LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH 5.15 000/917] 5.15.3-rc1 review
@ 2021-11-15 16:51 Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 001/917] xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good delay Greg Kroah-Hartman
` (919 more replies)
0 siblings, 920 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, stable
This is the start of the stable review cycle for the 5.15.3 release.
There are 917 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 17 Nov 2021 16:52:23 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.3-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 5.15.3-rc1
Mario Limonciello <mario.limonciello@amd.com>
drm/amd/display: Look at firmware version to determine using dmub on dcn21
Trond Myklebust <trond.myklebust@hammerspace.com>
SUNRPC: Partial revert of commit 6f9f17287e78
Pali Rohár <pali@kernel.org>
PCI: aardvark: Fix PCIe Max Payload Size setting
Pali Rohár <pali@kernel.org>
PCI: Add PCI_EXP_DEVCTL_PAYLOAD_* macros
Jernej Skrabec <jernej.skrabec@gmail.com>
drm/sun4i: Fix macros in sun8i_csc.h
Xiaoming Ni <nixiaoming@huawei.com>
powerpc/85xx: fix timebase sync issue when CONFIG_HOTPLUG_CPU=n
Nathan Lynch <nathanl@linux.ibm.com>
powerpc/pseries/mobility: ignore ibm, platform-facilities updates
Nicholas Piggin <npiggin@gmail.com>
powerpc/64s/interrupt: Fix check_return_regs_valid() false positive
Russell Currey <ruscur@russell.cc>
powerpc/security: Use a mutex for interrupt exit code patching
Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
powerpc/powernv/prd: Unregister OPAL_MSG_PRD2 notifier during module unload
Nicholas Piggin <npiggin@gmail.com>
powerpc/32e: Ignore ESR in instruction storage interrupt handler
Hari Bathini <hbathini@linux.ibm.com>
powerpc/bpf: Fix write protecting JIT code
Gustavo A. R. Silva <gustavoars@kernel.org>
powerpc/vas: Fix potential NULL pointer dereference
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: rawnand: au1550nd: Keep the driver compatible with on-die ECC engines
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: rawnand: plat_nand: Keep the driver compatible with on-die ECC engines
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: rawnand: orion: Keep the driver compatible with on-die ECC engines
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: rawnand: pasemi: Keep the driver compatible with on-die ECC engines
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: rawnand: gpio: Keep the driver compatible with on-die ECC engines
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: rawnand: mpc5121: Keep the driver compatible with on-die ECC engines
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: rawnand: xway: Keep the driver compatible with on-die ECC engines
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: rawnand: ams-delta: Keep the driver compatible with on-die ECC engines
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: rawnand: fsmc: Fix use of SM ORDER
Dong Aisheng <aisheng.dong@nxp.com>
remoteproc: imx_rproc: Fix rsc-table name
Dong Aisheng <aisheng.dong@nxp.com>
remoteproc: imx_rproc: Fix ignoring mapping vdev regions
Dong Aisheng <aisheng.dong@nxp.com>
remoteproc: Fix the wrong default value of is_iomem
Peng Fan <peng.fan@nxp.com>
remoteproc: elf_loader: Fix loading segment when is_iomem true
Halil Pasic <pasic@linux.ibm.com>
s390/cio: make ccw_device_dma_* more robust
Harald Freudenberger <freude@linux.ibm.com>
s390/ap: Fix hanging ioctl caused by orphaned replies
Sven Schnelle <svens@linux.ibm.com>
s390/tape: fix timer initialization in tape_std_assign()
Vineeth Vijayan <vneethv@linux.ibm.com>
s390/cio: check the subchannel validity for dev_busid
Thomas Richter <tmricht@linux.ibm.com>
s390/cpumf: cpum_cf PMU displays invalid value after hotplug remove
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: sleep: Avoid calling put_device() under dpm_list_mtx
Coly Li <colyli@suse.de>
bcache: Revert "bcache: use bvec_virt"
Coly Li <colyli@suse.de>
bcache: fix use-after-free problem in bcache_device_free()
Marek Vasut <marex@denx.de>
video: backlight: Drop maximum brightness override for brightness zero
Jack Andersen <jackoalan@gmail.com>
mfd: dln2: Add cell for initializing DLN2 ADC
Rongwei Wang <rongwei.wang@linux.alibaba.com>
mm, thp: fix incorrect unmap behavior for private pages
Rongwei Wang <rongwei.wang@linux.alibaba.com>
mm, thp: lock filemap when truncating page cache
Michal Hocko <mhocko@suse.com>
mm, oom: do not trigger out_of_memory from the #PF
Vasily Averin <vvs@virtuozzo.com>
mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks
Vasily Averin <vvs@virtuozzo.com>
memcg: prohibit unconditional exceeding the limit of dying tasks
Matthew Wilcox (Oracle) <willy@infradead.org>
mm/filemap.c: remove bogus VM_BUG_ON
Dominique Martinet <asmadeus@codewreck.org>
9p/net: fix missing error check in p9_check_errors
Daniel Borkmann <daniel@iogearbox.net>
net, neigh: Enable state migration between NUD_PERMANENT and NTF_USE
Anatolij Gustschin <agust@denx.de>
dmaengine: bestcomm: fix system boot lockups
Kishon Vijay Abraham I <kishon@ti.com>
dmaengine: ti: k3-udma: Set r/tchan or rflow to NULL if request fail
Kishon Vijay Abraham I <kishon@ti.com>
dmaengine: ti: k3-udma: Set bchan to NULL if a channel request fail
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: don't need 8byte alignment for request length in ksmbd_check_message
Marios Makassikis <mmakassikis@freebox.fr>
ksmbd: Fix buffer length check in fsctl_validate_negotiate_info()
Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
block: Hold invalidate_lock in BLKRESETZONE ioctl
Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
block: Hold invalidate_lock in BLKZEROOUT ioctl
Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
block: Hold invalidate_lock in BLKDISCARD ioctl
Matthew Brost <matthew.brost@intel.com>
drm/i915/guc: Fix blocked context accounting
Gao Xiang <hsiangkao@linux.alibaba.com>
erofs: fix unsafe pagevec reuse of hooked pclusters
Xiubo Li <xiubli@redhat.com>
ceph: fix mdsmap decode when there are MDS's beyond max_mds
Dongliang Mu <mudongliangabcd@gmail.com>
f2fs: fix UAF in f2fs_available_free_memory
Daeho Jeong <daehojeong@google.com>
f2fs: include non-compressed blocks in compr_written_block
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: should use GFP_NOFS for directory inodes
Guo Ren <guoren@linux.alibaba.com>
irqchip/sifive-plic: Fixup EOI failed when masked
Michael Pratt <mpratt@google.com>
posix-cpu-timers: Clear task::posix_cputimers_work in copy_process()
Paolo Bonzini <pbonzini@redhat.com>
KVM: x86: move guest_pv_has out of user_access section
Thomas Gleixner <tglx@linutronix.de>
PCI/MSI: Destroy sysfs before freeing entries
Thomas Gleixner <tglx@linutronix.de>
PCI/MSI: Move non-mask check back into low level accessors
Dave Jones <davej@codemonkey.org.uk>
x86/mce: Add errata workaround for Skylake SKX37
Maciej W. Rozycki <macro@orcam.me.uk>
MIPS: Fix assembly error from MIPSr2 code used within MIPS_ISA_ARCH_LEVEL
Masahiro Yamada <masahiroy@kernel.org>
MIPS: fix *-pkg builds for loongson2ef platform
Masahiro Yamada <masahiroy@kernel.org>
MIPS: fix duplicated slashes for Platform file path
John David Anglin <dave.anglin@bell.net>
parisc: Flush kernel data mapping in set_pte_at() when installing pte for user page
Helge Deller <deller@gmx.de>
parisc: Fix backtrace to always include init funtion names
Arnd Bergmann <arnd@arndb.de>
ARM: 9156/1: drop cc-option fallbacks for architecture selection
Michał Mirosław <mirq-linux@rere.qmqm.pl>
ARM: 9155/1: fix early early_iounmap()
Steve French <stfrench@microsoft.com>
smb3: do not error on fsync when readonly
Linus Torvalds <torvalds@linux-foundation.org>
thermal: int340x: fix build on 32-bit targets
Willem de Bruijn <willemb@google.com>
selftests/net: udpgso_bench_rx: fix port argument
Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
cxgb4: fix eeprom len when diagnostics not implemented
Dust Li <dust.li@linux.alibaba.com>
net/smc: fix sk_refcnt underflow on linkdown and fallback
Eiichi Tsukata <eiichi.tsukata@nutanix.com>
vsock: prevent unnecessary refcnt inc for nonblocking connect
Marek Behún <kabel@kernel.org>
net: marvell: mvpp2: Fix wrong SerDes reconfiguration order
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
net: ethernet: ti: cpsw_ale: Fix access to un-initialized memory
Vladimir Oltean <vladimir.oltean@nxp.com>
net: stmmac: allow a tc-taprio base-time of zero
Guangbin Huang <huangguangbin2@huawei.com>
net: hns3: allow configure ETS bandwidth of all TCs
Yufeng Mo <moyufeng@huawei.com>
net: hns3: fix kernel crash when unload VF while it is being reset
Jie Wang <wangjie125@huawei.com>
net: hns3: fix pfc packet number incorrect after querying pfc parameters
Jie Wang <wangjie125@huawei.com>
net: hns3: fix ROCE base interrupt vector initialization bug
Eric Dumazet <edumazet@google.com>
net/sched: sch_taprio: fix undefined behavior in ktime_mono_to_any
Marek Behún <kabel@kernel.org>
net: dsa: mv88e6xxx: Don't support >1G speeds on 6191X on ports other than 10
Evan Quan <evan.quan@amd.com>
drm/amdgpu: fix uvd crash on Polaris12 during driver unloading
Muchun Song <songmuchun@bytedance.com>
seq_file: fix passing wrong private data
Andrew Halaney <ahalaney@redhat.com>
init: make unknown command line param message clearer
Imre Deak <imre.deak@intel.com>
drm/i915/fb: Fix rounding error in subsampled plane size calculation
Dan Carpenter <dan.carpenter@oracle.com>
gve: Fix off by one in gve_tx_timeout()
Arnd Bergmann <arnd@arndb.de>
dmaengine: stm32-dma: avoid 64-bit division in stm32_dma_get_max_width
Amelie Delaunay <amelie.delaunay@foss.st.com>
dmaengine: stm32-dma: fix burst in case of unaligned memory address
Jussi Maki <joamaki@gmail.com>
bpf, sockmap: sk_skb data_end access incorrect when src_reg = dst_reg
John Fastabend <john.fastabend@gmail.com>
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
John Fastabend <john.fastabend@gmail.com>
bpf, sockmap: Fix race in ingress receive verdict with redirect to self
John Fastabend <john.fastabend@gmail.com>
bpf, sockmap: Remove unhash handler for BPF sockmap usage
Arnd Bergmann <arnd@arndb.de>
arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions
Reiji Watanabe <reijiw@google.com>
arm64: arm64_ftr_reg->name may not be a human-readable string
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
litex_liteeth: Fix a double free in the remove function
Chengfeng Ye <cyeaa@connect.ust.hk>
nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
Eric Dumazet <edumazet@google.com>
llc: fix out-of-bound array index in llc_sk_dev_hash()
Ian Rogers <irogers@google.com>
perf bpf: Add missing free to bpf_event__print_bpf_prog_info()
Dan Carpenter <dan.carpenter@oracle.com>
zram: off by one in read_block_state()
Miaohe Lin <linmiaohe@huawei.com>
mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and zs_unregister_migration()
Marc Kleine-Budde <mkl@pengutronix.de>
can: mcp251xfd: mcp251xfd_chip_start(): fix error handling for mcp251xfd_chip_rx_int_enable()
Vincent Mailhol <mailhol.vincent@wanadoo.fr>
can: etas_es58x: es58x_rx_err_msg(): fix memory leak in error path
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/powerplay: fix sysfs_emit/sysfs_emit_at handling
Fabio Estevam <festevam@gmail.com>
Revert "drm/imx: Annotate dma-fence critical section in commit path"
Arnd Bergmann <arnd@arndb.de>
drm: fb_helper: improve CONFIG_FB dependency
Hangbin Liu <liuhangbin@gmail.com>
selftests/bpf/xdp_redirect_multi: Limit the tests in netns
Hangbin Liu <liuhangbin@gmail.com>
selftests/bpf/xdp_redirect_multi: Give tcpdump a chance to terminate cleanly
Hangbin Liu <liuhangbin@gmail.com>
selftests/bpf/xdp_redirect_multi: Use arping to accurate the arp number
Hangbin Liu <liuhangbin@gmail.com>
selftests/bpf/xdp_redirect_multi: Put the logs to tmp folder
Mehrdad Arshad Rad <arshad.rad@gmail.com>
libbpf: Fix lookup_and_delete_elem_flags error reporting
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: PM: Fix device wakeup power reference counting error
Kai Song <songkai01@inspur.com>
mfd: altera-sysmgr: Fix a mistake caused by resource_size conversion
Mark Brown <broonie@kernel.org>
mfd: sprd: Add SPI device ID table
Mark Brown <broonie@kernel.org>
mfd: cpcap: Add SPI device ID table
Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
mfd: core: Add missing of_node_put for loop iteration
Takashi Iwai <tiwai@suse.de>
ALSA: memalloc: Catch call with NULL snd_dma_buffer pointer
Arnd Bergmann <arnd@arndb.de>
octeontx2-pf: select CONFIG_NET_DEVLINK
Huang Guobin <huangguobin4@huawei.com>
bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed
Jason Gunthorpe <jgg@ziepe.ca>
drm/ttm: remove ttm_bo_vm_insert_huge()
Luis Chamberlain <mcgrof@kernel.org>
block: fix device_add_disk() kobject_create_and_add() error handling
Heiner Kallweit <hkallweit1@gmail.com>
net: phy: fix duplex out of sync problem while changing settings
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpufreq: intel_pstate: Clear HWP desired on suspend/shutdown and offline
Selvin Xavier <selvin.xavier@broadcom.com>
PCI: Do not enable AtomicOps on VFs
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
ataflop: remove ataflop_probe_lock mutex
Luis Chamberlain <mcgrof@kernel.org>
block/ataflop: provide a helper for cleanup up an atari disk
Luis Chamberlain <mcgrof@kernel.org>
block/ataflop: add registration bool before calling del_gendisk()
Luis Chamberlain <mcgrof@kernel.org>
block/ataflop: use the blk_cleanup_disk() helper
Luis Chamberlain <mcgrof@kernel.org>
nvdimm/pmem: cleanup the disk if pmem_release_disk() is yet assigned
Chenyuan Mi <cymi20@fudan.edu.cn>
drm/nouveau/svm: Fix refcount leak bug and missing check against null bug
Andrea Righi <andrea.righi@canonical.com>
selftests: net: properly support IPv6 in GSO GRE test
Avri Altman <avri.altman@wdc.com>
scsi: ufs: ufshpb: Properly handle max-single-cmd
Bean Huo <beanhuo@micron.com>
scsi: ufs: core: Fix NULL pointer dereference
Daejun Park <daejun7.park@samsung.com>
scsi: ufs: ufshpb: Use proper power management API
Jackie Liu <liuyun01@kylinos.cn>
scsi: bsg: Fix errno when scsi_bsg_register_queue() fails
Luis Chamberlain <mcgrof@kernel.org>
nvdimm/btt: do not call del_gendisk() if not needed
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
PCI: j721e: Fix j721e_pcie_probe() error path
Hans de Goede <hdegoede@redhat.com>
ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses
Daniel Thompson <daniel.thompson@linaro.org>
kdb: Adopt scheduler's task classification
Brett Creeley <brett.creeley@intel.com>
ice: Fix not stopping Tx queues for VFs
Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
ice: Fix replacing VF hardware MAC to existing MAC filter
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: felix: fix broken VLAN-tagged PTP under VLAN-aware bridge
Ziyang Xuan <william.xuanziyang@huawei.com>
net: vlan: fix a UAF in vlan_dev_real_dev()
Stafford Horne <shorne@gmail.com>
openrisc: fix SMP tlb flush NULL pointer dereference
Jakub Kicinski <kuba@kernel.org>
ethtool: fix ethtool msg len calculation for pause stats
Hangbin Liu <liuhangbin@gmail.com>
kselftests/net: add missed toeplitz.sh/toeplitz_client.sh to Makefile
Hangbin Liu <liuhangbin@gmail.com>
kselftests/net: add missed vrf_strict_mode_test.sh test to Makefile
Hangbin Liu <liuhangbin@gmail.com>
kselftests/net: add missed SRv6 tests
Hangbin Liu <liuhangbin@gmail.com>
kselftests/net: add missed setup_loopback.sh/setup_veth.sh to Makefile
Hangbin Liu <liuhangbin@gmail.com>
kselftests/net: add missed icmp.sh test to Makefile
Maxim Kiselev <bigunclemax@gmail.com>
net: davinci_emac: Fix interrupt pacing disable
Beld Zhang <beldzhang@gmail.com>
io-wq: fix max-workers not correctly set on multi-node system
Yu Kuai <yukuai3@huawei.com>
nbd: fix possible overflow for 'first_minor' in nbd_dev_add()
Yu Kuai <yukuai3@huawei.com>
nbd: fix max value for 'first_minor'
YueHaibing <yuehaibing@huawei.com>
xen-pciback: Fix return in pm_ctrl_init()
Sander Vanheule <sander@svanheule.net>
gpio: realtek-otto: fix GPIO line IRQ offset
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
i2c: xlr: Fix a resource leak in the error handling path of 'xlr_i2c_probe()'
Dave Jiang <dave.jiang@intel.com>
dmaengine: idxd: fix resource leak on dmaengine driver disable
Trond Myklebust <trond.myklebust@hammerspace.com>
NFSv4: Fix a regression in nfs_set_open_stateid_locked()
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: edif: Fix EDIF bsg
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: edif: Increase ELS payload
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: edif: Flush stale events and msgs on session down
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: edif: Fix app start delay
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: edif: Fix app start fail
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: Turn off target reset during issue_lip
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: Fix gnl list corruption
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: Relogin during fabric disturbance
Dmitry Bogdanov <d.bogdanov@yadro.com>
scsi: target: core: Remove from tmr_list during LUN unlink
Jackie Liu <liuyun01@kylinos.cn>
ar7: fix kernel builds for compiler test
Ahmad Fatoum <a.fatoum@pengutronix.de>
watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT
Randy Dunlap <rdunlap@infradead.org>
m68k: set a default value for MEMORY_RESERVE
Eric W. Biederman <ebiederm@xmission.com>
signal/sh: Use force_sig(SIGKILL) instead of do_group_exit(SIGKILL)
Dave Jiang <dave.jiang@intel.com>
dmaengine: idxd: reconfig device after device reset command
Dave Jiang <dave.jiang@intel.com>
dmanegine: idxd: fix resource free ordering on driver removal
Dongliang Mu <mudongliangabcd@gmail.com>
dmaengine: tegra210-adma: fix pm runtime unbalance
Lars-Peter Clausen <lars@metafoo.de>
dmaengine: dmaengine_desc_callback_valid(): Check for `callback_result`
Florian Westphal <fw@strlen.de>
netfilter: nfnetlink_queue: fix OOB when mac header was cleared
Robert-Ionut Alexa <robert-ionut.alexa@nxp.com>
soc: fsl: dpaa2-console: free buffer before returning from dpaa2_console_read
Geert Uytterhoeven <geert@linux-m68k.org>
auxdisplay: ht16k33: Fix frame buffer device blanking
Geert Uytterhoeven <geert@linux-m68k.org>
auxdisplay: ht16k33: Connect backlight to fbdev
Geert Uytterhoeven <geert@linux-m68k.org>
auxdisplay: img-ascii-lcd: Fix lock-up when displaying empty string
Alexey Gladkov <legion@kernel.org>
Fix user namespace leak
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Fix an Oops in pnfs_mark_request_commit()
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Fix up commit deadlocks
Amelie Delaunay <amelie.delaunay@foss.st.com>
dmaengine: stm32-dma: fix stm32_dma_get_max_width
Claudiu Beznea <claudiu.beznea@microchip.com>
dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro
Claudiu Beznea <claudiu.beznea@microchip.com>
dmaengine: at_xdmac: call at_xdmac_axi_config() on resume path
Dan Carpenter <dan.carpenter@oracle.com>
rtc: rv3032: fix error handling in rv3032_clkout_set_rate()
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
remoteproc: Fix a memory leak in an error handling path in 'rproc_handle_vdev()'
Zev Weiss <zev@bewilderbeest.net>
mtd: core: don't remove debugfs directory if device is in use
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: rawnand: arasan: Prevent an unsupported configuration
Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
PCI: uniphier: Serialize INTx masking/unmasking and fix the bit operation
Evgeny Novikov <novikov@ispras.ru>
mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare()
Guido Günther <agx@sigxcpu.org>
drm/bridge: nwl-dsi: Add atomic_get_input_bus_fmts
John Keeping <john@metanate.com>
Input: st1232 - increase "wait ready" timeout
Jia-Ju Bai <baijiaju1990@gmail.com>
fs: orangefs: fix error return code of orangefs_revalidate_lookup()
Kees Cook <keescook@chromium.org>
sparc: Add missing "FORCE" target when using if_changed
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Fix deadlocks in nfs_scan_commit_list()
YueHaibing <yuehaibing@huawei.com>
opp: Fix return in _opp_add_static_v2()
Pali Rohár <pali@kernel.org>
PCI: aardvark: Fix preserving PCI_EXP_RTCTL_CRSSVE flag on emulated bridge
Marek Behún <kabel@kernel.org>
PCI: aardvark: Don't spam about PIO Response Status
Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
drm/plane-helper: fix uninitialized variable reference
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/bridge/lontium-lt9611uxc: fix provided connector suport
Baptiste Lepers <baptiste.lepers@gmail.com>
pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Fix dentry verifier races
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Ignore the directory size when marking for revalidation
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Don't set NFS_INO_DATA_INVAL_DEFER and NFS_INO_INVALID_DATA
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Default change_attr_type to NFS4_CHANGE_TYPE_IS_UNDEFINED
Kewei Xu <kewei.xu@mediatek.com>
i2c: mediatek: fixing the incorrect register offset
Mark Brown <broonie@kernel.org>
Input: ariel-pwrbutton - add SPI device ID table
Mark Brown <broonie@kernel.org>
rtc: mcp795: Add SPI ID table
Dave Jiang <dave.jiang@intel.com>
dmaengine: idxd: move out percpu_ref_exit() to ensure it's outside submission
Heiner Kallweit <hkallweit1@gmail.com>
i2c: i801: Use PCI bus rescan mutex to protect P2SB access
Dong Aisheng <aisheng.dong@nxp.com>
remoteproc: imx_rproc: Fix TCM io memory type
Mark Brown <broonie@kernel.org>
rtc: pcf2123: Add SPI ID table
Mark Brown <broonie@kernel.org>
rtc: ds1390: Add SPI ID table
Mark Brown <broonie@kernel.org>
rtc: ds1302: Add SPI ID table
J. Bruce Fields <bfields@redhat.com>
nfsd: don't alloc under spinlock in rpc_parse_scope_id
Evgeny Novikov <novikov@ispras.ru>
mtd: rawnand: intel: Fix potential buffer overflow in probe
Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
rpmsg: Fix rpmsg_create_ept return when RPMSG config is not defined
Tom Rix <trix@redhat.com>
apparmor: fix error check
Aharon Landau <aharonl@nvidia.com>
RDMA/core: Require the driver to set the IOVA correctly during rereg_mr
Hans de Goede <hdegoede@redhat.com>
power: supply: bq27xxx: Fix kernel crash on IRQ handler register error
Geert Uytterhoeven <geert+renesas@glider.be>
mips: cm: Convert to bitfield API to fix out-of-bounds access
Parav Pandit <parav@nvidia.com>
vdpa/mlx5: Fix clearing of VIRTIO_NET_F_MAC feature bit
Xuan Zhuo <xuanzhuo@linux.alibaba.com>
virtio_ring: check desc == NULL when using indirect with packed
Geert Uytterhoeven <geert@linux-m68k.org>
serial: cpm_uart: Protect udbg definitions by CONFIG_SERIAL_CPM_CONSOLE
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
ASoC: rsnd: Fix an error handling path in 'rsnd_node_count()'
Yixing Liu <liuyixing1@huawei.com>
RDMA/hns: Modify the value of MAX_LP_MSG_LEN to meet hardware compatibility
Haoyue Xu <xuhaoyue1@hisilicon.com>
RDMA/hns: Fix initial arm_st of CQ
Richard Fitzgerald <rf@opensource.cirrus.com>
ASoC: cs42l42: Correct configuring of switch inversion from ts-inv
Christophe Leroy <christophe.leroy@csgroup.eu>
powerpc: Don't provide __kernel_map_pages() without ARCH_SUPPORTS_DEBUG_PAGEALLOC
Logan Gunthorpe <logang@deltatee.com>
iommu/dma: Fix incorrect error return on iommu deferred attach
Takashi Sakamoto <o-takashi@sakamocchi.jp>
ALSA: oxfw: fix functional regression for Mackie Onyx 1640i in v5.14 or later
Denis Kirjanov <kda@linux-powerpc.org>
powerpc/xmon: fix task state output
Bixuan Cui <cuibixuan@linux.alibaba.com>
powerpc/44x/fsp2: add missing of_node_put
Christophe Leroy <christophe.leroy@csgroup.eu>
powerpc/book3e: Fix set_memory_x() and set_memory_nx()
Christophe Leroy <christophe.leroy@csgroup.eu>
powerpc/nohash: Fix __ptep_set_access_flags() and ptep_set_wrprotect()
Andrej Shadura <andrew.shadura@collabora.co.uk>
HID: u2fzero: properly handle timeouts in usb_submit_urb
Andrej Shadura <andrew.shadura@collabora.co.uk>
HID: u2fzero: clarify error check and length calculations
Claudiu Beznea <claudiu.beznea@microchip.com>
clk: at91: clk-master: fix prescaler logic
Claudiu Beznea <claudiu.beznea@microchip.com>
clk: at91: clk-master: check if div or pres is zero
Claudiu Beznea <claudiu.beznea@microchip.com>
clk: at91: sam9x60-pll: use DIV_ROUND_CLOSEST_ULL
Anssi Hannula <anssi.hannula@bitwise.fi>
serial: xilinx_uartps: Fix race condition causing stuck TX
Yang Yingliang <yangyingliang@huawei.com>
phy: Sparx5 Eth SerDes: Fix return value check in sparx5_serdes_probe()
Sandeep Maheswaram <quic_c_sanm@quicinc.com>
phy: qcom-snps: Correct the FSEL_MASK
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
phy: qcom-qmp: another fix for the sc8180x PCIe definition
Dan Carpenter <dan.carpenter@oracle.com>
phy: ti: gmii-sel: check of_get_address() for failure
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
phy: qcom-qusb2: Fix a memory leak on probe
Mark Brown <broonie@kernel.org>
ASoC: topology: Fix stub for snd_soc_tplg_component_remove()
Rahul Tanwar <rtanwar@maxlinear.com>
pinctrl: equilibrium: Fix function addition in multiple groups
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
arm64: dts: qcom: sdm845: Fix Qualcomm crypto engine bus clock
Bhupesh Sharma <bhupesh.sharma@linaro.org>
arm64: dts: qcom: sdm845: Use RPMH_CE_CLK macro directly
Marijn Suijten <marijn.suijten@somainline.org>
arm64: dts: qcom: pmi8994: Fix "eternal"->"external" typo in WLED node
Wan Jiabing <wanjiabing@vivo.com>
soc: qcom: apr: Add of_node_put() before return
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
soc: qcom: rpmhpd: fix sm8350_mxc's peer domain
Guru Das Srinagesh <quic_gurus@quicinc.com>
firmware: qcom_scm: Fix error retval in __qcom_scm_is_call_available()
Jack Pham <jackp@codeaurora.org>
usb: dwc3: gadget: Skip resizing EP's TX FIFO if already resized
Christophe Leroy <christophe.leroy@csgroup.eu>
powerpc/booke: Disable STRICT_KERNEL_RWX, DEBUG_PAGEALLOC and KFENCE
Amelie Delaunay <amelie.delaunay@foss.st.com>
usb: dwc2: drd: reset current session before setting the new one
Amelie Delaunay <amelie.delaunay@foss.st.com>
usb: dwc2: drd: fix dwc2_drd_role_sw_set when clock could be disabled
Amelie Delaunay <amelie.delaunay@foss.st.com>
usb: dwc2: drd: fix dwc2_force_mode call in dwc2_ovr_init
Stefan Agner <stefan@agner.ch>
serial: imx: fix detach/attach of serial console
James Smart <jsmart2021@gmail.com>
scsi: lpfc: Wait for successful restart of SLI3 adapter during host sg_reset
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
scsi: ufs: ufshcd-pltfrm: Fix memory leak due to probe defer
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
soundwire: bus: stop dereferencing invalid slave pointer
Nuno Sá <nuno.sa@analog.com>
iio: adis: do not disabe IRQs in 'adis_init()'
Randy Dunlap <rdunlap@infradead.org>
usb: typec: STUSB160X should select REGMAP_I2C
Yang Yingliang <yangyingliang@huawei.com>
iio: buffer: Fix double-free in iio_buffers_alloc_sysfs_and_mask()
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
soc: qcom: socinfo: add two missing PMIC IDs
Bjorn Andersson <bjorn.andersson@linaro.org>
soc: qcom: rpmhpd: Make power_on actually enable the domain
Richard Fitzgerald <rf@opensource.cirrus.com>
ASoC: cs42l42: Defer probe if request_threaded_irq() returns EPROBE_DEFER
Richard Fitzgerald <rf@opensource.cirrus.com>
ASoC: cs42l42: Correct some register default values
Richard Fitzgerald <rf@opensource.cirrus.com>
ASoC: cs42l42: Always configure both ASP TX channels
Olivier Moysan <olivier.moysan@foss.st.com>
ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15
Olivier Moysan <olivier.moysan@foss.st.com>
ARM: dts: stm32: fix SAI sub nodes register range
Fabrice Gasnier <fabrice.gasnier@foss.st.com>
ARM: dts: stm32: fix STUSB1600 Type-C irq level on stm32mp15xx-dkx
Marek Vasut <marex@denx.de>
ARM: dts: stm32: Reduce DHCOR SPI NOR frequency to 50 MHz
Geert Uytterhoeven <geert+renesas@glider.be>
pinctrl: renesas: checker: Fix off-by-one bug in drive register check
Athira Rajeev <atrajeev@linux.vnet.ibm.cm>
powerpc/perf: Fix cycles/instructions as PM_CYC/PM_INST_CMPL in power10
Andrew Halaney <ahalaney@redhat.com>
dyndbg: make dyndbg a known cli param
Logan Gunthorpe <logang@deltatee.com>
RDMA/core: Set sgtable nents when using ib_dma_virt_map_sg()
Vegard Nossum <vegard.nossum@oracle.com>
staging: ks7010: select CRYPTO_HASH/CRYPTO_MICHAEL_MIC
Nikita Yushchenko <nikita.yoush@cogentembedded.com>
staging: most: dim2: do not double-register the same device
Randy Dunlap <rdunlap@infradead.org>
usb: musb: select GENERIC_PHY instead of depending on it
Leon Romanovsky <leon@kernel.org>
RDMA/mlx4: Return missed an error if device doesn't support steering
Dan Carpenter <dan.carpenter@oracle.com>
scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn()
Yang Yingliang <yangyingliang@huawei.com>
power: supply: max17040: fix null-ptr-deref in max17040_probe()
Jakob Hauser <jahau@rocketmail.com>
power: supply: rt5033_battery: Change voltage values to µV
Dan Carpenter <dan.carpenter@oracle.com>
usb: gadget: hid: fix error code in do_config()
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
serial: 8250_dw: Drop wrong use of ACPI_PTR()
Nathan Lynch <nathanl@linux.ibm.com>
powerpc/paravirt: correct preempt debug splat in vcpu_is_preempted()
Nathan Lynch <nathanl@linux.ibm.com>
powerpc: fix unbalanced node refcount in check_kvm_guest()
Christophe Leroy <christophe.leroy@csgroup.eu>
video: fbdev: chipsfb: use memset_io() instead of memset()
Christophe Leroy <christophe.leroy@csgroup.eu>
powerpc/mem: Fix arch/powerpc/mm/mem.c:53:12: error: no previous prototype for 'create_section_mapping'
Clément Léger <clement.leger@bootlin.com>
clk: at91: check pmc node status before registering syscore ops
Dongliang Mu <mudongliangabcd@gmail.com>
memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
soc/tegra: Fix an error handling path in tegra_powergate_power_up()
Mark Brown <broonie@kernel.org>
iio: st_pressure_spi: Add missing entries SPI to device ID table
Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
ASoC: SOF: topology: do not power down primary core during topology removal
Andreas Kemnade <andreas@kemnade.info>
arm: dts: omap3-gta04a4: accelerometer irq fix
Yang Yingliang <yangyingliang@huawei.com>
driver core: Fix possible memory leak in device_link_add()
Igor Pylypiv <ipylypiv@google.com>
scsi: pm80xx: Fix misleading log statement in pm8001_mpi_get_nvmd_resp()
Sumit Saxena <sumit.saxena@broadcom.com>
scsi: megaraid_sas: Fix concurrent access to ISR between IRQ polling and real interrupt
Bart Van Assche <bvanassche@google.com>
scsi: ufs: core: Stop clearing UNIT ATTENTIONS
Bean Huo <beanhuo@micron.com>
scsi: ufs: core: Fix ufshcd_probe_hba() prototype to match the definition
Claudiu Beznea <claudiu.beznea@microchip.com>
power: reset: at91-reset: check properly the return value of devm_of_iomap
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
soundwire: debugfs: use controller id and link_id for debugfs
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Fix possible race at sync of urb completions
Takashi Iwai <tiwai@suse.de>
ALSA: hda: Use position buffer for SKL+ again
Takashi Iwai <tiwai@suse.de>
ALSA: hda: Reduce udelay() at SKL+ position reporting
David Stevens <stevensd@chromium.org>
iommu/dma: Fix arch_sync_dma for map
David Stevens <stevensd@chromium.org>
iommu/dma: Fix sync_sg with swiotlb
Stephan Gerhold <stephan@gerhold.net>
arm64: dts: qcom: pm8916: Remove wrong reg-names for rtc@6000
Arnd Bergmann <arnd@arndb.de>
iommu/mediatek: Fix out-of-range warning with clang
Geert Uytterhoeven <geert+renesas@glider.be>
arm64: dts: renesas: beacon: Fix Ethernet PHY mode
Stephan Gerhold <stephan@gerhold.net>
arm64: dts: qcom: msm8916: Fix Secondary MI2S bit clock
Yassine Oudjana <y.oudjana@protonmail.com>
ASoC: wcd9335: Use correct version to initialize Class H
Biju Das <biju.das.jz@bp.renesas.com>
pinctrl: renesas: rzg2l: Fix missing port register 21h
Dongliang Mu <mudongliangabcd@gmail.com>
JFS: fix memleak in jfs_mount
Jackie Liu <liuyun01@kylinos.cn>
MIPS: loongson64: make CPU_LOONGSON64 depends on MIPS_FP_SUPPORT
Tong Zhang <ztong0001@gmail.com>
scsi: dc395: Fix error case unwinding
Kuogee Hsieh <khsieh@codeaurora.org>
arm64: dts: qcom: sc7280: fix display port phy reg property
Naina Mehta <nainmeht@codeaurora.org>
soc: qcom: llcc: Disable MMUHWT retention
Douglas Anderson <dianders@chromium.org>
arm64: dts: qcom: sc7180: Base dynamic CPU power coefficients in reality
Peter Rosin <peda@axentia.se>
ARM: dts: at91: tse850: the emac<->phy interface is rmii
Tony Lindgren <tony@atomide.com>
bus: ti-sysc: Fix timekeeping_suspended warning on resume
Anand Moon <linux.amoon@gmail.com>
arm64: dts: meson-sm1: Fix the pwm regulator supply properties
Anand Moon <linux.amoon@gmail.com>
arm64: dts: meson-g12b: Fix the pwm regulator supply properties
Anand Moon <linux.amoon@gmail.com>
arm64: dts: meson-g12a: Fix the pwm regulator supply properties
Kishon Vijay Abraham I <kishon@ti.com>
arm64: dts: ti: j7200-main: Fix "bus-range" upto 256 bus number for PCIe
Kishon Vijay Abraham I <kishon@ti.com>
arm64: dts: ti: j7200-main: Fix "vendor-id"/"device-id" properties of pcie node
Kishon Vijay Abraham I <kishon@ti.com>
arm64: dts: ti: k3-j721e-main: Fix "bus-range" upto 256 bus number for PCIe
Kishon Vijay Abraham I <kishon@ti.com>
arm64: dts: ti: k3-j721e-main: Fix "max-virtual-functions" in PCIe EP nodes
Selvin Xavier <selvin.xavier@broadcom.com>
RDMA/bnxt_re: Fix query SRQ failure
Marijn Suijten <marijn.suijten@somainline.org>
ARM: dts: qcom: msm8974: Add xo_board reference clock to DSI0 PHY
Alex Bee <knaerzche@gmail.com>
arm64: dts: rockchip: Fix GPU register width for RK3328
Jackie Liu <liuyun01@kylinos.cn>
ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc()
James Smart <jsmart2021@gmail.com>
scsi: lpfc: Fix NVMe I/O failover to non-optimized path
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: edif: Use link event to wake up app
Ajish Koshy <Ajish.Koshy@microchip.com>
scsi: pm80xx: Fix lockup in outbound queue management
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
clk: mvebu: ap-cpu-clk: Fix a memory leak in error handling paths
Rafał Miłecki <rafal@milecki.pl>
arm64: dts: broadcom: bcm4908: Fix UART clock name
Rafał Miłecki <rafal@milecki.pl>
ARM: dts: BCM5301X: Fix memory nodes names
Junji Wei <weijunji@bytedance.com>
RDMA/rxe: Fix wrong port_cap_flags
Alexandru Ardelean <aardelean@deviqon.com>
iio: st_sensors: disable regulators after device unregistration
Dongjin Kim <tobetter@gmail.com>
arm64: dts: meson: sm1: add Ethernet PHY reset line for ODROID-C4/HC4
Pavel Skripkin <paskripkin@gmail.com>
staging: r8188eu: fix memory leak in rtw_set_key
Hector.Yuan <hector.yuan@mediatek.com>
cpufreq: Fix parameter in parse_perf_domain()
Frank Rowand <frank.rowand@sony.com>
of: unittest: fix EXPECT text for gpio hog errors
Alexei Starovoitov <ast@kernel.org>
bpf: Fix propagation of signed bounds from 64-bit min/max into 32-bit.
Alexei Starovoitov <ast@kernel.org>
bpf: Fix propagation of bounds from 64-bit min/max into 32-bit and var_off.
Dan Schatzberg <schatzberg.dan@gmail.com>
cgroup: Fix rootcg cpu.stat guest double counting
Liu Jian <liujian56@huawei.com>
skmsg: Lose offset info in sk_psock_skb_ingress
Geliang Tang <geliang.tang@suse.com>
selftests: mptcp: fix proto type in link_failure tests
Sukadev Bhattiprolu <sukadev@linux.ibm.com>
ibmvnic: delay complete()
Sukadev Bhattiprolu <sukadev@linux.ibm.com>
ibmvnic: Process crqs after enabling interrupts
Sukadev Bhattiprolu <sukadev@linux.ibm.com>
ibmvnic: don't stop queue in xmit
Jakub Kicinski <kuba@kernel.org>
udp6: allow SO_MARK ctrl msg to affect routing
Andrea Righi <andrea.righi@canonical.com>
selftests/bpf: Fix fclose/pclose mismatch in test_progs
Daniel Jordan <daniel.m.jordan@oracle.com>
crypto: pcrypt - Delay write to padata->info
Nikolay Aleksandrov <nikolay@nvidia.com>
selftests: net: bridge: update IGMP/MLD membership interval value
Ivan Vecera <ivecera@redhat.com>
net: bridge: fix uninitialized variables when BRIDGE_CFM is disabled
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
net: phylink: avoid mvneta warning when setting pause parameters
Yinjun Zhang <yinjun.zhang@corigine.com>
nfp: fix potential deadlock when canceling dim work
Yinjun Zhang <yinjun.zhang@corigine.com>
nfp: fix NULL pointer access when scheduling dim work
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
ipmi: kcs_bmc: Fix a memory leak in the error handling path of 'kcs_bmc_serio_add_device()'
Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
net: amd-xgbe: Toggle PLL settings during rate change
Xin Long <lucien.xin@gmail.com>
sctp: return true only for pathmtu update in sctp_transport_pl_toobig
Xin Long <lucien.xin@gmail.com>
sctp: subtract sctphdr len in sctp_transport_pl_hlen
Xin Long <lucien.xin@gmail.com>
sctp: reset probe_timer in sctp_transport_pl_update
Xin Long <lucien.xin@gmail.com>
sctp: allow IP fragmentation when PLPMTUD enters Error state
Kumar Kartikeya Dwivedi <memxor@gmail.com>
selftests/bpf: Fix memory leak in test_ima
Kumar Kartikeya Dwivedi <memxor@gmail.com>
selftests/bpf: Fix fd cleanup in sk_lookup test
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/gmc6: fix DMA mask from 44 to 40 bits
Lang Yu <lang.yu@amd.com>
drm/amdgpu: fix a potential memory leak in amdgpu_device_fini_sw()
Loic Poulain <loic.poulain@linaro.org>
wcn36xx: Channel list update before hardware scan
Eric Dumazet <edumazet@google.com>
bpf: Fixes possible race in update_prog_stats() for 32bit arches
Eric Dumazet <edumazet@google.com>
bpf: Avoid races in __bpf_prog_run() for 32bit arches
Loic Poulain <loic.poulain@linaro.org>
wcn36xx: Fix discarded frames due to wrong sequence number
Benjamin Li <benl@squareup.com>
wcn36xx: add proper DMA memory barriers in rx path
Wang Hai <wanghai38@huawei.com>
libertas: Fix possible memory leak in probe and disconnect
Wang Hai <wanghai38@huawei.com>
libertas_tf: Fix possible memory leak in probe and disconnect
Janis Schoetterl-Glausch <scgl@linux.ibm.com>
KVM: s390: Fix handle_sske page fault handling
Tiezhu Yang <yangtiezhu@loongson.cn>
samples/kretprobes: Fix return value if register_kretprobe() failed
Peter Zijlstra <peterz@infradead.org>
x86: Fix __get_wchan() for !STACKTRACE
Kees Cook <keescook@chromium.org>
sched: Add wrapper for get_wchan() to keep task blocked
Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
spi: spi-rpc-if: Check return value of rpcif_sw_init()
Zhang Rui <rui.zhang@intel.com>
cpufreq: intel_pstate: Fix cpu->pstate.turbo_freq initialization
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
tracing: Fix missing trace_boot_init_histograms kstrdup NULL checks
Jon Maxwell <jmaxwell37@gmail.com>
tcp: don't free a FIN sk_buff in tcp_remove_empty_skb()
Ilya Leoshkevich <iii@linux.ibm.com>
libbpf: Fix endianness detection in BPF_CORE_READ_BITFIELD_PROBED()
Mark Brown <broonie@kernel.org>
tpm_tis_spi: Add missing SPI ID
Hao Wu <hao.wu@rubrik.com>
tpm: fix Atmel TPM crash caused by too frequent queries
Andrii Nakryiko <andrii@kernel.org>
libbpf: Fix off-by-one bug in bpf_core_apply_relo()
Yu Kuai <yukuai3@huawei.com>
blk-cgroup: synchronize blkg creation against policy deactivation
Michael Schmitz <schmitzmic@gmail.com>
block: ataflop: more blk-mq refactoring fixes
Abinaya Kalaiselvan <akalaise@codeaurora.org>
ath10k: fix module load regression with iram-recovery feature
Arnd Bergmann <arnd@arndb.de>
ARM: 9142/1: kasan: work around LPAE build warning
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: avoid refcount warnings when ->port_{fdb,mdb}_del returns error
Mark Rutland <mark.rutland@arm.com>
irq: mips: avoid nested irq_enter()
Claudio Imbrenda <imbrenda@linux.ibm.com>
KVM: s390: pv: avoid stalls for kvm_s390_pv_init_vm
Claudio Imbrenda <imbrenda@linux.ibm.com>
KVM: s390: pv: avoid double free of sida page
David Hildenbrand <david@redhat.com>
s390/uv: fully validate the VMA before calling follow_page()
David Hildenbrand <david@redhat.com>
s390/mm: fix VMA and page table handling code in storage key handling functions
David Hildenbrand <david@redhat.com>
s390/mm: validate VMA in PGSTE manipulation functions
David Hildenbrand <david@redhat.com>
s390/gmap: don't unconditionally call pte_unmap_unlock() in __gmap_zap()
David Hildenbrand <david@redhat.com>
s390/gmap: validate VMA in __gmap_zap()
Nick Hainke <vincent@systemli.org>
mt76: mt7615: mt7622: fix ibss and meshpoint
Andrii Nakryiko <andrii@kernel.org>
libbpf: Fix BTF header parsing checks
Andrii Nakryiko <andrii@kernel.org>
libbpf: Fix overflow in BTF sanity checks
Quentin Monnet <quentin@isovalent.com>
bpftool: Avoid leaking the JSON writer prepared for program metadata
Mauricio Vásquez <mauricio@kinvolk.io>
libbpf: Fix memory leak in btf__dedup()
Jim Mattson <jmattson@google.com>
KVM: selftests: Fix nested SVM tests when built with clang
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi
Horia Geantă <horia.geanta@nxp.com>
crypto: tcrypt - fix skcipher multi-buffer tests for 1420B blocks
Jessica Zhang <jesszhan@codeaurora.org>
drm/msm/dsi: fix wrong type in msm_dsi_host
Jessica Zhang <jesszhan@codeaurora.org>
drm/msm: Fix potential NULL dereference in DPU SSPP
Joerg Roedel <jroedel@suse.de>
x86/sev: Fix stack type check in vc_switch_off_ist()
Kees Cook <keescook@chromium.org>
clocksource/drivers/timer-ti-dm: Select TIMER_OF
Anders Roxell <anders.roxell@linaro.org>
PM: hibernate: fix sparse warnings
Max Gurtovoy <mgurtovoy@nvidia.com>
nvme-rdma: fix error code in nvme_rdma_setup_ctrl
Ye Bin <yebin10@huawei.com>
nbd: Fix use-after-free in pid_show
Stefan Agner <stefan@agner.ch>
phy: micrel: ksz8041nl: do not use power down mode
Tim Gardner <tim.gardner@canonical.com>
net: enetc: unmap DMA in enetc_send_cmd()
Johannes Berg <johannes.berg@intel.com>
iwlwifi: pnvm: read EFI data only if long enough
Johannes Berg <johannes.berg@intel.com>
iwlwifi: pnvm: don't kmemdup() more than we have
Johannes Berg <johannes.berg@intel.com>
iwlwifi: mvm: reset PM state on unsuccessful resume
Jonas Dreßler <verdre@v0yd.nl>
mwifiex: Send DELBA requests according to spec
Ziyang Xuan <william.xuanziyang@huawei.com>
rsi: stop thread firstly in rsi_91x_init() error handling
Shayne Chen <shayne.chen@mediatek.com>
mt76: mt7915: fix muar_idx in mt7915_mcu_alloc_sta_req()
Shayne Chen <shayne.chen@mediatek.com>
mt76: mt7915: fix sta_rec_wtbl tag len
Lorenzo Bianconi <lorenzo@kernel.org>
mt76: connac: fix possible NULL pointer dereference in mt76_connac_get_phy_mode_v2
Ryder Lee <ryder.lee@mediatek.com>
mt76: mt7615: fix monitor mode tear down crash
Sean Wang <sean.wang@mediatek.com>
mt76: mt7921: fix retrying release semaphore without end
Lorenzo Bianconi <lorenzo@kernel.org>
mt76: mt7915: fix possible infinite loop release semaphore
Ryder Lee <ryder.lee@mediatek.com>
mt76: mt7615: fix hwmon temp sensor mem use-after-free
Ben Greear <greearb@candelatech.com>
mt76: mt7915: fix hwmon temp sensor mem use-after-free
Lorenzo Bianconi <lorenzo@kernel.org>
mt76: mt7921: always wake device if necessary in debugfs
Sean Wang <sean.wang@mediatek.com>
mt76: mt7921: fix kernel warning from cfg80211_calculate_bitrate
Sean Wang <sean.wang@mediatek.com>
mt76: mt7921: fix firmware usage of RA info using legacy rates
Sean Wang <sean.wang@mediatek.com>
mt76: mt7921: report HE MU radiotap
Lorenzo Bianconi <lorenzo@kernel.org>
mt76: overwrite default reg_ops if necessary
Leon Yen <Leon.Yen@mediatek.com>
mt76: connac: fix GTK rekey offload failure on WPA mixed mode
Deren Wu <deren.wu@mediatek.com>
mt76: mt7921: fix dma hang in rmmod
Shayne Chen <shayne.chen@mediatek.com>
mt76: mt7915: fix bit fields for HT rate idx
Shayne Chen <shayne.chen@mediatek.com>
mt76: mt7915: fix potential overflow of eeprom page index
Deren Wu <deren.wu@mediatek.com>
mt76: mt7921: Fix out of order process by invalid event pkt
Lorenzo Bianconi <lorenzo@kernel.org>
mt76: mt76x02: fix endianness warnings in mt76x02_mac.c
Lorenzo Bianconi <lorenzo@kernel.org>
mt76: mt7921: fix survey-dump reporting
Sean Wang <sean.wang@mediatek.com>
mt76: fix build error implicit enumeration conversion
Leon Yen <Leon.Yen@mediatek.com>
mt76: connac: fix mt76_connac_gtk_rekey_tlv usage
Dan Carpenter <dan.carpenter@oracle.com>
mt76: mt7915: fix info leak in mt7915_mcu_set_pre_cal()
Lorenzo Bianconi <lorenzo@kernel.org>
mt76: mt7615: fix endianness warning in mt7615_mac_write_txwi
Lorenzo Bianconi <lorenzo@kernel.org>
mt76: mt7921: fix endianness warning in mt7921_update_txs
Lorenzo Bianconi <lorenzo@kernel.org>
mt76: mt7915: fix endianness warning in mt7915_mac_add_txs_skb
Lorenzo Bianconi <lorenzo@kernel.org>
mt76: mt7921: fix endianness in mt7921_mcu_tx_done_event
Lang Yu <lang.yu@amd.com>
drm/amdkfd: Fix an inappropriate error handling in allloc memory of gpu
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: PM: Fix sharing of wakeup power resources
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: PM: Turn off unused wakeup power resources
Fei Shao <fshao@chromium.org>
mailbox: mtk-cmdq: Fix local clock ID usage
Fei Shao <fshao@chromium.org>
mailbox: mtk-cmdq: Validate alias_id on probe
Nathan Chancellor <nathan@kernel.org>
platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning
Andrea Righi <andrea.righi@canonical.com>
blk-wbt: prevent NULL pointer dereference in wb_timer_fn
Michael Schmitz <schmitzmic@gmail.com>
block: ataflop: fix breakage introduced at blk-mq refactoring
Bixuan Cui <cuibixuan@huawei.com>
io-wq: Remove duplicate code in io_workqueue_create()
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
mmc: mxs-mmc: disable regulator on error and in the remove function
Sean Young <sean@mess.org>
media: ir_toy: assignment to be16 should be of correct type
Randy Dunlap <rdunlap@infradead.org>
media: ivtv: fix build for UML
jason-jh.lin <jason-jh.lin@mediatek.com>
mailbox: Remove WARN_ON for async_cb.cb in cmdq_exec_done
Jackie Liu <liuyun01@kylinos.cn>
thermal/drivers/qcom/lmh: make QCOM_LMH depends on QCOM_SCM
Jakub Kicinski <kuba@kernel.org>
net: stream: don't purge sk_error_queue in sk_stream_kill_queues()
Dan Carpenter <dan.carpenter@oracle.com>
drm/msm: uninitialized variable in msm_gem_import()
Dan Carpenter <dan.carpenter@oracle.com>
drm/msm: fix potential NULL dereference in cleanup
Dan Carpenter <dan.carpenter@oracle.com>
drm/msm: unlock on error in get_sched_entity()
Dan Carpenter <dan.carpenter@oracle.com>
drm/msm: potential error pointer dereference in init()
Dan Carpenter <dan.carpenter@oracle.com>
drm/msm: Fix potential Oops in a6xx_gmu_rpmh_init()
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/dsi: do not enable irq handler before powering up the host
Ziyang Xuan <william.xuanziyang@huawei.com>
thermal/core: fix a UAF bug in __thermal_cooling_device_register()
Ovidiu Panait <ovidiu.panait@windriver.com>
crypto: octeontx2 - set assoclen in aead_do_fallback()
Eric Dumazet <edumazet@google.com>
tcp: switch orphan_count to bare per-cpu counters
Qi Zheng <zhengqi.arch@bytedance.com>
x86: Fix get_wchan() to support the ORC unwinder
Randy Dunlap <rdunlap@infradead.org>
net: tulip: winbond-840: fix build for UML
Randy Dunlap <rdunlap@infradead.org>
net: intel: igc_ptp: fix build for UML
Randy Dunlap <rdunlap@infradead.org>
net: fealnx: fix build for UML
Zhang Qiao <zhangqiao22@huawei.com>
kernel/sched: Fix sched_fork() access an invalid sched_task_group
Sven Eckelmann <seckelmann@datto.com>
ath10k: fix max antenna gain unit
Zev Weiss <zev@bewilderbeest.net>
hwmon: (pmbus/lm25066) Let compiler determine outer dimension of lm25066_coeff
Yang Yingliang <yangyingliang@huawei.com>
hwmon: Fix possible memleak in __hwmon_device_register()
Daniel Borkmann <daniel@iogearbox.net>
net, neigh: Fix NTF_EXT_LEARNED in combination with NTF_USE
Dan Carpenter <dan.carpenter@oracle.com>
memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host()
Arnd Bergmann <arnd@arndb.de>
memstick: avoid out-of-range warning
Tony Lindgren <tony@atomide.com>
mmc: sdhci-omap: Fix context restore
Tony Lindgren <tony@atomide.com>
mmc: sdhci-omap: Fix NULL pointer exception if regulator is not configured
Catherine Sullivan <csully@google.com>
gve: Track RX buffer allocation failures
John Fraker <jfraker@google.com>
gve: Recover from queue stall due to missed IRQ
Dan Carpenter <dan.carpenter@oracle.com>
b43: fix a lower bounds test
Dan Carpenter <dan.carpenter@oracle.com>
b43legacy: fix a lower bounds test
liqiong <liqiong@nfschina.com>
ima: fix deadlock when traversing "ima_default_rules".
Markus Schneider-Pargmann <msp@baylibre.com>
hwrng: mtk - Force runtime pm ops for sleep ops
Giovanni Cabiddu <giovanni.cabiddu@intel.com>
crypto: qat - disregard spurious PFVF interrupts
Giovanni Cabiddu <giovanni.cabiddu@intel.com>
crypto: qat - detect PFVF collision after ACK
Arnd Bergmann <arnd@arndb.de>
crypto: ccree - avoid out-of-range warnings from clang
Evgeny Novikov <novikov@ispras.ru>
media: dvb-frontends: mn88443x: Handle errors of clk_prepare_enable()
Mansur Alisha Shaik <mansur@codeaurora.org>
media: venus: fix vpp frequency calculation for decoder
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_dynset: relax superfluous check on set updates
Peter Zijlstra <peterz@infradead.org>
rcu: Fix rcu_dynticks_curr_cpu_in_eqs() vs noinstr
Peter Zijlstra <peterz@infradead.org>
rcu: Always inline rcu_dynticks_task*_{enter,exit}()
Yazen Ghannam <yazen.ghannam@amd.com>
EDAC/amd64: Handle three rank interleaving mode
Borislav Petkov <bp@suse.de>
x86/insn: Use get_unaligned() instead of memcpy()
Vincent Donnefort <vincent.donnefort@arm.com>
PM: EM: Fix inefficient states detection
Linus Lüssing <ll@simonwunderlich.de>
ath9k: Fix potential interrupt storm on queue reset
Stephen Boyd <swboyd@chromium.org>
ath10k: Don't always treat modem stop events as crashes
Colin Ian King <colin.king@canonical.com>
media: em28xx: Don't use ops->suspend if it is NULL
Anel Orazgaliyeva <anelkz@amazon.de>
cpuidle: Fix kobject memory leaks in error paths
Arnd Bergmann <arnd@arndb.de>
drm: fb_helper: fix CONFIG_FB dependency
Arnd Bergmann <arnd@arndb.de>
crypto: ecc - fix CRYPTO_DEFAULT_RNG dependency
Punit Agrawal <punitagrawal@gmail.com>
kprobes: Do not use local variable when creating debugfs file
Yee Lee <yee.lee@mediatek.com>
scs: Release kasan vmalloc poison in scs_free process
Eugen Hristev <eugen.hristev@microchip.com>
media: atmel: fix the ispck initialization
Colin Ian King <colin.king@canonical.com>
media: cx23885: Fix snd_card_free call on null card pointer
Kees Cook <keescook@chromium.org>
media: tm6000: Avoid card name truncation
Kees Cook <keescook@chromium.org>
media: si470x: Avoid card name truncation
Kees Cook <keescook@chromium.org>
media: radio-wl1273: Avoid card name truncation
Ondrej Jirman <megous@megous.com>
media: sun6i-csi: Allow the video device to be open multiple times
Randy Dunlap <rdunlap@infradead.org>
media: i2c: ths8200 needs V4L2_ASYNC
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
media: imx-jpeg: Fix the error handling path of 'mxc_jpeg_probe()'
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
media: mtk-vpu: Fix a resource leak in the error handling path of 'mtk_vpu_probe()'
Tom Rix <trix@redhat.com>
media: TDA1997x: handle short reads of hdmi info frame.
Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
media: mtk-vcodec: venc: fix return value when start_streaming fails
Ricardo Ribalda <ribalda@chromium.org>
media: v4l2-ioctl: S_CTRL output the right value
Sakari Ailus <sakari.ailus@linux.intel.com>
media: imx258: Fix getting clock frequency
Pavel Skripkin <paskripkin@gmail.com>
media: dvb-usb: fix ununit-value in az6027_rc_query
Evgeny Novikov <novikov@ispras.ru>
media: ttusb-dec: avoid release of non-acquired mutex
Colin Ian King <colin.king@canonical.com>
media: cxd2880-spi: Fix a null pointer dereference on error handling path
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
media: meson-ge2d: Fix rotation parameter changes detection in 'ge2d_s_ctrl()'
Pavel Skripkin <paskripkin@gmail.com>
media: em28xx: add missing em28xx_close_extension
Kumar Kartikeya Dwivedi <memxor@gmail.com>
libbpf: Fix skel_internal.h to set errno on loader retval < 0
Arnd Bergmann <arnd@arndb.de>
drm/amdgpu: fix warning for overflow check
Sudarshan Rajagopalan <quic_sudaraja@quicinc.com>
arm64: mm: update max_pfn after memory hotplug
Matthew Auld <matthew.auld@intel.com>
drm/ttm: stop calling tt_swapin in vm_access
Fabio Estevam <festevam@denx.de>
ath10k: sdio: Add missing BH locking around napi_schdule()
Loic Poulain <loic.poulain@linaro.org>
ath10k: Fix missing frame timestamp for beacon/probe-resp
Arnd Bergmann <arnd@arndb.de>
gve: DQO: avoid unused variable warnings
Baochen Qiang <bqiang@codeaurora.org>
ath11k: Fix memory leak in ath11k_qmi_driver_event_work
Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
ath11k: fix packet drops due to incorrect 6 GHz freq value in rx status
Sriram R <srirrama@codeaurora.org>
ath11k: Avoid race during regd updates
Dan Carpenter <dan.carpenter@oracle.com>
ath11k: fix some sleeping in atomic bugs
Johan Almbladh <johan.almbladh@anyfinetworks.com>
bpf/tests: Fix error in tail call limit tests
Linus Walleij <linus.walleij@linaro.org>
net: dsa: rtl8366: Fix a bug in deleting VLANs
Linus Walleij <linus.walleij@linaro.org>
net: dsa: rtl8366rb: Fix off-by-one bug
Leon Romanovsky <leon@kernel.org>
net/mlx5: Accept devlink user input after driver initialization complete
Johannes Berg <johannes.berg@intel.com>
cfg80211: always free wiphy specific regdomain
Johannes Berg <johannes.berg@intel.com>
mac80211: twt: don't use potentially unaligned pointer
Kees Cook <keescook@chromium.org>
fortify: Fix dropped strcpy() compile-time write overflow check
Florian Westphal <fw@strlen.de>
mptcp: do not shrink snd_nxt when recovering
Jiasheng Jiang <jiasheng@iscas.ac.cn>
rxrpc: Fix _usecs_to_jiffies() by using usecs_to_jiffies()
Leon Romanovsky <leon@kernel.org>
qed: Don't ignore devlink allocation failures
Leon Romanovsky <leon@kernel.org>
bnxt_en: Check devlink allocation and registration status
Hans de Goede <hdegoede@redhat.com>
Bluetooth: hci_h5: Fix (runtime)suspend issues on RTL8723BS HCIs
Giovanni Cabiddu <giovanni.cabiddu@intel.com>
crypto: qat - power up 4xxx device
Michael Walle <michael@walle.cc>
crypto: caam - disable pkc for non-E SoCs
Guchun Chen <guchun.chen@amd.com>
drm/amdgpu: move amdgpu_virt_release_full_gpu to fini_early stage
Harry Wentland <harry.wentland@amd.com>
drm/amd/display: Pass display_pipe_params_st as const in DML
Andrey Grodzovsky <andrey.grodzovsky@amd.com>
drm/amdgpu: Fix crash on device remove/driver unload
Dinghao Liu <dinghao.liu@zju.edu.cn>
Bluetooth: btmtkuart: fix a memleak in mtk_hci_wmt_sync
Ajay Singh <ajay.kathat@microchip.com>
wilc1000: fix possible memory leak in cfg_scan_result()
Bryan O'Donoghue <bryan.odonoghue@linaro.org>
wcn36xx: Fix Antenna Diversity Switching
Waiman Long <longman@redhat.com>
cgroup: Make rebind_subsystems() disable v2 controllers all at once
Yoshitaka Ikeda <ikeda@nskint.co.jp>
spi: Fixed division by zero warning
Alex Bee <knaerzche@gmail.com>
drm: bridge: it66121: Fix return value it66121_probe
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
net: phylink: don't call netif_carrier_off() with NULL netdev
Yajun Deng <yajun.deng@linux.dev>
net: net_namespace: Fix undefined member in key_remove_domain()
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
lockdep: Let lock_is_held_type() detect recursive read as read
liuyuntao <liuyuntao10@huawei.com>
virtio-gpu: fix possible memory allocation failure
Nathan Chancellor <nathan@kernel.org>
crypto: sm4 - Do not change section of ck and sbox
Iago Toral Quiroga <itoral@igalia.com>
drm/v3d: fix wait for TMU write combiner flush
Leon Romanovsky <leon@kernel.org>
net/mlx5: Publish and unpublish all devlink parameters at once
Peter Zijlstra <peterz@infradead.org>
objtool: Handle __sanitize_cov*() tail calls
Peter Zijlstra <peterz@infradead.org>
x86/xen: Mark cpu_bringup_and_idle() as dead_end_function
Aleksander Jan Bajkowski <olek2@wp.pl>
MIPS: lantiq: dma: fix burst length for DEU
Neeraj Upadhyay <neeraju@codeaurora.org>
rcu: Fix existing exp request check in sync_sched_exp_online_cleanup()
Pavel Skripkin <paskripkin@gmail.com>
Bluetooth: hci_uart: fix GPF in h5_recv
Toke Høiland-Jørgensen <toke@redhat.com>
libbpf: Don't crash on object files with no symbol tables
Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Bluetooth: fix init and cleanup of sco_conn.timeout_work
Paul Cercueil <paul@crapouillou.net>
drm/bridge: it66121: Wait for next bridge to be probed
Paul Cercueil <paul@crapouillou.net>
drm/bridge: it66121: Initialize {device,vendor}_ids
Kan Liang <kan.liang@linux.intel.com>
perf/x86/intel/uncore: Fix Intel SPR M3UPI event constraints
Kan Liang <kan.liang@linux.intel.com>
perf/x86/intel/uncore: Fix Intel SPR M2PCIE event constraints
Kan Liang <kan.liang@linux.intel.com>
perf/x86/intel/uncore: Fix Intel SPR IIO event constraints
Kan Liang <kan.liang@linux.intel.com>
perf/x86/intel/uncore: Fix Intel SPR CHA event constraints
Robert Foss <robert.foss@linaro.org>
drm/bridge: anx7625: Propagate errors from sp_tx_rst_aux()
Imre Deak <imre.deak@intel.com>
fbdev/efifb: Release PCI device's runtime PM ref during FB destroy
Andrii Nakryiko <andrii@kernel.org>
selftests/bpf: Fix strobemeta selftest regression
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: conntrack: set on IPS_ASSURED if flows enters internal stream state
Sven Schnelle <svens@stackframe.org>
parisc/kgdb: add kgdb_roundup() to make kgdb work with idle polling
Sven Schnelle <svens@stackframe.org>
parisc/unwind: fix unwinder when CONFIG_64BIT is enabled
Gao Xiang <hsiangkao@linux.alibaba.com>
erofs: don't trigger WARN() when decompression fails
Helge Deller <deller@gmx.de>
task_stack: Fix end_of_stack() for architectures with upwards-growing stack
Sven Schnelle <svens@stackframe.org>
parisc: fix warning in flush_tlb_all
Stephane Eranian <eranian@google.com>
perf/x86/intel: Fix ICL/SPR INST_RETIRED.PREC_DIST encodings
Shuah Khan <skhan@linuxfoundation.org>
selftests/core: fix conflicting types compile error for close_range()
Anson Jacob <Anson.Jacob@amd.com>
drm/amd/display: dcn20_resource_construct reduce scope of FPU enabled
Vitaly Kuznetsov <vkuznets@redhat.com>
x86/hyperv: Protect set_hv_tscchange_cb() against getting preempted
Eric Dumazet <edumazet@google.com>
inet: remove races in inet{6}_getname()
王贇 <yun.wang@linux.alibaba.com>
ftrace: do CPU checking after preemption disabled
Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Revert "wcn36xx: Enable firmware link monitoring"
Loic Poulain <loic.poulain@linaro.org>
wcn36xx: Fix packet drop on resume
Loic Poulain <loic.poulain@linaro.org>
wcn36xx: Correct band/freq reporting on RX
Yang Yingliang <yangyingliang@huawei.com>
spi: bcm-qspi: Fix missing clk_disable_unprepare() on error in bcm_qspi_probe()
Josef Bacik <josef@toxicpanda.com>
btrfs: do not take the uuid_mutex in btrfs_rm_device
Sidong Yang <realwakka@gmail.com>
btrfs: reflink: initialize return value to 0 in btrfs_extent_same()
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: flush switchdev workqueue when leaving the bridge
Hui Wang <hui.wang@canonical.com>
ACPI: resources: Add one more Medion model in IRQ override quirk
Stefan Schaeckeler <schaecsn@gmx.net>
ACPI: AC: Quirk GK45 to skip reading _PSR
Eric Dumazet <edumazet@google.com>
net: annotate data-race in neigh_output()
Florian Westphal <fw@strlen.de>
vrf: run conntrack only in context of lower/physdev for locally generated packets
Viktor Rosendahl <Viktor.Rosendahl@bmw.de>
tools/latency-collector: Use correct size when writing queue_full_warning
Arnd Bergmann <arnd@arndb.de>
ARM: 9136/1: ARMv7-M uses BE-8, not BE-32
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: Fix glock_hash_walk bugs
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: Cancel remote delete work asynchronously
Marc Kleine-Budde <mkl@pengutronix.de>
can: bittiming: can_fixup_bittiming(): change type of tseg1 and alltseg to unsigned int
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: lantiq_gswip: serialize access to the PCE table
Stephen Suryaputra <ssuryaextr@gmail.com>
gre/sit: Don't generate link-local addr if addr_gen_mode is IN6_ADDR_GEN_MODE_NONE
Masami Hiramatsu <mhiramat@kernel.org>
ARM: clang: Do not rely on lr register for stacktrace
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
smackfs: use __GFP_NOFAIL for smk_cipso_doi()
Johannes Berg <johannes.berg@intel.com>
iwlwifi: mvm: disable RX-diversity in powersave
Jiri Olsa <jolsa@redhat.com>
selftests/bpf: Fix perf_buffer test on system with offline cpus
Shuah Khan <skhan@linuxfoundation.org>
selftests: kvm: fix mismatched fclose() after popen()
Ye Bin <yebin10@huawei.com>
PM: hibernate: Get block device exclusively in swsusp_check()
Nick Desaulniers <ndesaulniers@google.com>
arm64: vdso32: suppress error message for 'make mrproper'
David Yang <davidcomponentone@gmail.com>
samples/bpf: Fix application of sizeof to pointer
Hannes Reinecke <hare@suse.de>
nvme: drop scan_lock and always kick requeue list when removing namespaces
Israel Rukshin <israelr@nvidia.com>
nvmet-tcp: fix use-after-free when a port is removed
Israel Rukshin <israelr@nvidia.com>
nvmet-rdma: fix use-after-free when a port is removed
Israel Rukshin <israelr@nvidia.com>
nvmet: fix use-after-free when a port is removed
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/pm: properly handle sclk for profiling modes on vangogh
Michael Tretter <m.tretter@pengutronix.de>
media: allegro: ignore interrupt if mailbox is not initialized
Jens Axboe <axboe@kernel.dk>
block: remove inaccurate requeue check
Yaara Baruch <yaara.baruch@intel.com>
iwlwifi: change all JnP to NO-160 configuration
Zheyu Ma <zheyuma97@gmail.com>
mwl8k: Fix use-after-free in mwl8k_fw_state_machine()
Ryder Lee <ryder.lee@mediatek.com>
mt76: mt7915: fix an off-by-one bound check
Kalesh Singh <kaleshsingh@google.com>
tracing/cfi: Fix cmp_entries_* functions signature mismatch
Menglong Dong <imagedong@tencent.com>
workqueue: make sysfs of unbound kworker cpumask more clever
Lasse Collin <lasse.collin@tukaani.org>
lib/xz: Validate the value before assigning it to an enum variable
Lasse Collin <lasse.collin@tukaani.org>
lib/xz: Avoid overlapping memcpy() with invalid input with in-place decompression
Yanfei Xu <yanfei.xu@windriver.com>
locking/rwsem: Disable preemption for spinning region
Zheyu Ma <zheyuma97@gmail.com>
memstick: r592: Fix a UAF bug when removing the driver
Xiao Ni <xni@redhat.com>
md: update superblock after changing rdev flags in state_store
Luis Chamberlain <mcgrof@kernel.org>
floppy: fix calling platform_device_unregister() on invalid drives
Jens Axboe <axboe@kernel.dk>
block: bump max plugged deferred size from 16 to 32
Ansuel Smith <ansuelsmth@gmail.com>
thermal/drivers/tsens: Add timeout to get_temp_tsens_valid
Tim Gardner <tim.gardner@canonical.com>
drm/msm: prevent NULL dereference in msm_gpu_crashstate_capture()
Yuanzheng Song <songyuanzheng@huawei.com>
thermal/core: Fix null pointer dereference in thermal_release()
Kees Cook <keescook@chromium.org>
leaking_addresses: Always print a trailing newline
Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
net: phy: micrel: make *-skew-ps check more lenient
Yifan Zhang <yifan1.zhang@amd.com>
drm/amdkfd: fix resume error when iommu disabled in Picasso
Aurabindo Pillai <aurabindo.pillai@amd.com>
drm/amd/display: fix null pointer deref when plugging in display
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: scan: Release PM resources blocked by unused objects
André Almeida <andrealmeid@collabora.com>
ACPI: battery: Accept charges over the design capacity as full
Andreas Gruenbacher <agruenba@redhat.com>
iov_iter: Fix iov_iter_get_pages{,_alloc} page fault return value
Xin Xiong <xiongx18@fudan.edu.cn>
mmc: moxart: Fix reference count leaks in moxart_probe
Will Deacon <will@kernel.org>
KVM: arm64: Propagate errors from __pkvm_prot_finalize hypercall
Tuo Li <islituo@gmail.com>
ath: dfs_pattern_detector: Fix possible null-pointer dereference in channel_detector_create()
Steven Rostedt (VMware) <rostedt@goodmis.org>
tracing: Disable "other" permission bits in the tracefs files
Steven Rostedt (VMware) <rostedt@goodmis.org>
tracefs: Have tracefs directories not set OTH permission bits by default
Alex Sierra <alex.sierra@amd.com>
drm/amdkfd: rm BO resv on validation to avoid deadlock
Antoine Tenart <atenart@kernel.org>
net-sysfs: try not to restart the syscall if it will fail eventually
Anant Thazhemadam <anant.thazhemadam@gmail.com>
media: usb: dvd-usb: fix uninit-value bug in dibusb_read_eeprom_byte()
Ricardo Ribalda <ribalda@chromium.org>
media: ipu3-imgu: VIDIOC_QUERYCAP: Fix bus_info
Ricardo Ribalda <ribalda@chromium.org>
media: ipu3-imgu: imgu_fmt: Handle properly try
Mirela Rabulea <mirela.rabulea@nxp.com>
media: imx-jpeg: Fix possible null pointer dereference
Wojciech Drewek <wojciech.drewek@intel.com>
ice: Move devlink port to PF/VF struct
Vincent Donnefort <vincent.donnefort@arm.com>
cpufreq: Make policy min/max hard requirements
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPICA: Avoid evaluating methods too early during system resume
Li Zhijian <lizhijian@cn.fujitsu.com>
kselftests/sched: cleanup the child processes
Josh Don <joshdon@google.com>
fs/proc/uptime.c: Fix idle time reporting in /proc/uptime
Corey Minyard <cminyard@mvista.com>
ipmi: Disable some operations during a panic
Nadezda Lutovinova <lutovinova@ispras.ru>
media: rcar-csi2: Add checking to rcsi2_start_receiver()
Hans de Goede <hdegoede@redhat.com>
brcmfmac: Add DMI nvram filename quirk for Cyberbook T116 tablet
Zong-Zhe Yang <kevin_yang@realtek.com>
rtw88: fix RX clock gate setting while fifo dump
Randy Dunlap <rdunlap@infradead.org>
ia64: don't do IA64_CMPXCHG_DEBUG without CONFIG_PRINTK
Rajat Asthana <rajatasthana4@gmail.com>
media: mceusb: return without resubmitting URB in case of -EPROTO error.
Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
media: rcar-vin: Use user provided buffers when starting
Martin Kepplinger <martink@posteo.de>
media: imx: set a media_device bus_info string
Sergey Senozhatsky <senozhatsky@chromium.org>
media: videobuf2: rework vb2_mem_ops API
Nadezda Lutovinova <lutovinova@ispras.ru>
media: s5p-mfc: Add checking to s5p_mfc_probe().
Tuo Li <islituo@gmail.com>
media: s5p-mfc: fix possible null-pointer dereference in s5p_mfc_probe()
Evgeny Novikov <novikov@ispras.ru>
media: vidtv: Fix memory leak in remove
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Set unique vdev name based in type
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Return -EIO for control errors
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Set capability in s_param
Dmitriy Ulitin <ulitin@ispras.ru>
media: stm32: Potential NULL pointer dereference in dcmi_irq_thread()
Evgeny Novikov <novikov@ispras.ru>
media: atomisp: Fix error handling in probe
Zheyu Ma <zheyuma97@gmail.com>
media: netup_unidvb: handle interrupt properly according to the firmware
Dirk Bender <d.bender@phytec.de>
media: mt9p031: Fix corrupted frame after restarting stream
Rakesh Babu <rsaladi2@marvell.com>
octeontx2-pf: Enable promisc/allmulti match MCAM entries.
Alagu Sankar <alagusankar@silex-india.com>
ath10k: high latency fixes for beacon buffer
Baochen Qiang <bqiang@codeaurora.org>
ath11k: Change DMA_FROM_DEVICE to DMA_TO_DEVICE when map reinjected packets
Wen Gong <wgong@codeaurora.org>
ath11k: add handler for scan event WMI_SCAN_EVENT_DEQUEUED
Sriram R <srirrama@codeaurora.org>
ath11k: Avoid reg rules update during firmware recovery
Johannes Berg <johannes.berg@intel.com>
leds: trigger: use RCU to protect the led_cdevs list
Petr Machata <petrm@nvidia.com>
selftests: net: fib_nexthops: Wait before checking reported idle time
Herbert Xu <herbert@gondor.apana.org.au>
crypto: api - Fix built-in testing dependency failures
Jimmy Kizito <Jimmy.Kizito@amd.com>
drm/amd/display: Fix null pointer dereference for encoders
Andrey Grodzovsky <andrey.grodzovsky@amd.com>
drm/amdgpu: Fix MMIO access page fault
Eric Biggers <ebiggers@google.com>
fscrypt: allow 256-bit master keys with AES-256-XTS
Mark Brown <broonie@kernel.org>
spi: Check we have a spi_device_id for each DT compatible
Jonas Dreßler <verdre@v0yd.nl>
mwifiex: Properly initialize private structure on interface type changes
Jonas Dreßler <verdre@v0yd.nl>
mwifiex: Run SET_BSS_MODE when changing from P2P to STATION vif-type
Peter Zijlstra <peterz@infradead.org>
x86: Increase exception stack sizes
Peter Zijlstra <peterz@infradead.org>
x86/mm/64: Improve stack overflow warnings
Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
crypto: aesni - check walk.nbytes instead of err
Seevalamuthu Mariappan <seevalam@codeaurora.org>
ath11k: Align bss_chan_info structure with firmware
Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
smackfs: Fix use-after-free in netlbl_catmap_walk()
Paul E. McKenney <paulmck@kernel.org>
rcu-tasks: Move RTGS_WAIT_CBS to beginning of rcu_tasks_kthread() loop
Hui Wang <hui.wang@canonical.com>
ACPI: resources: Add DMI-based legacy IRQ override quirk
Jakub Kicinski <kuba@kernel.org>
net: sched: update default qdisc visibility after Tx queue cnt changes
Peter Zijlstra <peterz@infradead.org>
locking/lockdep: Avoid RCU-induced noinstr fail
Aleksander Jan Bajkowski <olek2@wp.pl>
MIPS: lantiq: dma: reset correct number of channel
Aleksander Jan Bajkowski <olek2@wp.pl>
MIPS: lantiq: dma: add small delay after reset
James Zhu <James.Zhu@amd.com>
drm/amdgpu: move iommu_resume before ip init/resume
Barnabás Pőcze <pobrn@protonmail.com>
platform/x86: wmi: do not fail if disabling fails
Scott Wood <swood@redhat.com>
rcutorture: Avoid problematic critical section nesting on PREEMPT_RT
Simon Ser <contact@emersion.fr>
drm/panel-orientation-quirks: add Valve Steam Deck
Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Bluetooth: call sock_hold earlier in sco_conn_del
Wang ShaoBo <bobo.shaobowang@huawei.com>
Bluetooth: fix use-after-free error in lock_sock_nested()
Takashi Iwai <tiwai@suse.de>
Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()
Hans de Goede <hdegoede@redhat.com>
drm: panel-orientation-quirks: Add quirk for the Samsung Galaxy Book 10.6
Hans de Goede <hdegoede@redhat.com>
drm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200 2-in-1
Hans de Goede <hdegoede@redhat.com>
drm: panel-orientation-quirks: Update the Lenovo Ideapad D330 quirk (v2)
Charan Teja Reddy <charante@codeaurora.org>
dma-buf: WARN on dmabuf release with pending attachments
Kai Vehmanen <kai.vehmanen@linux.intel.com>
component: do not leave master devres group open after bind
Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
power: supply: max17042_battery: Clear status bits in interrupt handler
Johan Hovold <johan@kernel.org>
USB: chipidea: fix interrupt deadlock
Johan Hovold <johan@kernel.org>
USB: iowarrior: fix control-message timeouts
Johan Hovold <johan@kernel.org>
most: fix control-message timeouts
Johan Hovold <johan@kernel.org>
Revert "serial: 8250: Fix reporting real baudrate value in c_ospeed field"
Pali Rohár <pali@kernel.org>
serial: 8250: Fix reporting real baudrate value in c_ospeed field
Jens Axboe <axboe@kernel.dk>
io-wq: serialize hash clear with wakeup
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: set unique value to volume serial field in FS_VOLUME_INFORMATION
Johan Hovold <johan@kernel.org>
serial: 8250: fix racy uartclk update
Wang Hai <wanghai38@huawei.com>
USB: serial: keyspan: fix memleak on probe errors
Mihail Chindris <mihail.chindris@analog.com>
Documentation:devicetree:bindings:iio:dac: Fix val
Nuno Sá <nuno.sa@analog.com>
iio: ad5770r: make devicetree property reading consistent
Pekka Korpinen <pekka.korpinen@iki.fi>
iio: dac: ad5446: Fix ad5622_write() return value
Mihail Chindris <mihail.chindris@analog.com>
drivers: iio: dac: ad5766: Fix dt property name
Yang Yingliang <yangyingliang@huawei.com>
iio: buffer: Fix memory leak in iio_buffer_register_legacy_sysfs_groups()
Yang Yingliang <yangyingliang@huawei.com>
iio: buffer: Fix memory leak in __iio_buffer_alloc_sysfs_and_mask()
Yang Yingliang <yangyingliang@huawei.com>
iio: buffer: Fix memory leak in iio_buffers_alloc_sysfs_and_mask()
Yang Yingliang <yangyingliang@huawei.com>
iio: buffer: check return value of kstrdup_const()
Suzuki K Poulose <suzuki.poulose@arm.com>
coresight: trbe: Defer the probe on offline CPUs
Suzuki K Poulose <suzuki.poulose@arm.com>
coresight: trbe: Fix incorrect access of the sink specific data
Tao Zhang <quic_taozha@quicinc.com>
coresight: cti: Correct the parameter for pm_runtime_put
Yang Yingliang <yangyingliang@huawei.com>
pinctrl: core: fix possible memory leak in pinctrl_enable()
Robert Marko <robert.marko@sartura.hr>
mfd: simple-mfd-i2c: Select MFD_CORE to fix build error
Paulo Alcantara <pc@cjr.nz>
cifs: set a minimum of 120s for next dns resolution
Shyam Prasad N <sprasad@microsoft.com>
cifs: To match file servers, make sure the server hostname matches
Zhang Yi <yi.zhang@huawei.com>
quota: correct error number in free_dqentry()
Zhang Yi <yi.zhang@huawei.com>
quota: check block number when reading the block in quota file
Pali Rohár <pali@kernel.org>
PCI: aardvark: Fix support for PCI_ROM_ADDRESS1 on emulated bridge
Pali Rohár <pali@kernel.org>
PCI: aardvark: Set PCI Bridge Class Code to PCI Bridge
Pali Rohár <pali@kernel.org>
PCI: aardvark: Fix support for PCI_BRIDGE_CTL_BUS_RESET on emulated bridge
Pali Rohár <pali@kernel.org>
PCI: aardvark: Fix support for bus mastering and PCI_COMMAND on emulated bridge
Marek Behún <kabel@kernel.org>
PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG
Marek Behún <kabel@kernel.org>
PCI: aardvark: Fix return value of MSI domain .alloc() method
Pali Rohár <pali@kernel.org>
PCI: aardvark: Fix configuring Reference clock
Pali Rohár <pali@kernel.org>
PCI: aardvark: Fix reporting Data Link Layer Link Active
Pali Rohár <pali@kernel.org>
PCI: aardvark: Do not unmask unused interrupts
Pali Rohár <pali@kernel.org>
PCI: aardvark: Fix checking for link up via LTSSM state
Pali Rohár <pali@kernel.org>
PCI: aardvark: Do not clear status bits of masked interrupts
Dan Williams <dan.j.williams@intel.com>
cxl/pci: Fix NULL vs ERR_PTR confusion
Li Chen <lchen@ambarella.com>
PCI: cadence: Add cdns_plat_pcie_probe() missing return
Marek Behún <kabel@kernel.org>
PCI: pci-bridge-emul: Fix emulation of W1C bits
Miklos Szeredi <mszeredi@redhat.com>
ovl: fix filattr copy-up failure
yangerkun <yangerkun@huawei.com>
ovl: fix use after free in struct ovl_aio_req
Juergen Gross <jgross@suse.com>
xen/balloon: add late_initcall_sync() for initial ballooning done
Arnd Bergmann <arnd@arndb.de>
ifb: fix building without CONFIG_NET_CLS_ACT
Pali Rohár <pali@kernel.org>
serial: core: Fix initializing and restoring termios speed
Steven Rostedt (VMware) <rostedt@goodmis.org>
ring-buffer: Protect ring_buffer_reset() from reentrancy
Pavel Begunkov <asml.silence@gmail.com>
io_uring: honour zeroes as io-wq worker limits
Xiaoming Ni <nixiaoming@huawei.com>
powerpc/85xx: Fix oops when mpc85xx_smp_guts_ids node cannot be found
Oleksij Rempel <linux@rempel-privat.de>
iio: adc: tsc2046: fix scan interval warning
Zhang Changzhong <zhangchangzhong@huawei.com>
can: j1939: j1939_tp_cmd_recv(): check the dst address of TP.CM_BAM
Zhang Changzhong <zhangchangzhong@huawei.com>
can: j1939: j1939_can_recv(): ignore messages with invalid source address
Zhang Changzhong <zhangchangzhong@huawei.com>
can: j1939: j1939_tp_cmd_recv(): ignore abort message in the BAM transport
Marc Kleine-Budde <mkl@pengutronix.de>
can: mcp251xfd: mcp251xfd_irq(): add missing can_rx_offload_threaded_irq_finish() in case of bus off
Stephane Grosjean <s.grosjean@peak-system.com>
can: peak_usb: always ask for BERR reporting for PCAN-USB devices
Sean Christopherson <seanjc@google.com>
KVM: nVMX: Handle dynamic MSR intercept toggling
Sean Christopherson <seanjc@google.com>
KVM: nVMX: Query current VMCS when determining if MSR bitmaps are in use
Sean Christopherson <seanjc@google.com>
KVM: x86: Add helper to consolidate core logic of SET_CPUID{2} flows
David Woodhouse <dwmw2@infradead.org>
KVM: x86: Fix recording of guest steal time / preempted status
Mark Rutland <mark.rutland@arm.com>
KVM: arm64: Extract ESR_ELx.EC only
Yang Yingliang <yangyingliang@huawei.com>
iio: core: check return value when calling dev_set_name()
Yang Yingliang <yangyingliang@huawei.com>
iio: core: fix double free in iio_device_unregister_sysfs()
Henrik Grimler <henrik@grimler.se>
power: supply: max17042_battery: use VFSOC for capacity when no rsns
Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
power: supply: max17042_battery: Prevent int underflow in set_soc_threshold
Eugene Syromiatnikov <esyr@redhat.com>
mctp: handle the struct sockaddr_mctp padding fields
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: rawnand: socrates: Keep the driver compatible with on-die ECC engines
Meng Li <Meng.Li@windriver.com>
soc: fsl: dpio: use the combined functions to protect critical zone
Meng Li <Meng.Li@windriver.com>
soc: fsl: dpio: replace smp_processor_id with raw_smp_processor_id
David Virag <virag.david003@gmail.com>
soc: samsung: exynos-pmu: Fix compilation when nothing selects CONFIG_MFD_CORE
Eric W. Biederman <ebiederm@xmission.com>
signal: Add SA_IMMUTABLE to ensure forced siganls do not get changed
Eric W. Biederman <ebiederm@xmission.com>
signal/mips: Update (_save|_restore)_fp_context to fail with -EFAULT
Wolfram Sang <wsa+renesas@sang-engineering.com>
memory: renesas-rpc-if: Correct QSPI data transfer in Manual mode
Eric W. Biederman <ebiederm@xmission.com>
signal: Remove the bogus sigkill_pending in ptrace_stop
Dmitry Osipenko <digetx@gmail.com>
ASoC: tegra: Restore AC97 support
Dmitry Osipenko <digetx@gmail.com>
ASoC: tegra: Set default card name for Trimslice
Alok Prasad <palok@marvell.com>
RDMA/qedr: Fix NULL deref for query_qp on the GSI QP
Kan Liang <kan.liang@linux.intel.com>
perf/x86/intel/uncore: Fix Intel ICX IIO event constraints
Kan Liang <kan.liang@linux.intel.com>
perf/x86/intel/uncore: Fix invalid unit check
Kan Liang <kan.liang@linux.intel.com>
perf/x86/intel/uncore: Support extra IMC channel on Ice Lake server
Marek Vasut <marex@denx.de>
rsi: Fix module dev_oper_mode parameter description
Martin Fuzzey <martin.fuzzey@flowbird.group>
rsi: fix rate mask set leading to P2P failure
Martin Fuzzey <martin.fuzzey@flowbird.group>
rsi: fix key enabled check causing unwanted encryption for vap_id > 0
Martin Fuzzey <martin.fuzzey@flowbird.group>
rsi: fix occasional initialisation failure with BT coex
Benjamin Li <benl@squareup.com>
wcn36xx: handle connection loss indication
Christian König <christian.koenig@amd.com>
dma-buf: fix and rework dma_buf_poll v7
Reimar Döffinger <Reimar.Doeffinger@gmx.de>
libata: fix checking of DMA state
Jonas Dreßler <verdre@v0yd.nl>
mwifiex: Try waking the firmware until we get an interrupt
Jonas Dreßler <verdre@v0yd.nl>
mwifiex: Read a PCI register after writing the TX ring write pointer
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: sleep: Do not let "syscore" devices runtime-suspend during system transitions
Loic Poulain <loic.poulain@linaro.org>
wcn36xx: Fix (QoS) null data frame bitrate/modulation
Loic Poulain <loic.poulain@linaro.org>
wcn36xx: Fix tx_status mechanism
Loic Poulain <loic.poulain@linaro.org>
wcn36xx: Fix HT40 capability for 2Ghz band
Maximilian Luz <luzmaximilian@gmail.com>
HID: surface-hid: Allow driver matching for target ID 1 devices
Maximilian Luz <luzmaximilian@gmail.com>
HID: surface-hid: Use correct event registry for managing HID events
Felix Fietkau <nbd@nbd.name>
mt76: mt7615: fix skb use-after-free on mac reset
Maximilian Luz <luzmaximilian@gmail.com>
platform/surface: aggregator_registry: Add support for Surface Laptop Studio
Lukas Wunner <lukas@wunner.de>
ifb: Depend on netfilter alternatively to tc
Austin Kim <austin.kim@lge.com>
evm: mark evm_fixmode as __ro_after_init
Johan Hovold <johan@kernel.org>
rtl8187: fix control-message timeouts
Ingmar Klein <ingmar_klein@web.de>
PCI: Mark Atheros QCA6174 to avoid bus reset
Johan Hovold <johan@kernel.org>
ath10k: fix division by zero in send path
Johan Hovold <johan@kernel.org>
ath10k: fix control-message timeout
Johan Hovold <johan@kernel.org>
ath6kl: fix control-message timeout
Johan Hovold <johan@kernel.org>
ath6kl: fix division by zero in send path
Johan Hovold <johan@kernel.org>
mwifiex: fix division by zero in fw download path
Eric Badger <ebadger@purestorage.com>
EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell
Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
regulator: dt-bindings: samsung,s5m8767: correct s5m8767,pmic-buck-default-dvs-idx property
Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled
Zev Weiss <zev@bewilderbeest.net>
hwmon: (pmbus/lm25066) Add offset coefficients
Guoqing Jiang <guoqing.jiang@linux.dev>
md/raid1: only allocate write behind bio for WriteMostly device
Corey Minyard <cminyard@mvista.com>
ipmi:watchdog: Set panic count to proper value on a panic
Ondrej Mosnacek <omosnace@redhat.com>
selinux: fix race condition when computing ocontext SIDs
Masami Hiramatsu <mhiramat@kernel.org>
ia64: kprobes: Fix to pass correct trampoline address to the handler
Laurent Vivier <lvivier@redhat.com>
KVM: PPC: Tick accounting should defer vtime accounting 'til after IRQ handling
Andreas Gruenbacher <agruenba@redhat.com>
powerpc/kvm: Fix kvm_use_magic_page
Sean Christopherson <seanjc@google.com>
KVM: VMX: Unregister posted interrupt wakeup handler on hardware unsetup
Sean Christopherson <seanjc@google.com>
KVM: x86/mmu: Drop a redundant, broken remote TLB flush
Anand Jain <anand.jain@oracle.com>
btrfs: call btrfs_check_rw_degradable only if there is a missing device
Filipe Manana <fdmanana@suse.com>
btrfs: fix lost error handling when replaying directory deletes
Li Zhang <zhanglikernel@gmail.com>
btrfs: clear MISSING device status bit in btrfs_close_one_device
Peter Zijlstra <peterz@infradead.org>
x86/iopl: Fake iopl(3) CLI/STI usage
Sean Christopherson <seanjc@google.com>
x86/irq: Ensure PI wakeup handler is unregistered before module unload
Jane Malalane <jane.malalane@citrix.com>
x86/cpu: Fix migration safety with X86_BUG_NULL_SEL
Tom Lendacky <thomas.lendacky@amd.com>
x86/sme: Use #define USE_EARLY_PGTABLE_L5 in mem_encrypt_identity.c
Miklos Szeredi <mszeredi@redhat.com>
fuse: fix page stealing
yangerkun <yangerkun@huawei.com>
ext4: refresh the ext4_ext_path struct after dropping i_data_sem.
yangerkun <yangerkun@huawei.com>
ext4: ensure enough credits in ext4_ext_shift_path_extents
Shaoying Xu <shaoyi@amazon.com>
ext4: fix lazy initialization next schedule time computation in more granular unit
Eric Whitney <enwlinux@gmail.com>
Revert "ext4: enforce buffer head state assertion in ext4_da_map_blocks"
Takashi Iwai <tiwai@suse.de>
ALSA: timer: Unconditionally unlink slave instances, too
Wang Wensheng <wangwensheng4@huawei.com>
ALSA: timer: Fix use-after-free problem
Takashi Iwai <tiwai@suse.de>
ALSA: PCM: Fix NULL dereference at mmap checks
Takashi Iwai <tiwai@suse.de>
ALSA: pci: rme: Fix unaligned buffer addresses
Austin Kim <austin.kim@lge.com>
ALSA: synth: missing check for possible NULL after the call to kstrdup
Takashi Iwai <tiwai@suse.de>
ALSA: hda: Free card instance properly at probe errors
Alexander Tsoy <alexander@tsoy.me>
ALSA: usb-audio: Add registration quirk for JBL Quantum 400
Jason Ormes <skryking@gmail.com>
ALSA: usb-audio: Line6 HX-Stomp XL USB_ID for 48k-fixed quirk
Pavel Skripkin <paskripkin@gmail.com>
ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume
Takashi Iwai <tiwai@suse.de>
ALSA: mixer: oss: Fix racy access to slots
Johan Hovold <johan@kernel.org>
ALSA: line6: fix control and interrupt message timeouts
Johan Hovold <johan@kernel.org>
ALSA: 6fire: fix control and bulk message timeouts
Johan Hovold <johan@kernel.org>
ALSA: ua101: fix division by zero at probe
Kai-Heng Feng <kai.heng.feng@canonical.com>
ALSA: hda/realtek: Add quirk for HP EliteBook 840 G7 mute LED
Takashi Iwai <tiwai@suse.de>
ALSA: hda/realtek: Add quirk for ASUS UX550VE
Jaroslav Kysela <perex@perex.cz>
ALSA: hda/realtek: Add a quirk for Acer Spin SP513-54N
Jeremy Soller <jeremy@system76.com>
ALSA: hda/realtek: Headset fixup for Clevo NH77HJQ
Tim Crawford <tcrawford@system76.com>
ALSA: hda/realtek: Add quirk for Clevo PC70HS
Takashi Iwai <tiwai@suse.de>
ALSA: hda/realtek: Add a quirk for HP OMEN 15 mute LED
Johnathon Clark <john.clark@cantab.net>
ALSA: hda/realtek: Fix mic mute LED for the HP Spectre x360 14
Ricardo Ribalda <ribalda@chromium.org>
media: v4l2-ioctl: Fix check_ext_ctrls
Sean Young <sean@mess.org>
media: ir-kbd-i2c: improve responsiveness of hauppauge zilog receivers
Chen-Yu Tsai <wenst@chromium.org>
media: rkvdec: Support dynamic resolution changes
Sean Young <sean@mess.org>
media: ite-cir: IR receiver stop working after receive overflow
Chen-Yu Tsai <wenst@chromium.org>
media: rkvdec: Do not override sizeimage for output format
Tang Bin <tangbin@cmss.chinamobile.com>
crypto: s5p-sss - Add error handling in s5p_aes_probe()
jing yangyang <cgel.zte@gmail.com>
firmware/psci: fix application of sizeof to pointer
Dan Carpenter <dan.carpenter@oracle.com>
tpm: Check for integer overflow in tpm2_map_response_body()
Helge Deller <deller@gmx.de>
parisc: Fix ptrace check on syscall return
Helge Deller <deller@gmx.de>
parisc: Fix set_fixmap() on PA1.x CPUs
Pavel Begunkov <asml.silence@gmail.com>
io-wq: remove worker to owner tw dependency
Sungjong Seo <sj1557.seo@samsung.com>
exfat: fix incorrect loading of i_blocks for large files
Christian Löhle <CLoehle@hyperstone.com>
mmc: dw_mmc: Dont wait for DRTO on Write RSP error
Derong Liu <derong.liu@mediatek.com>
mmc: mtk-sd: Add wait dma stop done flow
Ziyang Xuan <william.xuanziyang@huawei.com>
char: xillybus: fix msg_ep UAF in xillyusb_probe()
Ben Skeggs <bskeggs@redhat.com>
ce/gf100: fix incorrect CE0 address calculation on some GPUs
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: Fix use after free in eh_abort path
Arun Easi <aeasi@marvell.com>
scsi: qla2xxx: Fix kernel crash when accessing port_speed sysfs file
Arun Easi <aeasi@marvell.com>
scsi: qla2xxx: Fix crash in NVMe abort path
James Smart <jsmart2021@gmail.com>
scsi: lpfc: Fix FCP I/O flush functionality for TMF routines
James Smart <jsmart2021@gmail.com>
scsi: lpfc: Don't release final kref on Fport node while ABTS outstanding
Tadeusz Struk <tadeusz.struk@linaro.org>
scsi: core: Remove command size deduction from scsi_setup_scsi_cmnd()
Ewan D. Milne <emilne@redhat.com>
scsi: core: Avoid leaving shost->last_reset with stale value if EH does not run
Tadeusz Struk <tadeusz.struk@linaro.org>
scsi: scsi_ioctl: Validate command size
Jan Kara <jack@suse.cz>
ocfs2: fix data corruption on truncate
Damien Le Moal <damien.lemoal@opensource.wdc.com>
libata: fix read log timeout value
Takashi Iwai <tiwai@suse.de>
Input: i8042 - Add quirk for Fujitsu Lifebook T725
Phoenix Huang <phoenix@emc.com.tw>
Input: elantench - fix misreporting trackpoint coordinates
Johan Hovold <johan@kernel.org>
Input: iforce - fix control-message timeout
Nehal Bakulchandra Shah <Nehal-Bakulchandra.shah@amd.com>
usb: xhci: Enable runtime-pm by default on AMD Yellow Carp platform
Mathias Nyman <mathias.nyman@linux.intel.com>
xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good delay
-------------
Diffstat:
Documentation/admin-guide/kernel-parameters.txt | 7 +
.../devicetree/bindings/iio/dac/adi,ad5766.yaml | 2 +-
.../bindings/regulator/samsung,s5m8767.txt | 23 +-
Documentation/filesystems/fscrypt.rst | 10 +-
Makefile | 4 +-
arch/alpha/include/asm/processor.h | 2 +-
arch/alpha/kernel/process.c | 5 +-
arch/arc/include/asm/processor.h | 2 +-
arch/arc/kernel/stacktrace.c | 4 +-
arch/arm/Makefile | 22 +-
arch/arm/boot/dts/at91-tse850-3.dts | 2 +-
arch/arm/boot/dts/bcm4708-netgear-r6250.dts | 2 +-
arch/arm/boot/dts/bcm4709-asus-rt-ac87u.dts | 2 +-
arch/arm/boot/dts/bcm4709-buffalo-wxr-1900dhp.dts | 2 +-
arch/arm/boot/dts/bcm4709-linksys-ea9200.dts | 2 +-
arch/arm/boot/dts/bcm4709-netgear-r7000.dts | 2 +-
arch/arm/boot/dts/bcm4709-netgear-r8000.dts | 2 +-
arch/arm/boot/dts/bcm4709-tplink-archer-c9-v1.dts | 2 +-
arch/arm/boot/dts/bcm47094-luxul-xwc-2000.dts | 2 +-
arch/arm/boot/dts/bcm53016-meraki-mr32.dts | 2 +-
arch/arm/boot/dts/bcm94708.dts | 2 +-
arch/arm/boot/dts/bcm94709.dts | 2 +-
arch/arm/boot/dts/omap3-gta04.dtsi | 2 +-
arch/arm/boot/dts/qcom-msm8974.dtsi | 4 +-
arch/arm/boot/dts/stm32mp15-pinctrl.dtsi | 8 +-
arch/arm/boot/dts/stm32mp151.dtsi | 16 +-
arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi | 2 +-
arch/arm/boot/dts/stm32mp15xx-dkx.dtsi | 2 +-
arch/arm/include/asm/processor.h | 2 +-
arch/arm/kernel/process.c | 4 +-
arch/arm/kernel/stacktrace.c | 3 +-
arch/arm/mach-s3c/irq-s3c24xx.c | 22 +-
arch/arm/mm/Kconfig | 2 +-
arch/arm/mm/kasan_init.c | 2 +-
arch/arm/mm/mmu.c | 4 +-
arch/arm64/boot/dts/amlogic/meson-g12a-sei510.dts | 2 +-
arch/arm64/boot/dts/amlogic/meson-g12a-u200.dts | 2 +-
arch/arm64/boot/dts/amlogic/meson-g12a-x96-max.dts | 2 +-
.../boot/dts/amlogic/meson-g12b-khadas-vim3.dtsi | 4 +-
.../boot/dts/amlogic/meson-g12b-odroid-n2.dtsi | 4 +-
arch/arm64/boot/dts/amlogic/meson-g12b-w400.dtsi | 4 +-
.../boot/dts/amlogic/meson-sm1-bananapi-m5.dts | 2 +-
.../boot/dts/amlogic/meson-sm1-khadas-vim3l.dts | 2 +-
arch/arm64/boot/dts/amlogic/meson-sm1-odroid.dtsi | 6 +-
arch/arm64/boot/dts/amlogic/meson-sm1-sei610.dts | 2 +-
arch/arm64/boot/dts/broadcom/bcm4908/bcm4908.dtsi | 2 +-
arch/arm64/boot/dts/qcom/msm8916.dtsi | 8 +-
arch/arm64/boot/dts/qcom/pm8916.dtsi | 1 -
arch/arm64/boot/dts/qcom/pmi8994.dtsi | 2 +-
.../arm64/boot/dts/qcom/sc7180-trogdor-coachz.dtsi | 2 +-
.../arm64/boot/dts/qcom/sc7180-trogdor-pompom.dtsi | 8 +-
arch/arm64/boot/dts/qcom/sc7180.dtsi | 52 ++---
arch/arm64/boot/dts/qcom/sc7280.dtsi | 8 +-
arch/arm64/boot/dts/qcom/sdm845.dtsi | 6 +-
.../arm64/boot/dts/renesas/beacon-renesom-som.dtsi | 1 +
arch/arm64/boot/dts/rockchip/rk3328.dtsi | 2 +-
arch/arm64/boot/dts/ti/k3-j7200-main.dtsi | 6 +-
arch/arm64/boot/dts/ti/k3-j721e-main.dtsi | 16 +-
arch/arm64/include/asm/esr.h | 1 +
arch/arm64/include/asm/pgtable.h | 12 +-
arch/arm64/include/asm/processor.h | 2 +-
arch/arm64/kernel/cpufeature.c | 10 +-
arch/arm64/kernel/process.c | 4 +-
arch/arm64/kernel/vdso32/Makefile | 3 +-
arch/arm64/kvm/arm.c | 30 ++-
arch/arm64/kvm/hyp/hyp-entry.S | 2 +-
arch/arm64/kvm/hyp/nvhe/host.S | 2 +-
arch/arm64/mm/mmu.c | 5 +
arch/csky/include/asm/processor.h | 2 +-
arch/csky/kernel/stacktrace.c | 5 +-
arch/h8300/include/asm/processor.h | 2 +-
arch/h8300/kernel/process.c | 5 +-
arch/hexagon/include/asm/processor.h | 2 +-
arch/hexagon/kernel/process.c | 4 +-
arch/ia64/Kconfig.debug | 2 +-
arch/ia64/include/asm/processor.h | 2 +-
arch/ia64/kernel/kprobes.c | 9 +-
arch/ia64/kernel/process.c | 5 +-
arch/m68k/Kconfig.machine | 1 +
arch/m68k/include/asm/processor.h | 2 +-
arch/m68k/kernel/process.c | 4 +-
arch/microblaze/include/asm/processor.h | 2 +-
arch/microblaze/kernel/process.c | 2 +-
arch/mips/Kbuild.platforms | 2 +-
arch/mips/Kconfig | 1 +
arch/mips/Makefile | 2 +
arch/mips/include/asm/cmpxchg.h | 5 +-
arch/mips/include/asm/mips-cm.h | 12 +-
arch/mips/include/asm/processor.h | 2 +-
arch/mips/kernel/mips-cm.c | 21 +-
arch/mips/kernel/process.c | 8 +-
arch/mips/kernel/r2300_fpu.S | 4 +-
arch/mips/kernel/syscall.c | 9 -
arch/mips/lantiq/xway/dma.c | 23 +-
arch/nds32/include/asm/processor.h | 2 +-
arch/nds32/kernel/process.c | 7 +-
arch/nios2/include/asm/processor.h | 2 +-
arch/nios2/kernel/process.c | 5 +-
arch/openrisc/include/asm/processor.h | 2 +-
arch/openrisc/kernel/dma.c | 4 +-
arch/openrisc/kernel/process.c | 2 +-
arch/openrisc/kernel/smp.c | 6 +-
arch/parisc/include/asm/pgtable.h | 10 +-
arch/parisc/include/asm/processor.h | 2 +-
arch/parisc/kernel/cache.c | 4 +-
arch/parisc/kernel/entry.S | 2 +-
arch/parisc/kernel/process.c | 5 +-
arch/parisc/kernel/smp.c | 19 +-
arch/parisc/kernel/unwind.c | 21 +-
arch/parisc/kernel/vmlinux.lds.S | 3 +-
arch/parisc/mm/fixmap.c | 5 +-
arch/parisc/mm/init.c | 4 +-
arch/powerpc/Kconfig | 6 +-
arch/powerpc/include/asm/nohash/32/pgtable.h | 19 +-
arch/powerpc/include/asm/nohash/32/pte-8xx.h | 22 ++
arch/powerpc/include/asm/nohash/64/pgtable.h | 5 -
arch/powerpc/include/asm/nohash/pte-book3e.h | 18 +-
arch/powerpc/include/asm/paravirt.h | 18 +-
arch/powerpc/include/asm/processor.h | 2 +-
arch/powerpc/kernel/firmware.c | 7 +-
arch/powerpc/kernel/head_booke.h | 15 +-
arch/powerpc/kernel/interrupt.c | 2 +-
arch/powerpc/kernel/kvm.c | 2 +-
arch/powerpc/kernel/process.c | 9 +-
arch/powerpc/kvm/book3s_hv.c | 30 ++-
arch/powerpc/kvm/booke.c | 16 +-
arch/powerpc/lib/feature-fixups.c | 11 +
arch/powerpc/mm/mem.c | 2 +-
arch/powerpc/mm/nohash/tlb_low_64e.S | 8 +-
arch/powerpc/mm/pgtable_32.c | 2 +-
arch/powerpc/net/bpf_jit_comp.c | 2 +-
arch/powerpc/perf/power10-events-list.h | 8 +-
arch/powerpc/perf/power10-pmu.c | 44 ++--
arch/powerpc/platforms/44x/fsp2.c | 2 +
arch/powerpc/platforms/85xx/Makefile | 4 +-
arch/powerpc/platforms/85xx/mpc85xx_pm_ops.c | 7 +-
arch/powerpc/platforms/85xx/smp.c | 12 +-
arch/powerpc/platforms/book3s/vas-api.c | 4 +-
arch/powerpc/platforms/powernv/opal-prd.c | 12 +-
arch/powerpc/platforms/pseries/mobility.c | 34 +++
arch/powerpc/xmon/xmon.c | 3 +-
arch/riscv/include/asm/processor.h | 2 +-
arch/riscv/kernel/stacktrace.c | 12 +-
arch/s390/include/asm/processor.h | 2 +-
arch/s390/kernel/perf_cpum_cf.c | 4 +-
arch/s390/kernel/process.c | 4 +-
arch/s390/kernel/uv.c | 2 +-
arch/s390/kvm/priv.c | 2 +
arch/s390/kvm/pv.c | 21 +-
arch/s390/mm/gmap.c | 11 +-
arch/s390/mm/pgtable.c | 70 ++++--
arch/sh/include/asm/processor_32.h | 2 +-
arch/sh/kernel/cpu/fpu.c | 10 +-
arch/sh/kernel/process_32.c | 5 +-
arch/sparc/boot/Makefile | 8 +-
arch/sparc/include/asm/processor_32.h | 2 +-
arch/sparc/include/asm/processor_64.h | 2 +-
arch/sparc/kernel/process_32.c | 5 +-
arch/sparc/kernel/process_64.c | 5 +-
arch/um/include/asm/processor-generic.h | 2 +-
arch/um/kernel/process.c | 5 +-
arch/x86/crypto/aesni-intel_glue.c | 2 +-
arch/x86/events/intel/core.c | 5 +-
arch/x86/events/intel/ds.c | 5 +-
arch/x86/events/intel/uncore_discovery.h | 2 +-
arch/x86/events/intel/uncore_snbep.c | 16 +-
arch/x86/hyperv/hv_init.c | 5 +-
arch/x86/include/asm/insn-eval.h | 1 +
arch/x86/include/asm/irq_stack.h | 37 ++-
arch/x86/include/asm/kvm_host.h | 2 +-
arch/x86/include/asm/page_64_types.h | 2 +-
arch/x86/include/asm/processor.h | 3 +-
arch/x86/include/asm/stacktrace.h | 10 +
arch/x86/include/asm/traps.h | 6 +-
arch/x86/kernel/cpu/amd.c | 2 +
arch/x86/kernel/cpu/common.c | 44 +++-
arch/x86/kernel/cpu/cpu.h | 1 +
arch/x86/kernel/cpu/hygon.c | 2 +
arch/x86/kernel/cpu/mce/intel.c | 5 +-
arch/x86/kernel/dumpstack_64.c | 6 +
arch/x86/kernel/irq.c | 4 +-
arch/x86/kernel/process.c | 66 ++----
arch/x86/kernel/traps.c | 60 +++--
arch/x86/kvm/cpuid.c | 47 ++--
arch/x86/kvm/mmu/mmu.c | 6 +-
arch/x86/kvm/vmx/nested.c | 103 ++++----
arch/x86/kvm/vmx/vmx.c | 68 +-----
arch/x86/kvm/vmx/vmx.h | 63 +++++
arch/x86/kvm/x86.c | 108 ++++++---
arch/x86/lib/insn-eval.c | 2 +-
arch/x86/lib/insn.c | 5 +-
arch/x86/mm/fault.c | 20 +-
arch/x86/mm/mem_encrypt_identity.c | 9 +
arch/xtensa/include/asm/processor.h | 2 +-
arch/xtensa/kernel/process.c | 5 +-
block/blk-cgroup.c | 10 +
block/blk-mq.c | 5 +-
block/blk-wbt.c | 3 +
block/blk-zoned.c | 15 +-
block/blk.h | 6 +
block/genhd.c | 8 +-
block/ioctl.c | 24 +-
crypto/Kconfig | 2 +-
crypto/algapi.c | 73 ++++--
crypto/api.c | 52 ++++-
crypto/internal.h | 10 +
crypto/pcrypt.c | 12 +-
crypto/tcrypt.c | 5 +-
drivers/acpi/ac.c | 19 ++
drivers/acpi/acpica/acglobal.h | 2 +
drivers/acpi/acpica/hwesleep.c | 8 +-
drivers/acpi/acpica/hwsleep.c | 11 +-
drivers/acpi/acpica/hwxfsleep.c | 7 +
drivers/acpi/battery.c | 2 +-
drivers/acpi/glue.c | 25 ++
drivers/acpi/internal.h | 1 +
drivers/acpi/pmic/intel_pmic.c | 51 ++--
drivers/acpi/power.c | 86 +++----
drivers/acpi/resource.c | 56 ++++-
drivers/acpi/scan.c | 6 +
drivers/ata/libata-core.c | 2 +-
drivers/ata/libata-eh.c | 8 +
drivers/auxdisplay/ht16k33.c | 66 +++---
drivers/auxdisplay/img-ascii-lcd.c | 10 +
drivers/base/component.c | 5 +-
drivers/base/core.c | 4 +-
drivers/base/power/main.c | 93 +++++---
drivers/block/ataflop.c | 141 ++++++-----
drivers/block/floppy.c | 9 +-
drivers/block/nbd.c | 24 +-
drivers/block/zram/zram_drv.c | 2 +-
drivers/bluetooth/btmtkuart.c | 13 +-
drivers/bluetooth/hci_h5.c | 28 ++-
drivers/bus/ti-sysc.c | 65 +++++-
drivers/char/hw_random/mtk-rng.c | 9 +-
drivers/char/ipmi/ipmi_msghandler.c | 10 +-
drivers/char/ipmi/ipmi_watchdog.c | 25 +-
drivers/char/ipmi/kcs_bmc_serio.c | 4 +-
drivers/char/tpm/tpm2-space.c | 3 +
drivers/char/tpm/tpm_tis_core.c | 26 ++-
drivers/char/tpm/tpm_tis_core.h | 4 +
drivers/char/tpm/tpm_tis_spi_main.c | 1 +
drivers/char/xillybus/xillyusb.c | 1 +
drivers/clk/at91/clk-master.c | 6 +-
drivers/clk/at91/clk-sam9x60-pll.c | 4 +-
drivers/clk/at91/pmc.c | 5 +
drivers/clk/mvebu/ap-cpu-clk.c | 14 +-
drivers/clocksource/Kconfig | 1 +
drivers/cpufreq/cpufreq.c | 7 +
drivers/cpufreq/intel_pstate.c | 35 ++-
drivers/cpuidle/sysfs.c | 5 +-
drivers/crypto/caam/caampkc.c | 19 +-
drivers/crypto/caam/regs.h | 3 +
drivers/crypto/ccree/cc_driver.c | 3 +-
drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c | 1 +
drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c | 31 +++
drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.h | 10 +
drivers/crypto/qat/qat_common/adf_accel_devices.h | 1 +
drivers/crypto/qat/qat_common/adf_init.c | 5 +
drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 13 ++
drivers/crypto/qat/qat_common/adf_vf_isr.c | 6 +
drivers/crypto/s5p-sss.c | 2 +
drivers/cxl/pci.c | 2 +-
drivers/dma-buf/dma-buf.c | 153 ++++++------
drivers/dma/at_xdmac.c | 53 +++--
drivers/dma/bestcomm/ata.c | 2 +-
drivers/dma/bestcomm/bestcomm.c | 22 +-
drivers/dma/bestcomm/fec.c | 4 +-
drivers/dma/bestcomm/gen_bd.c | 4 +-
drivers/dma/dmaengine.h | 2 +-
drivers/dma/idxd/device.c | 3 +-
drivers/dma/idxd/dma.c | 5 +-
drivers/dma/idxd/init.c | 14 +-
drivers/dma/stm32-dma.c | 23 +-
drivers/dma/tegra210-adma.c | 2 +-
drivers/dma/ti/k3-udma.c | 32 ++-
drivers/edac/amd64_edac.c | 22 +-
drivers/edac/sb_edac.c | 2 +-
drivers/firmware/psci/psci_checker.c | 2 +-
drivers/firmware/qcom_scm.c | 2 +-
drivers/gpio/gpio-realtek-otto.c | 2 +-
drivers/gpu/drm/Kconfig | 5 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 15 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 2 +-
drivers/gpu/drm/amd/amdgpu/gmc_v6_0.c | 4 +-
drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 24 +-
drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c | 24 +-
drivers/gpu/drm/amd/amdgpu/uvd_v5_0.c | 24 +-
drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c | 24 +-
drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c | 32 +--
drivers/gpu/drm/amd/amdgpu/vce_v2_0.c | 19 +-
drivers/gpu/drm/amd/amdgpu/vce_v3_0.c | 28 +--
drivers/gpu/drm/amd/amdgpu/vce_v4_0.c | 44 ++--
drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 8 +-
drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 17 +-
drivers/gpu/drm/amd/amdkfd/kfd_device.c | 1 +
drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 7 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 9 +-
drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 2 +-
.../drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 2 +-
.../gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 18 +-
drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 3 +-
.../display/dc/dml/dcn20/display_rq_dlg_calc_20.c | 6 +-
.../display/dc/dml/dcn20/display_rq_dlg_calc_20.h | 4 +-
.../dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 6 +-
.../dc/dml/dcn20/display_rq_dlg_calc_20v2.h | 4 +-
.../display/dc/dml/dcn21/display_rq_dlg_calc_21.c | 62 ++---
.../display/dc/dml/dcn21/display_rq_dlg_calc_21.h | 4 +-
.../display/dc/dml/dcn30/display_rq_dlg_calc_30.c | 72 +++---
.../display/dc/dml/dcn30/display_rq_dlg_calc_30.h | 4 +-
.../display/dc/dml/dcn31/display_rq_dlg_calc_31.c | 68 +++---
.../display/dc/dml/dcn31/display_rq_dlg_calc_31.h | 4 +-
.../gpu/drm/amd/display/dc/dml/display_mode_lib.h | 4 +-
.../gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c | 8 +-
.../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 10 +-
.../gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c | 2 +
.../gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.h | 13 ++
.../gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 12 +-
.../gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c | 4 +
.../gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c | 14 +-
drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 89 +++----
drivers/gpu/drm/bridge/analogix/anx7625.c | 12 +-
drivers/gpu/drm/bridge/ite-it66121.c | 21 +-
drivers/gpu/drm/bridge/lontium-lt9611uxc.c | 9 +-
drivers/gpu/drm/bridge/nwl-dsi.c | 35 +++
drivers/gpu/drm/drm_panel_orientation_quirks.c | 35 ++-
drivers/gpu/drm/drm_plane_helper.c | 1 -
drivers/gpu/drm/i915/display/intel_fb.c | 5 +-
drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 2 +-
drivers/gpu/drm/imx/imx-drm-core.c | 2 -
drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 6 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c | 8 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 4 +
drivers/gpu/drm/msm/dsi/dsi.h | 2 +
drivers/gpu/drm/msm/dsi/dsi_host.c | 72 +++---
drivers/gpu/drm/msm/dsi/dsi_manager.c | 16 ++
drivers/gpu/drm/msm/msm_gem.c | 5 +-
drivers/gpu/drm/msm/msm_gpu.c | 2 +-
drivers/gpu/drm/msm/msm_submitqueue.c | 1 +
drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +-
drivers/gpu/drm/nouveau/nouveau_svm.c | 4 +
drivers/gpu/drm/nouveau/nvkm/engine/ce/gt215.c | 2 +-
drivers/gpu/drm/nouveau/nvkm/engine/device/base.c | 3 +-
drivers/gpu/drm/radeon/radeon_gem.c | 2 +-
drivers/gpu/drm/sun4i/sun8i_csc.h | 4 +-
drivers/gpu/drm/ttm/ttm_bo_vm.c | 99 +-------
drivers/gpu/drm/v3d/v3d_gem.c | 4 +-
drivers/gpu/drm/virtio/virtgpu_vq.c | 8 +-
drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 4 -
drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 72 +-----
drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c | 3 -
drivers/hid/hid-u2fzero.c | 10 +-
drivers/hid/surface-hid/surface_hid.c | 4 +-
drivers/hwmon/hwmon.c | 6 +-
drivers/hwmon/pmbus/lm25066.c | 25 +-
drivers/hwtracing/coresight/coresight-cti-core.c | 2 +-
drivers/hwtracing/coresight/coresight-trbe.c | 10 +-
drivers/i2c/busses/i2c-i801.c | 5 +-
drivers/i2c/busses/i2c-mt65xx.c | 2 +-
drivers/i2c/busses/i2c-xlr.c | 6 +-
drivers/iio/accel/st_accel_i2c.c | 4 +-
drivers/iio/accel/st_accel_spi.c | 4 +-
drivers/iio/adc/ti-tsc2046.c | 2 +-
drivers/iio/dac/ad5446.c | 9 +-
drivers/iio/dac/ad5766.c | 6 +-
drivers/iio/dac/ad5770r.c | 2 +-
drivers/iio/gyro/st_gyro_i2c.c | 4 +-
drivers/iio/gyro/st_gyro_spi.c | 4 +-
drivers/iio/imu/adis.c | 4 +-
drivers/iio/industrialio-buffer.c | 28 ++-
drivers/iio/industrialio-core.c | 9 +-
drivers/iio/magnetometer/st_magn_i2c.c | 4 +-
drivers/iio/magnetometer/st_magn_spi.c | 4 +-
drivers/iio/pressure/st_pressure_i2c.c | 4 +-
drivers/iio/pressure/st_pressure_spi.c | 8 +-
drivers/infiniband/core/uverbs_cmd.c | 3 -
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 +-
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 6 +-
drivers/infiniband/hw/mlx4/qp.c | 4 +-
drivers/infiniband/hw/qedr/verbs.c | 15 +-
drivers/infiniband/sw/rxe/rxe_param.h | 2 +-
drivers/input/joystick/iforce/iforce-usb.c | 2 +-
drivers/input/misc/ariel-pwrbutton.c | 7 +
drivers/input/mouse/elantech.c | 13 ++
drivers/input/serio/i8042-x86ia64io.h | 14 ++
drivers/input/touchscreen/st1232.c | 2 +-
drivers/iommu/dma-iommu.c | 52 ++---
drivers/iommu/mtk_iommu.c | 4 +-
drivers/irqchip/irq-bcm6345-l1.c | 2 +-
drivers/irqchip/irq-sifive-plic.c | 8 +-
drivers/leds/led-triggers.c | 41 ++--
drivers/mailbox/mtk-cmdq-mailbox.c | 11 +-
drivers/md/bcache/btree.c | 2 +-
drivers/md/bcache/super.c | 2 +-
drivers/md/md.c | 11 +-
drivers/md/raid1.c | 2 +-
drivers/media/common/videobuf2/videobuf2-core.c | 42 ++--
.../media/common/videobuf2/videobuf2-dma-contig.c | 36 +--
drivers/media/common/videobuf2/videobuf2-dma-sg.c | 33 +--
drivers/media/common/videobuf2/videobuf2-vmalloc.c | 30 +--
drivers/media/dvb-frontends/mn88443x.c | 18 +-
drivers/media/i2c/Kconfig | 1 +
drivers/media/i2c/imx258.c | 12 +-
drivers/media/i2c/ir-kbd-i2c.c | 1 +
drivers/media/i2c/mt9p031.c | 28 ++-
drivers/media/i2c/tda1997x.c | 8 +-
drivers/media/pci/cx23885/cx23885-alsa.c | 3 +-
drivers/media/pci/ivtv/ivtvfb.c | 4 +-
drivers/media/pci/netup_unidvb/netup_unidvb_core.c | 27 ++-
drivers/media/platform/allegro-dvt/allegro-core.c | 9 +
drivers/media/platform/atmel/atmel-isc-base.c | 25 +-
drivers/media/platform/atmel/atmel-isc.h | 2 +
drivers/media/platform/atmel/atmel-sama5d2-isc.c | 39 ++--
drivers/media/platform/atmel/atmel-sama7g5-isc.c | 22 +-
drivers/media/platform/imx-jpeg/mxc-jpeg.c | 6 +
drivers/media/platform/meson/ge2d/ge2d.c | 6 +-
drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c | 8 +-
drivers/media/platform/mtk-vpu/mtk_vpu.c | 5 +-
drivers/media/platform/qcom/venus/pm_helpers.c | 8 +-
drivers/media/platform/rcar-vin/rcar-csi2.c | 2 +
drivers/media/platform/rcar-vin/rcar-dma.c | 3 +-
drivers/media/platform/s5p-mfc/s5p_mfc.c | 6 +-
drivers/media/platform/stm32/stm32-dcmi.c | 19 +-
.../media/platform/sunxi/sun6i-csi/sun6i_video.c | 6 +-
drivers/media/radio/radio-wl1273.c | 2 +-
drivers/media/radio/si470x/radio-si470x-i2c.c | 2 +-
drivers/media/radio/si470x/radio-si470x-usb.c | 2 +-
drivers/media/rc/ir_toy.c | 2 +-
drivers/media/rc/ite-cir.c | 2 +-
drivers/media/rc/mceusb.c | 1 +
drivers/media/spi/cxd2880-spi.c | 2 +-
drivers/media/test-drivers/vidtv/vidtv_bridge.c | 1 +
drivers/media/usb/dvb-usb/az6027.c | 1 +
drivers/media/usb/dvb-usb/dibusb-common.c | 2 +-
drivers/media/usb/em28xx/em28xx-cards.c | 5 +-
drivers/media/usb/em28xx/em28xx-core.c | 5 +-
drivers/media/usb/tm6000/tm6000-video.c | 3 +-
drivers/media/usb/ttusb-dec/ttusb_dec.c | 10 +-
drivers/media/usb/uvc/uvc_driver.c | 7 +-
drivers/media/usb/uvc/uvc_v4l2.c | 7 +-
drivers/media/usb/uvc/uvc_video.c | 5 +
drivers/media/v4l2-core/v4l2-ioctl.c | 67 ++++--
drivers/memory/fsl_ifc.c | 13 +-
drivers/memory/renesas-rpc-if.c | 113 ++++++---
drivers/memstick/core/ms_block.c | 2 +-
drivers/memstick/host/jmb38x_ms.c | 2 +-
drivers/memstick/host/r592.c | 8 +-
drivers/mfd/Kconfig | 1 +
drivers/mfd/altera-sysmgr.c | 2 +-
drivers/mfd/dln2.c | 18 ++
drivers/mfd/mfd-core.c | 2 +
drivers/mfd/motorola-cpcap.c | 8 +
drivers/mfd/sprd-sc27xx-spi.c | 7 +
drivers/mmc/host/dw_mmc.c | 3 +-
drivers/mmc/host/moxart-mmc.c | 16 +-
drivers/mmc/host/mtk-sd.c | 5 +
drivers/mmc/host/mxs-mmc.c | 10 +
drivers/mmc/host/sdhci-omap.c | 18 +-
drivers/most/most_usb.c | 5 +-
drivers/mtd/mtdcore.c | 4 +-
drivers/mtd/nand/raw/ams-delta.c | 12 +-
drivers/mtd/nand/raw/arasan-nand-controller.c | 15 ++
drivers/mtd/nand/raw/au1550nd.c | 12 +-
drivers/mtd/nand/raw/fsmc_nand.c | 4 +-
drivers/mtd/nand/raw/gpio.c | 12 +-
drivers/mtd/nand/raw/intel-nand-controller.c | 5 +
drivers/mtd/nand/raw/mpc5121_nfc.c | 12 +-
drivers/mtd/nand/raw/orion_nand.c | 12 +-
drivers/mtd/nand/raw/pasemi_nand.c | 12 +-
drivers/mtd/nand/raw/plat_nand.c | 12 +-
drivers/mtd/nand/raw/socrates_nand.c | 12 +-
drivers/mtd/nand/raw/xway_nand.c | 12 +-
drivers/mtd/spi-nor/controllers/hisi-sfc.c | 1 -
drivers/net/Kconfig | 2 +-
drivers/net/bonding/bond_sysfs_slave.c | 36 +--
drivers/net/can/dev/bittiming.c | 2 +-
drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 6 +-
drivers/net/can/usb/etas_es58x/es58x_core.c | 6 +-
drivers/net/can/usb/peak_usb/pcan_usb.c | 17 +-
drivers/net/dsa/lantiq_gswip.c | 28 ++-
drivers/net/dsa/mv88e6xxx/chip.c | 5 +-
drivers/net/dsa/ocelot/felix.c | 9 +-
drivers/net/dsa/rtl8366.c | 2 +-
drivers/net/dsa/rtl8366rb.c | 2 +-
drivers/net/ethernet/amd/xgbe/xgbe-common.h | 8 +
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 20 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c | 13 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.h | 13 --
drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 7 +-
drivers/net/ethernet/chelsio/cxgb4/t4_hw.h | 2 +
.../chelsio/inline_crypto/chtls/chtls_cm.c | 2 +-
.../chelsio/inline_crypto/chtls/chtls_cm.h | 2 +-
drivers/net/ethernet/dec/tulip/winbond-840.c | 2 +-
drivers/net/ethernet/fealnx.c | 2 +-
drivers/net/ethernet/freescale/enetc/enetc_qos.c | 18 +-
drivers/net/ethernet/google/gve/gve.h | 17 +-
drivers/net/ethernet/google/gve/gve_adminq.h | 1 +
drivers/net/ethernet/google/gve/gve_main.c | 48 +++-
drivers/net/ethernet/google/gve/gve_rx.c | 7 +-
drivers/net/ethernet/google/gve/gve_tx.c | 23 +-
drivers/net/ethernet/google/gve/gve_tx_dqo.c | 84 +++----
.../net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c | 20 +-
.../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 10 +-
.../ethernet/hisilicon/hns3/hns3pf/hclge_main.h | 6 +-
.../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 77 +++---
.../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h | 4 +-
.../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 10 +-
.../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 4 +-
drivers/net/ethernet/ibm/ibmvnic.c | 21 +-
drivers/net/ethernet/intel/ice/ice.h | 7 +-
drivers/net/ethernet/intel/ice/ice_base.c | 2 +-
drivers/net/ethernet/intel/ice/ice_devlink.c | 109 ++++++---
drivers/net/ethernet/intel/ice/ice_devlink.h | 6 +-
drivers/net/ethernet/intel/ice/ice_lib.c | 3 +-
drivers/net/ethernet/intel/ice/ice_main.c | 4 +-
drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 22 +-
drivers/net/ethernet/intel/ice/ice_virtchnl_pf.h | 9 +
drivers/net/ethernet/intel/igc/igc_ptp.c | 2 +-
drivers/net/ethernet/litex/litex_liteeth.c | 1 -
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 38 +--
drivers/net/ethernet/marvell/octeontx2/Kconfig | 1 +
.../net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 78 ++++---
drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 18 +-
drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 +
.../ethernet/mellanox/mlx5/core/sf/dev/driver.c | 2 +
.../net/ethernet/netronome/nfp/nfp_net_common.c | 8 +-
drivers/net/ethernet/qlogic/qede/qede_main.c | 12 +-
drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 2 -
drivers/net/ethernet/ti/cpsw_ale.c | 6 +-
drivers/net/ethernet/ti/davinci_emac.c | 16 +-
drivers/net/ifb.c | 2 +
drivers/net/phy/micrel.c | 9 +-
drivers/net/phy/phy.c | 7 +-
drivers/net/phy/phylink.c | 7 +-
drivers/net/vrf.c | 28 ++-
drivers/net/wireless/ath/ath10k/core.c | 11 +-
drivers/net/wireless/ath/ath10k/coredump.c | 11 +-
drivers/net/wireless/ath/ath10k/coredump.h | 7 +
drivers/net/wireless/ath/ath10k/mac.c | 37 ++-
drivers/net/wireless/ath/ath10k/qmi.c | 3 +-
drivers/net/wireless/ath/ath10k/sdio.c | 5 +-
drivers/net/wireless/ath/ath10k/snoc.c | 77 ++++++
drivers/net/wireless/ath/ath10k/snoc.h | 5 +
drivers/net/wireless/ath/ath10k/usb.c | 7 +-
drivers/net/wireless/ath/ath10k/wmi.c | 4 +
drivers/net/wireless/ath/ath10k/wmi.h | 3 +
drivers/net/wireless/ath/ath11k/dbring.c | 16 +-
drivers/net/wireless/ath/ath11k/dp_rx.c | 13 +-
drivers/net/wireless/ath/ath11k/mac.c | 2 +-
drivers/net/wireless/ath/ath11k/qmi.c | 4 +-
drivers/net/wireless/ath/ath11k/reg.c | 11 +-
drivers/net/wireless/ath/ath11k/reg.h | 2 +-
drivers/net/wireless/ath/ath11k/wmi.c | 40 ++--
drivers/net/wireless/ath/ath11k/wmi.h | 3 +-
drivers/net/wireless/ath/ath6kl/usb.c | 7 +-
drivers/net/wireless/ath/ath9k/main.c | 4 +-
drivers/net/wireless/ath/dfs_pattern_detector.c | 10 +-
drivers/net/wireless/ath/wcn36xx/dxe.c | 49 ++--
drivers/net/wireless/ath/wcn36xx/hal.h | 32 +++
drivers/net/wireless/ath/wcn36xx/main.c | 21 +-
drivers/net/wireless/ath/wcn36xx/smd.c | 126 +++++++++-
drivers/net/wireless/ath/wcn36xx/smd.h | 1 +
drivers/net/wireless/ath/wcn36xx/txrx.c | 64 ++---
drivers/net/wireless/ath/wcn36xx/txrx.h | 3 +-
drivers/net/wireless/broadcom/b43/phy_g.c | 2 +-
drivers/net/wireless/broadcom/b43legacy/radio.c | 2 +-
.../net/wireless/broadcom/brcm80211/brcmfmac/dmi.c | 10 +
drivers/net/wireless/intel/iwlwifi/fw/pnvm.c | 13 +-
drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 5 +-
drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 3 +
drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 6 +-
drivers/net/wireless/marvell/libertas/if_usb.c | 2 +
drivers/net/wireless/marvell/libertas_tf/if_usb.c | 2 +
drivers/net/wireless/marvell/mwifiex/11n.c | 5 +-
drivers/net/wireless/marvell/mwifiex/cfg80211.c | 32 +--
drivers/net/wireless/marvell/mwifiex/pcie.c | 36 ++-
drivers/net/wireless/marvell/mwifiex/usb.c | 16 ++
drivers/net/wireless/marvell/mwl8k.c | 2 +-
drivers/net/wireless/mediatek/mt76/debugfs.c | 10 +-
drivers/net/wireless/mediatek/mt76/mt76.h | 8 +-
.../net/wireless/mediatek/mt76/mt7615/debugfs.c | 29 ++-
drivers/net/wireless/mediatek/mt76/mt7615/init.c | 6 +-
drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 60 ++---
drivers/net/wireless/mediatek/mt76/mt7615/main.c | 4 +-
drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 18 +-
.../net/wireless/mediatek/mt76/mt76_connac_mcu.c | 30 ++-
.../net/wireless/mediatek/mt76/mt76_connac_mcu.h | 8 +-
drivers/net/wireless/mediatek/mt76/mt76x02_mac.c | 13 +-
drivers/net/wireless/mediatek/mt76/mt7915/init.c | 10 +-
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 2 +-
drivers/net/wireless/mediatek/mt76/mt7915/mac.h | 3 +-
drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 22 +-
.../net/wireless/mediatek/mt76/mt7921/debugfs.c | 36 ++-
drivers/net/wireless/mediatek/mt76/mt7921/init.c | 13 ++
drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 68 +++++-
drivers/net/wireless/mediatek/mt76/mt7921/mac.h | 8 +
drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 22 +-
drivers/net/wireless/mediatek/mt76/mt7921/mcu.h | 10 +-
drivers/net/wireless/mediatek/mt76/mt7921/regs.h | 8 +-
drivers/net/wireless/microchip/wilc1000/cfg80211.c | 3 +-
.../net/wireless/realtek/rtl818x/rtl8187/rtl8225.c | 14 +-
drivers/net/wireless/realtek/rtw88/fw.c | 7 +-
drivers/net/wireless/realtek/rtw88/reg.h | 1 +
drivers/net/wireless/rsi/rsi_91x_core.c | 2 +
drivers/net/wireless/rsi/rsi_91x_hal.c | 10 +-
drivers/net/wireless/rsi/rsi_91x_mac80211.c | 74 ++----
drivers/net/wireless/rsi/rsi_91x_main.c | 17 +-
drivers/net/wireless/rsi/rsi_91x_mgmt.c | 24 +-
drivers/net/wireless/rsi/rsi_91x_sdio.c | 5 +-
drivers/net/wireless/rsi/rsi_91x_usb.c | 5 +-
drivers/net/wireless/rsi/rsi_hal.h | 11 +
drivers/net/wireless/rsi/rsi_main.h | 15 +-
drivers/nfc/pn533/pn533.c | 6 +-
drivers/nvdimm/btt.c | 1 -
drivers/nvdimm/pmem.c | 13 +-
drivers/nvme/host/multipath.c | 9 +-
drivers/nvme/host/rdma.c | 2 +
drivers/nvme/target/configfs.c | 2 +
drivers/nvme/target/rdma.c | 24 ++
drivers/nvme/target/tcp.c | 16 ++
drivers/of/unittest.c | 16 +-
drivers/opp/of.c | 2 +-
drivers/pci/controller/cadence/pci-j721e.c | 2 +-
drivers/pci/controller/cadence/pcie-cadence-plat.c | 2 +
drivers/pci/controller/dwc/pcie-uniphier.c | 26 +--
drivers/pci/controller/pci-aardvark.c | 251 +++++++++++++++++---
drivers/pci/msi.c | 36 +--
drivers/pci/pci-bridge-emul.c | 13 ++
drivers/pci/pci.c | 8 +
drivers/pci/quirks.c | 1 +
drivers/phy/microchip/sparx5_serdes.c | 4 +-
drivers/phy/qualcomm/phy-qcom-qmp.c | 2 +-
drivers/phy/qualcomm/phy-qcom-qusb2.c | 16 +-
drivers/phy/qualcomm/phy-qcom-snps-femto-v2.c | 2 +-
drivers/phy/ti/phy-gmii-sel.c | 2 +
drivers/pinctrl/core.c | 2 +
drivers/pinctrl/pinctrl-equilibrium.c | 7 +-
drivers/pinctrl/renesas/core.c | 2 +-
drivers/pinctrl/renesas/pinctrl-rzg2l.c | 2 +-
.../platform/surface/surface_aggregator_registry.c | 54 +++++
drivers/platform/x86/thinkpad_acpi.c | 2 +-
drivers/platform/x86/wmi.c | 9 +-
drivers/power/reset/at91-reset.c | 4 +-
drivers/power/supply/bq27xxx_battery_i2c.c | 3 +-
drivers/power/supply/max17040_battery.c | 2 +
drivers/power/supply/max17042_battery.c | 12 +-
drivers/power/supply/rt5033_battery.c | 2 +-
drivers/regulator/s5m8767.c | 21 +-
drivers/remoteproc/imx_rproc.c | 41 ++--
drivers/remoteproc/remoteproc_core.c | 8 +-
drivers/remoteproc/remoteproc_coredump.c | 2 +-
drivers/remoteproc/remoteproc_elf_loader.c | 4 +-
drivers/rtc/rtc-ds1302.c | 7 +
drivers/rtc/rtc-ds1390.c | 7 +
drivers/rtc/rtc-mcp795.c | 7 +
drivers/rtc/rtc-pcf2123.c | 9 +
drivers/rtc/rtc-rv3032.c | 4 +-
drivers/s390/char/tape_std.c | 3 +-
drivers/s390/cio/css.c | 4 +-
drivers/s390/cio/device_ops.c | 12 +-
drivers/s390/crypto/ap_queue.c | 2 +
drivers/scsi/csiostor/csio_lnode.c | 2 +-
drivers/scsi/dc395x.c | 1 +
drivers/scsi/hosts.c | 1 +
drivers/scsi/lpfc/lpfc_els.c | 12 +-
drivers/scsi/lpfc/lpfc_hbadisc.c | 10 +-
drivers/scsi/lpfc/lpfc_nvme.c | 5 +-
drivers/scsi/lpfc/lpfc_scsi.c | 7 +
drivers/scsi/lpfc/lpfc_sli.c | 101 ++++++--
drivers/scsi/megaraid/megaraid_sas_fusion.c | 11 +-
drivers/scsi/pm8001/pm8001_hwi.c | 2 +-
drivers/scsi/pm8001/pm8001_sas.h | 3 +-
drivers/scsi/pm8001/pm80xx_hwi.c | 53 ++++-
drivers/scsi/qedf/qedf_main.c | 2 +
drivers/scsi/qla2xxx/qla_attr.c | 24 +-
drivers/scsi/qla2xxx/qla_edif.c | 259 ++++++++++++---------
drivers/scsi/qla2xxx/qla_edif.h | 3 +-
drivers/scsi/qla2xxx/qla_edif_bsg.h | 2 +-
drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
drivers/scsi/qla2xxx/qla_init.c | 77 ++++--
drivers/scsi/qla2xxx/qla_mr.c | 23 --
drivers/scsi/qla2xxx/qla_nvme.c | 14 +-
drivers/scsi/qla2xxx/qla_os.c | 37 +--
drivers/scsi/qla2xxx/qla_target.c | 1 +
drivers/scsi/scsi_error.c | 25 ++
drivers/scsi/scsi_ioctl.c | 2 +
drivers/scsi/scsi_lib.c | 3 +-
drivers/scsi/scsi_sysfs.c | 1 +
drivers/scsi/ufs/ufshcd-pltfrm.c | 4 +-
drivers/scsi/ufs/ufshcd.c | 186 +--------------
drivers/scsi/ufs/ufshcd.h | 14 --
drivers/scsi/ufs/ufshpb.c | 31 ++-
drivers/scsi/ufs/ufshpb.h | 1 -
drivers/soc/fsl/dpaa2-console.c | 1 +
drivers/soc/fsl/dpio/dpio-service.c | 2 +-
drivers/soc/fsl/dpio/qbman-portal.c | 9 +-
drivers/soc/qcom/apr.c | 2 +
drivers/soc/qcom/llcc-qcom.c | 2 +-
drivers/soc/qcom/rpmhpd.c | 20 +-
drivers/soc/qcom/socinfo.c | 4 +-
drivers/soc/samsung/Kconfig | 1 +
drivers/soc/tegra/pmc.c | 2 +-
drivers/soundwire/bus.c | 2 +-
drivers/soundwire/debugfs.c | 2 +-
drivers/spi/atmel-quadspi.c | 2 +-
drivers/spi/spi-bcm-qspi.c | 8 +-
drivers/spi/spi-mtk-nor.c | 2 +-
drivers/spi/spi-rpc-if.c | 4 +-
drivers/spi/spi-stm32-qspi.c | 2 +-
drivers/spi/spi.c | 41 ++++
drivers/staging/ks7010/Kconfig | 3 +
drivers/staging/media/atomisp/i2c/atomisp-lm3554.c | 37 +--
drivers/staging/media/imx/imx-media-dev-common.c | 2 +
drivers/staging/media/ipu3/ipu3-v4l2.c | 7 +-
drivers/staging/media/rkvdec/rkvdec-h264.c | 5 +-
drivers/staging/media/rkvdec/rkvdec.c | 40 ++--
drivers/staging/most/dim2/Makefile | 2 +-
drivers/staging/most/dim2/dim2.c | 24 +-
drivers/staging/most/dim2/sysfs.c | 49 ----
drivers/staging/most/dim2/sysfs.h | 11 -
drivers/staging/r8188eu/core/rtw_mlme.c | 2 +
drivers/target/target_core_tmr.c | 17 +-
drivers/target/target_core_transport.c | 30 ++-
.../intel/int340x_thermal/processor_thermal_mbox.c | 1 +
drivers/thermal/qcom/Kconfig | 2 +-
drivers/thermal/qcom/tsens.c | 29 ++-
drivers/thermal/thermal_core.c | 16 +-
drivers/tty/serial/8250/8250_dw.c | 2 +-
drivers/tty/serial/8250/8250_port.c | 21 +-
drivers/tty/serial/cpm_uart/cpm_uart_core.c | 2 +
drivers/tty/serial/imx.c | 4 +-
drivers/tty/serial/serial_core.c | 16 +-
drivers/tty/serial/xilinx_uartps.c | 3 +-
drivers/usb/chipidea/core.c | 23 +-
drivers/usb/dwc2/drd.c | 24 +-
drivers/usb/dwc3/core.h | 1 +
drivers/usb/dwc3/gadget.c | 8 +-
drivers/usb/gadget/legacy/hid.c | 4 +-
drivers/usb/host/xhci-hub.c | 3 +-
drivers/usb/host/xhci-pci.c | 16 ++
drivers/usb/misc/iowarrior.c | 8 +-
drivers/usb/musb/Kconfig | 2 +-
drivers/usb/serial/keyspan.c | 15 +-
drivers/usb/typec/Kconfig | 4 +-
drivers/vdpa/mlx5/net/mlx5_vnet.c | 1 -
drivers/video/backlight/backlight.c | 6 -
drivers/video/fbdev/chipsfb.c | 2 +-
drivers/video/fbdev/efifb.c | 21 +-
drivers/virtio/virtio_ring.c | 14 +-
drivers/watchdog/Kconfig | 2 +-
drivers/watchdog/f71808e_wdt.c | 4 +-
drivers/xen/balloon.c | 86 +++++--
drivers/xen/xen-pciback/conf_space_capability.c | 2 +-
fs/btrfs/disk-io.c | 3 +-
fs/btrfs/reflink.c | 2 +-
fs/btrfs/tree-log.c | 4 +-
fs/btrfs/volumes.c | 14 +-
fs/ceph/mdsmap.c | 4 -
fs/cifs/cifsglob.h | 3 +-
fs/cifs/connect.c | 21 +-
fs/cifs/file.c | 35 ++-
fs/cifs/fs_context.c | 8 +
fs/cifs/fs_context.h | 1 +
fs/crypto/fscrypt_private.h | 5 +-
fs/crypto/hkdf.c | 11 +-
fs/crypto/keysetup.c | 57 ++++-
fs/erofs/decompressor.c | 1 -
fs/erofs/zdata.c | 13 +-
fs/erofs/zpvec.h | 13 +-
fs/exfat/inode.c | 2 +-
fs/ext4/extents.c | 63 +++--
fs/ext4/inode.c | 15 +-
fs/ext4/super.c | 9 +-
fs/f2fs/compress.c | 1 +
fs/f2fs/inode.c | 2 +-
fs/f2fs/namei.c | 2 +-
fs/f2fs/super.c | 2 +
fs/fuse/dev.c | 14 +-
fs/gfs2/glock.c | 24 +-
fs/io-wq.c | 88 +++++--
fs/io_uring.c | 4 +-
fs/jfs/jfs_mount.c | 51 ++--
fs/ksmbd/Kconfig | 1 +
fs/ksmbd/server.c | 1 +
fs/ksmbd/smb2misc.c | 6 +-
fs/ksmbd/smb2pdu.c | 11 +-
fs/nfs/dir.c | 9 +-
fs/nfs/direct.c | 2 +-
fs/nfs/flexfilelayout/flexfilelayoutdev.c | 4 +-
fs/nfs/inode.c | 13 +-
fs/nfs/nfs3xdr.c | 2 +-
fs/nfs/nfs4idmap.c | 2 +-
fs/nfs/nfs4proc.c | 15 +-
fs/nfs/pnfs.h | 2 +-
fs/nfs/pnfs_nfs.c | 6 +-
fs/nfs/proc.c | 2 +-
fs/nfs/write.c | 26 +--
fs/ocfs2/file.c | 8 +-
fs/open.c | 16 +-
fs/orangefs/dcache.c | 4 +-
fs/overlayfs/copy_up.c | 23 +-
fs/overlayfs/file.c | 16 +-
fs/overlayfs/inode.c | 5 +-
fs/proc/stat.c | 4 +-
fs/proc/uptime.c | 14 +-
fs/quota/quota_tree.c | 15 ++
fs/tracefs/inode.c | 3 +-
include/drm/ttm/ttm_bo_api.h | 3 +-
include/linux/blkdev.h | 2 -
include/linux/bpf-cgroup.h | 1 +
include/linux/console.h | 2 +
include/linux/cpufreq.h | 2 +-
include/linux/dma-buf.h | 2 +-
include/linux/dsa/ocelot.h | 1 +
include/linux/ethtool_netlink.h | 3 +
include/linux/filter.h | 5 +-
include/linux/fortify-string.h | 5 +-
include/linux/kernel_stat.h | 1 +
include/linux/leds.h | 2 +-
include/linux/libata.h | 2 +-
include/linux/msi.h | 2 +-
include/linux/nfs_fs.h | 1 +
include/linux/posix-timers.h | 2 +
include/linux/rpmsg.h | 2 +-
include/linux/sched.h | 1 +
include/linux/sched/task.h | 3 +-
include/linux/sched/task_stack.h | 4 +
include/linux/seq_file.h | 2 +-
include/linux/signal_types.h | 3 +
include/linux/skmsg.h | 18 +-
include/linux/surface_aggregator/controller.h | 4 +-
include/linux/tpm.h | 1 +
include/media/videobuf2-core.h | 37 +--
include/memory/renesas-rpc-if.h | 1 +
include/net/inet_connection_sock.h | 2 +-
include/net/llc.h | 4 +-
include/net/neighbour.h | 12 +-
include/net/sch_generic.h | 4 +
include/net/sctp/sctp.h | 7 +-
include/net/sock.h | 2 +-
include/net/strparser.h | 20 +-
include/net/tcp.h | 17 +-
include/rdma/ib_verbs.h | 7 +-
include/scsi/scsi_cmnd.h | 2 +-
include/scsi/scsi_host.h | 1 +
include/sound/soc-topology.h | 3 +-
include/uapi/asm-generic/signal-defs.h | 1 +
include/uapi/linux/ethtool_netlink.h | 4 +-
include/uapi/linux/pci_regs.h | 6 +
init/main.c | 4 +-
kernel/bpf/trampoline.c | 6 +-
kernel/bpf/verifier.c | 4 +-
kernel/cgroup/cgroup.c | 31 ++-
kernel/cgroup/rstat.c | 2 -
kernel/debug/kdb/kdb_bt.c | 16 +-
kernel/debug/kdb/kdb_main.c | 37 +--
kernel/debug/kdb/kdb_private.h | 4 +-
kernel/debug/kdb/kdb_support.c | 118 ++--------
kernel/fork.c | 3 +-
kernel/irq/msi.c | 4 +-
kernel/kprobes.c | 3 +-
kernel/locking/lockdep.c | 4 +-
kernel/locking/rwsem.c | 53 +++--
kernel/power/energy_model.c | 23 +-
kernel/power/swap.c | 7 +-
kernel/rcu/rcutorture.c | 48 +++-
kernel/rcu/tasks.h | 3 +-
kernel/rcu/tree.c | 2 +-
kernel/rcu/tree_exp.h | 2 +-
kernel/rcu/tree_plugin.h | 8 +-
kernel/sched/core.c | 62 +++--
kernel/scs.c | 1 +
kernel/signal.c | 26 +--
kernel/time/posix-cpu-timers.c | 19 +-
kernel/trace/ftrace.c | 23 +-
kernel/trace/ring_buffer.c | 5 +
kernel/trace/trace.c | 73 +++---
kernel/trace/trace.h | 3 +
kernel/trace/trace_boot.c | 4 +
kernel/trace/trace_dynevent.c | 2 +-
kernel/trace/trace_event_perf.c | 6 +-
kernel/trace/trace_events.c | 42 ++--
kernel/trace/trace_events_synth.c | 4 +-
kernel/trace/trace_functions_graph.c | 2 +-
kernel/trace/trace_hwlat.c | 6 +-
kernel/trace/trace_kprobe.c | 8 +-
kernel/trace/trace_osnoise.c | 14 +-
kernel/trace/trace_printk.c | 2 +-
kernel/trace/trace_recursion_record.c | 4 +-
kernel/trace/trace_stack.c | 6 +-
kernel/trace/trace_stat.c | 6 +-
kernel/trace/trace_uprobe.c | 4 +-
kernel/trace/tracing_map.c | 40 ++--
kernel/workqueue.c | 15 +-
lib/crypto/sm4.c | 4 +-
lib/decompress_unxz.c | 2 +-
lib/dynamic_debug.c | 12 +
lib/iov_iter.c | 5 +-
lib/test_bpf.c | 37 ++-
lib/xz/xz_dec_lzma2.c | 21 +-
lib/xz/xz_dec_stream.c | 6 +-
mm/filemap.c | 1 -
mm/memcontrol.c | 27 +--
mm/oom_kill.c | 23 +-
mm/zsmalloc.c | 7 +-
net/8021q/vlan.c | 3 -
net/8021q/vlan_dev.c | 3 +
net/9p/client.c | 2 +
net/bluetooth/l2cap_sock.c | 10 +-
net/bluetooth/sco.c | 36 +--
net/bridge/br_private.h | 2 +
net/can/j1939/main.c | 7 +
net/can/j1939/transport.c | 11 +
net/core/dev.c | 2 +
net/core/filter.c | 58 ++++-
net/core/neighbour.c | 48 ++--
net/core/net-sysfs.c | 55 +++++
net/core/net_namespace.c | 4 +
net/core/skmsg.c | 43 +++-
net/core/stream.c | 3 -
net/dccp/dccp.h | 2 +-
net/dccp/proto.c | 14 +-
net/dsa/port.c | 2 +
net/dsa/switch.c | 4 +-
net/dsa/tag_ocelot.c | 3 +
net/ethtool/pause.c | 3 +-
net/ipv4/af_inet.c | 16 +-
net/ipv4/inet_connection_sock.c | 4 +-
net/ipv4/inet_hashtables.c | 2 +-
net/ipv4/proc.c | 2 +-
net/ipv4/tcp.c | 40 +++-
net/ipv4/tcp_bpf.c | 48 +++-
net/ipv6/addrconf.c | 3 +
net/ipv6/af_inet6.c | 21 +-
net/ipv6/udp.c | 2 +-
net/mac80211/s1g.c | 8 +-
net/mctp/af_mctp.c | 13 ++
net/mptcp/options.c | 8 +-
net/mptcp/protocol.c | 43 +++-
net/netfilter/nf_conntrack_proto_udp.c | 7 +-
net/netfilter/nfnetlink_queue.c | 2 +-
net/netfilter/nft_dynset.c | 11 +-
net/rxrpc/rtt.c | 2 +-
net/sched/sch_generic.c | 9 +
net/sched/sch_mq.c | 24 ++
net/sched/sch_mqprio.c | 23 ++
net/sched/sch_taprio.c | 27 ++-
net/sctp/output.c | 13 +-
net/sctp/transport.c | 11 +-
net/smc/af_smc.c | 18 +-
net/strparser/strparser.c | 10 +-
net/sunrpc/addr.c | 40 ++--
net/sunrpc/xprt.c | 28 +--
net/vmw_vsock/af_vsock.c | 2 +
net/wireless/core.c | 10 +
samples/bpf/xdp_redirect_cpu_user.c | 6 +-
samples/kprobes/kretprobe_example.c | 2 +-
scripts/leaking_addresses.pl | 3 +-
security/apparmor/label.c | 4 +-
security/integrity/evm/evm_main.c | 2 +-
security/integrity/ima/ima_policy.c | 27 ++-
security/selinux/ss/services.c | 162 ++++++-------
security/smack/smackfs.c | 11 +-
sound/core/memalloc.c | 7 +-
sound/core/oss/mixer_oss.c | 44 +++-
sound/core/timer.c | 17 +-
sound/firewire/oxfw/oxfw-stream.c | 7 +-
sound/firewire/oxfw/oxfw.c | 8 +
sound/firewire/oxfw/oxfw.h | 5 +
sound/pci/hda/hda_intel.c | 52 ++---
sound/pci/hda/patch_realtek.c | 36 +++
sound/pci/rme9652/hdsp.c | 41 ++--
sound/pci/rme9652/rme9652.c | 41 ++--
sound/soc/codecs/cs42l42.c | 27 ++-
sound/soc/codecs/wcd9335.c | 2 +-
sound/soc/sh/rcar/core.c | 1 +
sound/soc/sof/topology.c | 9 +
sound/soc/tegra/tegra_asoc_machine.c | 60 ++++-
sound/soc/tegra/tegra_asoc_machine.h | 1 +
sound/synth/emux/emux.c | 2 +-
sound/usb/6fire/comm.c | 2 +-
sound/usb/6fire/firmware.c | 6 +-
sound/usb/card.h | 1 +
sound/usb/endpoint.c | 7 +-
sound/usb/format.c | 1 +
sound/usb/line6/driver.c | 14 +-
sound/usb/line6/driver.h | 2 +-
sound/usb/line6/podhd.c | 6 +-
sound/usb/line6/toneport.c | 2 +-
sound/usb/misc/ua101.c | 4 +-
sound/usb/quirks.c | 1 +
tools/arch/x86/lib/insn.c | 5 +-
tools/bpf/bpftool/prog.c | 16 +-
tools/include/asm-generic/unaligned.h | 23 ++
tools/lib/bpf/bpf.c | 4 +-
tools/lib/bpf/bpf_core_read.h | 2 +-
tools/lib/bpf/btf.c | 22 +-
tools/lib/bpf/libbpf.c | 8 +-
tools/lib/bpf/skel_internal.h | 6 +-
tools/objtool/arch/x86/decode.c | 20 ++
tools/objtool/check.c | 159 +++++++------
tools/objtool/include/objtool/arch.h | 1 +
tools/perf/util/bpf-event.c | 4 +-
tools/perf/util/intel-pt-decoder/Build | 2 +
.../testing/selftests/bpf/prog_tests/perf_buffer.c | 4 +-
tools/testing/selftests/bpf/prog_tests/sk_lookup.c | 4 +-
tools/testing/selftests/bpf/prog_tests/test_ima.c | 3 +-
tools/testing/selftests/bpf/progs/strobemeta.h | 11 +
tools/testing/selftests/bpf/test_progs.c | 4 +-
.../selftests/bpf/test_xdp_redirect_multi.sh | 62 ++---
.../testing/selftests/bpf/verifier/array_access.c | 2 +-
tools/testing/selftests/bpf/xdp_redirect_multi.c | 4 +-
tools/testing/selftests/core/close_range_test.c | 2 +-
tools/testing/selftests/kvm/lib/x86_64/svm.c | 14 +-
.../selftests/kvm/x86_64/mmio_warning_test.c | 2 +-
tools/testing/selftests/net/Makefile | 9 +-
tools/testing/selftests/net/fib_nexthops.sh | 1 +
.../selftests/net/forwarding/bridge_igmp.sh | 12 +-
.../testing/selftests/net/forwarding/bridge_mld.sh | 12 +-
tools/testing/selftests/net/gre_gso.sh | 9 +-
tools/testing/selftests/net/mptcp/mptcp_join.sh | 2 +-
tools/testing/selftests/net/udpgso_bench_rx.c | 11 +-
tools/testing/selftests/sched/cs_prctl_test.c | 28 ++-
tools/tracing/latency/latency-collector.c | 2 +-
1028 files changed, 8826 insertions(+), 5203 deletions(-)
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 001/917] xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good delay
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 002/917] usb: xhci: Enable runtime-pm by default on AMD Yellow Carp platform Greg Kroah-Hartman
` (918 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Walt Jr. Brake, Mathias Nyman
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit e1959faf085b004e6c3afaaaa743381f00e7c015 upstream.
Some USB 3.1 enumeration issues were reported after the hub driver removed
the minimum 100ms limit for the power-on-good delay.
Since commit 90d28fb53d4a ("usb: core: reduce power-on-good delay time of
root hub") the hub driver sets the power-on-delay based on the
bPwrOn2PwrGood value in the hub descriptor.
xhci driver has a 20ms bPwrOn2PwrGood value for both roothubs based
on xhci spec section 5.4.8, but it's clearly not enough for the
USB 3.1 devices, causing enumeration issues.
Tests indicate full 100ms delay is needed.
Reported-by: Walt Jr. Brake <mr.yming81@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Fixes: 90d28fb53d4a ("usb: core: reduce power-on-good delay time of root hub")
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211105160036.549516-1-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-hub.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -257,7 +257,6 @@ static void xhci_common_hub_descriptor(s
{
u16 temp;
- desc->bPwrOn2PwrGood = 10; /* xhci section 5.4.9 says 20ms max */
desc->bHubContrCurrent = 0;
desc->bNbrPorts = ports;
@@ -292,6 +291,7 @@ static void xhci_usb2_hub_descriptor(str
desc->bDescriptorType = USB_DT_HUB;
temp = 1 + (ports / 8);
desc->bDescLength = USB_DT_HUB_NONVAR_SIZE + 2 * temp;
+ desc->bPwrOn2PwrGood = 10; /* xhci section 5.4.8 says 20ms */
/* The Device Removable bits are reported on a byte granularity.
* If the port doesn't exist within that byte, the bit is set to 0.
@@ -344,6 +344,7 @@ static void xhci_usb3_hub_descriptor(str
xhci_common_hub_descriptor(xhci, desc, ports);
desc->bDescriptorType = USB_DT_SS_HUB;
desc->bDescLength = USB_DT_SS_HUB_SIZE;
+ desc->bPwrOn2PwrGood = 50; /* usb 3.1 may fail if less than 100ms */
/* header decode latency should be zero for roothubs,
* see section 4.23.5.2.
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 002/917] usb: xhci: Enable runtime-pm by default on AMD Yellow Carp platform
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 001/917] xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good delay Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 003/917] Input: iforce - fix control-message timeout Greg Kroah-Hartman
` (917 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Shyam Sundar S K, Mario Limonciello,
Basavaraj Natikar, Nehal Bakulchandra Shah, Mathias Nyman
From: Nehal Bakulchandra Shah <Nehal-Bakulchandra.shah@amd.com>
commit 660a92a59b9e831a0407e41ff62875656d30006e upstream.
AMD's Yellow Carp platform supports runtime power management for
XHCI Controllers, so enable the same by default for all XHCI Controllers.
[ regrouped and aligned the PCI_DEVICE_ID definitions -Mathias]
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Reviewed-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
Signed-off-by: Nehal Bakulchandra Shah <Nehal-Bakulchandra.shah@amd.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20211014121200.75433-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-pci.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -65,6 +65,13 @@
#define PCI_DEVICE_ID_AMD_PROMONTORYA_3 0x43ba
#define PCI_DEVICE_ID_AMD_PROMONTORYA_2 0x43bb
#define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc
+#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_1 0x161a
+#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_2 0x161b
+#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_3 0x161d
+#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_4 0x161e
+#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_5 0x15d6
+#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_6 0x15d7
+
#define PCI_DEVICE_ID_ASMEDIA_1042_XHCI 0x1042
#define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142
#define PCI_DEVICE_ID_ASMEDIA_1142_XHCI 0x1242
@@ -317,6 +324,15 @@ static void xhci_pci_quirks(struct devic
pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_4))
xhci->quirks |= XHCI_NO_SOFT_RETRY;
+ if (pdev->vendor == PCI_VENDOR_ID_AMD &&
+ (pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_1 ||
+ pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_2 ||
+ pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_3 ||
+ pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_4 ||
+ pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_5 ||
+ pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_6))
+ xhci->quirks |= XHCI_DEFAULT_PM_RUNTIME_ALLOW;
+
if (xhci->quirks & XHCI_RESET_ON_RESUME)
xhci_dbg_trace(xhci, trace_xhci_dbg_quirks,
"QUIRK: Resetting on resume");
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 003/917] Input: iforce - fix control-message timeout
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 001/917] xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good delay Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 002/917] usb: xhci: Enable runtime-pm by default on AMD Yellow Carp platform Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 004/917] Input: elantench - fix misreporting trackpoint coordinates Greg Kroah-Hartman
` (916 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Dmitry Torokhov
From: Johan Hovold <johan@kernel.org>
commit 744d0090a5f6dfa4c81b53402ccdf08313100429 upstream.
USB control-message timeouts are specified in milliseconds and should
specifically not vary with CONFIG_HZ.
Fixes: 487358627825 ("Input: iforce - use DMA-safe buffer when getting IDs from USB")
Signed-off-by: Johan Hovold <johan@kernel.org>
Cc: stable@vger.kernel.org # 5.3
Link: https://lore.kernel.org/r/20211025115501.5190-1-johan@kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/joystick/iforce/iforce-usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/input/joystick/iforce/iforce-usb.c
+++ b/drivers/input/joystick/iforce/iforce-usb.c
@@ -92,7 +92,7 @@ static int iforce_usb_get_id(struct ifor
id,
USB_TYPE_VENDOR | USB_DIR_IN |
USB_RECIP_INTERFACE,
- 0, 0, buf, IFORCE_MAX_LENGTH, HZ);
+ 0, 0, buf, IFORCE_MAX_LENGTH, 1000);
if (status < 0) {
dev_err(&iforce_usb->intf->dev,
"usb_submit_urb failed: %d\n", status);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 004/917] Input: elantench - fix misreporting trackpoint coordinates
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 003/917] Input: iforce - fix control-message timeout Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 005/917] Input: i8042 - Add quirk for Fujitsu Lifebook T725 Greg Kroah-Hartman
` (915 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Phoenix Huang, Yufei Du, Dmitry Torokhov
From: Phoenix Huang <phoenix@emc.com.tw>
commit be896bd3b72b44126c55768f14c22a8729b0992e upstream.
Some firmwares occasionally report bogus data from trackpoint, with X or Y
displacement being too large (outside of [-127, 127] range). Let's drop such
packets so that we do not generate jumps.
Signed-off-by: Phoenix Huang <phoenix@emc.com.tw>
Tested-by: Yufei Du <yufeidu@cs.unc.edu>
Link: https://lore.kernel.org/r/20210729010940.5752-1-phoenix@emc.com.tw
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/mouse/elantech.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -517,6 +517,19 @@ static void elantech_report_trackpoint(s
case 0x16008020U:
case 0x26800010U:
case 0x36808000U:
+
+ /*
+ * This firmware misreport coordinates for trackpoint
+ * occasionally. Discard packets outside of [-127, 127] range
+ * to prevent cursor jumps.
+ */
+ if (packet[4] == 0x80 || packet[5] == 0x80 ||
+ packet[1] >> 7 == packet[4] >> 7 ||
+ packet[2] >> 7 == packet[5] >> 7) {
+ elantech_debug("discarding packet [%6ph]\n", packet);
+ break;
+
+ }
x = packet[4] - (int)((packet[1]^0x80) << 1);
y = (int)((packet[2]^0x80) << 1) - packet[5];
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 005/917] Input: i8042 - Add quirk for Fujitsu Lifebook T725
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 004/917] Input: elantench - fix misreporting trackpoint coordinates Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 006/917] libata: fix read log timeout value Greg Kroah-Hartman
` (914 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Neal Gompa, Takashi Iwai, Dmitry Torokhov
From: Takashi Iwai <tiwai@suse.de>
commit 16e28abb7290c4ca3b3a0f333ba067f34bb18c86 upstream.
Fujitsu Lifebook T725 laptop requires, like a few other similar
models, the nomux and notimeout options to probe the touchpad
properly. This patch adds the corresponding quirk entries.
BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1191980
Tested-by: Neal Gompa <ngompa13@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20211103070019.13374-1-tiwai@suse.de
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/serio/i8042-x86ia64io.h | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -273,6 +273,13 @@ static const struct dmi_system_id __init
},
},
{
+ /* Fujitsu Lifebook T725 laptop */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK T725"),
+ },
+ },
+ {
/* Fujitsu Lifebook U745 */
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
@@ -841,6 +848,13 @@ static const struct dmi_system_id __init
},
},
{
+ /* Fujitsu Lifebook T725 laptop */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK T725"),
+ },
+ },
+ {
/* Fujitsu U574 laptop */
/* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */
.matches = {
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 006/917] libata: fix read log timeout value
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 005/917] Input: i8042 - Add quirk for Fujitsu Lifebook T725 Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 007/917] ocfs2: fix data corruption on truncate Greg Kroah-Hartman
` (913 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven,
Geert Uytterhoeven, Damien Le Moal
From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
commit 68dbbe7d5b4fde736d104cbbc9a2fce875562012 upstream.
Some ATA drives are very slow to respond to READ_LOG_EXT and
READ_LOG_DMA_EXT commands issued from ata_dev_configure() when the
device is revalidated right after resuming a system or inserting the
ATA adapter driver (e.g. ahci). The default 5s timeout
(ATA_EH_CMD_DFL_TIMEOUT) used for these commands is too short, causing
errors during the device configuration. Ex:
...
ata9: SATA max UDMA/133 abar m524288@0x9d200000 port 0x9d200400 irq 209
ata9: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
ata9.00: ATA-9: XXX XXXXXXXXXXXXXXX, XXXXXXXX, max UDMA/133
ata9.00: qc timeout (cmd 0x2f)
ata9.00: Read log page 0x00 failed, Emask 0x4
ata9.00: Read log page 0x00 failed, Emask 0x40
ata9.00: NCQ Send/Recv Log not supported
ata9.00: Read log page 0x08 failed, Emask 0x40
ata9.00: 27344764928 sectors, multi 16: LBA48 NCQ (depth 32), AA
ata9.00: Read log page 0x00 failed, Emask 0x40
ata9.00: ATA Identify Device Log not supported
ata9.00: failed to set xfermode (err_mask=0x40)
ata9: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
ata9.00: configured for UDMA/133
...
The timeout error causes a soft reset of the drive link, followed in
most cases by a successful revalidation as that give enough time to the
drive to become fully ready to quickly process the read log commands.
However, in some cases, this also fails resulting in the device being
dropped.
Fix this by using adding the ata_eh_revalidate_timeouts entries for the
READ_LOG_EXT and READ_LOG_DMA_EXT commands. This defines a timeout
increased to 15s, retriable one time.
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/libata-eh.c | 8 ++++++++
include/linux/libata.h | 2 +-
2 files changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/ata/libata-eh.c
+++ b/drivers/ata/libata-eh.c
@@ -93,6 +93,12 @@ static const unsigned long ata_eh_identi
ULONG_MAX,
};
+static const unsigned long ata_eh_revalidate_timeouts[] = {
+ 15000, /* Some drives are slow to read log pages when waking-up */
+ 15000, /* combined time till here is enough even for media access */
+ ULONG_MAX,
+};
+
static const unsigned long ata_eh_flush_timeouts[] = {
15000, /* be generous with flush */
15000, /* ditto */
@@ -129,6 +135,8 @@ static const struct ata_eh_cmd_timeout_e
ata_eh_cmd_timeout_table[ATA_EH_CMD_TIMEOUT_TABLE_SIZE] = {
{ .commands = CMDS(ATA_CMD_ID_ATA, ATA_CMD_ID_ATAPI),
.timeouts = ata_eh_identify_timeouts, },
+ { .commands = CMDS(ATA_CMD_READ_LOG_EXT, ATA_CMD_READ_LOG_DMA_EXT),
+ .timeouts = ata_eh_revalidate_timeouts, },
{ .commands = CMDS(ATA_CMD_READ_NATIVE_MAX, ATA_CMD_READ_NATIVE_MAX_EXT),
.timeouts = ata_eh_other_timeouts, },
{ .commands = CMDS(ATA_CMD_SET_MAX, ATA_CMD_SET_MAX_EXT),
--- a/include/linux/libata.h
+++ b/include/linux/libata.h
@@ -394,7 +394,7 @@ enum {
/* This should match the actual table size of
* ata_eh_cmd_timeout_table in libata-eh.c.
*/
- ATA_EH_CMD_TIMEOUT_TABLE_SIZE = 6,
+ ATA_EH_CMD_TIMEOUT_TABLE_SIZE = 7,
/* Horkage types. May be set by libata or controller on drives
(some horkage may be drive/controller pair dependent */
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 007/917] ocfs2: fix data corruption on truncate
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 006/917] libata: fix read log timeout value Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 008/917] scsi: scsi_ioctl: Validate command size Greg Kroah-Hartman
` (912 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jan Kara, Joseph Qi, Mark Fasheh,
Joel Becker, Junxiao Bi, Changwei Ge, Gang He, Jun Piao,
Andrew Morton, Linus Torvalds
From: Jan Kara <jack@suse.cz>
commit 839b63860eb3835da165642923120d305925561d upstream.
Patch series "ocfs2: Truncate data corruption fix".
As further testing has shown, commit 5314454ea3f ("ocfs2: fix data
corruption after conversion from inline format") didn't fix all the data
corruption issues the customer started observing after 6dbf7bb55598
("fs: Don't invalidate page buffers in block_write_full_page()") This
time I have tracked them down to two bugs in ocfs2 truncation code.
One bug (truncating page cache before clearing tail cluster and setting
i_size) could cause data corruption even before 6dbf7bb55598, but before
that commit it needed a race with page fault, after 6dbf7bb55598 it
started to be pretty deterministic.
Another bug (zeroing pages beyond old i_size) used to be harmless
inefficiency before commit 6dbf7bb55598. But after commit 6dbf7bb55598
in combination with the first bug it resulted in deterministic data
corruption.
Although fixing only the first problem is needed to stop data
corruption, I've fixed both issues to make the code more robust.
This patch (of 2):
ocfs2_truncate_file() did unmap invalidate page cache pages before
zeroing partial tail cluster and setting i_size. Thus some pages could
be left (and likely have left if the cluster zeroing happened) in the
page cache beyond i_size after truncate finished letting user possibly
see stale data once the file was extended again. Also the tail cluster
zeroing was not guaranteed to finish before truncate finished causing
possible stale data exposure. The problem started to be particularly
easy to hit after commit 6dbf7bb55598 "fs: Don't invalidate page buffers
in block_write_full_page()" stopped invalidation of pages beyond i_size
from page writeback path.
Fix these problems by unmapping and invalidating pages in the page cache
after the i_size is reduced and tail cluster is zeroed out.
Link: https://lkml.kernel.org/r/20211025150008.29002-1-jack@suse.cz
Link: https://lkml.kernel.org/r/20211025151332.11301-1-jack@suse.cz
Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/file.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -476,10 +476,11 @@ int ocfs2_truncate_file(struct inode *in
* greater than page size, so we have to truncate them
* anyway.
*/
- unmap_mapping_range(inode->i_mapping, new_i_size + PAGE_SIZE - 1, 0, 1);
- truncate_inode_pages(inode->i_mapping, new_i_size);
if (OCFS2_I(inode)->ip_dyn_features & OCFS2_INLINE_DATA_FL) {
+ unmap_mapping_range(inode->i_mapping,
+ new_i_size + PAGE_SIZE - 1, 0, 1);
+ truncate_inode_pages(inode->i_mapping, new_i_size);
status = ocfs2_truncate_inline(inode, di_bh, new_i_size,
i_size_read(inode), 1);
if (status)
@@ -498,6 +499,9 @@ int ocfs2_truncate_file(struct inode *in
goto bail_unlock_sem;
}
+ unmap_mapping_range(inode->i_mapping, new_i_size + PAGE_SIZE - 1, 0, 1);
+ truncate_inode_pages(inode->i_mapping, new_i_size);
+
status = ocfs2_commit_truncate(osb, inode, di_bh);
if (status < 0) {
mlog_errno(status);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 008/917] scsi: scsi_ioctl: Validate command size
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 007/917] ocfs2: fix data corruption on truncate Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 009/917] scsi: core: Avoid leaving shost->last_reset with stale value if EH does not run Greg Kroah-Hartman
` (911 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Christoph Hellwig,
James E.J. Bottomley, Martin K. Petersen, linux-scsi,
Tadeusz Struk
From: Tadeusz Struk <tadeusz.struk@linaro.org>
commit 20aaef52eb08f1d987d46ad26edb8f142f74d83a upstream.
Need to make sure the command size is valid before copying the command from
user space.
Link: https://lore.kernel.org/r/20211103170659.22151-1-tadeusz.struk@linaro.org
Cc: Bart Van Assche <bvanassche@acm.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: James E.J. Bottomley <jejb@linux.ibm.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: <linux-scsi@vger.kernel.org>
Cc: <linux-kernel@vger.kernel.org>
Cc: <stable@vger.kernel.org> # 5.15, 5.14, 5.10
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/scsi_ioctl.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/scsi/scsi_ioctl.c
+++ b/drivers/scsi/scsi_ioctl.c
@@ -347,6 +347,8 @@ static int scsi_fill_sghdr_rq(struct scs
{
struct scsi_request *req = scsi_req(rq);
+ if (hdr->cmd_len < 6)
+ return -EMSGSIZE;
if (copy_from_user(req->cmd, hdr->cmdp, hdr->cmd_len))
return -EFAULT;
if (!scsi_cmd_allowed(req->cmd, mode))
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 009/917] scsi: core: Avoid leaving shost->last_reset with stale value if EH does not run
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 008/917] scsi: scsi_ioctl: Validate command size Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 010/917] scsi: core: Remove command size deduction from scsi_setup_scsi_cmnd() Greg Kroah-Hartman
` (910 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ewan D. Milne, Martin K. Petersen
From: Ewan D. Milne <emilne@redhat.com>
commit 5ae17501bc62a49b0b193dcce003f16375f16654 upstream.
The changes to issue the abort from the scmd->abort_work instead of the EH
thread introduced a problem if eh_deadline is used. If aborting the
command(s) is successful, and there are never any scmds added to the
shost->eh_cmd_q, there is no code path which will reset the ->last_reset
value back to zero.
The effect of this is that after a successful abort with no EH thread
activity, a subsequent timeout, perhaps a long time later, might
immediately be considered past a user-set eh_deadline time, and the host
will be reset with no attempt at recovery.
Fix this by resetting ->last_reset back to zero in scmd_eh_abort_handler()
if it is determined that the EH thread will not run to do this.
Thanks to Gopinath Marappan for investigating this problem.
Link: https://lore.kernel.org/r/20211029194311.17504-2-emilne@redhat.com
Fixes: e494f6a72839 ("[SCSI] improved eh timeout handler")
Cc: stable@vger.kernel.org
Signed-off-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/hosts.c | 1 +
drivers/scsi/scsi_error.c | 25 +++++++++++++++++++++++++
drivers/scsi/scsi_lib.c | 1 +
include/scsi/scsi_cmnd.h | 2 +-
include/scsi/scsi_host.h | 1 +
5 files changed, 29 insertions(+), 1 deletion(-)
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -388,6 +388,7 @@ struct Scsi_Host *scsi_host_alloc(struct
shost->shost_state = SHOST_CREATED;
INIT_LIST_HEAD(&shost->__devices);
INIT_LIST_HEAD(&shost->__targets);
+ INIT_LIST_HEAD(&shost->eh_abort_list);
INIT_LIST_HEAD(&shost->eh_cmd_q);
INIT_LIST_HEAD(&shost->starved_list);
init_waitqueue_head(&shost->host_wait);
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -135,6 +135,23 @@ static bool scsi_eh_should_retry_cmd(str
return true;
}
+static void scsi_eh_complete_abort(struct scsi_cmnd *scmd, struct Scsi_Host *shost)
+{
+ unsigned long flags;
+
+ spin_lock_irqsave(shost->host_lock, flags);
+ list_del_init(&scmd->eh_entry);
+ /*
+ * If the abort succeeds, and there is no further
+ * EH action, clear the ->last_reset time.
+ */
+ if (list_empty(&shost->eh_abort_list) &&
+ list_empty(&shost->eh_cmd_q))
+ if (shost->eh_deadline != -1)
+ shost->last_reset = 0;
+ spin_unlock_irqrestore(shost->host_lock, flags);
+}
+
/**
* scmd_eh_abort_handler - Handle command aborts
* @work: command to be aborted.
@@ -152,6 +169,7 @@ scmd_eh_abort_handler(struct work_struct
container_of(work, struct scsi_cmnd, abort_work.work);
struct scsi_device *sdev = scmd->device;
enum scsi_disposition rtn;
+ unsigned long flags;
if (scsi_host_eh_past_deadline(sdev->host)) {
SCSI_LOG_ERROR_RECOVERY(3,
@@ -175,12 +193,14 @@ scmd_eh_abort_handler(struct work_struct
SCSI_LOG_ERROR_RECOVERY(3,
scmd_printk(KERN_WARNING, scmd,
"retry aborted command\n"));
+ scsi_eh_complete_abort(scmd, sdev->host);
scsi_queue_insert(scmd, SCSI_MLQUEUE_EH_RETRY);
return;
} else {
SCSI_LOG_ERROR_RECOVERY(3,
scmd_printk(KERN_WARNING, scmd,
"finish aborted command\n"));
+ scsi_eh_complete_abort(scmd, sdev->host);
scsi_finish_command(scmd);
return;
}
@@ -193,6 +213,9 @@ scmd_eh_abort_handler(struct work_struct
}
}
+ spin_lock_irqsave(sdev->host->host_lock, flags);
+ list_del_init(&scmd->eh_entry);
+ spin_unlock_irqrestore(sdev->host->host_lock, flags);
scsi_eh_scmd_add(scmd);
}
@@ -223,6 +246,8 @@ scsi_abort_command(struct scsi_cmnd *scm
spin_lock_irqsave(shost->host_lock, flags);
if (shost->eh_deadline != -1 && !shost->last_reset)
shost->last_reset = jiffies;
+ BUG_ON(!list_empty(&scmd->eh_entry));
+ list_add_tail(&scmd->eh_entry, &shost->eh_abort_list);
spin_unlock_irqrestore(shost->host_lock, flags);
scmd->eh_eflags |= SCSI_EH_ABORT_SCHEDULED;
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1143,6 +1143,7 @@ void scsi_init_command(struct scsi_devic
cmd->sense_buffer = buf;
cmd->prot_sdb = prot;
cmd->flags = flags;
+ INIT_LIST_HEAD(&cmd->eh_entry);
INIT_DELAYED_WORK(&cmd->abort_work, scmd_eh_abort_handler);
cmd->jiffies_at_alloc = jiffies_at_alloc;
cmd->retries = retries;
--- a/include/scsi/scsi_cmnd.h
+++ b/include/scsi/scsi_cmnd.h
@@ -68,7 +68,7 @@ struct scsi_pointer {
struct scsi_cmnd {
struct scsi_request req;
struct scsi_device *device;
- struct list_head eh_entry; /* entry for the host eh_cmd_q */
+ struct list_head eh_entry; /* entry for the host eh_abort_list/eh_cmd_q */
struct delayed_work abort_work;
struct rcu_head rcu;
--- a/include/scsi/scsi_host.h
+++ b/include/scsi/scsi_host.h
@@ -556,6 +556,7 @@ struct Scsi_Host {
struct mutex scan_mutex;/* serialize scanning activity */
+ struct list_head eh_abort_list;
struct list_head eh_cmd_q;
struct task_struct * ehandler; /* Error recovery thread. */
struct completion * eh_action; /* Wait for specific actions on the
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 010/917] scsi: core: Remove command size deduction from scsi_setup_scsi_cmnd()
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 009/917] scsi: core: Avoid leaving shost->last_reset with stale value if EH does not run Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 011/917] scsi: lpfc: Dont release final kref on Fport node while ABTS outstanding Greg Kroah-Hartman
` (909 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Christoph Hellwig,
James E.J. Bottomley, Martin K. Petersen, linux-scsi,
syzbot+5516b30f5401d4dcbcae, Tadeusz Struk
From: Tadeusz Struk <tadeusz.struk@linaro.org>
commit 703535e6ae1e94c89a9c1396b4c7b6b41160ef0c upstream.
No need to deduce command size in scsi_setup_scsi_cmnd() anymore as
appropriate checks have been added to scsi_fill_sghdr_rq() function and the
cmd_len should never be zero here. The code to do that wasn't correct
anyway, as it used uninitialized cmd->cmnd, which caused a null-ptr-deref
if the command size was zero as in the trace below. Fix this by removing
the unneeded code.
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 1822 Comm: repro Not tainted 5.15.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014
Call Trace:
blk_mq_dispatch_rq_list+0x7c7/0x12d0
__blk_mq_sched_dispatch_requests+0x244/0x380
blk_mq_sched_dispatch_requests+0xf0/0x160
__blk_mq_run_hw_queue+0xe8/0x160
__blk_mq_delay_run_hw_queue+0x252/0x5d0
blk_mq_run_hw_queue+0x1dd/0x3b0
blk_mq_sched_insert_request+0x1ff/0x3e0
blk_execute_rq_nowait+0x173/0x1e0
blk_execute_rq+0x15c/0x540
sg_io+0x97c/0x1370
scsi_ioctl+0xe16/0x28e0
sd_ioctl+0x134/0x170
blkdev_ioctl+0x362/0x6e0
block_ioctl+0xb0/0xf0
vfs_ioctl+0xa7/0xf0
do_syscall_64+0x3d/0xb0
entry_SYSCALL_64_after_hwframe+0x44/0xae
---[ end trace 8b086e334adef6d2 ]---
Kernel panic - not syncing: Fatal exception
Link: https://lore.kernel.org/r/20211103170659.22151-2-tadeusz.struk@linaro.org
Fixes: 2ceda20f0a99 ("scsi: core: Move command size detection out of the fast path")
Cc: Bart Van Assche <bvanassche@acm.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: James E.J. Bottomley <jejb@linux.ibm.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: <linux-scsi@vger.kernel.org>
Cc: <linux-kernel@vger.kernel.org>
Cc: <stable@vger.kernel.org> # 5.15, 5.14, 5.10
Reported-by: syzbot+5516b30f5401d4dcbcae@syzkaller.appspotmail.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/scsi_lib.c | 2 --
1 file changed, 2 deletions(-)
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1175,8 +1175,6 @@ static blk_status_t scsi_setup_scsi_cmnd
}
cmd->cmd_len = scsi_req(req)->cmd_len;
- if (cmd->cmd_len == 0)
- cmd->cmd_len = scsi_command_size(cmd->cmnd);
cmd->cmnd = scsi_req(req)->cmd;
cmd->transfersize = blk_rq_bytes(req);
cmd->allowed = scsi_req(req)->retries;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 011/917] scsi: lpfc: Dont release final kref on Fport node while ABTS outstanding
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 010/917] scsi: core: Remove command size deduction from scsi_setup_scsi_cmnd() Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 012/917] scsi: lpfc: Fix FCP I/O flush functionality for TMF routines Greg Kroah-Hartman
` (908 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Justin Tee, James Smart, Martin K. Petersen
From: James Smart <jsmart2021@gmail.com>
commit 982fc3965d1350d3332e04046b0e101006184ba9 upstream.
In a rarely executed path, FLOGI failure, there is a refcounting error. If
FLOGI completed with an error, typically a timeout, the initial completion
handler would remove the job reference. However, the job completion isn't
the actual end of the job/exchange as the timeout usually initiates an
ABTS, and upon that ABTS completion, a final completion is sent. The driver
removes the reference again in the final completion. Thus the imbalance.
In the buggy cases, if there was a link bounce while the delayed response
is outstanding, the fport node may be referenced again but there was no
additional reference as it is already present. The delayed completion then
occurs and removes the last reference freeing the node and causing issues
in the link up processed that is using the node.
Fix this scenario by removing the snippet that removed the reference in the
initial FLOGI completion. The bad snippet was poorly trying to identify the
FLOGI as OK to do so by realizing the node was not registered with either
SCSI or NVMe transport.
Link: https://lore.kernel.org/r/20210910233159.115896-3-jsmart2021@gmail.com
Fixes: 618e2ee146d4 ("scsi: lpfc: Fix FLOGI failure due to accessing a freed node")
Cc: <stable@vger.kernel.org> # v5.13+
Co-developed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/lpfc/lpfc_els.c | 11 +++++------
drivers/scsi/lpfc/lpfc_hbadisc.c | 10 ++++++----
drivers/scsi/lpfc/lpfc_nvme.c | 5 +++--
3 files changed, 14 insertions(+), 12 deletions(-)
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -1059,9 +1059,10 @@ stop_rr_fcf_flogi:
lpfc_printf_vlog(vport, KERN_WARNING, LOG_TRACE_EVENT,
"0150 FLOGI failure Status:x%x/x%x "
- "xri x%x TMO:x%x\n",
+ "xri x%x TMO:x%x refcnt %d\n",
irsp->ulpStatus, irsp->un.ulpWord[4],
- cmdiocb->sli4_xritag, irsp->ulpTimeout);
+ cmdiocb->sli4_xritag, irsp->ulpTimeout,
+ kref_read(&ndlp->kref));
/* If this is not a loop open failure, bail out */
if (!(irsp->ulpStatus == IOSTAT_LOCAL_REJECT &&
@@ -1122,12 +1123,12 @@ stop_rr_fcf_flogi:
/* FLOGI completes successfully */
lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
"0101 FLOGI completes successfully, I/O tag:x%x, "
- "xri x%x Data: x%x x%x x%x x%x x%x x%x x%x\n",
+ "xri x%x Data: x%x x%x x%x x%x x%x x%x x%x %d\n",
cmdiocb->iotag, cmdiocb->sli4_xritag,
irsp->un.ulpWord[4], sp->cmn.e_d_tov,
sp->cmn.w2.r_a_tov, sp->cmn.edtovResolution,
vport->port_state, vport->fc_flag,
- sp->cmn.priority_tagging);
+ sp->cmn.priority_tagging, kref_read(&ndlp->kref));
if (sp->cmn.priority_tagging)
vport->vmid_flag |= LPFC_VMID_ISSUE_QFPA;
@@ -1205,8 +1206,6 @@ flogifail:
phba->fcf.fcf_flag &= ~FCF_DISCOVERY;
spin_unlock_irq(&phba->hbalock);
- if (!(ndlp->fc4_xpt_flags & (SCSI_XPT_REGD | NVME_XPT_REGD)))
- lpfc_nlp_put(ndlp);
if (!lpfc_error_lost_link(irsp)) {
/* FLOGI failed, so just use loop map to make discovery list */
lpfc_disc_list_loopmap(vport);
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -4449,8 +4449,9 @@ lpfc_register_remote_port(struct lpfc_vp
fc_remote_port_rolechg(rport, rport_ids.roles);
lpfc_printf_vlog(ndlp->vport, KERN_INFO, LOG_NODE,
- "3183 %s rport x%px DID x%x, role x%x\n",
- __func__, rport, rport->port_id, rport->roles);
+ "3183 %s rport x%px DID x%x, role x%x refcnt %d\n",
+ __func__, rport, rport->port_id, rport->roles,
+ kref_read(&ndlp->kref));
if ((rport->scsi_target_id != -1) &&
(rport->scsi_target_id < LPFC_MAX_TARGET)) {
@@ -4475,8 +4476,9 @@ lpfc_unregister_remote_port(struct lpfc_
lpfc_printf_vlog(vport, KERN_INFO, LOG_NODE,
"3184 rport unregister x%06x, rport x%px "
- "xptflg x%x\n",
- ndlp->nlp_DID, rport, ndlp->fc4_xpt_flags);
+ "xptflg x%x refcnt %d\n",
+ ndlp->nlp_DID, rport, ndlp->fc4_xpt_flags,
+ kref_read(&ndlp->kref));
fc_remote_port_delete(rport);
lpfc_nlp_put(ndlp);
--- a/drivers/scsi/lpfc/lpfc_nvme.c
+++ b/drivers/scsi/lpfc/lpfc_nvme.c
@@ -209,8 +209,9 @@ lpfc_nvme_remoteport_delete(struct nvme_
* calling state machine to remove the node.
*/
lpfc_printf_vlog(vport, KERN_INFO, LOG_NVME_DISC,
- "6146 remoteport delete of remoteport x%px\n",
- remoteport);
+ "6146 remoteport delete of remoteport x%px, ndlp x%px "
+ "DID x%x xflags x%x\n",
+ remoteport, ndlp, ndlp->nlp_DID, ndlp->fc4_xpt_flags);
spin_lock_irq(&ndlp->lock);
/* The register rebind might have occurred before the delete
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 012/917] scsi: lpfc: Fix FCP I/O flush functionality for TMF routines
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 011/917] scsi: lpfc: Dont release final kref on Fport node while ABTS outstanding Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 013/917] scsi: qla2xxx: Fix crash in NVMe abort path Greg Kroah-Hartman
` (907 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Justin Tee, James Smart, Martin K. Petersen
From: James Smart <jsmart2021@gmail.com>
commit cd8a36a90babf958082b87bc6b4df5dd70901eba upstream.
A prior patch inadvertently caused lpfc_sli_sum_iocb() to exclude counting
of outstanding aborted I/Os and ABORT IOCBs. Thus,
lpfc_reset_flush_io_context() called from any TMF routine does not properly
wait to flush all outstanding FCP IOCBs leading to a block layer crash on
an invalid scsi_cmnd->request pointer.
kernel BUG at ../block/blk-core.c:1489!
RIP: 0010:blk_requeue_request+0xaf/0xc0
...
Call Trace:
<IRQ>
__scsi_queue_insert+0x90/0xe0 [scsi_mod]
blk_done_softirq+0x7e/0x90
__do_softirq+0xd2/0x280
irq_exit+0xd5/0xe0
do_IRQ+0x4c/0xd0
common_interrupt+0x87/0x87
</IRQ>
Fix by separating out the LPFC_IO_FCP, LPFC_IO_ON_TXCMPLQ,
LPFC_DRIVER_ABORTED, and CMD_ABORT_XRI_CN || CMD_CLOSE_XRI_CN checks into a
new lpfc_sli_validate_fcp_iocb_for_abort() routine when determining to
build an ABORT iocb.
Restore lpfc_reset_flush_io_context() functionality by including counting
of outstanding aborted IOCBs and ABORT IOCBs in lpfc_sli_sum_iocb().
Link: https://lore.kernel.org/r/20210910233159.115896-9-jsmart2021@gmail.com
Fixes: e1364711359f ("scsi: lpfc: Fix illegal memory access on Abort IOCBs")
Cc: <stable@vger.kernel.org> # v5.12+
Co-developed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/lpfc/lpfc_sli.c | 101 +++++++++++++++++++++++++++++++++----------
1 file changed, 78 insertions(+), 23 deletions(-)
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -12488,15 +12488,54 @@ lpfc_sli_hba_iocb_abort(struct lpfc_hba
}
/**
- * lpfc_sli_validate_fcp_iocb - find commands associated with a vport or LUN
+ * lpfc_sli_validate_fcp_iocb_for_abort - filter iocbs appropriate for FCP aborts
+ * @iocbq: Pointer to iocb object.
+ * @vport: Pointer to driver virtual port object.
+ *
+ * This function acts as an iocb filter for functions which abort FCP iocbs.
+ *
+ * Return values
+ * -ENODEV, if a null iocb or vport ptr is encountered
+ * -EINVAL, if the iocb is not an FCP I/O, not on the TX cmpl queue, premarked as
+ * driver already started the abort process, or is an abort iocb itself
+ * 0, passes criteria for aborting the FCP I/O iocb
+ **/
+static int
+lpfc_sli_validate_fcp_iocb_for_abort(struct lpfc_iocbq *iocbq,
+ struct lpfc_vport *vport)
+{
+ IOCB_t *icmd = NULL;
+
+ /* No null ptr vports */
+ if (!iocbq || iocbq->vport != vport)
+ return -ENODEV;
+
+ /* iocb must be for FCP IO, already exists on the TX cmpl queue,
+ * can't be premarked as driver aborted, nor be an ABORT iocb itself
+ */
+ icmd = &iocbq->iocb;
+ if (!(iocbq->iocb_flag & LPFC_IO_FCP) ||
+ !(iocbq->iocb_flag & LPFC_IO_ON_TXCMPLQ) ||
+ (iocbq->iocb_flag & LPFC_DRIVER_ABORTED) ||
+ (icmd->ulpCommand == CMD_ABORT_XRI_CN ||
+ icmd->ulpCommand == CMD_CLOSE_XRI_CN))
+ return -EINVAL;
+
+ return 0;
+}
+
+/**
+ * lpfc_sli_validate_fcp_iocb - validate commands associated with a SCSI target
* @iocbq: Pointer to driver iocb object.
* @vport: Pointer to driver virtual port object.
* @tgt_id: SCSI ID of the target.
* @lun_id: LUN ID of the scsi device.
* @ctx_cmd: LPFC_CTX_LUN/LPFC_CTX_TGT/LPFC_CTX_HOST
*
- * This function acts as an iocb filter for functions which abort or count
- * all FCP iocbs pending on a lun/SCSI target/SCSI host. It will return
+ * This function acts as an iocb filter for validating a lun/SCSI target/SCSI
+ * host.
+ *
+ * It will return
* 0 if the filtering criteria is met for the given iocb and will return
* 1 if the filtering criteria is not met.
* If ctx_cmd == LPFC_CTX_LUN, the function returns 0 only if the
@@ -12515,22 +12554,8 @@ lpfc_sli_validate_fcp_iocb(struct lpfc_i
lpfc_ctx_cmd ctx_cmd)
{
struct lpfc_io_buf *lpfc_cmd;
- IOCB_t *icmd = NULL;
int rc = 1;
- if (!iocbq || iocbq->vport != vport)
- return rc;
-
- if (!(iocbq->iocb_flag & LPFC_IO_FCP) ||
- !(iocbq->iocb_flag & LPFC_IO_ON_TXCMPLQ) ||
- iocbq->iocb_flag & LPFC_DRIVER_ABORTED)
- return rc;
-
- icmd = &iocbq->iocb;
- if (icmd->ulpCommand == CMD_ABORT_XRI_CN ||
- icmd->ulpCommand == CMD_CLOSE_XRI_CN)
- return rc;
-
lpfc_cmd = container_of(iocbq, struct lpfc_io_buf, cur_iocbq);
if (lpfc_cmd->pCmd == NULL)
@@ -12585,17 +12610,33 @@ lpfc_sli_sum_iocb(struct lpfc_vport *vpo
{
struct lpfc_hba *phba = vport->phba;
struct lpfc_iocbq *iocbq;
+ IOCB_t *icmd = NULL;
int sum, i;
+ unsigned long iflags;
- spin_lock_irq(&phba->hbalock);
+ spin_lock_irqsave(&phba->hbalock, iflags);
for (i = 1, sum = 0; i <= phba->sli.last_iotag; i++) {
iocbq = phba->sli.iocbq_lookup[i];
- if (lpfc_sli_validate_fcp_iocb (iocbq, vport, tgt_id, lun_id,
- ctx_cmd) == 0)
+ if (!iocbq || iocbq->vport != vport)
+ continue;
+ if (!(iocbq->iocb_flag & LPFC_IO_FCP) ||
+ !(iocbq->iocb_flag & LPFC_IO_ON_TXCMPLQ))
+ continue;
+
+ /* Include counting outstanding aborts */
+ icmd = &iocbq->iocb;
+ if (icmd->ulpCommand == CMD_ABORT_XRI_CN ||
+ icmd->ulpCommand == CMD_CLOSE_XRI_CN) {
+ sum++;
+ continue;
+ }
+
+ if (lpfc_sli_validate_fcp_iocb(iocbq, vport, tgt_id, lun_id,
+ ctx_cmd) == 0)
sum++;
}
- spin_unlock_irq(&phba->hbalock);
+ spin_unlock_irqrestore(&phba->hbalock, iflags);
return sum;
}
@@ -12662,7 +12703,11 @@ lpfc_sli_abort_fcp_cmpl(struct lpfc_hba
*
* This function sends an abort command for every SCSI command
* associated with the given virtual port pending on the ring
- * filtered by lpfc_sli_validate_fcp_iocb function.
+ * filtered by lpfc_sli_validate_fcp_iocb_for_abort and then
+ * lpfc_sli_validate_fcp_iocb function. The ordering for validation before
+ * submitting abort iocbs must be lpfc_sli_validate_fcp_iocb_for_abort
+ * followed by lpfc_sli_validate_fcp_iocb.
+ *
* When abort_cmd == LPFC_CTX_LUN, the function sends abort only to the
* FCP iocbs associated with lun specified by tgt_id and lun_id
* parameters
@@ -12694,6 +12739,9 @@ lpfc_sli_abort_iocb(struct lpfc_vport *v
for (i = 1; i <= phba->sli.last_iotag; i++) {
iocbq = phba->sli.iocbq_lookup[i];
+ if (lpfc_sli_validate_fcp_iocb_for_abort(iocbq, vport))
+ continue;
+
if (lpfc_sli_validate_fcp_iocb(iocbq, vport, tgt_id, lun_id,
abort_cmd) != 0)
continue;
@@ -12726,7 +12774,11 @@ lpfc_sli_abort_iocb(struct lpfc_vport *v
*
* This function sends an abort command for every SCSI command
* associated with the given virtual port pending on the ring
- * filtered by lpfc_sli_validate_fcp_iocb function.
+ * filtered by lpfc_sli_validate_fcp_iocb_for_abort and then
+ * lpfc_sli_validate_fcp_iocb function. The ordering for validation before
+ * submitting abort iocbs must be lpfc_sli_validate_fcp_iocb_for_abort
+ * followed by lpfc_sli_validate_fcp_iocb.
+ *
* When taskmgmt_cmd == LPFC_CTX_LUN, the function sends abort only to the
* FCP iocbs associated with lun specified by tgt_id and lun_id
* parameters
@@ -12764,6 +12816,9 @@ lpfc_sli_abort_taskmgmt(struct lpfc_vpor
for (i = 1; i <= phba->sli.last_iotag; i++) {
iocbq = phba->sli.iocbq_lookup[i];
+ if (lpfc_sli_validate_fcp_iocb_for_abort(iocbq, vport))
+ continue;
+
if (lpfc_sli_validate_fcp_iocb(iocbq, vport, tgt_id, lun_id,
cmd) != 0)
continue;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 013/917] scsi: qla2xxx: Fix crash in NVMe abort path
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 012/917] scsi: lpfc: Fix FCP I/O flush functionality for TMF routines Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 014/917] scsi: qla2xxx: Fix kernel crash when accessing port_speed sysfs file Greg Kroah-Hartman
` (906 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Himanshu Madhani, Arun Easi,
Nilesh Javali, Martin K. Petersen
From: Arun Easi <aeasi@marvell.com>
commit e6e22e6cc2962d3f3d71914b47f7fbc454670e8a upstream.
System crash was seen when I/O was run against an NVMe target and aborts
were occurring.
Crash stack is:
-- relevant crash stack --
BUG: kernel NULL pointer dereference, address: 0000000000000010
:
#6 [ffffae1f8666bdd0] page_fault at ffffffffa740122e
[exception RIP: qla_nvme_abort_work+339]
RIP: ffffffffc0f592e3 RSP: ffffae1f8666be80 RFLAGS: 00010297
RAX: 0000000000000000 RBX: ffff9b581fc8af80 RCX: ffffffffc0f83bd0
RDX: 0000000000000001 RSI: ffff9b5839c6c7c8 RDI: 0000000008000000
RBP: ffff9b6832f85000 R8: ffffffffc0f68160 R9: ffffffffc0f70652
R10: ffffae1f862ffdc8 R11: 0000000000000300 R12: 000000000000010d
R13: 0000000000000000 R14: ffff9b5839cea000 R15: 0ffff9b583fab170
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#7 [ffffae1f8666be98] process_one_work at ffffffffa6aba184
#8 [ffffae1f8666bed8] worker_thread at ffffffffa6aba39d
#9 [ffffae1f8666bf10] kthread at ffffffffa6ac06ed
The crash was due to a stale SRB structure access after it was aborted.
Fix the issue by removing stale access.
Link: https://lore.kernel.org/r/20210908164622.19240-5-njavali@marvell.com
Fixes: 2cabf10dbbe3 ("scsi: qla2xxx: Fix hang on NVMe command timeouts")
Cc: stable@vger.kernel.org
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Arun Easi <aeasi@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/qla2xxx/qla_nvme.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/drivers/scsi/qla2xxx/qla_nvme.c
+++ b/drivers/scsi/qla2xxx/qla_nvme.c
@@ -228,6 +228,8 @@ static void qla_nvme_abort_work(struct w
fc_port_t *fcport = sp->fcport;
struct qla_hw_data *ha = fcport->vha->hw;
int rval, abts_done_called = 1;
+ bool io_wait_for_abort_done;
+ uint32_t handle;
ql_dbg(ql_dbg_io, fcport->vha, 0xffff,
"%s called for sp=%p, hndl=%x on fcport=%p desc=%p deleted=%d\n",
@@ -244,12 +246,20 @@ static void qla_nvme_abort_work(struct w
goto out;
}
+ /*
+ * sp may not be valid after abort_command if return code is either
+ * SUCCESS or ERR_FROM_FW codes, so cache the value here.
+ */
+ io_wait_for_abort_done = ql2xabts_wait_nvme &&
+ QLA_ABTS_WAIT_ENABLED(sp);
+ handle = sp->handle;
+
rval = ha->isp_ops->abort_command(sp);
ql_dbg(ql_dbg_io, fcport->vha, 0x212b,
"%s: %s command for sp=%p, handle=%x on fcport=%p rval=%x\n",
__func__, (rval != QLA_SUCCESS) ? "Failed to abort" : "Aborted",
- sp, sp->handle, fcport, rval);
+ sp, handle, fcport, rval);
/*
* If async tmf is enabled, the abort callback is called only on
@@ -264,7 +274,7 @@ static void qla_nvme_abort_work(struct w
* are waited until ABTS complete. This kref is decreased
* at qla24xx_abort_sp_done function.
*/
- if (abts_done_called && ql2xabts_wait_nvme && QLA_ABTS_WAIT_ENABLED(sp))
+ if (abts_done_called && io_wait_for_abort_done)
return;
out:
/* kref_get was done before work was schedule. */
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 014/917] scsi: qla2xxx: Fix kernel crash when accessing port_speed sysfs file
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 013/917] scsi: qla2xxx: Fix crash in NVMe abort path Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 015/917] scsi: qla2xxx: Fix use after free in eh_abort path Greg Kroah-Hartman
` (905 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Himanshu Madhani, Arun Easi,
Nilesh Javali, Martin K. Petersen
From: Arun Easi <aeasi@marvell.com>
commit 3ef68d4f0c9e7cb589ae8b70f07d77f528105331 upstream.
Kernel crashes when accessing port_speed sysfs file. The issue happens on
a CNA when the local array was accessed beyond bounds. Fix this by changing
the lookup.
BUG: unable to handle kernel paging request at 0000000000004000
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 15 PID: 455213 Comm: sosreport Kdump: loaded Not tainted
4.18.0-305.7.1.el8_4.x86_64 #1
RIP: 0010:string_nocheck+0x12/0x70
Code: 00 00 4c 89 e2 be 20 00 00 00 48 89 ef e8 86 9a 00 00 4c 01
e3 eb 81 90 49 89 f2 48 89 ce 48 89 f8 48 c1 fe 30 66 85 f6 74 4f <44> 0f b6 0a
45 84 c9 74 46 83 ee 01 41 b8 01 00 00 00 48 8d 7c 37
RSP: 0018:ffffb5141c1afcf0 EFLAGS: 00010286
RAX: ffff8bf4009f8000 RBX: ffff8bf4009f9000 RCX: ffff0a00ffffff04
RDX: 0000000000004000 RSI: ffffffffffffffff RDI: ffff8bf4009f8000
RBP: 0000000000004000 R08: 0000000000000001 R09: ffffb5141c1afb84
R10: ffff8bf4009f9000 R11: ffffb5141c1afce6 R12: ffff0a00ffffff04
R13: ffffffffc08e21aa R14: 0000000000001000 R15: ffffffffc08e21aa
FS: 00007fc4ebfff700(0000) GS:ffff8c717f7c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000004000 CR3: 000000edfdee6006 CR4: 00000000001706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
string+0x40/0x50
vsnprintf+0x33c/0x520
scnprintf+0x4d/0x90
qla2x00_port_speed_show+0xb5/0x100 [qla2xxx]
dev_attr_show+0x1c/0x40
sysfs_kf_seq_show+0x9b/0x100
seq_read+0x153/0x410
vfs_read+0x91/0x140
ksys_read+0x4f/0xb0
do_syscall_64+0x5b/0x1a0
entry_SYSCALL_64_after_hwframe+0x65/0xca
Link: https://lore.kernel.org/r/20210908164622.19240-7-njavali@marvell.com
Fixes: 4910b524ac9e ("scsi: qla2xxx: Add support for setting port speed")
Cc: stable@vger.kernel.org
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Arun Easi <aeasi@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/qla2xxx/qla_attr.c | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
--- a/drivers/scsi/qla2xxx/qla_attr.c
+++ b/drivers/scsi/qla2xxx/qla_attr.c
@@ -1868,6 +1868,18 @@ qla2x00_port_speed_store(struct device *
return strlen(buf);
}
+static const struct {
+ u16 rate;
+ char *str;
+} port_speed_str[] = {
+ { PORT_SPEED_4GB, "4" },
+ { PORT_SPEED_8GB, "8" },
+ { PORT_SPEED_16GB, "16" },
+ { PORT_SPEED_32GB, "32" },
+ { PORT_SPEED_64GB, "64" },
+ { PORT_SPEED_10GB, "10" },
+};
+
static ssize_t
qla2x00_port_speed_show(struct device *dev, struct device_attribute *attr,
char *buf)
@@ -1875,7 +1887,8 @@ qla2x00_port_speed_show(struct device *d
struct scsi_qla_host *vha = shost_priv(dev_to_shost(dev));
struct qla_hw_data *ha = vha->hw;
ssize_t rval;
- char *spd[7] = {"0", "0", "0", "4", "8", "16", "32"};
+ u16 i;
+ char *speed = "Unknown";
rval = qla2x00_get_data_rate(vha);
if (rval != QLA_SUCCESS) {
@@ -1884,7 +1897,14 @@ qla2x00_port_speed_show(struct device *d
return -EINVAL;
}
- return scnprintf(buf, PAGE_SIZE, "%s\n", spd[ha->link_data_rate]);
+ for (i = 0; i < ARRAY_SIZE(port_speed_str); i++) {
+ if (port_speed_str[i].rate != ha->link_data_rate)
+ continue;
+ speed = port_speed_str[i].str;
+ break;
+ }
+
+ return scnprintf(buf, PAGE_SIZE, "%s\n", speed);
}
static ssize_t
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 015/917] scsi: qla2xxx: Fix use after free in eh_abort path
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 014/917] scsi: qla2xxx: Fix kernel crash when accessing port_speed sysfs file Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 016/917] ce/gf100: fix incorrect CE0 address calculation on some GPUs Greg Kroah-Hartman
` (904 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Himanshu Madhani, David Jeffery,
Laurence Oberman, Quinn Tran, Nilesh Javali, Martin K. Petersen
From: Quinn Tran <qutran@marvell.com>
commit 3d33b303d4f3b74a71bede5639ebba3cfd2a2b4d upstream.
In eh_abort path driver prematurely exits the call to upper layer. Check
whether command is aborted / completed by firmware before exiting the call.
9 [ffff8b1ebf803c00] page_fault at ffffffffb0389778
[exception RIP: qla2x00_status_entry+0x48d]
RIP: ffffffffc04fa62d RSP: ffff8b1ebf803cb0 RFLAGS: 00010082
RAX: 00000000ffffffff RBX: 00000000000e0000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 00000000000013d8 RDI: fffff3253db78440
RBP: ffff8b1ebf803dd0 R8: ffff8b1ebcd9b0c0 R9: 0000000000000000
R10: ffff8b1e38a30808 R11: 0000000000001000 R12: 00000000000003e9
R13: 0000000000000000 R14: ffff8b1ebcd9d740 R15: 0000000000000028
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
10 [ffff8b1ebf803cb0] enqueue_entity at ffffffffafce708f
11 [ffff8b1ebf803d00] enqueue_task_fair at ffffffffafce7b88
12 [ffff8b1ebf803dd8] qla24xx_process_response_queue at ffffffffc04fc9a6
[qla2xxx]
13 [ffff8b1ebf803e78] qla24xx_msix_rsp_q at ffffffffc04ff01b [qla2xxx]
14 [ffff8b1ebf803eb0] __handle_irq_event_percpu at ffffffffafd50714
Link: https://lore.kernel.org/r/20210908164622.19240-10-njavali@marvell.com
Fixes: f45bca8c5052 ("scsi: qla2xxx: Fix double scsi_done for abort path")
Cc: stable@vger.kernel.org
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Co-developed-by: David Jeffery <djeffery@redhat.com>
Signed-off-by: David Jeffery <djeffery@redhat.com>
Co-developed-by: Laurence Oberman <loberman@redhat.com>
Signed-off-by: Laurence Oberman <loberman@redhat.com>
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/qla2xxx/qla_os.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -1258,6 +1258,7 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
uint32_t ratov_j;
struct qla_qpair *qpair;
unsigned long flags;
+ int fast_fail_status = SUCCESS;
if (qla2x00_isp_reg_stat(ha)) {
ql_log(ql_log_info, vha, 0x8042,
@@ -1266,9 +1267,10 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
return FAILED;
}
+ /* Save any FAST_IO_FAIL value to return later if abort succeeds */
ret = fc_block_scsi_eh(cmd);
if (ret != 0)
- return ret;
+ fast_fail_status = ret;
sp = scsi_cmd_priv(cmd);
qpair = sp->qpair;
@@ -1276,7 +1278,7 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
vha->cmd_timeout_cnt++;
if ((sp->fcport && sp->fcport->deleted) || !qpair)
- return SUCCESS;
+ return fast_fail_status != SUCCESS ? fast_fail_status : FAILED;
spin_lock_irqsave(qpair->qp_lock_ptr, flags);
sp->comp = ∁
@@ -1311,7 +1313,7 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
__func__, ha->r_a_tov/10);
ret = FAILED;
} else {
- ret = SUCCESS;
+ ret = fast_fail_status;
}
break;
default:
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 016/917] ce/gf100: fix incorrect CE0 address calculation on some GPUs
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 015/917] scsi: qla2xxx: Fix use after free in eh_abort path Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 017/917] char: xillybus: fix msg_ep UAF in xillyusb_probe() Greg Kroah-Hartman
` (903 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ben Skeggs, Karol Herbst
From: Ben Skeggs <bskeggs@redhat.com>
commit 93f43ed81abec8c805e1b77eb1d20dbc51a24dc4 upstream.
The code which constructs the modules for each engine present on the GPU
passes -1 for 'instance' on non-instanced engines, which affects how the
name for a sub-device is generated. This is then stored as 'instance 0'
in nvkm_subdev.inst, so code can potentially be shared with earlier GPUs
that only had a single instance of an engine.
However, GF100's CE constructor uses this value to calculate the address
of its falcon before it's translated, resulting in CE0 getting the wrong
address.
This slightly modifies the approach, always passing a valid instance for
engines that *can* have multiple copies, and having the code for earlier
GPUs explicitly ask for non-instanced name generation.
Bug: https://gitlab.freedesktop.org/drm/nouveau/-/issues/91
Fixes: 50551b15c760 ("drm/nouveau/ce: switch to instanced constructor")
Cc: <stable@vger.kernel.org> # v5.12+
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Reviewed-by: Karol Herbst <kherbst@redhat.com>
Tested-by: Karol Herbst <kherbst@redhat.com>
Signed-off-by: Karol Herbst <kherbst@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211103011057.15344-1-skeggsb@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nvkm/engine/ce/gt215.c | 2 +-
drivers/gpu/drm/nouveau/nvkm/engine/device/base.c | 3 +--
2 files changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/nouveau/nvkm/engine/ce/gt215.c
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/ce/gt215.c
@@ -78,6 +78,6 @@ int
gt215_ce_new(struct nvkm_device *device, enum nvkm_subdev_type type, int inst,
struct nvkm_engine **pengine)
{
- return nvkm_falcon_new_(>215_ce, device, type, inst,
+ return nvkm_falcon_new_(>215_ce, device, type, -1,
(device->chipset != 0xaf), 0x104000, pengine);
}
--- a/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
@@ -3147,8 +3147,7 @@ nvkm_device_ctor(const struct nvkm_devic
WARN_ON(device->chip->ptr.inst & ~((1 << ARRAY_SIZE(device->ptr)) - 1)); \
for (j = 0; device->chip->ptr.inst && j < ARRAY_SIZE(device->ptr); j++) { \
if ((device->chip->ptr.inst & BIT(j)) && (subdev_mask & BIT_ULL(type))) { \
- int inst = (device->chip->ptr.inst == 1) ? -1 : (j); \
- ret = device->chip->ptr.ctor(device, (type), inst, &device->ptr[j]); \
+ ret = device->chip->ptr.ctor(device, (type), (j), &device->ptr[j]); \
subdev = nvkm_device_subdev(device, (type), (j)); \
if (ret) { \
nvkm_subdev_del(&subdev); \
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 017/917] char: xillybus: fix msg_ep UAF in xillyusb_probe()
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 016/917] ce/gf100: fix incorrect CE0 address calculation on some GPUs Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 018/917] mmc: mtk-sd: Add wait dma stop done flow Greg Kroah-Hartman
` (902 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eli Billauer, Ziyang Xuan
From: Ziyang Xuan <william.xuanziyang@huawei.com>
commit 15c9a359094ec6251578b02387436bc64f11a477 upstream.
When endpoint_alloc() return failed in xillyusb_setup_base_eps(),
'xdev->msg_ep' will be freed but not set to NULL. That lets program
enter fail handling to cleanup_dev() in xillyusb_probe(). Check for
'xdev->msg_ep' is invalid in cleanup_dev() because 'xdev->msg_ep' did
not set to NULL when was freed. So the UAF problem for 'xdev->msg_ep'
is triggered.
==================================================================
BUG: KASAN: use-after-free in fifo_mem_release+0x1f4/0x210
CPU: 0 PID: 166 Comm: kworker/0:2 Not tainted 5.15.0-rc5+ #19
Call Trace:
dump_stack_lvl+0xe2/0x152
print_address_description.constprop.0+0x21/0x140
? fifo_mem_release+0x1f4/0x210
kasan_report.cold+0x7f/0x11b
? xillyusb_probe+0x530/0x700
? fifo_mem_release+0x1f4/0x210
fifo_mem_release+0x1f4/0x210
? __sanitizer_cov_trace_pc+0x1d/0x50
endpoint_dealloc+0x35/0x2b0
cleanup_dev+0x90/0x120
xillyusb_probe+0x59a/0x700
...
Freed by task 166:
kasan_save_stack+0x1b/0x40
kasan_set_track+0x1c/0x30
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0x109/0x140
kfree+0x117/0x4c0
xillyusb_probe+0x606/0x700
Set 'xdev->msg_ep' to NULL after being freed in xillyusb_setup_base_eps()
to fix the UAF problem.
Fixes: a53d1202aef1 ("char: xillybus: Add driver for XillyUSB (Xillybus variant for USB)")
Cc: stable <stable@vger.kernel.org>
Acked-by: Eli Billauer <eli.billauer@gmail.com>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/r/20211016052047.1611983-1-william.xuanziyang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/xillybus/xillyusb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/char/xillybus/xillyusb.c
+++ b/drivers/char/xillybus/xillyusb.c
@@ -1912,6 +1912,7 @@ static int xillyusb_setup_base_eps(struc
dealloc:
endpoint_dealloc(xdev->msg_ep); /* Also frees FIFO mem if allocated */
+ xdev->msg_ep = NULL;
return -ENOMEM;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 018/917] mmc: mtk-sd: Add wait dma stop done flow
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 017/917] char: xillybus: fix msg_ep UAF in xillyusb_probe() Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 019/917] mmc: dw_mmc: Dont wait for DRTO on Write RSP error Greg Kroah-Hartman
` (901 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Derong Liu, Ulf Hansson
From: Derong Liu <derong.liu@mediatek.com>
commit 43e5fee317f4b0a48992b8b07935b1a3ac20ce84 upstream.
We found this issue on a 5G platform, during CMDQ error handling, if DMA
status is active when it call msdc_reset_hw(), it means mmc host hw reset
and DMA transfer will be parallel, mmc host may access sram region
unexpectedly. According to the programming guide of mtk-sd host, it needs
to wait for dma stop done after set dma stop.
This change should be applied to all SoCs.
Signed-off-by: Derong Liu <derong.liu@mediatek.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210827071537.1034-1-derong.liu@mediatek.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/mtk-sd.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/mmc/host/mtk-sd.c
+++ b/drivers/mmc/host/mtk-sd.c
@@ -8,6 +8,7 @@
#include <linux/clk.h>
#include <linux/delay.h>
#include <linux/dma-mapping.h>
+#include <linux/iopoll.h>
#include <linux/ioport.h>
#include <linux/irq.h>
#include <linux/of_address.h>
@@ -2330,6 +2331,7 @@ static void msdc_cqe_enable(struct mmc_h
static void msdc_cqe_disable(struct mmc_host *mmc, bool recovery)
{
struct msdc_host *host = mmc_priv(mmc);
+ unsigned int val = 0;
/* disable cmdq irq */
sdr_clr_bits(host->base + MSDC_INTEN, MSDC_INT_CMDQ);
@@ -2339,6 +2341,9 @@ static void msdc_cqe_disable(struct mmc_
if (recovery) {
sdr_set_field(host->base + MSDC_DMA_CTRL,
MSDC_DMA_CTRL_STOP, 1);
+ if (WARN_ON(readl_poll_timeout(host->base + MSDC_DMA_CFG, val,
+ !(val & MSDC_DMA_CFG_STS), 1, 3000)))
+ return;
msdc_reset_hw(host);
}
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 019/917] mmc: dw_mmc: Dont wait for DRTO on Write RSP error
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 018/917] mmc: mtk-sd: Add wait dma stop done flow Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 020/917] exfat: fix incorrect loading of i_blocks for large files Greg Kroah-Hartman
` (900 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Christian Loehle, Jaehoon Chung, Ulf Hansson
From: Christian Löhle <CLoehle@hyperstone.com>
commit 43592c8736e84025d7a45e61a46c3fa40536a364 upstream.
Only wait for DRTO on reads, otherwise the driver hangs.
The driver prevents sending CMD12 on response errors like CRCs. According
to the comment this is because some cards have problems with this during
the UHS tuning sequence. Unfortunately this workaround currently also
applies for any command with data. On reads this will set the drto timer,
which then triggers after a while. On writes this will not set any timer
and the tasklet will not be scheduled again.
I cannot test for the UHS workarounds need, but even if so, it should at
most apply to reads. I have observed many hangs when CMD25 response
contained a CRC error. This patch fixes this without touching the actual
UHS tuning workaround.
Signed-off-by: Christian Loehle <cloehle@hyperstone.com>
Reviewed-by: Jaehoon Chung <jh80.chung@samsung.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/af8f8b8674ba4fcc9a781019e4aeb72c@hyperstone.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/dw_mmc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/mmc/host/dw_mmc.c
+++ b/drivers/mmc/host/dw_mmc.c
@@ -2086,7 +2086,8 @@ static void dw_mci_tasklet_func(struct t
* delayed. Allowing the transfer to take place
* avoids races and keeps things simple.
*/
- if (err != -ETIMEDOUT) {
+ if (err != -ETIMEDOUT &&
+ host->dir_status == DW_MCI_RECV_STATUS) {
state = STATE_SENDING_DATA;
continue;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 020/917] exfat: fix incorrect loading of i_blocks for large files
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 019/917] mmc: dw_mmc: Dont wait for DRTO on Write RSP error Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 021/917] io-wq: remove worker to owner tw dependency Greg Kroah-Hartman
` (899 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ganapathi Kamath, Sungjong Seo, Namjae Jeon
From: Sungjong Seo <sj1557.seo@samsung.com>
commit 0c336d6e33f4bedc443404c89f43c91c8bd9ee11 upstream.
When calculating i_blocks, there was a mistake that was masked with a
32-bit variable. So i_blocks for files larger than 4 GiB had incorrect
values. Mask with a 64-bit variable instead of 32-bit one.
Fixes: 5f2aa075070c ("exfat: add inode operations")
Cc: stable@vger.kernel.org # v5.7+
Reported-by: Ganapathi Kamath <hgkamath@hotmail.com>
Signed-off-by: Sungjong Seo <sj1557.seo@samsung.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/exfat/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/exfat/inode.c
+++ b/fs/exfat/inode.c
@@ -604,7 +604,7 @@ static int exfat_fill_inode(struct inode
exfat_save_attr(inode, info->attr);
inode->i_blocks = ((i_size_read(inode) + (sbi->cluster_size - 1)) &
- ~(sbi->cluster_size - 1)) >> inode->i_blkbits;
+ ~((loff_t)sbi->cluster_size - 1)) >> inode->i_blkbits;
inode->i_mtime = info->mtime;
inode->i_ctime = info->mtime;
ei->i_crtime = info->crtime;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 021/917] io-wq: remove worker to owner tw dependency
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 020/917] exfat: fix incorrect loading of i_blocks for large files Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 022/917] parisc: Fix set_fixmap() on PA1.x CPUs Greg Kroah-Hartman
` (898 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pavel Begunkov, Jens Axboe,
syzbot+27d62ee6f256b186883e
From: Pavel Begunkov <asml.silence@gmail.com>
commit 1d5f5ea7cb7d15b9fb1cc82673ebb054f02cd7d2 upstream.
INFO: task iou-wrk-6609:6612 blocked for more than 143 seconds.
Not tainted 5.15.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:iou-wrk-6609 state:D stack:27944 pid: 6612 ppid: 6526 flags:0x00004006
Call Trace:
context_switch kernel/sched/core.c:4940 [inline]
__schedule+0xb44/0x5960 kernel/sched/core.c:6287
schedule+0xd3/0x270 kernel/sched/core.c:6366
schedule_timeout+0x1db/0x2a0 kernel/time/timer.c:1857
do_wait_for_common kernel/sched/completion.c:85 [inline]
__wait_for_common kernel/sched/completion.c:106 [inline]
wait_for_common kernel/sched/completion.c:117 [inline]
wait_for_completion+0x176/0x280 kernel/sched/completion.c:138
io_worker_exit fs/io-wq.c:183 [inline]
io_wqe_worker+0x66d/0xc40 fs/io-wq.c:597
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
io-wq worker may submit a task_work to the master task and upon
io_worker_exit() wait for the tw to get executed. The problem appears
when the master task is waiting in coredump.c:
468 freezer_do_not_count();
469 wait_for_completion(&core_state->startup);
470 freezer_count();
Apparently having some dependency on children threads getting everything
stuck. Workaround it by cancelling the taks_work callback that causes it
before going into io_worker_exit() waiting.
p.s. probably a better option is to not submit tw elevating the refcount
in the first place, but let's leave this excercise for the future.
Cc: stable@vger.kernel.org
Reported-and-tested-by: syzbot+27d62ee6f256b186883e@syzkaller.appspotmail.com
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/142a716f4ed936feae868959059154362bfa8c19.1635509451.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/io-wq.c | 46 +++++++++++++++++++++++++++++++++++++---------
1 file changed, 37 insertions(+), 9 deletions(-)
--- a/fs/io-wq.c
+++ b/fs/io-wq.c
@@ -140,6 +140,7 @@ static void io_wqe_dec_running(struct io
static bool io_acct_cancel_pending_work(struct io_wqe *wqe,
struct io_wqe_acct *acct,
struct io_cb_cancel_data *match);
+static void create_worker_cb(struct callback_head *cb);
static bool io_worker_get(struct io_worker *worker)
{
@@ -174,9 +175,44 @@ static void io_worker_ref_put(struct io_
complete(&wq->worker_done);
}
+static void io_worker_cancel_cb(struct io_worker *worker)
+{
+ struct io_wqe_acct *acct = io_wqe_get_acct(worker);
+ struct io_wqe *wqe = worker->wqe;
+ struct io_wq *wq = wqe->wq;
+
+ atomic_dec(&acct->nr_running);
+ raw_spin_lock(&worker->wqe->lock);
+ acct->nr_workers--;
+ raw_spin_unlock(&worker->wqe->lock);
+ io_worker_ref_put(wq);
+ clear_bit_unlock(0, &worker->create_state);
+ io_worker_release(worker);
+}
+
+static bool io_task_worker_match(struct callback_head *cb, void *data)
+{
+ struct io_worker *worker;
+
+ if (cb->func != create_worker_cb)
+ return false;
+ worker = container_of(cb, struct io_worker, create_work);
+ return worker == data;
+}
+
static void io_worker_exit(struct io_worker *worker)
{
struct io_wqe *wqe = worker->wqe;
+ struct io_wq *wq = wqe->wq;
+
+ while (1) {
+ struct callback_head *cb = task_work_cancel_match(wq->task,
+ io_task_worker_match, worker);
+
+ if (!cb)
+ break;
+ io_worker_cancel_cb(worker);
+ }
if (refcount_dec_and_test(&worker->ref))
complete(&worker->ref_done);
@@ -1150,17 +1186,9 @@ static void io_wq_exit_workers(struct io
while ((cb = task_work_cancel_match(wq->task, io_task_work_match, wq)) != NULL) {
struct io_worker *worker;
- struct io_wqe_acct *acct;
worker = container_of(cb, struct io_worker, create_work);
- acct = io_wqe_get_acct(worker);
- atomic_dec(&acct->nr_running);
- raw_spin_lock(&worker->wqe->lock);
- acct->nr_workers--;
- raw_spin_unlock(&worker->wqe->lock);
- io_worker_ref_put(wq);
- clear_bit_unlock(0, &worker->create_state);
- io_worker_release(worker);
+ io_worker_cancel_cb(worker);
}
rcu_read_lock();
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 022/917] parisc: Fix set_fixmap() on PA1.x CPUs
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 021/917] io-wq: remove worker to owner tw dependency Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 023/917] parisc: Fix ptrace check on syscall return Greg Kroah-Hartman
` (897 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Helge Deller
From: Helge Deller <deller@gmx.de>
commit 6e866a462867b60841202e900f10936a0478608c upstream.
Fix a kernel crash which happens on PA1.x CPUs while initializing the
FTRACE/KPROBE breakpoints. The PTE table entries for the fixmap area
were not created correctly.
Signed-off-by: Helge Deller <deller@gmx.de>
Fixes: ccfbc68d41c2 ("parisc: add set_fixmap()/clear_fixmap()")
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/mm/fixmap.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/arch/parisc/mm/fixmap.c
+++ b/arch/parisc/mm/fixmap.c
@@ -20,12 +20,9 @@ void notrace set_fixmap(enum fixed_addre
pte_t *pte;
if (pmd_none(*pmd))
- pmd = pmd_alloc(NULL, pud, vaddr);
-
- pte = pte_offset_kernel(pmd, vaddr);
- if (pte_none(*pte))
pte = pte_alloc_kernel(pmd, vaddr);
+ pte = pte_offset_kernel(pmd, vaddr);
set_pte_at(&init_mm, vaddr, pte, __mk_pte(phys, PAGE_KERNEL_RWX));
flush_tlb_kernel_range(vaddr, vaddr + PAGE_SIZE);
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 023/917] parisc: Fix ptrace check on syscall return
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 022/917] parisc: Fix set_fixmap() on PA1.x CPUs Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:51 ` [PATCH 5.15 024/917] tpm: Check for integer overflow in tpm2_map_response_body() Greg Kroah-Hartman
` (896 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Helge Deller, Kyle McMartin
From: Helge Deller <deller@gmx.de>
commit 8779e05ba8aaffec1829872ef9774a71f44f6580 upstream.
The TIF_XXX flags are stored in the flags field in the thread_info
struct (TI_FLAGS), not in the flags field of the task_struct structure
(TASK_FLAGS).
It seems this bug didn't generate any important side-effects, otherwise it
wouldn't have went unnoticed for 12 years (since v2.6.32).
Signed-off-by: Helge Deller <deller@gmx.de>
Fixes: ecd3d4bc06e48 ("parisc: stop using task->ptrace for {single,block}step flags")
Cc: Kyle McMartin <kyle@mcmartin.ca>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/entry.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -1834,7 +1834,7 @@ syscall_restore:
LDREG TI_TASK-THREAD_SZ_ALGN-FRAME_SIZE(%r30),%r1
/* Are we being ptraced? */
- ldw TASK_FLAGS(%r1),%r19
+ LDREG TI_FLAGS-THREAD_SZ_ALGN-FRAME_SIZE(%r30),%r19
ldi _TIF_SYSCALL_TRACE_MASK,%r2
and,COND(=) %r19,%r2,%r0
b,n syscall_restore_rfi
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 024/917] tpm: Check for integer overflow in tpm2_map_response_body()
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 023/917] parisc: Fix ptrace check on syscall return Greg Kroah-Hartman
@ 2021-11-15 16:51 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 025/917] firmware/psci: fix application of sizeof to pointer Greg Kroah-Hartman
` (895 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:51 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Jarkko Sakkinen
From: Dan Carpenter <dan.carpenter@oracle.com>
commit a0bcce2b2a169e10eb265c8f0ebdd5ae4c875670 upstream.
The "4 * be32_to_cpu(data->count)" multiplication can potentially
overflow which would lead to memory corruption. Add a check for that.
Cc: stable@vger.kernel.org
Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/tpm/tpm2-space.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/char/tpm/tpm2-space.c
+++ b/drivers/char/tpm/tpm2-space.c
@@ -455,6 +455,9 @@ static int tpm2_map_response_body(struct
if (be32_to_cpu(data->capability) != TPM2_CAP_HANDLES)
return 0;
+ if (be32_to_cpu(data->count) > (UINT_MAX - TPM_HEADER_SIZE - 9) / 4)
+ return -EFAULT;
+
if (len != TPM_HEADER_SIZE + 9 + 4 * be32_to_cpu(data->count))
return -EFAULT;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 025/917] firmware/psci: fix application of sizeof to pointer
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2021-11-15 16:51 ` [PATCH 5.15 024/917] tpm: Check for integer overflow in tpm2_map_response_body() Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 026/917] crypto: s5p-sss - Add error handling in s5p_aes_probe() Greg Kroah-Hartman
` (894 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Zeal Robot, Mark Rutland,
Gustavo A. R. Silva, jing yangyang
From: jing yangyang <cgel.zte@gmail.com>
commit 2ac5fb35cd520ab1851c9a4816c523b65276052f upstream.
sizeof when applied to a pointer typed expression gives the size of
the pointer.
./drivers/firmware/psci/psci_checker.c:158:41-47: ERROR application of sizeof to pointer
This issue was detected with the help of Coccinelle.
Fixes: 7401056de5f8 ("drivers/firmware: psci_checker: stash and use topology_core_cpumask for hotplug tests")
Cc: stable@vger.kernel.org
Reported-by: Zeal Robot <zealci@zte.com.cn>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: jing yangyang <jing.yangyang@zte.com.cn>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/psci/psci_checker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/firmware/psci/psci_checker.c
+++ b/drivers/firmware/psci/psci_checker.c
@@ -155,7 +155,7 @@ static int alloc_init_cpu_groups(cpumask
if (!alloc_cpumask_var(&tmp, GFP_KERNEL))
return -ENOMEM;
- cpu_groups = kcalloc(nb_available_cpus, sizeof(cpu_groups),
+ cpu_groups = kcalloc(nb_available_cpus, sizeof(*cpu_groups),
GFP_KERNEL);
if (!cpu_groups) {
free_cpumask_var(tmp);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 026/917] crypto: s5p-sss - Add error handling in s5p_aes_probe()
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 025/917] firmware/psci: fix application of sizeof to pointer Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 027/917] media: rkvdec: Do not override sizeimage for output format Greg Kroah-Hartman
` (893 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tang Bin, Krzysztof Kozlowski, Herbert Xu
From: Tang Bin <tangbin@cmss.chinamobile.com>
commit a472cc0dde3eb057db71c80f102556eeced03805 upstream.
The function s5p_aes_probe() does not perform sufficient error
checking after executing platform_get_resource(), thus fix it.
Fixes: c2afad6c6105 ("crypto: s5p-sss - Add HASH support for Exynos")
Cc: <stable@vger.kernel.org>
Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/s5p-sss.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/crypto/s5p-sss.c
+++ b/drivers/crypto/s5p-sss.c
@@ -2171,6 +2171,8 @@ static int s5p_aes_probe(struct platform
variant = find_s5p_sss_version(pdev);
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ if (!res)
+ return -EINVAL;
/*
* Note: HASH and PRNG uses the same registers in secss, avoid
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 027/917] media: rkvdec: Do not override sizeimage for output format
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 026/917] crypto: s5p-sss - Add error handling in s5p_aes_probe() Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 028/917] media: ite-cir: IR receiver stop working after receive overflow Greg Kroah-Hartman
` (892 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Chen-Yu Tsai, Nicolas Dufresne,
Hans Verkuil, Mauro Carvalho Chehab
From: Chen-Yu Tsai <wenst@chromium.org>
commit 298d8e8f7bcf023aceb60232d59b983255fec0df upstream.
The rkvdec H.264 decoder currently overrides sizeimage for the output
format. This causes issues when userspace requires and requests a larger
buffer, but ends up with one of insufficient size.
Instead, only provide a default size if none was requested. This fixes
the video_decode_accelerator_tests from Chromium failing on the first
frame due to insufficient buffer space. It also aligns the behavior
of the rkvdec driver with the Hantro and Cedrus drivers.
Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver")
Cc: <stable@vger.kernel.org>
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/media/rkvdec/rkvdec-h264.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/staging/media/rkvdec/rkvdec-h264.c
+++ b/drivers/staging/media/rkvdec/rkvdec-h264.c
@@ -1015,8 +1015,9 @@ static int rkvdec_h264_adjust_fmt(struct
struct v4l2_pix_format_mplane *fmt = &f->fmt.pix_mp;
fmt->num_planes = 1;
- fmt->plane_fmt[0].sizeimage = fmt->width * fmt->height *
- RKVDEC_H264_MAX_DEPTH_IN_BYTES;
+ if (!fmt->plane_fmt[0].sizeimage)
+ fmt->plane_fmt[0].sizeimage = fmt->width * fmt->height *
+ RKVDEC_H264_MAX_DEPTH_IN_BYTES;
return 0;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 028/917] media: ite-cir: IR receiver stop working after receive overflow
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 027/917] media: rkvdec: Do not override sizeimage for output format Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 029/917] media: rkvdec: Support dynamic resolution changes Greg Kroah-Hartman
` (891 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Bryan Pass, Sean Young,
Mauro Carvalho Chehab
From: Sean Young <sean@mess.org>
commit fdc881783099c6343921ff017450831c8766d12a upstream.
On an Intel NUC6iSYK, no IR is reported after a receive overflow.
When a receiver overflow occurs, this condition is only cleared by
reading the fifo. Make sure we read anything in the fifo.
Fixes: 28c7afb07ccf ("media: ite-cir: check for receive overflow")
Suggested-by: Bryan Pass <bryan.pass@gmail.com>
Tested-by: Bryan Pass <bryan.pass@gmail.com>
Cc: stable@vger.kernel.org>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/rc/ite-cir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/rc/ite-cir.c
+++ b/drivers/media/rc/ite-cir.c
@@ -242,7 +242,7 @@ static irqreturn_t ite_cir_isr(int irq,
}
/* check for the receive interrupt */
- if (iflags & ITE_IRQ_RX_FIFO) {
+ if (iflags & (ITE_IRQ_RX_FIFO | ITE_IRQ_RX_FIFO_OVERRUN)) {
/* read the FIFO bytes */
rx_bytes = dev->params->get_rx_bytes(dev, rx_buf,
ITE_RX_FIFO_LEN);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 029/917] media: rkvdec: Support dynamic resolution changes
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 028/917] media: ite-cir: IR receiver stop working after receive overflow Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 030/917] media: ir-kbd-i2c: improve responsiveness of hauppauge zilog receivers Greg Kroah-Hartman
` (890 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Chen-Yu Tsai, Nicolas Dufresne,
Hans Verkuil, Mauro Carvalho Chehab
From: Chen-Yu Tsai <wenst@chromium.org>
commit 0887e9e152efbd3601d6c907e90033d25067277d upstream.
The mem-to-mem stateless decoder API specifies support for dynamic
resolution changes. In particular, the decoder should accept format
changes on the OUTPUT queue even when buffers have been allocated,
as long as it is not streaming.
Relax restrictions for S_FMT as described in the previous paragraph,
and as long as the codec format remains the same. This aligns it with
the Hantro and Cedrus decoders. This change was mostly based on commit
ae02d49493b5 ("media: hantro: Fix s_fmt for dynamic resolution changes").
Since rkvdec_s_fmt() is now just a wrapper around the output/capture
variants without any additional shared functionality, drop the wrapper
and call the respective functions directly.
Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver")
Cc: <stable@vger.kernel.org>
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/media/rkvdec/rkvdec.c | 40 +++++++++++++++++-----------------
1 file changed, 20 insertions(+), 20 deletions(-)
--- a/drivers/staging/media/rkvdec/rkvdec.c
+++ b/drivers/staging/media/rkvdec/rkvdec.c
@@ -280,31 +280,20 @@ static int rkvdec_try_output_fmt(struct
return 0;
}
-static int rkvdec_s_fmt(struct file *file, void *priv,
- struct v4l2_format *f,
- int (*try_fmt)(struct file *, void *,
- struct v4l2_format *))
+static int rkvdec_s_capture_fmt(struct file *file, void *priv,
+ struct v4l2_format *f)
{
struct rkvdec_ctx *ctx = fh_to_rkvdec_ctx(priv);
struct vb2_queue *vq;
+ int ret;
- if (!try_fmt)
- return -EINVAL;
-
- vq = v4l2_m2m_get_vq(ctx->fh.m2m_ctx, f->type);
+ /* Change not allowed if queue is busy */
+ vq = v4l2_m2m_get_vq(ctx->fh.m2m_ctx,
+ V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE);
if (vb2_is_busy(vq))
return -EBUSY;
- return try_fmt(file, priv, f);
-}
-
-static int rkvdec_s_capture_fmt(struct file *file, void *priv,
- struct v4l2_format *f)
-{
- struct rkvdec_ctx *ctx = fh_to_rkvdec_ctx(priv);
- int ret;
-
- ret = rkvdec_s_fmt(file, priv, f, rkvdec_try_capture_fmt);
+ ret = rkvdec_try_capture_fmt(file, priv, f);
if (ret)
return ret;
@@ -319,10 +308,21 @@ static int rkvdec_s_output_fmt(struct fi
struct v4l2_m2m_ctx *m2m_ctx = ctx->fh.m2m_ctx;
const struct rkvdec_coded_fmt_desc *desc;
struct v4l2_format *cap_fmt;
- struct vb2_queue *peer_vq;
+ struct vb2_queue *peer_vq, *vq;
int ret;
/*
+ * In order to support dynamic resolution change, the decoder admits
+ * a resolution change, as long as the pixelformat remains. Can't be
+ * done if streaming.
+ */
+ vq = v4l2_m2m_get_vq(m2m_ctx, V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE);
+ if (vb2_is_streaming(vq) ||
+ (vb2_is_busy(vq) &&
+ f->fmt.pix_mp.pixelformat != ctx->coded_fmt.fmt.pix_mp.pixelformat))
+ return -EBUSY;
+
+ /*
* Since format change on the OUTPUT queue will reset the CAPTURE
* queue, we can't allow doing so when the CAPTURE queue has buffers
* allocated.
@@ -331,7 +331,7 @@ static int rkvdec_s_output_fmt(struct fi
if (vb2_is_busy(peer_vq))
return -EBUSY;
- ret = rkvdec_s_fmt(file, priv, f, rkvdec_try_output_fmt);
+ ret = rkvdec_try_output_fmt(file, priv, f);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 030/917] media: ir-kbd-i2c: improve responsiveness of hauppauge zilog receivers
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 029/917] media: rkvdec: Support dynamic resolution changes Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 031/917] media: v4l2-ioctl: Fix check_ext_ctrls Greg Kroah-Hartman
` (889 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable,
Joaquín Alberto Calderón Pozo, Sean Young,
Mauro Carvalho Chehab
From: Sean Young <sean@mess.org>
commit c73ba202a851c0b611ef2c25e568fadeff5e667f upstream.
The IR receiver has two issues:
- Sometimes there is no response to a button press
- Sometimes a button press is repeated when it should not have been
Hanging the polling interval fixes this behaviour.
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994050
Cc: stable@vger.kernel.org
Suggested-by: Joaquín Alberto Calderón Pozo <kini_calderon@hotmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ir-kbd-i2c.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/i2c/ir-kbd-i2c.c
+++ b/drivers/media/i2c/ir-kbd-i2c.c
@@ -791,6 +791,7 @@ static int ir_probe(struct i2c_client *c
rc_proto = RC_PROTO_BIT_RC5 | RC_PROTO_BIT_RC6_MCE |
RC_PROTO_BIT_RC6_6A_32;
ir_codes = RC_MAP_HAUPPAUGE;
+ ir->polling_interval = 125;
probe_tx = true;
break;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 031/917] media: v4l2-ioctl: Fix check_ext_ctrls
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 030/917] media: ir-kbd-i2c: improve responsiveness of hauppauge zilog receivers Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 032/917] ALSA: hda/realtek: Fix mic mute LED for the HP Spectre x360 14 Greg Kroah-Hartman
` (888 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Ricardo Ribalda,
Laurent Pinchart, Mauro Carvalho Chehab
From: Ricardo Ribalda <ribalda@chromium.org>
commit 861f92cb9160b14beef0ada047384c2340701ee2 upstream.
Drivers that do not use the ctrl-framework use this function instead.
Fix the following issues:
- Do not check for multiple classes when getting the DEF_VAL.
- Return -EINVAL for request_api calls
- Default value cannot be changed, return EINVAL as soon as possible.
- Return the right error_idx
[If an error is found when validating the list of controls passed with
VIDIOC_G_EXT_CTRLS, then error_idx shall be set to ctrls->count to
indicate to userspace that no actual hardware was touched.
It would have been much nicer of course if error_idx could point to the
control index that failed the validation, but sadly that's not how the
API was designed.]
Fixes v4l2-compliance:
Control ioctls (Input 0):
warn: v4l2-test-controls.cpp(834): error_idx should be equal to count
warn: v4l2-test-controls.cpp(855): error_idx should be equal to count
fail: v4l2-test-controls.cpp(813): doioctl(node, VIDIOC_G_EXT_CTRLS, &ctrls)
test VIDIOC_G/S/TRY_EXT_CTRLS: FAIL
Buffer ioctls (Input 0):
fail: v4l2-test-buffers.cpp(1994): ret != EINVAL && ret != EBADR && ret != ENOTTY
test Requests: FAIL
Cc: stable@vger.kernel.org
Fixes: 6fa6f831f095 ("media: v4l2-ctrls: add core request support")
Suggested-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reviewed-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/v4l2-core/v4l2-ioctl.c | 60 ++++++++++++++++++++++-------------
1 file changed, 39 insertions(+), 21 deletions(-)
--- a/drivers/media/v4l2-core/v4l2-ioctl.c
+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
@@ -869,7 +869,7 @@ static void v4l_print_default(const void
pr_cont("driver-specific ioctl\n");
}
-static int check_ext_ctrls(struct v4l2_ext_controls *c, int allow_priv)
+static bool check_ext_ctrls(struct v4l2_ext_controls *c, unsigned long ioctl)
{
__u32 i;
@@ -878,23 +878,41 @@ static int check_ext_ctrls(struct v4l2_e
for (i = 0; i < c->count; i++)
c->controls[i].reserved2[0] = 0;
- /* V4L2_CID_PRIVATE_BASE cannot be used as control class
- when using extended controls.
- Only when passed in through VIDIOC_G_CTRL and VIDIOC_S_CTRL
- is it allowed for backwards compatibility.
- */
- if (!allow_priv && c->which == V4L2_CID_PRIVATE_BASE)
- return 0;
- if (!c->which)
- return 1;
+ switch (c->which) {
+ case V4L2_CID_PRIVATE_BASE:
+ /*
+ * V4L2_CID_PRIVATE_BASE cannot be used as control class
+ * when using extended controls.
+ * Only when passed in through VIDIOC_G_CTRL and VIDIOC_S_CTRL
+ * is it allowed for backwards compatibility.
+ */
+ if (ioctl == VIDIOC_G_CTRL || ioctl == VIDIOC_S_CTRL)
+ return false;
+ break;
+ case V4L2_CTRL_WHICH_DEF_VAL:
+ /* Default value cannot be changed */
+ if (ioctl == VIDIOC_S_EXT_CTRLS ||
+ ioctl == VIDIOC_TRY_EXT_CTRLS) {
+ c->error_idx = c->count;
+ return false;
+ }
+ return true;
+ case V4L2_CTRL_WHICH_CUR_VAL:
+ return true;
+ case V4L2_CTRL_WHICH_REQUEST_VAL:
+ c->error_idx = c->count;
+ return false;
+ }
+
/* Check that all controls are from the same control class. */
for (i = 0; i < c->count; i++) {
if (V4L2_CTRL_ID2WHICH(c->controls[i].id) != c->which) {
- c->error_idx = i;
- return 0;
+ c->error_idx = ioctl == VIDIOC_TRY_EXT_CTRLS ? i :
+ c->count;
+ return false;
}
}
- return 1;
+ return true;
}
static int check_fmt(struct file *file, enum v4l2_buf_type type)
@@ -2187,7 +2205,7 @@ static int v4l_g_ctrl(const struct v4l2_
ctrls.controls = &ctrl;
ctrl.id = p->id;
ctrl.value = p->value;
- if (check_ext_ctrls(&ctrls, 1)) {
+ if (check_ext_ctrls(&ctrls, VIDIOC_G_CTRL)) {
int ret = ops->vidioc_g_ext_ctrls(file, fh, &ctrls);
if (ret == 0)
@@ -2221,7 +2239,7 @@ static int v4l_s_ctrl(const struct v4l2_
ctrls.controls = &ctrl;
ctrl.id = p->id;
ctrl.value = p->value;
- if (check_ext_ctrls(&ctrls, 1))
+ if (check_ext_ctrls(&ctrls, VIDIOC_S_CTRL))
return ops->vidioc_s_ext_ctrls(file, fh, &ctrls);
return -EINVAL;
}
@@ -2243,8 +2261,8 @@ static int v4l_g_ext_ctrls(const struct
vfd, vfd->v4l2_dev->mdev, p);
if (ops->vidioc_g_ext_ctrls == NULL)
return -ENOTTY;
- return check_ext_ctrls(p, 0) ? ops->vidioc_g_ext_ctrls(file, fh, p) :
- -EINVAL;
+ return check_ext_ctrls(p, VIDIOC_G_EXT_CTRLS) ?
+ ops->vidioc_g_ext_ctrls(file, fh, p) : -EINVAL;
}
static int v4l_s_ext_ctrls(const struct v4l2_ioctl_ops *ops,
@@ -2264,8 +2282,8 @@ static int v4l_s_ext_ctrls(const struct
vfd, vfd->v4l2_dev->mdev, p);
if (ops->vidioc_s_ext_ctrls == NULL)
return -ENOTTY;
- return check_ext_ctrls(p, 0) ? ops->vidioc_s_ext_ctrls(file, fh, p) :
- -EINVAL;
+ return check_ext_ctrls(p, VIDIOC_S_EXT_CTRLS) ?
+ ops->vidioc_s_ext_ctrls(file, fh, p) : -EINVAL;
}
static int v4l_try_ext_ctrls(const struct v4l2_ioctl_ops *ops,
@@ -2285,8 +2303,8 @@ static int v4l_try_ext_ctrls(const struc
vfd, vfd->v4l2_dev->mdev, p);
if (ops->vidioc_try_ext_ctrls == NULL)
return -ENOTTY;
- return check_ext_ctrls(p, 0) ? ops->vidioc_try_ext_ctrls(file, fh, p) :
- -EINVAL;
+ return check_ext_ctrls(p, VIDIOC_TRY_EXT_CTRLS) ?
+ ops->vidioc_try_ext_ctrls(file, fh, p) : -EINVAL;
}
/*
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 032/917] ALSA: hda/realtek: Fix mic mute LED for the HP Spectre x360 14
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 031/917] media: v4l2-ioctl: Fix check_ext_ctrls Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 033/917] ALSA: hda/realtek: Add a quirk for HP OMEN 15 mute LED Greg Kroah-Hartman
` (887 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johnathon Clark, Takashi Iwai
From: Johnathon Clark <john.clark@cantab.net>
commit 5fc462c3aaad601d5089fd5588a5799896a6937d upstream.
On the 'HP Spectre x360 Convertible 14-ea0xx' the microphone mute led is
controlled by GPIO 0x04. The speaker mute LED does not seem to be
exposed by GPIO and is there not set.
[ a slight coding-style fix by tiwai ]
Fixes: c3bb2b521944 ("ALSA: hda/realtek: Quirk for HP Spectre x360 14 amp setup")
Signed-off-by: Johnathon Clark <john.clark@cantab.net>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211020131253.35894-1-john.clark@cantab.net
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -4355,6 +4355,16 @@ static void alc287_fixup_hp_gpio_led(str
alc_fixup_hp_gpio_led(codec, action, 0x10, 0);
}
+static void alc245_fixup_hp_gpio_led(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+{
+ struct alc_spec *spec = codec->spec;
+
+ if (action == HDA_FIXUP_ACT_PRE_PROBE)
+ spec->micmute_led_polarity = 1;
+ alc_fixup_hp_gpio_led(codec, action, 0, 0x04);
+}
+
/* turn on/off mic-mute LED per capture hook via VREF change */
static int vref_micmute_led_set(struct led_classdev *led_cdev,
enum led_brightness brightness)
@@ -6709,6 +6719,7 @@ enum {
ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK,
ALC287_FIXUP_HP_GPIO_LED,
ALC256_FIXUP_HP_HEADSET_MIC,
+ ALC245_FIXUP_HP_GPIO_LED,
ALC236_FIXUP_DELL_AIO_HEADSET_MIC,
ALC282_FIXUP_ACER_DISABLE_LINEOUT,
ALC255_FIXUP_ACER_LIMIT_INT_MIC_BOOST,
@@ -7333,6 +7344,8 @@ static const struct hda_fixup alc269_fix
[ALC245_FIXUP_HP_X360_AMP] = {
.type = HDA_FIXUP_FUNC,
.v.func = alc245_fixup_hp_x360_amp,
+ .chained = true,
+ .chain_id = ALC245_FIXUP_HP_GPIO_LED
},
[ALC288_FIXUP_DELL_HEADSET_MODE] = {
.type = HDA_FIXUP_FUNC,
@@ -8432,6 +8445,10 @@ static const struct hda_fixup alc269_fix
.type = HDA_FIXUP_FUNC,
.v.func = alc256_fixup_tongfang_reset_persistent_settings,
},
+ [ALC245_FIXUP_HP_GPIO_LED] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc245_fixup_hp_gpio_led,
+ },
};
static const struct snd_pci_quirk alc269_fixup_tbl[] = {
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 033/917] ALSA: hda/realtek: Add a quirk for HP OMEN 15 mute LED
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 032/917] ALSA: hda/realtek: Fix mic mute LED for the HP Spectre x360 14 Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 034/917] ALSA: hda/realtek: Add quirk for Clevo PC70HS Greg Kroah-Hartman
` (886 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai
From: Takashi Iwai <tiwai@suse.de>
commit 375f8426ed994addd2be4d76febc946a6fdd8280 upstream.
HP OMEN 15 laptop requires the quirk to fiddle with COEF 0x0b bit 2
for toggling the mute LED. It's already implemented for other HP
laptops, and we just need to add a proper fixup entry.
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214735
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211028070911.18891-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8634,6 +8634,7 @@ static const struct snd_pci_quirk alc269
ALC285_FIXUP_HP_GPIO_AMP_INIT),
SND_PCI_QUIRK(0x103c, 0x8783, "HP ZBook Fury 15 G7 Mobile Workstation",
ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x87e7, "HP ProBook 450 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 034/917] ALSA: hda/realtek: Add quirk for Clevo PC70HS
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 033/917] ALSA: hda/realtek: Add a quirk for HP OMEN 15 mute LED Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 035/917] ALSA: hda/realtek: Headset fixup for Clevo NH77HJQ Greg Kroah-Hartman
` (885 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tim Crawford, Takashi Iwai
From: Tim Crawford <tcrawford@system76.com>
commit dbfe83507cf4ea66ce4efee2ac14c5ad420e31d3 upstream.
Apply the PB51ED PCI quirk to the Clevo PC70HS. Fixes audio output from
the internal speakers.
Signed-off-by: Tim Crawford <tcrawford@system76.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211101162134.5336-1-tcrawford@system76.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -2539,6 +2539,7 @@ static const struct snd_pci_quirk alc882
SND_PCI_QUIRK(0x1558, 0x67d1, "Clevo PB71[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
SND_PCI_QUIRK(0x1558, 0x67e1, "Clevo PB71[DE][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
SND_PCI_QUIRK(0x1558, 0x67e5, "Clevo PC70D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+ SND_PCI_QUIRK(0x1558, 0x67f1, "Clevo PC70H[PRS]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
SND_PCI_QUIRK(0x1558, 0x70d1, "Clevo PC70[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
SND_PCI_QUIRK(0x1558, 0x7714, "Clevo X170SM", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
SND_PCI_QUIRK(0x1558, 0x7715, "Clevo X170KM-G", ALC1220_FIXUP_CLEVO_PB51ED),
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 035/917] ALSA: hda/realtek: Headset fixup for Clevo NH77HJQ
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 034/917] ALSA: hda/realtek: Add quirk for Clevo PC70HS Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 036/917] ALSA: hda/realtek: Add a quirk for Acer Spin SP513-54N Greg Kroah-Hartman
` (884 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jeremy Soller, Tim Crawford, Takashi Iwai
From: Jeremy Soller <jeremy@system76.com>
commit 1278cc5ac2f96bab50dd55c8c05e0a6a77ce323e upstream.
On Clevo NH77HJ, NH77HP, and their 15" variants, there is a headset
microphone input attached to 0x19 that does not have a jack detect. In
order to get it working, the pin configuration needs to be set
correctly, and a new ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE fixup is
applied. This is similar to the existing System76 quirk for ALC293, but
for ALC256.
Signed-off-by: Jeremy Soller <jeremy@system76.com>
Signed-off-by: Tim Crawford <tcrawford@system76.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211102172104.10610-1-tcrawford@system76.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6739,6 +6739,7 @@ enum {
ALC287_FIXUP_YOGA7_14ITL_SPEAKERS,
ALC287_FIXUP_13S_GEN2_SPEAKERS,
ALC256_FIXUP_TONGFANG_RESET_PERSISTENT_SETTINGS,
+ ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE,
};
static const struct hda_fixup alc269_fixups[] = {
@@ -8450,6 +8451,15 @@ static const struct hda_fixup alc269_fix
.type = HDA_FIXUP_FUNC,
.v.func = alc245_fixup_hp_gpio_led,
},
+ [ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+ { 0x19, 0x03a11120 }, /* use as headset mic, without its own jack detect */
+ { }
+ },
+ .chained = true,
+ .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC,
+ },
};
static const struct snd_pci_quirk alc269_fixup_tbl[] = {
@@ -8750,11 +8760,15 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x1558, 0x40a1, "Clevo NL40GU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1558, 0x40c1, "Clevo NL40[CZ]U", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1558, 0x40d1, "Clevo NL41DU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x5015, "Clevo NH5[58]H[HJK]Q", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x5017, "Clevo NH7[79]H[HJK]Q", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1558, 0x50a3, "Clevo NJ51GU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1558, 0x50b3, "Clevo NK50S[BEZ]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1558, 0x50b6, "Clevo NK50S5", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1558, 0x50b8, "Clevo NK50SZ", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1558, 0x50d5, "Clevo NP50D5", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x50e1, "Clevo NH5[58]HPQ", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x50e2, "Clevo NH7[79]HPQ", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1558, 0x50f0, "Clevo NH50A[CDF]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1558, 0x50f2, "Clevo NH50E[PR]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1558, 0x50f3, "Clevo NH58DPQ", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 036/917] ALSA: hda/realtek: Add a quirk for Acer Spin SP513-54N
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 035/917] ALSA: hda/realtek: Headset fixup for Clevo NH77HJQ Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 037/917] ALSA: hda/realtek: Add quirk for ASUS UX550VE Greg Kroah-Hartman
` (883 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jaroslav Kysela, Takashi Iwai
From: Jaroslav Kysela <perex@perex.cz>
commit 2a5bb694488bb6593066d46881bfd9d07edd1628 upstream.
Another model requires ALC255_FIXUP_ACER_MIC_NO_PRESENCE fixup.
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=211853
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211104155726.2090997-1-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8496,6 +8496,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x1025, 0x1308, "Acer Aspire Z24-890", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
SND_PCI_QUIRK(0x1025, 0x132a, "Acer TravelMate B114-21", ALC233_FIXUP_ACER_HEADSET_MIC),
SND_PCI_QUIRK(0x1025, 0x1330, "Acer TravelMate X514-51T", ALC255_FIXUP_ACER_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1025, 0x141f, "Acer Spin SP513-54N", ALC255_FIXUP_ACER_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1025, 0x142b, "Acer Swift SF314-42", ALC255_FIXUP_ACER_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1025, 0x1430, "Acer TravelMate B311R-31", ALC256_FIXUP_ACER_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1025, 0x1466, "Acer Aspire A515-56", ALC255_FIXUP_ACER_HEADPHONE_AND_MIC),
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 037/917] ALSA: hda/realtek: Add quirk for ASUS UX550VE
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 036/917] ALSA: hda/realtek: Add a quirk for Acer Spin SP513-54N Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 038/917] ALSA: hda/realtek: Add quirk for HP EliteBook 840 G7 mute LED Greg Kroah-Hartman
` (882 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai
From: Takashi Iwai <tiwai@suse.de>
commit 4fad4fb9871b43389e4f4bead18ec693064697bb upstream.
ASUS UX550VE (SSID 1043:1970) requires a similar workaround for
managing the routing of the 4 speakers like some other ASUS models.
Add a corresponding quirk entry for fixing it.
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212641
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211107083339.18013-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8698,6 +8698,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC),
SND_PCI_QUIRK(0x1043, 0x18f1, "Asus FX505DT", ALC256_FIXUP_ASUS_HEADSET_MIC),
SND_PCI_QUIRK(0x1043, 0x194e, "ASUS UX563FD", ALC294_FIXUP_ASUS_HPE),
+ SND_PCI_QUIRK(0x1043, 0x1970, "ASUS UX550VE", ALC289_FIXUP_ASUS_GA401),
SND_PCI_QUIRK(0x1043, 0x1982, "ASUS B1400CEPE", ALC256_FIXUP_ASUS_HPE),
SND_PCI_QUIRK(0x1043, 0x19ce, "ASUS B9450FA", ALC294_FIXUP_ASUS_HPE),
SND_PCI_QUIRK(0x1043, 0x19e1, "ASUS UX581LV", ALC295_FIXUP_ASUS_MIC_NO_PRESENCE),
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 038/917] ALSA: hda/realtek: Add quirk for HP EliteBook 840 G7 mute LED
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 037/917] ALSA: hda/realtek: Add quirk for ASUS UX550VE Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 039/917] ALSA: ua101: fix division by zero at probe Greg Kroah-Hartman
` (881 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kai-Heng Feng, Takashi Iwai
From: Kai-Heng Feng <kai.heng.feng@canonical.com>
commit c058493df7edcef8f48c1494d9a84218519f966b upstream.
The mute and micmute LEDs don't work on HP EliteBook 840 G7. The same
quirk for other HP laptops can let LEDs work, so apply it.
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211110144033.118451-1-kai.heng.feng@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8636,6 +8636,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8728, "HP EliteBook 840 G7", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8729, "HP", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT),
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 039/917] ALSA: ua101: fix division by zero at probe
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 038/917] ALSA: hda/realtek: Add quirk for HP EliteBook 840 G7 mute LED Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 040/917] ALSA: 6fire: fix control and bulk message timeouts Greg Kroah-Hartman
` (880 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Takashi Iwai
From: Johan Hovold <johan@kernel.org>
commit 55f261b73a7e1cb254577c3536cef8f415de220a upstream.
Add the missing endpoint max-packet sanity check to probe() to avoid
division by zero in alloc_stream_buffers() in case a malicious device
has broken descriptors (or when doing descriptor fuzz testing).
Note that USB core will reject URBs submitted for endpoints with zero
wMaxPacketSize but that drivers doing packet-size calculations still
need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
endpoint descriptors with maxpacket=0")).
Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
Cc: stable@vger.kernel.org # 2.6.34
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211026095401.26522-1-johan@kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/misc/ua101.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/usb/misc/ua101.c
+++ b/sound/usb/misc/ua101.c
@@ -1000,7 +1000,7 @@ static int detect_usb_format(struct ua10
fmt_playback->bSubframeSize * ua->playback.channels;
epd = &ua->intf[INTF_CAPTURE]->altsetting[1].endpoint[0].desc;
- if (!usb_endpoint_is_isoc_in(epd)) {
+ if (!usb_endpoint_is_isoc_in(epd) || usb_endpoint_maxp(epd) == 0) {
dev_err(&ua->dev->dev, "invalid capture endpoint\n");
return -ENXIO;
}
@@ -1008,7 +1008,7 @@ static int detect_usb_format(struct ua10
ua->capture.max_packet_bytes = usb_endpoint_maxp(epd);
epd = &ua->intf[INTF_PLAYBACK]->altsetting[1].endpoint[0].desc;
- if (!usb_endpoint_is_isoc_out(epd)) {
+ if (!usb_endpoint_is_isoc_out(epd) || usb_endpoint_maxp(epd) == 0) {
dev_err(&ua->dev->dev, "invalid playback endpoint\n");
return -ENXIO;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 040/917] ALSA: 6fire: fix control and bulk message timeouts
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 039/917] ALSA: ua101: fix division by zero at probe Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 041/917] ALSA: line6: fix control and interrupt " Greg Kroah-Hartman
` (879 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Takashi Iwai
From: Johan Hovold <johan@kernel.org>
commit 9b371c6cc37f954360989eec41c2ddc5a6b83917 upstream.
USB control and bulk message timeouts are specified in milliseconds and
should specifically not vary with CONFIG_HZ.
Fixes: c6d43ba816d1 ("ALSA: usb/6fire - Driver for TerraTec DMX 6Fire USB")
Cc: stable@vger.kernel.org # 2.6.39
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211025121142.6531-2-johan@kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/6fire/comm.c | 2 +-
sound/usb/6fire/firmware.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/sound/usb/6fire/comm.c
+++ b/sound/usb/6fire/comm.c
@@ -95,7 +95,7 @@ static int usb6fire_comm_send_buffer(u8
int actual_len;
ret = usb_interrupt_msg(dev, usb_sndintpipe(dev, COMM_EP),
- buffer, buffer[1] + 2, &actual_len, HZ);
+ buffer, buffer[1] + 2, &actual_len, 1000);
if (ret < 0)
return ret;
else if (actual_len != buffer[1] + 2)
--- a/sound/usb/6fire/firmware.c
+++ b/sound/usb/6fire/firmware.c
@@ -160,7 +160,7 @@ static int usb6fire_fw_ezusb_write(struc
{
return usb_control_msg_send(device, 0, type,
USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
- value, 0, data, len, HZ, GFP_KERNEL);
+ value, 0, data, len, 1000, GFP_KERNEL);
}
static int usb6fire_fw_ezusb_read(struct usb_device *device,
@@ -168,7 +168,7 @@ static int usb6fire_fw_ezusb_read(struct
{
return usb_control_msg_recv(device, 0, type,
USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
- value, 0, data, len, HZ, GFP_KERNEL);
+ value, 0, data, len, 1000, GFP_KERNEL);
}
static int usb6fire_fw_fpga_write(struct usb_device *device,
@@ -178,7 +178,7 @@ static int usb6fire_fw_fpga_write(struct
int ret;
ret = usb_bulk_msg(device, usb_sndbulkpipe(device, FPGA_EP), data, len,
- &actual_len, HZ);
+ &actual_len, 1000);
if (ret < 0)
return ret;
else if (actual_len != len)
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 041/917] ALSA: line6: fix control and interrupt message timeouts
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 040/917] ALSA: 6fire: fix control and bulk message timeouts Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 042/917] ALSA: mixer: oss: Fix racy access to slots Greg Kroah-Hartman
` (878 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Takashi Iwai
From: Johan Hovold <johan@kernel.org>
commit f4000b58b64344871d7b27c05e73932f137cfef6 upstream.
USB control and interrupt message timeouts are specified in milliseconds
and should specifically not vary with CONFIG_HZ.
Fixes: 705ececd1c60 ("Staging: add line6 usb driver")
Cc: stable@vger.kernel.org # 2.6.30
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211025121142.6531-3-johan@kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/line6/driver.c | 14 +++++++-------
sound/usb/line6/driver.h | 2 +-
sound/usb/line6/podhd.c | 6 +++---
sound/usb/line6/toneport.c | 2 +-
4 files changed, 12 insertions(+), 12 deletions(-)
--- a/sound/usb/line6/driver.c
+++ b/sound/usb/line6/driver.c
@@ -113,12 +113,12 @@ int line6_send_raw_message(struct usb_li
retval = usb_interrupt_msg(line6->usbdev,
usb_sndintpipe(line6->usbdev, properties->ep_ctrl_w),
(char *)frag_buf, frag_size,
- &partial, LINE6_TIMEOUT * HZ);
+ &partial, LINE6_TIMEOUT);
} else {
retval = usb_bulk_msg(line6->usbdev,
usb_sndbulkpipe(line6->usbdev, properties->ep_ctrl_w),
(char *)frag_buf, frag_size,
- &partial, LINE6_TIMEOUT * HZ);
+ &partial, LINE6_TIMEOUT);
}
if (retval) {
@@ -347,7 +347,7 @@ int line6_read_data(struct usb_line6 *li
ret = usb_control_msg_send(usbdev, 0, 0x67,
USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
(datalen << 8) | 0x21, address, NULL, 0,
- LINE6_TIMEOUT * HZ, GFP_KERNEL);
+ LINE6_TIMEOUT, GFP_KERNEL);
if (ret) {
dev_err(line6->ifcdev, "read request failed (error %d)\n", ret);
goto exit;
@@ -360,7 +360,7 @@ int line6_read_data(struct usb_line6 *li
ret = usb_control_msg_recv(usbdev, 0, 0x67,
USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
0x0012, 0x0000, &len, 1,
- LINE6_TIMEOUT * HZ, GFP_KERNEL);
+ LINE6_TIMEOUT, GFP_KERNEL);
if (ret) {
dev_err(line6->ifcdev,
"receive length failed (error %d)\n", ret);
@@ -387,7 +387,7 @@ int line6_read_data(struct usb_line6 *li
/* receive the result: */
ret = usb_control_msg_recv(usbdev, 0, 0x67,
USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
- 0x0013, 0x0000, data, datalen, LINE6_TIMEOUT * HZ,
+ 0x0013, 0x0000, data, datalen, LINE6_TIMEOUT,
GFP_KERNEL);
if (ret)
dev_err(line6->ifcdev, "read failed (error %d)\n", ret);
@@ -417,7 +417,7 @@ int line6_write_data(struct usb_line6 *l
ret = usb_control_msg_send(usbdev, 0, 0x67,
USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
- 0x0022, address, data, datalen, LINE6_TIMEOUT * HZ,
+ 0x0022, address, data, datalen, LINE6_TIMEOUT,
GFP_KERNEL);
if (ret) {
dev_err(line6->ifcdev,
@@ -430,7 +430,7 @@ int line6_write_data(struct usb_line6 *l
ret = usb_control_msg_recv(usbdev, 0, 0x67,
USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
- 0x0012, 0x0000, status, 1, LINE6_TIMEOUT * HZ,
+ 0x0012, 0x0000, status, 1, LINE6_TIMEOUT,
GFP_KERNEL);
if (ret) {
dev_err(line6->ifcdev,
--- a/sound/usb/line6/driver.h
+++ b/sound/usb/line6/driver.h
@@ -27,7 +27,7 @@
#define LINE6_FALLBACK_INTERVAL 10
#define LINE6_FALLBACK_MAXPACKETSIZE 16
-#define LINE6_TIMEOUT 1
+#define LINE6_TIMEOUT 1000
#define LINE6_BUFSIZE_LISTEN 64
#define LINE6_MIDI_MESSAGE_MAXLEN 256
--- a/sound/usb/line6/podhd.c
+++ b/sound/usb/line6/podhd.c
@@ -190,7 +190,7 @@ static int podhd_dev_start(struct usb_li
ret = usb_control_msg_send(usbdev, 0,
0x67, USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
0x11, 0,
- NULL, 0, LINE6_TIMEOUT * HZ, GFP_KERNEL);
+ NULL, 0, LINE6_TIMEOUT, GFP_KERNEL);
if (ret) {
dev_err(pod->line6.ifcdev, "read request failed (error %d)\n", ret);
goto exit;
@@ -200,7 +200,7 @@ static int podhd_dev_start(struct usb_li
ret = usb_control_msg_recv(usbdev, 0, 0x67,
USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
0x11, 0x0,
- init_bytes, 3, LINE6_TIMEOUT * HZ, GFP_KERNEL);
+ init_bytes, 3, LINE6_TIMEOUT, GFP_KERNEL);
if (ret) {
dev_err(pod->line6.ifcdev,
"receive length failed (error %d)\n", ret);
@@ -220,7 +220,7 @@ static int podhd_dev_start(struct usb_li
USB_REQ_SET_FEATURE,
USB_TYPE_STANDARD | USB_RECIP_DEVICE | USB_DIR_OUT,
1, 0,
- NULL, 0, LINE6_TIMEOUT * HZ, GFP_KERNEL);
+ NULL, 0, LINE6_TIMEOUT, GFP_KERNEL);
exit:
return ret;
}
--- a/sound/usb/line6/toneport.c
+++ b/sound/usb/line6/toneport.c
@@ -128,7 +128,7 @@ static int toneport_send_cmd(struct usb_
ret = usb_control_msg_send(usbdev, 0, 0x67,
USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
- cmd1, cmd2, NULL, 0, LINE6_TIMEOUT * HZ,
+ cmd1, cmd2, NULL, 0, LINE6_TIMEOUT,
GFP_KERNEL);
if (ret) {
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 042/917] ALSA: mixer: oss: Fix racy access to slots
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 041/917] ALSA: line6: fix control and interrupt " Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 043/917] ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume Greg Kroah-Hartman
` (877 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, syzbot+9988f17cf72a1045a189,
Jaroslav Kysela, Takashi Iwai
From: Takashi Iwai <tiwai@suse.de>
commit 411cef6adfb38a5bb6bd9af3941b28198e7fb680 upstream.
The OSS mixer can reassign the mapping slots dynamically via proc
file. Although the addition and deletion of those slots are protected
by mixer->reg_mutex, the access to slots aren't, hence this may cause
UAF when the slots in use are deleted concurrently.
This patch applies the mixer->reg_mutex in all appropriate code paths
(i.e. the ioctl functions) that may access slots.
Reported-by: syzbot+9988f17cf72a1045a189@syzkaller.appspotmail.com
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/00000000000036adc005ceca9175@google.com
Link: https://lore.kernel.org/r/20211020164846.922-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/oss/mixer_oss.c | 44 +++++++++++++++++++++++++++++++++-----------
1 file changed, 33 insertions(+), 11 deletions(-)
--- a/sound/core/oss/mixer_oss.c
+++ b/sound/core/oss/mixer_oss.c
@@ -130,11 +130,13 @@ static int snd_mixer_oss_devmask(struct
if (mixer == NULL)
return -EIO;
+ mutex_lock(&mixer->reg_mutex);
for (chn = 0; chn < 31; chn++) {
pslot = &mixer->slots[chn];
if (pslot->put_volume || pslot->put_recsrc)
result |= 1 << chn;
}
+ mutex_unlock(&mixer->reg_mutex);
return result;
}
@@ -146,11 +148,13 @@ static int snd_mixer_oss_stereodevs(stru
if (mixer == NULL)
return -EIO;
+ mutex_lock(&mixer->reg_mutex);
for (chn = 0; chn < 31; chn++) {
pslot = &mixer->slots[chn];
if (pslot->put_volume && pslot->stereo)
result |= 1 << chn;
}
+ mutex_unlock(&mixer->reg_mutex);
return result;
}
@@ -161,6 +165,7 @@ static int snd_mixer_oss_recmask(struct
if (mixer == NULL)
return -EIO;
+ mutex_lock(&mixer->reg_mutex);
if (mixer->put_recsrc && mixer->get_recsrc) { /* exclusive */
result = mixer->mask_recsrc;
} else {
@@ -172,6 +177,7 @@ static int snd_mixer_oss_recmask(struct
result |= 1 << chn;
}
}
+ mutex_unlock(&mixer->reg_mutex);
return result;
}
@@ -182,12 +188,12 @@ static int snd_mixer_oss_get_recsrc(stru
if (mixer == NULL)
return -EIO;
+ mutex_lock(&mixer->reg_mutex);
if (mixer->put_recsrc && mixer->get_recsrc) { /* exclusive */
- int err;
unsigned int index;
- err = mixer->get_recsrc(fmixer, &index);
- if (err < 0)
- return err;
+ result = mixer->get_recsrc(fmixer, &index);
+ if (result < 0)
+ goto unlock;
result = 1 << index;
} else {
struct snd_mixer_oss_slot *pslot;
@@ -202,7 +208,10 @@ static int snd_mixer_oss_get_recsrc(stru
}
}
}
- return mixer->oss_recsrc = result;
+ mixer->oss_recsrc = result;
+ unlock:
+ mutex_unlock(&mixer->reg_mutex);
+ return result;
}
static int snd_mixer_oss_set_recsrc(struct snd_mixer_oss_file *fmixer, int recsrc)
@@ -215,6 +224,7 @@ static int snd_mixer_oss_set_recsrc(stru
if (mixer == NULL)
return -EIO;
+ mutex_lock(&mixer->reg_mutex);
if (mixer->get_recsrc && mixer->put_recsrc) { /* exclusive input */
if (recsrc & ~mixer->oss_recsrc)
recsrc &= ~mixer->oss_recsrc;
@@ -240,6 +250,7 @@ static int snd_mixer_oss_set_recsrc(stru
}
}
}
+ mutex_unlock(&mixer->reg_mutex);
return result;
}
@@ -251,6 +262,7 @@ static int snd_mixer_oss_get_volume(stru
if (mixer == NULL || slot > 30)
return -EIO;
+ mutex_lock(&mixer->reg_mutex);
pslot = &mixer->slots[slot];
left = pslot->volume[0];
right = pslot->volume[1];
@@ -258,15 +270,21 @@ static int snd_mixer_oss_get_volume(stru
result = pslot->get_volume(fmixer, pslot, &left, &right);
if (!pslot->stereo)
right = left;
- if (snd_BUG_ON(left < 0 || left > 100))
- return -EIO;
- if (snd_BUG_ON(right < 0 || right > 100))
- return -EIO;
+ if (snd_BUG_ON(left < 0 || left > 100)) {
+ result = -EIO;
+ goto unlock;
+ }
+ if (snd_BUG_ON(right < 0 || right > 100)) {
+ result = -EIO;
+ goto unlock;
+ }
if (result >= 0) {
pslot->volume[0] = left;
pslot->volume[1] = right;
result = (left & 0xff) | ((right & 0xff) << 8);
}
+ unlock:
+ mutex_unlock(&mixer->reg_mutex);
return result;
}
@@ -279,6 +297,7 @@ static int snd_mixer_oss_set_volume(stru
if (mixer == NULL || slot > 30)
return -EIO;
+ mutex_lock(&mixer->reg_mutex);
pslot = &mixer->slots[slot];
if (left > 100)
left = 100;
@@ -289,10 +308,13 @@ static int snd_mixer_oss_set_volume(stru
if (pslot->put_volume)
result = pslot->put_volume(fmixer, pslot, left, right);
if (result < 0)
- return result;
+ goto unlock;
pslot->volume[0] = left;
pslot->volume[1] = right;
- return (left & 0xff) | ((right & 0xff) << 8);
+ result = (left & 0xff) | ((right & 0xff) << 8);
+ unlock:
+ mutex_lock(&mixer->reg_mutex);
+ return result;
}
static int snd_mixer_oss_ioctl1(struct snd_mixer_oss_file *fmixer, unsigned int cmd, unsigned long arg)
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 043/917] ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 042/917] ALSA: mixer: oss: Fix racy access to slots Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 044/917] ALSA: usb-audio: Line6 HX-Stomp XL USB_ID for 48k-fixed quirk Greg Kroah-Hartman
` (876 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, syzbot+ace149a75a9a0a399ac7,
Pavel Skripkin, Takashi Iwai
From: Pavel Skripkin <paskripkin@gmail.com>
commit 3ab7992018455ac63c33e9b3eaa7264e293e40f4 upstream.
In commit 411cef6adfb3 ("ALSA: mixer: oss: Fix racy access to slots")
added mutex protection in snd_mixer_oss_set_volume(). Second
mutex_lock() in same function looks like typo, fix it.
Reported-by: syzbot+ace149a75a9a0a399ac7@syzkaller.appspotmail.com
Fixes: 411cef6adfb3 ("ALSA: mixer: oss: Fix racy access to slots")
Cc: <stable@vger.kernel.org>
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Link: https://lore.kernel.org/r/20211024140315.16704-1-paskripkin@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/oss/mixer_oss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/core/oss/mixer_oss.c
+++ b/sound/core/oss/mixer_oss.c
@@ -313,7 +313,7 @@ static int snd_mixer_oss_set_volume(stru
pslot->volume[1] = right;
result = (left & 0xff) | ((right & 0xff) << 8);
unlock:
- mutex_lock(&mixer->reg_mutex);
+ mutex_unlock(&mixer->reg_mutex);
return result;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 044/917] ALSA: usb-audio: Line6 HX-Stomp XL USB_ID for 48k-fixed quirk
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 043/917] ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 045/917] ALSA: usb-audio: Add registration quirk for JBL Quantum 400 Greg Kroah-Hartman
` (875 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jason Ormes, Takashi Iwai
From: Jason Ormes <skryking@gmail.com>
commit 8f27b689066113a3e579d4df171c980c54368c4e upstream.
Adding the Line6 HX-Stomp XL USB_ID as it needs this fixed frequency
quirk as well.
The device is basically just the HX-Stomp with some more buttons on
the face. I've done some recording with it after adding it, and it
seems to function properly with this fix. The Midi features appear to
be working as well.
[ a coding style fix and patch reformat by tiwai ]
Signed-off-by: Jason Ormes <skryking@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211030200405.1358678-1-skryking@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/format.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/usb/format.c
+++ b/sound/usb/format.c
@@ -414,6 +414,7 @@ static int line6_parse_audio_format_rate
case USB_ID(0x0e41, 0x4242): /* Line6 Helix Rack */
case USB_ID(0x0e41, 0x4244): /* Line6 Helix LT */
case USB_ID(0x0e41, 0x4246): /* Line6 HX-Stomp */
+ case USB_ID(0x0e41, 0x4253): /* Line6 HX-Stomp XL */
case USB_ID(0x0e41, 0x4247): /* Line6 Pod Go */
case USB_ID(0x0e41, 0x4248): /* Line6 Helix >= fw 2.82 */
case USB_ID(0x0e41, 0x4249): /* Line6 Helix Rack >= fw 2.82 */
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 045/917] ALSA: usb-audio: Add registration quirk for JBL Quantum 400
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 044/917] ALSA: usb-audio: Line6 HX-Stomp XL USB_ID for 48k-fixed quirk Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 046/917] ALSA: hda: Free card instance properly at probe errors Greg Kroah-Hartman
` (874 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Tsoy, Takashi Iwai
From: Alexander Tsoy <alexander@tsoy.me>
commit 763d92ed5dece7d439fc28a88b2d2728d525ffd9 upstream.
Add another device ID for JBL Quantum 400. It requires the same quirk as
other JBL Quantum devices.
Signed-off-by: Alexander Tsoy <alexander@tsoy.me>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211030174308.1011825-1-alexander@tsoy.me
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/quirks.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1749,6 +1749,7 @@ static const struct registration_quirk r
REG_QUIRK_ENTRY(0x0951, 0x16ea, 2), /* Kingston HyperX Cloud Flight S */
REG_QUIRK_ENTRY(0x0ecb, 0x1f46, 2), /* JBL Quantum 600 */
REG_QUIRK_ENTRY(0x0ecb, 0x1f47, 2), /* JBL Quantum 800 */
+ REG_QUIRK_ENTRY(0x0ecb, 0x1f4c, 2), /* JBL Quantum 400 */
REG_QUIRK_ENTRY(0x0ecb, 0x2039, 2), /* JBL Quantum 400 */
REG_QUIRK_ENTRY(0x0ecb, 0x203c, 2), /* JBL Quantum 600 */
REG_QUIRK_ENTRY(0x0ecb, 0x203e, 2), /* JBL Quantum 800 */
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 046/917] ALSA: hda: Free card instance properly at probe errors
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 045/917] ALSA: usb-audio: Add registration quirk for JBL Quantum 400 Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 047/917] ALSA: synth: missing check for possible NULL after the call to kstrdup Greg Kroah-Hartman
` (873 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Scott Branden
From: Takashi Iwai <tiwai@suse.de>
commit 39173303c83859723dab32c2abfb97296d6af3bf upstream.
The recent change in hda-intel driver to allow repeated probes
surfaced a problem that has been hidden until; the probe process in
the work calls azx_free() at the error path, and this skips the card
free process that eventually releases codec instances. As a result,
we get a kernel WARNING like:
snd_hda_intel 0000:00:1f.3: Cannot probe codecs, giving up
------------[ cut here ]------------
WARNING: CPU: 14 PID: 186 at sound/hda/hdac_bus.c:73
....
For fixing this, we need to call snd_card_free() instead of
azx_free(). Additionally, the device drvdata has to be cleared, as
the driver binding itself is still active. Then the PM and other
driver callbacks will ignore the procedure.
Fixes: c0f1886de7e1 ("ALSA: hda: intel: Allow repeatedly probing on codec configuration errors")
Reported-and-tested-by: Scott Branden <scott.branden@broadcom.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/063e2397-7edb-5f48-7b0d-618b938d9dd8@broadcom.com
Link: https://lore.kernel.org/r/20211110194633.19098-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/hda_intel.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -2330,7 +2330,8 @@ static int azx_probe_continue(struct azx
out_free:
if (err < 0) {
- azx_free(chip);
+ pci_set_drvdata(pci, NULL);
+ snd_card_free(chip->card);
return err;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 047/917] ALSA: synth: missing check for possible NULL after the call to kstrdup
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 046/917] ALSA: hda: Free card instance properly at probe errors Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 048/917] ALSA: pci: rme: Fix unaligned buffer addresses Greg Kroah-Hartman
` (872 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Austin Kim, Takashi Iwai
From: Austin Kim <austin.kim@lge.com>
commit d159037abbe3412285c271bdfb9cdf19e62678ff upstream.
If kcalloc() return NULL due to memory starvation, it is possible for
kstrdup() to return NULL in similar case. So add null check after the call
to kstrdup() is made.
[ minor coding-style fix by tiwai ]
Signed-off-by: Austin Kim <austin.kim@lge.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211109003742.GA5423@raspberrypi
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/synth/emux/emux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/synth/emux/emux.c
+++ b/sound/synth/emux/emux.c
@@ -88,7 +88,7 @@ int snd_emux_register(struct snd_emux *e
emu->name = kstrdup(name, GFP_KERNEL);
emu->voices = kcalloc(emu->max_voices, sizeof(struct snd_emux_voice),
GFP_KERNEL);
- if (emu->voices == NULL)
+ if (emu->name == NULL || emu->voices == NULL)
return -ENOMEM;
/* create soundfont list */
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 048/917] ALSA: pci: rme: Fix unaligned buffer addresses
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 047/917] ALSA: synth: missing check for possible NULL after the call to kstrdup Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 049/917] ALSA: PCM: Fix NULL dereference at mmap checks Greg Kroah-Hartman
` (871 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai
From: Takashi Iwai <tiwai@suse.de>
commit 43d35ccc36dad52377dd349b2e3ea803b72c3906 upstream.
The recent fix for setting up the DMA buffer type on RME drivers tried
to address the non-standard memory managements and changed the DMA
buffer information to the standard snd_dma_buffer object that is
allocated at the probe time. However, I overlooked that the RME
drivers handle the buffer addresses based on 64k alignment, and the
previous conversion broke that silently.
This patch is an attempt to fix the regression. The snd_dma_buffer
objects are copied to the original data with the correction to the
aligned accesses, and those are passed to snd_pcm_set_runtime_buffer()
helpers instead. The original snd_dma_buffer objects are managed by
devres, hence they'll be released automagically.
Fixes: 0899a7a23047 ("ALSA: pci: rme: Set up buffer type properly")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211108145752.30572-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/rme9652/hdsp.c | 41 +++++++++++++++++++++++------------------
sound/pci/rme9652/rme9652.c | 41 +++++++++++++++++++++++------------------
2 files changed, 46 insertions(+), 36 deletions(-)
--- a/sound/pci/rme9652/hdsp.c
+++ b/sound/pci/rme9652/hdsp.c
@@ -468,8 +468,11 @@ struct hdsp {
unsigned char ss_out_channels;
u32 io_loopback; /* output loopback channel states*/
- struct snd_dma_buffer *capture_dma_buf;
- struct snd_dma_buffer *playback_dma_buf;
+ /* DMA buffers; those are copied instances from the original snd_dma_buf
+ * objects (which are managed via devres) for the address alignments
+ */
+ struct snd_dma_buffer capture_dma_buf;
+ struct snd_dma_buffer playback_dma_buf;
unsigned char *capture_buffer; /* suitably aligned address */
unsigned char *playback_buffer; /* suitably aligned address */
@@ -3764,30 +3767,32 @@ static void snd_hdsp_proc_init(struct hd
static int snd_hdsp_initialize_memory(struct hdsp *hdsp)
{
- unsigned long pb_bus, cb_bus;
+ struct snd_dma_buffer *capture_dma, *playback_dma;
- hdsp->capture_dma_buf =
- snd_hammerfall_get_buffer(hdsp->pci, HDSP_DMA_AREA_BYTES);
- hdsp->playback_dma_buf =
- snd_hammerfall_get_buffer(hdsp->pci, HDSP_DMA_AREA_BYTES);
- if (!hdsp->capture_dma_buf || !hdsp->playback_dma_buf) {
+ capture_dma = snd_hammerfall_get_buffer(hdsp->pci, HDSP_DMA_AREA_BYTES);
+ playback_dma = snd_hammerfall_get_buffer(hdsp->pci, HDSP_DMA_AREA_BYTES);
+ if (!capture_dma || !playback_dma) {
dev_err(hdsp->card->dev,
"%s: no buffers available\n", hdsp->card_name);
return -ENOMEM;
}
- /* Align to bus-space 64K boundary */
+ /* copy to the own data for alignment */
+ hdsp->capture_dma_buf = *capture_dma;
+ hdsp->playback_dma_buf = *playback_dma;
- cb_bus = ALIGN(hdsp->capture_dma_buf->addr, 0x10000ul);
- pb_bus = ALIGN(hdsp->playback_dma_buf->addr, 0x10000ul);
+ /* Align to bus-space 64K boundary */
+ hdsp->capture_dma_buf.addr = ALIGN(capture_dma->addr, 0x10000ul);
+ hdsp->playback_dma_buf.addr = ALIGN(playback_dma->addr, 0x10000ul);
/* Tell the card where it is */
+ hdsp_write(hdsp, HDSP_inputBufferAddress, hdsp->capture_dma_buf.addr);
+ hdsp_write(hdsp, HDSP_outputBufferAddress, hdsp->playback_dma_buf.addr);
- hdsp_write(hdsp, HDSP_inputBufferAddress, cb_bus);
- hdsp_write(hdsp, HDSP_outputBufferAddress, pb_bus);
-
- hdsp->capture_buffer = hdsp->capture_dma_buf->area + (cb_bus - hdsp->capture_dma_buf->addr);
- hdsp->playback_buffer = hdsp->playback_dma_buf->area + (pb_bus - hdsp->playback_dma_buf->addr);
+ hdsp->capture_dma_buf.area += hdsp->capture_dma_buf.addr - capture_dma->addr;
+ hdsp->playback_dma_buf.area += hdsp->playback_dma_buf.addr - playback_dma->addr;
+ hdsp->capture_buffer = hdsp->capture_dma_buf.area;
+ hdsp->playback_buffer = hdsp->playback_dma_buf.area;
return 0;
}
@@ -4507,7 +4512,7 @@ static int snd_hdsp_playback_open(struct
snd_pcm_set_sync(substream);
runtime->hw = snd_hdsp_playback_subinfo;
- snd_pcm_set_runtime_buffer(substream, hdsp->playback_dma_buf);
+ snd_pcm_set_runtime_buffer(substream, &hdsp->playback_dma_buf);
hdsp->playback_pid = current->pid;
hdsp->playback_substream = substream;
@@ -4583,7 +4588,7 @@ static int snd_hdsp_capture_open(struct
snd_pcm_set_sync(substream);
runtime->hw = snd_hdsp_capture_subinfo;
- snd_pcm_set_runtime_buffer(substream, hdsp->capture_dma_buf);
+ snd_pcm_set_runtime_buffer(substream, &hdsp->capture_dma_buf);
hdsp->capture_pid = current->pid;
hdsp->capture_substream = substream;
--- a/sound/pci/rme9652/rme9652.c
+++ b/sound/pci/rme9652/rme9652.c
@@ -208,8 +208,11 @@ struct snd_rme9652 {
unsigned char ds_channels;
unsigned char ss_channels; /* different for hammerfall/hammerfall-light */
- struct snd_dma_buffer *playback_dma_buf;
- struct snd_dma_buffer *capture_dma_buf;
+ /* DMA buffers; those are copied instances from the original snd_dma_buf
+ * objects (which are managed via devres) for the address alignments
+ */
+ struct snd_dma_buffer playback_dma_buf;
+ struct snd_dma_buffer capture_dma_buf;
unsigned char *capture_buffer; /* suitably aligned address */
unsigned char *playback_buffer; /* suitably aligned address */
@@ -1719,30 +1722,32 @@ static void snd_rme9652_card_free(struct
static int snd_rme9652_initialize_memory(struct snd_rme9652 *rme9652)
{
- unsigned long pb_bus, cb_bus;
+ struct snd_dma_buffer *capture_dma, *playback_dma;
- rme9652->capture_dma_buf =
- snd_hammerfall_get_buffer(rme9652->pci, RME9652_DMA_AREA_BYTES);
- rme9652->playback_dma_buf =
- snd_hammerfall_get_buffer(rme9652->pci, RME9652_DMA_AREA_BYTES);
- if (!rme9652->capture_dma_buf || !rme9652->playback_dma_buf) {
+ capture_dma = snd_hammerfall_get_buffer(rme9652->pci, RME9652_DMA_AREA_BYTES);
+ playback_dma = snd_hammerfall_get_buffer(rme9652->pci, RME9652_DMA_AREA_BYTES);
+ if (!capture_dma || !playback_dma) {
dev_err(rme9652->card->dev,
"%s: no buffers available\n", rme9652->card_name);
return -ENOMEM;
}
- /* Align to bus-space 64K boundary */
+ /* copy to the own data for alignment */
+ rme9652->capture_dma_buf = *capture_dma;
+ rme9652->playback_dma_buf = *playback_dma;
- cb_bus = ALIGN(rme9652->capture_dma_buf->addr, 0x10000ul);
- pb_bus = ALIGN(rme9652->playback_dma_buf->addr, 0x10000ul);
+ /* Align to bus-space 64K boundary */
+ rme9652->capture_dma_buf.addr = ALIGN(capture_dma->addr, 0x10000ul);
+ rme9652->playback_dma_buf.addr = ALIGN(playback_dma->addr, 0x10000ul);
/* Tell the card where it is */
+ rme9652_write(rme9652, RME9652_rec_buffer, rme9652->capture_dma_buf.addr);
+ rme9652_write(rme9652, RME9652_play_buffer, rme9652->playback_dma_buf.addr);
- rme9652_write(rme9652, RME9652_rec_buffer, cb_bus);
- rme9652_write(rme9652, RME9652_play_buffer, pb_bus);
-
- rme9652->capture_buffer = rme9652->capture_dma_buf->area + (cb_bus - rme9652->capture_dma_buf->addr);
- rme9652->playback_buffer = rme9652->playback_dma_buf->area + (pb_bus - rme9652->playback_dma_buf->addr);
+ rme9652->capture_dma_buf.area += rme9652->capture_dma_buf.addr - capture_dma->addr;
+ rme9652->playback_dma_buf.area += rme9652->playback_dma_buf.addr - playback_dma->addr;
+ rme9652->capture_buffer = rme9652->capture_dma_buf.area;
+ rme9652->playback_buffer = rme9652->playback_dma_buf.area;
return 0;
}
@@ -2259,7 +2264,7 @@ static int snd_rme9652_playback_open(str
snd_pcm_set_sync(substream);
runtime->hw = snd_rme9652_playback_subinfo;
- snd_pcm_set_runtime_buffer(substream, rme9652->playback_dma_buf);
+ snd_pcm_set_runtime_buffer(substream, &rme9652->playback_dma_buf);
if (rme9652->capture_substream == NULL) {
rme9652_stop(rme9652);
@@ -2318,7 +2323,7 @@ static int snd_rme9652_capture_open(stru
snd_pcm_set_sync(substream);
runtime->hw = snd_rme9652_capture_subinfo;
- snd_pcm_set_runtime_buffer(substream, rme9652->capture_dma_buf);
+ snd_pcm_set_runtime_buffer(substream, &rme9652->capture_dma_buf);
if (rme9652->playback_substream == NULL) {
rme9652_stop(rme9652);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 049/917] ALSA: PCM: Fix NULL dereference at mmap checks
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 048/917] ALSA: pci: rme: Fix unaligned buffer addresses Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 050/917] ALSA: timer: Fix use-after-free problem Greg Kroah-Hartman
` (870 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai
From: Takashi Iwai <tiwai@suse.de>
commit 8e537d5dec34cac746dd6abf6a83e5de3aa471fc upstream.
The recent refactoring of mmap handling caused Oops on some devices
that don't use the standard memory allocations. This patch addresses
it by allowing snd_dma_buffer_mmap() helper to receive the NULL
pointer dmab argument (and return an error appropriately).
Fixes: a202bd1ad86d ("ALSA: core: Move mmap handler into memalloc ops")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211107163911.13534-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/memalloc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/sound/core/memalloc.c
+++ b/sound/core/memalloc.c
@@ -176,8 +176,11 @@ EXPORT_SYMBOL_GPL(snd_devm_alloc_pages);
int snd_dma_buffer_mmap(struct snd_dma_buffer *dmab,
struct vm_area_struct *area)
{
- const struct snd_malloc_ops *ops = snd_dma_get_ops(dmab);
+ const struct snd_malloc_ops *ops;
+ if (!dmab)
+ return -ENOENT;
+ ops = snd_dma_get_ops(dmab);
if (ops && ops->mmap)
return ops->mmap(dmab, area);
else
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 050/917] ALSA: timer: Fix use-after-free problem
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 049/917] ALSA: PCM: Fix NULL dereference at mmap checks Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 051/917] ALSA: timer: Unconditionally unlink slave instances, too Greg Kroah-Hartman
` (869 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wang Wensheng, Takashi Iwai
From: Wang Wensheng <wangwensheng4@huawei.com>
commit c0317c0e87094f5b5782b6fdef5ae0a4b150496c upstream.
When the timer instance was add into ack_list but was not currently in
process, the user could stop it via snd_timer_stop1() without delete it
from the ack_list. Then the user could free the timer instance and when
it was actually processed UAF occurred.
This issue could be reproduced via testcase snd_timer01 in ltp - running
several instances of that testcase at the same time.
What I actually met was that the ack_list of the timer broken and the
kernel went into deadloop with irqoff. That could be detected by
hardlockup detector on board or when we run it on qemu, we could use gdb
to dump the ack_list when the console has no response.
To fix this issue, we delete the timer instance from ack_list and
active_list unconditionally in snd_timer_stop1().
Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>
Suggested-by: Takashi Iwai <tiwai@suse.de>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211103033517.80531-1-wangwensheng4@huawei.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/timer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -624,13 +624,13 @@ static int snd_timer_stop1(struct snd_ti
if (!timer)
return -EINVAL;
spin_lock_irqsave(&timer->lock, flags);
+ list_del_init(&timeri->ack_list);
+ list_del_init(&timeri->active_list);
if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
SNDRV_TIMER_IFLG_START))) {
result = -EBUSY;
goto unlock;
}
- list_del_init(&timeri->ack_list);
- list_del_init(&timeri->active_list);
if (timer->card && timer->card->shutdown)
goto unlock;
if (stop) {
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 051/917] ALSA: timer: Unconditionally unlink slave instances, too
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 050/917] ALSA: timer: Fix use-after-free problem Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 052/917] Revert "ext4: enforce buffer head state assertion in ext4_da_map_blocks" Greg Kroah-Hartman
` (868 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai
From: Takashi Iwai <tiwai@suse.de>
commit ffdd98277f0a1d15a67a74ae09bee713df4c0dbc upstream.
Like the previous fix (commit c0317c0e8709 "ALSA: timer: Fix
use-after-free problem"), we have to unlink slave timer instances
immediately at snd_timer_stop(), too. Otherwise it may leave a stale
entry in the list if the slave instance is freed before actually
running.
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211105091517.21733-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/timer.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -665,23 +665,22 @@ static int snd_timer_stop1(struct snd_ti
static int snd_timer_stop_slave(struct snd_timer_instance *timeri, bool stop)
{
unsigned long flags;
+ bool running;
spin_lock_irqsave(&slave_active_lock, flags);
- if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
- spin_unlock_irqrestore(&slave_active_lock, flags);
- return -EBUSY;
- }
+ running = timeri->flags & SNDRV_TIMER_IFLG_RUNNING;
timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
if (timeri->timer) {
spin_lock(&timeri->timer->lock);
list_del_init(&timeri->ack_list);
list_del_init(&timeri->active_list);
- snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
- SNDRV_TIMER_EVENT_PAUSE);
+ if (running)
+ snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
+ SNDRV_TIMER_EVENT_PAUSE);
spin_unlock(&timeri->timer->lock);
}
spin_unlock_irqrestore(&slave_active_lock, flags);
- return 0;
+ return running ? 0 : -EBUSY;
}
/*
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 052/917] Revert "ext4: enforce buffer head state assertion in ext4_da_map_blocks"
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 051/917] ALSA: timer: Unconditionally unlink slave instances, too Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 053/917] ext4: fix lazy initialization next schedule time computation in more granular unit Greg Kroah-Hartman
` (867 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Eric Whitney, Theodore Tso, stable
From: Eric Whitney <enwlinux@gmail.com>
commit 3eda41df05d6ad5c825cbc7fef03d563597b1afa upstream.
This reverts commit 948ca5f30e1df0c11eb5b0f410b9ceb97fa77ad9.
Two crash reports from users running variations on 5.15-rc4 kernels
suggest that it is premature to enforce the state assertion in the
original commit. Both crashes were triggered by BUG calls in that
code, indicating that under some rare circumstance the buffer head
state did not match a delayed allocated block at the time the
block was written out. No reproducer is available. Resolving this
problem will require more time than remains in the current release
cycle, so reverting the original patch for the time being is necessary
to avoid any instability it may cause.
Signed-off-by: Eric Whitney <enwlinux@gmail.com>
Link: https://lore.kernel.org/r/20211012171901.5352-1-enwlinux@gmail.com
Fixes: 948ca5f30e1d ("ext4: enforce buffer head state assertion in ext4_da_map_blocks")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -1711,16 +1711,13 @@ static int ext4_da_map_blocks(struct ino
}
/*
- * the buffer head associated with a delayed and not unwritten
- * block found in the extent status cache must contain an
- * invalid block number and have its BH_New and BH_Delay bits
- * set, reflecting the state assigned when the block was
- * initially delayed allocated
+ * Delayed extent could be allocated by fallocate.
+ * So we need to check it.
*/
- if (ext4_es_is_delonly(&es)) {
- BUG_ON(bh->b_blocknr != invalid_block);
- BUG_ON(!buffer_new(bh));
- BUG_ON(!buffer_delay(bh));
+ if (ext4_es_is_delayed(&es) && !ext4_es_is_unwritten(&es)) {
+ map_bh(bh, inode->i_sb, invalid_block);
+ set_buffer_new(bh);
+ set_buffer_delay(bh);
return 0;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 053/917] ext4: fix lazy initialization next schedule time computation in more granular unit
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 052/917] Revert "ext4: enforce buffer head state assertion in ext4_da_map_blocks" Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 054/917] ext4: ensure enough credits in ext4_ext_shift_path_extents Greg Kroah-Hartman
` (866 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Shaoying Xu, Theodore Tso
From: Shaoying Xu <shaoyi@amazon.com>
commit 39fec6889d15a658c3a3ebb06fd69d3584ddffd3 upstream.
Ext4 file system has default lazy inode table initialization setup once
it is mounted. However, it has issue on computing the next schedule time
that makes the timeout same amount in jiffies but different real time in
secs if with various HZ values. Therefore, fix by measuring the current
time in a more granular unit nanoseconds and make the next schedule time
independent of the HZ value.
Fixes: bfff68738f1c ("ext4: add support for lazy inode table initialization")
Signed-off-by: Shaoying Xu <shaoyi@amazon.com>
Cc: stable@vger.kernel.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Link: https://lore.kernel.org/r/20210902164412.9994-2-shaoyi@amazon.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3263,9 +3263,9 @@ static int ext4_run_li_request(struct ex
struct super_block *sb = elr->lr_super;
ext4_group_t ngroups = EXT4_SB(sb)->s_groups_count;
ext4_group_t group = elr->lr_next_group;
- unsigned long timeout = 0;
unsigned int prefetch_ios = 0;
int ret = 0;
+ u64 start_time;
if (elr->lr_mode == EXT4_LI_MODE_PREFETCH_BBITMAP) {
elr->lr_next_group = ext4_mb_prefetch(sb, group,
@@ -3302,14 +3302,13 @@ static int ext4_run_li_request(struct ex
ret = 1;
if (!ret) {
- timeout = jiffies;
+ start_time = ktime_get_real_ns();
ret = ext4_init_inode_table(sb, group,
elr->lr_timeout ? 0 : 1);
trace_ext4_lazy_itable_init(sb, group);
if (elr->lr_timeout == 0) {
- timeout = (jiffies - timeout) *
- EXT4_SB(elr->lr_super)->s_li_wait_mult;
- elr->lr_timeout = timeout;
+ elr->lr_timeout = nsecs_to_jiffies((ktime_get_real_ns() - start_time) *
+ EXT4_SB(elr->lr_super)->s_li_wait_mult);
}
elr->lr_next_sched = jiffies + elr->lr_timeout;
elr->lr_next_group = group + 1;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 054/917] ext4: ensure enough credits in ext4_ext_shift_path_extents
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 053/917] ext4: fix lazy initialization next schedule time computation in more granular unit Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 055/917] ext4: refresh the ext4_ext_path struct after dropping i_data_sem Greg Kroah-Hartman
` (865 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, yangerkun, Jan Kara, Theodore Tso
From: yangerkun <yangerkun@huawei.com>
commit 4268496e48dc681cfa53b92357314b5d7221e625 upstream.
Like ext4_ext_rm_leaf, we can ensure that there are enough credits
before every call that will consume credits. As part of this fix we
fold the functionality of ext4_access_path() into
ext4_ext_shift_path_extents(). This change is needed as a preparation
for the next bugfix patch.
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20210903062748.4118886-3-yangerkun@huawei.com
Signed-off-by: yangerkun <yangerkun@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/extents.c | 49 +++++++++++++++----------------------------------
1 file changed, 15 insertions(+), 34 deletions(-)
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -4978,36 +4978,6 @@ int ext4_get_es_cache(struct inode *inod
}
/*
- * ext4_access_path:
- * Function to access the path buffer for marking it dirty.
- * It also checks if there are sufficient credits left in the journal handle
- * to update path.
- */
-static int
-ext4_access_path(handle_t *handle, struct inode *inode,
- struct ext4_ext_path *path)
-{
- int credits, err;
-
- if (!ext4_handle_valid(handle))
- return 0;
-
- /*
- * Check if need to extend journal credits
- * 3 for leaf, sb, and inode plus 2 (bmap and group
- * descriptor) for each block group; assume two block
- * groups
- */
- credits = ext4_writepage_trans_blocks(inode);
- err = ext4_datasem_ensure_credits(handle, inode, 7, credits, 0);
- if (err < 0)
- return err;
-
- err = ext4_ext_get_access(handle, inode, path);
- return err;
-}
-
-/*
* ext4_ext_shift_path_extents:
* Shift the extents of a path structure lying between path[depth].p_ext
* and EXT_LAST_EXTENT(path[depth].p_hdr), by @shift blocks. @SHIFT tells
@@ -5021,6 +4991,7 @@ ext4_ext_shift_path_extents(struct ext4_
int depth, err = 0;
struct ext4_extent *ex_start, *ex_last;
bool update = false;
+ int credits, restart_credits;
depth = path->p_depth;
while (depth >= 0) {
@@ -5030,13 +5001,23 @@ ext4_ext_shift_path_extents(struct ext4_
return -EFSCORRUPTED;
ex_last = EXT_LAST_EXTENT(path[depth].p_hdr);
+ /* leaf + sb + inode */
+ credits = 3;
+ if (ex_start == EXT_FIRST_EXTENT(path[depth].p_hdr)) {
+ update = true;
+ /* extent tree + sb + inode */
+ credits = depth + 2;
+ }
- err = ext4_access_path(handle, inode, path + depth);
+ restart_credits = ext4_writepage_trans_blocks(inode);
+ err = ext4_datasem_ensure_credits(handle, inode, credits,
+ restart_credits, 0);
if (err)
goto out;
- if (ex_start == EXT_FIRST_EXTENT(path[depth].p_hdr))
- update = true;
+ err = ext4_ext_get_access(handle, inode, path + depth);
+ if (err)
+ goto out;
while (ex_start <= ex_last) {
if (SHIFT == SHIFT_LEFT) {
@@ -5067,7 +5048,7 @@ ext4_ext_shift_path_extents(struct ext4_
}
/* Update index too */
- err = ext4_access_path(handle, inode, path + depth);
+ err = ext4_ext_get_access(handle, inode, path + depth);
if (err)
goto out;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 055/917] ext4: refresh the ext4_ext_path struct after dropping i_data_sem.
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 054/917] ext4: ensure enough credits in ext4_ext_shift_path_extents Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 056/917] fuse: fix page stealing Greg Kroah-Hartman
` (864 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, stable, yangerkun, Theodore Tso
From: yangerkun <yangerkun@huawei.com>
commit 1811bc401aa58c7bdb0df3205aa6613b49d32127 upstream.
After we drop i_data sem, we need to reload the ext4_ext_path
structure since the extent tree can change once i_data_sem is
released.
This addresses the BUG:
[52117.465187] ------------[ cut here ]------------
[52117.465686] kernel BUG at fs/ext4/extents.c:1756!
...
[52117.478306] Call Trace:
[52117.478565] ext4_ext_shift_extents+0x3ee/0x710
[52117.479020] ext4_fallocate+0x139c/0x1b40
[52117.479405] ? __do_sys_newfstat+0x6b/0x80
[52117.479805] vfs_fallocate+0x151/0x4b0
[52117.480177] ksys_fallocate+0x4a/0xa0
[52117.480533] __x64_sys_fallocate+0x22/0x30
[52117.480930] do_syscall_64+0x35/0x80
[52117.481277] entry_SYSCALL_64_after_hwframe+0x44/0xae
[52117.481769] RIP: 0033:0x7fa062f855ca
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20210903062748.4118886-4-yangerkun@huawei.com
Signed-off-by: yangerkun <yangerkun@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/extents.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -5012,8 +5012,11 @@ ext4_ext_shift_path_extents(struct ext4_
restart_credits = ext4_writepage_trans_blocks(inode);
err = ext4_datasem_ensure_credits(handle, inode, credits,
restart_credits, 0);
- if (err)
+ if (err) {
+ if (err > 0)
+ err = -EAGAIN;
goto out;
+ }
err = ext4_ext_get_access(handle, inode, path + depth);
if (err)
@@ -5087,6 +5090,7 @@ ext4_ext_shift_extents(struct inode *ino
int ret = 0, depth;
struct ext4_extent *extent;
ext4_lblk_t stop, *iterator, ex_start, ex_end;
+ ext4_lblk_t tmp = EXT_MAX_BLOCKS;
/* Let path point to the last extent */
path = ext4_find_extent(inode, EXT_MAX_BLOCKS - 1, NULL,
@@ -5140,11 +5144,15 @@ ext4_ext_shift_extents(struct inode *ino
* till we reach stop. In case of right shift, iterator points to stop
* and it is decreased till we reach start.
*/
+again:
if (SHIFT == SHIFT_LEFT)
iterator = &start;
else
iterator = &stop;
+ if (tmp != EXT_MAX_BLOCKS)
+ *iterator = tmp;
+
/*
* Its safe to start updating extents. Start and stop are unsigned, so
* in case of right shift if extent with 0 block is reached, iterator
@@ -5173,6 +5181,7 @@ ext4_ext_shift_extents(struct inode *ino
}
}
+ tmp = *iterator;
if (SHIFT == SHIFT_LEFT) {
extent = EXT_LAST_EXTENT(path[depth].p_hdr);
*iterator = le32_to_cpu(extent->ee_block) +
@@ -5191,6 +5200,9 @@ ext4_ext_shift_extents(struct inode *ino
}
ret = ext4_ext_shift_path_extents(path, shift, inode,
handle, SHIFT);
+ /* iterator can be NULL which means we should break */
+ if (ret == -EAGAIN)
+ goto again;
if (ret)
break;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 056/917] fuse: fix page stealing
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 055/917] ext4: refresh the ext4_ext_path struct after dropping i_data_sem Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-23 18:28 ` Justin Forbes
2021-11-15 16:52 ` [PATCH 5.15 057/917] x86/sme: Use #define USE_EARLY_PGTABLE_L5 in mem_encrypt_identity.c Greg Kroah-Hartman
` (863 subsequent siblings)
919 siblings, 1 reply; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Frank Dinoff, Miklos Szeredi
From: Miklos Szeredi <mszeredi@redhat.com>
commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.
It is possible to trigger a crash by splicing anon pipe bufs to the fuse
device.
The reason for this is that anon_pipe_buf_release() will reuse buf->page if
the refcount is 1, but that page might have already been stolen and its
flags modified (e.g. PG_lru added).
This happens in the unlikely case of fuse_dev_splice_write() getting around
to calling pipe_buf_release() after a page has been stolen, added to the
page cache and removed from the page cache.
Fix by calling pipe_buf_release() right after the page was inserted into
the page cache. In this case the page has an elevated refcount so any
release function will know that the page isn't reusable.
Reported-by: Frank Dinoff <fdinoff@google.com>
Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
Cc: <stable@vger.kernel.org> # v2.6.35
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -847,6 +847,12 @@ static int fuse_try_move_page(struct fus
replace_page_cache_page(oldpage, newpage);
+ /*
+ * Release while we have extra ref on stolen page. Otherwise
+ * anon_pipe_buf_release() might think the page can be reused.
+ */
+ pipe_buf_release(cs->pipe, buf);
+
get_page(newpage);
if (!(buf->flags & PIPE_BUF_FLAG_LRU))
@@ -2031,8 +2037,12 @@ static ssize_t fuse_dev_splice_write(str
pipe_lock(pipe);
out_free:
- for (idx = 0; idx < nbuf; idx++)
- pipe_buf_release(pipe, &bufs[idx]);
+ for (idx = 0; idx < nbuf; idx++) {
+ struct pipe_buffer *buf = &bufs[idx];
+
+ if (buf->ops)
+ pipe_buf_release(pipe, buf);
+ }
pipe_unlock(pipe);
kvfree(bufs);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 057/917] x86/sme: Use #define USE_EARLY_PGTABLE_L5 in mem_encrypt_identity.c
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 056/917] fuse: fix page stealing Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 058/917] x86/cpu: Fix migration safety with X86_BUG_NULL_SEL Greg Kroah-Hartman
` (862 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tom Lendacky, Borislav Petkov,
Kirill A. Shutemov
From: Tom Lendacky <thomas.lendacky@amd.com>
commit e7d445ab26db833d6640d4c9a08bee176777cc82 upstream.
When runtime support for converting between 4-level and 5-level pagetables
was added to the kernel, the SME code that built pagetables was updated
to use the pagetable functions, e.g. p4d_offset(), etc., in order to
simplify the code. However, the use of the pagetable functions in early
boot code requires the use of the USE_EARLY_PGTABLE_L5 #define in order to
ensure that the proper definition of pgtable_l5_enabled() is used.
Without the #define, pgtable_l5_enabled() is #defined as
cpu_feature_enabled(X86_FEATURE_LA57). In early boot, the CPU features
have not yet been discovered and populated, so pgtable_l5_enabled() will
return false even when 5-level paging is enabled. This causes the SME code
to always build 4-level pagetables to perform the in-place encryption.
If 5-level paging is enabled, switching to the SME pagetables results in
a page-fault that kills the boot.
Adding the #define results in pgtable_l5_enabled() using the
__pgtable_l5_enabled variable set in early boot and the SME code building
pagetables for the proper paging level.
Fixes: aad983913d77 ("x86/mm/encrypt: Simplify sme_populate_pgd() and sme_populate_pgd_large()")
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: <stable@vger.kernel.org> # 4.18.x
Link: https://lkml.kernel.org/r/2cb8329655f5c753905812d951e212022a480475.1634318656.git.thomas.lendacky@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/mm/mem_encrypt_identity.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/arch/x86/mm/mem_encrypt_identity.c
+++ b/arch/x86/mm/mem_encrypt_identity.c
@@ -27,6 +27,15 @@
#undef CONFIG_PARAVIRT_XXL
#undef CONFIG_PARAVIRT_SPINLOCKS
+/*
+ * This code runs before CPU feature bits are set. By default, the
+ * pgtable_l5_enabled() function uses bit X86_FEATURE_LA57 to determine if
+ * 5-level paging is active, so that won't work here. USE_EARLY_PGTABLE_L5
+ * is provided to handle this situation and, instead, use a variable that
+ * has been set by the early boot code.
+ */
+#define USE_EARLY_PGTABLE_L5
+
#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/mem_encrypt.h>
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 058/917] x86/cpu: Fix migration safety with X86_BUG_NULL_SEL
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 057/917] x86/sme: Use #define USE_EARLY_PGTABLE_L5 in mem_encrypt_identity.c Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 059/917] x86/irq: Ensure PI wakeup handler is unregistered before module unload Greg Kroah-Hartman
` (861 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jane Malalane, Borislav Petkov
From: Jane Malalane <jane.malalane@citrix.com>
commit 415de44076640483648d6c0f6d645a9ee61328ad upstream.
Currently, Linux probes for X86_BUG_NULL_SEL unconditionally which
makes it unsafe to migrate in a virtualised environment as the
properties across the migration pool might differ.
To be specific, the case which goes wrong is:
1. Zen1 (or earlier) and Zen2 (or later) in a migration pool
2. Linux boots on Zen2, probes and finds the absence of X86_BUG_NULL_SEL
3. Linux is then migrated to Zen1
Linux is now running on a X86_BUG_NULL_SEL-impacted CPU while believing
that the bug is fixed.
The only way to address the problem is to fully trust the "no longer
affected" CPUID bit when virtualised, because in the above case it would
be clear deliberately to indicate the fact "you might migrate to
somewhere which has this behaviour".
Zen3 adds the NullSelectorClearsBase CPUID bit to indicate that loading
a NULL segment selector zeroes the base and limit fields, as well as
just attributes. Zen2 also has this behaviour but doesn't have the NSCB
bit.
[ bp: Minor touchups. ]
Signed-off-by: Jane Malalane <jane.malalane@citrix.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
CC: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20211021104744.24126-1-jane.malalane@citrix.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/amd.c | 2 +
arch/x86/kernel/cpu/common.c | 44 ++++++++++++++++++++++++++++++++++++-------
arch/x86/kernel/cpu/cpu.h | 1
arch/x86/kernel/cpu/hygon.c | 2 +
4 files changed, 42 insertions(+), 7 deletions(-)
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -989,6 +989,8 @@ static void init_amd(struct cpuinfo_x86
if (cpu_has(c, X86_FEATURE_IRPERF) &&
!cpu_has_amd_erratum(c, amd_erratum_1054))
msr_set_bit(MSR_K7_HWCR, MSR_K7_HWCR_IRPERF_EN_BIT);
+
+ check_null_seg_clears_base(c);
}
#ifdef CONFIG_X86_32
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1396,9 +1396,8 @@ void __init early_cpu_init(void)
early_identify_cpu(&boot_cpu_data);
}
-static void detect_null_seg_behavior(struct cpuinfo_x86 *c)
+static bool detect_null_seg_behavior(void)
{
-#ifdef CONFIG_X86_64
/*
* Empirically, writing zero to a segment selector on AMD does
* not clear the base, whereas writing zero to a segment
@@ -1419,10 +1418,43 @@ static void detect_null_seg_behavior(str
wrmsrl(MSR_FS_BASE, 1);
loadsegment(fs, 0);
rdmsrl(MSR_FS_BASE, tmp);
- if (tmp != 0)
- set_cpu_bug(c, X86_BUG_NULL_SEG);
wrmsrl(MSR_FS_BASE, old_base);
-#endif
+ return tmp == 0;
+}
+
+void check_null_seg_clears_base(struct cpuinfo_x86 *c)
+{
+ /* BUG_NULL_SEG is only relevant with 64bit userspace */
+ if (!IS_ENABLED(CONFIG_X86_64))
+ return;
+
+ /* Zen3 CPUs advertise Null Selector Clears Base in CPUID. */
+ if (c->extended_cpuid_level >= 0x80000021 &&
+ cpuid_eax(0x80000021) & BIT(6))
+ return;
+
+ /*
+ * CPUID bit above wasn't set. If this kernel is still running
+ * as a HV guest, then the HV has decided not to advertize
+ * that CPUID bit for whatever reason. For example, one
+ * member of the migration pool might be vulnerable. Which
+ * means, the bug is present: set the BUG flag and return.
+ */
+ if (cpu_has(c, X86_FEATURE_HYPERVISOR)) {
+ set_cpu_bug(c, X86_BUG_NULL_SEG);
+ return;
+ }
+
+ /*
+ * Zen2 CPUs also have this behaviour, but no CPUID bit.
+ * 0x18 is the respective family for Hygon.
+ */
+ if ((c->x86 == 0x17 || c->x86 == 0x18) &&
+ detect_null_seg_behavior())
+ return;
+
+ /* All the remaining ones are affected */
+ set_cpu_bug(c, X86_BUG_NULL_SEG);
}
static void generic_identify(struct cpuinfo_x86 *c)
@@ -1458,8 +1490,6 @@ static void generic_identify(struct cpui
get_model_name(c); /* Default name */
- detect_null_seg_behavior(c);
-
/*
* ESPFIX is a strange bug. All real CPUs have it. Paravirt
* systems that run Linux at CPL > 0 may or may not have the
--- a/arch/x86/kernel/cpu/cpu.h
+++ b/arch/x86/kernel/cpu/cpu.h
@@ -75,6 +75,7 @@ extern int detect_extended_topology_earl
extern int detect_extended_topology(struct cpuinfo_x86 *c);
extern int detect_ht_early(struct cpuinfo_x86 *c);
extern void detect_ht(struct cpuinfo_x86 *c);
+extern void check_null_seg_clears_base(struct cpuinfo_x86 *c);
unsigned int aperfmperf_get_khz(int cpu);
--- a/arch/x86/kernel/cpu/hygon.c
+++ b/arch/x86/kernel/cpu/hygon.c
@@ -335,6 +335,8 @@ static void init_hygon(struct cpuinfo_x8
/* Hygon CPUs don't reset SS attributes on SYSRET, Xen does. */
if (!cpu_has(c, X86_FEATURE_XENPV))
set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
+
+ check_null_seg_clears_base(c);
}
static void cpu_detect_tlb_hygon(struct cpuinfo_x86 *c)
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 059/917] x86/irq: Ensure PI wakeup handler is unregistered before module unload
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 058/917] x86/cpu: Fix migration safety with X86_BUG_NULL_SEL Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 060/917] x86/iopl: Fake iopl(3) CLI/STI usage Greg Kroah-Hartman
` (860 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini
From: Sean Christopherson <seanjc@google.com>
commit 6ff53f6a438f72998f56e82e76694a1df9d1ea2c upstream.
Add a synchronize_rcu() after clearing the posted interrupt wakeup handler
to ensure all readers, i.e. in-flight IRQ handlers, see the new handler
before returning to the caller. If the caller is an exiting module and
is unregistering its handler, failure to wait could result in the IRQ
handler jumping into an unloaded module.
The registration path doesn't require synchronization, as it's the
caller's responsibility to not generate interrupts it cares about until
after its handler is registered.
Fixes: f6b3c72c2366 ("x86/irq: Define a global vector for VT-d Posted-Interrupts")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20211009001107.3936588-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/irq.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/arch/x86/kernel/irq.c
+++ b/arch/x86/kernel/irq.c
@@ -291,8 +291,10 @@ void kvm_set_posted_intr_wakeup_handler(
{
if (handler)
kvm_posted_intr_wakeup_handler = handler;
- else
+ else {
kvm_posted_intr_wakeup_handler = dummy_handler;
+ synchronize_rcu();
+ }
}
EXPORT_SYMBOL_GPL(kvm_set_posted_intr_wakeup_handler);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 060/917] x86/iopl: Fake iopl(3) CLI/STI usage
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 059/917] x86/irq: Ensure PI wakeup handler is unregistered before module unload Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 061/917] btrfs: clear MISSING device status bit in btrfs_close_one_device Greg Kroah-Hartman
` (859 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ondrej Zary, Peter Zijlstra (Intel),
Thomas Gleixner, stable
From: Peter Zijlstra <peterz@infradead.org>
commit b968e84b509da593c50dc3db679e1d33de701f78 upstream.
Since commit c8137ace5638 ("x86/iopl: Restrict iopl() permission
scope") it's possible to emulate iopl(3) using ioperm(), except for
the CLI/STI usage.
Userspace CLI/STI usage is very dubious (read broken), since any
exception taken during that window can lead to rescheduling anyway (or
worse). The IOPL(2) manpage even states that usage of CLI/STI is highly
discouraged and might even crash the system.
Of course, that won't stop people and HP has the dubious honour of
being the first vendor to be found using this in their hp-health
package.
In order to enable this 'software' to still 'work', have the #GP treat
the CLI/STI instructions as NOPs when iopl(3). Warn the user that
their program is doing dubious things.
Fixes: a24ca9976843 ("x86/iopl: Remove legacy IOPL option")
Reported-by: Ondrej Zary <linux@zary.sk>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@kernel.org # v5.5+
Link: https://lkml.kernel.org/r/20210918090641.GD5106@worktop.programming.kicks-ass.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/insn-eval.h | 1 +
arch/x86/include/asm/processor.h | 1 +
arch/x86/kernel/process.c | 1 +
arch/x86/kernel/traps.c | 33 +++++++++++++++++++++++++++++++++
arch/x86/lib/insn-eval.c | 2 +-
5 files changed, 37 insertions(+), 1 deletion(-)
--- a/arch/x86/include/asm/insn-eval.h
+++ b/arch/x86/include/asm/insn-eval.h
@@ -21,6 +21,7 @@ int insn_get_modrm_rm_off(struct insn *i
int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs);
unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx);
int insn_get_code_seg_params(struct pt_regs *regs);
+int insn_get_effective_ip(struct pt_regs *regs, unsigned long *ip);
int insn_fetch_from_user(struct pt_regs *regs,
unsigned char buf[MAX_INSN_SIZE]);
int insn_fetch_from_user_inatomic(struct pt_regs *regs,
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -518,6 +518,7 @@ struct thread_struct {
*/
unsigned long iopl_emul;
+ unsigned int iopl_warn:1;
unsigned int sig_on_uaccess_err:1;
/*
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -132,6 +132,7 @@ int copy_thread(unsigned long clone_flag
frame->ret_addr = (unsigned long) ret_from_fork;
p->thread.sp = (unsigned long) fork_frame;
p->thread.io_bitmap = NULL;
+ p->thread.iopl_warn = 0;
memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps));
#ifdef CONFIG_X86_64
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -528,6 +528,36 @@ static enum kernel_gp_hint get_kernel_gp
#define GPFSTR "general protection fault"
+static bool fixup_iopl_exception(struct pt_regs *regs)
+{
+ struct thread_struct *t = ¤t->thread;
+ unsigned char byte;
+ unsigned long ip;
+
+ if (!IS_ENABLED(CONFIG_X86_IOPL_IOPERM) || t->iopl_emul != 3)
+ return false;
+
+ if (insn_get_effective_ip(regs, &ip))
+ return false;
+
+ if (get_user(byte, (const char __user *)ip))
+ return false;
+
+ if (byte != 0xfa && byte != 0xfb)
+ return false;
+
+ if (!t->iopl_warn && printk_ratelimit()) {
+ pr_err("%s[%d] attempts to use CLI/STI, pretending it's a NOP, ip:%lx",
+ current->comm, task_pid_nr(current), ip);
+ print_vma_addr(KERN_CONT " in ", ip);
+ pr_cont("\n");
+ t->iopl_warn = 1;
+ }
+
+ regs->ip += 1;
+ return true;
+}
+
DEFINE_IDTENTRY_ERRORCODE(exc_general_protection)
{
char desc[sizeof(GPFSTR) + 50 + 2*sizeof(unsigned long) + 1] = GPFSTR;
@@ -553,6 +583,9 @@ DEFINE_IDTENTRY_ERRORCODE(exc_general_pr
tsk = current;
if (user_mode(regs)) {
+ if (fixup_iopl_exception(regs))
+ goto exit;
+
tsk->thread.error_code = error_code;
tsk->thread.trap_nr = X86_TRAP_GP;
--- a/arch/x86/lib/insn-eval.c
+++ b/arch/x86/lib/insn-eval.c
@@ -1417,7 +1417,7 @@ void __user *insn_get_addr_ref(struct in
}
}
-static int insn_get_effective_ip(struct pt_regs *regs, unsigned long *ip)
+int insn_get_effective_ip(struct pt_regs *regs, unsigned long *ip)
{
unsigned long seg_base = 0;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 061/917] btrfs: clear MISSING device status bit in btrfs_close_one_device
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 060/917] x86/iopl: Fake iopl(3) CLI/STI usage Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 062/917] btrfs: fix lost error handling when replaying directory deletes Greg Kroah-Hartman
` (858 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Li Zhang, David Sterba
From: Li Zhang <zhanglikernel@gmail.com>
commit 5d03dbebba2594d2e6fbf3b5dd9060c5a835de3b upstream.
Reported bug: https://github.com/kdave/btrfs-progs/issues/389
There's a problem with scrub reporting aborted status but returning
error code 0, on a filesystem with missing and readded device.
Roughly these steps:
- mkfs -d raid1 dev1 dev2
- fill with data
- unmount
- make dev1 disappear
- mount -o degraded
- copy more data
- make dev1 appear again
Running scrub afterwards reports that the command was aborted, but the
system log message says the exit code was 0.
It seems that the cause of the error is decrementing
fs_devices->missing_devices but not clearing device->dev_state. Every
time we umount filesystem, it would call close_ctree, And it would
eventually involve btrfs_close_one_device to close the device, but it
only decrements fs_devices->missing_devices but does not clear the
device BTRFS_DEV_STATE_MISSING bit. Worse, this bug will cause Integer
Overflow, because every time umount, fs_devices->missing_devices will
decrease. If fs_devices->missing_devices value hit 0, it would overflow.
With added debugging:
loop1: detected capacity change from 0 to 20971520
BTRFS: device fsid 56ad51f1-5523-463b-8547-c19486c51ebb devid 1 transid 21 /dev/loop1 scanned by systemd-udevd (2311)
loop2: detected capacity change from 0 to 20971520
BTRFS: device fsid 56ad51f1-5523-463b-8547-c19486c51ebb devid 2 transid 17 /dev/loop2 scanned by systemd-udevd (2313)
BTRFS info (device loop1): flagging fs with big metadata feature
BTRFS info (device loop1): allowing degraded mounts
BTRFS info (device loop1): using free space tree
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): before clear_missing.00000000f706684d /dev/loop1 0
BTRFS warning (device loop1): devid 2 uuid 6635ac31-56dd-4852-873b-c60f5e2d53d2 is missing
BTRFS info (device loop1): before clear_missing.0000000000000000 /dev/loop2 1
BTRFS info (device loop1): flagging fs with big metadata feature
BTRFS info (device loop1): allowing degraded mounts
BTRFS info (device loop1): using free space tree
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): before clear_missing.00000000f706684d /dev/loop1 0
BTRFS warning (device loop1): devid 2 uuid 6635ac31-56dd-4852-873b-c60f5e2d53d2 is missing
BTRFS info (device loop1): before clear_missing.0000000000000000 /dev/loop2 0
BTRFS info (device loop1): flagging fs with big metadata feature
BTRFS info (device loop1): allowing degraded mounts
BTRFS info (device loop1): using free space tree
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): before clear_missing.00000000f706684d /dev/loop1 18446744073709551615
BTRFS warning (device loop1): devid 2 uuid 6635ac31-56dd-4852-873b-c60f5e2d53d2 is missing
BTRFS info (device loop1): before clear_missing.0000000000000000 /dev/loop2 18446744073709551615
If fs_devices->missing_devices is 0, next time it would be 18446744073709551615
After apply this patch, the fs_devices->missing_devices seems to be
right:
$ truncate -s 10g test1
$ truncate -s 10g test2
$ losetup /dev/loop1 test1
$ losetup /dev/loop2 test2
$ mkfs.btrfs -draid1 -mraid1 /dev/loop1 /dev/loop2 -f
$ losetup -d /dev/loop2
$ mount -o degraded /dev/loop1 /mnt/1
$ umount /mnt/1
$ mount -o degraded /dev/loop1 /mnt/1
$ umount /mnt/1
$ mount -o degraded /dev/loop1 /mnt/1
$ umount /mnt/1
$ dmesg
loop1: detected capacity change from 0 to 20971520
loop2: detected capacity change from 0 to 20971520
BTRFS: device fsid 15aa1203-98d3-4a66-bcae-ca82f629c2cd devid 1 transid 5 /dev/loop1 scanned by mkfs.btrfs (1863)
BTRFS: device fsid 15aa1203-98d3-4a66-bcae-ca82f629c2cd devid 2 transid 5 /dev/loop2 scanned by mkfs.btrfs (1863)
BTRFS info (device loop1): flagging fs with big metadata feature
BTRFS info (device loop1): allowing degraded mounts
BTRFS info (device loop1): disk space caching is enabled
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): before clear_missing.00000000975bd577 /dev/loop1 0
BTRFS warning (device loop1): devid 2 uuid 8b333791-0b3f-4f57-b449-1c1ab6b51f38 is missing
BTRFS info (device loop1): before clear_missing.0000000000000000 /dev/loop2 1
BTRFS info (device loop1): checking UUID tree
BTRFS info (device loop1): flagging fs with big metadata feature
BTRFS info (device loop1): allowing degraded mounts
BTRFS info (device loop1): disk space caching is enabled
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): before clear_missing.00000000975bd577 /dev/loop1 0
BTRFS warning (device loop1): devid 2 uuid 8b333791-0b3f-4f57-b449-1c1ab6b51f38 is missing
BTRFS info (device loop1): before clear_missing.0000000000000000 /dev/loop2 1
BTRFS info (device loop1): flagging fs with big metadata feature
BTRFS info (device loop1): allowing degraded mounts
BTRFS info (device loop1): disk space caching is enabled
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): before clear_missing.00000000975bd577 /dev/loop1 0
BTRFS warning (device loop1): devid 2 uuid 8b333791-0b3f-4f57-b449-1c1ab6b51f38 is missing
BTRFS info (device loop1): before clear_missing.0000000000000000 /dev/loop2 1
CC: stable@vger.kernel.org # 4.19+
Signed-off-by: Li Zhang <zhanglikernel@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/volumes.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -1122,8 +1122,10 @@ static void btrfs_close_one_device(struc
if (device->devid == BTRFS_DEV_REPLACE_DEVID)
clear_bit(BTRFS_DEV_STATE_REPLACE_TGT, &device->dev_state);
- if (test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state))
+ if (test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state)) {
+ clear_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state);
fs_devices->missing_devices--;
+ }
btrfs_close_bdev(device);
if (device->bdev) {
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 062/917] btrfs: fix lost error handling when replaying directory deletes
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 061/917] btrfs: clear MISSING device status bit in btrfs_close_one_device Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 063/917] btrfs: call btrfs_check_rw_degradable only if there is a missing device Greg Kroah-Hartman
` (857 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Josef Bacik, Filipe Manana, David Sterba
From: Filipe Manana <fdmanana@suse.com>
commit 10adb1152d957a4d570ad630f93a88bb961616c1 upstream.
At replay_dir_deletes(), if find_dir_range() returns an error we break out
of the main while loop and then assign a value of 0 (success) to the 'ret'
variable, resulting in completely ignoring that an error happened. Fix
that by jumping to the 'out' label when find_dir_range() returns an error
(negative value).
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/tree-log.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -2500,7 +2500,9 @@ again:
else {
ret = find_dir_range(log, path, dirid, key_type,
&range_start, &range_end);
- if (ret != 0)
+ if (ret < 0)
+ goto out;
+ else if (ret > 0)
break;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 063/917] btrfs: call btrfs_check_rw_degradable only if there is a missing device
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 062/917] btrfs: fix lost error handling when replaying directory deletes Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 064/917] KVM: x86/mmu: Drop a redundant, broken remote TLB flush Greg Kroah-Hartman
` (856 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Josef Bacik, Anand Jain, David Sterba
From: Anand Jain <anand.jain@oracle.com>
commit 5c78a5e7aa835c4f08a7c90fe02d19f95a776f29 upstream.
In open_ctree() in btrfs_check_rw_degradable() [1], we check each block
group individually if at least the minimum number of devices is available
for that profile. If all the devices are available, then we don't have to
check degradable.
[1]
open_ctree()
::
3559 if (!sb_rdonly(sb) && !btrfs_check_rw_degradable(fs_info, NULL)) {
Also before calling btrfs_check_rw_degradable() in open_ctee() at the
line number shown below [2] we call btrfs_read_chunk_tree() and down to
add_missing_dev() to record number of missing devices.
[2]
open_ctree()
::
3454 ret = btrfs_read_chunk_tree(fs_info);
btrfs_read_chunk_tree()
read_one_chunk() / read_one_dev()
add_missing_dev()
So, check if there is any missing device before btrfs_check_rw_degradable()
in open_ctree().
Also, with this the mount command could save ~16ms.[3] in the most
common case, that is no device is missing.
[3]
1) * 16934.96 us | btrfs_check_rw_degradable [btrfs]();
CC: stable@vger.kernel.org # 4.19+
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Anand Jain <anand.jain@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/disk-io.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -3556,7 +3556,8 @@ int __cold open_ctree(struct super_block
goto fail_sysfs;
}
- if (!sb_rdonly(sb) && !btrfs_check_rw_degradable(fs_info, NULL)) {
+ if (!sb_rdonly(sb) && fs_info->fs_devices->missing_devices &&
+ !btrfs_check_rw_degradable(fs_info, NULL)) {
btrfs_warn(fs_info,
"writable mount is not allowed due to too many missing devices");
goto fail_sysfs;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 064/917] KVM: x86/mmu: Drop a redundant, broken remote TLB flush
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 063/917] btrfs: call btrfs_check_rw_degradable only if there is a missing device Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 065/917] KVM: VMX: Unregister posted interrupt wakeup handler on hardware unsetup Greg Kroah-Hartman
` (855 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Maxim Levitsky, Maciej S. Szmigiero,
Sean Christopherson, Paolo Bonzini
From: Sean Christopherson <seanjc@google.com>
commit bc3b3c1002ea684e618ff6d8c387b1b8b319f140 upstream.
A recent commit to fix the calls to kvm_flush_remote_tlbs_with_address()
in kvm_zap_gfn_range() inadvertantly added yet another flush instead of
fixing the existing flush. Drop the redundant flush, and fix the params
for the existing flush.
Cc: stable@vger.kernel.org
Fixes: 2822da446640 ("KVM: x86/mmu: fix parameters to kvm_flush_remote_tlbs_with_address")
Cc: Maxim Levitsky <mlevitsk@redhat.com>
Cc: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20211022010005.1454978-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/mmu/mmu.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -5758,13 +5758,11 @@ void kvm_zap_gfn_range(struct kvm *kvm,
for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++)
flush = kvm_tdp_mmu_zap_gfn_range(kvm, i, gfn_start,
gfn_end, flush);
- if (flush)
- kvm_flush_remote_tlbs_with_address(kvm, gfn_start,
- gfn_end - gfn_start);
}
if (flush)
- kvm_flush_remote_tlbs_with_address(kvm, gfn_start, gfn_end);
+ kvm_flush_remote_tlbs_with_address(kvm, gfn_start,
+ gfn_end - gfn_start);
kvm_dec_notifier_count(kvm, gfn_start, gfn_end);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 065/917] KVM: VMX: Unregister posted interrupt wakeup handler on hardware unsetup
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 064/917] KVM: x86/mmu: Drop a redundant, broken remote TLB flush Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 066/917] powerpc/kvm: Fix kvm_use_magic_page Greg Kroah-Hartman
` (854 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini
From: Sean Christopherson <seanjc@google.com>
commit ec5a4919fa7b7d8c7a2af1c7e799b1fe4be84343 upstream.
Unregister KVM's posted interrupt wakeup handler during unsetup so that a
spurious interrupt that arrives after kvm_intel.ko is unloaded doesn't
call into freed memory.
Fixes: bf9f6ac8d749 ("KVM: Update Posted-Interrupts Descriptor when vCPU is blocked")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20211009001107.3936588-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/vmx.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -7551,6 +7551,8 @@ static void vmx_migrate_timers(struct kv
static void hardware_unsetup(void)
{
+ kvm_set_posted_intr_wakeup_handler(NULL);
+
if (nested)
nested_vmx_hardware_unsetup();
@@ -7879,8 +7881,6 @@ static __init int hardware_setup(void)
vmx_x86_ops.request_immediate_exit = __kvm_request_immediate_exit;
}
- kvm_set_posted_intr_wakeup_handler(pi_wakeup_handler);
-
kvm_mce_cap_supported |= MCG_LMCE_P;
if (pt_mode != PT_MODE_SYSTEM && pt_mode != PT_MODE_HOST_GUEST)
@@ -7904,6 +7904,9 @@ static __init int hardware_setup(void)
r = alloc_kvm_area();
if (r)
nested_vmx_hardware_unsetup();
+
+ kvm_set_posted_intr_wakeup_handler(pi_wakeup_handler);
+
return r;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 066/917] powerpc/kvm: Fix kvm_use_magic_page
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 065/917] KVM: VMX: Unregister posted interrupt wakeup handler on hardware unsetup Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 067/917] KVM: PPC: Tick accounting should defer vtime accounting til after IRQ handling Greg Kroah-Hartman
` (853 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andreas Gruenbacher
From: Andreas Gruenbacher <agruenba@redhat.com>
commit 0c8eb2884a42d992c7726539328b7d3568f22143 upstream.
When switching from __get_user to fault_in_pages_readable, commit
9f9eae5ce717 broke kvm_use_magic_page: like __get_user,
fault_in_pages_readable returns 0 on success.
Fixes: 9f9eae5ce717 ("powerpc/kvm: Prefer fault_in_pages_readable function")
Cc: stable@vger.kernel.org # v4.18+
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kernel/kvm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/kernel/kvm.c
+++ b/arch/powerpc/kernel/kvm.c
@@ -669,7 +669,7 @@ static void __init kvm_use_magic_page(vo
on_each_cpu(kvm_map_magic_page, &features, 1);
/* Quick self-test to see if the mapping works */
- if (!fault_in_pages_readable((const char *)KVM_MAGIC_PAGE, sizeof(u32))) {
+ if (fault_in_pages_readable((const char *)KVM_MAGIC_PAGE, sizeof(u32))) {
kvm_patching_worked = false;
return;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 067/917] KVM: PPC: Tick accounting should defer vtime accounting til after IRQ handling
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 066/917] powerpc/kvm: Fix kvm_use_magic_page Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 068/917] ia64: kprobes: Fix to pass correct trampoline address to the handler Greg Kroah-Hartman
` (852 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Laurent Vivier, Nicholas Piggin,
Michael Ellerman
From: Laurent Vivier <lvivier@redhat.com>
commit 235cee162459d96153d63651ce7ff51752528c96 upstream.
Commit 112665286d08 ("KVM: PPC: Book3S HV: Context tracking exit guest
context before enabling irqs") moved guest_exit() into the interrupt
protected area to avoid wrong context warning (or worse). The problem is
that tick-based time accounting has not yet been updated at this point
(because it depends on the timer interrupt firing), so the guest time
gets incorrectly accounted to system time.
To fix the problem, follow the x86 fix in commit 160457140187 ("Defer
vtime accounting 'til after IRQ handling"), and allow host IRQs to run
before accounting the guest exit time.
In the case vtime accounting is enabled, this is not required because TB
is used directly for accounting.
Before this patch, with CONFIG_TICK_CPU_ACCOUNTING=y in the host and a
guest running a kernel compile, the 'guest' fields of /proc/stat are
stuck at zero. With the patch they can be observed increasing roughly as
expected.
Fixes: e233d54d4d97 ("KVM: booke: use __kvm_guest_exit")
Fixes: 112665286d08 ("KVM: PPC: Book3S HV: Context tracking exit guest context before enabling irqs")
Cc: stable@vger.kernel.org # 5.12+
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
[np: only required for tick accounting, add Book3E fix, tweak changelog]
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20211027142150.3711582-1-npiggin@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kvm/book3s_hv.c | 30 ++++++++++++++++++++++++++++--
arch/powerpc/kvm/booke.c | 16 +++++++++++++++-
2 files changed, 43 insertions(+), 3 deletions(-)
--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -3726,7 +3726,20 @@ static noinline void kvmppc_run_core(str
kvmppc_set_host_core(pcpu);
- guest_exit_irqoff();
+ context_tracking_guest_exit();
+ if (!vtime_accounting_enabled_this_cpu()) {
+ local_irq_enable();
+ /*
+ * Service IRQs here before vtime_account_guest_exit() so any
+ * ticks that occurred while running the guest are accounted to
+ * the guest. If vtime accounting is enabled, accounting uses
+ * TB rather than ticks, so it can be done without enabling
+ * interrupts here, which has the problem that it accounts
+ * interrupt processing overhead to the host.
+ */
+ local_irq_disable();
+ }
+ vtime_account_guest_exit();
local_irq_enable();
@@ -4510,7 +4523,20 @@ int kvmhv_run_single_vcpu(struct kvm_vcp
kvmppc_set_host_core(pcpu);
- guest_exit_irqoff();
+ context_tracking_guest_exit();
+ if (!vtime_accounting_enabled_this_cpu()) {
+ local_irq_enable();
+ /*
+ * Service IRQs here before vtime_account_guest_exit() so any
+ * ticks that occurred while running the guest are accounted to
+ * the guest. If vtime accounting is enabled, accounting uses
+ * TB rather than ticks, so it can be done without enabling
+ * interrupts here, which has the problem that it accounts
+ * interrupt processing overhead to the host.
+ */
+ local_irq_disable();
+ }
+ vtime_account_guest_exit();
local_irq_enable();
--- a/arch/powerpc/kvm/booke.c
+++ b/arch/powerpc/kvm/booke.c
@@ -1042,7 +1042,21 @@ int kvmppc_handle_exit(struct kvm_vcpu *
}
trace_kvm_exit(exit_nr, vcpu);
- guest_exit_irqoff();
+
+ context_tracking_guest_exit();
+ if (!vtime_accounting_enabled_this_cpu()) {
+ local_irq_enable();
+ /*
+ * Service IRQs here before vtime_account_guest_exit() so any
+ * ticks that occurred while running the guest are accounted to
+ * the guest. If vtime accounting is enabled, accounting uses
+ * TB rather than ticks, so it can be done without enabling
+ * interrupts here, which has the problem that it accounts
+ * interrupt processing overhead to the host.
+ */
+ local_irq_disable();
+ }
+ vtime_account_guest_exit();
local_irq_enable();
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 068/917] ia64: kprobes: Fix to pass correct trampoline address to the handler
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 067/917] KVM: PPC: Tick accounting should defer vtime accounting til after IRQ handling Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 069/917] selinux: fix race condition when computing ocontext SIDs Greg Kroah-Hartman
` (851 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Josh Poimboeuf, Ingo Molnar, X86 ML,
Daniel Xu, Thomas Gleixner, Borislav Petkov, Peter Zijlstra,
Abhishek Sagar, Andrii Nakryiko, Paul McKenney, Masami Hiramatsu,
Steven Rostedt (VMware)
From: Masami Hiramatsu <mhiramat@kernel.org>
commit a7fe2378454cf46cd5e2776d05e72bbe8f0a468c upstream.
The following commit:
Commit e792ff804f49 ("ia64: kprobes: Use generic kretprobe trampoline handler")
Passed the wrong trampoline address to __kretprobe_trampoline_handler(): it
passes the descriptor address instead of function entry address.
Pass the right parameter.
Also use correct symbol dereference function to get the function address
from 'kretprobe_trampoline' - an IA64 special.
Link: https://lkml.kernel.org/r/163163042696.489837.12551102356265354730.stgit@devnote2
Fixes: e792ff804f49 ("ia64: kprobes: Use generic kretprobe trampoline handler")
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: X86 ML <x86@kernel.org>
Cc: Daniel Xu <dxu@dxuuu.xyz>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Abhishek Sagar <sagar.abhishek@gmail.com>
Cc: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: Paul McKenney <paulmck@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/ia64/kernel/kprobes.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/arch/ia64/kernel/kprobes.c
+++ b/arch/ia64/kernel/kprobes.c
@@ -398,7 +398,8 @@ static void kretprobe_trampoline(void)
int __kprobes trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs)
{
- regs->cr_iip = __kretprobe_trampoline_handler(regs, kretprobe_trampoline, NULL);
+ regs->cr_iip = __kretprobe_trampoline_handler(regs,
+ dereference_function_descriptor(kretprobe_trampoline), NULL);
/*
* By returning a non-zero value, we are telling
* kprobe_handler() that we don't want the post_handler
@@ -414,7 +415,7 @@ void __kprobes arch_prepare_kretprobe(st
ri->fp = NULL;
/* Replace the return addr with trampoline addr */
- regs->b0 = ((struct fnptr *)kretprobe_trampoline)->ip;
+ regs->b0 = (unsigned long)dereference_function_descriptor(kretprobe_trampoline);
}
/* Check the instruction in the slot is break */
@@ -902,14 +903,14 @@ static struct kprobe trampoline_p = {
int __init arch_init_kprobes(void)
{
trampoline_p.addr =
- (kprobe_opcode_t *)((struct fnptr *)kretprobe_trampoline)->ip;
+ dereference_function_descriptor(kretprobe_trampoline);
return register_kprobe(&trampoline_p);
}
int __kprobes arch_trampoline_kprobe(struct kprobe *p)
{
if (p->addr ==
- (kprobe_opcode_t *)((struct fnptr *)kretprobe_trampoline)->ip)
+ dereference_function_descriptor(kretprobe_trampoline))
return 1;
return 0;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 069/917] selinux: fix race condition when computing ocontext SIDs
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 068/917] ia64: kprobes: Fix to pass correct trampoline address to the handler Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 070/917] ipmi:watchdog: Set panic count to proper value on a panic Greg Kroah-Hartman
` (850 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Xinjie Zheng, Sujithra Periasamy,
Ondrej Mosnacek, Paul Moore
From: Ondrej Mosnacek <omosnace@redhat.com>
commit cbfcd13be5cb2a07868afe67520ed181956579a7 upstream.
Current code contains a lot of racy patterns when converting an
ocontext's context structure to an SID. This is being done in a "lazy"
fashion, such that the SID is looked up in the SID table only when it's
first needed and then cached in the "sid" field of the ocontext
structure. However, this is done without any locking or memory barriers
and is thus unsafe.
Between commits 24ed7fdae669 ("selinux: use separate table for initial
SID lookup") and 66f8e2f03c02 ("selinux: sidtab reverse lookup hash
table"), this race condition lead to an actual observable bug, because a
pointer to the shared sid field was passed directly to
sidtab_context_to_sid(), which was using this location to also store an
intermediate value, which could have been read by other threads and
interpreted as an SID. In practice this caused e.g. new mounts to get a
wrong (seemingly random) filesystem context, leading to strange denials.
This bug has been spotted in the wild at least twice, see [1] and [2].
Fix the race condition by making all the racy functions use a common
helper that ensures the ocontext::sid accesses are made safely using the
appropriate SMP constructs.
Note that security_netif_sid() was populating the sid field of both
contexts stored in the ocontext, but only the first one was actually
used. The SELinux wiki's documentation on the "netifcon" policy
statement [3] suggests that using only the first context is intentional.
I kept only the handling of the first context here, as there is really
no point in doing the SID lookup for the unused one.
I wasn't able to reproduce the bug mentioned above on any kernel that
includes commit 66f8e2f03c02, even though it has been reported that the
issue occurs with that commit, too, just less frequently. Thus, I wasn't
able to verify that this patch fixes the issue, but it makes sense to
avoid the race condition regardless.
[1] https://github.com/containers/container-selinux/issues/89
[2] https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org/thread/6DMTAMHIOAOEMUAVTULJD45JZU7IBAFM/
[3] https://selinuxproject.org/page/NetworkStatements#netifcon
Cc: stable@vger.kernel.org
Cc: Xinjie Zheng <xinjie@google.com>
Reported-by: Sujithra Periasamy <sujithra@google.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/selinux/ss/services.c | 162 +++++++++++++++++++----------------------
1 file changed, 77 insertions(+), 85 deletions(-)
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2377,6 +2377,43 @@ err_policy:
}
/**
+ * ocontext_to_sid - Helper to safely get sid for an ocontext
+ * @sidtab: SID table
+ * @c: ocontext structure
+ * @index: index of the context entry (0 or 1)
+ * @out_sid: pointer to the resulting SID value
+ *
+ * For all ocontexts except OCON_ISID the SID fields are populated
+ * on-demand when needed. Since updating the SID value is an SMP-sensitive
+ * operation, this helper must be used to do that safely.
+ *
+ * WARNING: This function may return -ESTALE, indicating that the caller
+ * must retry the operation after re-acquiring the policy pointer!
+ */
+static int ocontext_to_sid(struct sidtab *sidtab, struct ocontext *c,
+ size_t index, u32 *out_sid)
+{
+ int rc;
+ u32 sid;
+
+ /* Ensure the associated sidtab entry is visible to this thread. */
+ sid = smp_load_acquire(&c->sid[index]);
+ if (!sid) {
+ rc = sidtab_context_to_sid(sidtab, &c->context[index], &sid);
+ if (rc)
+ return rc;
+
+ /*
+ * Ensure the new sidtab entry is visible to other threads
+ * when they see the SID.
+ */
+ smp_store_release(&c->sid[index], sid);
+ }
+ *out_sid = sid;
+ return 0;
+}
+
+/**
* security_port_sid - Obtain the SID for a port.
* @state: SELinux state
* @protocol: protocol number
@@ -2414,17 +2451,13 @@ retry:
}
if (c) {
- if (!c->sid[0]) {
- rc = sidtab_context_to_sid(sidtab, &c->context[0],
- &c->sid[0]);
- if (rc == -ESTALE) {
- rcu_read_unlock();
- goto retry;
- }
- if (rc)
- goto out;
+ rc = ocontext_to_sid(sidtab, c, 0, out_sid);
+ if (rc == -ESTALE) {
+ rcu_read_unlock();
+ goto retry;
}
- *out_sid = c->sid[0];
+ if (rc)
+ goto out;
} else {
*out_sid = SECINITSID_PORT;
}
@@ -2473,18 +2506,13 @@ retry:
}
if (c) {
- if (!c->sid[0]) {
- rc = sidtab_context_to_sid(sidtab,
- &c->context[0],
- &c->sid[0]);
- if (rc == -ESTALE) {
- rcu_read_unlock();
- goto retry;
- }
- if (rc)
- goto out;
+ rc = ocontext_to_sid(sidtab, c, 0, out_sid);
+ if (rc == -ESTALE) {
+ rcu_read_unlock();
+ goto retry;
}
- *out_sid = c->sid[0];
+ if (rc)
+ goto out;
} else
*out_sid = SECINITSID_UNLABELED;
@@ -2533,17 +2561,13 @@ retry:
}
if (c) {
- if (!c->sid[0]) {
- rc = sidtab_context_to_sid(sidtab, &c->context[0],
- &c->sid[0]);
- if (rc == -ESTALE) {
- rcu_read_unlock();
- goto retry;
- }
- if (rc)
- goto out;
+ rc = ocontext_to_sid(sidtab, c, 0, out_sid);
+ if (rc == -ESTALE) {
+ rcu_read_unlock();
+ goto retry;
}
- *out_sid = c->sid[0];
+ if (rc)
+ goto out;
} else
*out_sid = SECINITSID_UNLABELED;
@@ -2587,25 +2611,13 @@ retry:
}
if (c) {
- if (!c->sid[0] || !c->sid[1]) {
- rc = sidtab_context_to_sid(sidtab, &c->context[0],
- &c->sid[0]);
- if (rc == -ESTALE) {
- rcu_read_unlock();
- goto retry;
- }
- if (rc)
- goto out;
- rc = sidtab_context_to_sid(sidtab, &c->context[1],
- &c->sid[1]);
- if (rc == -ESTALE) {
- rcu_read_unlock();
- goto retry;
- }
- if (rc)
- goto out;
+ rc = ocontext_to_sid(sidtab, c, 0, if_sid);
+ if (rc == -ESTALE) {
+ rcu_read_unlock();
+ goto retry;
}
- *if_sid = c->sid[0];
+ if (rc)
+ goto out;
} else
*if_sid = SECINITSID_NETIF;
@@ -2697,18 +2709,13 @@ retry:
}
if (c) {
- if (!c->sid[0]) {
- rc = sidtab_context_to_sid(sidtab,
- &c->context[0],
- &c->sid[0]);
- if (rc == -ESTALE) {
- rcu_read_unlock();
- goto retry;
- }
- if (rc)
- goto out;
+ rc = ocontext_to_sid(sidtab, c, 0, out_sid);
+ if (rc == -ESTALE) {
+ rcu_read_unlock();
+ goto retry;
}
- *out_sid = c->sid[0];
+ if (rc)
+ goto out;
} else {
*out_sid = SECINITSID_NODE;
}
@@ -2873,7 +2880,7 @@ static inline int __security_genfs_sid(s
u16 sclass;
struct genfs *genfs;
struct ocontext *c;
- int rc, cmp = 0;
+ int cmp = 0;
while (path[0] == '/' && path[1] == '/')
path++;
@@ -2887,9 +2894,8 @@ static inline int __security_genfs_sid(s
break;
}
- rc = -ENOENT;
if (!genfs || cmp)
- goto out;
+ return -ENOENT;
for (c = genfs->head; c; c = c->next) {
len = strlen(c->u.name);
@@ -2898,20 +2904,10 @@ static inline int __security_genfs_sid(s
break;
}
- rc = -ENOENT;
if (!c)
- goto out;
+ return -ENOENT;
- if (!c->sid[0]) {
- rc = sidtab_context_to_sid(sidtab, &c->context[0], &c->sid[0]);
- if (rc)
- goto out;
- }
-
- *sid = c->sid[0];
- rc = 0;
-out:
- return rc;
+ return ocontext_to_sid(sidtab, c, 0, sid);
}
/**
@@ -2996,17 +2992,13 @@ retry:
if (c) {
sbsec->behavior = c->v.behavior;
- if (!c->sid[0]) {
- rc = sidtab_context_to_sid(sidtab, &c->context[0],
- &c->sid[0]);
- if (rc == -ESTALE) {
- rcu_read_unlock();
- goto retry;
- }
- if (rc)
- goto out;
+ rc = ocontext_to_sid(sidtab, c, 0, &sbsec->sid);
+ if (rc == -ESTALE) {
+ rcu_read_unlock();
+ goto retry;
}
- sbsec->sid = c->sid[0];
+ if (rc)
+ goto out;
} else {
rc = __security_genfs_sid(policy, fstype, "/",
SECCLASS_DIR, &sbsec->sid);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 070/917] ipmi:watchdog: Set panic count to proper value on a panic
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 069/917] selinux: fix race condition when computing ocontext SIDs Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 071/917] md/raid1: only allocate write behind bio for WriteMostly device Greg Kroah-Hartman
` (849 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Anton Lundin, Corey Minyard, Stable
From: Corey Minyard <cminyard@mvista.com>
commit db05ddf7f321634c5659a0cf7ea56594e22365f7 upstream.
You will get two decrements when the messages on a panic are sent, not
one, since commit 2033f6858970 ("ipmi: Free receive messages when in an
oops") was added, but the watchdog code had a bug where it didn't set
the value properly.
Reported-by: Anton Lundin <glance@acc.umu.se>
Cc: <Stable@vger.kernel.org> # v5.4+
Fixes: 2033f6858970 ("ipmi: Free receive messages when in an oops")
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/ipmi/ipmi_watchdog.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/char/ipmi/ipmi_watchdog.c
+++ b/drivers/char/ipmi/ipmi_watchdog.c
@@ -497,7 +497,7 @@ static void panic_halt_ipmi_heartbeat(vo
msg.cmd = IPMI_WDOG_RESET_TIMER;
msg.data = NULL;
msg.data_len = 0;
- atomic_inc(&panic_done_count);
+ atomic_add(2, &panic_done_count);
rv = ipmi_request_supply_msgs(watchdog_user,
(struct ipmi_addr *) &addr,
0,
@@ -507,7 +507,7 @@ static void panic_halt_ipmi_heartbeat(vo
&panic_halt_heartbeat_recv_msg,
1);
if (rv)
- atomic_dec(&panic_done_count);
+ atomic_sub(2, &panic_done_count);
}
static struct ipmi_smi_msg panic_halt_smi_msg = {
@@ -531,12 +531,12 @@ static void panic_halt_ipmi_set_timeout(
/* Wait for the messages to be free. */
while (atomic_read(&panic_done_count) != 0)
ipmi_poll_interface(watchdog_user);
- atomic_inc(&panic_done_count);
+ atomic_add(2, &panic_done_count);
rv = __ipmi_set_timeout(&panic_halt_smi_msg,
&panic_halt_recv_msg,
&send_heartbeat_now);
if (rv) {
- atomic_dec(&panic_done_count);
+ atomic_sub(2, &panic_done_count);
pr_warn("Unable to extend the watchdog timeout\n");
} else {
if (send_heartbeat_now)
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 071/917] md/raid1: only allocate write behind bio for WriteMostly device
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 070/917] ipmi:watchdog: Set panic count to proper value on a panic Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 072/917] hwmon: (pmbus/lm25066) Add offset coefficients Greg Kroah-Hartman
` (848 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jens Stutte, Guoqing Jiang, Song Liu,
Jens Axboe
From: Guoqing Jiang <guoqing.jiang@linux.dev>
commit fd3b6975e9c11c4fa00965f82a0bfbb3b7b44101 upstream.
Commit 6607cd319b6b91bff94e90f798a61c031650b514 ("raid1: ensure write
behind bio has less than BIO_MAX_VECS sectors") tried to guarantee the
size of behind bio is not bigger than BIO_MAX_VECS sectors.
Unfortunately the same calltrace still could happen since an array could
enable write-behind without write mostly device.
To match the manpage of mdadm (which says "write-behind is only attempted
on drives marked as write-mostly"), we need to check WriteMostly flag to
avoid such unexpected behavior.
[1]. https://bugzilla.kernel.org/show_bug.cgi?id=213181#c25
Cc: stable@vger.kernel.org # v5.12+
Cc: Jens Stutte <jens@chianterastutte.eu>
Reported-by: Jens Stutte <jens@chianterastutte.eu>
Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev>
Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/raid1.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -1496,7 +1496,7 @@ static void raid1_write_request(struct m
if (!r1_bio->bios[i])
continue;
- if (first_clone) {
+ if (first_clone && test_bit(WriteMostly, &rdev->flags)) {
/* do behind I/O ?
* Not if there are too many, or cannot
* allocate memory, or a reader on WriteMostly
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 072/917] hwmon: (pmbus/lm25066) Add offset coefficients
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 071/917] md/raid1: only allocate write behind bio for WriteMostly device Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 073/917] regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled Greg Kroah-Hartman
` (847 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zev Weiss, Guenter Roeck
From: Zev Weiss <zev@bewilderbeest.net>
commit ae59dc455a78fb73034dd1fbb337d7e59c27cbd8 upstream.
With the exception of the lm5066i, all the devices handled by this
driver had been missing their offset ('b') coefficients for direct
format readings.
Cc: stable@vger.kernel.org
Fixes: 58615a94f6a1 ("hwmon: (pmbus/lm25066) Add support for LM25056")
Fixes: e53e6497fc9f ("hwmon: (pmbus/lm25066) Refactor device specific coefficients")
Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
Link: https://lore.kernel.org/r/20210928092242.30036-2-zev@bewilderbeest.net
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/lm25066.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
--- a/drivers/hwmon/pmbus/lm25066.c
+++ b/drivers/hwmon/pmbus/lm25066.c
@@ -55,22 +55,27 @@ static struct __coeff lm25066_coeff[6][P
[lm25056] = {
[PSC_VOLTAGE_IN] = {
.m = 16296,
+ .b = 1343,
.R = -2,
},
[PSC_CURRENT_IN] = {
.m = 13797,
+ .b = -1833,
.R = -2,
},
[PSC_CURRENT_IN_L] = {
.m = 6726,
+ .b = -537,
.R = -2,
},
[PSC_POWER] = {
.m = 5501,
+ .b = -2908,
.R = -3,
},
[PSC_POWER_L] = {
.m = 26882,
+ .b = -5646,
.R = -4,
},
[PSC_TEMPERATURE] = {
@@ -82,26 +87,32 @@ static struct __coeff lm25066_coeff[6][P
[lm25066] = {
[PSC_VOLTAGE_IN] = {
.m = 22070,
+ .b = -1800,
.R = -2,
},
[PSC_VOLTAGE_OUT] = {
.m = 22070,
+ .b = -1800,
.R = -2,
},
[PSC_CURRENT_IN] = {
.m = 13661,
+ .b = -5200,
.R = -2,
},
[PSC_CURRENT_IN_L] = {
.m = 6852,
+ .b = -3100,
.R = -2,
},
[PSC_POWER] = {
.m = 736,
+ .b = -3300,
.R = -2,
},
[PSC_POWER_L] = {
.m = 369,
+ .b = -1900,
.R = -2,
},
[PSC_TEMPERATURE] = {
@@ -111,26 +122,32 @@ static struct __coeff lm25066_coeff[6][P
[lm5064] = {
[PSC_VOLTAGE_IN] = {
.m = 4611,
+ .b = -642,
.R = -2,
},
[PSC_VOLTAGE_OUT] = {
.m = 4621,
+ .b = 423,
.R = -2,
},
[PSC_CURRENT_IN] = {
.m = 10742,
+ .b = 1552,
.R = -2,
},
[PSC_CURRENT_IN_L] = {
.m = 5456,
+ .b = 2118,
.R = -2,
},
[PSC_POWER] = {
.m = 1204,
+ .b = 8524,
.R = -3,
},
[PSC_POWER_L] = {
.m = 612,
+ .b = 11202,
.R = -3,
},
[PSC_TEMPERATURE] = {
@@ -140,26 +157,32 @@ static struct __coeff lm25066_coeff[6][P
[lm5066] = {
[PSC_VOLTAGE_IN] = {
.m = 4587,
+ .b = -1200,
.R = -2,
},
[PSC_VOLTAGE_OUT] = {
.m = 4587,
+ .b = -2400,
.R = -2,
},
[PSC_CURRENT_IN] = {
.m = 10753,
+ .b = -1200,
.R = -2,
},
[PSC_CURRENT_IN_L] = {
.m = 5405,
+ .b = -600,
.R = -2,
},
[PSC_POWER] = {
.m = 1204,
+ .b = -6000,
.R = -3,
},
[PSC_POWER_L] = {
.m = 605,
+ .b = -8000,
.R = -3,
},
[PSC_TEMPERATURE] = {
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 073/917] regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 072/917] hwmon: (pmbus/lm25066) Add offset coefficients Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 074/917] regulator: dt-bindings: samsung,s5m8767: correct s5m8767,pmic-buck-default-dvs-idx property Greg Kroah-Hartman
` (846 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Rob Herring, Mark Brown
From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
commit b16bef60a9112b1e6daf3afd16484eb06e7ce792 upstream.
The driver and its bindings, before commit 04f9f068a619 ("regulator:
s5m8767: Modify parsing method of the voltage table of buck2/3/4") were
requiring to provide at least one safe/default voltage for DVS registers
if DVS GPIO is not being enabled.
IOW, if s5m8767,pmic-buck2-uses-gpio-dvs is missing, the
s5m8767,pmic-buck2-dvs-voltage should still be present and contain one
voltage.
This requirement was coming from driver behavior matching this condition
(none of DVS GPIO is enabled): it was always initializing the DVS
selector pins to 0 and keeping the DVS enable setting at reset value
(enabled). Therefore if none of DVS GPIO is enabled in devicetree,
driver was configuring the first DVS voltage for buck[234].
Mentioned commit 04f9f068a619 ("regulator: s5m8767: Modify parsing
method of the voltage table of buck2/3/4") broke it because DVS voltage
won't be parsed from devicetree if DVS GPIO is not enabled. After the
change, driver will configure bucks to use the register reset value as
voltage which might have unpleasant effects.
Fix this by relaxing the bindings constrain: if DVS GPIO is not enabled
in devicetree (therefore DVS voltage is also not parsed), explicitly
disable it.
Cc: <stable@vger.kernel.org>
Fixes: 04f9f068a619 ("regulator: s5m8767: Modify parsing method of the voltage table of buck2/3/4")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Acked-by: Rob Herring <robh@kernel.org>
Message-Id: <20211008113723.134648-2-krzysztof.kozlowski@canonical.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/regulator/samsung,s5m8767.txt | 21 +++-------
drivers/regulator/s5m8767.c | 21 ++++------
2 files changed, 17 insertions(+), 25 deletions(-)
--- a/Documentation/devicetree/bindings/regulator/samsung,s5m8767.txt
+++ b/Documentation/devicetree/bindings/regulator/samsung,s5m8767.txt
@@ -13,6 +13,14 @@ common regulator binding documented in:
Required properties of the main device node (the parent!):
+ - s5m8767,pmic-buck-ds-gpios: GPIO specifiers for three host gpio's used
+ for selecting GPIO DVS lines. It is one-to-one mapped to dvs gpio lines.
+
+ [1] If either of the 's5m8767,pmic-buck[2/3/4]-uses-gpio-dvs' optional
+ property is specified, then all the eight voltage values for the
+ 's5m8767,pmic-buck[2/3/4]-dvs-voltage' should be specified.
+
+Optional properties of the main device node (the parent!):
- s5m8767,pmic-buck2-dvs-voltage: A set of 8 voltage values in micro-volt (uV)
units for buck2 when changing voltage using gpio dvs. Refer to [1] below
for additional information.
@@ -25,19 +33,6 @@ Required properties of the main device n
units for buck4 when changing voltage using gpio dvs. Refer to [1] below
for additional information.
- - s5m8767,pmic-buck-ds-gpios: GPIO specifiers for three host gpio's used
- for selecting GPIO DVS lines. It is one-to-one mapped to dvs gpio lines.
-
- [1] If none of the 's5m8767,pmic-buck[2/3/4]-uses-gpio-dvs' optional
- property is specified, the 's5m8767,pmic-buck[2/3/4]-dvs-voltage'
- property should specify atleast one voltage level (which would be a
- safe operating voltage).
-
- If either of the 's5m8767,pmic-buck[2/3/4]-uses-gpio-dvs' optional
- property is specified, then all the eight voltage values for the
- 's5m8767,pmic-buck[2/3/4]-dvs-voltage' should be specified.
-
-Optional properties of the main device node (the parent!):
- s5m8767,pmic-buck2-uses-gpio-dvs: 'buck2' can be controlled by gpio dvs.
- s5m8767,pmic-buck3-uses-gpio-dvs: 'buck3' can be controlled by gpio dvs.
- s5m8767,pmic-buck4-uses-gpio-dvs: 'buck4' can be controlled by gpio dvs.
--- a/drivers/regulator/s5m8767.c
+++ b/drivers/regulator/s5m8767.c
@@ -850,18 +850,15 @@ static int s5m8767_pmic_probe(struct pla
/* DS4 GPIO */
gpio_direction_output(pdata->buck_ds[2], 0x0);
- if (pdata->buck2_gpiodvs || pdata->buck3_gpiodvs ||
- pdata->buck4_gpiodvs) {
- regmap_update_bits(s5m8767->iodev->regmap_pmic,
- S5M8767_REG_BUCK2CTRL, 1 << 1,
- (pdata->buck2_gpiodvs) ? (1 << 1) : (0 << 1));
- regmap_update_bits(s5m8767->iodev->regmap_pmic,
- S5M8767_REG_BUCK3CTRL, 1 << 1,
- (pdata->buck3_gpiodvs) ? (1 << 1) : (0 << 1));
- regmap_update_bits(s5m8767->iodev->regmap_pmic,
- S5M8767_REG_BUCK4CTRL, 1 << 1,
- (pdata->buck4_gpiodvs) ? (1 << 1) : (0 << 1));
- }
+ regmap_update_bits(s5m8767->iodev->regmap_pmic,
+ S5M8767_REG_BUCK2CTRL, 1 << 1,
+ (pdata->buck2_gpiodvs) ? (1 << 1) : (0 << 1));
+ regmap_update_bits(s5m8767->iodev->regmap_pmic,
+ S5M8767_REG_BUCK3CTRL, 1 << 1,
+ (pdata->buck3_gpiodvs) ? (1 << 1) : (0 << 1));
+ regmap_update_bits(s5m8767->iodev->regmap_pmic,
+ S5M8767_REG_BUCK4CTRL, 1 << 1,
+ (pdata->buck4_gpiodvs) ? (1 << 1) : (0 << 1));
/* Initialize GPIO DVS registers */
for (i = 0; i < 8; i++) {
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 074/917] regulator: dt-bindings: samsung,s5m8767: correct s5m8767,pmic-buck-default-dvs-idx property
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 073/917] regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 075/917] EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell Greg Kroah-Hartman
` (845 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Rob Herring, Mark Brown
From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
commit a7fda04bc9b6ad9da8e19c9e6e3b1dab773d068a upstream.
The driver was always parsing "s5m8767,pmic-buck-default-dvs-idx", not
"s5m8767,pmic-buck234-default-dvs-idx".
Cc: <stable@vger.kernel.org>
Fixes: 26aec009f6b6 ("regulator: add device tree support for s5m8767")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Acked-by: Rob Herring <robh@kernel.org>
Message-Id: <20211008113723.134648-3-krzysztof.kozlowski@canonical.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/regulator/samsung,s5m8767.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Documentation/devicetree/bindings/regulator/samsung,s5m8767.txt
+++ b/Documentation/devicetree/bindings/regulator/samsung,s5m8767.txt
@@ -39,7 +39,7 @@ Optional properties of the main device n
Additional properties required if either of the optional properties are used:
- - s5m8767,pmic-buck234-default-dvs-idx: Default voltage setting selected from
+ - s5m8767,pmic-buck-default-dvs-idx: Default voltage setting selected from
the possible 8 options selectable by the dvs gpios. The value of this
property should be between 0 and 7. If not specified or if out of range, the
default value of this property is set to 0.
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 075/917] EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 074/917] regulator: dt-bindings: samsung,s5m8767: correct s5m8767,pmic-buck-default-dvs-idx property Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 076/917] mwifiex: fix division by zero in fw download path Greg Kroah-Hartman
` (844 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Meeta Saggi, Eric Badger, Tony Luck
From: Eric Badger <ebadger@purestorage.com>
commit 537bddd069c743759addf422d0b8f028ff0f8dbc upstream.
The computation of TOHM is off by one bit. This missed bit results in
too low a value for TOHM, which can cause errors in regular memory to
incorrectly report:
EDAC MC0: 1 CE Error at MMIOH area, on addr 0x000000207fffa680 on any memory
Fixes: 50d1bb93672f ("sb_edac: add support for Haswell based systems")
Cc: stable@vger.kernel.org
Reported-by: Meeta Saggi <msaggi@purestorage.com>
Signed-off-by: Eric Badger <ebadger@purestorage.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Link: https://lore.kernel.org/r/20211010170127.848113-1-ebadger@purestorage.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/edac/sb_edac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/edac/sb_edac.c
+++ b/drivers/edac/sb_edac.c
@@ -1052,7 +1052,7 @@ static u64 haswell_get_tohm(struct sbrid
pci_read_config_dword(pvt->info.pci_vtd, HASWELL_TOHM_1, ®);
rc = ((reg << 6) | rc) << 26;
- return rc | 0x1ffffff;
+ return rc | 0x3ffffff;
}
static u64 knl_get_tolm(struct sbridge_pvt *pvt)
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 076/917] mwifiex: fix division by zero in fw download path
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 075/917] EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 077/917] ath6kl: fix division by zero in send path Greg Kroah-Hartman
` (843 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Amitkumar Karwar, Johan Hovold,
Brian Norris, Kalle Valo
From: Johan Hovold <johan@kernel.org>
commit 89f8765a11d8df49296d92c404067f9b5c58ee26 upstream.
Add the missing endpoint sanity checks to probe() to avoid division by
zero in mwifiex_write_data_sync() in case a malicious device has broken
descriptors (or when doing descriptor fuzz testing).
Only add checks for the firmware-download boot stage, which require both
command endpoints, for now. The driver looks like it will handle a
missing endpoint during normal operation without oopsing, albeit not
very gracefully as it will try to submit URBs to the default pipe and
fail.
Note that USB core will reject URBs submitted for endpoints with zero
wMaxPacketSize but that drivers doing packet-size calculations still
need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
endpoint descriptors with maxpacket=0")).
Fixes: 4daffe354366 ("mwifiex: add support for Marvell USB8797 chipset")
Cc: stable@vger.kernel.org # 3.5
Cc: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20211027080819.6675-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/marvell/mwifiex/usb.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/drivers/net/wireless/marvell/mwifiex/usb.c
+++ b/drivers/net/wireless/marvell/mwifiex/usb.c
@@ -505,6 +505,22 @@ static int mwifiex_usb_probe(struct usb_
}
}
+ switch (card->usb_boot_state) {
+ case USB8XXX_FW_DNLD:
+ /* Reject broken descriptors. */
+ if (!card->rx_cmd_ep || !card->tx_cmd_ep)
+ return -ENODEV;
+ if (card->bulk_out_maxpktsize == 0)
+ return -ENODEV;
+ break;
+ case USB8XXX_FW_READY:
+ /* Assume the driver can handle missing endpoints for now. */
+ break;
+ default:
+ WARN_ON(1);
+ return -ENODEV;
+ }
+
usb_set_intfdata(intf, card);
ret = mwifiex_add_card(card, &card->fw_done, &usb_ops,
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 077/917] ath6kl: fix division by zero in send path
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 076/917] mwifiex: fix division by zero in fw download path Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 078/917] ath6kl: fix control-message timeout Greg Kroah-Hartman
` (842 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Kalle Valo
From: Johan Hovold <johan@kernel.org>
commit c1b9ca365deae667192be9fe24db244919971234 upstream.
Add the missing endpoint max-packet sanity check to probe() to avoid
division by zero in ath10k_usb_hif_tx_sg() in case a malicious device
has broken descriptors (or when doing descriptor fuzz testing).
Note that USB core will reject URBs submitted for endpoints with zero
wMaxPacketSize but that drivers doing packet-size calculations still
need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
endpoint descriptors with maxpacket=0")).
Fixes: 9cbee358687e ("ath6kl: add full USB support")
Cc: stable@vger.kernel.org # 3.5
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20211027080819.6675-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath6kl/usb.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/net/wireless/ath/ath6kl/usb.c
+++ b/drivers/net/wireless/ath/ath6kl/usb.c
@@ -340,6 +340,11 @@ static int ath6kl_usb_setup_pipe_resourc
le16_to_cpu(endpoint->wMaxPacketSize),
endpoint->bInterval);
}
+
+ /* Ignore broken descriptors. */
+ if (usb_endpoint_maxp(endpoint) == 0)
+ continue;
+
urbcount = 0;
pipe_num =
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 078/917] ath6kl: fix control-message timeout
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 077/917] ath6kl: fix division by zero in send path Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 079/917] ath10k: " Greg Kroah-Hartman
` (841 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Kalle Valo
From: Johan Hovold <johan@kernel.org>
commit a066d28a7e729f808a3e6eff22e70c003091544e upstream.
USB control-message timeouts are specified in milliseconds and should
specifically not vary with CONFIG_HZ.
Fixes: 241b128b6b69 ("ath6kl: add back beginnings of USB support")
Cc: stable@vger.kernel.org # 3.4
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20211025120522.6045-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath6kl/usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/ath/ath6kl/usb.c
+++ b/drivers/net/wireless/ath/ath6kl/usb.c
@@ -912,7 +912,7 @@ static int ath6kl_usb_submit_ctrl_in(str
req,
USB_DIR_IN | USB_TYPE_VENDOR |
USB_RECIP_DEVICE, value, index, buf,
- size, 2 * HZ);
+ size, 2000);
if (ret < 0) {
ath6kl_warn("Failed to read usb control message: %d\n", ret);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 079/917] ath10k: fix control-message timeout
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 078/917] ath6kl: fix control-message timeout Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 080/917] ath10k: fix division by zero in send path Greg Kroah-Hartman
` (840 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Erik Stromdahl, Johan Hovold, Kalle Valo
From: Johan Hovold <johan@kernel.org>
commit 5286132324230168d3fab6ffc16bfd7de85bdfb4 upstream.
USB control-message timeouts are specified in milliseconds and should
specifically not vary with CONFIG_HZ.
Fixes: 4db66499df91 ("ath10k: add initial USB support")
Cc: stable@vger.kernel.org # 4.14
Cc: Erik Stromdahl <erik.stromdahl@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20211025120522.6045-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath10k/usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/ath/ath10k/usb.c
+++ b/drivers/net/wireless/ath/ath10k/usb.c
@@ -525,7 +525,7 @@ static int ath10k_usb_submit_ctrl_in(str
req,
USB_DIR_IN | USB_TYPE_VENDOR |
USB_RECIP_DEVICE, value, index, buf,
- size, 2 * HZ);
+ size, 2000);
if (ret < 0) {
ath10k_warn(ar, "Failed to read usb control message: %d\n",
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 080/917] ath10k: fix division by zero in send path
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 079/917] ath10k: " Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 081/917] PCI: Mark Atheros QCA6174 to avoid bus reset Greg Kroah-Hartman
` (839 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Erik Stromdahl, Johan Hovold, Kalle Valo
From: Johan Hovold <johan@kernel.org>
commit a006acb931317aad3a8dd41333ebb0453caf49b8 upstream.
Add the missing endpoint max-packet sanity check to probe() to avoid
division by zero in ath10k_usb_hif_tx_sg() in case a malicious device
has broken descriptors (or when doing descriptor fuzz testing).
Note that USB core will reject URBs submitted for endpoints with zero
wMaxPacketSize but that drivers doing packet-size calculations still
need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
endpoint descriptors with maxpacket=0")).
Fixes: 4db66499df91 ("ath10k: add initial USB support")
Cc: stable@vger.kernel.org # 4.14
Cc: Erik Stromdahl <erik.stromdahl@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20211027080819.6675-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath10k/usb.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/net/wireless/ath/ath10k/usb.c
+++ b/drivers/net/wireless/ath/ath10k/usb.c
@@ -853,6 +853,11 @@ static int ath10k_usb_setup_pipe_resourc
le16_to_cpu(endpoint->wMaxPacketSize),
endpoint->bInterval);
}
+
+ /* Ignore broken descriptors. */
+ if (usb_endpoint_maxp(endpoint) == 0)
+ continue;
+
urbcount = 0;
pipe_num =
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 081/917] PCI: Mark Atheros QCA6174 to avoid bus reset
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 080/917] ath10k: fix division by zero in send path Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 082/917] rtl8187: fix control-message timeouts Greg Kroah-Hartman
` (838 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ingmar Klein, Bjorn Helgaas, Pali Rohár
From: Ingmar Klein <ingmar_klein@web.de>
commit e3f4bd3462f6f796594ecc0dda7144ed2d1e5a26 upstream.
When passing the Atheros QCA6174 through to a virtual machine, the VM hangs
at the point where the ath10k driver loads.
Add a quirk to avoid bus resets on this device, which avoids the hang.
[bhelgaas: commit log]
Link: https://lore.kernel.org/r/08982e05-b6e8-5a8d-24ab-da1488ee50a8@web.de
Signed-off-by: Ingmar Klein <ingmar_klein@web.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Pali Rohár <pali@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/quirks.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -3612,6 +3612,7 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_A
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, quirk_no_bus_reset);
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0033, quirk_no_bus_reset);
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0034, quirk_no_bus_reset);
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003e, quirk_no_bus_reset);
/*
* Root port on some Cavium CN8xxx chips do not successfully complete a bus
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 082/917] rtl8187: fix control-message timeouts
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 081/917] PCI: Mark Atheros QCA6174 to avoid bus reset Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 083/917] evm: mark evm_fixmode as __ro_after_init Greg Kroah-Hartman
` (837 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Kalle Valo
From: Johan Hovold <johan@kernel.org>
commit 2e9be536a213e838daed6ba42024dd68954ac061 upstream.
USB control-message timeouts are specified in milliseconds and should
specifically not vary with CONFIG_HZ.
Fixes: 605bebe23bf6 ("[PATCH] Add rtl8187 wireless driver")
Cc: stable@vger.kernel.org # 2.6.23
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20211025120522.6045-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtl818x/rtl8187/rtl8225.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/rtl8225.c
+++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/rtl8225.c
@@ -28,7 +28,7 @@ u8 rtl818x_ioread8_idx(struct rtl8187_pr
usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0),
RTL8187_REQ_GET_REG, RTL8187_REQT_READ,
(unsigned long)addr, idx & 0x03,
- &priv->io_dmabuf->bits8, sizeof(val), HZ / 2);
+ &priv->io_dmabuf->bits8, sizeof(val), 500);
val = priv->io_dmabuf->bits8;
mutex_unlock(&priv->io_mutex);
@@ -45,7 +45,7 @@ u16 rtl818x_ioread16_idx(struct rtl8187_
usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0),
RTL8187_REQ_GET_REG, RTL8187_REQT_READ,
(unsigned long)addr, idx & 0x03,
- &priv->io_dmabuf->bits16, sizeof(val), HZ / 2);
+ &priv->io_dmabuf->bits16, sizeof(val), 500);
val = priv->io_dmabuf->bits16;
mutex_unlock(&priv->io_mutex);
@@ -62,7 +62,7 @@ u32 rtl818x_ioread32_idx(struct rtl8187_
usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0),
RTL8187_REQ_GET_REG, RTL8187_REQT_READ,
(unsigned long)addr, idx & 0x03,
- &priv->io_dmabuf->bits32, sizeof(val), HZ / 2);
+ &priv->io_dmabuf->bits32, sizeof(val), 500);
val = priv->io_dmabuf->bits32;
mutex_unlock(&priv->io_mutex);
@@ -79,7 +79,7 @@ void rtl818x_iowrite8_idx(struct rtl8187
usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0),
RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE,
(unsigned long)addr, idx & 0x03,
- &priv->io_dmabuf->bits8, sizeof(val), HZ / 2);
+ &priv->io_dmabuf->bits8, sizeof(val), 500);
mutex_unlock(&priv->io_mutex);
}
@@ -93,7 +93,7 @@ void rtl818x_iowrite16_idx(struct rtl818
usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0),
RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE,
(unsigned long)addr, idx & 0x03,
- &priv->io_dmabuf->bits16, sizeof(val), HZ / 2);
+ &priv->io_dmabuf->bits16, sizeof(val), 500);
mutex_unlock(&priv->io_mutex);
}
@@ -107,7 +107,7 @@ void rtl818x_iowrite32_idx(struct rtl818
usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0),
RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE,
(unsigned long)addr, idx & 0x03,
- &priv->io_dmabuf->bits32, sizeof(val), HZ / 2);
+ &priv->io_dmabuf->bits32, sizeof(val), 500);
mutex_unlock(&priv->io_mutex);
}
@@ -183,7 +183,7 @@ static void rtl8225_write_8051(struct ie
usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0),
RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE,
addr, 0x8225, &priv->io_dmabuf->bits16, sizeof(data),
- HZ / 2);
+ 500);
mutex_unlock(&priv->io_mutex);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 083/917] evm: mark evm_fixmode as __ro_after_init
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 082/917] rtl8187: fix control-message timeouts Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:52 ` [PATCH 5.15 084/917] ifb: Depend on netfilter alternatively to tc Greg Kroah-Hartman
` (836 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Austin Kim, Mimi Zohar
From: Austin Kim <austin.kim@lge.com>
commit 32ba540f3c2a7ef61ed5a577ce25069a3d714fc9 upstream.
The evm_fixmode is only configurable by command-line option and it is never
modified outside initcalls, so declaring it with __ro_after_init is better.
Signed-off-by: Austin Kim <austin.kim@lge.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/integrity/evm/evm_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -78,7 +78,7 @@ static struct xattr_list evm_config_defa
LIST_HEAD(evm_config_xattrnames);
-static int evm_fixmode;
+static int evm_fixmode __ro_after_init;
static int __init evm_set_fixmode(char *str)
{
if (strncmp(str, "fix", 3) == 0)
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 084/917] ifb: Depend on netfilter alternatively to tc
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 083/917] evm: mark evm_fixmode as __ro_after_init Greg Kroah-Hartman
@ 2021-11-15 16:52 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 085/917] platform/surface: aggregator_registry: Add support for Surface Laptop Studio Greg Kroah-Hartman
` (835 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:52 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lukas Wunner, David S. Miller
From: Lukas Wunner <lukas@wunner.de>
commit 046178e726c2977d686ba5e07105d5a6685c830e upstream.
IFB originally depended on NET_CLS_ACT for traffic redirection.
But since v4.5, that may be achieved with NFT_FWD_NETDEV as well.
Fixes: 39e6dea28adc ("netfilter: nf_tables: add forward expression to the netdev family")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: <stable@vger.kernel.org> # v4.5+: bcfabee1afd9: netfilter: nft_fwd_netdev: allow to redirect to ifb via ingress
Cc: <stable@vger.kernel.org> # v4.5+
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/Kconfig
+++ b/drivers/net/Kconfig
@@ -150,7 +150,7 @@ config NET_FC
config IFB
tristate "Intermediate Functional Block support"
- depends on NET_CLS_ACT
+ depends on NET_ACT_MIRRED || NFT_FWD_NETDEV
select NET_REDIRECT
help
This is an intermediate driver that allows sharing of
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 085/917] platform/surface: aggregator_registry: Add support for Surface Laptop Studio
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2021-11-15 16:52 ` [PATCH 5.15 084/917] ifb: Depend on netfilter alternatively to tc Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 086/917] mt76: mt7615: fix skb use-after-free on mac reset Greg Kroah-Hartman
` (834 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maximilian Luz, Hans de Goede
From: Maximilian Luz <luzmaximilian@gmail.com>
commit 4f042e40199ce8bac6bc2b853e81744ee4ea759c upstream.
Add support for the Surface Laptop Studio.
In contrast to previous Surface Laptop models, this one has its HID
devices attached to target ID 1 (instead of 2). It also has a couple
more of them, including a new notifier for when the pen is stashed /
taken out of its place, a "Sys Control" device, and two other
unidentified HID devices with unknown usages.
Battery and performance profile interfaces remain the same.
Cc: stable@vger.kernel.org # 5.14+
Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
Link: https://lore.kernel.org/r/20211021130904.862610-2-luzmaximilian@gmail.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/surface/surface_aggregator_registry.c | 54 +++++++++++++++++
1 file changed, 54 insertions(+)
--- a/drivers/platform/surface/surface_aggregator_registry.c
+++ b/drivers/platform/surface/surface_aggregator_registry.c
@@ -77,6 +77,42 @@ static const struct software_node ssam_n
.parent = &ssam_node_root,
};
+/* HID keyboard (TID1). */
+static const struct software_node ssam_node_hid_tid1_keyboard = {
+ .name = "ssam:01:15:01:01:00",
+ .parent = &ssam_node_root,
+};
+
+/* HID pen stash (TID1; pen taken / stashed away evens). */
+static const struct software_node ssam_node_hid_tid1_penstash = {
+ .name = "ssam:01:15:01:02:00",
+ .parent = &ssam_node_root,
+};
+
+/* HID touchpad (TID1). */
+static const struct software_node ssam_node_hid_tid1_touchpad = {
+ .name = "ssam:01:15:01:03:00",
+ .parent = &ssam_node_root,
+};
+
+/* HID device instance 6 (TID1, unknown HID device). */
+static const struct software_node ssam_node_hid_tid1_iid6 = {
+ .name = "ssam:01:15:01:06:00",
+ .parent = &ssam_node_root,
+};
+
+/* HID device instance 7 (TID1, unknown HID device). */
+static const struct software_node ssam_node_hid_tid1_iid7 = {
+ .name = "ssam:01:15:01:07:00",
+ .parent = &ssam_node_root,
+};
+
+/* HID system controls (TID1). */
+static const struct software_node ssam_node_hid_tid1_sysctrl = {
+ .name = "ssam:01:15:01:08:00",
+ .parent = &ssam_node_root,
+};
+
/* HID keyboard. */
static const struct software_node ssam_node_hid_main_keyboard = {
.name = "ssam:01:15:02:01:00",
@@ -159,6 +195,21 @@ static const struct software_node *ssam_
NULL,
};
+/* Devices for Surface Laptop Studio. */
+static const struct software_node *ssam_node_group_sls[] = {
+ &ssam_node_root,
+ &ssam_node_bat_ac,
+ &ssam_node_bat_main,
+ &ssam_node_tmp_pprof,
+ &ssam_node_hid_tid1_keyboard,
+ &ssam_node_hid_tid1_penstash,
+ &ssam_node_hid_tid1_touchpad,
+ &ssam_node_hid_tid1_iid6,
+ &ssam_node_hid_tid1_iid7,
+ &ssam_node_hid_tid1_sysctrl,
+ NULL,
+};
+
/* Devices for Surface Laptop Go. */
static const struct software_node *ssam_node_group_slg1[] = {
&ssam_node_root,
@@ -507,6 +558,9 @@ static const struct acpi_device_id ssam_
/* Surface Laptop Go 1 */
{ "MSHW0118", (unsigned long)ssam_node_group_slg1 },
+ /* Surface Laptop Studio */
+ { "MSHW0123", (unsigned long)ssam_node_group_sls },
+
{ },
};
MODULE_DEVICE_TABLE(acpi, ssam_platform_hub_match);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 086/917] mt76: mt7615: fix skb use-after-free on mac reset
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 085/917] platform/surface: aggregator_registry: Add support for Surface Laptop Studio Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 087/917] HID: surface-hid: Use correct event registry for managing HID events Greg Kroah-Hartman
` (833 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felix Fietkau
From: Felix Fietkau <nbd@nbd.name>
commit b5cd1fd6043bbb7c5810067b5f93f3016bfd8a6f upstream.
When clearing all existing pending tx slots, mt76_tx_complete_skb needs to
be used to free the skbs, to ensure that they are cleared from the status
list as well.
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 45 ++++++++++++------------
1 file changed, 23 insertions(+), 22 deletions(-)
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
@@ -1494,32 +1494,41 @@ out:
}
static void
-mt7615_mac_tx_free_token(struct mt7615_dev *dev, u16 token)
+mt7615_txwi_free(struct mt7615_dev *dev, struct mt76_txwi_cache *txwi)
{
struct mt76_dev *mdev = &dev->mt76;
- struct mt76_txwi_cache *txwi;
__le32 *txwi_data;
u32 val;
u8 wcid;
- trace_mac_tx_free(dev, token);
- txwi = mt76_token_put(mdev, token);
- if (!txwi)
- return;
+ mt7615_txp_skb_unmap(mdev, txwi);
+ if (!txwi->skb)
+ goto out;
txwi_data = (__le32 *)mt76_get_txwi_ptr(mdev, txwi);
val = le32_to_cpu(txwi_data[1]);
wcid = FIELD_GET(MT_TXD1_WLAN_IDX, val);
+ mt76_tx_complete_skb(mdev, wcid, txwi->skb);
- mt7615_txp_skb_unmap(mdev, txwi);
- if (txwi->skb) {
- mt76_tx_complete_skb(mdev, wcid, txwi->skb);
- txwi->skb = NULL;
- }
-
+out:
+ txwi->skb = NULL;
mt76_put_txwi(mdev, txwi);
}
+static void
+mt7615_mac_tx_free_token(struct mt7615_dev *dev, u16 token)
+{
+ struct mt76_dev *mdev = &dev->mt76;
+ struct mt76_txwi_cache *txwi;
+
+ trace_mac_tx_free(dev, token);
+ txwi = mt76_token_put(mdev, token);
+ if (!txwi)
+ return;
+
+ mt7615_txwi_free(dev, txwi);
+}
+
static void mt7615_mac_tx_free(struct mt7615_dev *dev, struct sk_buff *skb)
{
struct mt7615_tx_free *free = (struct mt7615_tx_free *)skb->data;
@@ -2026,16 +2035,8 @@ void mt7615_tx_token_put(struct mt7615_d
int id;
spin_lock_bh(&dev->mt76.token_lock);
- idr_for_each_entry(&dev->mt76.token, txwi, id) {
- mt7615_txp_skb_unmap(&dev->mt76, txwi);
- if (txwi->skb) {
- struct ieee80211_hw *hw;
-
- hw = mt76_tx_status_get_hw(&dev->mt76, txwi->skb);
- ieee80211_free_txskb(hw, txwi->skb);
- }
- mt76_put_txwi(&dev->mt76, txwi);
- }
+ idr_for_each_entry(&dev->mt76.token, txwi, id)
+ mt7615_txwi_free(dev, txwi);
spin_unlock_bh(&dev->mt76.token_lock);
idr_destroy(&dev->mt76.token);
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 087/917] HID: surface-hid: Use correct event registry for managing HID events
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 086/917] mt76: mt7615: fix skb use-after-free on mac reset Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 088/917] HID: surface-hid: Allow driver matching for target ID 1 devices Greg Kroah-Hartman
` (832 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Maximilian Luz, Benjamin Tissoires,
Hans de Goede
From: Maximilian Luz <luzmaximilian@gmail.com>
commit dc0fd0acb6e0e8025a0a43ada54513b216254fac upstream.
Until now, we have only ever seen the REG-category registry being used
on devices addressed with target ID 2. In fact, we have only ever seen
Surface Aggregator Module (SAM) HID devices with target ID 2. For those
devices, the registry also has to be addressed with target ID 2.
Some devices, like the new Surface Laptop Studio, however, address their
HID devices on target ID 1. As a result of this, any target ID 2
commands time out. This includes event management commands addressed to
the target ID 2 REG-category registry. For these devices, the registry
has to be addressed via target ID 1 instead.
We therefore assume that the target ID of the registry to be used
depends on the target ID of the respective device. Implement this
accordingly.
Note that we currently allow the surface HID driver to only load against
devices with target ID 2, so these timeouts are not happening (yet).
This is just a preparation step before we allow the driver to load
against all target IDs.
Cc: stable@vger.kernel.org # 5.14+
Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Link: https://lore.kernel.org/r/20211021130904.862610-3-luzmaximilian@gmail.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/surface-hid/surface_hid.c | 2 +-
include/linux/surface_aggregator/controller.h | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/hid/surface-hid/surface_hid.c
+++ b/drivers/hid/surface-hid/surface_hid.c
@@ -209,7 +209,7 @@ static int surface_hid_probe(struct ssam
shid->notif.base.priority = 1;
shid->notif.base.fn = ssam_hid_event_fn;
- shid->notif.event.reg = SSAM_EVENT_REGISTRY_REG;
+ shid->notif.event.reg = SSAM_EVENT_REGISTRY_REG(sdev->uid.target);
shid->notif.event.id.target_category = sdev->uid.category;
shid->notif.event.id.instance = sdev->uid.instance;
shid->notif.event.mask = SSAM_EVENT_MASK_STRICT;
--- a/include/linux/surface_aggregator/controller.h
+++ b/include/linux/surface_aggregator/controller.h
@@ -792,8 +792,8 @@ enum ssam_event_mask {
#define SSAM_EVENT_REGISTRY_KIP \
SSAM_EVENT_REGISTRY(SSAM_SSH_TC_KIP, 0x02, 0x27, 0x28)
-#define SSAM_EVENT_REGISTRY_REG \
- SSAM_EVENT_REGISTRY(SSAM_SSH_TC_REG, 0x02, 0x01, 0x02)
+#define SSAM_EVENT_REGISTRY_REG(tid)\
+ SSAM_EVENT_REGISTRY(SSAM_SSH_TC_REG, tid, 0x01, 0x02)
/**
* enum ssam_event_notifier_flags - Flags for event notifiers.
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 088/917] HID: surface-hid: Allow driver matching for target ID 1 devices
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 087/917] HID: surface-hid: Use correct event registry for managing HID events Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 089/917] wcn36xx: Fix HT40 capability for 2Ghz band Greg Kroah-Hartman
` (831 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Maximilian Luz, Benjamin Tissoires,
Hans de Goede
From: Maximilian Luz <luzmaximilian@gmail.com>
commit ab5fe33925c6b03f646a1153771dab047548e4d8 upstream.
Until now we have only ever seen HID devices with target ID 2. The new
Surface Laptop Studio however uses HID devices with target ID 1. Allow
matching this driver to those as well.
Cc: stable@vger.kernel.org # 5.14+
Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Link: https://lore.kernel.org/r/20211021130904.862610-4-luzmaximilian@gmail.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/surface-hid/surface_hid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hid/surface-hid/surface_hid.c
+++ b/drivers/hid/surface-hid/surface_hid.c
@@ -230,7 +230,7 @@ static void surface_hid_remove(struct ss
}
static const struct ssam_device_id surface_hid_match[] = {
- { SSAM_SDEV(HID, 0x02, SSAM_ANY_IID, 0x00) },
+ { SSAM_SDEV(HID, SSAM_ANY_TID, SSAM_ANY_IID, 0x00) },
{ },
};
MODULE_DEVICE_TABLE(ssam, surface_hid_match);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 089/917] wcn36xx: Fix HT40 capability for 2Ghz band
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 088/917] HID: surface-hid: Allow driver matching for target ID 1 devices Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 090/917] wcn36xx: Fix tx_status mechanism Greg Kroah-Hartman
` (830 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Loic Poulain, Kalle Valo
From: Loic Poulain <loic.poulain@linaro.org>
commit 960ae77f25631bbe4e3aafefe209b52e044baf31 upstream.
All wcn36xx controllers are supposed to support HT40 (and SGI40),
This doubles the maximum bitrate/throughput with compatible APs.
Tested with wcn3620 & wcn3680B.
Cc: stable@vger.kernel.org
Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware")
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1634737133-22336-1-git-send-email-loic.poulain@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/wcn36xx/main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/ath/wcn36xx/main.c
+++ b/drivers/net/wireless/ath/wcn36xx/main.c
@@ -135,7 +135,9 @@ static struct ieee80211_supported_band w
.cap = IEEE80211_HT_CAP_GRN_FLD |
IEEE80211_HT_CAP_SGI_20 |
IEEE80211_HT_CAP_DSSSCCK40 |
- IEEE80211_HT_CAP_LSIG_TXOP_PROT,
+ IEEE80211_HT_CAP_LSIG_TXOP_PROT |
+ IEEE80211_HT_CAP_SGI_40 |
+ IEEE80211_HT_CAP_SUP_WIDTH_20_40,
.ht_supported = true,
.ampdu_factor = IEEE80211_HT_MAX_AMPDU_64K,
.ampdu_density = IEEE80211_HT_MPDU_DENSITY_16,
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 090/917] wcn36xx: Fix tx_status mechanism
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 089/917] wcn36xx: Fix HT40 capability for 2Ghz band Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 091/917] wcn36xx: Fix (QoS) null data frame bitrate/modulation Greg Kroah-Hartman
` (829 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Loic Poulain, Kalle Valo
From: Loic Poulain <loic.poulain@linaro.org>
commit a9e79b116cc4d0057e912be8f40b2c2e5bdc7c43 upstream.
This change fix the TX ack mechanism in various ways:
- For NO_ACK tagged packets, we don't need to wait for TX_ACK indication
and so are not subject to the single packet ack limitation. So we don't
have to stop the tx queue, and can call the tx status callback as soon
as DMA transfer has completed.
- Fix skb ownership/reference. Only start status indication timeout
once the DMA transfer has been completed. This avoids the skb to be
both referenced in the DMA tx ring and by the tx_ack_skb pointer,
preventing any use-after-free or double-free.
- This adds a sanity (paranoia?) check on the skb tx ack pointer.
- Resume TX queue if TX status tagged packet TX fails.
Cc: stable@vger.kernel.org
Fixes: fdf21cc37149 ("wcn36xx: Add TX ack support")
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1634567281-28997-1-git-send-email-loic.poulain@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/wcn36xx/dxe.c | 37 ++++++++++++--------------------
drivers/net/wireless/ath/wcn36xx/txrx.c | 31 +++++---------------------
2 files changed, 21 insertions(+), 47 deletions(-)
--- a/drivers/net/wireless/ath/wcn36xx/dxe.c
+++ b/drivers/net/wireless/ath/wcn36xx/dxe.c
@@ -403,8 +403,21 @@ static void reap_tx_dxes(struct wcn36xx
dma_unmap_single(wcn->dev, ctl->desc->src_addr_l,
ctl->skb->len, DMA_TO_DEVICE);
info = IEEE80211_SKB_CB(ctl->skb);
- if (!(info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS)) {
- /* Keep frame until TX status comes */
+ if (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS) {
+ if (info->flags & IEEE80211_TX_CTL_NO_ACK) {
+ info->flags |= IEEE80211_TX_STAT_NOACK_TRANSMITTED;
+ ieee80211_tx_status_irqsafe(wcn->hw, ctl->skb);
+ } else {
+ /* Wait for the TX ack indication or timeout... */
+ spin_lock(&wcn->dxe_lock);
+ if (WARN_ON(wcn->tx_ack_skb))
+ ieee80211_free_txskb(wcn->hw, wcn->tx_ack_skb);
+ wcn->tx_ack_skb = ctl->skb; /* Tracking ref */
+ mod_timer(&wcn->tx_ack_timer, jiffies + HZ / 10);
+ spin_unlock(&wcn->dxe_lock);
+ }
+ /* do not free, ownership transferred to mac80211 status cb */
+ } else {
ieee80211_free_txskb(wcn->hw, ctl->skb);
}
@@ -426,7 +439,6 @@ static irqreturn_t wcn36xx_irq_tx_comple
{
struct wcn36xx *wcn = (struct wcn36xx *)dev;
int int_src, int_reason;
- bool transmitted = false;
wcn36xx_dxe_read_register(wcn, WCN36XX_DXE_INT_SRC_RAW_REG, &int_src);
@@ -466,7 +478,6 @@ static irqreturn_t wcn36xx_irq_tx_comple
if (int_reason & (WCN36XX_CH_STAT_INT_DONE_MASK |
WCN36XX_CH_STAT_INT_ED_MASK)) {
reap_tx_dxes(wcn, &wcn->dxe_tx_h_ch);
- transmitted = true;
}
}
@@ -479,7 +490,6 @@ static irqreturn_t wcn36xx_irq_tx_comple
WCN36XX_DXE_0_INT_CLR,
WCN36XX_INT_MASK_CHAN_TX_L);
-
if (int_reason & WCN36XX_CH_STAT_INT_ERR_MASK ) {
wcn36xx_dxe_write_register(wcn,
WCN36XX_DXE_0_INT_ERR_CLR,
@@ -507,25 +517,8 @@ static irqreturn_t wcn36xx_irq_tx_comple
if (int_reason & (WCN36XX_CH_STAT_INT_DONE_MASK |
WCN36XX_CH_STAT_INT_ED_MASK)) {
reap_tx_dxes(wcn, &wcn->dxe_tx_l_ch);
- transmitted = true;
- }
- }
-
- spin_lock(&wcn->dxe_lock);
- if (wcn->tx_ack_skb && transmitted) {
- struct ieee80211_tx_info *info = IEEE80211_SKB_CB(wcn->tx_ack_skb);
-
- /* TX complete, no need to wait for 802.11 ack indication */
- if (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS &&
- info->flags & IEEE80211_TX_CTL_NO_ACK) {
- info->flags |= IEEE80211_TX_STAT_NOACK_TRANSMITTED;
- del_timer(&wcn->tx_ack_timer);
- ieee80211_tx_status_irqsafe(wcn->hw, wcn->tx_ack_skb);
- wcn->tx_ack_skb = NULL;
- ieee80211_wake_queues(wcn->hw);
}
}
- spin_unlock(&wcn->dxe_lock);
return IRQ_HANDLED;
}
--- a/drivers/net/wireless/ath/wcn36xx/txrx.c
+++ b/drivers/net/wireless/ath/wcn36xx/txrx.c
@@ -502,10 +502,11 @@ int wcn36xx_start_tx(struct wcn36xx *wcn
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
struct wcn36xx_vif *vif_priv = NULL;
struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
- unsigned long flags;
bool is_low = ieee80211_is_data(hdr->frame_control);
bool bcast = is_broadcast_ether_addr(hdr->addr1) ||
is_multicast_ether_addr(hdr->addr1);
+ bool ack_ind = (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS) &&
+ !(info->flags & IEEE80211_TX_CTL_NO_ACK);
struct wcn36xx_tx_bd bd;
int ret;
@@ -521,30 +522,16 @@ int wcn36xx_start_tx(struct wcn36xx *wcn
bd.dpu_rf = WCN36XX_BMU_WQ_TX;
- if (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS) {
+ if (unlikely(ack_ind)) {
wcn36xx_dbg(WCN36XX_DBG_DXE, "TX_ACK status requested\n");
- spin_lock_irqsave(&wcn->dxe_lock, flags);
- if (wcn->tx_ack_skb) {
- spin_unlock_irqrestore(&wcn->dxe_lock, flags);
- wcn36xx_warn("tx_ack_skb already set\n");
- return -EINVAL;
- }
-
- wcn->tx_ack_skb = skb;
- spin_unlock_irqrestore(&wcn->dxe_lock, flags);
-
/* Only one at a time is supported by fw. Stop the TX queues
* until the ack status gets back.
*/
ieee80211_stop_queues(wcn->hw);
- /* TX watchdog if no TX irq or ack indication received */
- mod_timer(&wcn->tx_ack_timer, jiffies + HZ / 10);
-
/* Request ack indication from the firmware */
- if (!(info->flags & IEEE80211_TX_CTL_NO_ACK))
- bd.tx_comp = 1;
+ bd.tx_comp = 1;
}
/* Data frames served first*/
@@ -558,14 +545,8 @@ int wcn36xx_start_tx(struct wcn36xx *wcn
bd.tx_bd_sign = 0xbdbdbdbd;
ret = wcn36xx_dxe_tx_frame(wcn, vif_priv, &bd, skb, is_low);
- if (ret && (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS)) {
- /* If the skb has not been transmitted,
- * don't keep a reference to it.
- */
- spin_lock_irqsave(&wcn->dxe_lock, flags);
- wcn->tx_ack_skb = NULL;
- spin_unlock_irqrestore(&wcn->dxe_lock, flags);
-
+ if (unlikely(ret && ack_ind)) {
+ /* If the skb has not been transmitted, resume TX queue */
ieee80211_wake_queues(wcn->hw);
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 091/917] wcn36xx: Fix (QoS) null data frame bitrate/modulation
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 090/917] wcn36xx: Fix tx_status mechanism Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 092/917] PM: sleep: Do not let "syscore" devices runtime-suspend during system transitions Greg Kroah-Hartman
` (828 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Loic Poulain, Kalle Valo
From: Loic Poulain <loic.poulain@linaro.org>
commit d3fd2c95c1c13ec217d43ebef3c61cfa00a6cd37 upstream.
We observe unexpected connection drops with some APs due to
non-acked mac80211 generated null data frames (keep-alive).
After debugging and capture, we noticed that null frames are
submitted at standard data bitrate and that the given APs are
in trouble with that.
After setting the null frame bitrate to control bitrate, all
null frames are acked as expected and connection is maintained.
Not sure if it's a requirement of the specification, but it seems
the right thing to do anyway, null frames are mostly used for control
purpose (power-saving, keep-alive...), and submitting them with
a slower/simpler bitrate/modulation is more robust.
Cc: stable@vger.kernel.org
Fixes: 512b191d9652 ("wcn36xx: Fix TX data path")
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1634560399-15290-1-git-send-email-loic.poulain@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/wcn36xx/txrx.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/wireless/ath/wcn36xx/txrx.c
+++ b/drivers/net/wireless/ath/wcn36xx/txrx.c
@@ -429,6 +429,7 @@ static void wcn36xx_set_tx_data(struct w
if (ieee80211_is_any_nullfunc(hdr->frame_control)) {
/* Don't use a regular queue for null packet (no ampdu) */
bd->queue_id = WCN36XX_TX_U_WQ_ID;
+ bd->bd_rate = WCN36XX_BD_RATE_CTRL;
}
if (bcast) {
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 092/917] PM: sleep: Do not let "syscore" devices runtime-suspend during system transitions
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 091/917] wcn36xx: Fix (QoS) null data frame bitrate/modulation Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 093/917] mwifiex: Read a PCI register after writing the TX ring write pointer Greg Kroah-Hartman
` (827 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Rafael J. Wysocki, Ulf Hansson
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 928265e3601cde78c7e0a3e518a93b27defed3b1 upstream.
There is no reason to allow "syscore" devices to runtime-suspend
during system-wide PM transitions, because they are subject to the
same possible failure modes as any other devices in that respect.
Accordingly, change device_prepare() and device_complete() to call
pm_runtime_get_noresume() and pm_runtime_put(), respectively, for
"syscore" devices too.
Fixes: 057d51a1268f ("Merge branch 'pm-sleep'")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: 3.10+ <stable@vger.kernel.org> # 3.10+
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/power/main.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -1051,7 +1051,7 @@ static void device_complete(struct devic
const char *info = NULL;
if (dev->power.syscore)
- return;
+ goto out;
device_lock(dev);
@@ -1081,6 +1081,7 @@ static void device_complete(struct devic
device_unlock(dev);
+out:
pm_runtime_put(dev);
}
@@ -1794,9 +1795,6 @@ static int device_prepare(struct device
int (*callback)(struct device *) = NULL;
int ret = 0;
- if (dev->power.syscore)
- return 0;
-
/*
* If a device's parent goes into runtime suspend at the wrong time,
* it won't be possible to resume the device. To prevent this we
@@ -1805,6 +1803,9 @@ static int device_prepare(struct device
*/
pm_runtime_get_noresume(dev);
+ if (dev->power.syscore)
+ return 0;
+
device_lock(dev);
dev->power.wakeup_path = false;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 093/917] mwifiex: Read a PCI register after writing the TX ring write pointer
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 092/917] PM: sleep: Do not let "syscore" devices runtime-suspend during system transitions Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 094/917] mwifiex: Try waking the firmware until we get an interrupt Greg Kroah-Hartman
` (826 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jonas Dreßler, Kalle Valo
From: Jonas Dreßler <verdre@v0yd.nl>
commit e5f4eb8223aa740237cd463246a7debcddf4eda1 upstream.
On the 88W8897 PCIe+USB card the firmware randomly crashes after setting
the TX ring write pointer. The issue is present in the latest firmware
version 15.68.19.p21 of the PCIe+USB card.
Those firmware crashes can be worked around by reading any PCI register
of the card after setting that register, so read the PCI_VENDOR_ID
register here. The reason this works is probably because we keep the bus
from entering an ASPM state for a bit longer, because that's what causes
the cards firmware to crash.
This fixes a bug where during RX/TX traffic and with ASPM L1 substates
enabled (the specific substates where the issue happens appear to be
platform dependent), the firmware crashes and eventually a command
timeout appears in the logs.
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=109681
Cc: stable@vger.kernel.org
Signed-off-by: Jonas Dreßler <verdre@v0yd.nl>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20211011133224.15561-2-verdre@v0yd.nl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/marvell/mwifiex/pcie.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/net/wireless/marvell/mwifiex/pcie.c
+++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
@@ -1490,6 +1490,14 @@ mwifiex_pcie_send_data(struct mwifiex_ad
ret = -1;
goto done_unmap;
}
+
+ /* The firmware (latest version 15.68.19.p21) of the 88W8897 PCIe+USB card
+ * seems to crash randomly after setting the TX ring write pointer when
+ * ASPM powersaving is enabled. A workaround seems to be keeping the bus
+ * busy by reading a random register afterwards.
+ */
+ mwifiex_read_reg(adapter, PCI_VENDOR_ID, &rx_val);
+
if ((mwifiex_pcie_txbd_not_full(card)) &&
tx_param->next_pkt_len) {
/* have more packets and TxBD still can hold more */
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 094/917] mwifiex: Try waking the firmware until we get an interrupt
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 093/917] mwifiex: Read a PCI register after writing the TX ring write pointer Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 095/917] libata: fix checking of DMA state Greg Kroah-Hartman
` (825 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jonas Dreßler, Kalle Valo
From: Jonas Dreßler <verdre@v0yd.nl>
commit 8e3e59c31fea5de95ffc52c46f0c562c39f20c59 upstream.
It seems that the PCIe+USB firmware (latest version 15.68.19.p21) of the
88W8897 card sometimes ignores or misses when we try to wake it up by
writing to the firmware status register. This leads to the firmware
wakeup timeout expiring and the driver resetting the card because we
assume the firmware has hung up or crashed.
Turns out that the firmware actually didn't hang up, but simply "missed"
our wakeup request and didn't send us an interrupt with an AWAKE event.
Trying again to read the firmware status register after a short timeout
usually makes the firmware wake up as expected, so add a small retry
loop to mwifiex_pm_wakeup_card() that looks at the interrupt status to
check whether the card woke up.
The number of tries and timeout lengths for this were determined
experimentally: The firmware usually takes about 500 us to wake up
after we attempt to read the status register. In some cases where the
firmware is very busy (for example while doing a bluetooth scan) it
might even miss our requests for multiple milliseconds, which is why
after 15 tries the waiting time gets increased to 10 ms. The maximum
number of tries it took to wake the firmware when testing this was
around 20, so a maximum number of 50 tries should give us plenty of
safety margin.
Here's a reproducer for those firmware wakeup failures I've found:
1) Make sure wifi powersaving is enabled (iw dev wlp1s0 set power_save on)
2) Connect to any wifi network (makes firmware go into wifi powersaving
mode, not deep sleep)
3) Make sure bluetooth is turned off (to ensure the firmware actually
enters powersave mode and doesn't keep the radio active doing bluetooth
stuff)
4) To confirm that wifi powersaving is entered ping a device on the LAN,
pings should be a few ms higher than without powersaving
5) Run "while true; do iwconfig; sleep 0.0001; done", this wakes and
suspends the firmware extremely often
6) Wait until things explode, for me it consistently takes <5 minutes
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=109681
Cc: stable@vger.kernel.org
Signed-off-by: Jonas Dreßler <verdre@v0yd.nl>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20211011133224.15561-3-verdre@v0yd.nl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/marvell/mwifiex/pcie.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
--- a/drivers/net/wireless/marvell/mwifiex/pcie.c
+++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
@@ -17,6 +17,7 @@
* this warranty disclaimer.
*/
+#include <linux/iopoll.h>
#include <linux/firmware.h>
#include "decl.h"
@@ -647,11 +648,15 @@ static void mwifiex_delay_for_sleep_cook
"max count reached while accessing sleep cookie\n");
}
+#define N_WAKEUP_TRIES_SHORT_INTERVAL 15
+#define N_WAKEUP_TRIES_LONG_INTERVAL 35
+
/* This function wakes up the card by reading fw_status register. */
static int mwifiex_pm_wakeup_card(struct mwifiex_adapter *adapter)
{
struct pcie_service_card *card = adapter->card;
const struct mwifiex_pcie_card_reg *reg = card->pcie.reg;
+ int retval;
mwifiex_dbg(adapter, EVENT,
"event: Wakeup device...\n");
@@ -659,11 +664,24 @@ static int mwifiex_pm_wakeup_card(struct
if (reg->sleep_cookie)
mwifiex_pcie_dev_wakeup_delay(adapter);
- /* Accessing fw_status register will wakeup device */
- if (mwifiex_write_reg(adapter, reg->fw_status, FIRMWARE_READY_PCIE)) {
- mwifiex_dbg(adapter, ERROR,
- "Writing fw_status register failed\n");
- return -1;
+ /* The 88W8897 PCIe+USB firmware (latest version 15.68.19.p21) sometimes
+ * appears to ignore or miss our wakeup request, so we continue trying
+ * until we receive an interrupt from the card.
+ */
+ if (read_poll_timeout(mwifiex_write_reg, retval,
+ READ_ONCE(adapter->int_status) != 0,
+ 500, 500 * N_WAKEUP_TRIES_SHORT_INTERVAL,
+ false,
+ adapter, reg->fw_status, FIRMWARE_READY_PCIE)) {
+ if (read_poll_timeout(mwifiex_write_reg, retval,
+ READ_ONCE(adapter->int_status) != 0,
+ 10000, 10000 * N_WAKEUP_TRIES_LONG_INTERVAL,
+ false,
+ adapter, reg->fw_status, FIRMWARE_READY_PCIE)) {
+ mwifiex_dbg(adapter, ERROR,
+ "Firmware didn't wake up\n");
+ return -EIO;
+ }
}
if (reg->sleep_cookie) {
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 095/917] libata: fix checking of DMA state
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 094/917] mwifiex: Try waking the firmware until we get an interrupt Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 096/917] dma-buf: fix and rework dma_buf_poll v7 Greg Kroah-Hartman
` (824 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Reimar Döffinger, Paul Menzel,
Damien Le Moal
From: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
commit f971a85439bd25dc7b4d597cf5e4e8dc7ffc884b upstream.
Checking if DMA is enabled should be done via the
ata_dma_enabled helper function, since the init state
0xff indicates disabled.
This meant that ATA_CMD_READ_LOG_DMA_EXT was used and probed
for before DMA was enabled, which caused hangs for some combinations
of controllers and devices.
It might also have caused it to be incorrectly disabled as broken,
but there have been no reports of that.
Cc: stable@vger.kernel.org
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=195895
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Tested-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/libata-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -2007,7 +2007,7 @@ unsigned int ata_read_log_page(struct at
retry:
ata_tf_init(dev, &tf);
- if (dev->dma_mode && ata_id_has_read_log_dma_ext(dev->id) &&
+ if (ata_dma_enabled(dev) && ata_id_has_read_log_dma_ext(dev->id) &&
!(dev->horkage & ATA_HORKAGE_NO_DMA_LOG)) {
tf.command = ATA_CMD_READ_LOG_DMA_EXT;
tf.protocol = ATA_PROT_DMA;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 096/917] dma-buf: fix and rework dma_buf_poll v7
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 095/917] libata: fix checking of DMA state Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 097/917] wcn36xx: handle connection loss indication Greg Kroah-Hartman
` (823 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Christian König, Daniel Vetter,
Michel Dänzer
From: Christian König <christian.koenig@amd.com>
commit 6b51b02a3a0ac49dfe302818d0746a799545e4e9 upstream.
Daniel pointed me towards this function and there are multiple obvious problems
in the implementation.
First of all the retry loop is not working as intended. In general the retry
makes only sense if you grab the reference first and then check the sequence
values.
Then we should always also wait for the exclusive fence.
It's also good practice to keep the reference around when installing callbacks
to fences you don't own.
And last the whole implementation was unnecessary complex and rather hard to
understand which could lead to probably unexpected behavior of the IOCTL.
Fix all this by reworking the implementation from scratch. Dropping the
whole RCU approach and taking the lock instead.
Only mildly tested and needs a thoughtful review of the code.
Pushing through drm-misc-next to avoid merge conflicts and give the code
another round of testing.
v2: fix the reference counting as well
v3: keep the excl fence handling as is for stable
v4: back to testing all fences, drop RCU
v5: handle in and out separately
v6: add missing clear of events
v7: change coding style as suggested by Michel, drop unused variables
Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Tested-by: Michel Dänzer <mdaenzer@redhat.com>
CC: stable@vger.kernel.org
Link: https://patchwork.freedesktop.org/patch/msgid/20210720131110.88512-1-christian.koenig@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma-buf/dma-buf.c | 152 +++++++++++++++++++++-------------------------
include/linux/dma-buf.h | 2
2 files changed, 71 insertions(+), 83 deletions(-)
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -74,7 +74,7 @@ static void dma_buf_release(struct dentr
* If you hit this BUG() it means someone dropped their ref to the
* dma-buf while still having pending operation to the buffer.
*/
- BUG_ON(dmabuf->cb_shared.active || dmabuf->cb_excl.active);
+ BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active);
dma_buf_stats_teardown(dmabuf);
dmabuf->ops->release(dmabuf);
@@ -205,16 +205,55 @@ static void dma_buf_poll_cb(struct dma_f
wake_up_locked_poll(dcb->poll, dcb->active);
dcb->active = 0;
spin_unlock_irqrestore(&dcb->poll->lock, flags);
+ dma_fence_put(fence);
+}
+
+static bool dma_buf_poll_shared(struct dma_resv *resv,
+ struct dma_buf_poll_cb_t *dcb)
+{
+ struct dma_resv_list *fobj = dma_resv_shared_list(resv);
+ struct dma_fence *fence;
+ int i, r;
+
+ if (!fobj)
+ return false;
+
+ for (i = 0; i < fobj->shared_count; ++i) {
+ fence = rcu_dereference_protected(fobj->shared[i],
+ dma_resv_held(resv));
+ dma_fence_get(fence);
+ r = dma_fence_add_callback(fence, &dcb->cb, dma_buf_poll_cb);
+ if (!r)
+ return true;
+ dma_fence_put(fence);
+ }
+
+ return false;
+}
+
+static bool dma_buf_poll_excl(struct dma_resv *resv,
+ struct dma_buf_poll_cb_t *dcb)
+{
+ struct dma_fence *fence = dma_resv_excl_fence(resv);
+ int r;
+
+ if (!fence)
+ return false;
+
+ dma_fence_get(fence);
+ r = dma_fence_add_callback(fence, &dcb->cb, dma_buf_poll_cb);
+ if (!r)
+ return true;
+ dma_fence_put(fence);
+
+ return false;
}
static __poll_t dma_buf_poll(struct file *file, poll_table *poll)
{
struct dma_buf *dmabuf;
struct dma_resv *resv;
- struct dma_resv_list *fobj;
- struct dma_fence *fence_excl;
__poll_t events;
- unsigned shared_count, seq;
dmabuf = file->private_data;
if (!dmabuf || !dmabuf->resv)
@@ -228,101 +267,50 @@ static __poll_t dma_buf_poll(struct file
if (!events)
return 0;
-retry:
- seq = read_seqcount_begin(&resv->seq);
- rcu_read_lock();
-
- fobj = rcu_dereference(resv->fence);
- if (fobj)
- shared_count = fobj->shared_count;
- else
- shared_count = 0;
- fence_excl = dma_resv_excl_fence(resv);
- if (read_seqcount_retry(&resv->seq, seq)) {
- rcu_read_unlock();
- goto retry;
- }
-
- if (fence_excl && (!(events & EPOLLOUT) || shared_count == 0)) {
- struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_excl;
- __poll_t pevents = EPOLLIN;
+ dma_resv_lock(resv, NULL);
- if (shared_count == 0)
- pevents |= EPOLLOUT;
+ if (events & EPOLLOUT) {
+ struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_out;
+ /* Check that callback isn't busy */
spin_lock_irq(&dmabuf->poll.lock);
- if (dcb->active) {
- dcb->active |= pevents;
- events &= ~pevents;
- } else
- dcb->active = pevents;
+ if (dcb->active)
+ events &= ~EPOLLOUT;
+ else
+ dcb->active = EPOLLOUT;
spin_unlock_irq(&dmabuf->poll.lock);
- if (events & pevents) {
- if (!dma_fence_get_rcu(fence_excl)) {
- /* force a recheck */
- events &= ~pevents;
+ if (events & EPOLLOUT) {
+ if (!dma_buf_poll_shared(resv, dcb) &&
+ !dma_buf_poll_excl(resv, dcb))
+ /* No callback queued, wake up any other waiters */
dma_buf_poll_cb(NULL, &dcb->cb);
- } else if (!dma_fence_add_callback(fence_excl, &dcb->cb,
- dma_buf_poll_cb)) {
- events &= ~pevents;
- dma_fence_put(fence_excl);
- } else {
- /*
- * No callback queued, wake up any additional
- * waiters.
- */
- dma_fence_put(fence_excl);
- dma_buf_poll_cb(NULL, &dcb->cb);
- }
+ else
+ events &= ~EPOLLOUT;
}
}
- if ((events & EPOLLOUT) && shared_count > 0) {
- struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_shared;
- int i;
+ if (events & EPOLLIN) {
+ struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_in;
- /* Only queue a new callback if no event has fired yet */
+ /* Check that callback isn't busy */
spin_lock_irq(&dmabuf->poll.lock);
if (dcb->active)
- events &= ~EPOLLOUT;
+ events &= ~EPOLLIN;
else
- dcb->active = EPOLLOUT;
+ dcb->active = EPOLLIN;
spin_unlock_irq(&dmabuf->poll.lock);
- if (!(events & EPOLLOUT))
- goto out;
-
- for (i = 0; i < shared_count; ++i) {
- struct dma_fence *fence = rcu_dereference(fobj->shared[i]);
-
- if (!dma_fence_get_rcu(fence)) {
- /*
- * fence refcount dropped to zero, this means
- * that fobj has been freed
- *
- * call dma_buf_poll_cb and force a recheck!
- */
- events &= ~EPOLLOUT;
+ if (events & EPOLLIN) {
+ if (!dma_buf_poll_excl(resv, dcb))
+ /* No callback queued, wake up any other waiters */
dma_buf_poll_cb(NULL, &dcb->cb);
- break;
- }
- if (!dma_fence_add_callback(fence, &dcb->cb,
- dma_buf_poll_cb)) {
- dma_fence_put(fence);
- events &= ~EPOLLOUT;
- break;
- }
- dma_fence_put(fence);
+ else
+ events &= ~EPOLLIN;
}
-
- /* No callback queued, wake up any additional waiters. */
- if (i == shared_count)
- dma_buf_poll_cb(NULL, &dcb->cb);
}
-out:
- rcu_read_unlock();
+ dma_resv_unlock(resv);
return events;
}
@@ -565,8 +553,8 @@ struct dma_buf *dma_buf_export(const str
dmabuf->owner = exp_info->owner;
spin_lock_init(&dmabuf->name_lock);
init_waitqueue_head(&dmabuf->poll);
- dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll;
- dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0;
+ dmabuf->cb_in.poll = dmabuf->cb_out.poll = &dmabuf->poll;
+ dmabuf->cb_in.active = dmabuf->cb_out.active = 0;
if (!resv) {
resv = (struct dma_resv *)&dmabuf[1];
--- a/include/linux/dma-buf.h
+++ b/include/linux/dma-buf.h
@@ -433,7 +433,7 @@ struct dma_buf {
wait_queue_head_t *poll;
__poll_t active;
- } cb_excl, cb_shared;
+ } cb_in, cb_out;
#ifdef CONFIG_DMABUF_SYSFS_STATS
/**
* @sysfs_entry:
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 097/917] wcn36xx: handle connection loss indication
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 096/917] dma-buf: fix and rework dma_buf_poll v7 Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 098/917] rsi: fix occasional initialisation failure with BT coex Greg Kroah-Hartman
` (822 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Benjamin Li, Bryan ODonoghue,
Loic Poulain, Kalle Valo
From: Benjamin Li <benl@squareup.com>
commit d6dbce453b19c64b96f3e927b10230f9a704b504 upstream.
Firmware sends delete_sta_context_ind when it detects the AP has gone
away in STA mode. Right now the handler for that indication only handles
AP mode; fix it to also handle STA mode.
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Li <benl@squareup.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Loic Poulain <loic.poulain@linaro.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210901180606.11686-1-benl@squareup.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/wcn36xx/smd.c | 44 ++++++++++++++++++++++++---------
1 file changed, 33 insertions(+), 11 deletions(-)
--- a/drivers/net/wireless/ath/wcn36xx/smd.c
+++ b/drivers/net/wireless/ath/wcn36xx/smd.c
@@ -2623,30 +2623,52 @@ static int wcn36xx_smd_delete_sta_contex
size_t len)
{
struct wcn36xx_hal_delete_sta_context_ind_msg *rsp = buf;
- struct wcn36xx_vif *tmp;
+ struct wcn36xx_vif *vif_priv;
+ struct ieee80211_vif *vif;
+ struct ieee80211_bss_conf *bss_conf;
struct ieee80211_sta *sta;
+ bool found = false;
if (len != sizeof(*rsp)) {
wcn36xx_warn("Corrupted delete sta indication\n");
return -EIO;
}
- wcn36xx_dbg(WCN36XX_DBG_HAL, "delete station indication %pM index %d\n",
- rsp->addr2, rsp->sta_id);
+ wcn36xx_dbg(WCN36XX_DBG_HAL,
+ "delete station indication %pM index %d reason %d\n",
+ rsp->addr2, rsp->sta_id, rsp->reason_code);
- list_for_each_entry(tmp, &wcn->vif_list, list) {
+ list_for_each_entry(vif_priv, &wcn->vif_list, list) {
rcu_read_lock();
- sta = ieee80211_find_sta(wcn36xx_priv_to_vif(tmp), rsp->addr2);
- if (sta)
- ieee80211_report_low_ack(sta, 0);
+ vif = wcn36xx_priv_to_vif(vif_priv);
+
+ if (vif->type == NL80211_IFTYPE_STATION) {
+ /* We could call ieee80211_find_sta too, but checking
+ * bss_conf is clearer.
+ */
+ bss_conf = &vif->bss_conf;
+ if (vif_priv->sta_assoc &&
+ !memcmp(bss_conf->bssid, rsp->addr2, ETH_ALEN)) {
+ found = true;
+ wcn36xx_dbg(WCN36XX_DBG_HAL,
+ "connection loss bss_index %d\n",
+ vif_priv->bss_index);
+ ieee80211_connection_loss(vif);
+ }
+ } else {
+ sta = ieee80211_find_sta(vif, rsp->addr2);
+ if (sta) {
+ found = true;
+ ieee80211_report_low_ack(sta, 0);
+ }
+ }
+
rcu_read_unlock();
- if (sta)
+ if (found)
return 0;
}
- wcn36xx_warn("STA with addr %pM and index %d not found\n",
- rsp->addr2,
- rsp->sta_id);
+ wcn36xx_warn("BSS or STA with addr %pM not found\n", rsp->addr2);
return -ENOENT;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 098/917] rsi: fix occasional initialisation failure with BT coex
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 097/917] wcn36xx: handle connection loss indication Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 099/917] rsi: fix key enabled check causing unwanted encryption for vap_id > 0 Greg Kroah-Hartman
` (821 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Fuzzey, Kalle Valo
From: Martin Fuzzey <martin.fuzzey@flowbird.group>
commit 9b14ed6e11b72dd4806535449ca6c6962cb2369d upstream.
When BT coexistence is enabled (eg oper mode 13, which is the default)
the initialisation on startup sometimes silently fails.
In a normal initialisation we see
usb 1-1.3: Product: Wireless USB Network Module
usb 1-1.3: Manufacturer: Redpine Signals, Inc.
usb 1-1.3: SerialNumber: 000000000001
rsi_91x: rsi_probe: Initialized os intf ops
rsi_91x: rsi_load_9116_firmware: Loading chunk 0
rsi_91x: rsi_load_9116_firmware: Loading chunk 1
rsi_91x: rsi_load_9116_firmware: Loading chunk 2
rsi_91x: Max Stations Allowed = 1
But sometimes the last log is missing and the wlan net device is
not created.
Running a userspace loop that resets the hardware via a GPIO shows the
problem occurring ~5/100 resets.
The problem does not occur in oper mode 1 (wifi only).
Adding logs shows that the initialisation state machine requests a MAC
reset via rsi_send_reset_mac() but the firmware does not reply, leading
to the initialisation sequence being incomplete.
Fix this by delaying attaching the BT adapter until the wifi
initialisation has completed.
With this applied I have done > 300 reset loops with no errors.
Fixes: 716b840c7641 ("rsi: handle BT traffic in driver")
Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
CC: stable@vger.kernel.org
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1630337206-12410-2-git-send-email-martin.fuzzey@flowbird.group
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/rsi/rsi_91x_main.c | 16 +++++++++++++---
drivers/net/wireless/rsi/rsi_91x_mgmt.c | 3 +++
drivers/net/wireless/rsi/rsi_main.h | 2 ++
3 files changed, 18 insertions(+), 3 deletions(-)
--- a/drivers/net/wireless/rsi/rsi_91x_main.c
+++ b/drivers/net/wireless/rsi/rsi_91x_main.c
@@ -211,9 +211,10 @@ int rsi_read_pkt(struct rsi_common *comm
bt_pkt_type = frame_desc[offset + BT_RX_PKT_TYPE_OFST];
if (bt_pkt_type == BT_CARD_READY_IND) {
rsi_dbg(INFO_ZONE, "BT Card ready recvd\n");
- if (rsi_bt_ops.attach(common, &g_proto_ops))
- rsi_dbg(ERR_ZONE,
- "Failed to attach BT module\n");
+ if (common->fsm_state == FSM_MAC_INIT_DONE)
+ rsi_attach_bt(common);
+ else
+ common->bt_defer_attach = true;
} else {
if (common->bt_adapter)
rsi_bt_ops.recv_pkt(common->bt_adapter,
@@ -278,6 +279,15 @@ void rsi_set_bt_context(void *priv, void
}
#endif
+void rsi_attach_bt(struct rsi_common *common)
+{
+#ifdef CONFIG_RSI_COEX
+ if (rsi_bt_ops.attach(common, &g_proto_ops))
+ rsi_dbg(ERR_ZONE,
+ "Failed to attach BT module\n");
+#endif
+}
+
/**
* rsi_91x_init() - This function initializes os interface operations.
* @oper_mode: One of DEV_OPMODE_*.
--- a/drivers/net/wireless/rsi/rsi_91x_mgmt.c
+++ b/drivers/net/wireless/rsi/rsi_91x_mgmt.c
@@ -2071,6 +2071,9 @@ static int rsi_handle_ta_confirm_type(st
if (common->reinit_hw) {
complete(&common->wlan_init_completion);
} else {
+ if (common->bt_defer_attach)
+ rsi_attach_bt(common);
+
return rsi_mac80211_attach(common);
}
}
--- a/drivers/net/wireless/rsi/rsi_main.h
+++ b/drivers/net/wireless/rsi/rsi_main.h
@@ -320,6 +320,7 @@ struct rsi_common {
struct ieee80211_vif *roc_vif;
bool eapol4_confirm;
+ bool bt_defer_attach;
void *bt_adapter;
struct cfg80211_scan_request *hwscan;
@@ -401,5 +402,6 @@ struct rsi_host_intf_ops {
enum rsi_host_intf rsi_get_host_intf(void *priv);
void rsi_set_bt_context(void *priv, void *bt_context);
+void rsi_attach_bt(struct rsi_common *common);
#endif
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 099/917] rsi: fix key enabled check causing unwanted encryption for vap_id > 0
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 098/917] rsi: fix occasional initialisation failure with BT coex Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 100/917] rsi: fix rate mask set leading to P2P failure Greg Kroah-Hartman
` (820 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Fuzzey, Kalle Valo
From: Martin Fuzzey <martin.fuzzey@flowbird.group>
commit 99ac6018821253ec67f466086afb63fc18ea48e2 upstream.
My previous patch checked if encryption should be enabled by directly
checking info->control.hw_key (like the downstream driver).
However that missed that the control and driver_info members of
struct ieee80211_tx_info are union fields.
Due to this when rsi_core_xmit() updates fields in "tx_params"
(driver_info) it can overwrite the control.hw_key, causing the result
of the later test to be incorrect.
With the current structure layout the first byte of control.hw_key is
overlayed with the vap_id so, since we only test if control.hw_key is
NULL / non NULL, a non zero vap_id will incorrectly enable encryption.
In basic STA and AP modes the vap_id is always zero so it works but in
P2P client mode a second VIF is created causing vap_id to be non zero
and hence encryption to be enabled before keys have been set.
Fix this by extracting the key presence flag to a new field in the driver
private tx_params structure and populating it first.
Fixes: 314538041b56 ("rsi: fix AP mode with WPA failure due to encrypted EAPOL")
Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
CC: stable@vger.kernel.org
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1630337206-12410-3-git-send-email-martin.fuzzey@flowbird.group
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/rsi/rsi_91x_core.c | 2 ++
drivers/net/wireless/rsi/rsi_91x_hal.c | 2 +-
drivers/net/wireless/rsi/rsi_main.h | 1 +
3 files changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/rsi/rsi_91x_core.c
+++ b/drivers/net/wireless/rsi/rsi_91x_core.c
@@ -399,6 +399,8 @@ void rsi_core_xmit(struct rsi_common *co
info = IEEE80211_SKB_CB(skb);
tx_params = (struct skb_info *)info->driver_data;
+ /* info->driver_data and info->control part of union so make copy */
+ tx_params->have_key = !!info->control.hw_key;
wh = (struct ieee80211_hdr *)&skb->data[0];
tx_params->sta_id = 0;
--- a/drivers/net/wireless/rsi/rsi_91x_hal.c
+++ b/drivers/net/wireless/rsi/rsi_91x_hal.c
@@ -203,7 +203,7 @@ int rsi_prepare_data_desc(struct rsi_com
wh->frame_control |= cpu_to_le16(RSI_SET_PS_ENABLE);
if ((!(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT)) &&
- info->control.hw_key) {
+ tx_params->have_key) {
if (rsi_is_cipher_wep(common))
ieee80211_size += 4;
else
--- a/drivers/net/wireless/rsi/rsi_main.h
+++ b/drivers/net/wireless/rsi/rsi_main.h
@@ -139,6 +139,7 @@ struct skb_info {
u8 internal_hdr_size;
struct ieee80211_vif *vif;
u8 vap_id;
+ bool have_key;
};
enum edca_queue {
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 100/917] rsi: fix rate mask set leading to P2P failure
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 099/917] rsi: fix key enabled check causing unwanted encryption for vap_id > 0 Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 101/917] rsi: Fix module dev_oper_mode parameter description Greg Kroah-Hartman
` (819 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Fuzzey, Kalle Valo
From: Martin Fuzzey <martin.fuzzey@flowbird.group>
commit b515d097053a71d624e0c5840b42cd4caa653941 upstream.
P2P client mode was only working the first time.
On subsequent connection attempts the group was successfully created but
no data was sent (no transmitted data packets were seen with a sniffer).
The reason for this was that the hardware was being configured in fixed
rate mode with rate RSI_RATE_1 (1Mbps) which is not valid in the 5GHz band.
In P2P mode wpa_supplicant uses NL80211_CMD_SET_TX_BITRATE_MASK to disallow
the 11b rates in the 2.4GHz band which updated common->fixedrate_mask.
rsi_set_min_rate() then used the fixedrate_mask to calculate the minimum
allowed rate, or 0xffff = auto if none was found.
However that calculation did not account for the different rate sets
allowed in the different bands leading to the error.
Fixing set_min_rate() would result in 6Mb/s being used all the time
which is not what we want either.
The reason the problem did not occur on the first connection is that
rsi_mac80211_set_rate_mask() only updated the fixedrate_mask for
the *current* band. When it was called that was still 2.4GHz as the
switch is done later. So the when set_min_rate() was subsequently
called after the switch to 5GHz it still had a mask of zero, leading
to defaulting to auto mode.
Fix this by differentiating the case of a single rate being
requested, in which case the hardware will be used in fixed rate
mode with just that rate, and multiple rates being requested,
in which case we remain in auto mode but the firmware rate selection
algorithm is configured with a restricted set of rates.
Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
CC: stable@vger.kernel.org
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1630337206-12410-4-git-send-email-martin.fuzzey@flowbird.group
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/rsi/rsi_91x_hal.c | 8 +--
drivers/net/wireless/rsi/rsi_91x_mac80211.c | 74 ++++++++--------------------
drivers/net/wireless/rsi/rsi_91x_mgmt.c | 21 +++++--
drivers/net/wireless/rsi/rsi_main.h | 12 +++-
4 files changed, 50 insertions(+), 65 deletions(-)
--- a/drivers/net/wireless/rsi/rsi_91x_hal.c
+++ b/drivers/net/wireless/rsi/rsi_91x_hal.c
@@ -214,15 +214,17 @@ int rsi_prepare_data_desc(struct rsi_com
RSI_WIFI_DATA_Q);
data_desc->header_len = ieee80211_size;
- if (common->min_rate != RSI_RATE_AUTO) {
+ if (common->rate_config[common->band].fixed_enabled) {
/* Send fixed rate */
+ u16 fixed_rate = common->rate_config[common->band].fixed_hw_rate;
+
data_desc->frame_info = cpu_to_le16(RATE_INFO_ENABLE);
- data_desc->rate_info = cpu_to_le16(common->min_rate);
+ data_desc->rate_info = cpu_to_le16(fixed_rate);
if (conf_is_ht40(&common->priv->hw->conf))
data_desc->bbp_info = cpu_to_le16(FULL40M_ENABLE);
- if ((common->vif_info[0].sgi) && (common->min_rate & 0x100)) {
+ if (common->vif_info[0].sgi && (fixed_rate & 0x100)) {
/* Only MCS rates */
data_desc->rate_info |=
cpu_to_le16(ENABLE_SHORTGI_RATE);
--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c
+++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c
@@ -510,7 +510,6 @@ static int rsi_mac80211_add_interface(st
if ((vif->type == NL80211_IFTYPE_AP) ||
(vif->type == NL80211_IFTYPE_P2P_GO)) {
rsi_send_rx_filter_frame(common, DISALLOW_BEACONS);
- common->min_rate = RSI_RATE_AUTO;
for (i = 0; i < common->max_stations; i++)
common->stations[i].sta = NULL;
}
@@ -1228,20 +1227,32 @@ static int rsi_mac80211_set_rate_mask(st
struct ieee80211_vif *vif,
const struct cfg80211_bitrate_mask *mask)
{
+ const unsigned int mcs_offset = ARRAY_SIZE(rsi_rates);
struct rsi_hw *adapter = hw->priv;
struct rsi_common *common = adapter->priv;
- enum nl80211_band band = hw->conf.chandef.chan->band;
+ int i;
mutex_lock(&common->mutex);
- common->fixedrate_mask[band] = 0;
- if (mask->control[band].legacy == 0xfff) {
- common->fixedrate_mask[band] =
- (mask->control[band].ht_mcs[0] << 12);
- } else {
- common->fixedrate_mask[band] =
- mask->control[band].legacy;
+ for (i = 0; i < ARRAY_SIZE(common->rate_config); i++) {
+ struct rsi_rate_config *cfg = &common->rate_config[i];
+ u32 bm;
+
+ bm = mask->control[i].legacy | (mask->control[i].ht_mcs[0] << mcs_offset);
+ if (hweight32(bm) == 1) { /* single rate */
+ int rate_index = ffs(bm) - 1;
+
+ if (rate_index < mcs_offset)
+ cfg->fixed_hw_rate = rsi_rates[rate_index].hw_value;
+ else
+ cfg->fixed_hw_rate = rsi_mcsrates[rate_index - mcs_offset];
+ cfg->fixed_enabled = true;
+ } else {
+ cfg->configured_mask = bm;
+ cfg->fixed_enabled = false;
+ }
}
+
mutex_unlock(&common->mutex);
return 0;
@@ -1378,46 +1389,6 @@ void rsi_indicate_pkt_to_os(struct rsi_c
ieee80211_rx_irqsafe(hw, skb);
}
-static void rsi_set_min_rate(struct ieee80211_hw *hw,
- struct ieee80211_sta *sta,
- struct rsi_common *common)
-{
- u8 band = hw->conf.chandef.chan->band;
- u8 ii;
- u32 rate_bitmap;
- bool matched = false;
-
- common->bitrate_mask[band] = sta->supp_rates[band];
-
- rate_bitmap = (common->fixedrate_mask[band] & sta->supp_rates[band]);
-
- if (rate_bitmap & 0xfff) {
- /* Find out the min rate */
- for (ii = 0; ii < ARRAY_SIZE(rsi_rates); ii++) {
- if (rate_bitmap & BIT(ii)) {
- common->min_rate = rsi_rates[ii].hw_value;
- matched = true;
- break;
- }
- }
- }
-
- common->vif_info[0].is_ht = sta->ht_cap.ht_supported;
-
- if ((common->vif_info[0].is_ht) && (rate_bitmap >> 12)) {
- for (ii = 0; ii < ARRAY_SIZE(rsi_mcsrates); ii++) {
- if ((rate_bitmap >> 12) & BIT(ii)) {
- common->min_rate = rsi_mcsrates[ii];
- matched = true;
- break;
- }
- }
- }
-
- if (!matched)
- common->min_rate = 0xffff;
-}
-
/**
* rsi_mac80211_sta_add() - This function notifies driver about a peer getting
* connected.
@@ -1516,9 +1487,9 @@ static int rsi_mac80211_sta_add(struct i
if ((vif->type == NL80211_IFTYPE_STATION) ||
(vif->type == NL80211_IFTYPE_P2P_CLIENT)) {
- rsi_set_min_rate(hw, sta, common);
+ common->bitrate_mask[common->band] = sta->supp_rates[common->band];
+ common->vif_info[0].is_ht = sta->ht_cap.ht_supported;
if (sta->ht_cap.ht_supported) {
- common->vif_info[0].is_ht = true;
common->bitrate_mask[NL80211_BAND_2GHZ] =
sta->supp_rates[NL80211_BAND_2GHZ];
if ((sta->ht_cap.cap & IEEE80211_HT_CAP_SGI_20) ||
@@ -1592,7 +1563,6 @@ static int rsi_mac80211_sta_remove(struc
bss->qos = sta->wme;
common->bitrate_mask[NL80211_BAND_2GHZ] = 0;
common->bitrate_mask[NL80211_BAND_5GHZ] = 0;
- common->min_rate = 0xffff;
common->vif_info[0].is_ht = false;
common->vif_info[0].sgi = false;
common->vif_info[0].seq_start = 0;
--- a/drivers/net/wireless/rsi/rsi_91x_mgmt.c
+++ b/drivers/net/wireless/rsi/rsi_91x_mgmt.c
@@ -276,7 +276,7 @@ static void rsi_set_default_parameters(s
common->channel_width = BW_20MHZ;
common->rts_threshold = IEEE80211_MAX_RTS_THRESHOLD;
common->channel = 1;
- common->min_rate = 0xffff;
+ memset(&common->rate_config, 0, sizeof(common->rate_config));
common->fsm_state = FSM_CARD_NOT_READY;
common->iface_down = true;
common->endpoint = EP_2GHZ_20MHZ;
@@ -1314,7 +1314,7 @@ static int rsi_send_auto_rate_request(st
u8 band = hw->conf.chandef.chan->band;
u8 num_supported_rates = 0;
u8 rate_table_offset, rate_offset = 0;
- u32 rate_bitmap;
+ u32 rate_bitmap, configured_rates;
u16 *selected_rates, min_rate;
bool is_ht = false, is_sgi = false;
u16 frame_len = sizeof(struct rsi_auto_rate);
@@ -1364,6 +1364,10 @@ static int rsi_send_auto_rate_request(st
is_sgi = true;
}
+ /* Limit to any rates administratively configured by cfg80211 */
+ configured_rates = common->rate_config[band].configured_mask ?: 0xffffffff;
+ rate_bitmap &= configured_rates;
+
if (band == NL80211_BAND_2GHZ) {
if ((rate_bitmap == 0) && (is_ht))
min_rate = RSI_RATE_MCS0;
@@ -1389,10 +1393,13 @@ static int rsi_send_auto_rate_request(st
num_supported_rates = jj;
if (is_ht) {
- for (ii = 0; ii < ARRAY_SIZE(mcs); ii++)
- selected_rates[jj++] = mcs[ii];
- num_supported_rates += ARRAY_SIZE(mcs);
- rate_offset += ARRAY_SIZE(mcs);
+ for (ii = 0; ii < ARRAY_SIZE(mcs); ii++) {
+ if (configured_rates & BIT(ii + ARRAY_SIZE(rsi_rates))) {
+ selected_rates[jj++] = mcs[ii];
+ num_supported_rates++;
+ rate_offset++;
+ }
+ }
}
sort(selected_rates, jj, sizeof(u16), &rsi_compare, NULL);
@@ -1482,7 +1489,7 @@ void rsi_inform_bss_status(struct rsi_co
qos_enable,
aid, sta_id,
vif);
- if (common->min_rate == 0xffff)
+ if (!common->rate_config[common->band].fixed_enabled)
rsi_send_auto_rate_request(common, sta, sta_id, vif);
if (opmode == RSI_OPMODE_STA &&
!(assoc_cap & WLAN_CAPABILITY_PRIVACY) &&
--- a/drivers/net/wireless/rsi/rsi_main.h
+++ b/drivers/net/wireless/rsi/rsi_main.h
@@ -61,6 +61,7 @@ enum RSI_FSM_STATES {
extern u32 rsi_zone_enabled;
extern __printf(2, 3) void rsi_dbg(u32 zone, const char *fmt, ...);
+#define RSI_MAX_BANDS 2
#define RSI_MAX_VIFS 3
#define NUM_EDCA_QUEUES 4
#define IEEE80211_ADDR_LEN 6
@@ -230,6 +231,12 @@ struct rsi_9116_features {
u32 ps_options;
};
+struct rsi_rate_config {
+ u32 configured_mask; /* configured by mac80211 bits 0-11=legacy 12+ mcs */
+ u16 fixed_hw_rate;
+ bool fixed_enabled;
+};
+
struct rsi_common {
struct rsi_hw *priv;
struct vif_priv vif_info[RSI_MAX_VIFS];
@@ -255,8 +262,8 @@ struct rsi_common {
u8 channel_width;
u16 rts_threshold;
- u16 bitrate_mask[2];
- u32 fixedrate_mask[2];
+ u32 bitrate_mask[RSI_MAX_BANDS];
+ struct rsi_rate_config rate_config[RSI_MAX_BANDS];
u8 rf_reset;
struct transmit_q_stats tx_stats;
@@ -277,7 +284,6 @@ struct rsi_common {
u8 mac_id;
u8 radio_id;
u16 rate_pwr[20];
- u16 min_rate;
/* WMM algo related */
u8 selected_qnum;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 101/917] rsi: Fix module dev_oper_mode parameter description
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 100/917] rsi: fix rate mask set leading to P2P failure Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 102/917] perf/x86/intel/uncore: Support extra IMC channel on Ice Lake server Greg Kroah-Hartman
` (818 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Marek Vasut, Amitkumar Karwar,
Angus Ainslie, David S. Miller, Jakub Kicinski, Kalle Valo,
Karun Eagalapati, Martin Fuzzey, Martin Kepplinger,
Prameela Rani Garnepudi, Sebastian Krzyszkowiak,
Siva Rebbagondla, netdev
From: Marek Vasut <marex@denx.de>
commit 31f97cf9f0c31143a2a6fcc89c4a1286ce20157e upstream.
The module parameters are missing dev_oper_mode 12, BT classic alone,
add it. Moreover, the parameters encode newlines, which ends up being
printed malformed e.g. by modinfo, so fix that too.
However, the module parameter string is duplicated in both USB and SDIO
modules and the dev_oper_mode mode enumeration in those module parameters
is a duplicate of macros used by the driver. Furthermore, the enumeration
is confusing.
So, deduplicate the module parameter string and use __stringify() to
encode the correct mode enumeration values into the module parameter
string. Finally, replace 'Wi-Fi' with 'Wi-Fi alone' and 'BT' with
'BT classic alone' to clarify what those modes really mean.
Fixes: 898b255339310 ("rsi: add module parameter operating mode")
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Amitkumar Karwar <amit.karwar@redpinesignals.com>
Cc: Angus Ainslie <angus@akkea.ca>
Cc: David S. Miller <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: Karun Eagalapati <karun256@gmail.com>
Cc: Martin Fuzzey <martin.fuzzey@flowbird.group>
Cc: Martin Kepplinger <martink@posteo.de>
Cc: Prameela Rani Garnepudi <prameela.j04cs@gmail.com>
Cc: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
Cc: Siva Rebbagondla <siva8118@gmail.com>
Cc: netdev@vger.kernel.org
Cc: <stable@vger.kernel.org> # 4.17+
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210916144245.10181-1-marex@denx.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/rsi/rsi_91x_sdio.c | 5 +----
drivers/net/wireless/rsi/rsi_91x_usb.c | 5 +----
drivers/net/wireless/rsi/rsi_hal.h | 11 +++++++++++
3 files changed, 13 insertions(+), 8 deletions(-)
--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c
+++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c
@@ -24,10 +24,7 @@
/* Default operating mode is wlan STA + BT */
static u16 dev_oper_mode = DEV_OPMODE_STA_BT_DUAL;
module_param(dev_oper_mode, ushort, 0444);
-MODULE_PARM_DESC(dev_oper_mode,
- "1[Wi-Fi], 4[BT], 8[BT LE], 5[Wi-Fi STA + BT classic]\n"
- "9[Wi-Fi STA + BT LE], 13[Wi-Fi STA + BT classic + BT LE]\n"
- "6[AP + BT classic], 14[AP + BT classic + BT LE]");
+MODULE_PARM_DESC(dev_oper_mode, DEV_OPMODE_PARAM_DESC);
/**
* rsi_sdio_set_cmd52_arg() - This function prepares cmd 52 read/write arg.
--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
+++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
@@ -25,10 +25,7 @@
/* Default operating mode is wlan STA + BT */
static u16 dev_oper_mode = DEV_OPMODE_STA_BT_DUAL;
module_param(dev_oper_mode, ushort, 0444);
-MODULE_PARM_DESC(dev_oper_mode,
- "1[Wi-Fi], 4[BT], 8[BT LE], 5[Wi-Fi STA + BT classic]\n"
- "9[Wi-Fi STA + BT LE], 13[Wi-Fi STA + BT classic + BT LE]\n"
- "6[AP + BT classic], 14[AP + BT classic + BT LE]");
+MODULE_PARM_DESC(dev_oper_mode, DEV_OPMODE_PARAM_DESC);
static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num, gfp_t flags);
--- a/drivers/net/wireless/rsi/rsi_hal.h
+++ b/drivers/net/wireless/rsi/rsi_hal.h
@@ -28,6 +28,17 @@
#define DEV_OPMODE_AP_BT 6
#define DEV_OPMODE_AP_BT_DUAL 14
+#define DEV_OPMODE_PARAM_DESC \
+ __stringify(DEV_OPMODE_WIFI_ALONE) "[Wi-Fi alone], " \
+ __stringify(DEV_OPMODE_BT_ALONE) "[BT classic alone], " \
+ __stringify(DEV_OPMODE_BT_LE_ALONE) "[BT LE alone], " \
+ __stringify(DEV_OPMODE_BT_DUAL) "[BT classic + BT LE alone], " \
+ __stringify(DEV_OPMODE_STA_BT) "[Wi-Fi STA + BT classic], " \
+ __stringify(DEV_OPMODE_STA_BT_LE) "[Wi-Fi STA + BT LE], " \
+ __stringify(DEV_OPMODE_STA_BT_DUAL) "[Wi-Fi STA + BT classic + BT LE], " \
+ __stringify(DEV_OPMODE_AP_BT) "[Wi-Fi AP + BT classic], " \
+ __stringify(DEV_OPMODE_AP_BT_DUAL) "[Wi-Fi AP + BT classic + BT LE]"
+
#define FLASH_WRITE_CHUNK_SIZE (4 * 1024)
#define FLASH_SECTOR_SIZE (4 * 1024)
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 102/917] perf/x86/intel/uncore: Support extra IMC channel on Ice Lake server
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 101/917] rsi: Fix module dev_oper_mode parameter description Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 103/917] perf/x86/intel/uncore: Fix invalid unit check Greg Kroah-Hartman
` (817 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Kan Liang, Peter Zijlstra (Intel),
Andi Kleen
From: Kan Liang <kan.liang@linux.intel.com>
commit 496a18f09374ad89b3ab4366019bc3975db90234 upstream.
There are three channels on a Ice Lake server, but only two channels
will ever be active. Current perf only enables two channels.
Support the extra IMC channel, which may be activated on some Ice Lake
machines. For a non-activated channel, the SW can still access it. The
write will be ignored by the HW. 0 is always returned for the reading.
Fixes: 2b3b76b5ec67 ("perf/x86/intel/uncore: Add Ice Lake server uncore support")
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Andi Kleen <ak@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1629991963-102621-2-git-send-email-kan.liang@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/uncore_snbep.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -452,7 +452,7 @@
#define ICX_M3UPI_PCI_PMON_BOX_CTL 0xa0
/* ICX IMC */
-#define ICX_NUMBER_IMC_CHN 2
+#define ICX_NUMBER_IMC_CHN 3
#define ICX_IMC_MEM_STRIDE 0x4
/* SPR */
@@ -5463,7 +5463,7 @@ static struct intel_uncore_ops icx_uncor
static struct intel_uncore_type icx_uncore_imc = {
.name = "imc",
.num_counters = 4,
- .num_boxes = 8,
+ .num_boxes = 12,
.perf_ctr_bits = 48,
.fixed_ctr_bits = 48,
.fixed_ctr = SNR_IMC_MMIO_PMON_FIXED_CTR,
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 103/917] perf/x86/intel/uncore: Fix invalid unit check
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 102/917] perf/x86/intel/uncore: Support extra IMC channel on Ice Lake server Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 104/917] perf/x86/intel/uncore: Fix Intel ICX IIO event constraints Greg Kroah-Hartman
` (816 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Kan Liang, Peter Zijlstra (Intel),
Andi Kleen
From: Kan Liang <kan.liang@linux.intel.com>
commit e2bb9fab08cbcc7922050c7eb0bd650807abfa4e upstream.
The uncore unit with the type ID 0 and the unit ID 0 is missed.
The table3 of the uncore unit maybe 0. The
uncore_discovery_invalid_unit() mistakenly treated it as an invalid
value.
Remove the !unit.table3 check.
Fixes: edae1f06c2cd ("perf/x86/intel/uncore: Parse uncore discovery tables")
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Andi Kleen <ak@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1629991963-102621-3-git-send-email-kan.liang@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/uncore_discovery.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/events/intel/uncore_discovery.h
+++ b/arch/x86/events/intel/uncore_discovery.h
@@ -30,7 +30,7 @@
#define uncore_discovery_invalid_unit(unit) \
- (!unit.table1 || !unit.ctl || !unit.table3 || \
+ (!unit.table1 || !unit.ctl || \
unit.table1 == -1ULL || unit.ctl == -1ULL || \
unit.table3 == -1ULL)
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 104/917] perf/x86/intel/uncore: Fix Intel ICX IIO event constraints
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 103/917] perf/x86/intel/uncore: Fix invalid unit check Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 105/917] RDMA/qedr: Fix NULL deref for query_qp on the GSI QP Greg Kroah-Hartman
` (815 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Kan Liang, Peter Zijlstra (Intel)
From: Kan Liang <kan.liang@linux.intel.com>
commit f42e8a603c88f72bf047a710b9fc1d3579f31e71 upstream.
According to the latest uncore document, both NUM_OUTSTANDING_REQ_OF_CPU
(0x88) event and COMP_BUF_OCCUPANCY(0xd5) event also have constraints. Add
them into the event constraints table.
Fixes: 2b3b76b5ec67 ("perf/x86/intel/uncore: Add Ice Lake server uncore support")
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1629991963-102621-4-git-send-email-kan.liang@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/uncore_snbep.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -5076,8 +5076,10 @@ static struct event_constraint icx_uncor
UNCORE_EVENT_CONSTRAINT(0x02, 0x3),
UNCORE_EVENT_CONSTRAINT(0x03, 0x3),
UNCORE_EVENT_CONSTRAINT(0x83, 0x3),
+ UNCORE_EVENT_CONSTRAINT(0x88, 0xc),
UNCORE_EVENT_CONSTRAINT(0xc0, 0xc),
UNCORE_EVENT_CONSTRAINT(0xc5, 0xc),
+ UNCORE_EVENT_CONSTRAINT(0xd5, 0xc),
EVENT_CONSTRAINT_END
};
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 105/917] RDMA/qedr: Fix NULL deref for query_qp on the GSI QP
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 104/917] perf/x86/intel/uncore: Fix Intel ICX IIO event constraints Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 106/917] ASoC: tegra: Set default card name for Trimslice Greg Kroah-Hartman
` (814 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ariel Elior, Shai Malin,
Prabhakar Kushwaha, Alok Prasad, Jason Gunthorpe
From: Alok Prasad <palok@marvell.com>
commit 4f960393a0ee9a39469ceb7c8077ae8db665cc12 upstream.
This patch fixes a crash caused by querying the QP via netlink, and
corrects the state of GSI qp. GSI qp's have a NULL qed_qp.
The call trace is generated by:
$ rdma res show
BUG: kernel NULL pointer dereference, address: 0000000000000034
Hardware name: Dell Inc. PowerEdge R720/0M1GCR, BIOS 1.2.6 05/10/2012
RIP: 0010:qed_rdma_query_qp+0x33/0x1a0 [qed]
RSP: 0018:ffffba560a08f580 EFLAGS: 00010206
RAX: 0000000200000000 RBX: ffffba560a08f5b8 RCX: 0000000000000000
RDX: ffffba560a08f5b8 RSI: 0000000000000000 RDI: ffff9807ee458090
RBP: ffffba560a08f5a0 R08: 0000000000000000 R09: ffff9807890e7048
R10: ffffba560a08f658 R11: 0000000000000000 R12: 0000000000000000
R13: ffff9807ee458090 R14: ffff9807f0afb000 R15: ffffba560a08f7ec
FS: 00007fbbf8bfe740(0000) GS:ffff980aafa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000034 CR3: 00000001720ba001 CR4: 00000000000606f0
Call Trace:
qedr_query_qp+0x82/0x360 [qedr]
ib_query_qp+0x34/0x40 [ib_core]
? ib_query_qp+0x34/0x40 [ib_core]
fill_res_qp_entry_query.isra.26+0x47/0x1d0 [ib_core]
? __nla_put+0x20/0x30
? nla_put+0x33/0x40
fill_res_qp_entry+0xe3/0x120 [ib_core]
res_get_common_dumpit+0x3f8/0x5d0 [ib_core]
? fill_res_cm_id_entry+0x1f0/0x1f0 [ib_core]
nldev_res_get_qp_dumpit+0x1a/0x20 [ib_core]
netlink_dump+0x156/0x2f0
__netlink_dump_start+0x1ab/0x260
rdma_nl_rcv+0x1de/0x330 [ib_core]
? nldev_res_get_cm_id_dumpit+0x20/0x20 [ib_core]
netlink_unicast+0x1b8/0x270
netlink_sendmsg+0x33e/0x470
sock_sendmsg+0x63/0x70
__sys_sendto+0x13f/0x180
? setup_sgl.isra.12+0x70/0xc0
__x64_sys_sendto+0x28/0x30
do_syscall_64+0x3a/0xb0
entry_SYSCALL_64_after_hwframe+0x44/0xae
Cc: stable@vger.kernel.org
Fixes: cecbcddf6461 ("qedr: Add support for QP verbs")
Link: https://lore.kernel.org/r/20211027184329.18454-1-palok@marvell.com
Signed-off-by: Ariel Elior <aelior@marvell.com>
Signed-off-by: Shai Malin <smalin@marvell.com>
Signed-off-by: Prabhakar Kushwaha <pkushwaha@marvell.com>
Signed-off-by: Alok Prasad <palok@marvell.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/qedr/verbs.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/drivers/infiniband/hw/qedr/verbs.c
+++ b/drivers/infiniband/hw/qedr/verbs.c
@@ -2744,15 +2744,18 @@ int qedr_query_qp(struct ib_qp *ibqp,
int rc = 0;
memset(¶ms, 0, sizeof(params));
-
- rc = dev->ops->rdma_query_qp(dev->rdma_ctx, qp->qed_qp, ¶ms);
- if (rc)
- goto err;
-
memset(qp_attr, 0, sizeof(*qp_attr));
memset(qp_init_attr, 0, sizeof(*qp_init_attr));
- qp_attr->qp_state = qedr_get_ibqp_state(params.state);
+ if (qp->qp_type != IB_QPT_GSI) {
+ rc = dev->ops->rdma_query_qp(dev->rdma_ctx, qp->qed_qp, ¶ms);
+ if (rc)
+ goto err;
+ qp_attr->qp_state = qedr_get_ibqp_state(params.state);
+ } else {
+ qp_attr->qp_state = qedr_get_ibqp_state(QED_ROCE_QP_STATE_RTS);
+ }
+
qp_attr->cur_qp_state = qedr_get_ibqp_state(params.state);
qp_attr->path_mtu = ib_mtu_int_to_enum(params.mtu);
qp_attr->path_mig_state = IB_MIG_MIGRATED;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 106/917] ASoC: tegra: Set default card name for Trimslice
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 105/917] RDMA/qedr: Fix NULL deref for query_qp on the GSI QP Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 107/917] ASoC: tegra: Restore AC97 support Greg Kroah-Hartman
` (813 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Mark Brown
From: Dmitry Osipenko <digetx@gmail.com>
commit 824edd866a13db7dbb0d8e26d2142f10271b6460 upstream.
The default card name for Trimslice device should be "tegra-trimslice".
It got lost by accident during unification of machine sound drivers,
fix it.
Cc: <stable@vger.kernel.org>
Fixes: cc8f70f56039 ("ASoC: tegra: Unify ASoC machine drivers")
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Link: https://lore.kernel.org/r/20211024192853.21957-2-digetx@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/tegra/tegra_asoc_machine.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/soc/tegra/tegra_asoc_machine.c
+++ b/sound/soc/tegra/tegra_asoc_machine.c
@@ -686,6 +686,7 @@ static struct snd_soc_dai_link tegra_tlv
};
static struct snd_soc_card snd_soc_tegra_trimslice = {
+ .name = "tegra-trimslice",
.components = "codec:tlv320aic23",
.dai_link = &tegra_tlv320aic23_dai,
.num_links = 1,
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 107/917] ASoC: tegra: Restore AC97 support
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 106/917] ASoC: tegra: Set default card name for Trimslice Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 108/917] signal: Remove the bogus sigkill_pending in ptrace_stop Greg Kroah-Hartman
` (812 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Mark Brown
From: Dmitry Osipenko <digetx@gmail.com>
commit de8fc2b0a3f9930f3cbe801d40758bb1d80b0ad8 upstream.
The device-tree of AC97 codecs need to be parsed differently from I2S
codecs, plus codec device may need to be created. This was missed by the
patch that unified machine drivers into a single driver, fix it. It should
restore audio on Toradex Colibri board.
Cc: <stable@vger.kernel.org>
Fixes: cc8f70f56039 ("ASoC: tegra: Unify ASoC machine drivers")
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Link: https://lore.kernel.org/r/20211024192853.21957-1-digetx@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/tegra/tegra_asoc_machine.c | 63 ++++++++++++++++++++++++++++-------
sound/soc/tegra/tegra_asoc_machine.h | 1
2 files changed, 52 insertions(+), 12 deletions(-)
--- a/sound/soc/tegra/tegra_asoc_machine.c
+++ b/sound/soc/tegra/tegra_asoc_machine.c
@@ -341,9 +341,34 @@ tegra_machine_parse_phandle(struct devic
return np;
}
+static void tegra_machine_unregister_codec(void *pdev)
+{
+ platform_device_unregister(pdev);
+}
+
+static int tegra_machine_register_codec(struct device *dev, const char *name)
+{
+ struct platform_device *pdev;
+ int err;
+
+ if (!name)
+ return 0;
+
+ pdev = platform_device_register_simple(name, -1, NULL, 0);
+ if (IS_ERR(pdev))
+ return PTR_ERR(pdev);
+
+ err = devm_add_action_or_reset(dev, tegra_machine_unregister_codec,
+ pdev);
+ if (err)
+ return err;
+
+ return 0;
+}
+
int tegra_asoc_machine_probe(struct platform_device *pdev)
{
- struct device_node *np_codec, *np_i2s;
+ struct device_node *np_codec, *np_i2s, *np_ac97;
const struct tegra_asoc_data *asoc;
struct device *dev = &pdev->dev;
struct tegra_machine *machine;
@@ -404,17 +429,30 @@ int tegra_asoc_machine_probe(struct plat
return err;
}
- np_codec = tegra_machine_parse_phandle(dev, "nvidia,audio-codec");
- if (IS_ERR(np_codec))
- return PTR_ERR(np_codec);
-
- np_i2s = tegra_machine_parse_phandle(dev, "nvidia,i2s-controller");
- if (IS_ERR(np_i2s))
- return PTR_ERR(np_i2s);
-
- card->dai_link->cpus->of_node = np_i2s;
- card->dai_link->codecs->of_node = np_codec;
- card->dai_link->platforms->of_node = np_i2s;
+ if (asoc->set_ac97) {
+ err = tegra_machine_register_codec(dev, asoc->codec_dev_name);
+ if (err)
+ return err;
+
+ np_ac97 = tegra_machine_parse_phandle(dev, "nvidia,ac97-controller");
+ if (IS_ERR(np_ac97))
+ return PTR_ERR(np_ac97);
+
+ card->dai_link->cpus->of_node = np_ac97;
+ card->dai_link->platforms->of_node = np_ac97;
+ } else {
+ np_codec = tegra_machine_parse_phandle(dev, "nvidia,audio-codec");
+ if (IS_ERR(np_codec))
+ return PTR_ERR(np_codec);
+
+ np_i2s = tegra_machine_parse_phandle(dev, "nvidia,i2s-controller");
+ if (IS_ERR(np_i2s))
+ return PTR_ERR(np_i2s);
+
+ card->dai_link->cpus->of_node = np_i2s;
+ card->dai_link->codecs->of_node = np_codec;
+ card->dai_link->platforms->of_node = np_i2s;
+ }
if (asoc->add_common_controls) {
card->controls = tegra_machine_controls;
@@ -589,6 +627,7 @@ static struct snd_soc_card snd_soc_tegra
static const struct tegra_asoc_data tegra_wm9712_data = {
.card = &snd_soc_tegra_wm9712,
.add_common_dapm_widgets = true,
+ .codec_dev_name = "wm9712-codec",
.set_ac97 = true,
};
--- a/sound/soc/tegra/tegra_asoc_machine.h
+++ b/sound/soc/tegra/tegra_asoc_machine.h
@@ -13,6 +13,7 @@ struct snd_soc_pcm_runtime;
struct tegra_asoc_data {
unsigned int (*mclk_rate)(unsigned int srate);
+ const char *codec_dev_name;
struct snd_soc_card *card;
unsigned int mclk_id;
bool hp_jack_gpio_active_low;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 108/917] signal: Remove the bogus sigkill_pending in ptrace_stop
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 107/917] ASoC: tegra: Restore AC97 support Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 109/917] memory: renesas-rpc-if: Correct QSPI data transfer in Manual mode Greg Kroah-Hartman
` (811 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kees Cook, Eric W. Biederman
From: Eric W. Biederman <ebiederm@xmission.com>
commit 7d613f9f72ec8f90ddefcae038fdae5adb8404b3 upstream.
The existence of sigkill_pending is a little silly as it is
functionally a duplicate of fatal_signal_pending that is used in
exactly one place.
Checking for pending fatal signals and returning early in ptrace_stop
is actively harmful. It casues the ptrace_stop called by
ptrace_signal to return early before setting current->exit_code.
Later when ptrace_signal reads the signal number from
current->exit_code is undefined, making it unpredictable what will
happen.
Instead rely on the fact that schedule will not sleep if there is a
pending signal that can awaken a task.
Removing the explict sigkill_pending test fixes fixes ptrace_signal
when ptrace_stop does not stop because current->exit_code is always
set to to signr.
Cc: stable@vger.kernel.org
Fixes: 3d749b9e676b ("ptrace: simplify ptrace_stop()->sigkill_pending() path")
Fixes: 1a669c2f16d4 ("Add arch_ptrace_stop")
Link: https://lkml.kernel.org/r/87pmsyx29t.fsf@disp2133
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/signal.c | 18 ++++--------------
1 file changed, 4 insertions(+), 14 deletions(-)
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2169,15 +2169,6 @@ static inline bool may_ptrace_stop(void)
return true;
}
-/*
- * Return non-zero if there is a SIGKILL that should be waking us up.
- * Called with the siglock held.
- */
-static bool sigkill_pending(struct task_struct *tsk)
-{
- return sigismember(&tsk->pending.signal, SIGKILL) ||
- sigismember(&tsk->signal->shared_pending.signal, SIGKILL);
-}
/*
* This must be called with current->sighand->siglock held.
@@ -2204,17 +2195,16 @@ static void ptrace_stop(int exit_code, i
* calling arch_ptrace_stop, so we must release it now.
* To preserve proper semantics, we must do this before
* any signal bookkeeping like checking group_stop_count.
- * Meanwhile, a SIGKILL could come in before we retake the
- * siglock. That must prevent us from sleeping in TASK_TRACED.
- * So after regaining the lock, we must check for SIGKILL.
*/
spin_unlock_irq(¤t->sighand->siglock);
arch_ptrace_stop(exit_code, info);
spin_lock_irq(¤t->sighand->siglock);
- if (sigkill_pending(current))
- return;
}
+ /*
+ * schedule() will not sleep if there is a pending signal that
+ * can awaken the task.
+ */
set_special_state(TASK_TRACED);
/*
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 109/917] memory: renesas-rpc-if: Correct QSPI data transfer in Manual mode
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 108/917] signal: Remove the bogus sigkill_pending in ptrace_stop Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 110/917] signal/mips: Update (_save|_restore)_fp_context to fail with -EFAULT Greg Kroah-Hartman
` (810 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Duc Nguyen, Wolfram Sang,
Lad Prabhakar, Krzysztof Kozlowski
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
commit fff53a551db50f5edecaa0b29a64056ab8d2bbca upstream.
This patch fixes 2 problems:
[1] The output warning logs and data loss when performing
mount/umount then remount the device with jffs2 format.
[2] The access width of SMWDR[0:1]/SMRDR[0:1] register is wrong.
This is the sample warning logs when performing mount/umount then
remount the device with jffs2 format:
jffs2: jffs2_scan_inode_node(): CRC failed on node at 0x031c51d4:
Read 0x00034e00, calculated 0xadb272a7
The reason for issue [1] is that the writing data seems to
get messed up.
Data is only completed when the number of bytes is divisible by 4.
If you only have 3 bytes of data left to write, 1 garbage byte
is inserted after the end of the write stream.
If you only have 2 bytes of data left to write, 2 bytes of '00'
are added into the write stream.
If you only have 1 byte of data left to write, 2 bytes of '00'
are added into the write stream. 1 garbage byte is inserted after
the end of the write stream.
To solve problem [1], data must be written continuously in serial
and the write stream ends when data is out.
Following HW manual 62.2.15, access to SMWDR0 register should be
in the same size as the transfer size specified in the SPIDE[3:0]
bits in the manual mode enable setting register (SMENR).
Be sure to access from address 0.
So, in 16-bit transfer (SPIDE[3:0]=b'1100), SMWDR0 should be
accessed by 16-bit width.
Similar to SMWDR1, SMDDR0/1 registers.
In current code, SMWDR0 register is accessed by regmap_write()
that only set up to do 32-bit width.
To solve problem [2], data must be written 16-bit or 8-bit when
transferring 1-byte or 2-byte.
Fixes: ca7d8b980b67 ("memory: add Renesas RPC-IF driver")
Cc: <stable@vger.kernel.org>
Signed-off-by: Duc Nguyen <duc.nguyen.ub@renesas.com>
[wsa: refactored to use regmap only via reg_read/reg_write]
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Tested-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Link: https://lore.kernel.org/r/20210922091007.5516-1-wsa+renesas@sang-engineering.com
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/memory/renesas-rpc-if.c | 113 +++++++++++++++++++++++++++-------------
include/memory/renesas-rpc-if.h | 1
2 files changed, 79 insertions(+), 35 deletions(-)
--- a/drivers/memory/renesas-rpc-if.c
+++ b/drivers/memory/renesas-rpc-if.c
@@ -160,10 +160,62 @@ static const struct regmap_access_table
.n_yes_ranges = ARRAY_SIZE(rpcif_volatile_ranges),
};
+
+/*
+ * Custom accessor functions to ensure SMRDR0 and SMWDR0 are always accessed
+ * with proper width. Requires SMENR_SPIDE to be correctly set before!
+ */
+static int rpcif_reg_read(void *context, unsigned int reg, unsigned int *val)
+{
+ struct rpcif *rpc = context;
+
+ if (reg == RPCIF_SMRDR0 || reg == RPCIF_SMWDR0) {
+ u32 spide = readl(rpc->base + RPCIF_SMENR) & RPCIF_SMENR_SPIDE(0xF);
+
+ if (spide == 0x8) {
+ *val = readb(rpc->base + reg);
+ return 0;
+ } else if (spide == 0xC) {
+ *val = readw(rpc->base + reg);
+ return 0;
+ } else if (spide != 0xF) {
+ return -EILSEQ;
+ }
+ }
+
+ *val = readl(rpc->base + reg);
+ return 0;
+
+}
+
+static int rpcif_reg_write(void *context, unsigned int reg, unsigned int val)
+{
+ struct rpcif *rpc = context;
+
+ if (reg == RPCIF_SMRDR0 || reg == RPCIF_SMWDR0) {
+ u32 spide = readl(rpc->base + RPCIF_SMENR) & RPCIF_SMENR_SPIDE(0xF);
+
+ if (spide == 0x8) {
+ writeb(val, rpc->base + reg);
+ return 0;
+ } else if (spide == 0xC) {
+ writew(val, rpc->base + reg);
+ return 0;
+ } else if (spide != 0xF) {
+ return -EILSEQ;
+ }
+ }
+
+ writel(val, rpc->base + reg);
+ return 0;
+}
+
static const struct regmap_config rpcif_regmap_config = {
.reg_bits = 32,
.val_bits = 32,
.reg_stride = 4,
+ .reg_read = rpcif_reg_read,
+ .reg_write = rpcif_reg_write,
.fast_io = true,
.max_register = RPCIF_PHYINT,
.volatile_table = &rpcif_volatile_table,
@@ -173,17 +225,15 @@ int rpcif_sw_init(struct rpcif *rpc, str
{
struct platform_device *pdev = to_platform_device(dev);
struct resource *res;
- void __iomem *base;
rpc->dev = dev;
res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "regs");
- base = devm_ioremap_resource(&pdev->dev, res);
- if (IS_ERR(base))
- return PTR_ERR(base);
+ rpc->base = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(rpc->base))
+ return PTR_ERR(rpc->base);
- rpc->regmap = devm_regmap_init_mmio(&pdev->dev, base,
- &rpcif_regmap_config);
+ rpc->regmap = devm_regmap_init(&pdev->dev, NULL, rpc, &rpcif_regmap_config);
if (IS_ERR(rpc->regmap)) {
dev_err(&pdev->dev,
"failed to init regmap for rpcif, error %ld\n",
@@ -354,20 +404,16 @@ void rpcif_prepare(struct rpcif *rpc, co
nbytes = op->data.nbytes;
rpc->xferlen = nbytes;
- rpc->enable |= RPCIF_SMENR_SPIDE(rpcif_bits_set(rpc, nbytes)) |
- RPCIF_SMENR_SPIDB(rpcif_bit_size(op->data.buswidth));
+ rpc->enable |= RPCIF_SMENR_SPIDB(rpcif_bit_size(op->data.buswidth));
}
}
EXPORT_SYMBOL(rpcif_prepare);
int rpcif_manual_xfer(struct rpcif *rpc)
{
- u32 smenr, smcr, pos = 0, max = 4;
+ u32 smenr, smcr, pos = 0, max = rpc->bus_size == 2 ? 8 : 4;
int ret = 0;
- if (rpc->bus_size == 2)
- max = 8;
-
pm_runtime_get_sync(rpc->dev);
regmap_update_bits(rpc->regmap, RPCIF_PHYCNT,
@@ -378,37 +424,36 @@ int rpcif_manual_xfer(struct rpcif *rpc)
regmap_write(rpc->regmap, RPCIF_SMOPR, rpc->option);
regmap_write(rpc->regmap, RPCIF_SMDMCR, rpc->dummy);
regmap_write(rpc->regmap, RPCIF_SMDRENR, rpc->ddr);
+ regmap_write(rpc->regmap, RPCIF_SMADR, rpc->smadr);
smenr = rpc->enable;
switch (rpc->dir) {
case RPCIF_DATA_OUT:
while (pos < rpc->xferlen) {
- u32 nbytes = rpc->xferlen - pos;
- u32 data[2];
+ u32 bytes_left = rpc->xferlen - pos;
+ u32 nbytes, data[2];
smcr = rpc->smcr | RPCIF_SMCR_SPIE;
- if (nbytes > max) {
- nbytes = max;
+
+ /* nbytes may only be 1, 2, 4, or 8 */
+ nbytes = bytes_left >= max ? max : (1 << ilog2(bytes_left));
+ if (bytes_left > nbytes)
smcr |= RPCIF_SMCR_SSLKP;
- }
+
+ smenr |= RPCIF_SMENR_SPIDE(rpcif_bits_set(rpc, nbytes));
+ regmap_write(rpc->regmap, RPCIF_SMENR, smenr);
memcpy(data, rpc->buffer + pos, nbytes);
- if (nbytes > 4) {
+ if (nbytes == 8) {
regmap_write(rpc->regmap, RPCIF_SMWDR1,
data[0]);
regmap_write(rpc->regmap, RPCIF_SMWDR0,
data[1]);
- } else if (nbytes > 2) {
+ } else {
regmap_write(rpc->regmap, RPCIF_SMWDR0,
data[0]);
- } else {
- regmap_write(rpc->regmap, RPCIF_SMWDR0,
- data[0] << 16);
}
- regmap_write(rpc->regmap, RPCIF_SMADR,
- rpc->smadr + pos);
- regmap_write(rpc->regmap, RPCIF_SMENR, smenr);
regmap_write(rpc->regmap, RPCIF_SMCR, smcr);
ret = wait_msg_xfer_end(rpc);
if (ret)
@@ -448,14 +493,16 @@ int rpcif_manual_xfer(struct rpcif *rpc)
break;
}
while (pos < rpc->xferlen) {
- u32 nbytes = rpc->xferlen - pos;
- u32 data[2];
+ u32 bytes_left = rpc->xferlen - pos;
+ u32 nbytes, data[2];
- if (nbytes > max)
- nbytes = max;
+ /* nbytes may only be 1, 2, 4, or 8 */
+ nbytes = bytes_left >= max ? max : (1 << ilog2(bytes_left));
regmap_write(rpc->regmap, RPCIF_SMADR,
rpc->smadr + pos);
+ smenr &= ~RPCIF_SMENR_SPIDE(0xF);
+ smenr |= RPCIF_SMENR_SPIDE(rpcif_bits_set(rpc, nbytes));
regmap_write(rpc->regmap, RPCIF_SMENR, smenr);
regmap_write(rpc->regmap, RPCIF_SMCR,
rpc->smcr | RPCIF_SMCR_SPIE);
@@ -463,18 +510,14 @@ int rpcif_manual_xfer(struct rpcif *rpc)
if (ret)
goto err_out;
- if (nbytes > 4) {
+ if (nbytes == 8) {
regmap_read(rpc->regmap, RPCIF_SMRDR1,
&data[0]);
regmap_read(rpc->regmap, RPCIF_SMRDR0,
&data[1]);
- } else if (nbytes > 2) {
- regmap_read(rpc->regmap, RPCIF_SMRDR0,
- &data[0]);
- } else {
+ } else {
regmap_read(rpc->regmap, RPCIF_SMRDR0,
&data[0]);
- data[0] >>= 16;
}
memcpy(rpc->buffer + pos, data, nbytes);
--- a/include/memory/renesas-rpc-if.h
+++ b/include/memory/renesas-rpc-if.h
@@ -59,6 +59,7 @@ struct rpcif_op {
struct rpcif {
struct device *dev;
+ void __iomem *base;
void __iomem *dirmap;
struct regmap *regmap;
struct reset_control *rstc;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 110/917] signal/mips: Update (_save|_restore)_fp_context to fail with -EFAULT
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 109/917] memory: renesas-rpc-if: Correct QSPI data transfer in Manual mode Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 111/917] signal: Add SA_IMMUTABLE to ensure forced siganls do not get changed Greg Kroah-Hartman
` (809 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Thomas Bogendoerfer, Maciej Rozycki,
linux-mips, Eric W. Biederman
From: Eric W. Biederman <ebiederm@xmission.com>
commit 95bf9d646c3c3f95cb0be7e703b371db8da5be68 upstream.
When an instruction to save or restore a register from the stack fails
in _save_fp_context or _restore_fp_context return with -EFAULT. This
change was made to r2300_fpu.S[1] but it looks like it got lost with
the introduction of EX2[2]. This is also what the other implementation
of _save_fp_context and _restore_fp_context in r4k_fpu.S does, and
what is needed for the callers to be able to handle the error.
Furthermore calling do_exit(SIGSEGV) from bad_stack is wrong because
it does not terminate the entire process it just terminates a single
thread.
As the changed code was the only caller of arch/mips/kernel/syscall.c:bad_stack
remove the problematic and now unused helper function.
Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Cc: Maciej Rozycki <macro@orcam.me.uk>
Cc: linux-mips@vger.kernel.org
[1] 35938a00ba86 ("MIPS: Fix ISA I FP sigcontext access violation handling")
[2] f92722dc4545 ("MIPS: Correct MIPS I FP sigcontext layout")
Cc: stable@vger.kernel.org
Fixes: f92722dc4545 ("MIPS: Correct MIPS I FP sigcontext layout")
Acked-by: Maciej W. Rozycki <macro@orcam.me.uk>
Acked-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Link: https://lkml.kernel.org/r/20211020174406.17889-5-ebiederm@xmission.com
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/kernel/r2300_fpu.S | 4 ++--
arch/mips/kernel/syscall.c | 9 ---------
2 files changed, 2 insertions(+), 11 deletions(-)
--- a/arch/mips/kernel/r2300_fpu.S
+++ b/arch/mips/kernel/r2300_fpu.S
@@ -29,8 +29,8 @@
#define EX2(a,b) \
9: a,##b; \
.section __ex_table,"a"; \
- PTR 9b,bad_stack; \
- PTR 9b+4,bad_stack; \
+ PTR 9b,fault; \
+ PTR 9b+4,fault; \
.previous
.set mips1
--- a/arch/mips/kernel/syscall.c
+++ b/arch/mips/kernel/syscall.c
@@ -240,12 +240,3 @@ SYSCALL_DEFINE3(cachectl, char *, addr,
{
return -ENOSYS;
}
-
-/*
- * If we ever come here the user sp is bad. Zap the process right away.
- * Due to the bad stack signaling wouldn't work.
- */
-asmlinkage void bad_stack(void)
-{
- do_exit(SIGSEGV);
-}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 111/917] signal: Add SA_IMMUTABLE to ensure forced siganls do not get changed
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 110/917] signal/mips: Update (_save|_restore)_fp_context to fail with -EFAULT Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 112/917] soc: samsung: exynos-pmu: Fix compilation when nothing selects CONFIG_MFD_CORE Greg Kroah-Hartman
` (808 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Andrea Righi, Kees Cook, Eric W. Biederman
From: Eric W. Biederman <ebiederm@xmission.com>
commit 00b06da29cf9dc633cdba87acd3f57f4df3fd5c7 upstream.
As Andy pointed out that there are races between
force_sig_info_to_task and sigaction[1] when force_sig_info_task. As
Kees discovered[2] ptrace is also able to change these signals.
In the case of seeccomp killing a process with a signal it is a
security violation to allow the signal to be caught or manipulated.
Solve this problem by introducing a new flag SA_IMMUTABLE that
prevents sigaction and ptrace from modifying these forced signals.
This flag is carefully made kernel internal so that no new ABI is
introduced.
Longer term I think this can be solved by guaranteeing short circuit
delivery of signals in this case. Unfortunately reliable and
guaranteed short circuit delivery of these signals is still a ways off
from being implemented, tested, and merged. So I have implemented a much
simpler alternative for now.
[1] https://lkml.kernel.org/r/b5d52d25-7bde-4030-a7b1-7c6f8ab90660@www.fastmail.com
[2] https://lkml.kernel.org/r/202110281136.5CE65399A7@keescook
Cc: stable@vger.kernel.org
Fixes: 307d522f5eb8 ("signal/seccomp: Refactor seccomp signal and coredump generation")
Tested-by: Andrea Righi <andrea.righi@canonical.com>
Tested-by: Kees Cook <keescook@chromium.org>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/signal_types.h | 3 +++
include/uapi/asm-generic/signal-defs.h | 1 +
kernel/signal.c | 8 +++++++-
3 files changed, 11 insertions(+), 1 deletion(-)
--- a/include/linux/signal_types.h
+++ b/include/linux/signal_types.h
@@ -70,6 +70,9 @@ struct ksignal {
int sig;
};
+/* Used to kill the race between sigaction and forced signals */
+#define SA_IMMUTABLE 0x00800000
+
#ifndef __ARCH_UAPI_SA_FLAGS
#ifdef SA_RESTORER
#define __ARCH_UAPI_SA_FLAGS SA_RESTORER
--- a/include/uapi/asm-generic/signal-defs.h
+++ b/include/uapi/asm-generic/signal-defs.h
@@ -45,6 +45,7 @@
#define SA_UNSUPPORTED 0x00000400
#define SA_EXPOSE_TAGBITS 0x00000800
/* 0x00010000 used on mips */
+/* 0x00800000 used for internal SA_IMMUTABLE */
/* 0x01000000 used on x86 */
/* 0x02000000 used on x86 */
/*
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1323,6 +1323,7 @@ force_sig_info_to_task(struct kernel_sig
blocked = sigismember(&t->blocked, sig);
if (blocked || ignored || sigdfl) {
action->sa.sa_handler = SIG_DFL;
+ action->sa.sa_flags |= SA_IMMUTABLE;
if (blocked) {
sigdelset(&t->blocked, sig);
recalc_sigpending_and_wake(t);
@@ -2729,7 +2730,8 @@ relock:
if (!signr)
break; /* will return 0 */
- if (unlikely(current->ptrace) && signr != SIGKILL) {
+ if (unlikely(current->ptrace) && (signr != SIGKILL) &&
+ !(sighand->action[signr -1].sa.sa_flags & SA_IMMUTABLE)) {
signr = ptrace_signal(signr, &ksig->info);
if (!signr)
continue;
@@ -4079,6 +4081,10 @@ int do_sigaction(int sig, struct k_sigac
k = &p->sighand->action[sig-1];
spin_lock_irq(&p->sighand->siglock);
+ if (k->sa.sa_flags & SA_IMMUTABLE) {
+ spin_unlock_irq(&p->sighand->siglock);
+ return -EINVAL;
+ }
if (oact)
*oact = *k;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 112/917] soc: samsung: exynos-pmu: Fix compilation when nothing selects CONFIG_MFD_CORE
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 111/917] signal: Add SA_IMMUTABLE to ensure forced siganls do not get changed Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 113/917] soc: fsl: dpio: replace smp_processor_id with raw_smp_processor_id Greg Kroah-Hartman
` (807 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Virag, Krzysztof Kozlowski
From: David Virag <virag.david003@gmail.com>
commit e37ef6dcdb1f4738b01cec7fb7be46af07816af9 upstream.
Commit 93618e344a5e ("soc: samsung: exynos-pmu: instantiate clkout
driver as MFD") adds a "devm_mfd_add_devices" call in the exynos-pmu
driver which depends on CONFIG_MFD_CORE. If no driver selects that
config, the build will fail if CONFIG_EXYNOS_PMU is enabled with the
following error:
drivers/soc/samsung/exynos-pmu.c:137: undefined reference to `devm_mfd_add_devices'
Fix this by making CONFIG_EXYNOS_PMU select CONFIG_MFD_CORE.
Fixes: 93618e344a5e ("soc: samsung: exynos-pmu: instantiate clkout driver as MFD")
Cc: <stable@vger.kernel.org>
Signed-off-by: David Virag <virag.david003@gmail.com>
Link: https://lore.kernel.org/r/20210909222812.108614-1-virag.david003@gmail.com
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/samsung/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/soc/samsung/Kconfig
+++ b/drivers/soc/samsung/Kconfig
@@ -25,6 +25,7 @@ config EXYNOS_PMU
bool "Exynos PMU controller driver" if COMPILE_TEST
depends on ARCH_EXYNOS || ((ARM || ARM64) && COMPILE_TEST)
select EXYNOS_PMU_ARM_DRIVERS if ARM && ARCH_EXYNOS
+ select MFD_CORE
# There is no need to enable these drivers for ARMv8
config EXYNOS_PMU_ARM_DRIVERS
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 113/917] soc: fsl: dpio: replace smp_processor_id with raw_smp_processor_id
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 112/917] soc: samsung: exynos-pmu: Fix compilation when nothing selects CONFIG_MFD_CORE Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 114/917] soc: fsl: dpio: use the combined functions to protect critical zone Greg Kroah-Hartman
` (806 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Meng Li, Li Yang
From: Meng Li <Meng.Li@windriver.com>
commit e775eb9fc2a4107f03222fa48bc95c2c82427e64 upstream.
When enable debug kernel configs,there will be calltrace as below:
BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1
caller is debug_smp_processor_id+0x20/0x30
CPU: 6 PID: 1 Comm: swapper/0 Not tainted 5.10.63-yocto-standard #1
Hardware name: NXP Layerscape LX2160ARDB (DT)
Call trace:
dump_backtrace+0x0/0x1a0
show_stack+0x24/0x30
dump_stack+0xf0/0x13c
check_preemption_disabled+0x100/0x110
debug_smp_processor_id+0x20/0x30
dpaa2_io_query_fq_count+0xdc/0x154
dpaa2_eth_stop+0x144/0x314
__dev_close_many+0xdc/0x160
__dev_change_flags+0xe8/0x220
dev_change_flags+0x30/0x70
ic_close_devs+0x50/0x78
ip_auto_config+0xed0/0xf10
do_one_initcall+0xac/0x460
kernel_init_freeable+0x30c/0x378
kernel_init+0x20/0x128
ret_from_fork+0x10/0x38
Based on comment in the context, it doesn't matter whether
preemption is disable or not. So, replace smp_processor_id()
with raw_smp_processor_id() to avoid above call trace.
Fixes: c89105c9b390 ("staging: fsl-mc: Move DPIO from staging to drivers/soc/fsl")
Cc: stable@vger.kernel.org
Signed-off-by: Meng Li <Meng.Li@windriver.com>
Signed-off-by: Li Yang <leoyang.li@nxp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/fsl/dpio/dpio-service.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/soc/fsl/dpio/dpio-service.c
+++ b/drivers/soc/fsl/dpio/dpio-service.c
@@ -59,7 +59,7 @@ static inline struct dpaa2_io *service_s
* potentially being migrated away.
*/
if (cpu < 0)
- cpu = smp_processor_id();
+ cpu = raw_smp_processor_id();
/* If a specific cpu was requested, pick it up immediately */
return dpio_by_cpu[cpu];
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 114/917] soc: fsl: dpio: use the combined functions to protect critical zone
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 113/917] soc: fsl: dpio: replace smp_processor_id with raw_smp_processor_id Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 115/917] mtd: rawnand: socrates: Keep the driver compatible with on-die ECC engines Greg Kroah-Hartman
` (805 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Meng Li, Li Yang
From: Meng Li <Meng.Li@windriver.com>
commit dc7e5940aad6641bd5ab33ea8b21c4b3904d989f upstream.
In orininal code, use 2 function spin_lock() and local_irq_save() to
protect the critical zone. But when enable the kernel debug config,
there are below inconsistent lock state detected.
================================
WARNING: inconsistent lock state
5.10.63-yocto-standard #1 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
lock_torture_wr/226 [HC0[0]:SC1[5]:HE1:SE0] takes:
ffff002005b2dd80 (&p->access_spinlock){+.?.}-{3:3}, at: qbman_swp_enqueue_multiple_mem_back+0x44/0x270
{SOFTIRQ-ON-W} state was registered at:
lock_acquire.part.0+0xf8/0x250
lock_acquire+0x68/0x84
_raw_spin_lock+0x68/0x90
qbman_swp_enqueue_multiple_mem_back+0x44/0x270
......
cryptomgr_test+0x38/0x60
kthread+0x158/0x164
ret_from_fork+0x10/0x38
irq event stamp: 4498
hardirqs last enabled at (4498): [<ffff800010fcf980>] _raw_spin_unlock_irqrestore+0x90/0xb0
hardirqs last disabled at (4497): [<ffff800010fcffc4>] _raw_spin_lock_irqsave+0xd4/0xe0
softirqs last enabled at (4458): [<ffff8000100108c4>] __do_softirq+0x674/0x724
softirqs last disabled at (4465): [<ffff80001005b2a4>] __irq_exit_rcu+0x190/0x19c
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&p->access_spinlock);
<Interrupt>
lock(&p->access_spinlock);
*** DEADLOCK ***
So, in order to avoid deadlock, use the combined functions
spin_lock_irqsave/spin_unlock_irqrestore() to protect critical zone.
Fixes: 3b2abda7d28c ("soc: fsl: dpio: Replace QMAN array mode with ring mode enqueue")
Cc: stable@vger.kernel.org
Signed-off-by: Meng Li <Meng.Li@windriver.com>
Signed-off-by: Li Yang <leoyang.li@nxp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/fsl/dpio/qbman-portal.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--- a/drivers/soc/fsl/dpio/qbman-portal.c
+++ b/drivers/soc/fsl/dpio/qbman-portal.c
@@ -732,8 +732,7 @@ int qbman_swp_enqueue_multiple_mem_back(
int i, num_enqueued = 0;
unsigned long irq_flags;
- spin_lock(&s->access_spinlock);
- local_irq_save(irq_flags);
+ spin_lock_irqsave(&s->access_spinlock, irq_flags);
half_mask = (s->eqcr.pi_ci_mask>>1);
full_mask = s->eqcr.pi_ci_mask;
@@ -744,8 +743,7 @@ int qbman_swp_enqueue_multiple_mem_back(
s->eqcr.available = qm_cyc_diff(s->eqcr.pi_ring_size,
eqcr_ci, s->eqcr.ci);
if (!s->eqcr.available) {
- local_irq_restore(irq_flags);
- spin_unlock(&s->access_spinlock);
+ spin_unlock_irqrestore(&s->access_spinlock, irq_flags);
return 0;
}
}
@@ -784,8 +782,7 @@ int qbman_swp_enqueue_multiple_mem_back(
dma_wmb();
qbman_write_register(s, QBMAN_CINH_SWP_EQCR_PI,
(QB_RT_BIT)|(s->eqcr.pi)|s->eqcr.pi_vb);
- local_irq_restore(irq_flags);
- spin_unlock(&s->access_spinlock);
+ spin_unlock_irqrestore(&s->access_spinlock, irq_flags);
return num_enqueued;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 115/917] mtd: rawnand: socrates: Keep the driver compatible with on-die ECC engines
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 114/917] soc: fsl: dpio: use the combined functions to protect critical zone Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 116/917] mctp: handle the struct sockaddr_mctp padding fields Greg Kroah-Hartman
` (804 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miquel Raynal
From: Miquel Raynal <miquel.raynal@bootlin.com>
commit b4ebddd6540d78a7f977b3fea0261bd575c6ffe2 upstream.
Following the introduction of the generic ECC engine infrastructure, it
was necessary to reorganize the code and move the ECC configuration in
the ->attach_chip() hook. Failing to do that properly lead to a first
series of fixes supposed to stabilize the situation. Unfortunately, this
only fixed the use of software ECC engines, preventing any other kind of
engine to be used, including on-die ones.
It is now time to (finally) fix the situation by ensuring that we still
provide a default (eg. software ECC) but will still support different
ECC engines such as on-die ECC engines if properly described in the
device tree.
There are no changes needed on the core side in order to do this, but we
just need to leverage the logic there which allows:
1- a subsystem default (set to Host engines in the raw NAND world)
2- a driver specific default (here set to software ECC engines)
3- any type of engine requested by the user (ie. described in the DT)
As the raw NAND subsystem has not yet been fully converted to the ECC
engine infrastructure, in order to provide a default ECC engine for this
driver we need to set chip->ecc.engine_type *before* calling
nand_scan(). During the initialization step, the core will consider this
entry as the default engine for this driver. This value may of course
be overloaded by the user if the usual DT properties are provided.
Fixes: b36bf0a0fe5d ("mtd: rawnand: socrates: Move the ECC initialization to ->attach_chip()")
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20210928222258.199726-9-miquel.raynal@bootlin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/socrates_nand.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/mtd/nand/raw/socrates_nand.c
+++ b/drivers/mtd/nand/raw/socrates_nand.c
@@ -119,9 +119,8 @@ static int socrates_nand_device_ready(st
static int socrates_attach_chip(struct nand_chip *chip)
{
- chip->ecc.engine_type = NAND_ECC_ENGINE_TYPE_SOFT;
-
- if (chip->ecc.algo == NAND_ECC_ALGO_UNKNOWN)
+ if (chip->ecc.engine_type == NAND_ECC_ENGINE_TYPE_SOFT &&
+ chip->ecc.algo == NAND_ECC_ALGO_UNKNOWN)
chip->ecc.algo = NAND_ECC_ALGO_HAMMING;
return 0;
@@ -175,6 +174,13 @@ static int socrates_nand_probe(struct pl
/* TODO: I have no idea what real delay is. */
nand_chip->legacy.chip_delay = 20; /* 20us command delay time */
+ /*
+ * This driver assumes that the default ECC engine should be TYPE_SOFT.
+ * Set ->engine_type before registering the NAND devices in order to
+ * provide a driver specific default value.
+ */
+ nand_chip->ecc.engine_type = NAND_ECC_ENGINE_TYPE_SOFT;
+
dev_set_drvdata(&ofdev->dev, host);
res = nand_scan(nand_chip, 1);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 116/917] mctp: handle the struct sockaddr_mctp padding fields
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 115/917] mtd: rawnand: socrates: Keep the driver compatible with on-die ECC engines Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 117/917] power: supply: max17042_battery: Prevent int underflow in set_soc_threshold Greg Kroah-Hartman
` (803 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Eugene Syromiatnikov, Jeremy Kerr,
Jakub Kicinski
From: Eugene Syromiatnikov <esyr@redhat.com>
commit 1e4b50f06d970d8da3474d2a0354450416710bda upstream.
In order to have the padding fields actually usable in the future,
there have to be checks that user space doesn't supply non-zero garbage
there. It is also worth setting these padding fields to zero, unless
it is known that they have been already zeroed.
Cc: stable@vger.kernel.org # v5.15
Fixes: 5a20dd46b8b84593 ("mctp: Be explicit about struct sockaddr_mctp padding")
Signed-off-by: Eugene Syromiatnikov <esyr@redhat.com>
Acked-by: Jeremy Kerr <jk@codeconstruct.com.au>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mctp/af_mctp.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/net/mctp/af_mctp.c
+++ b/net/mctp/af_mctp.c
@@ -30,6 +30,12 @@ static int mctp_release(struct socket *s
return 0;
}
+/* Generic sockaddr checks, padding checks only so far */
+static bool mctp_sockaddr_is_ok(const struct sockaddr_mctp *addr)
+{
+ return !addr->__smctp_pad0 && !addr->__smctp_pad1;
+}
+
static int mctp_bind(struct socket *sock, struct sockaddr *addr, int addrlen)
{
struct sock *sk = sock->sk;
@@ -49,6 +55,9 @@ static int mctp_bind(struct socket *sock
/* it's a valid sockaddr for MCTP, cast and do protocol checks */
smctp = (struct sockaddr_mctp *)addr;
+ if (!mctp_sockaddr_is_ok(smctp))
+ return -EINVAL;
+
lock_sock(sk);
/* TODO: allow rebind */
@@ -83,6 +92,8 @@ static int mctp_sendmsg(struct socket *s
return -EINVAL;
if (addr->smctp_family != AF_MCTP)
return -EINVAL;
+ if (!mctp_sockaddr_is_ok(addr))
+ return -EINVAL;
if (addr->smctp_tag & ~(MCTP_TAG_MASK | MCTP_TAG_OWNER))
return -EINVAL;
@@ -172,11 +183,13 @@ static int mctp_recvmsg(struct socket *s
addr = msg->msg_name;
addr->smctp_family = AF_MCTP;
+ addr->__smctp_pad0 = 0;
addr->smctp_network = cb->net;
addr->smctp_addr.s_addr = hdr->src;
addr->smctp_type = type;
addr->smctp_tag = hdr->flags_seq_tag &
(MCTP_HDR_TAG_MASK | MCTP_HDR_FLAG_TO);
+ addr->__smctp_pad1 = 0;
msg->msg_namelen = sizeof(*addr);
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 117/917] power: supply: max17042_battery: Prevent int underflow in set_soc_threshold
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 116/917] mctp: handle the struct sockaddr_mctp padding fields Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 118/917] power: supply: max17042_battery: use VFSOC for capacity when no rsns Greg Kroah-Hartman
` (802 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sebastian Krzyszkowiak,
Krzysztof Kozlowski, Sebastian Reichel
From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
commit e660dbb68c6b3f7b9eb8b9775846a44f9798b719 upstream.
max17042_set_soc_threshold gets called with offset set to 1, which means
that minimum threshold value would underflow once SOC got down to 0,
causing invalid alerts from the gauge.
Fixes: e5f3872d2044 ("max17042: Add support for signalling change in SOC")
Cc: <stable@vger.kernel.org>
Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/power/supply/max17042_battery.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/power/supply/max17042_battery.c
+++ b/drivers/power/supply/max17042_battery.c
@@ -857,7 +857,8 @@ static void max17042_set_soc_threshold(s
regmap_read(map, MAX17042_RepSOC, &soc);
soc >>= 8;
soc_tr = (soc + off) << 8;
- soc_tr |= (soc - off);
+ if (off < soc)
+ soc_tr |= soc - off;
regmap_write(map, MAX17042_SALRT_Th, soc_tr);
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 118/917] power: supply: max17042_battery: use VFSOC for capacity when no rsns
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 117/917] power: supply: max17042_battery: Prevent int underflow in set_soc_threshold Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 119/917] iio: core: fix double free in iio_device_unregister_sysfs() Greg Kroah-Hartman
` (801 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski,
Wolfgang Wiedmeyer, Henrik Grimler, Hans de Goede,
Sebastian Reichel
From: Henrik Grimler <henrik@grimler.se>
commit 223a3b82834f036a62aa831f67cbf1f1d644c6e2 upstream.
On Galaxy S3 (i9300/i9305), which has the max17047 fuel gauge and no
current sense resistor (rsns), the RepSOC register does not provide an
accurate state of charge value. The reported value is wrong, and does
not change over time. VFSOC however, which uses the voltage fuel gauge
to determine the state of charge, always shows an accurate value.
For devices without current sense, VFSOC is already used for the
soc-alert (0x0003 is written to MiscCFG register), so with this change
the source of the alert and the PROP_CAPACITY value match.
Fixes: 359ab9f5b154 ("power_supply: Add MAX17042 Fuel Gauge Driver")
Cc: <stable@vger.kernel.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Suggested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
Signed-off-by: Henrik Grimler <henrik@grimler.se>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/power/supply/max17042_battery.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/power/supply/max17042_battery.c
+++ b/drivers/power/supply/max17042_battery.c
@@ -313,7 +313,10 @@ static int max17042_get_property(struct
val->intval = data * 625 / 8;
break;
case POWER_SUPPLY_PROP_CAPACITY:
- ret = regmap_read(map, MAX17042_RepSOC, &data);
+ if (chip->pdata->enable_current_sense)
+ ret = regmap_read(map, MAX17042_RepSOC, &data);
+ else
+ ret = regmap_read(map, MAX17042_VFSOC, &data);
if (ret < 0)
return ret;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 119/917] iio: core: fix double free in iio_device_unregister_sysfs()
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 118/917] power: supply: max17042_battery: use VFSOC for capacity when no rsns Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 120/917] iio: core: check return value when calling dev_set_name() Greg Kroah-Hartman
` (800 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hulk Robot, Alexandru Ardelean,
Yang Yingliang, Stable, Jonathan Cameron
From: Yang Yingliang <yangyingliang@huawei.com>
commit 19833c40d0415d6fe4340b5b9c46239abbf718f6 upstream.
I got the double free report:
BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390
iio_device_unregister_sysfs+0x108/0x13b [industrialio]
iio_dev_release+0x9e/0x10e [industrialio]
device_release+0xa5/0x240
If __iio_device_register() fails, iio_dev_opaque->groups will be freed
in error path in iio_device_unregister_sysfs(), then iio_dev_release()
will call iio_device_unregister_sysfs() again, it causes double free.
Set iio_dev_opaque->groups to NULL when it's freed to fix this double free.
Not this is a local work around for a more general mess around life time
management that will get cleaned up and should make this handling
unnecesarry.
Fixes: 32f171724e5c ("iio: core: rework iio device group creation")
Reported-by: Hulk Robot <hulkci@huawei.com>
Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20211013030532.956133-1-yangyingliang@huawei.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -1600,6 +1600,7 @@ static void iio_device_unregister_sysfs(
kfree(iio_dev_opaque->chan_attr_group.attrs);
iio_dev_opaque->chan_attr_group.attrs = NULL;
kfree(iio_dev_opaque->groups);
+ iio_dev_opaque->groups = NULL;
}
static void iio_dev_release(struct device *device)
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 120/917] iio: core: check return value when calling dev_set_name()
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 119/917] iio: core: fix double free in iio_device_unregister_sysfs() Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 121/917] KVM: arm64: Extract ESR_ELx.EC only Greg Kroah-Hartman
` (799 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hulk Robot, Yang Yingliang, Stable,
Jonathan Cameron
From: Yang Yingliang <yangyingliang@huawei.com>
commit fe6f45f6ba22d625a8500cbad0237c60dd3117ee upstream.
I got a null-ptr-deref report when doing fault injection test:
BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:strlen+0x0/0x20
Call Trace:
start_creating+0x199/0x2f0
debugfs_create_dir+0x25/0x430
__iio_device_register+0x4da/0x1b40 [industrialio]
__devm_iio_device_register+0x22/0x80 [industrialio]
max1027_probe+0x639/0x860 [max1027]
spi_probe+0x183/0x210
really_probe+0x285/0xc30
If dev_set_name() fails, the dev_name() is null, check the return
value of dev_set_name() to avoid the null-ptr-deref.
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: e553f182d55b ("staging: iio: core: Introduce debugfs support...")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Cc: <Stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211012063624.3167460-1-yangyingliang@huawei.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -1665,7 +1665,13 @@ struct iio_dev *iio_device_alloc(struct
kfree(iio_dev_opaque);
return NULL;
}
- dev_set_name(&indio_dev->dev, "iio:device%d", iio_dev_opaque->id);
+
+ if (dev_set_name(&indio_dev->dev, "iio:device%d", iio_dev_opaque->id)) {
+ ida_simple_remove(&iio_ida, iio_dev_opaque->id);
+ kfree(iio_dev_opaque);
+ return NULL;
+ }
+
INIT_LIST_HEAD(&iio_dev_opaque->buffer_list);
INIT_LIST_HEAD(&iio_dev_opaque->ioctl_handlers);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 121/917] KVM: arm64: Extract ESR_ELx.EC only
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 120/917] iio: core: check return value when calling dev_set_name() Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 122/917] KVM: x86: Fix recording of guest steal time / preempted status Greg Kroah-Hartman
` (798 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Mark Rutland, Alexandru Elisei,
Catalin Marinas, James Morse, Marc Zyngier, Suzuki K Poulose,
Will Deacon
From: Mark Rutland <mark.rutland@arm.com>
commit 8bb084119f1acc2ec55ea085a97231e3ddb30782 upstream.
Since ARMv8.0 the upper 32 bits of ESR_ELx have been RES0, and recently
some of the upper bits gained a meaning and can be non-zero. For
example, when FEAT_LS64 is implemented, ESR_ELx[36:32] contain ISS2,
which for an ST64BV or ST64BV0 can be non-zero. This can be seen in ARM
DDI 0487G.b, page D13-3145, section D13.2.37.
Generally, we must not rely on RES0 bit remaining zero in future, and
when extracting ESR_ELx.EC we must mask out all other bits.
All C code uses the ESR_ELx_EC() macro, which masks out the irrelevant
bits, and therefore no alterations are required to C code to avoid
consuming irrelevant bits.
In a couple of places the KVM assembly extracts ESR_ELx.EC using LSR on
an X register, and so could in theory consume previously RES0 bits. In
both cases this is for comparison with EC values ESR_ELx_EC_HVC32 and
ESR_ELx_EC_HVC64, for which the upper bits of ESR_ELx must currently be
zero, but this could change in future.
This patch adjusts the KVM vectors to use UBFX rather than LSR to
extract ESR_ELx.EC, ensuring these are robust to future additions to
ESR_ELx.
Cc: stable@vger.kernel.org
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Alexandru Elisei <alexandru.elisei@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
Cc: Will Deacon <will@kernel.org>
Acked-by: Will Deacon <will@kernel.org>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20211103110545.4613-1-mark.rutland@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/esr.h | 1 +
arch/arm64/kvm/hyp/hyp-entry.S | 2 +-
arch/arm64/kvm/hyp/nvhe/host.S | 2 +-
3 files changed, 3 insertions(+), 2 deletions(-)
--- a/arch/arm64/include/asm/esr.h
+++ b/arch/arm64/include/asm/esr.h
@@ -68,6 +68,7 @@
#define ESR_ELx_EC_MAX (0x3F)
#define ESR_ELx_EC_SHIFT (26)
+#define ESR_ELx_EC_WIDTH (6)
#define ESR_ELx_EC_MASK (UL(0x3F) << ESR_ELx_EC_SHIFT)
#define ESR_ELx_EC(esr) (((esr) & ESR_ELx_EC_MASK) >> ESR_ELx_EC_SHIFT)
--- a/arch/arm64/kvm/hyp/hyp-entry.S
+++ b/arch/arm64/kvm/hyp/hyp-entry.S
@@ -44,7 +44,7 @@
el1_sync: // Guest trapped into EL2
mrs x0, esr_el2
- lsr x0, x0, #ESR_ELx_EC_SHIFT
+ ubfx x0, x0, #ESR_ELx_EC_SHIFT, #ESR_ELx_EC_WIDTH
cmp x0, #ESR_ELx_EC_HVC64
ccmp x0, #ESR_ELx_EC_HVC32, #4, ne
b.ne el1_trap
--- a/arch/arm64/kvm/hyp/nvhe/host.S
+++ b/arch/arm64/kvm/hyp/nvhe/host.S
@@ -115,7 +115,7 @@ SYM_FUNC_END(__hyp_do_panic)
.L__vect_start\@:
stp x0, x1, [sp, #-16]!
mrs x0, esr_el2
- lsr x0, x0, #ESR_ELx_EC_SHIFT
+ ubfx x0, x0, #ESR_ELx_EC_SHIFT, #ESR_ELx_EC_WIDTH
cmp x0, #ESR_ELx_EC_HVC64
b.ne __host_exit
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 122/917] KVM: x86: Fix recording of guest steal time / preempted status
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 121/917] KVM: arm64: Extract ESR_ELx.EC only Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 123/917] KVM: x86: Add helper to consolidate core logic of SET_CPUID{2} flows Greg Kroah-Hartman
` (797 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Woodhouse, Paolo Bonzini
From: David Woodhouse <dwmw2@infradead.org>
commit 7e2175ebd695f17860c5bd4ad7616cce12ed4591 upstream.
In commit b043138246a4 ("x86/KVM: Make sure KVM_VCPU_FLUSH_TLB flag is
not missed") we switched to using a gfn_to_pfn_cache for accessing the
guest steal time structure in order to allow for an atomic xchg of the
preempted field. This has a couple of problems.
Firstly, kvm_map_gfn() doesn't work at all for IOMEM pages when the
atomic flag is set, which it is in kvm_steal_time_set_preempted(). So a
guest vCPU using an IOMEM page for its steal time would never have its
preempted field set.
Secondly, the gfn_to_pfn_cache is not invalidated in all cases where it
should have been. There are two stages to the GFN->PFN conversion;
first the GFN is converted to a userspace HVA, and then that HVA is
looked up in the process page tables to find the underlying host PFN.
Correct invalidation of the latter would require being hooked up to the
MMU notifiers, but that doesn't happen---so it just keeps mapping and
unmapping the *wrong* PFN after the userspace page tables change.
In the !IOMEM case at least the stale page *is* pinned all the time it's
cached, so it won't be freed and reused by anyone else while still
receiving the steal time updates. The map/unmap dance only takes care
of the KVM administrivia such as marking the page dirty.
Until the gfn_to_pfn cache handles the remapping automatically by
integrating with the MMU notifiers, we might as well not get a
kernel mapping of it, and use the perfectly serviceable userspace HVA
that we already have. We just need to implement the atomic xchg on
the userspace address with appropriate exception handling, which is
fairly trivial.
Cc: stable@vger.kernel.org
Fixes: b043138246a4 ("x86/KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed")
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Message-Id: <3645b9b889dac6438394194bb5586a46b68d581f.camel@infradead.org>
[I didn't entirely agree with David's assessment of the
usefulness of the gfn_to_pfn cache, and integrated the outcome
of the discussion in the above commit message. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/kvm_host.h | 2
arch/x86/kvm/x86.c | 105 ++++++++++++++++++++++++++++------------
2 files changed, 76 insertions(+), 31 deletions(-)
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -751,7 +751,7 @@ struct kvm_vcpu_arch {
u8 preempted;
u64 msr_val;
u64 last_steal;
- struct gfn_to_pfn_cache cache;
+ struct gfn_to_hva_cache cache;
} st;
u64 l1_tsc_offset;
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3195,8 +3195,11 @@ static void kvm_vcpu_flush_tlb_guest(str
static void record_steal_time(struct kvm_vcpu *vcpu)
{
- struct kvm_host_map map;
- struct kvm_steal_time *st;
+ struct gfn_to_hva_cache *ghc = &vcpu->arch.st.cache;
+ struct kvm_steal_time __user *st;
+ struct kvm_memslots *slots;
+ u64 steal;
+ u32 version;
if (kvm_xen_msr_enabled(vcpu->kvm)) {
kvm_xen_runstate_set_running(vcpu);
@@ -3206,47 +3209,83 @@ static void record_steal_time(struct kvm
if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED))
return;
- /* -EAGAIN is returned in atomic context so we can just return. */
- if (kvm_map_gfn(vcpu, vcpu->arch.st.msr_val >> PAGE_SHIFT,
- &map, &vcpu->arch.st.cache, false))
+ if (WARN_ON_ONCE(current->mm != vcpu->kvm->mm))
return;
- st = map.hva +
- offset_in_page(vcpu->arch.st.msr_val & KVM_STEAL_VALID_BITS);
+ slots = kvm_memslots(vcpu->kvm);
+
+ if (unlikely(slots->generation != ghc->generation ||
+ kvm_is_error_hva(ghc->hva) || !ghc->memslot)) {
+ gfn_t gfn = vcpu->arch.st.msr_val & KVM_STEAL_VALID_BITS;
+
+ /* We rely on the fact that it fits in a single page. */
+ BUILD_BUG_ON((sizeof(*st) - 1) & KVM_STEAL_VALID_BITS);
+
+ if (kvm_gfn_to_hva_cache_init(vcpu->kvm, ghc, gfn, sizeof(*st)) ||
+ kvm_is_error_hva(ghc->hva) || !ghc->memslot)
+ return;
+ }
+
+ st = (struct kvm_steal_time __user *)ghc->hva;
+ if (!user_access_begin(st, sizeof(*st)))
+ return;
/*
* Doing a TLB flush here, on the guest's behalf, can avoid
* expensive IPIs.
*/
if (guest_pv_has(vcpu, KVM_FEATURE_PV_TLB_FLUSH)) {
- u8 st_preempted = xchg(&st->preempted, 0);
+ u8 st_preempted = 0;
+ int err = -EFAULT;
+
+ asm volatile("1: xchgb %0, %2\n"
+ "xor %1, %1\n"
+ "2:\n"
+ _ASM_EXTABLE_UA(1b, 2b)
+ : "+r" (st_preempted),
+ "+&r" (err)
+ : "m" (st->preempted));
+ if (err)
+ goto out;
+
+ user_access_end();
+
+ vcpu->arch.st.preempted = 0;
trace_kvm_pv_tlb_flush(vcpu->vcpu_id,
st_preempted & KVM_VCPU_FLUSH_TLB);
if (st_preempted & KVM_VCPU_FLUSH_TLB)
kvm_vcpu_flush_tlb_guest(vcpu);
+
+ if (!user_access_begin(st, sizeof(*st)))
+ goto dirty;
} else {
- st->preempted = 0;
+ unsafe_put_user(0, &st->preempted, out);
+ vcpu->arch.st.preempted = 0;
}
- vcpu->arch.st.preempted = 0;
-
- if (st->version & 1)
- st->version += 1; /* first time write, random junk */
+ unsafe_get_user(version, &st->version, out);
+ if (version & 1)
+ version += 1; /* first time write, random junk */
- st->version += 1;
+ version += 1;
+ unsafe_put_user(version, &st->version, out);
smp_wmb();
- st->steal += current->sched_info.run_delay -
+ unsafe_get_user(steal, &st->steal, out);
+ steal += current->sched_info.run_delay -
vcpu->arch.st.last_steal;
vcpu->arch.st.last_steal = current->sched_info.run_delay;
+ unsafe_put_user(steal, &st->steal, out);
- smp_wmb();
-
- st->version += 1;
+ version += 1;
+ unsafe_put_user(version, &st->version, out);
- kvm_unmap_gfn(vcpu, &map, &vcpu->arch.st.cache, true, false);
+ out:
+ user_access_end();
+ dirty:
+ mark_page_dirty_in_slot(vcpu->kvm, ghc->memslot, gpa_to_gfn(ghc->gpa));
}
int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
@@ -4285,8 +4324,10 @@ void kvm_arch_vcpu_load(struct kvm_vcpu
static void kvm_steal_time_set_preempted(struct kvm_vcpu *vcpu)
{
- struct kvm_host_map map;
- struct kvm_steal_time *st;
+ struct gfn_to_hva_cache *ghc = &vcpu->arch.st.cache;
+ struct kvm_steal_time __user *st;
+ struct kvm_memslots *slots;
+ static const u8 preempted = KVM_VCPU_PREEMPTED;
if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED))
return;
@@ -4294,16 +4335,23 @@ static void kvm_steal_time_set_preempted
if (vcpu->arch.st.preempted)
return;
- if (kvm_map_gfn(vcpu, vcpu->arch.st.msr_val >> PAGE_SHIFT, &map,
- &vcpu->arch.st.cache, true))
+ /* This happens on process exit */
+ if (unlikely(current->mm != vcpu->kvm->mm))
return;
- st = map.hva +
- offset_in_page(vcpu->arch.st.msr_val & KVM_STEAL_VALID_BITS);
+ slots = kvm_memslots(vcpu->kvm);
+
+ if (unlikely(slots->generation != ghc->generation ||
+ kvm_is_error_hva(ghc->hva) || !ghc->memslot))
+ return;
- st->preempted = vcpu->arch.st.preempted = KVM_VCPU_PREEMPTED;
+ st = (struct kvm_steal_time __user *)ghc->hva;
+ BUILD_BUG_ON(sizeof(st->preempted) != sizeof(preempted));
- kvm_unmap_gfn(vcpu, &map, &vcpu->arch.st.cache, true, true);
+ if (!copy_to_user_nofault(&st->preempted, &preempted, sizeof(preempted)))
+ vcpu->arch.st.preempted = KVM_VCPU_PREEMPTED;
+
+ mark_page_dirty_in_slot(vcpu->kvm, ghc->memslot, gpa_to_gfn(ghc->gpa));
}
void kvm_arch_vcpu_put(struct kvm_vcpu *vcpu)
@@ -10817,11 +10865,8 @@ void kvm_arch_vcpu_postcreate(struct kvm
void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu)
{
- struct gfn_to_pfn_cache *cache = &vcpu->arch.st.cache;
int idx;
- kvm_release_pfn(cache->pfn, cache->dirty, cache);
-
kvmclock_reset(vcpu);
static_call(kvm_x86_vcpu_free)(vcpu);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 123/917] KVM: x86: Add helper to consolidate core logic of SET_CPUID{2} flows
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 122/917] KVM: x86: Fix recording of guest steal time / preempted status Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 124/917] KVM: nVMX: Query current VMCS when determining if MSR bitmaps are in use Greg Kroah-Hartman
` (796 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini
From: Sean Christopherson <seanjc@google.com>
commit 8b44b174f6aca815fc84c2038e4523ef8e32fabb upstream.
Move the core logic of SET_CPUID and SET_CPUID2 to a common helper, the
only difference between the two ioctls() is the format of the userspace
struct. A future fix will add yet more code to the core logic.
No functional change intended.
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20211105095101.5384-2-pdurrant@amazon.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/cpuid.c | 47 ++++++++++++++++++++++++-----------------------
1 file changed, 24 insertions(+), 23 deletions(-)
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -232,6 +232,25 @@ u64 kvm_vcpu_reserved_gpa_bits_raw(struc
return rsvd_bits(cpuid_maxphyaddr(vcpu), 63);
}
+static int kvm_set_cpuid(struct kvm_vcpu *vcpu, struct kvm_cpuid_entry2 *e2,
+ int nent)
+{
+ int r;
+
+ r = kvm_check_cpuid(e2, nent);
+ if (r)
+ return r;
+
+ kvfree(vcpu->arch.cpuid_entries);
+ vcpu->arch.cpuid_entries = e2;
+ vcpu->arch.cpuid_nent = nent;
+
+ kvm_update_cpuid_runtime(vcpu);
+ kvm_vcpu_after_set_cpuid(vcpu);
+
+ return 0;
+}
+
/* when an old userspace process fills a new kernel module */
int kvm_vcpu_ioctl_set_cpuid(struct kvm_vcpu *vcpu,
struct kvm_cpuid *cpuid,
@@ -268,18 +287,9 @@ int kvm_vcpu_ioctl_set_cpuid(struct kvm_
e2[i].padding[2] = 0;
}
- r = kvm_check_cpuid(e2, cpuid->nent);
- if (r) {
+ r = kvm_set_cpuid(vcpu, e2, cpuid->nent);
+ if (r)
kvfree(e2);
- goto out_free_cpuid;
- }
-
- kvfree(vcpu->arch.cpuid_entries);
- vcpu->arch.cpuid_entries = e2;
- vcpu->arch.cpuid_nent = cpuid->nent;
-
- kvm_update_cpuid_runtime(vcpu);
- kvm_vcpu_after_set_cpuid(vcpu);
out_free_cpuid:
kvfree(e);
@@ -303,20 +313,11 @@ int kvm_vcpu_ioctl_set_cpuid2(struct kvm
return PTR_ERR(e2);
}
- r = kvm_check_cpuid(e2, cpuid->nent);
- if (r) {
+ r = kvm_set_cpuid(vcpu, e2, cpuid->nent);
+ if (r)
kvfree(e2);
- return r;
- }
- kvfree(vcpu->arch.cpuid_entries);
- vcpu->arch.cpuid_entries = e2;
- vcpu->arch.cpuid_nent = cpuid->nent;
-
- kvm_update_cpuid_runtime(vcpu);
- kvm_vcpu_after_set_cpuid(vcpu);
-
- return 0;
+ return r;
}
int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 124/917] KVM: nVMX: Query current VMCS when determining if MSR bitmaps are in use
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 123/917] KVM: x86: Add helper to consolidate core logic of SET_CPUID{2} flows Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 125/917] KVM: nVMX: Handle dynamic MSR intercept toggling Greg Kroah-Hartman
` (795 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini
From: Sean Christopherson <seanjc@google.com>
commit 7dfbc624eb5726367900c8d86deff50836240361 upstream.
Check the current VMCS controls to determine if an MSR write will be
intercepted due to MSR bitmaps being disabled. In the nested VMX case,
KVM will disable MSR bitmaps in vmcs02 if they're disabled in vmcs12 or
if KVM can't map L1's bitmaps for whatever reason.
Note, the bad behavior is relatively benign in the current code base as
KVM sets all bits in vmcs02's MSR bitmap by default, clears bits if and
only if L0 KVM also disables interception of an MSR, and only uses the
buggy helper for MSR_IA32_SPEC_CTRL. Because KVM explicitly tests WRMSR
before disabling interception of MSR_IA32_SPEC_CTRL, the flawed check
will only result in KVM reading MSR_IA32_SPEC_CTRL from hardware when it
isn't strictly necessary.
Tag the fix for stable in case a future fix wants to use
msr_write_intercepted(), in which case a buggy implementation in older
kernels could prove subtly problematic.
Fixes: d28b387fb74d ("KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20211109013047.2041518-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/vmx.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -769,15 +769,15 @@ void vmx_update_exception_bitmap(struct
/*
* Check if MSR is intercepted for currently loaded MSR bitmap.
*/
-static bool msr_write_intercepted(struct kvm_vcpu *vcpu, u32 msr)
+static bool msr_write_intercepted(struct vcpu_vmx *vmx, u32 msr)
{
unsigned long *msr_bitmap;
int f = sizeof(unsigned long);
- if (!cpu_has_vmx_msr_bitmap())
+ if (!(exec_controls_get(vmx) & CPU_BASED_USE_MSR_BITMAPS))
return true;
- msr_bitmap = to_vmx(vcpu)->loaded_vmcs->msr_bitmap;
+ msr_bitmap = vmx->loaded_vmcs->msr_bitmap;
if (msr <= 0x1fff) {
return !!test_bit(msr, msr_bitmap + 0x800 / f);
@@ -6720,7 +6720,7 @@ static fastpath_t vmx_vcpu_run(struct kv
* If the L02 MSR bitmap does not intercept the MSR, then we need to
* save it.
*/
- if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)))
+ if (unlikely(!msr_write_intercepted(vmx, MSR_IA32_SPEC_CTRL)))
vmx->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
x86_spec_ctrl_restore_host(vmx->spec_ctrl, 0);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 125/917] KVM: nVMX: Handle dynamic MSR intercept toggling
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 124/917] KVM: nVMX: Query current VMCS when determining if MSR bitmaps are in use Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 126/917] can: peak_usb: always ask for BERR reporting for PCAN-USB devices Greg Kroah-Hartman
` (794 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Alexander Graf, Sean Christopherson,
Paolo Bonzini
From: Sean Christopherson <seanjc@google.com>
commit 67f4b9969c305be515e47f809ecacfd86bd20a9c upstream.
Always check vmcs01's MSR bitmap when merging L0 and L1 bitmaps for L2,
and always update the relevant bits in vmcs02. This fixes two distinct,
but intertwined bugs related to dynamic MSR bitmap modifications.
The first issue is that KVM fails to enable MSR interception in vmcs02
for the FS/GS base MSRs if L1 first runs L2 with interception disabled,
and later enables interception.
The second issue is that KVM fails to honor userspace MSR filtering when
preparing vmcs02.
Fix both issues simultaneous as fixing only one of the issues (doesn't
matter which) would create a mess that no one should have to bisect.
Fixing only the first bug would exacerbate the MSR filtering issue as
userspace would see inconsistent behavior depending on the whims of L1.
Fixing only the second bug (MSR filtering) effectively requires fixing
the first, as the nVMX code only knows how to transition vmcs02's
bitmap from 1->0.
Move the various accessor/mutators that are currently buried in vmx.c
into vmx.h so that they can be shared by the nested code.
Fixes: 1a155254ff93 ("KVM: x86: Introduce MSR filtering")
Fixes: d69129b4e46a ("KVM: nVMX: Disable intercept for FS/GS base MSRs in vmcs02 when possible")
Cc: stable@vger.kernel.org
Cc: Alexander Graf <graf@amazon.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20211109013047.2041518-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/nested.c | 103 ++++++++++++++++++++--------------------------
arch/x86/kvm/vmx/vmx.c | 55 ------------------------
arch/x86/kvm/vmx/vmx.h | 63 ++++++++++++++++++++++++++++
3 files changed, 111 insertions(+), 110 deletions(-)
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -524,29 +524,6 @@ static int nested_vmx_check_tpr_shadow_c
}
/*
- * Check if MSR is intercepted for L01 MSR bitmap.
- */
-static bool msr_write_intercepted_l01(struct kvm_vcpu *vcpu, u32 msr)
-{
- unsigned long *msr_bitmap;
- int f = sizeof(unsigned long);
-
- if (!cpu_has_vmx_msr_bitmap())
- return true;
-
- msr_bitmap = to_vmx(vcpu)->vmcs01.msr_bitmap;
-
- if (msr <= 0x1fff) {
- return !!test_bit(msr, msr_bitmap + 0x800 / f);
- } else if ((msr >= 0xc0000000) && (msr <= 0xc0001fff)) {
- msr &= 0x1fff;
- return !!test_bit(msr, msr_bitmap + 0xc00 / f);
- }
-
- return true;
-}
-
-/*
* If a msr is allowed by L0, we should check whether it is allowed by L1.
* The corresponding bit will be cleared unless both of L0 and L1 allow it.
*/
@@ -599,6 +576,34 @@ static inline void enable_x2apic_msr_int
}
}
+#define BUILD_NVMX_MSR_INTERCEPT_HELPER(rw) \
+static inline \
+void nested_vmx_set_msr_##rw##_intercept(struct vcpu_vmx *vmx, \
+ unsigned long *msr_bitmap_l1, \
+ unsigned long *msr_bitmap_l0, u32 msr) \
+{ \
+ if (vmx_test_msr_bitmap_##rw(vmx->vmcs01.msr_bitmap, msr) || \
+ vmx_test_msr_bitmap_##rw(msr_bitmap_l1, msr)) \
+ vmx_set_msr_bitmap_##rw(msr_bitmap_l0, msr); \
+ else \
+ vmx_clear_msr_bitmap_##rw(msr_bitmap_l0, msr); \
+}
+BUILD_NVMX_MSR_INTERCEPT_HELPER(read)
+BUILD_NVMX_MSR_INTERCEPT_HELPER(write)
+
+static inline void nested_vmx_set_intercept_for_msr(struct vcpu_vmx *vmx,
+ unsigned long *msr_bitmap_l1,
+ unsigned long *msr_bitmap_l0,
+ u32 msr, int types)
+{
+ if (types & MSR_TYPE_R)
+ nested_vmx_set_msr_read_intercept(vmx, msr_bitmap_l1,
+ msr_bitmap_l0, msr);
+ if (types & MSR_TYPE_W)
+ nested_vmx_set_msr_write_intercept(vmx, msr_bitmap_l1,
+ msr_bitmap_l0, msr);
+}
+
/*
* Merge L0's and L1's MSR bitmap, return false to indicate that
* we do not use the hardware.
@@ -606,10 +611,11 @@ static inline void enable_x2apic_msr_int
static inline bool nested_vmx_prepare_msr_bitmap(struct kvm_vcpu *vcpu,
struct vmcs12 *vmcs12)
{
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
int msr;
unsigned long *msr_bitmap_l1;
- unsigned long *msr_bitmap_l0 = to_vmx(vcpu)->nested.vmcs02.msr_bitmap;
- struct kvm_host_map *map = &to_vmx(vcpu)->nested.msr_bitmap_map;
+ unsigned long *msr_bitmap_l0 = vmx->nested.vmcs02.msr_bitmap;
+ struct kvm_host_map *map = &vmx->nested.msr_bitmap_map;
/* Nothing to do if the MSR bitmap is not in use. */
if (!cpu_has_vmx_msr_bitmap() ||
@@ -660,44 +666,27 @@ static inline bool nested_vmx_prepare_ms
}
}
- /* KVM unconditionally exposes the FS/GS base MSRs to L1. */
+ /*
+ * Always check vmcs01's bitmap to honor userspace MSR filters and any
+ * other runtime changes to vmcs01's bitmap, e.g. dynamic pass-through.
+ */
#ifdef CONFIG_X86_64
- nested_vmx_disable_intercept_for_msr(msr_bitmap_l1, msr_bitmap_l0,
- MSR_FS_BASE, MSR_TYPE_RW);
+ nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
+ MSR_FS_BASE, MSR_TYPE_RW);
- nested_vmx_disable_intercept_for_msr(msr_bitmap_l1, msr_bitmap_l0,
- MSR_GS_BASE, MSR_TYPE_RW);
+ nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
+ MSR_GS_BASE, MSR_TYPE_RW);
- nested_vmx_disable_intercept_for_msr(msr_bitmap_l1, msr_bitmap_l0,
- MSR_KERNEL_GS_BASE, MSR_TYPE_RW);
+ nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
+ MSR_KERNEL_GS_BASE, MSR_TYPE_RW);
#endif
+ nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
+ MSR_IA32_SPEC_CTRL, MSR_TYPE_RW);
- /*
- * Checking the L0->L1 bitmap is trying to verify two things:
- *
- * 1. L0 gave a permission to L1 to actually passthrough the MSR. This
- * ensures that we do not accidentally generate an L02 MSR bitmap
- * from the L12 MSR bitmap that is too permissive.
- * 2. That L1 or L2s have actually used the MSR. This avoids
- * unnecessarily merging of the bitmap if the MSR is unused. This
- * works properly because we only update the L01 MSR bitmap lazily.
- * So even if L0 should pass L1 these MSRs, the L01 bitmap is only
- * updated to reflect this when L1 (or its L2s) actually write to
- * the MSR.
- */
- if (!msr_write_intercepted_l01(vcpu, MSR_IA32_SPEC_CTRL))
- nested_vmx_disable_intercept_for_msr(
- msr_bitmap_l1, msr_bitmap_l0,
- MSR_IA32_SPEC_CTRL,
- MSR_TYPE_R | MSR_TYPE_W);
-
- if (!msr_write_intercepted_l01(vcpu, MSR_IA32_PRED_CMD))
- nested_vmx_disable_intercept_for_msr(
- msr_bitmap_l1, msr_bitmap_l0,
- MSR_IA32_PRED_CMD,
- MSR_TYPE_W);
+ nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
+ MSR_IA32_PRED_CMD, MSR_TYPE_W);
- kvm_vcpu_unmap(vcpu, &to_vmx(vcpu)->nested.msr_bitmap_map, false);
+ kvm_vcpu_unmap(vcpu, &vmx->nested.msr_bitmap_map, false);
return true;
}
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -771,22 +771,11 @@ void vmx_update_exception_bitmap(struct
*/
static bool msr_write_intercepted(struct vcpu_vmx *vmx, u32 msr)
{
- unsigned long *msr_bitmap;
- int f = sizeof(unsigned long);
-
if (!(exec_controls_get(vmx) & CPU_BASED_USE_MSR_BITMAPS))
return true;
- msr_bitmap = vmx->loaded_vmcs->msr_bitmap;
-
- if (msr <= 0x1fff) {
- return !!test_bit(msr, msr_bitmap + 0x800 / f);
- } else if ((msr >= 0xc0000000) && (msr <= 0xc0001fff)) {
- msr &= 0x1fff;
- return !!test_bit(msr, msr_bitmap + 0xc00 / f);
- }
-
- return true;
+ return vmx_test_msr_bitmap_write(vmx->loaded_vmcs->msr_bitmap,
+ MSR_IA32_SPEC_CTRL);
}
static void clear_atomic_switch_msr_special(struct vcpu_vmx *vmx,
@@ -3695,46 +3684,6 @@ void free_vpid(int vpid)
spin_unlock(&vmx_vpid_lock);
}
-static void vmx_clear_msr_bitmap_read(ulong *msr_bitmap, u32 msr)
-{
- int f = sizeof(unsigned long);
-
- if (msr <= 0x1fff)
- __clear_bit(msr, msr_bitmap + 0x000 / f);
- else if ((msr >= 0xc0000000) && (msr <= 0xc0001fff))
- __clear_bit(msr & 0x1fff, msr_bitmap + 0x400 / f);
-}
-
-static void vmx_clear_msr_bitmap_write(ulong *msr_bitmap, u32 msr)
-{
- int f = sizeof(unsigned long);
-
- if (msr <= 0x1fff)
- __clear_bit(msr, msr_bitmap + 0x800 / f);
- else if ((msr >= 0xc0000000) && (msr <= 0xc0001fff))
- __clear_bit(msr & 0x1fff, msr_bitmap + 0xc00 / f);
-}
-
-static void vmx_set_msr_bitmap_read(ulong *msr_bitmap, u32 msr)
-{
- int f = sizeof(unsigned long);
-
- if (msr <= 0x1fff)
- __set_bit(msr, msr_bitmap + 0x000 / f);
- else if ((msr >= 0xc0000000) && (msr <= 0xc0001fff))
- __set_bit(msr & 0x1fff, msr_bitmap + 0x400 / f);
-}
-
-static void vmx_set_msr_bitmap_write(ulong *msr_bitmap, u32 msr)
-{
- int f = sizeof(unsigned long);
-
- if (msr <= 0x1fff)
- __set_bit(msr, msr_bitmap + 0x800 / f);
- else if ((msr >= 0xc0000000) && (msr <= 0xc0001fff))
- __set_bit(msr & 0x1fff, msr_bitmap + 0xc00 / f);
-}
-
void vmx_disable_intercept_for_msr(struct kvm_vcpu *vcpu, u32 msr, int type)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
--- a/arch/x86/kvm/vmx/vmx.h
+++ b/arch/x86/kvm/vmx/vmx.h
@@ -400,6 +400,69 @@ static inline void vmx_set_intercept_for
void vmx_update_cpu_dirty_logging(struct kvm_vcpu *vcpu);
+static inline bool vmx_test_msr_bitmap_read(ulong *msr_bitmap, u32 msr)
+{
+ int f = sizeof(unsigned long);
+
+ if (msr <= 0x1fff)
+ return test_bit(msr, msr_bitmap + 0x000 / f);
+ else if ((msr >= 0xc0000000) && (msr <= 0xc0001fff))
+ return test_bit(msr & 0x1fff, msr_bitmap + 0x400 / f);
+ return true;
+}
+
+static inline bool vmx_test_msr_bitmap_write(ulong *msr_bitmap, u32 msr)
+{
+ int f = sizeof(unsigned long);
+
+ if (msr <= 0x1fff)
+ return test_bit(msr, msr_bitmap + 0x800 / f);
+ else if ((msr >= 0xc0000000) && (msr <= 0xc0001fff))
+ return test_bit(msr & 0x1fff, msr_bitmap + 0xc00 / f);
+ return true;
+}
+
+static inline void vmx_clear_msr_bitmap_read(ulong *msr_bitmap, u32 msr)
+{
+ int f = sizeof(unsigned long);
+
+ if (msr <= 0x1fff)
+ __clear_bit(msr, msr_bitmap + 0x000 / f);
+ else if ((msr >= 0xc0000000) && (msr <= 0xc0001fff))
+ __clear_bit(msr & 0x1fff, msr_bitmap + 0x400 / f);
+}
+
+static inline void vmx_clear_msr_bitmap_write(ulong *msr_bitmap, u32 msr)
+{
+ int f = sizeof(unsigned long);
+
+ if (msr <= 0x1fff)
+ __clear_bit(msr, msr_bitmap + 0x800 / f);
+ else if ((msr >= 0xc0000000) && (msr <= 0xc0001fff))
+ __clear_bit(msr & 0x1fff, msr_bitmap + 0xc00 / f);
+}
+
+static inline void vmx_set_msr_bitmap_read(ulong *msr_bitmap, u32 msr)
+{
+ int f = sizeof(unsigned long);
+
+ if (msr <= 0x1fff)
+ __set_bit(msr, msr_bitmap + 0x000 / f);
+ else if ((msr >= 0xc0000000) && (msr <= 0xc0001fff))
+ __set_bit(msr & 0x1fff, msr_bitmap + 0x400 / f);
+}
+
+static inline void vmx_set_msr_bitmap_write(ulong *msr_bitmap, u32 msr)
+{
+ int f = sizeof(unsigned long);
+
+ if (msr <= 0x1fff)
+ __set_bit(msr, msr_bitmap + 0x800 / f);
+ else if ((msr >= 0xc0000000) && (msr <= 0xc0001fff))
+ __set_bit(msr & 0x1fff, msr_bitmap + 0xc00 / f);
+}
+
+
static inline u8 vmx_get_rvi(void)
{
return vmcs_read16(GUEST_INTR_STATUS) & 0xff;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 126/917] can: peak_usb: always ask for BERR reporting for PCAN-USB devices
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 125/917] KVM: nVMX: Handle dynamic MSR intercept toggling Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 127/917] can: mcp251xfd: mcp251xfd_irq(): add missing can_rx_offload_threaded_irq_finish() in case of bus off Greg Kroah-Hartman
` (793 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Stephane Grosjean, Marc Kleine-Budde
From: Stephane Grosjean <s.grosjean@peak-system.com>
commit 3f1c7aa28498e52a5e6aa2f1b89bf35c63352cfd upstream.
Since for the PCAN-USB, the management of the transition to the
ERROR_WARNING or ERROR_PASSIVE state is done according to the error
counters, these must be requested unconditionally.
Link: https://lore.kernel.org/all/20211021081505.18223-2-s.grosjean@peak-system.com
Fixes: c11dcee75830 ("can: peak_usb: pcan_usb_decode_error(): upgrade handling of bus state changes")
Cc: stable@vger.kernel.org
Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/peak_usb/pcan_usb.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
--- a/drivers/net/can/usb/peak_usb/pcan_usb.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb.c
@@ -841,14 +841,14 @@ static int pcan_usb_start(struct peak_us
pdev->bec.rxerr = 0;
pdev->bec.txerr = 0;
- /* be notified on error counter changes (if requested by user) */
- if (dev->can.ctrlmode & CAN_CTRLMODE_BERR_REPORTING) {
- err = pcan_usb_set_err_frame(dev, PCAN_USB_BERR_MASK);
- if (err)
- netdev_warn(dev->netdev,
- "Asking for BERR reporting error %u\n",
- err);
- }
+ /* always ask the device for BERR reporting, to be able to switch from
+ * WARNING to PASSIVE state
+ */
+ err = pcan_usb_set_err_frame(dev, PCAN_USB_BERR_MASK);
+ if (err)
+ netdev_warn(dev->netdev,
+ "Asking for BERR reporting error %u\n",
+ err);
/* if revision greater than 3, can put silent mode on/off */
if (dev->device_rev > 3) {
@@ -986,7 +986,6 @@ const struct peak_usb_adapter pcan_usb =
.device_id = PCAN_USB_PRODUCT_ID,
.ctrl_count = 1,
.ctrlmode_supported = CAN_CTRLMODE_3_SAMPLES | CAN_CTRLMODE_LISTENONLY |
- CAN_CTRLMODE_BERR_REPORTING |
CAN_CTRLMODE_CC_LEN8_DLC,
.clock = {
.freq = PCAN_USB_CRYSTAL_HZ / 2,
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 127/917] can: mcp251xfd: mcp251xfd_irq(): add missing can_rx_offload_threaded_irq_finish() in case of bus off
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 126/917] can: peak_usb: always ask for BERR reporting for PCAN-USB devices Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 128/917] can: j1939: j1939_tp_cmd_recv(): ignore abort message in the BAM transport Greg Kroah-Hartman
` (792 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marc Kleine-Budde
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit 691204bd66b34ba982e19988e6eba9f6321dfe6c upstream.
The function can_rx_offload_threaded_irq_finish() is needed to trigger
the NAPI thread to deliver read CAN frames to the networking stack.
This patch adds the missing call to can_rx_offload_threaded_irq_finish()
in case of a bus off, before leaving the interrupt handler to avoid
packet starvation.
Link: https://lore.kernel.org/all/20211106201526.44292-1-mkl@pengutronix.de
Fixes: 30bfec4fec59 ("can: rx-offload: can_rx_offload_threaded_irq_finish(): add new function to be called from threaded interrupt")
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
@@ -2290,8 +2290,10 @@ static irqreturn_t mcp251xfd_irq(int irq
* check will fail, too. So leave IRQ handler
* directly.
*/
- if (priv->can.state == CAN_STATE_BUS_OFF)
+ if (priv->can.state == CAN_STATE_BUS_OFF) {
+ can_rx_offload_threaded_irq_finish(&priv->offload);
return IRQ_HANDLED;
+ }
}
handled = IRQ_HANDLED;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 128/917] can: j1939: j1939_tp_cmd_recv(): ignore abort message in the BAM transport
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 127/917] can: mcp251xfd: mcp251xfd_irq(): add missing can_rx_offload_threaded_irq_finish() in case of bus off Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 129/917] can: j1939: j1939_can_recv(): ignore messages with invalid source address Greg Kroah-Hartman
` (791 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Zhang Changzhong, Oleksij Rempel,
Marc Kleine-Budde
From: Zhang Changzhong <zhangchangzhong@huawei.com>
commit c0f49d98006f2db3333b917caac65bce2af9865c upstream.
This patch prevents BAM transport from being closed by receiving abort
message, as specified in SAE-J1939-82 2015 (A.3.3 Row 4).
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Link: https://lore.kernel.org/all/1635431907-15617-2-git-send-email-zhangchangzhong@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/j1939/transport.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -2085,6 +2085,12 @@ static void j1939_tp_cmd_recv(struct j19
break;
case J1939_ETP_CMD_ABORT: /* && J1939_TP_CMD_ABORT */
+ if (j1939_cb_is_broadcast(skcb)) {
+ netdev_err_once(priv->ndev, "%s: abort to broadcast (%02x), ignoring!\n",
+ __func__, skcb->addr.sa);
+ return;
+ }
+
if (j1939_tp_im_transmitter(skcb))
j1939_xtp_rx_abort(priv, skb, true);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 129/917] can: j1939: j1939_can_recv(): ignore messages with invalid source address
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 128/917] can: j1939: j1939_tp_cmd_recv(): ignore abort message in the BAM transport Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 130/917] can: j1939: j1939_tp_cmd_recv(): check the dst address of TP.CM_BAM Greg Kroah-Hartman
` (790 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Zhang Changzhong, Oleksij Rempel,
Marc Kleine-Budde
From: Zhang Changzhong <zhangchangzhong@huawei.com>
commit a79305e156db3d24fcd8eb649cdb3c3b2350e5c2 upstream.
According to SAE-J1939-82 2015 (A.3.6 Row 2), a receiver should never
send TP.CM_CTS to the global address, so we can add a check in
j1939_can_recv() to drop messages with invalid source address.
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Link: https://lore.kernel.org/all/1635431907-15617-3-git-send-email-zhangchangzhong@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/j1939/main.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/net/can/j1939/main.c
+++ b/net/can/j1939/main.c
@@ -75,6 +75,13 @@ static void j1939_can_recv(struct sk_buf
skcb->addr.pgn = (cf->can_id >> 8) & J1939_PGN_MAX;
/* set default message type */
skcb->addr.type = J1939_TP;
+
+ if (!j1939_address_is_valid(skcb->addr.sa)) {
+ netdev_err_once(priv->ndev, "%s: sa is broadcast address, ignoring!\n",
+ __func__);
+ goto done;
+ }
+
if (j1939_pgn_is_pdu1(skcb->addr.pgn)) {
/* Type 1: with destination address */
skcb->addr.da = skcb->addr.pgn;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 130/917] can: j1939: j1939_tp_cmd_recv(): check the dst address of TP.CM_BAM
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 129/917] can: j1939: j1939_can_recv(): ignore messages with invalid source address Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 131/917] iio: adc: tsc2046: fix scan interval warning Greg Kroah-Hartman
` (789 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Zhang Changzhong, Oleksij Rempel,
Marc Kleine-Budde
From: Zhang Changzhong <zhangchangzhong@huawei.com>
commit 164051a6ab5445bd97f719f50b16db8b32174269 upstream.
The TP.CM_BAM message must be sent to the global address [1], so add a
check to drop TP.CM_BAM sent to a non-global address.
Without this patch, the receiver will treat the following packets as
normal RTS/CTS transport:
18EC0102#20090002FF002301
18EB0102#0100000000000000
18EB0102#020000FFFFFFFFFF
[1] SAE-J1939-82 2015 A.3.3 Row 1.
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Link: https://lore.kernel.org/all/1635431907-15617-4-git-send-email-zhangchangzhong@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/j1939/transport.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -2023,6 +2023,11 @@ static void j1939_tp_cmd_recv(struct j19
extd = J1939_ETP;
fallthrough;
case J1939_TP_CMD_BAM:
+ if (cmd == J1939_TP_CMD_BAM && !j1939_cb_is_broadcast(skcb)) {
+ netdev_err_once(priv->ndev, "%s: BAM to unicast (%02x), ignoring!\n",
+ __func__, skcb->addr.sa);
+ return;
+ }
fallthrough;
case J1939_TP_CMD_RTS:
if (skcb->addr.type != extd)
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 131/917] iio: adc: tsc2046: fix scan interval warning
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 130/917] can: j1939: j1939_tp_cmd_recv(): check the dst address of TP.CM_BAM Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 132/917] powerpc/85xx: Fix oops when mpc85xx_smp_guts_ids node cannot be found Greg Kroah-Hartman
` (788 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Oleksij Rempel, Stable, Jonathan Cameron
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit 69b31fd7a61784692db6433c05d46915b1b1a680 upstream.
Sync if statement with the actual warning.
Fixes: 9504db5765e8 ("iio: adc: tsc2046: fix a warning message in tsc2046_adc_update_scan_mode()")
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://lore.kernel.org/r/20211007093007.1466-2-o.rempel@pengutronix.de
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ti-tsc2046.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/adc/ti-tsc2046.c
+++ b/drivers/iio/adc/ti-tsc2046.c
@@ -398,7 +398,7 @@ static int tsc2046_adc_update_scan_mode(
priv->xfer.len = size;
priv->time_per_scan_us = size * 8 * priv->time_per_bit_ns / NSEC_PER_USEC;
- if (priv->scan_interval_us > priv->time_per_scan_us)
+ if (priv->scan_interval_us < priv->time_per_scan_us)
dev_warn(&priv->spi->dev, "The scan interval (%d) is less then calculated scan time (%d)\n",
priv->scan_interval_us, priv->time_per_scan_us);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 132/917] powerpc/85xx: Fix oops when mpc85xx_smp_guts_ids node cannot be found
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 131/917] iio: adc: tsc2046: fix scan interval warning Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 133/917] io_uring: honour zeroes as io-wq worker limits Greg Kroah-Hartman
` (787 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xiaoming Ni, Michael Ellerman
From: Xiaoming Ni <nixiaoming@huawei.com>
commit 3c2172c1c47b4079c29f0e6637d764a99355ebcd upstream.
When the field described in mpc85xx_smp_guts_ids[] is not configured in
dtb, the mpc85xx_setup_pmc() does not assign a value to the "guts"
variable. As a result, the oops is triggered when
mpc85xx_freeze_time_base() is executed.
Fixes: 56f1ba280719 ("powerpc/mpc85xx: refactor the PM operations")
Cc: stable@vger.kernel.org # v4.6+
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20210929033646.39630-2-nixiaoming@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/85xx/mpc85xx_pm_ops.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/arch/powerpc/platforms/85xx/mpc85xx_pm_ops.c
+++ b/arch/powerpc/platforms/85xx/mpc85xx_pm_ops.c
@@ -94,9 +94,8 @@ int __init mpc85xx_setup_pmc(void)
pr_err("Could not map guts node address\n");
return -ENOMEM;
}
+ qoriq_pm_ops = &mpc85xx_pm_ops;
}
- qoriq_pm_ops = &mpc85xx_pm_ops;
-
return 0;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 133/917] io_uring: honour zeroes as io-wq worker limits
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 132/917] powerpc/85xx: Fix oops when mpc85xx_smp_guts_ids node cannot be found Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 134/917] ring-buffer: Protect ring_buffer_reset() from reentrancy Greg Kroah-Hartman
` (786 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Beld Zhang, Pavel Begunkov,
Jens Axboe, stable
From: Pavel Begunkov <asml.silence@gmail.com>
commit bad119b9a00019054f0c9e2045f312ed63ace4f4 upstream.
When we pass in zero as an io-wq worker number limit it shouldn't
actually change the limits but return the old value, follow that
behaviour with deferred limits setup as well.
Cc: stable@kernel.org # 5.15
Reported-by: Beld Zhang <beldzhang@gmail.com>
Fixes: e139a1ec92f8d ("io_uring: apply max_workers limit to all future users")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/1b222a92f7a78a24b042763805e891a4cdd4b544.1636384034.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/io_uring.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -10684,7 +10684,9 @@ static int io_register_iowq_max_workers(
BUILD_BUG_ON(sizeof(new_count) != sizeof(ctx->iowq_limits));
- memcpy(ctx->iowq_limits, new_count, sizeof(new_count));
+ for (i = 0; i < ARRAY_SIZE(new_count); i++)
+ if (new_count[i])
+ ctx->iowq_limits[i] = new_count[i];
ctx->iowq_limits_set = true;
ret = -EINVAL;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 134/917] ring-buffer: Protect ring_buffer_reset() from reentrancy
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 133/917] io_uring: honour zeroes as io-wq worker limits Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 135/917] serial: core: Fix initializing and restoring termios speed Greg Kroah-Hartman
` (785 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tzvetomir Stoyanov (VMware),
Steven Rostedt (VMware)
From: Steven Rostedt (VMware) <rostedt@goodmis.org>
commit 51d157946666382e779f94c39891e8e9a020da78 upstream.
The resetting of the entire ring buffer use to simply go through and reset
each individual CPU buffer that had its own protection and synchronization.
But this was very slow, due to performing a synchronization for each CPU.
The code was reshuffled to do one disabling of all CPU buffers, followed
by a single RCU synchronization, and then the resetting of each of the CPU
buffers. But unfortunately, the mutex that prevented multiple occurrences
of resetting the buffer was not moved to the upper function, and there is
nothing to protect from it.
Take the ring buffer mutex around the global reset.
Cc: stable@vger.kernel.org
Fixes: b23d7a5f4a07a ("ring-buffer: speed up buffer resets by avoiding synchronize_rcu for each CPU")
Reported-by: "Tzvetomir Stoyanov (VMware)" <tz.stoyanov@gmail.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ring_buffer.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -5233,6 +5233,9 @@ void ring_buffer_reset(struct trace_buff
struct ring_buffer_per_cpu *cpu_buffer;
int cpu;
+ /* prevent another thread from changing buffer sizes */
+ mutex_lock(&buffer->mutex);
+
for_each_buffer_cpu(buffer, cpu) {
cpu_buffer = buffer->buffers[cpu];
@@ -5251,6 +5254,8 @@ void ring_buffer_reset(struct trace_buff
atomic_dec(&cpu_buffer->record_disabled);
atomic_dec(&cpu_buffer->resize_disabled);
}
+
+ mutex_unlock(&buffer->mutex);
}
EXPORT_SYMBOL_GPL(ring_buffer_reset);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 135/917] serial: core: Fix initializing and restoring termios speed
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 134/917] ring-buffer: Protect ring_buffer_reset() from reentrancy Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 136/917] ifb: fix building without CONFIG_NET_CLS_ACT Greg Kroah-Hartman
` (784 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pali Rohár
From: Pali Rohár <pali@kernel.org>
commit 027b57170bf8bb6999a28e4a5f3d78bf1db0f90c upstream.
Since commit edc6afc54968 ("tty: switch to ktermios and new framework")
termios speed is no longer stored only in c_cflag member but also in new
additional c_ispeed and c_ospeed members. If BOTHER flag is set in c_cflag
then termios speed is stored only in these new members.
Therefore to correctly restore termios speed it is required to store also
ispeed and ospeed members, not only cflag member.
In case only cflag member with BOTHER flag is restored then functions
tty_termios_baud_rate() and tty_termios_input_baud_rate() returns baudrate
stored in c_ospeed / c_ispeed member, which is zero as it was not restored
too. If reported baudrate is invalid (e.g. zero) then serial core functions
report fallback baudrate value 9600. So it means that in this case original
baudrate is lost and kernel changes it to value 9600.
Simple reproducer of this issue is to boot kernel with following command
line argument: "console=ttyXXX,86400" (where ttyXXX is the device name).
For speed 86400 there is no Bnnn constant and therefore kernel has to
represent this speed via BOTHER c_cflag. Which means that speed is stored
only in c_ospeed and c_ispeed members, not in c_cflag anymore.
If bootloader correctly configures serial device to speed 86400 then kernel
prints boot log to early console at speed speed 86400 without any issue.
But after kernel starts initializing real console device ttyXXX then speed
is changed to fallback value 9600 because information about speed was lost.
This patch fixes above issue by storing and restoring also ispeed and
ospeed members, which are required for BOTHER flag.
Fixes: edc6afc54968 ("[PATCH] tty: switch to ktermios and new framework")
Cc: stable@vger.kernel.org
Signed-off-by: Pali Rohár <pali@kernel.org>
Link: https://lore.kernel.org/r/20211002130900.9518-1-pali@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/serial_core.c | 16 ++++++++++++++--
include/linux/console.h | 2 ++
2 files changed, 16 insertions(+), 2 deletions(-)
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -222,7 +222,11 @@ static int uart_port_startup(struct tty_
if (retval == 0) {
if (uart_console(uport) && uport->cons->cflag) {
tty->termios.c_cflag = uport->cons->cflag;
+ tty->termios.c_ispeed = uport->cons->ispeed;
+ tty->termios.c_ospeed = uport->cons->ospeed;
uport->cons->cflag = 0;
+ uport->cons->ispeed = 0;
+ uport->cons->ospeed = 0;
}
/*
* Initialise the hardware port settings.
@@ -290,8 +294,11 @@ static void uart_shutdown(struct tty_str
/*
* Turn off DTR and RTS early.
*/
- if (uport && uart_console(uport) && tty)
+ if (uport && uart_console(uport) && tty) {
uport->cons->cflag = tty->termios.c_cflag;
+ uport->cons->ispeed = tty->termios.c_ispeed;
+ uport->cons->ospeed = tty->termios.c_ospeed;
+ }
if (!tty || C_HUPCL(tty))
uart_port_dtr_rts(uport, 0);
@@ -2094,8 +2101,11 @@ uart_set_options(struct uart_port *port,
* Allow the setting of the UART parameters with a NULL console
* too:
*/
- if (co)
+ if (co) {
co->cflag = termios.c_cflag;
+ co->ispeed = termios.c_ispeed;
+ co->ospeed = termios.c_ospeed;
+ }
return 0;
}
@@ -2229,6 +2239,8 @@ int uart_resume_port(struct uart_driver
*/
memset(&termios, 0, sizeof(struct ktermios));
termios.c_cflag = uport->cons->cflag;
+ termios.c_ispeed = uport->cons->ispeed;
+ termios.c_ospeed = uport->cons->ospeed;
/*
* If that's unset, use the tty termios setting.
--- a/include/linux/console.h
+++ b/include/linux/console.h
@@ -149,6 +149,8 @@ struct console {
short flags;
short index;
int cflag;
+ uint ispeed;
+ uint ospeed;
void *data;
struct console *next;
};
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 136/917] ifb: fix building without CONFIG_NET_CLS_ACT
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 135/917] serial: core: Fix initializing and restoring termios speed Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 137/917] xen/balloon: add late_initcall_sync() for initial ballooning done Greg Kroah-Hartman
` (783 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, David S. Miller
From: Arnd Bergmann <arnd@arndb.de>
commit 7444d706be31753f65052c7f6325fc8470cc1789 upstream.
The driver no longer depends on this option, but it fails to
build if it's disabled because the skb->tc_skip_classify is
hidden behind an #ifdef:
drivers/net/ifb.c:81:8: error: no member named 'tc_skip_classify' in 'struct sk_buff'
skb->tc_skip_classify = 1;
Use the same #ifdef around the assignment.
Fixes: 046178e726c2 ("ifb: Depend on netfilter alternatively to tc")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ifb.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/ifb.c
+++ b/drivers/net/ifb.c
@@ -76,7 +76,9 @@ static void ifb_ri_tasklet(struct taskle
while ((skb = __skb_dequeue(&txp->tq)) != NULL) {
skb->redirected = 0;
+#ifdef CONFIG_NET_CLS_ACT
skb->tc_skip_classify = 1;
+#endif
u64_stats_update_begin(&txp->tsync);
txp->tx_packets++;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 137/917] xen/balloon: add late_initcall_sync() for initial ballooning done
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 136/917] ifb: fix building without CONFIG_NET_CLS_ACT Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 138/917] ovl: fix use after free in struct ovl_aio_req Greg Kroah-Hartman
` (782 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Marek Marczykowski-Górecki,
Juergen Gross, Boris Ostrovsky
From: Juergen Gross <jgross@suse.com>
commit 40fdea0284bb20814399da0484a658a96c735d90 upstream.
When running as PVH or HVM guest with actual memory < max memory the
hypervisor is using "populate on demand" in order to allow the guest
to balloon down from its maximum memory size. For this to work
correctly the guest must not touch more memory pages than its target
memory size as otherwise the PoD cache will be exhausted and the guest
is crashed as a result of that.
In extreme cases ballooning down might not be finished today before
the init process is started, which can consume lots of memory.
In order to avoid random boot crashes in such cases, add a late init
call to wait for ballooning down having finished for PVH/HVM guests.
Warn on console if initial ballooning fails, panic() after stalling
for more than 3 minutes per default. Add a module parameter for
changing this timeout.
[boris: replaced pr_info() with pr_notice()]
Cc: <stable@vger.kernel.org>
Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Link: https://lore.kernel.org/r/20211102091944.17487-1-jgross@suse.com
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/admin-guide/kernel-parameters.txt | 7 +
drivers/xen/balloon.c | 86 +++++++++++++++++-------
2 files changed, 70 insertions(+), 23 deletions(-)
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -6349,6 +6349,13 @@
improve timer resolution at the expense of processing
more timer interrupts.
+ xen.balloon_boot_timeout= [XEN]
+ The time (in seconds) to wait before giving up to boot
+ in case initial ballooning fails to free enough memory.
+ Applies only when running as HVM or PVH guest and
+ started with less memory configured than allowed at
+ max. Default is 180.
+
xen.event_eoi_delay= [XEN]
How long to delay EOI handling in case of event
storms (jiffies). Default is 10.
--- a/drivers/xen/balloon.c
+++ b/drivers/xen/balloon.c
@@ -58,6 +58,7 @@
#include <linux/percpu-defs.h>
#include <linux/slab.h>
#include <linux/sysctl.h>
+#include <linux/moduleparam.h>
#include <asm/page.h>
#include <asm/tlb.h>
@@ -73,6 +74,12 @@
#include <xen/page.h>
#include <xen/mem-reservation.h>
+#undef MODULE_PARAM_PREFIX
+#define MODULE_PARAM_PREFIX "xen."
+
+static uint __read_mostly balloon_boot_timeout = 180;
+module_param(balloon_boot_timeout, uint, 0444);
+
static int xen_hotplug_unpopulated;
#ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
@@ -125,12 +132,12 @@ static struct ctl_table xen_root[] = {
* BP_ECANCELED: error, balloon operation canceled.
*/
-enum bp_state {
+static enum bp_state {
BP_DONE,
BP_WAIT,
BP_EAGAIN,
BP_ECANCELED
-};
+} balloon_state = BP_DONE;
/* Main waiting point for xen-balloon thread. */
static DECLARE_WAIT_QUEUE_HEAD(balloon_thread_wq);
@@ -199,18 +206,15 @@ static struct page *balloon_next_page(st
return list_entry(next, struct page, lru);
}
-static enum bp_state update_schedule(enum bp_state state)
+static void update_schedule(void)
{
- if (state == BP_WAIT)
- return BP_WAIT;
-
- if (state == BP_ECANCELED)
- return BP_ECANCELED;
+ if (balloon_state == BP_WAIT || balloon_state == BP_ECANCELED)
+ return;
- if (state == BP_DONE) {
+ if (balloon_state == BP_DONE) {
balloon_stats.schedule_delay = 1;
balloon_stats.retry_count = 1;
- return BP_DONE;
+ return;
}
++balloon_stats.retry_count;
@@ -219,7 +223,8 @@ static enum bp_state update_schedule(enu
balloon_stats.retry_count > balloon_stats.max_retry_count) {
balloon_stats.schedule_delay = 1;
balloon_stats.retry_count = 1;
- return BP_ECANCELED;
+ balloon_state = BP_ECANCELED;
+ return;
}
balloon_stats.schedule_delay <<= 1;
@@ -227,7 +232,7 @@ static enum bp_state update_schedule(enu
if (balloon_stats.schedule_delay > balloon_stats.max_schedule_delay)
balloon_stats.schedule_delay = balloon_stats.max_schedule_delay;
- return BP_EAGAIN;
+ balloon_state = BP_EAGAIN;
}
#ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
@@ -494,9 +499,9 @@ static enum bp_state decrease_reservatio
* Stop waiting if either state is BP_DONE and ballooning action is
* needed, or if the credit has changed while state is not BP_DONE.
*/
-static bool balloon_thread_cond(enum bp_state state, long credit)
+static bool balloon_thread_cond(long credit)
{
- if (state == BP_DONE)
+ if (balloon_state == BP_DONE)
credit = 0;
return current_credit() != credit || kthread_should_stop();
@@ -510,13 +515,12 @@ static bool balloon_thread_cond(enum bp_
*/
static int balloon_thread(void *unused)
{
- enum bp_state state = BP_DONE;
long credit;
unsigned long timeout;
set_freezable();
for (;;) {
- switch (state) {
+ switch (balloon_state) {
case BP_DONE:
case BP_ECANCELED:
timeout = 3600 * HZ;
@@ -532,7 +536,7 @@ static int balloon_thread(void *unused)
credit = current_credit();
wait_event_freezable_timeout(balloon_thread_wq,
- balloon_thread_cond(state, credit), timeout);
+ balloon_thread_cond(credit), timeout);
if (kthread_should_stop())
return 0;
@@ -543,22 +547,23 @@ static int balloon_thread(void *unused)
if (credit > 0) {
if (balloon_is_inflated())
- state = increase_reservation(credit);
+ balloon_state = increase_reservation(credit);
else
- state = reserve_additional_memory();
+ balloon_state = reserve_additional_memory();
}
if (credit < 0) {
long n_pages;
n_pages = min(-credit, si_mem_available());
- state = decrease_reservation(n_pages, GFP_BALLOON);
- if (state == BP_DONE && n_pages != -credit &&
+ balloon_state = decrease_reservation(n_pages,
+ GFP_BALLOON);
+ if (balloon_state == BP_DONE && n_pages != -credit &&
n_pages < totalreserve_pages)
- state = BP_EAGAIN;
+ balloon_state = BP_EAGAIN;
}
- state = update_schedule(state);
+ update_schedule();
mutex_unlock(&balloon_mutex);
@@ -765,3 +770,38 @@ static int __init balloon_init(void)
return 0;
}
subsys_initcall(balloon_init);
+
+static int __init balloon_wait_finish(void)
+{
+ long credit, last_credit = 0;
+ unsigned long last_changed = 0;
+
+ if (!xen_domain())
+ return -ENODEV;
+
+ /* PV guests don't need to wait. */
+ if (xen_pv_domain() || !current_credit())
+ return 0;
+
+ pr_notice("Waiting for initial ballooning down having finished.\n");
+
+ while ((credit = current_credit()) < 0) {
+ if (credit != last_credit) {
+ last_changed = jiffies;
+ last_credit = credit;
+ }
+ if (balloon_state == BP_ECANCELED) {
+ pr_warn_once("Initial ballooning failed, %ld pages need to be freed.\n",
+ -credit);
+ if (jiffies - last_changed >= HZ * balloon_boot_timeout)
+ panic("Initial ballooning failed!\n");
+ }
+
+ schedule_timeout_interruptible(HZ / 10);
+ }
+
+ pr_notice("Initial ballooning down finished.\n");
+
+ return 0;
+}
+late_initcall_sync(balloon_wait_finish);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 138/917] ovl: fix use after free in struct ovl_aio_req
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 137/917] xen/balloon: add late_initcall_sync() for initial ballooning done Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 139/917] ovl: fix filattr copy-up failure Greg Kroah-Hartman
` (781 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, yangerkun, Miklos Szeredi
From: yangerkun <yangerkun@huawei.com>
commit 9a254403760041528bc8f69fe2f5e1ef86950991 upstream.
Example for triggering use after free in a overlay on ext4 setup:
aio_read
ovl_read_iter
vfs_iter_read
ext4_file_read_iter
ext4_dio_read_iter
iomap_dio_rw -> -EIOCBQUEUED
/*
* Here IO is completed in a separate thread,
* ovl_aio_cleanup_handler() frees aio_req which has iocb embedded
*/
file_accessed(iocb->ki_filp); /**BOOM**/
Fix by introducing a refcount in ovl_aio_req similarly to aio_kiocb. This
guarantees that iocb is only freed after vfs_read/write_iter() returns on
underlying fs.
Fixes: 2406a307ac7d ("ovl: implement async IO routines")
Signed-off-by: yangerkun <yangerkun@huawei.com>
Link: https://lore.kernel.org/r/20210930032228.3199690-3-yangerkun@huawei.com/
Cc: <stable@vger.kernel.org> # v5.6
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/overlayfs/file.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -17,6 +17,7 @@
struct ovl_aio_req {
struct kiocb iocb;
+ refcount_t ref;
struct kiocb *orig_iocb;
struct fd fd;
};
@@ -252,6 +253,14 @@ static rwf_t ovl_iocb_to_rwf(int ifl)
return flags;
}
+static inline void ovl_aio_put(struct ovl_aio_req *aio_req)
+{
+ if (refcount_dec_and_test(&aio_req->ref)) {
+ fdput(aio_req->fd);
+ kmem_cache_free(ovl_aio_request_cachep, aio_req);
+ }
+}
+
static void ovl_aio_cleanup_handler(struct ovl_aio_req *aio_req)
{
struct kiocb *iocb = &aio_req->iocb;
@@ -268,8 +277,7 @@ static void ovl_aio_cleanup_handler(stru
}
orig_iocb->ki_pos = iocb->ki_pos;
- fdput(aio_req->fd);
- kmem_cache_free(ovl_aio_request_cachep, aio_req);
+ ovl_aio_put(aio_req);
}
static void ovl_aio_rw_complete(struct kiocb *iocb, long res, long res2)
@@ -319,7 +327,9 @@ static ssize_t ovl_read_iter(struct kioc
aio_req->orig_iocb = iocb;
kiocb_clone(&aio_req->iocb, iocb, real.file);
aio_req->iocb.ki_complete = ovl_aio_rw_complete;
+ refcount_set(&aio_req->ref, 2);
ret = vfs_iocb_iter_read(real.file, &aio_req->iocb, iter);
+ ovl_aio_put(aio_req);
if (ret != -EIOCBQUEUED)
ovl_aio_cleanup_handler(aio_req);
}
@@ -390,7 +400,9 @@ static ssize_t ovl_write_iter(struct kio
kiocb_clone(&aio_req->iocb, iocb, real.file);
aio_req->iocb.ki_flags = ifl;
aio_req->iocb.ki_complete = ovl_aio_rw_complete;
+ refcount_set(&aio_req->ref, 2);
ret = vfs_iocb_iter_write(real.file, &aio_req->iocb, iter);
+ ovl_aio_put(aio_req);
if (ret != -EIOCBQUEUED)
ovl_aio_cleanup_handler(aio_req);
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 139/917] ovl: fix filattr copy-up failure
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 138/917] ovl: fix use after free in struct ovl_aio_req Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 140/917] PCI: pci-bridge-emul: Fix emulation of W1C bits Greg Kroah-Hartman
` (780 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miklos Szeredi, Kevin Locke
From: Miklos Szeredi <mszeredi@redhat.com>
commit 5b0a414d06c3ed2097e32ef7944a4abb644b89bd upstream.
This regression can be reproduced with ntfs-3g and overlayfs:
mkdir lower upper work overlay
dd if=/dev/zero of=ntfs.raw bs=1M count=2
mkntfs -F ntfs.raw
mount ntfs.raw lower
touch lower/file.txt
mount -t overlay -o lowerdir=lower,upperdir=upper,workdir=work - overlay
mv overlay/file.txt overlay/file2.txt
mv fails and (misleadingly) prints
mv: cannot move 'overlay/file.txt' to a subdirectory of itself, 'overlay/file2.txt'
The reason is that ovl_copy_fileattr() is triggered due to S_NOATIME being
set on all inodes (by fuse) regardless of fileattr.
ovl_copy_fileattr() tries to retrieve file attributes from lower file, but
that fails because filesystem does not support this ioctl (this should fail
with ENOTTY, but ntfs-3g return EINVAL instead). This failure is
propagated to origial operation (in this case rename) that triggered the
copy-up.
The fix is to ignore ENOTTY and EINVAL errors from fileattr_get() in copy
up. This also requires turning the internal ENOIOCTLCMD into ENOTTY.
As a further measure to prevent unnecessary failures, only try the
fileattr_get/set on upper if there are any flags to copy up.
Side note: a number of filesystems set S_NOATIME (and sometimes other inode
flags) irrespective of fileattr flags. This causes unnecessary calls
during copy up, which might lead to a performance issue, especially if
latency is high. To fix this, the kernel would need to differentiate
between the two cases. E.g. introduce SB_NOATIME_UPDATE, a per-sb variant
of S_NOATIME. SB_NOATIME doesn't work, because that's interpreted as
"filesystem doesn't store an atime attribute"
Reported-and-tested-by: Kevin Locke <kevin@kevinlocke.name>
Fixes: 72db82115d2b ("ovl: copy up sync/noatime fileattr flags")
Cc: <stable@vger.kernel.org> # v5.15
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/overlayfs/copy_up.c | 23 ++++++++++++++++++-----
fs/overlayfs/inode.c | 5 ++++-
2 files changed, 22 insertions(+), 6 deletions(-)
--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -140,12 +140,14 @@ static int ovl_copy_fileattr(struct inod
int err;
err = ovl_real_fileattr_get(old, &oldfa);
- if (err)
- return err;
-
- err = ovl_real_fileattr_get(new, &newfa);
- if (err)
+ if (err) {
+ /* Ntfs-3g returns -EINVAL for "no fileattr support" */
+ if (err == -ENOTTY || err == -EINVAL)
+ return 0;
+ pr_warn("failed to retrieve lower fileattr (%pd2, err=%i)\n",
+ old, err);
return err;
+ }
/*
* We cannot set immutable and append-only flags on upper inode,
@@ -159,6 +161,17 @@ static int ovl_copy_fileattr(struct inod
return err;
}
+ /* Don't bother copying flags if none are set */
+ if (!(oldfa.flags & OVL_COPY_FS_FLAGS_MASK))
+ return 0;
+
+ err = ovl_real_fileattr_get(new, &newfa);
+ if (err) {
+ pr_warn("failed to retrieve upper fileattr (%pd2, err=%i)\n",
+ new, err);
+ return err;
+ }
+
BUILD_BUG_ON(OVL_COPY_FS_FLAGS_MASK & ~FS_COMMON_FL);
newfa.flags &= ~OVL_COPY_FS_FLAGS_MASK;
newfa.flags |= (oldfa.flags & OVL_COPY_FS_FLAGS_MASK);
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -610,7 +610,10 @@ int ovl_real_fileattr_get(struct path *r
if (err)
return err;
- return vfs_fileattr_get(realpath->dentry, fa);
+ err = vfs_fileattr_get(realpath->dentry, fa);
+ if (err == -ENOIOCTLCMD)
+ err = -ENOTTY;
+ return err;
}
int ovl_fileattr_get(struct dentry *dentry, struct fileattr *fa)
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 140/917] PCI: pci-bridge-emul: Fix emulation of W1C bits
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 139/917] ovl: fix filattr copy-up failure Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 141/917] PCI: cadence: Add cdns_plat_pcie_probe() missing return Greg Kroah-Hartman
` (779 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pali Rohár, Marek Behún,
Lorenzo Pieralisi, Russell King
From: Marek Behún <kabel@kernel.org>
commit 7a41ae80bdcb17e14dd7d83239b8a0cf368f18be upstream.
The pci_bridge_emul_conf_write() function correctly clears W1C bits in
cfgspace cache, but it does not inform the underlying implementation
about the clear request: the .write_op() method is given the value with
these bits cleared.
This is wrong if the .write_op() needs to know which bits were requested
to be cleared.
Fix the value to be passed into the .write_op() method to have requested
W1C bits set, so that it can clear them.
Both pci-bridge-emul users (mvebu and aardvark) are compatible with this
change.
Link: https://lore.kernel.org/r/20211028185659.20329-2-kabel@kernel.org
Fixes: 23a5fba4d941 ("PCI: Introduce PCI bridge emulated config space common logic")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: stable@vger.kernel.org
Cc: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pci-bridge-emul.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/drivers/pci/pci-bridge-emul.c
+++ b/drivers/pci/pci-bridge-emul.c
@@ -431,8 +431,21 @@ int pci_bridge_emul_conf_write(struct pc
/* Clear the W1C bits */
new &= ~((value << shift) & (behavior[reg / 4].w1c & mask));
+ /* Save the new value with the cleared W1C bits into the cfgspace */
cfgspace[reg / 4] = cpu_to_le32(new);
+ /*
+ * Clear the W1C bits not specified by the write mask, so that the
+ * write_op() does not clear them.
+ */
+ new &= ~(behavior[reg / 4].w1c & ~mask);
+
+ /*
+ * Set the W1C bits specified by the write mask, so that write_op()
+ * knows about that they are to be cleared.
+ */
+ new |= (value << shift) & (behavior[reg / 4].w1c & mask);
+
if (write_op)
write_op(bridge, reg, old, new, mask);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 141/917] PCI: cadence: Add cdns_plat_pcie_probe() missing return
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 140/917] PCI: pci-bridge-emul: Fix emulation of W1C bits Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 142/917] cxl/pci: Fix NULL vs ERR_PTR confusion Greg Kroah-Hartman
` (778 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Xuliang Zhang, Li Chen, Bjorn Helgaas
From: Li Chen <lchen@ambarella.com>
commit 27cd7e3c9bb1ae13bc16f08138edd6e4df3cd211 upstream.
When cdns_plat_pcie_probe() succeeds, return success instead of falling
into the error handling code.
Fixes: bd22885aa188 ("PCI: cadence: Refactor driver to use as a core library")
Link: https://lore.kernel.org/r/DM6PR19MB40271B93057D949310F0B0EDA0BF9@DM6PR19MB4027.namprd19.prod.outlook.com
Signed-off-by: Xuliang Zhang <xlzhanga@ambarella.com>
Signed-off-by: Li Chen <lchen@ambarella.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/cadence/pcie-cadence-plat.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/pci/controller/cadence/pcie-cadence-plat.c
+++ b/drivers/pci/controller/cadence/pcie-cadence-plat.c
@@ -127,6 +127,8 @@ static int cdns_plat_pcie_probe(struct p
goto err_init;
}
+ return 0;
+
err_init:
err_get_sync:
pm_runtime_put_sync(dev);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 142/917] cxl/pci: Fix NULL vs ERR_PTR confusion
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 141/917] PCI: cadence: Add cdns_plat_pcie_probe() missing return Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 143/917] PCI: aardvark: Do not clear status bits of masked interrupts Greg Kroah-Hartman
` (777 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ira Weiny, Jonathan Cameron, Dan Williams
From: Dan Williams <dan.j.williams@intel.com>
commit ca76a3a8052b71c0334d5c094859cfa340c290a8 upstream.
cxl_pci_map_regblock() may return an ERR_PTR(), but cxl_pci_setup_regs()
is only prepared for NULL as the error case. Pick the minimal fix for
-stable backport purposes and just have cxl_pci_map_regblock() return
NULL for errors.
Fixes: f8a7e8c29be8 ("cxl/pci: Reserve all device regions at once")
Cc: <stable@vger.kernel.org>
Reviewed-by: Ira Weiny <ira.weiny@intel.com>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Link: https://lore.kernel.org/r/163433325724.834522.17809774578178224149.stgit@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cxl/pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/cxl/pci.c
+++ b/drivers/cxl/pci.c
@@ -972,7 +972,7 @@ static void __iomem *cxl_mem_map_regbloc
if (pci_resource_len(pdev, bar) < offset) {
dev_err(dev, "BAR%d: %pr: too small (offset: %#llx)\n", bar,
&pdev->resource[bar], (unsigned long long)offset);
- return IOMEM_ERR_PTR(-ENXIO);
+ return NULL;
}
addr = pci_iomap(pdev, bar, 0);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 143/917] PCI: aardvark: Do not clear status bits of masked interrupts
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 142/917] cxl/pci: Fix NULL vs ERR_PTR confusion Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:53 ` [PATCH 5.15 144/917] PCI: aardvark: Fix checking for link up via LTSSM state Greg Kroah-Hartman
` (776 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pali Rohár, Marek Behún,
Lorenzo Pieralisi
From: Pali Rohár <pali@kernel.org>
commit a7ca6d7fa3c02c032db5440ff392d96c04684c21 upstream.
The PCIE_ISR1_REG says which interrupts are currently set / active,
including those which are masked.
The driver currently reads this register and looks if some unmasked
interrupts are active, and if not, it clears status bits of _all_
interrupts, including the masked ones.
This is incorrect, since, for example, some drivers may poll these bits.
Remove this clearing, and also remove this early return statement
completely, since it does not change functionality in any way.
Link: https://lore.kernel.org/r/20211005180952.6812-7-kabel@kernel.org
Fixes: 8c39d710363c ("PCI: aardvark: Add Aardvark PCI host controller driver")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Reviewed-by: Marek Behún <kabel@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pci-aardvark.c | 6 ------
1 file changed, 6 deletions(-)
--- a/drivers/pci/controller/pci-aardvark.c
+++ b/drivers/pci/controller/pci-aardvark.c
@@ -1286,12 +1286,6 @@ static void advk_pcie_handle_int(struct
isr1_mask = advk_readl(pcie, PCIE_ISR1_MASK_REG);
isr1_status = isr1_val & ((~isr1_mask) & PCIE_ISR1_ALL_MASK);
- if (!isr0_status && !isr1_status) {
- advk_writel(pcie, isr0_val, PCIE_ISR0_REG);
- advk_writel(pcie, isr1_val, PCIE_ISR1_REG);
- return;
- }
-
/* Process MSI interrupts */
if (isr0_status & PCIE_ISR0_MSI_INT_PENDING)
advk_pcie_handle_msi(pcie);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 144/917] PCI: aardvark: Fix checking for link up via LTSSM state
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 143/917] PCI: aardvark: Do not clear status bits of masked interrupts Greg Kroah-Hartman
@ 2021-11-15 16:53 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 145/917] PCI: aardvark: Do not unmask unused interrupts Greg Kroah-Hartman
` (775 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:53 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pali Rohár, Marek Behún,
Lorenzo Pieralisi, Remi Pommarel
From: Pali Rohár <pali@kernel.org>
commit 661c399a651c11aaf83c45cbfe0b4a1fb7bc3179 upstream.
Current implementation of advk_pcie_link_up() is wrong as it marks also
link disabled or hot reset states as link up.
Fix it by marking link up only to those states which are defined in PCIe
Base specification 3.0, Table 4-14: Link Status Mapped to the LTSSM.
To simplify implementation, Define macros for every LTSSM state which
aardvark hardware can return in CFG_REG register.
Fix also checking for link training according to the same Table 4-14.
Define a new function advk_pcie_link_training() for this purpose.
Link: https://lore.kernel.org/r/20211005180952.6812-13-kabel@kernel.org
Fixes: 8c39d710363c ("PCI: aardvark: Add Aardvark PCI host controller driver")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Reviewed-by: Marek Behún <kabel@kernel.org>
Cc: stable@vger.kernel.org
Cc: Remi Pommarel <repk@triplefau.lt>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pci-aardvark.c | 76 +++++++++++++++++++++++++++++++---
1 file changed, 70 insertions(+), 6 deletions(-)
--- a/drivers/pci/controller/pci-aardvark.c
+++ b/drivers/pci/controller/pci-aardvark.c
@@ -164,8 +164,50 @@
#define CFG_REG (LMI_BASE_ADDR + 0x0)
#define LTSSM_SHIFT 24
#define LTSSM_MASK 0x3f
-#define LTSSM_L0 0x10
#define RC_BAR_CONFIG 0x300
+
+/* LTSSM values in CFG_REG */
+enum {
+ LTSSM_DETECT_QUIET = 0x0,
+ LTSSM_DETECT_ACTIVE = 0x1,
+ LTSSM_POLLING_ACTIVE = 0x2,
+ LTSSM_POLLING_COMPLIANCE = 0x3,
+ LTSSM_POLLING_CONFIGURATION = 0x4,
+ LTSSM_CONFIG_LINKWIDTH_START = 0x5,
+ LTSSM_CONFIG_LINKWIDTH_ACCEPT = 0x6,
+ LTSSM_CONFIG_LANENUM_ACCEPT = 0x7,
+ LTSSM_CONFIG_LANENUM_WAIT = 0x8,
+ LTSSM_CONFIG_COMPLETE = 0x9,
+ LTSSM_CONFIG_IDLE = 0xa,
+ LTSSM_RECOVERY_RCVR_LOCK = 0xb,
+ LTSSM_RECOVERY_SPEED = 0xc,
+ LTSSM_RECOVERY_RCVR_CFG = 0xd,
+ LTSSM_RECOVERY_IDLE = 0xe,
+ LTSSM_L0 = 0x10,
+ LTSSM_RX_L0S_ENTRY = 0x11,
+ LTSSM_RX_L0S_IDLE = 0x12,
+ LTSSM_RX_L0S_FTS = 0x13,
+ LTSSM_TX_L0S_ENTRY = 0x14,
+ LTSSM_TX_L0S_IDLE = 0x15,
+ LTSSM_TX_L0S_FTS = 0x16,
+ LTSSM_L1_ENTRY = 0x17,
+ LTSSM_L1_IDLE = 0x18,
+ LTSSM_L2_IDLE = 0x19,
+ LTSSM_L2_TRANSMIT_WAKE = 0x1a,
+ LTSSM_DISABLED = 0x20,
+ LTSSM_LOOPBACK_ENTRY_MASTER = 0x21,
+ LTSSM_LOOPBACK_ACTIVE_MASTER = 0x22,
+ LTSSM_LOOPBACK_EXIT_MASTER = 0x23,
+ LTSSM_LOOPBACK_ENTRY_SLAVE = 0x24,
+ LTSSM_LOOPBACK_ACTIVE_SLAVE = 0x25,
+ LTSSM_LOOPBACK_EXIT_SLAVE = 0x26,
+ LTSSM_HOT_RESET = 0x27,
+ LTSSM_RECOVERY_EQUALIZATION_PHASE0 = 0x28,
+ LTSSM_RECOVERY_EQUALIZATION_PHASE1 = 0x29,
+ LTSSM_RECOVERY_EQUALIZATION_PHASE2 = 0x2a,
+ LTSSM_RECOVERY_EQUALIZATION_PHASE3 = 0x2b,
+};
+
#define VENDOR_ID_REG (LMI_BASE_ADDR + 0x44)
/* PCIe core controller registers */
@@ -262,13 +304,35 @@ static inline u16 advk_read16(struct adv
return advk_readl(pcie, (reg & ~0x3)) >> ((reg & 0x3) * 8);
}
-static int advk_pcie_link_up(struct advk_pcie *pcie)
+static u8 advk_pcie_ltssm_state(struct advk_pcie *pcie)
{
- u32 val, ltssm_state;
+ u32 val;
+ u8 ltssm_state;
val = advk_readl(pcie, CFG_REG);
ltssm_state = (val >> LTSSM_SHIFT) & LTSSM_MASK;
- return ltssm_state >= LTSSM_L0;
+ return ltssm_state;
+}
+
+static inline bool advk_pcie_link_up(struct advk_pcie *pcie)
+{
+ /* check if LTSSM is in normal operation - some L* state */
+ u8 ltssm_state = advk_pcie_ltssm_state(pcie);
+ return ltssm_state >= LTSSM_L0 && ltssm_state < LTSSM_DISABLED;
+}
+
+static inline bool advk_pcie_link_training(struct advk_pcie *pcie)
+{
+ /*
+ * According to PCIe Base specification 3.0, Table 4-14: Link
+ * Status Mapped to the LTSSM is Link Training mapped to LTSSM
+ * Configuration and Recovery states.
+ */
+ u8 ltssm_state = advk_pcie_ltssm_state(pcie);
+ return ((ltssm_state >= LTSSM_CONFIG_LINKWIDTH_START &&
+ ltssm_state < LTSSM_L0) ||
+ (ltssm_state >= LTSSM_RECOVERY_EQUALIZATION_PHASE0 &&
+ ltssm_state <= LTSSM_RECOVERY_EQUALIZATION_PHASE3));
}
static int advk_pcie_wait_for_link(struct advk_pcie *pcie)
@@ -291,7 +355,7 @@ static void advk_pcie_wait_for_retrain(s
size_t retries;
for (retries = 0; retries < RETRAIN_WAIT_MAX_RETRIES; ++retries) {
- if (!advk_pcie_link_up(pcie))
+ if (advk_pcie_link_training(pcie))
break;
udelay(RETRAIN_WAIT_USLEEP_US);
}
@@ -738,7 +802,7 @@ advk_pci_bridge_emul_pcie_conf_read(stru
/* u32 contains both PCI_EXP_LNKCTL and PCI_EXP_LNKSTA */
u32 val = advk_readl(pcie, PCIE_CORE_PCIEXP_CAP + reg) &
~(PCI_EXP_LNKSTA_LT << 16);
- if (!advk_pcie_link_up(pcie))
+ if (advk_pcie_link_training(pcie))
val |= (PCI_EXP_LNKSTA_LT << 16);
*value = val;
return PCI_BRIDGE_EMUL_HANDLED;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 145/917] PCI: aardvark: Do not unmask unused interrupts
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2021-11-15 16:53 ` [PATCH 5.15 144/917] PCI: aardvark: Fix checking for link up via LTSSM state Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 146/917] PCI: aardvark: Fix reporting Data Link Layer Link Active Greg Kroah-Hartman
` (774 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pali Rohár, Marek Behún,
Lorenzo Pieralisi
From: Pali Rohár <pali@kernel.org>
commit 1fb95d7d3c7a926b002fe8a6bd27a1cb428b46dc upstream.
There are lot of undocumented interrupt bits. To prevent unwanted
spurious interrupts, fix all *_ALL_MASK macros to define all interrupt
bits, so that driver can properly mask all interrupts, including those
which are undocumented.
Link: https://lore.kernel.org/r/20211005180952.6812-8-kabel@kernel.org
Fixes: 8c39d710363c ("PCI: aardvark: Add Aardvark PCI host controller driver")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Reviewed-by: Marek Behún <kabel@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pci-aardvark.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/pci/controller/pci-aardvark.c
+++ b/drivers/pci/controller/pci-aardvark.c
@@ -106,13 +106,13 @@
#define PCIE_ISR0_MSI_INT_PENDING BIT(24)
#define PCIE_ISR0_INTX_ASSERT(val) BIT(16 + (val))
#define PCIE_ISR0_INTX_DEASSERT(val) BIT(20 + (val))
-#define PCIE_ISR0_ALL_MASK GENMASK(26, 0)
+#define PCIE_ISR0_ALL_MASK GENMASK(31, 0)
#define PCIE_ISR1_REG (CONTROL_BASE_ADDR + 0x48)
#define PCIE_ISR1_MASK_REG (CONTROL_BASE_ADDR + 0x4C)
#define PCIE_ISR1_POWER_STATE_CHANGE BIT(4)
#define PCIE_ISR1_FLUSH BIT(5)
#define PCIE_ISR1_INTX_ASSERT(val) BIT(8 + (val))
-#define PCIE_ISR1_ALL_MASK GENMASK(11, 4)
+#define PCIE_ISR1_ALL_MASK GENMASK(31, 0)
#define PCIE_MSI_ADDR_LOW_REG (CONTROL_BASE_ADDR + 0x50)
#define PCIE_MSI_ADDR_HIGH_REG (CONTROL_BASE_ADDR + 0x54)
#define PCIE_MSI_STATUS_REG (CONTROL_BASE_ADDR + 0x58)
@@ -240,7 +240,7 @@ enum {
#define PCIE_IRQ_MSI_INT2_DET BIT(21)
#define PCIE_IRQ_RC_DBELL_DET BIT(22)
#define PCIE_IRQ_EP_STATUS BIT(23)
-#define PCIE_IRQ_ALL_MASK 0xfff0fb
+#define PCIE_IRQ_ALL_MASK GENMASK(31, 0)
#define PCIE_IRQ_ENABLE_INTS_MASK PCIE_IRQ_CORE_INT
/* Transaction types */
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 146/917] PCI: aardvark: Fix reporting Data Link Layer Link Active
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 145/917] PCI: aardvark: Do not unmask unused interrupts Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 147/917] PCI: aardvark: Fix configuring Reference clock Greg Kroah-Hartman
` (773 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pali Rohár, Marek Behún,
Lorenzo Pieralisi
From: Pali Rohár <pali@kernel.org>
commit 2b650b7ff20eb7ea8ef9031d20fb657286ab90cc upstream.
Add support for reporting PCI_EXP_LNKSTA_DLLLA bit in Link Control register
on emulated bridge via current LTSSM state. Also correctly indicate DLLLA
capability via PCI_EXP_LNKCAP_DLLLARC bit in Link Control Capability
register.
Link: https://lore.kernel.org/r/20211005180952.6812-14-kabel@kernel.org
Fixes: 8a3ebd8de328 ("PCI: aardvark: Implement emulated root PCI bridge config space")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Reviewed-by: Marek Behún <kabel@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pci-aardvark.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
--- a/drivers/pci/controller/pci-aardvark.c
+++ b/drivers/pci/controller/pci-aardvark.c
@@ -321,6 +321,20 @@ static inline bool advk_pcie_link_up(str
return ltssm_state >= LTSSM_L0 && ltssm_state < LTSSM_DISABLED;
}
+static inline bool advk_pcie_link_active(struct advk_pcie *pcie)
+{
+ /*
+ * According to PCIe Base specification 3.0, Table 4-14: Link
+ * Status Mapped to the LTSSM, and 4.2.6.3.6 Configuration.Idle
+ * is Link Up mapped to LTSSM Configuration.Idle, Recovery, L0,
+ * L0s, L1 and L2 states. And according to 3.2.1. Data Link
+ * Control and Management State Machine Rules is DL Up status
+ * reported in DL Active state.
+ */
+ u8 ltssm_state = advk_pcie_ltssm_state(pcie);
+ return ltssm_state >= LTSSM_CONFIG_IDLE && ltssm_state < LTSSM_DISABLED;
+}
+
static inline bool advk_pcie_link_training(struct advk_pcie *pcie)
{
/*
@@ -798,12 +812,26 @@ advk_pci_bridge_emul_pcie_conf_read(stru
return PCI_BRIDGE_EMUL_HANDLED;
}
+ case PCI_EXP_LNKCAP: {
+ u32 val = advk_readl(pcie, PCIE_CORE_PCIEXP_CAP + reg);
+ /*
+ * PCI_EXP_LNKCAP_DLLLARC bit is hardwired in aardvark HW to 0.
+ * But support for PCI_EXP_LNKSTA_DLLLA is emulated via ltssm
+ * state so explicitly enable PCI_EXP_LNKCAP_DLLLARC flag.
+ */
+ val |= PCI_EXP_LNKCAP_DLLLARC;
+ *value = val;
+ return PCI_BRIDGE_EMUL_HANDLED;
+ }
+
case PCI_EXP_LNKCTL: {
/* u32 contains both PCI_EXP_LNKCTL and PCI_EXP_LNKSTA */
u32 val = advk_readl(pcie, PCIE_CORE_PCIEXP_CAP + reg) &
~(PCI_EXP_LNKSTA_LT << 16);
if (advk_pcie_link_training(pcie))
val |= (PCI_EXP_LNKSTA_LT << 16);
+ if (advk_pcie_link_active(pcie))
+ val |= (PCI_EXP_LNKSTA_DLLLA << 16);
*value = val;
return PCI_BRIDGE_EMUL_HANDLED;
}
@@ -811,7 +839,6 @@ advk_pci_bridge_emul_pcie_conf_read(stru
case PCI_CAP_LIST_ID:
case PCI_EXP_DEVCAP:
case PCI_EXP_DEVCTL:
- case PCI_EXP_LNKCAP:
*value = advk_readl(pcie, PCIE_CORE_PCIEXP_CAP + reg);
return PCI_BRIDGE_EMUL_HANDLED;
default:
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 147/917] PCI: aardvark: Fix configuring Reference clock
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 146/917] PCI: aardvark: Fix reporting Data Link Layer Link Active Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 148/917] PCI: aardvark: Fix return value of MSI domain .alloc() method Greg Kroah-Hartman
` (772 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pali Rohár, Marek Behún,
Lorenzo Pieralisi
From: Pali Rohár <pali@kernel.org>
commit 46ef6090dbf590711cb12680b6eafde5fa21fe87 upstream.
Commit 366697018c9a ("PCI: aardvark: Add PHY support") introduced
configuration of PCIe Reference clock via PCIE_CORE_REF_CLK_REG register,
but did it incorrectly.
PCIe Reference clock differential pair is routed from system board to
endpoint card, so on CPU side it has output direction. Therefore it is
required to enable transmitting and disable receiving.
Default configuration according to Armada 3700 Functional Specifications is
enabled receiver part and disabled transmitter.
We need this change because otherwise PCIe Reference clock is configured to
some undefined state when differential pair is used for both transmitting
and receiving.
Fix this by disabling receiver part.
Link: https://lore.kernel.org/r/20211005180952.6812-6-kabel@kernel.org
Fixes: 366697018c9a ("PCI: aardvark: Add PHY support")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Reviewed-by: Marek Behún <kabel@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pci-aardvark.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/pci/controller/pci-aardvark.c
+++ b/drivers/pci/controller/pci-aardvark.c
@@ -99,6 +99,7 @@
#define PCIE_CORE_CTRL2_MSI_ENABLE BIT(10)
#define PCIE_CORE_REF_CLK_REG (CONTROL_BASE_ADDR + 0x14)
#define PCIE_CORE_REF_CLK_TX_ENABLE BIT(1)
+#define PCIE_CORE_REF_CLK_RX_ENABLE BIT(2)
#define PCIE_MSG_LOG_REG (CONTROL_BASE_ADDR + 0x30)
#define PCIE_ISR0_REG (CONTROL_BASE_ADDR + 0x40)
#define PCIE_MSG_PM_PME_MASK BIT(7)
@@ -529,9 +530,15 @@ static void advk_pcie_setup_hw(struct ad
u32 reg;
int i;
- /* Enable TX */
+ /*
+ * Configure PCIe Reference clock. Direction is from the PCIe
+ * controller to the endpoint card, so enable transmitting of
+ * Reference clock differential signal off-chip and disable
+ * receiving off-chip differential signal.
+ */
reg = advk_readl(pcie, PCIE_CORE_REF_CLK_REG);
reg |= PCIE_CORE_REF_CLK_TX_ENABLE;
+ reg &= ~PCIE_CORE_REF_CLK_RX_ENABLE;
advk_writel(pcie, reg, PCIE_CORE_REF_CLK_REG);
/* Set to Direct mode */
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 148/917] PCI: aardvark: Fix return value of MSI domain .alloc() method
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 147/917] PCI: aardvark: Fix configuring Reference clock Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 149/917] PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG Greg Kroah-Hartman
` (771 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pali Rohár, Marek Behún,
Lorenzo Pieralisi
From: Marek Behún <kabel@kernel.org>
commit e4313be1599d397625c14fb7826996813622decf upstream.
MSI domain callback .alloc() (implemented by advk_msi_irq_domain_alloc()
function) should return zero on success, since non-zero value indicates
failure.
When the driver was converted to generic MSI API in commit f21a8b1b6837
("PCI: aardvark: Move to MSI handling using generic MSI support"), it
was converted so that it returns hwirq number.
Fix this.
Link: https://lore.kernel.org/r/20211028185659.20329-3-kabel@kernel.org
Fixes: f21a8b1b6837 ("PCI: aardvark: Move to MSI handling using generic MSI support")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pci-aardvark.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pci/controller/pci-aardvark.c
+++ b/drivers/pci/controller/pci-aardvark.c
@@ -1180,7 +1180,7 @@ static int advk_msi_irq_domain_alloc(str
domain->host_data, handle_simple_irq,
NULL, NULL);
- return hwirq;
+ return 0;
}
static void advk_msi_irq_domain_free(struct irq_domain *domain,
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 149/917] PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 148/917] PCI: aardvark: Fix return value of MSI domain .alloc() method Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 150/917] PCI: aardvark: Fix support for bus mastering and PCI_COMMAND on emulated bridge Greg Kroah-Hartman
` (770 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pali Rohár, Marek Behún,
Lorenzo Pieralisi
From: Marek Behún <kabel@kernel.org>
commit 95997723b6402cd6c53e0f9e7ac640ec64eaaff8 upstream.
The PCIE_MSI_PAYLOAD_REG contains 16-bit MSI number, not only lower
8 bits. Fix reading content of this register and add a comment
describing the access to this register.
Link: https://lore.kernel.org/r/20211028185659.20329-4-kabel@kernel.org
Fixes: 8c39d710363c ("PCI: aardvark: Add Aardvark PCI host controller driver")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pci-aardvark.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/pci/controller/pci-aardvark.c
+++ b/drivers/pci/controller/pci-aardvark.c
@@ -119,6 +119,7 @@
#define PCIE_MSI_STATUS_REG (CONTROL_BASE_ADDR + 0x58)
#define PCIE_MSI_MASK_REG (CONTROL_BASE_ADDR + 0x5C)
#define PCIE_MSI_PAYLOAD_REG (CONTROL_BASE_ADDR + 0x9C)
+#define PCIE_MSI_DATA_MASK GENMASK(15, 0)
/* PCIe window configuration */
#define OB_WIN_BASE_ADDR 0x4c00
@@ -1361,8 +1362,12 @@ static void advk_pcie_handle_msi(struct
if (!(BIT(msi_idx) & msi_status))
continue;
+ /*
+ * msi_idx contains bits [4:0] of the msi_data and msi_data
+ * contains 16bit MSI interrupt number
+ */
advk_writel(pcie, BIT(msi_idx), PCIE_MSI_STATUS_REG);
- msi_data = advk_readl(pcie, PCIE_MSI_PAYLOAD_REG) & 0xFF;
+ msi_data = advk_readl(pcie, PCIE_MSI_PAYLOAD_REG) & PCIE_MSI_DATA_MASK;
generic_handle_irq(msi_data);
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 150/917] PCI: aardvark: Fix support for bus mastering and PCI_COMMAND on emulated bridge
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 149/917] PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 151/917] PCI: aardvark: Fix support for PCI_BRIDGE_CTL_BUS_RESET " Greg Kroah-Hartman
` (769 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pali Rohár, Marek Behún,
Lorenzo Pieralisi
From: Pali Rohár <pali@kernel.org>
commit 771153fc884f566a89af2d30033b7f3bc6e24e84 upstream.
>From very vague, ambiguous and incomplete information from Marvell we
deduced that the 32-bit Aardvark register at address 0x4
(PCIE_CORE_CMD_STATUS_REG), which is not documented for Root Complex mode
in the Functional Specification (only for Endpoint mode), controls two
16-bit PCIe registers: Command Register and Status Registers of PCIe Root
Port.
This means that bit 2 controls bus mastering and forwarding of memory and
I/O requests in the upstream direction. According to PCI specifications
bits [0:2] of Command Register, this should be by default disabled on
reset. So explicitly disable these bits at early setup of the Aardvark
driver.
Remove code which unconditionally enables all 3 bits and let kernel code
(via pci_set_master() function) to handle bus mastering of Root PCIe
Bridge via emulated PCI_COMMAND on emulated bridge.
Link: https://lore.kernel.org/r/20211028185659.20329-5-kabel@kernel.org
Fixes: 8a3ebd8de328 ("PCI: aardvark: Implement emulated root PCI bridge config space")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: stable@vger.kernel.org # b2a56469d550 ("PCI: aardvark: Add FIXME comment for PCIE_CORE_CMD_STATUS_REG access")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pci-aardvark.c | 54 +++++++++++++++++++++++-----------
1 file changed, 38 insertions(+), 16 deletions(-)
--- a/drivers/pci/controller/pci-aardvark.c
+++ b/drivers/pci/controller/pci-aardvark.c
@@ -31,9 +31,6 @@
/* PCIe core registers */
#define PCIE_CORE_DEV_ID_REG 0x0
#define PCIE_CORE_CMD_STATUS_REG 0x4
-#define PCIE_CORE_CMD_IO_ACCESS_EN BIT(0)
-#define PCIE_CORE_CMD_MEM_ACCESS_EN BIT(1)
-#define PCIE_CORE_CMD_MEM_IO_REQ_EN BIT(2)
#define PCIE_CORE_DEV_REV_REG 0x8
#define PCIE_CORE_PCIEXP_CAP 0xc0
#define PCIE_CORE_ERR_CAPCTL_REG 0x118
@@ -563,6 +560,11 @@ static void advk_pcie_setup_hw(struct ad
reg = (PCI_VENDOR_ID_MARVELL << 16) | PCI_VENDOR_ID_MARVELL;
advk_writel(pcie, reg, VENDOR_ID_REG);
+ /* Disable Root Bridge I/O space, memory space and bus mastering */
+ reg = advk_readl(pcie, PCIE_CORE_CMD_STATUS_REG);
+ reg &= ~(PCI_COMMAND_IO | PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER);
+ advk_writel(pcie, reg, PCIE_CORE_CMD_STATUS_REG);
+
/* Set Advanced Error Capabilities and Control PF0 register */
reg = PCIE_CORE_ERR_CAPCTL_ECRC_CHK_TX |
PCIE_CORE_ERR_CAPCTL_ECRC_CHK_TX_EN |
@@ -660,19 +662,6 @@ static void advk_pcie_setup_hw(struct ad
advk_pcie_disable_ob_win(pcie, i);
advk_pcie_train_link(pcie);
-
- /*
- * FIXME: The following register update is suspicious. This register is
- * applicable only when the PCI controller is configured for Endpoint
- * mode, not as a Root Complex. But apparently when this code is
- * removed, some cards stop working. This should be investigated and
- * a comment explaining this should be put here.
- */
- reg = advk_readl(pcie, PCIE_CORE_CMD_STATUS_REG);
- reg |= PCIE_CORE_CMD_MEM_ACCESS_EN |
- PCIE_CORE_CMD_IO_ACCESS_EN |
- PCIE_CORE_CMD_MEM_IO_REQ_EN;
- advk_writel(pcie, reg, PCIE_CORE_CMD_STATUS_REG);
}
static int advk_pcie_check_pio_status(struct advk_pcie *pcie, bool allow_crs, u32 *val)
@@ -793,6 +782,37 @@ static int advk_pcie_wait_pio(struct adv
return -ETIMEDOUT;
}
+static pci_bridge_emul_read_status_t
+advk_pci_bridge_emul_base_conf_read(struct pci_bridge_emul *bridge,
+ int reg, u32 *value)
+{
+ struct advk_pcie *pcie = bridge->data;
+
+ switch (reg) {
+ case PCI_COMMAND:
+ *value = advk_readl(pcie, PCIE_CORE_CMD_STATUS_REG);
+ return PCI_BRIDGE_EMUL_HANDLED;
+
+ default:
+ return PCI_BRIDGE_EMUL_NOT_HANDLED;
+ }
+}
+
+static void
+advk_pci_bridge_emul_base_conf_write(struct pci_bridge_emul *bridge,
+ int reg, u32 old, u32 new, u32 mask)
+{
+ struct advk_pcie *pcie = bridge->data;
+
+ switch (reg) {
+ case PCI_COMMAND:
+ advk_writel(pcie, new, PCIE_CORE_CMD_STATUS_REG);
+ break;
+
+ default:
+ break;
+ }
+}
static pci_bridge_emul_read_status_t
advk_pci_bridge_emul_pcie_conf_read(struct pci_bridge_emul *bridge,
@@ -893,6 +913,8 @@ advk_pci_bridge_emul_pcie_conf_write(str
}
static struct pci_bridge_emul_ops advk_pci_bridge_emul_ops = {
+ .read_base = advk_pci_bridge_emul_base_conf_read,
+ .write_base = advk_pci_bridge_emul_base_conf_write,
.read_pcie = advk_pci_bridge_emul_pcie_conf_read,
.write_pcie = advk_pci_bridge_emul_pcie_conf_write,
};
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 151/917] PCI: aardvark: Fix support for PCI_BRIDGE_CTL_BUS_RESET on emulated bridge
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 150/917] PCI: aardvark: Fix support for bus mastering and PCI_COMMAND on emulated bridge Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 152/917] PCI: aardvark: Set PCI Bridge Class Code to PCI Bridge Greg Kroah-Hartman
` (768 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pali Rohár, Marek Behún,
Lorenzo Pieralisi
From: Pali Rohár <pali@kernel.org>
commit bc4fac42e5f8460af09c0a7f2f1915be09e20c71 upstream.
Aardvark supports PCIe Hot Reset via PCIE_CORE_CTRL1_REG.
Use it for implementing PCI_BRIDGE_CTL_BUS_RESET bit of PCI_BRIDGE_CONTROL
register on emulated bridge.
With this, the function pci_reset_secondary_bus() starts working and can
reset connected PCIe card. Custom userspace script [1] which uses setpci
can trigger PCIe Hot Reset and reset the card manually.
[1] https://alexforencich.com/wiki/en/pcie/hot-reset-linux
Link: https://lore.kernel.org/r/20211028185659.20329-7-kabel@kernel.org
Fixes: 8a3ebd8de328 ("PCI: aardvark: Implement emulated root PCI bridge config space")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pci-aardvark.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
--- a/drivers/pci/controller/pci-aardvark.c
+++ b/drivers/pci/controller/pci-aardvark.c
@@ -793,6 +793,22 @@ advk_pci_bridge_emul_base_conf_read(stru
*value = advk_readl(pcie, PCIE_CORE_CMD_STATUS_REG);
return PCI_BRIDGE_EMUL_HANDLED;
+ case PCI_INTERRUPT_LINE: {
+ /*
+ * From the whole 32bit register we support reading from HW only
+ * one bit: PCI_BRIDGE_CTL_BUS_RESET.
+ * Other bits are retrieved only from emulated config buffer.
+ */
+ __le32 *cfgspace = (__le32 *)&bridge->conf;
+ u32 val = le32_to_cpu(cfgspace[PCI_INTERRUPT_LINE / 4]);
+ if (advk_readl(pcie, PCIE_CORE_CTRL1_REG) & HOT_RESET_GEN)
+ val |= PCI_BRIDGE_CTL_BUS_RESET << 16;
+ else
+ val &= ~(PCI_BRIDGE_CTL_BUS_RESET << 16);
+ *value = val;
+ return PCI_BRIDGE_EMUL_HANDLED;
+ }
+
default:
return PCI_BRIDGE_EMUL_NOT_HANDLED;
}
@@ -809,6 +825,17 @@ advk_pci_bridge_emul_base_conf_write(str
advk_writel(pcie, new, PCIE_CORE_CMD_STATUS_REG);
break;
+ case PCI_INTERRUPT_LINE:
+ if (mask & (PCI_BRIDGE_CTL_BUS_RESET << 16)) {
+ u32 val = advk_readl(pcie, PCIE_CORE_CTRL1_REG);
+ if (new & (PCI_BRIDGE_CTL_BUS_RESET << 16))
+ val |= HOT_RESET_GEN;
+ else
+ val &= ~HOT_RESET_GEN;
+ advk_writel(pcie, val, PCIE_CORE_CTRL1_REG);
+ }
+ break;
+
default:
break;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 152/917] PCI: aardvark: Set PCI Bridge Class Code to PCI Bridge
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 151/917] PCI: aardvark: Fix support for PCI_BRIDGE_CTL_BUS_RESET " Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 153/917] PCI: aardvark: Fix support for PCI_ROM_ADDRESS1 on emulated bridge Greg Kroah-Hartman
` (767 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pali Rohár, Marek Behún,
Lorenzo Pieralisi
From: Pali Rohár <pali@kernel.org>
commit 84e1b4045dc887b78bdc87d92927093dc3a465aa upstream.
Aardvark controller has something like config space of a Root Port
available at offset 0x0 of internal registers - these registers are used
for implementation of the emulated bridge.
The default value of Class Code of this bridge corresponds to a RAID Mass
storage controller, though. (This is probably intended for when the
controller is used as Endpoint.)
Change the Class Code to correspond to a PCI Bridge.
Add comment explaining this change.
Link: https://lore.kernel.org/r/20211028185659.20329-6-kabel@kernel.org
Fixes: 8a3ebd8de328 ("PCI: aardvark: Implement emulated root PCI bridge config space")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pci-aardvark.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
--- a/drivers/pci/controller/pci-aardvark.c
+++ b/drivers/pci/controller/pci-aardvark.c
@@ -560,6 +560,26 @@ static void advk_pcie_setup_hw(struct ad
reg = (PCI_VENDOR_ID_MARVELL << 16) | PCI_VENDOR_ID_MARVELL;
advk_writel(pcie, reg, VENDOR_ID_REG);
+ /*
+ * Change Class Code of PCI Bridge device to PCI Bridge (0x600400),
+ * because the default value is Mass storage controller (0x010400).
+ *
+ * Note that this Aardvark PCI Bridge does not have compliant Type 1
+ * Configuration Space and it even cannot be accessed via Aardvark's
+ * PCI config space access method. Something like config space is
+ * available in internal Aardvark registers starting at offset 0x0
+ * and is reported as Type 0. In range 0x10 - 0x34 it has totally
+ * different registers.
+ *
+ * Therefore driver uses emulation of PCI Bridge which emulates
+ * access to configuration space via internal Aardvark registers or
+ * emulated configuration buffer.
+ */
+ reg = advk_readl(pcie, PCIE_CORE_DEV_REV_REG);
+ reg &= ~0xffffff00;
+ reg |= (PCI_CLASS_BRIDGE_PCI << 8) << 8;
+ advk_writel(pcie, reg, PCIE_CORE_DEV_REV_REG);
+
/* Disable Root Bridge I/O space, memory space and bus mastering */
reg = advk_readl(pcie, PCIE_CORE_CMD_STATUS_REG);
reg &= ~(PCI_COMMAND_IO | PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 153/917] PCI: aardvark: Fix support for PCI_ROM_ADDRESS1 on emulated bridge
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 152/917] PCI: aardvark: Set PCI Bridge Class Code to PCI Bridge Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 154/917] quota: check block number when reading the block in quota file Greg Kroah-Hartman
` (766 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pali Rohár, Marek Behún,
Lorenzo Pieralisi
From: Pali Rohár <pali@kernel.org>
commit 239edf686c14a9ff926dec2f350289ed7adfefe2 upstream.
This register is exported at address offset 0x30.
Link: https://lore.kernel.org/r/20211028185659.20329-8-kabel@kernel.org
Fixes: 8a3ebd8de328 ("PCI: aardvark: Implement emulated root PCI bridge config space")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pci-aardvark.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/pci/controller/pci-aardvark.c
+++ b/drivers/pci/controller/pci-aardvark.c
@@ -32,6 +32,7 @@
#define PCIE_CORE_DEV_ID_REG 0x0
#define PCIE_CORE_CMD_STATUS_REG 0x4
#define PCIE_CORE_DEV_REV_REG 0x8
+#define PCIE_CORE_EXP_ROM_BAR_REG 0x30
#define PCIE_CORE_PCIEXP_CAP 0xc0
#define PCIE_CORE_ERR_CAPCTL_REG 0x118
#define PCIE_CORE_ERR_CAPCTL_ECRC_CHK_TX BIT(5)
@@ -813,6 +814,10 @@ advk_pci_bridge_emul_base_conf_read(stru
*value = advk_readl(pcie, PCIE_CORE_CMD_STATUS_REG);
return PCI_BRIDGE_EMUL_HANDLED;
+ case PCI_ROM_ADDRESS1:
+ *value = advk_readl(pcie, PCIE_CORE_EXP_ROM_BAR_REG);
+ return PCI_BRIDGE_EMUL_HANDLED;
+
case PCI_INTERRUPT_LINE: {
/*
* From the whole 32bit register we support reading from HW only
@@ -845,6 +850,10 @@ advk_pci_bridge_emul_base_conf_write(str
advk_writel(pcie, new, PCIE_CORE_CMD_STATUS_REG);
break;
+ case PCI_ROM_ADDRESS1:
+ advk_writel(pcie, new, PCIE_CORE_EXP_ROM_BAR_REG);
+ break;
+
case PCI_INTERRUPT_LINE:
if (mask & (PCI_BRIDGE_CTL_BUS_RESET << 16)) {
u32 val = advk_readl(pcie, PCIE_CORE_CTRL1_REG);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 154/917] quota: check block number when reading the block in quota file
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 153/917] PCI: aardvark: Fix support for PCI_ROM_ADDRESS1 on emulated bridge Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 155/917] quota: correct error number in free_dqentry() Greg Kroah-Hartman
` (765 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhang Yi, stable, Jan Kara
From: Zhang Yi <yi.zhang@huawei.com>
commit 9bf3d20331295b1ecb81f4ed9ef358c51699a050 upstream.
The block number in the quota tree on disk should be smaller than the
v2_disk_dqinfo.dqi_blocks. If the quota file was corrupted, we may be
allocating an 'allocated' block and that would lead to a loop in a tree,
which will probably trigger oops later. This patch adds a check for the
block number in the quota tree to prevent such potential issue.
Link: https://lore.kernel.org/r/20211008093821.1001186-2-yi.zhang@huawei.com
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Cc: stable@kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/quota/quota_tree.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/fs/quota/quota_tree.c
+++ b/fs/quota/quota_tree.c
@@ -479,6 +479,13 @@ static int remove_tree(struct qtree_mem_
goto out_buf;
}
newblk = le32_to_cpu(ref[get_index(info, dquot->dq_id, depth)]);
+ if (newblk < QT_TREEOFF || newblk >= info->dqi_blocks) {
+ quota_error(dquot->dq_sb, "Getting block too big (%u >= %u)",
+ newblk, info->dqi_blocks);
+ ret = -EUCLEAN;
+ goto out_buf;
+ }
+
if (depth == info->dqi_qtree_depth - 1) {
ret = free_dqentry(info, dquot, newblk);
newblk = 0;
@@ -578,6 +585,13 @@ static loff_t find_tree_dqentry(struct q
blk = le32_to_cpu(ref[get_index(info, dquot->dq_id, depth)]);
if (!blk) /* No reference? */
goto out_buf;
+ if (blk < QT_TREEOFF || blk >= info->dqi_blocks) {
+ quota_error(dquot->dq_sb, "Getting block too big (%u >= %u)",
+ blk, info->dqi_blocks);
+ ret = -EUCLEAN;
+ goto out_buf;
+ }
+
if (depth < info->dqi_qtree_depth - 1)
ret = find_tree_dqentry(info, dquot, blk, depth+1);
else
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 155/917] quota: correct error number in free_dqentry()
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 154/917] quota: check block number when reading the block in quota file Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 156/917] cifs: To match file servers, make sure the server hostname matches Greg Kroah-Hartman
` (764 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhang Yi, stable, Jan Kara
From: Zhang Yi <yi.zhang@huawei.com>
commit d0e36a62bd4c60c09acc40e06ba4831a4d0bc75b upstream.
Fix the error path in free_dqentry(), pass out the error number if the
block to free is not correct.
Fixes: 1ccd14b9c271 ("quota: Split off quota tree handling into a separate file")
Link: https://lore.kernel.org/r/20211008093821.1001186-3-yi.zhang@huawei.com
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Cc: stable@kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/quota/quota_tree.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/quota/quota_tree.c
+++ b/fs/quota/quota_tree.c
@@ -414,6 +414,7 @@ static int free_dqentry(struct qtree_mem
quota_error(dquot->dq_sb, "Quota structure has offset to "
"other block (%u) than it should (%u)", blk,
(uint)(dquot->dq_off >> info->dqi_blocksize_bits));
+ ret = -EIO;
goto out_buf;
}
ret = read_blk(info, blk, buf);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 156/917] cifs: To match file servers, make sure the server hostname matches
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 155/917] quota: correct error number in free_dqentry() Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 157/917] cifs: set a minimum of 120s for next dns resolution Greg Kroah-Hartman
` (763 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Shyam Prasad N, Steve French
From: Shyam Prasad N <sprasad@microsoft.com>
commit 7be3248f313930ff3d3436d4e9ddbe9fccc1f541 upstream.
We generally rely on a bunch of factors to differentiate between servers.
For example, IP address, port etc.
For certain server types (like Azure), it is important to make sure
that the server hostname matches too, even if the both hostnames currently
resolve to the same IP address.
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/connect.c | 19 +++++++++++--------
fs/cifs/fs_context.c | 8 ++++++++
fs/cifs/fs_context.h | 1 +
3 files changed, 20 insertions(+), 8 deletions(-)
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -794,7 +794,6 @@ static void clean_demultiplex_info(struc
*/
}
- kfree(server->hostname);
kfree(server);
length = atomic_dec_return(&tcpSesAllocCount);
@@ -1235,6 +1234,9 @@ static int match_server(struct TCP_Serve
if (!net_eq(cifs_net_ns(server), current->nsproxy->net_ns))
return 0;
+ if (strcasecmp(server->hostname, ctx->server_hostname))
+ return 0;
+
if (!match_address(server, addr,
(struct sockaddr *)&ctx->srcaddr))
return 0;
@@ -1336,6 +1338,7 @@ cifs_put_tcp_session(struct TCP_Server_I
kfree(server->session_key.response);
server->session_key.response = NULL;
server->session_key.len = 0;
+ kfree(server->hostname);
task = xchg(&server->tsk, NULL);
if (task)
@@ -1361,14 +1364,15 @@ cifs_get_tcp_session(struct smb3_fs_cont
goto out_err;
}
+ tcp_ses->hostname = kstrdup(ctx->server_hostname, GFP_KERNEL);
+ if (!tcp_ses->hostname) {
+ rc = -ENOMEM;
+ goto out_err;
+ }
+
tcp_ses->ops = ctx->ops;
tcp_ses->vals = ctx->vals;
cifs_set_net_ns(tcp_ses, get_net(current->nsproxy->net_ns));
- tcp_ses->hostname = extract_hostname(ctx->UNC);
- if (IS_ERR(tcp_ses->hostname)) {
- rc = PTR_ERR(tcp_ses->hostname);
- goto out_err_crypto_release;
- }
tcp_ses->conn_id = atomic_inc_return(&tcpSesNextId);
tcp_ses->noblockcnt = ctx->rootfs;
@@ -1497,8 +1501,7 @@ out_err_crypto_release:
out_err:
if (tcp_ses) {
- if (!IS_ERR(tcp_ses->hostname))
- kfree(tcp_ses->hostname);
+ kfree(tcp_ses->hostname);
if (tcp_ses->ssocket)
sock_release(tcp_ses->ssocket);
kfree(tcp_ses);
--- a/fs/cifs/fs_context.c
+++ b/fs/cifs/fs_context.c
@@ -318,6 +318,7 @@ smb3_fs_context_dup(struct smb3_fs_conte
DUP_CTX_STR(mount_options);
DUP_CTX_STR(username);
DUP_CTX_STR(password);
+ DUP_CTX_STR(server_hostname);
DUP_CTX_STR(UNC);
DUP_CTX_STR(source);
DUP_CTX_STR(domainname);
@@ -456,6 +457,11 @@ smb3_parse_devname(const char *devname,
if (!pos)
return -EINVAL;
+ /* record the server hostname */
+ ctx->server_hostname = kstrndup(devname + 2, pos - devname - 2, GFP_KERNEL);
+ if (!ctx->server_hostname)
+ return -ENOMEM;
+
/* skip past delimiter */
++pos;
@@ -1496,6 +1502,8 @@ smb3_cleanup_fs_context_contents(struct
ctx->username = NULL;
kfree_sensitive(ctx->password);
ctx->password = NULL;
+ kfree(ctx->server_hostname);
+ ctx->server_hostname = NULL;
kfree(ctx->UNC);
ctx->UNC = NULL;
kfree(ctx->source);
--- a/fs/cifs/fs_context.h
+++ b/fs/cifs/fs_context.h
@@ -166,6 +166,7 @@ struct smb3_fs_context {
char *password;
char *domainname;
char *source;
+ char *server_hostname;
char *UNC;
char *nodename;
char *iocharset; /* local code page for mapping to and from Unicode */
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 157/917] cifs: set a minimum of 120s for next dns resolution
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 156/917] cifs: To match file servers, make sure the server hostname matches Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 158/917] mfd: simple-mfd-i2c: Select MFD_CORE to fix build error Greg Kroah-Hartman
` (762 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Paulo Alcantara (SUSE),
Shyam Prasad N, Steve French
From: Paulo Alcantara <pc@cjr.nz>
commit 4ac0536f8874a903a72bddc57eb88db774261e3a upstream.
With commit 506c1da44fee ("cifs: use the expiry output of dns_query to
schedule next resolution") and after triggering the first reconnect,
the next async dns resolution of tcp server's hostname would be
scheduled based on dns_resolver's key expiry default, which happens to
default to 5s on most systems that use key.dns_resolver for upcall.
As per key.dns_resolver.conf(5):
default_ttl=<number>
The number of seconds to set as the expiration on a cached
record. This will be overridden if the program manages to re-
trieve TTL information along with the addresses (if, for exam-
ple, it accesses the DNS directly). The default is 5 seconds.
The value must be in the range 1 to INT_MAX.
Make the next async dns resolution no shorter than 120s as we do not
want to be upcalling too often.
Cc: stable@vger.kernel.org
Fixes: 506c1da44fee ("cifs: use the expiry output of dns_query to schedule next resolution")
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifsglob.h | 3 ++-
fs/cifs/connect.c | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -74,7 +74,8 @@
#define SMB_ECHO_INTERVAL_MAX 600
#define SMB_ECHO_INTERVAL_DEFAULT 60
-/* dns resolution interval in seconds */
+/* dns resolution intervals in seconds */
+#define SMB_DNS_RESOLVE_INTERVAL_MIN 120
#define SMB_DNS_RESOLVE_INTERVAL_DEFAULT 600
/* maximum number of PDUs in one compound */
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -115,7 +115,7 @@ static int reconn_set_ipaddr_from_hostna
* To make sure we don't use the cached entry, retry 1s
* after expiry.
*/
- ttl = (expiry - now + 1);
+ ttl = max_t(unsigned long, expiry - now, SMB_DNS_RESOLVE_INTERVAL_MIN) + 1;
}
rc = !rc ? -1 : 0;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 158/917] mfd: simple-mfd-i2c: Select MFD_CORE to fix build error
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 157/917] cifs: set a minimum of 120s for next dns resolution Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 159/917] pinctrl: core: fix possible memory leak in pinctrl_enable() Greg Kroah-Hartman
` (761 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Robert Marko, Lee Jones
From: Robert Marko <robert.marko@sartura.hr>
commit 5dc6dafe62099ade0e7232ce9db4013b7673d860 upstream.
MFD_SIMPLE_MFD_I2C should select the MFD_CORE to a prevent build error:
aarch64-linux-ld: drivers/mfd/simple-mfd-i2c.o: in function `simple_mfd_i2c_probe':
drivers/mfd/simple-mfd-i2c.c:55: undefined reference to `devm_mfd_add_devices'
Cc: <stable@vger.kernel.org>
Fixes: c753ea31781aa ("mfd: simple-mfd-i2c: Add support for registering devices via MFD cells")
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Link: https://lore.kernel.org/r/20211102100420.112215-1-robert.marko@sartura.hr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mfd/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/mfd/Kconfig
+++ b/drivers/mfd/Kconfig
@@ -1194,6 +1194,7 @@ config MFD_SI476X_CORE
config MFD_SIMPLE_MFD_I2C
tristate
depends on I2C
+ select MFD_CORE
select REGMAP_I2C
help
This driver creates a single register map with the intention for it
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 159/917] pinctrl: core: fix possible memory leak in pinctrl_enable()
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 158/917] mfd: simple-mfd-i2c: Select MFD_CORE to fix build error Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 160/917] coresight: cti: Correct the parameter for pm_runtime_put Greg Kroah-Hartman
` (760 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hulk Robot, Yang Yingliang, Linus Walleij
From: Yang Yingliang <yangyingliang@huawei.com>
commit c7892ae13e461ed20154321eb792e07ebe38f5b3 upstream.
I got memory leak as follows when doing fault injection test:
unreferenced object 0xffff888020a7a680 (size 64):
comm "i2c-mcp23018-41", pid 23090, jiffies 4295160544 (age 8.680s)
hex dump (first 32 bytes):
00 48 d3 1e 80 88 ff ff 00 1a 56 c1 ff ff ff ff .H........V.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000083c79b35>] kmem_cache_alloc_trace+0x16d/0x360
[<0000000051803c95>] pinctrl_init_controller+0x6ed/0xb70
[<0000000064346707>] pinctrl_register+0x27/0x80
[<0000000029b0e186>] devm_pinctrl_register+0x5b/0xe0
[<00000000391f5a3e>] mcp23s08_probe_one+0x968/0x118a [pinctrl_mcp23s08]
[<000000006112c039>] mcp230xx_probe+0x266/0x560 [pinctrl_mcp23s08_i2c]
If pinctrl_claim_hogs() fails, the 'pindesc' allocated in pinctrl_register_one_pin()
need be freed.
Cc: stable@vger.kernel.org
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 950b0d91dc10 ("pinctrl: core: Fix regression caused by delayed work for hogs")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20211022014323.1156924-1-yangyingliang@huawei.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/core.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/pinctrl/core.c
+++ b/drivers/pinctrl/core.c
@@ -2100,6 +2100,8 @@ int pinctrl_enable(struct pinctrl_dev *p
if (error) {
dev_err(pctldev->dev, "could not claim hogs: %i\n",
error);
+ pinctrl_free_pindescs(pctldev, pctldev->desc->pins,
+ pctldev->desc->npins);
mutex_destroy(&pctldev->mutex);
kfree(pctldev);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 160/917] coresight: cti: Correct the parameter for pm_runtime_put
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 159/917] pinctrl: core: fix possible memory leak in pinctrl_enable() Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 161/917] coresight: trbe: Fix incorrect access of the sink specific data Greg Kroah-Hartman
` (759 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tao Zhang, Leo Yan, Mathieu Poirier
From: Tao Zhang <quic_taozha@quicinc.com>
commit 692c9a499b286ea478f41b23a91fe3873b9e1326 upstream.
The input parameter of the function pm_runtime_put should be the
same in the function cti_enable_hw and cti_disable_hw. The correct
parameter to use here should be dev->parent.
Signed-off-by: Tao Zhang <quic_taozha@quicinc.com>
Reviewed-by: Leo Yan <leo.yan@linaro.org>
Fixes: 835d722ba10a ("coresight: cti: Initial CoreSight CTI Driver")
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1629365377-5937-1-git-send-email-quic_taozha@quicinc.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/coresight/coresight-cti-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hwtracing/coresight/coresight-cti-core.c
+++ b/drivers/hwtracing/coresight/coresight-cti-core.c
@@ -175,7 +175,7 @@ static int cti_disable_hw(struct cti_drv
coresight_disclaim_device_unlocked(csdev);
CS_LOCK(drvdata->base);
spin_unlock(&drvdata->spinlock);
- pm_runtime_put(dev);
+ pm_runtime_put(dev->parent);
return 0;
/* not disabled this call */
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 161/917] coresight: trbe: Fix incorrect access of the sink specific data
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 160/917] coresight: cti: Correct the parameter for pm_runtime_put Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 162/917] coresight: trbe: Defer the probe on offline CPUs Greg Kroah-Hartman
` (758 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Suzuki K Poulose, Anshuman Khandual,
Mathieu Poirier
From: Suzuki K Poulose <suzuki.poulose@arm.com>
commit bb5293e334af51b19b62d8bef1852ea13e935e9b upstream.
The TRBE driver wrongly treats the aux private data as the TRBE driver
specific buffer for a given perf handle, while it is the ETM PMU's
event specific data. Fix this by correcting the instance to use
appropriate helper.
Cc: stable <stable@vger.kernel.org>
Fixes: 3fbf7f011f24 ("coresight: sink: Add TRBE driver")
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Link: https://lore.kernel.org/r/20210921134121.2423546-2-suzuki.poulose@arm.com
[Fixed 13 character SHA down to 12]
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/coresight/coresight-trbe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hwtracing/coresight/coresight-trbe.c
+++ b/drivers/hwtracing/coresight/coresight-trbe.c
@@ -366,7 +366,7 @@ static unsigned long __trbe_normal_offse
static unsigned long trbe_normal_offset(struct perf_output_handle *handle)
{
- struct trbe_buf *buf = perf_get_aux(handle);
+ struct trbe_buf *buf = etm_perf_sink_config(handle);
u64 limit = __trbe_normal_offset(handle);
u64 head = PERF_IDX2OFF(handle->head, buf);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 162/917] coresight: trbe: Defer the probe on offline CPUs
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 161/917] coresight: trbe: Fix incorrect access of the sink specific data Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 163/917] iio: buffer: check return value of kstrdup_const() Greg Kroah-Hartman
` (757 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Bransilav Rankov, Anshuman Khandual,
Mathieu Poirier, Mike Leach, Leo Yan, Suzuki K Poulose
From: Suzuki K Poulose <suzuki.poulose@arm.com>
commit a08025b3fe56185290a1ea476581f03ca733f967 upstream.
If a CPU is offline during the driver init, we could end up causing
a kernel crash trying to register the coresight device for the TRBE
instance. The trbe_cpudata for the TRBE instance is initialized only
when it is probed. Otherwise, we could end up dereferencing a NULL
cpudata->drvdata.
e.g:
[ 0.149999] coresight ete0: CPU0: ete v1.1 initialized
[ 0.149999] coresight-etm4x ete_1: ETM arch init failed
[ 0.149999] coresight-etm4x: probe of ete_1 failed with error -22
[ 0.150085] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
[ 0.150085] Mem abort info:
[ 0.150085] ESR = 0x96000005
[ 0.150085] EC = 0x25: DABT (current EL), IL = 32 bits
[ 0.150085] SET = 0, FnV = 0
[ 0.150085] EA = 0, S1PTW = 0
[ 0.150085] Data abort info:
[ 0.150085] ISV = 0, ISS = 0x00000005
[ 0.150085] CM = 0, WnR = 0
[ 0.150085] [0000000000000050] user address but active_mm is swapper
[ 0.150085] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[ 0.150085] Modules linked in:
[ 0.150085] Hardware name: FVP Base RevC (DT)
[ 0.150085] pstate: 00800009 (nzcv daif -PAN +UAO -TCO BTYPE=--)
[ 0.150155] pc : arm_trbe_register_coresight_cpu+0x74/0x144
[ 0.150155] lr : arm_trbe_register_coresight_cpu+0x48/0x144
...
[ 0.150237] Call trace:
[ 0.150237] arm_trbe_register_coresight_cpu+0x74/0x144
[ 0.150237] arm_trbe_device_probe+0x1c0/0x2d8
[ 0.150259] platform_drv_probe+0x94/0xbc
[ 0.150259] really_probe+0x1bc/0x4a8
[ 0.150266] driver_probe_device+0x7c/0xb8
[ 0.150266] device_driver_attach+0x6c/0xac
[ 0.150266] __driver_attach+0xc4/0x148
[ 0.150266] bus_for_each_dev+0x7c/0xc8
[ 0.150266] driver_attach+0x24/0x30
[ 0.150266] bus_add_driver+0x100/0x1e0
[ 0.150266] driver_register+0x78/0x110
[ 0.150266] __platform_driver_register+0x44/0x50
[ 0.150266] arm_trbe_init+0x28/0x84
[ 0.150266] do_one_initcall+0x94/0x2bc
[ 0.150266] do_initcall_level+0xa4/0x158
[ 0.150266] do_initcalls+0x54/0x94
[ 0.150319] do_basic_setup+0x24/0x30
[ 0.150319] kernel_init_freeable+0xe8/0x14c
[ 0.150319] kernel_init+0x14/0x18c
[ 0.150319] ret_from_fork+0x10/0x30
[ 0.150319] Code: f94012c8 b0004ce2 9134a442 52819801 (f9402917)
[ 0.150319] ---[ end trace d23e0cfe5098535e ]---
[ 0.150346] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
Fix this by skipping the step, if we are unable to probe the CPU.
Fixes: 3fbf7f011f24 ("coresight: sink: Add TRBE driver")
Reported-by: Bransilav Rankov <branislav.rankov@arm.com>
Cc: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: Mike Leach <mike.leach@linaro.org>
Cc: Leo Yan <leo.yan@linaro.org>
Cc: stable <stable@vger.kernel.org>
Tested-by: Branislav Rankov <branislav.rankov@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Link: https://lore.kernel.org/r/20211014142238.2221248-1-suzuki.poulose@arm.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/coresight/coresight-trbe.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/hwtracing/coresight/coresight-trbe.c
+++ b/drivers/hwtracing/coresight/coresight-trbe.c
@@ -869,6 +869,10 @@ static void arm_trbe_register_coresight_
if (WARN_ON(trbe_csdev))
return;
+ /* If the TRBE was not probed on the CPU, we shouldn't be here */
+ if (WARN_ON(!cpudata->drvdata))
+ return;
+
dev = &cpudata->drvdata->pdev->dev;
desc.name = devm_kasprintf(dev, GFP_KERNEL, "trbe%d", cpu);
if (!desc.name)
@@ -950,7 +954,9 @@ static int arm_trbe_probe_coresight(stru
return -ENOMEM;
for_each_cpu(cpu, &drvdata->supported_cpus) {
- smp_call_function_single(cpu, arm_trbe_probe_cpu, drvdata, 1);
+ /* If we fail to probe the CPU, let us defer it to hotplug callbacks */
+ if (smp_call_function_single(cpu, arm_trbe_probe_cpu, drvdata, 1))
+ continue;
if (cpumask_test_cpu(cpu, &drvdata->supported_cpus))
arm_trbe_register_coresight_cpu(drvdata, cpu);
if (cpumask_test_cpu(cpu, &drvdata->supported_cpus))
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 163/917] iio: buffer: check return value of kstrdup_const()
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 162/917] coresight: trbe: Defer the probe on offline CPUs Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 164/917] iio: buffer: Fix memory leak in iio_buffers_alloc_sysfs_and_mask() Greg Kroah-Hartman
` (756 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hulk Robot, Yang Yingliang, Stable,
Jonathan Cameron
From: Yang Yingliang <yangyingliang@huawei.com>
commit 2c0ad3f0cc04dec489552a21b80cd6d708bea96d upstream.
Check return value of kstrdup_const() in iio_buffer_wrap_attr(),
or it will cause null-ptr-deref in kernfs_name_hash() when calling
device_add() as follows:
BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:strlen+0x0/0x20
Call Trace:
kernfs_name_hash+0x22/0x110
kernfs_find_ns+0x11d/0x390
kernfs_remove_by_name_ns+0x3b/0xb0
remove_files.isra.1+0x7b/0x190
internal_create_group+0x7f1/0xbb0
internal_create_groups+0xa3/0x150
device_add+0x8f0/0x2020
cdev_device_add+0xc3/0x160
__iio_device_register+0x1427/0x1b40 [industrialio]
__devm_iio_device_register+0x22/0x80 [industrialio]
adjd_s311_probe+0x195/0x200 [adjd_s311]
i2c_device_probe+0xa07/0xbb0
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20211013040438.1689277-1-yangyingliang@huawei.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-buffer.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -1312,6 +1312,11 @@ static struct attribute *iio_buffer_wrap
iio_attr->buffer = buffer;
memcpy(&iio_attr->dev_attr, dattr, sizeof(iio_attr->dev_attr));
iio_attr->dev_attr.attr.name = kstrdup_const(attr->name, GFP_KERNEL);
+ if (!iio_attr->dev_attr.attr.name) {
+ kfree(iio_attr);
+ return NULL;
+ }
+
sysfs_attr_init(&iio_attr->dev_attr.attr);
list_add(&iio_attr->l, &buffer->buffer_attr_list);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 164/917] iio: buffer: Fix memory leak in iio_buffers_alloc_sysfs_and_mask()
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 163/917] iio: buffer: check return value of kstrdup_const() Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 165/917] iio: buffer: Fix memory leak in __iio_buffer_alloc_sysfs_and_mask() Greg Kroah-Hartman
` (755 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hulk Robot, Yang Yingliang, Stable,
Jonathan Cameron
From: Yang Yingliang <yangyingliang@huawei.com>
commit 486a25084155bf633768c26f022201c051d6fd95 upstream.
When 'iio_dev_opaque->buffer_ioctl_handler' alloc fails in
iio_buffers_alloc_sysfs_and_mask(), the 'attrs' allocated in
iio_buffer_register_legacy_sysfs_groups() will be leaked:
unreferenced object 0xffff888108568d00 (size 128):
comm "88", pid 2014, jiffies 4294963294 (age 26.920s)
hex dump (first 32 bytes):
80 3e da 02 80 88 ff ff 00 3a da 02 80 88 ff ff .>.......:......
00 35 da 02 80 88 ff ff 00 38 da 02 80 88 ff ff .5.......8......
backtrace:
[<0000000095a9e51e>] __kmalloc+0x1a3/0x2f0
[<00000000faa3735e>] iio_buffers_alloc_sysfs_and_mask+0xfa3/0x1480 [industrialio]
[<00000000a46384dc>] __iio_device_register+0x52e/0x1b40 [industrialio]
[<00000000210af05e>] __devm_iio_device_register+0x22/0x80 [industrialio]
[<00000000730d7b41>] adjd_s311_probe+0x195/0x200 [adjd_s311]
[<00000000c0f70eb9>] i2c_device_probe+0xa07/0xbb0
The iio_buffer_register_legacy_sysfs_groups() is
called in __iio_buffer_alloc_sysfs_and_mask(),
so move the iio_buffer_unregister_legacy_sysfs_groups()
into __iio_buffer_free_sysfs_and_mask(), then the memory
will be freed.
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: d9a625744ed0 ("iio: core: merge buffer/ & scan_elements/ attributes")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20211018063718.1971240-1-yangyingliang@huawei.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-buffer.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -1588,8 +1588,12 @@ error_cleanup_dynamic:
return ret;
}
-static void __iio_buffer_free_sysfs_and_mask(struct iio_buffer *buffer)
+static void __iio_buffer_free_sysfs_and_mask(struct iio_buffer *buffer,
+ struct iio_dev *indio_dev,
+ int index)
{
+ if (index == 0)
+ iio_buffer_unregister_legacy_sysfs_groups(indio_dev);
bitmap_free(buffer->scan_mask);
kfree(buffer->buffer_group.name);
kfree(buffer->buffer_group.attrs);
@@ -1643,7 +1647,7 @@ int iio_buffers_alloc_sysfs_and_mask(str
error_unwind_sysfs_and_mask:
for (; unwind_idx >= 0; unwind_idx--) {
buffer = iio_dev_opaque->attached_buffers[unwind_idx];
- __iio_buffer_free_sysfs_and_mask(buffer);
+ __iio_buffer_free_sysfs_and_mask(buffer, indio_dev, unwind_idx);
}
return ret;
}
@@ -1660,11 +1664,9 @@ void iio_buffers_free_sysfs_and_mask(str
iio_device_ioctl_handler_unregister(iio_dev_opaque->buffer_ioctl_handler);
kfree(iio_dev_opaque->buffer_ioctl_handler);
- iio_buffer_unregister_legacy_sysfs_groups(indio_dev);
-
for (i = iio_dev_opaque->attached_buffers_cnt - 1; i >= 0; i--) {
buffer = iio_dev_opaque->attached_buffers[i];
- __iio_buffer_free_sysfs_and_mask(buffer);
+ __iio_buffer_free_sysfs_and_mask(buffer, indio_dev, i);
}
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 165/917] iio: buffer: Fix memory leak in __iio_buffer_alloc_sysfs_and_mask()
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 164/917] iio: buffer: Fix memory leak in iio_buffers_alloc_sysfs_and_mask() Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 166/917] iio: buffer: Fix memory leak in iio_buffer_register_legacy_sysfs_groups() Greg Kroah-Hartman
` (754 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hulk Robot, Yang Yingliang, Stable,
Jonathan Cameron
From: Yang Yingliang <yangyingliang@huawei.com>
commit 9a2ff8009e53296e47de72d5af0bc31cd53274ff upstream.
When iio_buffer_wrap_attr() returns NULL or buffer->buffer_group.name alloc
fails, the 'attr' which is allocated in __iio_buffer_alloc_sysfs_and_mask()
is not freed, and cause memory leak.
unreferenced object 0xffff888014882a00 (size 64):
comm "i2c-adjd_s311-8", pid 424, jiffies 4294907737 (age 44.396s)
hex dump (first 32 bytes):
00 0f 8a 15 80 88 ff ff 00 0e 8a 15 80 88 ff ff ................
80 04 8a 15 80 88 ff ff 80 05 8a 15 80 88 ff ff ................
backtrace:
[<0000000021752e67>] __kmalloc+0x1af/0x3c0
[<0000000043e8305c>] iio_buffers_alloc_sysfs_and_mask+0xe73/0x1570 [industrialio]
[<00000000b7aa5a17>] __iio_device_register+0x483/0x1a30 [industrialio]
[<000000003fa0fb2f>] __devm_iio_device_register+0x23/0x90 [industrialio]
[<000000003ab040cf>] adjd_s311_probe+0x19c/0x200 [adjd_s311]
[<0000000080458969>] i2c_device_probe+0xa31/0xbe0
[<00000000e20678ad>] really_probe+0x299/0xc30
[<000000006bea9b27>] __driver_probe_device+0x357/0x500
[<00000000e1df10d4>] driver_probe_device+0x4e/0x140
[<0000000003661beb>] __device_attach_driver+0x257/0x340
[<000000005bb4aa26>] bus_for_each_drv+0x166/0x1e0
[<00000000272c5236>] __device_attach+0x272/0x420
[<00000000d52a96ae>] bus_probe_device+0x1eb/0x2a0
[<00000000129f7737>] device_add+0xbf0/0x1f90
[<000000005eed4e52>] i2c_new_client_device+0x622/0xb20
[<00000000b85a9c43>] new_device_store+0x1fa/0x420
This patch fix to free it before the error return.
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
Fixes: d9a625744ed0 ("iio: core: merge buffer/ & scan_elements/ attributes")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20211013094343.315275-1-yangyingliang@huawei.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-buffer.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -1536,6 +1536,7 @@ static int __iio_buffer_alloc_sysfs_and_
sizeof(struct attribute *) * buffer_attrcount);
buffer_attrcount += ARRAY_SIZE(iio_buffer_attrs);
+ buffer->buffer_group.attrs = attr;
for (i = 0; i < buffer_attrcount; i++) {
struct attribute *wrapped;
@@ -1543,7 +1544,7 @@ static int __iio_buffer_alloc_sysfs_and_
wrapped = iio_buffer_wrap_attr(buffer, attr[i]);
if (!wrapped) {
ret = -ENOMEM;
- goto error_free_scan_mask;
+ goto error_free_buffer_attrs;
}
attr[i] = wrapped;
}
@@ -1558,8 +1559,6 @@ static int __iio_buffer_alloc_sysfs_and_
goto error_free_buffer_attrs;
}
- buffer->buffer_group.attrs = attr;
-
ret = iio_device_register_sysfs_group(indio_dev, &buffer->buffer_group);
if (ret)
goto error_free_buffer_attr_group_name;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 166/917] iio: buffer: Fix memory leak in iio_buffer_register_legacy_sysfs_groups()
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 165/917] iio: buffer: Fix memory leak in __iio_buffer_alloc_sysfs_and_mask() Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 167/917] drivers: iio: dac: ad5766: Fix dt property name Greg Kroah-Hartman
` (753 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hulk Robot, Yang Yingliang, Stable,
Jonathan Cameron
From: Yang Yingliang <yangyingliang@huawei.com>
commit 604faf9a2ecd1addcc0c10a47e5aaef3c4d4fd6b upstream.
If the second iio_device_register_sysfs_group() fails,
'legacy_buffer_group.attrs' need be freed too or it will
cause memory leak:
unreferenced object 0xffff888003618280 (size 64):
comm "xrun", pid 357, jiffies 4294907259 (age 22.296s)
hex dump (first 32 bytes):
80 f6 8c 03 80 88 ff ff 80 fb 8c 03 80 88 ff ff ................
00 f9 8c 03 80 88 ff ff 80 fc 8c 03 80 88 ff ff ................
backtrace:
[<00000000076bfd43>] __kmalloc+0x1a3/0x2f0
[<00000000c32e4886>] iio_buffers_alloc_sysfs_and_mask+0xc31/0x1290 [industrialio]
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: d9a625744ed0 ("iio: core: merge buffer/ & scan_elements/ attributes")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20211013144242.1685060-1-yangyingliang@huawei.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-buffer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -1367,10 +1367,10 @@ static int iio_buffer_register_legacy_sy
return 0;
-error_free_buffer_attrs:
- kfree(iio_dev_opaque->legacy_buffer_group.attrs);
error_free_scan_el_attrs:
kfree(iio_dev_opaque->legacy_scan_el_group.attrs);
+error_free_buffer_attrs:
+ kfree(iio_dev_opaque->legacy_buffer_group.attrs);
return ret;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 167/917] drivers: iio: dac: ad5766: Fix dt property name
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 166/917] iio: buffer: Fix memory leak in iio_buffer_register_legacy_sysfs_groups() Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 168/917] iio: dac: ad5446: Fix ad5622_write() return value Greg Kroah-Hartman
` (752 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Mihail Chindris, Alexandru Ardelean,
Stable, Jonathan Cameron
From: Mihail Chindris <mihail.chindris@analog.com>
commit d9de0fbdeb0103a204055efb69cb5cc8f5f12a6a upstream.
In the documentation the name for the property is
output-range-microvolts which is a standard name, therefore this name
must be used.
Fixes: fd9373e41b9ba ("iio: dac: ad5766: add driver support for AD5766")
Signed-off-by: Mihail Chindris <mihail.chindris@analog.com>
Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Link: https://lore.kernel.org/r/20211007080035.2531-5-mihail.chindris@analog.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/ad5766.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/iio/dac/ad5766.c
+++ b/drivers/iio/dac/ad5766.c
@@ -503,13 +503,13 @@ static int ad5766_get_output_range(struc
int i, ret, min, max, tmp[2];
ret = device_property_read_u32_array(&st->spi->dev,
- "output-range-voltage",
+ "output-range-microvolts",
tmp, 2);
if (ret)
return ret;
- min = tmp[0] / 1000;
- max = tmp[1] / 1000;
+ min = tmp[0] / 1000000;
+ max = tmp[1] / 1000000;
for (i = 0; i < ARRAY_SIZE(ad5766_span_tbl); i++) {
if (ad5766_span_tbl[i].min != min ||
ad5766_span_tbl[i].max != max)
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 168/917] iio: dac: ad5446: Fix ad5622_write() return value
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 167/917] drivers: iio: dac: ad5766: Fix dt property name Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 169/917] iio: ad5770r: make devicetree property reading consistent Greg Kroah-Hartman
` (751 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pekka Korpinen, Stable, Jonathan Cameron
From: Pekka Korpinen <pekka.korpinen@iki.fi>
commit 558df982d4ead9cac628153d0d7b60feae05ddc8 upstream.
On success i2c_master_send() returns the number of bytes written. The
call from iio_write_channel_info(), however, expects the return value to
be zero on success.
This bug causes incorrect consumption of the sysfs buffer in
iio_write_channel_info(). When writing more than two characters to
out_voltage0_raw, the ad5446 write handler is called multiple times
causing unexpected behavior.
Fixes: 3ec36a2cf0d5 ("iio:ad5446: Add support for I2C based DACs")
Signed-off-by: Pekka Korpinen <pekka.korpinen@iki.fi>
Link: https://lore.kernel.org/r/20210929185755.2384-1-pekka.korpinen@iki.fi
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/ad5446.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/iio/dac/ad5446.c
+++ b/drivers/iio/dac/ad5446.c
@@ -531,8 +531,15 @@ static int ad5622_write(struct ad5446_st
{
struct i2c_client *client = to_i2c_client(st->dev);
__be16 data = cpu_to_be16(val);
+ int ret;
- return i2c_master_send(client, (char *)&data, sizeof(data));
+ ret = i2c_master_send(client, (char *)&data, sizeof(data));
+ if (ret < 0)
+ return ret;
+ if (ret != sizeof(data))
+ return -EIO;
+
+ return 0;
}
/*
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 169/917] iio: ad5770r: make devicetree property reading consistent
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 168/917] iio: dac: ad5446: Fix ad5622_write() return value Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 170/917] Documentation:devicetree:bindings:iio:dac: Fix val Greg Kroah-Hartman
` (750 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Nuno Sá,
Andy Shevchenko, Stable, Jonathan Cameron
From: Nuno Sá <nuno.sa@analog.com>
commit 26df977a909f818b7d346b3990735513e7e0bf93 upstream.
The bindings file for this driver is defining the property as 'reg' but
the driver was reading it with the 'num' name. The bindings actually had
the 'num' property when added in
commit ea52c21268e6 ("dt-bindings: iio: dac: Add docs for AD5770R DAC")
and then changed it to 'reg' in
commit 2cf3818f18b2 ("dt-bindings: iio: dac: AD5570R fix bindings errors").
However, both these commits landed in v5.7 so the assumption is
that either 'num' is not being used or if it is, the validations were not
done.
Anyways, if someone comes back yelling about this, we might just support
both of the properties in the future. Not ideal, but that's life...
Fixes: 2cf3818f18b2 ("dt-bindings: iio: dac: AD5570R fix bindings errors")
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20210818080525.62790-1-nuno.sa@analog.com
Cc: Stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/ad5770r.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/dac/ad5770r.c
+++ b/drivers/iio/dac/ad5770r.c
@@ -522,7 +522,7 @@ static int ad5770r_channel_config(struct
return -EINVAL;
device_for_each_child_node(&st->spi->dev, child) {
- ret = fwnode_property_read_u32(child, "num", &num);
+ ret = fwnode_property_read_u32(child, "reg", &num);
if (ret)
goto err_child_out;
if (num >= AD5770R_MAX_CHANNELS) {
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 170/917] Documentation:devicetree:bindings:iio:dac: Fix val
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 169/917] iio: ad5770r: make devicetree property reading consistent Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 171/917] USB: serial: keyspan: fix memleak on probe errors Greg Kroah-Hartman
` (749 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Mihail Chindris, Alexandru Ardelean,
Stable, Jonathan Cameron
From: Mihail Chindris <mihail.chindris@analog.com>
commit 8fc4f038fa832ec3543907fdcbe1334e1b0a8950 upstream.
A correct value for output-range-microvolts is -5 to 5 Volts
not -5 to 5 milivolts
Fixes: e904cc899293f ("dt-bindings: iio: dac: AD5766 yaml documentation")
Signed-off-by: Mihail Chindris <mihail.chindris@analog.com>
Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Link: https://lore.kernel.org/r/20211007080035.2531-6-mihail.chindris@analog.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/iio/dac/adi,ad5766.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Documentation/devicetree/bindings/iio/dac/adi,ad5766.yaml
+++ b/Documentation/devicetree/bindings/iio/dac/adi,ad5766.yaml
@@ -54,7 +54,7 @@ examples:
ad5766@0 {
compatible = "adi,ad5766";
- output-range-microvolts = <(-5000) 5000>;
+ output-range-microvolts = <(-5000000) 5000000>;
reg = <0>;
spi-cpol;
spi-max-frequency = <1000000>;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 171/917] USB: serial: keyspan: fix memleak on probe errors
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 170/917] Documentation:devicetree:bindings:iio:dac: Fix val Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 172/917] serial: 8250: fix racy uartclk update Greg Kroah-Hartman
` (748 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hulk Robot, Wang Hai, Johan Hovold
From: Wang Hai <wanghai38@huawei.com>
commit 910c996335c37552ee30fcb837375b808bb4f33b upstream.
I got memory leak as follows when doing fault injection test:
unreferenced object 0xffff888258228440 (size 64):
comm "kworker/7:2", pid 2005, jiffies 4294989509 (age 824.540s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8167939c>] slab_post_alloc_hook+0x9c/0x490
[<ffffffff8167f627>] kmem_cache_alloc_trace+0x1f7/0x470
[<ffffffffa02ac0e4>] keyspan_port_probe+0xa4/0x5d0 [keyspan]
[<ffffffffa0294c07>] usb_serial_device_probe+0x97/0x1d0 [usbserial]
[<ffffffff82b50ca7>] really_probe+0x167/0x460
[<ffffffff82b51099>] __driver_probe_device+0xf9/0x180
[<ffffffff82b51173>] driver_probe_device+0x53/0x130
[<ffffffff82b516f5>] __device_attach_driver+0x105/0x130
[<ffffffff82b4cfe9>] bus_for_each_drv+0x129/0x190
[<ffffffff82b50a69>] __device_attach+0x1c9/0x270
[<ffffffff82b518d0>] device_initial_probe+0x20/0x30
[<ffffffff82b4f062>] bus_probe_device+0x142/0x160
[<ffffffff82b4a4e9>] device_add+0x829/0x1300
[<ffffffffa0295fda>] usb_serial_probe.cold+0xc9b/0x14ac [usbserial]
[<ffffffffa02266aa>] usb_probe_interface+0x1aa/0x3c0 [usbcore]
[<ffffffff82b50ca7>] really_probe+0x167/0x460
If keyspan_port_probe() fails to allocate memory for an out_buffer[i] or
in_buffer[i], the previously allocated memory for out_buffer or
in_buffer needs to be freed on the error handling path, otherwise a
memory leak will result.
Fixes: bad41a5bf177 ("USB: keyspan: fix port DMA-buffer allocations")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Link: https://lore.kernel.org/r/20211015085543.1203011-1-wanghai38@huawei.com
Cc: stable@vger.kernel.org # 3.12
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/keyspan.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
--- a/drivers/usb/serial/keyspan.c
+++ b/drivers/usb/serial/keyspan.c
@@ -2890,22 +2890,22 @@ static int keyspan_port_probe(struct usb
for (i = 0; i < ARRAY_SIZE(p_priv->in_buffer); ++i) {
p_priv->in_buffer[i] = kzalloc(IN_BUFLEN, GFP_KERNEL);
if (!p_priv->in_buffer[i])
- goto err_in_buffer;
+ goto err_free_in_buffer;
}
for (i = 0; i < ARRAY_SIZE(p_priv->out_buffer); ++i) {
p_priv->out_buffer[i] = kzalloc(OUT_BUFLEN, GFP_KERNEL);
if (!p_priv->out_buffer[i])
- goto err_out_buffer;
+ goto err_free_out_buffer;
}
p_priv->inack_buffer = kzalloc(INACK_BUFLEN, GFP_KERNEL);
if (!p_priv->inack_buffer)
- goto err_inack_buffer;
+ goto err_free_out_buffer;
p_priv->outcont_buffer = kzalloc(OUTCONT_BUFLEN, GFP_KERNEL);
if (!p_priv->outcont_buffer)
- goto err_outcont_buffer;
+ goto err_free_inack_buffer;
p_priv->device_details = d_details;
@@ -2951,15 +2951,14 @@ static int keyspan_port_probe(struct usb
return 0;
-err_outcont_buffer:
+err_free_inack_buffer:
kfree(p_priv->inack_buffer);
-err_inack_buffer:
+err_free_out_buffer:
for (i = 0; i < ARRAY_SIZE(p_priv->out_buffer); ++i)
kfree(p_priv->out_buffer[i]);
-err_out_buffer:
+err_free_in_buffer:
for (i = 0; i < ARRAY_SIZE(p_priv->in_buffer); ++i)
kfree(p_priv->in_buffer[i]);
-err_in_buffer:
kfree(p_priv);
return -ENOMEM;
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 172/917] serial: 8250: fix racy uartclk update
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 171/917] USB: serial: keyspan: fix memleak on probe errors Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 173/917] ksmbd: set unique value to volume serial field in FS_VOLUME_INFORMATION Greg Kroah-Hartman
` (747 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Serge Semin, Serge Semin,
Andy Shevchenko, Johan Hovold
From: Johan Hovold <johan@kernel.org>
commit 211cde4f5817dc88ef7f8f2fa286e57fbf14c8ee upstream.
Commit 868f3ee6e452 ("serial: 8250: Add 8250 port clock update method")
added a hack to support SoCs where the UART reference clock can
change behind the back of the driver but failed to add the proper
locking.
First, make sure to take a reference to the tty struct to avoid
dereferencing a NULL pointer if the clock change races with a hangup.
Second, the termios semaphore must be held during the update to prevent
a racing termios change.
Fixes: 868f3ee6e452 ("serial: 8250: Add 8250 port clock update method")
Fixes: c8dff3aa8241 ("serial: 8250: Skip uninitialized TTY port baud rate update")
Cc: stable@vger.kernel.org # 5.9
Cc: Serge Semin <Sergey.Semin@baikalelectronics.ru>
Tested-by: Serge Semin <fancer.lancer@gmail.com>
Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211015111422.1027-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_port.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
index 66374704747e..e4dd82fd7c2a 100644
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -2696,21 +2696,32 @@ static unsigned int serial8250_get_baud_rate(struct uart_port *port,
void serial8250_update_uartclk(struct uart_port *port, unsigned int uartclk)
{
struct uart_8250_port *up = up_to_u8250p(port);
+ struct tty_port *tport = &port->state->port;
unsigned int baud, quot, frac = 0;
struct ktermios *termios;
+ struct tty_struct *tty;
unsigned long flags;
- mutex_lock(&port->state->port.mutex);
+ tty = tty_port_tty_get(tport);
+ if (!tty) {
+ mutex_lock(&tport->mutex);
+ port->uartclk = uartclk;
+ mutex_unlock(&tport->mutex);
+ return;
+ }
+
+ down_write(&tty->termios_rwsem);
+ mutex_lock(&tport->mutex);
if (port->uartclk == uartclk)
goto out_lock;
port->uartclk = uartclk;
- if (!tty_port_initialized(&port->state->port))
+ if (!tty_port_initialized(tport))
goto out_lock;
- termios = &port->state->port.tty->termios;
+ termios = &tty->termios;
baud = serial8250_get_baud_rate(port, termios, NULL);
quot = serial8250_get_divisor(port, baud, &frac);
@@ -2727,7 +2738,9 @@ void serial8250_update_uartclk(struct uart_port *port, unsigned int uartclk)
serial8250_rpm_put(up);
out_lock:
- mutex_unlock(&port->state->port.mutex);
+ mutex_unlock(&tport->mutex);
+ up_write(&tty->termios_rwsem);
+ tty_kref_put(tty);
}
EXPORT_SYMBOL_GPL(serial8250_update_uartclk);
--
2.33.1
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 173/917] ksmbd: set unique value to volume serial field in FS_VOLUME_INFORMATION
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 172/917] serial: 8250: fix racy uartclk update Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 174/917] io-wq: serialize hash clear with wakeup Greg Kroah-Hartman
` (746 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Steve French, Namjae Jeon, Steve French
From: Namjae Jeon <linkinjeon@kernel.org>
commit 5d2f0b1083eb158bdff01dd557e2c25046c0a7d2 upstream.
Steve French reported ksmbd set fixed value to volume serial field in
FS_VOLUME_INFORMATION. Volume serial value needs to be set to a unique
value for client fscache. This patch set crc value that is generated
with share name, path name and netbios name to volume serial.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org # v5.15
Reported-by: Steve French <smfrench@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/Kconfig | 1 +
fs/ksmbd/server.c | 1 +
fs/ksmbd/smb2pdu.c | 9 ++++++++-
3 files changed, 10 insertions(+), 1 deletion(-)
--- a/fs/ksmbd/Kconfig
+++ b/fs/ksmbd/Kconfig
@@ -19,6 +19,7 @@ config SMB_SERVER
select CRYPTO_GCM
select ASN1
select OID_REGISTRY
+ select CRC32
default n
help
Choose Y here if you want to allow SMB3 compliant clients
--- a/fs/ksmbd/server.c
+++ b/fs/ksmbd/server.c
@@ -632,5 +632,6 @@ MODULE_SOFTDEP("pre: sha512");
MODULE_SOFTDEP("pre: aead2");
MODULE_SOFTDEP("pre: ccm");
MODULE_SOFTDEP("pre: gcm");
+MODULE_SOFTDEP("pre: crc32");
module_init(ksmbd_server_init)
module_exit(ksmbd_server_exit)
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -4891,11 +4891,18 @@ static int smb2_get_info_filesystem(stru
{
struct filesystem_vol_info *info;
size_t sz;
+ unsigned int serial_crc = 0;
info = (struct filesystem_vol_info *)(rsp->Buffer);
info->VolumeCreationTime = 0;
+ serial_crc = crc32_le(serial_crc, share->name,
+ strlen(share->name));
+ serial_crc = crc32_le(serial_crc, share->path,
+ strlen(share->path));
+ serial_crc = crc32_le(serial_crc, ksmbd_netbios_name(),
+ strlen(ksmbd_netbios_name()));
/* Taking dummy value of serial number*/
- info->SerialNumber = cpu_to_le32(0xbc3ac512);
+ info->SerialNumber = cpu_to_le32(serial_crc);
len = smbConvertToUTF16((__le16 *)info->VolumeLabel,
share->name, PATH_MAX,
conn->local_nls, 0);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 174/917] io-wq: serialize hash clear with wakeup
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 173/917] ksmbd: set unique value to volume serial field in FS_VOLUME_INFORMATION Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 175/917] serial: 8250: Fix reporting real baudrate value in c_ospeed field Greg Kroah-Hartman
` (745 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Daniel Black, Jens Axboe
From: Jens Axboe <axboe@kernel.dk>
commit d3e3c102d107bb84251455a298cf475f24bab995 upstream.
We need to ensure that we serialize the stalled and hash bits with the
wait_queue wait handler, or we could be racing with someone modifying
the hashed state after we find it busy, but before we then give up and
wait for it to be cleared. This can cause random delays or stalls when
handling buffered writes for many files, where some of these files cause
hash collisions between the worker threads.
Cc: stable@vger.kernel.org
Reported-by: Daniel Black <daniel@mariadb.org>
Fixes: e941894eae31 ("io-wq: make buffered file write hashed work map per-ctx")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/io-wq.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
--- a/fs/io-wq.c
+++ b/fs/io-wq.c
@@ -421,9 +421,10 @@ static inline unsigned int io_get_work_h
return work->flags >> IO_WQ_HASH_SHIFT;
}
-static void io_wait_on_hash(struct io_wqe *wqe, unsigned int hash)
+static bool io_wait_on_hash(struct io_wqe *wqe, unsigned int hash)
{
struct io_wq *wq = wqe->wq;
+ bool ret = false;
spin_lock_irq(&wq->hash->wait.lock);
if (list_empty(&wqe->wait.entry)) {
@@ -431,9 +432,11 @@ static void io_wait_on_hash(struct io_wq
if (!test_bit(hash, &wq->hash->map)) {
__set_current_state(TASK_RUNNING);
list_del_init(&wqe->wait.entry);
+ ret = true;
}
}
spin_unlock_irq(&wq->hash->wait.lock);
+ return ret;
}
static struct io_wq_work *io_get_next_work(struct io_wqe_acct *acct,
@@ -473,14 +476,21 @@ static struct io_wq_work *io_get_next_wo
}
if (stall_hash != -1U) {
+ bool unstalled;
+
/*
* Set this before dropping the lock to avoid racing with new
* work being added and clearing the stalled bit.
*/
set_bit(IO_ACCT_STALLED_BIT, &acct->flags);
raw_spin_unlock(&wqe->lock);
- io_wait_on_hash(wqe, stall_hash);
+ unstalled = io_wait_on_hash(wqe, stall_hash);
raw_spin_lock(&wqe->lock);
+ if (unstalled) {
+ clear_bit(IO_ACCT_STALLED_BIT, &acct->flags);
+ if (wq_has_sleeper(&wqe->wq->hash->wait))
+ wake_up(&wqe->wq->hash->wait);
+ }
}
return NULL;
@@ -562,8 +572,11 @@ get_next:
io_wqe_enqueue(wqe, linked);
if (hash != -1U && !next_hashed) {
+ /* serialize hash clear with wake_up() */
+ spin_lock_irq(&wq->hash->wait.lock);
clear_bit(hash, &wq->hash->map);
clear_bit(IO_ACCT_STALLED_BIT, &acct->flags);
+ spin_unlock_irq(&wq->hash->wait.lock);
if (wq_has_sleeper(&wq->hash->wait))
wake_up(&wq->hash->wait);
raw_spin_lock(&wqe->lock);
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 175/917] serial: 8250: Fix reporting real baudrate value in c_ospeed field
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 174/917] io-wq: serialize hash clear with wakeup Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 176/917] Revert "serial: 8250: Fix reporting real baudrate value in c_ospeed field" Greg Kroah-Hartman
` (744 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pali Rohár
From: Pali Rohár <pali@kernel.org>
commit 32262e2e429cdb31f9e957e997d53458762931b7 upstream.
In most cases it is not possible to set exact baudrate value to hardware.
So fix reporting real baudrate value which was set to hardware via c_ospeed
termios field. It can be retrieved by ioctl(TCGETS2) from userspace.
Real baudrate value is calculated from chosen hardware divisor and base
clock. It is implemented in a new function serial8250_compute_baud_rate()
which is inverse of serial8250_get_divisor() function.
With this change is fixed also UART timeout value (it is updated via
uart_update_timeout() function), which is calculated from the now fixed
baudrate value too.
Cc: stable@vger.kernel.org
Signed-off-by: Pali Rohár <pali@kernel.org>
Link: https://lore.kernel.org/r/20210927093704.19768-1-pali@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_port.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -2584,6 +2584,19 @@ static unsigned int serial8250_get_divis
return serial8250_do_get_divisor(port, baud, frac);
}
+static unsigned int serial8250_compute_baud_rate(struct uart_port *port,
+ unsigned int quot)
+{
+ if ((port->flags & UPF_MAGIC_MULTIPLIER) && quot == 0x8001)
+ return port->uartclk / 4;
+ else if ((port->flags & UPF_MAGIC_MULTIPLIER) && quot == 0x8002)
+ return port->uartclk / 8;
+ else if (port->type == PORT_NPCM)
+ return DIV_ROUND_CLOSEST(port->uartclk - 2 * (quot + 2), 16 * (quot + 2));
+ else
+ return DIV_ROUND_CLOSEST(port->uartclk, 16 * quot);
+}
+
static unsigned char serial8250_compute_lcr(struct uart_8250_port *up,
tcflag_t c_cflag)
{
@@ -2725,11 +2738,14 @@ void serial8250_update_uartclk(struct ua
baud = serial8250_get_baud_rate(port, termios, NULL);
quot = serial8250_get_divisor(port, baud, &frac);
+ baud = serial8250_compute_baud_rate(port, quot);
serial8250_rpm_get(up);
spin_lock_irqsave(&port->lock, flags);
uart_update_timeout(port, termios->c_cflag, baud);
+ if (tty_termios_baud_rate(termios))
+ tty_termios_encode_baud_rate(termios, baud, baud);
serial8250_set_divisor(port, baud, quot, frac);
serial_port_out(port, UART_LCR, up->lcr);
@@ -2763,6 +2779,7 @@ serial8250_do_set_termios(struct uart_po
baud = serial8250_get_baud_rate(port, termios, old);
quot = serial8250_get_divisor(port, baud, &frac);
+ baud = serial8250_compute_baud_rate(port, quot);
/*
* Ok, we're now changing the port state. Do it with
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 176/917] Revert "serial: 8250: Fix reporting real baudrate value in c_ospeed field"
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 175/917] serial: 8250: Fix reporting real baudrate value in c_ospeed field Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 177/917] most: fix control-message timeouts Greg Kroah-Hartman
` (743 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pali Rohár, Johan Hovold
From: Johan Hovold <johan@kernel.org>
commit d02b006b29de14968ba4afa998bede0d55469e29 upstream.
This reverts commit 32262e2e429cdb31f9e957e997d53458762931b7.
The commit in question claims to determine the inverse of
serial8250_get_divisor() but failed to notice that some drivers override
the default implementation using a get_divisor() callback.
This means that the computed line-speed values can be completely wrong
and results in regular TCSETS requests failing (the incorrect values
would also be passed to any overridden set_divisor() callback).
Similarly, it also failed to honour the old (deprecated) ASYNC_SPD_FLAGS
and would break applications relying on those when re-encoding the
actual line speed.
There are also at least two quirks, UART_BUG_QUOT and an OMAP1510
workaround, which were happily ignored and that are now broken.
Finally, even if the offending commit were to be implemented correctly,
this is a new feature and not something which should be backported to
stable.
Cc: Pali Rohár <pali@kernel.org>
Fixes: 32262e2e429c ("serial: 8250: Fix reporting real baudrate value in c_ospeed field")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211007133146.28949-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_port.c | 17 -----------------
1 file changed, 17 deletions(-)
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -2584,19 +2584,6 @@ static unsigned int serial8250_get_divis
return serial8250_do_get_divisor(port, baud, frac);
}
-static unsigned int serial8250_compute_baud_rate(struct uart_port *port,
- unsigned int quot)
-{
- if ((port->flags & UPF_MAGIC_MULTIPLIER) && quot == 0x8001)
- return port->uartclk / 4;
- else if ((port->flags & UPF_MAGIC_MULTIPLIER) && quot == 0x8002)
- return port->uartclk / 8;
- else if (port->type == PORT_NPCM)
- return DIV_ROUND_CLOSEST(port->uartclk - 2 * (quot + 2), 16 * (quot + 2));
- else
- return DIV_ROUND_CLOSEST(port->uartclk, 16 * quot);
-}
-
static unsigned char serial8250_compute_lcr(struct uart_8250_port *up,
tcflag_t c_cflag)
{
@@ -2738,14 +2725,11 @@ void serial8250_update_uartclk(struct ua
baud = serial8250_get_baud_rate(port, termios, NULL);
quot = serial8250_get_divisor(port, baud, &frac);
- baud = serial8250_compute_baud_rate(port, quot);
serial8250_rpm_get(up);
spin_lock_irqsave(&port->lock, flags);
uart_update_timeout(port, termios->c_cflag, baud);
- if (tty_termios_baud_rate(termios))
- tty_termios_encode_baud_rate(termios, baud, baud);
serial8250_set_divisor(port, baud, quot, frac);
serial_port_out(port, UART_LCR, up->lcr);
@@ -2779,7 +2763,6 @@ serial8250_do_set_termios(struct uart_po
baud = serial8250_get_baud_rate(port, termios, old);
quot = serial8250_get_divisor(port, baud, &frac);
- baud = serial8250_compute_baud_rate(port, quot);
/*
* Ok, we're now changing the port state. Do it with
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 177/917] most: fix control-message timeouts
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 176/917] Revert "serial: 8250: Fix reporting real baudrate value in c_ospeed field" Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 178/917] USB: iowarrior: " Greg Kroah-Hartman
` (742 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold
From: Johan Hovold <johan@kernel.org>
commit 63b3e810eff65fb8587fcb26fa0b56802be12dcf upstream.
USB control-message timeouts are specified in milliseconds and should
specifically not vary with CONFIG_HZ.
Use the common control-message timeout defines for the five-second
timeouts.
Fixes: 97a6f772f36b ("drivers: most: add USB adapter driver")
Cc: stable@vger.kernel.org # 5.9
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211025115811.5410-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/most/most_usb.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/most/most_usb.c
+++ b/drivers/most/most_usb.c
@@ -149,7 +149,8 @@ static inline int drci_rd_reg(struct usb
retval = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
DRCI_READ_REQ, req_type,
0x0000,
- reg, dma_buf, sizeof(*dma_buf), 5 * HZ);
+ reg, dma_buf, sizeof(*dma_buf),
+ USB_CTRL_GET_TIMEOUT);
*buf = le16_to_cpu(*dma_buf);
kfree(dma_buf);
@@ -176,7 +177,7 @@ static inline int drci_wr_reg(struct usb
reg,
NULL,
0,
- 5 * HZ);
+ USB_CTRL_SET_TIMEOUT);
}
static inline int start_sync_ep(struct usb_device *usb_dev, u16 ep)
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 178/917] USB: iowarrior: fix control-message timeouts
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 177/917] most: fix control-message timeouts Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 179/917] USB: chipidea: fix interrupt deadlock Greg Kroah-Hartman
` (741 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold
From: Johan Hovold <johan@kernel.org>
commit 79a4479a17b83310deb0b1a2a274fe5be12d2318 upstream.
USB control-message timeouts are specified in milliseconds and should
specifically not vary with CONFIG_HZ.
Use the common control-message timeout define for the five-second
timeout and drop the driver-specific one.
Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
Cc: stable@vger.kernel.org # 2.6.21
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211025115159.4954-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/iowarrior.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -99,10 +99,6 @@ struct iowarrior {
/* globals */
/*--------------*/
-/*
- * USB spec identifies 5 second timeouts.
- */
-#define GET_TIMEOUT 5
#define USB_REQ_GET_REPORT 0x01
//#if 0
static int usb_get_report(struct usb_device *dev,
@@ -114,7 +110,7 @@ static int usb_get_report(struct usb_dev
USB_DIR_IN | USB_TYPE_CLASS |
USB_RECIP_INTERFACE, (type << 8) + id,
inter->desc.bInterfaceNumber, buf, size,
- GET_TIMEOUT*HZ);
+ USB_CTRL_GET_TIMEOUT);
}
//#endif
@@ -129,7 +125,7 @@ static int usb_set_report(struct usb_int
USB_TYPE_CLASS | USB_RECIP_INTERFACE,
(type << 8) + id,
intf->cur_altsetting->desc.bInterfaceNumber, buf,
- size, HZ);
+ size, 1000);
}
/*---------------------*/
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 179/917] USB: chipidea: fix interrupt deadlock
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 178/917] USB: iowarrior: " Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 180/917] power: supply: max17042_battery: Clear status bits in interrupt handler Greg Kroah-Hartman
` (740 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Chen, Johan Hovold
From: Johan Hovold <johan@kernel.org>
commit 9aaa81c3366e8393a62374e3a1c67c69edc07b8a upstream.
Chipidea core was calling the interrupt handler from non-IRQ context
with interrupts enabled, something which can lead to a deadlock if
there's an actual interrupt trying to take a lock that's already held
(e.g. the controller lock in udc_irq()).
Add a wrapper that can be used to fake interrupts instead of calling the
handler directly.
Fixes: 3ecb3e09b042 ("usb: chipidea: Use extcon framework for VBUS and ID detect")
Fixes: 876d4e1e8298 ("usb: chipidea: core: add wakeup support for extcon")
Cc: Peter Chen <peter.chen@kernel.org>
Cc: stable@vger.kernel.org # 4.4
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211021083447.20078-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/chipidea/core.c | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
--- a/drivers/usb/chipidea/core.c
+++ b/drivers/usb/chipidea/core.c
@@ -514,7 +514,7 @@ int hw_device_reset(struct ci_hdrc *ci)
return 0;
}
-static irqreturn_t ci_irq(int irq, void *data)
+static irqreturn_t ci_irq_handler(int irq, void *data)
{
struct ci_hdrc *ci = data;
irqreturn_t ret = IRQ_NONE;
@@ -567,6 +567,15 @@ static irqreturn_t ci_irq(int irq, void
return ret;
}
+static void ci_irq(struct ci_hdrc *ci)
+{
+ unsigned long flags;
+
+ local_irq_save(flags);
+ ci_irq_handler(ci->irq, ci);
+ local_irq_restore(flags);
+}
+
static int ci_cable_notifier(struct notifier_block *nb, unsigned long event,
void *ptr)
{
@@ -576,7 +585,7 @@ static int ci_cable_notifier(struct noti
cbl->connected = event;
cbl->changed = true;
- ci_irq(ci->irq, ci);
+ ci_irq(ci);
return NOTIFY_DONE;
}
@@ -617,7 +626,7 @@ static int ci_usb_role_switch_set(struct
if (cable) {
cable->changed = true;
cable->connected = false;
- ci_irq(ci->irq, ci);
+ ci_irq(ci);
spin_unlock_irqrestore(&ci->lock, flags);
if (ci->wq && role != USB_ROLE_NONE)
flush_workqueue(ci->wq);
@@ -635,7 +644,7 @@ static int ci_usb_role_switch_set(struct
if (cable) {
cable->changed = true;
cable->connected = true;
- ci_irq(ci->irq, ci);
+ ci_irq(ci);
}
spin_unlock_irqrestore(&ci->lock, flags);
pm_runtime_put_sync(ci->dev);
@@ -1174,7 +1183,7 @@ static int ci_hdrc_probe(struct platform
}
}
- ret = devm_request_irq(dev, ci->irq, ci_irq, IRQF_SHARED,
+ ret = devm_request_irq(dev, ci->irq, ci_irq_handler, IRQF_SHARED,
ci->platdata->name, ci);
if (ret)
goto stop;
@@ -1295,11 +1304,11 @@ static void ci_extcon_wakeup_int(struct
if (!IS_ERR(cable_id->edev) && ci->is_otg &&
(otgsc & OTGSC_IDIE) && (otgsc & OTGSC_IDIS))
- ci_irq(ci->irq, ci);
+ ci_irq(ci);
if (!IS_ERR(cable_vbus->edev) && ci->is_otg &&
(otgsc & OTGSC_BSVIE) && (otgsc & OTGSC_BSVIS))
- ci_irq(ci->irq, ci);
+ ci_irq(ci);
}
static int ci_controller_resume(struct device *dev)
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 180/917] power: supply: max17042_battery: Clear status bits in interrupt handler
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 179/917] USB: chipidea: fix interrupt deadlock Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 181/917] component: do not leave master devres group open after bind Greg Kroah-Hartman
` (739 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sebastian Krzyszkowiak,
Krzysztof Kozlowski, Sebastian Reichel
From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
commit 0cf48167b87e388fa1268c9fe6d2443ae7f43d8a upstream.
The gauge requires us to clear the status bits manually for some alerts
to be properly dismissed. Previously the IRQ was configured to react only
on falling edge, which wasn't technically correct (the ALRT line is active
low), but it had a happy side-effect of preventing interrupt storms
on uncleared alerts from happening.
Fixes: 7fbf6b731bca ("power: supply: max17042: Do not enforce (incorrect) interrupt trigger type")
Cc: <stable@vger.kernel.org>
Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/power/supply/max17042_battery.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/power/supply/max17042_battery.c
+++ b/drivers/power/supply/max17042_battery.c
@@ -880,6 +880,10 @@ static irqreturn_t max17042_thread_handl
max17042_set_soc_threshold(chip, 1);
}
+ /* we implicitly handle all alerts via power_supply_changed */
+ regmap_clear_bits(chip->regmap, MAX17042_STATUS,
+ 0xFFFF & ~(STATUS_POR_BIT | STATUS_BST_BIT));
+
power_supply_changed(chip->battery);
return IRQ_HANDLED;
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 181/917] component: do not leave master devres group open after bind
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 180/917] power: supply: max17042_battery: Clear status bits in interrupt handler Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 182/917] dma-buf: WARN on dmabuf release with pending attachments Greg Kroah-Hartman
` (738 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Imre Deak, Russell King (Oracle),
Kai Vehmanen
From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
commit c87761db2100677a69be551365105125d872af5b upstream.
In current code, the devres group for aggregate master is left open
after call to component_master_add_*(). This leads to problems when the
master does further managed allocations on its own. When any
participating driver calls component_del(), this leads to immediate
release of resources.
This came up when investigating a page fault occurring with i915 DRM
driver unbind with 5.15-rc1 kernel. The following sequence occurs:
i915_pci_remove()
-> intel_display_driver_unregister()
-> i915_audio_component_cleanup()
-> component_del()
-> component.c:take_down_master()
-> hdac_component_master_unbind() [via master->ops->unbind()]
-> devres_release_group(master->parent, NULL)
With older kernels this has not caused issues, but with audio driver
moving to use managed interfaces for more of its allocations, this no
longer works. Devres log shows following to occur:
component_master_add_with_match()
[ 126.886032] snd_hda_intel 0000:00:1f.3: DEVRES ADD 00000000323ccdc5 devm_component_match_release (24 bytes)
[ 126.886045] snd_hda_intel 0000:00:1f.3: DEVRES ADD 00000000865cdb29 grp< (0 bytes)
[ 126.886049] snd_hda_intel 0000:00:1f.3: DEVRES ADD 000000001b480725 grp< (0 bytes)
audio driver completes its PCI probe()
[ 126.892238] snd_hda_intel 0000:00:1f.3: DEVRES ADD 000000001b480725 pcim_iomap_release (48 bytes)
component_del() called() at DRM/i915 unbind()
[ 137.579422] i915 0000:00:02.0: DEVRES REL 00000000ef44c293 grp< (0 bytes)
[ 137.579445] snd_hda_intel 0000:00:1f.3: DEVRES REL 00000000865cdb29 grp< (0 bytes)
[ 137.579458] snd_hda_intel 0000:00:1f.3: DEVRES REL 000000001b480725 pcim_iomap_release (48 bytes)
So the "devres_release_group(master->parent, NULL)" ends up freeing the
pcim_iomap allocation. Upon next runtime resume, the audio driver will
cause a page fault as the iomap alloc was released without the driver
knowing about it.
Fix this issue by using the "struct master" pointer as identifier for
the devres group, and by closing the devres group after
the master->ops->bind() call is done. This allows devres allocations
done by the driver acting as master to be isolated from the binding state
of the aggregate driver. This modifies the logic originally introduced in
commit 9e1ccb4a7700 ("drivers/base: fix devres handling for master device")
Fixes: 9e1ccb4a7700 ("drivers/base: fix devres handling for master device")
Cc: stable@vger.kernel.org
Acked-by: Imre Deak <imre.deak@intel.com>
Acked-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
BugLink: https://gitlab.freedesktop.org/drm/intel/-/issues/4136
Link: https://lore.kernel.org/r/20211013161345.3755341-1-kai.vehmanen@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/component.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/base/component.c
+++ b/drivers/base/component.c
@@ -246,7 +246,7 @@ static int try_to_bring_up_master(struct
return 0;
}
- if (!devres_open_group(master->parent, NULL, GFP_KERNEL))
+ if (!devres_open_group(master->parent, master, GFP_KERNEL))
return -ENOMEM;
/* Found all components */
@@ -258,6 +258,7 @@ static int try_to_bring_up_master(struct
return ret;
}
+ devres_close_group(master->parent, NULL);
master->bound = true;
return 1;
}
@@ -282,7 +283,7 @@ static void take_down_master(struct mast
{
if (master->bound) {
master->ops->unbind(master->parent);
- devres_release_group(master->parent, NULL);
+ devres_release_group(master->parent, master);
master->bound = false;
}
}
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 182/917] dma-buf: WARN on dmabuf release with pending attachments
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 181/917] component: do not leave master devres group open after bind Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 183/917] drm: panel-orientation-quirks: Update the Lenovo Ideapad D330 quirk (v2) Greg Kroah-Hartman
` (737 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Charan Teja Reddy,
Christian König, Sasha Levin
From: Charan Teja Reddy <charante@codeaurora.org>
[ Upstream commit f492283b157053e9555787262f058ae33096f568 ]
It is expected from the clients to follow the below steps on an imported
dmabuf fd:
a) dmabuf = dma_buf_get(fd) // Get the dmabuf from fd
b) dma_buf_attach(dmabuf); // Clients attach to the dmabuf
o Here the kernel does some slab allocations, say for
dma_buf_attachment and may be some other slab allocation in the
dmabuf->ops->attach().
c) Client may need to do dma_buf_map_attachment().
d) Accordingly dma_buf_unmap_attachment() should be called.
e) dma_buf_detach () // Clients detach to the dmabuf.
o Here the slab allocations made in b) are freed.
f) dma_buf_put(dmabuf) // Can free the dmabuf if it is the last
reference.
Now say an erroneous client failed at step c) above thus it directly
called dma_buf_put(), step f) above. Considering that it may be the last
reference to the dmabuf, buffer will be freed with pending attachments
left to the dmabuf which can show up as the 'memory leak'. This should
at least be reported as the WARN().
Signed-off-by: Charan Teja Reddy <charante@codeaurora.org>
Reviewed-by: Christian König <christian.koenig@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1627043468-16381-1-git-send-email-charante@codeaurora.org
Signed-off-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma-buf/dma-buf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index 9f68f76c985e3..61e20ae7b08b7 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -82,6 +82,7 @@ static void dma_buf_release(struct dentry *dentry)
if (dmabuf->resv == (struct dma_resv *)&dmabuf[1])
dma_resv_fini(dmabuf->resv);
+ WARN_ON(!list_empty(&dmabuf->attachments));
module_put(dmabuf->owner);
kfree(dmabuf->name);
kfree(dmabuf);
--
2.33.0
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 183/917] drm: panel-orientation-quirks: Update the Lenovo Ideapad D330 quirk (v2)
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 182/917] dma-buf: WARN on dmabuf release with pending attachments Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 184/917] drm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200 2-in-1 Greg Kroah-Hartman
` (736 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Simon Ser, Hans de Goede, Sasha Levin
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit 820a2ab23d5eab4ccfb82581eda8ad4acf18458f ]
2 improvements to the Lenovo Ideapad D330 panel-orientation quirks:
1. Some versions of the Lenovo Ideapad D330 have a DMI_PRODUCT_NAME of
"81H3" and others have "81MD". Testing has shown that the "81MD" also has
a 90 degree mounted panel. Drop the DMI_PRODUCT_NAME from the existing
quirk so that the existing quirk matches both variants.
2. Some of the Lenovo Ideapad D330 models have a HD (800x1280) screen
instead of a FHD (1200x1920) screen (both are mounted right-side-up) add
a second Lenovo Ideapad D330 quirk for the HD version.
Changes in v2:
- Add a new quirk for Lenovo Ideapad D330 models with a HD screen instead
of a FHD screen
Link: https://github.com/systemd/systemd/pull/18884
Acked-by: Simon Ser <contact@emersion.fr>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20210530110428.12994-2-hdegoede@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index e1b2ce4921ae7..5d0942e3985b2 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -223,10 +223,15 @@ static const struct dmi_system_id orientation_data[] = {
DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo MIIX 320-10ICR"),
},
.driver_data = (void *)&lcd800x1280_rightside_up,
- }, { /* Lenovo Ideapad D330 */
+ }, { /* Lenovo Ideapad D330-10IGM (HD) */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad D330-10IGM"),
+ },
+ .driver_data = (void *)&lcd800x1280_rightside_up,
+ }, { /* Lenovo Ideapad D330-10IGM (FHD) */
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "81H3"),
DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad D330-10IGM"),
},
.driver_data = (void *)&lcd1200x1920_rightside_up,
--
2.33.0
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 184/917] drm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200 2-in-1
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 183/917] drm: panel-orientation-quirks: Update the Lenovo Ideapad D330 quirk (v2) Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 185/917] drm: panel-orientation-quirks: Add quirk for the Samsung Galaxy Book 10.6 Greg Kroah-Hartman
` (735 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hans de Goede, Simon Ser, Sasha Levin
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit a53f1dd3ab9fec715c6c2e8e01bf4d3c07eef8e5 ]
The KD Kurio Smart C15200 2-in-1 uses a panel which has been mounted 90
degrees rotated. Add a quirk for this.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Simon Ser <contact@emersion.fr>
Link: https://patchwork.freedesktop.org/patch/msgid/20210530110428.12994-3-hdegoede@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index 5d0942e3985b2..cf4db2cdebbbd 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -205,6 +205,13 @@ static const struct dmi_system_id orientation_data[] = {
DMI_EXACT_MATCH(DMI_BOARD_NAME, "TW891"),
},
.driver_data = (void *)&itworks_tw891,
+ }, { /* KD Kurio Smart C15200 2-in-1 */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "KD Interactive"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Kurio Smart"),
+ DMI_EXACT_MATCH(DMI_BOARD_NAME, "KDM960BCP"),
+ },
+ .driver_data = (void *)&lcd800x1280_rightside_up,
}, { /*
* Lenovo Ideapad Miix 310 laptop, only some production batches
* have a portrait screen, the resolution checks makes the quirk
--
2.33.0
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 185/917] drm: panel-orientation-quirks: Add quirk for the Samsung Galaxy Book 10.6
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 184/917] drm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200 2-in-1 Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 186/917] Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() Greg Kroah-Hartman
` (734 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hans de Goede, Simon Ser, Sasha Levin
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit 88fa1fde918951c175ae5ea0f31efc4bb1736ab9 ]
The Samsung Galaxy Book 10.6 uses a panel which has been mounted
90 degrees rotated. Add a quirk for this.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Simon Ser <contact@emersion.fr>
Link: https://patchwork.freedesktop.org/patch/msgid/20210530110428.12994-4-hdegoede@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index cf4db2cdebbbd..926094b83e2f4 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -109,6 +109,12 @@ static const struct drm_dmi_panel_orientation_data lcd1200x1920_rightside_up = {
.orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
};
+static const struct drm_dmi_panel_orientation_data lcd1280x1920_rightside_up = {
+ .width = 1280,
+ .height = 1920,
+ .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
+};
+
static const struct dmi_system_id orientation_data[] = {
{ /* Acer One 10 (S1003) */
.matches = {
@@ -249,6 +255,12 @@ static const struct dmi_system_id orientation_data[] = {
DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Default string"),
},
.driver_data = (void *)&onegx1_pro,
+ }, { /* Samsung GalaxyBook 10.6 */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD."),
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Galaxy Book 10.6"),
+ },
+ .driver_data = (void *)&lcd1280x1920_rightside_up,
}, { /* VIOS LTH17 */
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "VIOS"),
--
2.33.0
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 186/917] Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 185/917] drm: panel-orientation-quirks: Add quirk for the Samsung Galaxy Book 10.6 Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 187/917] Bluetooth: fix use-after-free error in lock_sock_nested() Greg Kroah-Hartman
` (733 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Marcel Holtmann, Sasha Levin
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ]
The sco_send_frame() also takes lock_sock() during memcpy_from_msg()
call that may be endlessly blocked by a task with userfaultd
technique, and this will result in a hung task watchdog trigger.
Just like the similar fix for hci_sock_sendmsg() in commit
92c685dc5de0 ("Bluetooth: reorganize functions..."), this patch moves
the memcpy_from_msg() out of lock_sock() for addressing the hang.
This should be the last piece for fixing CVE-2021-3640 after a few
already queued fixes.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/sco.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 98a8815865128..b62c91c627e2c 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -280,7 +280,8 @@ static int sco_connect(struct hci_dev *hdev, struct sock *sk)
return err;
}
-static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
+static int sco_send_frame(struct sock *sk, void *buf, int len,
+ unsigned int msg_flags)
{
struct sco_conn *conn = sco_pi(sk)->conn;
struct sk_buff *skb;
@@ -292,15 +293,11 @@ static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
BT_DBG("sk %p len %d", sk, len);
- skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
+ skb = bt_skb_send_alloc(sk, len, msg_flags & MSG_DONTWAIT, &err);
if (!skb)
return err;
- if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
- kfree_skb(skb);
- return -EFAULT;
- }
-
+ memcpy(skb_put(skb, len), buf, len);
hci_send_sco(conn->hcon, skb);
return len;
@@ -725,6 +722,7 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
size_t len)
{
struct sock *sk = sock->sk;
+ void *buf;
int err;
BT_DBG("sock %p, sk %p", sock, sk);
@@ -736,14 +734,24 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
if (msg->msg_flags & MSG_OOB)
return -EOPNOTSUPP;
+ buf = kmalloc(len, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ if (memcpy_from_msg(buf, msg, len)) {
+ kfree(buf);
+ return -EFAULT;
+ }
+
lock_sock(sk);
if (sk->sk_state == BT_CONNECTED)
- err = sco_send_frame(sk, msg, len);
+ err = sco_send_frame(sk, buf, len, msg->msg_flags);
else
err = -ENOTCONN;
release_sock(sk);
+ kfree(buf);
return err;
}
--
2.33.0
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 187/917] Bluetooth: fix use-after-free error in lock_sock_nested()
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 186/917] Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 188/917] Bluetooth: call sock_hold earlier in sco_conn_del Greg Kroah-Hartman
` (732 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Wang ShaoBo, Luiz Augusto von Dentz,
Marcel Holtmann, Sasha Levin
From: Wang ShaoBo <bobo.shaobowang@huawei.com>
[ Upstream commit 1bff51ea59a9afb67d2dd78518ab0582a54a472c ]
use-after-free error in lock_sock_nested is reported:
[ 179.140137][ T3731] =====================================================
[ 179.142675][ T3731] BUG: KMSAN: use-after-free in lock_sock_nested+0x280/0x2c0
[ 179.145494][ T3731] CPU: 4 PID: 3731 Comm: kworker/4:2 Not tainted 5.12.0-rc6+ #54
[ 179.148432][ T3731] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 179.151806][ T3731] Workqueue: events l2cap_chan_timeout
[ 179.152730][ T3731] Call Trace:
[ 179.153301][ T3731] dump_stack+0x24c/0x2e0
[ 179.154063][ T3731] kmsan_report+0xfb/0x1e0
[ 179.154855][ T3731] __msan_warning+0x5c/0xa0
[ 179.155579][ T3731] lock_sock_nested+0x280/0x2c0
[ 179.156436][ T3731] ? kmsan_get_metadata+0x116/0x180
[ 179.157257][ T3731] l2cap_sock_teardown_cb+0xb8/0x890
[ 179.158154][ T3731] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 179.159141][ T3731] ? kmsan_get_metadata+0x116/0x180
[ 179.159994][ T3731] ? kmsan_get_shadow_origin_ptr+0x84/0xb0
[ 179.160959][ T3731] ? l2cap_sock_recv_cb+0x420/0x420
[ 179.161834][ T3731] l2cap_chan_del+0x3e1/0x1d50
[ 179.162608][ T3731] ? kmsan_get_metadata+0x116/0x180
[ 179.163435][ T3731] ? kmsan_get_shadow_origin_ptr+0x84/0xb0
[ 179.164406][ T3731] l2cap_chan_close+0xeea/0x1050
[ 179.165189][ T3731] ? kmsan_internal_unpoison_shadow+0x42/0x70
[ 179.166180][ T3731] l2cap_chan_timeout+0x1da/0x590
[ 179.167066][ T3731] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 179.168023][ T3731] ? l2cap_chan_create+0x560/0x560
[ 179.168818][ T3731] process_one_work+0x121d/0x1ff0
[ 179.169598][ T3731] worker_thread+0x121b/0x2370
[ 179.170346][ T3731] kthread+0x4ef/0x610
[ 179.171010][ T3731] ? process_one_work+0x1ff0/0x1ff0
[ 179.171828][ T3731] ? kthread_blkcg+0x110/0x110
[ 179.172587][ T3731] ret_from_fork+0x1f/0x30
[ 179.173348][ T3731]
[ 179.173752][ T3731] Uninit was created at:
[ 179.174409][ T3731] kmsan_internal_poison_shadow+0x5c/0xf0
[ 179.175373][ T3731] kmsan_slab_free+0x76/0xc0
[ 179.176060][ T3731] kfree+0x3a5/0x1180
[ 179.176664][ T3731] __sk_destruct+0x8af/0xb80
[ 179.177375][ T3731] __sk_free+0x812/0x8c0
[ 179.178032][ T3731] sk_free+0x97/0x130
[ 179.178686][ T3731] l2cap_sock_release+0x3d5/0x4d0
[ 179.179457][ T3731] sock_close+0x150/0x450
[ 179.180117][ T3731] __fput+0x6bd/0xf00
[ 179.180787][ T3731] ____fput+0x37/0x40
[ 179.181481][ T3731] task_work_run+0x140/0x280
[ 179.182219][ T3731] do_exit+0xe51/0x3e60
[ 179.182930][ T3731] do_group_exit+0x20e/0x450
[ 179.183656][ T3731] get_signal+0x2dfb/0x38f0
[ 179.184344][ T3731] arch_do_signal_or_restart+0xaa/0xe10
[ 179.185266][ T3731] exit_to_user_mode_prepare+0x2d2/0x560
[ 179.186136][ T3731] syscall_exit_to_user_mode+0x35/0x60
[ 179.186984][ T3731] do_syscall_64+0xc5/0x140
[ 179.187681][ T3731] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 179.188604][ T3731] =====================================================
In our case, there are two Thread A and B:
Context: Thread A: Context: Thread B:
l2cap_chan_timeout() __se_sys_shutdown()
l2cap_chan_close() l2cap_sock_shutdown()
l2cap_chan_del() l2cap_chan_close()
l2cap_sock_teardown_cb() l2cap_sock_teardown_cb()
Once l2cap_sock_teardown_cb() excuted, this sock will be marked as SOCK_ZAPPED,
and can be treated as killable in l2cap_sock_kill() if sock_orphan() has
excuted, at this time we close sock through sock_close() which end to call
l2cap_sock_kill() like Thread C:
Context: Thread C:
sock_close()
l2cap_sock_release()
sock_orphan()
l2cap_sock_kill() #free sock if refcnt is 1
If C completed, Once A or B reaches l2cap_sock_teardown_cb() again,
use-after-free happened.
We should set chan->data to NULL if sock is destructed, for telling teardown
operation is not allowed in l2cap_sock_teardown_cb(), and also we should
avoid killing an already killed socket in l2cap_sock_close_cb().
Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_sock.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index c99d65ef13b1e..160c016a5dfb9 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1508,6 +1508,9 @@ static void l2cap_sock_close_cb(struct l2cap_chan *chan)
{
struct sock *sk = chan->data;
+ if (!sk)
+ return;
+
l2cap_sock_kill(sk);
}
@@ -1516,6 +1519,9 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
struct sock *sk = chan->data;
struct sock *parent;
+ if (!sk)
+ return;
+
BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
/* This callback can be called both for server (BT_LISTEN)
@@ -1707,8 +1713,10 @@ static void l2cap_sock_destruct(struct sock *sk)
{
BT_DBG("sk %p", sk);
- if (l2cap_pi(sk)->chan)
+ if (l2cap_pi(sk)->chan) {
+ l2cap_pi(sk)->chan->data = NULL;
l2cap_chan_put(l2cap_pi(sk)->chan);
+ }
if (l2cap_pi(sk)->rx_busy_skb) {
kfree_skb(l2cap_pi(sk)->rx_busy_skb);
--
2.33.0
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 188/917] Bluetooth: call sock_hold earlier in sco_conn_del
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 187/917] Bluetooth: fix use-after-free error in lock_sock_nested() Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 189/917] drm/panel-orientation-quirks: add Valve Steam Deck Greg Kroah-Hartman
` (731 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Desmond Cheong Zhi Xi,
Luiz Augusto von Dentz, Sasha Levin
From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
[ Upstream commit f4712fa993f688d0a48e0c28728fcdeb88c1ea58 ]
In sco_conn_del, conn->sk is read while holding on to the
sco_conn.lock to avoid races with a socket that could be released
concurrently.
However, in between unlocking sco_conn.lock and calling sock_hold,
it's possible for the socket to be freed, which would cause a
use-after-free write when sock_hold is finally called.
To fix this, the reference count of the socket should be increased
while the sco_conn.lock is still held.
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/sco.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index b62c91c627e2c..4a057f99b60aa 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -187,10 +187,11 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
/* Kill socket */
sco_conn_lock(conn);
sk = conn->sk;
+ if (sk)
+ sock_hold(sk);
sco_conn_unlock(conn);
if (sk) {
- sock_hold(sk);
lock_sock(sk);
sco_sock_clear_timer(sk);
sco_chan_del(sk, err);
--
2.33.0
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 189/917] drm/panel-orientation-quirks: add Valve Steam Deck
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 188/917] Bluetooth: call sock_hold earlier in sco_conn_del Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 190/917] rcutorture: Avoid problematic critical section nesting on PREEMPT_RT Greg Kroah-Hartman
` (730 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Simon Ser, Jared Baldridge,
Emil Velikov, Daniel Vetter, Hans de Goede, Sam Ravnborg,
Sasha Levin
From: Simon Ser <contact@emersion.fr>
[ Upstream commit 9eeb7b4e40bfd69d8aaa920c7e9df751c9e11dce ]
Valve's Steam Deck has a 800x1280 LCD screen.
Signed-off-by: Simon Ser <contact@emersion.fr>
Cc: Jared Baldridge <jrb@expunge.us>
Cc: Emil Velikov <emil.l.velikov@gmail.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Hans de Goede <hdegoede@redhat.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20210911102430.253986-1-contact@emersion.fr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index 926094b83e2f4..a950d5db211c5 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -261,6 +261,13 @@ static const struct dmi_system_id orientation_data[] = {
DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Galaxy Book 10.6"),
},
.driver_data = (void *)&lcd1280x1920_rightside_up,
+ }, { /* Valve Steam Deck */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Valve"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Jupiter"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "1"),
+ },
+ .driver_data = (void *)&lcd800x1280_rightside_up,
}, { /* VIOS LTH17 */
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "VIOS"),
--
2.33.0
^ permalink raw reply [flat|nested] 945+ messages in thread
* [PATCH 5.15 190/917] rcutorture: Avoid problematic critical section nesting on PREEMPT_RT
2021-11-15 16:51 [PATCH 5.15 000/917] 5.15.3-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2021-11-15 16:54 ` [PATCH 5.15 189/917] drm/panel-orientation-quirks: add Valve Steam Deck Greg Kroah-Hartman
@ 2021-11-15 16:54 ` Greg Kroah-Hartman
2021-11-15 16:54 ` [PATCH 5.15 191/917] platform/x86: wmi: do not fail if disabling fails Greg Kroah-Hartman
` (729 subsequent siblings)
919 siblings, 0 replies; 945+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:54 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Scott Wood,
Sebastian Andrzej Siewior, Paul E. McKenney, Sasha Levin
From: Scott Wood <swood@redhat.com>
[ Upstream commit 71921a9606ddbcc1d98c00eca7ae82c373d1fecd ]
rcutorture is generating some nesting scenarios that are not compatible on PREEMPT_RT.
For example:
preempt_disable();
rcu_read_lock_bh();
preempt_enable();
rcu_read_unlock_bh();
The problem here is that on PREEMPT_RT the bottom halves have to be
disabled and enabled in preemptible context.
Reorder locking: start with BH locking and continue with then with
disabling preemption or interrupts. In the unlocking do it reverse by
first enabling interrupts and preemption and BH at the very end.
Ensure that on PREEMPT_RT BH locking remains unchanged if in
non-preemptible context.
Link: https://lkml.kernel.org/r/20190911165729.11178-6-swood@redhat.com
Link: https://lkml.kernel.org/r/20210819182035.GF4126399@paulmck-ThinkPad-P17-Gen-1
Signed-off-by: Scott Wood <swood@redhat.com>
[bigeasy: Drop ATOM_BH, make it only about changing BH in atomic
context. Allow enabling RCU in IRQ-off section. Reword commit message.]
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rcu/rcutorture.c | 48 ++++++++++++++++++++++++++++++-----------
1 file changed, 36 insertions(+), 12 deletions(-)
diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
index ab4215266ebee..968696ace8f3f 100644
--- a/kernel/rcu/rcutorture.c
+++ b/kernel/rcu/rcutorture.c
@@ -1432,28 +1432,34 @@ static void rcutorture_one_extend(int *readstate, int newstate,
/* First, put new protection in place to avoid critical-section gap. */
if (statesnew & RCUTORTURE_RDR_BH)
local_bh_disable();
+ if (statesnew & RCUTORTURE_RDR_RBH)
+ rcu_read_lock_bh();
if (statesnew & RCUTORTURE_RDR_IRQ)
local_irq_disable();
if (statesnew & RCUTORTURE_RDR_PREEMPT)
preempt_disable();
- if (statesnew & RCUTORTURE_RDR_RBH)
- rcu_read_lock_bh();
if (statesnew & RCUTORTURE_RDR_SCHED)
rcu_read_lock_sched();
if (statesnew & RCUTORTURE_RDR_RCU)
idxnew = cur_ops->readlock() << RCUTORTURE_RDR_SHIFT;
- /* Next, remove old protection, irq first due to bh conflict. */
+ /*
+ * Next, remove old protection, in decreasing order of strength
+ * to avoid unlock paths that aren't safe in the stronger
+ * context. Namely: BH can not be enabled with disabled interrupts.
+ * Additionally PREEMPT_RT requires that BH is enabled in preemptible
+ * context.
+ */
if (statesold & RCUTORTURE_RDR_IRQ)
local_irq_enable();
- if (statesold & RCUTORTURE_RDR_BH)
- local_bh_enable();
if (statesold & RCUTORTURE_RDR_PREEMPT)
preempt_enable();
- if (statesold & RCUTORTURE_RDR_RBH)
- rcu_read_unlock_bh();
if (statesold & RCUTORTURE_RDR_SCHED)
rcu_read_unlock_sched();
+ if (statesold & RCUTORTURE_RDR_BH)
+ local_bh_enable();
+ if (statesold & RCUTORTURE_RDR_RBH)
+ rcu_read_unlock_bh();
if (statesold & RCUTORTURE_RDR_RCU) {
bool lockit = !statesnew && !(torture_random(trsp) & 0xffff);
@@ -1496,6 +1502,9 @@ rcutorture_extend_mask(int oldmask, struct torture_random_state *trsp)
int mask = rcutorture_extend_mask_max();
unsigned long randmask1 = torture_random(trsp) >> 8;
unsigned long randmask2 = randmask1 >> 3;
+ unsigned long preempts = RCUTORTURE_RDR_PREEMPT | RCUTORTURE_RDR_SCHED;
+ unsigned long preempts_irq = preempts | RCUTORTURE_RDR_IRQ;
+ unsigned long bhs = RCUTORTURE_RDR_BH | RCUTORTURE_RDR_RBH;
WARN_ON_ONCE(mask >> RCUTORTURE_RDR_SHIFT);
/* Mostly only one bit (need preemption!), sometimes lots of bits. */
@@ -1503,11 +1512,26 @@ rcutorture_extend_mask(int oldmask, struct torture_random_state *trsp)
mask = mask & randmask2;
else
mask = mask & (1 << (randmask2 % RCUTORTURE_RDR_NBITS));
- /* Can't enable bh w/irq disabled. */
- if ((mask & RCUTORTURE_RDR_IRQ) &&
- ((!(mask & RCUTORTURE_RDR_BH) && (oldmask & RCUTORTURE_RDR_BH)) ||
- (!(mask & RCUTORTURE_RDR_RBH) && (oldmask & RCUTORTURE_RDR_RBH))))
- mask |= RCUTORTURE_RDR_BH | RCUTORTURE_RDR_RBH;
+
+ /*
+ * Can't enable bh w/irq disabled.
+ */
+ if (mask & RCUTORTURE_RDR_IRQ)
+ mask |= oldmask & bhs;
+
+ /*
+ * Ideally these sequences would be detected in debug builds
+ * (regardless of RT), but until then don't stop testing
+ * them on non-RT.
+ */
+ if (IS_ENABLED(CONFIG_PREEMPT_