commit 3238bffaf9928c10173d88415f6815f6df3e7771 Author: Greg Kroah-Hartman Date: Fri Apr 8 14:40:45 2022 +0200 Linux 5.10.110 Link: https://lore.kernel.org/r/20220405070258.802373272@linuxfoundation.org Tested-by: Florian Fainelli Tested-by: Pavel Machek (CIP) Tested-by: Slade Watkins Tested-by: Jon Hunter Tested-by: Fox Chen Tested-by: Sudip Mukherjee Tested-by: Linux Kernel Functional Testing Tested-by: Bagas Sanjaya Link: https://lore.kernel.org/r/20220406133013.264188813@linuxfoundation.org Tested-by: Jon Hunter Tested-by: Fox Chen Tested-by: Shuah Khan Tested-by: Florian Fainelli Tested-by: Bagas Sanjaya Tested-by: Bagas Sanjaya Tested-by: Sudip Mukherjee Tested-by: Linux Kernel Functional Testing Link: https://lore.kernel.org/r/20220407183749.142181327@linuxfoundation.org Tested-by: Salvatore Bonaccorso Tested-by: Guenter Roeck Tested-by: Florian Fainelli Tested-by: Fox Chen Tested-by: Linux Kernel Functional Testing Tested-by: Hulk Robot Tested-by: Bagas Sanjaya Tested-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit cf342cbfb37ff0ee7d096367ec03c8f363788b43 Author: Marc Zyngier Date: Mon Mar 21 10:48:42 2022 +0000 PCI: xgene: Revert "PCI: xgene: Use inbound resources for setup" commit 1874b6d7ab1bdc900e8398026350313ac29caddb upstream. Commit 6dce5aa59e0b ("PCI: xgene: Use inbound resources for setup") killed PCIe on my XGene-1 box (a Mustang board). The machine itself is still alive, but half of its storage (over NVMe) is gone, and the NVMe driver just times out. Note that this machine boots with a device tree provided by the UEFI firmware (2016 vintage), which could well be non conformant with the spec, hence the breakage. With the patch reverted, the box boots 5.17-rc8 with flying colors. Link: https://lore.kernel.org/all/Yf2wTLjmcRj+AbDv@xps13.dannf Link: https://lore.kernel.org/r/20220321104843.949645-2-maz@kernel.org Fixes: 6dce5aa59e0b ("PCI: xgene: Use inbound resources for setup") Signed-off-by: Marc Zyngier Signed-off-by: Lorenzo Pieralisi Cc: stable@vger.kernel.org Cc: Rob Herring Cc: Toan Le Cc: Lorenzo Pieralisi Cc: Krzysztof Wilczyński Cc: Bjorn Helgaas Cc: Stéphane Graber Cc: dann frazier [dannf: minor context adjustment] Signed-off-by: dann frazier Signed-off-by: Greg Kroah-Hartman commit a25864c5bc20966cdc5ba5eb65b74b9b1e9ec8d2 Author: Vijay Balakrishna Date: Wed Mar 2 09:38:09 2022 -0800 arm64: Do not defer reserve_crashkernel() for platforms with no DMA memory zones commit 031495635b4668f94e964e037ca93d0d38bfde58 upstream. The following patches resulted in deferring crash kernel reservation to mem_init(), mainly aimed at platforms with DMA memory zones (no IOMMU), in particular Raspberry Pi 4. commit 1a8e1cef7603 ("arm64: use both ZONE_DMA and ZONE_DMA32") commit 8424ecdde7df ("arm64: mm: Set ZONE_DMA size based on devicetree's dma-ranges") commit 0a30c53573b0 ("arm64: mm: Move reserve_crashkernel() into mem_init()") commit 2687275a5843 ("arm64: Force NO_BLOCK_MAPPINGS if crashkernel reservation is required") Above changes introduced boot slowdown due to linear map creation for all the memory banks with NO_BLOCK_MAPPINGS, see discussion[1]. The proposed changes restore crash kernel reservation to earlier behavior thus avoids slow boot, particularly for platforms with IOMMU (no DMA memory zones). Tested changes to confirm no ~150ms boot slowdown on our SoC with IOMMU and 8GB memory. Also tested with ZONE_DMA and/or ZONE_DMA32 configs to confirm no regression to deferring scheme of crash kernel memory reservation. In both cases successfully collected kernel crash dump. [1] https://lore.kernel.org/all/9436d033-579b-55fa-9b00-6f4b661c2dd7@linux.microsoft.com/ Signed-off-by: Vijay Balakrishna Cc: stable@vger.kernel.org Reviewed-by: Pasha Tatashin Link: https://lore.kernel.org/r/1646242689-20744-1-git-send-email-vijayb@linux.microsoft.com [will: Add #ifdef CONFIG_KEXEC_CORE guards to fix 'crashk_res' references in allnoconfig build] Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 558564db44755dfb3e48b0d64de327d20981e950 Author: Eric W. Biederman Date: Tue Mar 8 13:04:19 2022 -0600 coredump: Use the vma snapshot in fill_files_note commit 390031c942116d4733310f0684beb8db19885fe6 upstream. Matthew Wilcox reported that there is a missing mmap_lock in file_files_note that could possibly lead to a user after free. Solve this by using the existing vma snapshot for consistency and to avoid the need to take the mmap_lock anywhere in the coredump code except for dump_vma_snapshot. Update the dump_vma_snapshot to capture vm_pgoff and vm_file that are neeeded by fill_files_note. Add free_vma_snapshot to free the captured values of vm_file. Reported-by: Matthew Wilcox Link: https://lkml.kernel.org/r/20220131153740.2396974-1-willy@infradead.org Cc: stable@vger.kernel.org Fixes: a07279c9a8cd ("binfmt_elf, binfmt_elf_fdpic: use a VMA list snapshot") Fixes: 2aa362c49c31 ("coredump: extend core dump note section to contain file names of mapped files") Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit b7933f145ad32bb5e084af55176ab6dcaa15a036 Author: Eric W. Biederman Date: Mon Jan 31 12:17:38 2022 -0600 coredump/elf: Pass coredump_params into fill_note_info commit 9ec7d3230717b4fe9b6c7afeb4811909c23fa1d7 upstream. Instead of individually passing cprm->siginfo and cprm->regs into fill_note_info pass all of struct coredump_params. This is preparation to allow fill_files_note to use the existing vma snapshot. Reviewed-by: Jann Horn Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit b043ae637a83585b2a497c2eb7ee49446fc68e98 Author: Eric W. Biederman Date: Tue Mar 8 13:01:19 2022 -0600 coredump: Remove the WARN_ON in dump_vma_snapshot commit 49c1866348f364478a0c4d3dd13fd08bb82d3a5b upstream. The condition is impossible and to the best of my knowledge has never triggered. We are in deep trouble if that conditions happens and we walk past the end of our allocated array. So delete the WARN_ON and the code that makes it look like the kernel can handle the case of walking past the end of it's vma_meta array. Reviewed-by: Jann Horn Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit 936c8be4d1447f36ac4d2a464bd03a5cd659c42f Author: Eric W. Biederman Date: Tue Mar 8 12:55:29 2022 -0600 coredump: Snapshot the vmas in do_coredump commit 95c5436a4883841588dae86fb0b9325f47ba5ad3 upstream. Move the call of dump_vma_snapshot and kvfree(vma_meta) out of the individual coredump routines into do_coredump itself. This makes the code less error prone and easier to maintain. Make the vma snapshot available to the coredump routines in struct coredump_params. This makes it easier to change and update what is captures in the vma snapshot and will be needed for fixing fill_file_notes. Reviewed-by: Jann Horn Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit 5318cdf4fd834856ce71238b064f35386f9ef528 Author: Hangyu Hua Date: Fri Mar 11 16:06:14 2022 +0800 can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path commit 3d3925ff6433f98992685a9679613a2cc97f3ce2 upstream. There is no need to call dev_kfree_skb() when usb_submit_urb() fails because can_put_echo_skb() deletes original skb and can_free_echo_skb() deletes the cloned skb. Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices") Link: https://lore.kernel.org/all/20220311080614.45229-1-hbh25y@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Hangyu Hua Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 869016a2938ac44f7b2fb7fc22c89edad99eb9b3 Author: Marc Kleine-Budde Date: Thu Mar 17 08:57:35 2022 +0100 can: m_can: m_can_tx_handler(): fix use after free of skb commit 2e8e79c416aae1de224c0f1860f2e3350fa171f8 upstream. can_put_echo_skb() will clone skb then free the skb. Move the can_put_echo_skb() for the m_can version 3.0.x directly before the start of the xmit in hardware, similar to the 3.1.x branch. Fixes: 80646733f11c ("can: m_can: update to support CAN FD features") Link: https://lore.kernel.org/all/20220317081305.739554-1-mkl@pengutronix.de Cc: stable@vger.kernel.org Reported-by: Hangyu Hua Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit e90518d10c7dd59d5ebbe25b0f0083a7dbffa42f Author: Paolo Bonzini Date: Tue Mar 29 12:56:24 2022 -0400 KVM: x86/mmu: do compare-and-exchange of gPTE via the user address commit 2a8859f373b0a86f0ece8ec8312607eacf12485d upstream. FNAME(cmpxchg_gpte) is an inefficient mess. It is at least decent if it can go through get_user_pages_fast(), but if it cannot then it tries to use memremap(); that is not just terribly slow, it is also wrong because it assumes that the VM_PFNMAP VMA is contiguous. The right way to do it would be to do the same thing as hva_to_pfn_remapped() does since commit add6a0cd1c5b ("KVM: MMU: try to fix up page faults before giving up", 2016-07-05), using follow_pte() and fixup_user_fault() to determine the correct address to use for memremap(). To do this, one could for example extract hva_to_pfn() for use outside virt/kvm/kvm_main.c. But really there is no reason to do that either, because there is already a perfectly valid address to do the cmpxchg() on, only it is a userspace address. That means doing user_access_begin()/user_access_end() and writing the code in assembly to handle exceptions correctly. Worse, the guest PTE can be 8-byte even on i686 so there is the extra complication of using cmpxchg8b to account for. But at least it is an efficient mess. (Thanks to Linus for suggesting improvement on the inline assembly). Reported-by: Qiuhao Li Reported-by: Gaoning Pan Reported-by: Yongkang Jia Reported-by: syzbot+6cde2282daa792c49ab8@syzkaller.appspotmail.com Debugged-by: Tadeusz Struk Tested-by: Maxim Levitsky Cc: stable@vger.kernel.org Fixes: bd53cb35a3e9 ("X86/KVM: Handle PFNs outside of kernel reach when touching GPTEs") Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit e36c45263a30b5556f80d4e085637fe5693567fe Author: Martin Varghese Date: Mon Mar 28 11:11:48 2022 +0530 openvswitch: Fixed nd target mask field in the flow dump. commit f19c44452b58a84d95e209b847f5495d91c9983a upstream. IPv6 nd target mask was not getting populated in flow dump. In the function __ovs_nla_put_key the icmp code mask field was checked instead of icmp code key field to classify the flow as neighbour discovery. ufid:bdfbe3e5-60c2-43b0-a5ff-dfcac1c37328, recirc_id(0),dp_hash(0/0), skb_priority(0/0),in_port(ovs-nm1),skb_mark(0/0),ct_state(0/0), ct_zone(0/0),ct_mark(0/0),ct_label(0/0), eth(src=00:00:00:00:00:00/00:00:00:00:00:00, dst=00:00:00:00:00:00/00:00:00:00:00:00), eth_type(0x86dd), ipv6(src=::/::,dst=::/::,label=0/0,proto=58,tclass=0/0,hlimit=0/0,frag=no), icmpv6(type=135,code=0), nd(target=2001::2/::, sll=00:00:00:00:00:00/00:00:00:00:00:00, tll=00:00:00:00:00:00/00:00:00:00:00:00), packets:10, bytes:860, used:0.504s, dp:ovs, actions:ovs-nm2 Fixes: e64457191a25 (openvswitch: Restructure datapath.c and flow.c) Signed-off-by: Martin Varghese Link: https://lore.kernel.org/r/20220328054148.3057-1-martinvarghesenokia@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit 415edc68b6522cc6b0fbe0a1a696416863c5c900 Author: Guilherme G. Piccoli Date: Wed Mar 23 16:07:03 2022 -0700 docs: sysctl/kernel: add missing bit to panic_print commit a1ff1de00db21ecb956213f046b79741b64c6b65 upstream. Patch series "Some improvements on panic_print". This is a mix of a documentation fix with some additions to the "panic_print" syscall / parameter. The goal here is being able to collect all CPUs backtraces during a panic event and also to enable "panic_print" in a kdump event - details of the reasoning and design choices in the patches. This patch (of 3): Commit de6da1e8bcf0 ("panic: add an option to replay all the printk message in buffer") added a new bit to the sysctl/kernel parameter "panic_print", but the documentation was added only in kernel-parameters.txt, not in the sysctl guide. Fix it here by adding bit 5 to sysctl admin-guide documentation. [rdunlap@infradead.org: fix table format warning] Link: https://lkml.kernel.org/r/20220109055635.6999-1-rdunlap@infradead.org Link: https://lkml.kernel.org/r/20211109202848.610874-1-gpiccoli@igalia.com Link: https://lkml.kernel.org/r/20211109202848.610874-2-gpiccoli@igalia.com Fixes: de6da1e8bcf0 ("panic: add an option to replay all the printk message in buffer") Signed-off-by: Guilherme G. Piccoli Reviewed-by: Feng Tang Cc: Luis Chamberlain Cc: Kees Cook Cc: Iurii Zaikin Cc: Samuel Iglesias Gonsalvez Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 272c74323dcc5b65e6e20f89c9283b3696ed36a7 Author: Anton Ivanov Date: Tue Feb 22 12:44:10 2022 +0000 um: Fix uml_mconsole stop/go commit 1a3a6a2a035bb6c3a7ef4c788d8fd69a7b2d6284 upstream. Moving to an EPOLL based IRQ controller broke uml_mconsole stop/go commands. This fixes it and restores stop/go functionality. Fixes: ff6a17989c08 ("Epoll based IRQ controller") Signed-off-by: Anton Ivanov Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit c0a6a547388eaf2c6ff5ff5ff932db5482ff2721 Author: Kuldeep Singh Date: Sat Mar 26 09:53:09 2022 +0530 ARM: dts: spear13xx: Update SPI dma properties commit 31d3687d6017c7ce6061695361598d9cda70807a upstream. Reorder dmas and dma-names property for spi controller node to make it compliant with bindings. Fixes: 6e8887f60f60 ("ARM: SPEAr13xx: Pass generic DW DMAC platform data from DT") Signed-off-by: Kuldeep Singh Acked-by: Viresh Kumar Link: https://lore.kernel.org/r/20220326042313.97862-2-singh.kuldeep87k@gmail.com' Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit ea3912af8b8a954b79933d29e916d0a6e23b67e9 Author: Kuldeep Singh Date: Sat Mar 26 09:53:10 2022 +0530 ARM: dts: spear1340: Update serial node properties commit 583d6b0062640def86f3265aa1042ecb6672516e upstream. Reorder dma and dma-names property for serial node to make it compliant with bindings. Fixes: 6e8887f60f60 ("ARM: SPEAr13xx: Pass generic DW DMAC platform data from DT") Signed-off-by: Kuldeep Singh Acked-by: Viresh Kumar Link: https://lore.kernel.org/r/20220326042313.97862-3-singh.kuldeep87k@gmail.com' Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 74f7971985bd06aea710cc5ed5f01d94ac3fc9fd Author: Amadeusz Sławiński Date: Wed Jan 12 18:00:29 2022 +0100 ASoC: topology: Allow TLV control to be either read or write commit feb00b736af64875560f371fe7f58b0b7f239046 upstream. There is no reason to force readwrite access on TLV controls. It can be either read, write or both. This is further evidenced in code where it performs following checks: if ((k->access & SNDRV_CTL_ELEM_ACCESS_TLV_READ) && !sbe->get) return -EINVAL; if ((k->access & SNDRV_CTL_ELEM_ACCESS_TLV_WRITE) && !sbe->put) return -EINVAL; Fixes: 1a3232d2f61d ("ASoC: topology: Add support for TLV bytes controls") Signed-off-by: Amadeusz Sławiński Reviewed-by: Cezary Rojewski Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220112170030.569712-3-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 3ca47556d92071b9194a53625779f33d2da226a6 Author: Zhihao Cheng Date: Mon Dec 27 11:22:42 2021 +0800 ubi: fastmap: Return error code if memory allocation fails in add_aeb() commit c3c07fc25f37c157fde041b3a0c3dfcb1590cbce upstream. Abort fastmap scanning and return error code if memory allocation fails in add_aeb(). Otherwise ubi will get wrong peb statistics information after scanning. Fixes: dbb7d2a88d2a7b ("UBI: Add fastmap core") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 7704f243cbbd1393cc42f40abebf6810bfc70f1b Author: Miquel Raynal Date: Thu Dec 16 12:16:33 2021 +0100 dt-bindings: spi: mxic: The interrupt property is not mandatory commit 90c204d3195a795f77f5bce767e311dd1c59ca17 upstream. The interrupt property is not mandatory at all, this property should not be part of the required properties list, so move it into the optional properties list. Fixes: 326e5c8d4a87 ("dt-binding: spi: Document Macronix controller bindings") Signed-off-by: Miquel Raynal Reviewed-by: Rob Herring Reviewed-by: Mark Brown Link: https://lore.kernel.org/linux-mtd/20211216111654.238086-8-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 648ab1dcc119deeaa34292e26b31180e12f6ca05 Author: Miquel Raynal Date: Thu Dec 16 12:16:28 2021 +0100 dt-bindings: mtd: nand-controller: Fix a comment in the examples commit 0e7f1b557974ce297e5e4c9d4245720fbb489886 upstream. The controller properties should be in the controller 'parent' node, while properties in the children nodes are specific to the NAND *chip*. This error was already present during the yaml conversion. Fixes: 2d472aba15ff ("mtd: nand: document the NAND controller/NAND chip DT representation") Signed-off-by: Miquel Raynal Acked-by: Rob Herring Link: https://lore.kernel.org/linux-mtd/20211216111654.238086-3-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 71917e45e1aa1ae5ef641677f98637975e8ae47b Author: Miquel Raynal Date: Thu Dec 16 12:16:27 2021 +0100 dt-bindings: mtd: nand-controller: Fix the reg property description commit 93f2ec9e401276fb4ea9903194a5bfcf175f9a2c upstream. The reg property of a NAND device always references the chip-selects. The ready/busy lines are described in the nand-rb property. I believe this was a harmless copy/paste error during the conversion to yaml. Fixes: 212e49693592 ("dt-bindings: mtd: Add YAML schemas for the generic NAND options") Signed-off-by: Miquel Raynal Acked-by: Rob Herring Link: https://lore.kernel.org/linux-mtd/20211216111654.238086-2-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 73f2f37417b035d9607888be4fd23a9e709a85c6 Author: Hengqi Chen Date: Thu Mar 10 23:53:35 2022 +0800 bpf: Fix comment for helper bpf_current_task_under_cgroup() commit 58617014405ad5c9f94f464444f4972dabb71ca7 upstream. Fix the descriptions of the return values of helper bpf_current_task_under_cgroup(). Fixes: c6b5fb8690fa ("bpf: add documentation for eBPF helpers (42-50)") Signed-off-by: Hengqi Chen Signed-off-by: Daniel Borkmann Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20220310155335.1278783-1-hengqi.chen@gmail.com Signed-off-by: Greg Kroah-Hartman commit 90805175a206f784b6a77f16f07b07f6803e286b Author: Namhyung Kim Date: Mon Mar 14 11:20:41 2022 -0700 bpf: Adjust BPF stack helper functions to accommodate skip > 0 commit ee2a098851bfbe8bcdd964c0121f4246f00ff41e upstream. Let's say that the caller has storage for num_elem stack frames. Then, the BPF stack helper functions walk the stack for only num_elem frames. This means that if skip > 0, one keeps only 'num_elem - skip' frames. This is because it sets init_nr in the perf_callchain_entry to the end of the buffer to save num_elem entries only. I believe it was because the perf callchain code unwound the stack frames until it reached the global max size (sysctl_perf_event_max_stack). However it now has perf_callchain_entry_ctx.max_stack to limit the iteration locally. This simplifies the code to handle init_nr in the BPF callstack entries and removes the confusion with the perf_event's __PERF_SAMPLE_CALLCHAIN_EARLY which sets init_nr to 0. Also change the comment on bpf_get_stack() in the header file to be more explicit what the return value means. Fixes: c195651e565a ("bpf: add bpf_get_stack helper") Signed-off-by: Namhyung Kim Signed-off-by: Alexei Starovoitov Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/30a7b5d5-6726-1cc2-eaee-8da2828a9a9c@oracle.com Link: https://lore.kernel.org/bpf/20220314182042.71025-1-namhyung@kernel.org Signed-off-by: Greg Kroah-Hartman Based-on-patch-by: Eugene Loh commit 86489492e87680c9c1c13a1a73ee278c13ecbab6 Author: Randy Dunlap Date: Tue Mar 22 14:47:52 2022 -0700 mm/usercopy: return 1 from hardened_usercopy __setup() handler commit 05fe3c103f7e6b8b4fca8a7001dfc9ed4628085b upstream. __setup() handlers should return 1 if the command line option is handled and 0 if not (or maybe never return 0; it just pollutes init's environment). This prevents: Unknown kernel command line parameters \ "BOOT_IMAGE=/boot/bzImage-517rc5 hardened_usercopy=off", will be \ passed to user space. Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc5 hardened_usercopy=off or hardened_usercopy=on but when "hardened_usercopy=foo" is used, there is no Unknown kernel command line parameter. Return 1 to indicate that the boot option has been handled. Print a warning if strtobool() returns an error on the option string, but do not mark this as in unknown command line option and do not cause init's environment to be polluted with this string. Link: https://lkml.kernel.org/r/20220222034249.14795-1-rdunlap@infradead.org Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: b5cb15d9372ab ("usercopy: Allow boot cmdline disabling of hardening") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Acked-by: Chris von Recklinghausen Cc: Kees Cook Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 81a04b9a32e40876dd41909542f1b23560cb99d3 Author: Randy Dunlap Date: Tue Mar 22 14:40:31 2022 -0700 mm/memcontrol: return 1 from cgroup.memory __setup() handler commit 460a79e18842caca6fa0c415de4a3ac1e671ac50 upstream. __setup() handlers should return 1 if the command line option is handled and 0 if not (or maybe never return 0; it just pollutes init's environment). The only reason that this particular __setup handler does not pollute init's environment is that the setup string contains a '.', as in "cgroup.memory". This causes init/main.c::unknown_boottoption() to consider it to be an "Unused module parameter" and ignore it. (This is for parsing of loadable module parameters any time after kernel init.) Otherwise the string "cgroup.memory=whatever" would be added to init's environment strings. Instead of relying on this '.' quirk, just return 1 to indicate that the boot option has been handled. Note that there is no warning message if someone enters: cgroup.memory=anything_invalid Link: https://lkml.kernel.org/r/20220222005811.10672-1-rdunlap@infradead.org Fixes: f7e1cb6ec51b0 ("mm: memcontrol: account socket memory in unified hierarchy memory controller") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Reviewed-by: Michal Koutný Cc: Johannes Weiner Cc: Michal Hocko Cc: Vladimir Davydov Cc: Roman Gushchin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f321621f5c84483a5b32e0f91d8624f2f95b4f24 Author: Randy Dunlap Date: Sat Mar 12 07:36:09 2022 +0100 ARM: 9187/1: JIVE: fix return value of __setup handler commit 8b2360c7157b462c4870d447d1e65d30ef31f9aa upstream. __setup() handlers should return 1 to obsolete_checksetup() in init/main.c to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) argument or environment strings. Also, error return codes don't mean anything to obsolete_checksetup() -- only non-zero (usually 1) or zero. So return 1 from jive_mtdset(). Fixes: 9db829f485c5 ("[ARM] JIVE: Initial machine support for Logitech Jive") Signed-off-by: Randy Dunlap Cc: Ben Dooks Cc: Krzysztof Kozlowski Cc: Alim Akhtar Cc: linux-arm-kernel@lists.infradead.org Cc: linux-samsung-soc@vger.kernel.org Cc: patches@armlinux.org.uk Signed-off-by: Russell King (Oracle) Signed-off-by: Greg Kroah-Hartman commit d57feed3b11404ff7fca19b3576aff30459d68bf Author: Randy Dunlap Date: Tue Mar 22 14:42:27 2022 -0700 mm/mmap: return 1 from stack_guard_gap __setup() handler commit e6d094936988910ce6e8197570f2753898830081 upstream. __setup() handlers should return 1 if the command line option is handled and 0 if not (or maybe never return 0; it just pollutes init's environment). This prevents: Unknown kernel command line parameters \ "BOOT_IMAGE=/boot/bzImage-517rc5 stack_guard_gap=100", will be \ passed to user space. Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc5 stack_guard_gap=100 Return 1 to indicate that the boot option has been handled. Note that there is no warning message if someone enters: stack_guard_gap=anything_invalid and 'val' and stack_guard_gap are both set to 0 due to the use of simple_strtoul(). This could be improved by using kstrtoxxx() and checking for an error. It appears that having stack_guard_gap == 0 is valid (if unexpected) since using "stack_guard_gap=0" on the kernel command line does that. Link: https://lkml.kernel.org/r/20220222005817.11087-1-rdunlap@infradead.org Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: 1be7107fbe18e ("mm: larger stack guard gap, between vmas") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 73f7cbb15191298ec58c0bee3202690d54aa72de Author: Sven Eckelmann Date: Sun Aug 8 19:56:17 2021 +0200 batman-adv: Check ptr for NULL before reducing its refcnt commit 6340dcbd619450c1bb55eb999e554e4f0e6dab0a upstream. The commit b37a46683739 ("netdevice: add the case if dev is NULL") changed the way how the NULL check for net_devices have to be handled when trying to reduce its reference counter. Before this commit, it was the responsibility of the caller to check whether the object is NULL or not. But it was changed to behave more like kfree. Now the callee has to handle the NULL-case. The batman-adv code was scanned via cocinelle for similar places. These were changed to use the paradigm @@ identifier E, T, R, C; identifier put; @@ void put(struct T *E) { + if (!E) + return; kref_put(&E->C, R); } Functions which were used in other sources files were moved to the header to allow the compiler to inline the NULL check and the kref_put call. Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich Signed-off-by: Greg Kroah-Hartman commit f6da750bfaf40816139c073227df30ad0a11158e Author: Jiasheng Jiang Date: Thu Mar 10 11:00:41 2022 +0800 ASoC: soc-compress: Change the check for codec_dai commit ccb4214f7f2a8b75acf493f31128e464ee1a3536 upstream. It should be better to reverse the check on codec_dai and returned early in order to be easier to understand. Fixes: de2c6f98817f ("ASoC: soc-compress: prevent the potentially use of null pointer") Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Jiasheng Jiang Reviewed-by: Charles Keepax Link: https://lore.kernel.org/r/20220310030041.1556323-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit d3f786b7cf81284e5c13dabaf94bab2d0602a8af Author: Arınç ÜNAL Date: Tue Feb 15 11:17:24 2022 +0300 staging: mt7621-dts: fix pinctrl-0 items to be size-1 items on ethernet commit 25e4f5220efead592c83200241e098e757d37e1f upstream. Fix pinctrl-0 items under the ethernet node to be size-1 items. Current notation would be used on specifications with non-zero cells. Fixes: 0a93c0d75809 ("staging: mt7621-dts: fix pinctrl properties for ethernet") Reported-by: Sander Vanheule Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20220215081725.3463-1-arinc.unal@arinc9.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 12e380bb6f164dadc9e01b40b0be08ec31692a7f Author: Lv Ruyi Date: Tue Mar 29 10:40:04 2022 +0000 proc: bootconfig: Add null pointer check commit bed5b60bf67ccd8957b8c0558fead30c4a3f5d3f upstream. kzalloc is a memory allocation function which can return NULL when some internal memory errors happen. It is safer to add null pointer check. Link: https://lkml.kernel.org/r/20220329104004.2376879-1-lv.ruyi@zte.com.cn Cc: stable@vger.kernel.org Fixes: c1a3c36017d4 ("proc: bootconfig: Add /proc/bootconfig to show boot config list") Acked-by: Masami Hiramatsu Reported-by: Zeal Robot Signed-off-by: Lv Ruyi Signed-off-by: Steven Rostedt (Google) Signed-off-by: Greg Kroah-Hartman commit 90ec1b1538d4d5e9f0267ca16d30606b4701da50 Author: Oliver Hartkopp Date: Mon Mar 28 13:36:11 2022 +0200 can: isotp: restore accidentally removed MSG_PEEK feature [ Upstream commit e382fea8ae54f5bb62869c6b69b33993d43adeca ] In commit 42bf50a1795a ("can: isotp: support MSG_TRUNC flag when reading from socket") a new check for recvmsg flags has been introduced that only checked for the flags that are handled in isotp_recvmsg() itself. This accidentally removed the MSG_PEEK feature flag which is processed later in the call chain in __skb_try_recv_from_queue(). Add MSG_PEEK to the set of valid flags to restore the feature. Fixes: 42bf50a1795a ("can: isotp: support MSG_TRUNC flag when reading from socket") Link: https://github.com/linux-can/can-utils/issues/347#issuecomment-1079554254 Link: https://lore.kernel.org/all/20220328113611.3691-1-socketcan@hartkopp.net Reported-by: Derek Will Suggested-by: Derek Will Tested-by: Derek Will Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 16960ac92b84067ea1d0a2e6b8d7a5ba6fe32672 Author: Prashant Malani Date: Wed Jan 26 19:02:20 2022 +0000 platform/chrome: cros_ec_typec: Check for EC device commit ffebd90532728086007038986900426544e3df4e upstream. The Type C ACPI device on older Chromebooks is not generated correctly (since their EC firmware doesn't support the new commands required). In such cases, the crafted ACPI device doesn't have an EC parent, and it is therefore not useful (it shouldn't be generated in the first place since the EC firmware doesn't support any of the Type C commands). To handle devices which use these older firmware revisions, check for the parent EC device handle, and fail the probe if it's not found. Fixes: fdc6b21e2444 ("platform/chrome: Add Type C connector class driver") Reported-by: Alyssa Ross Reviewed-by: Tzung-Bi Shih Signed-off-by: Prashant Malani Acked-by: Heikki Krogerus Reviewed-by: Alyssa Ross Tested-by: Alyssa Ross Link: https://lore.kernel.org/r/20220126190219.3095419-1-pmalani@chromium.org Signed-off-by: Benson Leung Signed-off-by: Greg Kroah-Hartman commit e5b681822cac1f8093759b02e16c06b2c64b6788 Author: Rafael J. Wysocki Date: Tue Mar 22 17:02:05 2022 +0100 ACPI: CPPC: Avoid out of bounds access when parsing _CPC data commit 40d8abf364bcab23bc715a9221a3c8623956257b upstream. If the NumEntries field in the _CPC return package is less than 2, do not attempt to access the "Revision" element of that package, because it may not be present then. Fixes: 337aadff8e45 ("ACPI: Introduce CPU performance controls using CPPC") BugLink: https://lore.kernel.org/lkml/20220322143534.GC32582@xsang-OptiPlex-9020/ Reported-by: kernel test robot Signed-off-by: Rafael J. Wysocki Reviewed-by: Huang Rui Signed-off-by: Greg Kroah-Hartman commit 785a53373c22e3b75afcaffb99cbc9484dae9276 Author: Fangrui Song Date: Mon Mar 21 18:26:17 2022 -0700 riscv module: remove (NOLOAD) commit 60210a3d86dc57ce4a76a366e7841dda746a33f7 upstream. On ELF, (NOLOAD) sets the section type to SHT_NOBITS[1]. It is conceptually inappropriate for .plt, .got, and .got.plt sections which are always SHT_PROGBITS. In GNU ld, if PLT entries are needed, .plt will be SHT_PROGBITS anyway and (NOLOAD) will be essentially ignored. In ld.lld, since https://reviews.llvm.org/D118840 ("[ELF] Support (TYPE=) to customize the output section type"), ld.lld will report a `section type mismatch` error (later changed to a warning). Just remove (NOLOAD) to fix the warning. [1] https://lld.llvm.org/ELF/linker_script.html As of today, "The section should be marked as not loadable" on https://sourceware.org/binutils/docs/ld/Output-Section-Type.html is outdated for ELF. Link: https://github.com/ClangBuiltLinux/linux/issues/1597 Fixes: ab1ef68e5401 ("RISC-V: Add sections of PLT and GOT for kernel module") Reported-by: Nathan Chancellor Signed-off-by: Fangrui Song Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit b27de7011cb3ba14b047be2cee0ed8278368665b Author: Pavel Begunkov Date: Fri Mar 25 16:36:31 2022 +0000 io_uring: fix memory leak of uid in files registration commit c86d18f4aa93e0e66cda0e55827cd03eea6bc5f8 upstream. When there are no files for __io_sqe_files_scm() to process in the range, it'll free everything and return. However, it forgets to put uid. Fixes: 08a451739a9b5 ("io_uring: allow sparse fixed file sets") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/accee442376f33ce8aaebb099d04967533efde92.1648226048.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 20499ed3c0411768912ac7f24a29ad3981b0d80b Author: Arnd Bergmann Date: Tue Nov 30 11:16:41 2021 +0100 ARM: iop32x: offset IRQ numbers by 1 commit 9d67412f24cc3a2c05f35f7c856addb07a2960ce upstream. iop32x is one of the last platforms to use IRQ 0, and this has apparently stopped working in a 2014 cleanup without anyone noticing. This interrupt is used for the DMA engine, so most likely this has not actually worked in the past 7 years, but it's also not essential for using this board. I'm splitting out this change from my GENERIC_IRQ_MULTI_HANDLER conversion so it can be backported if anyone cares. Fixes: a71b092a9c68 ("ARM: Convert handle_IRQ to use __handle_domain_irq") Signed-off-by: Arnd Bergmann [ardb: take +1 offset into account in mask/unmask and init as well] Signed-off-by: Ard Biesheuvel Tested-by: Marc Zyngier Tested-by: Vladimir Murzin # ARMv7M Reviewed-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 432b057f8e847ae5a2306515606f8d2defaca178 Author: Baokun Li Date: Fri Nov 5 17:30:22 2021 +0800 ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl commit 3cbf0e392f173ba0ce425968c8374a6aa3e90f2e upstream. Hulk Robot reported a KASAN report about use-after-free: ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160 Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385 [...] Call Trace: klist_dec_and_del+0xa7/0x4a0 klist_put+0xc7/0x1a0 device_del+0x4d4/0xed0 cdev_device_del+0x1a/0x80 ubi_attach_mtd_dev+0x2951/0x34b0 [ubi] ctrl_cdev_ioctl+0x286/0x2f0 [ubi] Allocated by task 1414: device_add+0x60a/0x18b0 cdev_device_add+0x103/0x170 ubi_create_volume+0x1118/0x1a10 [ubi] ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi] Freed by task 1385: cdev_device_del+0x1a/0x80 ubi_remove_volume+0x438/0x6c0 [ubi] ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi] [...] ================================================================== The lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held by ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be concurrent. ctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach. ubi_detach is bug-free because it uses reference counting to prevent concurrency. However, uif_init and uif_close in ubi_attach may race with ubi_cdev_ioctl. uif_init will race with ubi_cdev_ioctl as in the following stack. cpu1 cpu2 cpu3 _______________________|________________________|______________________ ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_add_volume // sysfs exist kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // first free ubi_free_volume cdev_del // double free cdev_device_del And uif_close will race with ubi_cdev_ioctl as in the following stack. cpu1 cpu2 cpu3 _______________________|________________________|______________________ ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_debugfs_init_dev //error goto out_uif; uif_close kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // first free ubi_free_volume // double free The cause of this problem is that commit 714fb87e8bc0 make device "available" before it becomes accessible via sysfs. Therefore, we roll back the modification. We will fix the race condition between ubi device creation and udev by removing ubi_get_device in vol_attribute_show and dev_attribute_show.This avoids accessing uninitialized ubi_devices[ubi_num]. ubi_get_device is used to prevent devices from being deleted during sysfs execution. However, now kernfs ensures that devices will not be deleted before all reference counting are released. The key process is shown in the following stack. device_del device_remove_attrs device_remove_groups sysfs_remove_groups sysfs_remove_group remove_files kernfs_remove_by_name kernfs_remove_by_name_ns __kernfs_remove kernfs_drain Fixes: 714fb87e8bc0 ("ubi: Fix race condition between ubi device creation and udev") Reported-by: Hulk Robot Signed-off-by: Baokun Li Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit f28a857a61ebb7960fd6d54c4e126cccb7079620 Author: Jiaxin Yu Date: Sat Mar 19 20:03:25 2022 +0800 ASoC: mediatek: mt6358: add missing EXPORT_SYMBOLs commit a7663c89f4193dbf717572e46e5a3251940dbdc8 upstream. Fixes the following build errors when mt6358 is configured as module: >> ERROR: modpost: "mt6358_set_mtkaif_protocol" >> [sound/soc/mediatek/mt8186/mt8186-mt6366-rt1019-rt5682s.ko] undefined! >> ERROR: modpost: "mt6358_set_mtkaif_protocol" >> [sound/soc/mediatek/mt8186/mt8186-mt6366-da7219-max98357.ko] undefined! Fixes: 6a8d4198ca80 ("ASoC: mediatek: mt6358: add codec driver") Signed-off-by: Jiaxin Yu Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220319120325.11882-1-jiaxin.yu@mediatek.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit ecfc3f8a635054e05dd0a73ca3ad7d46330bbcec Author: Jonathan Neuschäfer Date: Sat Feb 5 16:53:30 2022 +0100 pinctrl: nuvoton: npcm7xx: Use %zu printk format for ARRAY_SIZE() commit 9d0f18bca3b557ae5d2128661ac06d33b3f45c0a upstream. When compile-testing on 64-bit architectures, GCC complains about the mismatch of types between the %d format specifier and value returned by ARRAY_LENGTH(). Use %zu, which is correct everywhere. Reported-by: kernel test robot Fixes: 3b588e43ee5c7 ("pinctrl: nuvoton: add NPCM7xx pinctrl and GPIO driver") Signed-off-by: Jonathan Neuschäfer Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220205155332.1308899-2-j.neuschaefer@gmx.net Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 503868a7c00632be41d7a93185229d9be50b5497 Author: Jonathan Neuschäfer Date: Sat Feb 5 16:53:31 2022 +0100 pinctrl: nuvoton: npcm7xx: Rename DS() macro to DSTR() commit 603501c16431c56f74eaef1ee1390f60a30c2187 upstream. The name "DS" is defined in arch/x86/um/shared/sysdep/ptrace_64.h, which results in a compiler warning when build-testing on ARCH=um. Rename this driver's "DS" macro to DSTR so avoid this collision. Reported-by: kernel test robot Fixes: 3b588e43ee5c7 ("pinctrl: nuvoton: add NPCM7xx pinctrl and GPIO driver") Signed-off-by: Jonathan Neuschäfer Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220205155332.1308899-3-j.neuschaefer@gmx.net Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit d9afc5146bd37e7d4bb3f425ec0aa97dfcbdcb71 Author: Miaoqian Lin Date: Wed Jan 5 09:21:13 2022 +0000 watchdog: rti-wdt: Add missing pm_runtime_disable() in probe function commit d055ef3a2c6919cff504ae3b710c96318d545fd2 upstream. If the probe fails, we should use pm_runtime_disable() to balance pm_runtime_enable(). Fixes: 2d63908bdbfb ("watchdog: Add K3 RTI watchdog support") Signed-off-by: Miaoqian Lin Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20220105092114.23932-1-linmq006@gmail.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman commit 402b53dc7c46eb602f444026c863a537f2791bcd Author: Chen-Yu Tsai Date: Tue Mar 8 18:09:46 2022 +0800 pinctrl: pinconf-generic: Print arguments for bias-pull-* commit 188e5834b930acd03ad3cf7c5e7aa24db9665a29 upstream. The bias-pull-* properties, or PIN_CONFIG_BIAS_PULL_* pin config parameters, accept optional arguments in ohms denoting the strength of the pin bias. Print these values out in debugfs as well. Fixes: eec450713e5c ("pinctrl: pinconf-generic: Add flag to print arguments") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Tested-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308100956.2750295-2-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 7169f60110915c8b53bffd43741fa020a75eb87a Author: Eric Dumazet Date: Mon Mar 28 18:07:04 2022 +0100 watch_queue: Free the page array when watch_queue is dismantled commit b490207017ba237d97b735b2aa66dc241ccd18f5 upstream. Commit 7ea1a0124b6d ("watch_queue: Free the alloc bitmap when the watch_queue is torn down") took care of the bitmap, but not the page array. BUG: memory leak unreferenced object 0xffff88810d9bc140 (size 32): comm "syz-executor335", pid 3603, jiffies 4294946994 (age 12.840s) hex dump (first 32 bytes): 40 a7 40 04 00 ea ff ff 00 00 00 00 00 00 00 00 @.@............. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: kmalloc_array include/linux/slab.h:621 [inline] kcalloc include/linux/slab.h:652 [inline] watch_queue_set_size+0x12f/0x2e0 kernel/watch_queue.c:251 pipe_ioctl+0x82/0x140 fs/pipe.c:632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] Reported-by: syzbot+25ea042ae28f3888727a@syzkaller.appspotmail.com Fixes: c73be61cede5 ("pipe: Add general notification queue support") Signed-off-by: Eric Dumazet Signed-off-by: David Howells Cc: Jann Horn Link: https://lore.kernel.org/r/20220322004654.618274-1-eric.dumazet@gmail.com/ Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e64dc94990fddc326cd59a5f5bb19af1fbe6f7d3 Author: Herbert Xu Date: Thu Mar 17 10:55:13 2022 +1200 crypto: arm/aes-neonbs-cbc - Select generic cbc and aes commit c8bd296cca3434b13b28b074eaeb78a23284de77 upstream. The algorithm __cbc-aes-neonbs requires a fallback so we need to select the config options for them or otherwise it will fail to register on boot-up. Fixes: 00b99ad2bac2 ("crypto: arm/aes-neonbs - Use generic cbc...") Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit a16f5ae8ade1644250a934198431f3018663e57b Author: Robin Gong Date: Mon Feb 7 09:52:06 2022 +0800 mailbox: imx: fix wakeup failure from freeze mode commit 892cb524ae8a27bf5e42f711318371acd9a9f74a upstream. Since IRQF_NO_SUSPEND used for imx mailbox driver, that means this irq can't be used for wakeup source so that can't wakeup from freeze mode. Add pm_system_wakeup() to wakeup from freeze mode. Fixes: b7b2796b9b31e("mailbox: imx: ONLY IPC MU needs IRQF_NO_SUSPEND flag") Reviewed-by: Jacky Bai Reviewed-by: Peng Fan Signed-off-by: Robin Gong Signed-off-by: Peng Fan Signed-off-by: Jassi Brar Signed-off-by: Greg Kroah-Hartman commit 051360e51341cd17738d82c15a8226010c7cb7f6 Author: David Howells Date: Wed Mar 30 15:39:16 2022 +0100 rxrpc: Fix call timer start racing with call destruction commit 4a7f62f91933c8ae5308f9127fd8ea48188b6bc3 upstream. The rxrpc_call struct has a timer used to handle various timed events relating to a call. This timer can get started from the packet input routines that are run in softirq mode with just the RCU read lock held. Unfortunately, because only the RCU read lock is held - and neither ref or other lock is taken - the call can start getting destroyed at the same time a packet comes in addressed to that call. This causes the timer - which was already stopped - to get restarted. Later, the timer dispatch code may then oops if the timer got deallocated first. Fix this by trying to take a ref on the rxrpc_call struct and, if successful, passing that ref along to the timer. If the timer was already running, the ref is discarded. The timer completion routine can then pass the ref along to the call's work item when it queues it. If the timer or work item where already queued/running, the extra ref is discarded. Fixes: a158bdd3247b ("rxrpc: Fix call timeouts") Reported-by: Marc Dionne Signed-off-by: David Howells Reviewed-by: Marc Dionne Tested-by: Marc Dionne cc: linux-afs@lists.infradead.org Link: http://lists.infradead.org/pipermail/linux-afs/2022-March/005073.html Link: https://lore.kernel.org/r/164865115696.2943015.11097991776647323586.stgit@warthog.procyon.org.uk Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit a94d98e06ebabeadcd346b5712bd4c22a74ce728 Author: Guangbin Huang Date: Wed Mar 30 21:45:06 2022 +0800 net: hns3: fix software vlan talbe of vlan 0 inconsistent with hardware commit 7ed258f12ec5ce855f15cdfb5710361dc82fe899 upstream. When user delete vlan 0, as driver will not delete vlan 0 for hardware in function hclge_set_vlan_filter_hw(), so vlan 0 in software vlan talbe should not be deleted. Fixes: fe4144d47eef ("net: hns3: sync VLAN filter entries when kill VLAN ID failed") Signed-off-by: Guangbin Huang Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit c73af4bc8a9183dbdaba631df9cf42ea06e00f61 Author: Andrew Price Date: Tue Mar 22 19:05:51 2022 +0000 gfs2: Make sure FITRIM minlen is rounded up to fs block size commit 27ca8273fda398638ca994a207323a85b6d81190 upstream. Per fstrim(8) we must round up the minlen argument to the fs block size. The current calculation doesn't take into account devices that have a discard granularity and requested minlen less than 1 fs block, so the value can get shifted away to zero in the translation to fs blocks. The zero minlen passed to gfs2_rgrp_send_discards() then allows sb_issue_discard() to be called with nr_sects == 0 which returns -EINVAL and results in gfs2_rgrp_send_discards() returning -EIO. Make sure minlen is never < 1 fs block by taking the max of the requested minlen and the fs block size before comparing to the device's discard granularity and shifting to fs blocks. Fixes: 076f0faa764ab ("GFS2: Fix FITRIM argument handling") Signed-off-by: Andrew Price Signed-off-by: Andreas Gruenbacher Signed-off-by: Greg Kroah-Hartman commit 33c204266c12512f73ca3b6e1ec3c050e0beaf81 Author: Tom Rix Date: Sat Mar 26 12:42:36 2022 -0700 rtc: check if __rtc_read_time was successful commit 915593a7a663b2ad08b895a5f3ba8b19d89d4ebf upstream. Clang static analysis reports this issue interface.c:810:8: warning: Passed-by-value struct argument contains uninitialized data now = rtc_tm_to_ktime(tm); ^~~~~~~~~~~~~~~~~~~ tm is set by a successful call to __rtc_read_time() but its return status is not checked. Check if it was successful before setting the enabled flag. Move the decl of err to function scope. Fixes: 2b2f5ff00f63 ("rtc: interface: ignore expired timers when enqueuing new timers") Signed-off-by: Tom Rix Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20220326194236.2916310-1-trix@redhat.com Signed-off-by: Greg Kroah-Hartman commit 381636f33fe4af41fec076c5d9346a7369bcb40e Author: Matthew Wilcox (Oracle) Date: Thu Mar 31 08:27:09 2022 -0400 XArray: Update the LRU list in xas_split() commit 3ed4bb77156da0bc732847c8c9df92454c1fbeea upstream. When splitting a value entry, we may need to add the new nodes to the LRU list and remove the parent node from the LRU list. The WARN_ON checks in shadow_lru_isolate() catch this oversight. This bug was latent until we stopped splitting folios in shrink_page_list() with commit 820c4e2e6f51 ("mm/vmscan: Free non-shmem folios without splitting them"). That allows the creation of large shadow entries, and subsequently when trying to page in a small page, we will split the large shadow entry in __filemap_add_folio(). Fixes: 8fc75643c5e1 ("XArray: add xas_split") Reported-by: Hugh Dickins Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Greg Kroah-Hartman commit 3b9fabe8f6e80b884e830d3cf715be81534e8845 Author: Tom Rix Date: Sat Mar 19 08:31:28 2022 -0700 can: mcp251xfd: mcp251xfd_register_get_dev_id(): fix return of error value commit fa7b514d2b2894e052b8e94c7a29feb98e90093f upstream. Clang static analysis reports this issue: | mcp251xfd-core.c:1813:7: warning: The left operand | of '&' is a garbage value | FIELD_GET(MCP251XFD_REG_DEVID_ID_MASK, dev_id), | ^ ~~~~~~ dev_id is set in a successful call to mcp251xfd_register_get_dev_id(). Though the status of calls made by mcp251xfd_register_get_dev_id() are checked and handled, their status' are not returned. So return err. Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") Link: https://lore.kernel.org/all/20220319153128.2164120-1-trix@redhat.com Signed-off-by: Tom Rix Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit ef0acc514123140157b19a9ff2e2de5d91d612bc Author: Pavel Skripkin Date: Sun Mar 13 13:09:03 2022 +0300 can: mcba_usb: properly check endpoint type commit 136bed0bfd3bc9c95c88aafff2d22ecb3a919f23 upstream. Syzbot reported warning in usb_submit_urb() which is caused by wrong endpoint type. We should check that in endpoint is actually present to prevent this warning. Found pipes are now saved to struct mcba_priv and code uses them directly instead of making pipes in place. Fail log: | usb 5-1: BOGUS urb xfer, pipe 3 != type 1 | WARNING: CPU: 1 PID: 49 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 | Modules linked in: | CPU: 1 PID: 49 Comm: kworker/1:2 Not tainted 5.17.0-rc6-syzkaller-00184-g38f80f42147f #0 | Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 | Workqueue: usb_hub_wq hub_event | RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 | ... | Call Trace: | | mcba_usb_start drivers/net/can/usb/mcba_usb.c:662 [inline] | mcba_usb_probe+0x8a3/0xc50 drivers/net/can/usb/mcba_usb.c:858 | usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 | call_driver_probe drivers/base/dd.c:517 [inline] Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer") Link: https://lore.kernel.org/all/20220313100903.10868-1-paskripkin@gmail.com Reported-and-tested-by: syzbot+3bc1dce0cc0052d60fde@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Reviewed-by: Vincent Mailhol Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 0801a51d79389282c1271e623613b2e1886e071e Author: Hangyu Hua Date: Fri Mar 11 16:02:08 2022 +0800 can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path commit 04c9b00ba83594a29813d6b1fb8fdc93a3915174 upstream. There is no need to call dev_kfree_skb() when usb_submit_urb() fails because can_put_echo_skb() deletes original skb and can_free_echo_skb() deletes the cloned skb. Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer") Link: https://lore.kernel.org/all/20220311080208.45047-1-hbh25y@gmail.com Signed-off-by: Hangyu Hua Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 1ac49c8fd49fdf53d3cd8b77eb8ffda08d7fbe22 Author: Matthew Wilcox (Oracle) Date: Mon Mar 28 19:25:11 2022 -0400 XArray: Fix xas_create_range() when multi-order entry present commit 3e3c658055c002900982513e289398a1aad4a488 upstream. If there is already an entry present that is of order >= XA_CHUNK_SHIFT when we call xas_create_range(), xas_create_range() will misinterpret that entry as a node and dereference xa_node->parent, generally leading to a crash that looks something like this: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 32 Comm: khugepaged Not tainted 5.17.0-rc8-syzkaller-00003-g56e337f2cf13 #0 RIP: 0010:xa_parent_locked include/linux/xarray.h:1207 [inline] RIP: 0010:xas_create_range+0x2d9/0x6e0 lib/xarray.c:725 It's deterministically reproducable once you know what the problem is, but producing it in a live kernel requires khugepaged to hit a race. While the problem has been present since xas_create_range() was introduced, I'm not aware of a way to hit it before the page cache was converted to use multi-index entries. Fixes: 6b24ca4a1a8d ("mm: Use multi-index entries in the page cache") Reported-by: syzbot+0d2b0bf32ca5cfd09f2e@syzkaller.appspotmail.com Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Greg Kroah-Hartman commit 49f77ab50a31ffad7b61fef01e42d8f105835cdb Author: Jason A. Donenfeld Date: Tue Mar 29 21:31:27 2022 -0400 wireguard: socket: ignore v6 endpoints when ipv6 is disabled commit 77fc73ac89be96ec8f39e8efa53885caa7cb3645 upstream. The previous commit fixed a memory leak on the send path in the event that IPv6 is disabled at compile time, but how did a packet even arrive there to begin with? It turns out we have previously allowed IPv6 endpoints even when IPv6 support is disabled at compile time. This is awkward and inconsistent. Instead, let's just ignore all things IPv6, the same way we do other malformed endpoints, in the case where IPv6 is disabled. Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 096f9d35cac0a0c95ffafc00db84786b665a4837 Author: Wang Hai Date: Tue Mar 29 21:31:26 2022 -0400 wireguard: socket: free skb in send6 when ipv6 is disabled commit bbbf962d9460194993ee1943a793a0a0af4a7fbf upstream. I got a memory leak report: unreferenced object 0xffff8881191fc040 (size 232): comm "kworker/u17:0", pid 23193, jiffies 4295238848 (age 3464.870s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] slab_post_alloc_hook+0x84/0x3b0 [] kmem_cache_alloc_node+0x167/0x340 [] __alloc_skb+0x1db/0x200 [] wg_socket_send_buffer_to_peer+0x3d/0xc0 [] wg_packet_send_handshake_initiation+0xfa/0x110 [] wg_packet_handshake_send_worker+0x21/0x30 [] process_one_work+0x2e8/0x770 [] worker_thread+0x4a/0x4b0 [] kthread+0x120/0x160 [] ret_from_fork+0x1f/0x30 In function wg_socket_send_buffer_as_reply_to_skb() or wg_socket_send_ buffer_to_peer(), the semantics of send6() is required to free skb. But when CONFIG_IPV6 is disable, kfree_skb() is missing. This patch adds it to fix this bug. Signed-off-by: Wang Hai Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit cd032f218c023d9f44b7a1c14752fce57023b21b Author: Jason A. Donenfeld Date: Tue Mar 29 21:31:24 2022 -0400 wireguard: queueing: use CFI-safe ptr_ring cleanup function commit ec59f128a9bd4255798abb1e06ac3b442f46ef68 upstream. We make too nuanced use of ptr_ring to entirely move to the skb_array wrappers, but we at least should avoid the naughty function pointer cast when cleaning up skbs. Otherwise RAP/CFI will honk at us. This patch uses the __skb_array_destroy_skb wrapper for the cleanup, rather than directly providing kfree_skb, which is what other drivers in the same situation do too. Reported-by: PaX Team Fixes: 886fcee939ad ("wireguard: receive: use ring buffer for incoming handshakes") Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 8a0c70c238c5233b1b55d18162ae20db52daa01c Author: Baokun Li Date: Tue Feb 15 12:07:36 2022 +0800 ubifs: rename_whiteout: correct old_dir size computing commit 705757274599e2e064dd3054aabc74e8af31a095 upstream. When renaming the whiteout file, the old whiteout file is not deleted. Therefore, we add the old dentry size to the old dir like XFS. Otherwise, an error may be reported due to `fscki->calc_sz != fscki->size` in check_indes. Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT") Reported-by: Zhihao Cheng Signed-off-by: Baokun Li Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit c34ae24a2590fee96a3a7735ba2fa6cc52306221 Author: Zhihao Cheng Date: Mon Dec 27 11:22:41 2021 +0800 ubifs: Fix to add refcount once page is set private commit 3b67db8a6ca83e6ff90b756d3da0c966f61cd37b upstream. MM defined the rule [1] very clearly that once page was set with PG_private flag, we should increment the refcount in that page, also main flows like pageout(), migrate_page() will assume there is one additional page reference count if page_has_private() returns true. Otherwise, we may get a BUG in page migration: page:0000000080d05b9d refcount:-1 mapcount:0 mapping:000000005f4d82a8 index:0xe2 pfn:0x14c12 aops:ubifs_file_address_operations [ubifs] ino:8f1 dentry name:"f30e" flags: 0x1fffff80002405(locked|uptodate|owner_priv_1|private|node=0| zone=1|lastcpupid=0x1fffff) page dumped because: VM_BUG_ON_PAGE(page_count(page) != 0) ------------[ cut here ]------------ kernel BUG at include/linux/page_ref.h:184! invalid opcode: 0000 [#1] SMP CPU: 3 PID: 38 Comm: kcompactd0 Not tainted 5.15.0-rc5 RIP: 0010:migrate_page_move_mapping+0xac3/0xe70 Call Trace: ubifs_migrate_page+0x22/0xc0 [ubifs] move_to_new_page+0xb4/0x600 migrate_pages+0x1523/0x1cc0 compact_zone+0x8c5/0x14b0 kcompactd+0x2bc/0x560 kthread+0x18c/0x1e0 ret_from_fork+0x1f/0x30 Before the time, we should make clean a concept, what does refcount means in page gotten from grab_cache_page_write_begin(). There are 2 situations: Situation 1: refcount is 3, page is created by __page_cache_alloc. TYPE_A - the write process is using this page TYPE_B - page is assigned to one certain mapping by calling __add_to_page_cache_locked() TYPE_C - page is added into pagevec list corresponding current cpu by calling lru_cache_add() Situation 2: refcount is 2, page is gotten from the mapping's tree TYPE_B - page has been assigned to one certain mapping TYPE_A - the write process is using this page (by calling page_cache_get_speculative()) Filesystem releases one refcount by calling put_page() in xxx_write_end(), the released refcount corresponds to TYPE_A (write task is using it). If there are any processes using a page, page migration process will skip the page by judging whether expected_page_refs() equals to page refcount. The BUG is caused by following process: PA(cpu 0) kcompactd(cpu 1) compact_zone ubifs_write_begin page_a = grab_cache_page_write_begin add_to_page_cache_lru lru_cache_add pagevec_add // put page into cpu 0's pagevec (refcnf = 3, for page creation process) ubifs_write_end SetPagePrivate(page_a) // doesn't increase page count ! unlock_page(page_a) put_page(page_a) // refcnt = 2 [...] PB(cpu 0) filemap_read filemap_get_pages add_to_page_cache_lru lru_cache_add __pagevec_lru_add // traverse all pages in cpu 0's pagevec __pagevec_lru_add_fn SetPageLRU(page_a) isolate_migratepages isolate_migratepages_block get_page_unless_zero(page_a) // refcnt = 3 list_add(page_a, from_list) migrate_pages(from_list) __unmap_and_move move_to_new_page ubifs_migrate_page(page_a) migrate_page_move_mapping expected_page_refs get 3 (migration[1] + mapping[1] + private[1]) release_pages put_page_testzero(page_a) // refcnt = 3 page_ref_freeze // refcnt = 0 page_ref_dec_and_test(0 - 1 = -1) page_ref_unfreeze VM_BUG_ON_PAGE(-1 != 0, page) UBIFS doesn't increase the page refcount after setting private flag, which leads to page migration task believes the page is not used by any other processes, so the page is migrated. This causes concurrent accessing on page refcount between put_page() called by other process(eg. read process calls lru_cache_add) and page_ref_unfreeze() called by migration task. Actually zhangjun has tried to fix this problem [2] by recalculating page refcnt in ubifs_migrate_page(). It's better to follow MM rules [1], because just like Kirill suggested in [2], we need to check all users of page_has_private() helper. Like f2fs does in [3], fix it by adding/deleting refcount when setting/clearing private for a page. BTW, according to [4], we set 'page->private' as 1 because ubifs just simply SetPagePrivate(). And, [5] provided a common helper to set/clear page private, ubifs can use this helper following the example of iomap, afs, btrfs, etc. Jump [6] to find a reproducer. [1] https://lore.kernel.org/lkml/2b19b3c4-2bc4-15fa-15cc-27a13e5c7af1@aol.com [2] https://www.spinics.net/lists/linux-mtd/msg04018.html [3] http://lkml.iu.edu/hypermail/linux/kernel/1903.0/03313.html [4] https://lore.kernel.org/linux-f2fs-devel/20210422154705.GO3596236@casper.infradead.org [5] https://lore.kernel.org/all/20200517214718.468-1-guoqing.jiang@cloud.ionos.com [6] https://bugzilla.kernel.org/show_bug.cgi?id=214961 Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 07a209fadee7b53b46858538e1177597273862e4 Author: Zhihao Cheng Date: Mon Dec 27 11:22:40 2021 +0800 ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock() commit 4f2262a334641e05f645364d5ade1f565c85f20b upstream. Function ubifs_wbuf_write_nolock() may access buf out of bounds in following process: ubifs_wbuf_write_nolock(): aligned_len = ALIGN(len, 8); // Assume len = 4089, aligned_len = 4096 if (aligned_len <= wbuf->avail) ... // Not satisfy if (wbuf->used) { ubifs_leb_write() // Fill some data in avail wbuf len -= wbuf->avail; // len is still not 8-bytes aligned aligned_len -= wbuf->avail; } n = aligned_len >> c->max_write_shift; if (n) { n <<= c->max_write_shift; err = ubifs_leb_write(c, wbuf->lnum, buf + written, wbuf->offs, n); // n > len, read out of bounds less than 8(n-len) bytes } , which can be catched by KASAN: ========================================================= BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0 Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128 Workqueue: writeback wb_workfn (flush-ubifs_0_0) Call Trace: kasan_report.cold+0x81/0x165 nand_write_page_swecc+0xa9/0x160 ubifs_leb_write+0xf2/0x1b0 [ubifs] ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs] write_head+0xdc/0x1c0 [ubifs] ubifs_jnl_write_inode+0x627/0x960 [ubifs] wb_workfn+0x8af/0xb80 Function ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8 bytes aligned, the 'len' represents the true length of buf (which is allocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so ubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully to write leb safely. Fetch a reproducer in [Link]. Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system") Link: https://bugzilla.kernel.org/show_bug.cgi?id=214785 Reported-by: Chengsong Ke Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit d07a2421693162d89a5c1033e0d1794c8a53dc8c Author: Zhihao Cheng Date: Mon Dec 27 11:22:39 2021 +0800 ubifs: setflags: Make dirtied_ino_d 8 bytes aligned commit 1b83ec057db16b4d0697dc21ef7a9743b6041f72 upstream. Make 'ui->data_len' aligned with 8 bytes before it is assigned to dirtied_ino_d. Since 8871d84c8f8b0c6b("ubifs: convert to fileattr") applied, 'setflags()' only affects regular files and directories, only xattr inode, symlink inode and special inode(pipe/char_dev/block_dev) have none- zero 'ui->data_len' field, so assertion '!(req->dirtied_ino_d & 7)' cannot fail in ubifs_budget_space(). To avoid assertion fails in future evolution(eg. setflags can operate special inodes), it's better to make dirtied_ino_d 8 bytes aligned, after all aligned size is still zero for regular files. Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 13b2a8151e3be5e03bc07236a2c55c156261d45a Author: Zhihao Cheng Date: Mon Dec 27 11:22:35 2021 +0800 ubifs: Add missing iput if do_tmpfile() failed in rename whiteout commit 716b4573026bcbfa7b58ed19fe15554bac66b082 upstream. whiteout inode should be put when do_tmpfile() failed if inode has been initialized. Otherwise we will get following warning during umount: UBIFS error (ubi0:0 pid 1494): ubifs_assert_failed [ubifs]: UBIFS assert failed: c->bi.dd_growth == 0, in fs/ubifs/super.c:1930 VFS: Busy inodes after unmount of ubifs. Self-destruct in 5 seconds. Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT") Signed-off-by: Zhihao Cheng Suggested-by: Sascha Hauer Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 83e42a78428fc354f5e2049935b84c8d8d29b787 Author: Zhihao Cheng Date: Mon Dec 27 11:22:33 2021 +0800 ubifs: Fix deadlock in concurrent rename whiteout and inode writeback commit afd427048047e8efdedab30e8888044e2be5aa9c upstream. Following hung tasks: [ 77.028764] task:kworker/u8:4 state:D stack: 0 pid: 132 [ 77.028820] Call Trace: [ 77.029027] schedule+0x8c/0x1b0 [ 77.029067] mutex_lock+0x50/0x60 [ 77.029074] ubifs_write_inode+0x68/0x1f0 [ubifs] [ 77.029117] __writeback_single_inode+0x43c/0x570 [ 77.029128] writeback_sb_inodes+0x259/0x740 [ 77.029148] wb_writeback+0x107/0x4d0 [ 77.029163] wb_workfn+0x162/0x7b0 [ 92.390442] task:aa state:D stack: 0 pid: 1506 [ 92.390448] Call Trace: [ 92.390458] schedule+0x8c/0x1b0 [ 92.390461] wb_wait_for_completion+0x82/0xd0 [ 92.390469] __writeback_inodes_sb_nr+0xb2/0x110 [ 92.390472] writeback_inodes_sb_nr+0x14/0x20 [ 92.390476] ubifs_budget_space+0x705/0xdd0 [ubifs] [ 92.390503] do_rename.cold+0x7f/0x187 [ubifs] [ 92.390549] ubifs_rename+0x8b/0x180 [ubifs] [ 92.390571] vfs_rename+0xdb2/0x1170 [ 92.390580] do_renameat2+0x554/0x770 , are caused by concurrent rename whiteout and inode writeback processes: rename_whiteout(Thread 1) wb_workfn(Thread2) ubifs_rename do_rename lock_4_inodes (Hold ui_mutex) ubifs_budget_space make_free_space shrink_liability __writeback_inodes_sb_nr bdi_split_work_to_wbs (Queue new wb work) wb_do_writeback(wb work) __writeback_single_inode ubifs_write_inode LOCK(ui_mutex) ↑ wb_wait_for_completion (Wait wb work) <-- deadlock! Reproducer (Detail program in [Link]): 1. SYS_renameat2("/mp/dir/file", "/mp/dir/whiteout", RENAME_WHITEOUT) 2. Consume out of space before kernel(mdelay) doing budget for whiteout Fix it by doing whiteout space budget before locking ubifs inodes. BTW, it also fixes wrong goto tag 'out_release' in whiteout budget error handling path(It should at least recover dir i_size and unlock 4 ubifs inodes). Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT") Link: https://bugzilla.kernel.org/show_bug.cgi?id=214733 Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit a90e2dbe66d2647ff95a0442ad2e86482d977fd8 Author: Zhihao Cheng Date: Mon Dec 27 11:22:32 2021 +0800 ubifs: rename_whiteout: Fix double free for whiteout_ui->data commit 40a8f0d5e7b3999f096570edab71c345da812e3e upstream. 'whiteout_ui->data' will be freed twice if space budget fail for rename whiteout operation as following process: rename_whiteout dev = kmalloc whiteout_ui->data = dev kfree(whiteout_ui->data) // Free first time iput(whiteout) ubifs_free_inode kfree(ui->data) // Double free! KASAN reports: ================================================================== BUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70 Call Trace: kfree+0x117/0x490 ubifs_free_inode+0x4f/0x70 [ubifs] i_callback+0x30/0x60 rcu_do_batch+0x366/0xac0 __do_softirq+0x133/0x57f Allocated by task 1506: kmem_cache_alloc_trace+0x3c2/0x7a0 do_rename+0x9b7/0x1150 [ubifs] ubifs_rename+0x106/0x1f0 [ubifs] do_syscall_64+0x35/0x80 Freed by task 1506: kfree+0x117/0x490 do_rename.cold+0x53/0x8a [ubifs] ubifs_rename+0x106/0x1f0 [ubifs] do_syscall_64+0x35/0x80 The buggy address belongs to the object at ffff88810238bed8 which belongs to the cache kmalloc-8 of size 8 ================================================================== Let ubifs_free_inode() free 'whiteout_ui->data'. BTW, delete unused assignment 'whiteout_ui->data_len = 0', process 'ubifs_evict_inode() -> ubifs_jnl_delete_inode() -> ubifs_jnl_write_inode()' doesn't need it (because 'inc_nlink(whiteout)' won't be excuted by 'goto out_release', and the nlink of whiteout inode is 0). Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 0c307349fe060971625b856c92f0361b8ea9a120 Author: Ammar Faizi Date: Fri Feb 25 01:58:36 2022 +0700 ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM commit b7fb0ae09009d076964afe4c1a2bde1ee2bd88a9 upstream. Do not call snd_dma_free_pages() when snd_dma_alloc_pages() returns -ENOMEM because it leads to a NULL pointer dereference bug. The dmesg says: [ T1387] sof-audio-pci-intel-tgl 0000:00:1f.3: error: memory alloc failed: -12 [ T1387] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ T1387] #PF: supervisor read access in kernel mode [ T1387] #PF: error_code(0x0000) - not-present page [ T1387] PGD 0 P4D 0 [ T1387] Oops: 0000 [#1] PREEMPT SMP NOPTI [ T1387] CPU: 6 PID: 1387 Comm: alsa-sink-HDA A Tainted: G W 5.17.0-rc4-superb-owl-00055-g80d47f5de5e3 [ T1387] Hardware name: HP HP Laptop 14s-dq2xxx/87FD, BIOS F.15 09/15/2021 [ T1387] RIP: 0010:dma_free_noncontiguous+0x37/0x80 [ T1387] Code: [... snip ...] [ T1387] RSP: 0000:ffffc90002b87770 EFLAGS: 00010246 [ T1387] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ T1387] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888101db30d0 [ T1387] RBP: 00000000fffffff4 R08: 0000000000000000 R09: 0000000000000000 [ T1387] R10: 0000000000000000 R11: ffffc90002b874d0 R12: 0000000000000001 [ T1387] R13: 0000000000058000 R14: ffff888105260c68 R15: ffff888105260828 [ T1387] FS: 00007f42e2ffd640(0000) GS:ffff888466b80000(0000) knlGS:0000000000000000 [ T1387] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ T1387] CR2: 0000000000000000 CR3: 000000014acf0003 CR4: 0000000000770ee0 [ T1387] PKRU: 55555554 [ T1387] Call Trace: [ T1387] [ T1387] cl_stream_prepare+0x10a/0x120 [snd_sof_intel_hda_common 146addf995b9279ae7f509621078cccbe4f875e1] [... snip ...] [ T1387] Cc: Daniel Baluta Cc: Jaroslav Kysela Cc: Kai Vehmanen Cc: Keyon Jie Cc: Liam Girdwood Cc: Mark Brown Cc: Rander Wang Cc: Ranjani Sridharan Cc: Takashi Iwai Cc: sound-open-firmware@alsa-project.org Cc: alsa-devel@alsa-project.org Cc: linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org # v5.2+ Fixes: d16046ffa6de040bf580a64d5f4d0aa18258a854 ("ASoC: SOF: Intel: Add Intel specific HDA firmware loader") Link: https://lore.kernel.org/lkml/20220224145124.15985-1-ammarfaizi2@gnuweeb.org/ # v1 Link: https://lore.kernel.org/lkml/20220224180850.34592-1-ammarfaizi2@gnuweeb.org/ # v2 Link: https://lore.kernel.org/lkml/20220224182818.40301-1-ammarfaizi2@gnuweeb.org/ # v3 Reviewed-by: Peter Ujfalusi Reviewed-by: Pierre-Louis Bossart Signed-off-by: Ammar Faizi Link: https://lore.kernel.org/r/20220224185836.44907-1-ammarfaizi2@gnuweeb.org Signed-off-by: Mark Brown [ammarfaizi2: Backport to Linux 5.10 LTS] Signed-off-by: Ammar Faizi Signed-off-by: Greg Kroah-Hartman commit 0fb470eb48892e131d10aa3be6915239e65758f3 Author: Yi Wang Date: Wed Mar 9 19:30:25 2022 +0800 KVM: SVM: fix panic on out-of-bounds guest IRQ commit a80ced6ea514000d34bf1239d47553de0d1ee89e upstream. As guest_irq is coming from KVM_IRQFD API call, it may trigger crash in svm_update_pi_irte() due to out-of-bounds: crash> bt PID: 22218 TASK: ffff951a6ad74980 CPU: 73 COMMAND: "vcpu8" #0 [ffffb1ba6707fa40] machine_kexec at ffffffff8565b397 #1 [ffffb1ba6707fa90] __crash_kexec at ffffffff85788a6d #2 [ffffb1ba6707fb58] crash_kexec at ffffffff8578995d #3 [ffffb1ba6707fb70] oops_end at ffffffff85623c0d #4 [ffffb1ba6707fb90] no_context at ffffffff856692c9 #5 [ffffb1ba6707fbf8] exc_page_fault at ffffffff85f95b51 #6 [ffffb1ba6707fc50] asm_exc_page_fault at ffffffff86000ace [exception RIP: svm_update_pi_irte+227] RIP: ffffffffc0761b53 RSP: ffffb1ba6707fd08 RFLAGS: 00010086 RAX: ffffb1ba6707fd78 RBX: ffffb1ba66d91000 RCX: 0000000000000001 RDX: 00003c803f63f1c0 RSI: 000000000000019a RDI: ffffb1ba66db2ab8 RBP: 000000000000019a R8: 0000000000000040 R9: ffff94ca41b82200 R10: ffffffffffffffcf R11: 0000000000000001 R12: 0000000000000001 R13: 0000000000000001 R14: ffffffffffffffcf R15: 000000000000005f ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #7 [ffffb1ba6707fdb8] kvm_irq_routing_update at ffffffffc09f19a1 [kvm] #8 [ffffb1ba6707fde0] kvm_set_irq_routing at ffffffffc09f2133 [kvm] #9 [ffffb1ba6707fe18] kvm_vm_ioctl at ffffffffc09ef544 [kvm] RIP: 00007f143c36488b RSP: 00007f143a4e04b8 RFLAGS: 00000246 RAX: ffffffffffffffda RBX: 00007f05780041d0 RCX: 00007f143c36488b RDX: 00007f05780041d0 RSI: 000000004008ae6a RDI: 0000000000000020 RBP: 00000000000004e8 R8: 0000000000000008 R9: 00007f05780041e0 R10: 00007f0578004560 R11: 0000000000000246 R12: 00000000000004e0 R13: 000000000000001a R14: 00007f1424001c60 R15: 00007f0578003bc0 ORIG_RAX: 0000000000000010 CS: 0033 SS: 002b Vmx have been fix this in commit 3a8b0677fc61 (KVM: VMX: Do not BUG() on out-of-bounds guest IRQ), so we can just copy source from that to fix this. Co-developed-by: Yi Liu Signed-off-by: Yi Liu Signed-off-by: Yi Wang Message-Id: <20220309113025.44469-1-wang.yi59@zte.com.cn> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit cd8c2d7c7c49597dd29da35c23048e10d7ad2059 Author: Li RongQing Date: Wed Mar 9 16:35:44 2022 +0800 KVM: x86: fix sending PV IPI commit c15e0ae42c8e5a61e9aca8aac920517cf7b3e94e upstream. If apic_id is less than min, and (max - apic_id) is greater than KVM_IPI_CLUSTER_SIZE, then the third check condition is satisfied but the new apic_id does not fit the bitmask. In this case __send_ipi_mask should send the IPI. This is mostly theoretical, but it can happen if the apic_ids on three iterations of the loop are for example 1, KVM_IPI_CLUSTER_SIZE, 0. Fixes: aaffcfd1e82 ("KVM: X86: Implement PV IPIs in linux guest") Signed-off-by: Li RongQing Message-Id: <1646814944-51801-1-git-send-email-lirongqing@baidu.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit eccfee44949d2d8ac9675d5b3f29cacaed5ba6c8 Author: David Matlack Date: Thu Mar 3 18:33:27 2022 +0000 KVM: Prevent module exit until all VMs are freed commit 5f6de5cbebee925a612856fce6f9182bb3eee0db upstream. Tie the lifetime the KVM module to the lifetime of each VM via kvm.users_count. This way anything that grabs a reference to the VM via kvm_get_kvm() cannot accidentally outlive the KVM module. Prior to this commit, the lifetime of the KVM module was tied to the lifetime of /dev/kvm file descriptors, VM file descriptors, and vCPU file descriptors by their respective file_operations "owner" field. This approach is insufficient because references grabbed via kvm_get_kvm() do not prevent closing any of the aforementioned file descriptors. This fixes a long standing theoretical bug in KVM that at least affects async page faults. kvm_setup_async_pf() grabs a reference via kvm_get_kvm(), and drops it in an asynchronous work callback. Nothing prevents the VM file descriptor from being closed and the KVM module from being unloaded before this callback runs. Fixes: af585b921e5d ("KVM: Halt vcpu if page it tries to access is swapped out") Fixes: 3d3aab1b973b ("KVM: set owner of cpu and vm file operations") Cc: stable@vger.kernel.org Suggested-by: Ben Gardon [ Based on a patch from Ben implemented for Google's kernel. ] Signed-off-by: David Matlack Message-Id: <20220303183328.1499189-2-dmatlack@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 09c771c45c1243e295470225aaee726693fdc242 Author: Vitaly Kuznetsov Date: Fri Mar 25 14:21:40 2022 +0100 KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't activated commit b1e34d325397a33d97d845e312d7cf2a8b646b44 upstream. Setting non-zero values to SYNIC/STIMER MSRs activates certain features, this should not happen when KVM_CAP_HYPERV_SYNIC{,2} was not activated. Note, it would've been better to forbid writing anything to SYNIC/STIMER MSRs, including zeroes, however, at least QEMU tries clearing HV_X64_MSR_STIMER0_CONFIG without SynIC. HV_X64_MSR_EOM MSR is somewhat 'special' as writing zero there triggers an action, this also should not happen when SynIC wasn't activated. Signed-off-by: Vitaly Kuznetsov Message-Id: <20220325132140.25650-4-vkuznets@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit aea4ffdcf30fc625d5775798ee9862957d0421cb Author: Gwendal Grignou Date: Fri Jan 21 16:13:01 2022 -0800 platform: chrome: Split trace include file commit eabd9a3807e17e211690e6c40f1405b427b64c48 upstream. cros_ec_trace.h defined 5 tracing events, 2 for cros_ec_proto and 3 for cros_ec_sensorhub_ring. These 2 files are in different kernel modules, the traces are defined twice in the kernel which leads to problem enabling only some traces. Move sensorhub traces from cros_ec_trace.h to cros_ec_sensorhub_trace.h and enable them only in cros_ec_sensorhub kernel module. Check we can now enable any single traces: without this patch, we can only enable all sensorhub traces or none. Fixes: d453ceb6549a ("platform/chrome: sensorhub: Add trace events for sample") Signed-off-by: Gwendal Grignou Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220122001301.640337-1-gwendal@chromium.org Signed-off-by: Benson Leung Signed-off-by: Greg Kroah-Hartman commit d3a913ba1fea148d2c809edd2f3ab83f838142b3 Author: Manish Rangankar Date: Thu Mar 10 01:26:02 2022 -0800 scsi: qla2xxx: Use correct feature type field during RFF_ID processing commit a7e05f7a1bcbe4ee055479242de46c5c16ab03b1 upstream. During SNS Register FC-4 Features (RFF_ID) the initiator driver was sending incorrect type field for NVMe supported device. Use correct feature type field. Link: https://lore.kernel.org/r/20220310092604.22950-12-njavali@marvell.com Fixes: e374f9f59281 ("scsi: qla2xxx: Migrate switch registration commands away from mailbox interface") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Manish Rangankar Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 633450063c1047d2977f0dbac2840a92484cdbb7 Author: Quinn Tran Date: Thu Mar 10 01:26:00 2022 -0800 scsi: qla2xxx: Reduce false trigger to login commit d2646eed7b19a206912f49101178cbbaa507256c upstream. While a session is in the middle of a relogin, a late RSCN can be delivered from switch. RSCN trigger fabric scan where the scan logic can trigger another session login while a login is in progress. Reduce the extra trigger to prevent multiple logins to the same session. Link: https://lore.kernel.org/r/20220310092604.22950-10-njavali@marvell.com Fixes: bee8b84686c4 ("scsi: qla2xxx: Reduce redundant ADISC command for RSCNs") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit dd48727cabe556db3e486885beac533438599c5d Author: Quinn Tran Date: Thu Mar 10 01:25:57 2022 -0800 scsi: qla2xxx: Fix N2N inconsistent PLOGI commit c13ce47c64ea8f14e77eecb40d1e7c2ac667f898 upstream. For N2N topology, ELS Passthrough is used to send PLOGI. On failure of ELS pass through PLOGI, driver flipped over to using LLIOCB PLOGI for N2N. This is not consistent. Delete the session to restart the connection where ELS pass through PLOGI would be used consistently. Link: https://lore.kernel.org/r/20220310092604.22950-7-njavali@marvell.com Fixes: c76ae845ea83 ("scsi: qla2xxx: Add error handling for PLOGI ELS passthrough") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 0910a791a6d7fd331f231f48200e18babb519769 Author: Arun Easi Date: Thu Mar 10 01:25:55 2022 -0800 scsi: qla2xxx: Fix missed DMA unmap for NVMe ls requests commit c85ab7d9e27a80e48d5b7d7fb2fe2b0fdb2de523 upstream. At NVMe ELS request time, request structure is DMA mapped and never unmapped. Fix this by calling the unmap on ELS completion. Link: https://lore.kernel.org/r/20220310092604.22950-5-njavali@marvell.com Fixes: e84067d74301 ("scsi: qla2xxx: Add FC-NVMe F/W initialization and transport registration") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit f296e888e921bb2c3615da4142024609ed6adbfa Author: Quinn Tran Date: Thu Mar 10 01:25:58 2022 -0800 scsi: qla2xxx: Fix hang due to session stuck commit c02aada06d19a215c8291bd968a99a270e96f734 upstream. User experienced device lost. The log shows Get port data base command was queued up, failed, and requeued again. Every time it is requeued, it set the FCF_ASYNC_ACTIVE. This prevents any recovery code from occurring because driver thinks a recovery is in progress for this session. In essence, this session is hung. The reason it gets into this place is the session deletion got in front of this call due to link perturbation. Break the requeue cycle and exit. The session deletion code will trigger a session relogin. Link: https://lore.kernel.org/r/20220310092604.22950-8-njavali@marvell.com Fixes: 726b85487067 ("qla2xxx: Add framework for async fabric discovery") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit edea037716ff45f4ea79d8349b20179f842c1813 Author: Quinn Tran Date: Thu Mar 10 01:25:52 2022 -0800 scsi: qla2xxx: Fix incorrect reporting of task management failure commit 58ca5999e0367d131de82a75257fbfd5aed0195d upstream. User experienced no task management error while target device is responding with error. The RSP_CODE field in the status IOCB is in little endian. Driver assumes it's big endian and it picked up erroneous data. Convert the data back to big endian as is on the wire. Link: https://lore.kernel.org/r/20220310092604.22950-2-njavali@marvell.com Fixes: faef62d13463 ("[SCSI] qla2xxx: Fix Task Management command asynchronous handling") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 9dc104edd72917261b5ea80fc0ba86a0ad05e346 Author: Quinn Tran Date: Thu Mar 10 01:25:53 2022 -0800 scsi: qla2xxx: Fix disk failure to rediscover commit 6a45c8e137d4e2c72eecf1ac7cf64f2fdfcead99 upstream. User experienced some of the LUN failed to get rediscovered after long cable pull test. The issue is triggered by a race condition between driver setting session online state vs starting the LUN scan process at the same time. Current code set the online state after notifying the session is available. In this case, trigger to start the LUN scan process happened before driver could set the session in online state. LUN scan ends up with failure due to the session online check was failing. Set the online state before reporting of the availability of the session. Link: https://lore.kernel.org/r/20220310092604.22950-3-njavali@marvell.com Fixes: aecf043443d3 ("scsi: qla2xxx: Fix Remote port registration") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit f97316dd393bc8df1cc2af6295a97b876eecf252 Author: Saurav Kashyap Date: Sun Jan 9 21:02:15 2022 -0800 scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair() commit a60447e7d451df42c7bde43af53b34f10f34f469 upstream. [ 12.323788] BUG: using smp_processor_id() in preemptible [00000000] code: systemd-udevd/1020 [ 12.332297] caller is qla2xxx_create_qpair+0x32a/0x5d0 [qla2xxx] [ 12.338417] CPU: 7 PID: 1020 Comm: systemd-udevd Tainted: G I --------- --- 5.14.0-29.el9.x86_64 #1 [ 12.348827] Hardware name: Dell Inc. PowerEdge R610/0F0XJ6, BIOS 6.6.0 05/22/2018 [ 12.356356] Call Trace: [ 12.358821] dump_stack_lvl+0x34/0x44 [ 12.362514] check_preemption_disabled+0xd9/0xe0 [ 12.367164] qla2xxx_create_qpair+0x32a/0x5d0 [qla2xxx] [ 12.372481] qla2x00_probe_one+0xa3a/0x1b80 [qla2xxx] [ 12.377617] ? _raw_spin_lock_irqsave+0x19/0x40 [ 12.384284] local_pci_probe+0x42/0x80 [ 12.390162] ? pci_match_device+0xd7/0x110 [ 12.396366] pci_device_probe+0xfd/0x1b0 [ 12.402372] really_probe+0x1e7/0x3e0 [ 12.408114] __driver_probe_device+0xfe/0x180 [ 12.414544] driver_probe_device+0x1e/0x90 [ 12.420685] __driver_attach+0xc0/0x1c0 [ 12.426536] ? __device_attach_driver+0xe0/0xe0 [ 12.433061] ? __device_attach_driver+0xe0/0xe0 [ 12.439538] bus_for_each_dev+0x78/0xc0 [ 12.445294] bus_add_driver+0x12b/0x1e0 [ 12.451021] driver_register+0x8f/0xe0 [ 12.456631] ? 0xffffffffc07bc000 [ 12.461773] qla2x00_module_init+0x1be/0x229 [qla2xxx] [ 12.468776] do_one_initcall+0x44/0x200 [ 12.474401] ? load_module+0xad3/0xba0 [ 12.479908] ? kmem_cache_alloc_trace+0x45/0x410 [ 12.486268] do_init_module+0x5c/0x280 [ 12.491730] __do_sys_init_module+0x12e/0x1b0 [ 12.497785] do_syscall_64+0x3b/0x90 [ 12.503029] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 12.509764] RIP: 0033:0x7f554f73ab2e Link: https://lore.kernel.org/r/20220110050218.3958-15-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Saurav Kashyap Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 0e4a89efc2234088aae988da4cba9837d372f182 Author: Joe Carnuccio Date: Sun Jan 9 21:02:17 2022 -0800 scsi: qla2xxx: Check for firmware dump already collected commit cfbafad7c6032d449a5a07f2d273acd2437bbc6a upstream. While allocating firmware dump, check if dump is already collected and do not re-allocate the buffer. Link: https://lore.kernel.org/r/20220110050218.3958-17-njavali@marvell.com Cc: stable@vger.kernel.org Signed-off-by: Joe Carnuccio Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit ef10a7530c34f4e4e4372f8509881767d5fc041d Author: Joe Carnuccio Date: Sun Jan 9 21:02:16 2022 -0800 scsi: qla2xxx: Add devids and conditionals for 28xx commit 0d6a536cb1fcabb6c3e9c94871c8d0b29bb5813b upstream. This is an update to the original 28xx adapter enablement. Add a bunch of conditionals that are applicable for 28xx. Link: https://lore.kernel.org/r/20220110050218.3958-16-njavali@marvell.com Fixes: ecc89f25e225 ("scsi: qla2xxx: Add Device ID for ISP28XX") Cc: stable@vger.kernel.org Signed-off-by: Joe Carnuccio Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit bad77c9a47b45e56ddabb323fc4831b831057c85 Author: Arun Easi Date: Sun Jan 9 21:02:11 2022 -0800 scsi: qla2xxx: Fix device reconnect in loop topology commit 8ad4be3d15cf144b5834bdb00d5bbe4050938dc7 upstream. A device logout in loop topology initiates a device connection teardown which loses the FW device handle. In loop topo, the device handle is not regrabbed leading to device login failures and eventually to loss of the device. Fix this by taking the main login path that does it. Link: https://lore.kernel.org/r/20220110050218.3958-11-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 8b52e20c22c2113e5b8ef8bd8f3acae0dfd6e2d3 Author: Nilesh Javali Date: Sun Jan 9 21:02:12 2022 -0800 scsi: qla2xxx: Fix warning for missing error code commit 14cb838d245ae0d523b2f7804af5a02c22e79f5a upstream. Fix smatch-reported warning message: drivers/scsi/qla2xxx/qla_target.c:3324 qlt_xmit_response() warn: missing error code 'res' Link: https://lore.kernel.org/r/20220110050218.3958-12-njavali@marvell.com Fixes: 4a8f71014b4d ("scsi: qla2xxx: Fix unmap of already freed sgl") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 7c9745421d43f3178bbccb641cb458ba18e3b4c5 Author: Bikash Hazarika Date: Sun Jan 9 21:02:09 2022 -0800 scsi: qla2xxx: Fix wrong FDMI data for 64G adapter commit 1cfbbacbee2d6ea3816386a483e3c7a96e5bd657 upstream. Corrected transmission speed mask values for FC. Supported Speed: 16 32 20 Gb/s ===> Should be 64 instead of 20 Supported Speed: 16G 32G 48G ===> Should be 64G instead of 48G Link: https://lore.kernel.org/r/20220110050218.3958-9-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Bikash Hazarika Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 7fef50214dd04427233a2e66cd624d468e67aecb Author: Quinn Tran Date: Sun Jan 9 21:02:07 2022 -0800 scsi: qla2xxx: Fix scheduling while atomic commit afd438ff874ca40b74321b3fa19bd61adfd7ca0c upstream. The driver makes a call into midlayer (fc_remote_port_delete) which can put the thread to sleep. The thread that originates the call is in interrupt context. The combination of the two trigger a crash. Schedule the call in non-interrupt context where it is more safe. kernel: BUG: scheduling while atomic: swapper/7/0/0x00010000 kernel: Call Trace: kernel: kernel: dump_stack+0x66/0x81 kernel: __schedule_bug.cold.90+0x5/0x1d kernel: __schedule+0x7af/0x960 kernel: schedule+0x28/0x80 kernel: schedule_timeout+0x26d/0x3b0 kernel: wait_for_completion+0xb4/0x140 kernel: ? wake_up_q+0x70/0x70 kernel: __wait_rcu_gp+0x12c/0x160 kernel: ? sdev_evt_alloc+0xc0/0x180 [scsi_mod] kernel: synchronize_sched+0x6c/0x80 kernel: ? call_rcu_bh+0x20/0x20 kernel: ? __bpf_trace_rcu_invoke_callback+0x10/0x10 kernel: sdev_evt_alloc+0xfd/0x180 [scsi_mod] kernel: starget_for_each_device+0x85/0xb0 [scsi_mod] kernel: ? scsi_init_io+0x360/0x3d0 [scsi_mod] kernel: scsi_init_io+0x388/0x3d0 [scsi_mod] kernel: device_for_each_child+0x54/0x90 kernel: fc_remote_port_delete+0x70/0xe0 [scsi_transport_fc] kernel: qla2x00_schedule_rport_del+0x62/0xf0 [qla2xxx] kernel: qla2x00_mark_device_lost+0x9c/0xd0 [qla2xxx] kernel: qla24xx_handle_plogi_done_event+0x55f/0x570 [qla2xxx] kernel: qla2x00_async_login_sp_done+0xd2/0x100 [qla2xxx] kernel: qla24xx_logio_entry+0x13a/0x3c0 [qla2xxx] kernel: qla24xx_process_response_queue+0x306/0x400 [qla2xxx] kernel: qla24xx_msix_rsp_q+0x3f/0xb0 [qla2xxx] kernel: __handle_irq_event_percpu+0x40/0x180 kernel: handle_irq_event_percpu+0x30/0x80 kernel: handle_irq_event+0x36/0x60 Link: https://lore.kernel.org/r/20220110050218.3958-7-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit c45147018d7ea96e6231ef36b8fceba23ac57ea8 Author: Quinn Tran Date: Sun Jan 9 21:02:04 2022 -0800 scsi: qla2xxx: Fix stuck session in gpdb commit 725d3a0d31a51c0debf970011e05f585e805165b upstream. Fix stuck sessions in get port database. When a thread is in the process of re-establishing a session, a flag is set to prevent multiple threads / triggers from doing the same task. This flag was left on, where any attempt to relogin was locked out. Clear this flag, if the attempt has failed. Link: https://lore.kernel.org/r/20220110050218.3958-4-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 031547f4c6037313b4061691b3873b0c4cbaa832 Author: Anders Roxell Date: Thu Feb 24 17:22:14 2022 +0100 powerpc: Fix build errors with newer binutils commit 8667d0d64dd1f84fd41b5897fd87fa9113ae05e3 upstream. Building tinyconfig with gcc (Debian 11.2.0-16) and assembler (Debian 2.37.90.20220207) the following build error shows up: {standard input}: Assembler messages: {standard input}:1190: Error: unrecognized opcode: `stbcix' {standard input}:1433: Error: unrecognized opcode: `lwzcix' {standard input}:1453: Error: unrecognized opcode: `stbcix' {standard input}:1460: Error: unrecognized opcode: `stwcix' {standard input}:1596: Error: unrecognized opcode: `stbcix' ... Rework to add assembler directives [1] around the instruction. Going through them one by one shows that the changes should be safe. Like __get_user_atomic_128_aligned() is only called in p9_hmi_special_emu(), which according to the name is specific to power9. And __raw_rm_read*() are only called in things that are powernv or book3s_hv specific. [1] https://sourceware.org/binutils/docs/as/PowerPC_002dPseudo.html#PowerPC_002dPseudo Cc: stable@vger.kernel.org Co-developed-by: Arnd Bergmann Signed-off-by: Arnd Bergmann Signed-off-by: Anders Roxell Reviewed-by: Segher Boessenkool [mpe: Make commit subject more descriptive] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220224162215.3406642-2-anders.roxell@linaro.org Signed-off-by: Greg Kroah-Hartman commit 68fa67e939d81e9886cba00606ea64825abf64dc Author: Anders Roxell Date: Thu Feb 24 17:22:15 2022 +0100 powerpc/lib/sstep: Fix build errors with newer binutils commit 8219d31effa7be5dbc7ff915d7970672e028c701 upstream. Building tinyconfig with gcc (Debian 11.2.0-16) and assembler (Debian 2.37.90.20220207) the following build error shows up: {standard input}: Assembler messages: {standard input}:10576: Error: unrecognized opcode: `stbcx.' {standard input}:10680: Error: unrecognized opcode: `lharx' {standard input}:10694: Error: unrecognized opcode: `lbarx' Rework to add assembler directives [1] around the instruction. The problem with this might be that we can trick a power6 into single-stepping through an stbcx. for instance, and it will execute that in kernel mode. [1] https://sourceware.org/binutils/docs/as/PowerPC_002dPseudo.html#PowerPC_002dPseudo Fixes: 350779a29f11 ("powerpc: Handle most loads and stores in instruction emulation code") Cc: stable@vger.kernel.org # v4.14+ Co-developed-by: Arnd Bergmann Signed-off-by: Arnd Bergmann Signed-off-by: Anders Roxell Reviewed-by: Segher Boessenkool Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220224162215.3406642-3-anders.roxell@linaro.org Signed-off-by: Greg Kroah-Hartman commit ad806b402268d5891fecbc16e3d6a2e0b64632c9 Author: Anders Roxell Date: Thu Feb 24 17:22:13 2022 +0100 powerpc/lib/sstep: Fix 'sthcx' instruction commit a633cb1edddaa643fadc70abc88f89a408fa834a upstream. Looks like there been a copy paste mistake when added the instruction 'stbcx' twice and one was probably meant to be 'sthcx'. Changing to 'sthcx' from 'stbcx'. Fixes: 350779a29f11 ("powerpc: Handle most loads and stores in instruction emulation code") Cc: stable@vger.kernel.org # v4.14+ Reported-by: Arnd Bergmann Signed-off-by: Anders Roxell Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220224162215.3406642-1-anders.roxell@linaro.org Signed-off-by: Greg Kroah-Hartman commit f39a3309393a4a484532f6ba745c6acbcfe06115 Author: Chen Jingwen Date: Wed Dec 29 11:52:26 2021 +0800 powerpc/kasan: Fix early region not updated correctly commit dd75080aa8409ce10d50fb58981c6b59bf8707d3 upstream. The shadow's page table is not updated when PTE_RPN_SHIFT is 24 and PAGE_SHIFT is 12. It not only causes false positives but also false negative as shown the following text. Fix it by bringing the logic of kasan_early_shadow_page_entry here. 1. False Positive: ================================================================== BUG: KASAN: vmalloc-out-of-bounds in pcpu_alloc+0x508/0xa50 Write of size 16 at addr f57f3be0 by task swapper/0/1 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.0-12267-gdebe436e77c7 #1 Call Trace: [c80d1c20] [c07fe7b8] dump_stack_lvl+0x4c/0x6c (unreliable) [c80d1c40] [c02ff668] print_address_description.constprop.0+0x88/0x300 [c80d1c70] [c02ff45c] kasan_report+0x1ec/0x200 [c80d1cb0] [c0300b20] kasan_check_range+0x160/0x2f0 [c80d1cc0] [c03018a4] memset+0x34/0x90 [c80d1ce0] [c0280108] pcpu_alloc+0x508/0xa50 [c80d1d40] [c02fd7bc] __kmem_cache_create+0xfc/0x570 [c80d1d70] [c0283d64] kmem_cache_create_usercopy+0x274/0x3e0 [c80d1db0] [c2036580] init_sd+0xc4/0x1d0 [c80d1de0] [c00044a0] do_one_initcall+0xc0/0x33c [c80d1eb0] [c2001624] kernel_init_freeable+0x2c8/0x384 [c80d1ef0] [c0004b14] kernel_init+0x24/0x170 [c80d1f10] [c001b26c] ret_from_kernel_thread+0x5c/0x64 Memory state around the buggy address: f57f3a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f57f3b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 >f57f3b80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ f57f3c00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f57f3c80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ================================================================== 2. False Negative (with KASAN tests): ================================================================== Before fix: ok 45 - kmalloc_double_kzfree # vmalloc_oob: EXPECTATION FAILED at lib/test_kasan.c:1039 KASAN failure expected in "((volatile char *)area)[3100]", but none occurred not ok 46 - vmalloc_oob not ok 1 - kasan ================================================================== After fix: ok 1 - kasan Fixes: cbd18991e24fe ("powerpc/mm: Fix an Oops in kasan_mmu_init()") Cc: stable@vger.kernel.org # 5.4.x Signed-off-by: Chen Jingwen Reviewed-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20211229035226.59159-1-chenjingwen6@huawei.com Signed-off-by: Greg Kroah-Hartman commit 89e5a426876094b721c44fdafca1b0bc992314c6 Author: Sean Christopherson Date: Sat Feb 26 00:15:20 2022 +0000 KVM: x86/mmu: Check for present SPTE when clearing dirty bit in TDP MMU commit 3354ef5a592d219364cf442c2f784ce7ad7629fd upstream. Explicitly check for present SPTEs when clearing dirty bits in the TDP MMU. This isn't strictly required for correctness, as setting the dirty bit in a defunct SPTE will not change the SPTE from !PRESENT to PRESENT. However, the guarded MMU_WARN_ON() in spte_ad_need_write_protect() would complain if anyone actually turned on KVM's MMU debugging. Fixes: a6a0b05da9f3 ("kvm: x86/mmu: Support dirty logging for the TDP MMU") Cc: Ben Gardon Signed-off-by: Sean Christopherson Reviewed-by: Ben Gardon Message-Id: <20220226001546.360188-3-seanjc@google.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit a3ad4530088d825251253d44d5d7d26ef015b58c Author: Matt Kramer Date: Tue Mar 22 13:48:17 2022 -0700 ALSA: hda/realtek: Add alc256-samsung-headphone fixup [ Upstream commit ef248d9bd616b04df8be25539a4dc5db4b6c56f4 ] This fixes the near-silence of the headphone jack on the ALC256-based Samsung Galaxy Book Flex Alpha (NP730QCJ). The magic verbs were found through trial and error, using known ALC298 hacks as inspiration. The fixup is auto-enabled only when the NP730QCJ is detected. It can be manually enabled using model=alc256-samsung-headphone. Signed-off-by: Matt Kramer Link: https://lore.kernel.org/r/3168355.aeNJFYEL58@linus Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit aa2ad067cd74175cefcab5256593939635e3c528 Author: Mauro Carvalho Chehab Date: Mon Mar 14 18:11:38 2022 +0100 media: atomisp: fix bad usage at error handling logic [ Upstream commit fc0b582c858ed73f94c8f3375c203ea46f1f7402 ] As warned by sparse: atomisp: drivers/staging/media/atomisp/pci/atomisp_acc.c:508 atomisp_acc_load_extensions() warn: iterator used outside loop: 'acc_fw' The acc_fw interactor is used outside the loop, at the error handling logic. On most cases, this is actually safe there, but, if atomisp_css_set_acc_parameters() has an error, an attempt to use it will pick an invalid value for acc_fw. Reported-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 2412a5d29411d404698a15cd2f2b965afd57acd6 Author: Ulf Hansson Date: Thu Mar 3 17:51:42 2022 +0100 mmc: host: Return an error when ->enable_sdio_irq() ops is missing [ Upstream commit d6c9219ca1139b74541b2a98cee47a3426d754a9 ] Even if the current WARN() notifies the user that something is severely wrong, we can still end up in a PANIC() when trying to invoke the missing ->enable_sdio_irq() ops. Therefore, let's also return an error code and prevent the host from being added. While at it, move the code into a separate function to prepare for subsequent changes and for further host caps validations. Signed-off-by: Ulf Hansson Link: https://lore.kernel.org/r/20220303165142.129745-1-ulf.hansson@linaro.org Signed-off-by: Sasha Levin commit 808990afd855e5ea64e91cd080f8cd814fad6342 Author: Dongliang Mu Date: Fri Feb 18 10:41:30 2022 +0100 media: hdpvr: initialize dev->worker at hdpvr_register_videodev [ Upstream commit 07922937e9a580825f9965c46fd15e23ba5754b6 ] hdpvr_register_videodev is responsible to initialize a worker in hdpvr_device. However, the worker is only initialized at hdpvr_start_streaming other than hdpvr_register_videodev. When hdpvr_probe does not initialize its worker, the hdpvr_disconnect will encounter one WARN in flush_work.The stack trace is as follows: hdpvr_disconnect+0xb8/0xf2 drivers/media/usb/hdpvr/hdpvr-core.c:425 usb_unbind_interface+0xbf/0x3a0 drivers/usb/core/driver.c:458 __device_release_driver drivers/base/dd.c:1206 [inline] device_release_driver_internal+0x22a/0x230 drivers/base/dd.c:1237 bus_remove_device+0x108/0x160 drivers/base/bus.c:529 device_del+0x1fe/0x510 drivers/base/core.c:3592 usb_disable_device+0xd1/0x1d0 drivers/usb/core/message.c:1419 usb_disconnect+0x109/0x330 drivers/usb/core/hub.c:2228 Fix this by moving the initialization of dev->worker to the starting of hdpvr_register_videodev Reported-by: syzkaller Signed-off-by: Dongliang Mu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 32582f82df2ba352050e8fb6e097088a84756d29 Author: Pavel Skripkin Date: Thu Jan 20 20:37:30 2022 +0100 media: Revert "media: em28xx: add missing em28xx_close_extension" [ Upstream commit fde18c3bac3f964d8333ae53b304d8fee430502b ] This reverts commit 2c98b8a3458df03abdc6945bbef67ef91d181938. Reverted patch causes problems with Hauppauge WinTV dualHD as Maximilian reported [1]. Since quick solution didn't come up let's just revert it to make this device work with upstream kernels. Link: https://lore.kernel.org/all/6a72a37b-e972-187d-0322-16336e12bdc5@elbmurf.de/ [1] Reported-by: Maximilian Böhm Tested-by: Maximilian Böhm Signed-off-by: Pavel Skripkin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit b1c28577529cdfad40c8242673285f1e1e4c314e Author: Zheyu Ma Date: Wed Mar 2 22:33:11 2022 +0800 video: fbdev: sm712fb: Fix crash in smtcfb_write() [ Upstream commit 4f01d09b2bbfbcb47b3eb305560a7f4857a32260 ] When the sm712fb driver writes three bytes to the framebuffer, the driver will crash: BUG: unable to handle page fault for address: ffffc90001ffffff RIP: 0010:smtcfb_write+0x454/0x5b0 Call Trace: vfs_write+0x291/0xd60 ? do_sys_openat2+0x27d/0x350 ? __fget_light+0x54/0x340 ksys_write+0xce/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Fix it by removing the open-coded endianness fixup-code. Signed-off-by: Zheyu Ma Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit e7bb29df2a149f466c660209ea1aa3783b3e0e1c Author: Uwe Kleine-König Date: Mon Jul 26 22:01:58 2021 +0200 ARM: mmp: Fix failure to remove sram device [ Upstream commit 4036b29a146b2749af3bb213b003eb69f3e5ecc4 ] Make sure in .probe() to set driver data before the function is left to make it possible in .remove() to undo the actions done. This fixes a potential memory leak and stops returning an error code in .remove() that is ignored by the driver core anyhow. Signed-off-by: Uwe Kleine-König Reviewed-by: Greg Kroah-Hartman Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit add823a9a5e2a206c313ab8afbd026d558a4c4e0 Author: Richard Leitner Date: Wed Dec 1 17:11:48 2021 +0100 ARM: tegra: tamonten: Fix I2C3 pad setting [ Upstream commit 0092c25b541a5422d7e71892a13c55ee91abc34b ] This patch fixes the tristate configuration for i2c3 function assigned to the dtf pins on the Tamonten Tegra20 SoM. Signed-off-by: Richard Leitner Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 08ec8450f3e5bffd1920d10842857c7de05576a0 Author: Arnd Bergmann Date: Wed Feb 16 13:48:06 2022 +0100 lib/test_lockup: fix kernel pointer check for separate address spaces [ Upstream commit 5a06fcb15b43d1f7bf740c672950122331cb5655 ] test_kernel_ptr() uses access_ok() to figure out if a given address points to user space instead of kernel space. However on architectures that set CONFIG_ALTERNATE_USER_ADDRESS_SPACE, a pointer can be valid for both, and the check always fails because access_ok() returns true. Make the check for user space pointers conditional on the type of address space layout. Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 40a5c93a747389de01ee7195c414cb424710ea6f Author: Arnd Bergmann Date: Mon Feb 14 20:22:10 2022 +0100 uaccess: fix type mismatch warnings from access_ok() [ Upstream commit 23fc539e81295b14b50c6ccc5baeb4f3d59d822d ] On some architectures, access_ok() does not do any argument type checking, so replacing the definition with a generic one causes a few warnings for harmless issues that were never caught before. Fix the ones that I found either through my own test builds or that were reported by the 0-day bot. Reported-by: kernel test robot Reviewed-by: Christoph Hellwig Acked-by: Dinh Nguyen Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit a49b687a75d2d42301ec9a5fda356750827900e7 Author: Daniel González Cabanelas Date: Sun Feb 20 19:19:50 2022 +0100 media: cx88-mpeg: clear interrupt status register before streaming video [ Upstream commit 56cb61f70e547e1b0cdfe6ff5a1f1ce6242e6d96 ] Some cx88 video cards may have transport stream status interrupts set to 1 from cold start, causing errors like this: cx88xx: cx88_print_irqbits: core:irq mpeg [0x100000] ts_err?* cx8802: cx8802_mpeg_irq: mpeg:general errors: 0x00100000 According to CX2388x datasheet, the interrupt status register should be cleared before enabling IRQs to stream video. Fix it by clearing the Transport Stream Interrupt Status register. Signed-off-by: Daniel González Cabanelas Signed-off-by: Sasha Levin commit 460635026801b286e88c6bf96431e3aa4fa56558 Author: Shengjiu Wang Date: Thu Feb 10 19:19:12 2022 +0800 ASoC: soc-core: skip zero num_dai component in searching dai name [ Upstream commit f7d344a2bd5ec81fbd1ce76928fd059e57ec9bea ] In the case like dmaengine which's not a dai but as a component, the num_dai is zero, dmaengine component has the same component_of_node as cpu dai, when cpu dai component is not ready, but dmaengine component is ready, try to get cpu dai name, the snd_soc_get_dai_name() return -EINVAL, not -EPROBE_DEFER, that cause below error: asoc-simple-card : parse error -22 asoc-simple-card: probe of failed with error -22 The sound card failed to probe. So this patch fixes the issue above by skipping the zero num_dai component in searching dai name. Signed-off-by: Shengjiu Wang Link: https://lore.kernel.org/r/1644491952-7457-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a840fc067e8c1d3cc5c497ee569fc17e33beba08 Author: Richard Schleich Date: Tue Dec 21 23:48:30 2021 +0100 ARM: dts: bcm2711: Add the missing L1/L2 cache information [ Upstream commit 618682b350990f8f1bee718949c4b3858711eb58 ] This patch fixes the kernel warning "cacheinfo: Unable to detect cache hierarchy for CPU 0" for the bcm2711 on newer kernel versions. Signed-off-by: Richard Schleich Tested-by: Stefan Wahren [florian: Align and remove comments matching property values] Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit 681a317034b214c30177162235690a401158cf43 Author: Jing Yao Date: Thu Nov 4 11:52:29 2021 +0000 video: fbdev: udlfb: replace snprintf in show functions with sysfs_emit [ Upstream commit 81a998288956d09d7a7a2303d47e4d60ad55c401 ] Use sysfs_emit instead of scnprintf, snprintf or sprintf. Reported-by: Zeal Robot Signed-off-by: Jing Yao Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit a7c624abf694e9f8d13f50fd13e3d9c081416031 Author: Jing Yao Date: Fri Nov 5 08:20:44 2021 +0000 video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf() [ Upstream commit c07a039cbb96748f54c02995bae8131cc9a73b0a ] Use sysfs_emit instead of scnprintf, snprintf or sprintf. Reported-by: Zeal Robot Signed-off-by: Jing Yao Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 543dae0a46b02ef9016d21099ea23b07dbd06ef5 Author: Jing Yao Date: Fri Nov 5 08:13:33 2021 +0000 video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf() [ Upstream commit f63658a59c3d439c8ad7b290f8ec270980e0f384 ] Use sysfs_emit instead of scnprintf, snprintf or sprintf. Reported-by: Zeal Robot Signed-off-by: Jing Yao Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 910715c4b494b91fb5c0b83d399e06c6752da92a Author: Marcel Ziswiler Date: Fri Jan 28 17:00:56 2022 +0100 arm64: defconfig: build imx-sdma as a module [ Upstream commit e95622289f263662240544a9f0009b25c19e64d4 ] This avoids firmware load error and sysfs fallback reported as follows: [ 0.199448] imx-sdma 302c0000.dma-controller: Direct firmware load for imx/sdma/sdma-imx7d.bin failed with error -2 [ 0.199487] imx-sdma 302c0000.dma-controller: Falling back to sysfs fallback for: imx/sdma/sdma-imx7d.bin Signed-off-by: Marcel Ziswiler Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 14df2556a190583125a001dd9cfa57c8a5c10b8b Author: Abel Vesa Date: Thu Jan 27 16:10:51 2022 +0200 ARM: dts: imx7: Use audio_mclk_post_div instead audio_mclk_root_clk [ Upstream commit 4cb7df64c732b2b9918424095c11660c2a8c4a33 ] The audio_mclk_root_clk was added as a gate with the CCGR121 (0x4790), but according to the reference manual, there is no such gate. Moreover, the consumer driver of the mentioned clock might gate it and leave the ECSPI2 (the true owner of that gate) hanging. So lets use the audio_mclk_post_div, which is the parent. Signed-off-by: Abel Vesa Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit c241cfd0a55f2d3f3fde158e4c5d17544f01e992 Author: Ard Biesheuvel Date: Sun Jan 23 20:18:33 2022 +0100 ARM: ftrace: avoid redundant loads or clobbering IP [ Upstream commit d11967870815b5ab89843980e35aab616c97c463 ] Tweak the ftrace return paths to avoid redundant loads of SP, as well as unnecessary clobbering of IP. This also fixes the inconsistency of using MOV to perform a function return, which is sub-optimal on recent micro-architectures but more importantly, does not perform an interworking return, unlike compiler generated function returns in Thumb2 builds. Let's fix this by popping PC from the stack like most ordinary code does. Signed-off-by: Ard Biesheuvel Reviewed-by: Steven Rostedt (Google) Signed-off-by: Sasha Levin commit 41082d6432e5d8cfaaa49a3864c88a16535f8e95 Author: Tsuchiya Yuto Date: Sun Oct 17 18:23:33 2021 +0200 media: atomisp: fix dummy_ptr check to avoid duplicate active_bo [ Upstream commit 127efdbc51fe6064336c0452ce9c910b3e107cf0 ] The dummy_ptr check in hmm_init() [1] results in the following "hmm_init Failed to create sysfs" error exactly once every two times on atomisp reload by rmmod/insmod (although atomisp module loads and works fine regardless of this error): [ 140.230662] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:03.0/active_bo' [ 140.230668] CPU: 1 PID: 2502 Comm: insmod Tainted: G C OE 5.15.0-rc4-1-surface-mainline #1 b8acf6eb64994414b2e20bad312a7a2c45f748f9 [ 140.230675] Hardware name: OEMB OEMB/OEMB, BIOS 1.51116.238 03/09/2015 [ 140.230678] Call Trace: [ 140.230687] dump_stack_lvl+0x46/0x5a [ 140.230702] sysfs_warn_dup.cold+0x17/0x24 [ 140.230710] sysfs_add_file_mode_ns+0x160/0x170 [ 140.230717] internal_create_group+0x126/0x390 [ 140.230723] hmm_init+0x5c/0x70 [atomisp 7a6a680bf400629363d2a6f58fd10e7299678b99] [ 140.230811] atomisp_pci_probe.cold+0x1136/0x148e [atomisp 7a6a680bf400629363d2a6f58fd10e7299678b99] [ 140.230875] local_pci_probe+0x45/0x80 [ 140.230882] ? pci_match_device+0xd7/0x130 [ 140.230887] pci_device_probe+0xfa/0x1b0 [ 140.230892] really_probe+0x1f5/0x3f0 [ 140.230899] __driver_probe_device+0xfe/0x180 [ 140.230903] driver_probe_device+0x1e/0x90 [ 140.230908] __driver_attach+0xc0/0x1c0 [ 140.230912] ? __device_attach_driver+0xe0/0xe0 [ 140.230915] ? __device_attach_driver+0xe0/0xe0 [ 140.230919] bus_for_each_dev+0x89/0xd0 [ 140.230924] bus_add_driver+0x12b/0x1e0 [ 140.230929] driver_register+0x8f/0xe0 [ 140.230933] ? 0xffffffffc153f000 [ 140.230937] do_one_initcall+0x57/0x220 [ 140.230945] do_init_module+0x5c/0x260 [ 140.230952] load_module+0x24bd/0x26a0 [ 140.230962] ? __do_sys_finit_module+0xae/0x110 [ 140.230966] __do_sys_finit_module+0xae/0x110 [ 140.230972] do_syscall_64+0x5c/0x80 [ 140.230979] ? syscall_exit_to_user_mode+0x23/0x40 [ 140.230983] ? do_syscall_64+0x69/0x80 [ 140.230988] ? exc_page_fault+0x72/0x170 [ 140.230991] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 140.230997] RIP: 0033:0x7f7fd5d8718d [ 140.231003] Code: b4 0c 00 0f 05 eb a9 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b3 6c 0c 00 f7 d8 64 89 01 48 [ 140.231006] RSP: 002b:00007ffefc25f0e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 [ 140.231012] RAX: ffffffffffffffda RBX: 000055ac3edcd7f0 RCX: 00007f7fd5d8718d [ 140.231015] RDX: 0000000000000000 RSI: 000055ac3d723270 RDI: 0000000000000003 [ 140.231017] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f7fd5e52380 [ 140.231019] R10: 0000000000000003 R11: 0000000000000246 R12: 000055ac3d723270 [ 140.231021] R13: 0000000000000000 R14: 000055ac3edd06e0 R15: 0000000000000000 [ 140.231038] atomisp-isp2 0000:00:03.0: hmm_init Failed to create sysfs The problem is that dummy_ptr == 0 is a valid value. So, change the logic which checks if dummy_ptr was allocated. At this point, atomisp now gives WARN_ON() in hmm_free() [2] on atomisp reload by rmmod/insmod. Again, the check is wrong there. So, change both checks for mmgr_EXCEPTION, which is the error value when HMM allocation fails, and initialize dummy_ptr with such value. [1] added on commit d9ab83953fa7 ("media: atomisp: don't cause a warn if probe failed") [2] added on commit b83cc378dfc4 ("atomisp: clean up the hmm init/cleanup indirections") Link: https://lore.kernel.org/linux-media/20211017162337.44860-3-kitakar@gmail.com Signed-off-by: Tsuchiya Yuto Co-developed-by: Mauro Carvalho Chehab Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit b554196e6d390af5d249be11cd86aa0ecf5bc0a9 Author: Hans de Goede Date: Sun Jan 16 22:52:04 2022 +0100 media: atomisp_gmin_platform: Add DMI quirk to not turn AXP ELDO2 regulator off on some boards [ Upstream commit 2c39a01154ea57d596470afa1d278e3be3b37f6a ] The TrekStor SurfTab duo W1 10.1 has a hw bug where turning eldo2 back on after having turned it off causes the CPLM3218 ambient-light-sensor on the front camera sensor's I2C bus to crash, hanging the bus. Add a DMI quirk table for systems on which to leave eldo2 on. Note an alternative fix is to turn off the CPLM3218 ambient-light-sensor as long as the camera sensor is being used, this is what Windows seems to do as a workaround (based on analyzing the DSDT). But that is not easy to do cleanly under Linux. Link: https://lore.kernel.org/linux-media/20220116215204.307649-10-hdegoede@redhat.com Signed-off-by: Hans de Goede Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 370b50492e54c1a442ecf699cbd2048ffbf513f1 Author: Charles Keepax Date: Thu Feb 3 11:50:25 2022 +0000 ASoC: madera: Add dependencies on MFD [ Upstream commit ec29170c724ca30305fc3a19ba2ee73ecac65509 ] The Madera CODECs use regmap_irq functions but nothing ensures that regmap_irq is built into the kernel. Add dependencies on the ASoC symbols for the relevant MFD component. There is no point in building the ASoC driver if the MFD doesn't support it and the MFD part contains the necessary dependencies to ensure everything is built into the kernel. Reported-by: Mark Brown Signed-off-by: Charles Keepax Link: https://lore.kernel.org/r/20220203115025.16464-1-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0020667edc06b5464ceaf82d478c80582250354a Author: Richard Schleich Date: Sat Dec 18 21:00:09 2021 +0100 ARM: dts: bcm2837: Add the missing L1/L2 cache information [ Upstream commit bdf8762da268d2a34abf517c36528413906e9cd5 ] This patch fixes the kernel warning "cacheinfo: Unable to detect cache hierarchy for CPU 0" for the bcm2837 on newer kernel versions. Signed-off-by: Richard Schleich Tested-by: Stefan Wahren [florian: Align and remove comments matching property values] Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit f040c0810291ec2fee9b2d5445f96c7eb24d9a7d Author: David Heidelberg Date: Sat Jan 8 18:42:28 2022 +0100 ARM: dts: qcom: fix gic_irq_domain_translate warnings for msm8960 [ Upstream commit 6f7e221e7a5cfc3299616543fce42b36e631497b ] IRQ types blindly copied from very similar APQ8064. Fixes warnings as: WARNING: CPU: 0 PID: 1 at drivers/irqchip/irq-gic.c:1080 gic_irq_domain_translate+0x118/0x120 ... Tested-by: LogicalErzor # boot-tested on Samsung S3 Signed-off-by: David Heidelberg Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220108174229.60384-1-david@ixit.cz Signed-off-by: Sasha Levin commit da210b1b551c5f44ea255b18ed6ca103847801f3 Author: Yang Guang Date: Tue Nov 30 08:06:03 2021 +0800 video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit [ Upstream commit 24565bc4115961db7ee64fcc7ad2a7437c0d0a49 ] coccinelle report: ./drivers/video/fbdev/omap2/omapfb/displays/panel-sony-acx565akm.c: 479:9-17: WARNING: use scnprintf or sprintf Use sysfs_emit instead of scnprintf or sprintf makes more sense. Reported-by: Zeal Robot Signed-off-by: Yang Guang Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 8c7e2141fb89c620ab4e41512e262fbf25b8260d Author: George Kennedy Date: Wed Oct 27 15:30:13 2021 -0500 video: fbdev: cirrusfb: check pixclock to avoid divide by zero [ Upstream commit 5c6f402bdcf9e7239c6bc7087eda71ac99b31379 ] Do a sanity check on pixclock value to avoid divide by zero. If the pixclock value is zero, the cirrusfb driver will round up pixclock to get the derived frequency as close to maxclock as possible. Syzkaller reported a divide error in cirrusfb_check_pixclock. divide error: 0000 [#1] SMP KASAN PTI CPU: 0 PID: 14938 Comm: cirrusfb_test Not tainted 5.15.0-rc6 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2 RIP: 0010:cirrusfb_check_var+0x6f1/0x1260 Call Trace: fb_set_var+0x398/0xf90 do_fb_ioctl+0x4b8/0x6f0 fb_ioctl+0xeb/0x130 __x64_sys_ioctl+0x19d/0x220 do_syscall_64+0x3a/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Signed-off-by: George Kennedy Reviewed-by: Geert Uytterhoeven Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 1e33f197468fbf3fb92b170860681ddb2d4fadeb Author: Evgeny Novikov Date: Wed Aug 11 19:58:26 2021 +0300 video: fbdev: w100fb: Reset global state [ Upstream commit 8738ddcac644964ae128ccd3d80d48773c8d528e ] w100fb_probe() did not reset the global state to its initial state. This can result in invocation of iounmap() even when there was not the appropriate successful call of ioremap(). For instance, this may be the case if first probe fails after two successful ioremap() while second probe fails when first ioremap() fails. The similar issue is with w100fb_remove(). The patch fixes both bugs. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Evgeny Novikov Co-developed-by: Kirill Shilimanov Signed-off-by: Kirill Shilimanov Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 08dff482012758935c185532b1ad7d584785a86e Author: Tim Gardner Date: Mon Sep 27 09:45:02 2021 -0600 video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow [ Upstream commit 37a1a2e6eeeb101285cd34e12e48a881524701aa ] Coverity complains of a possible buffer overflow. However, given the 'static' scope of nvidia_setup_i2c_bus() it looks like that can't happen after examiniing the call sites. CID 19036 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW) 1. fixed_size_dest: You might overrun the 48-character fixed-size string chan->adapter.name by copying name without checking the length. 2. parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. 89 strcpy(chan->adapter.name, name); Fix this warning by using strscpy() which will silence the warning and prevent any future buffer overflows should the names used to identify the channel become much longer. Cc: Antonino Daplas Cc: linux-fbdev@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Tim Gardner Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 99e3f83539cac6884a4df02cb204a57a184ea12b Author: Peiwei Hu Date: Wed Dec 29 02:15:18 2021 +0100 media: ir_toy: free before error exiting [ Upstream commit 52cdb013036391d9d87aba5b4fc49cdfc6ea4b23 ] Fix leak in error path. Signed-off-by: Peiwei Hu Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d658178b5ac2cc2bbf7507cb786d6581c9a42a1c Author: Hans Verkuil Date: Tue Dec 14 17:16:33 2021 +0100 media: staging: media: zoran: fix various V4L2 compliance errors [ Upstream commit 914941827aad5ecddf9bf3a6dee67fbec1af1fff ] This fixes several issues found with 'v4l2-compliance -s': 1) read()/write() is supported, but not reported in the capabilities 2) S_STD(G_STD()) failed: setting the same standard should just return 0. 3) G_PARM failed to set readbuffers. 4) different field values in the format vs. what v4l2_buffer reported. 5) zero the sequence number when starting streaming. 6) drop VB_USERPTR: makes no sense with dma_contig streaming. Signed-off-by: Hans Verkuil Signed-off-by: Corentin Labbe Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit bafec1a6ba4b187a7fcdcfce0faebdc623d4ef8e Author: Corentin Labbe Date: Tue Dec 14 17:16:32 2021 +0100 media: staging: media: zoran: calculate the right buffer number for zoran_reap_stat_com [ Upstream commit e3b86f4e558cea9eed71d894df2f19b10d60a207 ] On the case tmp_dcim=1, the index of buffer is miscalculated. This generate a NULL pointer dereference later. So let's fix the calcul and add a check to prevent this to reappear. Signed-off-by: Corentin Labbe Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit bd01629315ffd5b63da91d0bd529a77d30e55028 Author: Corentin Labbe Date: Tue Dec 14 17:16:26 2021 +0100 media: staging: media: zoran: move videodev alloc [ Upstream commit 82e3a496eb56da0b9f29fdc5b63cedb3289e91de ] Move some code out of zr36057_init() and create new functions for handling zr->video_dev. This permit to ease code reading and fix a zr->video_dev memory leak. Signed-off-by: Corentin Labbe Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit b230f2d9441a34c7f483d39ab78519bcf73cc2e0 Author: Dongliang Mu Date: Tue Mar 22 14:38:39 2022 -0700 ntfs: add sanity check on allocation size [ Upstream commit 714fbf2647b1a33d914edd695d4da92029c7e7c0 ] ntfs_read_inode_mount invokes ntfs_malloc_nofs with zero allocation size. It triggers one BUG in the __ntfs_malloc function. Fix this by adding sanity check on ni->attr_list_size. Link: https://lkml.kernel.org/r/20220120094914.47736-1-dzm91@hust.edu.cn Reported-by: syzbot+3c765c5248797356edaa@syzkaller.appspotmail.com Signed-off-by: Dongliang Mu Acked-by: Anton Altaparmakov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit f7e8aff062629b5a126ae8d2501ccd6a643d3498 Author: Chao Yu Date: Wed Mar 16 18:20:00 2022 +0800 f2fs: compress: fix to print raw data size in error path of lz4 decompression [ Upstream commit d284af43f703760e261b1601378a0c13a19d5f1f ] In lz4_decompress_pages(), if size of decompressed data is not equal to expected one, we should print the size rather than size of target buffer for decompressed data, fix it. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit d91d1e681c999de65809025ac86915e9cd1f52cf Author: Chuck Lever Date: Mon Feb 14 15:30:13 2022 -0500 NFSD: Fix nfsd_breaker_owns_lease() return values [ Upstream commit 50719bf3442dd6cd05159e9c98d020b3919ce978 ] These have been incorrect since the function was introduced. A proper kerneldoc comment is added since this function, though static, is part of an external interface. Reported-by: Dai Ngo Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 498b7088db71f9707359448cd6800bbb1882f4c3 Author: Chao Yu Date: Fri Mar 4 09:49:13 2022 +0800 f2fs: fix to do sanity check on curseg->alloc_type [ Upstream commit f41ee8b91c00770d718be2ff4852a80017ae9ab3 ] As Wenqing Liu reported in bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215657 - Overview UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 when mount and operate a corrupted image - Reproduce tested on kernel 5.17-rc4, 5.17-rc6 1. mkdir test_crash 2. cd test_crash 3. unzip tmp2.zip 4. mkdir mnt 5. ./single_test.sh f2fs 2 - Kernel dump [ 46.434454] loop0: detected capacity change from 0 to 131072 [ 46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9 [ 46.738319] ================================================================================ [ 46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 [ 46.738475] index 231 is out of range for type 'unsigned int [2]' [ 46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1 [ 46.738547] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 [ 46.738551] Call Trace: [ 46.738556] [ 46.738563] dump_stack_lvl+0x47/0x5c [ 46.738581] ubsan_epilogue+0x5/0x50 [ 46.738592] __ubsan_handle_out_of_bounds+0x68/0x80 [ 46.738604] f2fs_allocate_data_block+0xdff/0xe60 [f2fs] [ 46.738819] do_write_page+0xef/0x210 [f2fs] [ 46.738934] f2fs_do_write_node_page+0x3f/0x80 [f2fs] [ 46.739038] __write_node_page+0x2b7/0x920 [f2fs] [ 46.739162] f2fs_sync_node_pages+0x943/0xb00 [f2fs] [ 46.739293] f2fs_write_checkpoint+0x7bb/0x1030 [f2fs] [ 46.739405] kill_f2fs_super+0x125/0x150 [f2fs] [ 46.739507] deactivate_locked_super+0x60/0xc0 [ 46.739517] deactivate_super+0x70/0xb0 [ 46.739524] cleanup_mnt+0x11a/0x200 [ 46.739532] __cleanup_mnt+0x16/0x20 [ 46.739538] task_work_run+0x67/0xa0 [ 46.739547] exit_to_user_mode_prepare+0x18c/0x1a0 [ 46.739559] syscall_exit_to_user_mode+0x26/0x40 [ 46.739568] do_syscall_64+0x46/0xb0 [ 46.739584] entry_SYSCALL_64_after_hwframe+0x44/0xae The root cause is we missed to do sanity check on curseg->alloc_type, result in out-of-bound accessing on sbi->block_count[] array, fix it. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 330d0e44fc5a47c27df958ecdd4693a3cb1d8b81 Author: Theodore Ts'o Date: Thu Mar 3 09:38:47 2022 -0500 ext4: don't BUG if someone dirty pages without asking ext4 first [ Upstream commit cc5095747edfb054ca2068d01af20be3fcc3634f ] [un]pin_user_pages_remote is dirtying pages without properly warning the file system in advance. A related race was noted by Jan Kara in 2018[1]; however, more recently instead of it being a very hard-to-hit race, it could be reliably triggered by process_vm_writev(2) which was discovered by Syzbot[2]. This is technically a bug in mm/gup.c, but arguably ext4 is fragile in that if some other kernel subsystem dirty pages without properly notifying the file system using page_mkwrite(), ext4 will BUG, while other file systems will not BUG (although data will still be lost). So instead of crashing with a BUG, issue a warning (since there may be potential data loss) and just mark the page as clean to avoid unprivileged denial of service attacks until the problem can be properly fixed. More discussion and background can be found in the thread starting at [2]. [1] https://lore.kernel.org/linux-mm/20180103100430.GE4911@quack2.suse.cz [2] https://lore.kernel.org/r/Yg0m6IjcNmfaSokM@google.com Reported-by: syzbot+d59332e2db681cf18f0318a06e994ebbb529a8db@syzkaller.appspotmail.com Reported-by: Lee Jones Signed-off-by: Theodore Ts'o Link: https://lore.kernel.org/r/YiDS9wVfq4mM2jGK@mit.edu Signed-off-by: Sasha Levin commit cd6d719534af993210306f8a13f9cb3e615f7c8d Author: Ritesh Harjani Date: Wed Feb 16 12:32:44 2022 +0530 ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit [ Upstream commit bfdc502a4a4c058bf4cbb1df0c297761d528f54d ] In case of flex_bg feature (which is by default enabled), extents for any given inode might span across blocks from two different block group. ext4_mb_mark_bb() only reads the buffer_head of block bitmap once for the starting block group, but it fails to read it again when the extent length boundary overflows to another block group. Then in this below loop it accesses memory beyond the block group bitmap buffer_head and results into a data abort. for (i = 0; i < clen; i++) if (!mb_test_bit(blkoff + i, bitmap_bh->b_data) == !state) already++; This patch adds this functionality for checking block group boundary in ext4_mb_mark_bb() and update the buffer_head(bitmap_bh) for every different block group. w/o this patch, I was easily able to hit a data access abort using Power platform. <...> [ 74.327662] EXT4-fs error (device loop3): ext4_mb_generate_buddy:1141: group 11, block bitmap and bg descriptor inconsistent: 21248 vs 23294 free clusters [ 74.533214] EXT4-fs (loop3): shut down requested (2) [ 74.536705] Aborting journal on device loop3-8. [ 74.702705] BUG: Unable to handle kernel data access on read at 0xc00000005e980000 [ 74.703727] Faulting instruction address: 0xc0000000007bffb8 cpu 0xd: Vector: 300 (Data Access) at [c000000015db7060] pc: c0000000007bffb8: ext4_mb_mark_bb+0x198/0x5a0 lr: c0000000007bfeec: ext4_mb_mark_bb+0xcc/0x5a0 sp: c000000015db7300 msr: 800000000280b033 dar: c00000005e980000 dsisr: 40000000 current = 0xc000000027af6880 paca = 0xc00000003ffd5200 irqmask: 0x03 irq_happened: 0x01 pid = 5167, comm = mount <...> enter ? for help [c000000015db7380] c000000000782708 ext4_ext_clear_bb+0x378/0x410 [c000000015db7400] c000000000813f14 ext4_fc_replay+0x1794/0x2000 [c000000015db7580] c000000000833f7c do_one_pass+0xe9c/0x12a0 [c000000015db7710] c000000000834504 jbd2_journal_recover+0x184/0x2d0 [c000000015db77c0] c000000000841398 jbd2_journal_load+0x188/0x4a0 [c000000015db7880] c000000000804de8 ext4_fill_super+0x2638/0x3e10 [c000000015db7a40] c0000000005f8404 get_tree_bdev+0x2b4/0x350 [c000000015db7ae0] c0000000007ef058 ext4_get_tree+0x28/0x40 [c000000015db7b00] c0000000005f6344 vfs_get_tree+0x44/0x100 [c000000015db7b70] c00000000063c408 path_mount+0xdd8/0xe70 [c000000015db7c40] c00000000063c8f0 sys_mount+0x450/0x550 [c000000015db7d50] c000000000035770 system_call_exception+0x4a0/0x4e0 [c000000015db7e10] c00000000000c74c system_call_common+0xec/0x250 Signed-off-by: Ritesh Harjani Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/2609bc8f66fc15870616ee416a18a3d392a209c4.1644992609.git.riteshh@linux.ibm.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 69d2421b5527609387998d76cabd8d700c2f23c1 Author: Ritesh Harjani Date: Wed Feb 16 12:32:43 2022 +0530 ext4: correct cluster len and clusters changed accounting in ext4_mb_mark_bb [ Upstream commit a5c0e2fdf7cea535ba03259894dc184e5a4c2800 ] ext4_mb_mark_bb() currently wrongly calculates cluster len (clen) and flex_group->free_clusters. This patch fixes that. Identified based on code review of ext4_mb_mark_bb() function. Signed-off-by: Ritesh Harjani Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/a0b035d536bafa88110b74456853774b64c8ac40.1644992609.git.riteshh@linux.ibm.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit ecd384c436fd57195a2d178d5b85ab7060e35866 Author: Waiman Long Date: Thu Feb 10 22:55:26 2022 -0500 locking/lockdep: Iterate lock_classes directly when reading lockdep files [ Upstream commit fb7275acd6fb988313dddd8d3d19efa70d9015ad ] When dumping lock_classes information via /proc/lockdep, we can't take the lockdep lock as the lock hold time is indeterminate. Iterating over all_lock_classes without holding lock can be dangerous as there is a slight chance that it may branch off to other lists leading to infinite loop or even access invalid memory if changes are made to all_lock_classes list in parallel. To avoid this problem, iteration of lock classes is now done directly on the lock_classes array itself. The lock_classes_in_use bitmap is checked to see if the lock class is being used. To avoid iterating the full array all the times, a new max_lock_class_idx value is added to track the maximum lock_class index that is currently being used. We can theoretically take the lockdep lock for iterating all_lock_classes when other lockdep files (lockdep_stats and lock_stat) are accessed as the lock hold time will be shorter for them. For consistency, they are also modified to iterate the lock_classes array directly. Signed-off-by: Waiman Long Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20220211035526.1329503-2-longman@redhat.com Signed-off-by: Sasha Levin commit 3ad817f1bd6242f10ae3d63acafed78956fd02f1 Author: Minghao Chi Date: Tue Mar 15 02:31:38 2022 +0000 spi: tegra20: Use of_device_get_match_data() [ Upstream commit c9839acfcbe20ce43d363c2a9d0772472d9921c0 ] Use of_device_get_match_data() to simplify the code. Reported-by: Zeal Robot Signed-off-by: Minghao Chi Link: https://lore.kernel.org/r/20220315023138.2118293-1-chi.minghao@zte.com.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1c200c8bce087fbc7c3a5b79bc9f547e05bfffe7 Author: Chris Leech Date: Tue Feb 15 18:22:49 2022 -0800 nvme-tcp: lockdep: annotate in-kernel sockets [ Upstream commit 841aee4d75f18fdfb53935080b03de0c65e9b92c ] Put NVMe/TCP sockets in their own class to avoid some lockdep warnings. Sockets created by nvme-tcp are not exposed to user-space, and will not trigger certain code paths that the general socket API exposes. Lockdep complains about a circular dependency between the socket and filesystem locks, because setsockopt can trigger a page fault with a socket lock held, but nvme-tcp sends requests on the socket while file system locks are held. ====================================================== WARNING: possible circular locking dependency detected 5.15.0-rc3 #1 Not tainted ------------------------------------------------------ fio/1496 is trying to acquire lock: (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendpage+0x23/0x80 but task is already holding lock: (&xfs_dir_ilock_class/5){+.+.}-{3:3}, at: xfs_ilock+0xcf/0x290 [xfs] which lock already depends on the new lock. other info that might help us debug this: chain exists of: sk_lock-AF_INET --> sb_internal --> &xfs_dir_ilock_class/5 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&xfs_dir_ilock_class/5); lock(sb_internal); lock(&xfs_dir_ilock_class/5); lock(sk_lock-AF_INET); *** DEADLOCK *** 6 locks held by fio/1496: #0: (sb_writers#13){.+.+}-{0:0}, at: path_openat+0x9fc/0xa20 #1: (&inode->i_sb->s_type->i_mutex_dir_key){++++}-{3:3}, at: path_openat+0x296/0xa20 #2: (sb_internal){.+.+}-{0:0}, at: xfs_trans_alloc_icreate+0x41/0xd0 [xfs] #3: (&xfs_dir_ilock_class/5){+.+.}-{3:3}, at: xfs_ilock+0xcf/0x290 [xfs] #4: (hctx->srcu){....}-{0:0}, at: hctx_lock+0x51/0xd0 #5: (&queue->send_mutex){+.+.}-{3:3}, at: nvme_tcp_queue_rq+0x33e/0x380 [nvme_tcp] This annotation lets lockdep analyze nvme-tcp controlled sockets independently of what the user-space sockets API does. Link: https://lore.kernel.org/linux-nvme/CAHj4cs9MDYLJ+q+2_GXUK9HxFizv2pxUryUR0toX974M040z7g@mail.gmail.com/ Signed-off-by: Chris Leech Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 7e4967e913ab822ed16e352f2ada9ac83fa0290f Author: John David Anglin Date: Wed Mar 9 21:14:36 2022 +0000 parisc: Fix handling off probe non-access faults [ Upstream commit e00b0a2ab8ec019c344e53bfc76e31c18bb587b7 ] Currently, the parisc kernel does not fully support non-access TLB fault handling for probe instructions. In the fast path, we set the target register to zero if it is not a shadowed register. The slow path is not implemented, so we call do_page_fault. The architecture indicates that non-access faults should not cause a page fault from disk. This change adds to code to provide non-access fault support for probe instructions. It also modifies the handling of faults on userspace so that if the address lies in a valid VMA and the access type matches that for the VMA, the probe target register is set to one. Otherwise, the target register is set to zero. This was done to make probe instructions more useful for userspace. Probe instructions are not very useful if they set the target register to zero whenever a page is not present in memory. Nominally, the purpose of the probe instruction is determine whether read or write access to a given address is allowed. This fixes a problem in function pointer comparison noticed in the glibc testsuite (stdio-common/tst-vfprintf-user-type). The same problem is likely in glibc (_dl_lookup_address). V2 adds flush and lpa instruction support to handle_nadtlb_fault. Signed-off-by: John David Anglin Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit ede1ef1a7de973321699736ef96d01a4b9a6fe9e Author: Dmitry Baryshkov Date: Sat Mar 5 14:02:14 2022 +0300 PM: core: keep irq flags in device_pm_check_callbacks() [ Upstream commit 524bb1da785a7ae43dd413cd392b5071c6c367f8 ] The function device_pm_check_callbacks() can be called under the spin lock (in the reported case it happens from genpd_add_device() -> dev_pm_domain_set(), when the genpd uses spinlocks rather than mutexes. However this function uncoditionally uses spin_lock_irq() / spin_unlock_irq(), thus not preserving the CPU flags. Use the irqsave/irqrestore instead. The backtrace for the reference: [ 2.752010] ------------[ cut here ]------------ [ 2.756769] raw_local_irq_restore() called with IRQs enabled [ 2.762596] WARNING: CPU: 4 PID: 1 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x34/0x50 [ 2.772338] Modules linked in: [ 2.775487] CPU: 4 PID: 1 Comm: swapper/0 Tainted: G S 5.17.0-rc6-00384-ge330d0d82eff-dirty #684 [ 2.781384] Freeing initrd memory: 46024K [ 2.785839] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 2.785841] pc : warn_bogus_irq_restore+0x34/0x50 [ 2.785844] lr : warn_bogus_irq_restore+0x34/0x50 [ 2.785846] sp : ffff80000805b7d0 [ 2.785847] x29: ffff80000805b7d0 x28: 0000000000000000 x27: 0000000000000002 [ 2.785850] x26: ffffd40e80930b18 x25: ffff7ee2329192b8 x24: ffff7edfc9f60800 [ 2.785853] x23: ffffd40e80930b18 x22: ffffd40e80930d30 x21: ffff7edfc0dffa00 [ 2.785856] x20: ffff7edfc09e3768 x19: 0000000000000000 x18: ffffffffffffffff [ 2.845775] x17: 6572206f74206465 x16: 6c696166203a3030 x15: ffff80008805b4f7 [ 2.853108] x14: 0000000000000000 x13: ffffd40e809550b0 x12: 00000000000003d8 [ 2.860441] x11: 0000000000000148 x10: ffffd40e809550b0 x9 : ffffd40e809550b0 [ 2.867774] x8 : 00000000ffffefff x7 : ffffd40e809ad0b0 x6 : ffffd40e809ad0b0 [ 2.875107] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000 [ 2.882440] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff7edfc03a8000 [ 2.889774] Call trace: [ 2.892290] warn_bogus_irq_restore+0x34/0x50 [ 2.896770] _raw_spin_unlock_irqrestore+0x94/0xa0 [ 2.901690] genpd_unlock_spin+0x20/0x30 [ 2.905724] genpd_add_device+0x100/0x2d0 [ 2.909850] __genpd_dev_pm_attach+0xa8/0x23c [ 2.914329] genpd_dev_pm_attach_by_id+0xc4/0x190 [ 2.919167] genpd_dev_pm_attach_by_name+0x3c/0xd0 [ 2.924086] dev_pm_domain_attach_by_name+0x24/0x30 [ 2.929102] psci_dt_attach_cpu+0x24/0x90 [ 2.933230] psci_cpuidle_probe+0x2d4/0x46c [ 2.937534] platform_probe+0x68/0xe0 [ 2.941304] really_probe.part.0+0x9c/0x2fc [ 2.945605] __driver_probe_device+0x98/0x144 [ 2.950085] driver_probe_device+0x44/0x15c [ 2.954385] __device_attach_driver+0xb8/0x120 [ 2.958950] bus_for_each_drv+0x78/0xd0 [ 2.962896] __device_attach+0xd8/0x180 [ 2.966843] device_initial_probe+0x14/0x20 [ 2.971144] bus_probe_device+0x9c/0xa4 [ 2.975092] device_add+0x380/0x88c [ 2.978679] platform_device_add+0x114/0x234 [ 2.983067] platform_device_register_full+0x100/0x190 [ 2.988344] psci_idle_init+0x6c/0xb0 [ 2.992113] do_one_initcall+0x74/0x3a0 [ 2.996060] kernel_init_freeable+0x2fc/0x384 [ 3.000543] kernel_init+0x28/0x130 [ 3.004132] ret_from_fork+0x10/0x20 [ 3.007817] irq event stamp: 319826 [ 3.011404] hardirqs last enabled at (319825): [] __up_console_sem+0x78/0x84 [ 3.020332] hardirqs last disabled at (319826): [] el1_dbg+0x24/0x8c [ 3.028458] softirqs last enabled at (318312): [] _stext+0x410/0x588 [ 3.036678] softirqs last disabled at (318299): [] __irq_exit_rcu+0x158/0x174 [ 3.045607] ---[ end trace 0000000000000000 ]--- Signed-off-by: Dmitry Baryshkov Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 227718c8bbd5318ea660775f647d161531065cfe Author: Darren Hart Date: Tue Mar 8 10:50:48 2022 -0800 ACPI/APEI: Limit printable size of BERT table data [ Upstream commit 3f8dec116210ca649163574ed5f8df1e3b837d07 ] Platforms with large BERT table data can trigger soft lockup errors while attempting to print the entire BERT table data to the console at boot: watchdog: BUG: soft lockup - CPU#160 stuck for 23s! [swapper/0:1] Observed on Ampere Altra systems with a single BERT record of ~250KB. The original bert driver appears to have assumed relatively small table data. Since it is impractical to reassemble large table data from interwoven console messages, and the table data is available in /sys/firmware/acpi/tables/data/BERT limit the size for tables printed to the console to 1024 (for no reason other than it seemed like a good place to kick off the discussion, would appreciate feedback from existing users in terms of what size would maintain their current usage model). Alternatively, we could make printing a CONFIG option, use the bert_disable boot arg (or something similar), or use a debug log level. However, all those solutions require extra steps or change the existing behavior for small table data. Limiting the size preserves existing behavior on existing platforms with small table data, and eliminates the soft lockups for platforms with large table data, while still making it available. Signed-off-by: Darren Hart Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit cc051f497eac9d8a0d816cd4bffa3415f2724871 Author: Paolo Valente Date: Thu Nov 25 19:15:10 2021 +0100 Revert "Revert "block, bfq: honor already-setup queue merges"" [ Upstream commit 15729ff8143f8135b03988a100a19e66d7cb7ecd ] A crash [1] happened to be triggered in conjunction with commit 2d52c58b9c9b ("block, bfq: honor already-setup queue merges"). The latter was then reverted by commit ebc69e897e17 ("Revert "block, bfq: honor already-setup queue merges""). Yet, the reverted commit was not the one introducing the bug. In fact, it actually triggered a UAF introduced by a different commit, and now fixed by commit d29bd41428cf ("block, bfq: reset last_bfqq_created on group change"). So, there is no point in keeping commit 2d52c58b9c9b ("block, bfq: honor already-setup queue merges") out. This commit restores it. [1] https://bugzilla.kernel.org/show_bug.cgi?id=214503 Reported-by: Holger Hoffstätte Signed-off-by: Paolo Valente Link: https://lore.kernel.org/r/20211125181510.15004-1-paolo.valente@linaro.org Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 1b69302bfae38beeb6fe7ab600d8ddf6e0326930 Author: Paul Menzel Date: Tue Feb 8 16:21:48 2022 +0100 lib/raid6/test/Makefile: Use $(pound) instead of \# for Make 4.3 [ Upstream commit 633174a7046ec3b4572bec24ef98e6ee89bce14b ] Buidling raid6test on Ubuntu 21.10 (ppc64le) with GNU Make 4.3 shows the errors below: $ cd lib/raid6/test/ $ make :1:1: error: stray ‘\’ in program :1:2: error: stray ‘#’ in program :1:11: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ \ before ‘<’ token [...] The errors come from the HAS_ALTIVEC test, which fails, and the POWER optimized versions are not built. That’s also reason nobody noticed on the other architectures. GNU Make 4.3 does not remove the backslash anymore. From the 4.3 release announcment: > * WARNING: Backward-incompatibility! > Number signs (#) appearing inside a macro reference or function invocation > no longer introduce comments and should not be escaped with backslashes: > thus a call such as: > foo := $(shell echo '#') > is legal. Previously the number sign needed to be escaped, for example: > foo := $(shell echo '\#') > Now this latter will resolve to "\#". If you want to write makefiles > portable to both versions, assign the number sign to a variable: > H := \# > foo := $(shell echo '$H') > This was claimed to be fixed in 3.81, but wasn't, for some reason. > To detect this change search for 'nocomment' in the .FEATURES variable. So, do the same as commit 9564a8cf422d ("Kbuild: fix # escaping in .cmd files for future Make") and commit 929bef467771 ("bpf: Use $(pound) instead of \# in Makefiles") and define and use a $(pound) variable. Reference for the change in make: https://git.savannah.gnu.org/cgit/make.git/commit/?id=c6966b323811c37acedff05b57 Cc: Matt Brown Signed-off-by: Paul Menzel Signed-off-by: Song Liu Signed-off-by: Sasha Levin commit 1b87ce6a778eb8478e6fca5191bc4d9ff2361b08 Author: Rafael J. Wysocki Date: Mon Mar 7 20:28:26 2022 +0100 ACPICA: Avoid walking the ACPI Namespace if it is not there [ Upstream commit 0c9992315e738e7d6e927ef36839a466b080dba6 ] ACPICA commit b1c3656ef4950098e530be68d4b589584f06cddc Prevent acpi_ns_walk_namespace() from crashing when called with start_node equal to ACPI_ROOT_OBJECT if the Namespace has not been instantiated yet and acpi_gbl_root_node is NULL. For instance, this can happen if the kernel is run with "acpi=off" in the command line. Link: https://github.com/acpica/acpica/commit/b1c3656ef4950098e530be68d4b589584f06cddc Link: https://lore.kernel.org/linux-acpi/CAJZ5v0hJWW_vZ3wwajE7xT38aWjY7cZyvqMJpXHzUL98-SiCVQ@mail.gmail.com/ Reported-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit df6e00b1a53c57dca82c63b5ecbcad5452231bc7 Author: Zhang Wensheng Date: Thu Mar 3 15:03:34 2022 +0800 bfq: fix use-after-free in bfq_dispatch_request [ Upstream commit ab552fcb17cc9e4afe0e4ac4df95fc7b30e8490a ] KASAN reports a use-after-free report when doing normal scsi-mq test [69832.239032] ================================================================== [69832.241810] BUG: KASAN: use-after-free in bfq_dispatch_request+0x1045/0x44b0 [69832.243267] Read of size 8 at addr ffff88802622ba88 by task kworker/3:1H/155 [69832.244656] [69832.245007] CPU: 3 PID: 155 Comm: kworker/3:1H Not tainted 5.10.0-10295-g576c6382529e #8 [69832.246626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [69832.249069] Workqueue: kblockd blk_mq_run_work_fn [69832.250022] Call Trace: [69832.250541] dump_stack+0x9b/0xce [69832.251232] ? bfq_dispatch_request+0x1045/0x44b0 [69832.252243] print_address_description.constprop.6+0x3e/0x60 [69832.253381] ? __cpuidle_text_end+0x5/0x5 [69832.254211] ? vprintk_func+0x6b/0x120 [69832.254994] ? bfq_dispatch_request+0x1045/0x44b0 [69832.255952] ? bfq_dispatch_request+0x1045/0x44b0 [69832.256914] kasan_report.cold.9+0x22/0x3a [69832.257753] ? bfq_dispatch_request+0x1045/0x44b0 [69832.258755] check_memory_region+0x1c1/0x1e0 [69832.260248] bfq_dispatch_request+0x1045/0x44b0 [69832.261181] ? bfq_bfqq_expire+0x2440/0x2440 [69832.262032] ? blk_mq_delay_run_hw_queues+0xf9/0x170 [69832.263022] __blk_mq_do_dispatch_sched+0x52f/0x830 [69832.264011] ? blk_mq_sched_request_inserted+0x100/0x100 [69832.265101] __blk_mq_sched_dispatch_requests+0x398/0x4f0 [69832.266206] ? blk_mq_do_dispatch_ctx+0x570/0x570 [69832.267147] ? __switch_to+0x5f4/0xee0 [69832.267898] blk_mq_sched_dispatch_requests+0xdf/0x140 [69832.268946] __blk_mq_run_hw_queue+0xc0/0x270 [69832.269840] blk_mq_run_work_fn+0x51/0x60 [69832.278170] process_one_work+0x6d4/0xfe0 [69832.278984] worker_thread+0x91/0xc80 [69832.279726] ? __kthread_parkme+0xb0/0x110 [69832.280554] ? process_one_work+0xfe0/0xfe0 [69832.281414] kthread+0x32d/0x3f0 [69832.282082] ? kthread_park+0x170/0x170 [69832.282849] ret_from_fork+0x1f/0x30 [69832.283573] [69832.283886] Allocated by task 7725: [69832.284599] kasan_save_stack+0x19/0x40 [69832.285385] __kasan_kmalloc.constprop.2+0xc1/0xd0 [69832.286350] kmem_cache_alloc_node+0x13f/0x460 [69832.287237] bfq_get_queue+0x3d4/0x1140 [69832.287993] bfq_get_bfqq_handle_split+0x103/0x510 [69832.289015] bfq_init_rq+0x337/0x2d50 [69832.289749] bfq_insert_requests+0x304/0x4e10 [69832.290634] blk_mq_sched_insert_requests+0x13e/0x390 [69832.291629] blk_mq_flush_plug_list+0x4b4/0x760 [69832.292538] blk_flush_plug_list+0x2c5/0x480 [69832.293392] io_schedule_prepare+0xb2/0xd0 [69832.294209] io_schedule_timeout+0x13/0x80 [69832.295014] wait_for_common_io.constprop.1+0x13c/0x270 [69832.296137] submit_bio_wait+0x103/0x1a0 [69832.296932] blkdev_issue_discard+0xe6/0x160 [69832.297794] blk_ioctl_discard+0x219/0x290 [69832.298614] blkdev_common_ioctl+0x50a/0x1750 [69832.304715] blkdev_ioctl+0x470/0x600 [69832.305474] block_ioctl+0xde/0x120 [69832.306232] vfs_ioctl+0x6c/0xc0 [69832.306877] __se_sys_ioctl+0x90/0xa0 [69832.307629] do_syscall_64+0x2d/0x40 [69832.308362] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [69832.309382] [69832.309701] Freed by task 155: [69832.310328] kasan_save_stack+0x19/0x40 [69832.311121] kasan_set_track+0x1c/0x30 [69832.311868] kasan_set_free_info+0x1b/0x30 [69832.312699] __kasan_slab_free+0x111/0x160 [69832.313524] kmem_cache_free+0x94/0x460 [69832.314367] bfq_put_queue+0x582/0x940 [69832.315112] __bfq_bfqd_reset_in_service+0x166/0x1d0 [69832.317275] bfq_bfqq_expire+0xb27/0x2440 [69832.318084] bfq_dispatch_request+0x697/0x44b0 [69832.318991] __blk_mq_do_dispatch_sched+0x52f/0x830 [69832.319984] __blk_mq_sched_dispatch_requests+0x398/0x4f0 [69832.321087] blk_mq_sched_dispatch_requests+0xdf/0x140 [69832.322225] __blk_mq_run_hw_queue+0xc0/0x270 [69832.323114] blk_mq_run_work_fn+0x51/0x60 [69832.323942] process_one_work+0x6d4/0xfe0 [69832.324772] worker_thread+0x91/0xc80 [69832.325518] kthread+0x32d/0x3f0 [69832.326205] ret_from_fork+0x1f/0x30 [69832.326932] [69832.338297] The buggy address belongs to the object at ffff88802622b968 [69832.338297] which belongs to the cache bfq_queue of size 512 [69832.340766] The buggy address is located 288 bytes inside of [69832.340766] 512-byte region [ffff88802622b968, ffff88802622bb68) [69832.343091] The buggy address belongs to the page: [69832.344097] page:ffffea0000988a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802622a528 pfn:0x26228 [69832.346214] head:ffffea0000988a00 order:2 compound_mapcount:0 compound_pincount:0 [69832.347719] flags: 0x1fffff80010200(slab|head) [69832.348625] raw: 001fffff80010200 ffffea0000dbac08 ffff888017a57650 ffff8880179fe840 [69832.354972] raw: ffff88802622a528 0000000000120008 00000001ffffffff 0000000000000000 [69832.356547] page dumped because: kasan: bad access detected [69832.357652] [69832.357970] Memory state around the buggy address: [69832.358926] ffff88802622b980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [69832.360358] ffff88802622ba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [69832.361810] >ffff88802622ba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [69832.363273] ^ [69832.363975] ffff88802622bb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc [69832.375960] ffff88802622bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [69832.377405] ================================================================== In bfq_dispatch_requestfunction, it may have function call: bfq_dispatch_request __bfq_dispatch_request bfq_select_queue bfq_bfqq_expire __bfq_bfqd_reset_in_service bfq_put_queue kmem_cache_free In this function call, in_serv_queue has beed expired and meet the conditions to free. In the function bfq_dispatch_request, the address of in_serv_queue pointing to has been released. For getting the value of idle_timer_disabled, it will get flags value from the address which in_serv_queue pointing to, then the problem of use-after-free happens; Fix the problem by check in_serv_queue == bfqd->in_service_queue, to get the value of idle_timer_disabled if in_serve_queue is equel to bfqd->in_service_queue. If the space of in_serv_queue pointing has been released, this judge will aviod use-after-free problem. And if in_serv_queue may be expired or finished, the idle_timer_disabled will be false which would not give effects to bfq_update_dispatch_stats. Reported-by: Hulk Robot Signed-off-by: Zhang Wensheng Link: https://lore.kernel.org/r/20220303070334.3020168-1-zhangwensheng5@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit dd85ed4af8f5cb42990fb5f42c22d268028693a3 Author: Akira Kawata Date: Thu Jan 27 21:40:16 2022 +0900 fs/binfmt_elf: Fix AT_PHDR for unusual ELF files [ Upstream commit 0da1d5002745cdc721bc018b582a8a9704d56c42 ] BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=197921 As pointed out in the discussion of buglink, we cannot calculate AT_PHDR as the sum of load_addr and exec->e_phoff. : The AT_PHDR of ELF auxiliary vectors should point to the memory address : of program header. But binfmt_elf.c calculates this address as follows: : : NEW_AUX_ENT(AT_PHDR, load_addr + exec->e_phoff); : : which is wrong since e_phoff is the file offset of program header and : load_addr is the memory base address from PT_LOAD entry. : : The ld.so uses AT_PHDR as the memory address of program header. In normal : case, since the e_phoff is usually 64 and in the first PT_LOAD region, it : is the correct program header address. : : But if the address of program header isn't equal to the first PT_LOAD : address + e_phoff (e.g. Put the program header in other non-consecutive : PT_LOAD region), ld.so will try to read program header from wrong address : then crash or use incorrect program header. This is because exec->e_phoff is the offset of PHDRs in the file and the address of PHDRs in the memory may differ from it. This patch fixes the bug by calculating the address of program headers from PT_LOADs directly. Signed-off-by: Akira Kawata Reported-by: kernel test robot Acked-by: Kees Cook Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220127124014.338760-2-akirakawata1@gmail.com Signed-off-by: Sasha Levin commit 9fc899ce5a203c726596e0a73fed636678abf5b5 Author: Souptick Joarder (HPE) Date: Fri Feb 18 22:03:03 2022 +0530 irqchip/nvic: Release nvic_base upon failure [ Upstream commit e414c25e3399b2b3d7337dc47abccab5c71b7c8f ] smatch warning was reported as below -> smatch warnings: drivers/irqchip/irq-nvic.c:131 nvic_of_init() warn: 'nvic_base' not released on lines: 97. Release nvic_base upon failure. Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Souptick Joarder (HPE) Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20220218163303.33344-1-jrdr.linux@gmail.com Signed-off-by: Sasha Levin commit 4bbd910de18babe0e58416f4ecf769c8e3fc7194 Author: Marc Zyngier Date: Thu Feb 24 10:12:25 2022 +0000 irqchip/qcom-pdc: Fix broken locking [ Upstream commit a6aca2f460e203781dc41391913cc5b54f4bc0ce ] pdc_enable_intr() serves as a primitive to qcom_pdc_gic_{en,dis}able, and has a raw spinlock for mutual exclusion, which is uses with interruptible primitives. This means that this critical section can itself be interrupted. Should the interrupt also be a PDC interrupt, and the endpoint driver perform an irq_disable() on that interrupt, we end-up in a deadlock. Fix this by using the irqsave/irqrestore variants of the locking primitives. Signed-off-by: Marc Zyngier Reviewed-by: Maulik Shah Link: https://lore.kernel.org/r/20220224101226.88373-5-maz@kernel.org Signed-off-by: Sasha Levin commit f038185b6a62e05c3258a4353c7183f8d1b24b1e Author: Casey Schaufler Date: Mon Feb 28 15:45:32 2022 -0800 Fix incorrect type in assignment of ipv6 port for audit [ Upstream commit a5cd1ab7ab679d252a6d2f483eee7d45ebf2040c ] Remove inappropriate use of ntohs() and assign the port value directly. Reported-by: kernel test robot Signed-off-by: Casey Schaufler Signed-off-by: Sasha Levin commit 012c572007c2e80e18ec905edb61748aab8717c6 Author: Chaitanya Kulkarni Date: Tue Feb 15 13:33:07 2022 -0800 loop: use sysfs_emit() in the sysfs xxx show() [ Upstream commit b27824d31f09ea7b4a6ba2c1b18bd328df3e8bed ] sprintf does not know the PAGE_SIZE maximum of the temporary buffer used for outputting sysfs content and it's possible to overrun the PAGE_SIZE buffer length. Use a generic sysfs_emit function that knows the size of the temporary buffer and ensures that no overrun is done for offset attribute in loop_attr_[offset|sizelimit|autoclear|partscan|dio]_show() callbacks. Signed-off-by: Chaitanya Kulkarni Reviewed-by: Himanshu Madhani Link: https://lore.kernel.org/r/20220215213310.7264-2-kch@nvidia.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 448857f58009fd950f4d732e8f1e4fcf859cb4b1 Author: Richard Haines Date: Fri Feb 25 17:54:38 2022 +0000 selinux: allow FIOCLEX and FIONCLEX with policy capability [ Upstream commit 65881e1db4e948614d9eb195b8e1197339822949 ] These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux always allows too. Furthermore, a failed FIOCLEX could result in a file descriptor being leaked to a process that should not have access to it. As this patch removes access controls, a policy capability needs to be enabled in policy to always allow these ioctls. Based-on-patch-by: Demi Marie Obenour Signed-off-by: Richard Haines [PM: subject line tweak] Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 4b9b60b5bfc86b9ee7f02c822de4f13116e118c3 Author: Christian Göttsche Date: Thu Feb 17 15:21:25 2022 +0100 selinux: use correct type for context length [ Upstream commit b97df7c098c531010e445da88d02b7bf7bf59ef6 ] security_sid_to_context() expects a pointer to an u32 as the address where to store the length of the computed context. Reported by sparse: security/selinux/xfrm.c:359:39: warning: incorrect type in arg 4 (different signedness) security/selinux/xfrm.c:359:39: expected unsigned int [usertype] *scontext_len security/selinux/xfrm.c:359:39: got int * Signed-off-by: Christian Göttsche [PM: wrapped commit description] Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 7507ead1e9d42957c2340f2c4a0e9d00034e3366 Author: Yu Kuai Date: Sat Jan 29 09:59:24 2022 +0800 block, bfq: don't move oom_bfqq [ Upstream commit 8410f70977734f21b8ed45c37e925d311dfda2e7 ] Our test report a UAF: [ 2073.019181] ================================================================== [ 2073.019188] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0xa0/0x168 [ 2073.019191] Write of size 8 at addr ffff8000ccf64128 by task rmmod/72584 [ 2073.019192] [ 2073.019196] CPU: 0 PID: 72584 Comm: rmmod Kdump: loaded Not tainted 4.19.90-yk #5 [ 2073.019198] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 [ 2073.019200] Call trace: [ 2073.019203] dump_backtrace+0x0/0x310 [ 2073.019206] show_stack+0x28/0x38 [ 2073.019210] dump_stack+0xec/0x15c [ 2073.019216] print_address_description+0x68/0x2d0 [ 2073.019220] kasan_report+0x238/0x2f0 [ 2073.019224] __asan_store8+0x88/0xb0 [ 2073.019229] __bfq_put_async_bfqq+0xa0/0x168 [ 2073.019233] bfq_put_async_queues+0xbc/0x208 [ 2073.019236] bfq_pd_offline+0x178/0x238 [ 2073.019240] blkcg_deactivate_policy+0x1f0/0x420 [ 2073.019244] bfq_exit_queue+0x128/0x178 [ 2073.019249] blk_mq_exit_sched+0x12c/0x160 [ 2073.019252] elevator_exit+0xc8/0xd0 [ 2073.019256] blk_exit_queue+0x50/0x88 [ 2073.019259] blk_cleanup_queue+0x228/0x3d8 [ 2073.019267] null_del_dev+0xfc/0x1e0 [null_blk] [ 2073.019274] null_exit+0x90/0x114 [null_blk] [ 2073.019278] __arm64_sys_delete_module+0x358/0x5a0 [ 2073.019282] el0_svc_common+0xc8/0x320 [ 2073.019287] el0_svc_handler+0xf8/0x160 [ 2073.019290] el0_svc+0x10/0x218 [ 2073.019291] [ 2073.019294] Allocated by task 14163: [ 2073.019301] kasan_kmalloc+0xe0/0x190 [ 2073.019305] kmem_cache_alloc_node_trace+0x1cc/0x418 [ 2073.019308] bfq_pd_alloc+0x54/0x118 [ 2073.019313] blkcg_activate_policy+0x250/0x460 [ 2073.019317] bfq_create_group_hierarchy+0x38/0x110 [ 2073.019321] bfq_init_queue+0x6d0/0x948 [ 2073.019325] blk_mq_init_sched+0x1d8/0x390 [ 2073.019330] elevator_switch_mq+0x88/0x170 [ 2073.019334] elevator_switch+0x140/0x270 [ 2073.019338] elv_iosched_store+0x1a4/0x2a0 [ 2073.019342] queue_attr_store+0x90/0xe0 [ 2073.019348] sysfs_kf_write+0xa8/0xe8 [ 2073.019351] kernfs_fop_write+0x1f8/0x378 [ 2073.019359] __vfs_write+0xe0/0x360 [ 2073.019363] vfs_write+0xf0/0x270 [ 2073.019367] ksys_write+0xdc/0x1b8 [ 2073.019371] __arm64_sys_write+0x50/0x60 [ 2073.019375] el0_svc_common+0xc8/0x320 [ 2073.019380] el0_svc_handler+0xf8/0x160 [ 2073.019383] el0_svc+0x10/0x218 [ 2073.019385] [ 2073.019387] Freed by task 72584: [ 2073.019391] __kasan_slab_free+0x120/0x228 [ 2073.019394] kasan_slab_free+0x10/0x18 [ 2073.019397] kfree+0x94/0x368 [ 2073.019400] bfqg_put+0x64/0xb0 [ 2073.019404] bfqg_and_blkg_put+0x90/0xb0 [ 2073.019408] bfq_put_queue+0x220/0x228 [ 2073.019413] __bfq_put_async_bfqq+0x98/0x168 [ 2073.019416] bfq_put_async_queues+0xbc/0x208 [ 2073.019420] bfq_pd_offline+0x178/0x238 [ 2073.019424] blkcg_deactivate_policy+0x1f0/0x420 [ 2073.019429] bfq_exit_queue+0x128/0x178 [ 2073.019433] blk_mq_exit_sched+0x12c/0x160 [ 2073.019437] elevator_exit+0xc8/0xd0 [ 2073.019440] blk_exit_queue+0x50/0x88 [ 2073.019443] blk_cleanup_queue+0x228/0x3d8 [ 2073.019451] null_del_dev+0xfc/0x1e0 [null_blk] [ 2073.019459] null_exit+0x90/0x114 [null_blk] [ 2073.019462] __arm64_sys_delete_module+0x358/0x5a0 [ 2073.019467] el0_svc_common+0xc8/0x320 [ 2073.019471] el0_svc_handler+0xf8/0x160 [ 2073.019474] el0_svc+0x10/0x218 [ 2073.019475] [ 2073.019479] The buggy address belongs to the object at ffff8000ccf63f00 which belongs to the cache kmalloc-1024 of size 1024 [ 2073.019484] The buggy address is located 552 bytes inside of 1024-byte region [ffff8000ccf63f00, ffff8000ccf64300) [ 2073.019486] The buggy address belongs to the page: [ 2073.019492] page:ffff7e000333d800 count:1 mapcount:0 mapping:ffff8000c0003a00 index:0x0 compound_mapcount: 0 [ 2073.020123] flags: 0x7ffff0000008100(slab|head) [ 2073.020403] raw: 07ffff0000008100 ffff7e0003334c08 ffff7e00001f5a08 ffff8000c0003a00 [ 2073.020409] raw: 0000000000000000 00000000001c001c 00000001ffffffff 0000000000000000 [ 2073.020411] page dumped because: kasan: bad access detected [ 2073.020412] [ 2073.020414] Memory state around the buggy address: [ 2073.020420] ffff8000ccf64000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 2073.020424] ffff8000ccf64080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 2073.020428] >ffff8000ccf64100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 2073.020430] ^ [ 2073.020434] ffff8000ccf64180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 2073.020438] ffff8000ccf64200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 2073.020439] ================================================================== The same problem exist in mainline as well. This is because oom_bfqq is moved to a non-root group, thus root_group is freed earlier. Thus fix the problem by don't move oom_bfqq. Signed-off-by: Yu Kuai Reviewed-by: Jan Kara Acked-by: Paolo Valente Link: https://lore.kernel.org/r/20220129015924.3958918-4-yukuai3@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 79b16d00de175166f52bdccea54c5ca5eb9296a2 Author: Marc Zyngier Date: Tue Feb 1 12:03:08 2022 +0000 pinctrl: npcm: Fix broken references to chip->parent_device [ Upstream commit f7e53e2255808ca3abcc8f38d18ad0823425e771 ] The npcm driver has a bunch of references to the irq_chip parent_device field, but never sets it. Fix it by fishing that reference from somewhere else, but it is obvious that these debug statements were never used. Also remove an unused field in a local data structure. Signed-off-by: Marc Zyngier Acked-by: Bartosz Golaszewski Link: https://lore.kernel.org/r/20220201120310.878267-11-maz@kernel.org Signed-off-by: Sasha Levin commit 9d1d8e5e42941d3a51f7cde3bee93c2b47838aaa Author: Kees Cook Date: Sun Feb 6 09:08:20 2022 -0800 gcc-plugins/stackleak: Exactly match strings instead of prefixes [ Upstream commit 27e9faf415dbf94af19b9c827842435edbc1fbbc ] Since STRING_CST may not be NUL terminated, strncmp() was used for check for equality. However, this may lead to mismatches for longer section names where the start matches the tested-for string. Test for exact equality by checking for the presences of NUL termination. Cc: Alexander Popov Signed-off-by: Kees Cook Signed-off-by: Sasha Levin commit b0f2f89d741ab1f2e0fcd14b5a5252fbbdeebb70 Author: Dave Stevenson Date: Mon Jan 24 17:01:22 2022 -0500 regulator: rpi-panel: Handle I2C errors/timing to the Atmel [ Upstream commit 5665eee7a3800430e7dc3ef6f25722476b603186 ] The Atmel is doing some things in the I2C ISR, during which period it will not respond to further commands. This is particularly true of the POWERON command. Increase delays appropriately, and retry should I2C errors be reported. Signed-off-by: Dave Stevenson Signed-off-by: Detlev Casanova Link: https://lore.kernel.org/r/20220124220129.158891-3-detlev.casanova@collabora.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2784604c8c6fc523248f8f80a421c313a9d790b7 Author: Casey Schaufler Date: Thu Jan 27 04:51:00 2022 +0000 LSM: general protection fault in legacy_parse_param [ Upstream commit ecff30575b5ad0eda149aadad247b7f75411fd47 ] The usual LSM hook "bail on fail" scheme doesn't work for cases where a security module may return an error code indicating that it does not recognize an input. In this particular case Smack sees a mount option that it recognizes, and returns 0. A call to a BPF hook follows, which returns -ENOPARAM, which confuses the caller because Smack has processed its data. The SELinux hook incorrectly returns 1 on success. There was a time when this was correct, however the current expectation is that it return 0 on success. This is repaired. Reported-by: syzbot+d1e3b1d92d25abf97943@syzkaller.appspotmail.com Signed-off-by: Casey Schaufler Acked-by: James Morris Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit e600b5973e808848a23eeba3fdbb9b288e5558c1 Author: Linus Torvalds Date: Tue Mar 29 23:29:18 2022 -0700 fs: fix fd table size alignment properly [ Upstream commit d888c83fcec75194a8a48ccd283953bdba7b2550 ] Jason Donenfeld reports that my commit 1c24a186398f ("fs: fd tables have to be multiples of BITS_PER_LONG") doesn't work, and the reason is an embarrassing brown-paper-bag bug. Yes, we want to align the number of fds to BITS_PER_LONG, and yes, the reason they might not be aligned is because the incoming 'max_fd' argument might not be aligned. But aligining the argument - while simple - will cause a "infinitely big" maxfd (eg NR_OPEN_MAX) to just overflow to zero. Which most definitely isn't what we want either. The obvious fix was always just to do the alignment last, but I had moved it earlier just to make the patch smaller and the code look simpler. Duh. It certainly made _me_ look simple. Fixes: 1c24a186398f ("fs: fd tables have to be multiples of BITS_PER_LONG") Reported-and-tested-by: Jason A. Donenfeld Cc: Fedor Pchelkin Cc: Alexey Khoroshilov Cc: Christian Brauner Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 327f07e3704c821ce33e54ef5046bdf69975cb86 Author: Dan Carpenter Date: Thu Mar 24 08:52:07 2022 +0300 lib/test: use after free in register_test_dev_kmod() [ Upstream commit dc0ce6cc4b133f5f2beb8b47dacae13a7d283c2c ] The "test_dev" pointer is freed but then returned to the caller. Fixes: d9c6a72d6fa2 ("kmod: add test driver to stress test the module loader") Signed-off-by: Dan Carpenter Signed-off-by: Luis Chamberlain Signed-off-by: Sasha Levin commit 00d2b9fe5e02b41c6e4d7a4c1171cc6dd3008617 Author: Linus Torvalds Date: Tue Mar 29 15:06:39 2022 -0700 fs: fd tables have to be multiples of BITS_PER_LONG [ Upstream commit 1c24a186398f59c80adb9a967486b65c1423a59d ] This has always been the rule: fdtables have several bitmaps in them, and as a result they have to be sized properly for bitmaps. We walk those bitmaps in chunks of 'unsigned long' in serveral cases, but even when we don't, we use the regular kernel bitops that are defined to work on arrays of 'unsigned long', not on some byte array. Now, the distinction between arrays of bytes and 'unsigned long' normally only really ends up being noticeable on big-endian systems, but Fedor Pchelkin and Alexey Khoroshilov reported that copy_fd_bitmaps() could be called with an argument that wasn't even a multiple of BITS_PER_BYTE. And then it fails to do the proper copy even on little-endian machines. The bug wasn't in copy_fd_bitmap(), but in sane_fdtable_size(), which didn't actually sanitize the fdtable size sufficiently, and never made sure it had the proper BITS_PER_LONG alignment. That's partly because the alignment historically came not from having to explicitly align things, but simply from previous fdtable sizes, and from count_open_files(), which counts the file descriptors by walking them one 'unsigned long' word at a time and thus naturally ends up doing sizing in the proper 'chunks of unsigned long'. But with the introduction of close_range(), we now have an external source of "this is how many files we want to have", and so sane_fdtable_size() needs to do a better job. This also adds that explicit alignment to alloc_fdtable(), although there it is mainly just for documentation at a source code level. The arithmetic we do there to pick a reasonable fdtable size already aligns the result sufficiently. In fact,clang notices that the added ALIGN() in that function doesn't actually do anything, and does not generate any extra code for it. It turns out that gcc ends up confusing itself by combining a previous constant-sized shift operation with the variable-sized shift operations in roundup_pow_of_two(). And probably due to that doesn't notice that the ALIGN() is a no-op. But that's a (tiny) gcc misfeature that doesn't matter. Having the explicit alignment makes sense, and would actually matter on a 128-bit architecture if we ever go there. This also adds big comments above both functions about how fdtable sizes have to have that BITS_PER_LONG alignment. Fixes: 60997c3d45d9 ("close_range: add CLOSE_RANGE_UNSHARE") Reported-by: Fedor Pchelkin Reported-by: Alexey Khoroshilov Link: https://lore.kernel.org/all/20220326114009.1690-1-aissur0002@gmail.com/ Tested-and-acked-by: Christian Brauner Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 1752fcd4045b4b33fd80b8018848d739043e805a Author: Xiaomeng Tong Date: Mon Mar 28 11:24:31 2022 +0800 net: dsa: bcm_sf2_cfp: fix an incorrect NULL check on list iterator [ Upstream commit 6da69b1da130e7d96766042750cd9f902e890eba ] The bug is here: return rule; The list iterator value 'rule' will *always* be set and non-NULL by list_for_each_entry(), so it is incorrect to assume that the iterator value will be NULL if the list is empty or no element is found. To fix the bug, return 'rule' when found, otherwise return NULL. Fixes: ae7a5aff783c7 ("net: dsa: bcm_sf2: Keep copy of inserted rules") Reviewed-by: Vladimir Oltean Reviewed-by: Florian Fainelli Signed-off-by: Xiaomeng Tong Link: https://lore.kernel.org/r/20220328032431.22538-1-xiam0nd.tong@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit edb91a475da5d8243db9469528e2dc15599b497b Author: Trond Myklebust Date: Mon Mar 28 08:36:34 2022 -0400 NFSv4/pNFS: Fix another issue with a list iterator pointing to the head [ Upstream commit 7c9d845f0612e5bcd23456a2ec43be8ac43458f1 ] In nfs4_callback_devicenotify(), if we don't find a matching entry for the deviceid, we're left with a pointer to 'struct nfs_server' that actually points to the list of super blocks associated with our struct nfs_client. Furthermore, even if we have a valid pointer, nothing pins the super block, and so the struct nfs_server could end up getting freed while we're using it. Since all we want is a pointer to the struct pnfs_layoutdriver_type, let's skip all the iteration over super blocks, and just use APIs to find the layout driver directly. Reported-by: Xiaomeng Tong Fixes: 1be5683b03a7 ("pnfs: CB_NOTIFY_DEVICEID") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 5c94b6205e87411dbe9dc1ca088eb36b8837fb47 Author: Duoming Zhou Date: Sat Mar 26 18:43:46 2022 +0800 net/x25: Fix null-ptr-deref caused by x25_disconnect [ Upstream commit 7781607938c8371d4c2b243527430241c62e39c2 ] When the link layer is terminating, x25->neighbour will be set to NULL in x25_disconnect(). As a result, it could cause null-ptr-deref bugs in x25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is shown below. (Thread 1) | (Thread 2) x25_link_terminated() | x25_recvmsg() x25_kill_by_neigh() | ... x25_disconnect() | lock_sock(sk) ... | ... x25->neighbour = NULL //(1) | ... | x25->neighbour->extended //(2) The code sets NULL to x25->neighbour in position (1) and dereferences x25->neighbour in position (2), which could cause null-ptr-deref bug. This patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize with x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the sock held by lock_sock() is not NULL, because it is extracted from x25_list and uses x25_list_lock to synchronize. Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect") Signed-off-by: Duoming Zhou Reviewed-by: Lin Ma Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4896c308a57d4f036af4b84ce6f61f97f5c5f23c Author: Tom Rix Date: Sat Mar 26 10:20:03 2022 -0700 qlcnic: dcb: default to returning -EOPNOTSUPP [ Upstream commit 1521db37f0d42334a88e8ff28198a27d1ed5cd7b ] Clang static analysis reports this issue qlcnic_dcb.c:382:10: warning: Assigned value is garbage or undefined mbx_out = *val; ^ ~~~~ val is set in the qlcnic_dcb_query_hw_capability() wrapper. If there is no query_hw_capability op in dcp, success is returned without setting the val. For this and similar wrappers, return -EOPNOTSUPP. Fixes: 14d385b99059 ("qlcnic: dcb: Query adapter DCB capabilities.") Signed-off-by: Tom Rix Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2165d0ebfbacdda40483eaa8ec305b6e79d2a3b3 Author: Ido Schimmel Date: Thu Mar 24 22:05:14 2022 +0200 selftests: test_vxlan_under_vrf: Fix broken test case [ Upstream commit b50d3b46f84282d795ae3076111acb75ae1031f3 ] The purpose of the last test case is to test VXLAN encapsulation and decapsulation when the underlay lookup takes place in a non-default VRF. This is achieved by enslaving the physical device of the tunnel to a VRF. The binding of the VXLAN UDP socket to the VRF happens when the VXLAN device itself is opened, not when its physical device is opened. This was also mentioned in the cited commit ("tests that moving the underlay from a VRF to another works when down/up the VXLAN interface"), but the test did something else. Fix it by reopening the VXLAN device instead of its physical device. Before: # ./test_vxlan_under_vrf.sh Checking HV connectivity [ OK ] Check VM connectivity through VXLAN (underlay in the default VRF) [ OK ] Check VM connectivity through VXLAN (underlay in a VRF) [FAIL] After: # ./test_vxlan_under_vrf.sh Checking HV connectivity [ OK ] Check VM connectivity through VXLAN (underlay in the default VRF) [ OK ] Check VM connectivity through VXLAN (underlay in a VRF) [ OK ] Fixes: 03f1c26b1c56 ("test/net: Add script for VXLAN underlay in a VRF") Signed-off-by: Ido Schimmel Reviewed-by: David Ahern Link: https://lore.kernel.org/r/20220324200514.1638326-1-idosch@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit f98dc124a4828f1f94e460d37a0756811ebe5142 Author: Florian Fainelli Date: Thu Mar 24 16:24:38 2022 -0700 net: phy: broadcom: Fix brcm_fet_config_init() [ Upstream commit bf8bfc4336f7a34e48b3bbd19b1542bf085bdc3d ] A Broadcom AC201 PHY (same entry as 5241) would be flagged by the Broadcom UniMAC MDIO controller as not completing the turn around properly since the PHY expects 65 MDC clock cycles to complete a write cycle, and the MDIO controller was only sending 64 MDC clock cycles as determined by looking at a scope shot. This would make the subsequent read fail with the UniMAC MDIO controller command field having MDIO_READ_FAIL set and we would abort the brcm_fet_config_init() function and thus not probe the PHY at all. After issuing a software reset, wait for at least 1ms which is well above the 1us reset delay advertised by the datasheet and issue a dummy read to let the PHY turn around the line properly. This read specifically ignores -EIO which would be returned by MDIO controllers checking for the line being turned around. If we have a genuine reaad failure, the next read of the interrupt status register would pick it up anyway. Fixes: d7a2ed9248a3 ("broadcom: Add AC131 phy support") Signed-off-by: Florian Fainelli Link: https://lore.kernel.org/r/20220324232438.1156812-1-f.fainelli@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 3e7a483af3bb24e7b2d7722c5240980afb12d079 Author: Jian Shen Date: Thu Mar 24 20:54:47 2022 +0800 net: hns3: fix bug when PF set the duplicate MAC address for VFs [ Upstream commit ccb18f05535c96d26e2d559d402acb87700fc5a7 ] If the MAC address A is configured to vport A and then vport B. The MAC address of vport A in the hardware becomes invalid. If the address of vport A is changed to MAC address B, the driver needs to delete the MAC address A of vport A. Due to the MAC address A of vport A has become invalid in the hardware entry, so "-ENOENT" is returned. In this case, the "used_umv_size" value recorded in driver is not updated. As a result, the MAC entry status of the software is inconsistent with that of the hardware. Therefore, the driver updates the umv size even if the MAC entry cannot be found. Ensure that the software and hardware status is consistent. Fixes: ee4bcd3b7ae4 ("net: hns3: refactor the MAC address configure") Signed-off-by: Jian Shen Signed-off-by: Guangbin Huang Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 3eb92660e69a7ebdc40ddb29b1dd1c53a521fe5a Author: Vladimir Oltean Date: Thu Mar 24 18:12:10 2022 +0200 net: enetc: report software timestamping via SO_TIMESTAMPING [ Upstream commit feb13dcb1818b775fbd9191f797be67cd605f03e ] Let user space properly determine that the enetc driver provides software timestamps. Fixes: 4caefbce06d1 ("enetc: add software timestamping") Signed-off-by: Vladimir Oltean Reviewed-by: Claudiu Manoil Link: https://lore.kernel.org/r/20220324161210.4122281-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e9445a7a59d84ed3ae6c85f299d2a6c4930b1ee9 Author: Juergen Gross Date: Fri Mar 25 15:20:02 2022 +0100 xen: fix is_xen_pmu() [ Upstream commit de2ae403b4c0e79a3410e63bc448542fbb9f9bfc ] is_xen_pmu() is taking the cpu number as parameter, but it is not using it. Instead it just tests whether the Xen PMU initialization on the current cpu did succeed. As this test is done by checking a percpu pointer, preemption needs to be disabled in order to avoid switching the cpu while doing the test. While resuming from suspend() this seems not to be the case: [ 88.082751] ACPI: PM: Low-level resume complete [ 88.087933] ACPI: EC: EC started [ 88.091464] ACPI: PM: Restoring platform NVS memory [ 88.097166] xen_acpi_processor: Uploading Xen processor PM info [ 88.103850] Enabling non-boot CPUs ... [ 88.108128] installing Xen timer for CPU 1 [ 88.112763] BUG: using smp_processor_id() in preemptible [00000000] code: systemd-sleep/7138 [ 88.122256] caller is is_xen_pmu+0x12/0x30 [ 88.126937] CPU: 0 PID: 7138 Comm: systemd-sleep Tainted: G W 5.16.13-2.fc32.qubes.x86_64 #1 [ 88.137939] Hardware name: Star Labs StarBook/StarBook, BIOS 7.97 03/21/2022 [ 88.145930] Call Trace: [ 88.148757] [ 88.151193] dump_stack_lvl+0x48/0x5e [ 88.155381] check_preemption_disabled+0xde/0xe0 [ 88.160641] is_xen_pmu+0x12/0x30 [ 88.164441] xen_smp_intr_init_pv+0x75/0x100 Fix that by replacing is_xen_pmu() by a simple boolean variable which reflects the Xen PMU initialization state on cpu 0. Modify xen_pmu_init() to return early in case it is being called for a cpu other than cpu 0 and the boolean variable not being set. Fixes: bf6dfb154d93 ("xen/PMU: PMU emulation code") Reported-by: Marek Marczykowski-Górecki Signed-off-by: Juergen Gross Reviewed-by: Boris Ostrovsky Link: https://lore.kernel.org/r/20220325142002.31789-1-jgross@suse.com Signed-off-by: Boris Ostrovsky Signed-off-by: Sasha Levin commit af0c3ced2468dd28d4dc599ba099adc892019a9b Author: Maxime Ripard Date: Fri Mar 25 17:11:42 2022 +0100 clk: Initialize orphan req_rate [ Upstream commit 5f7e2af00807f2117650e711a58b7f0e986ce1df ] When registering a clock that doesn't have a recalc_rate implementation, and doesn't have its parent registered yet, we initialize the clk_core rate and 'req_rate' fields to 0. The rate field is later updated when the parent is registered in clk_core_reparent_orphans_nolock() using __clk_recalc_rates(), but the 'req_rate' field is never updated. This leads to an issue in clk_set_rate_range() and clk_put(), since those functions will call clk_set_rate() with the content of 'req_rate' to provide drivers with the opportunity to change the rate based on the new boundaries. In this case, we would call clk_set_rate() with a rate of 0, effectively enforcing the minimum allowed for this clock whenever we would call one of those two functions, even though the actual rate might be within range. Let's fix this by setting 'req_rate' in clk_core_reparent_orphans_nolock() with the rate field content just updated by the call to __clk_recalc_rates(). Fixes: 1c8e600440c7 ("clk: Add rate constraints to clocks") Reported-by: Dmitry Osipenko Tested-by: Dmitry Osipenko # T30 Nexus7 Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20220325161144.1901695-2-maxime@cerno.tech [sboyd@kernel.org: Reword comment] Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 845e734f975f031bb43f81ece2ab6621fb19632d Author: Konrad Dybcio Date: Sat Mar 19 18:49:40 2022 +0100 clk: qcom: gcc-msm8994: Fix gpll4 width [ Upstream commit 71021db1c532c2545ae53b9ee85b37b7154f51d4 ] The gpll4 postdiv is actually a div4, so make sure that Linux is aware of this. This fixes the following error messages: mmc1: Card appears overclocked; req 200000000 Hz, actual 343999999 Hz mmc1: Card appears overclocked; req 400000000 Hz, actual 687999999 Hz Fixes: aec89f78cf01 ("clk: qcom: Add support for msm8994 global clock controller") Signed-off-by: Konrad Dybcio Link: https://lore.kernel.org/r/20220319174940.341137-1-konrad.dybcio@somainline.org Tested-by: Petr Vorel Reviewed-by: Petr Vorel Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit e2a26253921920861f17fffcab1ec926807ad2ae Author: Daniel Thompson Date: Fri Jan 28 14:40:55 2022 +0000 kdb: Fix the putarea helper function [ Upstream commit c1cb81429df462eca1b6ba615cddd21dd3103c46 ] Currently kdb_putarea_size() uses copy_from_kernel_nofault() to write *to* arbitrary kernel memory. This is obviously wrong and means the memory modify ('mm') command is a serious risk to debugger stability: if we poke to a bad address we'll double-fault and lose our debug session. Fix this the (very) obvious way. Note that there are two Fixes: tags because the API was renamed and this patch will only trivially backport as far as the rename (and this is probably enough). Nevertheless Christoph's rename did not introduce this problem so I wanted to record that! Fixes: fe557319aa06 ("maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault") Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)") Signed-off-by: Daniel Thompson Reviewed-by: Douglas Anderson Link: https://lore.kernel.org/r/20220128144055.207267-1-daniel.thompson@linaro.org Signed-off-by: Sasha Levin commit a9fa7d48a1cdcb46f0dcf75c2d63fcb138e194f2 Author: Olga Kornievskaia Date: Thu Mar 24 10:38:42 2022 -0400 NFSv4.1: don't retry BIND_CONN_TO_SESSION on session error [ Upstream commit 1d15d121cc2ad4d016a7dc1493132a9696f91fc5 ] There is no reason to retry the operation if a session error had occurred in such case result structure isn't filled out. Fixes: dff58530c4ca ("NFSv4.1: fix handling of backchannel binding in BIND_CONN_TO_SESSION") Signed-off-by: Olga Kornievskaia Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 8cd30d28da01e6c29fabca1494baba4f11191ac1 Author: Pablo Neira Ayuso Date: Mon Mar 21 11:38:32 2022 +0100 netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options [ Upstream commit f2dd495a8d589371289981d5ed33e6873df94ecc ] Do not reset IP_CT_TCP_FLAG_BE_LIBERAL flag in out-of-sync scenarios coming before the TCP window tracking, otherwise such connections will fail in the window check. Update tcp_options() to leave this flag in place and add a new helper function to reset the tcp window state. Based on patch from Sven Auhagen. Fixes: c4832c7bbc3f ("netfilter: nf_ct_tcp: improve out-of-sync situation in TCP tracking") Tested-by: Sven Auhagen Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit fbd56a61ceee221feea7fc978404e8d458e948a2 Author: Pavel Skripkin Date: Sat Mar 19 22:30:00 2022 +0300 jfs: fix divide error in dbNextAG [ Upstream commit 2cc7cc01c15f57d056318c33705647f87dcd4aab ] Syzbot reported divide error in dbNextAG(). The problem was in missing validation check for malicious image. Syzbot crafted an image with bmp->db_numag equal to 0. There wasn't any validation checks, but dbNextAG() blindly use bmp->db_numag in divide expression Fix it by validating bmp->db_numag in dbMount() and return an error if image is malicious Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-and-tested-by: syzbot+46f5c25af73eb8330eb6@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Signed-off-by: Dave Kleikamp Signed-off-by: Sasha Levin commit acb96e62e690507e059fd8acd3d62858ef4a8366 Author: Randy Dunlap Date: Mon Feb 28 20:18:29 2022 -0800 driver core: dd: fix return value of __setup handler [ Upstream commit f2aad54703dbe630f9d8b235eb58e8c8cc78f37d ] When "driver_async_probe=nulltty" is used on the kernel boot command line, it causes an Unknown parameter message and the string is added to init's environment strings, polluting them. Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc6 driver_async_probe=nulltty", will be passed to user space. Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc6 driver_async_probe=nulltty Change the return value of the __setup function to 1 to indicate that the __setup option has been handled. Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: 1ea61b68d0f8 ("async: Add cmdline option to specify drivers to be async probed") Cc: Feng Tang Cc: Greg Kroah-Hartman Cc: "Rafael J. Wysocki" Reported-by: Igor Zhbanov Reviewed-by: Feng Tang Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20220301041829.15137-1-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 89748be18f77498434981061cf2b019a9f7cdf9c Author: David Gow Date: Fri Feb 25 12:15:02 2022 +0800 firmware: google: Properly state IOMEM dependency [ Upstream commit 37fd83916da2e4cae03d350015c82a67b1b334c4 ] The Google Coreboot implementation requires IOMEM functions (memmremap, memunmap, devm_memremap), but does not specify this is its Kconfig. This results in build errors when HAS_IOMEM is not set, such as on some UML configurations: /usr/bin/ld: drivers/firmware/google/coreboot_table.o: in function `coreboot_table_probe': coreboot_table.c:(.text+0x311): undefined reference to `memremap' /usr/bin/ld: coreboot_table.c:(.text+0x34e): undefined reference to `memunmap' /usr/bin/ld: drivers/firmware/google/memconsole-coreboot.o: in function `memconsole_probe': memconsole-coreboot.c:(.text+0x12d): undefined reference to `memremap' /usr/bin/ld: memconsole-coreboot.c:(.text+0x17e): undefined reference to `devm_memremap' /usr/bin/ld: memconsole-coreboot.c:(.text+0x191): undefined reference to `memunmap' /usr/bin/ld: drivers/firmware/google/vpd.o: in function `vpd_section_destroy.isra.0': vpd.c:(.text+0x300): undefined reference to `memunmap' /usr/bin/ld: drivers/firmware/google/vpd.o: in function `vpd_section_init': vpd.c:(.text+0x382): undefined reference to `memremap' /usr/bin/ld: vpd.c:(.text+0x459): undefined reference to `memunmap' /usr/bin/ld: drivers/firmware/google/vpd.o: in function `vpd_probe': vpd.c:(.text+0x59d): undefined reference to `memremap' /usr/bin/ld: vpd.c:(.text+0x5d3): undefined reference to `memunmap' collect2: error: ld returned 1 exit status Fixes: a28aad66da8b ("firmware: coreboot: Collapse platform drivers into bus core") Acked-By: anton ivanov Acked-By: Julius Werner Signed-off-by: David Gow Link: https://lore.kernel.org/r/20220225041502.1901806-1-davidgow@google.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 3d934d7b9019adfa8522606895cab357e6e639d3 Author: Randy Dunlap Date: Mon Mar 7 19:32:55 2022 -0800 kgdbts: fix return value of __setup handler [ Upstream commit 96c9e802c64014a7716865332d732cc9c7f24593 ] __setup() handlers should return 1 to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) environment strings. So return 1 from kgdbts_option_setup(). Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc7 kgdboc=kbd kgdbts=", will be passed to user space. Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc7 kgdboc=kbd kgdbts= Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: e8d31c204e36 ("kgdb: add kgdb internal test suite") Cc: kgdb-bugreport@lists.sourceforge.net Cc: Jason Wessel Cc: Daniel Thompson Cc: Douglas Anderson Cc: Arnd Bergmann Cc: Greg Kroah-Hartman Reported-by: Igor Zhbanov Reviewed-by: Douglas Anderson Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20220308033255.22118-1-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f65ba8b98846753cad1231716243d3a3b41319f2 Author: Ilpo Järvinen Date: Mon Mar 14 11:14:32 2022 +0200 serial: 8250: fix XOFF/XON sending when DMA is used [ Upstream commit f58c252e30cf74f68b0054293adc03b5923b9f0e ] When 8250 UART is using DMA, x_char (XON/XOFF) is never sent to the wire. After this change, x_char is injected correctly. Create uart_xchar_out() helper for sending the x_char out and accounting related to it. It seems that almost every driver does these same steps with x_char. Except for 8250, however, almost all currently lack .serial_out so they cannot immediately take advantage of this new helper. The downside of this patch is that it might reintroduce the problems some devices faced with mixed DMA/non-DMA transfer which caused revert f967fc8f165f (Revert "serial: 8250_dma: don't bother DMA with small transfers"). However, the impact should be limited to cases with XON/XOFF (that didn't work with DMA capable devices to begin with so this problem is not very likely to cause a major issue, if any at all). Fixes: 9ee4b83e51f74 ("serial: 8250: Add support for dmaengine") Reported-by: Gilles Buloz Tested-by: Gilles Buloz Reviewed-by: Andy Shevchenko Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20220314091432.4288-2-ilpo.jarvinen@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 45e95a7bf8c4fd2e5408e89bafe7ccf2a52f7864 Author: Randy Dunlap Date: Tue Mar 8 19:30:18 2022 -0800 kgdboc: fix return value of __setup handler [ Upstream commit ab818c7aa7544bf8d2dd4bdf68878b17a02eb332 ] __setup() handlers should return 1 to obsolete_checksetup() in init/main.c to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) environment strings. So return 1 from kgdboc_option_setup(). Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc7 kgdboc=kbd kgdbts=", will be passed to user space. Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc7 kgdboc=kbd kgdbts= Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: 1bd54d851f50 ("kgdboc: Passing ekgdboc to command line causes panic") Fixes: f2d937f3bf00 ("consoles: polling support, kgdboc") Cc: He Zhe Cc: Greg Kroah-Hartman Cc: Jiri Slaby Cc: kgdb-bugreport@lists.sourceforge.net Cc: Jason Wessel Cc: Daniel Thompson Cc: Douglas Anderson Cc: linux-serial@vger.kernel.org Reported-by: Igor Zhbanov Reviewed-by: Douglas Anderson Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20220309033018.17936-1-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 96038b1cf45e0351594c3e243d5cb57cdb96ad17 Author: Randy Dunlap Date: Mon Mar 7 18:42:28 2022 -0800 tty: hvc: fix return value of __setup handler [ Upstream commit 53819a0d97aace1425bb042829e3446952a9e8a9 ] __setup() handlers should return 1 to indicate that the boot option has been handled or 0 to indicate that it was not handled. Add a pr_warn() message if the option value is invalid and then always return 1. Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: 86b40567b917 ("tty: replace strict_strtoul() with kstrtoul()") Cc: Jingoo Han Cc: Greg Kroah-Hartman Cc: Jiri Slaby Cc: Michael Ellerman Cc: Julian Wiedmann Cc: Vasily Gorbik Cc: linuxppc-dev@lists.ozlabs.org Reported-by: Igor Zhbanov Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20220308024228.20477-1-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 566e30289d04aeb027f0258f8731542296e20aeb Author: Miaoqian Lin Date: Mon Mar 7 12:02:34 2022 +0000 pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe [ Upstream commit 89388f8730699c259f8090ec435fb43569efe4ac ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: 1e747e59cc4d ("pinctrl: rockchip: base regmap supplied by a syscon") Fixes: 14dee8677e19 ("pinctrl: rockchip: let pmu registers be supplied by a syscon") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220307120234.28657-1-linmq006@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 669b05ff43bd7ed684379c6e2006a6dad5127b71 Author: Miaoqian Lin Date: Mon Mar 7 11:51:16 2022 +0000 pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe [ Upstream commit c09ac191b1f97cfa06f394dbfd7a5db07986cefc ] This node pointer is returned by of_parse_phandle() with refcount incremented in this function. Calling of_node_put() to avoid the refcount leak. Fixes: 32e67eee670e ("pinctrl: nomadik: Allow prcm_base to be extracted from Device Tree") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220307115116.25316-1-linmq006@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 9d095fe2fb8aae25e9062e17390ed32278cdb6df Author: Chen-Yu Tsai Date: Tue Mar 8 18:09:51 2022 +0800 pinctrl: mediatek: paris: Skip custom extra pin config dump for virtual GPIOs [ Upstream commit 1763933d377ecb05454f8d20e3c8922480db2ac0 ] Virtual GPIOs do not have any hardware state associated with them. Any attempt to read back hardware state for these pins result in error codes. Skip dumping extra pin config information for these virtual GPIOs. Fixes: 184d8e13f9b1 ("pinctrl: mediatek: Add support for pin configuration dump via debugfs.") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308100956.2750295-7-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 861946289d4a9f64269563469fa6a2f6a7c9240f Author: Chen-Yu Tsai Date: Tue Mar 8 18:09:49 2022 +0800 pinctrl: mediatek: paris: Fix pingroup pin config state readback [ Upstream commit 54fe55fb384ade630ef20b9a8b8f3b2a89ad97f2 ] mtk_pconf_group_get(), used to read back pingroup pin config state, simply returns a set of configs saved from a previous invocation of mtk_pconf_group_set(). This is an unfiltered, unvalidated set passed in from the pinconf core, which does not match the current hardware state. Since the driver library is designed to have one pin per group, pass through mtk_pconf_group_get() to mtk_pinconf_get(), to read back the current pin config state of the only pin in the group. Also drop the assignment of pin config state to the group. Fixes: 805250982bb5 ("pinctrl: mediatek: add pinctrl-paris that implements the vendor dt-bindings") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308100956.2750295-5-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 7675fb2aaf8846a33e318322a382c12ae040df8e Author: Chen-Yu Tsai Date: Tue Mar 8 18:09:48 2022 +0800 pinctrl: mediatek: paris: Fix "argument" argument type for mtk_pinconf_get() [ Upstream commit 19bce7ce0a593c7024030a0cda9e23facea3c93d ] For mtk_pinconf_get(), the "argument" argument is typically returned by pinconf_to_config_argument(), which holds the value for a given pinconf parameter. It certainly should not have the type of "enum pin_config_param", which describes the type of the pinconf parameter itself. Change the type to u32, which matches the return type of pinconf_to_config_argument(). Fixes: 805250982bb5 ("pinctrl: mediatek: add pinctrl-paris that implements the vendor dt-bindings") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308100956.2750295-4-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 901e192ac91e5cd4172bdf3e3ca0b4d778d98c2b Author: Chen-Yu Tsai Date: Tue Mar 8 18:09:47 2022 +0800 pinctrl: mediatek: paris: Fix PIN_CONFIG_BIAS_* readback [ Upstream commit 3e8c6bc608480010f360c4a59578d7841726137d ] When reading back pin bias settings, if the pin is not in the corresponding bias state, the function should return -EINVAL. Fix this in the mediatek-paris pinctrl library so that the read back state is not littered with bogus a "input bias disabled" combined with "pull up" or "pull down" states. Fixes: 805250982bb5 ("pinctrl: mediatek: add pinctrl-paris that implements the vendor dt-bindings") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308100956.2750295-3-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 72ea0fefea18b8b0e1309187098d4ec74bc057ac Author: Miaoqian Lin Date: Tue Mar 8 07:11:54 2022 +0000 pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init [ Upstream commit dab4df9ca919f59e5b9dd84385eaf34d4f20dbb0 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: a6df410d420a ("pinctrl: mediatek: Add Pinctrl/GPIO driver for mt8135.") Signed-off-by: Miaoqian Lin Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308071155.21114-1-linmq006@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit fddbfe43bf072a5351c6393abb62c8e9f31d7352 Author: Arınç ÜNAL Date: Fri Mar 11 12:03:20 2022 +0300 staging: mt7621-dts: fix GB-PC2 devicetree [ Upstream commit 5bc148649cf358d0cccf525452a4efbd4bc89a0f ] Fix the GB-PC2 devicetree. Refer to the schematics of the device for more information. GB-PC2 devicetree fixes: - Include mt7621.dtsi instead of gbpc1.dts. Add the missing definitions. - Remove gpio-leds node as the system LED is not wired to anywhere on the board and the power LED is directly wired to GND. - Remove uart3 pin group from gpio-pinmux node as it's not used as GPIO. - Use reg 7 for the external phy to be on par with Documentation/devicetree/bindings/net/dsa/mt7530.txt. - Use the status value "okay". Link: https://github.com/ngiger/GnuBee_Docs/blob/master/GB-PCx/Documents/GB-PC2_V1.1_schematic.pdf Reviewed-by: Sergio Paracuellos Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20220311090320.3068-2-arinc.unal@arinc9.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 00e0739ca1263d19d4d2590e00848f18fc54be65 Author: Arınç ÜNAL Date: Tue Jan 25 18:39:03 2022 +0300 staging: mt7621-dts: fix pinctrl properties for ethernet [ Upstream commit 0a93c0d75809582893e82039143591b9265b520e ] Add pinctrl properties with rgmii1 & mdio pins under ethernet node which was wrongfully put under an external phy node. GMAC1 will start working with this fix. Link: https://lore.kernel.org/netdev/02ecce91-7aad-4392-c9d7-f45ca1b31e0b@arinc9.com/T/ Move GB-PC2 specific phy_external node to its own device tree. Reviewed-by: Sergio Paracuellos Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20220125153903.1469-5-arinc.unal@arinc9.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 47c31fe8ca78388fa10568a8f173235f50922327 Author: Arınç ÜNAL Date: Tue Jan 25 18:39:00 2022 +0300 staging: mt7621-dts: fix formatting [ Upstream commit 7eeec44d33f6be7caca4fe9ca4e653cf315a36c1 ] Fix formatting on mt7621.dtsi. Reviewed-by: Sergio Paracuellos Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20220125153903.1469-2-arinc.unal@arinc9.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 59ec187d7c08e8739cf675b7445075fb4d338dd0 Author: Arınç ÜNAL Date: Fri Mar 11 12:03:19 2022 +0300 staging: mt7621-dts: fix LEDs and pinctrl on GB-PC1 devicetree [ Upstream commit 6256e18686158fa49e019297f990f1c1817aabf1 ] Fix LED and pinctrl definitions on the GB-PC1 devicetree. Refer to the schematics of the device for more information. LED fixes: - Change GPIO6 LED label from system to power as GPIO6 is connected to PLED. - Add default-on default-trigger to power LED. - Change GPIO8 LED label from status to system as GPIO8 is connected to SYS_LED. - Add disk-activity default-trigger to system LED. - Switch to the color:function naming scheme. - Remove lan1 and lan2 LEDs as they don't exist. Pinctrl fixes: - Claim state_default node under pinctrl node. - Change pinctrl0 node name to state-default. - Change gpio node name to gpio-pinmux to respect Documentation/devicetree/bindings/pinctrl/ralink,rt2880-pinmux.yaml. - Sort pin groups alphabetically. Misc fixes: - Fix formatting. - Use the status value "okay". - Define hexadecimal addresses in lower case. - Make hexadecimal addresses for memory easier to read. Link: https://github.com/ngiger/GnuBee_Docs/blob/master/GB-PCx/Documents/GB-PC1_V1.0_Schematic.pdf Tested-by: Sergio Paracuellos Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20220311090320.3068-1-arinc.unal@arinc9.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 942f68bf2950b4057804eff1c636bc3f6c7625d4 Author: Alexey Khoroshilov Date: Tue Feb 15 13:17:04 2022 +0300 NFS: remove unneeded check in decode_devicenotify_args() [ Upstream commit cb8fac6d2727f79f211e745b16c9abbf4d8be652 ] [You don't often get email from khoroshilov@ispras.ru. Learn why this is important at http://aka.ms/LearnAboutSenderIdentification.] Overflow check in not needed anymore after we switch to kmalloc_array(). Signed-off-by: Alexey Khoroshilov Fixes: a4f743a6bb20 ("NFSv4.1: Convert open-coded array allocation calls to kmalloc_array()") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit e025c66387204945b2f2f9fbc3a91095cc6da3a2 Author: Miaoqian Lin Date: Wed Jan 12 10:45:01 2022 +0000 clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver [ Upstream commit 6d6ef58c2470da85a99119f74d34216c8074b9f0 ] The reference taken by 'of_find_device_by_node()' must be released when not needed anymore. Add the corresponding 'put_device()' in the error handling path. Fixes: 2db04f16b589 ("clk: tegra: Add EMC clock driver") Signed-off-by: Miaoqian Lin Acked-by: Thierry Reding Link: https://lore.kernel.org/r/20220112104501.30655-1-linmq006@gmail.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 54c8128297418099c812507520dbdd2f32f84c3e Author: Jonathan Neuschäfer Date: Fri Feb 18 01:09:20 2022 +0100 clk: clps711x: Terminate clk_div_table with sentinel element [ Upstream commit 8bed4ed5aa3431085d9d27afc35d684856460eda ] In order that the end of a clk_div_table can be detected, it must be terminated with a sentinel element (.div = 0). Fixes: 631c53478973d ("clk: Add CLPS711X clk driver") Signed-off-by: Jonathan Neuschäfer Link: https://lore.kernel.org/r/20220218000922.134857-5-j.neuschaefer@gmx.net Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 9ff533033d8e3e1823ee2e512cd466b8979d9fc1 Author: Jonathan Neuschäfer Date: Fri Feb 18 01:09:18 2022 +0100 clk: loongson1: Terminate clk_div_table with sentinel element [ Upstream commit 3eb00f89162e80083dfcaa842468b510462cfeaa ] In order that the end of a clk_div_table can be detected, it must be terminated with a sentinel element (.div = 0). Fixes: b4626a7f4892 ("CLK: Add Loongson1C clock support") Signed-off-by: Jonathan Neuschäfer Reviewed-by: Philippe Mathieu-Daudé Link: https://lore.kernel.org/r/20220218000922.134857-3-j.neuschaefer@gmx.net Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit bb680cabf2429cd2465c0f52cd9a152349f4f282 Author: Jonathan Neuschäfer Date: Fri Feb 18 01:09:17 2022 +0100 clk: actions: Terminate clk_div_table with sentinel element [ Upstream commit d8a441e53e2434b1401e52dfd66b05263e442edc ] In order that the end of a clk_div_table can be detected, it must be terminated with a sentinel element (.div = 0). In owl-s900.s, the { 0, 8 } element was probably meant to be just that, so this patch changes { 0, 8 } to { 0, 0 }. Fixes: d47317ca4ade1 ("clk: actions: Add S700 SoC clock support") Fixes: d85d20053e195 ("clk: actions: Add S900 SoC clock support") Signed-off-by: Jonathan Neuschäfer Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20220218000922.134857-2-j.neuschaefer@gmx.net Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 431f8a9cec07537050b59837f1111ff3f2609f0c Author: Dan Williams Date: Wed Mar 9 19:49:21 2022 -0800 nvdimm/region: Fix default alignment for small regions [ Upstream commit d9d290d7e659e9db3e4518040cc18b97f5535f4a ] In preparation for removing BLK aperture support the NVDIMM unit tests discovered that the default alignment can be set higher than the capacity of the region. Fall back to PAGE_SIZE in that case. Given this has not been seen in the wild, elide notifying -stable. Fixes: 2522afb86a8c ("libnvdimm/region: Introduce an 'align' attribute") Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/164688416128.2879318.17890707310125575258.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit f7210ca29a783c94478da02368731e4c9cf7cdb7 Author: Miaoqian Lin Date: Tue Mar 8 06:45:21 2022 +0000 remoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region [ Upstream commit 07a5dcc4bed9d7cae54adf5aa10ff9f037a3204b ] The device_node pointer is returned by of_parse_phandle() or of_get_child_by_name() with refcount incremented. We should use of_node_put() on it when done. This function only call of_node_put(node) when of_address_to_resource succeeds, missing error cases. Fixes: 278d744c46fd ("remoteproc: qcom: Fix potential device node leaks") Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5") Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220308064522.13804-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 7a494580a89b73662b1cfe2e3c1ee4bb8ff5b5d9 Author: Miaoqian Lin Date: Tue Mar 8 06:31:02 2022 +0000 remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region [ Upstream commit 8f90161a66bc3d6b9fe8dde4d9028d20eae1b62a ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: aed361adca9f ("remoteproc: qcom: Introduce WCNSS peripheral image loader") Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220308063102.10049-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 5c1d484d966115d3d27809a16241ea89519a78d5 Author: Miaoqian Lin Date: Tue Mar 8 03:12:19 2022 +0000 remoteproc: qcom: Fix missing of_node_put in adsp_alloc_memory_region [ Upstream commit 505b5b1616e200042999de715dbe7c1e2735cd65 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: dc160e449122 ("remoteproc: qcom: Introduce Non-PAS ADSP PIL driver") Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220308031219.4718-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit f95fd61dd85a86f15d431286d3c0297900fa51bd Author: Jie Hai Date: Wed Feb 16 15:21:01 2022 +0800 dmaengine: hisi_dma: fix MSI allocate fail when reload hisi_dma [ Upstream commit b95044b38425f563404234d96bbb20cc6360c7e1 ] Remove the loaded hisi_dma driver and reload it, the driver fails to work properly. The following error is reported in the kernel log: [ 1475.597609] hisi_dma 0000:7b:00.0: Failed to allocate MSI vectors! [ 1475.604915] hisi_dma: probe of 0000:7b:00.0 failed with error -28 As noted in "The MSI Driver Guide HOWTO"[1], the number of MSI interrupt must be a power of two. The Kunpeng DMA driver allocates 30 MSI interrupts. As a result, no space left on device is reported when the driver is reloaded and allocates interrupt vectors from the interrupt domain. This patch changes the number of interrupt vectors allocated by hisi_dma driver to 32 to avoid this problem. [1] https://www.kernel.org/doc/html/latest/PCI/msi-howto.html Fixes: e9f08b65250d ("dmaengine: hisilicon: Add Kunpeng DMA engine support") Signed-off-by: Jie Hai Acked-by: Zhou Wang Link: https://lore.kernel.org/r/20220216072101.34473-1-haijie1@huawei.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit d047d68ff0316502d1b79f15e990c510faf6591c Author: Taniya Das Date: Sun Feb 27 23:25:36 2022 +0530 clk: qcom: clk-rcg2: Update the frac table for pixel clock [ Upstream commit b527358cb4cd58a8279c9062b0786f1fab628fdc ] Support the new numerator and denominator for pixel clock on SM8350 and support rgb101010, RGB888 use cases on SM8450. Fixes: 99cbd064b059f ("clk: qcom: Support display RCG clocks") Signed-off-by: Taniya Das Reviewed-by: Stephen Boyd Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220227175536.3131-2-tdas@codeaurora.org Signed-off-by: Sasha Levin commit 334720f418f57b1d969dad2117b21f9388cb9395 Author: Taniya Das Date: Sun Feb 27 23:25:35 2022 +0530 clk: qcom: clk-rcg2: Update logic to calculate D value for RCG [ Upstream commit 58922910add18583d5273c2edcdb9fd7bf4eca02 ] The display pixel clock has a requirement on certain newer platforms to support M/N as (2/3) and the final D value calculated results in underflow errors. As the current implementation does not check for D value is within the accepted range for a given M & N value. Update the logic to calculate the final D value based on the range. Fixes: 99cbd064b059f ("clk: qcom: Support display RCG clocks") Signed-off-by: Taniya Das Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220227175536.3131-1-tdas@codeaurora.org Signed-off-by: Sasha Levin commit 639744b2429f01c977e4d3771768d9f0e2617868 Author: Codrin Ciubotariu Date: Fri Mar 4 20:26:16 2022 +0200 clk: at91: sama7g5: fix parents of PDMCs' GCLK [ Upstream commit 1a944729d8635fa59638f24e8727d5ccaa0c8c19 ] Audio PLL can be used as parent by the GCLKs of PDMCs. Fixes: cb783bbbcf54 ("clk: at91: sama7g5: add clock support for sama7g5") Signed-off-by: Codrin Ciubotariu Reviewed-by: Claudiu Beznea Signed-off-by: Nicolas Ferre Link: https://lore.kernel.org/r/20220304182616.1920392-1-codrin.ciubotariu@microchip.com Signed-off-by: Sasha Levin commit 0553ecbce95e063679d257b9759bf9193bcd2f54 Author: Abel Vesa Date: Thu Jan 27 16:10:52 2022 +0200 clk: imx7d: Remove audio_mclk_root_clk [ Upstream commit eccac77ede3946c90143447cdc785dc16aec4b24 ] The audio_mclk_root_clk was added as a gate with the CCGR121 (0x4790), but according to the reference manual, there is no such gate. The CCGR121 belongs to ECSPI2 and it is not shared. Fixes: 8f6d8094b215b57 ("ARM: imx: add imx7d clk tree support") Reported-by: David Wolfe Signed-off-by: Abel Vesa Reviewed-by: Peng Fan Link: https://lore.kernel.org/r/20220127141052.1900174-2-abel.vesa@nxp.com Signed-off-by: Sasha Levin commit 867258d3f37da1ef2023d9857b0af533e745e050 Author: Randy Dunlap Date: Mon Feb 28 14:04:53 2022 -0800 dma-debug: fix return value of __setup handlers [ Upstream commit 80e4390981618e290616dbd06ea190d4576f219d ] When valid kernel command line parameters dma_debug=off dma_debug_entries=100 are used, they are reported as Unknown parameters and added to init's environment strings, polluting it. Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc5 dma_debug=off dma_debug_entries=100", will be passed to user space. and Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc5 dma_debug=off dma_debug_entries=100 Return 1 from these __setup handlers to indicate that the command line option has been handled. Fixes: 59d3daafa1726 ("dma-debug: add kernel command line parameters") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: Joerg Roedel Cc: Christoph Hellwig Cc: Marek Szyprowski Cc: iommu@lists.linux-foundation.org Cc: Robin Murphy Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 2f3885514e410a90123ee3b81b11529eb81efcea Author: Trond Myklebust Date: Thu Feb 24 10:59:37 2022 -0500 NFS: Return valid errors from nfs2/3_decode_dirent() [ Upstream commit 64cfca85bacde54caa64e0ab855c48734894fa37 ] Valid return values for decode_dirent() callback functions are: 0: Success -EBADCOOKIE: End of directory -EAGAIN: End of xdr_stream All errors need to map into one of those three values. Fixes: 573c4e1ef53a ("NFS: Simplify ->decode_dirent() calling sequence") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 7b59afe84ad916906beb0ec7eb04918260d1c552 Author: Jiasheng Jiang Date: Thu Feb 24 14:58:05 2022 +0800 habanalabs: Add check for pci_enable_device [ Upstream commit 9c27896ac1bb83ea5c461ce6f7089d02102a2b21 ] As the potential failure of the pci_enable_device(), it should be better to check the return value and return error if fails. Fixes: 70b2f993ea4a ("habanalabs: create common folder") Signed-off-by: Jiasheng Jiang Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit afcbc6375233d3b25cdf1bd60072df851b918bce Author: Jiasheng Jiang Date: Thu Feb 24 14:28:49 2022 +0800 iio: adc: Add check for devm_request_threaded_irq [ Upstream commit b30537a4cedcacf0ade2f33ebb7610178ed1e7d7 ] As the potential failure of the devm_request_threaded_irq(), it should be better to check the return value and return error if fails. Fixes: fa659a40b80b ("iio: adc: twl6030-gpadc: Use devm_* API family") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220224062849.3280966-1-jiasheng@iscas.ac.cn Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit df2dc4cf71fa9bfc25115e69c41be97890aa1ece Author: Uwe Kleine-König Date: Tue Feb 15 17:02:36 2022 +0100 serial: 8250: Fix race condition in RTS-after-send handling [ Upstream commit dedab69fd650ea74710b2e626e63fd35584ef773 ] Set em485->active_timer = NULL isn't always enough to take out the stop timer. While there is a check that it acts in the right state (i.e. waiting for RTS-after-send to pass after sending some chars) but the following might happen: - CPU1: some chars send, shifter becomes empty, stop tx timer armed - CPU0: more chars send before RTS-after-send expired - CPU0: shifter empty irq, port lock taken - CPU1: tx timer triggers, waits for port lock - CPU0: em485->active_timer = &em485->stop_tx_timer, hrtimer_start(), releases lock() - CPU1: get lock, see em485->active_timer == &em485->stop_tx_timer, tear down RTS too early This fix bases on research done by Steffen Trumtrar. Fixes: b86f86e8e7c5 ("serial: 8250: fix potential deadlock in rs485-mode") Signed-off-by: Uwe Kleine-König Link: https://lore.kernel.org/r/20220215160236.344236-1-u.kleine-koenig@pengutronix.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 469ce5119f221ecf09549d0fadf340344df0309e Author: Trond Myklebust Date: Tue Feb 15 15:58:38 2022 -0500 NFS: Use of mapping_set_error() results in spurious errors [ Upstream commit 6c984083ec2453dfd3fcf98f392f34500c73e3f2 ] The use of mapping_set_error() in conjunction with calls to filemap_check_errors() is problematic because every error gets reported as either an EIO or an ENOSPC by filemap_check_errors() in functions such as filemap_write_and_wait() or filemap_write_and_wait_range(). In almost all cases, we prefer to use the more nuanced wb errors. Fixes: b8946d7bfb94 ("NFS: Revalidate the file mapping on all fatal writeback errors") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 659fe4d653a2d628a22d3b560e33b581e6b63625 Author: Andy Shevchenko Date: Wed Feb 23 17:12:40 2022 +0200 serial: 8250_lpss: Balance reference count for PCI DMA device [ Upstream commit 5318f70da7e82649d794fc27d8a127c22aa3566e ] The pci_get_slot() increases its reference count, the caller must decrement the reference count by calling pci_dev_put(). Fixes: 9a1870ce812e ("serial: 8250: don't use slave_id of dma_slave_config") Depends-on: a13e19cf3dc1 ("serial: 8250_lpss: split LPSS driver to separate module") Reported-by: Qing Wang Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220223151240.70248-1-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 0aebb3944ab1a4f74f3e3e4427f0eb5837d3489c Author: Andy Shevchenko Date: Tue Feb 15 12:09:20 2022 +0200 serial: 8250_mid: Balance reference count for PCI DMA device [ Upstream commit 67ec6dd0b257bd81b4e9fcac89b29da72f6265e5 ] The pci_get_slot() increases its reference count, the caller must decrement the reference count by calling pci_dev_put(). Fixes: 90b9aacf912a ("serial: 8250_pci: add Intel Tangier support") Fixes: f549e94effa1 ("serial: 8250_pci: add Intel Penwell ports") Reported-by: Qing Wang Signed-off-by: Andy Shevchenko Depends-on: d9eda9bab237 ("serial: 8250_pci: Intel MID UART support to its own driver") Link: https://lore.kernel.org/r/20220215100920.41984-1-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c92bd51313bf91f721087052290d782c9d0666d4 Author: Liu Ying Date: Wed Feb 16 15:12:57 2022 +0800 phy: dphy: Correct lpx parameter and its derivatives(ta_{get,go,sure}) [ Upstream commit 3153fa38e38af566cf6454a03b1dbadaf6f323c0 ] According to the comment of the function phy_mipi_dphy_get_default_config(), it uses minimum D-PHY timings based on MIPI D-PHY specification. They are derived from the valid ranges specified in Section 6.9, Table 14, Page 41 of the D-PHY specification (v1.2). The table 14 explicitly mentions that the minimum T-LPX parameter is 50 nanoseconds and the minimum TA-SURE parameter is T-LPX nanoseconds. Likewise, the kernel doc of the 'lpx' and 'ta_sure' members of struct phy_configure_opts_mipi_dphy mentions that the minimum values are 50000 picoseconds and @lpx picoseconds respectively. Also, the function phy_mipi_dphy_config_validate() checks if cfg->lpx is less than 50000 picoseconds and if cfg->ta_sure is less than cfg->lpx, which hints the same minimum values. Without this patch, the function phy_mipi_dphy_get_default_config() wrongly sets cfg->lpx to 60000 picoseconds and cfg->ta_sure to 2 * cfg->lpx. So, let's correct them to 50000 picoseconds and cfg->lpx respectively. Note that I've only tested the patch with RM67191 DSI panel on i.MX8mq EVK. Help is needed to test with other i.MX8mq, Meson and Rockchip platforms, as I don't have the hardwares. Fixes: dddc97e82303 ("phy: dphy: Add configuration helpers") Cc: Andrzej Hajda Cc: Neil Armstrong Cc: Laurent Pinchart Cc: Kishon Vijay Abraham I Cc: Vinod Koul Cc: Heiko Stuebner Cc: Maxime Ripard Cc: Guido Günther Signed-off-by: Liu Ying Link: https://lore.kernel.org/r/20220216071257.1647703-1-victor.liu@nxp.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 80805f555e22baf5245204fff428974711537364 Author: Dirk Buchwalder Date: Thu Feb 10 18:31:00 2022 +0100 clk: qcom: ipq8074: Use floor ops for SDCC1 clock [ Upstream commit b77d8306d84f83d1da68028a68c91da9c867b6f6 ] Use floor ops on SDCC1 APPS clock in order to round down selected clock frequency and avoid overclocking SD/eMMC cards. For example, currently HS200 cards were failling tuning as they were actually being clocked at 384MHz instead of 192MHz. This caused some boards to disable 1.8V I/O and force the eMMC into the standard HS mode (50MHz) and that appeared to work despite the eMMC being overclocked to 96Mhz in that case. There was a previous commit to use floor ops on SDCC clocks, but it looks to have only covered SDCC2 clock. Fixes: 9607f6224b39 ("clk: qcom: ipq8074: add PCIE, USB and SDCC clocks") Signed-off-by: Dirk Buchwalder Signed-off-by: Robert Marko Reviewed-by: Stephen Boyd Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220210173100.505128-1-robimarko@gmail.com Signed-off-by: Sasha Levin commit fd2601e3665e642d0887243e0fbe7bad69a088a6 Author: Geert Uytterhoeven Date: Mon Feb 21 17:21:58 2022 +0100 pinctrl: renesas: checker: Fix miscalculation of number of states [ Upstream commit de9b861018d46af27a5edff8b6baef35c0c0ad4f ] The checker failed to validate all enum IDs in the description of a register with fixed-width register fields, due to a miscalculation of the number of described states: each register field of n bits can have "1 << n" possible states, not "1". Increase SH_PFC_MAX_ENUMS accordingly, now more enum IDs are checked (SH-Mobile AG5 has more than 4000 enum IDs defined). Fixes: 12d057bad683b1c6 ("pinctrl: sh-pfc: checker: Add check for enum ID conflicts") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/6d8a6a05564f38f9d20464c1c17f96e52740cf6a.1645460429.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit c5cf977515b5b59dc82b5c0206244d2c73ee4683 Author: Geert Uytterhoeven Date: Thu Dec 23 15:41:11 2021 +0100 pinctrl: renesas: r8a77470: Reduce size for narrow VIN1 channel [ Upstream commit 9e04a0eda84fccab0ac22a33825ad53f47c968c7 ] The second video-in channel on RZ/G1C has only 12 data lanes, but the pin control driver uses the vin_data union, which is meant for 24 data lanes, thus wasting space. Fix this by using the vin_data12 union instead. This reduces kernel size by 96 bytes. Fixes: 50f3f2d73e3426ba ("pinctrl: sh-pfc: Reduce kernel size for narrow VIN channels") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/52716fa89139f6f92592633edb52804d4c5e18f0.1640269757.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit b5db33a81ee7acf557dabf03ada137e6e5d5a278 Author: Jonathan Cameron Date: Sun Feb 6 19:03:09 2022 +0000 staging:iio:adc:ad7280a: Fix handing of device address bit reversing. [ Upstream commit f281e4ddbbc0b60f061bc18a2834e9363ba85f9f ] The bit reversal was wrong for bits 1 and 3 of the 5 bits. Result is driver failure to probe if you have more than 2 daisy-chained devices. Discovered via QEMU based device emulation. Fixes tag is for when this moved from a macro to a function, but it was broken before that. Signed-off-by: Jonathan Cameron Fixes: 065a7c0b1fec ("Staging: iio: adc: ad7280a.c: Fixed Macro argument reuse") Reviewed-by: Marcelo Schmitt Link: https://lore.kernel.org/r/20220206190328.333093-2-jic23@kernel.org Signed-off-by: Sasha Levin commit f5b01abf5f6529936d2c7932f8567100faaae635 Author: Hans de Goede Date: Tue Feb 8 13:43:35 2022 +0100 iio: mma8452: Fix probe failing when an i2c_device_id is used [ Upstream commit a47ac019e7e8129b93a0b991e04b2a59872e053d ] The mma8452_driver declares both of_match_table and i2c_driver.id_table match-tables, but its probe() function only checked for of matches. Add support for i2c_device_id matches. This fixes the driver not loading on some x86 tablets (e.g. the Nextbook Ares 8) where the i2c_client is instantiated by platform code using an i2c_device_id. Drop of_match_ptr() protection to avoid unused warning. Fixes: c3cdd6e48e35 ("iio: mma8452: refactor for seperating chip specific data") Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20220208124336.511884-1-hdegoede@redhat.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 8b89c9e68a01a19a1dd689a42aa65d545e931899 Author: Robert Marko Date: Mon Dec 20 12:41:19 2021 +0100 clk: qcom: ipq8074: fix PCI-E clock oops [ Upstream commit bf8f5182b8f59309809b41c1d1730ed9ca6134b1 ] Fix PCI-E clock related kernel oops that are caused by a missing clock parent. pcie0_rchng_clk_src has num_parents set to 2 but only one parent is actually set via parent_hws, it should also have "XO" defined. This will cause the kernel to panic on a NULL pointer in clk_core_get_parent_by_index(). So, to fix this utilize clk_parent_data to provide gcc_xo_gpll0 parent data. Since there is already an existing static const char * const gcc_xo_gpll0[] used to provide the same parents via parent_names convert those users to clk_parent_data as well. Without this earlycon is needed to even catch the OOPS as it will reset the board before serial is initialized with the following: [ 0.232279] Unable to handle kernel paging request at virtual address 0000a00000000000 [ 0.232322] Mem abort info: [ 0.239094] ESR = 0x96000004 [ 0.241778] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.244908] SET = 0, FnV = 0 [ 0.250377] EA = 0, S1PTW = 0 [ 0.253236] FSC = 0x04: level 0 translation fault [ 0.256277] Data abort info: [ 0.261141] ISV = 0, ISS = 0x00000004 [ 0.264262] CM = 0, WnR = 0 [ 0.267820] [0000a00000000000] address between user and kernel address ranges [ 0.270954] Internal error: Oops: 96000004 [#1] SMP [ 0.278067] Modules linked in: [ 0.282751] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.15.10 #0 [ 0.285882] Hardware name: Xiaomi AX3600 (DT) [ 0.292043] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 0.296299] pc : clk_core_get_parent_by_index+0x68/0xec [ 0.303067] lr : __clk_register+0x1d8/0x820 [ 0.308273] sp : ffffffc01111b7d0 [ 0.312438] x29: ffffffc01111b7d0 x28: 0000000000000000 x27: 0000000000000040 [ 0.315919] x26: 0000000000000002 x25: 0000000000000000 x24: ffffff8000308800 [ 0.323037] x23: ffffff8000308850 x22: ffffff8000308880 x21: ffffff8000308828 [ 0.330155] x20: 0000000000000028 x19: ffffff8000309700 x18: 0000000000000020 [ 0.337272] x17: 000000005cc86990 x16: 0000000000000004 x15: ffffff80001d9d0a [ 0.344391] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000006 [ 0.351508] x11: 0000000000000003 x10: 0101010101010101 x9 : 0000000000000000 [ 0.358626] x8 : 7f7f7f7f7f7f7f7f x7 : 6468626f5e626266 x6 : 17000a3a403c1b06 [ 0.365744] x5 : 061b3c403a0a0017 x4 : 0000000000000000 x3 : 0000000000000001 [ 0.372863] x2 : 0000a00000000000 x1 : 0000000000000001 x0 : ffffff8000309700 [ 0.379982] Call trace: [ 0.387091] clk_core_get_parent_by_index+0x68/0xec [ 0.389351] __clk_register+0x1d8/0x820 [ 0.394210] devm_clk_hw_register+0x5c/0xe0 [ 0.398030] devm_clk_register_regmap+0x44/0x8c [ 0.402198] qcom_cc_really_probe+0x17c/0x1d0 [ 0.406711] qcom_cc_probe+0x34/0x44 [ 0.411224] gcc_ipq8074_probe+0x18/0x30 [ 0.414869] platform_probe+0x68/0xe0 [ 0.418776] really_probe.part.0+0x9c/0x30c [ 0.422336] __driver_probe_device+0x98/0x144 [ 0.426329] driver_probe_device+0x44/0x11c [ 0.430842] __device_attach_driver+0xb4/0x120 [ 0.434836] bus_for_each_drv+0x68/0xb0 [ 0.439349] __device_attach+0xb0/0x170 [ 0.443081] device_initial_probe+0x14/0x20 [ 0.446901] bus_probe_device+0x9c/0xa4 [ 0.451067] device_add+0x35c/0x834 [ 0.454886] of_device_add+0x54/0x64 [ 0.458360] of_platform_device_create_pdata+0xc0/0x100 [ 0.462181] of_platform_bus_create+0x114/0x370 [ 0.467128] of_platform_bus_create+0x15c/0x370 [ 0.471641] of_platform_populate+0x50/0xcc [ 0.476155] of_platform_default_populate_init+0xa8/0xc8 [ 0.480324] do_one_initcall+0x50/0x1b0 [ 0.485877] kernel_init_freeable+0x234/0x29c [ 0.489436] kernel_init+0x24/0x120 [ 0.493948] ret_from_fork+0x10/0x20 [ 0.497253] Code: d50323bf d65f03c0 f94002a2 b4000302 (f9400042) [ 0.501079] ---[ end trace 4ca7e1129da2abce ]--- Fixes: f0cfcf1a ("clk: qcom: ipq8074: Add missing clocks for pcie") Signed-off-by: Robert Marko Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211220114119.465247-1-robimarko@gmail.com Signed-off-by: Sasha Levin commit a70d5dbe2e4ead2f9ddce9895ea3b08d76b4a3ff Author: Libin Yang Date: Wed Jan 26 09:14:51 2022 +0800 soundwire: intel: fix wrong register name in intel_shim_wake [ Upstream commit 3957db3ae3dae6f8b8168791f154567fe49e1fd7 ] When clearing the sdw wakests status, we should use SDW_SHIM_WAKESTS. Fixes: 4a17c441c7cb ("soundwire: intel: revisit SHIM programming sequences.") Signed-off-by: Libin Yang Reviewed-by: Pierre-Louis Bossart Reviewed-by: Rander Wang Signed-off-by: Bard Liao Link: https://lore.kernel.org/r/20220126011451.27853-1-yung-chuan.liao@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 091704a9a7f4611dae2f2332319bcf1e862d64a1 Author: Luca Weiss Date: Sun Jan 30 12:45:35 2022 +0100 cpufreq: qcom-cpufreq-nvmem: fix reading of PVS Valid fuse [ Upstream commit 4a8a77abf0e2b6468ba0281e33384cbec5fb476a ] The fuse consists of 64 bits, with this statement we're supposed to get the upper 32 bits but it actually read out of bounds and got 0 instead of the desired value which lead to the "PVS bin not set." codepath being run resetting our pvs value. Fixes: a8811ec764f9 ("cpufreq: qcom: Add support for krait based socs") Signed-off-by: Luca Weiss Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit f90ad943221a59c6f795c42e2e794bca890b1189 Author: Christophe JAILLET Date: Sun Feb 6 09:39:54 2022 +0100 misc: alcor_pci: Fix an error handling path [ Upstream commit 5b3dc949f554379edcb8ef6111aa5ecb78feb798 ] A successful ida_simple_get() should be balanced by a corresponding ida_simple_remove(). Add the missing call in the error handling path of the probe. While at it, switch to ida_alloc()/ida_free() instead to ida_simple_get()/ida_simple_remove(). The latter is deprecated and more verbose. Fixes: 4f556bc04e3c ("misc: cardreader: add new Alcor Micro Cardreader PCI driver") Reviewed-by: Oleksij Rempel Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/918a9875b7f67b7f8f123c4446452603422e8c5e.1644136776.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 553541c4531ea6e6a69c9292a69ecb2e4c76d4b0 Author: Christophe JAILLET Date: Sun Jan 9 22:56:10 2022 +0100 fsi: Aspeed: Fix a potential double free [ Upstream commit 83ba7e895debc529803a7a258653f2fe9bf3bf40 ] A struct device can never be devm_alloc()'ed. Here, it is embedded in "struct fsi_master", and "struct fsi_master" is embedded in "struct fsi_master_aspeed". Since "struct device" is embedded, the data structure embedding it must be released with the release function, as is already done here. So use kzalloc() instead of devm_kzalloc() when allocating "aspeed" and update all error handling branches accordingly. This prevent a potential double free(). This also fix another issue if opb_readl() fails. Instead of a direct return, it now jumps in the error handling path. Fixes: 606397d67f41 ("fsi: Add ast2600 master driver") Suggested-by: Greg KH Suggested-by: Guenter Roeck Reviewed-by: Guenter Roeck Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/2c123f8b0a40dc1a061fae982169fe030b4f47e6.1641765339.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit cb212c3f0de7818cc0977e179707a079cbaab3d5 Author: Yangtao Li Date: Sat Dec 28 19:06:31 2019 +0000 fsi: aspeed: convert to devm_platform_ioremap_resource [ Upstream commit a3469912f4caeea32ecbe0bf472b14634fecb38e ] Use devm_platform_ioremap_resource() to simplify code. Signed-off-by: Yangtao Li Reviewed-by: Andrew Jeffery Link: https://lore.kernel.org/r/20191228190631.26777-1-tiny.windzz@gmail.com Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit c0b3c06414c39ef473a9274f173c3737ddb09d7b Author: Uwe Kleine-König Date: Wed Nov 10 09:49:48 2021 +0100 pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add() [ Upstream commit 0401f24cd238ae200a23a13925f98de3d2c883b8 ] When a driver calls pwmchip_add() it has to be prepared to immediately get its callbacks called. So move allocation of driver data and hardware initialization before the call to pwmchip_add(). This fixes a potential NULL pointer exception and a race condition on register writes. Fixes: 841e6f90bb78 ("pwm: NXP LPC18xx PWM/SCT driver") Signed-off-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 2cd05c38a27bee7fb42aa4d43174d68ac55dac0f Author: Jiri Slaby Date: Mon Jan 24 08:14:24 2022 +0100 mxser: fix xmit_buf leak in activate when LSR == 0xff [ Upstream commit cd3a4907ee334b40d7aa880c7ab310b154fd5cd4 ] When LSR is 0xff in ->activate() (rather unlike), we return an error. Provided ->shutdown() is not called when ->activate() fails, nothing actually frees the buffer in this case. Fix this by properly freeing the buffer in a designated label. We jump there also from the "!info->type" if now too. Fixes: 6769140d3047 ("tty: mxser: use the tty_port_open method") Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20220124071430.14907-6-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8513c93eadc6b1009de11033125b197bfe0ae3bd Author: Miaoqian Lin Date: Mon Mar 7 07:29:47 2022 +0000 mfd: asic3: Add missing iounmap() on error asic3_mfd_probe [ Upstream commit e84ee1a75f944a0fe3c277aaa10c426603d2b0bc ] Add the missing iounmap() before return from asic3_mfd_probe in the error handling case. Fixes: 64e8867ba809 ("mfd: tmio_mmc hardware abstraction for CNF area") Signed-off-by: Miaoqian Lin Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20220307072947.5369-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 084be6309f4f7d71cf7cbc4da6a6be513992b69f Author: Hoang Le Date: Mon Mar 21 11:22:29 2022 +0700 tipc: fix the timer expires after interval 100ms [ Upstream commit 6a7d8cff4a3301087dd139293e9bddcf63827282 ] In the timer callback function tipc_sk_timeout(), we're trying to reschedule another timeout to retransmit a setup request if destination link is congested. But we use the incorrect timeout value (msecs_to_jiffies(100)) instead of (jiffies + msecs_to_jiffies(100)), so that the timer expires immediately, it's irrelevant for original description. In this commit we correct the timeout value in sk_reset_timer() Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket") Acked-by: Ying Xue Signed-off-by: Hoang Le Link: https://lore.kernel.org/r/20220321042229.314288-1-hoang.h.le@dektech.com.au Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 5d8162371ce80542f882aaec24fad8bfd9724f9b Author: Aaron Conole Date: Fri Mar 18 08:43:19 2022 -0400 openvswitch: always update flow key after nat [ Upstream commit 60b44ca6bd7518dd38fa2719bc9240378b6172c3 ] During NAT, a tuple collision may occur. When this happens, openvswitch will make a second pass through NAT which will perform additional packet modification. This will update the skb data, but not the flow key that OVS uses. This means that future flow lookups, and packet matches will have incorrect data. This has been supported since 5d50aa83e2c8 ("openvswitch: support asymmetric conntrack"). That commit failed to properly update the sw_flow_key attributes, since it only called the ovs_ct_nat_update_key once, rather than each time ovs_ct_nat_execute was called. As these two operations are linked, the ovs_ct_nat_execute() function should always make sure that the sw_flow_key is updated after a successful call through NAT infrastructure. Fixes: 5d50aa83e2c8 ("openvswitch: support asymmetric conntrack") Cc: Dumitru Ceara Cc: Numan Siddique Signed-off-by: Aaron Conole Acked-by: Eelco Chaudron Link: https://lore.kernel.org/r/20220318124319.3056455-1-aconole@redhat.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 4593c76a659d75d5c6bf2dbecefe01d24a2cb3e1 Author: Jakub Kicinski Date: Mon Mar 21 09:59:57 2022 -0700 tcp: ensure PMTU updates are processed during fastopen [ Upstream commit ed0c99dc0f499ff8b6e75b5ae6092ab42be1ad39 ] tp->rx_opt.mss_clamp is not populated, yet, during TFO send so we rise it to the local MSS. tp->mss_cache is not updated, however: tcp_v6_connect(): tp->rx_opt.mss_clamp = IPV6_MIN_MTU - headers; tcp_connect(): tcp_connect_init(): tp->mss_cache = min(mtu, tp->rx_opt.mss_clamp) tcp_send_syn_data(): tp->rx_opt.mss_clamp = tp->advmss After recent fixes to ICMPv6 PTB handling we started dropping PMTU updates higher than tp->mss_cache. Because of the stale tp->mss_cache value PMTU updates during TFO are always dropped. Thanks to Wei for helping zero in on the problem and the fix! Fixes: c7bb4b89033b ("ipv6: tcp: drop silly ICMPv6 packet too big messages") Reported-by: Andre Nash Reported-by: Neil Spring Reviewed-by: Wei Wang Acked-by: Yuchung Cheng Acked-by: Martin KaFai Lau Signed-off-by: Jakub Kicinski Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/20220321165957.1769954-1-kuba@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit b26091a02093104259ca64aeca73601e56160d62 Author: Jeremy Linton Date: Wed Mar 9 22:53:58 2022 -0600 net: bcmgenet: Use stronger register read/writes to assure ordering [ Upstream commit 8d3ea3d402db94b61075617e71b67459a714a502 ] GCC12 appears to be much smarter about its dependency tracking and is aware that the relaxed variants are just normal loads and stores and this is causing problems like: [ 210.074549] ------------[ cut here ]------------ [ 210.079223] NETDEV WATCHDOG: enabcm6e4ei0 (bcmgenet): transmit queue 1 timed out [ 210.086717] WARNING: CPU: 1 PID: 0 at net/sched/sch_generic.c:529 dev_watchdog+0x234/0x240 [ 210.095044] Modules linked in: genet(E) nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat] [ 210.146561] ACPI CPPC: PCC check channel failed for ss: 0. ret=-110 [ 210.146927] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G E 5.17.0-rc7G12+ #58 [ 210.153226] CPPC Cpufreq:cppc_scale_freq_workfn: failed to read perf counters [ 210.161349] Hardware name: Raspberry Pi Foundation Raspberry Pi 4 Model B/Raspberry Pi 4 Model B, BIOS EDK2-DEV 02/08/2022 [ 210.161353] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 210.161358] pc : dev_watchdog+0x234/0x240 [ 210.161364] lr : dev_watchdog+0x234/0x240 [ 210.161368] sp : ffff8000080a3a40 [ 210.161370] x29: ffff8000080a3a40 x28: ffffcd425af87000 x27: ffff8000080a3b20 [ 210.205150] x26: ffffcd425aa00000 x25: 0000000000000001 x24: ffffcd425af8ec08 [ 210.212321] x23: 0000000000000100 x22: ffffcd425af87000 x21: ffff55b142688000 [ 210.219491] x20: 0000000000000001 x19: ffff55b1426884c8 x18: ffffffffffffffff [ 210.226661] x17: 64656d6974203120 x16: 0000000000000001 x15: 6d736e617274203a [ 210.233831] x14: 2974656e65676d63 x13: ffffcd4259c300d8 x12: ffffcd425b07d5f0 [ 210.241001] x11: 00000000ffffffff x10: ffffcd425b07d5f0 x9 : ffffcd4258bdad9c [ 210.248171] x8 : 00000000ffffdfff x7 : 000000000000003f x6 : 0000000000000000 [ 210.255341] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000001000 [ 210.262511] x2 : 0000000000001000 x1 : 0000000000000005 x0 : 0000000000000044 [ 210.269682] Call trace: [ 210.272133] dev_watchdog+0x234/0x240 [ 210.275811] call_timer_fn+0x3c/0x15c [ 210.279489] __run_timers.part.0+0x288/0x310 [ 210.283777] run_timer_softirq+0x48/0x80 [ 210.287716] __do_softirq+0x128/0x360 [ 210.291392] __irq_exit_rcu+0x138/0x140 [ 210.295243] irq_exit_rcu+0x1c/0x30 [ 210.298745] el1_interrupt+0x38/0x54 [ 210.302334] el1h_64_irq_handler+0x18/0x24 [ 210.306445] el1h_64_irq+0x7c/0x80 [ 210.309857] arch_cpu_idle+0x18/0x2c [ 210.313445] default_idle_call+0x4c/0x140 [ 210.317470] cpuidle_idle_call+0x14c/0x1a0 [ 210.321584] do_idle+0xb0/0x100 [ 210.324737] cpu_startup_entry+0x30/0x8c [ 210.328675] secondary_start_kernel+0xe4/0x110 [ 210.333138] __secondary_switched+0x94/0x98 The assumption when these were relaxed seems to be that device memory would be mapped non reordering, and that other constructs (spinlocks/etc) would provide the barriers to assure that packet data and in memory rings/queues were ordered with respect to device register reads/writes. This itself seems a bit sketchy, but the real problem with GCC12 is that it is moving the actual reads/writes around at will as though they were independent operations when in truth they are not, but the compiler can't know that. When looking at the assembly dumps for many of these routines its possible to see very clean, but not strictly in program order operations occurring as the compiler would be free to do if these weren't actually register reads/write operations. Its possible to suppress the timeout with a liberal bit of dma_mb()'s sprinkled around but the device still seems unable to reliably send/receive data. A better plan is to use the safer readl/writel everywhere. Since this partially reverts an older commit, which notes the use of the relaxed variants for performance reasons. I would suggest that any performance problems with this commit are targeted at relaxing only the performance critical code paths after assuring proper barriers. Fixes: 69d2ea9c79898 ("net: bcmgenet: Use correct I/O accessors") Reported-by: Peter Robinson Signed-off-by: Jeremy Linton Acked-by: Peter Robinson Tested-by: Peter Robinson Acked-by: Florian Fainelli Link: https://lore.kernel.org/r/20220310045358.224350-1-jeremy.linton@arm.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 9088614323f036a82f10aee0aec9e64304d6d427 Author: Bjorn Helgaas Date: Mon Mar 21 13:34:46 2022 -0500 PCI: Avoid broken MSI on SB600 USB devices [ Upstream commit 63cd736f449445edcd7f0bcc7d84453e9beec0aa ] Some ATI SB600 USB adapters advertise MSI, but if INTx is disabled by setting PCI_COMMAND_INTX_DISABLE, MSI doesn't work either. The PCI/PCIe specs do not require software to set PCI_COMMAND_INTX_DISABLE when enabling MSI, but Linux has done that for many years. Mick reported that 306c54d0edb6 ("usb: hcd: Try MSI interrupts on PCI devices") broke these devices. Prior to 306c54d0edb6, they used INTx. Starting with 306c54d0edb6, they use MSI, and and the fact that Linux sets PCI_COMMAND_INTX_DISABLE means both INTx and MSI are disabled on these devices. Avoid this SB600 defect by disabling MSI so we use INTx as before. Fixes: 306c54d0edb6 ("usb: hcd: Try MSI interrupts on PCI devices") Link: https://lore.kernel.org/r/20220321183446.1108325-1-helgaas@kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=215690 Link: https://lore.kernel.org/all/PxIByDyBRcsbpcmVhGSNDFAoUcMmb78ctXCkw6fbpx25TGlCHvA6SJjjFkNr1FfQZMntYPTNyvEnblxzAZ8a6jP9ddLpKeCN6Chi_2FuexU=@protonmail.com/ Link: https://lore.kernel.org/r/20220314101448.90074-1-andriy.shevchenko@linux.intel.com BugLink: https://lore.kernel.org/all/20200702143045.23429-1-andriy.shevchenko@linux.intel.com/ Reported-by: Mick Lorain Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 75a4a97b7463029d95acb422d630a53ee3ff28f3 Author: Hangbin Liu Date: Mon Mar 21 10:41:49 2022 +0800 selftests/bpf/test_lirc_mode2.sh: Exit with proper code [ Upstream commit ec80906b0fbd7be11e3e960813b977b1ffe5f8fe ] When test_lirc_mode2_user exec failed, the test report failed but still exit with 0. Fix it by exiting with an error code. Another issue is for the LIRCDEV checking. With bash -n, we need to quote the variable, or it will always be true. So if test_lirc_mode2_user was not run, just exit with skip code. Fixes: 6bdd533cee9a ("bpf: add selftest for lirc_mode2 type program") Signed-off-by: Hangbin Liu Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220321024149.157861-1-liuhangbin@gmail.com Signed-off-by: Sasha Levin commit 0d3ad6142a05a3e0de5ff71438dd087ea0775266 Author: Peter Rosin Date: Wed Mar 2 12:22:35 2022 +0100 i2c: mux: demux-pinctrl: do not deactivate a master that is not active [ Upstream commit 1a22aabf20adf89cb216f566913196128766f25b ] Attempting to rollback the activation of the current master when the current master has not been activated is bad. priv->cur_chan and priv->cur_adap are both still zeroed out and the rollback may result in attempts to revert an of changeset that has not been applied and do result in calls to both del and put the zeroed out i2c_adapter. Maybe it crashes, or whatever, but it's bad in any case. Fixes: e9d1a0a41d44 ("i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()'") Signed-off-by: Peter Rosin Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit c483f8002d17dcac65284b920026cf544f022762 Author: Lucas Tanure Date: Tue Mar 1 07:26:00 2022 +0000 i2c: meson: Fix wrong speed use from probe [ Upstream commit cb13aa16f34f794a9cee2626862af8a95f0f0ee9 ] Having meson_i2c_set_clk_div after i2c_add_adapter causes issues for client drivers that try to use the bus before the requested speed is applied. The bus can be used just after i2c_add_adapter, so move i2c_add_adapter to the final step as meson_i2c_set_clk_div needs to be called before the bus is used. Fixes: 09af1c2fa490 ("i2c: meson: set clock divider in probe instead of setting it for each transfer") Signed-off-by: Lucas Tanure Reviewed-by: Neil Armstrong Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit b0898362188e05b2202656058cc32d98fabf3bac Author: Petr Machata Date: Thu Mar 17 15:53:06 2022 +0100 af_netlink: Fix shift out of bounds in group mask calculation [ Upstream commit 0caf6d9922192dd1afa8dc2131abfb4df1443b9f ] When a netlink message is received, netlink_recvmsg() fills in the address of the sender. One of the fields is the 32-bit bitfield nl_groups, which carries the multicast group on which the message was received. The least significant bit corresponds to group 1, and therefore the highest group that the field can represent is 32. Above that, the UB sanitizer flags the out-of-bounds shift attempts. Which bits end up being set in such case is implementation defined, but it's either going to be a wrong non-zero value, or zero, which is at least not misleading. Make the latter choice deterministic by always setting to 0 for higher-numbered multicast groups. To get information about membership in groups >= 32, userspace is expected to use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO socket option. [0] https://lwn.net/Articles/147608/ The way to trigger this issue is e.g. through monitoring the BRVLAN group: # bridge monitor vlan & # ip link add name br type bridge Which produces the following citation: UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19 shift exponent 32 is too large for 32-bit type 'int' Fixes: f7fa9b10edbb ("[NETLINK]: Support dynamic number of multicast groups per netlink family") Signed-off-by: Petr Machata Reviewed-by: Ido Schimmel Link: https://lore.kernel.org/r/2bef6aabf201d1fc16cca139a744700cff9dcb04.1647527635.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 40f3b8dadae8e8509166e31198065bc8f6144ed2 Author: Guillaume Nault Date: Thu Mar 17 13:45:09 2022 +0100 ipv4: Fix route lookups when handling ICMP redirects and PMTU updates [ Upstream commit 544b4dd568e3b09c1ab38a759d3187e7abda11a0 ] The PMTU update and ICMP redirect helper functions initialise their fl4 variable with either __build_flow_key() or build_sk_flow_key(). These initialisation functions always set ->flowi4_scope with RT_SCOPE_UNIVERSE and might set the ECN bits of ->flowi4_tos. This is not a problem when the route lookup is later done via ip_route_output_key_hash(), which properly clears the ECN bits from ->flowi4_tos and initialises ->flowi4_scope based on the RTO_ONLINK flag. However, some helpers call fib_lookup() directly, without sanitising the tos and scope fields, so the route lookup can fail and, as a result, the ICMP redirect or PMTU update aren't taken into account. Fix this by extracting the ->flowi4_tos and ->flowi4_scope sanitisation code into ip_rt_fix_tos(), then use this function in handlers that call fib_lookup() directly. Note 1: We can't sanitise ->flowi4_tos and ->flowi4_scope in a central place (like __build_flow_key() or flowi4_init_output()), because ip_route_output_key_hash() expects non-sanitised values. When called with sanitised values, it can erroneously overwrite RT_SCOPE_LINK with RT_SCOPE_UNIVERSE in ->flowi4_scope. Therefore we have to be careful to sanitise the values only for those paths that don't call ip_route_output_key_hash(). Note 2: The problem is mostly about sanitising ->flowi4_tos. Having ->flowi4_scope initialised with RT_SCOPE_UNIVERSE instead of RT_SCOPE_LINK probably wasn't really a problem: sockets with the SOCK_LOCALROUTE flag set (those that'd result in RTO_ONLINK being set) normally shouldn't receive ICMP redirects or PMTU updates. Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions.") Signed-off-by: Guillaume Nault Reviewed-by: David Ahern Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 70a6cf749d9ff9f463490248322e5343199bc267 Author: Yake Yang Date: Thu Mar 17 07:15:19 2022 +0800 Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt [ Upstream commit b062a0b9c1dc1ff63094337dccfe1568d5b62023 ] Fix the following kernel oops in btmtksdio_interrrupt [ 14.339134] btmtksdio_interrupt+0x28/0x54 [ 14.339139] process_sdio_pending_irqs+0x68/0x1a0 [ 14.339144] sdio_irq_work+0x40/0x70 [ 14.339154] process_one_work+0x184/0x39c [ 14.339160] worker_thread+0x228/0x3e8 [ 14.339168] kthread+0x148/0x3ac [ 14.339176] ret_from_fork+0x10/0x30 That happened because hdev->power_on is already called before sdio_set_drvdata which btmtksdio_interrupt handler relies on is not properly set up. The details are shown as the below: hci_register_dev would run queue_work(hdev->req_workqueue, &hdev->power_on) as WQ_HIGHPRI workqueue_struct to complete the power-on sequeunce and thus hci_power_on may run before sdio_set_drvdata is done in btmtksdio_probe. The hci_dev_do_open in hci_power_on would initialize the device and enable the interrupt and thus it is possible that btmtksdio_interrupt is being called right before sdio_set_drvdata is filled out. When btmtksdio_interrupt is being called and sdio_set_drvdata is not filled , the kernel oops is going to happen because btmtksdio_interrupt access an uninitialized pointer. Fixes: 9aebfd4a2200 ("Bluetooth: mediatek: add support for MediaTek MT7663S and MT7668S SDIO devices") Reviewed-by: Mark Chen Co-developed-by: Sean Wang Signed-off-by: Sean Wang Signed-off-by: Yake Yang Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit b441fcdff2ebaab6611cc4f83938f343843d291c Author: Niels Dossche Date: Wed Mar 16 16:33:50 2022 +0100 Bluetooth: call hci_le_conn_failed with hdev lock in hci_le_conn_failed [ Upstream commit 9fa6b4cda3b414e990f008f45f9bcecbcb54d4d1 ] hci_le_conn_failed function's documentation says that the caller must hold hdev->lock. The only callsite that does not hold that lock is hci_le_conn_failed. The other 3 callsites hold the hdev->lock very locally. The solution is to hold the lock during the call to hci_le_conn_failed. Fixes: 3c857757ef6e ("Bluetooth: Add directed advertising support through connect()") Signed-off-by: Niels Dossche Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 876cfe1380c372b8715618470072ff6188b23a81 Author: Jakub Sitnicki Date: Thu Mar 17 12:39:17 2022 +0100 selftests/bpf: Fix error reporting from sock_fields programs [ Upstream commit a4c9fe0ed4a13e25e43fcd44d9f89bc19ba8fbb7 ] The helper macro that records an error in BPF programs that exercise sock fields access has been inadvertently broken by adaptation work that happened in commit b18c1f0aa477 ("bpf: selftest: Adapt sock_fields test to use skel and global variables"). BPF_NOEXIST flag cannot be used to update BPF_MAP_TYPE_ARRAY. The operation always fails with -EEXIST, which in turn means the error never gets recorded, and the checks for errors always pass. Revert the change in update flags. Fixes: b18c1f0aa477 ("bpf: selftest: Adapt sock_fields test to use skel and global variables") Signed-off-by: Jakub Sitnicki Signed-off-by: Daniel Borkmann Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20220317113920.1068535-2-jakub@cloudflare.com Signed-off-by: Sasha Levin commit ac1ec6f319c02faebce514d07c11d2cac939c078 Author: Hangbin Liu Date: Tue Mar 15 14:26:18 2022 +0800 bareudp: use ipv6_mod_enabled to check if IPv6 enabled [ Upstream commit e077ed58c243afc197bc2a2ba0e1ff61135e4ec2 ] bareudp_create_sock() use AF_INET6 by default if IPv6 CONFIG enabled. But if user start kernel with ipv6.disable=1, the bareudp sock will created failed, which cause the interface open failed even with ethertype ip. e.g. # ip link add bareudp1 type bareudp dstport 2 ethertype ip # ip link set bareudp1 up RTNETLINK answers: Address family not supported by protocol Fix it by using ipv6_mod_enabled() to check if IPv6 enabled. There is no need to check IS_ENABLED(CONFIG_IPV6) as ipv6_mod_enabled() will return false when CONFIG_IPV6 no enabled in include/linux/ipv6.h. Reported-by: Jianlin Shi Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.") Signed-off-by: Hangbin Liu Link: https://lore.kernel.org/r/20220315062618.156230-1-liuhangbin@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c037e135391c70d4a3304b5df012d404ad8d3d58 Author: Oliver Hartkopp Date: Wed Mar 16 17:42:58 2022 +0100 can: isotp: support MSG_TRUNC flag when reading from socket [ Upstream commit 42bf50a1795a1854d48717b7361dbdbce496b16b ] When providing the MSG_TRUNC flag via recvmsg() syscall the return value provides the real length of the packet or datagram, even when it was longer than the passed buffer. Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") Link: https://github.com/linux-can/can-utils/issues/347#issuecomment-1065932671 Link: https://lore.kernel.org/all/20220316164258.54155-3-socketcan@hartkopp.net Suggested-by: Derek Will Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit f402c498651993de361f349ac0cedb9f8622319f Author: Oliver Hartkopp Date: Wed Mar 16 17:42:57 2022 +0100 can: isotp: return -EADDRNOTAVAIL when reading from unbound socket [ Upstream commit 30ffd5332e06316bd69a654c06aa033872979b7c ] When reading from an unbound can-isotp socket the syscall blocked indefinitely. As unbound sockets (without given CAN address information) do not make sense anyway we directly return -EADDRNOTAVAIL on read() analogue to the known behavior from sendmsg(). Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") Link: https://github.com/linux-can/can-utils/issues/349 Link: https://lore.kernel.org/all/20220316164258.54155-2-socketcan@hartkopp.net Suggested-by: Derek Will Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 8a9d996d4edd1fb28dd87a82ec40740de847ce9b Author: Dan Carpenter Date: Fri Mar 4 10:35:04 2022 +0300 USB: storage: ums-realtek: fix error code in rts51x_read_mem() [ Upstream commit b07cabb8361dc692522538205552b1b9dab134be ] The rts51x_read_mem() function should return negative error codes. Currently if the kmalloc() fails it returns USB_STOR_TRANSPORT_ERROR (3) which is treated as success by the callers. Fixes: 065e60964e29 ("ums_realtek: do not use stack memory for DMA") Acked-by: Alan Stern Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20220304073504.GA26464@kili Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f9a666100955b3af5a083de2952bd1b2b4e3046a Author: Niklas Söderlund Date: Tue Mar 15 11:29:48 2022 +0100 samples/bpf, xdpsock: Fix race when running for fix duration of time [ Upstream commit 8fa42d78f6354bb96ad3a079dcbef528ca9fa9e0 ] When running xdpsock for a fix duration of time before terminating using --duration=, there is a race condition that may cause xdpsock to terminate immediately. When running for a fixed duration of time the check to determine when to terminate execution is in is_benchmark_done() and is being executed in the context of the poller thread, if (opt_duration > 0) { unsigned long dt = (get_nsecs() - start_time); if (dt >= opt_duration) benchmark_done = true; } However start_time is only set after the poller thread have been created. This leaves a small window when the poller thread is starting and calls is_benchmark_done() for the first time that start_time is not yet set. In that case start_time have its initial value of 0 and the duration check fails as it do not correlate correctly for the applications start time and immediately sets benchmark_done which in turn terminates the xdpsock application. Fix this by setting start_time before creating the poller thread. Fixes: d3f11b018f6c ("samples/bpf: xdpsock: Add duration option to specify how long to run") Signed-off-by: Niklas Söderlund Signed-off-by: Simon Horman Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220315102948.466436-1-niklas.soderlund@corigine.com Signed-off-by: Sasha Levin commit cd84ea3920aef936c559b63099ef0013ce6b2325 Author: Wang Yufen Date: Fri Mar 4 16:11:45 2022 +0800 bpf, sockmap: Fix double uncharge the mem of sk_msg [ Upstream commit 2486ab434b2c2a14e9237296db00b1e1b7ae3273 ] If tcp_bpf_sendmsg is running during a tear down operation, psock may be freed. tcp_bpf_sendmsg() tcp_bpf_send_verdict() sk_msg_return() tcp_bpf_sendmsg_redir() unlikely(!psock)) sk_msg_free() The mem of msg has been uncharged in tcp_bpf_send_verdict() by sk_msg_return(), and would be uncharged by sk_msg_free() again. When psock is null, we can simply returning an error code, this would then trigger the sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have the side effect of throwing an error up to user space. This would be a slight change in behavior from user side but would look the same as an error if the redirect on the socket threw an error. This issue can cause the following info: WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260 Call Trace: __sk_destruct+0x24/0x1f0 sk_psock_destroy+0x19b/0x1c0 process_one_work+0x1b3/0x3c0 worker_thread+0x30/0x350 ? process_one_work+0x3c0/0x3c0 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Wang Yufen Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220304081145.2037182-5-wangyufen@huawei.com Signed-off-by: Sasha Levin commit 7b812a369e6416ab06d83cdd39d8e3f752781dd0 Author: Wang Yufen Date: Fri Mar 4 16:11:44 2022 +0800 bpf, sockmap: Fix more uncharged while msg has more_data [ Upstream commit 84472b436e760ba439e1969a9e3c5ae7c86de39d ] In tcp_bpf_send_verdict(), if msg has more data after tcp_bpf_sendmsg_redir(): tcp_bpf_send_verdict() tosend = msg->sg.size //msg->sg.size = 22220 case __SK_REDIRECT: sk_msg_return() //uncharged msg->sg.size(22220) sk->sk_forward_alloc tcp_bpf_sendmsg_redir() //after tcp_bpf_sendmsg_redir, msg->sg.size=11000 goto more_data; tosend = msg->sg.size //msg->sg.size = 11000 case __SK_REDIRECT: sk_msg_return() //uncharged msg->sg.size(11000) to sk->sk_forward_alloc The msg->sg.size(11000) has been uncharged twice, to fix we can charge the remaining msg->sg.size before goto more data. This issue can cause the following info: WARNING: CPU: 0 PID: 9860 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0 Call Trace: inet_csk_destroy_sock+0x55/0x110 __tcp_close+0x279/0x470 tcp_close+0x1f/0x60 inet_release+0x3f/0x80 __sock_release+0x3d/0xb0 sock_close+0x11/0x20 __fput+0x92/0x250 task_work_run+0x6a/0xa0 do_exit+0x33b/0xb60 do_group_exit+0x2f/0xa0 get_signal+0xb6/0x950 arch_do_signal_or_restart+0xac/0x2a0 ? vfs_write+0x237/0x290 exit_to_user_mode_prepare+0xa9/0x200 syscall_exit_to_user_mode+0x12/0x30 do_syscall_64+0x46/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260 Call Trace: __sk_destruct+0x24/0x1f0 sk_psock_destroy+0x19b/0x1c0 process_one_work+0x1b3/0x3c0 worker_thread+0x30/0x350 ? process_one_work+0x3c0/0x3c0 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Wang Yufen Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220304081145.2037182-4-wangyufen@huawei.com Signed-off-by: Sasha Levin commit bec34a91eba3483e1830c02bdd36f8f968642047 Author: Wang Yufen Date: Fri Mar 4 16:11:43 2022 +0800 bpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full [ Upstream commit 9c34e38c4a870eb30b13f42f5b44f42e9d19ccb8 ] If tcp_bpf_sendmsg() is running while sk msg is full. When sk_msg_alloc() returns -ENOMEM error, tcp_bpf_sendmsg() goes to wait_for_memory. If partial memory has been alloced by sk_msg_alloc(), that is, msg_tx->sg.size is greater than osize after sk_msg_alloc(), memleak occurs. To fix we use sk_msg_trim() to release the allocated memory, then goto wait for memory. Other call paths of sk_msg_alloc() have the similar issue, such as tls_sw_sendmsg(), so handle sk_msg_trim logic inside sk_msg_alloc(), as Cong Wang suggested. This issue can cause the following info: WARNING: CPU: 3 PID: 7950 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0 Call Trace: inet_csk_destroy_sock+0x55/0x110 __tcp_close+0x279/0x470 tcp_close+0x1f/0x60 inet_release+0x3f/0x80 __sock_release+0x3d/0xb0 sock_close+0x11/0x20 __fput+0x92/0x250 task_work_run+0x6a/0xa0 do_exit+0x33b/0xb60 do_group_exit+0x2f/0xa0 get_signal+0xb6/0x950 arch_do_signal_or_restart+0xac/0x2a0 exit_to_user_mode_prepare+0xa9/0x200 syscall_exit_to_user_mode+0x12/0x30 do_syscall_64+0x46/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae WARNING: CPU: 3 PID: 2094 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260 Call Trace: __sk_destruct+0x24/0x1f0 sk_psock_destroy+0x19b/0x1c0 process_one_work+0x1b3/0x3c0 kthread+0xe6/0x110 ret_from_fork+0x22/0x30 Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Wang Yufen Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220304081145.2037182-3-wangyufen@huawei.com Signed-off-by: Sasha Levin commit c98d903ff9e79c210beddea4e6bc15ac38e25aa5 Author: Yongzhi Liu Date: Fri Mar 11 09:06:01 2022 -0800 RDMA/mlx5: Fix memory leak in error flow for subscribe event routine [ Upstream commit 087f9c3f2309ed183f7e4b85ae57121d8663224d ] In case the second xa_insert() fails, the obj_event is not released. Fix the error unwind flow to free that memory to avoid a memory leak. Fixes: 759738537142 ("IB/mlx5: Enable subscription for device events over DEVX") Link: https://lore.kernel.org/r/1647018361-18266-1-git-send-email-lyz_cs@pku.edu.cn Signed-off-by: Yongzhi Liu Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit a3587259ae553e41d1ce8c7435351a5d6b299a11 Author: Xin Xiong Date: Fri Mar 4 16:53:32 2022 +0800 mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init [ Upstream commit fecbd4a317c95d73c849648c406bcf1b6a0ec1cf ] The reference counting issue happens in several error handling paths on a refcounted object "nc->dmac". In these paths, the function simply returns the error code, forgetting to balance the reference count of "nc->dmac", increased earlier by dma_request_channel(), which may cause refcount leaks. Fix it by decrementing the refcount of specific object in those error paths. Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") Co-developed-by: Xiyu Yang Signed-off-by: Xiyu Yang Co-developed-by: Xin Tan Signed-off-by: Xin Tan Signed-off-by: Xin Xiong Reviewed-by: Claudiu Beznea Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220304085330.3610-1-xiongx18@fudan.edu.cn Signed-off-by: Sasha Levin commit fa3d44424579972cc7c4fac3d9cf227798ebdfa0 Author: Yaliang Wang Date: Thu Mar 10 19:31:16 2022 +0800 MIPS: pgalloc: fix memory leak caused by pgd_free() [ Upstream commit 2bc5bab9a763d520937e4f3fe8df51c6a1eceb97 ] pgd page is freed by generic implementation pgd_free() since commit f9cb654cb550 ("asm-generic: pgalloc: provide generic pgd_free()"), however, there are scenarios that the system uses more than one page as the pgd table, in such cases the generic implementation pgd_free() won't be applicable anymore. For example, when PAGE_SIZE_4KB is enabled and MIPS_VA_BITS_48 is not enabled in a 64bit system, the macro "PGD_ORDER" will be set as "1", which will cause allocating two pages as the pgd table. Well, at the same time, the generic implementation pgd_free() just free one pgd page, which will result in the memory leak. The memory leak can be easily detected by executing shell command: "while true; do ls > /dev/null; grep MemFree /proc/meminfo; done" Fixes: f9cb654cb550 ("asm-generic: pgalloc: provide generic pgd_free()") Signed-off-by: Yaliang Wang Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 8c4808ff9e10eb292c300affc0ee6325c923eb99 Author: Randy Dunlap Date: Fri Mar 11 20:20:26 2022 -0800 MIPS: RB532: fix return value of __setup handler [ Upstream commit 8755d57ba1ff910666572fab9e32890e8cc6ed3b ] __setup() handlers should return 1 to obsolete_checksetup() in init/main.c to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) argument or environment strings. Also, error return codes don't mean anything to obsolete_checksetup() -- only non-zero (usually 1) or zero. So return 1 from setup_kmac(). Fixes: 9e21c7e40b7e ("MIPS: RB532: Replace parse_mac_addr() with mac_pton().") Fixes: 73b4390fb234 ("[MIPS] Routerboard 532: Support for base system") Signed-off-by: Randy Dunlap From: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: Thomas Bogendoerfer Cc: linux-mips@vger.kernel.org Cc: "David S. Miller" Cc: Jakub Kicinski Cc: Phil Sutter Cc: Florian Fainelli Cc: Ralf Baechle Cc: Daniel Walter Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit ef1728e3cb9e43f38ed10cde705a7ba2b4ad2d35 Author: Miaoqian Lin Date: Wed Mar 9 09:17:10 2022 +0000 mips: cdmm: Fix refcount leak in mips_cdmm_phys_base [ Upstream commit 4528668ca331f7ce5999b7746657b46db5b3b785 ] The of_find_compatible_node() function returns a node pointer with refcount incremented, We should use of_node_put() on it when done Add the missing of_node_put() to release the refcount. Fixes: 2121aa3e2312 ("mips: cdmm: Add mti,mips-cdmm dtb node support") Signed-off-by: Miaoqian Lin Acked-by: Serge Semin Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 315772133a4b960859e4f5efe0e738e347188cdc Author: Miaoqian Lin Date: Tue Mar 8 07:02:38 2022 +0000 ath10k: Fix error handling in ath10k_setup_msa_resources [ Upstream commit 9747a78d5f758a5284751a10aee13c30d02bd5f1 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This function only calls of_node_put() in the regular path. And it will cause refcount leak in error path. Fixes: 727fec790ead ("ath10k: Setup the msa resources before qmi init") Signed-off-by: Miaoqian Lin Reviewed-by: Jeff Johnson Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220308070238.19295-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 71f311b1238009c070af21c80c6e34ce85d9e7e9 Author: Oliver Hartkopp Date: Wed Mar 9 13:04:16 2022 +0100 vxcan: enable local echo for sent CAN frames [ Upstream commit 259bdba27e32368b4404f69d613b1c1014c07cbf ] The vxcan driver provides a pair of virtual CAN interfaces to exchange CAN traffic between different namespaces - analogue to veth. In opposite to the vcan driver the local sent CAN traffic on this interface is not echo'ed back but only sent to the remote peer. This is unusual and can be easily fixed by removing IFF_ECHO from the netdevice flags that are set for vxcan interfaces by default at startup. Without IFF_ECHO set on driver level, the local sent CAN frames are echo'ed in af_can.c in can_send(). This patch makes vxcan interfaces adopt the same local echo behavior and procedures as known from the vcan interfaces. Fixes: a8f820a380a2 ("can: add Virtual CAN Tunnel driver (vxcan)") Link: https://lore.kernel.org/all/20220309120416.83514-5-socketcan@hartkopp.net Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 3c2a39784974fb7dc88cc27b71569d13e45fc4b2 Author: Hangyu Hua Date: Wed Feb 23 15:02:23 2022 +0800 powerpc: 8xx: fix a return value error in mpc8xx_pic_init [ Upstream commit 3fd46e551f67f4303c3276a0d6cd20baf2d192c4 ] mpc8xx_pic_init() should return -ENOMEM instead of 0 when irq_domain_add_linear() return NULL. This cause mpc8xx_pics_init to continue executing even if mpc8xx_pic_host is NULL. Fixes: cc76404feaed ("powerpc/8xx: Fix possible device node reference leak") Signed-off-by: Hangyu Hua Reviewed-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220223070223.26845-1-hbh25y@gmail.com Signed-off-by: Sasha Levin commit 956fab99ad269831a1b32c7f4b762c31ad9364fb Author: Jia-Ju Bai Date: Wed Mar 2 18:24:21 2022 -0800 platform/x86: huawei-wmi: check the return value of device_create_file() [ Upstream commit c91a5b1c221a58d008485cf7d02ccce73108b119 ] The function device_create_file() in huawei_wmi_battery_add() can fail, so its return value should be checked. Fixes: 355a070b09ab ("platform/x86: huawei-wmi: Add battery charging thresholds") Reported-by: TOTE Robot Signed-off-by: Jia-Ju Bai Link: https://lore.kernel.org/r/20220303022421.313-1-baijiaju1990@gmail.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 1ba28cb69218b01408b8793db68a9edaa8407d86 Author: Felix Maurer Date: Thu Mar 3 12:15:26 2022 +0100 selftests/bpf: Make test_lwt_ip_encap more stable and faster [ Upstream commit d23a8720327d33616f584d76c80824bfa4699be6 ] In test_lwt_ip_encap, the ingress IPv6 encap test failed from time to time. The failure occured when an IPv4 ping through the IPv6 GRE encapsulation did not receive a reply within the timeout. The IPv4 ping and the IPv6 ping in the test used different timeouts (1 sec for IPv4 and 6 sec for IPv6), probably taking into account that IPv6 might need longer to successfully complete. However, when IPv4 pings (with the short timeout) are encapsulated into the IPv6 tunnel, the delays of IPv6 apply. The actual reason for the long delays with IPv6 was that the IPv6 neighbor discovery sometimes did not complete in time. This was caused by the outgoing interface only having a tentative link local address, i.e., not having completed DAD for that lladdr. The ND was successfully retried after 1 sec but that was too late for the ping timeout. The IPv6 addresses for the test were already added with nodad. However, for the lladdrs, DAD was still performed. We now disable DAD in the test netns completely and just assume that the two lladdrs on each veth pair do not collide. This removes all the delays for IPv6 traffic in the test. Without the delays, we can now also reduce the delay of the IPv6 ping to 1 sec. This makes the whole test complete faster because we don't need to wait for the excessive timeout for each IPv6 ping that is supposed to fail. Fixes: 0fde56e4385b0 ("selftests: bpf: add test_lwt_ip_encap selftest") Signed-off-by: Felix Maurer Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/4987d549d48b4e316cd5b3936de69c8d4bc75a4f.1646305899.git.fmaurer@redhat.com Signed-off-by: Sasha Levin commit 08ab4067815eb92a4c752872404e2483c4a46273 Author: lic121 Date: Tue Mar 1 13:26:23 2022 +0000 libbpf: Unmap rings when umem deleted [ Upstream commit 9c6e6a80ee741adf6cb3cfd8eef7d1554f91fceb ] xsk_umem__create() does mmap for fill/comp rings, but xsk_umem__delete() doesn't do the unmap. This works fine for regular cases, because xsk_socket__delete() does unmap for the rings. But for the case that xsk_socket__create_shared() fails, umem rings are not unmapped. fill_save/comp_save are checked to determine if rings have already be unmapped by xsk. If fill_save and comp_save are NULL, it means that the rings have already been used by xsk. Then they are supposed to be unmapped by xsk_socket__delete(). Otherwise, xsk_umem__delete() does the unmap. Fixes: 2f6324a3937f ("libbpf: Support shared umems between queues and devices") Signed-off-by: Cheng Li Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220301132623.GA19995@vscode.7~ Signed-off-by: Sasha Levin commit 6fa8edfc9020eb13a9f5a10792cb85a9b5c5d34f Author: Jiasheng Jiang Date: Thu Feb 24 10:23:31 2022 +0800 mfd: mc13xxx: Add check for mc13xxx_irq_request [ Upstream commit e477e51a41cb5d6034f3c5ea85a71ad4613996b9 ] As the potential failure of the devm_request_threaded_irq(), it should be better to check the return value of the mc13xxx_irq_request() and return error if fails. Fixes: 8e00593557c3 ("mfd: Add mc13892 support to mc13xxx") Signed-off-by: Jiasheng Jiang Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20220224022331.3208275-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit bcf93175ed84ead43bafed9722cd488d2b13b8cb Author: Jakob Koschel Date: Mon Feb 28 15:24:33 2022 +0100 powerpc/sysdev: fix incorrect use to determine if list is empty [ Upstream commit fa1321b11bd01752f5be2415e74a0e1a7c378262 ] 'gtm' will *always* be set by list_for_each_entry(). It is incorrect to assume that the iterator value will be NULL if the list is empty. Instead of checking the pointer it should be checked if the list is empty. Fixes: 83ff9dcf375c ("powerpc/sysdev: implement FSL GTM support") Signed-off-by: Jakob Koschel Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220228142434.576226-1-jakobkoschel@gmail.com Signed-off-by: Sasha Levin commit ab0a335b546e6a65d491999529e99ca88818a0d7 Author: Randy Dunlap Date: Fri Mar 4 08:24:27 2022 -0800 mips: DEC: honor CONFIG_MIPS_FP_SUPPORT=n [ Upstream commit 97bf0395c226907e1a9b908511a35192bf1e09bb ] Include the DECstation interrupt handler in opting out of FPU support. Fixes a linker error: mips-linux-ld: arch/mips/dec/int-handler.o: in function `fpu': (.text+0x148): undefined reference to `handle_fpe_int' Fixes: 183b40f992c8 ("MIPS: Allow FP support to be disabled") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Paul Burton Cc: Thomas Bogendoerfer Cc: Maciej W. Rozycki Cc: linux-mips@vger.kernel.org Acked-by: Maciej W. Rozycki Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit bbd91cdb620ed74e4dcb85c3d2e9585a6b3aa0d5 Author: Robert Hancock Date: Fri Mar 4 20:24:37 2022 -0600 net: axienet: fix RX ring refill allocation failure handling [ Upstream commit 7a7d340ba4d9351e4c8847b898a2b996727a922a ] If a memory allocation error occurred during an attempt to refill a slot in the RX ring after the packet was received, the hardware tail pointer would still have been updated to point to or past the slot which remained marked as previously completed. This would likely result in the DMA engine raising an error when it eventually tried to use that slot again. If a slot cannot be refilled, then just stop processing and do not move the tail pointer past it. On the next attempt, we should skip receiving the packet from the empty slot and just try to refill it again. This failure mode has not actually been observed, but was found as part of other driver updates. Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") Signed-off-by: Robert Hancock Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9ec698984db29d86c4e6cb256ca2810c613da2d2 Author: Mark Tomlinson Date: Thu Aug 6 16:14:55 2020 +1200 PCI: Reduce warnings on possible RW1C corruption [ Upstream commit 92c45b63ce22c8898aa41806e8d6692bcd577510 ] For hardware that only supports 32-bit writes to PCI there is the possibility of clearing RW1C (write-one-to-clear) bits. A rate-limited messages was introduced by fb2659230120, but rate-limiting is not the best choice here. Some devices may not show the warnings they should if another device has just produced a bunch of warnings. Also, the number of messages can be a nuisance on devices which are otherwise working fine. Change the ratelimit to a single warning per bus. This ensures no bus is 'starved' of emitting a warning and also that there isn't a continuous stream of warnings. It would be preferable to have a warning per device, but the pci_dev structure is not available here, and a lookup from devfn would be far too slow. Suggested-by: Bjorn Helgaas Fixes: fb2659230120 ("PCI: Warn on possible RW1C corruption for sub-32 bit config writes") Link: https://lore.kernel.org/r/20200806041455.11070-1-mark.tomlinson@alliedtelesis.co.nz Signed-off-by: Mark Tomlinson Signed-off-by: Bjorn Helgaas Reviewed-by: Florian Fainelli Reviewed-by: Rob Herring Acked-by: Scott Branden Signed-off-by: Sasha Levin commit a84cb039d28231a7a2ffe3b79059c92415b956a4 Author: Mike Marciniszyn Date: Tue Feb 8 14:25:09 2022 -0500 IB/hfi1: Allow larger MTU without AIP [ Upstream commit b135e324d7a2e7fa0a7ef925076136e799b79f44 ] The AIP code signals the phys_mtu in the following query_port() fragment: props->phys_mtu = HFI1_CAP_IS_KSET(AIP) ? hfi1_max_mtu : ib_mtu_enum_to_int(props->max_mtu); Using the largest MTU possible should not depend on AIP. Fix by unconditionally using the hfi1_max_mtu value. Fixes: 6d72344cf6c4 ("IB/ipoib: Increase ipoib Datagram mode MTU's upper limit") Link: https://lore.kernel.org/r/1644348309-174874-1-git-send-email-mike.marciniszyn@cornelisnetworks.com Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 48d23ef90116c8c702bfa4cad93744e4e5588d7d Author: Jiasheng Jiang Date: Thu Mar 3 17:43:22 2022 +0800 power: supply: wm8350-power: Add missing free in free_charger_irq [ Upstream commit 6dee930f6f6776d1e5a7edf542c6863b47d9f078 ] In free_charger_irq(), there is no free for 'WM8350_IRQ_CHG_FAST_RDY'. Therefore, it should be better to add it in order to avoid the memory leak. Fixes: 14431aa0c5a4 ("power_supply: Add support for WM8350 PMU") Signed-off-by: Jiasheng Jiang Acked-by: Charles Keepax Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 9d3dab40af719a1b192a80b19412a352b78975b0 Author: Jiasheng Jiang Date: Fri Mar 4 09:57:51 2022 +0800 power: supply: wm8350-power: Handle error for wm8350_register_irq [ Upstream commit b0b14b5ba11bec56fad344a4a0b2e16449cc8b94 ] As the potential failure of the wm8350_register_irq(), it should be better to check it and return error if fails. Also, use 'free_' in order to avoid same code. Fixes: 14431aa0c5a4 ("power_supply: Add support for WM8350 PMU") Signed-off-by: Jiasheng Jiang Acked-by: Charles Keepax Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 5cf1371628a43f1e7c1b9550e309431939fa1f22 Author: Robert Hancock Date: Thu Jan 27 11:50:13 2022 -0600 i2c: xiic: Make bus names unique [ Upstream commit 1d366c2f9df8279df2adbb60471f86fc40a1c39e ] This driver is for an FPGA logic core, so there can be arbitrarily many instances of the bus on a given system. Previously all of the I2C bus names were "xiic-i2c" which caused issues with lm_sensors when trying to map human-readable names to sensor inputs because it could not properly distinguish the busses, for example. Append the platform device name to the I2C bus name so it is unique between different instances. Fixes: e1d5b6598cdc ("i2c: Add support for Xilinx XPS IIC Bus Interface") Signed-off-by: Robert Hancock Tested-by: Michal Simek Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit f01e08083c9460d4855784a8b670c8dbbaa19088 Author: Anssi Hannula Date: Tue Feb 22 16:14:00 2022 +0200 hv_balloon: rate-limit "Unhandled message" warning [ Upstream commit 1d7286729aa616772be334eb908e11f527e1e291 ] For a couple of times I have encountered a situation where hv_balloon: Unhandled message: type: 12447 is being flooded over 1 million times per second with various values, filling the log and consuming cycles, making debugging difficult. Add rate limiting to the message. Most other Hyper-V drivers already have similar rate limiting in their message callbacks. The cause of the floods in my case was probably fixed by 96d9d1fa5cd5 ("Drivers: hv: balloon: account for vmbus packet header in max_pkt_size"). Fixes: 9aa8b50b2b3d ("Drivers: hv: Add Hyper-V balloon driver") Signed-off-by: Anssi Hannula Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/20220222141400.98160-1-anssi.hannula@bitwise.fi Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit ba2c6e353b11d909233cd898757ee2be1d46f915 Author: Hou Wenlong Date: Tue Feb 8 17:34:03 2022 +0800 KVM: x86/emulator: Defer not-present segment check in __load_segment_descriptor() [ Upstream commit ca85f002258fdac3762c57d12d5e6e401b6a41af ] Per Intel's SDM on the "Instruction Set Reference", when loading segment descriptor, not-present segment check should be after all type and privilege checks. But the emulator checks it first, then #NP is triggered instead of #GP if privilege fails and segment is not present. Put not-present segment check after type and privilege checks in __load_segment_descriptor(). Fixes: 38ba30ba51a00 (KVM: x86 emulator: Emulate task switch in emulator.c) Reviewed-by: Sean Christopherson Signed-off-by: Hou Wenlong Message-Id: <52573c01d369f506cadcf7233812427cf7db81a7.1644292363.git.houwenlong.hwl@antgroup.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit fa9089949daca632fcf9c50ba5754e440562f9b5 Author: Zhenzhong Duan Date: Thu Feb 10 17:45:06 2022 +0800 KVM: x86: Fix emulation in writing cr8 [ Upstream commit f66af9f222f08d5b11ea41c1bd6c07a0f12daa07 ] In emulation of writing to cr8, one of the lowest four bits in TPR[3:0] is kept. According to Intel SDM 10.8.6.1(baremetal scenario): "APIC.TPR[bits 7:4] = CR8[bits 3:0], APIC.TPR[bits 3:0] = 0"; and SDM 28.3(use TPR shadow): "MOV to CR8. The instruction stores bits 3:0 of its source operand into bits 7:4 of VTPR; the remainder of VTPR (bits 3:0 and bits 31:8) are cleared."; and AMD's APM 16.6.4: "Task Priority Sub-class (TPS)-Bits 3 : 0. The TPS field indicates the current sub-priority to be used when arbitrating lowest-priority messages. This field is written with zero when TPR is written using the architectural CR8 register."; so in KVM emulated scenario, clear TPR[3:0] to make a consistent behavior as in other scenarios. This doesn't impact evaluation and delivery of pending virtual interrupts because processor does not use the processor-priority sub-class to determine which interrupts to delivery and which to inhibit. Sub-class is used by hardware to arbitrate lowest priority interrupts, but KVM just does a round-robin style delivery. Fixes: b93463aa59d6 ("KVM: Accelerated apic support") Signed-off-by: Zhenzhong Duan Reviewed-by: Sean Christopherson Message-Id: <20220210094506.20181-1-zhenzhong.duan@intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 3e7e73ae2bbd197e4212de41b7e9379ca3b5a6af Author: Michael Ellerman Date: Tue Feb 15 22:28:58 2022 +1100 powerpc/Makefile: Don't pass -mcpu=powerpc64 when building 32-bit [ Upstream commit 2863dd2db23e0407f6c50b8ba5c0e55abef894f1 ] When CONFIG_GENERIC_CPU=y (true for all our defconfigs) we pass -mcpu=powerpc64 to the compiler, even when we're building a 32-bit kernel. This happens because we have an ifdef CONFIG_PPC_BOOK3S_64/else block in the Makefile that was written before 32-bit supported GENERIC_CPU. Prior to that the else block only applied to 64-bit Book3E. The GCC man page says -mcpu=powerpc64 "[specifies] a pure ... 64-bit big endian PowerPC ... architecture machine [type], with an appropriate, generic processor model assumed for scheduling purposes." It's unclear how that interacts with -m32, which we are also passing, although obviously -m32 is taking precedence in some sense, as the 32-bit kernel only contains 32-bit instructions. This was noticed by inspection, not via any bug reports, but it does affect code generation. Comparing before/after code generation, there are some changes to instruction scheduling, and the after case (with -mcpu=powerpc64 removed) the compiler seems more keen to use r8. Fix it by making the else case only apply to Book3E 64, which excludes 32-bit. Fixes: 0e00a8c9fd92 ("powerpc: Allow CPU selection also on PPC32") Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220215112858.304779-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 05abd49972e1965d6ee88b9b7ad55865b4e7e73e Author: Daniel Henrique Barboza Date: Thu Feb 24 15:23:12 2022 -0300 powerpc/mm/numa: skip NUMA_NO_NODE onlining in parse_numa_properties() [ Upstream commit 749ed4a20657bcea66a6e082ca3dc0d228cbec80 ] Executing node_set_online() when nid = NUMA_NO_NODE results in an undefined behavior. node_set_online() will call node_set_state(), into __node_set(), into set_bit(), and since NUMA_NO_NODE is -1 we'll end up doing a negative shift operation inside arch/powerpc/include/asm/bitops.h. This potential UB was detected running a kernel with CONFIG_UBSAN. The behavior was introduced by commit 10f78fd0dabb ("powerpc/numa: Fix a regression on memoryless node 0"), where the check for nid > 0 was removed to fix a problem that was happening with nid = 0, but the result is that now we're trying to online NUMA_NO_NODE nids as well. Checking for nid >= 0 will allow node 0 to be onlined while avoiding this UB with NUMA_NO_NODE. Fixes: 10f78fd0dabb ("powerpc/numa: Fix a regression on memoryless node 0") Reported-by: Ping Fang Signed-off-by: Daniel Henrique Barboza Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220224182312.1012527-1-danielhb413@gmail.com Signed-off-by: Sasha Levin commit 3e04a837dba71593dc3c21ecbe142bb465e48a16 Author: Xu Kuohai Date: Tue Mar 1 00:32:49 2022 -0500 libbpf: Skip forward declaration when counting duplicated type names [ Upstream commit 4226961b0019b2e1612029e8950a9e911affc995 ] Currently if a declaration appears in the BTF before the definition, the definition is dumped as a conflicting name, e.g.: $ bpftool btf dump file vmlinux format raw | grep "'unix_sock'" [81287] FWD 'unix_sock' fwd_kind=struct [89336] STRUCT 'unix_sock' size=1024 vlen=14 $ bpftool btf dump file vmlinux format c | grep "struct unix_sock" struct unix_sock; struct unix_sock___2 { <--- conflict, the "___2" is unexpected struct unix_sock___2 *unix_sk; This causes a compilation error if the dump output is used as a header file. Fix it by skipping declaration when counting duplicated type names. Fixes: 351131b51c7a ("libbpf: add btf_dump API for BTF-to-C conversion") Signed-off-by: Xu Kuohai Signed-off-by: Daniel Borkmann Acked-by: Song Liu Link: https://lore.kernel.org/bpf/20220301053250.1464204-2-xukuohai@huawei.com Signed-off-by: Sasha Levin commit 6bb107332db28a0e9256c2d36a0902b85307612c Author: Christophe JAILLET Date: Sun Nov 7 22:16:36 2021 +0100 gpu: host1x: Fix a memory leak in 'host1x_remove()' [ Upstream commit 025c6643a81564f066d8381b9e2f4603e0f8438f ] Add a missing 'host1x_channel_list_free()' call in the remove function, as already done in the error handling path of the probe function. Fixes: 8474b02531c4 ("gpu: host1x: Refactor channel allocation code") Signed-off-by: Christophe JAILLET Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit d1c7759304a123dc7519e69a661287963dd92b1f Author: Hou Tao Date: Sat Feb 26 20:19:06 2022 +0800 bpf, arm64: Feed byte-offset into bpf line info [ Upstream commit dda7596c109fc382876118627e29db7607cde35d ] insn_to_jit_off passed to bpf_prog_fill_jited_linfo() is calculated in instruction granularity instead of bytes granularity, but BPF line info requires byte offset. bpf_prog_fill_jited_linfo() will be the last user of ctx.offset before it is freed, so convert the offset into byte-offset before calling into bpf_prog_fill_jited_linfo() in order to fix the line info dump on arm64. Fixes: 37ab566c178d ("bpf: arm64: Enable arm64 jit to provide bpf_line_info") Suggested-by: Daniel Borkmann Signed-off-by: Hou Tao Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220226121906.5709-3-houtao1@huawei.com Signed-off-by: Sasha Levin commit 694398af5fea0f99b721aa9877d5f52b3f7f2790 Author: Hou Tao Date: Sat Feb 26 20:19:05 2022 +0800 bpf, arm64: Call build_prologue() first in first JIT pass [ Upstream commit 68e4f238b0e9d3670a1612ad900a6e98b2b3f7dd ] BPF line info needs ctx->offset to be the instruction offset in the whole JITed image instead of the body itself, so also call build_prologue() first in first JIT pass. Fixes: 37ab566c178d ("bpf: arm64: Enable arm64 jit to provide bpf_line_info") Signed-off-by: Hou Tao Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220226121906.5709-2-houtao1@huawei.com Signed-off-by: Sasha Levin commit 06a0001366ac0d31f3d5ae61b611173d26f22be8 Author: Nishanth Menon Date: Tue Sep 21 12:40:59 2021 -0500 drm/bridge: cdns-dsi: Make sure to to create proper aliases for dt [ Upstream commit ffb5c099aaa13ab7f73c29ea6ae26bce8d7575ae ] Add MODULE_DEVICE_TABLE to the device tree table to create required aliases needed for module to be loaded with device tree based platform. Fixes: e19233955d9e ("drm/bridge: Add Cadence DSI driver") Signed-off-by: Nishanth Menon Reviewed-by: Tomi Valkeinen Reviewed-by: Laurent Pinchart Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20210921174059.17946-1-nm@ti.com Signed-off-by: Sasha Levin commit a3d53f00056149f4d15da12ac346c9e5649d9307 Author: Xiang Chen Date: Thu Feb 24 19:51:24 2022 +0800 scsi: hisi_sas: Change permission of parameter prot_mask [ Upstream commit c4e070457a93705e56ed06b3910d9e5fe56d3be3 ] Currently the permission of parameter prot_mask is 0x0, which means that the member does not appear in sysfs. Change it as other module parameters to 0444 for world-readable. [mkp: s/v3/v2/] Link: https://lore.kernel.org/r/1645703489-87194-2-git-send-email-john.garry@huawei.com Fixes: d6a9000b81be ("scsi: hisi_sas: Add support for DIF feature for v2 hw") Reported-by: Yihang Li Signed-off-by: Xiang Chen Signed-off-by: John Garry Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 705c70399e062db96c782af66a40b3ac720bfa94 Author: Hans de Goede Date: Sat Feb 12 17:48:16 2022 +0100 power: supply: bq24190_charger: Fix bq24190_vbus_is_enabled() wrong false return [ Upstream commit f7731754fdce33dad19be746f647d6ac47c5d695 ] The datasheet says that the BQ24190_REG_POC_CHG_CONFIG bits can have a value of either 10(0x2) or 11(0x3) for OTG (5V boost regulator) mode. Sofar bq24190_vbus_is_enabled() was only checking for 10 but some BIOS-es uses 11 when enabling the regulator at boot. Make bq24190_vbus_is_enabled() also check for 11 so that it does not wrongly returns false when the bits are set to 11. Fixes: 66b6bef2c4e0 ("power: supply: bq24190_charger: Export 5V boost converter as regulator") Cc: Bastien Nocera Signed-off-by: Hans de Goede Reviewed-by: Andy Shevchenko Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 1e06710c43a090f14bb67714265a01cd1d7a37c5 Author: Miaoqian Lin Date: Mon Jan 10 06:53:16 2022 +0000 drm/tegra: Fix reference leak in tegra_dsi_ganged_probe [ Upstream commit 221e3638feb8bc42143833c9a704fa89b6c366bb ] The reference taken by 'of_find_device_by_node()' must be released when not needed anymore. Add put_device() call to fix this. Fixes: e94236cde4d5 ("drm/tegra: dsi: Add ganged mode support") Signed-off-by: Miaoqian Lin Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 9ffa07c699a72fc351620ee3cf6797d1a8abe37f Author: Zhang Yi Date: Sat Feb 12 13:05:32 2022 +0800 ext2: correct max file size computing [ Upstream commit 50b3a818991074177a56c87124c7a7bdf5fa4f67 ] We need to calculate the max file size accurately if the total blocks that can address by block tree exceed the upper_limit. But this check is not correct now, it only compute the total data blocks but missing metadata blocks are needed. So in the case of "data blocks < upper_limit && total blocks > upper_limit", we will get wrong result. Fortunately, this case could not happen in reality, but it's confused and better to correct the computing. bits data blocks metadatablocks upper_limit 10 16843020 66051 2147483647 11 134480396 263171 1073741823 12 1074791436 1050627 536870911 (*) 13 8594130956 4198403 268435455 (*) 14 68736258060 16785411 134217727 (*) 15 549822930956 67125251 67108863 (*) 16 4398314962956 268468227 33554431 (*) [*] Need to calculate in depth. Fixes: 1c2d14212b15 ("ext2: Fix underflow in ext2_max_size()") Link: https://lore.kernel.org/r/20220212050532.179055-1-yi.zhang@huawei.com Signed-off-by: Zhang Yi Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit 60605acf5bf857a93938ae5174be9836874b4608 Author: Randy Dunlap Date: Tue Feb 22 13:45:33 2022 -0800 TOMOYO: fix __setup handlers return values [ Upstream commit 39844b7e3084baecef52d1498b5fa81afa2cefa9 ] __setup() handlers should return 1 if the parameter is handled. Returning 0 causes the entire string to be added to init's environment strings (limited to 32 strings), unnecessarily polluting it. Using the documented strings "TOMOYO_loader=string1" and "TOMOYO_trigger=string2" causes an Unknown parameter message: Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc5 TOMOYO_loader=string1 \ TOMOYO_trigger=string2", will be passed to user space. and these strings are added to init's environment string space: Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc5 TOMOYO_loader=string1 TOMOYO_trigger=string2 With this change, these __setup handlers act as expected, and init's environment is not polluted with these strings. Fixes: 0e4ae0e0dec63 ("TOMOYO: Make several options configurable.") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: https://lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: James Morris Cc: Kentaro Takeda Cc: tomoyo-dev-en@lists.osdn.me Cc: "Serge E. Hallyn" Signed-off-by: Tetsuo Handa Signed-off-by: Sasha Levin commit adb7c8d1de052e2ca23ead2ea3f862507f45e9c6 Author: Maíra Canal Date: Tue Feb 22 10:16:57 2022 -0300 drm/amd/display: Remove vupdate_int_entry definition [ Upstream commit 3679b8518cd213c25d555553ef212e233faf698c ] Remove the vupdate_int_entry definition and utilization to avoid the following warning by Clang: drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:410:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(0), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:404:2: note: previous initialization is here vupdate_int_entry(0), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:411:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(1), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:405:2: note: previous initialization is here vupdate_int_entry(1), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:412:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(2), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:406:2: note: previous initialization is here vupdate_int_entry(2), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:413:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(3), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:407:2: note: previous initialization is here vupdate_int_entry(3), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:414:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(4), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:408:2: note: previous initialization is here vupdate_int_entry(4), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:415:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(5), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:409:2: note: previous initialization is here vupdate_int_entry(5), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ 6 warnings generated. Fixes: 688f97ed3f5e ("drm/amd/display: Add vupdate_no_lock interrupts for DCN2.1") Signed-off-by: Maíra Canal Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit e462b0f518e99589ef7f4b60c5054757e3bec51e Author: Aharon Landau Date: Tue Feb 15 19:55:30 2022 +0200 RDMA/mlx5: Fix the flow of a miss in the allocation of a cache ODP MR [ Upstream commit 2f0e60d5e9f96341a0c8a01be8878cdb3b29ff20 ] When an ODP MR cache entry is empty and trying to allocate it, increment the ent->miss counter and call to queue_adjust_cache_locked() to verify the entry is balanced. Fixes: aad719dcf379 ("RDMA/mlx5: Allow MRs to be created in the cache synchronously") Link: https://lore.kernel.org/r/09503e295276dcacc92cb1d8aef1ad0961c99dc1.1644947594.git.leonro@nvidia.com Signed-off-by: Aharon Landau Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 279f318bd7d6e04e6e0bc7b8cd8e190da8fa37a4 Author: Damien Le Moal Date: Sun Feb 20 12:17:55 2022 +0900 scsi: pm8001: Fix abort all task initialization [ Upstream commit 7f12845c8389855dbcc67baa068b6832dc4a396e ] In pm80xx_send_abort_all(), the n_elem field of the ccb used is not initialized to 0. This missing initialization sometimes lead to the task completion path seeing the ccb with a non-zero n_elem resulting in the execution of invalid dma_unmap_sg() calls in pm8001_ccb_task_free(), causing a crash such as: [ 197.676341] RIP: 0010:iommu_dma_unmap_sg+0x6d/0x280 [ 197.700204] RSP: 0018:ffff889bbcf89c88 EFLAGS: 00010012 [ 197.705485] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83d0bda0 [ 197.712687] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff88810dffc0d0 [ 197.719887] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8881c790098b [ 197.727089] R10: ffffed1038f20131 R11: 0000000000000001 R12: 0000000000000000 [ 197.734296] R13: ffff88810dffc0d0 R14: 0000000000000010 R15: 0000000000000000 [ 197.741493] FS: 0000000000000000(0000) GS:ffff889bbcf80000(0000) knlGS:0000000000000000 [ 197.749659] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 197.755459] CR2: 00007f16c1b42734 CR3: 0000000004814000 CR4: 0000000000350ee0 [ 197.762656] Call Trace: [ 197.765127] [ 197.767162] pm8001_ccb_task_free+0x5f1/0x820 [pm80xx] [ 197.772364] ? do_raw_spin_unlock+0x54/0x220 [ 197.776680] pm8001_mpi_task_abort_resp+0x2ce/0x4f0 [pm80xx] [ 197.782406] process_oq+0xe85/0x7890 [pm80xx] [ 197.786817] ? lock_acquire+0x194/0x490 [ 197.790697] ? handle_irq_event+0x10e/0x1b0 [ 197.794920] ? mpi_sata_completion+0x2d70/0x2d70 [pm80xx] [ 197.800378] ? __wake_up_bit+0x100/0x100 [ 197.804340] ? lock_is_held_type+0x98/0x110 [ 197.808565] pm80xx_chip_isr+0x94/0x130 [pm80xx] [ 197.813243] tasklet_action_common.constprop.0+0x24b/0x2f0 [ 197.818785] __do_softirq+0x1b5/0x82d [ 197.822485] ? do_raw_spin_unlock+0x54/0x220 [ 197.826799] __irq_exit_rcu+0x17e/0x1e0 [ 197.830678] irq_exit_rcu+0xa/0x20 [ 197.834114] common_interrupt+0x78/0x90 [ 197.840051] [ 197.844236] [ 197.848397] asm_common_interrupt+0x1e/0x40 Avoid this issue by always initializing the ccb n_elem field to 0 in pm8001_send_abort_all(), pm8001_send_read_log() and pm80xx_send_abort_all(). Link: https://lore.kernel.org/r/20220220031810.738362-17-damien.lemoal@opensource.wdc.com Fixes: c6b9ef5779c3 ("[SCSI] pm80xx: NCQ error handling changes") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 780c668a2dd4e5e479a13295e056144f8954829c Author: Damien Le Moal Date: Sun Feb 20 12:17:54 2022 +0900 scsi: pm8001: Fix NCQ NON DATA command completion handling [ Upstream commit 1d6736c3e162061dc811c76e605f35ef3234bffa ] NCQ NON DATA is an NCQ command with the DMA_NONE DMA direction and so a register-device-to-host-FIS response is expected for it. However, for an IO_SUCCESS case, mpi_sata_completion() expects a set-device-bits-FIS for any ata task with an use_ncq field true, which includes NCQ NON DATA commands. Fix this to correctly treat NCQ NON DATA commands as non-data by also testing for the DMA_NONE DMA direction. Link: https://lore.kernel.org/r/20220220031810.738362-16-damien.lemoal@opensource.wdc.com Fixes: dbf9bfe61571 ("[SCSI] pm8001: add SAS/SATA HBA driver") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit f7a3f9e4e81b96bb7d6ad6ab2e083f5508e9cfd9 Author: Damien Le Moal Date: Sun Feb 20 12:17:53 2022 +0900 scsi: pm8001: Fix NCQ NON DATA command task initialization [ Upstream commit aa028141ab0bc62c44a84d42f09db35d82df82a2 ] In the pm8001_chip_sata_req() and pm80xx_chip_sata_req() functions, all tasks with a DMA direction of DMA_NONE (no data transfer) are initialized using the ATAP value 0x04. However, NCQ NON DATA commands, while being DMA_NONE commands are NCQ commands and need to be initialized using the value 0x07 for ATAP, similarly to other NCQ commands. Make sure that NCQ NON DATA command tasks are initialized similarly to other NCQ commands by also testing the task "use_ncq" field in addition to the DMA direction. While at it, reorganize the code into a chain of if - else if - else to avoid useless affectations and debug messages. Link: https://lore.kernel.org/r/20220220031810.738362-15-damien.lemoal@opensource.wdc.com Fixes: dbf9bfe61571 ("[SCSI] pm8001: add SAS/SATA HBA driver") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit f76bbee39eda6268b63bf3d165e6f629e77385f7 Author: Damien Le Moal Date: Sun Feb 20 12:17:50 2022 +0900 scsi: pm8001: Fix le32 values handling in pm80xx_chip_sata_req() [ Upstream commit fd6d0e376211d7ed759db96b0fbd9a1cee67d462 ] Make sure that the __le32 fields of struct sata_cmd are manipulated after applying the correct endian conversion. That is, use cpu_to_le32() for assigning values and le32_to_cpu() for consulting a field value. In particular, make sure that the calculations for the 4G boundary check are done using CPU endianness and *not* little endian values. With these fixes, many sparse warnings are removed. While at it, fix some code identation and add blank lines after variable declarations and in some other places to make this code more readable. Link: https://lore.kernel.org/r/20220220031810.738362-12-damien.lemoal@opensource.wdc.com Fixes: 0ecdf00ba6e5 ("[SCSI] pm80xx: 4G boundary fix.") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 6bc86bca3502a8b617ae563a5e40c6dc5fcbec10 Author: Damien Le Moal Date: Sun Feb 20 12:17:49 2022 +0900 scsi: pm8001: Fix le32 values handling in pm80xx_chip_ssp_io_req() [ Upstream commit 970404cc5744b1033b6ee601be4ef0e2d1fbcf72 ] Make sure that the __le32 fields of struct ssp_ini_io_start_req are manipulated after applying the correct endian conversion. That is, use cpu_to_le32() for assigning values and le32_to_cpu() for consulting a field value. In particular, make sure that the calculations for the 4G boundary check are done using CPU endianness and *not* little endian values. With these fixes, many sparse warnings are removed. While at it, add blank lines after variable declarations and in some other places to make this code more readable. Link: https://lore.kernel.org/r/20220220031810.738362-11-damien.lemoal@opensource.wdc.com Fixes: 0ecdf00ba6e5 ("[SCSI] pm80xx: 4G boundary fix.") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 27ccdcaa015d4194ceaa878c5d8df55ec68abd33 Author: Damien Le Moal Date: Sun Feb 20 12:17:48 2022 +0900 scsi: pm8001: Fix payload initialization in pm80xx_encrypt_update() [ Upstream commit f8b12dfb476dad38ce755aaf5e2df46f06f1822e ] All fields of the kek_mgmt_req structure have the type __le32. So make sure to use cpu_to_le32() to initialize them. This suppresses the sparse warning: warning: incorrect type in assignment (different base types) expected restricted __le32 [addressable] [assigned] [usertype] new_curidx_ksop got int Link: https://lore.kernel.org/r/20220220031810.738362-10-damien.lemoal@opensource.wdc.com Fixes: f5860992db55 ("[SCSI] pm80xx: Added SPCv/ve specific hardware functionalities and relevant changes in common files") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 6c0e850c2289e89a18c880be4a225f3770877c1a Author: Damien Le Moal Date: Sun Feb 20 12:17:47 2022 +0900 scsi: pm8001: Fix le32 values handling in pm80xx_set_sas_protocol_timer_config() [ Upstream commit ca374f5d92b8ae778f6a37dd3e7ed809bbf7a953 ] All fields of the SASProtocolTimerConfig structure have the __le32 type. As such, use cpu_to_le32() to initialize them. This change suppresses many sparse warnings: warning: incorrect type in assignment (different base types) expected restricted __le32 [addressable] [usertype] pageCode got int Note that the check to limit the value of the STP_IDLE_TMO field is removed as this field is initialized using the fixed (and small) value defined by the STP_IDLE_TIME macro. The pm8001_dbg() calls printing the values of the SASProtocolTimerConfig structure fileds are changed to use le32_to_cpu() to present the values in human readable form. Link: https://lore.kernel.org/r/20220220031810.738362-9-damien.lemoal@opensource.wdc.com Fixes: a6cb3d012b98 ("[SCSI] pm80xx: thermal, sas controller config and error handling update") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit edde1ede761e94a09f2fe04792e34252799fab4c Author: Damien Le Moal Date: Sun Feb 20 12:17:46 2022 +0900 scsi: pm8001: Fix payload initialization in pm80xx_set_thermal_config() [ Upstream commit bb225b12dbcc82d53d637d10b8d70b64494f8c16 ] The fields of the set_ctrl_cfg_req structure have the __le32 type, so use cpu_to_le32() to assign them. This removes the sparse warnings: warning: incorrect type in assignment (different base types) expected restricted __le32 got unsigned int Link: https://lore.kernel.org/r/20220220031810.738362-8-damien.lemoal@opensource.wdc.com Fixes: 842784e0d15b ("pm80xx: Update For Thermal Page Code") Fixes: f5860992db55 ("[SCSI] pm80xx: Added SPCv/ve specific hardware functionalities and relevant changes in common files") Reviewed-by: John Garry Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 257a55622cc6d526f6c9482a5ac5958c86b087be Author: Damien Le Moal Date: Sun Feb 20 12:17:45 2022 +0900 scsi: pm8001: Fix command initialization in pm8001_chip_ssp_tm_req() [ Upstream commit cd2268a180117aa8ebb23e090ba204324b2d0e93 ] The ds_ads_m field of struct ssp_ini_tm_start_req has the type __le32. Assigning a value to it should thus use cpu_to_le32(). This fixes the sparse warning: warning: incorrect type in assignment (different base types) expected restricted __le32 [addressable] [assigned] [usertype] ds_ads_m got int Link: https://lore.kernel.org/r/20220220031810.738362-7-damien.lemoal@opensource.wdc.com Fixes: dbf9bfe61571 ("[SCSI] pm8001: add SAS/SATA HBA driver") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit f55a7bc38f74e17390a73cf1f6eaee9fb0518ca5 Author: Damien Le Moal Date: Sun Feb 20 12:17:43 2022 +0900 scsi: pm8001: Fix command initialization in pm80XX_send_read_log() [ Upstream commit 1a37b6738b58d86f6b144b3fc754ace0f2e0166d ] Since the sata_cmd struct is zeroed out before its fields are initialized, there is no need for using "|=" to initialize the ncqtag_atap_dir_m field. Using a standard assignment removes the sparse warning: warning: invalid assignment: |= Also, since the ncqtag_atap_dir_m field has type __le32, use cpu_to_le32() to generate the assigned value. Link: https://lore.kernel.org/r/20220220031810.738362-5-damien.lemoal@opensource.wdc.com Fixes: c6b9ef5779c3 ("[SCSI] pm80xx: NCQ error handling changes") Reviewed-by: John Garry Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 5349cde1dfaae67554fec4e844ef9c0030a0dd87 Author: Aashish Sharma Date: Fri Feb 11 12:15:38 2022 +0000 dm crypt: fix get_key_size compiler warning if !CONFIG_KEYS [ Upstream commit 6fc51504388c1a1a53db8faafe9fff78fccc7c87 ] Explicitly convert unsigned int in the right of the conditional expression to int to match the left side operand and the return type, fixing the following compiler warning: drivers/md/dm-crypt.c:2593:43: warning: signed and unsigned type in conditional expression [-Wsign-compare] Fixes: c538f6ec9f56 ("dm crypt: add ability to use keys from the kernel key retention service") Signed-off-by: Aashish Sharma Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit d4862bea088c1e03ca56ec2a9272597046fb2d04 Author: Dmitry Baryshkov Date: Thu Feb 17 06:53:52 2022 +0300 drm/msm/dpu: fix dp audio condition [ Upstream commit 1e0505a5a7a2fea243f8e6d7e13fcde65f9e41bc ] DP audio enablement code which is comparing intf_type, DRM_MODE_ENCODER_TMDS (= 2) with DRM_MODE_CONNECTOR_DisplayPort (= 10). Which would never succeed. Fix it to check for DRM_MODE_ENCODER_TMDS. Fixes: d13e36d7d222 ("drm/msm/dp: add audio support for Display Port on MSM") Reviewed-by: Abhinav Kumar Reviewed-by: Bjorn Andersson Reviewed-by: Stephen Boyd Signed-off-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20220217035358.465904-2-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 7b52fb813cd1b6b502848fb2f017f6e760299d6a Author: Dmitry Baryshkov Date: Sat Jan 22 00:06:14 2022 +0300 drm/msm/dpu: add DSPP blocks teardown [ Upstream commit d5c5e78f217172e87d8fb2c3418dd8b58b4adfcb ] Add missing calls to dpu_hw_dspp_destroy() to free resources allocated for DSPP hardware blocks. Fixes: e47616df008b ("drm/msm/dpu: add support for color processing blocks in dpu driver") Signed-off-by: Dmitry Baryshkov Reviewed-by: Stephen Boyd Reviewed-by: Abhinav Kumar Link: https://lore.kernel.org/r/20220121210618.3482550-3-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 413c62697b61226a236c8b1f5cd64dcf42bcc12f Author: Kuogee Hsieh Date: Tue Jan 18 10:47:26 2022 -0800 drm/msm/dp: populate connector of struct dp_panel [ Upstream commit 5e602f5156910c7b19661699896cb6e3fb94fab9 ] DP CTS test case 4.2.2.6 has valid edid with bad checksum on purpose and expect DP source return correct checksum. During drm edid read, correct edid checksum is calculated and stored at connector::real_edid_checksum. The problem is struct dp_panel::connector never be assigned, instead the connector is stored in struct msm_dp::connector. When we run compliance testing test case 4.2.2.6 dp_panel_handle_sink_request() won't have a valid edid set in struct dp_panel::edid so we'll try to use the connectors real_edid_checksum and hit a NULL pointer dereference error because the connector pointer is never assigned. Changes in V2: -- populate panel connector at msm_dp_modeset_init() instead of at dp_panel_read_sink_caps() Changes in V3: -- remove unhelpful kernel crash trace commit text -- remove renaming dp_display parameter to dp Changes in V4: -- add more details to commit text Changes in v10: -- group into one series Changes in v11: -- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read Fixes: 7948fe12d47 ("drm/msm/dp: return correct edid checksum after corrupted edid checksum read") Signee-off-by: Kuogee Hsieh Reviewed-by: Bjorn Andersson Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1642531648-8448-3-git-send-email-quic_khsieh@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 441a83ff270effab2ccdcee9ed441c8c1c250a28 Author: Dan Carpenter Date: Mon Aug 16 21:39:30 2021 +0300 iwlwifi: mvm: Fix an error code in iwl_mvm_up() [ Upstream commit 583d18336abdfb1b355270289ff8f6a2608ba905 ] Return -ENODEV instead of success on this error path. Fixes: dd36a507c806 ("iwlwifi: mvm: look for the first supported channel when add/remove phy ctxt") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20210816183930.GA2068@kili Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit c12692c3e97989103f0eb2891de64712ae5dc560 Author: Colin Ian King Date: Tue Sep 7 11:46:58 2021 +0100 iwlwifi: Fix -EIO error code that is never returned [ Upstream commit c305c94bdc18e45b5ad1db54da4269f8cbfdff6b ] Currently the error -EIO is being assinged to variable ret when the READY_BIT is not set but the function iwlagn_mac_start returns 0 rather than ret. Fix this by returning ret instead of 0. Addresses-Coverity: ("Unused value") Fixes: 7335613ae27a ("iwlwifi: move all mac80211 related functions to one place") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20210907104658.14706-1-colin.king@canonical.com Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit ec376f5c11c88c0215d173599db8449cd4196759 Author: Tong Zhang Date: Fri Feb 11 23:11:11 2022 -0800 dax: make sure inodes are flushed before destroy cache [ Upstream commit a7e8de822e0b1979f08767c751f6c8a9c1d4ad86 ] A bug can be triggered by following command $ modprobe nd_pmem && modprobe -r nd_pmem [ 10.060014] BUG dax_cache (Not tainted): Objects remaining in dax_cache on __kmem_cache_shutdown() [ 10.060938] Slab 0x0000000085b729ac objects=9 used=1 fp=0x000000004f5ae469 flags=0x200000000010200(slab|head|node) [ 10.062433] Call Trace: [ 10.062673] dump_stack_lvl+0x34/0x44 [ 10.062865] slab_err+0x90/0xd0 [ 10.063619] __kmem_cache_shutdown+0x13b/0x2f0 [ 10.063848] kmem_cache_destroy+0x4a/0x110 [ 10.064058] __x64_sys_delete_module+0x265/0x300 This is caused by dax_fs_exit() not flushing inodes before destroy cache. To fix this issue, call rcu_barrier() before destroy cache. Signed-off-by: Tong Zhang Reviewed-by: Ira Weiny Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20220212071111.148575-1-ztong0001@gmail.com Fixes: 7b6be8444e0f ("dax: refactor dax-fs into a generic provider of 'struct dax_device' instances") Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit 5e6b030ac345033bd9259f7a591c424213247000 Author: Håkon Bugge Date: Wed Feb 9 16:39:35 2022 +0100 IB/cma: Allow XRC INI QPs to set their local ACK timeout [ Upstream commit 748663c8ccf6b2e5a800de19127c2cc1c4423fd2 ] XRC INI QPs should be able to adjust their local ACK timeout. Fixes: 2c1619edef61 ("IB/cma: Define option to set ack timeout and pack tos_set") Link: https://lore.kernel.org/r/1644421175-31943-1-git-send-email-haakon.bugge@oracle.com Signed-off-by: Håkon Bugge Suggested-by: Avneesh Pant Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 9c384e1afa552c94b5684036d5a26fa6dc11c37e Author: Roman Li Date: Thu Dec 23 17:39:57 2021 -0500 drm/amd/display: Add affected crtcs to atomic state for dsc mst unplug [ Upstream commit 128f8ed5902a287a6bb4afe0ffdae8a80b2a64ec ] [Why] When display topology changed on DSC hub we add all crtcs with dsc support to atomic state. Refer to patch:"drm/amd/display: Trigger modesets on MST DSC connectors" However the original implementation may skip crtc if the topology change caused by unplug. That potentially could lead to no-lightup or corruption on DSC hub after unplug event on one of the connectors. [How] Update add_affected_mst_dsc_crtcs() to use old connector state if new connector state has no crtc (undergoes modeset due to unplug) Fixes: 44be939ff7ac58 ("drm/amd/display: Trigger modesets on MST DSC connectors") Reviewed-by: Hersen Wu Acked-by: Jasdeep Dhillon Signed-off-by: Roman Li Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 80b96ac9d2fb06a364737c8de4b46a7c22aab1b8 Author: Yiqing Yao Date: Mon Jan 24 16:11:20 2022 +0800 drm/amd/pm: enable pm sysfs write for one VF mode [ Upstream commit e610941c45bad75aa839af015c27d236ab6749e5 ] [why] pm sysfs should be writable in one VF mode as is in passthrough [how] do not remove write access on pm sysfs if device is in one VF mode Fixes: 11c9cc95f818 ("amdgpu/pm: Make sysfs pm attributes as read-only for VFs") Signed-off-by: Yiqing Yao Reviewed-by: Monk Liu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 06e778d1849d07093bb96b2c943b4c6055f215cf Author: Jiasheng Jiang Date: Thu Jan 6 10:43:02 2022 +0800 iommu/ipmmu-vmsa: Check for error num after setting mask [ Upstream commit 1fdbbfd5099f797a4dac05e7ef0192ba4a9c39b4 ] Because of the possible failure of the dma_supported(), the dma_set_mask_and_coherent() may return error num. Therefore, it should be better to check it and return the error if fails. Fixes: 1c894225bf5b ("iommu/ipmmu-vmsa: IPMMU device is 40-bit bus master") Signed-off-by: Jiasheng Jiang Reviewed-by: Nikita Yushchenko Link: https://lore.kernel.org/r/20220106024302.2574180-1-jiasheng@iscas.ac.cn Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit ab63b24ae632f8b5ff034c7baf8cf583991e02c0 Author: Dmitry Torokhov Date: Mon Jan 17 23:26:18 2022 -0800 HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports [ Upstream commit a5e5e03e94764148a01757b2fa4737d3445c13a6 ] Internally kernel prepends all report buffers, for both numbered and unnumbered reports, with report ID, therefore to properly handle unnumbered reports we should prepend it ourselves. For the same reason we should skip the first byte of the buffer when calling i2c_hid_set_or_send_report() which then will take care of properly formatting the transfer buffer based on its separate report ID argument along with report payload. [jkosina@suse.cz: finalize trimmed sentence in changelog as spotted by Benjamin] Fixes: 9b5a9ae88573 ("HID: i2c-hid: implement ll_driver transport-layer callbacks") Signed-off-by: Dmitry Torokhov Tested-by: Benjamin Tissoires Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 879356a6a05559582b0a7895d86d2d4359745c08 Author: Miaoqian Lin Date: Mon Jan 24 13:13:46 2022 +0000 power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init [ Upstream commit 6a4760463dbc6b603690938c468839985189ce0a ] kobject_init_and_add() takes reference even when it fails. According to the doc of kobject_init_and_add(): If this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object. Fix memory leak by calling kobject_put(). Fixes: 8c0984e5a753 ("power: move power supply drivers to power/supply") Signed-off-by: Miaoqian Lin Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit f03ef518c1c1987b100b3195596542c9d44b2c99 Author: Neil Armstrong Date: Fri Feb 4 15:33:37 2022 +0100 drm/bridge: dw-hdmi: use safe format when first in bridge chain [ Upstream commit 1528038385c0a706aac9ac165eeb24044fef6825 ] When the dw-hdmi bridge is in first place of the bridge chain, this means there is no way to select an input format of the dw-hdmi HW component. Since introduction of display-connector, negotiation was broken since the dw-hdmi negotiation code only worked when the dw-hdmi bridge was in last position of the bridge chain or behind another bridge also supporting input & output format negotiation. Commit 7cd70656d128 ("drm/bridge: display-connector: implement bus fmts callbacks") was introduced to make negotiation work again by making display-connector act as a pass-through concerning input & output format negotiation. But in the case where the dw-hdmi is single in the bridge chain, for example on Renesas SoCs, with the display-connector bridge the dw-hdmi is no more single, breaking output format. Reported-by: Biju Das Bisected-by: Kieran Bingham Tested-by: Kieran Bingham Fixes: 6c3c719936da ("drm/bridge: synopsys: dw-hdmi: add bus format negociation") Signed-off-by: Neil Armstrong [narmstrong: add proper fixes commit] Reviewed-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220204143337.89221-1-narmstrong@baylibre.com Signed-off-by: Sasha Levin commit e0e25e131d18445103b8c756e0bc05f953ce3d46 Author: Pali Rohár Date: Mon Jan 10 02:50:09 2022 +0100 PCI: aardvark: Fix reading PCI_EXP_RTSTA_PME bit on emulated bridge [ Upstream commit 735f5ae49e1b44742cc63ca9b5c1ffde3e94ba91 ] The emulated bridge returns incorrect value for PCI_EXP_RTSTA register during readout in advk_pci_bridge_emul_pcie_conf_read() function: the correct bit is BIT(16), but we are setting BIT(23), because the code does *value = (isr0 & PCIE_MSG_PM_PME_MASK) << 16 where PCIE_MSG_PM_PME_MASK is BIT(7). The code should probably have been something like *value = (!!(isr0 & PCIE_MSG_PM_PME_MASK)) << 16, but we are better of using an if() and using the proper macro for this bit. Link: https://lore.kernel.org/r/20220110015018.26359-15-kabel@kernel.org Fixes: 8a3ebd8de328 ("PCI: aardvark: Implement emulated root PCI bridge config space") Signed-off-by: Pali Rohár Signed-off-by: Marek Behún Signed-off-by: Lorenzo Pieralisi Signed-off-by: Sasha Levin commit b1af8b9ec032826fc532b93308215449229a9e10 Author: Christophe Leroy Date: Mon Dec 20 16:38:02 2021 +0000 livepatch: Fix build failure on 32 bits processors [ Upstream commit 2f293651eca3eacaeb56747dede31edace7329d2 ] Trying to build livepatch on powerpc/32 results in: kernel/livepatch/core.c: In function 'klp_resolve_symbols': kernel/livepatch/core.c:221:23: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 221 | sym = (Elf64_Sym *)sechdrs[symndx].sh_addr + ELF_R_SYM(relas[i].r_info); | ^ kernel/livepatch/core.c:221:21: error: assignment to 'Elf32_Sym *' {aka 'struct elf32_sym *'} from incompatible pointer type 'Elf64_Sym *' {aka 'struct elf64_sym *'} [-Werror=incompatible-pointer-types] 221 | sym = (Elf64_Sym *)sechdrs[symndx].sh_addr + ELF_R_SYM(relas[i].r_info); | ^ kernel/livepatch/core.c: In function 'klp_apply_section_relocs': kernel/livepatch/core.c:312:35: error: passing argument 1 of 'klp_resolve_symbols' from incompatible pointer type [-Werror=incompatible-pointer-types] 312 | ret = klp_resolve_symbols(sechdrs, strtab, symndx, sec, sec_objname); | ^~~~~~~ | | | Elf32_Shdr * {aka struct elf32_shdr *} kernel/livepatch/core.c:193:44: note: expected 'Elf64_Shdr *' {aka 'struct elf64_shdr *'} but argument is of type 'Elf32_Shdr *' {aka 'struct elf32_shdr *'} 193 | static int klp_resolve_symbols(Elf64_Shdr *sechdrs, const char *strtab, | ~~~~~~~~~~~~^~~~~~~ Fix it by using the right types instead of forcing 64 bits types. Fixes: 7c8e2bdd5f0d ("livepatch: Apply vmlinux-specific KLP relocations early") Signed-off-by: Christophe Leroy Acked-by: Petr Mladek Acked-by: Joe Lawrence Acked-by: Miroslav Benes Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/5288e11b018a762ea3351cc8fb2d4f15093a4457.1640017960.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 6f095441f808ee81e669ee03842c05f5c819b573 Author: Thomas Bracht Laumann Jespersen Date: Mon Jan 31 12:20:28 2022 +0100 scripts/dtc: Call pkg-config POSIXly correct [ Upstream commit a8b309ce9760943486e0585285e0125588a31650 ] Running with POSIXLY_CORRECT=1 in the environment the scripts/dtc build fails, because pkg-config doesn't output anything when the flags come after the arguments. Fixes: 067c650c456e ("dtc: Use pkg-config to locate libyaml") Signed-off-by: Thomas Bracht Laumann Jespersen Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220131112028.7907-1-t@laumann.xyz Signed-off-by: Sasha Levin commit 080822563b35033595575ebf84568263ce8f6d61 Author: Tobias Waldekranz Date: Thu Feb 3 11:16:55 2022 +0100 net: dsa: mv88e6xxx: Enable port policy support on 6097 [ Upstream commit 585d42bb57bb358d48906660a8de273b078810b1 ] This chip has support for the same per-port policy actions found in later versions of LinkStreet devices. Fixes: f3a2cd326e44 ("net: dsa: mv88e6xxx: introduce .port_set_policy") Signed-off-by: Tobias Waldekranz Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2ac4f049db6e8ea930f1e74520e5f5d3d8cbf454 Author: Lorenzo Bianconi Date: Sat Jan 22 15:58:58 2022 +0100 mt76: mt7615: check sta_rates pointer in mt7615_sta_rate_tbl_update [ Upstream commit 6a6f457ed5fdf6777536c20644a9e42128a50ec2 ] Check sta_rates pointer value in mt7615_sta_rate_tbl_update routine since minstrel_ht_update_rates can fail allocating rates array. Fixes: 04b8e65922f63 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 2430af124125b9be4bcffd2867dbba451daf4666 Author: Lorenzo Bianconi Date: Sat Jan 22 15:58:57 2022 +0100 mt76: mt7603: check sta_rates pointer in mt7603_sta_rate_tbl_update [ Upstream commit fc8e2c707ce11c8ec2e992885b0d53a5e04031ac ] Check sta_rates pointer value in mt7603_sta_rate_tbl_update routine since minstrel_ht_update_rates can fail allocating rates array. Fixes: c8846e1015022 ("mt76: add driver for MT7603E and MT7628/7688") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 232c1cc9861100d87af25c9cebfbd1acbb5c41d8 Author: Lorenzo Bianconi Date: Wed Dec 22 17:06:36 2021 +0100 mt76: mt7915: use proper aid value in mt7915_mcu_sta_basic_tlv [ Upstream commit abdb8bc94be4cf68aa71c9a8ee0bad9b3e6f52d3 ] Similar to mt7915_mcu_wtbl_generic_tlv, rely on vif->bss_conf.aid for aid in sta mode and not on sta->aid. Fixes: e57b7901469fc ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 253cc4aafc219692749edc581efbd9d218d7d990 Author: Lorenzo Bianconi Date: Wed Dec 22 12:52:17 2021 +0100 mt76: mt7915: use proper aid value in mt7915_mcu_wtbl_generic_tlv in sta mode [ Upstream commit a56b1b0f145ef2d6bb9312dedf3ab8558ef50a5b ] mac80211 provides aid in vif->bss_conf.aid for sta mode and not in sta->aid. Fix mt7915_mcu_wtbl_generic_tlv routine using proper value for aid in sta mode. Fixes: e57b7901469fc ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit b5d363ff171e208fd546ed718535002cc64a13c4 Author: Athira Rajeev Date: Wed Feb 2 09:48:37 2022 +0530 powerpc/perf: Don't use perf_hw_context for trace IMC PMU [ Upstream commit 0198322379c25215b2778482bf1221743a76e2b5 ] Trace IMC (In-Memory collection counters) in powerpc is useful for application level profiling. For trace_imc, presently task context (task_ctx_nr) is set to perf_hw_context. But perf_hw_context should only be used for CPU PMU. See commit 26657848502b ("perf/core: Verify we have a single perf_hw_context PMU"). So for trace_imc, even though it is per thread PMU, it is preferred to use sw_context in order to be able to do application level monitoring. Hence change the task_ctx_nr to use perf_sw_context. Fixes: 012ae244845f ("powerpc/perf: Trace imc PMU functions") Signed-off-by: Athira Rajeev Reviewed-by: Madhavan Srinivasan [mpe: Update subject & incorporate notes into change log, reflow comment] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220202041837.65968-1-atrajeev@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit c18b538617967581087fb946a556db42949b3ac4 Author: Fabiano Rosas Date: Tue Jan 25 12:57:32 2022 -0300 KVM: PPC: Book3S HV: Check return value of kvmppc_radix_init [ Upstream commit 69ab6ac380a00244575de02c406dcb9491bf3368 ] The return of the function is being shadowed by the call to kvmppc_uvmem_init. Fixes: ca9f4942670c ("KVM: PPC: Book3S HV: Support for running secure guests") Signed-off-by: Fabiano Rosas Reviewed-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220125155735.1018683-2-farosas@linux.ibm.com Signed-off-by: Sasha Levin commit 8b64c158a07bd64054b53a95db5f3103a9809675 Author: Maxim Kiselev Date: Fri Jan 21 12:14:47 2022 +0300 powerpc: dts: t1040rdb: fix ports names for Seville Ethernet switch [ Upstream commit 5ebb74749202a25da4b3cc2eb15470225a05527c ] On board rev A, the network interface labels for the switch ports written on the front panel are different than on rev B and later. This patch fixes network interface names for the switch ports according to labels that are written on the front panel of the board rev B. They start from ETH3 and end at ETH10. This patch also introduces a separate device tree for rev A. The main device tree is supposed to cover rev B and later. Fixes: e69eb0824d8c ("powerpc: dts: t1040rdb: add ports for Seville Ethernet switch") Signed-off-by: Maxim Kiselev Reviewed-by: Maxim Kochetkov Reviewed-by: Vladimir Oltean Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220121091447.3412907-1-bigunclemax@gmail.com Signed-off-by: Sasha Levin commit be703360ed355bdac1f3b472ebeb9c1a33e49b96 Author: Jiasheng Jiang Date: Thu Dec 30 10:29:26 2021 +0800 ray_cs: Check ioremap return value [ Upstream commit 7e4760713391ee46dc913194b33ae234389a174e ] As the possible failure of the ioremap(), the 'local->sram' and other two could be NULL. Therefore it should be better to check it in order to avoid the later dev_dbg. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jiasheng Jiang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211230022926.1846757-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit 43f2fe2a6995f835a51eabd3be1773d7fc6d7b8b Author: Miaoqian Lin Date: Thu Jan 20 10:46:54 2022 +0000 power: reset: gemini-poweroff: Fix IRQ check in gemini_poweroff_probe [ Upstream commit ba18dad0fb880cd29aa97b6b75560ef14d1061ba ] platform_get_irq() returns negative error number instead 0 on failure. And the doc of platform_get_irq() provides a usage example: int irq = platform_get_irq(pdev, 0); if (irq < 0) return irq; Fix the check of return value to catch errors correctly. Fixes: f7a388d6cd1c ("power: reset: Add a driver for the Gemini poweroff") Signed-off-by: Miaoqian Lin Reviewed-by: Linus Walleij Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit da71a1483b6c04e45d4eb6ac4eb9caffb0061975 Author: Alexander Lobakin Date: Wed Dec 8 15:06:55 2021 +0100 i40e: respect metadata on XSK Rx to skb [ Upstream commit 6dba29537c0f639b482bd8f8bbd50ab4ae74b48d ] For now, if the XDP prog returns XDP_PASS on XSK, the metadata will be lost as it doesn't get copied to the skb. Copy it along with the frame headers. Account its size on skb allocation, and when copying just treat it as a part of the frame and do a pull after to "move" it to the "reserved" zone. net_prefetch() xdp->data_meta and align the copy size to speed-up memcpy() a little and better match i40e_construct_skb(). Fixes: 0a714186d3c0 ("i40e: add AF_XDP zero-copy Rx support") Suggested-by: Jesper Dangaard Brouer Suggested-by: Maciej Fijalkowski Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Tested-by: Kiran Bhandare Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit b2e48cd14110fff7d4b3552515dc73f09eaa76a7 Author: Alexander Lobakin Date: Wed Dec 8 15:06:54 2021 +0100 i40e: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb [ Upstream commit bc97f9c6f988b31b728eb47a94ca825401dbeffe ] {__,}napi_alloc_skb() allocates and reserves additional NET_SKB_PAD + NET_IP_ALIGN for any skb. OTOH, i40e_construct_skb_zc() currently allocates and reserves additional `xdp->data - xdp->data_hard_start`, which is XDP_PACKET_HEADROOM for XSK frames. There's no need for that at all as the frame is post-XDP and will go only to the networking stack core. Pass the size of the actual data only to __napi_alloc_skb() and don't reserve anything. This will give enough headroom for stack processing. Fixes: 0a714186d3c0 ("i40e: add AF_XDP zero-copy Rx support") Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Acked-by: Jesper Dangaard Brouer Tested-by: Kiran Bhandare Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit e8fe653fa7c63fc6fc6ad9016c84515298db8c60 Author: Fabiano Rosas Date: Tue Jan 25 18:56:52 2022 -0300 KVM: PPC: Fix vmx/vsx mixup in mmio emulation [ Upstream commit b99234b918c6e36b9aa0a5b2981e86b6bd11f8e2 ] The MMIO emulation code for vector instructions is duplicated between VSX and VMX. When emulating VMX we should check the VMX copy size instead of the VSX one. Fixes: acc9eb9305fe ("KVM: PPC: Reimplement LOAD_VMX/STORE_VMX instruction ...") Signed-off-by: Fabiano Rosas Reviewed-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220125215655.1026224-3-farosas@linux.ibm.com Signed-off-by: Sasha Levin commit 11cb9eba06c8f08305a8989086dedb271849f1a2 Author: Maor Gottlieb Date: Tue Jan 18 09:35:02 2022 +0200 RDMA/core: Set MR type in ib_reg_user_mr [ Upstream commit 32a88d16615c2be295571c29273c4ac94cb75309 ] Add missing assignment of MR type to IB_MR_TYPE_USER. Fixes: 33006bd4f37f ("IB/core: Introduce ib_reg_user_mr") Link: https://lore.kernel.org/r/be2e91bcd6e52dc36be289ae92f30d3a5cc6dcb1.1642491047.git.leonro@nvidia.com Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 11f11ac281f0c0b363d2940204f28bae0422ed71 Author: Pavel Skripkin Date: Wed Jan 19 10:52:37 2022 +0200 ath9k_htc: fix uninit value bugs [ Upstream commit d1e0df1c57bd30871dd1c855742a7c346dbca853 ] Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing field initialization. In htc_connect_service() svc_meta_len and pad are not initialized. Based on code it looks like in current skb there is no service data, so simply initialize svc_meta_len to 0. htc_issue_send() does not initialize htc_frame_hdr::control array. Based on firmware code, it will initialize it by itself, so simply zero whole array to make KMSAN happy Fail logs: BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline] hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline] htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275 ... Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [inline] htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258 ... Bytes 4-7 of 18 are uninitialized Memory access of size 18 starts at ffff888027377e00 BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline] hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline] htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275 ... Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [inline] htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258 ... Bytes 16-17 of 18 are uninitialized Memory access of size 18 starts at ffff888027377e00 Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") Reported-by: syzbot+f83a1df1ed4f67e8d8ad@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220115122733.11160-1-paskripkin@gmail.com Signed-off-by: Sasha Levin commit 6e669baa3363406c4f600bce95756e58123b19c4 Author: Tom Rix Date: Mon Jan 24 12:18:12 2022 -0800 drm/amd/pm: return -ENOTSUPP if there is no get_dpm_ultimate_freq function [ Upstream commit 430e6a0212b2a0eb1de5e9d47a016fa79edf3978 ] clang static analysis reports this represenative problem amdgpu_smu.c:144:18: warning: The left operand of '*' is a garbage value return clk_freq * 100; ~~~~~~~~ ^ If there is no get_dpm_ultimate_freq function, smu_get_dpm_freq_range returns success without setting the output min,max parameters. So return an -ENOTSUPP error. Fixes: e5ef784b1e17 ("drm/amd/powerplay: revise calling chain on retrieving frequency range") Signed-off-by: Tom Rix Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 19a7eba284790cfbba2945deb2363cf03ce41648 Author: Zhou Qingyang Date: Tue Jan 25 00:57:29 2022 +0800 drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes() [ Upstream commit 588a70177df3b1777484267584ef38ab2ca899a2 ] In amdgpu_dm_connector_add_common_modes(), amdgpu_dm_create_common_mode() is assigned to mode and is passed to drm_mode_probed_add() directly after that. drm_mode_probed_add() passes &mode->head to list_add_tail(), and there is a dereference of it in list_add_tail() without recoveries, which could lead to NULL pointer dereference on failure of amdgpu_dm_create_common_mode(). Fix this by adding a NULL check of mode. This bug was found by a static analyzer. Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code. Fixes: e7b07ceef2a6 ("drm/amd/display: Merge amdgpu_dm_types and amdgpu_dm") Signed-off-by: Zhou Qingyang Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 9abee51534113368479bdb334472147f5a1780b1 Author: Zhou Qingyang Date: Tue Jan 25 00:58:55 2022 +0800 drm/nouveau/acr: Fix undefined behavior in nvkm_acr_hsfw_load_bl() [ Upstream commit 2343bcdb4747d4f418a4daf2e898b94f86c24a59 ] In nvkm_acr_hsfw_load_bl(), the return value of kmalloc() is directly passed to memcpy(), which could lead to undefined behavior on failure of kmalloc(). Fix this bug by using kmemdup() instead of kmalloc()+memcpy(). This bug was found by a static analyzer. Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code. Fixes: 22dcda45a3d1 ("drm/nouveau/acr: implement new subdev to replace "secure boot"") Signed-off-by: Zhou Qingyang Reviewed-by: Lyude Paul Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20220124165856.57022-1-zhou1615@umn.edu Signed-off-by: Sasha Levin commit 47402eaf888e03d59c9294555f3d3cad1f810810 Author: Shannon Nelson Date: Mon Jan 24 10:52:57 2022 -0800 ionic: fix type complaint in ionic_dev_cmd_clean() [ Upstream commit bc0bf9de6f48268f4ee59e57fb42ac751be3ecda ] Sparse seems to have gotten a little more picky lately and we need to revisit this bit of code to make sparse happy. warning: incorrect type in initializer (different address spaces) expected union ionic_dev_cmd_regs *regs got union ionic_dev_cmd_regs [noderef] __iomem *dev_cmd_regs warning: incorrect type in argument 2 (different address spaces) expected void [noderef] __iomem * got unsigned int * warning: incorrect type in argument 1 (different address spaces) expected void volatile [noderef] __iomem * got union ionic_dev_cmd * Fixes: d701ec326a31 ("ionic: clean up sparse complaints") Signed-off-by: Shannon Nelson Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1ba10e5c39d41ad2c410d9db13ca2bcbbc0286a2 Author: Maxime Ripard Date: Thu Jan 20 16:16:11 2022 +0100 drm/edid: Don't clear formats if using deep color [ Upstream commit 75478b3b393bcbdca4e6da76fe3a9f1a4133ec5d ] The current code, when parsing the EDID Deep Color depths, that the YUV422 cannot be used, referring to the HDMI 1.3 Specification. This specification, in its section 6.2.4, indeed states: For each supported Deep Color mode, RGB 4:4:4 shall be supported and optionally YCBCR 4:4:4 may be supported. YCBCR 4:2:2 is not permitted for any Deep Color mode. This indeed can be interpreted like the code does, but the HDMI 1.4 specification further clarifies that statement in its section 6.2.4: For each supported Deep Color mode, RGB 4:4:4 shall be supported and optionally YCBCR 4:4:4 may be supported. YCBCR 4:2:2 is also 36-bit mode but does not require the further use of the Deep Color modes described in section 6.5.2 and 6.5.3. This means that, even though YUV422 can be used with 12 bit per color, it shouldn't be treated as a deep color mode. This is also broken with YUV444 if it's supported by the display, but DRM_EDID_HDMI_DC_Y444 isn't set. In such a case, the code will clear color_formats of the YUV444 support set previously in drm_parse_cea_ext(), but will not set it back. Since the formats supported are already setup properly in drm_parse_cea_ext(), let's just remove the code modifying the formats in drm_parse_hdmi_deep_color_info() Fixes: d0c94692e0a3 ("drm/edid: Parse and handle HDMI deep color modes.") Signed-off-by: Maxime Ripard Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20220120151625.594595-3-maxime@cerno.tech Signed-off-by: Sasha Levin commit d99e7feaed4c715e7ac974866905b6919cfda8cd Author: Dario Binacchi Date: Tue Jan 18 10:54:32 2022 +0100 mtd: rawnand: gpmi: fix controller timings setting [ Upstream commit 2970bf5a32f079e1e9197411db4fe9faccb1503a ] Set the controller registers according to the real clock rate. The controller registers configuration (setup, hold, timeout, ... cycles) depends on the clock rate of the GPMI. Using the real rate instead of the ideal one, avoids that this inaccuracy (required_rate - real_rate) affects the registers setting. This patch has been tested on two custom boards with i.MX28 and i.MX6 SOCs: - i.MX28: required rate 100MHz, real rate 99.3MHz - i.MX6 required rate 100MHz, real rate 99MHz Fixes: b1206122069a ("mtd: rawnand: gpmi: use core timings instead of an empirical derivation") Co-developed-by: Michael Trimarchi Signed-off-by: Michael Trimarchi Signed-off-by: Dario Binacchi Tested-by: Sascha Hauer Reviewed-by: Sascha Hauer Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220118095434.35081-3-dario.binacchi@amarulasolutions.com Signed-off-by: Sasha Levin commit 364b2eee6233badedbb3745522c6e5eb5d3a60f3 Author: Jiasheng Jiang Date: Wed Jan 5 00:26:58 2022 +0800 mtd: onenand: Check for error irq [ Upstream commit 3e68f331c8c759c0daa31cc92c3449b23119a215 ] For the possible failure of the platform_get_irq(), the returned irq could be error number and will finally cause the failure of the request_irq(). Consider that platform_get_irq() can now in certain cases return -EPROBE_DEFER, and the consequences of letting request_irq() effectively convert that into -EINVAL, even at probe time rather than later on. So it might be better to check just now. Fixes: 2c22120fbd01 ("MTD: OneNAND: interrupt based wait support") Signed-off-by: Jiasheng Jiang Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220104162658.1988142-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit 96ea88eb9ba349c92be458e4e69031eb7c014091 Author: Pavel Skripkin Date: Thu Jan 13 16:27:04 2022 +0300 Bluetooth: hci_serdev: call init_rwsem() before p->open() [ Upstream commit 9d7cbe2b9cf5f650067df4f402fdd799d4bbb4e1 ] kvartet reported, that hci_uart_tx_wakeup() uses uninitialized rwsem. The problem was in wrong place for percpu_init_rwsem() call. hci_uart_proto::open() may register a timer whose callback may call hci_uart_tx_wakeup(). There is a chance, that hci_uart_register_device() thread won't be fast enough to call percpu_init_rwsem(). Fix it my moving percpu_init_rwsem() call before p->open(). INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 2 PID: 18524 Comm: syz-executor.5 Not tainted 5.16.0-rc6 #9 ... Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 assign_lock_key kernel/locking/lockdep.c:951 [inline] register_lock_class+0x148d/0x1950 kernel/locking/lockdep.c:1263 __lock_acquire+0x106/0x57e0 kernel/locking/lockdep.c:4906 lock_acquire kernel/locking/lockdep.c:5637 [inline] lock_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5602 percpu_down_read_trylock include/linux/percpu-rwsem.h:92 [inline] hci_uart_tx_wakeup+0x12e/0x490 drivers/bluetooth/hci_ldisc.c:124 h5_timed_event+0x32f/0x6a0 drivers/bluetooth/hci_h5.c:188 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421 Fixes: d73e17281665 ("Bluetooth: hci_serdev: Init hci_uart proto_lock to avoid oops") Reported-by: Yiru Xu Signed-off-by: Pavel Skripkin Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit b267a8118c2b171bf7d67b90ed64154eeab9fae0 Author: Pavel Skripkin Date: Thu Dec 30 17:26:49 2021 +0300 udmabuf: validate ubuf->pagecount [ Upstream commit 2b6dd600dd72573c23ea180b5b0b2f1813405882 ] Syzbot has reported GPF in sg_alloc_append_table_from_pages(). The problem was in ubuf->pages == ZERO_PTR. ubuf->pagecount is calculated from arguments passed from user-space. If user creates udmabuf with list.size == 0 then ubuf->pagecount will be also equal to zero; it causes kmalloc_array() to return ZERO_PTR. Fix it by validating ubuf->pagecount before passing it to kmalloc_array(). Fixes: fbb0de795078 ("Add udmabuf misc device") Reported-and-tested-by: syzbot+2c56b725ec547fa9cb29@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Link: http://patchwork.freedesktop.org/patch/msgid/20211230142649.23022-1-paskripkin@gmail.com Signed-off-by: Gerd Hoffmann Signed-off-by: Sasha Levin commit 56722aa77b3bb9b53882182cb424514ed4287198 Author: Yafang Shao Date: Sat Jan 8 13:47:39 2022 +0000 libbpf: Fix possible NULL pointer dereference when destroying skeleton [ Upstream commit a32ea51a3f17ce6524c9fc19d311e708331c8b5f ] When I checked the code in skeleton header file generated with my own bpf prog, I found there may be possible NULL pointer dereference when destroying skeleton. Then I checked the in-tree bpf progs, finding that is a common issue. Let's take the generated samples/bpf/xdp_redirect_cpu.skel.h for example. Below is the generated code in xdp_redirect_cpu__create_skeleton(): xdp_redirect_cpu__create_skeleton struct bpf_object_skeleton *s; s = (struct bpf_object_skeleton *)calloc(1, sizeof(*s)); if (!s) goto error; ... error: bpf_object__destroy_skeleton(s); return -ENOMEM; After goto error, the NULL 's' will be deferenced in bpf_object__destroy_skeleton(). We can simply fix this issue by just adding a NULL check in bpf_object__destroy_skeleton(). Fixes: d66562fba1ce ("libbpf: Add BPF object skeleton support") Signed-off-by: Yafang Shao Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220108134739.32541-1-laoar.shao@gmail.com Signed-off-by: Sasha Levin commit 4a9c268a404456ea2384298e9620dfd023bf503f Author: Jiasheng Jiang Date: Thu Jan 6 11:03:26 2022 +0800 drm/panfrost: Check for error num after setting mask [ Upstream commit 44ab30b056149bd59dd7989a593dd25ead6007fd ] Because of the possible failure of the dma_supported(), the dma_set_mask_and_coherent() may return error num. Therefore, it should be better to check it and return the error if fails. Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver") Signed-off-by: Jiasheng Jiang [Steve: fix Fixes: line] Reviewed-by: Steven Price Signed-off-by: Steven Price Link: https://patchwork.freedesktop.org/patch/msgid/20220106030326.2620942-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit 5d1114ede5a1dfca02a59a8282f7b4cf38029454 Author: Wen Gong Date: Mon Jan 10 16:24:13 2022 +0200 ath10k: fix memory overwrite of the WoWLAN wakeup packet pattern [ Upstream commit e3fb3d4418fce5484dfe7995fcd94c18b10a431a ] In function ath10k_wow_convert_8023_to_80211(), it will do memcpy for the new->pattern, and currently the new->pattern and new->mask is same with the old, then the memcpy of new->pattern will also overwrite the old->pattern, because the header format of new->pattern is 802.11, its length is larger than the old->pattern which is 802.3. Then the operation of "Copy frame body" will copy a mistake value because the body memory has been overwrite when memcpy the new->pattern. Assign another empty value to new_pattern to avoid the overwrite issue. Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049 Fixes: fa3440fa2fa1 ("ath10k: convert wow pattern from 802.3 to 802.11") Signed-off-by: Wen Gong Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211222031347.25463-1-quic_wgong@quicinc.com Signed-off-by: Sasha Levin commit fb2be762a49bea1fe5febfe8eb55167f205334b9 Author: Jagan Teki Date: Sun Jan 9 22:59:49 2022 +0530 drm: bridge: adv7511: Fix ADV7535 HPD enablement [ Upstream commit 3dbc84a595d17f64f14fcea00120d31e33e98880 ] Existing HPD enablement logic is not compatible with ADV7535 bridge, thus any runtime plug-in of HDMI cable is not working on these bridge designs. Unlike other ADV7511 family of bridges, the ADV7535 require HPD_OVERRIDE bit to set and reset for proper handling of HPD functionality. Fix it. Fixes: 8501fe4b14a3 ("drm: bridge: adv7511: Add support for ADV7535") Signed-off-by: Jagan Teki Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220109172949.168167-1-jagan@amarulasolutions.com Reviewed-by: Robert Foss Signed-off-by: Sasha Levin commit d9d61beb21d703e0d2d93314ca0b70d63c210378 Author: Miaoqian Lin Date: Wed Jan 5 10:48:26 2022 +0000 drm/bridge: nwl-dsi: Fix PM disable depth imbalance in nwl_dsi_probe [ Upstream commit b146e343a9e05605b491b1bf4a2b62a39d5638d8 ] The pm_runtime_enable will increase power disable depth. Thus a pairing decrement is needed on the error handling path to keep it balanced according to context. Fixes: 44cfc6233447 ("drm/bridge: Add NWL MIPI DSI host controller support") Signed-off-by: Miaoqian Lin Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220105104826.1418-1-linmq006@gmail.com Reviewed-by: Robert Foss Signed-off-by: Sasha Levin commit 064e7f75325c2425de0eeba2aebed326b700612d Author: Miaoqian Lin Date: Wed Jan 5 10:41:09 2022 +0000 drm/bridge: Add missing pm_runtime_disable() in __dw_mipi_dsi_probe [ Upstream commit 96211b7c56b109a52768e6cc5e23a1f79316eca0 ] If the probe fails, we should use pm_runtime_disable() to balance pm_runtime_enable(). Add missing pm_runtime_disable() for __dw_mipi_dsi_probe. Fixes: 46fc51546d44 ("drm/bridge/synopsys: Add MIPI DSI host controller bridge") Signed-off-by: Miaoqian Lin Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220105104113.31415-1-linmq006@gmail.com Reviewed-by: Robert Foss Signed-off-by: Sasha Levin commit d8db734df6e62c5cff6d7a3a1936f4831fac8bfc Author: Miaoqian Lin Date: Mon Dec 27 09:25:22 2021 +0000 drm/bridge: Fix free wrong object in sii8620_init_rcp_input_dev [ Upstream commit 7c442e76c06cb1bef16a6c523487438175584eea ] rc_dev is allocated by rc_allocate_device(), and doesn't assigned to ctx->rc_dev before calling rc_free_device(ctx->rc_dev). So it should call rc_free_device(rc_dev); Fixes: e25f1f7c94e1 ("drm/bridge/sii8620: add remote control support") Signed-off-by: Miaoqian Lin Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20211227092522.21755-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit ec3924eab53343c6f18224951f0a84ffd4276f42 Author: Martin Blumenstingl Date: Fri Dec 31 00:55:14 2021 +0100 drm/meson: osd_afbcd: Add an exit callback to struct meson_afbcd_ops [ Upstream commit 04b8a5d9cfd171f65df75f444b5617a372649edd ] Use this to simplify the driver shutdown. It will also come handy when fixing the error handling in meson_drv_bind_master(). Signed-off-by: Martin Blumenstingl Fixes: d1b5e41e13a7e9 ("drm/meson: Add AFBCD module driver") Acked-by: Neil Armstrong Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20211230235515.1627522-2-martin.blumenstingl@googlemail.com Signed-off-by: Sasha Levin commit a1c665f5b7f9c8a7f2fe62b9076c8e4e3ea7a948 Author: Andre Przywara Date: Thu Mar 17 18:30:40 2022 +0000 ARM: configs: multi_v5_defconfig: re-enable CONFIG_V4L_PLATFORM_DRIVERS [ Upstream commit f5eb04d7a0e419d61f784de3ced708259ddb71d7 ] Commit 06b93644f4d1 ("media: Kconfig: add an option to filter in/out platform drivers") introduced CONFIG_MEDIA_PLATFORM_SUPPORT, to allow more fine grained control over the inclusion of certain Kconfig files. multi_v5_defconfig was selecting some drivers described in drivers/media/platform/Kconfig, which now wasn't included anymore. Explicitly set the new symbol in multi_v5_defconfig to bring those drivers back. This enables some new V4L2 and VIDEOBUF2 features, but as modules only. Fixes: 06b93644f4d1 ("media: Kconfig: add an option to filter in/out platform drivers") Signed-off-by: Andre Przywara Link: https://lore.kernel.org/r/20220317183043.948432-3-andre.przywara@arm.com' Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 1f24716e38220fc9e52e208d20591d2bc9b7f020 Author: Miaoqian Lin Date: Wed Mar 16 08:36:31 2022 +0000 ASoC: codecs: wcd934x: Add missing of_node_put() in wcd934x_codec_parse_data [ Upstream commit 9531a631379169d57756b2411178c6238655df88 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This is similar to commit 64b92de9603f ("ASoC: wcd9335: fix a leaked reference by adding missing of_node_put") Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220316083631.14103-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit abefbf602c6a3c0ea5e9f87e91049915206e8f95 Author: Miaoqian Lin Date: Wed Mar 16 04:19:24 2022 +0000 ASoC: msm8916-wcd-analog: Fix error handling in pm8916_wcd_analog_spmi_probe [ Upstream commit 9ebd62d60edcd4d9c75485e5ccd0b79581ad3c49 ] In the error handling path, the clk_prepare_enable() function call should be balanced by a corresponding 'clk_disable_unprepare()' call , as already done in the remove function. Fixes: de66b3455023 ("ASoC: codecs: msm8916-wcd-analog: add MBHC support") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220316041924.17560-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 90ac679aa6a01841da90ec5a4aaa4b5e0badddf0 Author: Miaoqian Lin Date: Wed Mar 16 11:15:30 2022 +0000 ASoC: atmel: Fix error handling in sam9x5_wm8731_driver_probe [ Upstream commit 740dc3e846537c3743da98bf106f376023fd085c ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This function only calls of_node_put() in the regular path. And it will cause refcount leak in error path. Fixes: fdbcb3cba54b ("ASoC: atmel: machine driver for at91sam9x5-wm8731 boards") Signed-off-by: Miaoqian Lin Reviewed-by: Codrin Ciubotariu Link: https://lore.kernel.org/r/20220316111530.4551-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ec26e3ce3c711a41a088d984c85c5d6b2f8208f7 Author: Yang Yingliang Date: Wed Jun 2 22:16:19 2021 +0800 ASoC: atmel: sam9x5_wm8731: use devm_snd_soc_register_card() [ Upstream commit 6522a8486c00d130a32a57c6c8a365572958b4df ] Using devm_snd_soc_register_card() can make the code shorter and cleaner. Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20210602141619.323286-1-yangyingliang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 541251b90338b9e804db5094faa2a567c9a44ccb Author: Jiasheng Jiang Date: Tue Mar 8 15:14:15 2022 +0800 mmc: davinci_mmc: Handle error for clk_enable [ Upstream commit 09e7af76db02c74f2a339b3cb2d95460fa2ddbe4 ] As the potential failure of the clk_enable(), it should be better to check it and return error if fails. Fixes: bbce5802afc5 ("davinci: mmc: updates to suspend/resume implementation") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220308071415.1093393-1-jiasheng@iscas.ac.cn Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 19eb5c7957e6acf90c09a74230f113cbb35dbf9c Author: Miaoqian Lin Date: Mon Mar 7 08:45:22 2022 +0000 ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in msm8916_wcd_digital_probe [ Upstream commit 375a347da4889f64d86e1ab7f4e6702b6e9bf299 ] Fix the missing clk_disable_unprepare() before return from msm8916_wcd_digital_probe in the error handling case. Fixes: 150db8c5afa1 ("ASoC: codecs: Add msm8916-wcd digital codec") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220307084523.28687-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 42042c7a3ddb4eb928061d03ebb34160153cc45c Author: Wang Wensheng Date: Thu Mar 10 09:19:02 2022 +0000 ASoC: imx-es8328: Fix error return code in imx_es8328_probe() [ Upstream commit 3b891513f95cba3944e72c1139ea706d04f3781b ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 7e7292dba215 ("ASoC: fsl: add imx-es8328 machine driver") Signed-off-by: Wang Wensheng Link: https://lore.kernel.org/r/20220310091902.129299-1-wangwensheng4@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit fe4db4ea210462f440a0c33fab12313be5340c3d Author: Shengjiu Wang Date: Thu Mar 10 10:37:43 2022 +0800 ASoC: fsl_spdif: Disable TX clock when stop [ Upstream commit 6ddf611219ba8f7c8fa0d26b39710a641e7d37a5 ] The TX clock source may be changed in next case, need to disable it when stop, otherwise the TX may not work after changing the clock source, error log is: aplay: pcm_write:2058: write error: Input/output error Fixes: a2388a498ad2 ("ASoC: fsl: Add S/PDIF CPU DAI driver") Signed-off-by: Shengjiu Wang Reviewed-by: Fabio Estevam Link: https://lore.kernel.org/r/1646879863-27711-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 86b6cf989437e694fd0a15782b5a513853a739e0 Author: Miaoqian Lin Date: Tue Mar 8 02:01:44 2022 +0000 ASoC: mxs: Fix error handling in mxs_sgtl5000_probe [ Upstream commit 6ae0a4d8fec551ec581d620f0eb1fe31f755551c ] This function only calls of_node_put() in the regular path. And it will cause refcount leak in error paths. For example, when codec_np is NULL, saif_np[0] and saif_np[1] are not NULL, it will cause leaks. of_node_put() will check if the node pointer is NULL, so we can call it directly to release the refcount of regular pointers. Fixes: e968194b45c4 ("ASoC: mxs: add device tree support for mxs-sgtl5000") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220308020146.26496-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c8c981cfc06dead13829a1bd89effc8b131a3ac8 Author: Codrin Ciubotariu Date: Mon Mar 7 14:21:57 2022 +0200 ASoC: dmaengine: do not use a NULL prepare_slave_config() callback [ Upstream commit 9a1e13440a4f2e7566fd4c5eae6a53e6400e08a4 ] Even if struct snd_dmaengine_pcm_config is used, prepare_slave_config() callback might not be set. Check if this callback is set before using it. Fixes: fa654e085300 ("ASoC: dmaengine-pcm: Provide default config") Signed-off-by: Codrin Ciubotariu Link: https://lore.kernel.org/r/20220307122202.2251639-2-codrin.ciubotariu@microchip.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f452cff02531cbc423a61a99cfec62da1ae64363 Author: Miaoqian Lin Date: Tue Mar 8 02:33:23 2022 +0000 ASoC: SOF: Add missing of_node_put() in imx8m_probe [ Upstream commit 5575f7f49134c7386a684335c9007737c606d3b5 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: afb93d716533 ("ASoC: SOF: imx: Add i.MX8M HW support") Signed-off-by: Miaoqian Lin Reviewed-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20220308023325.31702-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0d82401d4650bc53cf3b54fc5dab6902d684f20b Author: Miaoqian Lin Date: Mon Mar 7 08:35:52 2022 +0000 ASoC: rockchip: i2s: Fix missing clk_disable_unprepare() in rockchip_i2s_probe [ Upstream commit f725d20579807a68afbe5dba69e78b8fa05f5ef0 ] Fix the missing clk_disable_unprepare() before return from rockchip_i2s_probe() in the error handling case. Fixes: 01605ad12875 ("ASoC: rockchip-i2s: enable "hclk" for rockchip I2S controller") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220307083553.26009-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7e8b0fd0ebe000f0379fbe9e6264f0cbe7395ec1 Author: Yang Yingliang Date: Tue Jun 15 22:15:00 2021 +0800 ASoC: rockchip: i2s: Use devm_platform_get_and_ioremap_resource() [ Upstream commit 4ffbcd4ab0b6f77d29acde69dc25bd95318fae5e ] Use devm_platform_get_and_ioremap_resource() to simplify code. Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20210615141502.1683686-1-yangyingliang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b5664a584ea2e03035211da4f8b16dcd4a8e8eee Author: Hans Verkuil Date: Sun Mar 6 12:29:11 2022 +0100 ivtv: fix incorrect device_caps for ivtvfb [ Upstream commit 25e94139218c0293b4375233c14f2256d7dcfaa8 ] The VIDIOC_G_FBUF and related overlay ioctls no longer worked (-ENOTTY was returned). The root cause was the introduction of the caps field in ivtv-driver.h. While loading the ivtvfb module would update the video_device device_caps field with V4L2_CAP_VIDEO_OUTPUT_OVERLAY it would not update that caps field, and that's what the overlay ioctls would look at. It's a bad idea to keep information in two places, so drop the caps field and only use vdev.device_caps. Signed-off-by: Hans Verkuil Reported-by: Martin Dauskardt Fixes: 2161536516ed (media: media/pci: set device_caps in struct video_device) Signed-off-by: Sasha Levin commit ebd4f1501e0be05d36dc2a114af5b3067c41eadb Author: Jakob Koschel Date: Mon Feb 28 15:26:26 2022 +0100 media: saa7134: fix incorrect use to determine if list is empty [ Upstream commit 9f1f4b642451d35667a4dc6a9c0a89d954b530a3 ] 'dev' will *always* be set by list_for_each_entry(). It is incorrect to assume that the iterator value will be NULL if the list is empty. Instead of checking the pointer it should be checked if the list is empty. Fixes: 79dd0c69f05f ("V4L: 925: saa7134 alsa is now a standalone module") Signed-off-by: Jakob Koschel Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit dd67315994c4ace500fce779699477597d59f2a4 Author: Yang Yingliang Date: Wed Jun 16 10:36:45 2021 +0200 media: saa7134: convert list_for_each to entry variant [ Upstream commit 3f3475a5c77e9eabab43537f713b90f1d19258b7 ] Convert list_for_each() to list_for_each_entry() where applicable. Signed-off-by: Yang Yingliang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 066d9b48f9492662946af933b3cada42f2a13f62 Author: Miaoqian Lin Date: Mon Mar 7 12:38:12 2022 +0000 video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of [ Upstream commit a58c22cfbbf62fefca090334bbd35fd132e92a23 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb") Signed-off-by: Miaoqian Lin Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 20da8404e46468ba18f6a46fdc7ce7418afbc7af Author: Jiasheng Jiang Date: Wed Mar 2 14:28:44 2022 +0800 ASoC: fsi: Add check for clk_enable [ Upstream commit 405afed8a728f23cfaa02f75bbc8bdd6b7322123 ] As the potential failure of the clk_enable(), it should be better to check it and return error if fails. Fixes: ab6f6d85210c ("ASoC: fsi: add master clock control functions") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220302062844.46869-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit db1c00a025c67a3aad7b6bd36de310bf1c89ba0b Author: Jiasheng Jiang Date: Fri Mar 4 10:38:21 2022 +0800 ASoC: wm8350: Handle error for wm8350_register_irq [ Upstream commit db0350da8084ad549bca16cc0486c11cc70a1f9b ] As the potential failure of the wm8350_register_irq(), it should be better to check it and return error if fails. Also, use 'free_' in order to avoid the same code. Fixes: a6ba2b2dabb5 ("ASoC: Implement WM8350 headphone jack detection") Signed-off-by: Jiasheng Jiang Acked-by: Charles Keepax Link: https://lore.kernel.org/r/20220304023821.391936-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 662ee5ac6b451aa5a27b8eebd397f2f5c7f42cec Author: Miaoqian Lin Date: Mon Mar 7 12:45:39 2022 +0000 ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe [ Upstream commit f590797fa3c1bccdd19e55441592a23b46aef449 ] This node pointer is returned by of_parse_phandle() with refcount incremented in this function. Calling of_node_put() to avoid the refcount leak. Fixes: 531f67e41dcd ("ASoC: at91sam9g20ek-wm8731: convert to dt support") Signed-off-by: Miaoqian Lin Reviewed-by: Codrin Ciubotariu Link: https://lore.kernel.org/r/20220307124539.1743-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 663e7a72871f89f7a10cc8d7b2f17f27c64e071d Author: Jiasheng Jiang Date: Fri Jan 14 07:28:40 2022 +0100 media: vidtv: Check for null return of vzalloc [ Upstream commit e6a21a14106d9718aa4f8e115b1e474888eeba44 ] As the possible failure of the vzalloc(), e->encoder_buf might be NULL. Therefore, it should be better to check it in order to guarantee the success of the initialization. If fails, we need to free not only 'e' but also 'e->name'. Also, if the allocation for ctx fails, we need to free 'e->encoder_buf' else. Fixes: f90cf6079bf6 ("media: vidtv: add a bridge driver") Signed-off-by: Jiasheng Jiang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 4d68603cc4382174bc1e7d532e10675c48c6b257 Author: Dafna Hirschfeld Date: Tue Jan 25 09:02:11 2022 +0100 media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED [ Upstream commit fbe04b49a54e31f4321d632270207f0e6304cd16 ] If the callback 'start_streaming' fails, then all queued buffers in the driver should be returned with state 'VB2_BUF_STATE_QUEUED'. Currently, they are returned with 'VB2_BUF_STATE_ERROR' which is wrong. Fix this. This also fixes the warning: [ 65.583633] WARNING: CPU: 5 PID: 593 at drivers/media/common/videobuf2/videobuf2-core.c:1612 vb2_start_streaming+0xd4/0x160 [videobuf2_common] [ 65.585027] Modules linked in: snd_usb_audio snd_hwdep snd_usbmidi_lib snd_rawmidi snd_soc_hdmi_codec dw_hdmi_i2s_audio saa7115 stk1160 videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc crct10dif_ce panfrost snd_soc_simple_card snd_soc_audio_graph_card snd_soc_spdif_tx snd_soc_simple_card_utils gpu_sched phy_rockchip_pcie snd_soc_rockchip_i2s rockchipdrm analogix_dp dw_mipi_dsi dw_hdmi cec drm_kms_helper drm rtc_rk808 rockchip_saradc industrialio_triggered_buffer kfifo_buf rockchip_thermal pcie_rockchip_host ip_tables x_tables ipv6 [ 65.589383] CPU: 5 PID: 593 Comm: v4l2src0:src Tainted: G W 5.16.0-rc4-62408-g32447129cb30-dirty #14 [ 65.590293] Hardware name: Radxa ROCK Pi 4B (DT) [ 65.590696] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 65.591304] pc : vb2_start_streaming+0xd4/0x160 [videobuf2_common] [ 65.591850] lr : vb2_start_streaming+0x6c/0x160 [videobuf2_common] [ 65.592395] sp : ffff800012bc3ad0 [ 65.592685] x29: ffff800012bc3ad0 x28: 0000000000000000 x27: ffff800012bc3cd8 [ 65.593312] x26: 0000000000000000 x25: ffff00000d8a7800 x24: 0000000040045612 [ 65.593938] x23: ffff800011323000 x22: ffff800012bc3cd8 x21: ffff00000908a8b0 [ 65.594562] x20: ffff00000908a8c8 x19: 00000000fffffff4 x18: ffffffffffffffff [ 65.595188] x17: 000000040044ffff x16: 00400034b5503510 x15: ffff800011323f78 [ 65.595813] x14: ffff000013163886 x13: ffff000013163885 x12: 00000000000002ce [ 65.596439] x11: 0000000000000028 x10: 0000000000000001 x9 : 0000000000000228 [ 65.597064] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff726c5e78 [ 65.597690] x5 : ffff800012bc3990 x4 : 0000000000000000 x3 : ffff000009a34880 [ 65.598315] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000007cd99f0 [ 65.598940] Call trace: [ 65.599155] vb2_start_streaming+0xd4/0x160 [videobuf2_common] [ 65.599672] vb2_core_streamon+0x17c/0x1a8 [videobuf2_common] [ 65.600179] vb2_streamon+0x54/0x88 [videobuf2_v4l2] [ 65.600619] vb2_ioctl_streamon+0x54/0x60 [videobuf2_v4l2] [ 65.601103] v4l_streamon+0x3c/0x50 [videodev] [ 65.601521] __video_do_ioctl+0x1a4/0x428 [videodev] [ 65.601977] video_usercopy+0x320/0x828 [videodev] [ 65.602419] video_ioctl2+0x3c/0x58 [videodev] [ 65.602830] v4l2_ioctl+0x60/0x90 [videodev] [ 65.603227] __arm64_sys_ioctl+0xa8/0xe0 [ 65.603576] invoke_syscall+0x54/0x118 [ 65.603911] el0_svc_common.constprop.3+0x84/0x100 [ 65.604332] do_el0_svc+0x34/0xa0 [ 65.604625] el0_svc+0x1c/0x50 [ 65.604897] el0t_64_sync_handler+0x88/0xb0 [ 65.605264] el0t_64_sync+0x16c/0x170 [ 65.605587] ---[ end trace 578e0ba07742170d ]--- Fixes: 8ac456495a33d ("[media] stk1160: Stop device and unqueue buffers when start_streaming() fails") Signed-off-by: Dafna Hirschfeld Reviewed-by: Ezequiel Garcia Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit b02752d75300af193f59ce4d252cd5a14b543ef5 Author: Randy Dunlap Date: Fri Mar 4 22:40:36 2022 -0800 m68k: coldfire/device.c: only build for MCF_EDMA when h/w macros are defined [ Upstream commit e6e1e7b19fa132d23d09c465942aab4c110d3da9 ] When CONFIG_MCF_EDMA is set (due to COMPILE_TEST, not due to CONFIG_M5441x), coldfire/device.c has compile errors due to missing MCFEDMA_* symbols. In the .config file that was provided, CONFIG_M5206=y, not CONFIG_M5441x, so is not included in coldfire/device.c. Only build the MCF_EDMA code in coldfire/device.c if the MCFEDMA_* hardware macros are defined. Fixes these build errors: ../arch/m68k/coldfire/device.c:512:35: error: 'MCFEDMA_BASE' undeclared here (not in a function); did you mean 'MCFDMA_BASE1'? 512 | .start = MCFEDMA_BASE, ../arch/m68k/coldfire/device.c:513:50: error: 'MCFEDMA_SIZE' undeclared here (not in a function) 513 | .end = MCFEDMA_BASE + MCFEDMA_SIZE - 1, ../arch/m68k/coldfire/device.c:517:35: error: 'MCFEDMA_IRQ_INTR0' undeclared here (not in a function) 517 | .start = MCFEDMA_IRQ_INTR0, ../arch/m68k/coldfire/device.c:523:35: error: 'MCFEDMA_IRQ_INTR16' undeclared here (not in a function) 523 | .start = MCFEDMA_IRQ_INTR16, ../arch/m68k/coldfire/device.c:529:35: error: 'MCFEDMA_IRQ_INTR56' undeclared here (not in a function) 529 | .start = MCFEDMA_IRQ_INTR56, ../arch/m68k/coldfire/device.c:535:35: error: 'MCFEDMA_IRQ_ERR' undeclared here (not in a function) 535 | .start = MCFEDMA_IRQ_ERR, Fixes: d7e9d01ac292 ("m68k: add ColdFire mcf5441x eDMA platform support") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Link: lore.kernel.org/r/202203030252.P752DK46-lkp@intel.com Cc: Angelo Dureghello Cc: Greg Ungerer Cc: Greg Ungerer Cc: Geert Uytterhoeven Cc: linux-m68k@lists.linux-m68k.org Cc: uclinux-dev@uclinux.org Signed-off-by: Greg Ungerer Signed-off-by: Sasha Levin commit 9ca3635a0af486647b1dfe1c9f5dabe4ca6b0427 Author: Rob Herring Date: Fri Mar 4 14:25:58 2022 -0600 arm64: dts: rockchip: Fix SDIO regulator supply properties on rk3399-firefly [ Upstream commit 37cbd3c522869247ed4525b5042ff4c6a276c813 ] A label reference without brackets is a path string, not a phandle as intended. Add the missing brackets. Fixes: a5002c41c383 ("arm64: dts: rockchip: add WiFi module support for Firefly-RK3399") Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220304202559.317749-1-robh@kernel.org Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 7e6f5786621df060f8296f074efd275eaf20361a Author: Takashi Sakamoto Date: Fri Mar 4 21:56:47 2022 +0900 ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction [ Upstream commit bf0cd60b7e33cf221fbe1114e4acb2c828b0af0d ] AV/C deferred transaction was supported at a commit 00a7bb81c20f ("ALSA: firewire-lib: Add support for deferred transaction") while 'deferrable' flag can be uninitialized for non-control/notify AV/C transactions. UBSAN reports it: kernel: ================================================================================ kernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9 kernel: load of value 158 is not a valid value for type '_Bool' kernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P OE 5.15.0-18-generic #18-Ubuntu kernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019 kernel: Call Trace: kernel: kernel: show_stack+0x52/0x58 kernel: dump_stack_lvl+0x4a/0x5f kernel: dump_stack+0x10/0x12 kernel: ubsan_epilogue+0x9/0x45 kernel: __ubsan_handle_load_invalid_value.cold+0x44/0x49 kernel: fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib] kernel: fcp_response+0x28/0x30 [snd_firewire_lib] kernel: fw_core_handle_request+0x230/0x3d0 [firewire_core] kernel: handle_ar_packet+0x1d9/0x200 [firewire_ohci] kernel: ? handle_ar_packet+0x1d9/0x200 [firewire_ohci] kernel: ? transmit_complete_callback+0x9f/0x120 [firewire_core] kernel: ar_context_tasklet+0xa8/0x2e0 [firewire_ohci] kernel: tasklet_action_common.constprop.0+0xea/0xf0 kernel: tasklet_action+0x22/0x30 kernel: __do_softirq+0xd9/0x2e3 kernel: ? irq_finalize_oneshot.part.0+0xf0/0xf0 kernel: do_softirq+0x75/0xa0 kernel: kernel: kernel: __local_bh_enable_ip+0x50/0x60 kernel: irq_forced_thread_fn+0x7e/0x90 kernel: irq_thread+0xba/0x190 kernel: ? irq_thread_fn+0x60/0x60 kernel: kthread+0x11e/0x140 kernel: ? irq_thread_check_affinity+0xf0/0xf0 kernel: ? set_kthread_struct+0x50/0x50 kernel: ret_from_fork+0x22/0x30 kernel: kernel: ================================================================================ This commit fixes the bug. The bug has no disadvantage for the non- control/notify AV/C transactions since the flag has an effect for AV/C response with INTERIM (0x0f) status which is not used for the transactions in AV/C general specification. Fixes: 00a7bb81c20f ("ALSA: firewire-lib: Add support for deferred transaction") Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20220304125647.78430-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 64eee4127c23e29f2645139a3a6564ae4607c2e6 Author: Jia-Ju Bai Date: Fri Feb 25 05:25:52 2022 -0800 memory: emif: check the pointer temp in get_device_details() [ Upstream commit 5b5ab1bfa1898c6d52936a57c25c5ceba2cb2f87 ] The pointer temp is allocated by devm_kzalloc(), so it should be checked for error handling. Fixes: 7ec944538dde ("memory: emif: add basic infrastructure for EMIF driver") Signed-off-by: Jia-Ju Bai Link: https://lore.kernel.org/r/20220225132552.27894-1-baijiaju1990@gmail.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 330a9b0d38e6609dc1cfe52f0b5a24c9ea71db9a Author: Jiasheng Jiang Date: Thu Feb 24 10:54:44 2022 +0800 memory: emif: Add check for setup_interrupts [ Upstream commit fd7bd80b46373887b390852f490f21b07e209498 ] As the potential failure of the devm_request_threaded_irq(), it should be better to check the return value of the setup_interrupts() and return error if fails. Fixes: 68b4aee35d1f ("memory: emif: add interrupt and temperature handling") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220224025444.3256530-1-jiasheng@iscas.ac.cn Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 4639c1d97f385f4784f44d66a3da0672f4951ada Author: Jiasheng Jiang Date: Fri Oct 15 08:13:53 2021 +0000 ASoC: soc-compress: prevent the potentially use of null pointer [ Upstream commit de2c6f98817fa5decb9b7d3b3a8a3ab864c10588 ] There is one call trace that snd_soc_register_card() ->snd_soc_bind_card()->soc_init_pcm_runtime() ->snd_soc_dai_compress_new()->snd_soc_new_compress(). In the trace the 'codec_dai' transfers from card->dai_link, and we can see from the snd_soc_add_pcm_runtime() in snd_soc_bind_card() that, if value of card->dai_link->num_codecs is 0, then 'codec_dai' could be null pointer caused by index out of bound in 'asoc_rtd_to_codec(rtd, 0)'. And snd_soc_register_card() is called by various platforms. Therefore, it is better to add the check in the case of misusing. And because 'cpu_dai' has already checked in soc_init_pcm_runtime(), there is no need to check again. Adding the check as follow, then if 'codec_dai' is null, snd_soc_new_compress() will not pass through the check 'if (playback + capture != 1)', avoiding the leftover use of 'codec_dai'. Fixes: 467fece ("ASoC: soc-dai: move snd_soc_dai_stream_valid() to soc-dai.c") Signed-off-by: Jiasheng Jiang Reported-by: kernel test robot Reported-by: Dan Carpenter Link: https://lore.kernel.org/r/1634285633-529368-1-git-send-email-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a6ee60d4a98f731a0ee2d4b02ddda1846706daf3 Author: Jiasheng Jiang Date: Tue Mar 1 16:47:42 2022 +0800 ASoC: dwc-i2s: Handle errors for clk_enable [ Upstream commit 45ea97d74313bae681328b0c36fa348036777644 ] As the potential failure of the clk_enable(), it should be better to check it, as same as clk_prepare_enable(). Fixes: c9afc1834e81 ("ASoC: dwc: Disallow building designware_pcm as a module") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220301084742.3751939-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 39bee81e30834f3bdf26c56fe219a23b2a540962 Author: Jiasheng Jiang Date: Tue Mar 1 17:06:37 2022 +0800 ASoC: atmel_ssc_dai: Handle errors for clk_enable [ Upstream commit f9e2ca0640e59d19af0ff285ee5591ed39069b09 ] As the potential failure of the clk_enable(), it should be better to check it and return error if fals. Fixes: cbaadf0f90d6 ("ASoC: atmel_ssc_dai: refactor the startup and shutdown") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220301090637.3776558-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit dc947d175c1742755103a8bbdfc84ec8e1ed1688 Author: Jiasheng Jiang Date: Tue Mar 1 16:17:17 2022 +0800 ASoC: mxs-saif: Handle errors for clk_enable [ Upstream commit 2ecf362d220317debf5da376e0390e9f7a3f7b29 ] As the potential failure of the clk_enable(), it should be better to check it, like mxs_saif_trigger(). Fixes: d0ba4c014934 ("ASoC: mxs-saif: set a base clock rate for EXTMASTER mode work") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220301081717.3727190-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a754ea0de369fe61868fd96fe54cc4b3f7d66de6 Author: Randy Dunlap Date: Mon Feb 28 14:05:56 2022 -0800 printk: fix return value of printk.devkmsg __setup handler [ Upstream commit b665eae7a788c5e2bc10f9ac3c0137aa0ad1fc97 ] If an invalid option value is used with "printk.devkmsg=", it is silently ignored. If a valid option value is used, it is honored but the wrong return value (0) is used, indicating that the command line option had an error and was not handled. This string is not added to init's environment strings due to init/main.c::unknown_bootoption() checking for a '.' in the boot option string and then considering that string to be an "Unused module parameter". Print a warning message if a bad option string is used. Always return 1 from the __setup handler to indicate that the command line option has been handled. Fixes: 750afe7babd1 ("printk: add kernel parameter to control writes to /dev/kmsg") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: Borislav Petkov Cc: Andrew Morton Cc: Petr Mladek Cc: Sergey Senozhatsky Cc: Steven Rostedt Cc: John Ogness Reviewed-by: John Ogness Reviewed-by: Sergey Senozhatsky Reviewed-by: Petr Mladek Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20220228220556.23484-1-rdunlap@infradead.org Signed-off-by: Sasha Levin commit 87a265e292f8c87298c8a407a01b5f0e1907a4d5 Author: Frank Wunderlich Date: Tue Mar 1 16:24:18 2022 +0100 arm64: dts: broadcom: Fix sata nodename [ Upstream commit 55927cb44db43a57699fa652e2437a91620385dc ] After converting ahci-platform txt binding to yaml nodename is reported as not matching the standard: arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dt.yaml: ahci@663f2000: $nodename:0: 'ahci@663f2000' does not match '^sata(@.*)?$' Fix it to match binding. Fixes: ac9aae00f0fc ("arm64: dts: Add SATA3 AHCI and SATA3 PHY DT nodes for NS2") Signed-off-by: Frank Wunderlich Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit f63122803d66f3d579272c633dc9131804504423 Author: Kuldeep Singh Date: Mon Feb 28 16:39:03 2022 +0530 arm64: dts: ns2: Fix spi-cpol and spi-cpha property [ Upstream commit c953c764e505428f59ffe6afb1c73b89b5b1ac35 ] Broadcom ns2 platform has spi-cpol and spi-cpho properties set incorrectly. As per spi-slave-peripheral-prop.yaml, these properties are of flag or boolean type and not integer type. Fix the values. Fixes: d69dbd9f41a7c (arm64: dts: Add ARM PL022 SPI DT nodes for NS2) Signed-off-by: Kuldeep Singh CC: Ray Jui CC: Scott Branden CC: Florian Fainelli Signed-off-by: Sasha Levin commit 5d6a0dc6bad495817efcaa32ef209a6b4f86485d Author: Jiasheng Jiang Date: Mon Feb 28 10:28:39 2022 +0800 ALSA: spi: Add check for clk_enable() [ Upstream commit ca1697eb09208f0168d94b88b72f57505339cbe5 ] As the potential failure of the clk_enable(), it should be better to check it and return error if fails. Fixes: 3568459a5113 ("ALSA: at73c213: manage SSC clock") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220228022839.3547266-1-jiasheng@iscas.ac.cn Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 039fae34f8cd906d2aa109f354ea815536872001 Author: Jiasheng Jiang Date: Mon Feb 28 11:15:40 2022 +0800 ASoC: ti: davinci-i2s: Add check for clk_enable() [ Upstream commit ed7c9fef11931fc5d32a83d68017ff390bf5c280 ] As the potential failure of the clk_enable(), it should be better to check it and return error if fails. Fixes: 5f9a50c3e55e ("ASoC: Davinci: McBSP: add device tree support for McBSP") Signed-off-by: Jiasheng Jiang Acked-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20220228031540.3571959-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 94cb9fe5d86ed7e7e2f4e56dbb5aebe8cf7c7b0e Author: Jia-Ju Bai Date: Fri Feb 25 05:10:30 2022 -0800 ASoC: rt5663: check the return value of devm_kzalloc() in rt5663_parse_dp() [ Upstream commit 4d06f92f38b799295ae22c98be7a20cac3e2a1a7 ] The function devm_kzalloc() in rt5663_parse_dp() can fail, so its return value should be checked. Fixes: 457c25efc592 ("ASoC: rt5663: Add the function of impedance sensing") Reported-by: TOTE Robot Signed-off-by: Jia-Ju Bai Link: https://lore.kernel.org/r/20220225131030.27248-1-baijiaju1990@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7ce3e6e1036e98eb3712b29433784061cfa0bbff Author: Arnd Bergmann Date: Tue Feb 15 15:37:37 2022 +0100 uaccess: fix nios2 and microblaze get_user_8() [ Upstream commit a97b693c3712f040c5802f32b2d685352e08cefa ] These two architectures implement 8-byte get_user() through a memcpy() into a four-byte variable, which won't fit. Use a temporary 64-bit variable instead here, and use a double cast the way that risc-v and openrisc do to avoid compile-time warnings. Fixes: 6a090e97972d ("arch/microblaze: support get_user() of size 8 bytes") Fixes: 5ccc6af5e88e ("nios2: Memory management") Reviewed-by: Christoph Hellwig Acked-by: Dinh Nguyen Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 19894751f65785ee8d9cf7d94853c8c1f76bceb7 Author: Srinivas Kandagatla Date: Tue Feb 22 18:32:12 2022 +0000 ASoC: codecs: wcd934x: fix return value of wcd934x_rx_hph_mode_put [ Upstream commit 4b0bec6088588a120d33db85b1f0d9f096d1df71 ] wcd934x_rx_hph_mode_put currently returns zero eventhough it changes the value. Fix this, so that change notifications are sent correctly. Fixes: 1cde8b822332 ("ASoC: wcd934x: add basic controls") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220222183212.11580-10-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f126dcbe707486a50671fd0aad10f3f06f24347c Author: Jernej Skrabec Date: Mon Feb 14 20:08:39 2022 +0100 media: cedrus: h264: Fix neighbour info buffer size [ Upstream commit fecd363ae2d5042553370b0adf60c47e35c34a83 ] According to BSP library source, H264 neighbour info buffer size needs to be 32 kiB for H6. This is similar to H265 decoding, which also needs double buffer size in comparison to older Cedrus core generations. Increase buffer size to cover H6 needs. Since increase is not that big in absolute numbers, it doesn't make sense to complicate logic for older generations. Issue was discovered using iommu and cross checked with BSP library source. Fixes: 6eb9b758e307 ("media: cedrus: Add H264 decoding support") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit c011ae1665f8f589298837728933161d689bec67 Author: Jernej Skrabec Date: Sat Feb 12 08:42:41 2022 +0100 media: cedrus: H265: Fix neighbour info buffer size [ Upstream commit ee8b887329c78971967506f3ac79b9302c9f83c1 ] Neighbour info buffer size needs to be 794 kiB in H6. This is actually already indirectly mentioned in the comment, but smaller size is used nevertheless. Increase buffer size to cover H6 needs. Since increase is not that big in absolute numbers, it doesn't make sense to complicate logic for older generations. Bug was discovered using iommu, which reported access error when trying to play H265 video. Fixes: 86caab29da78 ("media: cedrus: Add HEVC/H.265 decoding support") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 44973633b0064c46083833b55dd0a45e6235f8ca Author: Dan Carpenter Date: Wed Feb 2 20:52:01 2022 +0300 media: usb: go7007: s2250-board: fix leak in probe() [ Upstream commit 67e4550ecd6164bfbdff54c169e5bbf9ccfaf14d ] Call i2c_unregister_device(audio) on this error path. Fixes: d3b2ccd9e307 ("[media] s2250: convert to the control framework") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit ec8a37b2d9a76a9443feb0af95bd06ac3df25444 Author: Dongliang Mu Date: Sat Jan 22 15:44:59 2022 +0800 media: em28xx: initialize refcount before kref_get [ Upstream commit c08eadca1bdfa099e20a32f8fa4b52b2f672236d ] The commit 47677e51e2a4("[media] em28xx: Only deallocate struct em28xx after finishing all extensions") adds kref_get to many init functions (e.g., em28xx_audio_init). However, kref_init is called too late in em28xx_usb_probe, since em28xx_init_dev before will invoke those init functions and call kref_get function. Then refcount bug occurs in my local syzkaller instance. Fix it by moving kref_init before em28xx_init_dev. This issue occurs not only in dev but also dev->dev_next. Fixes: 47677e51e2a4 ("[media] em28xx: Only deallocate struct em28xx after finishing all extensions") Reported-by: syzkaller Signed-off-by: Dongliang Mu Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 1b46f57d516f9d2bcfe24991819d692cdac28c7f Author: Tom Rix Date: Thu Aug 12 19:01:46 2021 +0200 media: video/hdmi: handle short reads of hdmi info frame. [ Upstream commit 4a92fc6e55da5b87cecb572275deaff6ac9dd27e ] Calling hdmi_infoframe_unpack() with static sizeof(buffer) skips all the size checking done later in hdmi_infoframe_unpack(). A better value is the amount of data read into buffer. Fixes: 480b8b3e42c3 ("video/hdmi: Pass buffer size to infoframe unpack functions") Signed-off-by: Tom Rix Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 170ad3942b7b31fcc381270e2a4865febf18709e Author: Marek Vasut Date: Sun Feb 6 23:11:23 2022 +0100 ARM: dts: imx: Add missing LVDS decoder on M53Menlo [ Upstream commit 0c6f71176ea43d6f4003a4d57f7bb518c5ad6145 ] The M53Menlo display unit uses an LVDS-to-DPI bridge, TI DS90CF364A. Describe this bridge in DT, otherwise the DT incorrectly describes DPI panel attached directly to LVDS source. Fixes: 716be61d1869 ("ARM: dts: imx53: Add Menlosystems M53 board") Signed-off-by: Marek Vasut Cc: Shawn Guo Cc: Fabio Estevam Cc: NXP Linux Team Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 2a0eb50d9afd85a15f124ae9c8407f75cd19e7d7 Author: Paul Kocialkowski Date: Sat Feb 5 19:53:24 2022 +0100 ARM: dts: sun8i: v3s: Move the csi1 block to follow address order [ Upstream commit c4af51698c4fb4fc683f2ac67f482cdf9ba2cd13 ] The csi1 block node was mistakenly added before the gic node, although its address comes after the gic's. Move the node to its correct position. Fixes: 90e048101fa1 ("ARM: dts: sun8i: V3/V3s/S3/S3L: add CSI1 device node") Signed-off-by: Paul Kocialkowski Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20220205185429.2278860-2-paul.kocialkowski@bootlin.com Signed-off-by: Sasha Levin commit 77406ac6efe44aba8601ea13a39bc6c5037c0897 Author: Miaoqian Lin Date: Fri Jan 14 06:28:40 2022 +0000 soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe [ Upstream commit c3d66a164c726cc3b072232d3b6d87575d194084 ] platform_get_irq() returns negative error number instead 0 on failure. And the doc of platform_get_irq() provides a usage example: int irq = platform_get_irq(pdev, 0); if (irq < 0) return irq; Fix the check of return value to catch errors correctly. Fixes: cdd5de500b2c ("soc: ti: Add wkup_m3_ipc driver") Signed-off-by: Miaoqian Lin Signed-off-by: Nishanth Menon Acked-by: Dave Gerlach Link: https://lore.kernel.org/r/20220114062840.16620-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 18b2ec361a68b89248a13b22b4d572ccf5d5e54c Author: Christophe JAILLET Date: Thu Dec 23 17:23:00 2021 +0100 firmware: ti_sci: Fix compilation failure when CONFIG_TI_SCI_PROTOCOL is not defined [ Upstream commit 043cfff99a18933fda2fb2e163daee73cc07910b ] Remove an extra ";" which breaks compilation. Fixes: 53bf2b0e4e4c ("firmware: ti_sci: Add support for getting resource with subtype") Signed-off-by: Christophe JAILLET Signed-off-by: Nishanth Menon Link: https://lore.kernel.org/r/e6c3cb793e1a6a2a0ae2528d5a5650dfe6a4b6ff.1640276505.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 8395a17ef6badd38778b63efd4656347ac8953a9 Author: Maulik Shah Date: Sun Jan 9 22:54:58 2022 +0530 arm64: dts: qcom: sm8150: Correct TCS configuration for apps rsc [ Upstream commit 17ac8af678b6da6a8f1df7da8ebf2c5198741827 ] Correct the TCS config by updating the number of TCSes for each type. Cc: devicetree@vger.kernel.org Fixes: d8cf9372b654 ("arm64: dts: qcom: sm8150: Add apps shared nodes") Signed-off-by: Maulik Shah Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/1641749107-31979-2-git-send-email-quic_mkshah@quicinc.com Signed-off-by: Sasha Levin commit d19248e23fbee6ec22bcb3cd94fbf043edbba3fe Author: David Heidelberg Date: Mon Dec 13 20:51:04 2021 +0100 arm64: dts: qcom: sdm845: fix microphone bias properties and values [ Upstream commit 625c24460dbbc3b6c9a148c0a30f0830893fc909 ] replace millivolt with correct microvolt and adjust value to the minimal value allowed by documentation. Found with `make qcom/sdm845-oneplus-fajita.dtb`. Fixes: arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: codec@1: 'qcom,micbias1-microvolt' is a required property From schema: Documentation/devicetree/bindings/sound/qcom,wcd934x.yaml arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: codec@1: 'qcom,micbias2-microvolt' is a required property From schema: Documentation/devicetree/bindings/sound/qcom,wcd934x.yaml arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: codec@1: 'qcom,micbias3-microvolt' is a required property From schema: Documentation/devicetree/bindings/sound/qcom,wcd934x.yaml arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: codec@1: 'qcom,micbias4-microvolt' is a required property From schema: Documentation/devicetree/bindings/sound/qcom,wcd934x.yaml arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: codec@1: 'qcom,micbias1-millivolt', 'qcom,micbias2-millivolt', 'qcom,micbias3-millivolt', 'qcom,micbias4-millivolt' do not match any of the regexes: '^.*@[0-9a-f]+$', 'pinctrl-[0-9]+' Fixes: 27ca1de07dc3 ("arm64: dts: qcom: sdm845: add slimbus nodes") Signed-off-by: David Heidelberg Tested-by: Steev Klimaszewski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211213195105.114596-1-david@ixit.cz Signed-off-by: Sasha Levin commit 2042c6fbfb0fd44a18a1792a1cdabf936a3ae9a5 Author: Daniel Thompson Date: Thu Jan 27 17:35:54 2022 +0000 soc: qcom: aoss: remove spurious IRQF_ONESHOT flags [ Upstream commit 8030cb9a55688c1339edd284d9d6ce5f9fc75160 ] Quoting the header comments, IRQF_ONESHOT is "Used by threaded interrupts which need to keep the irq line disabled until the threaded handler has been run.". When applied to an interrupt that doesn't request a threaded irq then IRQF_ONESHOT has a lesser known (undocumented?) side effect, which it to disable the forced threading of the irq. For "normal" kernels (without forced threading) then, if there is no thread_fn, then IRQF_ONESHOT is a nop. In this case disabling forced threading is not appropriate for this driver because it calls wake_up_all() and this API cannot be called from no-thread interrupt handlers on PREEMPT_RT systems (deadlock risk, triggers sleeping-while-atomic warnings). Fix this by removing IRQF_ONESHOT. Fixes: 2209481409b7 ("soc: qcom: Add AOSS QMP driver") Signed-off-by: Daniel Thompson [bjorn: Added Fixes tag] Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220127173554.158111-1-daniel.thompson@linaro.org Signed-off-by: Sasha Levin commit 5a990a65d4a3afc869346d21be5b63ffd6418176 Author: Miaoqian Lin Date: Fri Jan 7 07:31:26 2022 +0000 soc: qcom: ocmem: Fix missing put_device() call in of_get_ocmem [ Upstream commit 0ff027027e05a866491bbb53494f0e2a61354c85 ] The reference taken by 'of_find_device_by_node()' must be released when not needed anymore. Add the corresponding 'put_device()' in the error handling path. Fixes: 01f937ffc468 ("soc: qcom: ocmem: don't return NULL in of_get_ocmem") Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220107073126.2335-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit b5d6eba71997b6d661935d2b15094ac7f9f6132d Author: Jiasheng Jiang Date: Fri Dec 31 17:44:19 2021 +0800 soc: qcom: rpmpd: Check for null return of devm_kcalloc [ Upstream commit 5a811126d38f9767a20cc271b34db7c8efc5a46c ] Because of the possible failure of the allocation, data->domains might be NULL pointer and will cause the dereference of the NULL pointer later. Therefore, it might be better to check it and directly return -ENOMEM without releasing data manually if fails, because the comment of the devm_kmalloc() says "Memory allocated with this function is automatically freed on driver detach.". Fixes: bbe3a66c3f5a ("soc: qcom: rpmpd: Add a Power domain driver to model corners") Signed-off-by: Jiasheng Jiang Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211231094419.1941054-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit 0c11cb8db49a7945b21c7144f3d5ed8abd4e1b54 Author: Pavel Kubelun Date: Mon Dec 20 18:03:52 2021 +0100 ARM: dts: qcom: ipq4019: fix sleep clock [ Upstream commit 3d7e7980993d2c1ae42d3d314040fc2de6a9c45f ] It seems like sleep_clk was copied from ipq806x. Fix ipq40xx sleep_clk to the value QSDK defines. Link: https://source.codeaurora.org/quic/qsdk/oss/kernel/linux-msm/commit/?id=d92ec59973484acc86dd24b67f10f8911b4b4b7d Link: https://patchwork.kernel.org/comment/22721613/ Fixes: bec6ba4cdf2a ("qcom: ipq4019: Add basic board/dts support for IPQ4019 SoC") Suggested-by: Bjorn Andersson (clock-output-names) Signed-off-by: Pavel Kubelun Signed-off-by: Christian Lamparter (removed clock rename) Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211220170352.34591-1-chunkeey@gmail.com Signed-off-by: Sasha Levin commit 22474dfd0c17772415b1f023f1a139b1797a0dfe Author: Marijn Suijten Date: Wed Dec 8 09:34:21 2021 +0100 firmware: qcom: scm: Remove reassignment to desc following initializer [ Upstream commit 7823e5aa5d1dd9ed5849923c165eb8f29ad23c54 ] Member assignments to qcom_scm_desc were moved into struct initializers in 57d3b816718c ("firmware: qcom_scm: Remove thin wrappers") including the case in qcom_scm_iommu_secure_ptbl_init, except that the - now duplicate - assignment to desc was left in place. While not harmful, remove this unnecessary extra reassignment. Fixes: 57d3b816718c ("firmware: qcom_scm: Remove thin wrappers") Signed-off-by: Marijn Suijten Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Alex Elder Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211208083423.22037-2-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit bf4bad1114a396f441daa83a0e368b9a6a9ec8e6 Author: Dan Carpenter Date: Thu Sep 16 16:29:19 2021 +0300 video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name() [ Upstream commit 78482af095abd9f4f29f1aa3fe575d25c6ae3028 ] This code has two bugs: 1) "cnt" is 255 but the size of the buffer is 256 so the last byte is not used. 2) If we try to print more than 255 characters then "cnt" will be negative and that will trigger a WARN() in snprintf(). The fix for this is to use scnprintf() instead of snprintf(). We can re-write this code to be cleaner: 1) Rename "offset" to "off" because that's shorter. 2) Get rid of the "cnt" variable and just use "size - off" directly. 3) Get rid of the "read" variable and just increment "off" directly. Fixes: 96fe6a2109db ("fbdev: Add VESA Coordinated Video Timings (CVT) support") Signed-off-by: Dan Carpenter Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 6de6a64f23a67c16369f3d02c914e10df14c7332 Author: Dan Carpenter Date: Fri Dec 3 12:58:08 2021 +0300 video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe() [ Upstream commit fee5c1e4b789e41719af9fee0e2dd397cd31988f ] If "sinfo->config" is not found, then return -ENODEV. Don't return success. Fixes: b985172b328a ("video: atmel_lcdfb: add device tree suport") Signed-off-by: Dan Carpenter Acked-by: Nicolas Ferre Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 64ec3e678d76419f207b9cdd338dda438ca10b1c Author: Wang Hai Date: Thu Oct 14 21:22:31 2021 +0800 video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe() [ Upstream commit 1791f487f877a9e83d81c8677bd3e7b259e7cb27 ] I got a null-ptr-deref report: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... RIP: 0010:fb_destroy_modelist+0x38/0x100 ... Call Trace: ufx_usb_probe.cold+0x2b5/0xac1 [smscufx] usb_probe_interface+0x1aa/0x3c0 [usbcore] really_probe+0x167/0x460 ... ret_from_fork+0x1f/0x30 If fb_alloc_cmap() fails in ufx_usb_probe(), fb_destroy_modelist() will be called to destroy modelist in the error handling path. But modelist has not been initialized yet, so it will result in null-ptr-deref. Initialize modelist before calling fb_alloc_cmap() to fix this bug. Fixes: 3c8a63e22a08 ("Add support for SMSC UFX6000/7000 USB display adapters") Reported-by: Hulk Robot Signed-off-by: Wang Hai Acked-by: Thomas Zimmermann Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 0dff86aeb191651f4bec56d66fab4d3d74d039ac Author: YueHaibing Date: Thu Dec 9 17:01:13 2021 +0800 video: fbdev: controlfb: Fix COMPILE_TEST build [ Upstream commit 567e44fb51b4f909ae58038a7301352eecea8426 ] If PPC_BOOK3S, PPC_PMAC and PPC32 is n, COMPILE_TEST build fails: drivers/video/fbdev/controlfb.c:70:0: error: "pgprot_cached_wthru" redefined [-Werror] #define pgprot_cached_wthru(prot) (prot) In file included from ./arch/powerpc/include/asm/pgtable.h:20:0, from ./include/linux/pgtable.h:6, from ./include/linux/mm.h:33, from drivers/video/fbdev/controlfb.c:37: ./arch/powerpc/include/asm/nohash/pgtable.h:243:0: note: this is the location of the previous definition #define pgprot_cached_wthru(prot) (__pgprot((pgprot_val(prot) & ~_PAGE_CACHE_CTL) | \ Fixes: a07a63b0e24d ("video: fbdev: controlfb: add COMPILE_TEST support") Signed-off-by: YueHaibing Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit ec1c20b02ae0bdce82b54b1b8a1e72e86d45f672 Author: Sam Ravnborg Date: Sun Dec 6 20:02:46 2020 +0100 video: fbdev: controlfb: Fix set but not used warnings [ Upstream commit 4aca4dbcac9d8eed8a8dc15b6883270a20a84218 ] The controlfb driver has a number of dummy defines for IO operations. They were introduced in commit a07a63b0e24d ("video: fbdev: controlfb: add COMPILE_TEST support"). The write variants did not use their value parameter in the dummy versions, resulting in set but not used warnings. Fix this by adding "(void)val" to silence the compiler. Signed-off-by: Sam Ravnborg Acked-by: Thomas Zimmermann Cc: Sam Ravnborg Cc: Bartlomiej Zolnierkiewicz Cc: "Gustavo A. R. Silva" Cc: Michael Ellerman Link: https://patchwork.freedesktop.org/patch/msgid/20201206190247.1861316-13-sam@ravnborg.org Signed-off-by: Sasha Levin commit f8bf19f7f3112f28b55222977687ce729cc217e3 Author: Z. Liu Date: Sun Dec 19 02:00:35 2021 +0800 video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen [ Upstream commit 62d89a7d49afe46e6b9bbe9e23b004ad848dbde4 ] Start from commit 11be60bd66d54 "matroxfb: add Matrox MGA-G200eW board support", when maxvram is 0x800000, monitor become black w/ error message said: "The current input timing is not supported by the monitor display. Please change your input timing to 1920x1080@60Hz ...". Fixes: 11be60bd66d5 ("matroxfb: add Matrox MGA-G200eW board support") Signed-off-by: Z. Liu Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 3187a1d4d5c5d7ce128a537164bb95e40e6eba12 Author: Jammy Huang Date: Tue Jan 25 07:44:07 2022 +0100 media: aspeed: Correct value for h-total-pixels [ Upstream commit 4b732a0016853eaff35944f900b0db66f3914374 ] Previous reg-field, 0x98[11:0], stands for the period of the detected hsync signal. Use the correct reg, 0xa0, to get h-total in pixels. Fixes: d2b4387f3bdf ("media: platform: Add Aspeed Video Engine driver") Signed-off-by: Jammy Huang Reviewed-by: Joel Stanley Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 245561612b490969cf1f222cbec6365060bdbc72 Author: Chen-Yu Tsai Date: Fri Jan 7 10:34:49 2022 +0100 media: hantro: Fix overfill bottom register field name [ Upstream commit 89d78e0133e71ba324fb67ca776223fba4353418 ] The Hantro H1 hardware can crop off pixels from the right and bottom of the source frame. These are controlled with the H1_REG_IN_IMG_CTRL_OVRFLB and H1_REG_IN_IMG_CTRL_OVRFLR in the H1_REG_IN_IMG_CTRL register. The ChromeOS kernel driver that this was based on incorrectly added the _D4 suffix H1_REG_IN_IMG_CTRL_OVRFLB. This field crops the bottom of the input frame, and the number is _not_ divided by 4. [1] Correct the name to avoid confusion when crop support with the selection API is added. [1] https://chromium.googlesource.com/chromiumos/third_party/kernel/+/refs/ \ heads/chromeos-4.19/drivers/staging/media/hantro/hantro_h1_vp8_enc.c#377 Fixes: 775fec69008d ("media: add Rockchip VPU JPEG encoder driver") Fixes: a29add8c9bb2 ("media: rockchip/vpu: rename from rockchip to hantro") Signed-off-by: Chen-Yu Tsai Reviewed-by: Ezequiel Garcia Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 032b141a91a82a5f0107ce664a35b201e60c5ce1 Author: Jiasheng Jiang Date: Thu Jan 13 07:59:28 2022 +0100 media: meson: vdec: potential dereference of null pointer [ Upstream commit c8c80c996182239ff9b05eda4db50184cf3b2e99 ] As the possible failure of the kzalloc(), the 'new_ts' could be NULL pointer. Therefore, it should be better to check it in order to avoid the dereference of the NULL pointer. Also, the caller esparser_queue() needs to deal with the return value of the amvdec_add_ts(). Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance") Signed-off-by: Jiasheng Jiang Suggested-by: Neil Armstrong Reviewed-by: Neil Armstrong Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d3e5106c6768f20e38a076a779f59869bf8a7df0 Author: Miaoqian Lin Date: Wed Jan 12 12:05:54 2022 +0100 media: coda: Fix missing put_device() call in coda_get_vdoa_data [ Upstream commit ca85d271531a1e1c86f24b892f57b7d0a3ddb5a6 ] The reference taken by 'of_find_device_by_node()' must be released when not needed anymore. Add the corresponding 'put_device()' in the error handling path. Fixes: e7f3c5481035 ("[media] coda: use VDOA for un-tiling custom macroblock format") Signed-off-by: Miaoqian Lin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c9f4586d9935eea511925ded48efef1b910887df Author: Pierre-Louis Bossart Date: Thu Feb 18 16:19:21 2021 -0600 ASoC: generic: simple-card-utils: remove useless assignment [ Upstream commit bd029fc86834760276171bd2301d6c43e45a65b0 ] cppcheck warning: sound/soc/generic/simple-card-utils.c:258:10: style: Variable 'ret' is assigned a value that is never used. [unreadVariable] int ret = 0; ^ Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210218221921.88991-7-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2c357e027725b55f2300cb4744c9c5c67dfa5e01 Author: Robert Hancock Date: Thu Jan 20 13:58:27 2022 -0600 ASoC: xilinx: xlnx_formatter_pcm: Handle sysclk setting [ Upstream commit 1c5091fbe7e0d0804158200b7feac5123f7b4fbd ] This driver did not set the MM2S Fs Multiplier Register to the proper value for playback streams. This needs to be set to the sample rate to MCLK multiplier, or random stream underflows can occur on the downstream I2S transmitter. Store the sysclk value provided via the set_sysclk callback and use that in conjunction with the sample rate in the hw_params callback to calculate the proper value to set for this register. Fixes: 6f6c3c36f091 ("ASoC: xlnx: add pcm formatter platform driver") Signed-off-by: Robert Hancock Link: https://lore.kernel.org/r/20220120195832.1742271-2-robert.hancock@calian.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 712dd2ac267ae6600050dc82fe4f3d0c0617365b Author: Ondrej Zary Date: Sat Dec 25 22:58:44 2021 +0100 media: bttv: fix WARNING regression on tunerless devices [ Upstream commit ef058cc8b7193d15a771272359c7454839ae74ee ] Commit 2161536516ed ("media: media/pci: set device_caps in struct video_device") introduced a regression: V4L2_CAP_TUNER is always present in device_caps, even when the device has no tuner. This causes a warning: WARNING: CPU: 0 PID: 249 at drivers/media/v4l2-core/v4l2-ioctl.c:1102 v4l_querycap+0xa0/0xb0 [videodev] Fixes: 2161536516ed ("media: media/pci: set device_caps in struct video_device") Signed-off-by: Ondrej Zary Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit bc2573abc691a269b54a6c14a2660f26d88876a5 Author: Jiasheng Jiang Date: Wed Dec 15 06:21:57 2021 +0100 media: mtk-vcodec: potential dereference of null pointer [ Upstream commit e25a89f743b18c029bfbe5e1663ae0c7190912b0 ] The return value of devm_kzalloc() needs to be checked. To avoid use of null pointer in case of thefailure of alloc. Fixes: 46233e91fa24 ("media: mtk-vcodec: move firmware implementations into their own files") Signed-off-by: Jiasheng Jiang Reviewed-by: Tzung-Bi Shih Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 8a83731a09a5954b85b1ce49c01ff5c2a3465cb7 Author: Chen-Yu Tsai Date: Thu Dec 9 17:38:03 2021 +0100 media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls [ Upstream commit 8310ca94075e784bbb06593cd6c068ee6b6e4ca6 ] DST_QUEUE_OFF_BASE is applied to offset/mem_offset on MMAP capture buffers only for the VIDIOC_QUERYBUF ioctl, while the userspace fields (including offset/mem_offset) are filled in for VIDIOC_{QUERY,PREPARE,Q,DQ}BUF ioctls. This leads to differences in the values presented to userspace. If userspace attempts to mmap the capture buffer directly using values from DQBUF, it will fail. Move the code that applies the magic offset into a helper, and call that helper from all four ioctl entry points. [hverkuil: drop unnecessary '= 0' in v4l2_m2m_querybuf() for ret] Fixes: 7f98639def42 ("V4L/DVB: add memory-to-memory device helper framework for videobuf") Fixes: 908a0d7c588e ("[media] v4l: mem2mem: port to videobuf2") Signed-off-by: Chen-Yu Tsai Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c76188715dfc73ae727bbcc13693a0d66fcab010 Author: Corentin Labbe Date: Tue Dec 14 17:16:29 2021 +0100 media: staging: media: zoran: fix usage of vb2_dma_contig_set_max_seg_size [ Upstream commit 241f5b67fb48def58643f279dfb8468bdd54b443 ] vb2_dma_contig_set_max_seg_size need to have a size in parameter and not a DMA_BIT_MASK(). While fixing this issue, also fix error handling of all DMA size setting. Reported-by: kernel test robot Fixes: d4ae3689226e5 ("media: zoran: device support only 32bit DMA address") Signed-off-by: Corentin Labbe Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit f622bd0758bd918076c7e6d1d63d2c6f27d354ed Author: Peng Liu Date: Tue Mar 22 14:48:19 2022 -0700 kunit: make kunit_test_timeout compatible with comment [ Upstream commit bdd015f7b71b92c2e4ecabac689642cc72553e04 ] In function kunit_test_timeout, it is declared "300 * MSEC_PER_SEC" represent 5min. However, it is wrong when dealing with arm64 whose default HZ = 250, or some other situations. Use msecs_to_jiffies to fix this, and kunit_test_timeout will work as desired. Link: https://lkml.kernel.org/r/20220309083753.1561921-3-liupeng256@huawei.com Fixes: 5f3e06208920 ("kunit: test: add support for test abort") Signed-off-by: Peng Liu Reviewed-by: Marco Elver Reviewed-by: Daniel Latypov Reviewed-by: Brendan Higgins Tested-by: Brendan Higgins Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Wang Kefeng Cc: David Gow Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 9e63bcb71df96c2edcfb85043629ab3a1b4b08d0 Author: Guillaume Tucker Date: Tue Mar 22 14:41:44 2022 -0700 selftests, x86: fix how check_cc.sh is being invoked [ Upstream commit ef696f93ed9778d570bd5ac58414421cdd4f1aab ] The $(CC) variable used in Makefiles could contain several arguments such as "ccache gcc". These need to be passed as a single string to check_cc.sh, otherwise only the first argument will be used as the compiler command. Without quotes, the $(CC) variable is passed as distinct arguments which causes the script to fail to build trivial programs. Fix this by adding quotes around $(CC) when calling check_cc.sh to pass the whole string as a single argument to the script even if it has several words such as "ccache gcc". Link: https://lkml.kernel.org/r/d0d460d7be0107a69e3c52477761a6fe694c1840.1646991629.git.guillaume.tucker@collabora.com Fixes: e9886ace222e ("selftests, x86: Rework x86 target architecture detection") Signed-off-by: Guillaume Tucker Tested-by: "kernelci.org bot" Reviewed-by: Guenter Roeck Cc: Shuah Khan Cc: Borislav Petkov Cc: Dave Hansen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit d2c53e77b0431a0954f0655cc517abb6309f6a79 Author: Fengnan Chang Date: Fri Mar 18 09:23:04 2022 +0800 f2fs: fix compressed file start atomic write may cause data corruption [ Upstream commit 9b56adcf525522e9ffa52471260298d91fc1d395 ] When compressed file has blocks, f2fs_ioc_start_atomic_write will succeed, but compressed flag will be remained in inode. If write partial compreseed cluster and commit atomic write will cause data corruption. This is the reproduction process: Step 1: create a compressed file ,write 64K data , call fsync(), then the blocks are write as compressed cluster. Step2: iotcl(F2FS_IOC_START_ATOMIC_WRITE) --- this should be fail, but not. write page 0 and page 3. iotcl(F2FS_IOC_COMMIT_ATOMIC_WRITE) -- page 0 and 3 write as normal file, Step3: drop cache. read page 0-4 -- Since page 0 has a valid block address, read as non-compressed cluster, page 1 and 2 will be filled with compressed data or zero. The root cause is, after commit 7eab7a696827 ("f2fs: compress: remove unneeded read when rewrite whole cluster"), in step 2, f2fs_write_begin() only set target page dirty, and in f2fs_commit_inmem_pages(), we will write partial raw pages into compressed cluster, result in corrupting compressed cluster layout. Fixes: 4c8ff7095bef ("f2fs: support data compression") Fixes: 7eab7a696827 ("f2fs: compress: remove unneeded read when rewrite whole cluster") Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Fengnan Chang Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 1c4d94e4f0b14a5a5cdf558e22af490aacb6a766 Author: Fengnan Chang Date: Tue Jun 22 19:50:59 2021 +0800 f2fs: compress: remove unneeded read when rewrite whole cluster [ Upstream commit 7eab7a6968278c735b1ca6387056a408f7960265 ] when we overwrite the whole page in cluster, we don't need read original data before write, because after write_end(), writepages() can help to load left data in that cluster. Signed-off-by: Fengnan Chang Signed-off-by: Chao Yu Acked-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 2c4741d1b0d236ce2f24d4677f8e23d6bd38ab61 Author: Filipe Manana Date: Thu Feb 17 12:12:07 2022 +0000 btrfs: fix unexpected error path when reflinking an inline extent [ Upstream commit 1f4613cdbe7739ce291554b316bff8e551383389 ] When reflinking an inline extent, we assert that its file offset is 0 and that its uncompressed length is not greater than the sector size. We then return an error if one of those conditions is not satisfied. However we use a return statement, which results in returning from btrfs_clone() without freeing the path and buffer that were allocated before, as well as not clearing the flag BTRFS_INODE_NO_DELALLOC_FLUSH for the destination inode. Fix that by jumping to the 'out' label instead, and also add a WARN_ON() for each condition so that in case assertions are disabled, we get to known which of the unexpected conditions triggered the error. Fixes: a61e1e0df9f321 ("Btrfs: simplify inline extent handling when doing reflinks") Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 3ef3bc75cd3ebf1e7b84a5d588229bad0255b287 Author: Chao Yu Date: Thu Jan 27 13:44:49 2022 +0800 f2fs: fix to avoid potential deadlock [ Upstream commit 344150999b7fc88502a65bbb147a47503eca2033 ] Quoted from Jing Xia's report, there is a potential deadlock may happen between kworker and checkpoint as below: [T:writeback] [T:checkpoint] - wb_writeback - blk_start_plug bio contains NodeA was plugged in writeback threads - do_writepages -- sync write inodeB, inc wb_sync_req[DATA] - f2fs_write_data_pages - f2fs_write_single_data_page -- write last dirty page - f2fs_do_write_data_page - set_page_writeback -- clear page dirty flag and PAGECACHE_TAG_DIRTY tag in radix tree - f2fs_outplace_write_data - f2fs_update_data_blkaddr - f2fs_wait_on_page_writeback -- wait NodeA to writeback here - inode_dec_dirty_pages - writeback_sb_inodes - writeback_single_inode - do_writepages - f2fs_write_data_pages -- skip writepages due to wb_sync_req[DATA] - wbc->pages_skipped += get_dirty_pages() -- PAGECACHE_TAG_DIRTY is not set but get_dirty_pages() returns one - requeue_inode -- requeue inode to wb->b_dirty queue due to non-zero.pages_skipped - blk_finish_plug Let's try to avoid deadlock condition by forcing unplugging previous bio via blk_finish_plug(current->plug) once we'v skipped writeback in writepages() due to valid sbi->wb_sync_req[DATA/NODE]. Fixes: 687de7f1010c ("f2fs: avoid IO split due to mixed WB_SYNC_ALL and WB_SYNC_NONE") Signed-off-by: Zhiguo Niu Signed-off-by: Jing Xia Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 85cc399b650f10378b2753a1a5e13442f44277be Author: Amir Goldstein Date: Thu Feb 24 18:17:05 2022 +0200 nfsd: more robust allocation failure handling in nfsd_file_cache_init [ Upstream commit 4d2eeafecd6c83b4444db3dc0ada201c89b1aa44 ] The nfsd file cache table can be pretty large and its allocation may require as many as 80 contigious pages. Employ the same fix that was employed for similar issue that was reported for the reply cache hash table allocation several years ago by commit 8f97514b423a ("nfsd: more robust allocation failure handling in nfsd_reply_cache_init"). Fixes: 65294c1f2c5e ("nfsd: add a new struct file caching facility to nfsd") Link: https://lore.kernel.org/linux-nfs/e3cdaeec85a6cfec980e87fc294327c0381c1778.camel@kernel.org/ Suggested-by: Jeff Layton Signed-off-by: Amir Goldstein Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever Tested-by: Amir Goldstein Signed-off-by: Sasha Levin commit 1a11a873749c6375bb668953fa1a196d8538d26b Author: Jaegeuk Kim Date: Fri Feb 11 18:56:46 2022 -0800 f2fs: fix missing free nid in f2fs_handle_failed_inode [ Upstream commit 2fef99b8372c1ae3d8445ab570e888b5a358dbe9 ] This patch fixes xfstests/generic/475 failure. [ 293.680694] F2FS-fs (dm-1): May loss orphan inode, run fsck to fix. [ 293.685358] Buffer I/O error on dev dm-1, logical block 8388592, async page read [ 293.691527] Buffer I/O error on dev dm-1, logical block 8388592, async page read [ 293.691764] sh (7615): drop_caches: 3 [ 293.691819] sh (7616): drop_caches: 3 [ 293.694017] Buffer I/O error on dev dm-1, logical block 1, async page read [ 293.695659] sh (7618): drop_caches: 3 [ 293.696979] sh (7617): drop_caches: 3 [ 293.700290] sh (7623): drop_caches: 3 [ 293.708621] sh (7626): drop_caches: 3 [ 293.711386] sh (7628): drop_caches: 3 [ 293.711825] sh (7627): drop_caches: 3 [ 293.716738] sh (7630): drop_caches: 3 [ 293.719613] sh (7632): drop_caches: 3 [ 293.720971] sh (7633): drop_caches: 3 [ 293.727741] sh (7634): drop_caches: 3 [ 293.730783] sh (7636): drop_caches: 3 [ 293.732681] sh (7635): drop_caches: 3 [ 293.732988] sh (7637): drop_caches: 3 [ 293.738836] sh (7639): drop_caches: 3 [ 293.740568] sh (7641): drop_caches: 3 [ 293.743053] sh (7640): drop_caches: 3 [ 293.821889] ------------[ cut here ]------------ [ 293.824654] kernel BUG at fs/f2fs/node.c:3334! [ 293.826226] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 293.828713] CPU: 0 PID: 7653 Comm: umount Tainted: G OE 5.17.0-rc1-custom #1 [ 293.830946] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 293.832526] RIP: 0010:f2fs_destroy_node_manager+0x33f/0x350 [f2fs] [ 293.833905] Code: e8 d6 3d f9 f9 48 8b 45 d0 65 48 2b 04 25 28 00 00 00 75 1a 48 81 c4 28 03 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b [ 293.837783] RSP: 0018:ffffb04ec31e7a20 EFLAGS: 00010202 [ 293.839062] RAX: 0000000000000001 RBX: ffff9df947db2eb8 RCX: 0000000080aa0072 [ 293.840666] RDX: 0000000000000000 RSI: ffffe86c0432a140 RDI: ffffffffc0b72a21 [ 293.842261] RBP: ffffb04ec31e7d70 R08: ffff9df94ca85780 R09: 0000000080aa0072 [ 293.843909] R10: ffff9df94ca85700 R11: ffff9df94e1ccf58 R12: ffff9df947db2e00 [ 293.845594] R13: ffff9df947db2ed0 R14: ffff9df947db2eb8 R15: ffff9df947db2eb8 [ 293.847855] FS: 00007f5a97379800(0000) GS:ffff9dfa77c00000(0000) knlGS:0000000000000000 [ 293.850647] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 293.852940] CR2: 00007f5a97528730 CR3: 000000010bc76005 CR4: 0000000000370ef0 [ 293.854680] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 293.856423] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 293.858380] Call Trace: [ 293.859302] [ 293.860311] ? ttwu_do_wakeup+0x1c/0x170 [ 293.861800] ? ttwu_do_activate+0x6d/0xb0 [ 293.863057] ? _raw_spin_unlock_irqrestore+0x29/0x40 [ 293.864411] ? try_to_wake_up+0x9d/0x5e0 [ 293.865618] ? debug_smp_processor_id+0x17/0x20 [ 293.866934] ? debug_smp_processor_id+0x17/0x20 [ 293.868223] ? free_unref_page+0xbf/0x120 [ 293.869470] ? __free_slab+0xcb/0x1c0 [ 293.870614] ? preempt_count_add+0x7a/0xc0 [ 293.871811] ? __slab_free+0xa0/0x2d0 [ 293.872918] ? __wake_up_common_lock+0x8a/0xc0 [ 293.874186] ? __slab_free+0xa0/0x2d0 [ 293.875305] ? free_inode_nonrcu+0x20/0x20 [ 293.876466] ? free_inode_nonrcu+0x20/0x20 [ 293.877650] ? debug_smp_processor_id+0x17/0x20 [ 293.878949] ? call_rcu+0x11a/0x240 [ 293.880060] ? f2fs_destroy_stats+0x59/0x60 [f2fs] [ 293.881437] ? kfree+0x1fe/0x230 [ 293.882674] f2fs_put_super+0x160/0x390 [f2fs] [ 293.883978] generic_shutdown_super+0x7a/0x120 [ 293.885274] kill_block_super+0x27/0x50 [ 293.886496] kill_f2fs_super+0x7f/0x100 [f2fs] [ 293.887806] deactivate_locked_super+0x35/0xa0 [ 293.889271] deactivate_super+0x40/0x50 [ 293.890513] cleanup_mnt+0x139/0x190 [ 293.891689] __cleanup_mnt+0x12/0x20 [ 293.892850] task_work_run+0x64/0xa0 [ 293.894035] exit_to_user_mode_prepare+0x1b7/0x1c0 [ 293.895409] syscall_exit_to_user_mode+0x27/0x50 [ 293.896872] do_syscall_64+0x48/0xc0 [ 293.898090] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 293.899517] RIP: 0033:0x7f5a975cd25b Fixes: 7735730d39d7 ("f2fs: fix to propagate error from __get_meta_page()") Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit c0cffc1fb38dc08a8a7750119ee41bb78906bc42 Author: Adrian Hunter Date: Mon Jan 31 09:24:52 2022 +0200 perf/x86/intel/pt: Fix address filter config for 32-bit kernel [ Upstream commit e5524bf1047eb3b3f3f33b5f59897ba67b3ade87 ] Change from shifting 'unsigned long' to 'u64' to prevent the config bits being lost on a 32-bit kernel. Fixes: eadf48cab4b6b0 ("perf/x86/intel/pt: Add support for address range filtering in PT") Signed-off-by: Adrian Hunter Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20220131072453.2839535-5-adrian.hunter@intel.com Signed-off-by: Sasha Levin commit 13c8e37e1faf8b7a5d50815cb68de0d5f73e7ad7 Author: Adrian Hunter Date: Mon Jan 31 09:24:51 2022 +0200 perf/core: Fix address filter parser for multiple filters [ Upstream commit d680ff24e9e14444c63945b43a37ede7cd6958f9 ] Reset appropriate variables in the parser loop between parsing separate filters, so that they do not interfere with parsing the next filter. Fixes: 375637bc524952 ("perf/core: Introduce address range filtering") Signed-off-by: Adrian Hunter Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20220131072453.2839535-4-adrian.hunter@intel.com Signed-off-by: Sasha Levin commit a9faa5beda6b7df2a6b7958e62037b80c604d80d Author: Mathieu Desnoyers Date: Thu Jan 27 10:27:20 2022 -0500 rseq: Remove broken uapi field layout on 32-bit little endian [ Upstream commit bfdf4e6208051ed7165b2e92035b4bf11f43eb63 ] The rseq rseq_cs.ptr.{ptr32,padding} uapi endianness handling is entirely wrong on 32-bit little endian: a preprocessor logic mistake wrongly uses the big endian field layout on 32-bit little endian architectures. Fortunately, those ptr32 accessors were never used within the kernel, and only meant as a convenience for user-space. Remove those and replace the whole rseq_cs union by a __u64 type, as this is the only thing really needed to express the ABI. Document how 32-bit architectures are meant to interact with this field. Fixes: ec9c82e03a74 ("rseq: uapi: Declare rseq_cs field as union, update includes") Signed-off-by: Mathieu Desnoyers Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20220127152720.25898-1-mathieu.desnoyers@efficios.com Signed-off-by: Sasha Levin commit f0250e05e5744899539a514b722ccc34430ede64 Author: Eric Dumazet Date: Tue Apr 13 13:33:52 2021 -0700 rseq: Optimise rseq_get_rseq_cs() and clear_rseq_cs() [ Upstream commit 5e0ccd4a3b01c5a71732a13186ca110a138516ea ] Commit ec9c82e03a74 ("rseq: uapi: Declare rseq_cs field as union, update includes") added regressions for our servers. Using copy_from_user() and clear_user() for 64bit values is suboptimal. We can use faster put_user() and get_user() on 64bit arches. Signed-off-by: Eric Dumazet Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Mathieu Desnoyers Link: https://lkml.kernel.org/r/20210413203352.71350-4-eric.dumazet@gmail.com Signed-off-by: Sasha Levin commit ecc17de4b99a016f96e2129e3e6e2c884d18cca6 Author: Qais Yousef Date: Thu Oct 28 12:50:05 2021 +0100 sched/core: Export pelt_thermal_tp [ Upstream commit 77cf151b7bbdfa3577b3c3f3a5e267a6c60a263b ] We can't use this tracepoint in modules without having the symbol exported first, fix that. Fixes: 765047932f15 ("sched/pelt: Add support to track thermal pressure") Signed-off-by: Qais Yousef Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20211028115005.873539-1-qais.yousef@arm.com Signed-off-by: Sasha Levin commit 40732cab515d687dd34c081b55354504e339087b Author: Bharata B Rao Date: Tue Jan 18 10:35:15 2022 +0530 sched/debug: Remove mpol_get/put and task_lock/unlock from sched_show_numa [ Upstream commit 28c988c3ec29db74a1dda631b18785958d57df4f ] The older format of /proc/pid/sched printed home node info which required the mempolicy and task lock around mpol_get(). However the format has changed since then and there is no need for sched_show_numa() any more to have mempolicy argument, asssociated mpol_get/put and task_lock/unlock. Remove them. Fixes: 397f2378f1361 ("sched/numa: Fix numa balancing stats in /proc/pid/sched") Signed-off-by: Bharata B Rao Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Srikar Dronamraju Acked-by: Mel Gorman Link: https://lore.kernel.org/r/20220118050515.2973-1-bharata@amd.com Signed-off-by: Sasha Levin commit 2b5d41bcf28f5d8b3c7806d6e353970014d29927 Author: Chao Yu Date: Tue Jan 18 11:48:02 2022 +0800 f2fs: fix to enable ATGC correctly via gc_idle sysfs interface [ Upstream commit 7d19e3dab0002e527052b0aaf986e8c32e5537bf ] It needs to assign sbi->gc_mode with GC_IDLE_AT rather than GC_AT when user tries to enable ATGC via gc_idle sysfs interface, fix it. Fixes: 093749e296e2 ("f2fs: support age threshold based garbage collection") Cc: Zhipeng Tan Signed-off-by: Jicheng Shao Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 9d92be1a09fbb3dd65600dbfe7eedb40e7228e4b Author: David Howells Date: Mon Mar 21 11:18:54 2022 +0000 watch_queue: Actually free the watch [ Upstream commit 3d8dcf278b1ee1eff1e90be848fa2237db4c07a7 ] free_watch() does everything barring actually freeing the watch object. Fix this by adding the missing kfree. kmemleak produces a report something like the following. Note that as an address can be seen in the first word, the watch would appear to have gone through call_rcu(). BUG: memory leak unreferenced object 0xffff88810ce4a200 (size 96): comm "syz-executor352", pid 3605, jiffies 4294947473 (age 13.720s) hex dump (first 32 bytes): e0 82 48 0d 81 88 ff ff 00 00 00 00 00 00 00 00 ..H............. 80 a2 e4 0c 81 88 ff ff 00 00 00 00 00 00 00 00 ................ backtrace: [] kmalloc include/linux/slab.h:581 [inline] [] kzalloc include/linux/slab.h:714 [inline] [] keyctl_watch_key+0xec/0x2e0 security/keys/keyctl.c:1800 [] __do_sys_keyctl+0x3c4/0x490 security/keys/keyctl.c:2016 [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [] entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: c73be61cede5 ("pipe: Add general notification queue support") Reported-and-tested-by: syzbot+6e2de48f06cdb2884bfc@syzkaller.appspotmail.com Signed-off-by: David Howells Signed-off-by: Sasha Levin commit 5ae75b4ed30322b42abaa75ef1b784addfdb7dc9 Author: David Howells Date: Mon Mar 21 08:11:52 2022 +0000 watch_queue: Fix NULL dereference in error cleanup [ Upstream commit a635415a064e77bcfbf43da413fd9dfe0bbed9cb ] In watch_queue_set_size(), the error cleanup code doesn't take account of the fact that __free_page() can't handle a NULL pointer when trying to free up buffer pages that did get allocated. Fix this by only calling __free_page() on the pages actually allocated. Without the fix, this can lead to something like the following: BUG: KASAN: null-ptr-deref in __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473 Read of size 4 at addr 0000000000000034 by task syz-executor168/3599 ... Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 __kasan_report mm/kasan/report.c:446 [inline] kasan_report.cold+0x66/0xdf mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:71 [inline] atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] page_ref_count include/linux/page_ref.h:67 [inline] put_page_testzero include/linux/mm.h:717 [inline] __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473 watch_queue_set_size+0x499/0x630 kernel/watch_queue.c:275 pipe_ioctl+0xac/0x2b0 fs/pipe.c:632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: c73be61cede5 ("pipe: Add general notification queue support") Reported-and-tested-by: syzbot+d55757faa9b80590767b@syzkaller.appspotmail.com Signed-off-by: David Howells Reviewed-by: Fabio M. De Francesco Signed-off-by: Sasha Levin commit 509565faed7e6a4d27b9df2b8f7ffeedae0067aa Author: Jens Axboe Date: Fri Mar 18 11:28:13 2022 -0600 io_uring: terminate manual loop iterator loop correctly for non-vecs [ Upstream commit 5e929367468c8f97cd1ffb0417316cecfebef94b ] The fix for not advancing the iterator if we're using fixed buffers is broken in that it can hit a condition where we don't terminate the loop. This results in io-wq looping forever, asking to read (or write) 0 bytes for every subsequent loop. Reported-by: Joel Jaeschke Link: https://github.com/axboe/liburing/issues/549 Fixes: 16c8d2df7ec0 ("io_uring: ensure symmetry in handling iter types in loop_rw_iter()") Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 44a77e52bd791ffea565c49d7a5322bb9ea21ae8 Author: Randy Dunlap Date: Thu Mar 17 08:39:39 2022 -0700 clocksource: acpi_pm: fix return value of __setup handler [ Upstream commit 6a861abceecb68497dd82a324fee45a5332dcece ] __setup() handlers should return 1 to obsolete_checksetup() in init/main.c to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) environment strings. The __setup() handler interface isn't meant to handle negative return values -- they are non-zero, so they mean "handled" (like a return value of 1 does), but that's just a quirk. So return 1 from parse_pmtmr(). Also print a warning message if kstrtouint() returns an error. Fixes: 6b148507d3d0 ("pmtmr: allow command line override of ioport") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit d678f002f0bc38f938b0b9574e5bfc717fc95902 Author: Brandon Wyman Date: Thu Mar 17 23:21:23 2022 +0000 hwmon: (pmbus) Add Vin unit off handling [ Upstream commit a5436af598779219b375c1977555c82def1c35d0 ] If there is an input undervoltage fault, reported in STATUS_INPUT command response, there is quite likely a "Unit Off For Insufficient Input Voltage" condition as well. Add a constant for bit 3 of STATUS_INPUT. Update the Vin limit attributes to include both bits in the mask for clearing faults. If an input undervoltage fault occurs, causing a unit off for insufficient input voltage, but the unit is off bit is not cleared, the STATUS_WORD will not be updated to clear the input fault condition. Including the unit is off bit (bit 3) allows for the input fault condition to completely clear. Signed-off-by: Brandon Wyman Link: https://lore.kernel.org/r/20220317232123.2103592-1-bjwyman@gmail.com Fixes: b4ce237b7f7d3 ("hwmon: (pmbus) Introduce infrastructure to detect sensors and limit registers") [groeck: Dropped unnecessary ()] Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 7ca525b4cc658d9105efe45f5f97c2a9ab5b6dfa Author: Miaoqian Lin Date: Mon Mar 7 11:07:24 2022 +0000 hwrng: nomadik - Change clk_disable to clk_disable_unprepare [ Upstream commit 7f0f1f3ef62ed7a40e30aff28115bd94c4211d1d ] The corresponding API for clk_prepare_enable is clk_disable_unprepare, other than clk_disable_unprepare. Fix this by changing clk_disable to clk_disable_unprepare. Fixes: beca35d05cc2 ("hwrng: nomadik - use clk_prepare_enable()") Signed-off-by: Miaoqian Lin Reviewed-by: Linus Walleij Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit e4c777fd8c371b2a46b7541fbd92903d700def11 Author: Uwe Kleine-König Date: Tue Jan 26 17:58:34 2021 +0100 amba: Make the remove callback return void [ Upstream commit 3fd269e74f2feec973f45ee11d822faeda4fe284 ] All amba drivers return 0 in their remove callback. Together with the driver core ignoring the return value anyhow, it doesn't make sense to return a value here. Change the remove prototype to return void, which makes it explicit that returning an error value doesn't work as expected. This simplifies changing the core remove callback to return void, too. Reviewed-by: Ulf Hansson Reviewed-by: Arnd Bergmann Acked-by: Alexandre Belloni Acked-by: Dmitry Torokhov Acked-by: Krzysztof Kozlowski # for drivers/memory Acked-by: Mark Brown Acked-by: Linus Walleij Acked-by: Suzuki K Poulose # for hwtracing/coresight Acked-By: Vinod Koul # for dmaengine Acked-by: Guenter Roeck # for watchdog Acked-by: Wolfram Sang # for I2C Acked-by: Takashi Iwai # for sound Acked-by: Vladimir Zapolskiy # for memory/pl172 Acked-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20210126165835.687514-5-u.kleine-koenig@pengutronix.de Signed-off-by: Uwe Kleine-König Signed-off-by: Sasha Levin commit 1c6ac39763bc2bbee789ad9f7f527066a50abb9a Author: Uwe Kleine-König Date: Tue Jan 26 17:58:33 2021 +0100 vfio: platform: simplify device removal [ Upstream commit 5b495ac8fe03b9e0d2e775f9064c3e2a340ff440 ] vfio_platform_remove_common() cannot return non-NULL in vfio_amba_remove() as the latter is only called if vfio_amba_probe() returned success. Diagnosed-by: Arnd Bergmann Acked-by: Eric Auger Link: https://lore.kernel.org/r/20210126165835.687514-4-u.kleine-koenig@pengutronix.de Signed-off-by: Uwe Kleine-König Signed-off-by: Sasha Levin commit c93017c8d5ebf55a4e453ac7c84cc84cf92ab570 Author: Jianglei Nie Date: Thu Mar 3 10:23:37 2022 +0800 crypto: ccree - Fix use after free in cc_cipher_exit() [ Upstream commit 3d950c34074ed74d2713c3856ba01264523289e6 ] kfree_sensitive(ctx_p->user.key) will free the ctx_p->user.key. But ctx_p->user.key is still used in the next line, which will lead to a use after free. We can call kfree_sensitive() after dev_dbg() to avoid the uaf. Fixes: 63ee04c8b491 ("crypto: ccree - add skcipher support") Signed-off-by: Jianglei Nie Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 78622926fe01363d78b0f861bfa5c35223c0a645 Author: Dāvis Mosāns Date: Mon Feb 28 05:15:45 2022 +0200 crypto: ccp - ccp_dmaengine_unregister release dma channels [ Upstream commit 54cce8ecb9254f971b40a72911c6da403720a2d2 ] ccp_dmaengine_register adds dma_chan->device_node to dma_dev->channels list but ccp_dmaengine_unregister didn't remove them. That can cause crashes in various dmaengine methods that tries to use dma_dev->channels Fixes: 58ea8abf4904 ("crypto: ccp - Register the CCP as a DMA...") Signed-off-by: Dāvis Mosāns Acked-by: John Allen Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 9eeee6f684e0cce69afbf2219fe29a793ac17d24 Author: Randy Dunlap Date: Sat Mar 5 18:46:20 2022 -0800 ACPI: APEI: fix return value of __setup handlers [ Upstream commit f3303ff649dbf7dcdc6a6e1a922235b12b3028f4 ] __setup() handlers should return 1 to indicate that the boot option has been handled. Returning 0 causes a boot option to be listed in the Unknown kernel command line parameters and also added to init's arg list (if no '=' sign) or environment list (if of the form 'a=b'). Unknown kernel command line parameters "erst_disable bert_disable hest_disable BOOT_IMAGE=/boot/bzImage-517rc6", will be passed to user space. Run /sbin/init as init process with arguments: /sbin/init erst_disable bert_disable hest_disable with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc6 Fixes: a3e2acc5e37b ("ACPI / APEI: Add Boot Error Record Table (BERT) support") Fixes: a08f82d08053 ("ACPI, APEI, Error Record Serialization Table (ERST) support") Fixes: 9dc966641677 ("ACPI, APEI, HEST table parsing") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Reviewed-by: "Huang, Ying" Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 0b45bf16593238fee3c01cb8c9841e68154e9318 Author: Guillaume Ranquet Date: Mon Mar 7 18:26:56 2022 +0100 clocksource/drivers/timer-of: Check return value of of_iomap in timer_of_base_init() [ Upstream commit 4467b8bad2401794fb89a0268c8c8257180bf60f ] of_base->base can either be iomapped using of_io_request_and_map() or of_iomap() depending whether or not an of_base->name has been set. Thus check of_base->base against NULL as of_iomap() does not return a PTR_ERR() in case of error. Fixes: 9aea417afa6b ("clocksource/drivers/timer-of: Don't request the resource by name") Signed-off-by: Guillaume Ranquet Link: https://lore.kernel.org/r/20220307172656.4836-1-granquet@baylibre.com Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit b33c753cff6ca5e3302cf97d70c6b92fe17ebad1 Author: Claudiu Beznea Date: Fri Mar 4 15:35:57 2022 +0200 clocksource/drivers/timer-microchip-pit64b: Use notrace [ Upstream commit ff10ee97cb203262e88d9c8bc87369cbd4004a0c ] Use notrace for mchp_pit64b_sched_read_clk() to avoid recursive call of prepare_ftrace_return() when issuing: echo function_graph > /sys/kernel/debug/tracing/current_tracer Fixes: 625022a5f160 ("clocksource/drivers/timer-microchip-pit64b: Add Microchip PIT64B support") Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20220304133601.2404086-3-claudiu.beznea@microchip.com Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit db9d00461bdf9a0567a899f2980cf47f4217476d Author: Krzysztof Kozlowski Date: Sun Feb 20 11:38:15 2022 +0100 clocksource/drivers/exynos_mct: Handle DTS with higher number of interrupts [ Upstream commit ab8da93dc06d82f464c47ab30e6c75190702f369 ] The driver statically defines maximum number of interrupts it can handle, however it does not respect that limit when configuring them. When provided with a DTS with more interrupts than assumed, the driver will overwrite static array mct_irqs leading to silent memory corruption. Validate the interrupts coming from DTS to avoid this. This does not change the fact that such DTS might not boot at all, because it is simply incompatible, however at least some warning will be printed. Fixes: 36ba5d527e95 ("ARM: EXYNOS: add device tree support for MCT controller driver") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Alim Akhtar Link: https://lore.kernel.org/r/20220220103815.135380-1-krzysztof.kozlowski@canonical.com Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit d4e13c4a6f4186645260db86473a59871983ee5e Author: Marek Szyprowski Date: Mon Nov 1 21:35:30 2021 +0200 clocksource/drivers/exynos_mct: Refactor resources allocation [ Upstream commit 7cd925a8823d16de5614d3f0aabea9948747accd ] Move interrupts allocation from exynos4_timer_resources() into separate function together with the interrupt number parsing code from mct_init_dt(), so the code for managing interrupts is kept together. While touching exynos4_timer_resources() function, move of_iomap() to it. No functional changes. Signed-off-by: Marek Szyprowski Reviewed-by: Chanwoo Choi Tested-by: Chanwoo Choi Reviewed-by: Krzysztof Kozlowski Signed-off-by: Sam Protsenko Link: https://lore.kernel.org/r/20211101193531.15078-2-semen.protsenko@linaro.org Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit 42d331a279d012680bc92a81ed7bc154094f4842 Author: Drew Fustini Date: Thu Feb 3 21:35:05 2022 -0800 clocksource/drivers/timer-ti-dm: Fix regression from errata i940 fix [ Upstream commit bceaae3bac0ce27c549bb050336d8d08abc2ee54 ] The existing fix for errata i940 causes a conflict for IPU2 which is using timer 3 and 4. From arch/arm/boot/dts/dra7-ipu-dsp-common.dtsi: &ipu2 { mboxes = <&mailbox6 &mbox_ipu2_ipc3x>; ti,timers = <&timer3>; ti,watchdog-timers = <&timer4>, <&timer9>; }; The conflict was noticed when booting mainline on the BeagleBoard X15 which has a TI AM5728 SoC: remoteproc remoteproc1: 55020000.ipu is available remoteproc remoteproc1: powering up 55020000.ipu remoteproc remoteproc1: Booting fw image dra7-ipu2-fw.xem4 omap-rproc 55020000.ipu: could not get timer platform device omap-rproc 55020000.ipu: omap_rproc_enable_timers failed: -19 remoteproc remoteproc1: can't start rproc 55020000.ipu: -19 This change modifies the errata fix to instead use timer 15 and 16 which resolves the timer conflict. It does not appear to introduce any latency regression. Results from cyclictest with original errata fix using dmtimer 3 and 4: # cyclictest --mlockall --smp --priority=80 --interval=200 --distance=0 policy: fifo: loadavg: 0.02 0.03 0.05 T: 0 ( 1449) P:80 I:200 C: 800368 Min: 0 Act: 32 Avg: 22 Max: 128 T: 1 ( 1450) P:80 I:200 C: 800301 Min: 0 Act: 12 Avg: 23 Max: 70 The results after the change to dmtimer 15 and 16: # cyclictest --mlockall --smp --priority=80 --interval=200 --distance=0 policy: fifo: loadavg: 0.36 0.19 0.07 T: 0 ( 1711) P:80 I:200 C: 759599 Min: 0 Act: 6 Avg: 22 Max: 108 T: 1 ( 1712) P:80 I:200 C: 759539 Min: 0 Act: 19 Avg: 23 Max: 79 Fixes: 25de4ce5ed02 ("clocksource/drivers/timer-ti-dm: Handle dra7 timer wrap errata i940") Link: https://lore.kernel.org/linux-omap/YfWsG0p6to3IJuvE@x1/ Suggested-by: Suman Anna Reviewed-by: Tony Lindgren Signed-off-by: Drew Fustini Link: https://lore.kernel.org/r/20220204053503.1409162-1-dfustini@baylibre.com Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit aedff03da4a5bbef10c11253c4708a5b771a1fa3 Author: Petr Vorel Date: Wed Feb 23 16:11:15 2022 +0100 crypto: vmx - add missing dependencies [ Upstream commit 647d41d3952d726d4ae49e853a9eff68ebad3b3f ] vmx-crypto module depends on CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or CRYPTO_XTS, thus add them. These dependencies are likely to be enabled, but if CRYPTO_DEV_VMX=y && !CRYPTO_MANAGER_DISABLE_TESTS and either of CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or CRYPTO_XTS is built as module or disabled, alg_test() from crypto/testmgr.c complains during boot about failing to allocate the generic fallback implementations (2 == ENOENT): [ 0.540953] Failed to allocate xts(aes) fallback: -2 [ 0.541014] alg: skcipher: failed to allocate transform for p8_aes_xts: -2 [ 0.541120] alg: self-tests for p8_aes_xts (xts(aes)) failed (rc=-2) [ 0.544440] Failed to allocate ctr(aes) fallback: -2 [ 0.544497] alg: skcipher: failed to allocate transform for p8_aes_ctr: -2 [ 0.544603] alg: self-tests for p8_aes_ctr (ctr(aes)) failed (rc=-2) [ 0.547992] Failed to allocate cbc(aes) fallback: -2 [ 0.548052] alg: skcipher: failed to allocate transform for p8_aes_cbc: -2 [ 0.548156] alg: self-tests for p8_aes_cbc (cbc(aes)) failed (rc=-2) [ 0.550745] Failed to allocate transformation for 'aes': -2 [ 0.550801] alg: cipher: Failed to load transform for p8_aes: -2 [ 0.550892] alg: self-tests for p8_aes (aes) failed (rc=-2) Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS") Fixes: d2e3ae6f3aba ("crypto: vmx - Enabling VMX module for PPC64") Suggested-by: Nicolai Stange Signed-off-by: Petr Vorel Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 51939008ca5fe92b3f4b5b989eedef6dd8b8af04 Author: Corentin Labbe Date: Mon Feb 21 12:08:31 2022 +0000 crypto: amlogic - call finalize with bh disabled [ Upstream commit dba633342994ce47d347bcf5522ba28301247b79 ] Doing ipsec produces a spinlock recursion warning. This is due to not disabling BH during crypto completion function. Fixes: 48fe583fe541 ("crypto: amlogic - Add crypto accelerator for amlogic GXL") Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 24857d87cc7459fcd234fa46cbc7136c23810ff1 Author: Corentin Labbe Date: Mon Feb 21 12:08:30 2022 +0000 crypto: sun8i-ce - call finalize with bh disabled [ Upstream commit f75a749b6d78aeae2ce90e14fcc4b7b3ba46126d ] Doing ipsec produces a spinlock recursion warning. This is due to not disabling BH during crypto completion function. Fixes: 06f751b61329 ("crypto: allwinner - Add sun8i-ce Crypto Engine") Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit bf4814d58b1b1589ec205ffb180f365023d9b4c6 Author: Corentin Labbe Date: Mon Feb 21 12:08:29 2022 +0000 crypto: sun8i-ss - call finalize with bh disabled [ Upstream commit b169b3766242b6f3336e24a6c8ee1522978b57a7 ] Doing ipsec produces a spinlock recursion warning. This is due to not disabling BH during crypto completion function. Fixes: f08fcced6d00 ("crypto: allwinner - Add sun8i-ss cryptographic offloader") Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit a4067ccb97e5eb7cf7da5132139d7678ab97cde0 Author: Claudiu Beznea Date: Mon Feb 21 09:59:23 2022 +0200 hwrng: atmel - disable trng on failure path [ Upstream commit a223ea9f89ab960eb254ba78429efd42eaf845eb ] Call atmel_trng_disable() on failure path of probe. Fixes: a1fa98d8116f ("hwrng: atmel - disable TRNG during suspend") Signed-off-by: Claudiu Beznea Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit b7940bef6f21f23955661d476c9760e6b046d21b Author: Jiasheng Jiang Date: Wed Mar 2 17:20:51 2022 +0800 spi: spi-zynqmp-gqspi: Handle error for dma_set_mask [ Upstream commit 13262fc26c1837c51a5131dbbdd67a2387f8bfc7 ] As the potential failure of the dma_set_mask(), it should be better to check it and return error if fails. Fixes: 126bdb606fd2 ("spi: spi-zynqmp-gqspi: return -ENOMEM if dma_map_single fails") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220302092051.121343-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3928a04bc65ad2b25cd6d7e8103c18e367d74ff5 Author: Randy Dunlap Date: Mon Feb 28 14:05:44 2022 -0800 PM: suspend: fix return value of __setup handler [ Upstream commit 7a64ca17e4dd50d5f910769167f3553902777844 ] If an invalid option is given for "test_suspend=