commit 883d1a9562083922c6d293e9adad8cca4626adf3 Author: Greg Kroah-Hartman Date: Thu Jan 25 15:27:52 2024 -0800 Linux 6.1.75 Link: https://lore.kernel.org/r/20240122235751.480367507@linuxfoundation.org Tested-by: SeongJae Park Tested-by: Allen Pais Tested-by: Sven Joachim Tested-by: Yann Sionneau Link: https://lore.kernel.org/r/20240123174510.372863442@linuxfoundation.org Tested-by: SeongJae Park Tested-by: Salvatore Bonaccorso Tested-by: Florian Fainelli Tested-by: Kelsey Steele Tested-by: Ron Economos Tested-by: Conor Dooley Tested-by: Jon Hunter Tested-by: Yann Sionneau Tested-by: Linux Kernel Functional Testing Tested-by: Allen Pais Tested-by: kernelci.org bot Tested-by: Miguel Ojeda Signed-off-by: Greg Kroah-Hartman commit cfa46838285814c3a27faacf7357f0a65bb5d152 Author: Song Liu Date: Thu Jan 25 00:21:31 2024 -0800 Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"" This reverts commit bed9e27baf52a09b7ba2a3714f1e24e17ced386d. The original set [1][2] was expected to undo a suboptimal fix in [2], and replace it with a better fix [1]. However, as reported by Dan Moulding [2] causes an issue with raid5 with journal device. Revert [2] for now to close the issue. We will follow up on another issue reported by Juxiao Bi, as [2] is expected to fix it. We believe this is a good trade-off, because the latter issue happens less freqently. In the meanwhile, we will NOT revert [1], as it contains the right logic. [1] commit d6e035aad6c0 ("md: bypass block throttle for superblock update") [2] commit bed9e27baf52 ("Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"") Reported-by: Dan Moulding Closes: https://lore.kernel.org/linux-raid/20240123005700.9302-1-dan@danm.net/ Fixes: bed9e27baf52 ("Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"") Cc: stable@vger.kernel.org # v5.19+ Cc: Junxiao Bi Cc: Yu Kuai Signed-off-by: Song Liu Signed-off-by: Greg Kroah-Hartman commit f854bff46abe4b26abd60f82f98be787399bec27 Author: Sjoerd Simons Date: Tue Nov 28 22:35:06 2023 +0100 arm64: dts: armada-3720-turris-mox: set irq type for RTC commit fca8a117c1c9a0f8b8feed117db34cf58134dc2c upstream. The rtc on the mox shares its interrupt line with the moxtet bus. Set the interrupt type to be consistent between both devices. This ensures correct setup of the interrupt line regardless of probing order. Signed-off-by: Sjoerd Simons Cc: # v6.2+ Fixes: 21aad8ba615e ("arm64: dts: armada-3720-turris-mox: Add missing interrupt for RTC") Reviewed-by: Marek Behún Signed-off-by: Gregory CLEMENT Signed-off-by: Greg Kroah-Hartman commit 17062a768c2e9f693c9278360bcb9fdb5f19d24c Author: Mimi Zohar Date: Wed Jan 24 14:21:44 2024 -0500 Revert "KEYS: encrypted: Add check for strsep" commit 1ed4b563100230ea68821a2b25a3d9f25388a3e6 upstream. This reverts commit b4af096b5df5dd131ab796c79cedc7069d8f4882. New encrypted keys are created either from kernel-generated random numbers or user-provided decrypted data. Revert the change requiring user-provided decrypted data. Reported-by: Vishal Verma Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman commit b1cc57f976fede33516df78e8bffdee26af017a0 Author: Alexandre Ghiti Date: Tue Dec 12 20:54:00 2023 +0100 riscv: Fix wrong usage of lm_alias() when splitting a huge linear mapping commit c29fc621e1a49949a14c7fa031dd4760087bfb29 upstream. lm_alias() can only be used on kernel mappings since it explicitly uses __pa_symbol(), so simply fix this by checking where the address belongs to before. Fixes: 311cd2f6e253 ("riscv: Fix set_memory_XX() and set_direct_map_XX() by splitting huge linear mappings") Reported-by: syzbot+afb726d49f84c8d95ee1@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-riscv/000000000000620dd0060c02c5e1@google.com/ Signed-off-by: Alexandre Ghiti Reviewed-by: Charlie Jenkins Link: https://lore.kernel.org/r/20231212195400.128457-1-alexghiti@rivosinc.com Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 9025ee1079291fac79c7fcc20086e9f0015f86f4 Author: Matthew Wilcox (Oracle) Date: Mon Aug 14 15:41:00 2023 +0100 block: Remove special-casing of compound pages commit 1b151e2435fc3a9b10c8946c6aebe9f3e1938c55 upstream. The special casing was originally added in pre-git history; reproducing the commit log here: > commit a318a92567d77 > Author: Andrew Morton > Date: Sun Sep 21 01:42:22 2003 -0700 > > [PATCH] Speed up direct-io hugetlbpage handling > > This patch short-circuits all the direct-io page dirtying logic for > higher-order pages. Without this, we pointlessly bounce BIOs up to > keventd all the time. In the last twenty years, compound pages have become used for more than just hugetlb. Rewrite these functions to operate on folios instead of pages and remove the special case for hugetlbfs; I don't think it's needed any more (and if it is, we can put it back in as a call to folio_test_hugetlb()). This was found by inspection; as far as I can tell, this bug can lead to pages used as the destination of a direct I/O read not being marked as dirty. If those pages are then reclaimed by the MM without being dirtied for some other reason, they won't be written out. Then when they're faulted back in, they will not contain the data they should. It'll take a pretty unusual setup to produce this problem with several races all going the wrong way. This problem predates the folio work; it could for example have been triggered by mmaping a THP in tmpfs and using that as the target of an O_DIRECT read. Fixes: 800d8c63b2e98 ("shmem: add huge pages support") Cc: Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 2c46871ac49f20a8193af4c2e2f36e1649a54206 Author: Marek Szyprowski Date: Wed Nov 8 17:43:53 2023 +0100 i2c: s3c24xx: fix transferring more than one message in polling mode [ Upstream commit 990489e1042c6c5d6bccf56deca68f8dbeed8180 ] To properly handle ACK on the bus when transferring more than one message in polling mode, move the polling handling loop from s3c24xx_i2c_message_start() to s3c24xx_i2c_doxfer(). This way i2c_s3c_irq_nextbyte() is always executed till the end, properly acknowledging the IRQ bits and no recursive calls to i2c_s3c_irq_nextbyte() are made. While touching this, also fix finishing transfers in polling mode by using common code path and always waiting for the bus to become idle and disabled. Fixes: 117053f77a5a ("i2c: s3c2410: Add polling mode support") Signed-off-by: Marek Szyprowski Reviewed-by: Andi Shyti Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 63892860b01987dccdeb38da2c51b145b89953df Author: Marek Szyprowski Date: Wed Nov 8 17:43:52 2023 +0100 i2c: s3c24xx: fix read transfers in polling mode [ Upstream commit 0d9cf23ed55d7ba3ab26d617a3ae507863674c8f ] To properly handle read transfers in polling mode, no waiting for the ACK state is needed as it will never come. Just wait a bit to ensure start state is on the bus and continue processing next bytes. Fixes: 117053f77a5a ("i2c: s3c2410: Add polling mode support") Signed-off-by: Marek Szyprowski Reviewed-by: Chanho Park Reviewed-by: Andi Shyti Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 380540bb06bb1d1b12bdc947d1b8f56cda6b5663 Author: Nikita Zhandarovich Date: Wed Jan 17 09:21:02 2024 -0800 ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work [ Upstream commit 2e7ef287f07c74985f1bf2858bedc62bd9ebf155 ] idev->mc_ifc_count can be written over without proper locking. Originally found by syzbot [1], fix this issue by encapsulating calls to mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with mutex_lock() and mutex_unlock() accordingly as these functions should only be called with mc_lock per their declarations. [1] BUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work write to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0: mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline] ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725 addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949 addrconf_notify+0x310/0x980 notifier_call_chain kernel/notifier.c:93 [inline] raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461 __dev_notify_flags+0x205/0x3d0 dev_change_flags+0xab/0xd0 net/core/dev.c:8685 do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916 rtnl_group_changelink net/core/rtnetlink.c:3458 [inline] __rtnl_newlink net/core/rtnetlink.c:3717 [inline] rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754 rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558 netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910 ... write to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1: mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653 process_one_work kernel/workqueue.c:2627 [inline] process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700 worker_thread+0x525/0x730 kernel/workqueue.c:2781 ... Fixes: 2d9a93b4902b ("mld: convert from timer to delayed work") Reported-by: syzbot+a9400cabb1d784e49abf@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/000000000000994e09060ebcdffb@google.com/ Signed-off-by: Nikita Zhandarovich Acked-by: Taehee Yoo Reviewed-by: Eric Dumazet Reviewed-by: Hangbin Liu Link: https://lore.kernel.org/r/20240117172102.12001-1-n.zhandarovich@fintech.ru Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 8f7f03e8cd3363e5e12dd42036c21e50207975b2 Author: Amit Cohen Date: Wed Jan 17 16:04:21 2024 +0100 selftests: mlxsw: qos_pfc: Adjust the test to support 8 lanes [ Upstream commit b34f4de6d30cbaa8fed905a5080b6eace8c84dc7 ] 'qos_pfc' test checks PFC behavior. The idea is to limit the traffic using a shaper somewhere in the flow of the packets. In this area, the buffer is smaller than the buffer at the beginning of the flow, so it fills up until there is no more space left. The test configures there PFC which is supposed to notice that the headroom is filling up and send PFC Xoff to indicate the transmitter to stop sending traffic for the priorities sharing this PG. The Xon/Xoff threshold is auto-configured and always equal to 2*(MTU rounded up to cell size). Even after sending the PFC Xoff packet, traffic will keep arriving until the transmitter receives and processes the PFC packet. This amount of traffic is known as the PFC delay allowance. Currently the buffer for the delay traffic is configured as 100KB. The MTU in the test is 10KB, therefore the threshold for Xoff is about 20KB. This allows 80KB extra to be stored in this buffer. 8-lane ports use two buffers among which the configured buffer is split, the Xoff threshold then applies to each buffer in parallel. The test does not take into account the behavior of 8-lane ports, when the ports are configured to 400Gbps with 8 lanes or 800Gbps with 8 lanes, packets are dropped and the test fails. Check if the relevant ports use 8 lanes, in such case double the size of the buffer, as the headroom is split half-half. Cc: Shuah Khan Fixes: bfa804784e32 ("selftests: mlxsw: Add a PFC test") Signed-off-by: Amit Cohen Reviewed-by: Ido Schimmel Signed-off-by: Petr Machata Acked-by: Paolo Abeni Link: https://lore.kernel.org/r/23ff11b7dff031eb04a41c0f5254a2b636cd8ebb.1705502064.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 13e6065fed5e3ce5e18542a49f3936c6c7da9ab6 Author: Amit Cohen Date: Wed Jan 17 16:04:16 2024 +0100 mlxsw: spectrum_acl_erp: Fix error flow of pool allocation failure [ Upstream commit 6d6eeabcfaba2fcadf5443b575789ea606f9de83 ] Lately, a bug was found when many TC filters are added - at some point, several bugs are printed to dmesg [1] and the switch is crashed with segmentation fault. The issue starts when gen_pool_free() fails because of unexpected behavior - a try to free memory which is already freed, this leads to BUG() call which crashes the switch and makes many other bugs. Trying to track down the unexpected behavior led to a bug in eRP code. The function mlxsw_sp_acl_erp_table_alloc() gets a pointer to the allocated index, sets the value and returns an error code. When gen_pool_alloc() fails it returns address 0, we track it and return -ENOBUFS outside, BUT the call for gen_pool_alloc() already override the index in erp_table structure. This is a problem when such allocation is done as part of table expansion. This is not a new table, which will not be used in case of allocation failure. We try to expand eRP table and override the current index (non-zero) with zero. Then, it leads to an unexpected behavior when address 0 is freed twice. Note that address 0 is valid in erp_table->base_index and indeed other tables use it. gen_pool_alloc() fails in case that there is no space left in the pre-allocated pool, in our case, the pool is limited to ACL_MAX_ERPT_BANK_SIZE, which is read from hardware. When more than max erp entries are required, we exceed the limit and return an error, this error leads to "Failed to migrate vregion" print. Fix this by changing erp_table->base_index only in case of a successful allocation. Add a test case for such a scenario. Without this fix it causes segmentation fault: $ TESTS="max_erp_entries_test" ./tc_flower.sh ./tc_flower.sh: line 988: 1560 Segmentation fault tc filter del dev $h2 ingress chain $i protocol ip pref $i handle $j flower &>/dev/null [1]: kernel BUG at lib/genalloc.c:508! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 6 PID: 3531 Comm: tc Not tainted 6.7.0-rc5-custom-ga6893f479f5e #1 Hardware name: Mellanox Technologies Ltd. MSN4700/VMOD0010, BIOS 5.11 07/12/2021 RIP: 0010:gen_pool_free_owner+0xc9/0xe0 ... Call Trace: __mlxsw_sp_acl_erp_table_other_dec+0x70/0xa0 [mlxsw_spectrum] mlxsw_sp_acl_erp_mask_destroy+0xf5/0x110 [mlxsw_spectrum] objagg_obj_root_destroy+0x18/0x80 [objagg] objagg_obj_destroy+0x12c/0x130 [objagg] mlxsw_sp_acl_erp_mask_put+0x37/0x50 [mlxsw_spectrum] mlxsw_sp_acl_ctcam_region_entry_remove+0x74/0xa0 [mlxsw_spectrum] mlxsw_sp_acl_ctcam_entry_del+0x1e/0x40 [mlxsw_spectrum] mlxsw_sp_acl_tcam_ventry_del+0x78/0xd0 [mlxsw_spectrum] mlxsw_sp_flower_destroy+0x4d/0x70 [mlxsw_spectrum] mlxsw_sp_flow_block_cb+0x73/0xb0 [mlxsw_spectrum] tc_setup_cb_destroy+0xc1/0x180 fl_hw_destroy_filter+0x94/0xc0 [cls_flower] __fl_delete+0x1ac/0x1c0 [cls_flower] fl_destroy+0xc2/0x150 [cls_flower] tcf_proto_destroy+0x1a/0xa0 ... mlxsw_spectrum3 0000:07:00.0: Failed to migrate vregion mlxsw_spectrum3 0000:07:00.0: Failed to migrate vregion Fixes: f465261aa105 ("mlxsw: spectrum_acl: Implement common eRP core") Signed-off-by: Amit Cohen Signed-off-by: Ido Schimmel Signed-off-by: Petr Machata Acked-by: Paolo Abeni Link: https://lore.kernel.org/r/4cfca254dfc0e5d283974801a24371c7b6db5989.1705502064.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 31944f4264cd401875d310f31a352cf9be1692bb Author: Christoph Hellwig Date: Wed Jan 17 18:59:01 2024 +0100 loop: fix the the direct I/O support check when used on top of block devices [ Upstream commit baa7d536077dcdfe2b70c476a8873d1745d3de0f ] __loop_update_dio only checks the alignment requirement for block backed file systems, but misses them for the case where the loop device is created directly on top of another block device. Due to this creating a loop device with default option plus the direct I/O flag on a > 512 byte sector size file system will lead to incorrect I/O being submitted to the lower block device and a lot of error from the lock layer. This can be seen with xfstests generic/563. Fix the code in __loop_update_dio by factoring the alignment check into a helper, and calling that also for the struct block_device of a block device inode. Also remove the TODO comment talking about dynamically switching between buffered and direct I/O, which is a would be a recipe for horrible performance and occasional data loss. Fixes: 2e5ab5f379f9 ("block: loop: prepare for supporing direct IO") Signed-off-by: Christoph Hellwig Reviewed-by: Ming Lei Link: https://lore.kernel.org/r/20240117175901.871796-1-hch@lst.de Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit f2cc7d90a8c2ee152db182d1e955dae34ce1cf3d Author: Ludvig Pärsson Date: Wed Jan 17 13:03:14 2024 +0100 ethtool: netlink: Add missing ethnl_ops_begin/complete [ Upstream commit f1172f3ee3a98754d95b968968920a7d03fdebcc ] Accessing an ethernet device that is powered off or clock gated might cause the CPU to hang. Add ethnl_ops_begin/complete in ethnl_set_features() to protect against this. Fixes: 0980bfcd6954 ("ethtool: set netdev features with FEATURES_SET request") Signed-off-by: Ludvig Pärsson Link: https://lore.kernel.org/r/20240117-etht2-v2-1-1a96b6e8c650@axis.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 7809296dc17272d4223fe5785b3b7fcfb8223735 Author: Christophe JAILLET Date: Sat Nov 25 13:05:04 2023 +0100 kdb: Fix a potential buffer overflow in kdb_local() [ Upstream commit 4f41d30cd6dc865c3cbc1a852372321eba6d4e4c ] When appending "[defcmd]" to 'kdb_prompt_str', the size of the string already in the buffer should be taken into account. An option could be to switch from strncat() to strlcat() which does the correct test to avoid such an overflow. However, this actually looks as dead code, because 'defcmd_in_progress' can't be true here. See a more detailed explanation at [1]. [1]: https://lore.kernel.org/all/CAD=FV=WSh7wKN7Yp-3wWiDgX4E3isQ8uh0LCzTmd1v9Cg9j+nQ@mail.gmail.com/ Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)") Signed-off-by: Christophe JAILLET Reviewed-by: Douglas Anderson Signed-off-by: Sasha Levin commit 50ee63b800c6997d3a21619cb32018924d689263 Author: Fedor Pchelkin Date: Mon Jan 15 17:39:22 2024 +0300 ipvs: avoid stat macros calls from preemptible context [ Upstream commit d6938c1c76c64f42363d0d1f051e1b4641c2ad40 ] Inside decrement_ttl() upon discovering that the packet ttl has exceeded, __IP_INC_STATS and __IP6_INC_STATS macros can be called from preemptible context having the following backtrace: check_preemption_disabled: 48 callbacks suppressed BUG: using __this_cpu_add() in preemptible [00000000] code: curl/1177 caller is decrement_ttl+0x217/0x830 CPU: 5 PID: 1177 Comm: curl Not tainted 6.7.0+ #34 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 04/01/2014 Call Trace: dump_stack_lvl+0xbd/0xe0 check_preemption_disabled+0xd1/0xe0 decrement_ttl+0x217/0x830 __ip_vs_get_out_rt+0x4e0/0x1ef0 ip_vs_nat_xmit+0x205/0xcd0 ip_vs_in_hook+0x9b1/0x26a0 nf_hook_slow+0xc2/0x210 nf_hook+0x1fb/0x770 __ip_local_out+0x33b/0x640 ip_local_out+0x2a/0x490 __ip_queue_xmit+0x990/0x1d10 __tcp_transmit_skb+0x288b/0x3d10 tcp_connect+0x3466/0x5180 tcp_v4_connect+0x1535/0x1bb0 __inet_stream_connect+0x40d/0x1040 inet_stream_connect+0x57/0xa0 __sys_connect_file+0x162/0x1a0 __sys_connect+0x137/0x160 __x64_sys_connect+0x72/0xb0 do_syscall_64+0x6f/0x140 entry_SYSCALL_64_after_hwframe+0x6e/0x76 RIP: 0033:0x7fe6dbbc34e0 Use the corresponding preemption-aware variants: IP_INC_STATS and IP6_INC_STATS. Found by Linux Verification Center (linuxtesting.org). Fixes: 8d8e20e2d7bb ("ipvs: Decrement ttl") Signed-off-by: Fedor Pchelkin Acked-by: Julian Anastasov Acked-by: Simon Horman Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 4a45e7e7d2a628341790819fc5b030f15a00613a Author: Pablo Neira Ayuso Date: Mon Jan 15 12:50:29 2024 +0100 netfilter: nf_tables: reject NFT_SET_CONCAT with not field length description [ Upstream commit 113661e07460a6604aacc8ae1b23695a89e7d4b3 ] It is still possible to set on the NFT_SET_CONCAT flag by specifying a set size and no field description, report EINVAL in such case. Fixes: 1b6345d4160e ("netfilter: nf_tables: check NFT_SET_CONCAT flag if field_count is specified") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit b56bce52f9f6bc79197ddd00f9db16e5d46cacde Author: Pablo Neira Ayuso Date: Mon Jan 15 00:14:38 2024 +0100 netfilter: nf_tables: skip dead set elements in netlink dump [ Upstream commit 6b1ca88e4bb63673dc9f9c7f23c899f22c3cb17a ] Delete from packet path relies on the garbage collector to purge elements with NFT_SET_ELEM_DEAD_BIT on. Skip these dead elements from nf_tables_dump_setelem() path, I very rarely see tests/shell/testcases/maps/typeof_maps_add_delete reports [DUMP FAILED] showing a mismatch in the expected output with an element that should not be there. If the netlink dump happens before GC worker run, it might show dead elements in the ruleset listing. nft_rhash_get() already skips dead elements in nft_rhash_cmp(), therefore, it already does not show the element when getting a single element via netlink control plane. Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 9cb084df01e198119de477ac691d682fb01e80f3 Author: Pablo Neira Ayuso Date: Sun Jan 14 23:53:39 2024 +0100 netfilter: nf_tables: do not allow mismatch field size and set key length [ Upstream commit 3ce67e3793f48c1b9635beb9bb71116ca1e51b58 ] The set description provides the size of each field in the set whose sum should not mismatch the set key length, bail out otherwise. I did not manage to crash nft_set_pipapo with mismatch fields and set key length so far, but this is UB which must be disallowed. Fixes: f3a2181e16f1 ("netfilter: nf_tables: Support for sets with multiple ranged fields") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b Author: Pavel Tikhomirov Date: Thu Jan 11 23:06:40 2024 +0800 netfilter: bridge: replace physindev with physinif in nf_bridge_info [ Upstream commit 9874808878d9eed407e3977fd11fee49de1e1d86 ] An skb can be added to a neigh->arp_queue while waiting for an arp reply. Where original skb's skb->dev can be different to neigh's neigh->dev. For instance in case of bridging dnated skb from one veth to another, the skb would be added to a neigh->arp_queue of the bridge. As skb->dev can be reset back to nf_bridge->physindev and used, and as there is no explicit mechanism that prevents this physindev from been freed under us (for instance neigh_flush_dev doesn't cleanup skbs from different device's neigh queue) we can crash on e.g. this stack: arp_process neigh_update skb = __skb_dequeue(&neigh->arp_queue) neigh_resolve_output(..., skb) ... br_nf_dev_xmit br_nf_pre_routing_finish_bridge_slow skb->dev = nf_bridge->physindev br_handle_frame_finish Let's use plain ifindex instead of net_device link. To peek into the original net_device we will use dev_get_by_index_rcu(). Thus either we get device and are safe to use it or we don't get it and drop skb. Fixes: c4e70a87d975 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c") Suggested-by: Florian Westphal Signed-off-by: Pavel Tikhomirov Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 754ca18ed3f21236b8faa66f958869fc45c5e02c Author: Pavel Tikhomirov Date: Thu Jan 11 23:06:39 2024 +0800 netfilter: propagate net to nf_bridge_get_physindev [ Upstream commit a54e72197037d2c9bfcd70dddaac8c8ccb5b41ba ] This is a preparation patch for replacing physindev with physinif on nf_bridge_info structure. We will use dev_get_by_index_rcu to resolve device, when needed, and it requires net to be available. Signed-off-by: Pavel Tikhomirov Reviewed-by: Simon Horman Signed-off-by: Pablo Neira Ayuso Stable-dep-of: 9874808878d9 ("netfilter: bridge: replace physindev with physinif in nf_bridge_info") Signed-off-by: Sasha Levin commit 3f1f50527707caff754219296b3735b9fba10495 Author: Pavel Tikhomirov Date: Thu Jan 11 23:06:38 2024 +0800 netfilter: nf_queue: remove excess nf_bridge variable [ Upstream commit aeaa44075f8e49e2e0ad4507d925e690b7950145 ] We don't really need nf_bridge variable here. And nf_bridge_info_exists is better replacement for nf_bridge_info_get in case we are only checking for existence. Signed-off-by: Pavel Tikhomirov Reviewed-by: Simon Horman Signed-off-by: Pablo Neira Ayuso Stable-dep-of: 9874808878d9 ("netfilter: bridge: replace physindev with physinif in nf_bridge_info") Signed-off-by: Sasha Levin commit 52d01a40b73851ee3aa4432b80dd12dc34998870 Author: Pavel Tikhomirov Date: Thu Jan 11 23:06:37 2024 +0800 netfilter: nfnetlink_log: use proper helper for fetching physinif [ Upstream commit c3f9fd54cd87233f53bdf0e191a86b3a5e960e02 ] We don't use physindev in __build_packet_message except for getting physinif from it. So let's switch to nf_bridge_get_physinif to get what we want directly. Signed-off-by: Pavel Tikhomirov Reviewed-by: Simon Horman Signed-off-by: Pablo Neira Ayuso Stable-dep-of: 9874808878d9 ("netfilter: bridge: replace physindev with physinif in nf_bridge_info") Signed-off-by: Sasha Levin commit dfa01315c31510784d07be3cf8f4af624f6eff5b Author: Pablo Neira Ayuso Date: Wed Jan 10 00:42:37 2024 +0100 netfilter: nft_limit: do not ignore unsupported flags [ Upstream commit 91a139cee1202a4599a380810d93c69b5bac6197 ] Bail out if userspace provides unsupported flags, otherwise future extensions to the limit expression will be silently ignored by the kernel. Fixes: c7862a5f0de5 ("netfilter: nft_limit: allow to invert matching criteria") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit f00f11aae1c25d4e7fce9abcfbd5f0acf2ab5e60 Author: Pablo Neira Ayuso Date: Wed Jan 3 23:34:58 2024 +0100 netfilter: nf_tables: reject invalid set policy [ Upstream commit 0617c3de9b4026b87be12b0cb5c35f42c7c66fcb ] Report -EINVAL in case userspace provides a unsupported set backend policy. Fixes: c50b960ccc59 ("netfilter: nf_tables: implement proper set selection") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 2f32d518a1b8d12b778115ec240e7afe6254e259 Author: Paolo Abeni Date: Tue Jan 16 18:18:47 2024 +0100 mptcp: relax check on MPC passive fallback [ Upstream commit c0f5aec28edf98906d28f08daace6522adf9ee7a ] While testing the blamed commit below, I was able to miss (!) packetdrill failures in the fastopen test-cases. On passive fastopen the child socket is created by incoming TCP MPC syn, allow for both MPC_SYN and MPC_ACK header. Fixes: 724b00c12957 ("mptcp: refine opt_mp_capable determination") Reviewed-by: Matthieu Baerts Signed-off-by: Paolo Abeni Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4631c2dd69d928bca396f9f58baeddf85e14ced5 Author: Hengqi Chen Date: Wed Jan 17 12:43:13 2024 +0800 LoongArch: BPF: Prevent out-of-bounds memory access [ Upstream commit 36a87385e31c9343af9a4756598e704741250a67 ] The test_tag test triggers an unhandled page fault: # ./test_tag [ 130.640218] CPU 0 Unable to handle kernel paging request at virtual address ffff80001b898004, era == 9000000003137f7c, ra == 9000000003139e70 [ 130.640501] Oops[#3]: [ 130.640553] CPU: 0 PID: 1326 Comm: test_tag Tainted: G D O 6.7.0-rc4-loong-devel-gb62ab1a397cf #47 61985c1d94084daa2432f771daa45b56b10d8d2a [ 130.640764] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022 [ 130.640874] pc 9000000003137f7c ra 9000000003139e70 tp 9000000104cb4000 sp 9000000104cb7a40 [ 130.641001] a0 ffff80001b894000 a1 ffff80001b897ff8 a2 000000006ba210be a3 0000000000000000 [ 130.641128] a4 000000006ba210be a5 00000000000000f1 a6 00000000000000b3 a7 0000000000000000 [ 130.641256] t0 0000000000000000 t1 00000000000007f6 t2 0000000000000000 t3 9000000004091b70 [ 130.641387] t4 000000006ba210be t5 0000000000000004 t6 fffffffffffffff0 t7 90000000040913e0 [ 130.641512] t8 0000000000000005 u0 0000000000000dc0 s9 0000000000000009 s0 9000000104cb7ae0 [ 130.641641] s1 00000000000007f6 s2 0000000000000009 s3 0000000000000095 s4 0000000000000000 [ 130.641771] s5 ffff80001b894000 s6 ffff80001b897fb0 s7 9000000004090c50 s8 0000000000000000 [ 130.641900] ra: 9000000003139e70 build_body+0x1fcc/0x4988 [ 130.642007] ERA: 9000000003137f7c build_body+0xd8/0x4988 [ 130.642112] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) [ 130.642261] PRMD: 00000004 (PPLV0 +PIE -PWE) [ 130.642353] EUEN: 00000003 (+FPE +SXE -ASXE -BTE) [ 130.642458] ECFG: 00071c1c (LIE=2-4,10-12 VS=7) [ 130.642554] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) [ 130.642658] BADV: ffff80001b898004 [ 130.642719] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000) [ 130.642815] Modules linked in: [last unloaded: bpf_testmod(O)] [ 130.642924] Process test_tag (pid: 1326, threadinfo=00000000f7f4015f, task=000000006499f9fd) [ 130.643062] Stack : 0000000000000000 9000000003380724 0000000000000000 0000000104cb7be8 [ 130.643213] 0000000000000000 25af8d9b6e600558 9000000106250ea0 9000000104cb7ae0 [ 130.643378] 0000000000000000 0000000000000000 9000000104cb7be8 90000000049f6000 [ 130.643538] 0000000000000090 9000000106250ea0 ffff80001b894000 ffff80001b894000 [ 130.643685] 00007ffffb917790 900000000313ca94 0000000000000000 0000000000000000 [ 130.643831] ffff80001b894000 0000000000000ff7 0000000000000000 9000000100468000 [ 130.643983] 0000000000000000 0000000000000000 0000000000000040 25af8d9b6e600558 [ 130.644131] 0000000000000bb7 ffff80001b894048 0000000000000000 0000000000000000 [ 130.644276] 9000000104cb7be8 90000000049f6000 0000000000000090 9000000104cb7bdc [ 130.644423] ffff80001b894000 0000000000000000 00007ffffb917790 90000000032acfb0 [ 130.644572] ... [ 130.644629] Call Trace: [ 130.644641] [<9000000003137f7c>] build_body+0xd8/0x4988 [ 130.644785] [<900000000313ca94>] bpf_int_jit_compile+0x228/0x4ec [ 130.644891] [<90000000032acfb0>] bpf_prog_select_runtime+0x158/0x1b0 [ 130.645003] [<90000000032b3504>] bpf_prog_load+0x760/0xb44 [ 130.645089] [<90000000032b6744>] __sys_bpf+0xbb8/0x2588 [ 130.645175] [<90000000032b8388>] sys_bpf+0x20/0x2c [ 130.645259] [<9000000003f6ab38>] do_syscall+0x7c/0x94 [ 130.645369] [<9000000003121c5c>] handle_syscall+0xbc/0x158 [ 130.645507] [ 130.645539] Code: 380839f6 380831f9 28412bae <24000ca6> 004081ad 0014cb50 004083e8 02bff34c 58008e91 [ 130.645729] [ 130.646418] ---[ end trace 0000000000000000 ]--- On my machine, which has CONFIG_PAGE_SIZE_16KB=y, the test failed at loading a BPF prog with 2039 instructions: prog = (struct bpf_prog *)ffff80001b894000 insn = (struct bpf_insn *)(prog->insnsi)ffff80001b894048 insn + 2039 = (struct bpf_insn *)ffff80001b898000 <- end of the page In the build_insn() function, we are trying to access next instruction unconditionally, i.e. `(insn + 1)->imm`. The address lies in the next page and can be not owned by the current process, thus an page fault is inevitable and then segfault. So, let's access next instruction only under `dst = imm64` context. With this fix, we have: # ./test_tag test_tag: OK (40945 tests) Fixes: bbfddb904df6f82 ("LoongArch: BPF: Avoid declare variables in switch-case") Tested-by: Tiezhu Yang Signed-off-by: Hengqi Chen Signed-off-by: Huacai Chen Signed-off-by: Sasha Levin commit ca65da8da1e9fbd8feeb60ba6b2ebcb23a1073de Author: Kunwu Chan Date: Thu Jan 11 15:20:18 2024 +0800 net: dsa: vsc73xx: Add null pointer check to vsc73xx_gpio_probe [ Upstream commit 776dac5a662774f07a876b650ba578d0a62d20db ] devm_kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Fixes: 05bd97fc559d ("net: dsa: Add Vitesse VSC73xx DSA router driver") Signed-off-by: Kunwu Chan Suggested-by: Jakub Kicinski Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/20240111072018.75971-1-chentao@kylinos.cn Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 4108b86e324da42f7ed425bd71632fd844300dc8 Author: Hao Sun Date: Mon Jan 15 09:20:27 2024 +0100 bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS [ Upstream commit 22c7fa171a02d310e3a3f6ed46a698ca8a0060ed ] For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with "R7 pointer arithmetic on flow_keys prohibited". Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook") Signed-off-by: Hao Sun Signed-off-by: Daniel Borkmann Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20240115082028.9992-1-sunhao.th@gmail.com Signed-off-by: Sasha Levin commit f1ec1b6c5c469754c99abe2606147ccaa280e794 Author: Qiang Ma Date: Fri Jan 12 10:12:49 2024 +0800 net: stmmac: ethtool: Fixed calltrace caused by unbalanced disable_irq_wake calls [ Upstream commit a23aa04042187cbde16f470b49d4ad60d32e9206 ] We found the following dmesg calltrace when testing the GMAC NIC notebook: [9.448656] ------------[ cut here ]------------ [9.448658] Unbalanced IRQ 43 wake disable [9.448673] WARNING: CPU: 3 PID: 1083 at kernel/irq/manage.c:688 irq_set_irq_wake+0xe0/0x128 [9.448717] CPU: 3 PID: 1083 Comm: ethtool Tainted: G O 4.19 #1 [9.448773] ... [9.448774] Call Trace: [9.448781] [<9000000000209b5c>] show_stack+0x34/0x140 [9.448788] [<9000000000d52700>] dump_stack+0x98/0xd0 [9.448794] [<9000000000228610>] __warn+0xa8/0x120 [9.448797] [<9000000000d2fb60>] report_bug+0x98/0x130 [9.448800] [<900000000020a418>] do_bp+0x248/0x2f0 [9.448805] [<90000000002035f4>] handle_bp_int+0x4c/0x78 [9.448808] [<900000000029ea40>] irq_set_irq_wake+0xe0/0x128 [9.448813] [<9000000000a96a7c>] stmmac_set_wol+0x134/0x150 [9.448819] [<9000000000be6ed0>] dev_ethtool+0x1368/0x2440 [9.448824] [<9000000000c08350>] dev_ioctl+0x1f8/0x3e0 [9.448827] [<9000000000bb2a34>] sock_ioctl+0x2a4/0x450 [9.448832] [<900000000046f044>] do_vfs_ioctl+0xa4/0x738 [9.448834] [<900000000046f778>] ksys_ioctl+0xa0/0xe8 [9.448837] [<900000000046f7d8>] sys_ioctl+0x18/0x28 [9.448840] [<9000000000211ab4>] syscall_common+0x20/0x34 [9.448842] ---[ end trace 40c18d9aec863c3e ]--- Multiple disable_irq_wake() calls will keep decreasing the IRQ wake_depth, When wake_depth is 0, calling disable_irq_wake() again, will report the above calltrace. Due to the need to appear in pairs, we cannot call disable_irq_wake() without calling enable_irq_wake(). Fix this by making sure there are no unbalanced disable_irq_wake() calls. Fixes: 3172d3afa998 ("stmmac: support wake up irq from external sources (v3)") Signed-off-by: Qiang Ma Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/20240112021249.24598-1-maqianga@uniontech.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 359fadf5f770632f03d1948db94a0c413f2d635e Author: Dafna Hirschfeld Date: Sun Jan 7 15:07:00 2024 +0200 drm/amdkfd: fixes for HMM mem allocation [ Upstream commit 02eed83abc1395a1207591aafad9bcfc5cb1abcb ] Fix err return value and reset pgmap->type after checking it. Fixes: c83dee9b6394 ("drm/amdkfd: add SPM support for SVM") Reviewed-by: Felix Kuehling Signed-off-by: Dafna Hirschfeld Signed-off-by: Felix Kuehling Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 81b86a10b8b69cddc7a2605274e9e75f15c9f080 Author: Deepak R Varma Date: Fri Dec 23 02:45:00 2022 +0530 drm/amdkfd: Use resource_size() helper function [ Upstream commit 9d086e0ddaeb08876f4df3a1485166bfd7483252 ] Use the resource_size() function instead of a open coded computation resource size. It makes the code more readable. Issue identified using resource_size.cocci coccinelle semantic patch. Signed-off-by: Deepak R Varma Signed-off-by: Felix Kuehling Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher Stable-dep-of: 02eed83abc13 ("drm/amdkfd: fixes for HMM mem allocation") Signed-off-by: Sasha Levin commit 1c3aa875db9a762f9ae560ec099ad80445dc4a00 Author: Michal Simek Date: Fri Jan 12 12:32:58 2024 +0100 dt-bindings: gpio: xilinx: Fix node address in gpio [ Upstream commit 314c020c4ed3de72b15603eb6892250bc4b51702 ] Node address doesn't match reg property which is not correct. Fixes: ba96b2e7974b ("dt-bindings: gpio: gpio-xilinx: Convert Xilinx axi gpio binding to YAML") Signed-off-by: Michal Simek Reviewed-by: Krzysztof Kozlowski Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit 24e00f0fa9fcdb51b61ccb7cfc25f147aedc9ca0 Author: Nikita Yushchenko Date: Sat Jan 13 10:22:21 2024 +0600 net: ravb: Fix dma_addr_t truncation in error case [ Upstream commit e327b2372bc0f18c30433ac40be07741b59231c5 ] In ravb_start_xmit(), ravb driver uses u32 variable to store result of dma_map_single() call. Since ravb hardware has 32-bit address fields in descriptors, this works properly when mapping is successful - it is platform's job to provide mapping addresses that fit into hardware limitations. However, in failure case dma_map_single() returns DMA_MAPPING_ERROR constant that is 64-bit when dma_addr_t is 64-bit. Storing this constant in u32 leads to truncation, and further call to dma_mapping_error() fails to notice the error. Fix that by storing result of dma_map_single() in a dma_addr_t variable. Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") Signed-off-by: Nikita Yushchenko Reviewed-by: Niklas Söderlund Reviewed-by: Sergey Shtylyov Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 615501d41bbd0e2c419ff6db65c61623a10f4523 Author: Eric Dumazet Date: Fri Jan 12 10:44:27 2024 +0000 udp: annotate data-races around up->pending [ Upstream commit 482521d8e0c6520429478aa6866cd44128b33d5d ] up->pending can be read without holding the socket lock, as pointed out by syzbot [1] Add READ_ONCE() in lockless contexts, and WRITE_ONCE() on write side. [1] BUG: KCSAN: data-race in udpv6_sendmsg / udpv6_sendmsg write to 0xffff88814e5eadf0 of 4 bytes by task 15547 on cpu 1: udpv6_sendmsg+0x1405/0x1530 net/ipv6/udp.c:1596 inet6_sendmsg+0x63/0x80 net/ipv6/af_inet6.c:657 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x257/0x310 net/socket.c:2192 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __x64_sys_sendto+0x78/0x90 net/socket.c:2200 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b read to 0xffff88814e5eadf0 of 4 bytes by task 15551 on cpu 0: udpv6_sendmsg+0x22c/0x1530 net/ipv6/udp.c:1373 inet6_sendmsg+0x63/0x80 net/ipv6/af_inet6.c:657 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x37c/0x4d0 net/socket.c:2586 ___sys_sendmsg net/socket.c:2640 [inline] __sys_sendmmsg+0x269/0x500 net/socket.c:2726 __do_sys_sendmmsg net/socket.c:2755 [inline] __se_sys_sendmmsg net/socket.c:2752 [inline] __x64_sys_sendmmsg+0x57/0x60 net/socket.c:2752 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b value changed: 0x00000000 -> 0x0000000a Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 15551 Comm: syz-executor.1 Tainted: G W 6.7.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+8d482d0e407f665d9d10@syzkaller.appspotmail.com Link: https://lore.kernel.org/netdev/0000000000009e46c3060ebcdffd@google.com/ Signed-off-by: Eric Dumazet Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 33cf52b6e53a6aa55883aa7fb9ceffceff8488a6 Author: Jens Axboe Date: Fri Jan 12 09:12:20 2024 -0700 block: ensure we hold a queue reference when using queue limits [ Upstream commit 7b4f36cd22a65b750b4cb6ac14804fb7d6e6c67d ] q_usage_counter is the only thing preventing us from the limits changing under us in __bio_split_to_limits, but blk_mq_submit_bio doesn't hold it while calling into it. Move the splitting inside the region where we know we've got a queue reference. Ideally this could still remain a shared section of code, but let's keep the fix simple and defer any refactoring here to later. Reported-by: Christoph Hellwig Fixes: 900e08075202 ("block: move queue enter logic into blk_mq_submit_bio()") Reviewed-by: Christoph Hellwig Reviewed-by: Ming Lei Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit fdf3df297f4d239b2811220dc9917c6bf5597c3d Author: Eric Dumazet Date: Thu Jan 11 19:49:17 2024 +0000 mptcp: refine opt_mp_capable determination [ Upstream commit 724b00c12957973656d312dce2a110c75ae2c680 ] OPTIONS_MPTCP_MPC is a combination of three flags. It would be better to be strict about testing what flag is expected, at least for code readability. mptcp_parse_option() already makes the distinction. - subflow_check_req() should use OPTION_MPTCP_MPC_SYN. - mptcp_subflow_init_cookie_req() should use OPTION_MPTCP_MPC_ACK. - subflow_finish_connect() should use OPTION_MPTCP_MPC_SYNACK - subflow_syn_recv_sock should use OPTION_MPTCP_MPC_ACK Suggested-by: Paolo Abeni Signed-off-by: Eric Dumazet Reviewed-by: Simon Horman Acked-by: Paolo Abeni Reviewed-by: Mat Martineau Fixes: 74c7dfbee3e1 ("mptcp: consolidate in_opt sub-options fields in a bitmask") Link: https://lore.kernel.org/r/20240111194917.4044654-6-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c0749c8770a9ddee1c363811c1197bdd9928cc4a Author: Eric Dumazet Date: Thu Jan 11 19:49:16 2024 +0000 mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req() [ Upstream commit 66ff70df1a919a066942844bb095d6fcb748d78d ] syzbot reported that subflow_check_req() was using uninitialized data in subflow_check_req() [1] This is because mp_opt.token is only set when OPTION_MPTCP_MPJ_SYN is also set. While we are are it, fix mptcp_subflow_init_cookie_req() to test for OPTION_MPTCP_MPJ_ACK. [1] BUG: KMSAN: uninit-value in subflow_token_join_request net/mptcp/subflow.c:91 [inline] BUG: KMSAN: uninit-value in subflow_check_req+0x1028/0x15d0 net/mptcp/subflow.c:209 subflow_token_join_request net/mptcp/subflow.c:91 [inline] subflow_check_req+0x1028/0x15d0 net/mptcp/subflow.c:209 subflow_v6_route_req+0x269/0x410 net/mptcp/subflow.c:367 tcp_conn_request+0x153a/0x4240 net/ipv4/tcp_input.c:7164 subflow_v6_conn_request+0x3ee/0x510 tcp_rcv_state_process+0x2e1/0x4ac0 net/ipv4/tcp_input.c:6659 tcp_v6_do_rcv+0x11bf/0x1fe0 net/ipv6/tcp_ipv6.c:1669 tcp_v6_rcv+0x480b/0x4fb0 net/ipv6/tcp_ipv6.c:1900 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2020 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x8ef/0x1490 fs/read_write.c:584 ksys_write+0x20f/0x4c0 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:646 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Local variable mp_opt created at: subflow_check_req+0x6d/0x15d0 net/mptcp/subflow.c:145 subflow_v6_route_req+0x269/0x410 net/mptcp/subflow.c:367 CPU: 1 PID: 5924 Comm: syz-executor.3 Not tainted 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests") Reported-by: syzbot Signed-off-by: Eric Dumazet Cc: Florian Westphal Cc: Peter Krystad Cc: Matthieu Baerts Cc: Mat Martineau Cc: Geliang Tang Reviewed-by: Simon Horman Acked-by: Paolo Abeni Reviewed-by: Mat Martineau Link: https://lore.kernel.org/r/20240111194917.4044654-5-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 51e4cb032d49ce094605f27e45eabebc0408893c Author: Eric Dumazet Date: Thu Jan 11 19:49:15 2024 +0000 mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() [ Upstream commit be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb ] subflow_finish_connect() uses four fields (backup, join_id, thmac, none) that may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set in mptcp_parse_option() Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests") Signed-off-by: Eric Dumazet Cc: Florian Westphal Cc: Peter Krystad Cc: Matthieu Baerts Cc: Mat Martineau Cc: Geliang Tang Reviewed-by: Simon Horman Acked-by: Paolo Abeni Reviewed-by: Mat Martineau Link: https://lore.kernel.org/r/20240111194917.4044654-4-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 081273082df838822a37b07eeeabf5b034ad98b3 Author: Eric Dumazet Date: Thu Jan 11 19:49:14 2024 +0000 mptcp: strict validation before using mp_opt->hmac [ Upstream commit c1665273bdc7c201766c65e561c06711f2e050dc ] mp_opt->hmac contains uninitialized data unless OPTION_MPTCP_MPJ_ACK was set in mptcp_parse_option(). We must refine the condition before we call subflow_hmac_valid(). Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests") Signed-off-by: Eric Dumazet Cc: Florian Westphal Cc: Peter Krystad Cc: Matthieu Baerts Cc: Mat Martineau Cc: Geliang Tang Reviewed-by: Simon Horman Acked-by: Paolo Abeni Reviewed-by: Mat Martineau Link: https://lore.kernel.org/r/20240111194917.4044654-3-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 67feafe7a3dde680bce87a9d22702dc2d1a271e3 Author: Eric Dumazet Date: Thu Jan 11 19:49:13 2024 +0000 mptcp: mptcp_parse_option() fix for MPTCPOPT_MP_JOIN [ Upstream commit 89e23277f9c16df6f9f9c1a1a07f8f132339c15c ] mptcp_parse_option() currently sets OPTIONS_MPTCP_MPJ, for the three possible cases handled for MPTCPOPT_MP_JOIN option. OPTIONS_MPTCP_MPJ is the combination of three flags: - OPTION_MPTCP_MPJ_SYN - OPTION_MPTCP_MPJ_SYNACK - OPTION_MPTCP_MPJ_ACK This is a problem, because backup, join_id, token, nonce and/or hmac fields could be left uninitialized in some cases. Distinguish the three cases, as following patches will need this step. Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests") Signed-off-by: Eric Dumazet Cc: Florian Westphal Cc: Peter Krystad Cc: Matthieu Baerts Cc: Mat Martineau Cc: Geliang Tang Reviewed-by: Simon Horman Acked-by: Paolo Abeni Reviewed-by: Mat Martineau Link: https://lore.kernel.org/r/20240111194917.4044654-2-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit cb183a586e349f6aca313de68e0d84ef762f12e3 Author: Claudiu Beznea Date: Fri Jan 5 10:52:42 2024 +0200 net: phy: micrel: populate .soft_reset for KSZ9131 [ Upstream commit e398822c4751017fe401f57409488f5948d12fb5 ] The RZ/G3S SMARC Module has 2 KSZ9131 PHYs. In this setup, the KSZ9131 PHY is used with the ravb Ethernet driver. It has been discovered that when bringing the Ethernet interface down/up continuously, e.g., with the following sh script: $ while :; do ifconfig eth0 down; ifconfig eth0 up; done the link speed and duplex are wrong after interrupting the bring down/up operation even though the Ethernet interface is up. To recover from this state the following configuration sequence is necessary (executed manually): $ ifconfig eth0 down $ ifconfig eth0 up The behavior has been identified also on the Microchip SAMA7G5-EK board which runs the macb driver and uses the same PHY. The order of PHY-related operations in ravb_open() is as follows: ravb_open() -> ravb_phy_start() -> ravb_phy_init() -> of_phy_connect() -> phy_connect_direct() -> phy_attach_direct() -> phy_init_hw() -> phydev->drv->soft_reset() phydev->drv->config_init() phydev->drv->config_intr() phy_resume() kszphy_resume() The order of PHY-related operations in ravb_close is as follows: ravb_close() -> phy_stop() -> phy_suspend() -> kszphy_suspend() -> genphy_suspend() // set BMCR_PDOWN bit in MII_BMCR In genphy_suspend() setting the BMCR_PDWN bit in MII_BMCR switches the PHY to Software Power-Down (SPD) mode (according to the KSZ9131 datasheet). Thus, when opening the interface after it has been previously closed (via ravb_close()), the phydev->drv->config_init() and phydev->drv->config_intr() reach the KSZ9131 PHY driver via the ksz9131_config_init() and kszphy_config_intr() functions. KSZ9131 specifies that the MII management interface remains operational during SPD (Software Power-Down), but (according to manual): - Only access to the standard registers (0 through 31) is supported. - Access to MMD address spaces other than MMD address space 1 is possible if the spd_clock_gate_override bit is set. - Access to MMD address space 1 is not possible. The spd_clock_gate_override bit is not used in the KSZ9131 driver. ksz9131_config_init() configures RGMII delay, pad skews and LEDs by accessesing MMD registers other than those in address space 1. The datasheet for the KSZ9131 does not specify what happens if registers from an unsupported address space are accessed while the PHY is in SPD. To fix the issue the .soft_reset method has been instantiated for KSZ9131, too. This resets the PHY to the default state before doing any configurations to it, thus switching it out of SPD. Fixes: bff5b4b37372 ("net: phy: micrel: add Microchip KSZ9131 initial driver") Signed-off-by: Claudiu Beznea Reviewed-by: Maxime Chevallier Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ecf0ebf0e618323feeabae6cb12908eef69df047 Author: Taehee Yoo Date: Sun Jan 7 14:42:41 2024 +0000 amt: do not use overwrapped cb area [ Upstream commit bec161add35b478a7746bf58bcdea6faa19129ef ] amt driver uses skb->cb for storing tunnel information. This job is worked before TC layer and then amt driver load tunnel info from skb->cb after TC layer. So, its cb area should not be overwrapped with CB area used by TC. In order to not use cb area used by TC, it skips the biggest cb structure used by TC, which was qdisc_skb_cb. But it's not anymore. Currently, biggest structure of TC's CB is tc_skb_cb. So, it should skip size of tc_skb_cb instead of qdisc_skb_cb. Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block") Signed-off-by: Taehee Yoo Acked-by: Paolo Abeni Reviewed-by: Jamal Hadi Salim Link: https://lore.kernel.org/r/20240107144241.4169520-1-ap420073@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c96da963de02aae7b5fd6abdecdaa88ff34355a8 Author: Sanjuán García, Jorge Date: Fri Jan 5 08:55:43 2024 +0000 net: ethernet: ti: am65-cpsw: Fix max mtu to fit ethernet frames [ Upstream commit 64e47d8afb5ca533b27efc006405e5bcae2c4a7b ] The value of AM65_CPSW_MAX_PACKET_SIZE represents the maximum length of a received frame. This value is written to the register AM65_CPSW_PORT_REG_RX_MAXLEN. The maximum MTU configured on the network device should then leave some room for the ethernet headers and frame check. Otherwise, if the network interface is configured to its maximum mtu possible, the frames will be larger than AM65_CPSW_MAX_PACKET_SIZE and will get dropped as oversized. The switch supports ethernet frame sizes between 64 and 2024 bytes (including VLAN) as stated in the technical reference manual, so define AM65_CPSW_MAX_PACKET_SIZE with that maximum size. Fixes: 93a76530316a ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver") Signed-off-by: Jorge Sanjuan Garcia Reviewed-by: Horatiu Vultur Reviewed-by: Siddharth Vadapalli Link: https://lore.kernel.org/r/20240105085530.14070-2-jorge.sanjuangarcia@duagon.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit ee1dc3bf86f2df777038506b139371a9add02534 Author: Lin Ma Date: Wed Jan 10 14:14:00 2024 +0800 net: qualcomm: rmnet: fix global oob in rmnet_policy [ Upstream commit b33fb5b801c6db408b774a68e7c8722796b59ecc ] The variable rmnet_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. See bug trace below: ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Read of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207 CPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G N 6.1.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495 validate_nla lib/nlattr.c:386 [inline] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 nla_parse_nested_deprecated include/net/netlink.h:1248 [inline] __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594 rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdcf2072359 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359 RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003 RBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000 The buggy address belongs to the variable: rmnet_policy+0x30/0xe0 The buggy address belongs to the physical page: page:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243 flags: 0x200000000001000(reserved|node=0|zone=2) raw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07 ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9 >ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 ^ ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 According to the comment of `nla_parse_nested_deprecated`, the maxtype should be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here. Fixes: 14452ca3b5ce ("net: qualcomm: rmnet: Export mux_id and flags to netlink") Signed-off-by: Lin Ma Reviewed-by: Subash Abhinov Kasiviswanathan Reviewed-by: Simon Horman Reviewed-by: Jiri Pirko Link: https://lore.kernel.org/r/20240110061400.3356108-1-linma@zju.edu.cn Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 93eb80c5c946dd701d93872fc92ac3639c9752d1 Author: Niklas Schnelle Date: Tue Nov 28 16:22:49 2023 +0100 s390/pci: fix max size calculation in zpci_memcpy_toio() [ Upstream commit 80df7d6af7f6d229b34cf237b2cc9024c07111cd ] The zpci_get_max_write_size() helper is used to determine the maximum size a PCI store or load can use at a given __iomem address. For the PCI block store the following restrictions apply: 1. The dst + len must not cross a 4K boundary in the (pseudo-)MMIO space 2. len must not exceed ZPCI_MAX_WRITE_SIZE 3. len must be a multiple of 8 bytes 4. The src address must be double word (8 byte) aligned 5. The dst address must be double word (8 byte) aligned Otherwise only a normal PCI store which takes its src value from a register can be used. For these PCI store restriction 1 still applies. Similarly 1 also applies to PCI loads. It turns out zpci_max_write_size() instead implements stricter conditions which prevents PCI block stores from being used where they can and should be used. In particular instead of conditions 4 and 5 it wrongly enforces both dst and src to be size aligned. This indirectly covers condition 1 but also prevents many legal PCI block stores. On top of the functional shortcomings the zpci_get_max_write_size() is misnamed as it is used for both read and write size calculations. Rename it to zpci_get_max_io_size() and implement the listed conditions explicitly. Reviewed-by: Matthew Rosato Fixes: cd24834130ac ("s390/pci: base support") Signed-off-by: Niklas Schnelle [agordeev@linux.ibm.com replaced spaces with tabs] Signed-off-by: Alexander Gordeev Signed-off-by: Sasha Levin commit cad471227a37c0c7c080bfc9ed01b53750e82afe Author: AngeloGioacchino Del Regno Date: Thu Jan 11 11:52:26 2024 +0100 ASoC: mediatek: sof-common: Add NULL check for normal_link string [ Upstream commit e3b3ec967a7d93b9010a5af9a2394c8b5c8f31ed ] It's not granted that all entries of struct sof_conn_stream declare a `normal_link` (a non-SOF, direct link) string, and this is the case for SoCs that support only SOF paths (hence do not support both direct and SOF usecases). For example, in the case of MT8188 there is no normal_link string in any of the sof_conn_stream entries and there will be more drivers doing that in the future. To avoid possible NULL pointer KPs, add a NULL check for `normal_link`. Fixes: 0caf1120c583 ("ASoC: mediatek: mt8195: extract SOF common code") Signed-off-by: AngeloGioacchino Del Regno Link: https://msgid.link/r/20240111105226.117603-1-angelogioacchino.delregno@collabora.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 69f0bebe9166f389ac508b3d5536d6dff93273e2 Author: Jianjun Wang Date: Mon Oct 23 16:14:23 2023 +0800 PCI: mediatek-gen3: Fix translation window size calculation [ Upstream commit 9ccc1318cf4bd90601f221268e42c3374703d681 ] When using the fls() helper, the translation table should be a power of two; otherwise, the resulting value will not be correct. For example, given fls(0x3e00000) - 1 = 25, the PCIe translation window size will be set to 0x2000000 instead of the expected size 0x3e00000. Fix the translation window by splitting the MMIO space into multiple tables if its size is not a power of two. [kwilczynski: commit log] Link: https://lore.kernel.org/linux-pci/20231023081423.18559-1-jianjun.wang@mediatek.com Fixes: d3bf75b579b9 ("PCI: mediatek-gen3: Add MediaTek Gen3 driver for MT8192") Signed-off-by: Jianjun Wang Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Sasha Levin commit 94667790e5e316201d4b9a5072af00e14ad492f0 Author: Siddharth Vadapalli Date: Wed Sep 27 09:48:45 2023 +0530 PCI: keystone: Fix race condition when initializing PHYs [ Upstream commit c12ca110c613a81cb0f0099019c839d078cd0f38 ] The PCI driver invokes the PHY APIs using the ks_pcie_enable_phy() function. The PHY in this case is the Serdes. It is possible that the PCI instance is configured for two lane operation across two different Serdes instances, using one lane of each Serdes. In such a configuration, if the reference clock for one Serdes is provided by the other Serdes, it results in a race condition. After the Serdes providing the reference clock is initialized by the PCI driver by invoking its PHY APIs, it is not guaranteed that this Serdes remains powered on long enough for the PHY APIs based initialization of the dependent Serdes. In such cases, the PLL of the dependent Serdes fails to lock due to the absence of the reference clock from the former Serdes which has been powered off by the PM Core. Fix this by obtaining reference to the PHYs before invoking the PHY initialization APIs and releasing reference after the initialization is complete. Link: https://lore.kernel.org/linux-pci/20230927041845.1222080-1-s-vadapalli@ti.com Fixes: 49229238ab47 ("PCI: keystone: Cleanup PHY handling") Signed-off-by: Siddharth Vadapalli Signed-off-by: Krzysztof Wilczyński Acked-by: Ravi Gunasekaran Signed-off-by: Sasha Levin commit 11923a8df8edd9f85481490882a8abd50851df40 Author: Maurizio Lombardi Date: Fri Jan 5 09:14:44 2024 +0100 nvmet-tcp: Fix the H2C expected PDU len calculation [ Upstream commit 9a1abc24850eb759e36a2f8869161c3b7254c904 ] The nvmet_tcp_handle_h2c_data_pdu() function should take into consideration the possibility that the header digest and/or the data digests are enabled when calculating the expected PDU length, before comparing it to the value stored in cmd->pdu_len. Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") Signed-off-by: Maurizio Lombardi Reviewed-by: Sagi Grimberg Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit fb711858e669e8780d2c454e5c29ca0fcb4dc039 Author: Arnd Bergmann Date: Wed Jan 3 16:56:56 2024 +0100 nvme: trace: avoid memcpy overflow warning [ Upstream commit a7de1dea76cd6a3707707af4ea2f8bc3cdeaeb11 ] A previous patch introduced a struct_group() in nvme_common_command to help stringop fortification figure out the length of the fields, but one function is not currently using them: In file included from drivers/nvme/target/core.c:7: In file included from include/linux/string.h:254: include/linux/fortify-string.h:592:4: error: call to '__read_overflow2_field' declared with 'warning' attribute: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] __read_overflow2_field(q_size_field, size); ^ Change this one to use the correct field name to avoid the warning. Fixes: 5c629dc9609dc ("nvme: use struct group for generic command dwords") Signed-off-by: Arnd Bergmann Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit cac037db24732433989160c88b36f6db011be2e5 Author: Arnd Bergmann Date: Wed Jan 3 16:56:55 2024 +0100 nvmet: re-fix tracing strncpy() warning [ Upstream commit 4ee7ffeb4ce50c80bc4504db6f39b25a2df6bcf4 ] An earlier patch had tried to address a warning about a string copy with missing zero termination: drivers/nvme/target/trace.h:52:3: warning: ‘strncpy’ specified bound 32 equals destination size [-Wstringop-truncation] The new version causes a different warning with some compiler versions, notably gcc-9 and gcc-10, and also misses the zero padding that was apparently done intentionally in the original code: drivers/nvme/target/trace.h:56:2: error: 'strncpy' specified bound depends on the length of the source argument [-Werror=stringop-overflow=] Change it to use strscpy_pad() with the original length, which will give a properly padded and zero-terminated string as well as avoiding the warning. Fixes: d86481e924a7 ("nvmet: use min of device_path and disk len") Signed-off-by: Arnd Bergmann Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit e92fe6f51b1d788f9db6163dabcee9c16894607e Author: Christoph Niedermaier Date: Sun Dec 24 10:32:09 2023 +0100 serial: imx: Correct clock error message in function probe() [ Upstream commit 3e189470cad27d41a3a9dc02649f965b7ed1c90f ] Correct the clock error message by changing the clock name. Fixes: 1e512d45332b ("serial: imx: add error messages when .probe fails") Signed-off-by: Christoph Niedermaier Reviewed-by: Uwe Kleine-König Link: https://lore.kernel.org/r/20231224093209.2612-1-cniedermaier@dh-electronics.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 938b88a2d9ca6793fa55c81b8b4c17d09633ec54 Author: Chunfeng Yun Date: Thu Jan 4 14:16:39 2024 +0800 usb: xhci-mtk: fix a short packet issue of gen1 isoc-in transfer [ Upstream commit 017dbfc05c31284150819890b4cc86a699cbdb71 ] For Gen1 isoc-in transfer, host still send out unexpected ACK after device finish the burst with a short packet, this will cause an exception on the connected device, such as, a usb 4k camera. It can be fixed by setting rxfifo depth less than 4k bytes, prefer to use 3k here, the side-effect is that may cause performance drop about 10%, including bulk transfer. Fixes: 926d60ae64a6 ("usb: xhci-mtk: modify the SOF/ITP interval for mt8195") Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Chunfeng Yun Link: https://lore.kernel.org/r/20240104061640.7335-2-chunfeng.yun@mediatek.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9d4fa5fe2b1d56662afd14915a73b4d0783ffa45 Author: Fedor Pchelkin Date: Thu Dec 28 19:07:43 2023 +0300 apparmor: avoid crash when parsed profile name is empty [ Upstream commit 55a8210c9e7d21ff2644809699765796d4bfb200 ] When processing a packed profile in unpack_profile() described like "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}" a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then passed to aa_splitn_fqname(). aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace. Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later aa_alloc_profile() crashes as the new profile name is NULL now. general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:strlen+0x1e/0xa0 Call Trace: ? strlen+0x1e/0xa0 aa_policy_init+0x1bb/0x230 aa_alloc_profile+0xb1/0x480 unpack_profile+0x3bc/0x4960 aa_unpack+0x309/0x15e0 aa_replace_profiles+0x213/0x33c0 policy_update+0x261/0x370 profile_replace+0x20e/0x2a0 vfs_write+0x2af/0xe00 ksys_write+0x126/0x250 do_syscall_64+0x46/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 ---[ end trace 0000000000000000 ]--- RIP: 0010:strlen+0x1e/0xa0 It seems such behaviour of aa_splitn_fqname() is expected and checked in other places where it is called (e.g. aa_remove_profiles). Well, there is an explicit comment "a ns name without a following profile is allowed" inside. AFAICS, nothing can prevent unpacked "name" to be in form like ":samba-dcerpcd" - it is passed from userspace. Deny the whole profile set replacement in such case and inform user with EPROTO and an explaining message. Found by Linux Verification Center (linuxtesting.org). Fixes: 04dc715e24d0 ("apparmor: audit policy ns specified in policy load") Signed-off-by: Fedor Pchelkin Signed-off-by: John Johansen Signed-off-by: Sasha Levin commit 3a461018710f3545193b583eb66d030fa93b3eab Author: Jim Harris Date: Fri Nov 3 20:18:34 2023 +0000 cxl/region: fix x9 interleave typo [ Upstream commit c7ad3dc3649730af483ee1e78be5d0362da25bfe ] CXL supports x3, x6 and x12 - not x9. Fixes: 80d10a6cee050 ("cxl/region: Add interleave geometry attributes") Signed-off-by: Jim Harris Reviewed-by: Dave Jiang Reviewed-by: Fan Ni Link: https://lore.kernel.org/r/169904271254.204936.8580772404462743630.stgit@ubuntu Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit 16cbe4bad847e415cccbb077ae07d2e94c5d5361 Author: Ian Rogers Date: Wed Dec 6 17:46:55 2023 -0800 perf env: Avoid recursively taking env->bpf_progs.lock [ Upstream commit 9c51f8788b5d4e9f46afbcf563255cfd355690b3 ] Add variants of perf_env__insert_bpf_prog_info(), perf_env__insert_btf() and perf_env__find_btf prefixed with __ to indicate the env->bpf_progs.lock is assumed held. Call these variants when the lock is held to avoid recursively taking it and potentially having a thread deadlock with itself. Fixes: f8dfeae009effc0b ("perf bpf: Show more BPF program info in print_bpf_prog_info()") Signed-off-by: Ian Rogers Acked-by: Jiri Olsa Acked-by: Song Liu Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Huacai Chen Cc: Ingo Molnar Cc: K Prateek Nayak Cc: Kan Liang Cc: Mark Rutland Cc: Ming Wang Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Ravi Bangoria Link: https://lore.kernel.org/r/20231207014655.1252484-1-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 83ccd15717ee2b6143df72df39685f0c832e3451 Author: Maurizio Lombardi Date: Fri Dec 22 16:17:49 2023 +0100 nvmet-tcp: fix a crash in nvmet_req_complete() [ Upstream commit 0849a5441358cef02586fb2d60f707c0db195628 ] in nvmet_tcp_handle_h2c_data_pdu(), if the host sends a data_offset different from rbytes_done, the driver ends up calling nvmet_req_complete() passing a status error. The problem is that at this point cmd->req is not yet initialized, the kernel will crash after dereferencing a NULL pointer. Fix the bug by replacing the call to nvmet_req_complete() with nvmet_tcp_fatal_error(). Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver") Reviewed-by: Keith Busch Reviewed-by: Sagi Grimberg Signed-off-by: Maurizio Lombardi Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit 2871aa407007f6f531fae181ad252486e022df42 Author: Maurizio Lombardi Date: Fri Dec 22 16:17:48 2023 +0100 nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length [ Upstream commit efa56305908ba20de2104f1b8508c6a7401833be ] If the host sends an H2CData command with an invalid DATAL, the kernel may crash in nvmet_tcp_build_pdu_iovec(). Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 lr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp] Call trace: process_one_work+0x174/0x3c8 worker_thread+0x2d0/0x3e8 kthread+0x104/0x110 Fix the bug by raising a fatal error if DATAL isn't coherent with the packet size. Also, the PDU length should never exceed the MAXH2CDATA parameter which has been communicated to the host in nvmet_tcp_handle_icreq(). Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver") Signed-off-by: Maurizio Lombardi Reviewed-by: Sagi Grimberg Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit 8ed3eb92a56e335fd601593d0db4b39a234a42a7 Author: Christophe JAILLET Date: Thu Oct 20 21:21:09 2022 +0200 vdpa: Fix an error handling path in eni_vdpa_probe() [ Upstream commit c1b9f2c66eed3261db76cccd8a22a9affae8dcbf ] After a successful vp_legacy_probe() call, vp_legacy_remove() should be called in the error handling path, as already done in the remove function. Add the missing call. Fixes: e85087beedca ("eni_vdpa: add vDPA driver for Alibaba ENI") Signed-off-by: Christophe JAILLET Message-Id: Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: Sasha Levin commit b2cb99d26e15710124c2d82536094eca997cdf2b Author: Nícolas F. R. A. Prado Date: Wed Dec 6 15:17:24 2023 -0800 spmi: mtk-pmif: Serialize PMIF status check and command submission [ Upstream commit f200fff8d019f2754f91f5d715652e3e3fdf3604 ] Before writing the read or write command to the SPMI arbiter through the PMIF interface, the current status of the channel is checked to ensure it is idle. However, since the status only changes from idle when the command is written, it is possible for two concurrent calls to determine that the channel is idle and simultaneously send their commands. At this point the PMIF interface hangs, with the status register no longer being updated, and thus causing all subsequent operations to time out. This was observed on the mt8195-cherry-tomato-r2 machine, particularly after commit 46600ab142f8 ("regulator: Set PROBE_PREFER_ASYNCHRONOUS for drivers between 5.10 and 5.15") was applied, since then the two MT6315 devices present on the SPMI bus would probe assynchronously and sometimes (during probe or at a later point) read the bus simultaneously, breaking the PMIF interface and consequently slowing down the whole system. To fix the issue at its root cause, introduce locking around the channel status check and the command write, so that both become an atomic operation, preventing race conditions between two (or more) SPMI bus read/write operations. A spinlock is used since this is a fast bus, as indicated by the usage of the atomic variant of readl_poll, and '.fast_io = true' being used in the mt6315 driver, so spinlocks are already used for the regmap access. Fixes: b45b3ccef8c0 ("spmi: mediatek: Add support for MT6873/8192") Signed-off-by: Nícolas F. R. A. Prado Link: https://lore.kernel.org/r/20230724154739.493724-1-nfraprado@collabora.com Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Alexandre Mergnat Signed-off-by: Stephen Boyd Link: https://lore.kernel.org/r/20231206231733.4031901-2-sboyd@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 28a45e15c8fb20b333fc2f1e22978f0b938b243b Author: Oliver Neukum Date: Thu Dec 7 14:26:30 2023 +0100 usb: cdc-acm: return correct error code on unsupported break [ Upstream commit 66aad7d8d3ec5a3a8ec2023841bcec2ded5f65c9 ] In ACM support for sending breaks to devices is optional. If a device says that it doenot support sending breaks, the host must respect that. Given the number of optional features providing tty operations for each combination is not practical and errors need to be returned dynamically if unsupported features are requested. In case a device does not support break, we want the tty layer to treat that like it treats drivers that statically cannot support sending a break. It ignores the inability and does nothing. This patch uses EOPNOTSUPP to indicate that. Signed-off-by: Oliver Neukum Fixes: 9e98966c7bb94 ("tty: rework break handling") Link: https://lore.kernel.org/r/20231207132639.18250-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8fd48981a79fad62ddbc958875a3ba931bf23f85 Author: Jiri Slaby (SUSE) Date: Tue Sep 19 10:51:56 2023 +0200 tty: use 'if' in send_break() instead of 'goto' [ Upstream commit 24f2cd019946fc2e88e632d2e24a34c2cc3f2be4 ] Now, the "jumped-over" code is simple enough to be put inside an 'if'. Do so to make it 'goto'-less. Signed-off-by: "Jiri Slaby (SUSE)" Link: https://lore.kernel.org/r/20230919085156.1578-16-jirislaby@kernel.org Signed-off-by: Greg Kroah-Hartman Stable-dep-of: 66aad7d8d3ec ("usb: cdc-acm: return correct error code on unsupported break") Signed-off-by: Sasha Levin commit 50608b54ad36e7418acd0f359fb9a47c32c9427a Author: Jiri Slaby (SUSE) Date: Tue Sep 19 10:51:55 2023 +0200 tty: don't check for signal_pending() in send_break() [ Upstream commit fd99392b643b824813df2edbaebe26a2136d31e6 ] msleep_interruptible() will check on its own. So no need to do the check in send_break() before calling the above. Signed-off-by: "Jiri Slaby (SUSE)" Link: https://lore.kernel.org/r/20230919085156.1578-15-jirislaby@kernel.org Signed-off-by: Greg Kroah-Hartman Stable-dep-of: 66aad7d8d3ec ("usb: cdc-acm: return correct error code on unsupported break") Signed-off-by: Sasha Levin commit 6f0cd560ff56236751f9655110653f16011bf94c Author: Jiri Slaby (SUSE) Date: Tue Sep 19 10:51:54 2023 +0200 tty: early return from send_break() on TTY_DRIVER_HARDWARE_BREAK [ Upstream commit 66619686d187b4a6395316b7f39881e945dce4bc ] If the driver sets TTY_DRIVER_HARDWARE_BREAK, we leave ops->break_ctl() to the driver and return from send_break(). But we do it using a local variable and keep the code flowing through the end of the function. Instead, do 'return' immediately with the ops->break_ctl()'s return value. This way, we don't have to stuff the 'else' branch of the 'if' with the software break handling. And we can re-indent the function too. Signed-off-by: "Jiri Slaby (SUSE)" Link: https://lore.kernel.org/r/20230919085156.1578-14-jirislaby@kernel.org Signed-off-by: Greg Kroah-Hartman Stable-dep-of: 66aad7d8d3ec ("usb: cdc-acm: return correct error code on unsupported break") Signed-off-by: Sasha Levin commit 8e426f249993f7e84d8aa29eae039d3fe2748d2b Author: Jiri Slaby (SUSE) Date: Thu Aug 10 11:14:39 2023 +0200 tty: change tty_write_lock()'s ndelay parameter to bool [ Upstream commit af815336556df28f800669c58ab3bdad7d786b98 ] It's a yes-no parameter, so convert it to bool to be obvious. Signed-off-by: "Jiri Slaby (SUSE)" Link: https://lore.kernel.org/r/20230810091510.13006-6-jirislaby@kernel.org Signed-off-by: Greg Kroah-Hartman Stable-dep-of: 66aad7d8d3ec ("usb: cdc-acm: return correct error code on unsupported break") Signed-off-by: Sasha Levin commit ed863a4d48fbddadf3b817be65c00c3bce47a243 Author: Namhyung Kim Date: Mon Dec 11 23:05:44 2023 -0800 perf genelf: Set ELF program header addresses properly [ Upstream commit 1af478903fc48c1409a8dd6b698383b62387adf1 ] The text section starts after the ELF headers so PHDR.p_vaddr and others should have the correct addresses. Fixes: babd04386b1df8c3 ("perf jit: Include program header in ELF files") Reviewed-by: Ian Rogers Signed-off-by: Namhyung Kim Cc: Adrian Hunter Cc: Fangrui Song Cc: Ingo Molnar Cc: Jiri Olsa Cc: Lieven Hey Cc: Milian Wolff Cc: Pablo Galindo Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20231212070547.612536-2-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 4cb5213213894dc8264557035f40057595760121 Author: Yicong Yang Date: Thu Dec 7 16:16:35 2023 +0800 perf hisi-ptt: Fix one memory leakage in hisi_ptt_process_auxtrace_event() [ Upstream commit 1bc479d665bc25a9a4e8168d5b400a47491511f9 ] ASan complains a memory leakage in hisi_ptt_process_auxtrace_event() that the data buffer is not freed. Since currently we only support the raw dump trace mode, the data buffer is used only within this function. So fix this by freeing the data buffer before going out. Fixes: 5e91e57e68090c0e ("perf auxtrace arm64: Add support for parsing HiSilicon PCIe Trace packet") Reviewed-by: Ian Rogers Signed-off-by: Yicong Yang Acked-by: Namhyung Kim Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ingo Molnar Cc: Jiri Olsa Cc: Jonathan Cameron Cc: Junhao He Cc: Mark Rutland Cc: Peter Zijlstra Cc: Qi Liu Link: https://lore.kernel.org/r/20231207081635.8427-3-yangyicong@huawei.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 8f02951cee26f6e5eda8e4e71b904d4dde1a0786 Author: Yicong Yang Date: Thu Dec 7 16:16:34 2023 +0800 perf header: Fix one memory leakage in perf_event__fprintf_event_update() [ Upstream commit 813900d19b923fc1b241c1ce292472f68066092b ] When dump the raw trace by `perf report -D` ASan reports a memory leakage in perf_event__fprintf_event_update(). It shows that we allocated a temporary cpumap for dumping the CPUs but doesn't release it and it's not used elsewhere. Fix this by free the cpumap after the dumping. Fixes: c853f9394b7bc189 ("perf tools: Add perf_event__fprintf_event_update function") Reviewed-by: Ian Rogers Signed-off-by: Yicong Yang Acked-by: Namhyung Kim Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ingo Molnar Cc: Jiri Olsa Cc: Jonathan Cameron Cc: Junhao He Cc: Mark Rutland Cc: Peter Zijlstra Cc: linuxarm@huawei.com Link: https://lore.kernel.org/r/20231207081635.8427-2-yangyicong@huawei.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit eeeb3861c2821c096eb9324c8d264d3f343bdad6 Author: Nuno Sa Date: Thu Dec 7 13:39:27 2023 +0100 iio: adc: ad9467: fix scale setting [ Upstream commit b73f08bb7fe5a0901646ca5ceaa1e7a2d5ee6293 ] When reading in_voltage_scale we can get something like: root@analog:/sys/bus/iio/devices/iio:device2# cat in_voltage_scale 0.038146 However, when reading the available options: root@analog:/sys/bus/iio/devices/iio:device2# cat in_voltage_scale_available 2000.000000 2100.000006 2200.000007 2300.000008 2400.000009 2500.000010 which does not make sense. Moreover, when trying to set a new scale we get an error because there's no call to __ad9467_get_scale() to give us values as given when reading in_voltage_scale. Fix it by computing the available scales during probe and properly pass the list when .read_available() is called. While at it, change to use .read_available() from iio_info. Also note that to properly fix this, adi-axi-adc.c has to be changed accordingly. Fixes: ad6797120238 ("iio: adc: ad9467: add support AD9467 ADC") Signed-off-by: Nuno Sa Reviewed-by: David Lechner Link: https://lore.kernel.org/r/20231207-iio-backend-prep-v2-4-a4a33bc4d70e@analog.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit e2b405b9853bf956a2091e8f059da248e3e652b7 Author: Nuno Sa Date: Thu Dec 7 13:39:25 2023 +0100 iio: adc: ad9467: don't ignore error codes [ Upstream commit e072e149cfb827e0ab4cafb0547e9658e35393cd ] Make sure functions that return errors are not ignored. Fixes: ad6797120238 ("iio: adc: ad9467: add support AD9467 ADC") Reviewed-by: David Lechner Signed-off-by: Nuno Sa Link: https://lore.kernel.org/r/20231207-iio-backend-prep-v2-2-a4a33bc4d70e@analog.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 89398709ae50e246ba49d797ac382de65bdd7ac0 Author: Nuno Sa Date: Thu Dec 7 13:39:24 2023 +0100 iio: adc: ad9467: fix reset gpio handling [ Upstream commit 76f028539cf360f750efd8cde560edda298e4c6b ] The reset gpio was being handled with inverted polarity. This means that as far as gpiolib is concerned we were actually leaving the pin asserted (in theory, this would mean reset). However, inverting the polarity in devicetree made things work. Fix it by doing it the proper way and how gpiolib expects it to be done. While at it, moved the handling to it's own function and dropped 'reset_gpio' from the 'struct ad9467_state' as we only need it during probe. On top of that, refactored things so that we now request the gpio asserted (i.e in reset) and then de-assert it. Also note that we now use gpiod_set_value_cansleep() instead of gpiod_direction_output() as we already request the pin as output. Fixes: ad6797120238 ("iio: adc: ad9467: add support AD9467 ADC") Reviewed-by: David Lechner Signed-off-by: Nuno Sa Link: https://lore.kernel.org/r/20231207-iio-backend-prep-v2-1-a4a33bc4d70e@analog.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit f33bdf21e1aebd80c3258ccc25dfbe02a9848e80 Author: Zhao Mengmeng Date: Tue Dec 5 21:56:05 2023 -0500 selftests/sgx: Skip non X86_64 platform [ Upstream commit 981cf568a8644161c2f15c02278ebc2834b51ba6 ] When building whole selftests on arm64, rsync gives an erorr about sgx: rsync: [sender] link_stat "/root/linux-next/tools/testing/selftests/sgx/test_encl.elf" failed: No such file or directory (2) rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1327) [sender=3.2.5] The root casue is sgx only used on X86_64, and shall be skipped on other platforms. Fix this by moving TEST_CUSTOM_PROGS and TEST_FILES inside the if check, then the build result will be "Skipping non-existent dir: sgx". Fixes: 2adcba79e69d ("selftests/x86: Add a selftest for SGX") Signed-off-by: Zhao Mengmeng Signed-off-by: Dave Hansen Reviewed-by: Jarkko Sakkinen Link: https://lore.kernel.org/all/20231206025605.3965302-1-zhaomzhao%40126.com Signed-off-by: Sasha Levin commit bf92b8210198f22940a5a9fc1ff0103658b79dbb Author: Jo Van Bulck Date: Thu Oct 5 17:38:44 2023 +0200 selftests/sgx: Include memory clobber for inline asm in test enclave [ Upstream commit 853a57a43ebdb8c024160c1a0990bae85f4bcc2f ] Add the "memory" clobber to the EMODPE and EACCEPT asm blocks to tell the compiler the assembly code accesses to the secinfo struct. This ensures the compiler treats the asm block as a memory barrier and the write to secinfo will be visible to ENCLU. Fixes: 20404a808593 ("selftests/sgx: Add test for EPCM permission changes") Signed-off-by: Jo Van Bulck Signed-off-by: Dave Hansen Reviewed-by: Kai Huang Reviewed-by: Jarkko Sakkinen Link: https://lore.kernel.org/all/20231005153854.25566-4-jo.vanbulck%40cs.kuleuven.be Signed-off-by: Sasha Levin commit 2cfae256a13095ed3fe78d7ec4e91ce5cf9d5536 Author: Jo Van Bulck Date: Thu Oct 5 17:38:43 2023 +0200 selftests/sgx: Fix uninitialized pointer dereferences in encl_get_entry [ Upstream commit b84fc2e0139ba4b23b8039bd7cfd242894fe8f8b ] Ensure sym_tab and sym_names are zero-initialized and add an early-out condition in the unlikely (erroneous) case that the enclave ELF file would not contain a symbol table. This addresses -Werror=maybe-uninitialized compiler warnings for gcc -O2. Fixes: 33c5aac3bf32 ("selftests/sgx: Test complete changing of page type flow") Signed-off-by: Jo Van Bulck Signed-off-by: Dave Hansen Reviewed-by: Jarkko Sakkinen Link: https://lore.kernel.org/all/20231005153854.25566-3-jo.vanbulck%40cs.kuleuven.be Signed-off-by: Sasha Levin commit eb41e7e8b4b3d462fd2d60ac1d7ec8d6da66cd33 Author: Jo Van Bulck Date: Thu Oct 5 17:38:42 2023 +0200 selftests/sgx: Fix uninitialized pointer dereference in error path [ Upstream commit 79eba8c924f7decfa71ddf187d38cb9f5f2cd7b3 ] Ensure ctx is zero-initialized, such that the encl_measure function will not call EVP_MD_CTX_destroy with an uninitialized ctx pointer in case of an early error during key generation. Fixes: 2adcba79e69d ("selftests/x86: Add a selftest for SGX") Signed-off-by: Jo Van Bulck Signed-off-by: Dave Hansen Reviewed-by: Jarkko Sakkinen Acked-by: Kai Huang Link: https://lore.kernel.org/all/20231005153854.25566-2-jo.vanbulck%40cs.kuleuven.be Signed-off-by: Sasha Levin commit 63ee7be01a3f7d28b1ea8b8d7944f12bb7b0ed06 Author: Paul Geurts Date: Fri Nov 24 14:11:10 2023 +0100 serial: imx: fix tx statemachine deadlock [ Upstream commit 78d60dae9a0c9f09aa3d6477c94047df2fe6f7b0 ] When using the serial port as RS485 port, the tx statemachine is used to control the RTS pin to drive the RS485 transceiver TX_EN pin. When the TTY port is closed in the middle of a transmission (for instance during userland application crash), imx_uart_shutdown disables the interface and disables the Transmission Complete interrupt. afer that, imx_uart_stop_tx bails on an incomplete transmission, to be retriggered by the TC interrupt. This interrupt is disabled and therefore the tx statemachine never transitions out of SEND. The statemachine is in deadlock now, and the TX_EN remains low, making the interface useless. imx_uart_stop_tx now checks for incomplete transmission AND whether TC interrupts are enabled before bailing to be retriggered. This makes sure the state machine handling is reached, and is properly set to WAIT_AFTER_SEND. Fixes: cb1a60923609 ("serial: imx: implement rts delaying for rs485") Signed-off-by: Paul Geurts Tested-by: Rasmus Villemoes Tested-by: Eberhard Stoll Link: https://lore.kernel.org/r/AM0PR09MB26758F651BC1B742EB45775995B8A@AM0PR09MB2675.eurprd09.prod.outlook.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 3f9ec4227e4406298e864e15b8b61421686a716c Author: Sakari Ailus Date: Thu Nov 9 12:10:09 2023 +0200 software node: Let args be NULL in software_node_get_reference_args [ Upstream commit 1eaea4b3604eb9ca7d9a1e73d88fc121bb4061f5 ] fwnode_get_property_reference_args() may not be called with args argument NULL and while OF already supports this. Add the missing NULL check. The purpose is to be able to count the references. Fixes: b06184acf751 ("software node: Add software_node_get_reference_args()") Signed-off-by: Sakari Ailus Reviewed-by: Andy Shevchenko Reviewed-by: Heikki Krogerus Link: https://lore.kernel.org/r/20231109101010.1329587-3-sakari.ailus@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 893c3ca250b04d254785a0f9a51101967e34d1ac Author: Sakari Ailus Date: Thu Nov 9 12:10:08 2023 +0200 acpi: property: Let args be NULL in __acpi_node_get_property_reference [ Upstream commit bef52aa0f3de1b7d8c258c13b16e577361dabf3a ] fwnode_get_property_reference_args() may not be called with args argument NULL on ACPI, OF already supports this. Add the missing NULL checks and document this. The purpose is to be able to count the references. Fixes: 977d5ad39f3e ("ACPI: Convert ACPI reference args to generic fwnode reference args") Signed-off-by: Sakari Ailus Reviewed-by: Andy Shevchenko Reviewed-by: Heikki Krogerus Link: https://lore.kernel.org/r/20231109101010.1329587-2-sakari.ailus@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 76be69716cad648239d94e8367624df6f24e3beb Author: Gregory Price Date: Mon Oct 30 00:42:39 2023 -0400 base/node.c: initialize the accessor list before registering [ Upstream commit 48b5928e18dc27e05cab3dc4c78cd8a15baaf1e5 ] The current code registers the node as available in the node array before initializing the accessor list. This makes it so that anything which might access the accessor list as a result of allocations will cause an undefined memory access. In one example, an extension to access hmat data during interleave caused this undefined access as a result of a bulk allocation that occurs during node initialization but before the accessor list is initialized. Initialize the accessor list before making the node generally available to the global system. Fixes: 08d9dbe72b1f ("node: Link memory nodes to their compute nodes") Signed-off-by: Gregory Price Link: https://lore.kernel.org/r/20231030044239.971756-1-gregory.price@memverge.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d5ef7480d64397dc5b91fd1d19d2c4e520870cf1 Author: Arnaldo Carvalho de Melo Date: Thu Nov 30 14:11:45 2023 -0300 libapi: Add missing linux/types.h header to get the __u64 type on io.h [ Upstream commit af76b2dec0984a079d8497bfa37d29a9b55932e1 ] There are functions using __u64, so we need to have the linux/types.h header otherwise we'll break when its not included before api/io.h. Fixes: e95770af4c4a280f ("tools api: Add a lightweight buffered reading api") Reviewed-by: Ian Rogers Cc: Adrian Hunter Cc: Jiri Olsa Cc: Namhyung Kim Link: https://lore.kernel.org/lkml/ZWjDPL+IzPPsuC3X@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit d74173bda29aba58f822175d983d07c8ed335494 Author: Uwe Kleine-König Date: Fri Nov 10 16:29:29 2023 +0100 serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed [ Upstream commit ad90d0358bd3b4554f243a425168fc7cebe7d04e ] Returning an error code from .remove() makes the driver core emit the little helpful error message: remove callback returned a non-zero value. This will be ignored. and then remove the device anyhow. So all resources that were not freed are leaked in this case. Skipping serial8250_unregister_port() has the potential to keep enough of the UART around to trigger a use-after-free. So replace the error return (and with it the little helpful error message) by a more useful error message and continue to cleanup. Fixes: e3f0c638f428 ("serial: 8250: omap: Fix unpaired pm_runtime_put_sync() in omap8250_remove()") Signed-off-by: Uwe Kleine-König Reviewed-by: Tony Lindgren Link: https://lore.kernel.org/r/20231110152927.70601-2-u.kleine-koenig@pengutronix.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e6fce099c9b4895ee67c53f021ca99da07f7a134 Author: Su Hui Date: Thu Nov 16 12:18:23 2023 +0800 power: supply: bq256xx: fix some problem in bq256xx_hw_init [ Upstream commit b55d073e6501dc6077edaa945a6dad8ac5c8bbab ] smatch complains that there is a buffer overflow and clang complains 'ret' is never read. Smatch error: drivers/power/supply/bq256xx_charger.c:1578 bq256xx_hw_init() error: buffer overflow 'bq256xx_watchdog_time' 4 <= 4 Clang static checker: Value stored to 'ret' is never read. Add check for buffer overflow and error code from regmap_update_bits(). Fixes: 32e4978bb920 ("power: supply: bq256xx: Introduce the BQ256XX charger driver") Signed-off-by: Su Hui Link: https://lore.kernel.org/r/20231116041822.1378758-1-suhui@nfschina.com Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit ddd3fe99b4fa65c5cb78a6076fb4be5bff431c25 Author: Jan Palus Date: Sat Nov 11 23:17:04 2023 +0100 power: supply: cw2015: correct time_to_empty units in sysfs [ Upstream commit f37669119423ca852ca855b24732f25c0737aa57 ] RRT_ALRT register holds remaining battery time in minutes therefore it needs to be scaled accordingly when exposing TIME_TO_EMPTY via sysfs expressed in seconds Fixes: b4c7715c10c1 ("power: supply: add CellWise cw2015 fuel gauge driver") Signed-off-by: Jan Palus Link: https://lore.kernel.org/r/20231111221704.5579-1-jpalus@fastmail.com Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 559e25126c1516818352b49eea3ad55d7ff2887d Author: Christophe JAILLET Date: Wed Jan 10 19:09:46 2024 +0100 MIPS: Alchemy: Fix an out-of-bound access in db1550_dev_setup() [ Upstream commit 3c1e5abcda64bed0c7bffa65af2316995f269a61 ] When calling spi_register_board_info(), Fixes: f869d42e580f ("MIPS: Alchemy: Improved DB1550 support, with audio and serial busses.") Signed-off-by: Christophe JAILLET Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 2504864be6fdcc2829babd01d22d3061fd21a9ac Author: Christophe JAILLET Date: Wed Jan 10 19:07:36 2024 +0100 MIPS: Alchemy: Fix an out-of-bound access in db1200_dev_setup() [ Upstream commit 89c4b588d11e9acf01d604de4b0c715884f59213 ] When calling spi_register_board_info(), we should pass the number of elements in 'db1200_spi_devs', not 'db1200_i2c_devs'. Fixes: 63323ec54a7e ("MIPS: Alchemy: Extended DB1200 board support.") Signed-off-by: Christophe JAILLET Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 69e9a6944df730353fb350057c37918fae2746ac Author: Frederik Haxel Date: Tue Dec 12 14:01:13 2023 +0100 riscv: Fixed wrong register in XIP_FIXUP_FLASH_OFFSET macro [ Upstream commit 5daa3726410288075ba73c336bb2e80d6b06aa4d ] During the refactoring, a bug was introduced in the rarly used XIP_FIXUP_FLASH_OFFSET macro. Fixes: bee7fbc38579 ("RISC-V CPU Idle Support") Fixes: e7681beba992 ("RISC-V: Split out the XIP fixups into their own file") Signed-off-by: Frederik Haxel Link: https://lore.kernel.org/r/20231212130116.848530-3-haxel@fzi.de Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit add57b5298bd4afe5ced536bdfecf0858eae0ee4 Author: Alexandre Ghiti Date: Wed Dec 13 14:40:27 2023 +0100 riscv: Fix set_direct_map_default_noflush() to reset _PAGE_EXEC [ Upstream commit b8b2711336f03ece539de61479d6ffc44fb603d3 ] When resetting the linear mapping permissions, we must make sure that we clear the X bit so that do not end up with WX mappings (since we set PAGE_KERNEL). Fixes: 395a21ff859c ("riscv: add ARCH_HAS_SET_DIRECT_MAP support") Signed-off-by: Alexandre Ghiti Link: https://lore.kernel.org/r/20231213134027.155327-3-alexghiti@rivosinc.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit b4f4d427653f3260c35698a7ad0ad6804cd9630b Author: Alexandre Ghiti Date: Wed Nov 8 08:59:30 2023 +0100 riscv: Fix set_memory_XX() and set_direct_map_XX() by splitting huge linear mappings [ Upstream commit 311cd2f6e25380cff0abc2884dc6a3d33bc9b5c3 ] When STRICT_KERNEL_RWX is set, any change of permissions on any kernel mapping (vmalloc/modules/kernel text...etc) should be applied on its linear mapping alias. The problem is that the riscv kernel uses huge mappings for the linear mapping and walk_page_range_novma() does not split those huge mappings. So this patchset implements such split in order to apply fine-grained permissions on the linear mapping. Below is the difference before and after (the first PUD mapping is split into PTE/PMD mappings): Before: ---[ Linear mapping ]--- 0xffffaf8000080000-0xffffaf8000200000 0x0000000080080000 1536K PTE D A G . . W R V 0xffffaf8000200000-0xffffaf8077c00000 0x0000000080200000 1914M PMD D A G . . W R V 0xffffaf8077c00000-0xffffaf8078800000 0x00000000f7c00000 12M PMD D A G . . . R V 0xffffaf8078800000-0xffffaf8078c00000 0x00000000f8800000 4M PMD D A G . . W R V 0xffffaf8078c00000-0xffffaf8079200000 0x00000000f8c00000 6M PMD D A G . . . R V 0xffffaf8079200000-0xffffaf807e600000 0x00000000f9200000 84M PMD D A G . . W R V 0xffffaf807e600000-0xffffaf807e716000 0x00000000fe600000 1112K PTE D A G . . W R V 0xffffaf807e717000-0xffffaf807e71a000 0x00000000fe717000 12K PTE D A G . . W R V 0xffffaf807e71d000-0xffffaf807e71e000 0x00000000fe71d000 4K PTE D A G . . W R V 0xffffaf807e722000-0xffffaf807e800000 0x00000000fe722000 888K PTE D A G . . W R V 0xffffaf807e800000-0xffffaf807fe00000 0x00000000fe800000 22M PMD D A G . . W R V 0xffffaf807fe00000-0xffffaf807ff54000 0x00000000ffe00000 1360K PTE D A G . . W R V 0xffffaf807ff55000-0xffffaf8080000000 0x00000000fff55000 684K PTE D A G . . W R V 0xffffaf8080000000-0xffffaf8400000000 0x0000000100000000 14G PUD D A G . . W R V After: ---[ Linear mapping ]--- 0xffffaf8000080000-0xffffaf8000200000 0x0000000080080000 1536K PTE D A G . . W R V 0xffffaf8000200000-0xffffaf8077c00000 0x0000000080200000 1914M PMD D A G . . W R V 0xffffaf8077c00000-0xffffaf8078800000 0x00000000f7c00000 12M PMD D A G . . . R V 0xffffaf8078800000-0xffffaf8078a00000 0x00000000f8800000 2M PMD D A G . . W R V 0xffffaf8078a00000-0xffffaf8078c00000 0x00000000f8a00000 2M PTE D A G . . W R V 0xffffaf8078c00000-0xffffaf8079200000 0x00000000f8c00000 6M PMD D A G . . . R V 0xffffaf8079200000-0xffffaf807e600000 0x00000000f9200000 84M PMD D A G . . W R V 0xffffaf807e600000-0xffffaf807e716000 0x00000000fe600000 1112K PTE D A G . . W R V 0xffffaf807e717000-0xffffaf807e71a000 0x00000000fe717000 12K PTE D A G . . W R V 0xffffaf807e71d000-0xffffaf807e71e000 0x00000000fe71d000 4K PTE D A G . . W R V 0xffffaf807e722000-0xffffaf807e800000 0x00000000fe722000 888K PTE D A G . . W R V 0xffffaf807e800000-0xffffaf807fe00000 0x00000000fe800000 22M PMD D A G . . W R V 0xffffaf807fe00000-0xffffaf807ff54000 0x00000000ffe00000 1360K PTE D A G . . W R V 0xffffaf807ff55000-0xffffaf8080000000 0x00000000fff55000 684K PTE D A G . . W R V 0xffffaf8080000000-0xffffaf8080800000 0x0000000100000000 8M PMD D A G . . W R V 0xffffaf8080800000-0xffffaf8080af6000 0x0000000100800000 3032K PTE D A G . . W R V 0xffffaf8080af6000-0xffffaf8080af8000 0x0000000100af6000 8K PTE D A G . X . R V 0xffffaf8080af8000-0xffffaf8080c00000 0x0000000100af8000 1056K PTE D A G . . W R V 0xffffaf8080c00000-0xffffaf8081a00000 0x0000000100c00000 14M PMD D A G . . W R V 0xffffaf8081a00000-0xffffaf8081a40000 0x0000000101a00000 256K PTE D A G . . W R V 0xffffaf8081a40000-0xffffaf8081a44000 0x0000000101a40000 16K PTE D A G . X . R V 0xffffaf8081a44000-0xffffaf8081a52000 0x0000000101a44000 56K PTE D A G . . W R V 0xffffaf8081a52000-0xffffaf8081a54000 0x0000000101a52000 8K PTE D A G . X . R V ... 0xffffaf809e800000-0xffffaf80c0000000 0x000000011e800000 536M PMD D A G . . W R V 0xffffaf80c0000000-0xffffaf8400000000 0x0000000140000000 13G PUD D A G . . W R V Note that this also fixes memfd_secret() syscall which uses set_direct_map_invalid_noflush() and set_direct_map_default_noflush() to remove the pages from the linear mapping. Below is the kernel page table while a memfd_secret() syscall is running, you can see all the !valid page table entries in the linear mapping: ... 0xffffaf8082240000-0xffffaf8082241000 0x0000000102240000 4K PTE D A G . . W R . 0xffffaf8082241000-0xffffaf8082250000 0x0000000102241000 60K PTE D A G . . W R V 0xffffaf8082250000-0xffffaf8082252000 0x0000000102250000 8K PTE D A G . . W R . 0xffffaf8082252000-0xffffaf8082256000 0x0000000102252000 16K PTE D A G . . W R V 0xffffaf8082256000-0xffffaf8082257000 0x0000000102256000 4K PTE D A G . . W R . 0xffffaf8082257000-0xffffaf8082258000 0x0000000102257000 4K PTE D A G . . W R V 0xffffaf8082258000-0xffffaf8082259000 0x0000000102258000 4K PTE D A G . . W R . 0xffffaf8082259000-0xffffaf808225a000 0x0000000102259000 4K PTE D A G . . W R V 0xffffaf808225a000-0xffffaf808225c000 0x000000010225a000 8K PTE D A G . . W R . 0xffffaf808225c000-0xffffaf8082266000 0x000000010225c000 40K PTE D A G . . W R V 0xffffaf8082266000-0xffffaf8082268000 0x0000000102266000 8K PTE D A G . . W R . 0xffffaf8082268000-0xffffaf8082284000 0x0000000102268000 112K PTE D A G . . W R V 0xffffaf8082284000-0xffffaf8082288000 0x0000000102284000 16K PTE D A G . . W R . 0xffffaf8082288000-0xffffaf808229c000 0x0000000102288000 80K PTE D A G . . W R V 0xffffaf808229c000-0xffffaf80822a0000 0x000000010229c000 16K PTE D A G . . W R . 0xffffaf80822a0000-0xffffaf80822a5000 0x00000001022a0000 20K PTE D A G . . W R V 0xffffaf80822a5000-0xffffaf80822a6000 0x00000001022a5000 4K PTE D A G . . . R V 0xffffaf80822a6000-0xffffaf80822ab000 0x00000001022a6000 20K PTE D A G . . W R V ... And when the memfd_secret() fd is released, the linear mapping is correctly reset: ... 0xffffaf8082240000-0xffffaf80822a5000 0x0000000102240000 404K PTE D A G . . W R V 0xffffaf80822a5000-0xffffaf80822a6000 0x00000001022a5000 4K PTE D A G . . . R V 0xffffaf80822a6000-0xffffaf80822af000 0x00000001022a6000 36K PTE D A G . . W R V ... Signed-off-by: Alexandre Ghiti Link: https://lore.kernel.org/r/20231108075930.7157-3-alexghiti@rivosinc.com Signed-off-by: Palmer Dabbelt Stable-dep-of: b8b2711336f0 ("riscv: Fix set_direct_map_default_noflush() to reset _PAGE_EXEC") Signed-off-by: Sasha Levin commit d2ebb8143b6b5d0a5eeebf071ba1fd411490de95 Author: Alexandre Ghiti Date: Wed Dec 13 14:40:26 2023 +0100 riscv: Fix module_alloc() that did not reset the linear mapping permissions [ Upstream commit 749b94b08005929bbc636df21a23322733166e35 ] After unloading a module, we must reset the linear mapping permissions, see the example below: Before unloading a module: 0xffffaf809d65d000-0xffffaf809d6dc000 0x000000011d65d000 508K PTE . .. .. D A G . . W R V 0xffffaf809d6dc000-0xffffaf809d6dd000 0x000000011d6dc000 4K PTE . .. .. D A G . . . R V 0xffffaf809d6dd000-0xffffaf809d6e1000 0x000000011d6dd000 16K PTE . .. .. D A G . . W R V 0xffffaf809d6e1000-0xffffaf809d6e7000 0x000000011d6e1000 24K PTE . .. .. D A G . X . R V After unloading a module: 0xffffaf809d65d000-0xffffaf809d6e1000 0x000000011d65d000 528K PTE . .. .. D A G . . W R V 0xffffaf809d6e1000-0xffffaf809d6e7000 0x000000011d6e1000 24K PTE . .. .. D A G . X W R V The last mapping is not reset and we end up with WX mappings in the linear mapping. So add VM_FLUSH_RESET_PERMS to our module_alloc() definition. Fixes: 0cff8bff7af8 ("riscv: avoid the PIC offset of static percpu data in module beyond 2G limits") Signed-off-by: Alexandre Ghiti Link: https://lore.kernel.org/r/20231213134027.155327-2-alexghiti@rivosinc.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 890cfe5337e0aaf03ece1429db04d23c88da72e7 Author: Alexandre Ghiti Date: Thu Dec 14 10:19:26 2023 +0100 riscv: Check if the code to patch lies in the exit section [ Upstream commit 420370f3ae3d3b883813fd3051a38805160b2b9f ] Otherwise we fall through to vmalloc_to_page() which panics since the address does not lie in the vmalloc region. Fixes: 043cb41a85de ("riscv: introduce interfaces to patch kernel code") Signed-off-by: Alexandre Ghiti Reviewed-by: Charlie Jenkins Link: https://lore.kernel.org/r/20231214091926.203439-1-alexghiti@rivosinc.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 9ad0ab0bbc210df0b7d8efdb0da39971437fc13a Author: Serge Semin Date: Sat Dec 2 14:14:19 2023 +0300 mips: Fix incorrect max_low_pfn adjustment [ Upstream commit 0f5cc249ff73552d3bd864e62f85841dafaa107d ] max_low_pfn variable is incorrectly adjusted if the kernel is built with high memory support and the later is detected in a running system, so the memory which actually can be directly mapped is getting into the highmem zone. See the ZONE_NORMAL range on my MIPS32r5 system: > Zone ranges: > DMA [mem 0x0000000000000000-0x0000000000ffffff] > Normal [mem 0x0000000001000000-0x0000000007ffffff] > HighMem [mem 0x0000000008000000-0x000000020fffffff] while the zones are supposed to look as follows: > Zone ranges: > DMA [mem 0x0000000000000000-0x0000000000ffffff] > Normal [mem 0x0000000001000000-0x000000001fffffff] > HighMem [mem 0x0000000020000000-0x000000020fffffff] Even though the physical memory within the range [0x08000000;0x20000000] belongs to MMIO on our system, we don't really want it to be considered as high memory since on MIPS32 that range still can be directly mapped. Note there might be other problems caused by the max_low_pfn variable misconfiguration. For instance high_memory variable is initialize with virtual address corresponding to the max_low_pfn PFN, and by design it must define the upper bound on direct map memory, then end of the normal zone. That in its turn potentially may cause problems in accessing the memory by means of the /dev/mem and /dev/kmem devices. Let's fix the discovered misconfiguration then. It turns out the commit a94e4f24ec83 ("MIPS: init: Drop boot_mem_map") didn't introduce the max_low_pfn adjustment quite correct. If the kernel is built with high memory support and the system is equipped with high memory, the max_low_pfn variable will need to be initialized with PFN of the most upper directly reachable memory address so the zone normal would be correctly setup. On MIPS that PFN corresponds to PFN_DOWN(HIGHMEM_START). If the system is built with no high memory support and one is detected in the running system, we'll just need to adjust the max_pfn variable to discard the found high memory from the system and leave the max_low_pfn as is, since the later will be less than PFN_DOWN(HIGHMEM_START) anyway by design of the for_each_memblock() loop performed a bit early in the bootmem_init() method. Fixes: a94e4f24ec83 ("MIPS: init: Drop boot_mem_map") Signed-off-by: Serge Semin Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 1961a29b89e8166647728fb815e5d9a81c543c4d Author: Serge Semin Date: Sat Dec 2 14:14:18 2023 +0300 mips: dmi: Fix early remap on MIPS32 [ Upstream commit 0d0a3748a2cb38f9da1f08d357688ebd982eb788 ] dmi_early_remap() has been defined as ioremap_cache() which on MIPS32 gets to be converted to the VM-based mapping. DMI early remapping is performed at the setup_arch() stage with no VM available. So calling the dmi_early_remap() for MIPS32 causes the system to crash at the early boot time. Fix that by converting dmi_early_remap() to the uncached remapping which is always available on both 32 and 64-bits MIPS systems. Note this change shall not cause any regressions on the current DMI support implementation because on the early boot-up stage neither MIPS32 nor MIPS64 has the cacheable ioremapping support anyway. Fixes: be8fa1cb444c ("MIPS: Add support for Desktop Management Interface (DMI)") Signed-off-by: Serge Semin Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit e3411940637c136487371b00102a4e695f77e3e4 Author: Andy Shevchenko Date: Mon Dec 11 13:14:41 2023 +0200 mfd: intel-lpss: Fix the fractional clock divider flags [ Upstream commit 03d790f04fb2507173913cad9c213272ac983a60 ] The conversion to CLK_FRAC_DIVIDER_POWER_OF_TWO_PS uses wrong flags in the parameters and hence miscalculates the values in the clock divider. Fix this by applying the flag to the proper parameter. Fixes: 82f53f9ee577 ("clk: fractional-divider: Introduce POWER_OF_TWO_PS flag") Signed-off-by: Andy Shevchenko Reported-by: Alex Vinarskis Link: https://lore.kernel.org/r/20231211111441.3910083-1-andriy.shevchenko@linux.intel.com Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 7fdc6c187ea0cfbc7b29f6540d1e9e3637e2fb66 Author: Dang Huynh Date: Fri Nov 3 18:42:03 2023 +0700 leds: aw2013: Select missing dependency REGMAP_I2C [ Upstream commit 75469bb0537ad2ab0fc1fb6e534a79cfc03f3b3f ] The AW2013 driver uses devm_regmap_init_i2c, so REGMAP_I2C needs to be selected. Otherwise build process may fail with: ld: drivers/leds/leds-aw2013.o: in function `aw2013_probe': leds-aw2013.c:345: undefined reference to `__devm_regmap_init_i2c' Signed-off-by: Dang Huynh Acked-by: Nikita Travkin Fixes: 59ea3c9faf32 ("leds: add aw2013 driver") Link: https://lore.kernel.org/r/20231103114203.1108922-1-danct12@riseup.net Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 527e8c5f3d00299822612c495d5adf1f8f43c001 Author: Kunwu Chan Date: Mon Dec 4 17:24:43 2023 +0800 mfd: syscon: Fix null pointer dereference in of_syscon_register() [ Upstream commit 41673c66b3d0c09915698fec5c13b24336f18dd1 ] kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config") Signed-off-by: Kunwu Chan Reviewed-by: Arnd Bergmann Link: https://lore.kernel.org/r/20231204092443.2462115-1-chentao@kylinos.cn Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit ac3b65cbc68deeabc6100e7bac254416675a7052 Author: Randy Dunlap Date: Tue Nov 7 01:36:03 2023 +0100 ARM: 9330/1: davinci: also select PINCTRL [ Upstream commit f54e8634d1366926c807e2af6125b33cff555fa7 ] kconfig warns when PINCTRL_SINGLE is selected but PINCTRL is not set, so also set PINCTRL for ARCH_DAVINCI. This prevents a kconfig/build warning: WARNING: unmet direct dependencies detected for PINCTRL_SINGLE Depends on [n]: PINCTRL [=n] && OF [=y] && HAS_IOMEM [=y] Selected by [y]: - ARCH_DAVINCI [=y] && ARCH_MULTI_V5 [=y] Closes: lore.kernel.org/r/202311070548.0f6XfBrh-lkp@intel.com Fixes: f962396ce292 ("ARM: davinci: support multiplatform build for ARM v5") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Bartosz Golaszewski Cc: Arnd Bergmann Cc: linux-arm-kernel@lists.infradead.org Cc: patches@armlinux.org.uk Signed-off-by: Russell King (Oracle) Signed-off-by: Sasha Levin commit d2ba8eea74af63f6104c1044a881ede07218a111 Author: Hugo Villeneuve Date: Thu Dec 21 18:18:10 2023 -0500 serial: sc16is7xx: set safe default SPI clock frequency commit 3ef79cd1412236d884ab0c46b4d1921380807b48 upstream. 15 MHz is supported only by 76x variants. If the SPI clock frequency is not specified, use a safe default clock value of 4 MHz that is supported by all variants. Also use HZ_PER_MHZ macro to improve readability. Fixes: 2c837a8a8f9f ("sc16is7xx: spi interface is added") Cc: Signed-off-by: Hugo Villeneuve Link: https://lore.kernel.org/r/20231221231823.2327894-4-hugo@hugovil.com Signed-off-by: Greg Kroah-Hartman commit 4f61154a683de9bf31254ea4e5820b00fe3bdf0d Author: Hugo Villeneuve Date: Thu Dec 21 18:18:09 2023 -0500 serial: sc16is7xx: add check for unsupported SPI modes during probe commit 6d710b769c1f5f0d55c9ad9bb49b7dce009ec103 upstream. The original comment is confusing because it implies that variants other than the SC16IS762 supports other SPI modes beside SPI_MODE_0. Extract from datasheet: The SC16IS762 differs from the SC16IS752 in that it supports SPI clock speeds up to 15 Mbit/s instead of the 4 Mbit/s supported by the SC16IS752... In all other aspects, the SC16IS762 is functionally and electrically the same as the SC16IS752. The same is also true of the SC16IS760 variant versus the SC16IS740 and SC16IS750 variants. For all variants, only SPI mode 0 is supported. Change comment and abort probing if the specified SPI mode is not SPI_MODE_0. Fixes: 2c837a8a8f9f ("sc16is7xx: spi interface is added") Cc: Signed-off-by: Hugo Villeneuve Link: https://lore.kernel.org/r/20231221231823.2327894-3-hugo@hugovil.com Signed-off-by: Greg Kroah-Hartman commit f09b277f736c0e9f4b991b29116441d4ca10d09a Author: Jason Gerecke Date: Tue Dec 19 13:33:43 2023 -0800 HID: wacom: Correct behavior when processing some confidence == false touches commit 502296030ec6b0329e00f9fb15018e170cc63037 upstream. There appear to be a few different ways that Wacom devices can deal with confidence: 1. If the device looses confidence in a touch, it will first clear the tipswitch flag in one report, and then clear the confidence flag in a second report. This behavior is used by e.g. DTH-2452. 2. If the device looses confidence in a touch, it will clear both the tipswitch and confidence flags within the same report. This behavior is used by some AES devices. 3. If the device looses confidence in a touch, it will clear *only* the confidence bit. The tipswitch bit will remain set so long as the touch is tracked. This behavior may be used in future devices. The driver does not currently handle situation 3 properly. Touches that loose confidence will remain "in prox" and essentially frozen in place until the tipswitch bit is finally cleared. Not only does this result in userspace seeing a stuck touch, but it also prevents pen arbitration from working properly (the pen won't send events until all touches are up, but we don't currently process events from non-confident touches). This commit centralizes the checking of the confidence bit in the wacom_wac_finger_slot() function and has 'prox' depend on it. In the case where situation 3 is encountered, the treat the touch as though it was removed, allowing both userspace and the pen arbitration to act normally. Signed-off-by: Tatsunosuke Tobita Signed-off-by: Ping Cheng Signed-off-by: Jason Gerecke Fixes: 7fb0413baa7f ("HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts") Cc: stable@vger.kernel.org Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 710bd468604b949d222e48eb3b8ce1782aa96d58 Author: Marcelo Schmitt Date: Sat Dec 16 14:46:11 2023 -0300 iio: adc: ad7091r: Pass iio_dev to event handler commit a25a7df518fc71b1ba981d691e9322e645d2689c upstream. Previous version of ad7091r event handler received the ADC state pointer and retrieved the iio device from driver data field with dev_get_drvdata(). However, no driver data have ever been set, which led to null pointer dereference when running the event handler. Pass the iio device to the event handler and retrieve the ADC state struct from it so we avoid the null pointer dereference and save the driver from filling the driver data field. Fixes: ca69300173b6 ("iio: adc: Add support for AD7091R5 ADC") Signed-off-by: Marcelo Schmitt Link: https://lore.kernel.org/r/5024b764107463de9578d5b3b0a3d5678e307b1a.1702746240.git.marcelo.schmitt1@gmail.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit dba788e25f05209adf2b0175eb1691dc89fb1ba6 Author: Oliver Upton Date: Thu Jan 4 18:32:32 2024 +0000 KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache commit ad362fe07fecf0aba839ff2cc59a3617bd42c33f upstream. There is a potential UAF scenario in the case of an LPI translation cache hit racing with an operation that invalidates the cache, such as a DISCARD ITS command. The root of the problem is that vgic_its_check_cache() does not elevate the refcount on the vgic_irq before dropping the lock that serializes refcount changes. Have vgic_its_check_cache() raise the refcount on the returned vgic_irq and add the corresponding decrement after queueing the interrupt. Cc: stable@vger.kernel.org Signed-off-by: Oliver Upton Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20240104183233.3560639-1-oliver.upton@linux.dev Signed-off-by: Greg Kroah-Hartman commit 8a4f6a176a43e204141f17520b96b84f4820165e Author: Marc Zyngier Date: Sun Dec 17 11:15:09 2023 +0000 KVM: arm64: vgic-v4: Restore pending state on host userspace write commit 7b95382f965133ef61ce44aaabc518c16eb46909 upstream. When the VMM writes to ISPENDR0 to set the state pending state of an SGI, we fail to convey this to the HW if this SGI is already backed by a GICv4.1 vSGI. This is a bit of a corner case, as this would only occur if the vgic state is changed on an already running VM, but this can apparently happen across a guest reset driven by the VMM. Fix this by always writing out the pending_latch value to the HW, and reseting it to false. Reported-by: Kunkun Jiang Signed-off-by: Marc Zyngier Reviewed-by: Zenghui Yu Cc: stable@vger.kernel.org # 5.10+ Link: https://lore.kernel.org/r/7e7f2c0c-448b-10a9-8929-4b8f4f6e2a32@huawei.com Signed-off-by: Greg Kroah-Hartman commit 455ebc191068f39c6cc02cf63b6007e8ec8f88ca Author: Kirill A. Shutemov Date: Tue Dec 5 03:45:01 2023 +0300 x86/kvm: Do not try to disable kvmclock if it was not enabled commit 1c6d984f523f67ecfad1083bb04c55d91977bb15 upstream. kvm_guest_cpu_offline() tries to disable kvmclock regardless if it is present in the VM. It leads to write to a MSR that doesn't exist on some configurations, namely in TDX guest: unchecked MSR access error: WRMSR to 0x12 (tried to write 0x0000000000000000) at rIP: 0xffffffff8110687c (kvmclock_disable+0x1c/0x30) kvmclock enabling is gated by CLOCKSOURCE and CLOCKSOURCE2 KVM paravirt features. Do not disable kvmclock if it was not enabled. Signed-off-by: Kirill A. Shutemov Fixes: c02027b5742b ("x86/kvm: Disable kvmclock on all CPUs on shutdown") Reviewed-by: Sean Christopherson Reviewed-by: Vitaly Kuznetsov Cc: Paolo Bonzini Cc: Wanpeng Li Cc: stable@vger.kernel.org Message-Id: <20231205004510.27164-6-kirill.shutemov@linux.intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 88f4dd8b9f58369d521234cfe7db84f198b9b827 Author: qizhong cheng Date: Mon Dec 11 17:49:23 2023 +0800 PCI: mediatek: Clear interrupt status before dispatching handler commit 4e11c29873a8a296a20f99b3e03095e65ebf897d upstream. We found a failure when using the iperf tool during WiFi performance testing, where some MSIs were received while clearing the interrupt status, and these MSIs cannot be serviced. The interrupt status can be cleared even if the MSI status remains pending. As such, given the edge-triggered interrupt type, its status should be cleared before being dispatched to the handler of the underling device. [kwilczynski: commit log, code comment wording] Link: https://lore.kernel.org/linux-pci/20231211094923.31967-1-jianjun.wang@mediatek.com Fixes: 43e6409db64d ("PCI: mediatek: Add MSI support for MT2712 and MT7622") Signed-off-by: qizhong cheng Signed-off-by: Jianjun Wang Signed-off-by: Krzysztof Wilczyński [bhelgaas: rewrap comment] Signed-off-by: Bjorn Helgaas Reviewed-by: AngeloGioacchino Del Regno Cc: Signed-off-by: Greg Kroah-Hartman commit 0c883bc9fa299039707de72ad5cc8fb58b73fbeb Author: Niklas Cassel Date: Tue Nov 28 14:22:30 2023 +0100 PCI: dwc: endpoint: Fix dw_pcie_ep_raise_msix_irq() alignment support commit 2217fffcd63f86776c985d42e76daa43a56abdf1 upstream. Commit 6f5e193bfb55 ("PCI: dwc: Fix dw_pcie_ep_raise_msix_irq() to get correct MSI-X table address") modified dw_pcie_ep_raise_msix_irq() to support iATUs which require a specific alignment. However, this support cannot have been properly tested. The whole point is for the iATU to map an address that is aligned, using dw_pcie_ep_map_addr(), and then let the writel() write to ep->msi_mem + aligned_offset. Thus, modify the address that is mapped such that it is aligned. With this change, dw_pcie_ep_raise_msix_irq() matches the logic in dw_pcie_ep_raise_msi_irq(). Link: https://lore.kernel.org/linux-pci/20231128132231.2221614-1-nks@flawful.org Fixes: 6f5e193bfb55 ("PCI: dwc: Fix dw_pcie_ep_raise_msix_irq() to get correct MSI-X table address") Signed-off-by: Niklas Cassel Signed-off-by: Krzysztof Wilczyński Reviewed-by: Manivannan Sadhasivam Cc: stable@vger.kernel.org # 5.7 Cc: Kishon Vijay Abraham I Signed-off-by: Greg Kroah-Hartman commit d3c08d1015fae93ec912e6ca985e4f2ecf9323e7 Author: Tadeusz Struk Date: Mon Nov 13 19:03:25 2023 +0100 PCI/P2PDMA: Remove reference to pci_p2pdma_map_sg() commit 9a000a72af75886e5de13f4edef7f0d788622e7d upstream. Update Documentation/driver-api/pci/p2pdma.rst doc and remove references to obsolete p2pdma mapping functions. Fixes: 0d06132fc84b ("PCI/P2PDMA: Remove pci_p2pdma_[un]map_sg()") Link: https://lore.kernel.org/r/20231113180325.444692-1-tstruk@gmail.com Signed-off-by: Tadeusz Struk Signed-off-by: Bjorn Helgaas Reviewed-by: Logan Gunthorpe Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit 970c0899a4ac35b642ca10e43b6ae26073f9bcdd Author: Huang Ying Date: Fri Dec 8 11:06:36 2023 +0800 cxl/port: Fix decoder initialization when nr_targets > interleave_ways commit d6488fee66472b468ed88d265b14aa3f04dc3bdf upstream. The decoder_populate_targets() helper walks all of the targets in a port and makes sure they can be looked up in @target_map. Where @target_map is a lookup table from target position to target id (corresponding to a cxl_dport instance). However @target_map is only responsible for conveying the active dport instances as indicated by interleave_ways. When nr_targets > interleave_ways it results in decoder_populate_targets() walking off the end of the valid entries in @target_map. Given target_map is initialized to 0 it results in the dport lookup failing if position 0 is not mapped to a dport with an id of 0: cxl_port port3: Failed to populate active decoder targets cxl_port port3: Failed to add decoder cxl_port port3: Failed to add decoder3.0 cxl_bus_probe: cxl_port port3: probe: -6 This bug also highlights that when the decoder's ->targets[] array is written in cxl_port_setup_targets() it is missing a hold of the targets_lock to synchronize against sysfs readers of the target list. A fix for that is saved for a later patch. Fixes: a5c258021689 ("cxl/bus: Populate the target list at decoder create") Cc: Signed-off-by: Huang, Ying [djbw: rewrite the changelog, find the Fixes: tag] Co-developed-by: Dan Williams Reviewed-by: Alison Schofield Reviewed-by: Dave Jiang Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit 23f974910862e9b959a4a35b019bcd8c7e295eb4 Author: Nicolas Dichtel Date: Mon Jan 8 10:41:02 2024 +0100 Revert "net: rtnetlink: Enslave device before bringing it up" commit ec4ffd100ffb396eca13ebe7d18938ea80f399c3 upstream. This reverts commit a4abfa627c3865c37e036bccb681619a50d3d93c. The patch broke: > ip link set dummy0 up > ip link set dummy0 master bond0 down This last command is useful to be able to enslave an interface with only one netlink message. After discussion, there is no good reason to support: > ip link set dummy0 down > ip link set dummy0 master bond0 up because the bond interface already set the slave up when it is up. Cc: stable@vger.kernel.org Fixes: a4abfa627c38 ("net: rtnetlink: Enslave device before bringing it up") Signed-off-by: Nicolas Dichtel Reviewed-by: Jiri Pirko Reviewed-by: Hangbin Liu Link: https://lore.kernel.org/r/20240108094103.2001224-2-nicolas.dichtel@6wind.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit f2ddfc7d3a9c90ca5d7747489d820d93bbea9fef Author: David Lin Date: Fri Dec 15 08:51:18 2023 +0800 wifi: mwifiex: configure BSSID consistently when starting AP commit f0dd488e11e71ac095df7638d892209c629d9af2 upstream. AP BSSID configuration is missing at AP start. Without this fix, FW returns STA interface MAC address after first init. When hostapd restarts, it gets MAC address from netdev before driver sets STA MAC to netdev again. Now MAC address between hostapd and net interface are different causes STA cannot connect to AP. After that MAC address of uap0 mlan0 become the same. And issue disappears after following hostapd restart (another issue is AP/STA MAC address become the same). This patch fixes the issue cleanly. Signed-off-by: David Lin Fixes: 12190c5d80bd ("mwifiex: add cfg80211 start_ap and stop_ap handlers") Cc: stable@vger.kernel.org Reviewed-by: Francesco Dolcini Tested-by: Rafael Beims # Verdin iMX8MP/SD8997 SD Acked-by: Brian Norris Signed-off-by: Kalle Valo Link: https://msgid.link/20231215005118.17031-1-yu-hao.lin@nxp.com Signed-off-by: Greg Kroah-Hartman commit 54e1864b13f1628962a670bc643f438ca5b29866 Author: Ilpo Järvinen Date: Fri Nov 24 10:47:17 2023 +0200 wifi: rtlwifi: Convert LNKCTL change to PCIe cap RMW accessors commit 5894d0089cbc146063dcc0239a78ede0a8142efb upstream. The rtlwifi driver comes with custom code to write into PCIe Link Control register. RMW access for the Link Control register requires locking that is already provided by the standard PCIe capability accessors. Convert the custom RMW code writing into LNKCTL register to standard RMW capability accessors. The accesses are changed to cover the full LNKCTL register instead of touching just a single byte of the register. Fixes: 0c8173385e54 ("rtl8192ce: Add new driver") Cc: stable@vger.kernel.org Signed-off-by: Ilpo Järvinen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20231124084725.12738-3-ilpo.jarvinen@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 0075a5d69df6f471bf24651d688b7d7a32b5c44e Author: Ilpo Järvinen Date: Fri Nov 24 10:47:16 2023 +0200 wifi: rtlwifi: Remove bogus and dangerous ASPM disable/enable code commit b3943b3c2971444364e03224cfc828c5789deada upstream. Ever since introduction in the commit 0c8173385e54 ("rtl8192ce: Add new driver") the rtlwifi code has, according to comments, attempted to disable/enable ASPM of the upstream bridge by writing into its LNKCTL register. However, the code has never been correct because it performs the writes to the device instead of the upstream bridge. Worse yet, the offset where the PCIe capabilities reside is derived from the offset of the upstream bridge. As a result, the write will use an offset on the device that does not relate to the LNKCTL register making the ASPM disable/enable code outright dangerous. Because of those problems, there is no indication that the driver needs disable/enable ASPM on the upstream bridge. As the Capabilities offset is not correctly calculated for the write to target device's LNKCTL register, the code is not disabling/enabling device's ASPM either. Therefore, just remove the upstream bridge related ASPM disable/enable code entirely. The upstream bridge related ASPM code was the only user of the struct mp_adapter members num4bytes, pcibridge_pciehdr_offset, and pcibridge_linkctrlreg so those are removed as well. Note: This change does not remove the code related to changing the device's ASPM on purpose (which is independent of this flawed code related to upstream bridge's ASPM). Suggested-by: Bjorn Helgaas Fixes: 0c8173385e54 ("rtl8192ce: Add new driver") Fixes: 886e14b65a8f ("rtlwifi: Eliminate raw reads and writes from PCIe portion") Cc: stable@vger.kernel.org Signed-off-by: Ilpo Järvinen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20231124084725.12738-2-ilpo.jarvinen@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit debfa60412aff170bf0962ce87216962d46c3c9a Author: Christian Marangi Date: Wed Oct 18 15:09:37 2023 +0200 wifi: mt76: fix broken precal loading from MTD for mt7915 commit e874a79250b39447765ac13272b67ac36ccf2a75 upstream. Commit 495184ac91bb ("mt76: mt7915: add support for applying pre-calibration data") was fundamentally broken and never worked. The idea (before NVMEM support) was to expand the MTD function and pass an additional offset. For normal EEPROM load the offset would always be 0. For the purpose of precal loading, an offset was passed that was internally the size of EEPROM, since precal data is right after the EEPROM. Problem is that the offset value passed is never handled and is actually overwrite by offset = be32_to_cpup(list); ret = mtd_read(mtd, offset, len, &retlen, eep); resulting in the passed offset value always ingnored. (and even passing garbage data as precal as the start of the EEPROM is getting read) Fix this by adding to the current offset value, the offset from DT to correctly read the piece of data at the requested location. Cc: stable@vger.kernel.org Fixes: 495184ac91bb ("mt76: mt7915: add support for applying pre-calibration data") Signed-off-by: Christian Marangi Signed-off-by: Felix Fietkau Signed-off-by: Greg Kroah-Hartman commit 1edce43f4799392427c1d42498c94226bba22a4d Author: Isaac J. Manjarres Date: Fri Dec 8 15:41:40 2023 -0800 iommu/dma: Trace bounce buffer usage when mapping buffers commit a63c357b9fd56ad5fe64616f5b22835252c6a76a upstream. When commit 82612d66d51d ("iommu: Allow the dma-iommu api to use bounce buffers") was introduced, it did not add the logic for tracing the bounce buffer usage from iommu_dma_map_page(). All of the users of swiotlb_tbl_map_single() trace their bounce buffer usage, except iommu_dma_map_page(). This makes it difficult to track SWIOTLB usage from that function. Thus, trace bounce buffer usage from iommu_dma_map_page(). Fixes: 82612d66d51d ("iommu: Allow the dma-iommu api to use bounce buffers") Cc: stable@vger.kernel.org # v5.15+ Cc: Tom Murphy Cc: Lu Baolu Cc: Saravana Kannan Signed-off-by: Isaac J. Manjarres Link: https://lore.kernel.org/r/20231208234141.2356157-1-isaacmanjarres@google.com Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit cc7e8482c61aba063ae3382f8fffd077fb62d3bc Author: Rob Clark Date: Sun Dec 10 10:06:53 2023 -0800 iommu/arm-smmu-qcom: Add missing GMU entry to match table commit afc95681c3068956fed1241a1ff1612c066c75ac upstream. In some cases the firmware expects cbndx 1 to be assigned to the GMU, so we also want the default domain for the GMU to be an identy domain. This way it does not get a context bank assigned. Without this, both of_dma_configure() and drm/msm's iommu_domain_attach() will trigger allocating and configuring a context bank. So GMU ends up attached to both cbndx 1 and later cbndx 2. This arrangement seemingly confounds and surprises the firmware if the GPU later triggers a translation fault, resulting (on sc8280xp / lenovo x13s, at least) in the SMMU getting wedged and the GPU stuck without memory access. Cc: stable@vger.kernel.org Signed-off-by: Rob Clark Tested-by: Johan Hovold Reviewed-by: Robin Murphy Link: https://lore.kernel.org/r/20231210180655.75542-1-robdclark@gmail.com Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 516ecb243625a56f49bead2abcad20321845f155 Author: Xi Ruoyao Date: Wed Jan 17 12:43:08 2024 +0800 LoongArch: Fix and simplify fcsr initialization on execve() commit c2396651309eba291c15e32db8fbe44c738b5921 upstream. There has been a lingering bug in LoongArch Linux systems causing some GCC tests to intermittently fail (see Closes link). I've made a minimal reproducer: zsh% cat measure.s .align 4 .globl _start _start: movfcsr2gr $a0, $fcsr0 bstrpick.w $a0, $a0, 16, 16 beqz $a0, .ok break 0 .ok: li.w $a7, 93 syscall 0 zsh% cc mesaure.s -o measure -nostdlib zsh% echo $((1.0/3)) 0.33333333333333331 zsh% while ./measure; do ; done This while loop should not stop as POSIX is clear that execve must set fenv to the default, where FCSR should be zero. But in fact it will just stop after running for a while (normally less than 30 seconds). Note that "$((1.0/3))" is needed to reproduce this issue because it raises FE_INVALID and makes fcsr0 non-zero. The problem is we are currently relying on SET_PERSONALITY2() to reset current->thread.fpu.fcsr. But SET_PERSONALITY2() is executed before start_thread which calls lose_fpu(0). We can see if kernel preempt is enabled, we may switch to another thread after SET_PERSONALITY2() but before lose_fpu(0). Then bad thing happens: during the thread switch the value of the fcsr0 register is stored into current->thread.fpu.fcsr, making it dirty again. The issue can be fixed by setting current->thread.fpu.fcsr after lose_fpu(0) because lose_fpu() clears TIF_USEDFPU, then the thread switch won't touch current->thread.fpu.fcsr. The only other architecture setting FCSR in SET_PERSONALITY2() is MIPS. I've ran a similar test on MIPS with mainline kernel and it turns out MIPS is buggy, too. Anyway MIPS do this for supporting different FP flavors (NaN encodings, etc.) which do not exist on LoongArch. So for LoongArch, we can simply remove the current->thread.fpu.fcsr setting from SET_PERSONALITY2() and do it in start_thread(), after lose_fpu(0). The while loop failing with the mainline kernel has survived one hour after this change on LoongArch. Fixes: 803b0fc5c3f2baa ("LoongArch: Add process management") Closes: https://github.com/loongson-community/discussions/issues/7 Link: https://lore.kernel.org/linux-mips/7a6aa1bbdbbe2e63ae96ff163fab0349f58f1b9e.camel@xry111.site/ Cc: stable@vger.kernel.org Signed-off-by: Xi Ruoyao Signed-off-by: Huacai Chen Signed-off-by: Greg Kroah-Hartman commit 6cc9c0af0aa06f781fa515a1734b1a4239dfd2c0 Author: Jiri Olsa Date: Wed Jan 3 20:05:46 2024 +0100 bpf: Fix re-attachment branch in bpf_tracing_prog_attach commit 715d82ba636cb3629a6e18a33bb9dbe53f9936ee upstream. The following case can cause a crash due to missing attach_btf: 1) load rawtp program 2) load fentry program with rawtp as target_fd 3) create tracing link for fentry program with target_fd = 0 4) repeat 3 In the end we have: - prog->aux->dst_trampoline == NULL - tgt_prog == NULL (because we did not provide target_fd to link_create) - prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X) - the program was loaded for tgt_prog but we have no way to find out which one BUG: kernel NULL pointer dereference, address: 0000000000000058 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x15b/0x430 ? fixup_exception+0x22/0x330 ? exc_page_fault+0x6f/0x170 ? asm_exc_page_fault+0x22/0x30 ? bpf_tracing_prog_attach+0x279/0x560 ? btf_obj_id+0x5/0x10 bpf_tracing_prog_attach+0x439/0x560 __sys_bpf+0x1cf4/0x2de0 __x64_sys_bpf+0x1c/0x30 do_syscall_64+0x41/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Return -EINVAL in this situation. Fixes: f3a95075549e0 ("bpf: Allow trampoline re-attach for tracing and lsm programs") Cc: stable@vger.kernel.org Signed-off-by: Jiri Olsa Acked-by: Jiri Olsa Acked-by: Song Liu Signed-off-by: Dmitrii Dolgov <9erthalion6@gmail.com> Link: https://lore.kernel.org/r/20240103190559.14750-4-9erthalion6@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 96860d9ad462db61f4eeb09934235c38eab655c4 Author: Gui-Dong Han <2045gemini@gmail.com> Date: Fri Dec 22 23:12:41 2023 +0800 Bluetooth: Fix atomicity violation in {min,max}_key_size_set commit da9065caa594d19b26e1a030fd0cc27bd365d685 upstream. In min_key_size_set(): if (val > hdev->le_max_key_size || val < SMP_MIN_ENC_KEY_SIZE) return -EINVAL; hci_dev_lock(hdev); hdev->le_min_key_size = val; hci_dev_unlock(hdev); In max_key_size_set(): if (val > SMP_MAX_ENC_KEY_SIZE || val < hdev->le_min_key_size) return -EINVAL; hci_dev_lock(hdev); hdev->le_max_key_size = val; hci_dev_unlock(hdev); The atomicity violation occurs due to concurrent execution of set_min and set_max funcs.Consider a scenario where setmin writes a new, valid 'min' value, and concurrently, setmax writes a value that is greater than the old 'min' but smaller than the new 'min'. In this case, setmax might check against the old 'min' value (before acquiring the lock) but write its value after the 'min' has been updated by setmin. This leads to a situation where the 'max' value ends up being smaller than the 'min' value, which is an inconsistency. This possible bug is found by an experimental static analysis tool developed by our team, BassCheck[1]. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. The above possible bug is reported when our tool analyzes the source code of Linux 5.17. To resolve this issue, it is suggested to encompass the validity checks within the locked sections in both set_min and set_max funcs. The modification ensures that the validation of 'val' against the current min/max values is atomic, thus maintaining the integrity of the settings. With this patch applied, our tool no longer reports the bug, with the kernel configuration allyesconfig for x86_64. Due to the lack of associated hardware, we cannot test the patch in runtime testing, and just verify it according to the code logic. [1] https://sites.google.com/view/basscheck/ Fixes: 18f81241b74f ("Bluetooth: Move {min,max}_key_size debugfs ...") Cc: stable@vger.kernel.org Signed-off-by: Gui-Dong Han <2045gemini@gmail.com> Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Greg Kroah-Hartman commit 7c02ca55428796cd73b9c39e5b52a85b232f2d51 Author: Stefan Berger Date: Sun Nov 19 20:12:48 2023 -0500 rootfs: Fix support for rootfstype= when root= is given commit 21528c69a0d8483f7c6345b1a0bc8d8975e9a172 upstream. Documentation/filesystems/ramfs-rootfs-initramfs.rst states: If CONFIG_TMPFS is enabled, rootfs will use tmpfs instead of ramfs by default. To force ramfs, add "rootfstype=ramfs" to the kernel command line. This currently does not work when root= is provided since then saved_root_name contains a string and rootfstype= is ignored. Therefore, ramfs is currently always chosen when root= is provided. The current behavior for rootfs's filesystem is: root= | rootfstype= | chosen rootfs filesystem ------------+-------------+-------------------------- unspecified | unspecified | tmpfs unspecified | tmpfs | tmpfs unspecified | ramfs | ramfs provided | ignored | ramfs rootfstype= should be respected regardless whether root= is given, as shown below: root= | rootfstype= | chosen rootfs filesystem ------------+-------------+-------------------------- unspecified | unspecified | tmpfs (as before) unspecified | tmpfs | tmpfs (as before) unspecified | ramfs | ramfs (as before) provided | unspecified | ramfs (compatibility with before) provided | tmpfs | tmpfs (new) provided | ramfs | ramfs (new) This table represents the new behavior. Fixes: 6e19eded3684 ("initmpfs: use initramfs if rootfstype= or root= specified") Cc: Signed-off-by: Rob Landley Link: https://lore.kernel.org/lkml/8244c75f-445e-b15b-9dbf-266e7ca666e2@landley.net/ Reviewed-and-Tested-by: Mimi Zohar Signed-off-by: Stefan Berger Link: https://lore.kernel.org/r/20231120011248.396012-1-stefanb@linux.ibm.com Signed-off-by: Greg Kroah-Hartman commit f5c29a3a7e683510771fc58accf264c206e6e87a Author: Bart Van Assche Date: Sun Jan 7 16:12:23 2024 -0800 md/raid1: Use blk_opf_t for read and write operations commit 7dab24554dedd4e6f408af8eb2d25c89997a6a1f upstream. Use the type blk_opf_t for read and write operations instead of int. This patch does not affect the generated code but fixes the following sparse warning: drivers/md/raid1.c:1993:60: sparse: sparse: incorrect type in argument 5 (different base types) expected restricted blk_opf_t [usertype] opf got int rw Cc: Song Liu Cc: Jens Axboe Fixes: 3c5e514db58f ("md/raid1: Use the new blk_opf_t type") Cc: stable@vger.kernel.org # v6.0+ Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202401080657.UjFnvQgX-lkp@intel.com/ Signed-off-by: Bart Van Assche Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20240108001223.23835-1-bvanassche@acm.org Signed-off-by: Greg Kroah-Hartman commit 7b85554c7c2aee91171e038e4d5442ffa130b282 Author: Uwe Kleine-König Date: Tue Jan 9 22:34:31 2024 +0100 pwm: Fix out-of-bounds access in of_pwm_single_xlate() commit a297d07b9a1e4fb8cda25a4a2363a507d294b7c9 upstream. With args->args_count == 2 args->args[2] is not defined. Actually the flags are contained in args->args[1]. Fixes: 3ab7b6ac5d82 ("pwm: Introduce single-PWM of_xlate function") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/243908750d306e018a3d4bf2eb745d53ab50f663.1704835845.git.u.kleine-koenig@pengutronix.de Signed-off-by: Uwe Kleine-König Signed-off-by: Greg Kroah-Hartman commit 00e29df1b44dfbeb06d2df9b7d8927ed1d00720c Author: Uwe Kleine-König Date: Sat Jan 6 15:13:03 2024 +0100 pwm: jz4740: Don't use dev_err_probe() in .request() commit 9320fc509b87b4d795fb37112931e2f4f8b5c55f upstream. dev_err_probe() is only supposed to be used in probe functions. While it probably doesn't hurt, both the EPROBE_DEFER handling and calling device_set_deferred_probe_reason() are conceptually wrong in the request callback. So replace the call by dev_err() and a separate return statement. This effectively reverts commit c0bfe9606e03 ("pwm: jz4740: Simplify with dev_err_probe()"). Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20240106141302.1253365-2-u.kleine-koenig@pengutronix.de Fixes: c0bfe9606e03 ("pwm: jz4740: Simplify with dev_err_probe()") Cc: stable@vger.kernel.org Signed-off-by: Uwe Kleine-König Signed-off-by: Greg Kroah-Hartman commit a372f1d01bc11aa85773a02353cd01aaf16dc18e Author: Pablo Neira Ayuso Date: Fri Jan 12 23:28:45 2024 +0100 netfilter: nf_tables: check if catch-all set element is active in next generation commit b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7 upstream. When deactivating the catch-all set element, check the state in the next generation that represents this transaction. This bug uncovered after the recent removal of the element busy mark a2dd0233cbc4 ("netfilter: nf_tables: remove busy mark and gc batch API"). Fixes: aaa31047a6d2 ("netfilter: nftables: add catch-all set element support") Cc: stable@vger.kernel.org Reported-by: lonial con Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit c6350b5cb78e9024c49eaee6fdb914ad2903a5fe Author: Matthew Wilcox (Oracle) Date: Tue Jan 16 21:29:59 2024 +0000 block: Fix iterating over an empty bio with bio_for_each_folio_all commit 7bed6f3d08b7af27b7015da8dc3acf2b9c1f21d7 upstream. If the bio contains no data, bio_first_folio() calls page_folio() on a NULL pointer and oopses. Move the test that we've reached the end of the bio from bio_next_folio() to bio_first_folio(). Reported-by: syzbot+8b23309d5788a79d3eea@syzkaller.appspotmail.com Reported-by: syzbot+004c1e0fced2b4bc3dcc@syzkaller.appspotmail.com Fixes: 640d1930bef4 ("block: Add bio_for_each_folio_all()") Cc: stable@vger.kernel.org Signed-off-by: Matthew Wilcox (Oracle) Link: https://lore.kernel.org/r/20240116212959.3413014-1-willy@infradead.org [axboe: add unlikely() to error case] Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit ef31cc87794731ffcb578a195a2c47d744e25fb8 Author: Min Li Date: Thu Jun 29 14:25:17 2023 +0000 block: add check that partition length needs to be aligned with block size commit 6f64f866aa1ae6975c95d805ed51d7e9433a0016 upstream. Before calling add partition or resize partition, there is no check on whether the length is aligned with the logical block size. If the logical block size of the disk is larger than 512 bytes, then the partition size maybe not the multiple of the logical block size, and when the last sector is read, bio_truncate() will adjust the bio size, resulting in an IO error if the size of the read command is smaller than the logical block size.If integrity data is supported, this will also result in a null pointer dereference when calling bio_integrity_free. Cc: Signed-off-by: Min Li Reviewed-by: Damien Le Moal Reviewed-by: Chaitanya Kulkarni Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20230629142517.121241-1-min15.li@samsung.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 0c8d252d0a20a412ec30859afef6393aecfdd3cd Author: Mario Limonciello Date: Fri Nov 24 09:56:32 2023 -0600 drm/amd: Enable PCIe PME from D3 commit bd1f6a31e7762ebc99b97f3eda5e5ea3708fa792 upstream. When dGPU is put into BOCO it may be in D3cold but still able send PME on display hotplug event. For this to work it must be enabled as wake source from D3. When runpm is enabled use pci_wake_from_d3() to mark wakeup as enabled by default. Cc: stable@vger.kernel.org # 6.1+ Signed-off-by: Mario Limonciello Acked-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit f49a30a24f9b2370f0f24b85110a41c445719c5c Author: Chandrakanth patil Date: Sun Nov 26 11:01:33 2023 +0530 scsi: mpi3mr: Block PEL Enable Command on Controller Reset and Unrecoverable State commit f8fb3f39148e8010479e4b2003ba4728818ec661 upstream. If a controller reset is underway or the controller is in an unrecoverable state, the PEL enable management command will be returned as EAGAIN or EFAULT. Cc: # v6.1+ Co-developed-by: Sathya Prakash Signed-off-by: Sathya Prakash Signed-off-by: Chandrakanth patil Link: https://lore.kernel.org/r/20231126053134.10133-4-chandrakanth.patil@broadcom.com Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 546e981eead2ff27548cef82c6fab5a045517794 Author: Chandrakanth patil Date: Sun Nov 26 11:01:31 2023 +0530 scsi: mpi3mr: Refresh sdev queue depth after controller reset commit e5aab848dfdf7996d20ece4d28d2733c732c5e5a upstream. After a controller reset, the firmware may modify the device queue depth. Therefore, update the device queue depth accordingly. Cc: # v5.15+ Co-developed-by: Sathya Prakash Signed-off-by: Sathya Prakash Signed-off-by: Chandrakanth patil Link: https://lore.kernel.org/r/20231126053134.10133-2-chandrakanth.patil@broadcom.com Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 3378333263b793aee2b45da240820ec5e0ab5098 Author: Amir Goldstein Date: Thu Nov 23 11:20:00 2023 +0200 scsi: target: core: add missing file_{start,end}_write() commit 0db1d53937fafa8bb96e077375691e16902f4899 upstream. The callers of vfs_iter_write() are required to hold file_start_write(). file_start_write() is a no-op for the S_ISBLK() case, but it is really needed when the backing file is a regular file. We are going to move file_{start,end}_write() into vfs_iter_write(), but we need to fix this first, so that the fix could be backported to stable kernels. Suggested-by: Christoph Hellwig Link: https://lore.kernel.org/r/ZV8ETIpM+wZa33B5@infradead.org/ Cc: Signed-off-by: Amir Goldstein Link: https://lore.kernel.org/r/20231123092000.2665902-1-amir73il@gmail.com Acked-by: Martin K. Petersen Reviewed-by: Christoph Hellwig Reviewed-by: Jens Axboe Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman commit 01644b861681eb3ee9ab1fac1b8bda86ae1f68bc Author: Bart Van Assche Date: Mon Dec 18 14:52:14 2023 -0800 scsi: ufs: core: Simplify power management during async scan commit daf7795406bf307997366f694888bd317ae5b5fa upstream. ufshcd_init() calls pm_runtime_get_sync() before it calls async_schedule(). ufshcd_async_scan() calls pm_runtime_put_sync() directly or indirectly from ufshcd_add_lus(). Simplify ufshcd_async_scan() by always calling pm_runtime_put_sync() from ufshcd_async_scan(). Cc: Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20231218225229.2542156-2-bvanassche@acm.org Reviewed-by: Can Guo Reviewed-by: Manivannan Sadhasivam Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 81f444f22816a82ada2cc787a2845cffc8c584a6 Author: Nam Cao Date: Mon Dec 18 10:57:31 2023 +0100 fbdev: flush deferred IO before closing commit 33cd6ea9c0673517cdb06ad5c915c6f22e9615fc upstream. When framebuffer gets closed, the queued deferred IO gets cancelled. This can cause some last display data to vanish. This is problematic for users who send a still image to the framebuffer, then close the file: the image may never appear. To ensure none of display data get lost, flush the queued deferred IO first before closing. Another possible solution is to delete the cancel_delayed_work_sync() instead. The difference is that the display may appear some time after closing. However, the clearing of page mapping after this needs to be removed too, because the page mapping is used by the deferred work. It is not completely obvious whether it is okay to not clear the page mapping. For a patch intended for stable trees, go with the simple and obvious solution. Fixes: 60b59beafba8 ("fbdev: mm: Deferred IO support") Cc: stable@vger.kernel.org Signed-off-by: Nam Cao Reviewed-by: Sebastian Andrzej Siewior Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit ccbee2843edd60bde3104d919b0a586bac631258 Author: Nam Cao Date: Mon Dec 18 10:57:30 2023 +0100 fbdev: flush deferred work in fb_deferred_io_fsync() commit 15e4c1f462279b4e128f27de48133e0debe9e0df upstream. The driver's fsync() is supposed to flush any pending operation to hardware. It is implemented in this driver by cancelling the queued deferred IO first, then schedule it for "immediate execution" by calling schedule_delayed_work() again with delay=0. However, setting delay=0 only means the work is scheduled immediately, it does not mean the work is executed immediately. There is no guarantee that the work is finished after schedule_delayed_work() returns. After this driver's fsync() returns, there can still be pending work. Furthermore, if close() is called by users immediately after fsync(), the pending work gets cancelled and fsync() may do nothing. To ensure that the deferred IO completes, use flush_delayed_work() instead. Write operations to this driver either write to the device directly, or invoke schedule_delayed_work(); so by flushing the workqueue, it can be guaranteed that all previous writes make it to the device. Fixes: 5e841b88d23d ("fb: fsync() method for deferred I/O flush.") Cc: stable@vger.kernel.org Signed-off-by: Nam Cao Reviewed-by: Sebastian Andrzej Siewior Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit d6cc8dd231b8f843217688a0cffd206d5140b0a6 Author: Jens Axboe Date: Thu Dec 21 08:49:18 2023 -0700 io_uring/rw: ensure io->bytes_done is always initialized commit 0a535eddbe0dc1de4386046ab849f08aeb2f8faf upstream. If IOSQE_ASYNC is set and we fail importing an iovec for a readv or writev request, then we leave ->bytes_done uninitialized and hence the eventual failure CQE posted can potentially have a random res value rather than the expected -EINVAL. Setup ->bytes_done before potentially failing, so we have a consistent value if we fail the request early. Cc: stable@vger.kernel.org Reported-by: xingwei lee Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit c866866c795296d3637ab0d48a3d8a3ef5d6f4a3 Author: Namjae Jeon Date: Mon Jan 15 10:24:54 2024 +0900 ksmbd: only v2 leases handle the directory commit 77bebd186442a7d703b796784db7495129cc3e70 upstream. When smb2 leases is disable, ksmbd can send oplock break notification and cause wait oplock break ack timeout. It may appear like hang when accessing a directory. This patch make only v2 leases handle the directory. Cc: stable@vger.kernel.org Signed-off-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 380965e48e9c32ee4263c023e1d830ea7e462ed1 Author: Namjae Jeon Date: Sat Jan 13 15:30:07 2024 +0900 ksmbd: fix UAF issue in ksmbd_tcp_new_connection() commit 38d20c62903d669693a1869aa68c4dd5674e2544 upstream. The race is between the handling of a new TCP connection and its disconnection. It leads to UAF on `struct tcp_transport` in ksmbd_tcp_new_connection() function. Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-22991 Signed-off-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 6eb8015492bcc84e40646390e50a862b2c0529c9 Author: Namjae Jeon Date: Sat Jan 13 15:11:41 2024 +0900 ksmbd: validate mech token in session setup commit 92e470163d96df8db6c4fa0f484e4a229edb903d upstream. If client send invalid mech token in session setup request, ksmbd validate and make the error if it is invalid. Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-22890 Signed-off-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 0914dc8041d437d9c0306cb7516fae3e35c382a3 Author: Bin Li Date: Wed Jan 17 23:41:23 2024 +0800 ALSA: hda/realtek: Enable headset mic on Lenovo M70 Gen5 commit fb3c007fde80d9d3b4207943e74c150c9116cead upstream. Lenovo M70 Gen5 is equipped with ALC623, and it needs ALC283_FIXUP_HEADSET_MIC quirk to make its headset mic work. Signed-off-by: Bin Li Cc: Link: https://lore.kernel.org/r/20240117154123.21578-1-bin.li@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 5648a0087f55e7aefc2fa38c21fa26325b4ae543 Author: Yo-Jung Lin Date: Tue Jan 16 10:07:19 2024 +0800 ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on HP ZBook commit b018cee7369896c7a15bfdbe88f168f3dbd8ba27 upstream. On some HP ZBooks, the audio LEDs can be enabled by ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF. So use it accordingly. Signed-off-by: Yo-Jung Lin Cc: Link: https://lore.kernel.org/r/20240116020722.27236-1-leo.lin@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3253abcd9b2d44602c154f6c8e2b48b241daeda9 Author: Çağhan Demir Date: Mon Jan 15 20:23:03 2024 +0300 ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq2xxx commit bc7863d18677df66b2c7a0e172c91296ff380f11 upstream. This HP Laptop uses ALC236 codec with COEF 0x07 idx 1 controlling the mute LED. This patch enables the already existing quirk for this device. Signed-off-by: Çağhan Demir Cc: Link: https://lore.kernel.org/r/20240115172303.4718-1-caghandemir@marun.edu.tr Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 29f6eccbcf7b2d9658fab0c43bb74cd82f341720 Author: Takashi Iwai Date: Fri Jan 12 12:10:23 2024 +0100 ALSA: oxygen: Fix right channel of capture volume mixer commit a03cfad512ac24a35184d7d87ec0d5489e1cb763 upstream. There was a typo in oxygen mixer code that didn't update the right channel value properly for the capture volume. Let's fix it. This trivial fix was originally reported on Bugzilla. Fixes: a3601560496d ("[ALSA] oxygen: add front panel controls") Cc: Link: https://bugzilla.kernel.org/show_bug.cgi?id=156561 Link: https://lore.kernel.org/r/20240112111023.6208-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 104f95698cad038caa8f7496be67f738d8ace9cb Author: Zack Rusin Date: Thu Sep 28 00:13:55 2023 -0400 drm/vmwgfx: Keep a gem reference to user bos in surfaces commit 91398b413d03660fd5828f7b4abc64e884b98069 upstream. Surfaces can be backed (i.e. stored in) memory objects (mob's) which are created and managed by the userspace as GEM buffers. Surfaces grab only a ttm reference which means that the gem object can be deleted underneath us, especially in cases where prime buffer export is used. Make sure that all userspace surfaces which are backed by gem objects hold a gem reference to make sure they're not deleted before vmw surfaces are done with them, which fixes: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 2 PID: 2632 at lib/refcount.c:28 refcount_warn_saturate+0xfb/0x150 Modules linked in: overlay vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock snd_ens1371 snd_ac97_codec ac97_bus snd_pcm gameport> CPU: 2 PID: 2632 Comm: vmw_ref_count Not tainted 6.5.0-rc2-vmwgfx #1 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 RIP: 0010:refcount_warn_saturate+0xfb/0x150 Code: eb 9e 0f b6 1d 8b 5b a6 01 80 fb 01 0f 87 ba e4 80 00 83 e3 01 75 89 48 c7 c7 c0 3c f9 a3 c6 05 6f 5b a6 01 01 e8 15 81 98 ff <0f> 0b e9 6f ff ff ff 0f b> RSP: 0018:ffffbdc34344bba0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027 RDX: ffff960475ea1548 RSI: 0000000000000001 RDI: ffff960475ea1540 RBP: ffffbdc34344bba8 R08: 0000000000000003 R09: 65646e75203a745f R10: ffffffffa5b32b20 R11: 72657466612d6573 R12: ffff96037d6a6400 R13: ffff9603484805b0 R14: 000000000000000b R15: ffff9603bed06060 FS: 00007f5fd8520c40(0000) GS:ffff960475e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5fda755000 CR3: 000000010d012005 CR4: 00000000003706e0 Call Trace: ? show_regs+0x6e/0x80 ? refcount_warn_saturate+0xfb/0x150 ? __warn+0x91/0x150 ? refcount_warn_saturate+0xfb/0x150 ? report_bug+0x19d/0x1b0 ? handle_bug+0x46/0x80 ? exc_invalid_op+0x1d/0x80 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xfb/0x150 drm_gem_object_handle_put_unlocked+0xba/0x110 [drm] drm_gem_object_release_handle+0x6e/0x80 [drm] drm_gem_handle_delete+0x6a/0xc0 [drm] ? __pfx_vmw_bo_unref_ioctl+0x10/0x10 [vmwgfx] vmw_bo_unref_ioctl+0x33/0x40 [vmwgfx] drm_ioctl_kernel+0xbc/0x160 [drm] drm_ioctl+0x2d2/0x580 [drm] ? __pfx_vmw_bo_unref_ioctl+0x10/0x10 [vmwgfx] ? do_vmi_munmap+0xee/0x180 vmw_generic_ioctl+0xbd/0x180 [vmwgfx] vmw_unlocked_ioctl+0x19/0x20 [vmwgfx] __x64_sys_ioctl+0x99/0xd0 do_syscall_64+0x5d/0x90 ? syscall_exit_to_user_mode+0x2a/0x50 ? do_syscall_64+0x6d/0x90 ? handle_mm_fault+0x16e/0x2f0 ? exit_to_user_mode_prepare+0x34/0x170 ? irqentry_exit_to_user_mode+0xd/0x20 ? irqentry_exit+0x3f/0x50 ? exc_page_fault+0x8e/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7f5fda51aaff Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 7> RSP: 002b:00007ffd536a4d30 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffd536a4de0 RCX: 00007f5fda51aaff RDX: 00007ffd536a4de0 RSI: 0000000040086442 RDI: 0000000000000003 RBP: 0000000040086442 R08: 000055fa603ada50 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000246 R12: 00007ffd536a51b8 R13: 0000000000000003 R14: 000055fa5ebb4c80 R15: 00007f5fda90f040 ---[ end trace 0000000000000000 ]--- A lot of the analyis on the bug was done by Murray McAllister and Ian Forbes. Reported-by: Murray McAllister Cc: Ian Forbes Signed-off-by: Zack Rusin Fixes: a950b989ea29 ("drm/vmwgfx: Do not drop the reference to the handle too soon") Cc: # v6.2+ Reviewed-by: Martin Krastev Link: https://patchwork.freedesktop.org/patch/msgid/20230928041355.737635-1-zack@kde.org Signed-off-by: Jocelyn Falempe Signed-off-by: Greg Kroah-Hartman commit 5a4087a907769aeb9990a9bfa5076ccc505a2ce0 Author: Zack Rusin Date: Fri Aug 18 00:13:01 2023 -0400 drm/vmwgfx: Fix possible invalid drm gem put calls commit f9e96bf1905479f18e83a3a4c314a8dfa56ede2c upstream. vmw_bo_unreference sets the input buffer to null on exit, resulting in null ptr deref's on the subsequent drm gem put calls. This went unnoticed because only very old userspace would be exercising those paths but it wouldn't be hard to hit on old distros with brand new kernels. Introduce a new function that abstracts unrefing of user bo's to make the code cleaner and more explicit. Signed-off-by: Zack Rusin Reported-by: Ian Forbes Fixes: 9ef8d83e8e25 ("drm/vmwgfx: Do not drop the reference to the handle too soon") Cc: # v6.4+ Reviewed-by: Maaz Mombasawala Link: https://patchwork.freedesktop.org/patch/msgid/20230818041301.407636-1-zack@kde.org Signed-off-by: Jocelyn Falempe Signed-off-by: Greg Kroah-Hartman commit a71776bbd87e5bb1f6fb1c25a2abfc98fa950405 Author: Lino Sanfilippo Date: Wed Jan 3 07:18:17 2024 +0100 serial: omap: do not override settings for RS485 support commit 51f93776b84dee23e44a7be880736669a01cec2b upstream. The drivers RS485 support is deactivated if there is no RTS GPIO available. This is done by nullifying the ports rs485_supported struct. After that however the settings in serial_omap_rs485_supported are assigned to the same structure unconditionally, which results in an unintended reactivation of RS485 support. Fix this by moving the assignment to the beginning of serial_omap_probe_rs485() and thus before uart_get_rs485_mode() gets called. Also replace the assignment of rs485_config() to have the complete RS485 setup in one function. Fixes: e2752ae3cfc9 ("serial: omap: Disallow RS-485 if rts-gpio is not specified") Cc: Signed-off-by: Lino Sanfilippo Reviewed-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20240103061818.564-7-l.sanfilippo@kunbus.com Signed-off-by: Greg Kroah-Hartman commit b5a2232ba8215d21a3cfb69938b52d953dfc1c7d Author: Lino Sanfilippo Date: Wed Jan 3 07:18:18 2024 +0100 serial: 8250_exar: Set missing rs485_supported flag commit 0c2a5f471ce58bca8f8ab5fcb911aff91eaaa5eb upstream. The UART supports an auto-RTS mode in which the RTS pin is automatically activated during transmission. So mark this mode as being supported even if RTS is not controlled by the driver but the UART. Also the serial core expects now at least one of both modes rts-on-send or rts-after-send to be supported. This is since during sanitization unsupported flags are deleted from a RS485 configuration set by userspace. However if the configuration ends up with both flags unset, the core prints a warning since it considers such a configuration invalid (see uart_sanitize_serial_rs485()). Cc: Reviewed-by: Ilpo Järvinen Signed-off-by: Lino Sanfilippo Link: https://lore.kernel.org/r/20240103061818.564-8-l.sanfilippo@kunbus.com Signed-off-by: Greg Kroah-Hartman commit 36b0710502a56775d2c727ac26267d9a34fdab28 Author: Christoph Niedermaier Date: Tue Dec 26 12:36:47 2023 +0100 serial: imx: Ensure that imx_uart_rs485_config() is called with enabled clock commit 7c45eaa813476bd195ac1227a64b52f9cf2e2030 upstream. There are register accesses in the function imx_uart_rs485_config(). The clock must be enabled for these accesses. This was ensured by calling it via the function uart_rs485_config() in the probe() function within the range where the clock is enabled. With the commit 7c7f9bc986e6 ("serial: Deassert Transmit Enable on probe in driver-specific way") it was removed from the probe() function and is now only called through the function uart_add_one_port() which is located at the end of the probe() function. But the clock is already switched off in this area. To ensure that the clock is enabled during register access, move the disabling of the clock to the very end of the probe() function. To avoid leaking enabled clocks on error also add an error path for exiting with disabling the clock. Fixes: 7c7f9bc986e6 ("serial: Deassert Transmit Enable on probe in driver-specific way") Cc: stable Signed-off-by: Christoph Niedermaier Reviewed-by: Lukas Wunner Link: https://lore.kernel.org/r/20231226113647.39376-1-cniedermaier@dh-electronics.com Signed-off-by: Greg Kroah-Hartman commit d5f13c1d01e45891031f401b537682d6cce1077b Author: Lino Sanfilippo Date: Wed Jan 3 07:18:16 2024 +0100 serial: core, imx: do not set RS485 enabled if it is not supported commit 74eab89b26ac433ad857292f4707b43c1a8f0209 upstream. If the imx driver cannot support RS485 it nullifies the ports rs485_supported structure. But it still calls uart_get_rs485_mode() which may set the RS485_ENABLED flag nevertheless. This may lead to an attempt to configure RS485 even if it is not supported when the flag is evaluated in uart_configure_port() at port startup. Avoid this by bailing out of uart_get_rs485_mode() if the RS485_ENABLED flag is not supported by the caller. With this fix a check for RTS availability is now obsolete in the imx driver, since it can not evaluate to true any more. So remove this check. Furthermore the explicit nullifcation of rs485_supported is not needed, since the memory has already been set to zeros at allocation. So remove this, too. Fixes: 00d7a00e2a6f ("serial: imx: Fill in rs485_supported") Cc: Shawn Guo Cc: Sascha Hauer Cc: Suggested-by: Uwe Kleine-König Signed-off-by: Lino Sanfilippo Reviewed-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20240103061818.564-6-l.sanfilippo@kunbus.com Signed-off-by: Greg Kroah-Hartman commit dac0dd3d803c60b5a0a2388697dfe097711a6766 Author: Stefan Wahren Date: Wed Dec 20 12:43:34 2023 +0100 serial: 8250_bcm2835aux: Restore clock error handling commit 83e571f054cd742eb9a46d46ef05193904adf53f upstream. The commit fcc446c8aa63 ("serial: 8250_bcm2835aux: Add ACPI support") dropped the error handling for clock acquiring. But even an optional clock needs this. Fixes: fcc446c8aa63 ("serial: 8250_bcm2835aux: Add ACPI support") Cc: stable Signed-off-by: Stefan Wahren Reviewed-by: Florian Fainelli Link: https://lore.kernel.org/r/20231220114334.4712-1-wahrenst@gmx.net Signed-off-by: Greg Kroah-Hartman commit 15000d6f293620742753bf41afb52f3ab4a17c74 Author: Lino Sanfilippo Date: Wed Jan 3 07:18:15 2024 +0100 serial: core: make sure RS485 cannot be enabled when it is not supported commit c73986913fa47e71e0b1ad7f039f6444915e8810 upstream. Some uart drivers specify a rs485_config() function and then decide later to disable RS485 support for some reason (e.g. imx and ar933). In these cases userspace may be able to activate RS485 via TIOCSRS485 nevertheless, since in uart_set_rs485_config() an existing rs485_config() function indicates that RS485 is supported. Make sure that this is not longer possible by checking the uarts rs485_supported.flags instead and bailing out if SER_RS485_ENABLED is not set. Furthermore instead of returning an empty structure return -ENOTTY if the RS485 configuration is requested via TIOCGRS485 but RS485 is not supported. This has a small impact on userspace visibility but it is consistent with the -ENOTTY error for TIOCGRS485. Fixes: e849145e1fdd ("serial: ar933x: Fill in rs485_supported") Fixes: 55e18c6b6d42 ("serial: imx: Remove serial_rs485 sanitization") Cc: Shawn Guo Cc: Sascha Hauer Cc: Reviewed-by: Ilpo Järvinen Signed-off-by: Lino Sanfilippo Link: https://lore.kernel.org/r/20240103061818.564-5-l.sanfilippo@kunbus.com Signed-off-by: Greg Kroah-Hartman commit f790bd27a74b6aa792e7ddb2564d49c916c596eb Author: Lino Sanfilippo Date: Wed Jan 3 07:18:14 2024 +0100 serial: core: fix sanitizing check for RTS settings commit 4afeced55baa391490b61ed9164867e2927353ed upstream. Among other things uart_sanitize_serial_rs485() tests the sanity of the RTS settings in a RS485 configuration that has been passed by userspace. If RTS-on-send and RTS-after-send are both set or unset the configuration is adjusted and RTS-after-send is disabled and RTS-on-send enabled. This however makes only sense if both RTS modes are actually supported by the driver. With commit be2e2cb1d281 ("serial: Sanitize rs485_struct") the code does take the driver support into account but only checks if one of both RTS modes are supported. This may lead to the errorneous result of RTS-on-send being set even if only RTS-after-send is supported. Fix this by changing the implemented logic: First clear all unsupported flags in the RS485 configuration, then adjust an invalid RTS setting by taking into account which RTS mode is supported. Cc: Fixes: be2e2cb1d281 ("serial: Sanitize rs485_struct") Reviewed-by: Ilpo Järvinen Signed-off-by: Lino Sanfilippo Link: https://lore.kernel.org/r/20240103061818.564-4-l.sanfilippo@kunbus.com Signed-off-by: Greg Kroah-Hartman commit 974a0a694416eb58f17d2e937a4c3628eea82de1 Author: Gui-Dong Han <2045gemini@gmail.com> Date: Fri Jan 5 13:24:12 2024 +0800 usb: mon: Fix atomicity violation in mon_bin_vma_fault commit 2dd23cc4d0e6aa55cf9fb3b05f2f4165b01de81c upstream. In mon_bin_vma_fault(): offset = vmf->pgoff << PAGE_SHIFT; if (offset >= rp->b_size) return VM_FAULT_SIGBUS; chunk_idx = offset / CHUNK_SIZE; pageptr = rp->b_vec[chunk_idx].pg; The code is executed without holding any lock. In mon_bin_vma_close(): spin_lock_irqsave(&rp->b_lock, flags); rp->mmap_active--; spin_unlock_irqrestore(&rp->b_lock, flags); In mon_bin_ioctl(): spin_lock_irqsave(&rp->b_lock, flags); if (rp->mmap_active) { ... } else { ... kfree(rp->b_vec); rp->b_vec = vec; rp->b_size = size; ... } spin_unlock_irqrestore(&rp->b_lock, flags); Concurrent execution of mon_bin_vma_fault() with mon_bin_vma_close() and mon_bin_ioctl() could lead to atomicity violations. mon_bin_vma_fault() accesses rp->b_size and rp->b_vec without locking, risking array out-of-bounds access or use-after-free bugs due to possible modifications in mon_bin_ioctl(). This possible bug is found by an experimental static analysis tool developed by our team, BassCheck[1]. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. The above possible bug is reported when our tool analyzes the source code of Linux 6.2. To address this issue, it is proposed to add a spin lock pair in mon_bin_vma_fault() to ensure atomicity. With this patch applied, our tool never reports the possible bug, with the kernel configuration allyesconfig for x86_64. Due to the lack of associated hardware, we cannot test the patch in runtime testing, and just verify it according to the code logic. [1] https://sites.google.com/view/basscheck/ Fixes: 19e6317d24c2 ("usb: mon: Fix a deadlock in usbmon between ...") Cc: Signed-off-by: Gui-Dong Han <2045gemini@gmail.com> Link: https://lore.kernel.org/r/20240105052412.9377-1-2045gemini@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 206e2ddeb7dff23c8861a3486ee11a6d4ad3c8bf Author: RD Babiera Date: Wed Jan 3 18:17:55 2024 +0000 usb: typec: class: fix typec_altmode_put_partner to put plugs commit 5962ded777d689cd8bf04454273e32228d7fb71f upstream. When typec_altmode_put_partner is called by a plug altmode upon release, the port altmode the plug belongs to will not remove its reference to the plug. The check to see if the altmode being released is a plug evaluates against the released altmode's partner instead of the calling altmode, so change adev in typec_altmode_put_partner to properly refer to the altmode being released. Because typec_altmode_set_partner calls get_device() on the port altmode, add partner_adev that points to the port altmode in typec_put_partner to call put_device() on. typec_altmode_set_partner is not called for port altmodes, so add a check in typec_altmode_release to prevent typec_altmode_put_partner() calls on port altmode release. Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes") Cc: Co-developed-by: Christian A. Ehrhardt Signed-off-by: Christian A. Ehrhardt Signed-off-by: RD Babiera Tested-by: Christian A. Ehrhardt Acked-by: Heikki Krogerus Link: https://lore.kernel.org/r/20240103181754.2492492-2-rdbabiera@google.com Signed-off-by: Greg Kroah-Hartman commit d0320b9ac6b45a726fc86ada8e4ea1830b7a72fb Author: Heikki Krogerus Date: Tue Jan 2 11:11:41 2024 +0200 Revert "usb: typec: class: fix typec_altmode_put_partner to put plugs" commit 9c6b789e954fae73c548f39332bcc56bdf0d4373 upstream. This reverts commit b17b7fe6dd5c6ff74b38b0758ca799cdbb79e26e. That commit messed up the reference counting, so it needs to be rethought. Fixes: b17b7fe6dd5c ("usb: typec: class: fix typec_altmode_put_partner to put plugs") Cc: Cc: RD Babiera Reported-by: Chris Bainbridge Closes: https://lore.kernel.org/lkml/CAP-bSRb3SXpgo_BEdqZB-p1K5625fMegRZ17ZkPE1J8ZYgEHDg@mail.gmail.com/ Signed-off-by: Heikki Krogerus Link: https://lore.kernel.org/r/20240102091142.2136472-1-heikki.krogerus@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 097cdc78c659d3ee408d5b315a8e41ab51903e79 Author: Frank Li Date: Sun Dec 24 10:38:15 2023 -0500 usb: cdns3: Fix uvc fail when DMA cross 4k boundery since sg enabled commit 40c304109e866a7dc123661a5c8ca72f6b5e14e0 upstream. Supposed DMA cross 4k bounder problem should be fixed at DEV_VER_V2, but still met problem when do ISO transfer if sg enabled. Data pattern likes below when sg enabled, package size is 1k and mult is 2 [UVC Header(8B) ] [data(3k - 8)] ... The received data at offset 0xd000 will get 0xc000 data, len 0x70. Error happen position as below pattern: 0xd000: wrong 0xe000: wrong 0xf000: correct 0x10000: wrong 0x11000: wrong 0x12000: correct ... To avoid DMA cross 4k bounder at ISO transfer, reduce burst len according to start DMA address's alignment. Cc: Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") Signed-off-by: Frank Li Link: https://lore.kernel.org/r/20231224153816.1664687-4-Frank.Li@nxp.com Signed-off-by: Greg Kroah-Hartman commit 45c766231e6bc292825c8308aebf387862d0fe3a Author: Frank Li Date: Sun Dec 24 10:38:14 2023 -0500 usb: cdns3: fix iso transfer error when mult is not zero commit 92f02efa1d86d7dcaef7f38a5fe3396c4e88a93c upstream. ISO basic transfer is ITP(SOF) Package_0 Package_1 ... Package_n CDNS3 DMA start dma transfer from memmory to internal FIFO when get SOF, controller will transfer data to usb bus from internal FIFO when get IN token. According USB spec defination: Maximum number of packets = (bMaxBurst + 1) * (Mult + 1) Internal memory should be the same as (bMaxBurst + 1) * (Mult + 1). DMA don't fetch data advance when ISO transfer, so only reserve (bMaxBurst + 1) * (Mult + 1) internal memory for ISO transfer. Need save Mult and bMaxBurst information and set it into EP_CFG register, otherwise only 1 package is sent by controller, other package will be lost. Cc: Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") Signed-off-by: Frank Li Link: https://lore.kernel.org/r/20231224153816.1664687-3-Frank.Li@nxp.com Signed-off-by: Greg Kroah-Hartman commit 3f2bf7cac03d0e18aecfd98a2cc82e1eb9c7992a Author: Frank Li Date: Sun Dec 24 10:38:13 2023 -0500 usb: cdns3: fix uvc failure work since sg support enabled commit 1b8be5ecff26201bafb0a554c74e91571299fb94 upstream. When IP version >= DEV_VER_V2, gadget:sg_supported is true. So uvc gadget function driver will use sg to equeue data, first is 8bytes header, the second is 1016bytes data. cdns3_prepare_trb: ep2in: trb 0000000000ac755f, dma buf: 0xbf455000, size: 8, burst: 128 ctrl: 0x00000415 (C=1, T=0, ISP, CHAIN, Normal) cdns3_prepare_trb: ep2in: trb 00000000a574e693, dma buf: 0xc0200fe0, size: 1016, burst: 128 ctrl: 0x00000405 (C=1, T=0, ISP, Normal) But cdns3_ep_run_transfer() can't correctly handle this case, which only support one TRB for ISO transfer. The controller requires duplicate the TD for each SOF if priv_ep->interval is not 1. DMA will read data from DDR to internal FIFO when get SOF. Send data to bus when receive IN token. DMA always refill FIFO when get SOF regardless host send IN token or not. If host send IN token later, some frames data will be lost. Fixed it by below major steps: 1. Calculate numembers of TRB base on sg_nums and priv_ep->interval. 2. Remove CHAIN flags for each end TRB of TD when duplicate TD. 3. The controller requires LINK TRB must be first TRB of TD. When check there are not enough TRBs lefts, just fill LINK TRB for left TRBs. .... CHAIN_TRB DATA_TRB, CHAIN_TRB DATA_TRB, LINK_TRB ... LINK_TRB ^End of TRB List Cc: Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") Signed-off-by: Frank Li Link: https://lore.kernel.org/r/20231224153816.1664687-2-Frank.Li@nxp.com Signed-off-by: Greg Kroah-Hartman commit e894b1b038abad80311b2dfcccd5b72ba3b38708 Author: Xu Yang Date: Thu Dec 28 19:07:52 2023 +0800 usb: chipidea: wait controller resume finished for wakeup irq commit 128d849074d05545becf86e713715ce7676fc074 upstream. After the chipidea driver introduce extcon for id and vbus, it's able to wakeup from another irq source, in case the system with extcon ID cable, wakeup from usb ID cable and device removal, the usb device disconnect irq may come firstly before the extcon notifier while system resume, so we will get 2 "wakeup" irq, one for usb device disconnect; and one for extcon ID cable change(real wakeup event), current driver treat them as 2 successive wakeup irq so can't handle it correctly, then finally the usb irq can't be enabled. This patch adds a check to bypass further usb events before controller resume finished to fix it. Fixes: 1f874edcb731 ("usb: chipidea: add runtime power management support") cc: Acked-by: Peter Chen Signed-off-by: Xu Yang Signed-off-by: Li Jun Link: https://lore.kernel.org/r/20231228110753.1755756-2-xu.yang_2@nxp.com Signed-off-by: Greg Kroah-Hartman commit 3450197e9a75f1baaf341abbb83bc474b4a171aa Author: Thinh Nguyen Date: Fri Dec 22 22:11:33 2023 +0000 Revert "usb: dwc3: don't reset device side if dwc3 was configured as host-only" commit afe28cd686aeb77e8d9140d50fb1cf06a7ecb731 upstream. This reverts commit e835c0a4e23c38531dcee5ef77e8d1cf462658c7. Don't omit soft-reset. During initialization, the driver may need to perform a soft reset to ensure the phy is ready when the controller updates the GCTL.PRTCAPDIR or other settings by issuing phy soft-reset. Many platforms often have access to DCTL register for soft-reset despite being host-only. If there are actual reported issues from the platforms that don't expose DCTL registers, then we will need to revisit (perhaps to teach dwc3 to perform xhci's soft-reset USBCMD.HCRST). Cc: Fixes: e835c0a4e23c ("usb: dwc3: don't reset device side if dwc3 was configured as host-only") Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/7668ab11a48f260820825274976eb41fec7f54d1.1703282469.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman commit 598f9d5a3b35be50a01c1070083160c06722e819 Author: Thinh Nguyen Date: Fri Dec 22 22:11:27 2023 +0000 Revert "usb: dwc3: Soft reset phy on probe for host" commit 7059fbebcb00554c3f31e5b5d93ef6d2d96dc7b4 upstream. This reverts commit 8bea147dfdf823eaa8d3baeccc7aeb041b41944b. The phy soft reset GUSB2PHYCFG.PHYSOFTRST only applies to UTMI phy, not ULPI. This fix is incomplete. Cc: Fixes: 8bea147dfdf8 ("usb: dwc3: Soft reset phy on probe for host") Reported-by: Köry Maincent Closes: https://lore.kernel.org/linux-usb/20231205151959.5236c231@kmaincent-XPS-13-7390 Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/29a26593a60eba727de872a3e580a674807b3339.1703282469.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman commit d5c4a04205dfe6cccc7e9ed1c1a197133d3d7ad4 Author: Uttkarsh Aggarwal Date: Fri Dec 22 15:17:04 2023 +0530 usb: dwc: ep0: Update request status in dwc3_ep0_stall_restart commit e9d40b215e38480fd94c66b06d79045717a59e9c upstream. Current implementation blocks the running operations when Plug-out and Plug-In is performed continuously, process gets stuck in dwc3_thread_interrupt(). Code Flow: CPU1 ->Gadget_start ->dwc3_interrupt ->dwc3_thread_interrupt ->dwc3_process_event_buf ->dwc3_process_event_entry ->dwc3_endpoint_interrupt ->dwc3_ep0_interrupt ->dwc3_ep0_inspect_setup ->dwc3_ep0_stall_and_restart By this time if pending_list is not empty, it will get the next request on the given list and calls dwc3_gadget_giveback which will unmap request and call its complete() callback to notify upper layers that it has completed. Currently dwc3_gadget_giveback status is set to -ECONNRESET, whereas it should be -ESHUTDOWN based on condition if not dwc->connected is true. Cc: Fixes: d742220b3577 ("usb: dwc3: ep0: giveback requests on stall_and_restart") Signed-off-by: Uttkarsh Aggarwal Link: https://lore.kernel.org/r/20231222094704.20276-1-quic_uaggarwa@quicinc.com Signed-off-by: Greg Kroah-Hartman commit 789eade47fd90d71c47d5991cc2eb8e39452f0bd Author: Xu Yang Date: Thu Dec 28 19:07:53 2023 +0800 usb: phy: mxs: remove CONFIG_USB_OTG condition for mxs_phy_is_otg_host() commit ff2b89de471da942a4d853443688113a44fd35ed upstream. When CONFIG_USB_OTG is not set, mxs_phy_is_otg_host() will always return false. This behaviour is wrong. Since phy.last_event will always be set for either host or device mode. Therefore, CONFIG_USB_OTG condition can be removed. Fixes: 5eda42aebb76 ("usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host()") cc: Acked-by: Peter Chen Signed-off-by: Xu Yang Link: https://lore.kernel.org/r/20231228110753.1755756-3-xu.yang_2@nxp.com Signed-off-by: Greg Kroah-Hartman commit c952654e1a27ebfabbec4c128fd3b638a38f7b36 Author: Heiko Carstens Date: Mon Jan 15 17:35:55 2024 +0100 tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug commit 71fee48fb772ac4f6cfa63dbebc5629de8b4cc09 upstream. When offlining and onlining CPUs the overall reported idle and iowait times as reported by /proc/stat jump backward and forward: cpu 132 0 176 225249 47 6 6 21 0 0 cpu0 80 0 115 112575 33 3 4 18 0 0 cpu1 52 0 60 112673 13 3 1 2 0 0 cpu 133 0 177 226681 47 6 6 21 0 0 cpu0 80 0 116 113387 33 3 4 18 0 0 cpu 133 0 178 114431 33 6 6 21 0 0 <---- jump backward cpu0 80 0 116 114247 33 3 4 18 0 0 cpu1 52 0 61 183 0 3 1 2 0 0 <---- idle + iowait start with 0 cpu 133 0 178 228956 47 6 6 21 0 0 <---- jump forward cpu0 81 0 117 114929 33 3 4 18 0 0 Reason for this is that get_idle_time() in fs/proc/stat.c has different sources for both values depending on if a CPU is online or offline: - if a CPU is online the values may be taken from its per cpu tick_cpu_sched structure - if a CPU is offline the values are taken from its per cpu cpustat structure The problem is that the per cpu tick_cpu_sched structure is set to zero on CPU offline. See tick_cancel_sched_timer() in kernel/time/tick-sched.c. Therefore when a CPU is brought offline and online afterwards both its idle and iowait sleeptime will be zero, causing a jump backward in total system idle and iowait sleeptime. In a similar way if a CPU is then brought offline again the total idle and iowait sleeptimes will jump forward. It looks like this behavior was introduced with commit 4b0c0f294f60 ("tick: Cleanup NOHZ per cpu data on cpu down"). This was only noticed now on s390, since we switched to generic idle time reporting with commit be76ea614460 ("s390/idle: remove arch_cpu_idle_time() and corresponding code"). Fix this by preserving the values of idle_sleeptime and iowait_sleeptime members of the per-cpu tick_sched structure on CPU hotplug. Fixes: 4b0c0f294f60 ("tick: Cleanup NOHZ per cpu data on cpu down") Reported-by: Gerald Schaefer Signed-off-by: Heiko Carstens Signed-off-by: Thomas Gleixner Reviewed-by: Frederic Weisbecker Link: https://lore.kernel.org/r/20240115163555.1004144-1-hca@linux.ibm.com Signed-off-by: Greg Kroah-Hartman commit 9ccf64e763aca088b0d25c1274af42b1a6a45135 Author: Michael Ellerman Date: Fri Dec 15 23:44:49 2023 +1100 powerpc/64s: Increase default stack size to 32KB commit 18f14afe281648e31ed35c9ad2fcb724c4838ad9 upstream. There are reports of kernels crashing due to stack overflow while running OpenShift (Kubernetes). The primary contributor to the stack usage seems to be openvswitch, which is used by OVN-Kubernetes (based on OVN (Open Virtual Network)), but NFS also contributes in some stack traces. There may be some opportunities to reduce stack usage in the openvswitch code, but doing so potentially require tradeoffs vs performance, and also requires testing across architectures. Looking at stack usage across the kernel (using -fstack-usage), shows that ppc64le stack frames are on average 50-100% larger than the equivalent function built for x86-64. Which is not surprising given the minimum stack frame size is 32 bytes on ppc64le vs 16 bytes on x86-64. So increase the default stack size to 32KB for the modern 64-bit Book3S platforms, ie. pseries (virtualised) and powernv (bare metal). That leaves the older systems like G5s, and the AmigaOne (pasemi) with a 16KB stack which should be sufficient on those machines. Signed-off-by: Michael Ellerman Signed-off-by: Aneesh Kumar K.V (IBM) Link: https://msgid.link/20231215124449.317597-1-mpe@ellerman.id.au Signed-off-by: Greg Kroah-Hartman commit 7ac029af00606c6e6e60f02a8ca0c85ad22f6399 Author: Tony Lindgren Date: Tue Nov 14 09:29:30 2023 +0200 clocksource/drivers/timer-ti-dm: Fix make W=n kerneldoc warnings commit b99a212a7697c542b460adaa15d4a98abf8223f0 upstream. Kernel test robot reports of kerneldoc related warnings that happen with make W=n for "parameter or member not described". These were caused by changes to function parameter names with earlier commits where the kerneldoc parts were not updated. Fixes: 49cd16bb573e ("clocksource/drivers/timer-ti-dm: Simplify register writes with dmtimer_write()") Fixes: a6e543f61531 ("clocksource/drivers/timer-ti-dm: Move struct omap_dm_timer fields to driver") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202311040403.DzIiBuwU-lkp@intel.com/ Closes: https://lore.kernel.org/oe-kbuild-all/202311040606.XL5OcR9O-lkp@intel.com/ Signed-off-by: Tony Lindgren Reviewed-by: Randy Dunlap Tested-by: Randy Dunlap Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20231114072930.40615-1-tony@atomide.com Signed-off-by: Greg Kroah-Hartman commit 6696f76c32ff67fec26823fc2df46498e70d9bf3 Author: Carlos Llamas Date: Fri Dec 1 17:21:32 2023 +0000 binder: fix race between mmput() and do_exit() commit 9a9ab0d963621d9d12199df9817e66982582d5a5 upstream. Task A calls binder_update_page_range() to allocate and insert pages on a remote address space from Task B. For this, Task A pins the remote mm via mmget_not_zero() first. This can race with Task B do_exit() and the final mmput() refcount decrement will come from Task A. Task A | Task B ------------------+------------------ mmget_not_zero() | | do_exit() | exit_mm() | mmput() mmput() | exit_mmap() | remove_vma() | fput() | In this case, the work of ____fput() from Task B is queued up in Task A as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup work gets executed. However, Task A instead sleep, waiting for a reply from Task B that never comes (it's dead). This means the binder_deferred_release() is blocked until an unrelated binder event forces Task A to go back to userspace. All the associated death notifications will also be delayed until then. In order to fix this use mmput_async() that will schedule the work in the corresponding mm->async_put_work WQ instead of Task A. Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") Reviewed-by: Alice Ryhl Signed-off-by: Carlos Llamas Link: https://lore.kernel.org/r/20231201172212.1813387-4-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman commit 437360133cbd1e9fb88b122e84fff0df08f18e23 Author: Jan Beulich Date: Mon Jan 8 10:17:16 2024 +0100 xen-netback: don't produce zero-size SKB frags commit c7ec4f2d684e17d69bbdd7c4324db0ef5daac26a upstream. While frontends may submit zero-size requests (wasting a precious slot), core networking code as of at least 3ece782693c4b ("sock: skb_copy_ubufs support for compound pages") can't deal with SKBs when they have all zero-size fragments. Respond to empty requests right when populating fragments; all further processing is fragment based and hence won't encounter these empty requests anymore. In a way this should have been that way from the beginning: When no data is to be transferred for a particular request, there's not even a point in validating the respective grant ref. That's no different from e.g. passing NULL into memcpy() when at the same time the size is 0. This is XSA-448 / CVE-2023-46838. Cc: stable@vger.kernel.org Signed-off-by: Jan Beulich Reviewed-by: Juergen Gross Reviewed-by: Paul Durrant Signed-off-by: Greg Kroah-Hartman commit 3ed5f55599c146208444514a20c1e05b0a871950 Author: Hans de Goede Date: Tue Jan 16 21:43:25 2024 +0100 Input: atkbd - use ab83 as id when skipping the getid command commit 58f65f9db7e0de366a5a115c2e2c0703858bba69 upstream. Barnabás reported that the change to skip the getid command when the controller is in translated mode on laptops caused the Version field of his "AT Translated Set 2 keyboard" input device to change from ab83 to abba, breaking a custom hwdb entry for this keyboard. Use the standard ab83 id for keyboards when getid is skipped (rather then that getid fails) to avoid reporting a different Version to userspace then before skipping the getid. Fixes: 936e4d49ecbc ("Input: atkbd - skip ATKBD_CMD_GETID in translated mode") Reported-by: Barnabás Pőcze Closes: https://lore.kernel.org/linux-input/W1ydwoG2fYv85Z3C3yfDOJcVpilEvGge6UGa9kZh8zI2-qkHXp7WLnl2hSkFz63j-c7WupUWI5TLL6n7Lt8DjRuU-yJBwLYWrreb1hbnd6A=@protonmail.com/ Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20240116204325.7719-1-hdegoede@redhat.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 45e565b55b2fc0f731f1b66a706f74301c7cd7f3 Author: Stefan Wiehler Date: Mon Nov 6 13:12:07 2023 +0100 mips/smp: Call rcutree_report_cpu_starting() earlier commit 55702ec9603ebeffb15e6f7b113623fe1d8872f4 upstream. rcutree_report_cpu_starting() must be called before clockevents_register_device() to avoid the following lockdep splat triggered by calling list_add() when CONFIG_PROVE_RCU_LIST=y: WARNING: suspicious RCU usage ... ----------------------------- kernel/locking/lockdep.c:3680 RCU-list traversed in non-reader section!! other info that might help us debug this: RCU used illegally from offline CPU! rcu_scheduler_active = 1, debug_locks = 1 no locks held by swapper/1/0. ... Call Trace: [] show_stack+0x64/0x158 [] dump_stack_lvl+0x90/0xc4 [] __lock_acquire+0x1404/0x2940 [] lock_acquire+0x14c/0x448 [] _raw_spin_lock_irqsave+0x50/0x88 [] clockevents_register_device+0x60/0x1e8 [] r4k_clockevent_init+0x220/0x3a0 [] start_secondary+0x50/0x3b8 raw_smp_processor_id() is required in order to avoid calling into lockdep before RCU has declared the CPU to be watched for readers. See also commit 29368e093921 ("x86/smpboot: Move rcu_cpu_starting() earlier"), commit de5d9dae150c ("s390/smp: move rcu_cpu_starting() earlier") and commit 99f070b62322 ("powerpc/smp: Call rcu_cpu_starting() earlier"). Signed-off-by: Stefan Wiehler Reviewed-by: Huacai Chen Signed-off-by: Thomas Bogendoerfer Signed-off-by: Greg Kroah-Hartman commit 16e1d4fa136979a49723f485bd8bf081bd335ccc Author: Carlos Llamas Date: Fri Dec 1 17:21:34 2023 +0000 binder: fix unused alloc->free_async_space commit c6d05e0762ab276102246d24affd1e116a46aa0c upstream. Each transaction is associated with a 'struct binder_buffer' that stores the metadata about its buffer area. Since commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space") this struct is no longer embedded within the buffer itself but is instead allocated on the heap to prevent userspace access to this driver-exclusive info. Unfortunately, the space of this struct is still being accounted for in the total buffer size calculation, specifically for async transactions. This results in an additional 104 bytes added to every async buffer request, and this area is never used. This wasted space can be substantial. If we consider the maximum mmap buffer space of SZ_4M, the driver will reserve half of it for async transactions, or 0x200000. This area should, in theory, accommodate up to 262,144 buffers of the minimum 8-byte size. However, after adding the extra 'sizeof(struct binder_buffer)', the total number of buffers drops to only 18,724, which is a sad 7.14% of the actual capacity. This patch fixes the buffer size calculation to enable the utilization of the entire async buffer space. This is expected to reduce the number of -ENOSPC errors that are seen on the field. Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space") Signed-off-by: Carlos Llamas Reviewed-by: Alice Ryhl Link: https://lore.kernel.org/r/20231201172212.1813387-6-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit c5255d122938c04d2078f3e9a49fa1f478c2573e Author: Carlos Llamas Date: Fri Dec 1 17:21:33 2023 +0000 binder: fix async space check for 0-sized buffers commit 3091c21d3e9322428691ce0b7a0cfa9c0b239eeb upstream. Move the padding of 0-sized buffers to an earlier stage to account for this round up during the alloc->free_async_space check. Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space") Reviewed-by: Alice Ryhl Signed-off-by: Carlos Llamas Link: https://lore.kernel.org/r/20231201172212.1813387-5-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman commit 66b35787976daeaeb1cc2b6b465d34bc58caed25 Author: David Howells Date: Wed Jan 10 21:11:40 2024 +0000 keys, dns: Fix size check of V1 server-list header commit acc657692aed438e9931438f8c923b2b107aebf9 upstream. Fix the size check added to dns_resolver_preparse() for the V1 server-list header so that it doesn't give EINVAL if the size supplied is the same as the size of the header struct (which should be valid). This can be tested with: echo -n -e '\0\0\01\xff\0\0' | keyctl padd dns_resolver desc @p which will give "add_key: Invalid argument" without this fix. Fixes: 1997b3cb4217 ("keys, dns: Fix missing size check of V1 server-list header") Reported-by: Pengfei Xu Link: https://lore.kernel.org/r/ZZ4fyY4r3rqgZL+4@xpf.sh.intel.com/ Signed-off-by: David Howells Signed-off-by: Linus Torvalds Cc: Petr Vorel Signed-off-by: Greg Kroah-Hartman commit 60a9a5fca6bf5c55022cbe0f196486e8cd8b8d5b Author: Jordan Rome Date: Sat Nov 11 18:30:10 2023 -0800 selftests/bpf: Add assert for user stacks in test_task_stack commit 727a92d62fd6a382b4c5972008e45667e707b0e4 upstream. This is a follow up to: commit b8e3a87a627b ("bpf: Add crosstask check to __bpf_get_stack"). This test ensures that the task iterator only gets a single user stack (for the current task). Signed-off-by: Jordan Rome Signed-off-by: Andrii Nakryiko Acked-by: Stanislav Fomichev Link: https://lore.kernel.org/bpf/20231112023010.144675-1-linux@jordanrome.com Signed-off-by: Greg Kroah-Hartman commit 3590da14e16394f34d8bb649dc805d8e995ed7c8 Author: Geert Uytterhoeven Date: Thu Jan 11 09:50:25 2024 +0100 of: unittest: Fix of_count_phandle_with_args() expected value message [ Upstream commit 716089b417cf98d01f0dc1b39f9c47e1d7b4c965 ] The expected result value for the call to of_count_phandle_with_args() was updated from 7 to 8, but the accompanying error message was forgotten. Fixes: 4dde83569832f937 ("of: Fix double free in of_parse_phandle_with_args_map") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20240111085025.2073894-1-geert+renesas@glider.be Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 581ade6be57b45af134833313ad4a2751d73ad0d Author: Dario Binacchi Date: Sat Nov 11 11:41:50 2023 +0100 fbdev: imxfb: fix left margin setting [ Upstream commit 5758844105f7dd9a0a04990cd92499a1a593dd36 ] The previous setting did not take into account the CSTN mode. For the H_WAIT_2 bitfield (bits 0-7) of the LCDC Horizontal Configuration Register (LCDCR), the IMX25RM manual states that: In TFT mode, it specifies the number of SCLK periods between the end of HSYNC and the beginning of OE signal, and the total delay time equals (H_WAIT_2 + 3) of SCLK periods. In CSTN mode, it specifies the number of SCLK periods between the end of HSYNC and the first display data in each line, and the total delay time equals (H_WAIT_2 + 2) of SCLK periods. The patch handles both cases. Fixes: 4e47382fbca9 ("fbdev: imxfb: warn about invalid left/right margin") Fixes: 7e8549bcee00 ("imxfb: Fix margin settings") Signed-off-by: Dario Binacchi Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit b9d760dae5b10e73369b769073525acd7b3be2bd Author: Christian A. Ehrhardt Date: Fri Dec 29 11:54:11 2023 +0100 of: Fix double free in of_parse_phandle_with_args_map [ Upstream commit 4dde83569832f9377362e50f7748463340c5db6b ] In of_parse_phandle_with_args_map() the inner loop that iterates through the map entries calls of_node_put(new) to free the reference acquired by the previous iteration of the inner loop. This assumes that the value of "new" is NULL on the first iteration of the inner loop. Make sure that this is true in all iterations of the outer loop by setting "new" to NULL after its value is assigned to "cur". Extend the unittest to detect the double free and add an additional test case that actually triggers this path. Fixes: bd6f2fd5a1 ("of: Support parsing phandle argument lists through a nexus node") Cc: Stephen Boyd Signed-off-by: "Christian A. Ehrhardt" Link: https://lore.kernel.org/r/20231229105411.1603434-1-lk@c--e.de Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 676af10d0cdf6b05c0d7993b1e088351fc5d1e13 Author: Li Nan Date: Fri Dec 8 14:56:47 2023 +0800 ksmbd: validate the zero field of packet header [ Upstream commit 516b3eb8c8065f7465f87608d37a7ed08298c7a5 ] The SMB2 Protocol requires that "The first byte of the Direct TCP transport packet header MUST be zero (0x00)"[1]. Commit 1c1bcf2d3ea0 ("ksmbd: validate smb request protocol id") removed the validation of this 1-byte zero. Add the validation back now. [1]: [MS-SMB2] - v20230227, page 30. https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SMB2/%5bMS-SMB2%5d-230227.pdf Fixes: 1c1bcf2d3ea0 ("ksmbd: validate smb request protocol id") Signed-off-by: Li Nan Acked-by: Tom Talpey Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 222618b737484634b73c40c553bd28c4ce764620 Author: Mirsad Todorovac Date: Sun Jan 7 18:37:04 2024 +0100 kselftest/alsa - mixer-test: Fix the print format specifier warning [ Upstream commit 3f47c1ebe5ca9c5883e596c7888dec4bec0176d8 ] The GCC 13.2.0 compiler issued the following warning: mixer-test.c: In function ‘ctl_value_index_valid’: mixer-test.c:322:79: warning: format ‘%lld’ expects argument of type ‘long long int’, \ but argument 5 has type ‘long int’ [-Wformat=] 322 | ksft_print_msg("%s.%d value %lld more than maximum %lld\n", | ~~~^ | | | long long int | %ld 323 | ctl->name, index, int64_val, 324 | snd_ctl_elem_info_get_max(ctl->info)); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | long int Fixing the format specifier as advised by the compiler suggestion removes the warning. Fixes: 3f48b137d88e7 ("kselftest: alsa: Factor out check that values meet constraints") Cc: Mark Brown Cc: Jaroslav Kysela Cc: Takashi Iwai Cc: Shuah Khan Cc: linux-sound@vger.kernel.org Cc: linux-kselftest@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Mirsad Todorovac Acked-by: Mark Brown Link: https://lore.kernel.org/r/20240107173704.937824-3-mirsad.todorovac@alu.unizg.hr Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit b77ae4f8c142a0180bc9cb7fee7954f051b18c6d Author: Mirsad Todorovac Date: Sun Jan 7 18:37:02 2024 +0100 kselftest/alsa - mixer-test: fix the number of parameters to ksft_exit_fail_msg() [ Upstream commit 8c51c13dc63d46e754c44215eabc0890a8bd9bfb ] Minor fix in the number of arguments to error reporting function in the test program as reported by GCC 13.2.0 warning. mixer-test.c: In function ‘find_controls’: mixer-test.c:169:44: warning: too many arguments for format [-Wformat-extra-args] 169 | ksft_exit_fail_msg("snd_ctl_poll_descriptors() failed for %d\n", | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The number of arguments in call to ksft_exit_fail_msg() doesn't correspond to the format specifiers, so this is adjusted resembling the sibling calls to the error function. Fixes: b1446bda56456 ("kselftest: alsa: Check for event generation when we write to controls") Cc: Mark Brown Cc: Jaroslav Kysela Cc: Takashi Iwai Cc: Shuah Khan Cc: linux-sound@vger.kernel.org Cc: linux-kselftest@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Mirsad Todorovac Acked-by: Mark Brown Link: https://lore.kernel.org/r/20240107173704.937824-2-mirsad.todorovac@alu.unizg.hr Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 74416a207fcf257385abc72602b64d9f0d9790cc Author: Zhipeng Lu Date: Sun Dec 24 16:22:47 2023 +0800 drm/amd/pm/smu7: fix a memleak in smu7_hwmgr_backend_init [ Upstream commit 2f3be3ca779b11c332441b10e00443a2510f4d7b ] The hwmgr->backend, (i.e. data) allocated by kzalloc is not freed in the error-handling paths of smu7_get_evv_voltages and smu7_update_edc_leakage_table. However, it did be freed in the error-handling of phm_initializa_dynamic_state_adjustment_rule_settings, by smu7_hwmgr_backend_fini. So the lack of free in smu7_get_evv_voltages and smu7_update_edc_leakage_table is considered a memleak in this patch. Fixes: 599a7e9fe1b6 ("drm/amd/powerplay: implement smu7 hwmgr to manager asics with smu ip version 7.") Fixes: 8f0804c6b7d0 ("drm/amd/pm: add edc leakage controller setting") Signed-off-by: Zhipeng Lu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 4525525cb7161d08f95d0e47025323dd10214313 Author: Srinivasan Shanmugam Date: Thu Dec 21 07:16:23 2023 +0530 drm/amdkfd: Confirm list is non-empty before utilizing list_first_entry in kfd_topology.c [ Upstream commit 499839eca34ad62d43025ec0b46b80e77065f6d8 ] Before using list_first_entry, make sure to check that list is not empty, if list is empty return -ENODATA. Fixes the below: drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_topology.c:1347 kfd_create_indirect_link_prop() warn: can 'gpu_link' even be NULL? drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_topology.c:1428 kfd_add_peer_prop() warn: can 'iolink1' even be NULL? drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_topology.c:1433 kfd_add_peer_prop() warn: can 'iolink2' even be NULL? Fixes: 0f28cca87e9a ("drm/amdkfd: Extend KFD device topology to surface peer-to-peer links") Cc: Felix Kuehling Cc: Christian König Cc: Alex Deucher Signed-off-by: Srinivasan Shanmugam Suggested-by: Felix Kuehling Suggested-by: Lijo Lazar Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit a9f68a23ca42da7e712d92fd9ee578aa3a37d984 Author: Sergey Gorenko Date: Tue Dec 19 09:23:11 2023 +0200 IB/iser: Prevent invalidating wrong MR [ Upstream commit 2f1888281e67205bd80d3e8f54dbd519a9653f26 ] The iser_reg_resources structure has two pointers to MR but only one mr_valid field. The implementation assumes that we use only *sig_mr when pi_enable is true. Otherwise, we use only *mr. However, it is only sometimes correct. Read commands without protection information occur even when pi_enble is true. For example, the following SCSI commands have a Data-In buffer but never have protection information: READ CAPACITY (16), INQUIRY, MODE SENSE(6), MAINTENANCE IN. So, we use *sig_mr for some SCSI commands and *mr for the other SCSI commands. In most cases, it works fine because the remote invalidation is applied. However, there are two cases when the remote invalidation is not applicable. 1. Small write commands when all data is sent as an immediate. 2. The target does not support the remote invalidation feature. The lazy invalidation is used if the remote invalidation is impossible. Since, at the lazy invalidation, we always invalidate the MR we want to use, the wrong MR may be invalidated. To fix the issue, we need a field per MR that indicates the MR needs invalidation. Since the ib_mr structure already has such a field, let's use ib_mr.need_inval instead of iser_reg_resources.mr_valid. Fixes: b76a439982f8 ("IB/iser: Use IB_WR_REG_MR_INTEGRITY for PI handover") Link: https://lore.kernel.org/r/20231219072311.40989-1-sergeygo@nvidia.com Acked-by: Max Gurtovoy Signed-off-by: Sergey Gorenko Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 96dc4d204a124c8ba259a4cdf53c6505dafc93c2 Author: Peter Robinson Date: Wed Dec 20 13:59:47 2023 +0000 mmc: sdhci_omap: Fix TI SoC dependencies [ Upstream commit 09f164d393a6671e5ff8342ba6b3cb7fe3f20208 ] The sdhci_omap is specific to older TI SoCs, update the dependencies for those SoCs and compile testing. While we're at it update the text to reflect the wider range of supported TI SoCS the driver now supports. Fixes: 7d326930d352 ("mmc: sdhci-omap: Add OMAP SDHCI driver") Signed-off-by: Peter Robinson Link: https://lore.kernel.org/r/20231220135950.433588-2-pbrobinson@gmail.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 5aa65e5f20c6a32181962247e2eb7a0e99b679bf Author: Peter Robinson Date: Wed Dec 20 13:59:46 2023 +0000 mmc: sdhci_am654: Fix TI SoC dependencies [ Upstream commit cb052da7f031b0d2309a4895ca236afb3b4bbf50 ] The sdhci_am654 is specific to recent TI SoCs, update the dependencies for those SoCs and compile testing. While we're at it update the text to reflect the wider range of supported TI SoCS the driver now supports. Fixes: 41fd4caeb00b ("mmc: sdhci_am654: Add Initial Support for AM654 SDHCI driver") Signed-off-by: Peter Robinson Link: https://lore.kernel.org/r/20231220135950.433588-1-pbrobinson@gmail.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit d8d8897d65061cbe36bf2909057338303a904810 Author: Geoffrey D. Bennett Date: Wed Dec 20 04:07:52 2023 +1030 ALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put() [ Upstream commit 04f8f053252b86c7583895c962d66747ecdc61b7 ] Ensure the value passed to scarlett2_mixer_ctl_put() is between 0 and SCARLETT2_MIXER_MAX_VALUE so we don't attempt to access outside scarlett2_mixer_values[]. Signed-off-by: Geoffrey D. Bennett Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface") Link: https://lore.kernel.org/r/3b19fb3da641b587749b85fe1daa1b4e696c0c1b.1703001053.git.g@b4.vu Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit cda7762bea857e6951315a2f7d0632ea1850ed43 Author: Geoffrey D. Bennett Date: Wed Dec 20 04:07:37 2023 +1030 ALSA: scarlett2: Add missing error checks to *_ctl_get() [ Upstream commit 50603a67daef161c78c814580d57f7f0be57167e ] The *_ctl_get() functions which call scarlett2_update_*() were not checking the return value. Fix to check the return value and pass to the caller. Signed-off-by: Geoffrey D. Bennett Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface") Link: https://lore.kernel.org/r/32a5fdc83b05fa74e0fcdd672fbf71d75c5f0a6d.1703001053.git.g@b4.vu Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit be0b1be4ace2f927cdb7c464f8ab70161a0880c9 Author: Geoffrey D. Bennett Date: Fri Oct 27 04:36:16 2023 +1030 ALSA: scarlett2: Allow passing any output to line_out_remap() [ Upstream commit 2190b9aea4eb92ccf3176e35c17c959e40f1a81b ] Line outputs 3 & 4 on the Gen 3 18i8 are internally the analogue 7 and 8 outputs, and this renumbering is hidden from the user by line_out_remap(). By allowing higher values (representing non-analogue outputs) to be passed to line_out_remap(), repeated code from scarlett2_mux_src_enum_ctl_get() and scarlett2_mux_src_enum_ctl_put() can be removed. Signed-off-by: Geoffrey D. Bennett Link: https://lore.kernel.org/r/3b70267931f5994628ab27306c73cddd17b93c8f.1698342632.git.g@b4.vu Signed-off-by: Takashi Iwai Stable-dep-of: 50603a67daef ("ALSA: scarlett2: Add missing error checks to *_ctl_get()") Signed-off-by: Sasha Levin commit be96acd3eaa790d10a5b33e65267f52d02f6ad88 Author: Geoffrey D. Bennett Date: Wed Dec 20 04:07:21 2023 +1030 ALSA: scarlett2: Add missing error check to scarlett2_usb_set_config() [ Upstream commit ca459dfa7d4ed9098fcf13e410963be6ae9b6bf3 ] scarlett2_usb_set_config() calls scarlett2_usb_get() but was not checking the result. Return the error if it fails rather than continuing with an invalid value. Signed-off-by: Geoffrey D. Bennett Fixes: 9e15fae6c51a ("ALSA: usb-audio: scarlett2: Allow bit-level access to config") Link: https://lore.kernel.org/r/def110c5c31dbdf0a7414d258838a0a31c0fab67.1703001053.git.g@b4.vu Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 6232b7505c2ca08144b550ca50dc25e60e0002f3 Author: Geoffrey D. Bennett Date: Wed Dec 20 04:07:00 2023 +1030 ALSA: scarlett2: Add missing error check to scarlett2_config_save() [ Upstream commit 5f6ff6931a1c0065a55448108940371e1ac8075f ] scarlett2_config_save() was ignoring the return value from scarlett2_usb(). As this function is not called from user-space we can't return the error, so call usb_audio_err() instead. Signed-off-by: Geoffrey D. Bennett Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface") Link: https://lore.kernel.org/r/bf0a15332d852d7825fa6da87d2a0d9c0b702053.1703001053.git.g@b4.vu Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 74341edb7d180f768010f3991242eefa97cd808f Author: Hans de Goede Date: Sun Nov 26 22:40:18 2023 +0100 ASoC: rt5645: Drop double EF20 entry from dmi_platform_data[] [ Upstream commit 51add1687f39292af626ac3c2046f49241713273 ] dmi_platform_data[] first contains a DMI entry matching: DMI_MATCH(DMI_PRODUCT_NAME, "EF20"), and then contains an identical entry except for the match being: DMI_MATCH(DMI_PRODUCT_NAME, "EF20EA"), Since these are partial (non exact) DMI matches the first match will also match any board with "EF20EA" in their DMI product-name, drop the second, redundant, entry. Fixes: a4dae468cfdd ("ASoC: rt5645: Add ACPI-defined GPIO for ECS EF20 series") Cc: Chris Chiu Signed-off-by: Hans de Goede Link: https://msgid.link/r/20231126214024.300505-2-hdegoede@redhat.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 40fe0903fa0f7bcb77f8c7b84e72f694142cf5c7 Author: Philipp Zabel Date: Thu Oct 19 22:07:04 2023 +0200 pwm: stm32: Fix enable count for clk in .probe() [ Upstream commit 19f1016ea9600ed89bc24247c36ff5934ad94fbb ] Make the driver take over hardware state without disabling in .probe() and enable the clock for each enabled channel. Signed-off-by: Philipp Zabel [ukleinek: split off from a patch that also implemented .get_state()] Signed-off-by: Uwe Kleine-König Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm") Reviewed-by: Fabrice Gasnier Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 0d554b420cab817b8dd41fbac39812e53315da21 Author: Philipp Zabel Date: Thu Oct 19 22:07:02 2023 +0200 pwm: stm32: Use hweight32 in stm32_pwm_detect_channels [ Upstream commit 41fa8f57c0d269243fe3bde2bce71e82c884b9ad ] Use hweight32() to count the CCxE bits in stm32_pwm_detect_channels(). Since the return value is assigned to chip.npwm, change it to unsigned int as well. Signed-off-by: Philipp Zabel Signed-off-by: Uwe Kleine-König Reviewed-by: Fabrice Gasnier Signed-off-by: Thierry Reding Stable-dep-of: 19f1016ea960 ("pwm: stm32: Fix enable count for clk in .probe()") Signed-off-by: Sasha Levin commit ade959ed672526b651beeac4ac18414f35222db6 Author: Uwe Kleine-König Date: Fri Dec 2 19:35:18 2022 +0100 pwm: stm32: Use regmap_clear_bits and regmap_set_bits where applicable [ Upstream commit 632ae5d7eb348b3ef88552ec0999260b6f9d6ab1 ] Found using coccinelle and the following semantic patch: @@ expression map, reg, bits; @@ - regmap_update_bits(map, reg, bits, bits) + regmap_set_bits(map, reg, bits) @@ expression map, reg, bits; @@ - regmap_update_bits(map, reg, bits, 0) + regmap_clear_bits(map, reg, bits) Tested-by: Fabrice Gasnier Link: https://lore.kernel.org/r/20221115111347.3705732-6-u.kleine-koenig@pengutronix.de Signed-off-by: Uwe Kleine-König Signed-off-by: Thierry Reding Stable-dep-of: 19f1016ea960 ("pwm: stm32: Fix enable count for clk in .probe()") Signed-off-by: Sasha Levin commit c4b1f10f1456ae9f5b3da24e59e37dcfbbc59378 Author: Théo Lebrun Date: Mon Dec 18 18:14:16 2023 +0100 clk: fixed-rate: fix clk_hw_register_fixed_rate_with_accuracy_parent_hw [ Upstream commit ee0cf5e07f44a10fce8f1bfa9db226c0b5ecf880 ] Add missing comma and remove extraneous NULL argument. The macro is currently used by no one which explains why the typo slipped by. Fixes: 2d34f09e79c9 ("clk: fixed-rate: Add support for specifying parents via DT/pointers") Signed-off-by: Théo Lebrun Link: https://lore.kernel.org/r/20231218-mbly-clk-v1-1-44ce54108f06@bootlin.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 6d98d249175e568f72ca94cbd6f959bc4476414e Author: Xingyuan Mo Date: Fri Dec 8 21:00:59 2023 +0800 accel/habanalabs: fix information leak in sec_attest_info() [ Upstream commit a9f07790a4b2250f0140e9a61c7f842fd9b618c7 ] This function may copy the pad0 field of struct hl_info_sec_attest to user mode which has not been initialized, resulting in leakage of kernel heap data to user mode. To prevent this, use kzalloc() to allocate and zero out the buffer, which can also eliminate other uninitialized holes, if any. Fixes: 0c88760f8f5e ("habanalabs/gaudi2: add secured attestation info uapi") Signed-off-by: Xingyuan Mo Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 7ac0adc7df2f94827e8e498c23a57356cb87a85d Author: Nícolas F. R. A. Prado Date: Tue Nov 21 09:29:27 2023 -0500 drm/mediatek: dp: Add phy_mtk_dp module as pre-dependency [ Upstream commit c8048dd0b07df68724805254b9e994d99e9a7af4 ] The mtk_dp driver registers a phy device which is handled by the phy_mtk_dp driver and assumes that the phy probe will complete synchronously, proceeding to make use of functionality exposed by that driver right away. This assumption however is false when the phy driver is built as a module, causing the mtk_dp driver to fail probe in this case. Add the phy_mtk_dp module as a pre-dependency to the mtk_dp module to ensure the phy module has been loaded before the dp, so that the phy probe happens synchrounously and the mtk_dp driver can probe successfully even with the phy driver built as a module. Suggested-by: AngeloGioacchino Del Regno Fixes: f70ac097a2cf ("drm/mediatek: Add MT8195 Embedded DisplayPort driver") Signed-off-by: Nícolas F. R. A. Prado Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Guillaume Ranquet Link: https://patchwork.kernel.org/project/dri-devel/patch/20231121142938.460846-1-nfraprado@collabora.com/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit f930dbdc95433879b0a7ae15fb4fa892cd6b9222 Author: Su Hui Date: Wed Nov 1 11:16:36 2023 +0800 clk: si5341: fix an error code problem in si5341_output_clk_set_rate [ Upstream commit 5607068ae5ab02c3ac9cabc6859d36e98004c341 ] regmap_bulk_write() return zero or negative error code, return the value of regmap_bulk_write() rather than '0'. Fixes: 3044a860fd09 ("clk: Add Si5341/Si5340 driver") Acked-by: Mike Looijmans Signed-off-by: Su Hui Link: https://lore.kernel.org/r/20231101031633.996124-1-suhui@nfschina.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 24961a5dc7590fd2ee0b41167996a229c172d44b Author: Vignesh Raghavendra Date: Wed Dec 13 19:31:10 2023 +0530 watchdog: rti_wdt: Drop runtime pm reference count when watchdog is unused [ Upstream commit c1a6edf3b541e44e78f10bc6024df779715723f1 ] Call runtime_pm_put*() if watchdog is not already started during probe and re enable it in watchdog start as required. On K3 SoCs, watchdogs and their corresponding CPUs are under same power-domain, so if the reference count of unused watchdogs aren't dropped, it will lead to CPU hotplug failures as Device Management firmware won't allow to turn off the power-domain due to dangling reference count. Fixes: 2d63908bdbfb ("watchdog: Add K3 RTI watchdog support") Signed-off-by: Vignesh Raghavendra Tested-by: Manorit Chawdhry Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20231213140110.938129-1-vigneshr@ti.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 6317445623a2b7ce194806424ef7f48a28db0d72 Author: Stefan Wahren Date: Sun Nov 12 18:32:51 2023 +0100 watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling [ Upstream commit f33f5b1fd1be5f5106d16f831309648cb0f1c31d ] Users report about the unexpected behavior for setting timeouts above 15 sec on Raspberry Pi. According to watchdog-api.rst the ioctl WDIOC_SETTIMEOUT shouldn't fail because of hardware limitations. But looking at the code shows that max_timeout based on the register value PM_WDOG_TIME_SET, which is the maximum. Since 664a39236e71 ("watchdog: Introduce hardware maximum heartbeat in watchdog core") the watchdog core is able to handle this problem. This fix has been tested with watchdog-test from selftests. Link: https://bugzilla.kernel.org/show_bug.cgi?id=217374 Fixes: 664a39236e71 ("watchdog: Introduce hardware maximum heartbeat in watchdog core") Signed-off-by: Stefan Wahren Reviewed-by: Florian Fainelli Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20231112173251.4827-1-wahrenst@gmx.net Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 3bde94e858ba6442464ed1d69ec9b8d2ce2fba6d Author: Jerry Hoemann Date: Wed Dec 13 14:53:38 2023 -0700 watchdog/hpwdt: Only claim UNKNOWN NMI if from iLO [ Upstream commit dced0b3e51dd2af3730efe14dd86b5e3173f0a65 ] Avoid unnecessary crashes by claiming only NMIs that are due to ERROR signalling or generated by the hpwdt hardware device. The code does this, but only for iLO5. The intent was to preserve legacy, Gen9 and earlier, semantics of using hpwdt for error containtment as hardware/firmware would signal fatal IO errors as an NMI with the expectation of hpwdt crashing the system. Howerver, these IO errors should be received by hpwdt as an NMI_IO_CHECK. So the test is overly permissive and should not be limited to only ilo5. We need to enable this protection for future iLOs not matching the current PCI IDs. Fixes: 62290a5c194b ("watchdog: hpwdt: Claim NMIs generated by iLO5") Signed-off-by: Jerry Hoemann Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20231213215340.495734-2-jerry.hoemann@hpe.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 06b854238ee54e3c90b37858718c04f55c9b67b1 Author: Curtis Klein Date: Tue Dec 5 11:05:22 2023 -0800 watchdog: set cdev owner before adding [ Upstream commit 38d75297745f04206db9c29bdd75557f0344c7cc ] When the new watchdog character device is registered, it becomes available for opening. This creates a race where userspace may open the device before the character device's owner is set. This results in an imbalance in module_get calls as the cdev_get in cdev_open will not increment the reference count on the watchdog driver module. This causes problems when the watchdog character device is released as the module loader's reference will also be released. This makes it impossible to open the watchdog device later on as it now appears that the module is being unloaded. The open will fail with -ENXIO from chrdev_open. The legacy watchdog device will fail with -EBUSY from the try_module_get in watchdog_open because it's module owner is the watchdog core module so it can still be opened but it will fail to get a refcount on the underlying watchdog device driver. Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of watchdog_core_data and cdev") Signed-off-by: Curtis Klein Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20231205190522.55153-1-curtis.klein@hpe.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit c249ef9d0978afda091747c50f4db0c7788bb7f2 Author: Jay Buddhabhatti Date: Wed Nov 29 03:29:16 2023 -0800 drivers: clk: zynqmp: update divider round rate logic [ Upstream commit 1fe15be1fb613534ecbac5f8c3f8744f757d237d ] Currently zynqmp divider round rate is considering single parent and calculating rate and parent rate accordingly. But if divider clock flag is set to SET_RATE_PARENT then its not trying to traverse through all parent rate and not selecting best parent rate from that. So use common divider_round_rate() which is traversing through all clock parents and its rate and calculating proper parent rate. Fixes: 3fde0e16d016 ("drivers: clk: Add ZynqMP clock driver") Signed-off-by: Jay Buddhabhatti Link: https://lore.kernel.org/r/20231129112916.23125-3-jay.buddhabhatti@amd.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit b61ca9c34c84adccaff57a004b097f143c4dc524 Author: Jay Buddhabhatti Date: Wed Nov 29 03:29:15 2023 -0800 drivers: clk: zynqmp: calculate closest mux rate [ Upstream commit b782921ddd7f84f524723090377903f399fdbbcb ] Currently zynqmp clock driver is not calculating closest mux rate and because of that Linux is not setting proper frequency for CPU and not able to set given frequency for dynamic frequency scaling. E.g., In current logic initial acpu clock parent and frequency as below apll1 0 0 0 2199999978 0 0 50000 Y acpu0_mux 0 0 0 2199999978 0 0 50000 Y acpu0_idiv1 0 0 0 2199999978 0 0 50000 Y acpu0 0 0 0 2199999978 0 0 50000 Y After changing acpu frequency to 549999994 Hz using CPU freq scaling its selecting incorrect parent which is not closest frequency. rpll_to_xpd 0 0 0 1599999984 0 0 50000 Y acpu0_mux 0 0 0 1599999984 0 0 50000 Y acpu0_div1 0 0 0 533333328 0 0 50000 Y acpu0 0 0 0 533333328 0 0 50000 Y Parent should remain same since 549999994 = 2199999978 / 4. So use __clk_mux_determine_rate_closest() generic function to calculate closest rate for mux clock. After this change its selecting correct parent and correct clock rate. apll1 0 0 0 2199999978 0 0 50000 Y acpu0_mux 0 0 0 2199999978 0 0 50000 Y acpu0_div1 0 0 0 549999995 0 0 50000 Y acpu0 0 0 0 549999995 0 0 50000 Y Fixes: 3fde0e16d016 ("drivers: clk: Add ZynqMP clock driver") Signed-off-by: Jay Buddhabhatti Link: https://lore.kernel.org/r/20231129112916.23125-2-jay.buddhabhatti@amd.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 74aeef7e4354d817196b813a4808755b40a16359 Author: Satya Priya Kakitapalli Date: Fri Dec 1 15:20:26 2023 +0530 clk: qcom: videocc-sm8150: Add missing PLL config property [ Upstream commit 71f130c9193f613d497f7245365ed05ffdb0a401 ] When the driver was ported upstream, PLL test_ctl_hi1 register value was omitted. Add it to ensure the PLLs are fully configured. Fixes: 5658e8cf1a8a ("clk: qcom: add video clock controller driver for SM8150") Signed-off-by: Satya Priya Kakitapalli Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20231201-videocc-8150-v3-3-56bec3a5e443@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 52d741c95d4a9c6f0b2c33bb153d773cb0c1e354 Author: Satya Priya Kakitapalli Date: Fri Dec 1 15:20:25 2023 +0530 clk: qcom: videocc-sm8150: Update the videocc resets [ Upstream commit 1fd9a939db24d2f66e48f8bca3e3654add3fa205 ] Add all the available resets for the video clock controller on sm8150. Fixes: 5658e8cf1a8a ("clk: qcom: add video clock controller driver for SM8150") Signed-off-by: Satya Priya Kakitapalli Reviewed-by: Bryan O'Donoghue Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20231201-videocc-8150-v3-2-56bec3a5e443@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 52e2ebc06435306b8d999da4f2a2c90a7183b0b1 Author: Satya Priya Kakitapalli Date: Fri Dec 1 15:20:24 2023 +0530 dt-bindings: clock: Update the videocc resets for sm8150 [ Upstream commit 3185f96968eedd117ec72ee7b87ead44b6d1bbbd ] Add all the available resets for the video clock controller on sm8150. Signed-off-by: Satya Priya Kakitapalli Acked-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20231201-videocc-8150-v3-1-56bec3a5e443@quicinc.com Signed-off-by: Bjorn Andersson Stable-dep-of: 1fd9a939db24 ("clk: qcom: videocc-sm8150: Update the videocc resets") Signed-off-by: Sasha Levin commit 4f31f357e52578931100cf643a9009c1496e9b63 Author: Zhiguo Niu Date: Tue Dec 12 10:15:27 2023 +0800 f2fs: fix to check return value of f2fs_recover_xattr_data [ Upstream commit 86d7d57a3f096c8349b32a0cd5f6f314e4416a6d ] Should check return value of f2fs_recover_xattr_data in __f2fs_setxattr rather than doing invalid retry if error happen. Also just do set_page_dirty in f2fs_recover_xattr_data when page is changed really. Fixes: 50a472bbc79f ("f2fs: do not return EFSCORRUPTED, but try to run online repair") Signed-off-by: Zhiguo Niu Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 2c6537c58bce1a7caeabd43d2380eb2737545521 Author: Zhipeng Lu Date: Fri Dec 15 00:59:38 2023 +0800 drm/amd/pm: fix a double-free in amdgpu_parse_extended_power_table [ Upstream commit a6582701178a47c4d0cb2188c965c59c0c0647c8 ] The amdgpu_free_extended_power_table is called in every error-handling paths of amdgpu_parse_extended_power_table. However, after the following call chain of returning: amdgpu_parse_extended_power_table |-> kv_dpm_init / si_dpm_init (the only two caller of amdgpu_parse_extended_power_table) |-> kv_dpm_sw_init / si_dpm_sw_init (the only caller of kv_dpm_init / si_dpm_init, accordingly) |-> kv_dpm_fini / si_dpm_fini (goto dpm_failed in xx_dpm_sw_init) |-> amdgpu_free_extended_power_table As above, the amdgpu_free_extended_power_table is called twice in this returning chain and thus a double-free is triggered. Similarily, the last kfree in amdgpu_parse_extended_power_table also cause a double free with amdgpu_free_extended_power_table in kv_dpm_fini. Fixes: 84176663e70d ("drm/amd/pm: create a new holder for those APIs used only by legacy ASICs(si/kv)") Signed-off-by: Zhipeng Lu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 4e26e2d485fbbbd313ba30ed59f4db953a192300 Author: Zhipeng Lu Date: Fri Dec 15 00:58:42 2023 +0800 gpu/drm/radeon: fix two memleaks in radeon_vm_init [ Upstream commit c2709b2d6a537ca0fa0f1da36fdaf07e48ef447d ] When radeon_bo_create and radeon_vm_clear_bo fail, the vm->page_tables allocated before need to be freed. However, neither radeon_vm_init itself nor its caller have done such deallocation. Fixes: 6d2f2944e95e ("drm/radeon: use normal BOs for the page tables v4") Signed-off-by: Zhipeng Lu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 35fa2394d26e919f63600ce631e6aefc95ec2706 Author: Zhipeng Lu Date: Fri Dec 15 00:24:58 2023 +0800 drivers/amd/pm: fix a use-after-free in kv_parse_power_table [ Upstream commit 28dd788382c43b330480f57cd34cde0840896743 ] When ps allocated by kzalloc equals to NULL, kv_parse_power_table frees adev->pm.dpm.ps that allocated before. However, after the control flow goes through the following call chains: kv_parse_power_table |-> kv_dpm_init |-> kv_dpm_sw_init |-> kv_dpm_fini The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its first free in kv_parse_power_table and causes a use-after-free bug. Fixes: a2e73f56fa62 ("drm/amdgpu: Add support for CIK parts") Signed-off-by: Zhipeng Lu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit f957a1be647f7fc65926cbf572992ec2747a93f2 Author: Zhipeng Lu Date: Thu Dec 14 23:24:11 2023 +0800 drm/amd/pm: fix a double-free in si_dpm_init [ Upstream commit ac16667237a82e2597e329eb9bc520d1cf9dff30 ] When the allocation of adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails, amdgpu_free_extended_power_table is called to free some fields of adev. However, when the control flow returns to si_dpm_sw_init, it goes to label dpm_failed and calls si_dpm_fini, which calls amdgpu_free_extended_power_table again and free those fields again. Thus a double-free is triggered. Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") Signed-off-by: Zhipeng Lu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 591e77fedc767785dfb5b7232d922a2008c3ebaf Author: Alex Deucher Date: Mon Nov 27 17:26:29 2023 -0500 drm/amdgpu/debugfs: fix error code when smc register accessors are NULL [ Upstream commit afe58346d5d3887b3e49ff623d2f2e471f232a8d ] Should be -EOPNOTSUPP. Fixes: 5104fdf50d32 ("drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL") Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 3ec6ce0651e22e3927252c7dd370d39c3f13f9c8 Author: Hsiao Chien Sung Date: Thu Dec 14 13:58:46 2023 +0800 drm/mediatek: Fix underrun in VDO1 when switches off the layer [ Upstream commit 73b5ab27ab2ee616f2709dc212c2b0007894a12e ] Do not reset Merge while using CMDQ because reset API doesn't wait for frame done event as CMDQ does and could lead to underrun when the layer is switching off. Fixes: aaf94f7c3ae6 ("drm/mediatek: Add display merge async reset control") Reviewed-by: CK Hu Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Hsiao Chien Sung Link: https://patchwork.kernel.org/project/dri-devel/patch/20231214055847.4936-23-shawn.sung@mediatek.com/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit 518efe60bbdd98638e698413722f42985ef4d7f5 Author: Hsiao Chien Sung Date: Thu Dec 14 13:58:44 2023 +0800 drm/mediatek: Return error if MDP RDMA failed to enable the clock [ Upstream commit 21b287146adf39304193e4c49198021e06a28ded ] Return the result of clk_prepare_enable() instead of always returns 0. Fixes: f8946e2b6bb2 ("drm/mediatek: Add display MDP RDMA support for MT8195") Reviewed-by: CK Hu Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Hsiao Chien Sung Link: https://patchwork.kernel.org/project/dri-devel/patch/20231214055847.4936-21-shawn.sung@mediatek.com/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit aa3e61cf89b4d7fc4ad46679d8cef5d41f9fd424 Author: Jessica Zhang Date: Wed Dec 13 13:30:18 2023 -0800 drm/msm/dpu: Drop enable and frame_count parameters from dpu_hw_setup_misr() [ Upstream commit 3313c23f3eab698bc6b904520ee608fc0f7b03d0 ] Drop the enable and frame_count parameters from dpu_hw_setup_misr() as they are always set to the same values. In addition, replace MISR_FRAME_COUNT_MASK with MISR_FRAME_COUNT as frame_count is always set to the same value. Fixes: 7b37523fb1d1 ("drm/msm/dpu: Move MISR methods to dpu_hw_util") Signed-off-by: Jessica Zhang Reviewed-by: Abhinav Kumar Reviewed-by: Dmitry Baryshkov Patchwork: https://patchwork.freedesktop.org/patch/572009/ Link: https://lore.kernel.org/r/20231213-encoder-fixup-v4-2-6da6cd1bf118@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 08d7e291af1d6c6ee7800ce4e1137bd299bce2b2 Author: Jessica Zhang Date: Wed Dec 13 13:30:17 2023 -0800 drm/msm/dpu: Set input_sel bit for INTF [ Upstream commit 980fffd0c69e5df0f67ee089d405899d532aeeab ] Set the input_sel bit for encoders as it was missed in the initial implementation. Reported-by: Rob Clark Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/39 Fixes: 91143873a05d ("drm/msm/dpu: Add MISR register support for interface") Signed-off-by: Jessica Zhang Reviewed-by: Abhinav Kumar Patchwork: https://patchwork.freedesktop.org/patch/572007/ Link: https://lore.kernel.org/r/20231213-encoder-fixup-v4-1-6da6cd1bf118@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 9570ae0e1d3c94df448ca35e5df0a473573aabc0 Author: Claudiu Beznea Date: Thu Dec 7 09:06:50 2023 +0200 clk: renesas: rzg2l: Check reset monitor registers [ Upstream commit da235d2fac212d0add570e755feb1167a830bc99 ] The hardware manual of both RZ/G2L and RZ/G3S specifies that the reset monitor registers need to be interrogated when the reset signals are toggled (chapters "Procedures for Supplying and Stopping Reset Signals" and "Procedure for Activating Modules"). Without this, there is a chance that different modules (e.g. Ethernet) are not ready after their reset signal is toggled, leading to failures (on probe or resume from deep sleep states). The same indications are available for RZ/V2M for TYPE-B reset controls. Fixes: ef3c613ccd68 ("clk: renesas: Add CPG core wrapper for RZ/G2L SoC") Fixes: 8090bea32484 ("clk: renesas: rzg2l: Add support for RZ/V2M reset monitor reg") Signed-off-by: Claudiu Beznea Reviewed-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20231207070700.4156557-2-claudiu.beznea.uj@bp.renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 3e1dd6a1b4fa80ce1d4e6607ec9f040da5117996 Author: Claudiu Beznea Date: Mon Nov 20 09:00:11 2023 +0200 clk: renesas: rzg2l-cpg: Reuse code in rzg2l_cpg_reset() [ Upstream commit 5f9e29b9159a41fcf6733c3b59fa46a90ce3ae20 ] Code in rzg2l_cpg_reset() is equivalent with the combined code of rzg2l_cpg_assert() and rzg2l_cpg_deassert(). There is no need to have different versions thus re-use rzg2l_cpg_assert() and rzg2l_cpg_deassert(). Signed-off-by: Claudiu Beznea Reviewed-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20231120070024.4079344-2-claudiu.beznea.uj@bp.renesas.com Signed-off-by: Geert Uytterhoeven Stable-dep-of: da235d2fac21 ("clk: renesas: rzg2l: Check reset monitor registers") Signed-off-by: Sasha Levin commit 2db77604221c4f162a6d6506b9d27f1f92505424 Author: Christophe JAILLET Date: Mon Oct 30 08:20:26 2023 +0100 media: dvb-frontends: m88ds3103: Fix a memory leak in an error handling path of m88ds3103_probe() [ Upstream commit 5b2f885e2f6f482d05c23f04c8240f7b4fc5bdb5 ] If an error occurs after a successful i2c_mux_add_adapter(), then i2c_mux_del_adapters() should be called to free some resources, as already done in the remove function. Fixes: e6089feca460 ("media: m88ds3103: Add support for ds3103b demod") Signed-off-by: Christophe JAILLET Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 74e3f165d39e704b391b30bbb653ef26a09a28f8 Author: Dan Carpenter Date: Tue Oct 31 12:53:33 2023 +0300 media: dvbdev: drop refcount on error path in dvb_device_open() [ Upstream commit a2dd235df435a05d389240be748909ada91201d2 ] If call to file->f_op->open() fails, then call dvb_device_put(dvbdev). Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 4d6e15a5eabe07dc7613b7b6cf6d626334764324 Author: Chao Yu Date: Sun Dec 10 19:35:47 2023 +0800 f2fs: fix to update iostat correctly in f2fs_filemap_fault() [ Upstream commit bb34cc6ca87ff78f9fb5913d7619dc1389554da6 ] In f2fs_filemap_fault(), it fixes to update iostat info only if VM_FAULT_LOCKED is tagged in return value of filemap_fault(). Fixes: 8b83ac81f428 ("f2fs: support read iostat") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 8835766027c66238361bae5ef5c1eaf5eddee1c5 Author: Chao Yu Date: Sun Dec 10 19:35:44 2023 +0800 f2fs: fix to check compress file in f2fs_move_file_range() [ Upstream commit fb9b65340c818875ea86464faf3c744bdce0055c ] f2fs_move_file_range() doesn't support migrating compressed cluster data, let's add the missing check condition and return -EOPNOTSUPP for the case until we support it. Fixes: 4c8ff7095bef ("f2fs: support data compression") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 9bfd5ea71521d0e522ba581c6ccc5db93759c0c3 Author: Chao Yu Date: Sun Dec 10 19:35:43 2023 +0800 f2fs: fix to wait on block writeback for post_read case [ Upstream commit 55fdc1c24a1d6229fe0ecf31335fb9a2eceaaa00 ] If inode is compressed, but not encrypted, it missed to call f2fs_wait_on_block_writeback() to wait for GCed page writeback in IPU write path. Thread A GC-Thread - f2fs_gc - do_garbage_collect - gc_data_segment - move_data_block - f2fs_submit_page_write migrate normal cluster's block via meta_inode's page cache - f2fs_write_single_data_page - f2fs_do_write_data_page - f2fs_inplace_write_data - f2fs_submit_page_bio IRQ - f2fs_read_end_io IRQ old data overrides new data due to out-of-order GC and common IO. - f2fs_read_end_io Fixes: 4c8ff7095bef ("f2fs: support data compression") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit e67911d2caeb1ec2228e84ea0dc34b78945beb6c Author: Chris Morgan Date: Fri Dec 8 09:48:45 2023 -0600 drm/panel: st7701: Fix AVCL calculation [ Upstream commit 799825aa87200ade1ba21db853d1c2ff720dcfe0 ] The AVCL register, according to the datasheet, comes in increments of -0.2v between -4.4v (represented by 0x0) to -5.0v (represented by 0x3). The current calculation is done by adding the defined AVCL value in mV to -4400 and then dividing by 200 to get the register value. Unfortunately if I subtract -4400 from -4400 I get -8800, which divided by 200 gives me -44. If I instead subtract -4400 from -4400 I get 0, which divided by 200 gives me 0. Based on the datasheet this is the expected register value. Fixes: 83b7a8e7e88e ("drm/panel/panel-sitronix-st7701: Parametrize voltage and timing") Signed-off-by: Chris Morgan Reviewed-by: Neil Armstrong Link: https://lore.kernel.org/r/20231208154847.130615-2-macroalpha82@gmail.com Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20231208154847.130615-2-macroalpha82@gmail.com Signed-off-by: Sasha Levin commit bb17cc851e3af08cf1bd06bdc334867c517326bb Author: Tomi Valkeinen Date: Wed Nov 22 16:50:07 2023 +0100 media: rkisp1: Fix media device memory leak [ Upstream commit 452f604a4683654f4d9472b3126d8da61d748443 ] Add missing calls to media_device_cleanup() to fix memory leak. Link: https://lore.kernel.org/r/20231122-rkisp-fixes-v2-1-78bfb63cdcf8@ideasonboard.com Fixes: d65dd85281fb ("media: staging: rkisp1: add Rockchip ISP1 base driver") Reviewed-by: Tommaso Merciai Signed-off-by: Tomi Valkeinen Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 690b7c356f1e33d8bb8211a49e06208f7977db5b Author: Mehdi Djait Date: Wed Nov 15 17:44:07 2023 +0100 media: dt-bindings: media: rkisp1: Fix the port description for the parallel interface [ Upstream commit 25bf28b25a2afa1864b7143259443160d9163ea0 ] The bus-type belongs to the endpoint's properties and should therefore be moved. Link: https://lore.kernel.org/r/20231115164407.99876-1-mehdi.djait@bootlin.com Fixes: 6a0eaa25bf36 ("media: dt-bindings: media: rkisp1: Add port for parallel interface") Signed-off-by: Mehdi Djait Acked-by: Conor Dooley Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 438193dcc27b679d542a6882cafc6033eebe81bf Author: Tomi Valkeinen Date: Wed Nov 22 16:21:34 2023 +0100 media: imx-mipi-csis: Fix clock handling in remove() [ Upstream commit 5705b0e0eb550ff834125a46a4ef99b62093d83d ] The driver always calls mipi_csis_runtime_suspend() and mipi_csis_clk_disable() in remove(). This causes multiple WARNs from the kernel, as the clocks get disabled too many times. Fix the remove() to call mipi_csis_runtime_suspend() and mipi_csis_clk_disable() in a way that reverses what is done in probe(). Link: https://lore.kernel.org/r/20231122-imx-csis-v2-1-e44b8dc4cb66@ideasonboard.com Fixes: 7807063b862b ("media: staging/imx7: add MIPI CSI-2 receiver subdev for i.MX7") Signed-off-by: Tomi Valkeinen Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit df2adafa6213b97bea1b9fbbb38f0e0e883b42eb Author: Satya Priya Kakitapalli Date: Wed Nov 22 09:58:14 2023 +0530 clk: qcom: gpucc-sm8150: Update the gpu_cc_pll1 config [ Upstream commit 6ebd9a4f8b8d2b35cf965a04849c4ba763722f13 ] Update the test_ctl_hi_val and test_ctl_hi1_val of gpu_cc_pll1 as per latest HW recommendation. Fixes: 0cef71f2ccc8 ("clk: qcom: Add graphics clock controller driver for SM8150") Signed-off-by: Satya Priya Kakitapalli Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20231122042814.4158076-1-quic_skakitap@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 40a156cf08c9e09510c3e80e24237f9c67cc2ba3 Author: Chengchang Tang Date: Thu Dec 7 19:42:31 2023 +0800 RDMA/hns: Fix memory leak in free_mr_init() [ Upstream commit 288f535951aa81ed674f5e5477ab11b9d9351b8c ] When a reserved QP fails to be created, the memory of the remaining created reserved QPs is leaked. Fixes: 70f92521584f ("RDMA/hns: Use the reserved loopback QPs to free MR before destroying MPT") Signed-off-by: Chengchang Tang Signed-off-by: Junxian Huang Link: https://lore.kernel.org/r/20231207114231.2872104-6-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit dada3fdb4ec95bdca33129b736a8ae202b898499 Author: Zhipeng Lu Date: Fri Dec 1 21:22:55 2023 +0800 media: cx231xx: fix a memleak in cx231xx_init_isoc [ Upstream commit 5d3c8990e2bbf929cb211563dadd70708f42e4e6 ] The dma_q->p_left_data alloced by kzalloc should be freed in all the following error handling paths. However, it hasn't been freed in the allocation error paths of dev->video_mode.isoc_ctl.urb and dev->video_mode.isoc_ctl.transfer_buffer. On the other hand, the dma_q->p_left_data did be freed in the error-handling paths after that of dev->video_mode.isoc_ctl.urb and dev->video_mode.isoc_ctl.transfer_buffer, by calling cx231xx_uninit_isoc(dev). So the same free operation should be done in error-handling paths of those two allocation. Fixes: 64fbf4445526 ("[media] cx231xx: Added support for Carraera, Shelby, RDx_253S and VIDEO_GRABBER") Signed-off-by: Zhipeng Lu Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit b075ed8dcc2c2b3f0e761d8557c4cca9a7e2b6e5 Author: Tomi Valkeinen Date: Fri Nov 3 15:14:06 2023 +0200 drm/bridge: tc358767: Fix return value on error case [ Upstream commit 32bd29b619638256c5b75fb021d6d9f12fc4a984 ] If the hpd_pin is invalid, the driver returns 'ret'. But 'ret' contains 0, instead of an error value. Return -EINVAL instead. Fixes: f25ee5017e4f ("drm/bridge: tc358767: add IRQ and HPD support") Acked-by: Maxime Ripard Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20231103-uninit-fixes-v2-4-c22b2444f5f5@ideasonboard.com Signed-off-by: Sasha Levin commit 9a3b2263705d931a99ba9b2e0356596a8f36d068 Author: Tomi Valkeinen Date: Fri Nov 3 15:14:05 2023 +0200 drm/bridge: cdns-mhdp8546: Fix use of uninitialized variable [ Upstream commit 155d6fb61270dd297f128731cd155080deee8f3a ] 'ret' could be uninitialized at the end of the function, although it's not clear if that can happen in practice. Fixes: 6a3608eae6d3 ("drm: bridge: cdns-mhdp8546: Enable HDCP") Acked-by: Maxime Ripard Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20231103-uninit-fixes-v2-3-c22b2444f5f5@ideasonboard.com Signed-off-by: Sasha Levin commit 60c23f9aeb26cdb64a65eac9d184d5db61531e6c Author: Zhipeng Lu Date: Mon Dec 4 18:21:54 2023 +0800 drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table [ Upstream commit 28c28d7f77c06ac2c0b8f9c82bc04eba22912b3b ] The rdev->pm.dpm.ps allocated by kcalloc should be freed in every following error-handling path. However, in the error-handling of rdev->pm.power_state[i].clock_info the rdev->pm.dpm.ps is not freed, resulting in a memleak in this function. Fixes: d70229f70447 ("drm/radeon/kms: add dpm support for trinity asics") Signed-off-by: Zhipeng Lu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 0f19543097c20c0c9fd968ec4bcfb160a78c1ae0 Author: Zhipeng Lu Date: Mon Dec 4 16:57:56 2023 +0800 drm/radeon/dpm: fix a memleak in sumo_parse_power_table [ Upstream commit 0737df9ed0997f5b8addd6e2b9699a8c6edba2e4 ] The rdev->pm.dpm.ps allocated by kcalloc should be freed in every following error-handling path. However, in the error-handling of rdev->pm.power_state[i].clock_info the rdev->pm.dpm.ps is not freed, resulting in a memleak in this function. Fixes: 80ea2c129c76 ("drm/radeon/kms: add dpm support for sumo asics (v2)") Signed-off-by: Zhipeng Lu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit c4ff55408187f2595066967047363ca84e76db85 Author: Yang Yingliang Date: Thu Nov 30 15:50:16 2023 +0800 drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() [ Upstream commit 7a2464fac80d42f6f8819fed97a553e9c2f43310 ] check the alloc_workqueue return value in radeon_crtc_init() to avoid null-ptr-deref. Fixes: fa7f517cb26e ("drm/radeon: rework page flip handling v4") Signed-off-by: Yang Yingliang Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 048cbfd6050a359a893e961baa4727288bf8ffd1 Author: AngeloGioacchino Del Regno Date: Mon Dec 4 12:42:13 2023 +0100 drm/panfrost: Ignore core_mask for poweroff and disable PWRTRANS irq [ Upstream commit a4f5892914ca7709ea6d191f0edace93a5935966 ] Some SoCs may be equipped with a GPU containing two core groups and this is exactly the case of Samsung's Exynos 5422 featuring an ARM Mali-T628 MP6 GPU: the support for this GPU in Panfrost is partial, as this driver currently supports using only one core group and that's reflected on all parts of it, including the power on (and power off, previously to this patch) function. The issue with this is that even though executing the soft reset operation should power off all cores unconditionally, on at least one platform we're seeing a crash that seems to be happening due to an interrupt firing which may be because we are calling power transition only on the first core group, leaving the second one unchanged, or because ISR execution was pending before entering the panfrost_gpu_power_off() function and executed after powering off the GPU cores, or all of the above. Finally, solve this by: - Avoid to enable the power transition interrupt on reset; and - Ignoring the core_mask and ask the GPU to poweroff both core groups Fixes: 22aa1a209018 ("drm/panfrost: Really power off GPU cores in panfrost_gpu_power_off()") Reviewed-by: Boris Brezillon Reviewed-by: Steven Price Signed-off-by: AngeloGioacchino Del Regno Tested-by: Marek Szyprowski Signed-off-by: Boris Brezillon Link: https://patchwork.freedesktop.org/patch/msgid/20231204114215.54575-2-angelogioacchino.delregno@collabora.com Signed-off-by: Sasha Levin commit c32ee7286f5b21a5389c82daf278ca593f001903 Author: Brent Lu Date: Mon Dec 4 15:41:58 2023 -0600 ASoC: Intel: glk_rt5682_max98357a: fix board id mismatch [ Upstream commit 486ede0df82dd74472c6f5651e38ff48f7f766c1 ] The drv_name in enumeration table for ALC5682I-VS codec does not match the board id string in machine driver. Modify the entry of "10EC5682" to enumerate "RTL5682" as well and remove invalid entry. Fixes: 88b4d77d6035 ("ASoC: Intel: glk_rt5682_max98357a: support ALC5682I-VS codec") Reported-by: Curtis Malainey Reviewed-by: Curtis Malainey Reviewed-by: Bard Liao Signed-off-by: Brent Lu Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20231204214200.203100-4-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7682ef5c144ac4f0db61b82da5684b3dae13589d Author: Dmitry Baryshkov Date: Sun Dec 3 01:55:52 2023 +0300 drm/drv: propagate errors from drm_modeset_register_all() [ Upstream commit 5f8dec200923a76dc57187965fd59c1136f5d085 ] In case the drm_modeset_register_all() function fails, its error code will be ignored. Instead make the drm_dev_register() bail out in case of such an error. Fixes: 79190ea2658a ("drm: Add callbacks for late registering") Reviewed-by: Neil Armstrong Signed-off-by: Dmitry Baryshkov Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20231202225552.1283638-1-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit 19b01c6c19a0511d83d1b930b08cf34cbe8b6e0f Author: Konrad Dybcio Date: Tue Jun 20 13:43:20 2023 +0200 drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks [ Upstream commit 3d07a411b4faaf2b498760ccf12888f8de529de0 ] This helper has been introduced to avoid programmer errors (missing _put calls leading to dangling refcnt) when using pm_runtime_get, use it. While at it, start checking the return value. Signed-off-by: Konrad Dybcio Reviewed-by: Dmitry Baryshkov Fixes: 5c8290284402 ("drm/msm/dsi: Split PHY drivers to separate files") Patchwork: https://patchwork.freedesktop.org/patch/543350/ Link: https://lore.kernel.org/r/20230620-topic-dsiphy_rpm-v2-1-a11a751f34f0@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit b234ecad200bca72342e646b3f747c1e1f71c100 Author: Dmitry Baryshkov Date: Tue Nov 28 00:54:01 2023 +0300 drm/msm/mdp4: flush vblank event on disable [ Upstream commit c6721b3c6423d8a348ae885a0f4c85e14f9bf85c ] Flush queued events when disabling the crtc. This avoids timeouts when we come back and wait for dependencies (like the previous frame's flip_done). Fixes: c8afe684c95c ("drm/msm: basic KMS driver for snapdragon") Signed-off-by: Dmitry Baryshkov Reviewed-by: Abhinav Kumar Patchwork: https://patchwork.freedesktop.org/patch/569127/ Link: https://lore.kernel.org/r/20231127215401.4064128-1-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit 982eb772e185506613093854ae22d961f737d8e5 Author: Linus Walleij Date: Fri Dec 1 14:20:32 2023 +0100 ASoC: cs35l34: Fix GPIO name and drop legacy include [ Upstream commit a6122b0b4211d132934ef99e7b737910e6d54d2f ] This driver includes the legacy GPIO APIs and but does not use any symbols from any of them. Drop the includes. Further the driver is requesting "reset-gpios" rather than just "reset" from the GPIO framework. This is wrong because the gpiolib core will add "-gpios" before processing the request from e.g. device tree. Drop the suffix. The last problem means that the optional RESET GPIO has never been properly retrieved and used even if it existed, but nobody noticed. Fixes: c1124c09e103 ("ASoC: cs35l34: Initial commit of the cs35l34 CODEC driver.") Acked-by: Charles Keepax Signed-off-by: Linus Walleij Link: https://lore.kernel.org/r/20231201-descriptors-sound-cirrus-v2-3-ee9f9d4655eb@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 940484c05564eced814e48d2d35f59c7d822477b Author: Linus Walleij Date: Fri Dec 1 14:20:31 2023 +0100 ASoC: cs35l33: Fix GPIO name and drop legacy include [ Upstream commit 50678d339d670a92658e5538ebee30447c88ccb3 ] This driver includes the legacy GPIO APIs and but does not use any symbols from any of them. Drop the includes. Further the driver is requesting "reset-gpios" rather than just "reset" from the GPIO framework. This is wrong because the gpiolib core will add "-gpios" before processing the request from e.g. device tree. Drop the suffix. The last problem means that the optional RESET GPIO has never been properly retrieved and used even if it existed, but nobody noticed. Fixes: 3333cb7187b9 ("ASoC: cs35l33: Initial commit of the cs35l33 CODEC driver.") Acked-by: Charles Keepax Signed-off-by: Linus Walleij Link: https://lore.kernel.org/r/20231201-descriptors-sound-cirrus-v2-2-ee9f9d4655eb@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2da8e2034600d6ea2073c7bf1251e7b4745800f1 Author: Tomi Valkeinen Date: Thu Nov 9 09:38:01 2023 +0200 drm/tidss: Fix dss reset [ Upstream commit bc288a927815efcf9d7f4a54d4d89c5df478c635 ] The probe function calls dispc_softreset() before runtime PM is enabled and without enabling any of the DSS clocks. This happens to work by luck, and we need to make sure the DSS HW is active and the fclk is enabled. To fix the above, add a new function, dispc_init_hw(), which does: - pm_runtime_set_active() - clk_prepare_enable(fclk) - dispc_softreset(). This ensures that the reset can be successfully accomplished. Note that we use pm_runtime_set_active(), not the normal pm_runtime_get(). The reason for this is that at this point we haven't enabled the runtime PM yet and also we don't want the normal resume callback to be called: the dispc resume callback does some initial HW setup, and it expects that the HW was off (no video ports are streaming). If the bootloader has enabled the DSS and has set up a boot time splash-screen, the DSS would be enabled and streaming which might lead to issues with the normal resume callback. Fixes: c9b2d923befd ("drm/tidss: Soft Reset DISPC on startup") Reviewed-by: Aradhya Bhatia Link: https://lore.kernel.org/r/20231109-tidss-probe-v2-8-ac91b5ea35c0@ideasonboard.com Signed-off-by: Tomi Valkeinen Signed-off-by: Sasha Levin commit 553574c023b3ffd4aac9568cac7ea5199b19abf9 Author: Tomi Valkeinen Date: Thu Nov 9 09:37:59 2023 +0200 drm/tidss: Check for K2G in in dispc_softreset() [ Upstream commit 151825150cf9c2e9fb90763d35b9dff3783628ac ] K2G doesn't have softreset feature. Instead of having every caller of dispc_softreset() check for K2G, move the check into dispc_softreset(), and make dispc_softreset() return 0 in case of K2G. Reviewed-by: Laurent Pinchart Reviewed-by: Aradhya Bhatia Link: https://lore.kernel.org/r/20231109-tidss-probe-v2-6-ac91b5ea35c0@ideasonboard.com Signed-off-by: Tomi Valkeinen Stable-dep-of: bc288a927815 ("drm/tidss: Fix dss reset") Signed-off-by: Sasha Levin commit f099c742caa1e2dd8ee59b5c58a26b54eeeb2e29 Author: Tomi Valkeinen Date: Thu Nov 9 09:37:58 2023 +0200 drm/tidss: Return error value from from softreset [ Upstream commit aceafbb5035c4bfc75a321863ed1e393d644d2d2 ] Return an error value from dispc_softreset() so that the caller can handle the errors. Reviewed-by: Aradhya Bhatia Link: https://lore.kernel.org/r/20231109-tidss-probe-v2-5-ac91b5ea35c0@ideasonboard.com Signed-off-by: Tomi Valkeinen Stable-dep-of: bc288a927815 ("drm/tidss: Fix dss reset") Signed-off-by: Sasha Levin commit 10a437c604403d704fadeb3d0ddd1ed91321159d Author: Tomi Valkeinen Date: Thu Nov 9 09:37:57 2023 +0200 drm/tidss: Move reset to the end of dispc_init() [ Upstream commit 36d1e0852680aa038e2428d450673390111b165c ] We do a DSS reset in the middle of the dispc_init(). While that happens to work now, we should really make sure that e..g the fclk, which is acquired only later in the function, is enabled when doing a reset. This will be handled in a later patch, but for now, let's move the dispc_softreset() call to the end of dispc_init(), which is a sensible place for it anyway. Reviewed-by: Laurent Pinchart Reviewed-by: Aradhya Bhatia Link: https://lore.kernel.org/r/20231109-tidss-probe-v2-4-ac91b5ea35c0@ideasonboard.com Signed-off-by: Tomi Valkeinen Stable-dep-of: bc288a927815 ("drm/tidss: Fix dss reset") Signed-off-by: Sasha Levin commit da72ff8def7c4522764a2d663cfc1f9a63da0c56 Author: Nikita Zhandarovich Date: Tue Aug 8 11:04:16 2023 -0700 drm/radeon: check return value of radeon_ring_lock() [ Upstream commit 71225e1c930942cb1e042fc08c5cc0c4ef30e95e ] In the unlikely event of radeon_ring_lock() failing, its errno return value should be processed. This patch checks said return value and prints a debug message in case of an error. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 48c0c902e2e6 ("drm/radeon/kms: add support for CP setup on SI") Signed-off-by: Nikita Zhandarovich Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit e6667551ed5e3fd77cb2ef662df966e81f65bdd2 Author: Nikita Zhandarovich Date: Wed Nov 29 07:22:12 2023 -0800 drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check() [ Upstream commit b5c5baa458faa5430c445acd9a17481274d77ccf ] It may be possible, albeit unlikely, to encounter integer overflow during the multiplication of several unsigned int variables, the result being assigned to a variable 'size' of wider type. Prevent this potential behaviour by converting one of the multiples to unsigned long. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 0242f74d29df ("drm/radeon: clean up CS functions in r100.c") Signed-off-by: Nikita Zhandarovich Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 9ac2845a2eee1ac9ee9af846bbe64cb6e00fd386 Author: Nikita Zhandarovich Date: Wed Nov 29 07:22:30 2023 -0800 drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg() [ Upstream commit 39c960bbf9d9ea862398759e75736cfb68c3446f ] While improbable, there may be a chance of hitting integer overflow when the result of radeon_get_ib_value() gets shifted left. Avoid it by casting one of the operands to larger data type (u64). Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 1729dd33d20b ("drm/radeon/kms: r600 CS parser fixes") Signed-off-by: Nikita Zhandarovich Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit f0145860c20be6bae6785c7a2249577674702ac7 Author: Chao Yu Date: Tue Nov 28 17:25:16 2023 +0800 f2fs: fix to avoid dirent corruption [ Upstream commit 53edb549565f55ccd0bdf43be3d66ce4c2d48b28 ] As Al reported in link[1]: f2fs_rename() ... if (old_dir != new_dir && !whiteout) f2fs_set_link(old_inode, old_dir_entry, old_dir_page, new_dir); else f2fs_put_page(old_dir_page, 0); You want correct inumber in the ".." link. And cross-directory rename does move the source to new parent, even if you'd been asked to leave a whiteout in the old place. [1] https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/ With below testcase, it may cause dirent corruption, due to it missed to call f2fs_set_link() to update ".." link to new directory. - mkdir -p dir/foo - renameat2 -w dir/foo bar [ASSERT] (__chk_dots_dentries:1421) --> Bad inode number[0x4] for '..', parent parent ino is [0x3] [FSCK] other corrupted bugs [Fail] Fixes: 7e01e7ad746b ("f2fs: support RENAME_WHITEOUT") Cc: Jan Kara Reported-by: Al Viro Signed-off-by: Chao Yu Reviewed-by: Jan Kara Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 4bab3ad44d61a09bed0d74a4f57c12b4d5e25696 Author: Dario Binacchi Date: Fri Nov 24 10:42:30 2023 +0100 drm/bridge: Fix typo in post_disable() description [ Upstream commit 288b039db225676e0c520c981a1b5a2562d893a3 ] s/singals/signals/ Fixes: 199e4e967af4 ("drm: Extract drm_bridge.h") Signed-off-by: Dario Binacchi Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20231124094253.658064-1-dario.binacchi@amarulasolutions.com Signed-off-by: Sasha Levin commit dab1227007a50a514f008e64faaea6b735192f96 Author: Paul Kocialkowski Date: Thu Nov 9 21:16:40 2023 +0100 media: rkvdec: Hook the (TRY_)DECODER_CMD stateless ioctls [ Upstream commit 1fb7b5ab62113b29ce331464048d8c39e58fd08a ] The (TRY_)DECODER_CMD ioctls are used to support flushing when holding capture buffers is supported. This is the case of this driver but the ioctls were never hooked to the ioctl ops. Add them to correctly support flushing. Fixes: ed7bb87d3d03 ("media: rkvdec: Enable capture buffer holding for H264") Signed-off-by: Paul Kocialkowski Reviewed-by: Daniel Almeida Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 563f34c24c0ce953d569a6d8708a9c511f78da46 Author: Paul Kocialkowski Date: Thu Nov 9 21:16:39 2023 +0100 media: verisilicon: Hook the (TRY_)DECODER_CMD stateless ioctls [ Upstream commit 6c0d9e12b1d12bbd95484e4b99f63feeb423765f ] The (TRY_)DECODER_CMD ioctls are used to support flushing when holding capture buffers is supported. This is the case of this driver but the ioctls were never hooked to the ioctl ops. Add them to correctly support flushing. Fixes: 340ce50f75a6 ("media: hantro: Enable HOLD_CAPTURE_BUF for H.264") Signed-off-by: Paul Kocialkowski Reviewed-by: Daniel Almeida Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 32b4b2dde3d49c4bda37f9fc91a91e542160b209 Author: Zheng Wang Date: Mon Nov 6 15:48:09 2023 +0100 media: mtk-jpeg: Remove cancel worker in mtk_jpeg_remove to avoid the crash of multi-core JPEG devices [ Upstream commit d8212c5c87c143ca01b78f6bf61244af07e0058e ] This patch reverts commit c677d7ae8314 ("media: mtk-jpeg: Fix use after free bug due to uncanceled work"). The job_timeout_work is initialized only for the single-core JPEG device so it will cause the crash for multi-core JPEG devices. Fix it by removing the cancel_delayed_work_sync function. Fixes: c677d7ae8314 ("media: mtk-jpeg: Fix use after free bug due to uncanceled work") Signed-off-by: Zheng Wang Signed-off-by: Dmitry Osipenko Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit f211621debcdc61d91233dcdc04d18bf3710505b Author: kyrie wu Date: Thu Sep 29 17:08:11 2022 +0800 media: mtk-jpegdec: export jpeg decoder functions [ Upstream commit 08d530a8da706f157e9dcb4d9b7b4f0eff908ab9 ] mtk jpeg decoder is built as a module, export some functions to make them visible by other modules. Signed-off-by: kyrie wu Signed-off-by: irui wang Signed-off-by: Hans Verkuil Stable-dep-of: d8212c5c87c1 ("media: mtk-jpeg: Remove cancel worker in mtk_jpeg_remove to avoid the crash of multi-core JPEG devices") Signed-off-by: Sasha Levin commit 30773ea47d41773f9611ffb4ebc9bda9d19a9e7e Author: Ricardo B. Marliere Date: Fri Oct 13 01:09:12 2023 +0200 media: pvrusb2: fix use after free on context disconnection [ Upstream commit ded85b0c0edd8f45fec88783d7555a5b982449c1 ] Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack. Reported-and-tested-by: syzbot+621409285c4156a009b3@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000a02a4205fff8eb92@google.com/ Fixes: e5be15c63804 ("V4L/DVB (7711): pvrusb2: Fix race on module unload") Signed-off-by: Ricardo B. Marliere Acked-by: Mike Isely Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 4019c809688dabd8be7a9464fa08cbe8652c0bda Author: Tomi Valkeinen Date: Tue Sep 19 10:12:50 2023 +0300 drm/tilcdc: Fix irq free on unload [ Upstream commit 38360bf96d816e175bc602c4ee76953cd303b71d ] The driver only frees the reserved irq if priv->irq_enabled is set to true. However, the driver mistakenly sets priv->irq_enabled to false, instead of true, in tilcdc_irq_install(), and thus the driver never frees the irq, causing issues on loading the driver a second time. Fixes: b6366814fa77 ("drm/tilcdc: Convert to Linux IRQ interfaces") Cc: Thomas Zimmermann Reviewed-by: Aradhya Bhatia Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20230919-lcdc-v1-1-ba60da7421e1@ideasonboard.com Signed-off-by: Sasha Levin commit 81f1bd85960b7a089a91e679ff7cd2524390bbf1 Author: Uwe Kleine-König Date: Thu Nov 2 17:56:42 2023 +0100 drm/bridge: tpd12s015: Drop buggy __exit annotation for remove function [ Upstream commit ce3e112e7ae854249d8755906acc5f27e1542114 ] With tpd12s015_remove() marked with __exit this function is discarded when the driver is compiled as a built-in. The result is that when the driver unbinds there is no cleanup done which results in resource leakage or worse. Fixes: cff5e6f7e83f ("drm/bridge: Add driver for the TI TPD12S015 HDMI level shifter") Signed-off-by: Uwe Kleine-König Signed-off-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20231102165640.3307820-19-u.kleine-koenig@pengutronix.de Signed-off-by: Sasha Levin commit 37b400c8030c3aaee939d2c7024083c2c89e7b32 Author: Abhinav Singh Date: Tue Nov 14 00:43:03 2023 +0530 drm/nouveau/fence:: fix warning directly dereferencing a rcu pointer [ Upstream commit 5f35a624c1e30b5bae5023b3c256e94e0ad4f806 ] Fix a sparse warning with this message "warning:dereference of noderef expression". In this context it means we are dereferencing a __rcu tagged pointer directly. We should not be directly dereferencing a rcu pointer. To get a normal (non __rcu tagged pointer) from a __rcu tagged pointer we are using the function unrcu_pointer(...). The non __rcu tagged pointer then can be dereferenced just like a normal pointer. I tested with qemu with this command qemu-system-x86_64 \ -m 2G \ -smp 2 \ -kernel bzImage \ -append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0" \ -drive file=bullseye.img,format=raw \ -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 \ -net nic,model=e1000 \ -enable-kvm \ -nographic \ -pidfile vm.pid \ 2>&1 | tee vm.log with lockdep enabled. Fixes: 0ec5f02f0e2c ("drm/nouveau: prevent stale fence->channel pointers, and protect with rcu") Signed-off-by: Abhinav Singh Signed-off-by: Danilo Krummrich Link: https://patchwork.freedesktop.org/patch/msgid/20231113191303.3277733-1-singhabhinav9051571833@gmail.com Signed-off-by: Sasha Levin commit dbea48e9169d34048b5de6acc9f265a52ca5e044 Author: Chris Morgan Date: Fri Nov 17 13:44:02 2023 -0600 drm/panel-elida-kd35t133: hold panel in reset for unprepare [ Upstream commit 03c5b2a5f6c39fe4e090346536cf1c14ee18b61e ] For devices like the Anbernic RG351M and RG351P the panel is wired to an always on regulator. When the device suspends and wakes up, there are some slight artifacts on the screen that go away over time. If instead we hold the panel in reset status after it is unprepared, this does not happen. Fixes: 5b6603360c12 ("drm/panel: add panel driver for Elida KD35T133 panels") Signed-off-by: Chris Morgan Reviewed-by: Jessica Zhang Link: https://lore.kernel.org/r/20231117194405.1386265-3-macroalpha82@gmail.com Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20231117194405.1386265-3-macroalpha82@gmail.com Signed-off-by: Sasha Levin commit 019bba28d1e884b38408b635d54d3c7f868d0233 Author: Junxian Huang Date: Tue Nov 14 20:34:47 2023 +0800 RDMA/hns: Fix inappropriate err code for unsupported operations [ Upstream commit f45b83ad39f8033e717b1eee57e81811113d5a84 ] EOPNOTSUPP is more situable than EINVAL for allocating XRCD while XRC is not supported and unsupported resizing SRQ. Fixes: 32548870d438 ("RDMA/hns: Add support for XRC on HIP09") Fixes: 221109e64316 ("RDMA/hns: Add interception for resizing SRQs") Signed-off-by: Junxian Huang Link: https://lore.kernel.org/r/20231114123449.1106162-2-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit a867b891f9efe1b116f53864abfa7b457eed1f0d Author: Leon Romanovsky Date: Mon Nov 13 11:28:02 2023 +0200 RDMA/usnic: Silence uninitialized symbol smatch warnings [ Upstream commit b9a85e5eec126d6ae6c362f94b447c223e8fe6e4 ] The patch 1da177e4c3f4: "Linux-2.6.12-rc2" from Apr 16, 2005 (linux-next), leads to the following Smatch static checker warning: drivers/infiniband/hw/mthca/mthca_cmd.c:644 mthca_SYS_EN() error: uninitialized symbol 'out'. drivers/infiniband/hw/mthca/mthca_cmd.c 636 int mthca_SYS_EN(struct mthca_dev *dev) 637 { 638 u64 out; 639 int ret; 640 641 ret = mthca_cmd_imm(dev, 0, &out, 0, 0, CMD_SYS_EN, CMD_TIME_CLASS_D); We pass out here and it gets used without being initialized. err = mthca_cmd_post(dev, in_param, out_param ? *out_param : 0, ^^^^^^^^^^ in_modifier, op_modifier, op, context->token, 1); It's the same in mthca_cmd_wait() and mthca_cmd_poll(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Dan Carpenter Closes: https://lore.kernel.org/all/533bc3df-8078-4397-b93d-d1f6cec9b636@moroto.mountain Link: https://lore.kernel.org/r/c559cb7113158c02d75401ac162652072ef1b5f0.1699867650.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit d260b65b2b0d1a0bedad5ed9d0d943d14ae0e058 Author: AngeloGioacchino Del Regno Date: Thu Nov 2 15:15:07 2023 +0100 drm/panfrost: Really power off GPU cores in panfrost_gpu_power_off() [ Upstream commit 22aa1a209018dc2eca78745f7666db63637cd5dc ] The layout of the registers {TILER,SHADER,L2}_PWROFF_LO, used to request powering off cores, is the same as the {TILER,SHADER,L2}_PWRON_LO ones: this means that in order to request poweroff of cores, we are supposed to write a bitmask of cores that should be powered off! This means that the panfrost_gpu_power_off() function has always been doing nothing. Fix powering off the GPU by writing a bitmask of the cores to poweroff to the relevant PWROFF_LO registers and then check that the transition (from ON to OFF) has finished by polling the relevant PWRTRANS_LO registers. While at it, in order to avoid code duplication, move the core mask logic from panfrost_gpu_power_on() to a new panfrost_get_core_mask() function, used in both poweron and poweroff. Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver") Signed-off-by: AngeloGioacchino Del Regno Reviewed-by: Steven Price Signed-off-by: Steven Price Link: https://patchwork.freedesktop.org/patch/msgid/20231102141507.73481-1-angelogioacchino.delregno@collabora.com Signed-off-by: Sasha Levin commit 8578a795baaed28f7e065d37dcbe6e267f958bd6 Author: Tomi Valkeinen Date: Wed Sep 20 15:57:17 2023 +0300 Revert "drm/omapdrm: Annotate dma-fence critical section in commit path" [ Upstream commit 9d7c8c066916f231ca0ed4e4fce6c4b58ca3e451 ] This reverts commit 250aa22920cd5d956a5d3e9c6a43d671c2bae217. The DMA-fence annotations cause a lockdep warning (see below). As per https://patchwork.freedesktop.org/patch/462170/ it sounds like the annotations don't work correctly. ====================================================== WARNING: possible circular locking dependency detected 6.5.0-rc2+ #2 Not tainted ------------------------------------------------------ kmstest/219 is trying to acquire lock: c4705838 (&hdmi->lock){+.+.}-{3:3}, at: hdmi5_bridge_mode_set+0x1c/0x50 but task is already holding lock: c11e1128 (dma_fence_map){++++}-{0:0}, at: omap_atomic_commit_tail+0x14/0xbc which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (dma_fence_map){++++}-{0:0}: __dma_fence_might_wait+0x48/0xb4 dma_resv_lockdep+0x1b8/0x2bc do_one_initcall+0x68/0x3b0 kernel_init_freeable+0x260/0x34c kernel_init+0x14/0x140 ret_from_fork+0x14/0x28 -> #1 (fs_reclaim){+.+.}-{0:0}: fs_reclaim_acquire+0x70/0xa8 __kmem_cache_alloc_node+0x3c/0x368 kmalloc_trace+0x28/0x58 _drm_do_get_edid+0x7c/0x35c hdmi5_bridge_get_edid+0xc8/0x1ac drm_bridge_connector_get_modes+0x64/0xc0 drm_helper_probe_single_connector_modes+0x170/0x528 drm_client_modeset_probe+0x208/0x1334 __drm_fb_helper_initial_config_and_unlock+0x30/0x548 omap_fbdev_client_hotplug+0x3c/0x6c drm_client_register+0x58/0x94 pdev_probe+0x544/0x6b0 platform_probe+0x58/0xbc really_probe+0xd8/0x3fc __driver_probe_device+0x94/0x1f4 driver_probe_device+0x2c/0xc4 __device_attach_driver+0xa4/0x11c bus_for_each_drv+0x84/0xdc __device_attach+0xac/0x20c bus_probe_device+0x8c/0x90 device_add+0x588/0x7e0 platform_device_add+0x110/0x24c platform_device_register_full+0x108/0x15c dss_bind+0x90/0xc0 try_to_bring_up_aggregate_device+0x1e0/0x2c8 __component_add+0xa4/0x174 hdmi5_probe+0x1c8/0x270 platform_probe+0x58/0xbc really_probe+0xd8/0x3fc __driver_probe_device+0x94/0x1f4 driver_probe_device+0x2c/0xc4 __device_attach_driver+0xa4/0x11c bus_for_each_drv+0x84/0xdc __device_attach+0xac/0x20c bus_probe_device+0x8c/0x90 deferred_probe_work_func+0x8c/0xd8 process_one_work+0x2ac/0x6e4 worker_thread+0x30/0x4ec kthread+0x100/0x124 ret_from_fork+0x14/0x28 -> #0 (&hdmi->lock){+.+.}-{3:3}: __lock_acquire+0x145c/0x29cc lock_acquire.part.0+0xb4/0x258 __mutex_lock+0x90/0x950 mutex_lock_nested+0x1c/0x24 hdmi5_bridge_mode_set+0x1c/0x50 drm_bridge_chain_mode_set+0x48/0x5c crtc_set_mode+0x188/0x1d0 omap_atomic_commit_tail+0x2c/0xbc commit_tail+0x9c/0x188 drm_atomic_helper_commit+0x158/0x18c drm_atomic_commit+0xa4/0xe8 drm_mode_atomic_ioctl+0x9a4/0xc38 drm_ioctl+0x210/0x4a8 sys_ioctl+0x138/0xf00 ret_fast_syscall+0x0/0x1c other info that might help us debug this: Chain exists of: &hdmi->lock --> fs_reclaim --> dma_fence_map Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(dma_fence_map); lock(fs_reclaim); lock(dma_fence_map); lock(&hdmi->lock); *** DEADLOCK *** 3 locks held by kmstest/219: #0: f1011de4 (crtc_ww_class_acquire){+.+.}-{0:0}, at: drm_mode_atomic_ioctl+0xf0/0xc38 #1: c47059c8 (crtc_ww_class_mutex){+.+.}-{3:3}, at: modeset_lock+0xf8/0x230 #2: c11e1128 (dma_fence_map){++++}-{0:0}, at: omap_atomic_commit_tail+0x14/0xbc stack backtrace: CPU: 1 PID: 219 Comm: kmstest Not tainted 6.5.0-rc2+ #2 Hardware name: Generic DRA74X (Flattened Device Tree) unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x58/0x70 dump_stack_lvl from check_noncircular+0x164/0x198 check_noncircular from __lock_acquire+0x145c/0x29cc __lock_acquire from lock_acquire.part.0+0xb4/0x258 lock_acquire.part.0 from __mutex_lock+0x90/0x950 __mutex_lock from mutex_lock_nested+0x1c/0x24 mutex_lock_nested from hdmi5_bridge_mode_set+0x1c/0x50 hdmi5_bridge_mode_set from drm_bridge_chain_mode_set+0x48/0x5c drm_bridge_chain_mode_set from crtc_set_mode+0x188/0x1d0 crtc_set_mode from omap_atomic_commit_tail+0x2c/0xbc omap_atomic_commit_tail from commit_tail+0x9c/0x188 commit_tail from drm_atomic_helper_commit+0x158/0x18c drm_atomic_helper_commit from drm_atomic_commit+0xa4/0xe8 drm_atomic_commit from drm_mode_atomic_ioctl+0x9a4/0xc38 drm_mode_atomic_ioctl from drm_ioctl+0x210/0x4a8 drm_ioctl from sys_ioctl+0x138/0xf00 sys_ioctl from ret_fast_syscall+0x0/0x1c Exception stack(0xf1011fa8 to 0xf1011ff0) 1fa0: 00466d58 be9ab510 00000003 c03864bc be9ab510 be9ab4e0 1fc0: 00466d58 be9ab510 c03864bc 00000036 00466ef0 00466fc0 00467020 00466f20 1fe0: b6bc7ef4 be9ab4d0 b6bbbb00 b6cb2cc0 Fixes: 250aa22920cd ("drm/omapdrm: Annotate dma-fence critical section in commit path") Reviewed-by: Aradhya Bhatia Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20230920-dma-fence-annotation-revert-v1-2-7ebf6f7f5bf6@ideasonboard.com Signed-off-by: Sasha Levin commit 3e6bf96561f5623d88d156d8e62b66b6b9c16c9e Author: Tomi Valkeinen Date: Wed Sep 20 15:57:16 2023 +0300 Revert "drm/tidss: Annotate dma-fence critical section in commit path" [ Upstream commit ca34d816558c3e4c3f8fe037b5a6b16c944693de ] This reverts commit 4d56a4f08391857ba93465de489707b66adad114. The DMA-fence annotations cause a lockdep warning (see below). As per https://patchwork.freedesktop.org/patch/462170/ it sounds like the annotations don't work correctly. ====================================================== WARNING: possible circular locking dependency detected 6.6.0-rc2+ #1 Not tainted ------------------------------------------------------ kmstest/733 is trying to acquire lock: ffff8000819377f0 (fs_reclaim){+.+.}-{0:0}, at: __kmem_cache_alloc_node+0x58/0x2d4 but task is already holding lock: ffff800081a06aa0 (dma_fence_map){++++}-{0:0}, at: tidss_atomic_commit_tail+0x20/0xc0 [tidss] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (dma_fence_map){++++}-{0:0}: __dma_fence_might_wait+0x5c/0xd0 dma_resv_lockdep+0x1a4/0x32c do_one_initcall+0x84/0x2fc kernel_init_freeable+0x28c/0x4c4 kernel_init+0x24/0x1dc ret_from_fork+0x10/0x20 -> #1 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}: fs_reclaim_acquire+0x70/0xe4 __kmem_cache_alloc_node+0x58/0x2d4 kmalloc_trace+0x38/0x78 __kthread_create_worker+0x3c/0x150 kthread_create_worker+0x64/0x8c workqueue_init+0x1e8/0x2f0 kernel_init_freeable+0x11c/0x4c4 kernel_init+0x24/0x1dc ret_from_fork+0x10/0x20 -> #0 (fs_reclaim){+.+.}-{0:0}: __lock_acquire+0x1370/0x20d8 lock_acquire+0x1e8/0x308 fs_reclaim_acquire+0xd0/0xe4 __kmem_cache_alloc_node+0x58/0x2d4 __kmalloc_node_track_caller+0x58/0xf0 kmemdup+0x34/0x60 regmap_bulk_write+0x64/0x2c0 tc358768_bridge_pre_enable+0x8c/0x12d0 [tc358768] drm_atomic_bridge_call_pre_enable+0x68/0x80 [drm] drm_atomic_bridge_chain_pre_enable+0x50/0x158 [drm] drm_atomic_helper_commit_modeset_enables+0x164/0x264 [drm_kms_helper] tidss_atomic_commit_tail+0x58/0xc0 [tidss] commit_tail+0xa0/0x188 [drm_kms_helper] drm_atomic_helper_commit+0x1a8/0x1c0 [drm_kms_helper] drm_atomic_commit+0xa8/0xe0 [drm] drm_mode_atomic_ioctl+0x9ec/0xc80 [drm] drm_ioctl_kernel+0xc4/0x170 [drm] drm_ioctl+0x234/0x4b0 [drm] drm_compat_ioctl+0x110/0x12c [drm] __arm64_compat_sys_ioctl+0x128/0x150 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc_compat+0x1c/0x38 el0_svc_compat+0x48/0xb4 el0t_32_sync_handler+0xb0/0x138 el0t_32_sync+0x194/0x198 other info that might help us debug this: Chain exists of: fs_reclaim --> mmu_notifier_invalidate_range_start --> dma_fence_map Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(dma_fence_map); lock(mmu_notifier_invalidate_range_start); lock(dma_fence_map); lock(fs_reclaim); *** DEADLOCK *** 3 locks held by kmstest/733: #0: ffff800082e5bba0 (crtc_ww_class_acquire){+.+.}-{0:0}, at: drm_mode_atomic_ioctl+0x118/0xc80 [drm] #1: ffff000004224c88 (crtc_ww_class_mutex){+.+.}-{3:3}, at: modeset_lock+0xdc/0x1a0 [drm] #2: ffff800081a06aa0 (dma_fence_map){++++}-{0:0}, at: tidss_atomic_commit_tail+0x20/0xc0 [tidss] stack backtrace: CPU: 0 PID: 733 Comm: kmstest Not tainted 6.6.0-rc2+ #1 Hardware name: Toradex Verdin AM62 on Verdin Development Board (DT) Call trace: dump_backtrace+0x98/0x118 show_stack+0x18/0x24 dump_stack_lvl+0x60/0xac dump_stack+0x18/0x24 print_circular_bug+0x288/0x368 check_noncircular+0x168/0x17c __lock_acquire+0x1370/0x20d8 lock_acquire+0x1e8/0x308 fs_reclaim_acquire+0xd0/0xe4 __kmem_cache_alloc_node+0x58/0x2d4 __kmalloc_node_track_caller+0x58/0xf0 kmemdup+0x34/0x60 regmap_bulk_write+0x64/0x2c0 tc358768_bridge_pre_enable+0x8c/0x12d0 [tc358768] drm_atomic_bridge_call_pre_enable+0x68/0x80 [drm] drm_atomic_bridge_chain_pre_enable+0x50/0x158 [drm] drm_atomic_helper_commit_modeset_enables+0x164/0x264 [drm_kms_helper] tidss_atomic_commit_tail+0x58/0xc0 [tidss] commit_tail+0xa0/0x188 [drm_kms_helper] drm_atomic_helper_commit+0x1a8/0x1c0 [drm_kms_helper] drm_atomic_commit+0xa8/0xe0 [drm] drm_mode_atomic_ioctl+0x9ec/0xc80 [drm] drm_ioctl_kernel+0xc4/0x170 [drm] drm_ioctl+0x234/0x4b0 [drm] drm_compat_ioctl+0x110/0x12c [drm] __arm64_compat_sys_ioctl+0x128/0x150 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc_compat+0x1c/0x38 el0_svc_compat+0x48/0xb4 el0t_32_sync_handler+0xb0/0x138 el0t_32_sync+0x194/0x198 Fixes: 4d56a4f08391 ("drm/tidss: Annotate dma-fence critical section in commit path") Reviewed-by: Aradhya Bhatia Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20230920-dma-fence-annotation-revert-v1-1-7ebf6f7f5bf6@ideasonboard.com Signed-off-by: Sasha Levin commit 544d223d71f9004d0997f7b01f024142b770ea51 Author: Arnd Bergmann Date: Mon Jan 8 12:00:36 2024 +0100 ARM: davinci: always select CONFIG_CPU_ARM926T [ Upstream commit 40974ee421b4d1fc74ac733d86899ce1b83d8f65 ] The select was lost by accident during the multiplatform conversion. Any davinci-only arm-linux-gnueabi-ld: arch/arm/mach-davinci/sleep.o: in function `CACHE_FLUSH': (.text+0x168): undefined reference to `arm926_flush_kern_cache_all' Fixes: f962396ce292 ("ARM: davinci: support multiplatform build for ARM v5") Acked-by: Bartosz Golaszewski Link: https://lore.kernel.org/r/20240108110055.1531153-1-arnd@kernel.org Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 62a1fedeb14c7ac0947ef33fadbabd35ed2400a2 Author: Eric Dumazet Date: Fri Jan 5 17:03:13 2024 +0000 ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() [ Upstream commit d375b98e0248980681e5e56b712026174d617198 ] syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken. Reading frag_off can only be done if we pulled enough bytes to skb->head. Currently we might access garbage. [1] BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline] ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243 dst_output include/net/dst.h:451 [inline] ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline] ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 __do_kmalloc_node mm/slab_common.c:1006 [inline] __kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027 kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582 pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098 __pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655 pskb_may_pull_reason include/linux/skbuff.h:2673 [inline] pskb_may_pull include/linux/skbuff.h:2681 [inline] ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline] ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243 dst_output include/net/dst.h:451 [inline] ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline] ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 7345 Comm: syz-executor.3 Not tainted 6.7.0-rc8-syzkaller-00024-gac865f00af29 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Fixes: fbfa743a9d2a ("ipv6: fix ip6_tnl_parse_tlv_enc_lim()") Reported-by: syzbot Signed-off-by: Eric Dumazet Cc: Willem de Bruijn Reviewed-by: Willem de Bruijn Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1b481cb53601856027ce1cc30b3874778d318f14 Author: Asmaa Mnebhi Date: Fri Jan 5 11:00:14 2024 -0500 mlxbf_gige: Enable the GigE port in mlxbf_gige_open [ Upstream commit a460f4a684511e007bbf1700758a41f05d9981e6 ] At the moment, the GigE port is enabled in the mlxbf_gige_probe function. If the mlxbf_gige_open is not executed, this could cause pause frames to increase in the case where there is high backgroud traffic. This results in clogging the port. So move enabling the OOB port to mlxbf_gige_open. Fixes: f92e1869d74e ("Add Mellanox BlueField Gigabit Ethernet driver") Reviewed-by: David Thompson Signed-off-by: Asmaa Mnebhi Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7ad5e7a35c3f55738fec0dd2b64bbefdfb992045 Author: Asmaa Mnebhi Date: Fri Jan 5 10:59:46 2024 -0500 mlxbf_gige: Fix intermittent no ip issue [ Upstream commit ef210ef85d5cb543ce34a57803ed856d0c8c08c2 ] Although the link is up, there is no ip assigned on setups with high background traffic. Nothing is transmitted nor received. The RX error count keeps on increasing. After several minutes, the RX error count stagnates and the GigE interface finally gets an ip. The issue is that mlxbf_gige_rx_init() is called before phy_start(). As soon as the RX DMA is enabled in mlxbf_gige_rx_init(), the RX CI reaches the max of 128, and becomes equal to RX PI. RX CI doesn't decrease since the code hasn't ran phy_start yet. Bring the PHY up before starting the RX. Fixes: f92e1869d74e ("Add Mellanox BlueField Gigabit Ethernet driver") Reviewed-by: David Thompson Signed-off-by: Asmaa Mnebhi Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0b5b831122fc3789fff75be433ba3e4dd7b779d4 Author: Tao Liu Date: Thu Dec 28 16:14:57 2023 +0800 net/sched: act_ct: fix skb leak and crash on ooo frags [ Upstream commit 3f14b377d01d8357eba032b4cabc8c1149b458b6 ] act_ct adds skb->users before defragmentation. If frags arrive in order, the last frag's reference is reset in: inet_frag_reasm_prepare skb_morph which is not straightforward. However when frags arrive out of order, nobody unref the last frag, and all frags are leaked. The situation is even worse, as initiating packet capture can lead to a crash[0] when skb has been cloned and shared at the same time. Fix the issue by removing skb_get() before defragmentation. act_ct returns TC_ACT_CONSUMED when defrag failed or in progress. [0]: [ 843.804823] ------------[ cut here ]------------ [ 843.809659] kernel BUG at net/core/skbuff.c:2091! [ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP [ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2 [ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022 [ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300 [ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89 [ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202 [ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820 [ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00 [ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000 [ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880 [ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900 [ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000 [ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0 [ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 843.894229] PKRU: 55555554 [ 843.898539] Call Trace: [ 843.902772] [ 843.906922] ? __die_body+0x1e/0x60 [ 843.911032] ? die+0x3c/0x60 [ 843.915037] ? do_trap+0xe2/0x110 [ 843.918911] ? pskb_expand_head+0x2ac/0x300 [ 843.922687] ? do_error_trap+0x65/0x80 [ 843.926342] ? pskb_expand_head+0x2ac/0x300 [ 843.929905] ? exc_invalid_op+0x50/0x60 [ 843.933398] ? pskb_expand_head+0x2ac/0x300 [ 843.936835] ? asm_exc_invalid_op+0x1a/0x20 [ 843.940226] ? pskb_expand_head+0x2ac/0x300 [ 843.943580] inet_frag_reasm_prepare+0xd1/0x240 [ 843.946904] ip_defrag+0x5d4/0x870 [ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack] [ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct] [ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred] [ 843.959657] tcf_action_exec+0xa1/0x160 [ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower] [ 843.966010] ? skb_clone+0x53/0xc0 [ 843.969173] tcf_classify+0x24d/0x420 [ 843.972333] tc_run+0x8f/0xf0 [ 843.975465] __netif_receive_skb_core+0x67a/0x1080 [ 843.978634] ? dev_gro_receive+0x249/0x730 [ 843.981759] __netif_receive_skb_list_core+0x12d/0x260 [ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0 [ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core] [ 843.991170] napi_complete_done+0x72/0x1a0 [ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core] [ 843.997501] __napi_poll+0x25/0x1b0 [ 844.000627] net_rx_action+0x256/0x330 [ 844.003705] __do_softirq+0xb3/0x29b [ 844.006718] irq_exit_rcu+0x9e/0xc0 [ 844.009672] common_interrupt+0x86/0xa0 [ 844.012537] [ 844.015285] [ 844.017937] asm_common_interrupt+0x26/0x40 [ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20 [ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb f4 c3 0f 1f 00 89 fa ec 48 8b 05 ee 88 ed 00 a9 00 00 00 80 75 11 [ 844.028900] RSP: 0018:ffffc90000533e70 EFLAGS: 00000246 [ 844.031725] RAX: 0000000000004000 RBX: 0000000000000001 RCX: 0000000000000000 [ 844.034553] RDX: ffff889ffffc0000 RSI: ffffffff828b7f20 RDI: ffff88a090f45c64 [ 844.037368] RBP: ffff88a0901a2800 R08: ffff88a090f45c00 R09: 00000000000317c0 [ 844.040155] R10: 00ec812281150475 R11: ffff889fffff0e04 R12: ffffffff828b7fa0 [ 844.042962] R13: ffffffff828b7f20 R14: 0000000000000001 R15: 0000000000000000 [ 844.045819] acpi_idle_enter+0x7b/0xc0 [ 844.048621] cpuidle_enter_state+0x7f/0x430 [ 844.051451] cpuidle_enter+0x2d/0x40 [ 844.054279] do_idle+0x1d4/0x240 [ 844.057096] cpu_startup_entry+0x2a/0x30 [ 844.059934] start_secondary+0x104/0x130 [ 844.062787] secondary_startup_64_no_verify+0x16b/0x16b [ 844.065674] Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct") Signed-off-by: Tao Liu Link: https://lore.kernel.org/r/20231228081457.936732-1-taoliu828@163.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit b91d31de9a431a079f4eea97bf81c7d8aaef369d Author: Eric Dumazet Date: Tue Dec 19 17:00:17 2023 +0000 sctp: fix busy polling [ Upstream commit a562c0a2d651e040681b0bfce9b4d229ac3b0b8c ] Busy polling while holding the socket lock makes litle sense, because incoming packets wont reach our receive queue. Fixes: 8465a5fcd1ce ("sctp: add support for busy polling to sctp protocol") Reported-by: Jacob Moroni Signed-off-by: Eric Dumazet Cc: Marcelo Ricardo Leitner Cc: Xin Long Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9233a88f4b71d91bc4f88d347006e8a26ebcce9a Author: Eric Dumazet Date: Tue Dec 12 14:55:50 2023 +0000 sctp: support MSG_ERRQUEUE flag in recvmsg() [ Upstream commit 4746b36b1abe11ca32987b2d21e1e770deab17cc ] For some reason sctp_poll() generates EPOLLERR if sk->sk_error_queue is not empty but recvmsg() can not drain the error queue yet. This is needed to better support timestamping. I had to export inet_recv_error(), since sctp can be compiled as a module. Signed-off-by: Eric Dumazet Cc: Marcelo Ricardo Leitner Cc: Willem de Bruijn Acked-by: Xin Long Link: https://lore.kernel.org/r/20231212145550.3872051-1-edumazet@google.com Signed-off-by: Jakub Kicinski Stable-dep-of: a562c0a2d651 ("sctp: fix busy polling") Signed-off-by: Sasha Levin commit 3c0bd2b06656c93a979b77af3aadfc3c2d807bce Author: John Fastabend Date: Thu Dec 21 15:23:23 2023 -0800 bpf: sockmap, fix proto update hook to avoid dup calls [ Upstream commit 16b2f264983dc264c1560cc0170e760dec1bf54f ] When sockets are added to a sockmap or sockhash we allocate and init a psock. Then update the proto ops with sock_map_init_proto the flow is sock_hash_update_common sock_map_link psock = sock_map_psock_get_checked() <-returns existing psock sock_map_init_proto(sk, psock) <- updates sk_proto If the socket is already in a map this results in the sock_map_init_proto being called multiple times on the same socket. We do this because when a socket is added to multiple maps this might result in a new set of BPF programs being attached to the socket requiring an updated ops struct. This creates a rule where it must be safe to call psock_update_sk_prot multiple times. When we added a fix for UAF through unix sockets in patch 4dd9a38a753fc we broke this rule by adding a sock_hold in that path to ensure the sock is not released. The result is if a af_unix stream sock is placed in multiple maps it results in a memory leak because we call sock_hold multiple times with only a single sock_put on it. Fixes: 8866730aed51 ("bpf, sockmap: af_unix stream sockets need to hold ref for pair sock") Reported-by: Xingwei Lee Signed-off-by: John Fastabend Signed-off-by: Martin KaFai Lau Reviewed-by: Jakub Sitnicki Link: https://lore.kernel.org/r/20231221232327.43678-2-john.fastabend@gmail.com Signed-off-by: Sasha Levin commit 6e9429f9c66c4b15fb214a0cb8bce657ef98daaf Author: Christoph Hellwig Date: Wed Dec 27 09:23:02 2023 +0000 null_blk: don't cap max_hw_sectors to BLK_DEF_MAX_SECTORS [ Upstream commit 9a9525de865410047fa962867b4fcd33943b206f ] null_blk has some rather odd capping of the max_hw_sectors value to BLK_DEF_MAX_SECTORS, which doesn't make sense - max_hw_sector is the hardware limit, and BLK_DEF_MAX_SECTORS despite the confusing name is the default cap for the max_sectors field used for normal file system I/O. Remove all the capping, and simply leave it to the block layer or user to take up or not all of that for file system I/O. Fixes: ea17fd354ca8 ("null_blk: Allow controlling max_hw_sectors limit") Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20231227092305.279567-2-hch@lst.de Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit a623d31805eab7da9eda300e275bd8bf7e92a98c Author: Keith Busch Date: Thu Jan 5 12:51:45 2023 -0800 block: make BLK_DEF_MAX_SECTORS unsigned [ Upstream commit 0a26f327e46c203229e72c823dfec71a2b405ec5 ] This is used as an unsigned value, so define it that way to avoid having to cast it. Suggested-by: Christoph Hellwig Signed-off-by: Keith Busch Reviewed-by: Christoph Hellwig Reviewed-by: Bart Van Assche Reviewed-by: Martin K. Petersen Link: https://lore.kernel.org/r/20230105205146.3610282-2-kbusch@meta.com Signed-off-by: Jens Axboe Stable-dep-of: 9a9525de8654 ("null_blk: don't cap max_hw_sectors to BLK_DEF_MAX_SECTORS") Signed-off-by: Sasha Levin commit 33f93ce22ee1fa63bc2d102eb4195b7f8bb915ff Author: Francesco Dolcini Date: Mon Dec 11 17:40:19 2023 +0100 Bluetooth: btmtkuart: fix recv_buf() return value [ Upstream commit 64057f051f20c2a2184b9db7f8037d928d68a4f4 ] Serdev recv_buf() callback is supposed to return the amount of bytes consumed, therefore an int in between 0 and count. Do not return negative number in case of issue, just print an error and return count. This fixes a WARN in ttyport_receive_buf(). Link: https://lore.kernel.org/all/087be419-ec6b-47ad-851a-5e1e3ea5cfcc@kernel.org/ Fixes: 7237c4c9ec92 ("Bluetooth: mediatek: Add protocol support for MediaTek serial devices") Signed-off-by: Francesco Dolcini Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 81f3b6ea314c926702a6beb8b98e22c11595a9ba Author: Luiz Augusto von Dentz Date: Thu Nov 30 14:58:03 2023 +0100 Bluetooth: Fix bogus check for re-auth no supported with non-ssp [ Upstream commit d03376c185926098cb4d668d6458801eb785c0a5 ] This reverts 19f8def031bfa50c579149b200bfeeb919727b27 "Bluetooth: Fix auth_complete_evt for legacy units" which seems to be working around a bug on a broken controller rather then any limitation imposed by the Bluetooth spec, in fact if there ws not possible to re-auth the command shall fail not succeed. Fixes: 19f8def031bf ("Bluetooth: Fix auth_complete_evt for legacy units") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 55c88a7efb025b353da2ac62a46068a5a32c7907 Author: Florian Westphal Date: Mon Nov 27 11:00:37 2023 +0100 netfilter: nf_tables: mark newset as dead on transaction abort [ Upstream commit 08e4c8c5919fd405a4d709b4ba43d836894a26eb ] If a transaction is aborted, we should mark the to-be-released NEWSET dead, just like commit path does for DEL and DESTROYSET commands. In both cases all remaining elements will be released via set->ops->destroy(). The existing abort code does NOT post the actual release to the work queue. Also the entire __nf_tables_abort() function is wrapped in gc_seq begin/end pair. Therefore, async gc worker will never try to release the pending set elements, as gc sequence is always stale. It might be possible to speed up transaction aborts via work queue too, this would result in a race and a possible use-after-free. So fix this before it becomes an issue. Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 68aebba59e9e0839fdad882ac9e2a704b7a24a22 Author: Johannes Berg Date: Tue Dec 19 21:58:52 2023 +0200 wifi: iwlwifi: mvm: send TX path flush in rfkill [ Upstream commit 2afc3dad39ea84a072d04ff40a417234326adc47 ] If we want to drop packets, that's surely a good thing to do when we want to enter rfkill. Send this command despite rfkill so we can successfully clean up everything, we need to handle it separately since it has CMD_WANT_SKB, so it's not going to automatically return success when in rfkill. Fixes: d4e3a341b87b ("iwlwifi: mvm: add support for new flush queue response") Signed-off-by: Johannes Berg Reviewed-by: Gregory Greenman Signed-off-by: Miri Korenblit Link: https://msgid.link/20231219215605.c528a6fa6cec.Ibe5e9560359ccc0fba60c35e01de285c376748a2@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 6cc82456e391421a158fd380e89ee46e6f90a260 Author: Johannes Berg Date: Tue Dec 19 21:58:49 2023 +0200 wifi: iwlwifi: mvm: set siso/mimo chains to 1 in FW SMPS request [ Upstream commit b1a2e5c310e063560760806d2cc5d2233c596067 ] The firmware changed their mind, don't set the chains to zero, instead set them to 1 as we normally would for connections to APs that don't use MIMO. Fixes: 2a7ce54ccc23 ("iwlwifi: mvm: honour firmware SMPS requests") Signed-off-by: Johannes Berg Reviewed-by: Luciano Coelho Signed-off-by: Miri Korenblit Link: https://msgid.link/20231219215605.7f031f1a127f.Idc816e0f604b07d22a9d5352bc23c445512fad14@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 8915946cde3ef82f1862b85fb224a6b25f5ebe5b Author: Su Hui Date: Tue Dec 19 14:57:37 2023 +0800 wifi: rtlwifi: rtl8192se: using calculate_bit_shift() [ Upstream commit ac32b9317063b101a8ff3d3e885f76f87a280419 ] Using calculate_bit_shift() to replace _rtl92s_phy_calculate_bit_shift(). And fix the undefined bitwise shift behavior problem. Fixes: d15853163bea ("rtlwifi: rtl8192se: Merge phy routines") Signed-off-by: Su Hui Signed-off-by: Kalle Valo Link: https://msgid.link/20231219065739.1895666-10-suhui@nfschina.com Signed-off-by: Sasha Levin commit 62badccc7c99feafc8768e20d0235aa72a7b972a Author: Su Hui Date: Tue Dec 19 14:57:36 2023 +0800 wifi: rtlwifi: rtl8192ee: using calculate_bit_shift() [ Upstream commit 63526897fc0d086069bcab67c3a112caaec751cb ] Using calculate_bit_shift() to replace _rtl92ee_phy_calculate_bit_shift(). And fix the undefined bitwise shift behavior problem. Fixes: b1a3bfc97cd9 ("rtlwifi: rtl8192ee: Move driver from staging to the regular tree") Signed-off-by: Su Hui Signed-off-by: Kalle Valo Link: https://msgid.link/20231219065739.1895666-9-suhui@nfschina.com Signed-off-by: Sasha Levin commit a277e8e9feaf27c1005fc4e20ff43a025cfd08ca Author: Su Hui Date: Tue Dec 19 14:57:35 2023 +0800 wifi: rtlwifi: rtl8192de: using calculate_bit_shift() [ Upstream commit b8b2baad2e652042cf8b6339939ac2f4e6f53de4 ] Using calculate_bit_shift() to replace _rtl92d_phy_calculate_bit_shift(). And fix the undefined bitwise shift behavior problem. Fixes: 7274a8c22980 ("rtlwifi: rtl8192de: Merge phy routines") Signed-off-by: Su Hui Signed-off-by: Kalle Valo Link: https://msgid.link/20231219065739.1895666-8-suhui@nfschina.com Signed-off-by: Sasha Levin commit b716c8483c227c79b0a296cd6beb9b4230ccf50f Author: Su Hui Date: Tue Dec 19 14:57:34 2023 +0800 wifi: rtlwifi: rtl8192ce: using calculate_bit_shift() [ Upstream commit 3d03e8231031bcc65a48cd88ef9c71b6524ce70b ] Using calculate_bit_shift() to replace _rtl92c_phy_calculate_bit_shift(). And fix the undefined bitwise shift behavior problem. Fixes: 0c8173385e54 ("rtl8192ce: Add new driver") Signed-off-by: Su Hui Signed-off-by: Kalle Valo Link: https://msgid.link/20231219065739.1895666-7-suhui@nfschina.com Signed-off-by: Sasha Levin commit d938e470b2d695825d2474802c6a6513f24bcdc1 Author: Su Hui Date: Tue Dec 19 14:57:33 2023 +0800 wifi: rtlwifi: rtl8192cu: using calculate_bit_shift() [ Upstream commit f4088c8fcbabadad9dd17d17ae9ba24e9e3221ec ] Using calculate_bit_shift() to replace _rtl92c_phy_calculate_bit_shift(). And fix an undefined bitwise shift behavior problem. Fixes: f0a39ae738d6 ("rtlwifi: rtl8192cu: Add routine phy") Signed-off-by: Su Hui Signed-off-by: Kalle Valo Link: https://msgid.link/20231219065739.1895666-6-suhui@nfschina.com Signed-off-by: Sasha Levin commit 35fb6b757408fa3825f82acfd8509eb4f14b5e7b Author: Su Hui Date: Tue Dec 19 14:57:32 2023 +0800 wifi: rtlwifi: rtl8192c: using calculate_bit_shift() [ Upstream commit 1dedc3a6699d827d345019e921b8d8f37f694333 ] Using calculate_bit_shift() to replace _rtl92c_phy_calculate_bit_shift(). And fix the undefined bitwise shift behavior problem. Fixes: 4295cd254af3 ("rtlwifi: Move common parts of rtl8192ce/phy.c") Signed-off-by: Su Hui Signed-off-by: Kalle Valo Link: https://msgid.link/20231219065739.1895666-5-suhui@nfschina.com Signed-off-by: Sasha Levin commit 937f65a1251cca82e0f754408c44f41e8721691d Author: Su Hui Date: Tue Dec 19 14:57:31 2023 +0800 wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift() [ Upstream commit 969bc926f04b438676768aeffffffb050e480b62 ] Using calculate_bit_shift() to replace _rtl88e_phy_calculate_bit_shift(). And fix the undefined bitwise shift behavior problem. Fixes: f0eb856e0b6c ("rtlwifi: rtl8188ee: Add new driver") Signed-off-by: Su Hui Signed-off-by: Kalle Valo Link: https://msgid.link/20231219065739.1895666-4-suhui@nfschina.com Signed-off-by: Sasha Levin commit dd9e3d9513e6cac58b687d1709497d4b502feafe Author: Su Hui Date: Tue Dec 19 14:57:29 2023 +0800 wifi: rtlwifi: add calculate_bit_shift() [ Upstream commit 52221dfddbbfb5b4e029bb2efe9bb7da33ec1e46 ] There are many same functions like _rtl88e_phy_calculate_bit_shift(), _rtl92c_phy_calculate_bit_shift() and so on. And these functions can cause undefined bitwise shift behavior. Add calculate_bit_shift() to replace them and fix undefined behavior in subsequent patches. Signed-off-by: Su Hui Acked-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://msgid.link/20231219065739.1895666-2-suhui@nfschina.com Stable-dep-of: 969bc926f04b ("wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift()") Signed-off-by: Sasha Levin commit ce9b43e58c362ed123c606ef9bdc74a31a01e788 Author: Konrad Dybcio Date: Mon Jan 2 10:46:27 2023 +0100 arm64: dts: qcom: ipq6018: Fix up indentation [ Upstream commit c2596b717e9d96ae57c45481acfbafe9d3d54e56 ] The dwc3 subnode was indented using spaces for some reason and other properties were not exactly properly indented. Fix it. Signed-off-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230102094642.74254-3-konrad.dybcio@linaro.org Stable-dep-of: 5c0dbe8b0584 ("arm64: dts: qcom: ipq6018: fix clock rates for GCC_USB0_MOCK_UTMI_CLK") Signed-off-by: Sasha Levin commit 20fb17328b3669f6055e1878f2852f4c9758cf63 Author: Konrad Dybcio Date: Mon Jan 2 10:46:26 2023 +0100 arm64: dts: qcom: ipq6018: Pad addresses to 8 hex digits [ Upstream commit 647380e41520c7dbd651ebf0d9fd7dfa4928f42d ] Some addresses were 7-hex-digits long, or less. Fix that. Signed-off-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20230102094642.74254-2-konrad.dybcio@linaro.org Stable-dep-of: 5c0dbe8b0584 ("arm64: dts: qcom: ipq6018: fix clock rates for GCC_USB0_MOCK_UTMI_CLK") Signed-off-by: Sasha Levin commit ba71baee6e087fe4451dd96baef8e9f2641f1f6f Author: Konrad Dybcio Date: Mon Dec 12 12:10:29 2022 +0100 arm64: dts: qcom: ipq6018: Use lowercase hex [ Upstream commit 0431dba3733bf52dacf7382e7b0c1b4c0b59e88d ] Use lowercase hex, as that's the preferred and overwhermingly present style. Signed-off-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221212111037.98160-2-konrad.dybcio@linaro.org Stable-dep-of: 5c0dbe8b0584 ("arm64: dts: qcom: ipq6018: fix clock rates for GCC_USB0_MOCK_UTMI_CLK") Signed-off-by: Sasha Levin commit cb65c2caa1f61ac54645f5888f66b88c521060f5 Author: Christian Marangi Date: Thu Nov 3 22:21:25 2022 +0100 arm64: dts: qcom: ipq6018: improve pcie phy pcs reg table [ Upstream commit 08f399a818b0eff552b1f23c3171950a58aea78f ] This is not a fix on its own but more a cleanup. Phy qmp pcie driver currently have a workaround to handle pcs_misc not declared and add 0x400 offset to the pcs reg if pcs_misc is not declared. Correctly declare pcs_misc reg and reduce PCS size to the common value of 0x1f0 as done for every other qmp based pcie phy device. Signed-off-by: Christian Marangi Reviewed-by: Vinod Koul Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221103212125.17156-2-ansuelsmth@gmail.com Stable-dep-of: 5c0dbe8b0584 ("arm64: dts: qcom: ipq6018: fix clock rates for GCC_USB0_MOCK_UTMI_CLK") Signed-off-by: Sasha Levin commit 45d8d80cdaa261dee46b680777566d743bd02254 Author: Chukun Pan Date: Mon Dec 18 23:08:05 2023 +0800 arm64: dts: qcom: ipq6018: fix clock rates for GCC_USB0_MOCK_UTMI_CLK [ Upstream commit 5c0dbe8b058436ad5daecb19c60869f832607ea3 ] The downstream QSDK kernel [1] and GCC_USB1_MOCK_UTMI_CLK are both 24MHz. Adjust GCC_USB0_MOCK_UTMI_CLK to 24MHz to avoid the following error: clk: couldn't set gcc_usb0_mock_utmi_clk clk rate to 20000000 (-22), current rate: 24000000 1. https://git.codelinaro.org/clo/qsdk/oss/kernel/linux-ipq-5.4/-/commit/486c8485f59 Fixes: 5726079cd486 ("arm64: dts: ipq6018: Use reference clock to set dwc3 period") Signed-off-by: Chukun Pan Link: https://lore.kernel.org/r/20231218150805.1228160-1-amadeus@jmu.edu.cn Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit ab23e4ef892642fab2688451c1389b5337e0fcd6 Author: Konrad Dybcio Date: Mon Dec 18 15:38:33 2023 +0100 arm64: dts: qcom: sc7280: Mark SDHCI hosts as cache-coherent [ Upstream commit 827f5fc8d912203c1f971e47d61130b13c6820ba ] The SDHCI hosts on SC7280 are cache-coherent, just like on most fairly recent Qualcomm SoCs. Mark them as such. Fixes: 298c81a7d44f ("arm64: dts: qcom: sc7280: Add nodes for eMMC and SD card") Signed-off-by: Konrad Dybcio Link: https://lore.kernel.org/r/20231218-topic-7280_dmac_sdhci-v1-1-97af7efd64a1@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit e765363ecfa8888aee715d0d5f369b82a49d85f2 Author: Li Nan Date: Tue Dec 19 15:59:42 2023 +0800 block: add check of 'minors' and 'first_minor' in device_add_disk() [ Upstream commit 4c434392c4777881d01beada6701eff8c76b43fe ] 'first_minor' represents the starting minor number of disks, and 'minors' represents the number of partitions in the device. Neither of them can be greater than MINORMASK + 1. Commit e338924bd05d ("block: check minor range in device_add_disk()") only added the check of 'first_minor + minors'. However, their sum might be less than MINORMASK but their values are wrong. Complete the checks now. Fixes: e338924bd05d ("block: check minor range in device_add_disk()") Signed-off-by: Li Nan Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20231219075942.840255-1-linan666@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit a4529948df7a3670606f005260fd2d636dc688d2 Author: Dmitry Baryshkov Date: Fri Dec 15 19:40:35 2023 +0200 arm64: dts: qcom: sm8150-hdk: fix SS USB regulators [ Upstream commit a509adf05b2aac31b22781f5aa09e4768a5b6c39 ] The SM8150-HDK uses two different regulators to power up SuperSpeed USB PHYs. The L5A regulator is used for the second USB host, while the first (OTG) USB host uses different regulator, L18A. Fix the regulator for the usb_1 QMPPHY and (to remove possible confusion) drop the usb_ss_dp_core_1/_2 labels. Fixes: 0ab1b2d10afe ("arm64: dts: qcom: add sm8150 hdk dts") Reviewed-by: Konrad Dybcio Signed-off-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20231215174152.315403-4-dmitry.baryshkov@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit bf5e9d28a8e7404cd9ef93ed430e87a52e21c8ca Author: Atul Dhudase Date: Wed Dec 6 21:02:51 2023 +0530 soc: qcom: llcc: Fix dis_cap_alloc and retain_on_pc configuration [ Upstream commit eed6e57e9f3e2beac37563eb6a0129549daa330e ] Commit c14e64b46944 ("soc: qcom: llcc: Support chipsets that can write to llcc") add the support for chipset where capacity based allocation and retention through power collapse can be programmed based on content of SCT table mentioned in the llcc driver where the target like sdm845 where the entire programming related to it is controlled in firmware. However, the commit introduces a bug where capacity/retention register get overwritten each time it gets programmed for each slice and that results in misconfiguration of the register based on SCT table and that is not expected behaviour instead it should be read modify write to retain the configuration of other slices. This issue is totally caught from code review and programming test and not through any power/perf numbers so, it is not known what impact this could make if we don't have this change however, this feature are for these targets and they should have been programmed accordingly as per their configuration mentioned in SCT table like others bits information. This change brings one difference where it keeps capacity/retention bits of the slices that are not mentioned in SCT table in unknown state where as earlier it was initialized to zero. Fixes: c14e64b46944 ("soc: qcom: llcc: Support chipsets that can write to llcc") Signed-off-by: Atul Dhudase Signed-off-by: Mukesh Ojha Reviewed-by: Douglas Anderson Link: https://lore.kernel.org/r/1701876771-10695-1-git-send-email-quic_mojha@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit aaf0fc13bed9fa1a07eeb69f9d0ed9735e198fb2 Author: Joakim Zhang Date: Thu Dec 14 16:25:26 2023 +0800 dma-mapping: clear dev->dma_mem to NULL after freeing it [ Upstream commit b07bc2347672cc8c7293c64499f1488278c5ca3d ] Reproduced with below sequence: dma_declare_coherent_memory()->dma_release_coherent_memory() ->dma_declare_coherent_memory()->"return -EBUSY" error It will return -EBUSY from the dma_assign_coherent_memory() in dma_declare_coherent_memory(), the reason is that dev->dma_mem pointer has not been set to NULL after it's freed. Fixes: cf65a0f6f6ff ("dma-mapping: move all DMA mapping code to kernel/dma") Signed-off-by: Joakim Zhang Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 542da27eac4f5e1b78d959e59e0ad3bd17846602 Author: Arseniy Krasnov Date: Thu Dec 14 15:52:28 2023 +0300 virtio/vsock: fix logic which reduces credit update messages [ Upstream commit 93b80887668226180ea5f5349cc728ca6dc700ab ] Add one more condition for sending credit update during dequeue from stream socket: when number of bytes in the rx queue is smaller than SO_RCVLOWAT value of the socket. This is actual for non-default value of SO_RCVLOWAT (e.g. not 1) - idea is to "kick" peer to continue data transmission, because we need at least SO_RCVLOWAT bytes in our rx queue to wake up user for reading data (in corner case it is also possible to stuck both tx and rx sides, this is why 'Fixes' is used). Fixes: b89d882dc9fc ("vsock/virtio: reduce credit update messages") Signed-off-by: Arseniy Krasnov Reviewed-by: Stefano Garzarella Acked-by: Michael S. Tsirkin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f69365e3a7cab819099249c50b39f4450fdddc60 Author: Leone Fernando Date: Wed Dec 13 17:19:35 2023 +0100 ipmr: support IP_PKTINFO on cache report IGMP msg [ Upstream commit bb7403655b3c3eb245d0ee330047cd3e20b3c4af ] In order to support IP_PKTINFO on those packets, we need to call ipv4_pktinfo_prepare. When sending mrouted/pimd daemons a cache report IGMP msg, it is unnecessary to set dst on the newly created skb. It used to be necessary on older versions until commit d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference") which changed the way IP_PKTINFO struct is been retrieved. Changes from v1: 1. Undo changes in ipv4_pktinfo_prepare function. use it directly and copy the control block. Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference") Signed-off-by: Leone Fernando Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0c867561cee2d7fad50b4a80d9b5a38b6d5ac76f Author: Hangbin Liu Date: Wed Dec 13 14:08:49 2023 +0800 selftests/net: fix grep checking for fib_nexthop_multiprefix [ Upstream commit a33e9da3470499e9ff476138f271fb52d6bfe767 ] When running fib_nexthop_multiprefix test I saw all IPv6 test failed. e.g. ]# ./fib_nexthop_multiprefix.sh TEST: IPv4: host 0 to host 1, mtu 1300 [ OK ] TEST: IPv6: host 0 to host 1, mtu 1300 [FAIL] With -v it shows COMMAND: ip netns exec h0 /usr/sbin/ping6 -s 1350 -c5 -w5 2001:db8:101::1 PING 2001:db8:101::1(2001:db8:101::1) 1350 data bytes From 2001:db8:100::64 icmp_seq=1 Packet too big: mtu=1300 --- 2001:db8:101::1 ping statistics --- 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms Route get 2001:db8:101::1 via 2001:db8:100::64 dev eth0 src 2001:db8:100::1 metric 1024 expires 599sec mtu 1300 pref medium Searching for: 2001:db8:101::1 from :: via 2001:db8:100::64 dev eth0 src 2001:db8:100::1 .* mtu 1300 The reason is when CONFIG_IPV6_SUBTREES is not enabled, rt6_fill_node() will not put RTA_SRC info. After fix: ]# ./fib_nexthop_multiprefix.sh TEST: IPv4: host 0 to host 1, mtu 1300 [ OK ] TEST: IPv6: host 0 to host 1, mtu 1300 [ OK ] Fixes: 735ab2f65dce ("selftests: Add test with multiple prefixes using single nexthop") Signed-off-by: Hangbin Liu Link: https://lore.kernel.org/r/20231213060856.4030084-7-liuhangbin@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c458be39093d01a8c54312de6bd0be84e8c1601e Author: Ahmad Fatoum Date: Wed Nov 22 19:52:34 2023 +0100 ARM: dts: stm32: don't mix SCMI and non-SCMI board compatibles [ Upstream commit bfc3c6743de0ecb169026c36cbdbc0d12d22a528 ] The binding erroneously decreed that the SCMI variants of the ST evaluation kits are compatible with the non-SCMI variants. This is not correct, as a kernel or bootloader compatible with the non-SCMI variant is not necessarily able to function, when direct access to resources is replaced by having to talk SCMI to the secure monitor. The binding has been adjusted to reflect thus, so synchronize the device trees now. Fixes: 5b7e58313a77 ("ARM: dts: stm32: Add SCMI version of STM32 boards (DK1/DK2/ED1/EV1)") Signed-off-by: Ahmad Fatoum Signed-off-by: Alexandre Torgue Signed-off-by: Sasha Levin commit fdbe94c524f299c1e9c7bb09999f822d459d8d1b Author: Yihang Li Date: Thu Dec 14 11:45:16 2023 +0800 scsi: hisi_sas: Correct the number of global debugfs registers [ Upstream commit 73e33f969ef05328766b23a99b2c07bfff765009 ] In function debugfs_debugfs_snapshot_global_reg_v3_hw() it uses debugfs_axi_reg.count (which is the number of axi debugfs registers) to acquire the number of global debugfs registers. Use debugfs_global_reg.count to acquire the number of global debugfs registers instead. Fixes: 623a4b6d5c2a ("scsi: hisi_sas: Move debugfs code to v3 hw driver") Signed-off-by: Yihang Li Signed-off-by: Xiang Chen Link: https://lore.kernel.org/r/1702525516-51258-6-git-send-email-chenxiang66@hisilicon.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 6491d9ea9326d2935c81c63ed0e14e60def40fe2 Author: Yihang Li Date: Thu Dec 14 11:45:15 2023 +0800 scsi: hisi_sas: Rollback some operations if FLR failed [ Upstream commit 7ea3e7763c50b20a8bd25cf524ea0c6463de69be ] We obtain the semaphore and set HISI_SAS_RESETTING_BIT in hisi_sas_reset_prepare_v3_hw(), block the scsi host and set HISI_SAS_REJECT_CMD_BIT in hisi_sas_controller_reset_prepare(), released them in hisi_sas_controller_reset_done(). However, if the HW reset failure in FLR results in early return, the semaphore and flag bits will not be release. Rollback some operations including clearing flags / releasing semaphore when FLR is failed. Fixes: e5ea48014adc ("scsi: hisi_sas: Implement handlers of PCIe FLR for v3 hw") Signed-off-by: Yihang Li Signed-off-by: Xiang Chen Link: https://lore.kernel.org/r/1702525516-51258-5-git-send-email-chenxiang66@hisilicon.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 3d5a4fa56d0c91edd3af0c2ac528642178b5a85b Author: Yihang Li Date: Thu Dec 14 11:45:13 2023 +0800 scsi: hisi_sas: Replace with standard error code return value [ Upstream commit d34ee535705eb43885bc0f561c63046f697355ad ] In function hisi_sas_controller_prereset(), -ENOSYS (Function not implemented) should be returned if the driver does not support .soft_reset. Returns -EPERM (Operation not permitted) if HISI_SAS_RESETTING_BIT is already be set. In function _suspend_v3_hw(), returns -EPERM (Operation not permitted) if HISI_SAS_RESETTING_BIT is already be set. Fixes: 4522204ab218 ("scsi: hisi_sas: tidy host controller reset function a bit") Signed-off-by: Yihang Li Signed-off-by: Xiang Chen Link: https://lore.kernel.org/r/1702525516-51258-3-git-send-email-chenxiang66@hisilicon.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 35657d1ba8264bd5b6782b7c2567334bfe39859c Author: Adam Ford Date: Tue Nov 28 14:02:16 2023 -0600 arm64: dts: imx8mm: Reduce GPU to nominal speed [ Upstream commit 1f794d3eed5345413c2b0cf1bcccc92d77681220 ] When the GPU nodes were added, the GPU_PLL_OUT was configured for 1000MHz, but this requires the SoC to run in overdrive mode which requires an elevated voltage operating point. Since this may run some boards out of spec, the default clock should be set to 800MHz for nominal operating mode. Boards that run at the higher voltage can update their clocks accordingly. Fixes: 4523be8e46be ("arm64: dts: imx8mm: Add GPU nodes for 2D and 3D core") Signed-off-by: Adam Ford Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit a4210a686a75ece87d041c4c022d3b09fbcaac13 Author: Geert Uytterhoeven Date: Wed Dec 13 10:32:25 2023 +0100 arm64: dts: renesas: white-hawk-cpu: Fix missing serial console pin control [ Upstream commit fc67495680f60e88bb8ca43421c1dd628928d581 ] The pin control description for the serial console was added, but not enabled, due to missing pinctrl properties in the serial port device node. Fixes: 7a8d590de8132853 ("arm64: dts: renesas: white-hawk-cpu: Add serial port pin control") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/8a51516581cd71ecbfa174af9c7cebad1fc83c5b.1702459865.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 9f5b79cf125b002c466c8ab295c850f4e1c93f1a Author: Li Nan Date: Mon Dec 11 15:53:56 2023 +0800 block: Set memalloc_noio to false on device_add_disk() error path [ Upstream commit 5fa3d1a00c2d4ba14f1300371ad39d5456e890d7 ] On the error path of device_add_disk(), device's memalloc_noio flag was set but not cleared. As the comment of pm_runtime_set_memalloc_noio(), "The function should be called between device_add() and device_del()". Clear this flag before device_del() now. Fixes: 25e823c8c37d ("block/genhd.c: apply pm_runtime_set_memalloc_noio on block devices") Signed-off-by: Li Nan Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20231211075356.1839282-1-linan666@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 4196b45370bdd28225693aadc80bd4241fca0174 Author: YiFei Zhu Date: Tue Dec 12 18:29:11 2023 +0000 selftests/bpf: Relax time_tai test for equal timestamps in tai_forward [ Upstream commit e1ba7f64b192f083b4423644be03bb9e3dc8ae84 ] We're observing test flakiness on an arm64 platform which might not have timestamps as precise as x86. The test log looks like: test_time_tai:PASS:tai_open 0 nsec test_time_tai:PASS:test_run 0 nsec test_time_tai:PASS:tai_ts1 0 nsec test_time_tai:PASS:tai_ts2 0 nsec test_time_tai:FAIL:tai_forward unexpected tai_forward: actual 1702348135471494160 <= expected 1702348135471494160 test_time_tai:PASS:tai_gettime 0 nsec test_time_tai:PASS:tai_future_ts1 0 nsec test_time_tai:PASS:tai_future_ts2 0 nsec test_time_tai:PASS:tai_range_ts1 0 nsec test_time_tai:PASS:tai_range_ts2 0 nsec #199 time_tai:FAIL This patch changes ASSERT_GT to ASSERT_GE in the tai_forward assertion so that equal timestamps are permitted. Fixes: 64e15820b987 ("selftests/bpf: Add BPF-helper test for CLOCK_TAI access") Signed-off-by: YiFei Zhu Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20231212182911.3784108-1-zhuyifei@google.com Signed-off-by: Sasha Levin commit 0c9318d49e501a5d50b02bd91a4813bde2353488 Author: Ming Yen Hsieh Date: Wed Nov 22 11:06:44 2023 +0800 wifi: mt76: mt7921: fix country count limitation for CLC [ Upstream commit fa6ad88e023ddfa6c5dcdb466d159e89f451e305 ] Due to the increase in the number of power tables for 6Ghz on CLC, the variable nr_country is no longer sufficient to represent the total quantity. Therefore, we have switched to calculating the length of clc buf to obtain the correct power table. Additionally, the version number has been incremented to 1. Fixes: 23bdc5d8cadf ("wifi: mt76: mt7921: introduce Country Location Control support") Signed-off-by: Ming Yen Hsieh Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit fe002eeda420ae453a4b1aacdd3b3d1436711d5d Author: Moudy Ho Date: Mon Oct 30 17:48:38 2023 +0800 arm64: dts: mediatek: mt8183: correct MDP3 DMA-related nodes [ Upstream commit 188ffcd7fea79af3cac441268fc99f60e87f03b3 ] In order to generalize the node names, the DMA-related nodes corresponding to MT8183 MDP3 need to be corrected. Fixes: 60a2fb8d202a ("arm64: dts: mt8183: add MediaTek MDP3 nodes") Signed-off-by: Moudy Ho Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: AngeloGioacchino Del Regno Signed-off-by: Sasha Levin commit 9c91f5849885d0ebc853eb5480adeb99f44d8ada Author: Moudy Ho Date: Tue Oct 31 16:33:42 2023 +0800 dt-bindings: media: mediatek: mdp3: correct RDMA and WROT node with generic names [ Upstream commit f5f185bf7c42f6ca885202fefc40fc871d08a722 ] The DMA-related nodes RDMA/WROT in MDP3 should be changed to generic names. In addition, fix improper space indent in example. Fixes: 4ad7b39623ab ("media: dt-binding: mediatek: add bindings for MediaTek MDP3 components") Signed-off-by: Moudy Ho Acked-by: Rob Herring Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: AngeloGioacchino Del Regno Signed-off-by: Sasha Levin commit ba5e58dacf8cdeebeffe0f05954b5bb1967d8694 Author: Johan Hovold Date: Thu Nov 30 18:56:34 2023 +0100 arm64: dts: hisilicon: hikey970-pmic: fix regulator cells properties [ Upstream commit 44ab3ee76a5a977864ba0bb6c352dcf6206804e0 ] The Hi6421 PMIC regulator child nodes do not have unit addresses so drop the incorrect '#address-cells' and '#size-cells' properties. Fixes: 6219b20e1ecd ("arm64: dts: hisilicon: Add support for Hikey 970 PMIC") Signed-off-by: Johan Hovold Signed-off-by: Wei Xu Signed-off-by: Sasha Levin commit b1d4d54d32ce6342f5faffe71bae736540ce7cb5 Author: Andrei Matei Date: Wed Dec 6 23:11:48 2023 -0500 bpf: Fix verification of indirect var-off stack access [ Upstream commit a833a17aeac73b33f79433d7cee68d5cafd71e4f ] This patch fixes a bug around the verification of possibly-zero-sized stack accesses. When the access was done through a var-offset stack pointer, check_stack_access_within_bounds was incorrectly computing the maximum-offset of a zero-sized read to be the same as the register's min offset. Instead, we have to take in account the register's maximum possible value. The patch also simplifies how the max offset is checked; the check is now simpler than for min offset. The bug was allowing accesses to erroneously pass the check_stack_access_within_bounds() checks, only to later crash in check_stack_range_initialized() when all the possibly-affected stack slots are iterated (this time with a correct max offset). check_stack_range_initialized() is relying on check_stack_access_within_bounds() for its accesses to the stack-tracking vector to be within bounds; in the case of zero-sized accesses, we were essentially only verifying that the lowest possible slot was within bounds. We would crash when the max-offset of the stack pointer was >= 0 (which shouldn't pass verification, and hopefully is not something anyone's code attempts to do in practice). Thanks Hao for reporting! Fixes: 01f810ace9ed3 ("bpf: Allow variable-offset stack access") Reported-by: Hao Sun Signed-off-by: Andrei Matei Signed-off-by: Andrii Nakryiko Acked-by: Eduard Zingerman Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20231207041150.229139-2-andreimatei1@gmail.com Closes: https://lore.kernel.org/bpf/CACkBjsZGEUaRCHsmaX=h-efVogsRfK1FPxmkgb0Os_frnHiNdw@mail.gmail.com/ Signed-off-by: Sasha Levin commit 4054b2b1e6def22f7e54e9776ce746427f0f0faf Author: Wang Zhao Date: Fri Nov 17 20:54:49 2023 +0800 wifi: mt76: mt7921s: fix workqueue problem causes STA association fail [ Upstream commit 92184eae1d5ad804884e2c6e289d885b9e3194d1 ] The ieee80211_queue_work function queues work into the mac80211 local->workqueue, which is widely used for mac80211 internal work processes. In the mt76 driver, both the mt76-sido-status and mt76-sdio-net threads enqueue workers to the workqueue with this function. However, in some cases, when two workers are enqueued to the workqueue almost simultaneously, the second worker may not be scheduled immediately and may get stuck for a while. This can cause timing issues. To avoid these timing conflicts caused by worker scheduling, replace the worker with an independent thread. Fixes: 48fab5bbef40 ("mt76: mt7921: introduce mt7921s support") Signed-off-by: Wang Zhao Signed-off-by: Deren Wu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 4486b2e5dbe5f41067f2740720edb42c7b71abd3 Author: Johan Hovold Date: Mon Nov 20 17:43:25 2023 +0100 arm64: dts: qcom: sc7280: fix usb_2 wakeup interrupt types [ Upstream commit 24f8aba9a7c77c7e9d814a5754798e8346c7dd28 ] The DP/DM wakeup interrupts are edge triggered and which edge to trigger on depends on use-case and whether a Low speed or Full/High speed device is connected. Note that only triggering on rising edges can be used to detect resume events but not disconnect events. Fixes: bb9efa59c665 ("arm64: dts: qcom: sc7280: Add USB related nodes") Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20231120164331.8116-6-johan+linaro@kernel.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 361b4175ddcabe014f48c9abadb1c9d4a1078531 Author: Konrad Dybcio Date: Mon Nov 20 13:12:54 2023 +0100 arm64: dts: qcom: sc7280: Mark Adreno SMMU as DMA coherent [ Upstream commit 31edad478534186a2718be9206ce7b19f2735f6e ] The SMMUs on sc7280 are cache-coherent. APPS_SMMU is marked as such, mark the GPU one as well. Fixes: 96c471970b7b ("arm64: dts: qcom: sc7280: Add gpu support") Reviewed-by: Akhil P Oommen Signed-off-by: Konrad Dybcio Link: https://lore.kernel.org/r/20230926-topic-a643-v2-3-06fa3d899c0a@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit a16a476b5c0d725106021b11dcf71840db98e4d8 Author: Konrad Dybcio Date: Mon Nov 20 13:12:53 2023 +0100 arm64: dts: qcom: sc7280: Fix up GPU SIDs [ Upstream commit 94085049fdad7a36fe14dd55e72e712fe55d6bca ] GPU_SMMU SID 1 is meant for Adreno LPAC (Low Priority Async Compute). On platforms that support it (in firmware), it is necessary to describe that link, or Adreno register access will hang the board. The current settings are functionally identical, *but* due to what is likely hardcoded security policies, the secure firmware rejects them, resulting in the board hanging. To avoid that, alter the settings such that SID 0 and 1 are described separately. Fixes: 96c471970b7b ("arm64: dts: qcom: sc7280: Add gpu support") Signed-off-by: Konrad Dybcio Link: https://lore.kernel.org/r/20230926-topic-a643-v2-2-06fa3d899c0a@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 9e1dafa5c3656081dbf4bd12a957a3f6c905810d Author: Nia Espera Date: Sat Nov 11 23:07:40 2023 +0100 arm64: dts: qcom: sm8350: Fix DMA0 address [ Upstream commit 01a9e9eb6cdbce175ddea3cbe1163daed6d54344 ] DMA0 node downstream is specified at 0x900000, so fix the typo. Without this, enabling any i2c node using DMA0 causes a hang. Fixes: bc08fbf49bc8 ("arm64: dts: qcom: sm8350: Define GPI DMA engines") Fixes: 41d6bca799b3 ("arm64: dts: qcom: sm8350: correct DMA controller unit address") Reviewed-by: Konrad Dybcio Signed-off-by: Nia Espera Link: https://lore.kernel.org/r/20231111-nia-sm8350-for-upstream-v4-2-3a638b02eea5@igalia.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 1623432c6a74d46383e62c0563d0a669904b86e7 Author: Krzysztof Kozlowski Date: Sat Nov 11 10:56:16 2023 +0100 arm64: dts: qcom: sdm845-db845c: correct LED panic indicator [ Upstream commit 0c90c75e663246203a2b7f6dd9e08a110f4c3c43 ] There is no "panic-indicator" default trigger but a property with that name: sdm845-db845c.dtb: leds: led-0: Unevaluated properties are not allowed ('linux,default-trigger' was unexpected) Fixes: 3f72e2d3e682 ("arm64: dts: qcom: Add Dragonboard 845c") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20231111095617.16496-1-krzysztof.kozlowski@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 773c09af312f428dcaf5105ad27d13aa5cb67e01 Author: Krzysztof Kozlowski Date: Sat Nov 11 10:46:23 2023 +0100 arm64: dts: qcom: qrb5165-rb5: correct LED panic indicator [ Upstream commit dc6b5562acbac0285ab3b2dad23930b6434bdfc6 ] There is no "panic-indicator" default trigger but a property with that name: qrb5165-rb5.dtb: leds: led-user4: Unevaluated properties are not allowed ('linux,default-trigger' was unexpected) Fixes: b5cbd84e499a ("arm64: dts: qcom: qrb5165-rb5: Add onboard LED support") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Manivannan Sadhasivam Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20231111094623.12476-1-krzysztof.kozlowski@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 9435bbc8d9ead08181d6862416c292c55237b392 Author: Artem Chernyshev Date: Tue Nov 28 14:10:08 2023 +0300 scsi: fnic: Return error if vmalloc() failed [ Upstream commit f5f27a332a14f43463aa0075efa3a0c662c0f4a8 ] In fnic_init_module() exists redundant check for return value from fnic_debugfs_init(), because at moment it only can return zero. It make sense to process theoretical vmalloc() failure. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9730ddfb123d ("scsi: fnic: remove redundant assignment of variable rc") Signed-off-by: Artem Chernyshev Link: https://lore.kernel.org/r/20231128111008.2280507-1-artem.chernyshev@red-soft.ru Reviewed-by: Karan Tilak Kumar Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit fc3e3c50a0a4cac1463967c110686189e4a59104 Author: Andrii Nakryiko Date: Tue Dec 5 10:42:41 2023 -0800 bpf: fix check for attempt to corrupt spilled pointer [ Upstream commit ab125ed3ec1c10ccc36bc98c7a4256ad114a3dae ] When register is spilled onto a stack as a 1/2/4-byte register, we set slot_type[BPF_REG_SIZE - 1] (plus potentially few more below it, depending on actual spill size). So to check if some stack slot has spilled register we need to consult slot_type[7], not slot_type[0]. To avoid the need to remember and double-check this in the future, just use is_spilled_reg() helper. Fixes: 27113c59b6d0 ("bpf: Check the other end of slot_type for STACK_SPILL") Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20231205184248.1502704-4-andrii@kernel.org Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 50e9fbddcbc20254d4dc907d33a774e935be477a Author: Hangbin Liu Date: Sat Dec 2 10:00:59 2023 +0800 selftests/net: specify the interface when do arping [ Upstream commit 7f770d28f2e5abfd442ad689ba1129dd66593529 ] When do arping, the interface need to be specified. Or we will get error: Interface "lo" is not ARPable. And the test failed. ]# ./arp_ndisc_untracked_subnets.sh TEST: test_arp: accept_arp=0 [ OK ] TEST: test_arp: accept_arp=1 [FAIL] TEST: test_arp: accept_arp=2 same_subnet=0 [ OK ] TEST: test_arp: accept_arp=2 same_subnet=1 [FAIL] After fix: ]# ./arp_ndisc_untracked_subnets.sh TEST: test_arp: accept_arp=0 [ OK ] TEST: test_arp: accept_arp=1 [ OK ] TEST: test_arp: accept_arp=2 same_subnet=0 [ OK ] TEST: test_arp: accept_arp=2 same_subnet=1 [ OK ] Fixes: 0ea7b0a454ca ("selftests: net: arp_ndisc_untracked_subnets: test for arp_accept and accept_untracked_na") Signed-off-by: Hangbin Liu Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 62fca83303d608ad4fec3f7428c8685680bb01b0 Author: Hou Tao Date: Mon Dec 4 22:04:22 2023 +0800 bpf: Defer the free of inner map when necessary [ Upstream commit 876673364161da50eed6b472d746ef88242b2368 ] When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(), if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don't use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur use-after-free problem. Fix the free of inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with work field to reduce the size of bpf_map. Fixes: bba1dc0b55ac ("bpf: Remove redundant synchronize_rcu.") Fixes: 638e4b825d52 ("bpf: Allows per-cpu maps and map-in-map in sleepable programs") Signed-off-by: Hou Tao Link: https://lore.kernel.org/r/20231204140425.1480317-5-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit e05b322c82d2e8e140d081de4695d70710b09007 Author: Hou Tao Date: Mon Dec 4 22:04:20 2023 +0800 bpf: Add map and need_defer parameters to .map_fd_put_ptr() [ Upstream commit 20c20bd11a0702ce4dc9300c3da58acf551d9725 ] map is the pointer of outer map, and need_defer needs some explanation. need_defer tells the implementation to defer the reference release of the passed element and ensure that the element is still alive before the bpf program, which may manipulate it, exits. The following three cases will invoke map_fd_put_ptr() and different need_defer values will be passed to these callers: 1) release the reference of the old element in the map during map update or map deletion. The release must be deferred, otherwise the bpf program may incur use-after-free problem, so need_defer needs to be true. 2) release the reference of the to-be-added element in the error path of map update. The to-be-added element is not visible to any bpf program, so it is OK to pass false for need_defer parameter. 3) release the references of all elements in the map during map release. Any bpf program which has access to the map must have been exited and released, so need_defer=false will be OK. These two parameters will be used by the following patches to fix the potential use-after-free problem for map-in-map. Signed-off-by: Hou Tao Link: https://lore.kernel.org/r/20231204140425.1480317-3-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov Stable-dep-of: 876673364161 ("bpf: Defer the free of inner map when necessary") Signed-off-by: Sasha Levin commit a6fb03a9c9c88941d35c63b83f3319731bf685a2 Author: Anton Protopopov Date: Thu Jul 6 13:39:28 2023 +0000 bpf: add percpu stats for bpf_map elements insertions/deletions [ Upstream commit 25954730461af01f66afa9e17036b051986b007e ] Add a generic percpu stats for bpf_map elements insertions/deletions in order to keep track of both, the current (approximate) number of elements in a map and per-cpu statistics on update/delete operations. To expose these stats a particular map implementation should initialize the counter and adjust it as needed using the 'bpf_map_*_elem_count' helpers provided by this commit. Signed-off-by: Anton Protopopov Link: https://lore.kernel.org/r/20230706133932.45883-2-aspsk@isovalent.com Signed-off-by: Alexei Starovoitov Stable-dep-of: 876673364161 ("bpf: Defer the free of inner map when necessary") Signed-off-by: Sasha Levin commit 10108826191ab30388e8ae9d54505a628f78a7ec Author: Paul E. McKenney Date: Fri Oct 14 19:39:43 2022 +0800 rcu-tasks: Provide rcu_trace_implies_rcu_gp() [ Upstream commit e6c86c513f440bec5f1046539c7e3c6c653842da ] As an accident of implementation, an RCU Tasks Trace grace period also acts as an RCU grace period. However, this could change at any time. This commit therefore creates an rcu_trace_implies_rcu_gp() that currently returns true to codify this accident. Code relying on this accident must call this function to verify that this accident is still happening. Reported-by: Hou Tao Signed-off-by: Paul E. McKenney Cc: Alexei Starovoitov Cc: Martin KaFai Lau Link: https://lore.kernel.org/r/20221014113946.965131-2-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov Stable-dep-of: 876673364161 ("bpf: Defer the free of inner map when necessary") Signed-off-by: Sasha Levin commit db44bac18a1330d3bbed5f07a8ff3d2892656678 Author: Douglas Anderson Date: Mon Nov 6 14:43:35 2023 -0800 arm64: dts: qcom: sm6350: Make watchdog bark interrupt edge triggered [ Upstream commit 5b84bb2b8d86595544fc8272364b0f1a34b68a4f ] As described in the patch ("arm64: dts: qcom: sc7180: Make watchdog bark interrupt edge triggered"), the Qualcomm watchdog timer's bark interrupt should be configured as edge triggered. Make the change. Fixes: 5f82b9cda61e ("arm64: dts: qcom: Add SM6350 device tree") Reviewed-by: Guenter Roeck Reviewed-by: Stephen Boyd Signed-off-by: Douglas Anderson Link: https://lore.kernel.org/r/20231106144335.v2.8.Ic1d4402e99c70354d501ccd98105e908a902f671@changeid Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 8e335e7759c0c59eed8f17357ef0e4a16b24a0ad Author: Douglas Anderson Date: Mon Nov 6 14:43:34 2023 -0800 arm64: dts: qcom: sc8280xp: Make watchdog bark interrupt edge triggered [ Upstream commit 6c4a9c7ea486da490400c84ba2768c90d228c283 ] As described in the patch ("arm64: dts: qcom: sc7180: Make watchdog bark interrupt edge triggered"), the Qualcomm watchdog timer's bark interrupt should be configured as edge triggered. Make the change. Fixes: 152d1faf1e2f ("arm64: dts: qcom: add SC8280XP platform") Reviewed-by: Guenter Roeck Reviewed-by: Stephen Boyd Signed-off-by: Douglas Anderson Link: https://lore.kernel.org/r/20231106144335.v2.7.I1c8ab71570f6906fd020decb80675f05fbe1fe74@changeid Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 66cdbc4e80ff22a45eeee2f2c47ddff1993a7146 Author: Douglas Anderson Date: Mon Nov 6 14:43:32 2023 -0800 arm64: dts: qcom: sm8250: Make watchdog bark interrupt edge triggered [ Upstream commit 735d80e2e8e5d073ae8b1fff8b1589ea284aa5af ] As described in the patch ("arm64: dts: qcom: sc7180: Make watchdog bark interrupt edge triggered"), the Qualcomm watchdog timer's bark interrupt should be configured as edge triggered. Make the change. Fixes: 46a4359f9156 ("arm64: dts: qcom: sm8250: Add watchdog bark interrupt") Reviewed-by: Guenter Roeck Reviewed-by: Stephen Boyd Signed-off-by: Douglas Anderson Link: https://lore.kernel.org/r/20231106144335.v2.5.I2910e7c10493d896841e9785c1817df9b9a58701@changeid Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 385f30d448c3f4590b87e58c8c3cb304664fcb1c Author: Douglas Anderson Date: Mon Nov 6 14:43:31 2023 -0800 arm64: dts: qcom: sm8150: Make watchdog bark interrupt edge triggered [ Upstream commit 9204e9a4099212c850e1703c374ef4538080825b ] As described in the patch ("arm64: dts: qcom: sc7180: Make watchdog bark interrupt edge triggered"), the Qualcomm watchdog timer's bark interrupt should be configured as edge triggered. Make the change. Fixes: b094c8f8dd2a ("arm64: dts: qcom: sm8150: Add watchdog bark interrupt") Reviewed-by: Guenter Roeck Reviewed-by: Stephen Boyd Signed-off-by: Douglas Anderson Link: https://lore.kernel.org/r/20231106144335.v2.4.I23d0aa6c8f1fec5c26ad9b3c610df6f4c5392850@changeid Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 5e8267cbc0fa9cdb146e7f754835bb4b0cb1fd22 Author: Douglas Anderson Date: Mon Nov 6 14:43:30 2023 -0800 arm64: dts: qcom: sdm845: Make watchdog bark interrupt edge triggered [ Upstream commit 263b348499454f38d36b9442c3cf9279c571bb54 ] As described in the patch ("arm64: dts: qcom: sc7180: Make watchdog bark interrupt edge triggered"), the Qualcomm watchdog timer's bark interrupt should be configured as edge triggered. Make the change. Fixes: 36c436b03c58 ("arm64: dts: qcom: sdm845: Add watchdog bark interrupt") Reviewed-by: Guenter Roeck Reviewed-by: Stephen Boyd Signed-off-by: Douglas Anderson Link: https://lore.kernel.org/r/20231106144335.v2.3.I16675ebe5517c68453a1bd7f4334ff885f806c03@changeid Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit bc9a45a06a75e06584452075c88ace8da148f84b Author: Douglas Anderson Date: Mon Nov 6 14:43:29 2023 -0800 arm64: dts: qcom: sc7280: Make watchdog bark interrupt edge triggered [ Upstream commit 6897fac411db7b43243f67d4fd4d3f95abf7f656 ] As described in the patch ("arm64: dts: qcom: sc7180: Make watchdog bark interrupt edge triggered"), the Qualcomm watchdog timer's bark interrupt should be configured as edge triggered. Make the change. Fixes: 0e51f883daa9 ("arm64: dts: qcom: sc7280: Add APSS watchdog node") Reviewed-by: Guenter Roeck Reviewed-by: Stephen Boyd Signed-off-by: Douglas Anderson Link: https://lore.kernel.org/r/20231106144335.v2.2.I11f77956d2492c88aca0ef5462123f225caf4fb4@changeid Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 30d0c5fe2c26e1a0a49418b83b16d0a57ad2532b Author: Luca Weiss Date: Tue Sep 19 14:45:55 2023 +0200 arm64: dts: qcom: sc7280: Mark some nodes as 'reserved' [ Upstream commit 6da24ba932082bae110feb917a64bb54637fa7c0 ] With the standard Qualcomm TrustZone setup, components such as lpasscc, pdc_reset and watchdog shouldn't be touched by Linux. Mark them with the status 'reserved' and reenable them in the chrome-common dtsi. Signed-off-by: Luca Weiss Link: https://lore.kernel.org/r/20230919-fp5-initial-v2-1-14bb7cedadf5@fairphone.com Signed-off-by: Bjorn Andersson Stable-dep-of: 6897fac411db ("arm64: dts: qcom: sc7280: Make watchdog bark interrupt edge triggered") Signed-off-by: Sasha Levin commit 0200f1b6bab84090cd88d31892a7b9af8c5141f7 Author: Douglas Anderson Date: Mon Nov 6 14:43:28 2023 -0800 arm64: dts: qcom: sc7180: Make watchdog bark interrupt edge triggered [ Upstream commit 7ac90b4cf107a3999b30844d7899e0331686b33b ] On sc7180 when the watchdog timer fires your logs get filled with: watchdog0: pretimeout event watchdog0: pretimeout event watchdog0: pretimeout event ... watchdog0: pretimeout event If you're using console-ramoops to debug crashes the above gets quite annoying since it blows away any other log messages that might have been there. The issue is that the "bark" interrupt (AKA the "pretimeout" interrupt) remains high until the watchdog is pet. Since we've got things configured as "level" triggered we'll keep getting interrupted over and over. Let's switch to edge triggered. Now we'll get one interrupt when the "bark" interrupt goes off and won't get another one until the "bark" interrupt is cleared and asserts again. This matches how many older Qualcomm SoCs have things configured. Fixes: 28cc13e4060c ("arm64: dts: qcom: sc7180: Add watchdog bark interrupt") Reviewed-by: Guenter Roeck Reviewed-by: Stephen Boyd Signed-off-by: Douglas Anderson Link: https://lore.kernel.org/r/20231106144335.v2.1.Ic7577567baff921347d423b722de8b857602efb1@changeid Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 22529f0ac27443a23e62e4197b03f73beb83fa19 Author: Krzysztof Kozlowski Date: Sun Sep 24 20:31:03 2023 +0200 ARM: dts: qcom: sdx65: correct SPMI node name [ Upstream commit a900ad783f507cb396e402827052e70c0c565ae9 ] Node names should not have vendor prefixes: qcom-sdx65-mtp.dtb: qcom,spmi@c440000: $nodename:0: 'qcom,spmi@c440000' does not match '^spmi@.* Reviewed-by: Konrad Dybcio Signed-off-by: Krzysztof Kozlowski Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20230924183103.49487-3-krzysztof.kozlowski@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit be1f34b93f5afb5d9906a3246f8af6336abe8f65 Author: Andrii Nakryiko Date: Sat Dec 2 09:56:57 2023 -0800 bpf: enforce precision of R0 on callback return [ Upstream commit 0acd03a5bd188b0c501d285d938439618bd855c4 ] Given verifier checks actual value, r0 has to be precise, so we need to propagate precision properly. r0 also has to be marked as read, otherwise subsequent state comparisons will ignore such register as unimportant and precision won't really help here. Fixes: 69c087ba6225 ("bpf: Add bpf_for_each_map_elem() helper") Acked-by: Eduard Zingerman Acked-by: Shung-Hsi Yu Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20231202175705.885270-4-andrii@kernel.org Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit f9f2d957a8ea93c73182aebf7de30935a58c027d Author: Yu Kuai Date: Wed Nov 29 10:02:34 2023 +0800 md: synchronize flush io with array reconfiguration [ Upstream commit fa2bbff7b0b4e211fec5e5686ef96350690597b5 ] Currently rcu is used to protect iterating rdev from submit_flushes(): submit_flushes remove_and_add_spares synchronize_rcu pers->hot_remove_disk() rcu_read_lock() rdev_for_each_rcu if (rdev->raid_disk >= 0) rdev->radi_disk = -1; atomic_inc(&rdev->nr_pending) rcu_read_unlock() bi = bio_alloc_bioset() bi->bi_end_io = md_end_flush bi->private = rdev submit_bio // issue io for removed rdev Fix this problem by grabbing 'acive_io' before iterating rdev, make sure that remove_and_add_spares() won't concurrent with submit_flushes(). Fixes: a2826aa92e2e ("md: support barrier requests on all personalities.") Signed-off-by: Yu Kuai Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20231129020234.1586910-1-yukuai1@huaweicloud.com Signed-off-by: Sasha Levin commit b21a16909b49d3ffcc10a062297be47daa194e97 Author: Jeroen van Ingen Schenau Date: Thu Nov 30 13:03:53 2023 +0100 selftests/bpf: Fix erroneous bitmask operation [ Upstream commit b6a3451e0847d5d70fb5fa2b2a80ab9f80bf2c7b ] xdp_synproxy_kern.c is a BPF program that generates SYN cookies on allowed TCP ports and sends SYNACKs to clients, accelerating synproxy iptables module. Fix the bitmask operation when checking the status of an existing conntrack entry within tcp_lookup() function. Do not AND with the bit position number, but with the bitmask value to check whether the entry found has the IPS_CONFIRMED flag set. Fixes: fb5cd0ce70d4 ("selftests/bpf: Add selftests for raw syncookie helpers") Signed-off-by: Jeroen van Ingen Schenau Signed-off-by: Daniel Borkmann Tested-by: Minh Le Hoang Link: https://lore.kernel.org/xdp-newbies/CAAi1gX7owA+Tcxq-titC-h-KPM7Ri-6ZhTNMhrnPq5gmYYwKow@mail.gmail.com/T/#u Link: https://lore.kernel.org/bpf/20231130120353.3084-1-jeroen.vaningenschenau@novoserve.com Signed-off-by: Sasha Levin commit ff9935181e5a9bdc96f30662bbfed84dca7c404a Author: Tomi Valkeinen Date: Mon Nov 6 11:57:48 2023 +0200 arm64: dts: ti: k3-am65-main: Fix DSS irq trigger type [ Upstream commit b57160859263c083c49482b0d083a586b1517f78 ] DSS irq trigger type is set to IRQ_TYPE_EDGE_RISING in the DT file, but the TRM says it is level triggered. For some reason triggering on rising edge results in double the amount of expected interrupts, e.g. for normal page flipping test the number of interrupts per second is 2 * fps. It is as if the IRQ triggers on both edges. There are no other side effects to this issue than slightly increased CPU & power consumption due to the extra interrupt. Switching to IRQ_TYPE_LEVEL_HIGH is correct and fixes the issue, so let's do that. Fixes: fc539b90eda2 ("arm64: dts: ti: am654: Add DSS node") Signed-off-by: Tomi Valkeinen Reviewed-by: Aradhya Bhatia Link: https://lore.kernel.org/r/20231106-am65-dss-clk-edge-v1-1-4a959fec0e1e@ideasonboard.com Signed-off-by: Nishanth Menon Signed-off-by: Sasha Levin commit e9e59f3ee5c576aee49384d61a095c0edca3505c Author: Nitin Yadav Date: Fri Oct 27 12:29:30 2023 +0530 arm64: dts: ti: k3-am62a-main: Fix GPIO pin count in DT nodes [ Upstream commit 7dc4af358cc382c5d20bd5b726e53ef0f526eb6d ] Fix number of gpio pins in main_gpio0 & main_gpio1 DT nodes according to AM62A7 datasheet[0]. [0] https://www.ti.com/lit/gpn/am62a3 Section: 6.3.10 GPIO (Page No. 52-55) Fixes: 5fc6b1b62639 ("arm64: dts: ti: Introduce AM62A7 family of SoCs") Signed-off-by: Nitin Yadav Link: https://lore.kernel.org/r/20231027065930.1187405-1-n-yadav@ti.com Signed-off-by: Nishanth Menon Signed-off-by: Sasha Levin commit 436785a207ed3b901ea05061d645ea0267d6a8c0 Author: Su Hui Date: Mon Nov 27 09:35:13 2023 +0800 wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift behavior [ Upstream commit bc8263083af60e7e57c6120edbc1f75d6c909a35 ] Clang static checker warns: drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c:184:49: The result of the left shift is undefined due to shifting by '32', which is greater or equal to the width of type 'u32'. [core.UndefinedBinaryOperatorResult] If the value of the right operand is negative or is greater than or equal to the width of the promoted left operand, the behavior is undefined.[1][2] For example, when using different gcc's compilation optimization options (-O0 or -O2), the result of '(u32)data << 32' is different. One is 0, the other is old value of data. Let _rtl8821ae_phy_calculate_bit_shift()'s return value less than 32 to fix this problem. Warn if bitmask is zero. [1] https://stackoverflow.com/questions/11270492/what-does-the-c-standard-say-about-bitshifting-more-bits-than-the-width-of-type [2] https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf Fixes: 21e4b0726dc6 ("rtlwifi: rtl8821ae: Move driver from staging to regular tree") Signed-off-by: Su Hui Acked-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20231127013511.26694-2-suhui@nfschina.com Signed-off-by: Sasha Levin commit 6824ed5d5ab62888bd33a385c34efb82cadf9bf8 Author: Dmitry Rokosov Date: Fri Mar 24 17:55:57 2023 +0300 firmware: meson_sm: populate platform devices from sm device tree data [ Upstream commit e45f243409db98d610248c843b25435e7fb0baf3 ] In some meson boards, secure monitor device has children, for example, power secure controller. By default, secure monitor isn't the bus in terms of device tree subsystem, so the of_platform initialization code doesn't populate its device tree data. As a result, secure monitor's children aren't probed at all. Run the 'of_platform_populate()' routine manually to resolve such issues. Signed-off-by: Dmitry Rokosov Acked-by: Martin Blumenstingl Link: https://lore.kernel.org/r/20230324145557.27797-1-ddrokosov@sberdevices.ru Signed-off-by: Neil Armstrong Stable-dep-of: d8385d7433f9 ("firmware: meson-sm: unmap out_base shmem in error path") Signed-off-by: Sasha Levin commit 00ac00ce8d90d035cc1c8a625a7bfa3cca3671ee Author: Christophe JAILLET Date: Mon Oct 30 11:12:26 2023 +0100 firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create() [ Upstream commit 964946b88887089f447a9b6a28c39ee97dc76360 ] The ending NULL is not taken into account by strncat(), so switch to snprintf() to correctly build 'debug_name'. Using snprintf() also makes the code more readable. Fixes: aa276781a64a ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol") Signed-off-by: Christophe JAILLET Reviewed-by: Dan Carpenter Link: https://lore.kernel.org/r/7158db0a4d7b19855ddd542ec61b666973aad8dc.1698660720.git.christophe.jaillet@wanadoo.fr Signed-off-by: Nishanth Menon Signed-off-by: Sasha Levin commit ac7c503bd5efb3710032f4ec77e522370b421d4a Author: Peter Delevoryas Date: Tue Nov 14 10:07:34 2023 -0600 net/ncsi: Fix netlink major/minor version numbers [ Upstream commit 3084b58bfd0b9e4b5e034f31f31b42977db35f12 ] The netlink interface for major and minor version numbers doesn't actually return the major and minor version numbers. It reports a u32 that contains the (major, minor, update, alpha1) components as the major version number, and then alpha2 as the minor version number. For whatever reason, the u32 byte order was reversed (ntohl): maybe it was assumed that the encoded value was a single big-endian u32, and alpha2 was the minor version. The correct way to get the supported NC-SI version from the network controller is to parse the Get Version ID response as described in 8.4.44 of the NC-SI spec[1]. Get Version ID Response Packet Format Bits +--------+--------+--------+--------+ Bytes | 31..24 | 23..16 | 15..8 | 7..0 | +-------+--------+--------+--------+--------+ | 0..15 | NC-SI Header | +-------+--------+--------+--------+--------+ | 16..19| Response code | Reason code | +-------+--------+--------+--------+--------+ |20..23 | Major | Minor | Update | Alpha1 | +-------+--------+--------+--------+--------+ |24..27 | reserved | Alpha2 | +-------+--------+--------+--------+--------+ | .... other stuff .... | The major, minor, and update fields are all binary-coded decimal (BCD) encoded [2]. The spec provides examples below the Get Version ID response format in section 8.4.44.1, but for practical purposes, this is an example from a live network card: root@bmc:~# ncsi-util 0x15 NC-SI Command Response: cmd: GET_VERSION_ID(0x15) Response: COMMAND_COMPLETED(0x0000) Reason: NO_ERROR(0x0000) Payload length = 40 20: 0xf1 0xf1 0xf0 0x00 <<<<<<<<< (major, minor, update, alpha1) 24: 0x00 0x00 0x00 0x00 <<<<<<<<< (_, _, _, alpha2) 28: 0x6d 0x6c 0x78 0x30 32: 0x2e 0x31 0x00 0x00 36: 0x00 0x00 0x00 0x00 40: 0x16 0x1d 0x07 0xd2 44: 0x10 0x1d 0x15 0xb3 48: 0x00 0x17 0x15 0xb3 52: 0x00 0x00 0x81 0x19 This should be parsed as "1.1.0". "f" in the upper-nibble means to ignore it, contributing zero. If both nibbles are "f", I think the whole field is supposed to be ignored. Major and minor are "required", meaning they're not supposed to be "ff", but the update field is "optional" so I think it can be ff. I think the simplest thing to do is just set the major and minor to zero instead of juggling some conditional logic or something. bcd2bin() from "include/linux/bcd.h" seems to assume both nibbles are 0-9, so I've provided a custom BCD decoding function. Alpha1 and alpha2 are ISO/IEC 8859-1 encoded, which just means ASCII characters as far as I can tell, although the full encoding table for non-alphabetic characters is slightly different (I think). I imagine the alpha fields are just supposed to be alphabetic characters, but I haven't seen any network cards actually report a non-zero value for either. If people wrote software against this netlink behavior, and were parsing the major and minor versions themselves from the u32, then this would definitely break their code. [1] https://www.dmtf.org/sites/default/files/standards/documents/DSP0222_1.0.0.pdf [2] https://en.wikipedia.org/wiki/Binary-coded_decimal [2] https://en.wikipedia.org/wiki/ISO/IEC_8859-1 Signed-off-by: Peter Delevoryas Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler") Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 12db013dc91d5149892b7aae3582a6865b2a23ca Author: Dmitry Baryshkov Date: Thu Sep 28 14:02:35 2023 +0300 ARM: dts: qcom: apq8064: correct XOADC register address [ Upstream commit 554557542e709e190eff8a598f0cde02647d533a ] The XOADC is present at the address 0x197 rather than just 197. It doesn't change a lot (since the driver hardcodes all register addresses), but the DT should present correct address anyway. Fixes: c4b70883ee33 ("ARM: dts: add XOADC and IIO HWMON to APQ8064") Reviewed-by: Konrad Dybcio Reviewed-by: Krzysztof Kozlowski Signed-off-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20230928110309.1212221-3-dmitry.baryshkov@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 638f381ab2d801e81dccb24d62fc13f708513765 Author: Arnd Bergmann Date: Wed Nov 8 16:34:03 2023 +0100 wifi: libertas: stop selecting wext [ Upstream commit 8170b04c2c92eee52ea50b96db4c54662197e512 ] Libertas no longer references the iw_handler infrastructure or wext_spy, so neither of the 'select' statements are used any more. Fixes: e86dc1ca4676 ("Libertas: cfg80211 support") Signed-off-by: Arnd Bergmann Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20231108153409.1065286-1-arnd@kernel.org Signed-off-by: Sasha Levin commit 7dd918d877fac3a7c8ab7e6e4a0f08d62b9948e4 Author: Luca Weiss Date: Fri Oct 27 08:57:18 2023 +0200 wifi: ath11k: Defer on rproc_get failure [ Upstream commit 2a3ec40b98b46c339adb57313d3b933ee5e7a8e8 ] If we already have gotten the rproc_handle (meaning the "qcom,rproc" property is defined in the devicetree), it's a valid state that the remoteproc module hasn't probed yet so we should defer probing instead of just failing to probe. This resolves a race condition when the ath11k driver probes and fails before the wpss remoteproc driver has probed, like the following: [ 6.232360] ath11k 17a10040.wifi: failed to get rproc [ 6.232366] ath11k 17a10040.wifi: failed to get rproc: -22 [ 6.232478] ath11k: probe of 17a10040.wifi failed with error -22 ... [ 6.252415] remoteproc remoteproc2: 8a00000.remoteproc is available [ 6.252776] remoteproc remoteproc2: powering up 8a00000.remoteproc [ 6.252781] remoteproc remoteproc2: Booting fw image qcom/qcm6490/fairphone5/wpss.mdt, size 7188 So, defer the probe if we hit that so we can retry later once the wpss remoteproc is available. Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-01264-QCAMSLSWPLZ-1.37886.3 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Signed-off-by: Luca Weiss Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20231027-ath11k-rproc-defer-v1-1-f6b6a812cd18@fairphone.com Signed-off-by: Sasha Levin commit 799a914e483a23f7826d230b09e0b1164d282b60 Author: Jordan Rome Date: Wed Nov 8 03:23:34 2023 -0800 bpf: Add crosstask check to __bpf_get_stack [ Upstream commit b8e3a87a627b575896e448021e5c2f8a3bc19931 ] Currently get_perf_callchain only supports user stack walking for the current task. Passing the correct *crosstask* param will return 0 frames if the task passed to __bpf_get_stack isn't the current one instead of a single incorrect frame/address. This change passes the correct *crosstask* param but also does a preemptive check in __bpf_get_stack if the task is current and returns -EOPNOTSUPP if it is not. This issue was found using bpf_get_task_stack inside a BPF iterator ("iter/task"), which iterates over all tasks. bpf_get_task_stack works fine for fetching kernel stacks but because get_perf_callchain relies on the caller to know if the requested *task* is the current one (via *crosstask*) it was failing in a confusing way. It might be possible to get user stacks for all tasks utilizing something like access_process_vm but that requires the bpf program calling bpf_get_task_stack to be sleepable and would therefore be a breaking change. Fixes: fa28dcb82a38 ("bpf: Introduce helper bpf_get_task_stack()") Signed-off-by: Jordan Rome Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20231108112334.3433136-1-jordalgo@meta.com Signed-off-by: Sasha Levin commit 1959a560ac4e09ab6d7e44340e29d41c370c22c2 Author: Florian Lehner Date: Sun Nov 5 09:58:01 2023 +0100 bpf, lpm: Fix check prefixlen before walking trie [ Upstream commit 9b75dbeb36fcd9fc7ed51d370310d0518a387769 ] When looking up an element in LPM trie, the condition 'matchlen == trie->max_prefixlen' will never return true, if key->prefixlen is larger than trie->max_prefixlen. Consequently all elements in the LPM trie will be visited and no element is returned in the end. To resolve this, check key->prefixlen first before walking the LPM trie. Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation") Signed-off-by: Florian Lehner Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20231105085801.3742-1-dev@der-flo.net Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit cd1896b9224ec6fbb9151c7a0a6e0a112ee29f2b Author: Chih-Kang Chang Date: Fri Nov 3 10:08:51 2023 +0800 wifi: rtw88: fix RX filter in FIF_ALLMULTI flag [ Upstream commit 53ee0b3b99edc6a47096bffef15695f5a895386f ] The broadcast packets will be filtered in the FIF_ALLMULTI flag in the original code, which causes beacon packets to be filtered out and disconnection. Therefore, we fix it. Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver") Signed-off-by: Chih-Kang Chang Signed-off-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20231103020851.102238-1-pkshih@realtek.com Signed-off-by: Sasha Levin commit fdd93641633f2b7227fc9e0a28132986c365d0a9 Author: Dan Carpenter Date: Mon Oct 30 12:03:23 2023 +0300 wifi: plfxlc: check for allocation failure in plfxlc_usb_wreq_async() [ Upstream commit 40018a8fa9aa63ca5b26e803502138158fb0ff96 ] Check for if the usb_alloc_urb() failed. Fixes: 68d57a07bfe5 ("wireless: add plfxlc driver for pureLiFi X, XL, XC devices") Signed-off-by: Dan Carpenter Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/e8d4a19a-f251-4101-a89b-607345e938cb@moroto.mountain Signed-off-by: Sasha Levin commit a058f0c432e0b2b40c3957453764cb939980157e Author: Trond Myklebust Date: Fri Nov 17 06:25:13 2023 -0500 pNFS: Fix the pnfs block driver's calculation of layoutget size [ Upstream commit 8a6291bf3b0eae1bf26621e6419a91682f2d6227 ] Instead of relying on the value of the 'bytes_left' field, we should calculate the layout size based on the offset of the request that is being written out. Reported-by: Benjamin Coddington Signed-off-by: Trond Myklebust Fixes: 954998b60caa ("NFS: Fix error handling for O_DIRECT write scheduling") Reviewed-by: Benjamin Coddington Tested-by: Benjamin Coddington Reviewed-by: Christoph Hellwig Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit b10370b1ea0b573113ea3bf1324b21df4576fa16 Author: Olga Kornievskaia Date: Fri Dec 1 14:42:03 2023 -0500 SUNRPC: fix _xprt_switch_find_current_entry logic [ Upstream commit 98b4e5137504a5bd9346562b1310cdc13486603b ] Fix the logic for picking current transport entry. Fixes: 95d0d30c66b8 ("SUNRPC create an iterator to list only OFFLINE xprts") Signed-off-by: Olga Kornievskaia Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 19f28fa8be4e5fce69eb4020910cea7df9a940cc Author: Trond Myklebust Date: Wed Nov 15 13:55:29 2023 -0500 NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT [ Upstream commit 037e56a22ff37f9a9c2330b66cff55d3d1ff9b90 ] Once the client has processed the CB_LAYOUTRECALL, but has not yet successfully returned the layout, the server is supposed to switch to returning NFS4ERR_RETURNCONFLICT. This patch ensures that we handle that return value correctly. Fixes: 183d9e7b112a ("pnfs: rework LAYOUTGET retry handling") Signed-off-by: Trond Myklebust Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 83f2d54ca33c60854bf73082ee366001e0712901 Author: Benjamin Coddington Date: Tue Dec 5 10:05:01 2023 -0500 blocklayoutdriver: Fix reference leak of pnfs_device_node [ Upstream commit 1530827b90025cdf80c9b0d07a166d045a0a7b81 ] The error path for blocklayout's device lookup is missing a reference drop for the case where a lookup finds the device, but the device is marked with NFS_DEVICEID_UNAVAILABLE. Fixes: b3dce6a2f060 ("pnfs/blocklayout: handle transient devices") Signed-off-by: Benjamin Coddington Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 23ba22557aac98f11edeaf932ea4579c2e621c0e Author: Arnd Bergmann Date: Mon Nov 6 22:02:59 2023 +0100 csky: fix arch_jump_label_transform_static override [ Upstream commit ca8e45c8048a2c9503c74751d25414601f730580 ] The arch_jump_label_transform_static() function in csky was originally meant to override the generic __weak function, but that got changed to an #ifndef check. This showed up as a missing-prototype warning: arch/csky/kernel/jump_label.c:43:6: error: no previous prototype for 'arch_jump_label_transform_static' [-Werror=missing-prototypes] Change the method to use the new method of having a #define and a prototype for the global function. Fixes: 7e6b9db27de9 ("jump_label: make initial NOP patching the special case") Fixes: 4e8bb4ba5a55 ("csky: Add jump-label implementation") Reviewed-by: Guo Ren Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 4df0c942d04a67df174195ad8082f6e30e7f71a5 Author: Chengming Zhou Date: Wed Dec 27 09:35:23 2023 +0000 crypto: scomp - fix req->dst buffer overflow [ Upstream commit 744e1885922a9943458954cfea917b31064b4131 ] The req->dst buffer size should be checked before copying from the scomp_scratch->dst to avoid req->dst buffer overflow problem. Fixes: 1ab53a77b772 ("crypto: acomp - add driver-side scomp interface") Reported-by: syzbot+3eff5e51bf1db122a16e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/0000000000000b05cd060d6b5511@google.com/ Signed-off-by: Chengming Zhou Reviewed-by: Barry Song Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 490adf8be7d016d68cd6a22c09dc888fb957c96b Author: Ovidiu Panait Date: Sun Dec 24 10:21:36 2023 +0200 crypto: sahara - do not resize req->src when doing hash operations [ Upstream commit a3c6f4f4d249cecaf2f34471aadbfb4f4ef57298 ] When testing sahara sha256 speed performance with tcrypt (mode=404) on imx53-qsrb board, multiple "Invalid numbers of src SG." errors are reported. This was traced to sahara_walk_and_recalc() resizing req->src and causing the subsequent dma_map_sg() call to fail. Now that the previous commit fixed sahara_sha_hw_links_create() to take into account the actual request size, rather than relying on sg->length values, the resize operation is no longer necessary. Therefore, remove sahara_walk_and_recalc() and simplify associated logic. Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") Signed-off-by: Ovidiu Panait Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit eae15c43beb61cbd2af8061908b11013b1040ebb Author: Ovidiu Panait Date: Sun Dec 24 10:21:35 2023 +0200 crypto: sahara - fix processing hash requests with req->nbytes < sg->length [ Upstream commit 7bafa74d1ba35dcc173e1ce915e983d65905f77e ] It's not always the case that the entire sg entry needs to be processed. Currently, when nbytes is less than sg->length, "Descriptor length" errors are encountered. To fix this, take the actual request size into account when populating the hw links. Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") Signed-off-by: Ovidiu Panait Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 6fc95767954ad847d9475de41ddff0dd07b2fe2f Author: Ovidiu Panait Date: Sun Dec 24 10:21:34 2023 +0200 crypto: sahara - improve error handling in sahara_sha_process() [ Upstream commit 5deff027fca49a1eb3b20359333cf2ae562a2343 ] sahara_sha_hw_data_descriptor_create() returns negative error codes on failure, so make sure the errors are correctly handled / propagated. Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") Signed-off-by: Ovidiu Panait Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 5834cafc1d203c84cb14bf2fec7808e33d32444d Author: Ovidiu Panait Date: Sun Dec 24 10:21:33 2023 +0200 crypto: sahara - fix wait_for_completion_timeout() error handling [ Upstream commit 2dba8e1d1a7957dcbe7888846268538847b471d1 ] The sg lists are not unmapped in case of timeout errors. Fix this. Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.") Signed-off-by: Ovidiu Panait Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 8b355e0478103ceaf54e3df0989cd0d6939b0836 Author: Ovidiu Panait Date: Sun Dec 24 10:21:32 2023 +0200 crypto: sahara - fix ahash reqsize [ Upstream commit efcb50f41740ac55e6ccc4986c1a7740e21c62b4 ] Set the reqsize for sha algorithms to sizeof(struct sahara_sha_reqctx), the extra space is not needed. Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") Signed-off-by: Ovidiu Panait Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit a75ba66b69046ed0c7035fcbacd889dca630fa1c Author: Ovidiu Panait Date: Sun Dec 24 10:21:31 2023 +0200 crypto: sahara - handle zero-length aes requests [ Upstream commit d1d6351e37aac14b32a291731d0855996c459d11 ] In case of a zero-length input, exit gracefully from sahara_aes_crypt(). Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.") Signed-off-by: Ovidiu Panait Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 0545801b3076d3fe6125329835ab8a41d34438ba Author: Ovidiu Panait Date: Fri Dec 1 19:06:25 2023 +0200 crypto: sahara - avoid skcipher fallback code duplication [ Upstream commit 01d70a4bbff20ea05cadb4c208841985a7cc6596 ] Factor out duplicated skcipher fallback handling code to a helper function sahara_aes_fallback(). Also, keep a single check if fallback is required in sahara_aes_crypt(). Signed-off-by: Ovidiu Panait Signed-off-by: Herbert Xu Stable-dep-of: d1d6351e37aa ("crypto: sahara - handle zero-length aes requests") Signed-off-by: Sasha Levin commit 635308e6042f8972d9c77dae6eef3bbac8808d79 Author: wangyangxin Date: Mon Dec 11 19:42:15 2023 +0800 crypto: virtio - Wait for tasklet to complete on device remove [ Upstream commit 67cc511e8d436456cc98033e6d4ba83ebfc8e672 ] The scheduled tasklet needs to be executed on device remove. Fixes: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet") Signed-off-by: wangyangxin Signed-off-by: Gonglei Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit d69d7804cf9e2ba171a27e5f98bc266f13d0414a Author: Osama Muhammad Date: Mon Nov 6 21:21:29 2023 +0500 gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump [ Upstream commit 8877243beafa7c6bfc42022cbfdf9e39b25bd4fa ] Syzkaller has reported a NULL pointer dereference when accessing rgd->rd_rgl in gfs2_rgrp_dump(). This can happen when creating rgd->rd_gl fails in read_rindex_entry(). Add a NULL pointer check in gfs2_rgrp_dump() to prevent that. Reported-and-tested-by: syzbot+da0fc229cc1ff4bb2e6d@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=da0fc229cc1ff4bb2e6d Fixes: 72244b6bc752 ("gfs2: improve debug information when lvb mismatches are found") Signed-off-by: Osama Muhammad Signed-off-by: Andreas Gruenbacher Signed-off-by: Sasha Levin commit caae86077dd335079d7809b2a753c9fea70d26cd Author: Christian Brauner Date: Wed Nov 22 12:17:37 2023 -0500 fs: indicate request originates from old mount API [ Upstream commit f67d922edb4e95a4a56d07d5d40a76dd4f23a85b ] We already communicate to filesystems when a remount request comes from the old mount API as some filesystems choose to implement different behavior in the new mount API than the old mount API to e.g., take the chance to fix significant API bugs. Allow the same for regular mount requests. Fixes: b330966f79fb ("fuse: reject options on reconfigure via fsconfig(2)") Reviewed-by: Christoph Hellwig Reviewed-by: Johannes Thumshirn Reviewed-by: Anand Jain Signed-off-by: Christian Brauner Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 9c285df949b5079368e65a5057228775ac533725 Author: Gao Xiang Date: Wed Nov 29 02:04:31 2023 +0800 erofs: fix memory leak on short-lived bounced pages [ Upstream commit 93d6fda7f926451a0fa1121b9558d75ca47e861e ] Both MicroLZMA and DEFLATE algorithms can use short-lived pages on demand for the overlapped inplace I/O decompression. However, those short-lived pages are actually added to `be->compressed_pages`. Thus, it should be checked instead of `pcl->compressed_bvecs`. The LZ4 algorithm doesn't work like this, so it won't be impacted. Fixes: 67139e36d970 ("erofs: introduce `z_erofs_parse_in_bvecs'") Reviewed-by: Yue Hu Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20231128180431.4116991-1-hsiangkao@linux.alibaba.com Signed-off-by: Sasha Levin commit 48dcfc42ce705b652c0619cb99846afc43029de9 Author: Sergey Shtylyov Date: Sun Nov 5 23:29:36 2023 +0300 pstore: ram_core: fix possible overflow in persistent_ram_init_ecc() [ Upstream commit 86222a8fc16ec517de8da2604d904c9df3a08e5d ] In persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return 64-bit value since persistent_ram_zone::buffer_size has type size_t which is derived from the 64-bit *unsigned long*, while the ecc_blocks variable this value gets assigned to has (always 32-bit) *int* type. Even if that value fits into *int* type, an overflow is still possible when calculating the size_t typed ecc_total variable further below since there's no cast to any 64-bit type before multiplication. Declaring the ecc_blocks variable as *size_t* should fix this mess... Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. Fixes: 9cc05ad97c57 ("staging: android: persistent_ram: refactor ecc support") Signed-off-by: Sergey Shtylyov Link: https://lore.kernel.org/r/20231105202936.25694-1-s.shtylyov@omp.ru Signed-off-by: Kees Cook Signed-off-by: Sasha Levin commit d7e4268a510b84faa2b357fae4fb54ab3d65cc10 Author: Zhiqi Song Date: Sat Dec 2 17:17:22 2023 +0800 crypto: hisilicon/zip - save capability registers in probe process [ Upstream commit 2ff0ad847951d61c2d8b309e1ccefb26c57dcc7b ] Pre-store the valid value of the zip alg support related capability register in hisi_zip_qm_init(), which will be called by hisi_zip_probe(). It can reduce the number of capability register queries and avoid obtaining incorrect values in abnormal scenarios, such as reset failed and the memory space disabled. Fixes: db700974b69d ("crypto: hisilicon/zip - support zip capability") Signed-off-by: Zhiqi Song Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit a384d7dc4e098dbc3a18c644ffe56f9275a109fd Author: Zhiqi Song Date: Sat Dec 2 17:17:21 2023 +0800 crypto: hisilicon/sec2 - save capability registers in probe process [ Upstream commit f1115b0096c3163592e04e74f5a7548c25bda957 ] Pre-store the valid value of the sec alg support related capability register in sec_qm_init(), which will be called by probe process. It can reduce the number of capability register queries and avoid obtaining incorrect values in abnormal scenarios, such as reset failed and the memory space disabled. Fixes: 921715b6b782 ("crypto: hisilicon/sec - get algorithm bitmap from registers") Signed-off-by: Zhiqi Song Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit fc6b944de141368126d54b7fac0fead700f96dc0 Author: Zhiqi Song Date: Sat Dec 2 17:17:20 2023 +0800 crypto: hisilicon/hpre - save capability registers in probe process [ Upstream commit cf8b5156bbc8c9376f699e8d35e9464b739e33ff ] Pre-store the valid value of hpre alg support related capability register in hpre_qm_init(), which will be called by hpre_probe(). It can reduce the number of capability register queries and avoid obtaining incorrect values in abnormal scenarios, such as reset failed and the memory space disabled. Fixes: f214d59a0603 ("crypto: hisilicon/hpre - support hpre capability") Signed-off-by: Zhiqi Song Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 4705731fc5fa147300bf1caf4afda74b13764dce Author: Wenkai Lin Date: Sat Dec 2 17:17:18 2023 +0800 crypto: hisilicon/qm - add a function to set qm algs [ Upstream commit f76f0d7f20672611974d3cc705996751fc403734 ] Extract a public function to set qm algs and remove the similar code for setting qm algs in each module. Signed-off-by: Wenkai Lin Signed-off-by: Hao Fang Signed-off-by: Zhiqi Song Signed-off-by: Herbert Xu Stable-dep-of: cf8b5156bbc8 ("crypto: hisilicon/hpre - save capability registers in probe process") Signed-off-by: Sasha Levin commit 11d7a339056612c1670a9615d3dfe627d54cfaee Author: Chenghai Huang Date: Fri Nov 24 13:49:24 2023 +0800 crypto: hisilicon/zip - add zip comp high perf mode configuration [ Upstream commit a9864bae1806499ebf3757a9e71dddde5b9c48c6 ] To meet specific application scenarios, the function of switching between the high performance mode and the high compression mode is added. Use the perf_mode=0/1 configuration to set the compression high perf mode, 0(default, high compression mode), 1(high performance mode). These two modes only apply to the compression direction and are compatible with software algorithm in both directions. Signed-off-by: Chenghai Huang Signed-off-by: Herbert Xu Stable-dep-of: cf8b5156bbc8 ("crypto: hisilicon/hpre - save capability registers in probe process") Signed-off-by: Sasha Levin commit 6412f039ac874352eb7ceab6c36462180c34b4e3 Author: Zhiqi Song Date: Sat Dec 2 17:17:19 2023 +0800 crypto: hisilicon/qm - save capability registers in qm init process [ Upstream commit cabe13d0bd2efb8dd50ed2310f57b33e1a69a0d4 ] In previous capability register implementation, qm irq related values were read from capability registers dynamically when needed. But in abnormal scenario, e.g. the core is timeout and the device needs to soft reset and reset failed after disabling the MSE, the device can not be removed normally, causing the following call trace: | Call trace: | pci_irq_vector+0xfc/0x140 | hisi_qm_uninit+0x278/0x3b0 [hisi_qm] | hpre_remove+0x16c/0x1c0 [hisi_hpre] | pci_device_remove+0x6c/0x264 | device_release_driver_internal+0x1ec/0x3e0 | device_release_driver+0x3c/0x60 | pci_stop_bus_device+0xfc/0x22c | pci_stop_and_remove_bus_device+0x38/0x70 | pci_iov_remove_virtfn+0x108/0x1c0 | sriov_disable+0x7c/0x1e4 | pci_disable_sriov+0x4c/0x6c | hisi_qm_sriov_disable+0x90/0x160 [hisi_qm] | hpre_remove+0x1a8/0x1c0 [hisi_hpre] | pci_device_remove+0x6c/0x264 | device_release_driver_internal+0x1ec/0x3e0 | driver_detach+0x168/0x2d0 | bus_remove_driver+0xc0/0x230 | driver_unregister+0x58/0xdc | pci_unregister_driver+0x40/0x220 | hpre_exit+0x34/0x64 [hisi_hpre] | __arm64_sys_delete_module+0x374/0x620 [...] | Call trace: | free_msi_irqs+0x25c/0x300 | pci_disable_msi+0x19c/0x264 | pci_free_irq_vectors+0x4c/0x70 | hisi_qm_pci_uninit+0x44/0x90 [hisi_qm] | hisi_qm_uninit+0x28c/0x3b0 [hisi_qm] | hpre_remove+0x16c/0x1c0 [hisi_hpre] | pci_device_remove+0x6c/0x264 [...] The reason for this call trace is that when the MSE is disabled, the value of capability registers in the BAR space become invalid. This will make the subsequent unregister process get the wrong irq vector through capability registers and get the wrong irq number by pci_irq_vector(). So add a capability table structure to pre-store the valid value of the irq information capability register in qm init process, avoid obtaining invalid capability register value after the MSE is disabled. Fixes: 3536cc55cada ("crypto: hisilicon/qm - support get device irq information from hardware registers") Signed-off-by: Zhiqi Song Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit d1f82d72104af95e46f0626ddf8d46cd42e46642 Author: Ovidiu Panait Date: Fri Dec 1 19:06:23 2023 +0200 crypto: sahara - fix error handling in sahara_hw_descriptor_create() [ Upstream commit ee6e6f0a7f5b39d50a5ef5fcc006f4f693db18a7 ] Do not call dma_unmap_sg() for scatterlists that were not mapped successfully. Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.") Signed-off-by: Ovidiu Panait Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 435303ad8a07e4d51c1b4bad998f5cfc3d9c29c1 Author: Ovidiu Panait Date: Fri Dec 1 19:06:22 2023 +0200 crypto: sahara - fix processing requests with cryptlen < sg->length [ Upstream commit 5b8668ce3452827d27f8c34ff6ba080a8f983ed0 ] It's not always the case that the entire sg entry needs to be processed. Currently, when cryptlen is less than sg->legth, "Descriptor length" errors are encountered. The error was noticed when testing xts(sahara-ecb-aes) with arbitrary sized input data. To fix this, take the actual request size into account when populating the hw links. Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.") Signed-off-by: Ovidiu Panait Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit e7e8fbfe6dd7372ff356551b722c34cf269c83a8 Author: Ovidiu Panait Date: Fri Dec 1 19:06:21 2023 +0200 crypto: sahara - fix ahash selftest failure [ Upstream commit afffcf3db98b9495114b79d5381f8cc3f69476fb ] update() calls should not modify the result buffer, so add an additional check for "rctx->last" to make sure that only the final hash value is copied into the buffer. Fixes the following selftest failure: alg: ahash: sahara-sha256 update() used result buffer on test vector 3, cfg="init+update+final aligned buffer" Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") Signed-off-by: Ovidiu Panait Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 1f912803623820e3fd9cd4c3f9c6b516b963485e Author: Ovidiu Panait Date: Fri Dec 1 19:06:20 2023 +0200 crypto: sahara - fix cbc selftest failure [ Upstream commit 9f10bc28c0fb676ae58aa3bfa358db8f5de124bb ] The kernel crypto API requires that all CBC implementations update the IV buffer to contain the last ciphertext block. This fixes the following cbc selftest error: alg: skcipher: sahara-cbc-aes encryption test failed (wrong output IV) on test vector 0, cfg="in-place (one sglist)" Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.") Signed-off-by: Ovidiu Panait Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit eecf2e1e0c5fc4ff34e10584f07671f09b518b29 Author: Ovidiu Panait Date: Fri Dec 1 19:06:19 2023 +0200 crypto: sahara - remove FLAGS_NEW_KEY logic [ Upstream commit 8fd183435728b139248a77978ea3732039341779 ] Remove the FLAGS_NEW_KEY logic as it has the following issues: - the wrong key may end up being used when there are multiple data streams: t1 t2 setkey() encrypt() setkey() encrypt() encrypt() <--- key from t2 is used - switching between encryption and decryption with the same key is not possible, as the hdr flags are only updated when a new setkey() is performed With this change, the key is always sent along with the cryptdata when performing encryption/decryption operations. Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.") Signed-off-by: Ovidiu Panait Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 4c0ac81a172a69a7733290915276672787e904ec Author: Nikita Zhandarovich Date: Fri Dec 1 04:49:29 2023 -0800 crypto: safexcel - Add error handling for dma_map_sg() calls [ Upstream commit 87e02063d07708cac5bfe9fd3a6a242898758ac8 ] Macro dma_map_sg() may return 0 on error. This patch enables checks in case of the macro failure and ensures unmapping of previously mapped buffers with dma_unmap_sg(). Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 49186a7d9e46 ("crypto: inside_secure - Avoid dma map if size is zero") Signed-off-by: Nikita Zhandarovich Reviewed-by: Antoine Tenart Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit d5d4dfc73bed7860f9574255e1ce1b3801ed0881 Author: Herbert Xu Date: Tue Nov 28 16:25:49 2023 +0800 crypto: af_alg - Disallow multiple in-flight AIO requests [ Upstream commit 67b164a871af1d736f131fd6fe78a610909f06f3 ] Having multiple in-flight AIO requests results in unpredictable output because they all share the same IV. Fix this by only allowing one request at a time. Fixes: 83094e5e9e49 ("crypto: af_alg - add async support to algif_aead") Fixes: a596999b7ddf ("crypto: algif - change algif_skcipher to be asynchronous") Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit f3a11fdd02b32e214e9477c5cd7a710654320641 Author: Dinghao Liu Date: Mon Nov 27 11:47:10 2023 +0800 crypto: ccp - fix memleak in ccp_init_dm_workarea [ Upstream commit a1c95dd5bc1d6a5d7a75a376c2107421b7d6240d ] When dma_map_single() fails, wa->address is supposed to be freed by the callers of ccp_init_dm_workarea() through ccp_dm_free(). However, many of the call spots don't expect to have to call ccp_dm_free() on failure of ccp_init_dm_workarea(), which may lead to a memleak. Let's free wa->address in ccp_init_dm_workarea() when dma_map_single() fails. Fixes: 63b945091a07 ("crypto: ccp - CCP device driver and interface support") Signed-off-by: Dinghao Liu Acked-by: Tom Lendacky Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit baa79033e17b3a6b7bf6bde63cee566d63a5f8a4 Author: Chen Ni Date: Mon Nov 27 02:03:01 2023 +0000 crypto: sa2ul - Return crypto_aead_setkey to transfer the error [ Upstream commit ce852f1308ac738e61c5b2502517deea593a1554 ] Return crypto_aead_setkey() in order to transfer the error if it fails. Fixes: d2c8ac187fc9 ("crypto: sa2ul - Add AEAD algorithm support") Signed-off-by: Chen Ni Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit ae4747dab2eab95a68bb2f6c7e904bff0424e1b1 Author: Gonglei (Arei) Date: Mon Nov 20 11:49:45 2023 +0000 crypto: virtio - Handle dataq logic with tasklet [ Upstream commit fed93fb62e05c38152b0fc1dc9609639e63eed76 ] Doing ipsec produces a spinlock recursion warning. This is due to crypto_finalize_request() being called in the upper half. Move virtual data queue processing of virtio-crypto driver to tasklet. Fixes: dbaf0624ffa57 ("crypto: add virtio-crypto driver") Reported-by: Halil Pasic Signed-off-by: wangyangxin Signed-off-by: Gonglei Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit e973b045c16272aaeb87e9a99e04ca2156bf17e8 Author: Mickaël Salaün Date: Wed Jan 3 17:34:15 2024 +0100 selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket [ Upstream commit bbf5a1d0e5d0fb3bdf90205aa872636122692a50 ] The IPv6 network stack first checks the sockaddr length (-EINVAL error) before checking the family (-EAFNOSUPPORT error). This was discovered thanks to commit a549d055a22e ("selftests/landlock: Add network tests"). Cc: Eric Paris Cc: Konstantin Meskhidze Cc: Paul Moore Cc: Stephen Smalley Reported-by: Muhammad Usama Anjum Closes: https://lore.kernel.org/r/0584f91c-537c-4188-9e4f-04f192565667@collabora.com Fixes: 0f8db8cc73df ("selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()") Signed-off-by: Mickaël Salaün Tested-by: Muhammad Usama Anjum Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 5389407bba1eab1266c6d83e226fb0840cb98dd5 Author: ZhaoLong Wang Date: Wed Dec 20 10:46:19 2023 +0800 mtd: Fix gluebi NULL pointer dereference caused by ftl notifier [ Upstream commit a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6 ] If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers NULL pointer dereference when trying to access ‘gluebi->desc’ in gluebi_read(). ubi_gluebi_init ubi_register_volume_notifier ubi_enumerate_volumes ubi_notify_all gluebi_notify nb->notifier_call() gluebi_create mtd_device_register mtd_device_parse_register add_mtd_device blktrans_notify_add not->add() ftl_add_mtd tr->add_mtd() scan_header mtd_read mtd_read_oob mtd_read_oob_std gluebi_read mtd->read() gluebi->desc - NULL Detailed reproduction information available at the Link [1], In the normal case, obtain gluebi->desc in the gluebi_get_device(), and access gluebi->desc in the gluebi_read(). However, gluebi_get_device() is not executed in advance in the ftl_add_mtd() process, which leads to NULL pointer dereference. The solution for the gluebi module is to run jffs2 on the UBI volume without considering working with ftl or mtdblock [2]. Therefore, this problem can be avoided by preventing gluebi from creating the mtdblock device after creating mtd partition of the type MTD_UBIVOLUME. Fixes: 2ba3d76a1e29 ("UBI: make gluebi a separate module") Link: https://bugzilla.kernel.org/show_bug.cgi?id=217992 [1] Link: https://lore.kernel.org/lkml/441107100.23734.1697904580252.JavaMail.zimbra@nod.at/ [2] Signed-off-by: ZhaoLong Wang Reviewed-by: Zhihao Cheng Acked-by: Richard Weinberger Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20231220024619.2138625-1-wangzhaolong1@huawei.com Signed-off-by: Sasha Levin commit 030a1147eda8f457c67a48384989459cdf8d9291 Author: Richard Fitzgerald Date: Mon Oct 30 10:47:58 2023 +0000 kunit: debugfs: Fix unchecked dereference in debugfs_print_results() [ Upstream commit 34dfd5bb2e5507e69d9b6d6c90f546600c7a4977 ] Move the call to kunit_suite_has_succeeded() after the check that the kunit_suite pointer is valid. This was found by smatch: lib/kunit/debugfs.c:66 debugfs_print_results() warn: variable dereferenced before check 'suite' (see line 63) Signed-off-by: Richard Fitzgerald Reported-by: Dan Carpenter Fixes: 38289a26e1b8 ("kunit: fix debugfs code to use enum kunit_status, not bool") Reviewed-by: Rae Moar Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit b841208b7e85517a99f8b52a10d1fb5cdfcddc70 Author: Tony Luck Date: Tue Dec 12 13:22:39 2023 -0800 ACPI: extlog: Clear Extended Error Log status when RAS_CEC handled the error [ Upstream commit 38c872a9e96f72f2947affc0526cc05659367d3d ] When both CONFIG_RAS_CEC and CONFIG_ACPI_EXTLOG are enabled, Linux does not clear the status word of the BIOS supplied error record for corrected errors. This may prevent logging of subsequent uncorrected errors. Fix by clearing the status. Fixes: 23ba710a0864 ("x86/mce: Fix all mce notifiers to update the mce->kflags bitmask") Reported-by: Erwin Tsaur Signed-off-by: Tony Luck Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit b412c486a35896266a5021af979422a16d20fa15 Author: Andy Shevchenko Date: Mon Dec 11 13:14:29 2023 +0200 ACPI: LPSS: Fix the fractional clock divider flags [ Upstream commit 3ebccf1d1ca74bbb78e6f8c38d1d172e468d91f8 ] The conversion to CLK_FRAC_DIVIDER_POWER_OF_TWO_PS uses wrong flags in the parameters and hence miscalculates the values in the clock divider. Fix this by applying the flag to the proper parameter. Fixes: 82f53f9ee577 ("clk: fractional-divider: Introduce POWER_OF_TWO_PS flag") Reported-by: Alex Vinarskis Signed-off-by: Andy Shevchenko Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 5980041cba21b094c231fd95d0e4074d2fb7256a Author: Wolfram Sang Date: Tue Dec 12 09:12:38 2023 +0100 spi: sh-msiof: Enforce fixed DTDL for R-Car H3 [ Upstream commit e5c7bcb499840551cfbe85c6df177ebc50432bf0 ] Documentation says only DTDL of 200 is allowed for this SoC. Fixes: 4286db8456f4 ("spi: sh-msiof: Add R-Car Gen 2 and 3 fallback bindings") Signed-off-by: Wolfram Sang Reviewed-by: Geert Uytterhoeven Reviewed-by: Yoshihiro Shimoda Link: https://msgid.link/r/20231212081239.14254-1-wsa+renesas@sang-engineering.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ea6b597fcaca99562fa56a473bcbbbd79b40af03 Author: Ard Biesheuvel Date: Fri Dec 8 17:39:28 2023 +0100 efivarfs: Free s_fs_info on unmount [ Upstream commit 547713d502f7b4b8efccd409cff84d731a23853b ] Now that we allocate a s_fs_info struct on fs context creation, we should ensure that we free it again when the superblock goes away. Fixes: 5329aa5101f7 ("efivarfs: Add uid/gid mount options") Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit d4a9aa7db574a0da64307729cc031fb68597aa8b Author: Ilias Apalodimas Date: Tue Nov 7 14:40:56 2023 +0900 efivarfs: force RO when remounting if SetVariable is not supported [ Upstream commit 0e8d2444168dd519fea501599d150e62718ed2fe ] If SetVariable at runtime is not supported by the firmware we never assign a callback for that function. At the same time mount the efivarfs as RO so no one can call that. However, we never check the permission flags when someone remounts the filesystem as RW. As a result this leads to a crash looking like this: $ mount -o remount,rw /sys/firmware/efi/efivars $ efi-updatevar -f PK.auth PK [ 303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 303.280482] Mem abort info: [ 303.280854] ESR = 0x0000000086000004 [ 303.281338] EC = 0x21: IABT (current EL), IL = 32 bits [ 303.282016] SET = 0, FnV = 0 [ 303.282414] EA = 0, S1PTW = 0 [ 303.282821] FSC = 0x04: level 0 translation fault [ 303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000 [ 303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 [ 303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP [ 303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6 [ 303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1 [ 303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023 [ 303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 303.292123] pc : 0x0 [ 303.292443] lr : efivar_set_variable_locked+0x74/0xec [ 303.293156] sp : ffff800008673c10 [ 303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000 [ 303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027 [ 303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000 [ 303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000 [ 303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54 [ 303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4 [ 303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002 [ 303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201 [ 303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc [ 303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000 [ 303.303341] Call trace: [ 303.303679] 0x0 [ 303.303938] efivar_entry_set_get_size+0x98/0x16c [ 303.304585] efivarfs_file_write+0xd0/0x1a4 [ 303.305148] vfs_write+0xc4/0x2e4 [ 303.305601] ksys_write+0x70/0x104 [ 303.306073] __arm64_sys_write+0x1c/0x28 [ 303.306622] invoke_syscall+0x48/0x114 [ 303.307156] el0_svc_common.constprop.0+0x44/0xec [ 303.307803] do_el0_svc+0x38/0x98 [ 303.308268] el0_svc+0x2c/0x84 [ 303.308702] el0t_64_sync_handler+0xf4/0x120 [ 303.309293] el0t_64_sync+0x190/0x194 [ 303.309794] Code: ???????? ???????? ???????? ???????? (????????) [ 303.310612] ---[ end trace 0000000000000000 ]--- Fix this by adding a .reconfigure() function to the fs operations which we can use to check the requested flags and deny anything that's not RO if the firmware doesn't implement SetVariable at runtime. Fixes: f88814cc2578 ("efi/efivars: Expose RT service availability via efivars abstraction") Signed-off-by: Ilias Apalodimas Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit 321b3a5592c8a9d6b654c7c64833ea67dbb33149 Author: Gavrilov Ilia Date: Thu Nov 23 09:25:54 2023 +0000 calipso: fix memory leak in netlbl_calipso_add_pass() [ Upstream commit ec4e9d630a64df500641892f4e259e8149594a99 ] If IPv6 support is disabled at boot (ipv6.disable=1), the calipso_init() -> netlbl_calipso_ops_register() function isn't called, and the netlbl_calipso_ops_get() function always returns NULL. In this case, the netlbl_calipso_add_pass() function allocates memory for the doi_def variable but doesn't free it with the calipso_doi_free(). BUG: memory leak unreferenced object 0xffff888011d68180 (size 64): comm "syz-executor.1", pid 10746, jiffies 4295410986 (age 17.928s) hex dump (first 32 bytes): 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<...>] kmalloc include/linux/slab.h:552 [inline] [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline] [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111 [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739 [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800 [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515 [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811 [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339 [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934 [<...>] sock_sendmsg_nosec net/socket.c:651 [inline] [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671 [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342 [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396 [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429 [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller Fixes: cb72d38211ea ("netlabel: Initial support for the CALIPSO netlink protocol.") Signed-off-by: Gavrilov Ilia [PM: merged via the LSM tree at Jakub Kicinski request] Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 71f47a52baef1aea08199895661d6dd973ea048c Author: Alexandra Diupina Date: Tue Dec 5 18:12:20 2023 +0300 cpufreq: scmi: process the result of devm_of_clk_add_hw_provider() [ Upstream commit c4a5118a3ae1eadc687d84eef9431f9e13eb015c ] devm_of_clk_add_hw_provider() may return an errno, so add a return value check Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 8410e7f3b31e ("cpufreq: scmi: Fix OPP addition failure with a dummy clock provider") Signed-off-by: Alexandra Diupina Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 04fc66dd2be4fa69b741a0ba8e2fa7e0a0cccd22 Author: Rob Herring Date: Fri Mar 10 08:47:02 2023 -0600 cpufreq: Use of_property_present() for testing DT property presence [ Upstream commit b8f3a396a7ee43e6079176cc0fb8de2b95a23681 ] It is preferred to use typed property access functions (i.e. of_property_read_ functions) rather than low-level of_get_property/of_find_property functions for reading properties. As part of this, convert of_get_property/of_find_property calls to the recently added of_property_present() helper when we just want to test for presence of a property and nothing more. Signed-off-by: Rob Herring Signed-off-by: Viresh Kumar Stable-dep-of: c4a5118a3ae1 ("cpufreq: scmi: process the result of devm_of_clk_add_hw_provider()") Signed-off-by: Sasha Levin commit 79de65ac39d75ef68062d6a1fd0d719015af0898 Author: Rob Herring Date: Thu Feb 9 15:35:01 2023 -0600 of: Add of_property_present() helper [ Upstream commit 9cbad37ce8122de32a1529e394b468bc101c9e7f ] Add an of_property_present() function similar to fwnode_property_present(). of_property_read_bool() could be used directly, but it is cleaner to not use it on non-boolean properties. Reviewed-by: Frank Rowand Tested-by: Frank Rowand Link: https://lore.kernel.org/all/20230215215547.691573-1-robh@kernel.org/ Signed-off-by: Rob Herring Stable-dep-of: c4a5118a3ae1 ("cpufreq: scmi: process the result of devm_of_clk_add_hw_provider()") Signed-off-by: Sasha Levin commit 426710a2bc2f71aefecf498d1a66f4a581e3e804 Author: David E. Box Date: Wed Nov 29 14:21:13 2023 -0800 platform/x86/intel/vsec: Fix xa_alloc memory leak [ Upstream commit 8cbcc1dbf8a62c730fadd60de761e0658547a589 ] Commit 936874b77dd0 ("platform/x86/intel/vsec: Add PCI error recovery support to Intel PMT") added an xarray to track the list of vsec devices to be recovered after a PCI error. But it did not provide cleanup for the list leading to a memory leak that was caught by kmemleak. Do xa_alloc() before devm_add_action_or_reset() so that the list may be cleaned up with xa_erase() in the release function. Fixes: 936874b77dd0 ("platform/x86/intel/vsec: Add PCI error recovery support to Intel PMT") Signed-off-by: David E. Box Reviewed-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20231129222132.2331261-2-david.e.box@linux.intel.com [hdegoede@redhat.com: Add missing xa_erase() on error-exit Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 0ff5cd92bbd5d0afc39a067a114b4f884117c3a0 Author: Srinivas Pandruvada Date: Tue Feb 7 04:58:21 2023 -0800 platform/x86/intel/vsec: Use mutex for ida_alloc() and ida_free() [ Upstream commit 9a90ea7d378486aa358330dafc7e8c3b27de4d84 ] ID alloc and free functions don't have in built protection for parallel invocation of ida_alloc() and ida_free(). With the current flow in the vsec driver, there is no such scenario. But add mutex protection for potential future changes. Suggested-by: Hans de Goede Signed-off-by: Srinivas Pandruvada Link: https://lore.kernel.org/r/20230207125821.3837799-1-srinivas.pandruvada@linux.intel.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Stable-dep-of: 8cbcc1dbf8a6 ("platform/x86/intel/vsec: Fix xa_alloc memory leak") Signed-off-by: Sasha Levin commit 1fa4a1e1258d1f45d34f153277f998915a61a264 Author: Srinivas Pandruvada Date: Wed Feb 1 17:07:34 2023 -0800 platform/x86/intel/vsec: Support private data [ Upstream commit 4ec5d0231d2e4aebe41152d57c6b4f1e7ea14f08 ] Add fields to struct intel_vsec_device, so that core module (which creates aux bus devices) can pass private data to the client drivers. For example there is one vsec device instance per CPU package. On a multi package system, this private data can be used to pass the package ID. This package id can be used by client drivers to change power settings for a specific CPU package by targeting MMIO space of the correct PCI device. Signed-off-by: Srinivas Pandruvada Acked-by: David E. Box Link: https://lore.kernel.org/r/20230202010738.2186174-4-srinivas.pandruvada@linux.intel.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Stable-dep-of: 8cbcc1dbf8a6 ("platform/x86/intel/vsec: Fix xa_alloc memory leak") Signed-off-by: Sasha Levin commit 3c48b2a7ce497db52d73bcc16e9001943ea745b3 Author: Srinivas Pandruvada Date: Wed Feb 1 17:07:33 2023 -0800 platform/x86/intel/vsec: Enhance and Export intel_vsec_add_aux() [ Upstream commit 251a41116aebdbb7ff00fbc635b1c1a0f08119e6 ] Remove static for intel_vsec_add_aux() and export this interface so that it can be used by other vsec related modules. This driver creates aux devices by parsing PCI-VSEC, which allows individual drivers to load on those devices. Those driver may further create more devices on aux bus by parsing the PCI MMIO region. For example, TPMI (Topology Aware Register and PM Capsule Interface) creates device nodes for power management features by parsing MMIO region. When TPMI driver creates devices, it can reuse existing function intel_vsec_add_aux() to create aux devices with TPMI device as the parent. Signed-off-by: Srinivas Pandruvada Acked-by: David E. Box Link: https://lore.kernel.org/r/20230202010738.2186174-3-srinivas.pandruvada@linux.intel.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Stable-dep-of: 8cbcc1dbf8a6 ("platform/x86/intel/vsec: Fix xa_alloc memory leak") Signed-off-by: Sasha Levin commit c25f1555e03ac877d09c05f3b6235ff8fe827ec1 Author: Chen Ni Date: Wed Nov 8 07:36:27 2023 +0000 KEYS: encrypted: Add check for strsep [ Upstream commit b4af096b5df5dd131ab796c79cedc7069d8f4882 ] Add check for strsep() in order to transfer the error. Fixes: cd3bc044af48 ("KEYS: encrypted: Instantiate key with user-provided decrypted data") Signed-off-by: Chen Ni Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit 72222dfd76a79d9666ab3117fcdd44ca8cd0c4de Author: Nikita Kiryushin Date: Thu Nov 9 21:08:59 2023 +0300 ACPI: LPIT: Avoid u32 multiplication overflow [ Upstream commit 56d2eeda87995245300836ee4dbd13b002311782 ] In lpit_update_residency() there is a possibility of overflow in multiplication, if tsc_khz is large enough (> UINT_MAX/1000). Change multiplication to mul_u32_u32(). Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: eeb2d80d502a ("ACPI / LPIT: Add Low Power Idle Table (LPIT) support") Signed-off-by: Nikita Kiryushin Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 2124c5bc22948fc4d09a23db4a8acdccc7d21e95 Author: Nikita Kiryushin Date: Thu Nov 9 16:49:25 2023 +0300 ACPI: video: check for error while searching for backlight device parent [ Upstream commit ccd45faf4973746c4f30ea41eec864e5cf191099 ] If acpi_get_parent() called in acpi_video_dev_register_backlight() fails, for example, because acpi_ut_acquire_mutex() fails inside acpi_get_parent), this can lead to incorrect (uninitialized) acpi_parent handle being passed to acpi_get_pci_dev() for detecting the parent pci device. Check acpi_get_parent() result and set parent device only in case of success. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9661e92c10a9 ("acpi: tie ACPI backlight devices to PCI devices if possible") Signed-off-by: Nikita Kiryushin Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 08f7142e224fd9308eb19d7f1072e39586b9af8f Author: Ronald Monthero Date: Sat Nov 18 18:31:51 2023 +1000 mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller response [ Upstream commit 923fb6238cb3ac529aa2bf13b3b1e53762186a8b ] Under heavy load it is likely that the controller is done with its own task but the thread unlocking the wait is not scheduled in time. Increasing IFC_TIMEOUT_MSECS allows the controller to respond within allowable timeslice of 1 sec. fsl,ifc-nand 7e800000.nand: Controller is not responding [<804b2047>] (nand_get_device) from [<804b5335>] (nand_write_oob+0x1b/0x4a) [<804b5335>] (nand_write_oob) from [<804a3585>] (mtd_write+0x41/0x5c) [<804a3585>] (mtd_write) from [<804c1d47>] (ubi_io_write+0x17f/0x22c) [<804c1d47>] (ubi_io_write) from [<804c047b>] (ubi_eba_write_leb+0x5b/0x1d0) Fixes: 82771882d960 ("NAND Machine support for Integrated Flash Controller") Reviewed-by: Miquel Raynal Reviewed-by: Andy Shevchenko Signed-off-by: Ronald Monthero Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20231118083156.776887-1-debug.penguin32@gmail.com Signed-off-by: Sasha Levin commit a35ab02c85c11d3db6d291a715c634a758843d56 Author: Amit Kumar Mahapatra Date: Mon Nov 6 20:23:55 2023 +0530 spi: spi-zynqmp-gqspi: fix driver kconfig dependencies [ Upstream commit 424a8166764e462258fdccaaefbdeb07517c8b21 ] ZynqMP GQSPI driver no longer uses spi-master framework. It had been converted to use spi-mem framework. So remove driver dependency from spi-master and replace it with spi-mem. Fixes: 1c26372e5aa9 ("spi: spi-zynqmp-gqspi: Update driver to use spi-mem framework") Signed-off-by: Amit Kumar Mahapatra Signed-off-by: Radhey Shyam Pandey Link: https://lore.kernel.org/r/1699282435-884917-1-git-send-email-radhey.shyam.pandey@amd.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a2da3f9b1a1019c887ee1d164475a8fcdb0a3fec Author: Kunwu Chan Date: Sun Nov 26 17:37:19 2023 +0800 powerpc/imc-pmu: Add a null pointer check in update_events_in_group() [ Upstream commit 0a233867a39078ebb0f575e2948593bbff5826b3 ] kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Fixes: 885dcd709ba9 ("powerpc/perf: Add nest IMC PMU support") Signed-off-by: Kunwu Chan Signed-off-by: Michael Ellerman Link: https://msgid.link/20231126093719.1440305-1-chentao@kylinos.cn Signed-off-by: Sasha Levin commit f152a6bfd187f67afeffc9fd68cbe46f51439be0 Author: Kunwu Chan Date: Sun Nov 26 17:57:39 2023 +0800 powerpc/powernv: Add a null pointer check in opal_powercap_init() [ Upstream commit e123015c0ba859cf48aa7f89c5016cc6e98e018d ] kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Fixes: b9ef7b4b867f ("powerpc: Convert to using %pOFn instead of device_node.name") Signed-off-by: Kunwu Chan Signed-off-by: Michael Ellerman Link: https://msgid.link/20231126095739.1501990-1-chentao@kylinos.cn Signed-off-by: Sasha Levin commit 9a523e1da6d88c2034f946adfa4f74b236c95ca9 Author: Kunwu Chan Date: Mon Nov 27 11:07:55 2023 +0800 powerpc/powernv: Add a null pointer check in opal_event_init() [ Upstream commit 8649829a1dd25199bbf557b2621cedb4bf9b3050 ] kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Fixes: 2717a33d6074 ("powerpc/opal-irqchip: Use interrupt names if present") Signed-off-by: Kunwu Chan Signed-off-by: Michael Ellerman Link: https://msgid.link/20231127030755.1546750-1-chentao@kylinos.cn Signed-off-by: Sasha Levin commit ed8d023cfa97b559db58c0e1afdd2eec7a83d8f2 Author: Kunwu Chan Date: Fri Dec 8 16:59:37 2023 +0800 powerpc/powernv: Add a null pointer check to scom_debug_init_one() [ Upstream commit 9a260f2dd827bbc82cc60eb4f4d8c22707d80742 ] kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Add a null pointer check, and release 'ent' to avoid memory leaks. Fixes: bfd2f0d49aef ("powerpc/powernv: Get rid of old scom_controller abstraction") Signed-off-by: Kunwu Chan Signed-off-by: Michael Ellerman Link: https://msgid.link/20231208085937.107210-1-chentao@kylinos.cn Signed-off-by: Sasha Levin commit 327d4f2d667661baaf9387fb8e987da864621f92 Author: Michael Ellerman Date: Wed Nov 29 00:27:44 2023 +1100 selftests/powerpc: Fix error handling in FPU/VMX preemption tests [ Upstream commit 9dbd5927408c4a0707de73ae9dd9306b184e8fee ] The FPU & VMX preemption tests do not check for errors returned by the low-level asm routines, preempt_fpu() / preempt_vsx() respectively. That means any register corruption detected by the asm routines does not result in a test failure. Fix it by returning the return value of the asm routines from the pthread child routines. Fixes: e5ab8be68e44 ("selftests/powerpc: Test preservation of FPU and VMX regs across preemption") Signed-off-by: Michael Ellerman Link: https://msgid.link/20231128132748.1990179-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 026fd977dc50ff4a5e09bfb0603557f104d3f3a0 Author: Nathan Lynch Date: Tue Nov 14 11:01:53 2023 -0600 powerpc/pseries/memhp: Fix access beyond end of drmem array [ Upstream commit bd68ffce69f6cf8ddd3a3c32549d1d2275e49fc5 ] dlpar_memory_remove_by_index() may access beyond the bounds of the drmem lmb array when the LMB lookup fails to match an entry with the given DRC index. When the search fails, the cursor is left pointing to &drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the last valid entry in the array. The debug message at the end of the function then dereferences this pointer: pr_debug("Failed to hot-remove memory at %llx\n", lmb->base_addr); This was found by inspection and confirmed with KASAN: pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234 ================================================================== BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658 Read of size 8 at addr c000000364e97fd0 by task bash/949 dump_stack_lvl+0xa4/0xfc (unreliable) print_report+0x214/0x63c kasan_report+0x140/0x2e0 __asan_load8+0xa8/0xe0 dlpar_memory+0x298/0x1658 handle_dlpar_errorlog+0x130/0x1d0 dlpar_store+0x18c/0x3e0 kobj_attr_store+0x68/0xa0 sysfs_kf_write+0xc4/0x110 kernfs_fop_write_iter+0x26c/0x390 vfs_write+0x2d4/0x4e0 ksys_write+0xac/0x1a0 system_call_exception+0x268/0x530 system_call_vectored_common+0x15c/0x2ec Allocated by task 1: kasan_save_stack+0x48/0x80 kasan_set_track+0x34/0x50 kasan_save_alloc_info+0x34/0x50 __kasan_kmalloc+0xd0/0x120 __kmalloc+0x8c/0x320 kmalloc_array.constprop.0+0x48/0x5c drmem_init+0x2a0/0x41c do_one_initcall+0xe0/0x5c0 kernel_init_freeable+0x4ec/0x5a0 kernel_init+0x30/0x1e0 ret_from_kernel_user_thread+0x14/0x1c The buggy address belongs to the object at c000000364e80000 which belongs to the cache kmalloc-128k of size 131072 The buggy address is located 0 bytes to the right of allocated 98256-byte region [c000000364e80000, c000000364e97fd0) ================================================================== pseries-hotplug-mem: Failed to hot-remove memory at 0 Log failed lookups with a separate message and dereference the cursor only when it points to a valid entry. Signed-off-by: Nathan Lynch Fixes: 51925fb3c5c9 ("powerpc/pseries: Implement memory hotplug remove in the kernel") Signed-off-by: Michael Ellerman Link: https://msgid.link/20231114-pseries-memhp-fixes-v1-1-fb8f2bb7c557@linux.ibm.com Signed-off-by: Sasha Levin commit 63df75d38342b5d7c16f7ea769d4d268e74c849e Author: Randy Dunlap Date: Thu Nov 30 21:51:59 2023 -0800 powerpc/44x: select I2C for CURRITUCK [ Upstream commit 4a74197b65e69c46fe6e53f7df2f4d6ce9ffe012 ] Fix build errors when CURRITUCK=y and I2C is not builtin (=m or is not set). Fixes these build errors: powerpc-linux-ld: arch/powerpc/platforms/44x/ppc476.o: in function `avr_halt_system': ppc476.c:(.text+0x58): undefined reference to `i2c_smbus_write_byte_data' powerpc-linux-ld: arch/powerpc/platforms/44x/ppc476.o: in function `ppc47x_device_probe': ppc476.c:(.init.text+0x18): undefined reference to `i2c_register_driver' Fixes: 2a2c74b2efcb ("IBM Akebono: Add the Akebono platform") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Closes: lore.kernel.org/r/202312010820.cmdwF5X9-lkp@intel.com Signed-off-by: Michael Ellerman Link: https://msgid.link/20231201055159.8371-1-rdunlap@infradead.org Signed-off-by: Sasha Levin commit 2fc51c4b7dd296ea71c174c800e591d4a5610b4a Author: Masahiro Yamada Date: Tue Nov 21 08:23:32 2023 +0900 powerpc: add crtsavres.o to always-y instead of extra-y [ Upstream commit 1b1e38002648819c04773647d5242990e2824264 ] crtsavres.o is linked to modules. However, as explained in commit d0e628cd817f ("kbuild: doc: clarify the difference between extra-y and always-y"), 'make modules' does not build extra-y. For example, the following command fails: $ make ARCH=powerpc LLVM=1 KBUILD_MODPOST_WARN=1 mrproper ps3_defconfig modules [snip] LD [M] arch/powerpc/platforms/cell/spufs/spufs.ko ld.lld: error: cannot open arch/powerpc/lib/crtsavres.o: No such file or directory make[3]: *** [scripts/Makefile.modfinal:56: arch/powerpc/platforms/cell/spufs/spufs.ko] Error 1 make[2]: *** [Makefile:1844: modules] Error 2 make[1]: *** [/home/masahiro/workspace/linux-kbuild/Makefile:350: __build_one_by_one] Error 2 make: *** [Makefile:234: __sub-make] Error 2 Signed-off-by: Masahiro Yamada Fixes: baa25b571a16 ("powerpc/64: Do not link crtsavres.o in vmlinux") Reviewed-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://msgid.link/20231120232332.4100288-1-masahiroy@kernel.org Signed-off-by: Sasha Levin commit 16b88e68b85d5520c28498bb847358ff6300cb90 Author: Masahiro Yamada Date: Thu Jan 19 17:22:50 2023 +0900 powerpc: remove checks for binutils older than 2.25 [ Upstream commit 54a11654de163994e32b24e3aa90ef81f4a3184d ] Commit e4412739472b ("Documentation: raise minimum supported version of binutils to 2.25") allows us to remove the checks for old binutils. There is no more user for ld-ifversion. Remove it as well. Signed-off-by: Masahiro Yamada Reviewed-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://msgid.link/20230119082250.151485-1-masahiroy@kernel.org Stable-dep-of: 1b1e38002648 ("powerpc: add crtsavres.o to always-y instead of extra-y") Signed-off-by: Sasha Levin commit 9dbac9fdae6e3b411fc4c3fca3bf48f70609c398 Author: Arnd Bergmann Date: Wed Nov 22 23:19:53 2023 +0100 EDAC/thunderx: Fix possible out-of-bounds string access [ Upstream commit 475c58e1a471e9b873e3e39958c64a2d278275c8 ] Enabling -Wstringop-overflow globally exposes a warning for a common bug in the usage of strncat(): drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr': drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=] 1136 | strncat(msg, other, OCX_MESSAGE_SIZE); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ... 1145 | strncat(msg, other, OCX_MESSAGE_SIZE); ... 1150 | strncat(msg, other, OCX_MESSAGE_SIZE); ... Apparently the author of this driver expected strncat() to behave the way that strlcat() does, which uses the size of the destination buffer as its third argument rather than the length of the source buffer. The result is that there is no check on the size of the allocated buffer. Change it to strlcat(). [ bp: Trim compiler output, fixup commit message. ] Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver") Signed-off-by: Arnd Bergmann Signed-off-by: Borislav Petkov (AMD) Reviewed-by: Gustavo A. R. Silva Link: https://lore.kernel.org/r/20231122222007.3199885-1-arnd@kernel.org Signed-off-by: Sasha Levin commit c9275305d61aed0ca5ce742be9ada3328033c5be Author: Yazen Ghannam Date: Sat Nov 18 13:32:29 2023 -0600 x86/mce/inject: Clear test status value [ Upstream commit 6175b407756b22e7fdc771181b7d832ebdedef5c ] AMD systems generally allow MCA "simulation" where MCA registers can be written with valid data and the full MCA handling flow can be tested by software. However, the platform on Scalable MCA systems, can prevent software from writing data to the MCA registers. There is no architectural way to determine this configuration. Therefore, the MCE injection module will check for this behavior by writing and reading back a test status value. This is done during module init, and the check can run on any CPU with any valid MCA bank. If MCA_STATUS writes are ignored by the platform, then there are no side effects on the hardware state. If the writes are not ignored, then the test status value will remain in the hardware MCA_STATUS register. It is likely that the value will not be overwritten by hardware or software, since the tested CPU and bank are arbitrary. Therefore, the user may see a spurious, synthetic MCA error reported whenever MCA is polled for this CPU. Clear the test value immediately after writing it. It is very unlikely that a valid MCA error is logged by hardware during the test. Errors that cause an #MC won't be affected. Fixes: 891e465a1bd8 ("x86/mce: Check whether writes to MCA_STATUS are getting ignored") Signed-off-by: Yazen Ghannam Signed-off-by: Borislav Petkov (AMD) Link: https://lore.kernel.org/r/20231118193248.1296798-2-yazen.ghannam@amd.com Signed-off-by: Sasha Levin commit 0be645792c117aeece953684cc4b841c660ecde5 Author: Colin Ian King Date: Thu Nov 2 17:49:01 2023 +0000 x86/lib: Fix overflow when counting digits [ Upstream commit a24d61c609813963aacc9f6ec8343f4fcaac7243 ] tl;dr: The num_digits() function has a theoretical overflow issue. But it doesn't affect any actual in-tree users. Fix it by using a larger type for one of the local variables. Long version: There is an overflow in variable m in function num_digits when val is >= 1410065408 which leads to the digit calculation loop to iterate more times than required. This results in either more digits being counted or in some cases (for example where val is 1932683193) the value of m eventually overflows to zero and the while loop spins forever). Currently the function num_digits is currently only being used for small values of val in the SMP boot stage for digit counting on the number of cpus and NUMA nodes, so the overflow is never encountered. However it is useful to fix the overflow issue in case the function is used for other purposes in the future. (The issue was discovered while investigating the digit counting performance in various kernel helper functions rather than any real-world use-case). The simplest fix is to make m a long long, the overhead in multiplication speed for a long long is very minor for small values of val less than 10000 on modern processors. The alternative fix is to replace the multiplication with a constant division by 10 loop (this compiles down to an multiplication and shift) without needing to make m a long long, but this is slightly slower than the fix in this commit when measured on a range of x86 processors). [ dhansen: subject and changelog tweaks ] Fixes: 646e29a1789a ("x86: Improve the printout of the SMP bootup CPU table") Signed-off-by: Colin Ian King Signed-off-by: Dave Hansen Link: https://lore.kernel.org/all/20231102174901.2590325-1-colin.i.king%40gmail.com Signed-off-by: Sasha Levin