbede947f9290580bac28f0a404f021d8045 Author: Paolo Bonzini Date: Thu Aug 4 15:28:32 2022 +0200 KVM: x86: do not report preemption if the steal time cache is stale commit c3c28d24d910a746b02f496d190e0e8c6560224b upstream. Commit 7e2175ebd695 ("KVM: x86: Fix recording of guest steal time / preempted status", 2021-11-11) open coded the previous call to kvm_map_gfn, but in doing so it dropped the comparison between the cached guest physical address and the one in the MSR. This cause an incorrect cache hit if the guest modifies the steal time address while the memslots remain the same. This can happen with kexec, in which case the preempted bit is written at the address used by the old kernel instead of the old one. Cc: David Woodhouse Cc: stable@vger.kernel.org Fixes: 7e2175ebd695 ("KVM: x86: Fix recording of guest steal time / preempted status") Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 16c6a078c2bb4986a2298f11478ef9ea62f8961e Author: Sean Christopherson Date: Wed Aug 3 22:49:56 2022 +0000 KVM: x86/mmu: Fully re-evaluate MMIO caching when SPTE masks change commit c3e0c8c2e8b17bae30d5978bc2decdd4098f0f99 upstream. Fully re-evaluate whether or not MMIO caching can be enabled when SPTE masks change; simply clearing enable_mmio_caching when a configuration isn't compatible with caching fails to handle the scenario where the masks are updated, e.g. by VMX for EPT or by SVM to account for the C-bit location, and toggle compatibility from false=>true. Snapshot the original module param so that re-evaluating MMIO caching preserves userspace's desire to allow caching. Use a snapshot approach so that enable_mmio_caching still reflects KVM's actual behavior. Fixes: 8b9e74bfbf8c ("KVM: x86/mmu: Use enable_mmio_caching to track if MMIO caching is enabled") Reported-by: Michael Roth Cc: Tom Lendacky Cc: stable@vger.kernel.org Tested-by: Michael Roth Signed-off-by: Sean Christopherson Reviewed-by: Kai Huang Message-Id: <20220803224957.1285926-3-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 7f04ed0d95db3550a639c987d3177354b99cee1d Author: Sean Christopherson Date: Wed Aug 3 22:49:55 2022 +0000 KVM: x86: Tag kvm_mmu_x86_module_init() with __init commit 982bae43f11c37b51d2f1961bb25ef7cac3746fa upstream. Mark kvm_mmu_x86_module_init() with __init, the entire reason it exists is to initialize variables when kvm.ko is loaded, i.e. it must never be called after module initialization. Fixes: 1d0e84806047 ("KVM: x86/mmu: Resolve nx_huge_pages when kvm.ko is loaded") Cc: stable@vger.kernel.org Reviewed-by: Kai Huang Tested-by: Michael Roth Signed-off-by: Sean Christopherson Message-Id: <20220803224957.1285926-2-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 1b36d36624e7210047d65efb11014e8c94f57d40 Author: Sean Christopherson Date: Wed Aug 3 22:49:57 2022 +0000 KVM: SVM: Disable SEV-ES support if MMIO caching is disable commit 0c29397ac1fdd64ae59941a477511a05e61a4754 upstream. Disable SEV-ES if MMIO caching is disabled as SEV-ES relies on MMIO SPTEs generating #NPF(RSVD), which are reflected by the CPU into the guest as a #VC. With SEV-ES, the untrusted host, a.k.a. KVM, doesn't have access to the guest instruction stream or register state and so can't directly emulate in response to a #NPF on an emulated MMIO GPA. Disabling MMIO caching means guest accesses to emulated MMIO ranges cause #NPF(!PRESENT), and those flavors of #NPF cause automatic VM-Exits, not #VC. Adjust KVM's MMIO masks to account for the C-bit location prior to doing SEV(-ES) setup, and document that dependency between adjusting the MMIO SPTE mask and SEV(-ES) setup. Fixes: b09763da4dd8 ("KVM: x86/mmu: Add module param to disable MMIO caching (for testing)") Reported-by: Michael Roth Tested-by: Michael Roth Cc: Tom Lendacky Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20220803224957.1285926-4-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 6271f2854b9233702e236e576b885a876dde4889 Author: Sean Christopherson Date: Sat Jul 23 01:30:29 2022 +0000 KVM: x86/mmu: Treat NX as a valid SPTE bit for NPT commit 6c6ab524cfae0799e55c82b2c1d61f1af0156f8d upstream. Treat the NX bit as valid when using NPT, as KVM will set the NX bit when the NX huge page mitigation is enabled (mindblowing) and trigger the WARN that fires on reserved SPTE bits being set. KVM has required NX support for SVM since commit b26a71a1a5b9 ("KVM: SVM: Refuse to load kvm_amd if NX support is not available") for exactly this reason, but apparently it never occurred to anyone to actually test NPT with the mitigation enabled. ------------[ cut here ]------------ spte = 0x800000018a600ee7, level = 2, rsvd bits = 0x800f0000001fe000 WARNING: CPU: 152 PID: 15966 at arch/x86/kvm/mmu/spte.c:215 make_spte+0x327/0x340 [kvm] Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 10.48.0 01/27/2022 RIP: 0010:make_spte+0x327/0x340 [kvm] Call Trace: tdp_mmu_map_handle_target_level+0xc3/0x230 [kvm] kvm_tdp_mmu_map+0x343/0x3b0 [kvm] direct_page_fault+0x1ae/0x2a0 [kvm] kvm_tdp_page_fault+0x7d/0x90 [kvm] kvm_mmu_page_fault+0xfb/0x2e0 [kvm] npf_interception+0x55/0x90 [kvm_amd] svm_invoke_exit_handler+0x31/0xf0 [kvm_amd] svm_handle_exit+0xf6/0x1d0 [kvm_amd] vcpu_enter_guest+0xb6d/0xee0 [kvm] ? kvm_pmu_trigger_event+0x6d/0x230 [kvm] vcpu_run+0x65/0x2c0 [kvm] kvm_arch_vcpu_ioctl_run+0x355/0x610 [kvm] kvm_vcpu_ioctl+0x551/0x610 [kvm] __se_sys_ioctl+0x77/0xc0 __x64_sys_ioctl+0x1d/0x20 do_syscall_64+0x44/0xa0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 ---[ end trace 0000000000000000 ]--- Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20220723013029.1753623-1-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 37aaaa28851ac008ad90213919c5589cb02a2439 Author: Sean Christopherson Date: Mon Jul 11 23:27:49 2022 +0000 KVM: x86: Set error code to segment selector on LLDT/LTR non-canonical #GP commit 2626206963ace9e8bf92b6eea5ff78dd674c555c upstream. When injecting a #GP on LLDT/LTR due to a non-canonical LDT/TSS base, set the error code to the selector. Intel SDM's says nothing about the #GP, but AMD's APM explicitly states that both LLDT and LTR set the error code to the selector, not zero. Note, a non-canonical memory operand on LLDT/LTR does generate a #GP(0), but the KVM code in question is specific to the base from the descriptor. Fixes: e37a75a13cda ("KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR") Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Reviewed-by: Maxim Levitsky Link: https://lore.kernel.org/r/20220711232750.1092012-3-seanjc@google.com Signed-off-by: Sean Christopherson Signed-off-by: Greg Kroah-Hartman commit a9e394788e6a7f6b7a7ca726843312a4d2df6d9d Author: Sean Christopherson Date: Mon Jul 11 23:27:48 2022 +0000 KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks commit ec6e4d863258d4bfb36d48d5e3ef68140234d688 upstream. Wait to mark the TSS as busy during LTR emulation until after all fault checks for the LTR have passed. Specifically, don't mark the TSS busy if the new TSS base is non-canonical. Opportunistically drop the one-off !seg_desc.PRESENT check for TR as the only reason for the early check was to avoid marking a !PRESENT TSS as busy, i.e. the common !PRESENT is now done before setting the busy bit. Fixes: e37a75a13cda ("KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR") Reported-by: syzbot+760a73552f47a8cd0fd9@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Cc: Tetsuo Handa Cc: Hou Wenlong Signed-off-by: Sean Christopherson Reviewed-by: Maxim Levitsky Link: https://lore.kernel.org/r/20220711232750.1092012-2-seanjc@google.com Signed-off-by: Sean Christopherson Signed-off-by: Greg Kroah-Hartman commit 15c0b55a366a6a908a221d75fb16c0d61652439b Author: Sean Christopherson Date: Tue Jun 7 21:35:52 2022 +0000 KVM: nVMX: Inject #UD if VMXON is attempted with incompatible CR0/CR4 commit c7d855c2aff2d511fd60ee2e356134c4fb394799 upstream. Inject a #UD if L1 attempts VMXON with a CR0 or CR4 that is disallowed per the associated nested VMX MSRs' fixed0/1 settings. KVM cannot rely on hardware to perform the checks, even for the few checks that have higher priority than VM-Exit, as (a) KVM may have forced CR0/CR4 bits in hardware while running the guest, (b) there may incompatible CR0/CR4 bits that have lower priority than VM-Exit, e.g. CR0.NE, and (c) userspace may have further restricted the allowed CR0/CR4 values by manipulating the guest's nested VMX MSRs. Note, despite a very strong desire to throw shade at Jim, commit 70f3aac964ae ("kvm: nVMX: Remove superfluous VMX instruction fault checks") is not to blame for the buggy behavior (though the comment...). That commit only removed the CR0.PE, EFLAGS.VM, and COMPATIBILITY mode checks (though it did erroneously drop the CPL check, but that has already been remedied). KVM may force CR0.PE=1, but will do so only when also forcing EFLAGS.VM=1 to emulate Real Mode, i.e. hardware will still #UD. Link: https://bugzilla.kernel.org/show_bug.cgi?id=216033 Fixes: ec378aeef9df ("KVM: nVMX: Implement VMXON and VMXOFF") Reported-by: Eric Li Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20220607213604.3346000-4-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit dee2cc52b8b7cb53a6b5e3e614a30c9c764d6700 Author: Sean Christopherson Date: Tue Jun 7 21:35:51 2022 +0000 KVM: nVMX: Account for KVM reserved CR4 bits in consistency checks commit ca58f3aa53d165afe4ab74c755bc2f6d168617ac upstream. Check that the guest (L2) and host (L1) CR4 values that would be loaded by nested VM-Enter and VM-Exit respectively are valid with respect to KVM's (L0 host) allowed CR4 bits. Failure to check KVM reserved bits would allow L1 to load an illegal CR4 (or trigger hardware VM-Fail or failed VM-Entry) by massaging guest CPUID to allow features that are not supported by KVM. Amusingly, KVM itself is an accomplice in its doom, as KVM adjusts L1's MSR_IA32_VMX_CR4_FIXED1 to allow L1 to enable bits for L2 based on L1's CPUID model. Note, although nested_{guest,host}_cr4_valid() are _currently_ used if and only if the vCPU is post-VMXON (nested.vmxon == true), that may not be true in the future, e.g. emulating VMXON has a bug where it doesn't check the allowed/required CR0/CR4 bits. Cc: stable@vger.kernel.org Fixes: 3899152ccbf4 ("KVM: nVMX: fix checks on CR{0,4} during virtual VMX operation") Signed-off-by: Sean Christopherson Message-Id: <20220607213604.3346000-3-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit df6cbd82e0a80610ba84d151f4b56e50cb33eb32 Author: Sean Christopherson Date: Tue Jun 7 21:35:54 2022 +0000 KVM: nVMX: Let userspace set nVMX MSR to any _host_ supported value commit f8ae08f9789ad59d318ea75b570caa454aceda81 upstream. Restrict the nVMX MSRs based on KVM's config, not based on the guest's current config. Using the guest's config to audit the new config prevents userspace from restoring the original config (KVM's config) if at any point in the past the guest's config was restricted in any way. Fixes: 62cc6b9dc61e ("KVM: nVMX: support restore of VMX capability MSRs") Cc: stable@vger.kernel.org Cc: David Matlack Signed-off-by: Sean Christopherson Message-Id: <20220607213604.3346000-6-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit cbbd3df6ede5f70a44361377c8977d9e0706da29 Author: Sean Christopherson Date: Tue Jun 7 21:35:50 2022 +0000 KVM: x86: Split kvm_is_valid_cr4() and export only the non-vendor bits commit c33f6f2228fe8517e38941a508e9f905f99ecba9 upstream. Split the common x86 parts of kvm_is_valid_cr4(), i.e. the reserved bits checks, into a separate helper, __kvm_is_valid_cr4(), and export only the inner helper to vendor code in order to prevent nested VMX from calling back into vmx_is_valid_cr4() via kvm_is_valid_cr4(). On SVM, this is a nop as SVM doesn't place any additional restrictions on CR4. On VMX, this is also currently a nop, but only because nested VMX is missing checks on reserved CR4 bits for nested VM-Enter. That bug will be fixed in a future patch, and could simply use kvm_is_valid_cr4() as-is, but nVMX has _another_ bug where VMXON emulation doesn't enforce VMX's restrictions on CR0/CR4. The cleanest and most intuitive way to fix the VMXON bug is to use nested_host_cr{0,4}_valid(). If the CR4 variant routes through kvm_is_valid_cr4(), using nested_host_cr4_valid() won't do the right thing for the VMXON case as vmx_is_valid_cr4() enforces VMX's restrictions if and only if the vCPU is post-VMXON. Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20220607213604.3346000-2-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit d2b2213dda1e8ab5a55718c4d00757de2f65e4a4 Author: Sean Christopherson Date: Fri Apr 29 21:00:22 2022 +0000 KVM: Do not incorporate page offset into gfn=>pfn cache user address commit 3ba2c95ea180740b16281fa43a3ee5f47279c0ed upstream. Don't adjust the userspace address in the gfn=>pfn cache by the page offset from the gpa. KVM should never use the user address directly, and all KVM operations that translate a user address to something else require the user address to be page aligned. Ignoring the offset will allow the cache to reuse a gfn=>hva translation in the unlikely event that the page offset of the gpa changes, but the gfn does not. And more importantly, not having to (un)adjust the user address will simplify a future bug fix. Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20220429210025.3293691-6-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit e7d52979638f672b0dd9c2b67807ce3af6130a2a Author: Sean Christopherson Date: Fri Apr 29 21:00:24 2022 +0000 KVM: Fix multiple races in gfn=>pfn cache refresh commit 58cd407ca4c6278cf9f9d09a2e663bf645b0c982 upstream. Rework the gfn=>pfn cache (gpc) refresh logic to address multiple races between the cache itself, and between the cache and mmu_notifier events. The existing refresh code attempts to guard against races with the mmu_notifier by speculatively marking the cache valid, and then marking it invalid if a mmu_notifier invalidation occurs. That handles the case where an invalidation occurs between dropping and re-acquiring gpc->lock, but it doesn't handle the scenario where the cache is refreshed after the cache was invalidated by the notifier, but before the notifier elevates mmu_notifier_count. The gpc refresh can't use the "retry" helper as its invalidation occurs _before_ mmu_notifier_count is elevated and before mmu_notifier_range_start is set/updated. CPU0 CPU1 ---- ---- gfn_to_pfn_cache_invalidate_start() | -> gpc->valid = false; kvm_gfn_to_pfn_cache_refresh() | |-> gpc->valid = true; hva_to_pfn_retry() | -> acquire kvm->mmu_lock kvm->mmu_notifier_count == 0 mmu_seq == kvm->mmu_notifier_seq drop kvm->mmu_lock return pfn 'X' acquire kvm->mmu_lock kvm_inc_notifier_count() drop kvm->mmu_lock() kernel frees pfn 'X' kvm_gfn_to_pfn_cache_check() | |-> gpc->valid == true caller accesses freed pfn 'X' Key off of mn_active_invalidate_count to detect that a pfncache refresh needs to wait for an in-progress mmu_notifier invalidation. While mn_active_invalidate_count is not guaranteed to be stable, it is guaranteed to be elevated prior to an invalidation acquiring gpc->lock, so either the refresh will see an active invalidation and wait, or the invalidation will run after the refresh completes. Speculatively marking the cache valid is itself flawed, as a concurrent kvm_gfn_to_pfn_cache_check() would see a valid cache with stale pfn/khva values. The KVM Xen use case explicitly allows/wants multiple users; even though the caches are allocated per vCPU, __kvm_xen_has_interrupt() can read a different vCPU (or vCPUs). Address this race by invalidating the cache prior to dropping gpc->lock (this is made possible by fixing the above mmu_notifier race). Complicating all of this is the fact that both the hva=>pfn resolution and mapping of the kernel address can sleep, i.e. must be done outside of gpc->lock. Fix the above races in one fell swoop, trying to fix each individual race is largely pointless and essentially impossible to test, e.g. closing one hole just shifts the focus to the other hole. Fixes: 982ed0de4753 ("KVM: Reinstate gfn_to_pfn_cache with invalidation support") Cc: stable@vger.kernel.org Cc: David Woodhouse Cc: Mingwei Zhang Signed-off-by: Sean Christopherson Message-Id: <20220429210025.3293691-8-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit ca4efed09557dd1f807845eadac7ea161bac36a1 Author: Sean Christopherson Date: Fri Apr 29 21:00:23 2022 +0000 KVM: Fully serialize gfn=>pfn cache refresh via mutex commit 93984f19e7bce4c18084a6ef3dacafb155b806ed upstream. Protect gfn=>pfn cache refresh with a mutex to fully serialize refreshes. The refresh logic doesn't protect against - concurrent unmaps, or refreshes with different GPAs (which may or may not happen in practice, for example if a cache is only used under vcpu->mutex; but it's allowed in the code) - a false negative on the memslot generation. If the first refresh sees a stale memslot generation, it will refresh the hva and generation before moving on to the hva=>pfn translation. If it then drops gpc->lock, a different user of the cache can come along, acquire gpc->lock, see that the memslot generation is fresh, and skip the hva=>pfn update due to the userspace address also matching (because it too was updated). The refresh path can already sleep during hva=>pfn resolution, so wrap the refresh with a mutex to ensure that any given refresh runs to completion before other callers can start their refresh. Cc: stable@vger.kernel.org Cc: Lai Jiangshan Signed-off-by: Sean Christopherson Message-Id: <20220429210025.3293691-7-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 391931dafc5f34009239e6bd371f91e1a40e8980 Author: Sean Christopherson Date: Fri Apr 29 21:00:21 2022 +0000 KVM: Put the extra pfn reference when reusing a pfn in the gpc cache commit 3dddf65b4f4c451c345d34ae85bdf1791a746e49 upstream. Put the struct page reference to pfn acquired by hva_to_pfn() when the old and new pfns for a gfn=>pfn cache match. The cache already has a reference via the old/current pfn, and will only put one reference when the cache is done with the pfn. Fixes: 982ed0de4753 ("KVM: Reinstate gfn_to_pfn_cache with invalidation support") Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20220429210025.3293691-5-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 81b640cc9b910403e61584260a14ca9585c7443b Author: Sean Christopherson Date: Fri Apr 29 21:00:20 2022 +0000 KVM: Drop unused @gpa param from gfn=>pfn cache's __release_gpc() helper commit 345b0fd6fe5f66dfe841bad0b39dd11a5672df68 upstream. Drop the @pga param from __release_gpc() and rename the helper to make it more obvious that the cache itself is not being released. The helper will be reused by a future commit to release a pfn+khva combination that is _never_ associated with the cache, at which point the current name would go from slightly misleading to blatantly wrong. No functional change intended. Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20220429210025.3293691-4-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 86145725d4a93014ec22bfb97bd6309e14ebc1bb Author: Nico Boehr Date: Mon Jul 18 15:04:34 2022 +0200 KVM: s390: pv: don't present the ecall interrupt twice commit c3f0e5fd2d33d80c5a5a8b5e5d2bab2841709cc8 upstream. When the SIGP interpretation facility is present and a VCPU sends an ecall to another VCPU in enabled wait, the sending VCPU receives a 56 intercept (partial execution), so KVM can wake up the receiving CPU. Note that the SIGP interpretation facility will take care of the interrupt delivery and KVM's only job is to wake the receiving VCPU. For PV, the sending VCPU will receive a 108 intercept (pv notify) and should continue like in the non-PV case, i.e. wake the receiving VCPU. For PV and non-PV guests the interrupt delivery will occur through the SIGP interpretation facility on SIE entry when SIE finds the X bit in the status field set. However, in handle_pv_notification(), there was no special handling for SIGP, which leads to interrupt injection being requested by KVM for the next SIE entry. This results in the interrupt being delivered twice: once by the SIGP interpretation facility and once by KVM through the IICTL. Add the necessary special handling in handle_pv_notification(), similar to handle_partial_execution(), which simply wakes the receiving VCPU and leave interrupt delivery to the SIGP interpretation facility. In contrast to external calls, emergency calls are not interpreted but also cause a 108 intercept, which is why we still need to call handle_instruction() for SIGP orders other than ecall. Since kvm_s390_handle_sigp_pei() is now called for all SIGP orders which cause a 108 intercept - even if they are actually handled by handle_instruction() - move the tracepoint in kvm_s390_handle_sigp_pei() to avoid possibly confusing trace messages. Signed-off-by: Nico Boehr Cc: # 5.7 Fixes: da24a0cc58ed ("KVM: s390: protvirt: Instruction emulation") Reviewed-by: Claudio Imbrenda Reviewed-by: Janosch Frank Reviewed-by: Christian Borntraeger Link: https://lore.kernel.org/r/20220718130434.73302-1-nrb@linux.ibm.com Message-Id: <20220718130434.73302-1-nrb@linux.ibm.com> Signed-off-by: Claudio Imbrenda Signed-off-by: Greg Kroah-Hartman commit 2eee1dba70f57148fc7f8252613bfae6bd4b04e3 Author: Maciej S. Szmigiero Date: Mon May 2 00:07:26 2022 +0200 KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0 commit f17c31c48e5cde9895a491d91c424eeeada3e134 upstream. Don't BUG/WARN on interrupt injection due to GIF being cleared, since it's trivial for userspace to force the situation via KVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct for KVM internally generated injections). kernel BUG at arch/x86/kvm/svm/svm.c:3386! invalid opcode: 0000 [#1] SMP CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:svm_inject_irq+0xab/0xb0 [kvm_amd] Code: <0f> 0b 0f 1f 00 0f 1f 44 00 00 80 3d ac b3 01 00 00 55 48 89 f5 53 RSP: 0018:ffffc90000b37d88 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88810a234ac0 RCX: 0000000000000006 RDX: 0000000000000000 RSI: ffffc90000b37df7 RDI: ffff88810a234ac0 RBP: ffffc90000b37df7 R08: ffff88810a1fa410 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff888109571000 R14: ffff88810a234ac0 R15: 0000000000000000 FS: 0000000001821380(0000) GS:ffff88846fdc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f74fc550008 CR3: 000000010a6fe000 CR4: 0000000000350ea0 Call Trace: inject_pending_event+0x2f7/0x4c0 [kvm] kvm_arch_vcpu_ioctl_run+0x791/0x17a0 [kvm] kvm_vcpu_ioctl+0x26d/0x650 [kvm] __x64_sys_ioctl+0x82/0xb0 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 219b65dcf6c0 ("KVM: SVM: Improve nested interrupt injection") Cc: stable@vger.kernel.org Co-developed-by: Sean Christopherson Signed-off-by: Sean Christopherson Signed-off-by: Maciej S. Szmigiero Message-Id: <35426af6e123cbe91ec7ce5132ce72521f02b1b5.1651440202.git.maciej.szmigiero@oracle.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 53221fa294812d034c7a66ff77e1d42a031674bb Author: Sean Christopherson Date: Tue Jun 14 21:58:28 2022 +0000 KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL for !nested_run_pending case commit 764643a6be07445308e492a528197044c801b3ba upstream. If a nested run isn't pending, snapshot vmcs01.GUEST_IA32_DEBUGCTL irrespective of whether or not VM_ENTRY_LOAD_DEBUG_CONTROLS is set in vmcs12. When restoring nested state, e.g. after migration, without a nested run pending, prepare_vmcs02() will propagate nested.vmcs01_debugctl to vmcs02, i.e. will load garbage/zeros into vmcs02.GUEST_IA32_DEBUGCTL. If userspace restores nested state before MSRs, then loading garbage is a non-issue as loading DEBUGCTL will also update vmcs02. But if usersepace restores MSRs first, then KVM is responsible for propagating L2's value, which is actually thrown into vmcs01, into vmcs02. Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state is all kinds of bizarre and ideally would not be supported. Sadly, some VMMs do exactly that and rely on KVM to make things work. Note, there's still a lurking SMM bug, as propagating vmcs01's DEBUGCTL to vmcs02 across RSM may corrupt L2's DEBUGCTL. But KVM's entire VMX+SMM emulation is flawed as SMI+RSM should not toouch _any_ VMCS when use the "default treatment of SMIs", i.e. when not using an SMI Transfer Monitor. Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com Fixes: 8fcc4b5923af ("kvm: nVMX: Introduce KVM_CAP_NESTED_STATE") Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20220614215831.3762138-3-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 8f8aa303c4946f3ff9eadeb3e8b3fab657859672 Author: Sean Christopherson Date: Tue Jun 14 21:58:27 2022 +0000 KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case commit fa578398a0ba2c079fa1170da21fa5baae0cedb2 upstream. If a nested run isn't pending, snapshot vmcs01.GUEST_BNDCFGS irrespective of whether or not VM_ENTRY_LOAD_BNDCFGS is set in vmcs12. When restoring nested state, e.g. after migration, without a nested run pending, prepare_vmcs02() will propagate nested.vmcs01_guest_bndcfgs to vmcs02, i.e. will load garbage/zeros into vmcs02.GUEST_BNDCFGS. If userspace restores nested state before MSRs, then loading garbage is a non-issue as loading BNDCFGS will also update vmcs02. But if usersepace restores MSRs first, then KVM is responsible for propagating L2's value, which is actually thrown into vmcs01, into vmcs02. Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state is all kinds of bizarre and ideally would not be supported. Sadly, some VMMs do exactly that and rely on KVM to make things work. Note, there's still a lurking SMM bug, as propagating vmcs01.GUEST_BNDFGS to vmcs02 across RSM may corrupt L2's BNDCFGS. But KVM's entire VMX+SMM emulation is flawed as SMI+RSM should not toouch _any_ VMCS when use the "default treatment of SMIs", i.e. when not using an SMI Transfer Monitor. Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com Fixes: 62cf9bd8118c ("KVM: nVMX: Fix emulation of VM_ENTRY_LOAD_BNDCFGS") Cc: stable@vger.kernel.org Cc: Lei Wang Signed-off-by: Sean Christopherson Message-Id: <20220614215831.3762138-2-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit fe1cdbc5cb2c9e72f68a3b13dc83b9064660acb7 Author: Ping Cheng Date: Fri May 13 14:52:37 2022 -0700 HID: wacom: Don't register pad_input for touch switch commit d6b675687a4ab4dba684716d97c8c6f81bf10905 upstream. Touch switch state is received through WACOM_PAD_FIELD. However, it is reported by touch_input. Don't register pad_input if no other pad events require the interface. Cc: stable@vger.kernel.org Signed-off-by: Ping Cheng Reviewed-by: Jason Gerecke Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 455287aff8c6f3c46a0cce12aa6f591af9af1d5a Author: Ping Cheng Date: Fri May 13 14:51:56 2022 -0700 HID: wacom: Only report rotation for art pen commit 7ccced33a0ba39b0103ae1dfbf7f1dffdc0a1bc2 upstream. The generic routine, wacom_wac_pen_event, turns rotation value 90 degree anti-clockwise before posting the events. This non-zero event trggers a non-zero ABS_Z event for non art pen tools. However, HID_DG_TWIST is only supported by art pen. [jkosina@suse.cz: fix build: add missing brace] Cc: stable@vger.kernel.org Signed-off-by: Ping Cheng Reviewed-by: Jason Gerecke Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 02b4d0ec5b8274761b171c4d659beb3ea405523b Author: Guenter Roeck Date: Tue Jul 12 15:17:05 2022 -0700 HID: nintendo: Add missing array termination commit ab5f3404b7762b88403fbddbdda6b1b464bd6cbc upstream. joycon_dpad_inputs_jc[] is unterminated. This may result in odd warnings such as input: input_set_capability: invalid code 3077588140 for type 1 or in kernel crashes in nintendo_hid_probe(). Terminate the array to fix the problem. Fixes: 2af16c1f846bd ("HID: nintendo: add nintendo switch controller driver") Cc: Daniel J. Ogorchock Signed-off-by: Guenter Roeck Reviewed-by: Dmitry Torokhov Cc: stable@vger.kernel.org Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 2531fefea55464ac64d38349054f180a0fae17c1 Author: Maximilian Luz Date: Thu May 26 01:08:27 2022 +0200 HID: hid-input: add Surface Go battery quirk commit db925d809011c37b246434fdce71209fc2e6c0c2 upstream. Similar to the Surface Go (1), the (Elantech) touchscreen/digitizer in the Surface Go 2 mistakenly reports the battery of the stylus. Instead of over the touchscreen device, battery information is provided via bluetooth and the touchscreen device reports an empty battery. Apply the HID_BATTERY_QUIRK_IGNORE quirk to ignore this battery and prevent the erroneous low battery warnings. Cc: stable@vger.kernel.org Signed-off-by: Maximilian Luz Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit eb3ebbd26808be6871158934c85916944d094834 Author: Jeff Layton Date: Mon Aug 1 15:57:26 2022 -0400 lockd: detect and reject lock arguments that overflow commit 6930bcbfb6ceda63e298c6af6d733ecdf6bd4cde upstream. lockd doesn't currently vet the start and length in nlm4 requests like it should, and can end up generating lock requests with arguments that overflow when passed to the filesystem. The NLM4 protocol uses unsigned 64-bit arguments for both start and length, whereas struct file_lock tracks the start and end as loff_t values. By the time we get around to calling nlm4svc_retrieve_args, we've lost the information that would allow us to determine if there was an overflow. Start tracking the actual start and len for NLM4 requests in the nlm_lock. In nlm4svc_retrieve_args, vet these values to ensure they won't cause an overflow, and return NLM4_FBIG if they do. Link: https://bugzilla.linux-nfs.org/show_bug.cgi?id=392 Reported-by: Jan Kasiak Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever Cc: # 5.14+ Signed-off-by: Greg Kroah-Hartman commit 56761b355ded0b32272da84383199c5ede931561 Author: Mikulas Patocka Date: Tue Aug 9 14:32:13 2022 -0400 add barriers to buffer_uptodate and set_buffer_uptodate commit d4252071b97d2027d246f6a82cbee4d52f618b47 upstream. Let's have a look at this piece of code in __bread_slow: get_bh(bh); bh->b_end_io = end_buffer_read_sync; submit_bh(REQ_OP_READ, 0, bh); wait_on_buffer(bh); if (buffer_uptodate(bh)) return bh; Neither wait_on_buffer nor buffer_uptodate contain any memory barrier. Consequently, if someone calls sb_bread and then reads the buffer data, the read of buffer data may be executed before wait_on_buffer(bh) on architectures with weak memory ordering and it may return invalid data. Fix this bug by adding a memory barrier to set_buffer_uptodate and an acquire barrier to buffer_uptodate (in a similar way as folio_test_uptodate and folio_mark_uptodate). Signed-off-by: Mikulas Patocka Reviewed-by: Matthew Wilcox (Oracle) Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 24cdb1e7ee12e5292dc05e122075d5f8f74584cf Author: Johannes Berg Date: Wed Jul 13 21:16:45 2022 +0200 wifi: mac80211_hwsim: use 32-bit skb cookie commit cc5250cdb43d444061412df7fae72d2b4acbdf97 upstream. We won't really have enough skbs to need a 64-bit cookie, and on 32-bit platforms storing the 64-bit cookie into the void *rate_driver_data doesn't work anyway. Switch back to using just a 32-bit cookie and uintptr_t for the type to avoid compiler warnings about all this. Fixes: 4ee186fa7e40 ("wifi: mac80211_hwsim: fix race condition in pending packet") Signed-off-by: Johannes Berg Cc: Jeongik Cha Signed-off-by: Greg Kroah-Hartman commit ce943930c7a688e71d24bd95987459ade8982c63 Author: Johannes Berg Date: Mon Jul 11 13:14:24 2022 +0200 wifi: mac80211_hwsim: add back erroneously removed cast commit 58b6259d820d63c2adf1c7541b54cce5a2ae6073 upstream. The robots report that we're now casting to a differently sized integer, which is correct, and the previous patch had erroneously removed it. Reported-by: kernel test robot Fixes: 4ee186fa7e40 ("wifi: mac80211_hwsim: fix race condition in pending packet") Signed-off-by: Johannes Berg Cc: Jeongik Cha Signed-off-by: Greg Kroah-Hartman commit 6d4f073cb2e8091984a6507d310551d0ec08935d Author: Jeongik Cha Date: Mon Jul 4 17:43:54 2022 +0900 wifi: mac80211_hwsim: fix race condition in pending packet commit 4ee186fa7e40ae06ebbfbad77e249e3746e14114 upstream. A pending packet uses a cookie as an unique key, but it can be duplicated because it didn't use atomic operators. And also, a pending packet can be null in hwsim_tx_info_frame_received_nl due to race condition with mac80211_hwsim_stop. For this, * Use an atomic type and operator for a cookie * Add a lock around the loop for pending packets Signed-off-by: Jeongik Cha Link: https://lore.kernel.org/r/20220704084354.3556326-1-jeongik@google.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit a9fba9f20dc9c1da01e3b72fb109f3ef6d59ee84 Author: Zev Weiss Date: Tue Aug 9 22:26:46 2022 -0700 hwmon: (nct6775) Fix platform driver suspend regression commit f4e6960f4f16b1ca5da16cec7612ecc86402ac05 upstream. Commit c3963bc0a0cf ("hwmon: (nct6775) Split core and platform driver") introduced a slight change in nct6775_suspend() in order to avoid an otherwise-needless symbol export for nct6775_update_device(), replacing a call to that function with a simple dev_get_drvdata() instead. As it turns out, there is no guarantee that nct6775_update_device() is ever called prior to suspend. If this happens, the resume function ends up writing bad data into the various chip registers, which results in a crash shortly after resume. To fix the problem, just add the symbol export and return to using nct6775_update_device() as was employed previously. Reported-by: Zoltán Kővágó Tested-by: Zoltán Kővágó Fixes: c3963bc0a0cf ("hwmon: (nct6775) Split core and platform driver") Cc: stable@kernel.org Signed-off-by: Zev Weiss Link: https://lore.kernel.org/r/20220810052646.13825-1-zev@bewilderbeest.net [groeck: Updated description] Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 36d9ec95598f9d4d3449f2f5d98366a797b3af5a Author: syed sabakareem Date: Fri Jul 22 19:15:32 2022 +0530 ASoC: amd: yc: Update DMI table entries commit be0aa8d4b0fcb4532bf7973141e911998ab39508 upstream. Removed intel DMI product id's 21AW/21AX/21D8/21D9/21BN/21BQ in DMI table and updated DMI entry for AMD platform X13 Gen 3 platform 21CM/21CN. Link: https://bugzilla.kernel.org/show_bug.cgi?id=216267 Signed-off-by: syed sabakareem Reviewed-by: Mario Limonciello Reported-by: David Korth Fixes: fa991481b8b2 ("ASoC: amd: add YC machine driver using dmic") Link: https://lore.kernel.org/r/20220722134603.316668-1-Syed.SabaKareem@amd.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 8d5b8e01e374d766c411adf4038bb48956db67c2 Author: Philipp Jungkamp Date: Fri Jul 29 18:21:03 2022 +0200 ALSA: hda/realtek: Add quirk for Lenovo Yoga9 14IAP7 commit 3790a3d6dbbc48e30586e9c3fc752a00e2e11946 upstream. The Lenovo Yoga 9 14IAP7 is set up similarly to the Thinkpad X1 7th and 8th Gen. It also has the speakers attached to NID 0x14 and the bass speakers to NID 0x17, but here the codec misreports the NID 0x17 as unconnected. The pincfg and hda verbs connect and activate the bass speaker amplifiers, but the generic driver will connect them to NID 0x06 which has no volume control. Set connection list/preferred connections is required to gain volume control. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208555 Signed-off-by: Philipp Jungkamp Cc: Link: https://lore.kernel.org/r/20220729162103.6062-1-p.jungkamp@gmx.net Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit a67e67732435f83c241788de6bea56b2df1e466d Author: Ivan Hasenkampf Date: Wed Aug 3 18:40:01 2022 +0200 ALSA: hda/realtek: Add quirk for HP Spectre x360 15-eb0xxx commit 24df5428ef9d1ca1edd54eca7eb667110f2dfae3 upstream. Fixes speaker output on HP Spectre x360 15-eb0xxx [ re-sorted in SSID order by tiwai ] Signed-off-by: Ivan Hasenkampf Cc: Link: https://lore.kernel.org/r/20220803164001.290394-1-ivan.hasenkampf@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8438004a7fcb436cfdb66f0da95baf44ad6b5679 Author: Tim Crawford Date: Sat Jul 30 21:22:43 2022 -0600 ALSA: hda/realtek: Add quirk for Clevo NV45PZ commit be561ffad708f0cee18aee4231f80ffafaf7a419 upstream. Fixes headset detection on Clevo NV45PZ. Signed-off-by: Tim Crawford Cc: Link: https://lore.kernel.org/r/20220731032243.4300-1-tcrawford@system76.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b0d4af0a4763ddc02344789ef2a281c494bc330d Author: Zheyu Ma Date: Fri Jul 15 09:05:15 2022 +0800 ALSA: bcd2000: Fix a UAF bug on the error path of probing commit ffb2759df7efbc00187bfd9d1072434a13a54139 upstream. When the driver fails in snd_card_register() at probe time, it will free the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug. The following log can reveal it: [ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000] [ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0 [ 50.729530] Call Trace: [ 50.732899] bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000] Fix this by adding usb_kill_urb() before usb_free_urb(). Fixes: b47a22290d58 ("ALSA: MIDI driver for Behringer BCD2000 USB device") Signed-off-by: Zheyu Ma Cc: Link: https://lore.kernel.org/r/20220715010515.2087925-1-zheyuma97@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit a23e793af145c600d414e5f239cfc2244293ba49 Author: Takashi Iwai Date: Fri Jul 22 16:39:48 2022 +0200 ALSA: usb-audio: Add quirk for Behringer UMC202HD commit e086c37f876fd1f551e2b4f9be97d4a1923cd219 upstream. Just like other Behringer models, UMC202HD (USB ID 1397:0507) requires the quirk for the stable streaming, too. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=215934 Cc: Link: https://lore.kernel.org/r/20220722143948.29804-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 755f49dd4191e1d100a2ce8d356498403280f010 Author: Jeff Layton Date: Fri Jul 29 17:01:07 2022 -0400 nfsd: eliminate the NFSD_FILE_BREAK_* flags commit 23ba98de6dcec665e15c0ca19244379bb0d30932 upstream. We had a report from the spring Bake-a-thon of data corruption in some nfstest_interop tests. Looking at the traces showed the NFS server allowing a v3 WRITE to proceed while a read delegation was still outstanding. Currently, we only set NFSD_FILE_BREAK_* flags if NFSD_MAY_NOT_BREAK_LEASE was set when we call nfsd_file_alloc. NFSD_MAY_NOT_BREAK_LEASE was intended to be set when finding files for COMMIT ops, where we need a writeable filehandle but don't need to break read leases. It doesn't make any sense to consult that flag when allocating a file since the file may be used on subsequent calls where we do want to break the lease (and the usage of it here seems to be reverse from what it should be anyway). Also, after calling nfsd_open_break_lease, we don't want to clear the BREAK_* bits. A lease could end up being set on it later (more than once) and we need to be able to break those leases as well. This means that the NFSD_FILE_BREAK_* flags now just mirror NFSD_MAY_{READ,WRITE} flags, so there's no need for them at all. Just drop those flags and unconditionally call nfsd_open_break_lease every time. Reported-by: Olga Kornieskaia Link: https://bugzilla.redhat.com/show_bug.cgi?id=2107360 Fixes: 65294c1f2c5e (nfsd: add a new struct file caching facility to nfsd) Cc: # 5.4.x : bb283ca18d1e NFSD: Clean up the show_nf_flags() macro Cc: # 5.4.x Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit ed48237d6b0a22bd0b51afa83cd3f0acd75c67a8 Author: Trond Myklebust Date: Wed May 18 16:09:06 2022 -0400 pNFS/flexfiles: Report RDMA connection errors to the server commit 7836d75467e9d214bdf5c693b32721de729a6e38 upstream. The RPC/RDMA driver will return -EPROTO and -ENODEV as connection errors under certain circumstances. Make sure that we handle them and report them to the server. If not, we can end up cycling forever in a LAYOUTGET/LAYOUTRETURN loop. Fixes: a12f996d3413 ("NFSv4/pNFS: Use connections to a DS that are all of the same protocol family") Cc: stable@vger.kernel.org # 5.11.x Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 5c5639005dba9dfd799c8561e6679dae68f7823d Author: Nilesh Javali Date: Tue Jul 12 22:20:36 2022 -0700 scsi: Revert "scsi: qla2xxx: Fix disk failure to rediscover" commit 5bc7b01c513a4a9b4cfe306e8d1720cfcfd3b8a3 upstream. This fixes the regression of NVMe discovery failure during driver load time. This reverts commit 6a45c8e137d4e2c72eecf1ac7cf64f2fdfcead99. Link: https://lore.kernel.org/r/20220713052045.10683-2-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit fb78ef830e5e3ae597b97cb1f82453d7823b6f51 Author: Trond Myklebust Date: Wed May 18 16:37:56 2022 -0400 Revert "pNFS: nfs3_set_ds_client should set NFS_CS_NOPING" commit 9597152d98840c2517230740952df97cfcc07e2f upstream. This reverts commit c6eb58435b98bd843d3179664a0195ff25adb2c3. If a transport is down, then we want to fail over to other transports if they are listed in the GETDEVICEINFO reply. Fixes: c6eb58435b98 ("pNFS: nfs3_set_ds_client should set NFS_CS_NOPING") Cc: stable@vger.kernel.org # 5.11.x Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 98847832313dd8c87d1a2350ed964a17d9a7b6ab Author: Nick Desaulniers Date: Wed Aug 10 15:24:41 2022 -0700 x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments commit ffcf9c5700e49c0aee42dcba9a12ba21338e8136 upstream. Users of GNU ld (BFD) from binutils 2.39+ will observe multiple instances of a new warning when linking kernels in the form: ld: warning: arch/x86/boot/pmjump.o: missing .note.GNU-stack section implies executable stack ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker ld: warning: arch/x86/boot/compressed/vmlinux has a LOAD segment with RWX permissions Generally, we would like to avoid the stack being executable. Because there could be a need for the stack to be executable, assembler sources have to opt-in to this security feature via explicit creation of the .note.GNU-stack feature (which compilers create by default) or command line flag --noexecstack. Or we can simply tell the linker the production of such sections is irrelevant and to link the stack as --noexecstack. LLVM's LLD linker defaults to -z noexecstack, so this flag isn't strictly necessary when linking with LLD, only BFD, but it doesn't hurt to be explicit here for all linkers IMO. --no-warn-rwx-segments is currently BFD specific and only available in the current latest release, so it's wrapped in an ld-option check. While the kernel makes extensive usage of ELF sections, it doesn't use permissions from ELF segments. Link: https://lore.kernel.org/linux-block/3af4127a-f453-4cf7-f133-a181cce06f73@kernel.dk/ Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 Link: https://github.com/llvm/llvm-project/issues/57009 Reported-and-tested-by: Jens Axboe Suggested-by: Fangrui Song Signed-off-by: Nick Desaulniers Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8cd1b2413c5c570ff5218387ae94a83ef76bcb5b Author: Nick Desaulniers Date: Wed Aug 10 15:24:40 2022 -0700 Makefile: link with -z noexecstack --no-warn-rwx-segments commit 0d362be5b14200b77ecc2127936a5ff82fbffe41 upstream. Users of GNU ld (BFD) from binutils 2.39+ will observe multiple instances of a new warning when linking kernels in the form: ld: warning: vmlinux: missing .note.GNU-stack section implies executable stack ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker ld: warning: vmlinux has a LOAD segment with RWX permissions Generally, we would like to avoid the stack being executable. Because there could be a need for the stack to be executable, assembler sources have to opt-in to this security feature via explicit creation of the .note.GNU-stack feature (which compilers create by default) or command line flag --noexecstack. Or we can simply tell the linker the production of such sections is irrelevant and to link the stack as --noexecstack. LLVM's LLD linker defaults to -z noexecstack, so this flag isn't strictly necessary when linking with LLD, only BFD, but it doesn't hurt to be explicit here for all linkers IMO. --no-warn-rwx-segments is currently BFD specific and only available in the current latest release, so it's wrapped in an ld-option check. While the kernel makes extensive usage of ELF sections, it doesn't use permissions from ELF segments. Link: https://lore.kernel.org/linux-block/3af4127a-f453-4cf7-f133-a181cce06f73@kernel.dk/ Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 Link: https://github.com/llvm/llvm-project/issues/57009 Reported-and-tested-by: Jens Axboe Suggested-by: Fangrui Song Signed-off-by: Nick Desaulniers Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman