All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 5.12 000/173] 5.12.11-rc1 review
@ 2021-06-14 10:25 Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 001/173] proc: Track /proc/$pid/attr/ opener mm_struct Greg Kroah-Hartman
                   ` (179 more replies)
  0 siblings, 180 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 5.12.11 release.
There are 173 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 16 Jun 2021 10:26:30 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.12.11-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.12.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.12.11-rc1

Ming Lei <ming.lei@redhat.com>
    scsi: core: Only put parent device if host state differs from SHOST_CREATED

Ming Lei <ming.lei@redhat.com>
    scsi: core: Put .shost_dev in failure path if host state changes to RUNNING

Ming Lei <ming.lei@redhat.com>
    scsi: core: Fix failure handling of scsi_add_host_with_dma()

Ming Lei <ming.lei@redhat.com>
    scsi: core: Fix error handling of scsi_host_alloc()

Dai Ngo <dai.ngo@oracle.com>
    NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error.

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFSv4: Fix second deadlock in nfs4_evict_inode()

Anna Schumaker <Anna.Schumaker@Netapp.com>
    NFS: Fix use-after-free in nfs4_init_client()

Paolo Bonzini <pbonzini@redhat.com>
    kvm: fix previous commit for 32-bit builds

Leo Yan <leo.yan@linaro.org>
    perf session: Correct buffer copying when peeking events

Bjorn Andersson <bjorn.andersson@linaro.org>
    pinctrl: qcom: Make it possible to select SC8180x TLMM

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFSv4: Fix deadlock between nfs4_evict_inode() and nfs4_opendata_get_inode()

Dan Carpenter <dan.carpenter@oracle.com>
    NFS: Fix a potential NULL dereference in nfs_get_client()

Alaa Hleihel <alaa@nvidia.com>
    IB/mlx5: Fix initializing CQ fragments buffer

Sean Christopherson <seanjc@google.com>
    KVM: x86: Ensure liveliness of nested VM-Enter fail tracepoint message

CodyYao-oc <CodyYao-oc@zhaoxin.com>
    x86/nmi_watchdog: Fix old-style NMI watchdog regression on old Intel CPUs

Maximilian Luz <luzmaximilian@gmail.com>
    platform/surface: aggregator: Fix event disable function

Dietmar Eggemann <dietmar.eggemann@arm.com>
    sched/fair: Fix util_est UTIL_AVG_UNCHANGED handling

Kai Vehmanen <kai.vehmanen@linux.intel.com>
    ASoC: SOF: reset enabled_cores state at suspend

Vincent Guittot <vincent.guittot@linaro.org>
    sched/fair: Make sure to update tg contrib for blocked load

Vincent Guittot <vincent.guittot@linaro.org>
    sched/fair: Keep load_avg and load_sum synced

Kyle Tso <kyletso@google.com>
    dt-bindings: connector: Replace BIT macro with generic bit ops

Marco Elver <elver@google.com>
    perf: Fix data race between pin_count increment/decrement

Kan Liang <kan.liang@linux.intel.com>
    perf/x86/intel/uncore: Fix a kernel WARNING triggered by maxcpus=1

Manivannan Sadhasivam <mani@kernel.org>
    pinctrl: qcom: Fix duplication in gpio_groups

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    gpio: wcd934x: Fix shift-out-of-bounds error

Yang Li <yang.lee@linux.alibaba.com>
    phy: ti: Fix an error code in wiz_probe()

Jerome Brunet <jbrunet@baylibre.com>
    ASoC: meson: gx-card: fix sound-dai dt schema

Kefeng Wang <wangkefeng.wang@huawei.com>
    ASoC: core: Fix Null-point-dereference in fmt_single_name()

Wang Wensheng <wangwensheng4@huawei.com>
    phy: cadence: Sierra: Fix error return code in cdns_sierra_phy_probe()

Zhen Lei <thunder.leizhen@huawei.com>
    tools/bootconfig: Fix error return code in apply_xbc()

Nathan Chancellor <nathan@kernel.org>
    vmlinux.lds.h: Avoid orphan section with !SMP

Arnd Bergmann <arnd@arndb.de>
    ARM: cpuidle: Avoid orphan section warning

Maor Gottlieb <maorg@nvidia.com>
    RDMA: Verify port when creating flow rule

Mark Bloch <mbloch@nvidia.com>
    RDMA/mlx5: Block FDB rules when not in switchdev mode

Shay Drory <shayd@nvidia.com>
    RDMA/mlx4: Do not map the core_clock page to user space unless enabled

Mark Zhang <markzhang@nvidia.com>
    RDMA/mlx5: Use different doorbell memory for different processes

Kamal Heib <kamalheib1@gmail.com>
    RDMA/ipoib: Fix warning caused by destroying non-initial netns

Robert Marko <robert.marko@sartura.hr>
    hwmon: (tps23861) correct shunt LSB values

Robert Marko <robert.marko@sartura.hr>
    hwmon: (tps23861) set current shunt value

Robert Marko <robert.marko@sartura.hr>
    hwmon: (tps23861) define regmap max register

Wilken Gottwalt <wilken.gottwalt@posteo.net>
    hwmon: (corsair-psu) fix suspend behavior

Jonathan Marek <jonathan@marek.ca>
    drm/msm/a6xx: avoid shadow NULL reference in failure path

Jonathan Marek <jonathan@marek.ca>
    drm/msm/a6xx: update/fix CP_PROTECT initialization

Jonathan Marek <jonathan@marek.ca>
    drm/msm/a6xx: fix incorrectly set uavflagprd_inv field for A650

Linus Walleij <linus.walleij@linaro.org>
    drm/mcde: Fix off by 10^3 in calculation

Bjorn Andersson <bjorn.andersson@linaro.org>
    usb: typec: mux: Fix copy-paste mistake in typec_mux_match

Kyle Tso <kyletso@google.com>
    usb: typec: tcpm: Fix misuses of AMS invocation

Kyle Tso <kyletso@google.com>
    usb: typec: tcpm: Correct the responses in SVDM Version 2.0 DFP

Wesley Cheng <wcheng@codeaurora.org>
    usb: dwc3: gadget: Disable gadget IRQ during pullup disable

Sanket Parmar <sparmar@cadence.com>
    usb: cdns3: Enable TDL_CHK only for OUT ep

Chen Li <chenli@uniontech.com>
    phy: usb: Fix misuse of IS_ENABLED

Axel Lin <axel.lin@ingics.com>
    regulator: rtmv20: Fix .set_current_limit/.get_current_limit callbacks

Axel Lin <axel.lin@ingics.com>
    regulator: atc260x: Fix n_voltages and min_sel for pickable linear ranges

Axel Lin <axel.lin@ingics.com>
    regulator: bd71828: Fix .n_voltages settings

Axel Lin <axel.lin@ingics.com>
    regulator: scmi: Fix off-by-one for linear regulators .n_voltages setting

Axel Lin <axel.lin@ingics.com>
    regulator: fixed: Ensure enable_counter is correct if reg_domain_disable fails

Axel Lin <axel.lin@ingics.com>
    regulator: fan53880: Fix missing n_voltages setting

Axel Lin <axel.lin@ingics.com>
    regulator: da9121: Return REGULATOR_MODE_INVALID for invalid mode

Matti Vaittinen <matti.vaittinen@fi.rohmeurope.com>
    regulator: bd718x7: Fix the BUCK7 voltage setting on BD71837

Dmitry Osipenko <digetx@gmail.com>
    regulator: max77620: Use device_set_of_node_from_dev()

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    regulator: core: resolve supply for boot-on/always-on regulators

Kyle Tso <kyletso@google.com>
    usb: typec: tcpm: Do not finish VDM AMS for retrying Responses

Li Jun <jun.li@nxp.com>
    usb: typec: tcpm: cancel frs hrtimer when unregister tcpm port

Li Jun <jun.li@nxp.com>
    usb: typec: tcpm: cancel vdm and state machine hrtimer when unregister tcpm port

Kyle Tso <kyletso@google.com>
    usb: typec: tcpm: Properly handle Alert and Status Messages

Maciej Żenczykowski <maze@google.com>
    usb: fix various gadget panics on 10gbps cabling

Maciej Żenczykowski <maze@google.com>
    usb: fix various gadgets null ptr deref on 10gbps cabling.

Linyu Yuan <linyyuan@codeaurora.com>
    usb: gadget: eem: fix wrong eem header operation

Pawel Laszczak <pawell@cadence.com>
    usb: cdnsp: Fix deadlock issue in cdnsp_thread_irq_handler

Johan Hovold <johan@kernel.org>
    USB: serial: cp210x: fix CP2102N-A01 modem control

Stefan Agner <stefan@agner.ch>
    USB: serial: cp210x: fix alternate function for CP2102N QFN20

Johan Hovold <johan@kernel.org>
    USB: serial: quatech2: fix control-request directions

Alexandre GRIVEAUX <agriveaux@deutnet.info>
    USB: serial: omninet: add device id for Zyxel Omni 56K Plus

George McCollister <george.mccollister@gmail.com>
    USB: serial: ftdi_sio: add NovaTech OrionMX product ID

Wesley Cheng <wcheng@codeaurora.org>
    usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind

Andy Shevchenko <andy.shevchenko@gmail.com>
    usb: typec: intel_pmc_mux: Add missed error check for devm_ioremap_resource()

Andy Shevchenko <andy.shevchenko@gmail.com>
    usb: typec: intel_pmc_mux: Put fwnode in error case during ->probe()

Mayank Rana <mrana@codeaurora.org>
    usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    usb: typec: wcove: Use LE to CPU conversion when accessing msg->header

Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling

Mario Limonciello <mario.limonciello@amd.com>
    usb: pci-quirks: disable D3cold on xhci suspend for s2idle on AMD Renoir

Marian-Cristian Rotariu <marian.c.rotariu@gmail.com>
    usb: dwc3: ep0: fix NULL pointer exception

Jack Pham <jackp@codeaurora.org>
    usb: dwc3: debugfs: Add and remove endpoint dirs dynamically

Jack Pham <jackp@codeaurora.org>
    usb: dwc3: gadget: Bail from dwc3_gadget_exit() if dwc->gadget is NULL

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    usb: dwc3: meson-g12a: Disable the regulator in the error handling path of the probe

Neil Armstrong <narmstrong@baylibre.com>
    usb: dwc3-meson-g12a: fix usb2 PHY glue init when phy0 is disabled

Kyle Tso <kyletso@google.com>
    usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms

Maciej Żenczykowski <maze@google.com>
    usb: f_ncm: only first packet of aggregate needs to start timer

Maciej Żenczykowski <maze@google.com>
    USB: f_ncm: ncm_bitrate (speed) is unsigned

Geert Uytterhoeven <geert+renesas@glider.be>
    mmc: renesas_sdhi: Fix HS400 on R-Car M3-W+

Wolfram Sang <wsa+renesas@sang-engineering.com>
    mmc: renesas_sdhi: abort tuning when timeout detected

Masami Hiramatsu <mhiramat@kernel.org>
    tools/bootconfig: Fix a build error accroding to undefined fallthrough

Liangyan <liangyan.peng@linux.alibaba.com>
    tracing: Correct the length check which causes memory corruption

Steven Rostedt (VMware) <rostedt@goodmis.org>
    ftrace: Do not blindly read the ip address in ftrace_bug()

Alexander Kuznetsov <wwfq@yandex-team.ru>
    cgroup1: don't allow '\n' in renaming

Eric W. Biederman <ebiederm@xmission.com>
    coredump: Limit what can interrupt coredumps

Nikolay Borisov <nborisov@suse.com>
    btrfs: promote debugging asserts to full-fledged checks in validate_super

Ritesh Harjani <riteshh@linux.ibm.com>
    btrfs: return value from btrfs_mark_extent_written() in case of error

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: zoned: fix zone number to sector/physical calculation

Josef Bacik <josef@toxicpanda.com>
    btrfs: do not write supers if we have an fs error

Xiao Ni <xni@redhat.com>
    async_xor: check src_offs is not NULL before updating it

Coly Li <colyli@suse.de>
    bcache: avoid oversized read request in cache missing code path

Coly Li <colyli@suse.de>
    bcache: remove bcache device self-defined readahead

Frederic Weisbecker <frederic@kernel.org>
    tick/nohz: Only check for RCU deferred wakeup on user/guest entry when needed

Wei Yongjun <weiyongjun1@huawei.com>
    bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove()

Ricky Wu <ricky_wu@realtek.com>
    misc: rtsx: separate aspm mode into MODE_REG and MODE_CFG

Yang Yingliang <yangyingliang@huawei.com>
    usb: misc: brcmstb-usb-pinmap: check return value after calling platform_get_resource()

Wenli Looi <wlooi@ucalgary.ca>
    staging: rtl8723bs: Fix uninitialized variables

Paolo Bonzini <pbonzini@redhat.com>
    kvm: avoid speculation-based attacks from out-of-range memslot accesses

Lai Jiangshan <laijs@linux.alibaba.com>
    KVM: X86: MMU: Use the correct inherited permissions to get shadow page

Lai Jiangshan <laijs@linux.alibaba.com>
    KVM: x86: Unload MMU on guest TLB flush if TDP disabled to force MMU sync

Kan Liang <kan.liang@linux.intel.com>
    perf/x86/intel/uncore: Fix M2M event umask for Ice Lake server

Tor Vic <torvic9@mailbox.org>
    x86, lto: Pass -stack-alignment only on LLD < 13.0.0

Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
    drm: Lock pointer access in drm_master_release()

Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
    drm: Fix use-after-free read in drm_getunique()

Mika Westerberg <mika.westerberg@linux.intel.com>
    ACPI: Pass the same capabilities to the _OSC regardless of the query flag

Zhang Rui <rui.zhang@intel.com>
    Revert "ACPI: sleep: Put the FACS table after using it"

Lukas Wunner <lukas@wunner.de>
    spi: bcm2835: Fix out-of-bounds access with more than 4 slaves

Jeremy Szu <jeremy.szu@canonical.com>
    ALSA: hda/realtek: fix mute/micmute LEDs for HP ZBook Power G8

Jeremy Szu <jeremy.szu@canonical.com>
    ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 840 Aero G8

Jeremy Szu <jeremy.szu@canonical.com>
    ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP EliteBook x360 1040 G8

Jeremy Szu <jeremy.szu@canonical.com>
    ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Elite Dragonfly G2

Hui Wang <hui.wang@canonical.com>
    ALSA: hda/realtek: headphone and mic don't work on an Acer laptop

Takashi Sakamoto <o-takashi@sakamocchi.jp>
    ALSA: firewire-lib: fix the context to call snd_pcm_stop_xrun()

Takashi Iwai <tiwai@suse.de>
    ALSA: seq: Fix race of snd_seq_timer_open()

Chris Packham <chris.packham@alliedtelesis.co.nz>
    i2c: mpc: implement erratum A-004447 workaround

Chris Packham <chris.packham@alliedtelesis.co.nz>
    i2c: mpc: Make use of i2c_recover_bus()

Lukas Wunner <lukas@wunner.de>
    spi: Cleanup on failure of initial setup

Saravana Kannan <saravanak@google.com>
    spi: Don't have controller clean up spi device before driver unbind

Chris Packham <chris.packham@alliedtelesis.co.nz>
    powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 i2c controllers

Chris Packham <chris.packham@alliedtelesis.co.nz>
    powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers

Sagi Grimberg <sagi@grimberg.me>
    nvmet: fix false keep-alive timeout when a controller is torn down

Sagi Grimberg <sagi@grimberg.me>
    nvme-tcp: remove incorrect Kconfig dep in BLK_DEV_NVME

Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
    bnx2x: Fix missing error code in bnx2x_iov_init_one()

John Keeping <john@metanate.com>
    dm verity: fix require_signatures module_param permissions

Daniel Borkmann <daniel@iogearbox.net>
    bpf, selftests: Adjust few selftest result_unpriv outcomes

Tiezhu Yang <yangtiezhu@loongson.cn>
    MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER

Hannes Reinecke <hare@suse.de>
    nvme-fabrics: decode host pathing error for connect

Nick Desaulniers <ndesaulniers@google.com>
    Makefile: LTO: have linker check -Wframe-larger-than

George McCollister <george.mccollister@gmail.com>
    net: dsa: microchip: enable phy errata workaround on 9567

Saubhik Mukherjee <saubhik.mukherjee@gmail.com>
    net: appletalk: cops: Fix data race in cops_probe1

Zong Li <zong.li@sifive.com>
    net: macb: ensure the device is available before accessing GEMGXL control registers

Dmitry Bogdanov <d.bogdanov@yadro.com>
    scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal

Yang Yingliang <yangyingliang@huawei.com>
    scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated irq

Matt Wang <wwentao@vmware.com>
    scsi: vmw_pvscsi: Set correct residual data length

Javed Hasan <jhasan@marvell.com>
    scsi: bnx2fc: Return failure if io_req is already in ABTS processing

Íñigo Huguet <ihuguet@redhat.com>
    net:sfc: fix non-freed irq in legacy irq mode

Rao Shoaib <rao.shoaib@oracle.com>
    RDS tcp loopback connection can hang

Zheyu Ma <zheyuma97@gmail.com>
    net/qla3xxx: fix schedule while atomic in ql_sem_spinlock

Sergey Senozhatsky <senozhatsky@chromium.org>
    wq: handle VM suspension in stall detection

Shakeel Butt <shakeelb@google.com>
    cgroup: disable controllers at parse time

Dan Carpenter <dan.carpenter@oracle.com>
    net: mdiobus: get rid of a BUG_ON()

Johannes Berg <johannes.berg@intel.com>
    netlink: disable IRQs for netlink_lock_table()

Johannes Berg <johannes.berg@intel.com>
    bonding: init notify_work earlier to avoid uninitialized use

Zheyu Ma <zheyuma97@gmail.com>
    isdn: mISDN: netjet: Fix crash in nj_probe:

Li Jun <jun.li@nxp.com>
    usb: chipidea: udc: assign interrupt number to USB gadget structure

Chunyan Zhang <chunyan.zhang@unisoc.com>
    spi: sprd: Add missing MODULE_DEVICE_TABLE

Zou Wei <zou_wei@huawei.com>
    ASoC: sti-sas: add missing MODULE_DEVICE_TABLE

Eric Farman <farman@linux.ibm.com>
    vfio-ccw: Serialize FSM IDLE state with I/O completion

Eric Farman <farman@linux.ibm.com>
    vfio-ccw: Reset FSM state to IDLE inside FSM

Jiri Olsa <jolsa@kernel.org>
    bpf: Add deny list of btf ids check for tracing programs

Hans de Goede <hdegoede@redhat.com>
    ASoC: Intel: bytcr_rt5640: Add quirk for the Lenovo Miix 3-830 tablet

Hans de Goede <hdegoede@redhat.com>
    ASoC: Intel: bytcr_rt5640: Add quirk for the Glavey TM800A550L tablet

Dinghao Liu <dinghao.liu@zju.edu.cn>
    usb: cdns3: Fix runtime PM imbalance on error

Jeimon <jjjinmeng.zhou@gmail.com>
    net/nfc/rawsock.c: fix a permission check bug

Bixuan Cui <cuibixuan@huawei.com>
    ASoC: codecs: lpass-tx-macro: add missing MODULE_DEVICE_TABLE

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    ASoC: codecs: lpass-rx-macro: add missing MODULE_DEVICE_TABLE

Jiri Olsa <jolsa@kernel.org>
    bpf: Forbid trampoline attach for functions with variable arguments

Karen Dombroski <karen.dombroski@marsbioimaging.com>
    spi: spi-zynq-qspi: Fix stack violation bug

Saravana Kannan <saravanak@google.com>
    spi: Fix spi device unregister flow

Vijendar Mukunda <Vijendar.Mukunda@amd.com>
    ASoC: amd: fix for pcm_read() error

Marco Felsch <m.felsch@pengutronix.de>
    ASoC: max98088: fix ni clock divider calculation

Kees Cook <keescook@chromium.org>
    proc: Track /proc/$pid/attr/ opener mm_struct


-------------

Diffstat:

 .../bindings/sound/amlogic,gx-sound-card.yaml      |   4 +-
 Documentation/virt/kvm/mmu.rst                     |   4 +-
 Makefile                                           |   9 +-
 arch/arm/include/asm/cpuidle.h                     |   5 +-
 arch/mips/lib/mips-atomic.c                        |  12 +-
 arch/powerpc/boot/dts/fsl/p1010si-post.dtsi        |   8 ++
 arch/powerpc/boot/dts/fsl/p2041si-post.dtsi        |  16 +++
 arch/x86/Makefile                                  |   5 +-
 arch/x86/events/intel/uncore_snbep.c               |   9 +-
 arch/x86/kernel/cpu/perfctr-watchdog.c             |   4 +-
 arch/x86/kvm/mmu/paging_tmpl.h                     |  14 +-
 arch/x86/kvm/trace.h                               |   6 +-
 arch/x86/kvm/x86.c                                 |  13 ++
 crypto/async_tx/async_xor.c                        |   3 +-
 drivers/acpi/bus.c                                 |  27 ++--
 drivers/acpi/sleep.c                               |   4 +-
 drivers/bus/mhi/pci_generic.c                      |   2 +-
 drivers/gpio/gpio-wcd934x.c                        |   2 +-
 drivers/gpu/drm/drm_auth.c                         |   3 +-
 drivers/gpu/drm/drm_ioctl.c                        |   9 +-
 drivers/gpu/drm/mcde/mcde_dsi.c                    |   2 +-
 drivers/gpu/drm/msm/adreno/a6xx_gpu.c              | 155 +++++++++++++++------
 drivers/gpu/drm/msm/adreno/a6xx_gpu.h              |   2 +-
 drivers/hwmon/corsair-psu.c                        |  14 ++
 drivers/hwmon/tps23861.c                           |  17 ++-
 drivers/i2c/busses/i2c-mpc.c                       |  95 ++++++++++++-
 drivers/infiniband/core/uverbs_cmd.c               |   5 +
 drivers/infiniband/hw/mlx4/main.c                  |   8 +-
 drivers/infiniband/hw/mlx5/cq.c                    |   9 +-
 drivers/infiniband/hw/mlx5/doorbell.c              |   7 +-
 drivers/infiniband/hw/mlx5/fs.c                    |  11 +-
 drivers/infiniband/ulp/ipoib/ipoib_netlink.c       |   1 +
 drivers/isdn/hardware/mISDN/netjet.c               |   1 -
 drivers/md/bcache/bcache.h                         |   1 -
 drivers/md/bcache/request.c                        |  20 +--
 drivers/md/bcache/stats.c                          |  14 --
 drivers/md/bcache/stats.h                          |   1 -
 drivers/md/bcache/sysfs.c                          |   4 -
 drivers/md/dm-verity-verify-sig.c                  |   2 +-
 drivers/misc/cardreader/rtl8411.c                  |   1 +
 drivers/misc/cardreader/rts5209.c                  |   1 +
 drivers/misc/cardreader/rts5227.c                  |   2 +
 drivers/misc/cardreader/rts5228.c                  |   1 +
 drivers/misc/cardreader/rts5229.c                  |   1 +
 drivers/misc/cardreader/rts5249.c                  |   3 +
 drivers/misc/cardreader/rts5260.c                  |   1 +
 drivers/misc/cardreader/rts5261.c                  |   1 +
 drivers/misc/cardreader/rtsx_pcr.c                 |  44 ++++--
 drivers/mmc/host/renesas_sdhi_core.c               |   9 +-
 drivers/net/appletalk/cops.c                       |   4 +-
 drivers/net/bonding/bond_main.c                    |   2 +-
 drivers/net/dsa/microchip/ksz9477.c                |   1 +
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c  |   4 +-
 drivers/net/ethernet/cadence/macb_main.c           |   3 +
 drivers/net/ethernet/mellanox/mlx4/fw.c            |   3 +
 drivers/net/ethernet/mellanox/mlx4/fw.h            |   1 +
 drivers/net/ethernet/mellanox/mlx4/main.c          |   6 +
 drivers/net/ethernet/qlogic/qla3xxx.c              |   2 +-
 drivers/net/ethernet/sfc/nic.c                     |   1 +
 drivers/net/phy/mdio_bus.c                         |   3 +-
 drivers/nvme/host/Kconfig                          |   3 +-
 drivers/nvme/host/fabrics.c                        |   5 +
 drivers/nvme/target/core.c                         |  15 +-
 drivers/nvme/target/nvmet.h                        |   2 +-
 drivers/phy/broadcom/phy-brcm-usb-init.h           |   4 +-
 drivers/phy/cadence/phy-cadence-sierra.c           |   1 +
 drivers/phy/ti/phy-j721e-wiz.c                     |   1 +
 drivers/pinctrl/qcom/Kconfig                       |   2 +-
 drivers/pinctrl/qcom/pinctrl-sdx55.c               |  18 +--
 drivers/platform/surface/aggregator/controller.c   |   2 +-
 drivers/regulator/atc260x-regulator.c              |  19 +--
 drivers/regulator/bd718x7-regulator.c              |   2 +-
 drivers/regulator/core.c                           |   6 +
 drivers/regulator/da9121-regulator.c               |  10 +-
 drivers/regulator/fan53880.c                       |   3 +
 drivers/regulator/fixed.c                          |   7 +-
 drivers/regulator/max77620-regulator.c             |   7 +
 drivers/regulator/rtmv20-regulator.c               |  42 +++++-
 drivers/regulator/scmi-regulator.c                 |   2 +-
 drivers/s390/cio/vfio_ccw_drv.c                    |  12 +-
 drivers/s390/cio/vfio_ccw_fsm.c                    |   1 +
 drivers/s390/cio/vfio_ccw_ops.c                    |   2 -
 drivers/scsi/bnx2fc/bnx2fc_io.c                    |   1 +
 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c             |   8 +-
 drivers/scsi/hosts.c                               |  47 ++++---
 drivers/scsi/qla2xxx/qla_target.c                  |   2 +
 drivers/scsi/vmw_pvscsi.c                          |   8 +-
 drivers/spi/spi-bcm2835.c                          |  10 +-
 drivers/spi/spi-bitbang.c                          |  18 ++-
 drivers/spi/spi-fsl-spi.c                          |   4 +
 drivers/spi/spi-omap-uwire.c                       |   9 +-
 drivers/spi/spi-omap2-mcspi.c                      |  33 +++--
 drivers/spi/spi-pxa2xx.c                           |   9 +-
 drivers/spi/spi-sprd.c                             |   1 +
 drivers/spi/spi-zynq-qspi.c                        |   7 +-
 drivers/spi/spi.c                                  |  20 ++-
 drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c  |   2 +-
 drivers/usb/cdns3/cdns3-gadget.c                   |  12 +-
 drivers/usb/cdns3/cdnsp-ring.c                     |   7 +-
 drivers/usb/chipidea/udc.c                         |   1 +
 drivers/usb/dwc3/debug.h                           |   3 +
 drivers/usb/dwc3/debugfs.c                         |  21 +--
 drivers/usb/dwc3/dwc3-meson-g12a.c                 |  13 +-
 drivers/usb/dwc3/ep0.c                             |   3 +
 drivers/usb/dwc3/gadget.c                          |  18 ++-
 drivers/usb/gadget/config.c                        |   8 ++
 drivers/usb/gadget/function/f_ecm.c                |   2 +-
 drivers/usb/gadget/function/f_eem.c                |   6 +-
 drivers/usb/gadget/function/f_fs.c                 |   3 +
 drivers/usb/gadget/function/f_hid.c                |   3 +-
 drivers/usb/gadget/function/f_loopback.c           |   2 +-
 drivers/usb/gadget/function/f_ncm.c                |  10 +-
 drivers/usb/gadget/function/f_printer.c            |   3 +-
 drivers/usb/gadget/function/f_rndis.c              |   2 +-
 drivers/usb/gadget/function/f_serial.c             |   2 +-
 drivers/usb/gadget/function/f_sourcesink.c         |   3 +-
 drivers/usb/gadget/function/f_subset.c             |   2 +-
 drivers/usb/gadget/function/f_tcm.c                |   3 +-
 drivers/usb/host/xhci-pci.c                        |   7 +-
 drivers/usb/host/xhci.h                            |   1 +
 drivers/usb/misc/brcmstb-usb-pinmap.c              |   2 +
 drivers/usb/musb/musb_core.c                       |   3 +-
 drivers/usb/serial/cp210x.c                        |  84 ++++++++++-
 drivers/usb/serial/ftdi_sio.c                      |   1 +
 drivers/usb/serial/ftdi_sio_ids.h                  |   1 +
 drivers/usb/serial/omninet.c                       |   2 +
 drivers/usb/serial/quatech2.c                      |   6 +-
 drivers/usb/typec/mux.c                            |   2 +-
 drivers/usb/typec/mux/intel_pmc_mux.c              |   9 +-
 drivers/usb/typec/tcpm/tcpm.c                      |  84 ++++++-----
 drivers/usb/typec/tcpm/wcove.c                     |   2 +-
 drivers/usb/typec/ucsi/ucsi.c                      |   1 +
 fs/btrfs/disk-io.c                                 |  26 ++--
 fs/btrfs/file.c                                    |   4 +-
 fs/btrfs/tree-log.c                                |  16 +++
 fs/btrfs/zoned.c                                   |  23 ++-
 fs/coredump.c                                      |   2 +-
 fs/nfs/client.c                                    |   2 +-
 fs/nfs/nfs4_fs.h                                   |   1 +
 fs/nfs/nfs4client.c                                |   2 +-
 fs/nfs/nfs4proc.c                                  |  29 +++-
 fs/proc/base.c                                     |   9 +-
 include/asm-generic/vmlinux.lds.h                  |   1 +
 include/dt-bindings/usb/pd.h                       |  20 +--
 include/linux/entry-kvm.h                          |   3 +-
 include/linux/kvm_host.h                           |  10 +-
 include/linux/mfd/rohm-bd71828.h                   |  10 +-
 include/linux/mlx4/device.h                        |   1 +
 include/linux/rtsx_pci.h                           |   2 +
 include/linux/sched.h                              |   8 ++
 include/linux/tick.h                               |   7 +
 include/linux/usb/pd.h                             |   2 +-
 include/linux/usb/pd_ext_sdb.h                     |   4 -
 kernel/bpf/btf.c                                   |  12 ++
 kernel/bpf/verifier.c                              |  14 ++
 kernel/cgroup/cgroup-v1.c                          |   4 +
 kernel/cgroup/cgroup.c                             |  13 +-
 kernel/entry/common.c                              |   5 +-
 kernel/events/core.c                               |   2 +
 kernel/sched/debug.c                               |   3 +-
 kernel/sched/fair.c                                |  18 +--
 kernel/sched/pelt.h                                |  11 +-
 kernel/time/tick-sched.c                           |   1 +
 kernel/trace/ftrace.c                              |   8 +-
 kernel/trace/trace.c                               |   2 +-
 kernel/workqueue.c                                 |  12 +-
 net/netlink/af_netlink.c                           |   6 +-
 net/nfc/rawsock.c                                  |   2 +-
 net/rds/connection.c                               |  23 ++-
 net/rds/tcp.c                                      |   4 +-
 net/rds/tcp.h                                      |   3 +-
 net/rds/tcp_listen.c                               |   6 +
 sound/core/seq/seq_timer.c                         |  10 +-
 sound/firewire/amdtp-stream.c                      |   2 +-
 sound/pci/hda/patch_realtek.c                      |  16 +++
 sound/soc/amd/raven/acp3x-pcm-dma.c                |  10 --
 sound/soc/amd/raven/acp3x.h                        |   1 +
 sound/soc/amd/raven/pci-acp3x.c                    |  15 ++
 sound/soc/codecs/lpass-rx-macro.c                  |   1 +
 sound/soc/codecs/lpass-tx-macro.c                  |   1 +
 sound/soc/codecs/max98088.c                        |  13 +-
 sound/soc/codecs/sti-sas.c                         |   1 +
 sound/soc/intel/boards/bytcr_rt5640.c              |  25 ++++
 sound/soc/soc-core.c                               |   2 +
 sound/soc/sof/pm.c                                 |   1 +
 tools/bootconfig/include/linux/bootconfig.h        |   4 +
 tools/bootconfig/main.c                            |   1 +
 tools/perf/util/session.c                          |   1 +
 tools/testing/selftests/bpf/verifier/stack_ptr.c   |   2 -
 .../selftests/bpf/verifier/value_ptr_arith.c       |   8 --
 190 files changed, 1249 insertions(+), 495 deletions(-)



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 001/173] proc: Track /proc/$pid/attr/ opener mm_struct
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 002/173] ASoC: max98088: fix ni clock divider calculation Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian Brauner, Andrea Righi,
	Kees Cook, Linus Torvalds

From: Kees Cook <keescook@chromium.org>

commit 591a22c14d3f45cc38bd1931c593c221df2f1881 upstream.

Commit bfb819ea20ce ("proc: Check /proc/$pid/attr/ writes against file opener")
tried to make sure that there could not be a confusion between the opener of
a /proc/$pid/attr/ file and the writer. It used struct cred to make sure
the privileges didn't change. However, there were existing cases where a more
privileged thread was passing the opened fd to a differently privileged thread
(during container setup). Instead, use mm_struct to track whether the opener
and writer are still the same process. (This is what several other proc files
already do, though for different reasons.)

Reported-by: Christian Brauner <christian.brauner@ubuntu.com>
Reported-by: Andrea Righi <andrea.righi@canonical.com>
Tested-by: Andrea Righi <andrea.righi@canonical.com>
Fixes: bfb819ea20ce ("proc: Check /proc/$pid/attr/ writes against file opener")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/proc/base.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2674,6 +2674,11 @@ out:
 }
 
 #ifdef CONFIG_SECURITY
+static int proc_pid_attr_open(struct inode *inode, struct file *file)
+{
+	return __mem_open(inode, file, PTRACE_MODE_READ_FSCREDS);
+}
+
 static ssize_t proc_pid_attr_read(struct file * file, char __user * buf,
 				  size_t count, loff_t *ppos)
 {
@@ -2704,7 +2709,7 @@ static ssize_t proc_pid_attr_write(struc
 	int rv;
 
 	/* A task may only write when it was the opener. */
-	if (file->f_cred != current_real_cred())
+	if (file->private_data != current->mm)
 		return -EPERM;
 
 	rcu_read_lock();
@@ -2754,9 +2759,11 @@ out:
 }
 
 static const struct file_operations proc_pid_attr_operations = {
+	.open		= proc_pid_attr_open,
 	.read		= proc_pid_attr_read,
 	.write		= proc_pid_attr_write,
 	.llseek		= generic_file_llseek,
+	.release	= mem_release,
 };
 
 #define LSM_DIR_OPS(LSM) \



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 002/173] ASoC: max98088: fix ni clock divider calculation
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 001/173] proc: Track /proc/$pid/attr/ opener mm_struct Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 003/173] ASoC: amd: fix for pcm_read() error Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marco Felsch, Mark Brown, Sasha Levin

From: Marco Felsch <m.felsch@pengutronix.de>

[ Upstream commit 6c9762a78c325107dc37d20ee21002b841679209 ]

The ni1/ni2 ratio formula [1] uses the pclk which is the prescaled mclk.
The max98088 datasheet [2] has no such formula but table-12 equals so
we can assume that it is the same for both devices.

While on it make use of DIV_ROUND_CLOSEST_ULL().

[1] https://datasheets.maximintegrated.com/en/ds/MAX98089.pdf; page 86
[2] https://datasheets.maximintegrated.com/en/ds/MAX98088.pdf; page 82

Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Link: https://lore.kernel.org/r/20210423135402.32105-1-m.felsch@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/max98088.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/sound/soc/codecs/max98088.c b/sound/soc/codecs/max98088.c
index 4be24e7f51c8..f8e49e45ce33 100644
--- a/sound/soc/codecs/max98088.c
+++ b/sound/soc/codecs/max98088.c
@@ -41,6 +41,7 @@ struct max98088_priv {
 	enum max98088_type devtype;
 	struct max98088_pdata *pdata;
 	struct clk *mclk;
+	unsigned char mclk_prescaler;
 	unsigned int sysclk;
 	struct max98088_cdata dai[2];
 	int eq_textcnt;
@@ -998,13 +999,16 @@ static int max98088_dai1_hw_params(struct snd_pcm_substream *substream,
        /* Configure NI when operating as master */
        if (snd_soc_component_read(component, M98088_REG_14_DAI1_FORMAT)
                & M98088_DAI_MAS) {
+               unsigned long pclk;
+
                if (max98088->sysclk == 0) {
                        dev_err(component->dev, "Invalid system clock frequency\n");
                        return -EINVAL;
                }
                ni = 65536ULL * (rate < 50000 ? 96ULL : 48ULL)
                                * (unsigned long long int)rate;
-               do_div(ni, (unsigned long long int)max98088->sysclk);
+               pclk = DIV_ROUND_CLOSEST(max98088->sysclk, max98088->mclk_prescaler);
+               ni = DIV_ROUND_CLOSEST_ULL(ni, pclk);
                snd_soc_component_write(component, M98088_REG_12_DAI1_CLKCFG_HI,
                        (ni >> 8) & 0x7F);
                snd_soc_component_write(component, M98088_REG_13_DAI1_CLKCFG_LO,
@@ -1065,13 +1069,16 @@ static int max98088_dai2_hw_params(struct snd_pcm_substream *substream,
        /* Configure NI when operating as master */
        if (snd_soc_component_read(component, M98088_REG_1C_DAI2_FORMAT)
                & M98088_DAI_MAS) {
+               unsigned long pclk;
+
                if (max98088->sysclk == 0) {
                        dev_err(component->dev, "Invalid system clock frequency\n");
                        return -EINVAL;
                }
                ni = 65536ULL * (rate < 50000 ? 96ULL : 48ULL)
                                * (unsigned long long int)rate;
-               do_div(ni, (unsigned long long int)max98088->sysclk);
+               pclk = DIV_ROUND_CLOSEST(max98088->sysclk, max98088->mclk_prescaler);
+               ni = DIV_ROUND_CLOSEST_ULL(ni, pclk);
                snd_soc_component_write(component, M98088_REG_1A_DAI2_CLKCFG_HI,
                        (ni >> 8) & 0x7F);
                snd_soc_component_write(component, M98088_REG_1B_DAI2_CLKCFG_LO,
@@ -1113,8 +1120,10 @@ static int max98088_dai_set_sysclk(struct snd_soc_dai *dai,
         */
        if ((freq >= 10000000) && (freq < 20000000)) {
                snd_soc_component_write(component, M98088_REG_10_SYS_CLK, 0x10);
+               max98088->mclk_prescaler = 1;
        } else if ((freq >= 20000000) && (freq < 30000000)) {
                snd_soc_component_write(component, M98088_REG_10_SYS_CLK, 0x20);
+               max98088->mclk_prescaler = 2;
        } else {
                dev_err(component->dev, "Invalid master clock frequency\n");
                return -EINVAL;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 003/173] ASoC: amd: fix for pcm_read() error
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 001/173] proc: Track /proc/$pid/attr/ opener mm_struct Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 002/173] ASoC: max98088: fix ni clock divider calculation Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 004/173] spi: Fix spi device unregister flow Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vijendar Mukunda, Mark Brown, Sasha Levin

From: Vijendar Mukunda <Vijendar.Mukunda@amd.com>

[ Upstream commit 6879e8e759bf9e05eaee85e32ca1a936e6b46da1 ]

Below phython script throwing pcm_read() error.

import subprocess

p = subprocess.Popen(["aplay -t raw -D plughw:1,0 /dev/zero"], shell=True)
subprocess.call(["arecord -Dhw:1,0 --dump-hw-params"], shell=True)
subprocess.call(["arecord -Dhw:1,0 -fdat -d1 /dev/null"], shell=True)
p.kill()

Handling ACP global external interrupt enable register
causing this issue.
This register got updated wrongly when there is active
stream causing interrupts disabled for active stream.
Refactored code to handle enabling and disabling external interrupts.

Signed-off-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
Link: https://lore.kernel.org/r/1619555017-29858-1-git-send-email-Vijendar.Mukunda@amd.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/amd/raven/acp3x-pcm-dma.c | 10 ----------
 sound/soc/amd/raven/acp3x.h         |  1 +
 sound/soc/amd/raven/pci-acp3x.c     | 15 +++++++++++++++
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/sound/soc/amd/raven/acp3x-pcm-dma.c b/sound/soc/amd/raven/acp3x-pcm-dma.c
index 417cda24030c..2447a1e6e913 100644
--- a/sound/soc/amd/raven/acp3x-pcm-dma.c
+++ b/sound/soc/amd/raven/acp3x-pcm-dma.c
@@ -237,10 +237,6 @@ static int acp3x_dma_open(struct snd_soc_component *component,
 		return ret;
 	}
 
-	if (!adata->play_stream && !adata->capture_stream &&
-	    !adata->i2ssp_play_stream && !adata->i2ssp_capture_stream)
-		rv_writel(1, adata->acp3x_base + mmACP_EXTERNAL_INTR_ENB);
-
 	i2s_data->acp3x_base = adata->acp3x_base;
 	runtime->private_data = i2s_data;
 	return ret;
@@ -367,12 +363,6 @@ static int acp3x_dma_close(struct snd_soc_component *component,
 		}
 	}
 
-	/* Disable ACP irq, when the current stream is being closed and
-	 * another stream is also not active.
-	 */
-	if (!adata->play_stream && !adata->capture_stream &&
-		!adata->i2ssp_play_stream && !adata->i2ssp_capture_stream)
-		rv_writel(0, adata->acp3x_base + mmACP_EXTERNAL_INTR_ENB);
 	return 0;
 }
 
diff --git a/sound/soc/amd/raven/acp3x.h b/sound/soc/amd/raven/acp3x.h
index 03fe93913e12..c3f0c8b7545d 100644
--- a/sound/soc/amd/raven/acp3x.h
+++ b/sound/soc/amd/raven/acp3x.h
@@ -77,6 +77,7 @@
 #define ACP_POWER_OFF_IN_PROGRESS	0x03
 
 #define ACP3x_ITER_IRER_SAMP_LEN_MASK	0x38
+#define ACP_EXT_INTR_STAT_CLEAR_MASK 0xFFFFFFFF
 
 struct acp3x_platform_info {
 	u16 play_i2s_instance;
diff --git a/sound/soc/amd/raven/pci-acp3x.c b/sound/soc/amd/raven/pci-acp3x.c
index d3536fd6a124..a013a607b3d4 100644
--- a/sound/soc/amd/raven/pci-acp3x.c
+++ b/sound/soc/amd/raven/pci-acp3x.c
@@ -76,6 +76,19 @@ static int acp3x_reset(void __iomem *acp3x_base)
 	return -ETIMEDOUT;
 }
 
+static void acp3x_enable_interrupts(void __iomem *acp_base)
+{
+	rv_writel(0x01, acp_base + mmACP_EXTERNAL_INTR_ENB);
+}
+
+static void acp3x_disable_interrupts(void __iomem *acp_base)
+{
+	rv_writel(ACP_EXT_INTR_STAT_CLEAR_MASK, acp_base +
+		  mmACP_EXTERNAL_INTR_STAT);
+	rv_writel(0x00, acp_base + mmACP_EXTERNAL_INTR_CNTL);
+	rv_writel(0x00, acp_base + mmACP_EXTERNAL_INTR_ENB);
+}
+
 static int acp3x_init(struct acp3x_dev_data *adata)
 {
 	void __iomem *acp3x_base = adata->acp3x_base;
@@ -93,6 +106,7 @@ static int acp3x_init(struct acp3x_dev_data *adata)
 		pr_err("ACP3x reset failed\n");
 		return ret;
 	}
+	acp3x_enable_interrupts(acp3x_base);
 	return 0;
 }
 
@@ -100,6 +114,7 @@ static int acp3x_deinit(void __iomem *acp3x_base)
 {
 	int ret;
 
+	acp3x_disable_interrupts(acp3x_base);
 	/* Reset */
 	ret = acp3x_reset(acp3x_base);
 	if (ret) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 004/173] spi: Fix spi device unregister flow
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 003/173] ASoC: amd: fix for pcm_read() error Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 005/173] spi: spi-zynq-qspi: Fix stack violation bug Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Saravana Kannan, Mark Brown, Sasha Levin

From: Saravana Kannan <saravanak@google.com>

[ Upstream commit c7299fea67696db5bd09d924d1f1080d894f92ef ]

When an SPI device is unregistered, the spi->controller->cleanup() is
called in the device's release callback. That's wrong for a couple of
reasons:

1. spi_dev_put() can be called before spi_add_device() is called. And
   it's spi_add_device() that calls spi_setup(). This will cause clean()
   to get called without the spi device ever being setup.

2. There's no guarantee that the controller's driver would be present by
   the time the spi device's release function gets called.

3. It also causes "sleeping in atomic context" stack dump[1] when device
   link deletion code does a put_device() on the spi device.

Fix these issues by simply moving the cleanup from the device release
callback to the actual spi_unregister_device() function.

[1] - https://lore.kernel.org/lkml/CAHp75Vc=FCGcUyS0v6fnxme2YJ+qD+Y-hQDQLa2JhWNON9VmsQ@mail.gmail.com/

Signed-off-by: Saravana Kannan <saravanak@google.com>
Link: https://lore.kernel.org/r/20210426235638.1285530-1-saravanak@google.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
index 6ae7418f648c..125116ab3386 100644
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -47,10 +47,6 @@ static void spidev_release(struct device *dev)
 {
 	struct spi_device	*spi = to_spi_device(dev);
 
-	/* spi controllers may cleanup for released devices */
-	if (spi->controller->cleanup)
-		spi->controller->cleanup(spi);
-
 	spi_controller_put(spi->controller);
 	kfree(spi->driver_override);
 	kfree(spi);
@@ -558,6 +554,12 @@ static int spi_dev_check(struct device *dev, void *data)
 	return 0;
 }
 
+static void spi_cleanup(struct spi_device *spi)
+{
+	if (spi->controller->cleanup)
+		spi->controller->cleanup(spi);
+}
+
 /**
  * spi_add_device - Add spi_device allocated with spi_alloc_device
  * @spi: spi_device to register
@@ -622,11 +624,13 @@ int spi_add_device(struct spi_device *spi)
 
 	/* Device may be bound to an active driver when this returns */
 	status = device_add(&spi->dev);
-	if (status < 0)
+	if (status < 0) {
 		dev_err(dev, "can't add %s, status %d\n",
 				dev_name(&spi->dev), status);
-	else
+		spi_cleanup(spi);
+	} else {
 		dev_dbg(dev, "registered child %s\n", dev_name(&spi->dev));
+	}
 
 done:
 	mutex_unlock(&spi_add_lock);
@@ -713,6 +717,8 @@ void spi_unregister_device(struct spi_device *spi)
 	if (!spi)
 		return;
 
+	spi_cleanup(spi);
+
 	if (spi->dev.of_node) {
 		of_node_clear_flag(spi->dev.of_node, OF_POPULATED);
 		of_node_put(spi->dev.of_node);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 005/173] spi: spi-zynq-qspi: Fix stack violation bug
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 004/173] spi: Fix spi device unregister flow Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 006/173] bpf: Forbid trampoline attach for functions with variable arguments Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Karen Dombroski,
	Amit Kumar Mahapatra, Mark Brown, Sasha Levin

From: Karen Dombroski <karen.dombroski@marsbioimaging.com>

[ Upstream commit 6d5ff8e632a4f2389c331e5554cd1c2a9a28c7aa ]

When the number of bytes for the op is greater than one, the read could
run off the end of the function stack and cause a crash.

This patch restores the behaviour of safely reading out of the original
opcode location.

Signed-off-by: Karen Dombroski <karen.dombroski@marsbioimaging.com>
Signed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@xilinx.com>
Link: https://lore.kernel.org/r/20210429053802.17650-3-amit.kumar-mahapatra@xilinx.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-zynq-qspi.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/spi/spi-zynq-qspi.c b/drivers/spi/spi-zynq-qspi.c
index 5d8a5ee62fa2..2765289028fa 100644
--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -528,18 +528,17 @@ static int zynq_qspi_exec_mem_op(struct spi_mem *mem,
 	struct zynq_qspi *xqspi = spi_controller_get_devdata(mem->spi->master);
 	int err = 0, i;
 	u8 *tmpbuf;
-	u8 opcode = op->cmd.opcode;
 
 	dev_dbg(xqspi->dev, "cmd:%#x mode:%d.%d.%d.%d\n",
-		opcode, op->cmd.buswidth, op->addr.buswidth,
+		op->cmd.opcode, op->cmd.buswidth, op->addr.buswidth,
 		op->dummy.buswidth, op->data.buswidth);
 
 	zynq_qspi_chipselect(mem->spi, true);
 	zynq_qspi_config_op(xqspi, mem->spi);
 
-	if (op->cmd.nbytes) {
+	if (op->cmd.opcode) {
 		reinit_completion(&xqspi->data_completion);
-		xqspi->txbuf = &opcode;
+		xqspi->txbuf = (u8 *)&op->cmd.opcode;
 		xqspi->rxbuf = NULL;
 		xqspi->tx_bytes = op->cmd.nbytes;
 		xqspi->rx_bytes = op->cmd.nbytes;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 006/173] bpf: Forbid trampoline attach for functions with variable arguments
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 005/173] spi: spi-zynq-qspi: Fix stack violation bug Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 007/173] ASoC: codecs: lpass-rx-macro: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Olsa, Daniel Borkmann,
	Andrii Nakryiko, Sasha Levin

From: Jiri Olsa <jolsa@kernel.org>

[ Upstream commit 31379397dcc364a59ce764fabb131b645c43e340 ]

We can't currently allow to attach functions with variable arguments.
The problem is that we should save all the registers for arguments,
which is probably doable, but if caller uses more than 6 arguments,
we need stack data, which will be wrong, because of the extra stack
frame we do in bpf trampoline, so we could crash.

Also currently there's malformed trampoline code generated for such
functions at the moment as described in:

  https://lore.kernel.org/bpf/20210429212834.82621-1-jolsa@kernel.org/

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20210505132529.401047-1-jolsa@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/btf.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index b1a76fe046cb..6bd003568fa5 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -5126,6 +5126,12 @@ int btf_distill_func_proto(struct bpf_verifier_log *log,
 	m->ret_size = ret;
 
 	for (i = 0; i < nargs; i++) {
+		if (i == nargs - 1 && args[i].type == 0) {
+			bpf_log(log,
+				"The function %s with variable args is unsupported.\n",
+				tname);
+			return -EINVAL;
+		}
 		ret = __get_type_size(btf, args[i].type, &t);
 		if (ret < 0) {
 			bpf_log(log,
@@ -5133,6 +5139,12 @@ int btf_distill_func_proto(struct bpf_verifier_log *log,
 				tname, i, btf_kind_str[BTF_INFO_KIND(t->info)]);
 			return -EINVAL;
 		}
+		if (ret == 0) {
+			bpf_log(log,
+				"The function %s has malformed void argument.\n",
+				tname);
+			return -EINVAL;
+		}
 		m->arg_size[i] = ret;
 	}
 	m->nr_args = nargs;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 007/173] ASoC: codecs: lpass-rx-macro: add missing MODULE_DEVICE_TABLE
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 006/173] bpf: Forbid trampoline attach for functions with variable arguments Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 008/173] ASoC: codecs: lpass-tx-macro: " Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Srinivas Kandagatla, Mark Brown, Sasha Levin

From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>

[ Upstream commit d4335d058f8430a0ce2b43dab9531f3a3cf9fe2c ]

Fix module loading by adding missing MODULE_DEVICE_TABLE.

Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20210510103844.1532-1-srinivas.kandagatla@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/lpass-rx-macro.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/soc/codecs/lpass-rx-macro.c b/sound/soc/codecs/lpass-rx-macro.c
index 7878da89d8e0..b7b9c891e2f0 100644
--- a/sound/soc/codecs/lpass-rx-macro.c
+++ b/sound/soc/codecs/lpass-rx-macro.c
@@ -3581,6 +3581,7 @@ static const struct of_device_id rx_macro_dt_match[] = {
 	{ .compatible = "qcom,sm8250-lpass-rx-macro" },
 	{ }
 };
+MODULE_DEVICE_TABLE(of, rx_macro_dt_match);
 
 static struct platform_driver rx_macro_driver = {
 	.driver = {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 008/173] ASoC: codecs: lpass-tx-macro: add missing MODULE_DEVICE_TABLE
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 007/173] ASoC: codecs: lpass-rx-macro: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 009/173] net/nfc/rawsock.c: fix a permission check bug Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Bixuan Cui,
	Srinivas Kandagatla, Mark Brown, Sasha Levin

From: Bixuan Cui <cuibixuan@huawei.com>

[ Upstream commit 14c0c423746fe7232a093a68809a4bc6233eed60 ]

This patch adds missing MODULE_DEVICE_TABLE definition which generates
correct modalias for automatic loading of this driver when it is built
as an external module.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20210508031512.53783-1-cuibixuan@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/lpass-tx-macro.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c
index e8c6c738bbaa..5341ca02951c 100644
--- a/sound/soc/codecs/lpass-tx-macro.c
+++ b/sound/soc/codecs/lpass-tx-macro.c
@@ -1846,6 +1846,7 @@ static const struct of_device_id tx_macro_dt_match[] = {
 	{ .compatible = "qcom,sm8250-lpass-tx-macro" },
 	{ }
 };
+MODULE_DEVICE_TABLE(of, tx_macro_dt_match);
 static struct platform_driver tx_macro_driver = {
 	.driver = {
 		.name = "tx_macro",
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 009/173] net/nfc/rawsock.c: fix a permission check bug
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 008/173] ASoC: codecs: lpass-tx-macro: " Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 010/173] usb: cdns3: Fix runtime PM imbalance on error Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeimon, David S. Miller, Sasha Levin

From: Jeimon <jjjinmeng.zhou@gmail.com>

[ Upstream commit 8ab78863e9eff11910e1ac8bcf478060c29b379e ]

The function rawsock_create() calls a privileged function sk_alloc(), which requires a ns-aware check to check net->user_ns, i.e., ns_capable(). However, the original code checks the init_user_ns using capable(). So we replace the capable() with ns_capable().

Signed-off-by: Jeimon <jjjinmeng.zhou@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/nfc/rawsock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c
index 9c7eb8455ba8..5f1d438a0a23 100644
--- a/net/nfc/rawsock.c
+++ b/net/nfc/rawsock.c
@@ -329,7 +329,7 @@ static int rawsock_create(struct net *net, struct socket *sock,
 		return -ESOCKTNOSUPPORT;
 
 	if (sock->type == SOCK_RAW) {
-		if (!capable(CAP_NET_RAW))
+		if (!ns_capable(net->user_ns, CAP_NET_RAW))
 			return -EPERM;
 		sock->ops = &rawsock_raw_ops;
 	} else {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 010/173] usb: cdns3: Fix runtime PM imbalance on error
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 009/173] net/nfc/rawsock.c: fix a permission check bug Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 011/173] ASoC: Intel: bytcr_rt5640: Add quirk for the Glavey TM800A550L tablet Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dinghao Liu, Peter Chen, Sasha Levin

From: Dinghao Liu <dinghao.liu@zju.edu.cn>

[ Upstream commit 07adc0225484fc199e3dc15ec889f75f498c4fca ]

When cdns3_gadget_start() fails, a pairing PM usage counter
decrement is needed to keep the counter balanced.

Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Link: https://lore.kernel.org/r/20210412054908.7975-1-dinghao.liu@zju.edu.cn
Signed-off-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/cdns3/cdns3-gadget.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gadget.c
index 582bfeceedb4..a49fc68ec2ef 100644
--- a/drivers/usb/cdns3/cdns3-gadget.c
+++ b/drivers/usb/cdns3/cdns3-gadget.c
@@ -3255,8 +3255,10 @@ static int __cdns3_gadget_init(struct cdns *cdns)
 	pm_runtime_get_sync(cdns->dev);
 
 	ret = cdns3_gadget_start(cdns);
-	if (ret)
+	if (ret) {
+		pm_runtime_put_sync(cdns->dev);
 		return ret;
+	}
 
 	/*
 	 * Because interrupt line can be shared with other components in
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 011/173] ASoC: Intel: bytcr_rt5640: Add quirk for the Glavey TM800A550L tablet
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 010/173] usb: cdns3: Fix runtime PM imbalance on error Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 012/173] ASoC: Intel: bytcr_rt5640: Add quirk for the Lenovo Miix 3-830 tablet Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Pierre-Louis Bossart,
	Mark Brown, Sasha Levin

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit 28c268d3acdd4cbcd2ac320b85609e77f84e74a7 ]

Add a quirk for the Glavey TM800A550L tablet, this BYTCR tablet has no CHAN
package in its ACPI tables and uses SSP0-AIF1 rather then SSP0-AIF2 which
is the default for BYTCR devices.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20210508150146.28403-1-hdegoede@redhat.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/intel/boards/bytcr_rt5640.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
index 22912cab5e63..f18932b3d31b 100644
--- a/sound/soc/intel/boards/bytcr_rt5640.c
+++ b/sound/soc/intel/boards/bytcr_rt5640.c
@@ -574,6 +574,17 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = {
 					BYT_RT5640_SSP0_AIF1 |
 					BYT_RT5640_MCLK_EN),
 	},
+	{	/* Glavey TM800A550L */
+		.matches = {
+			DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"),
+			DMI_MATCH(DMI_BOARD_NAME, "Aptio CRB"),
+			/* Above strings are too generic, also match on BIOS version */
+			DMI_MATCH(DMI_BIOS_VERSION, "ZY-8-BI-PX4S70VTR400-X423B-005-D"),
+		},
+		.driver_data = (void *)(BYTCR_INPUT_DEFAULTS |
+					BYT_RT5640_SSP0_AIF1 |
+					BYT_RT5640_MCLK_EN),
+	},
 	{
 		.matches = {
 			DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"),
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 012/173] ASoC: Intel: bytcr_rt5640: Add quirk for the Lenovo Miix 3-830 tablet
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 011/173] ASoC: Intel: bytcr_rt5640: Add quirk for the Glavey TM800A550L tablet Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 013/173] bpf: Add deny list of btf ids check for tracing programs Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Mark Brown, Sasha Levin

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit f0353e1f53f92f7b3da91e6669f5d58ee222ebe8 ]

The Lenovo Miix 3-830 tablet has only 1 speaker, has an internal analog
mic on IN1 and uses JD2 for jack-detect, add a quirk to automatically
apply these settings on Lenovo Miix 3-830 tablets.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20210508150146.28403-2-hdegoede@redhat.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/intel/boards/bytcr_rt5640.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
index f18932b3d31b..cc24e89a7f8d 100644
--- a/sound/soc/intel/boards/bytcr_rt5640.c
+++ b/sound/soc/intel/boards/bytcr_rt5640.c
@@ -663,6 +663,20 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = {
 					BYT_RT5640_MONO_SPEAKER |
 					BYT_RT5640_MCLK_EN),
 	},
+	{	/* Lenovo Miix 3-830 */
+		.matches = {
+			DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+			DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo MIIX 3-830"),
+		},
+		.driver_data = (void *)(BYT_RT5640_IN1_MAP |
+					BYT_RT5640_JD_SRC_JD2_IN4N |
+					BYT_RT5640_OVCD_TH_2000UA |
+					BYT_RT5640_OVCD_SF_0P75 |
+					BYT_RT5640_MONO_SPEAKER |
+					BYT_RT5640_DIFF_MIC |
+					BYT_RT5640_SSP0_AIF1 |
+					BYT_RT5640_MCLK_EN),
+	},
 	{	/* Linx Linx7 tablet */
 		.matches = {
 			DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LINX"),
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 013/173] bpf: Add deny list of btf ids check for tracing programs
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 012/173] ASoC: Intel: bytcr_rt5640: Add quirk for the Lenovo Miix 3-830 tablet Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 014/173] vfio-ccw: Reset FSM state to IDLE inside FSM Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexei Starovoitov, Jiri Olsa, Sasha Levin

From: Jiri Olsa <jolsa@kernel.org>

[ Upstream commit 35e3815fa8102fab4dee75f3547472c66581125d ]

The recursion check in __bpf_prog_enter and __bpf_prog_exit
leaves some (not inlined) functions unprotected:

In __bpf_prog_enter:
  - migrate_disable is called before prog->active is checked

In __bpf_prog_exit:
  - migrate_enable,rcu_read_unlock_strict are called after
    prog->active is decreased

When attaching trampoline to them we get panic like:

  traps: PANIC: double fault, error_code: 0x0
  double fault: 0000 [#1] SMP PTI
  RIP: 0010:__bpf_prog_enter+0x4/0x50
  ...
  Call Trace:
   <IRQ>
   bpf_trampoline_6442466513_0+0x18/0x1000
   migrate_disable+0x5/0x50
   __bpf_prog_enter+0x9/0x50
   bpf_trampoline_6442466513_0+0x18/0x1000
   migrate_disable+0x5/0x50
   __bpf_prog_enter+0x9/0x50
   bpf_trampoline_6442466513_0+0x18/0x1000
   migrate_disable+0x5/0x50
   __bpf_prog_enter+0x9/0x50
   bpf_trampoline_6442466513_0+0x18/0x1000
   migrate_disable+0x5/0x50
   ...

Fixing this by adding deny list of btf ids for tracing
programs and checking btf id during program verification.
Adding above functions to this list.

Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20210429114712.43783-1-jolsa@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/verifier.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index b186d852fe3d..9e600767803b 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -12556,6 +12556,17 @@ int bpf_check_attach_target(struct bpf_verifier_log *log,
 	return 0;
 }
 
+BTF_SET_START(btf_id_deny)
+BTF_ID_UNUSED
+#ifdef CONFIG_SMP
+BTF_ID(func, migrate_disable)
+BTF_ID(func, migrate_enable)
+#endif
+#if !defined CONFIG_PREEMPT_RCU && !defined CONFIG_TINY_RCU
+BTF_ID(func, rcu_read_unlock_strict)
+#endif
+BTF_SET_END(btf_id_deny)
+
 static int check_attach_btf_id(struct bpf_verifier_env *env)
 {
 	struct bpf_prog *prog = env->prog;
@@ -12615,6 +12626,9 @@ static int check_attach_btf_id(struct bpf_verifier_env *env)
 		ret = bpf_lsm_verify_prog(&env->log, prog);
 		if (ret < 0)
 			return ret;
+	} else if (prog->type == BPF_PROG_TYPE_TRACING &&
+		   btf_id_set_contains(&btf_id_deny, btf_id)) {
+		return -EINVAL;
 	}
 
 	key = bpf_trampoline_compute_key(tgt_prog, prog->aux->attach_btf, btf_id);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 014/173] vfio-ccw: Reset FSM state to IDLE inside FSM
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 013/173] bpf: Add deny list of btf ids check for tracing programs Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 015/173] vfio-ccw: Serialize FSM IDLE state with I/O completion Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Farman, Cornelia Huck,
	Matthew Rosato, Sasha Levin

From: Eric Farman <farman@linux.ibm.com>

[ Upstream commit 6c02ac4c9211edabe17bda437ac97e578756f31b ]

When an I/O request is made, the fsm_io_request() routine
moves the FSM state from IDLE to CP_PROCESSING, and then
fsm_io_helper() moves it to CP_PENDING if the START SUBCHANNEL
received a cc0. Yet, the error case to go from CP_PROCESSING
back to IDLE is done after the FSM call returns.

Let's move this up into the FSM proper, to provide some
better symmetry when unwinding in this case.

Signed-off-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Acked-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-Id: <20210511195631.3995081-3-farman@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/cio/vfio_ccw_fsm.c | 1 +
 drivers/s390/cio/vfio_ccw_ops.c | 2 --
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/s390/cio/vfio_ccw_fsm.c b/drivers/s390/cio/vfio_ccw_fsm.c
index 23e61aa638e4..e435a9cd92da 100644
--- a/drivers/s390/cio/vfio_ccw_fsm.c
+++ b/drivers/s390/cio/vfio_ccw_fsm.c
@@ -318,6 +318,7 @@ static void fsm_io_request(struct vfio_ccw_private *private,
 	}
 
 err_out:
+	private->state = VFIO_CCW_STATE_IDLE;
 	trace_vfio_ccw_fsm_io_request(scsw->cmd.fctl, schid,
 				      io_region->ret_code, errstr);
 }
diff --git a/drivers/s390/cio/vfio_ccw_ops.c b/drivers/s390/cio/vfio_ccw_ops.c
index 767ac41686fe..5971641964c6 100644
--- a/drivers/s390/cio/vfio_ccw_ops.c
+++ b/drivers/s390/cio/vfio_ccw_ops.c
@@ -276,8 +276,6 @@ static ssize_t vfio_ccw_mdev_write_io_region(struct vfio_ccw_private *private,
 	}
 
 	vfio_ccw_fsm_event(private, VFIO_CCW_EVENT_IO_REQ);
-	if (region->ret_code != 0)
-		private->state = VFIO_CCW_STATE_IDLE;
 	ret = (region->ret_code != 0) ? region->ret_code : count;
 
 out_unlock:
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 015/173] vfio-ccw: Serialize FSM IDLE state with I/O completion
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 014/173] vfio-ccw: Reset FSM state to IDLE inside FSM Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 016/173] ASoC: sti-sas: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Farman, Matthew Rosato,
	Cornelia Huck, Sasha Levin

From: Eric Farman <farman@linux.ibm.com>

[ Upstream commit 2af7a834a435460d546f0cf0a8b8e4d259f1d910 ]

Today, the stacked call to vfio_ccw_sch_io_todo() does three things:

  1) Update a solicited IRB with CP information, and release the CP
     if the interrupt was the end of a START operation.
  2) Copy the IRB data into the io_region, under the protection of
     the io_mutex
  3) Reset the vfio-ccw FSM state to IDLE to acknowledge that
     vfio-ccw can accept more work.

The trouble is that step 3 is (A) invoked for both solicited and
unsolicited interrupts, and (B) sitting after the mutex for step 2.
This second piece becomes a problem if it processes an interrupt
for a CLEAR SUBCHANNEL while another thread initiates a START,
thus allowing the CP and FSM states to get out of sync. That is:

    CPU 1                           CPU 2
    fsm_do_clear()
    fsm_irq()
                                    fsm_io_request()
    vfio_ccw_sch_io_todo()
                                    fsm_io_helper()

Since the FSM state and CP should be kept in sync, let's make a
note when the CP is released, and rely on that as an indication
that the FSM should also be reset at the end of this routine and
open up the device for more work.

Signed-off-by: Eric Farman <farman@linux.ibm.com>
Acked-by: Matthew Rosato <mjrosato@linux.ibm.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Message-Id: <20210511195631.3995081-4-farman@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/cio/vfio_ccw_drv.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c
index 8c625b530035..9b61e9b131ad 100644
--- a/drivers/s390/cio/vfio_ccw_drv.c
+++ b/drivers/s390/cio/vfio_ccw_drv.c
@@ -86,6 +86,7 @@ static void vfio_ccw_sch_io_todo(struct work_struct *work)
 	struct vfio_ccw_private *private;
 	struct irb *irb;
 	bool is_final;
+	bool cp_is_finished = false;
 
 	private = container_of(work, struct vfio_ccw_private, io_work);
 	irb = &private->irb;
@@ -94,14 +95,21 @@ static void vfio_ccw_sch_io_todo(struct work_struct *work)
 		     (SCSW_ACTL_DEVACT | SCSW_ACTL_SCHACT));
 	if (scsw_is_solicited(&irb->scsw)) {
 		cp_update_scsw(&private->cp, &irb->scsw);
-		if (is_final && private->state == VFIO_CCW_STATE_CP_PENDING)
+		if (is_final && private->state == VFIO_CCW_STATE_CP_PENDING) {
 			cp_free(&private->cp);
+			cp_is_finished = true;
+		}
 	}
 	mutex_lock(&private->io_mutex);
 	memcpy(private->io_region->irb_area, irb, sizeof(*irb));
 	mutex_unlock(&private->io_mutex);
 
-	if (private->mdev && is_final)
+	/*
+	 * Reset to IDLE only if processing of a channel program
+	 * has finished. Do not overwrite a possible processing
+	 * state if the final interrupt was for HSCH or CSCH.
+	 */
+	if (private->mdev && cp_is_finished)
 		private->state = VFIO_CCW_STATE_IDLE;
 
 	if (private->io_trigger)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 016/173] ASoC: sti-sas: add missing MODULE_DEVICE_TABLE
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 015/173] vfio-ccw: Serialize FSM IDLE state with I/O completion Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 017/173] spi: sprd: Add " Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zou Wei, Mark Brown, Sasha Levin

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit e072b2671606c77538d6a4dd5dda80b508cb4816 ]

This patch adds missing MODULE_DEVICE_TABLE definition which generates
correct modalias for automatic loading of this driver when it is built
as an external module.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Link: https://lore.kernel.org/r/1620789145-14936-1-git-send-email-zou_wei@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/sti-sas.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/soc/codecs/sti-sas.c b/sound/soc/codecs/sti-sas.c
index ec9933b054ad..423daac9d5a9 100644
--- a/sound/soc/codecs/sti-sas.c
+++ b/sound/soc/codecs/sti-sas.c
@@ -411,6 +411,7 @@ static const struct of_device_id sti_sas_dev_match[] = {
 	},
 	{},
 };
+MODULE_DEVICE_TABLE(of, sti_sas_dev_match);
 
 static int sti_sas_driver_probe(struct platform_device *pdev)
 {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 017/173] spi: sprd: Add missing MODULE_DEVICE_TABLE
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 016/173] ASoC: sti-sas: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 018/173] usb: chipidea: udc: assign interrupt number to USB gadget structure Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chunyan Zhang, Mark Brown, Sasha Levin

From: Chunyan Zhang <chunyan.zhang@unisoc.com>

[ Upstream commit 7907cad7d07e0055789ec0c534452f19dfe1fc80 ]

MODULE_DEVICE_TABLE is used to extract the device information out of the
driver and builds a table when being compiled. If using this macro,
kernel can find the driver if available when the device is plugged in,
and then loads that driver and initializes the device.

Signed-off-by: Chunyan Zhang <chunyan.zhang@unisoc.com>
Link: https://lore.kernel.org/r/20210512093534.243040-1-zhang.lyra@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-sprd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/spi/spi-sprd.c b/drivers/spi/spi-sprd.c
index b41a75749b49..28e70db9bbba 100644
--- a/drivers/spi/spi-sprd.c
+++ b/drivers/spi/spi-sprd.c
@@ -1068,6 +1068,7 @@ static const struct of_device_id sprd_spi_of_match[] = {
 	{ .compatible = "sprd,sc9860-spi", },
 	{ /* sentinel */ }
 };
+MODULE_DEVICE_TABLE(of, sprd_spi_of_match);
 
 static struct platform_driver sprd_spi_driver = {
 	.driver = {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 018/173] usb: chipidea: udc: assign interrupt number to USB gadget structure
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 017/173] spi: sprd: Add " Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 019/173] isdn: mISDN: netjet: Fix crash in nj_probe: Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, faqiang.zhu, Li Jun, Peter Chen, Sasha Levin

From: Li Jun <jun.li@nxp.com>

[ Upstream commit 9e3927f6373da54cb17e17f4bd700907e1123d2f ]

Chipidea also need sync interrupt before unbind the udc while
gadget remove driver, otherwise setup irq handling may happen
while unbind, see below dump generated from android function
switch stress test:

[ 4703.503056] android_work: sent uevent USB_STATE=CONNECTED
[ 4703.514642] android_work: sent uevent USB_STATE=DISCONNECTED
[ 4703.651339] android_work: sent uevent USB_STATE=CONNECTED
[ 4703.661806] init: Control message: Processed ctl.stop for 'adbd' from pid: 561 (system_server)
[ 4703.673469] init: processing action (init.svc.adbd=stopped) from (/system/etc/init/hw/init.usb.configfs.rc:14)
[ 4703.676451] Unable to handle kernel read from unreadable memory at virtual address 0000000000000090
[ 4703.676454] Mem abort info:
[ 4703.676458]   ESR = 0x96000004
[ 4703.676461]   EC = 0x25: DABT (current EL), IL = 32 bits
[ 4703.676464]   SET = 0, FnV = 0
[ 4703.676466]   EA = 0, S1PTW = 0
[ 4703.676468] Data abort info:
[ 4703.676471]   ISV = 0, ISS = 0x00000004
[ 4703.676473]   CM = 0, WnR = 0
[ 4703.676478] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004a867000
[ 4703.676481] [0000000000000090] pgd=0000000000000000, p4d=0000000000000000
[ 4703.676503] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 4703.758297] Modules linked in: synaptics_dsx_i2c moal(O) mlan(O)
[ 4703.764327] CPU: 0 PID: 235 Comm: lmkd Tainted: G        W  O      5.10.9-00001-g3f5fd8487c38-dirty #63
[ 4703.773720] Hardware name: NXP i.MX8MNano EVK board (DT)
[ 4703.779033] pstate: 60400085 (nZCv daIf +PAN -UAO -TCO BTYPE=--)
[ 4703.785046] pc : _raw_write_unlock_bh+0xc0/0x2c8
[ 4703.789667] lr : android_setup+0x4c/0x168
[ 4703.793676] sp : ffff80001256bd80
[ 4703.796989] x29: ffff80001256bd80 x28: 00000000000000a8
[ 4703.802304] x27: ffff800012470000 x26: ffff80006d923000
[ 4703.807616] x25: ffff800012471000 x24: ffff00000b091140
[ 4703.812929] x23: ffff0000077dbd38 x22: ffff0000077da490
[ 4703.818242] x21: ffff80001256be30 x20: 0000000000000000
[ 4703.823554] x19: 0000000000000080 x18: ffff800012561048
[ 4703.828867] x17: 0000000000000000 x16: 0000000000000039
[ 4703.834180] x15: ffff8000106ad258 x14: ffff80001194c277
[ 4703.839493] x13: 0000000000003934 x12: 0000000000000000
[ 4703.844805] x11: 0000000000000000 x10: 0000000000000001
[ 4703.850117] x9 : 0000000000000000 x8 : 0000000000000090
[ 4703.855429] x7 : 6f72646e61203a70 x6 : ffff8000124f2450
[ 4703.860742] x5 : ffffffffffffffff x4 : 0000000000000009
[ 4703.866054] x3 : ffff8000108a290c x2 : ffff00007fb3a9c8
[ 4703.871367] x1 : 0000000000000000 x0 : 0000000000000090
[ 4703.876681] Call trace:
[ 4703.879129]  _raw_write_unlock_bh+0xc0/0x2c8
[ 4703.883397]  android_setup+0x4c/0x168
[ 4703.887059]  udc_irq+0x824/0xa9c
[ 4703.890287]  ci_irq+0x124/0x148
[ 4703.893429]  __handle_irq_event_percpu+0x84/0x268
[ 4703.898131]  handle_irq_event+0x64/0x14c
[ 4703.902054]  handle_fasteoi_irq+0x110/0x210
[ 4703.906236]  __handle_domain_irq+0x8c/0xd4
[ 4703.910332]  gic_handle_irq+0x6c/0x124
[ 4703.914081]  el1_irq+0xdc/0x1c0
[ 4703.917221]  _raw_spin_unlock_irq+0x20/0x54
[ 4703.921405]  finish_task_switch+0x84/0x224
[ 4703.925502]  __schedule+0x4a4/0x734
[ 4703.928990]  schedule+0xa0/0xe8
[ 4703.932132]  do_notify_resume+0x150/0x184
[ 4703.936140]  work_pending+0xc/0x40c
[ 4703.939633] Code: d5384613 521b0a69 d5184609 f9800111 (885ffd01)
[ 4703.945732] ---[ end trace ba5c1875ae49d53c ]---
[ 4703.950350] Kernel panic - not syncing: Oops: Fatal exception in interrupt
[ 4703.957223] SMP: stopping secondary CPUs
[ 4703.961151] Kernel Offset: disabled
[ 4703.964638] CPU features: 0x0240002,2000200c
[ 4703.968905] Memory Limit: none
[ 4703.971963] Rebooting in 5 seconds..

Tested-by: faqiang.zhu <faqiang.zhu@nxp.com>
Signed-off-by: Li Jun <jun.li@nxp.com>
Link: https://lore.kernel.org/r/1620989984-7653-1-git-send-email-jun.li@nxp.com
Signed-off-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/chipidea/udc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c
index c16d900cdaee..393f216b9161 100644
--- a/drivers/usb/chipidea/udc.c
+++ b/drivers/usb/chipidea/udc.c
@@ -2061,6 +2061,7 @@ static int udc_start(struct ci_hdrc *ci)
 	ci->gadget.name         = ci->platdata->name;
 	ci->gadget.otg_caps	= otg_caps;
 	ci->gadget.sg_supported = 1;
+	ci->gadget.irq		= ci->irq;
 
 	if (ci->platdata->flags & CI_HDRC_REQUIRES_ALIGNED_DMA)
 		ci->gadget.quirk_avoids_skb_reserve = 1;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 019/173] isdn: mISDN: netjet: Fix crash in nj_probe:
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 018/173] usb: chipidea: udc: assign interrupt number to USB gadget structure Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 020/173] bonding: init notify_work earlier to avoid uninitialized use Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zheyu Ma, David S. Miller, Sasha Levin

From: Zheyu Ma <zheyuma97@gmail.com>

[ Upstream commit 9f6f852550d0e1b7735651228116ae9d300f69b3 ]

'nj_setup' in netjet.c might fail with -EIO and in this case
'card->irq' is initialized and is bigger than zero. A subsequent call to
'nj_release' will free the irq that has not been requested.

Fix this bug by deleting the previous assignment to 'card->irq' and just
keep the assignment before 'request_irq'.

The KASAN's log reveals it:

[    3.354615 ] WARNING: CPU: 0 PID: 1 at kernel/irq/manage.c:1826
free_irq+0x100/0x480
[    3.355112 ] Modules linked in:
[    3.355310 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted
5.13.0-rc1-00144-g25a1298726e #13
[    3.355816 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[    3.356552 ] RIP: 0010:free_irq+0x100/0x480
[    3.356820 ] Code: 6e 08 74 6f 4d 89 f4 e8 5e ac 09 00 4d 8b 74 24 18
4d 85 f6 75 e3 e8 4f ac 09 00 8b 75 c8 48 c7 c7 78 c1 2e 85 e8 e0 cf f5
ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 72 33 0b 03 48 8b 43 40 4c 8b a0 80
[    3.358012 ] RSP: 0000:ffffc90000017b48 EFLAGS: 00010082
[    3.358357 ] RAX: 0000000000000000 RBX: ffff888104dc8000 RCX:
0000000000000000
[    3.358814 ] RDX: ffff8881003c8000 RSI: ffffffff8124a9e6 RDI:
00000000ffffffff
[    3.359272 ] RBP: ffffc90000017b88 R08: 0000000000000000 R09:
0000000000000000
[    3.359732 ] R10: ffffc900000179f0 R11: 0000000000001d04 R12:
0000000000000000
[    3.360195 ] R13: ffff888107dc6000 R14: ffff888107dc6928 R15:
ffff888104dc80a8
[    3.360652 ] FS:  0000000000000000(0000) GS:ffff88817bc00000(0000)
knlGS:0000000000000000
[    3.361170 ] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    3.361538 ] CR2: 0000000000000000 CR3: 000000000582e000 CR4:
00000000000006f0
[    3.362003 ] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[    3.362175 ] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[    3.362175 ] Call Trace:
[    3.362175 ]  nj_release+0x51/0x1e0
[    3.362175 ]  nj_probe+0x450/0x950
[    3.362175 ]  ? pci_device_remove+0x110/0x110
[    3.362175 ]  local_pci_probe+0x45/0xa0
[    3.362175 ]  pci_device_probe+0x12b/0x1d0
[    3.362175 ]  really_probe+0x2a9/0x610
[    3.362175 ]  driver_probe_device+0x90/0x1d0
[    3.362175 ]  ? mutex_lock_nested+0x1b/0x20
[    3.362175 ]  device_driver_attach+0x68/0x70
[    3.362175 ]  __driver_attach+0x124/0x1b0
[    3.362175 ]  ? device_driver_attach+0x70/0x70
[    3.362175 ]  bus_for_each_dev+0xbb/0x110
[    3.362175 ]  ? rdinit_setup+0x45/0x45
[    3.362175 ]  driver_attach+0x27/0x30
[    3.362175 ]  bus_add_driver+0x1eb/0x2a0
[    3.362175 ]  driver_register+0xa9/0x180
[    3.362175 ]  __pci_register_driver+0x82/0x90
[    3.362175 ]  ? w6692_init+0x38/0x38
[    3.362175 ]  nj_init+0x36/0x38
[    3.362175 ]  do_one_initcall+0x7f/0x3d0
[    3.362175 ]  ? rdinit_setup+0x45/0x45
[    3.362175 ]  ? rcu_read_lock_sched_held+0x4f/0x80
[    3.362175 ]  kernel_init_freeable+0x2aa/0x301
[    3.362175 ]  ? rest_init+0x2c0/0x2c0
[    3.362175 ]  kernel_init+0x18/0x190
[    3.362175 ]  ? rest_init+0x2c0/0x2c0
[    3.362175 ]  ? rest_init+0x2c0/0x2c0
[    3.362175 ]  ret_from_fork+0x1f/0x30
[    3.362175 ] Kernel panic - not syncing: panic_on_warn set ...
[    3.362175 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted
5.13.0-rc1-00144-g25a1298726e #13
[    3.362175 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[    3.362175 ] Call Trace:
[    3.362175 ]  dump_stack+0xba/0xf5
[    3.362175 ]  ? free_irq+0x100/0x480
[    3.362175 ]  panic+0x15a/0x3f2
[    3.362175 ]  ? __warn+0xf2/0x150
[    3.362175 ]  ? free_irq+0x100/0x480
[    3.362175 ]  __warn+0x108/0x150
[    3.362175 ]  ? free_irq+0x100/0x480
[    3.362175 ]  report_bug+0x119/0x1c0
[    3.362175 ]  handle_bug+0x3b/0x80
[    3.362175 ]  exc_invalid_op+0x18/0x70
[    3.362175 ]  asm_exc_invalid_op+0x12/0x20
[    3.362175 ] RIP: 0010:free_irq+0x100/0x480
[    3.362175 ] Code: 6e 08 74 6f 4d 89 f4 e8 5e ac 09 00 4d 8b 74 24 18
4d 85 f6 75 e3 e8 4f ac 09 00 8b 75 c8 48 c7 c7 78 c1 2e 85 e8 e0 cf f5
ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 72 33 0b 03 48 8b 43 40 4c 8b a0 80
[    3.362175 ] RSP: 0000:ffffc90000017b48 EFLAGS: 00010082
[    3.362175 ] RAX: 0000000000000000 RBX: ffff888104dc8000 RCX:
0000000000000000
[    3.362175 ] RDX: ffff8881003c8000 RSI: ffffffff8124a9e6 RDI:
00000000ffffffff
[    3.362175 ] RBP: ffffc90000017b88 R08: 0000000000000000 R09:
0000000000000000
[    3.362175 ] R10: ffffc900000179f0 R11: 0000000000001d04 R12:
0000000000000000
[    3.362175 ] R13: ffff888107dc6000 R14: ffff888107dc6928 R15:
ffff888104dc80a8
[    3.362175 ]  ? vprintk+0x76/0x150
[    3.362175 ]  ? free_irq+0x100/0x480
[    3.362175 ]  nj_release+0x51/0x1e0
[    3.362175 ]  nj_probe+0x450/0x950
[    3.362175 ]  ? pci_device_remove+0x110/0x110
[    3.362175 ]  local_pci_probe+0x45/0xa0
[    3.362175 ]  pci_device_probe+0x12b/0x1d0
[    3.362175 ]  really_probe+0x2a9/0x610
[    3.362175 ]  driver_probe_device+0x90/0x1d0
[    3.362175 ]  ? mutex_lock_nested+0x1b/0x20
[    3.362175 ]  device_driver_attach+0x68/0x70
[    3.362175 ]  __driver_attach+0x124/0x1b0
[    3.362175 ]  ? device_driver_attach+0x70/0x70
[    3.362175 ]  bus_for_each_dev+0xbb/0x110
[    3.362175 ]  ? rdinit_setup+0x45/0x45
[    3.362175 ]  driver_attach+0x27/0x30
[    3.362175 ]  bus_add_driver+0x1eb/0x2a0
[    3.362175 ]  driver_register+0xa9/0x180
[    3.362175 ]  __pci_register_driver+0x82/0x90
[    3.362175 ]  ? w6692_init+0x38/0x38
[    3.362175 ]  nj_init+0x36/0x38
[    3.362175 ]  do_one_initcall+0x7f/0x3d0
[    3.362175 ]  ? rdinit_setup+0x45/0x45
[    3.362175 ]  ? rcu_read_lock_sched_held+0x4f/0x80
[    3.362175 ]  kernel_init_freeable+0x2aa/0x301
[    3.362175 ]  ? rest_init+0x2c0/0x2c0
[    3.362175 ]  kernel_init+0x18/0x190
[    3.362175 ]  ? rest_init+0x2c0/0x2c0
[    3.362175 ]  ? rest_init+0x2c0/0x2c0
[    3.362175 ]  ret_from_fork+0x1f/0x30
[    3.362175 ] Dumping ftrace buffer:
[    3.362175 ]    (ftrace buffer empty)
[    3.362175 ] Kernel Offset: disabled
[    3.362175 ] Rebooting in 1 seconds..

Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/isdn/hardware/mISDN/netjet.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/isdn/hardware/mISDN/netjet.c b/drivers/isdn/hardware/mISDN/netjet.c
index ee925b58bbce..2a1ddd47a096 100644
--- a/drivers/isdn/hardware/mISDN/netjet.c
+++ b/drivers/isdn/hardware/mISDN/netjet.c
@@ -1100,7 +1100,6 @@ nj_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 		card->typ = NETJET_S_TJ300;
 
 	card->base = pci_resource_start(pdev, 0);
-	card->irq = pdev->irq;
 	pci_set_drvdata(pdev, card);
 	err = setup_instance(card);
 	if (err)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 020/173] bonding: init notify_work earlier to avoid uninitialized use
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 019/173] isdn: mISDN: netjet: Fix crash in nj_probe: Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 021/173] netlink: disable IRQs for netlink_lock_table() Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+bfda097c12a00c8cae67,
	Johannes Berg, Jay Vosburgh, David S. Miller, Sasha Levin

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit 35d96e631860226d5dc4de0fad0a415362ec2457 ]

If bond_kobj_init() or later kzalloc() in bond_alloc_slave() fail,
then we call kobject_put() on the slave->kobj. This in turn calls
the release function slave_kobj_release() which will always try to
cancel_delayed_work_sync(&slave->notify_work), which shouldn't be
done on an uninitialized work struct.

Always initialize the work struct earlier to avoid problems here.

Syzbot bisected this down to a completely pointless commit, some
fault injection may have been at work here that caused the alloc
failure in the first place, which may interact badly with bisect.

Reported-by: syzbot+bfda097c12a00c8cae67@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/bonding/bond_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 74cbbb22470b..fa4bf727a48d 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1526,6 +1526,7 @@ static struct slave *bond_alloc_slave(struct bonding *bond,
 
 	slave->bond = bond;
 	slave->dev = slave_dev;
+	INIT_DELAYED_WORK(&slave->notify_work, bond_netdev_notify_work);
 
 	if (bond_kobj_init(slave))
 		return NULL;
@@ -1538,7 +1539,6 @@ static struct slave *bond_alloc_slave(struct bonding *bond,
 			return NULL;
 		}
 	}
-	INIT_DELAYED_WORK(&slave->notify_work, bond_netdev_notify_work);
 
 	return slave;
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 021/173] netlink: disable IRQs for netlink_lock_table()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 020/173] bonding: init notify_work earlier to avoid uninitialized use Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 022/173] net: mdiobus: get rid of a BUG_ON() Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+69ff9dff50dcfe14ddd4,
	Johannes Berg, David S. Miller, Sasha Levin

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit 1d482e666b8e74c7555dbdfbfb77205eeed3ff2d ]

Syzbot reports that in mac80211 we have a potential deadlock
between our "local->stop_queue_reasons_lock" (spinlock) and
netlink's nl_table_lock (rwlock). This is because there's at
least one situation in which we might try to send a netlink
message with this spinlock held while it is also possible to
take the spinlock from a hardirq context, resulting in the
following deadlock scenario reported by lockdep:

       CPU0                    CPU1
       ----                    ----
  lock(nl_table_lock);
                               local_irq_disable();
                               lock(&local->queue_stop_reason_lock);
                               lock(nl_table_lock);
  <Interrupt>
    lock(&local->queue_stop_reason_lock);

This seems valid, we can take the queue_stop_reason_lock in
any kind of context ("CPU0"), and call ieee80211_report_ack_skb()
with the spinlock held and IRQs disabled ("CPU1") in some
code path (ieee80211_do_stop() via ieee80211_free_txskb()).

Short of disallowing netlink use in scenarios like these
(which would be rather complex in mac80211's case due to
the deep callchain), it seems the only fix for this is to
disable IRQs while nl_table_lock is held to avoid hitting
this scenario, this disallows the "CPU0" portion of the
reported deadlock.

Note that the writer side (netlink_table_grab()) already
disables IRQs for this lock.

Unfortunately though, this seems like a huge hammer, and
maybe the whole netlink table locking should be reworked.

Reported-by: syzbot+69ff9dff50dcfe14ddd4@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netlink/af_netlink.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 3a62f97acf39..6133e412b948 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -461,11 +461,13 @@ void netlink_table_ungrab(void)
 static inline void
 netlink_lock_table(void)
 {
+	unsigned long flags;
+
 	/* read_lock() synchronizes us to netlink_table_grab */
 
-	read_lock(&nl_table_lock);
+	read_lock_irqsave(&nl_table_lock, flags);
 	atomic_inc(&nl_table_users);
-	read_unlock(&nl_table_lock);
+	read_unlock_irqrestore(&nl_table_lock, flags);
 }
 
 static inline void
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 022/173] net: mdiobus: get rid of a BUG_ON()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 021/173] netlink: disable IRQs for netlink_lock_table() Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 023/173] cgroup: disable controllers at parse time Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Russell King (Oracle),
	Dan Carpenter, Andrew Lunn, David S. Miller, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 1dde47a66d4fb181830d6fa000e5ea86907b639e ]

We spotted a bug recently during a review where a driver was
unregistering a bus that wasn't registered, which would trigger this
BUG_ON().  Let's handle that situation more gracefully, and just print
a warning and return.

Reported-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/mdio_bus.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
index 823518554079..d3c916821b11 100644
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -607,7 +607,8 @@ void mdiobus_unregister(struct mii_bus *bus)
 	struct mdio_device *mdiodev;
 	int i;
 
-	BUG_ON(bus->state != MDIOBUS_REGISTERED);
+	if (WARN_ON_ONCE(bus->state != MDIOBUS_REGISTERED))
+		return;
 	bus->state = MDIOBUS_UNREGISTERED;
 
 	for (i = 0; i < PHY_MAX_ADDR; i++) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 023/173] cgroup: disable controllers at parse time
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 022/173] net: mdiobus: get rid of a BUG_ON() Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 024/173] wq: handle VM suspension in stall detection Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shakeel Butt, NOMURA JUNICHI ,
	Tejun Heo, Sasha Levin

From: Shakeel Butt <shakeelb@google.com>

[ Upstream commit 45e1ba40837ac2f6f4d4716bddb8d44bd7e4a251 ]

This patch effectively reverts the commit a3e72739b7a7 ("cgroup: fix
too early usage of static_branch_disable()"). The commit 6041186a3258
("init: initialize jump labels before command line option parsing") has
moved the jump_label_init() before parse_args() which has made the
commit a3e72739b7a7 unnecessary. On the other hand there are
consequences of disabling the controllers later as there are subsystems
doing the controller checks for different decisions. One such incident
is reported [1] regarding the memory controller and its impact on memory
reclaim code.

[1] https://lore.kernel.org/linux-mm/921e53f3-4b13-aab8-4a9e-e83ff15371e4@nec.com

Signed-off-by: Shakeel Butt <shakeelb@google.com>
Reported-by: NOMURA JUNICHI(野村 淳一) <junichi.nomura@nec.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Tested-by: Jun'ichi Nomura <junichi.nomura@nec.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/cgroup/cgroup.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 9153b20e5cc6..2529d1f88330 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -5626,8 +5626,6 @@ int __init cgroup_init_early(void)
 	return 0;
 }
 
-static u16 cgroup_disable_mask __initdata;
-
 /**
  * cgroup_init - cgroup initialization
  *
@@ -5686,12 +5684,8 @@ int __init cgroup_init(void)
 		 * disabled flag and cftype registration needs kmalloc,
 		 * both of which aren't available during early_init.
 		 */
-		if (cgroup_disable_mask & (1 << ssid)) {
-			static_branch_disable(cgroup_subsys_enabled_key[ssid]);
-			printk(KERN_INFO "Disabling %s control group subsystem\n",
-			       ss->name);
+		if (!cgroup_ssid_enabled(ssid))
 			continue;
-		}
 
 		if (cgroup1_ssid_disabled(ssid))
 			printk(KERN_INFO "Disabling %s control group subsystem in v1 mounts\n",
@@ -6206,7 +6200,10 @@ static int __init cgroup_disable(char *str)
 			if (strcmp(token, ss->name) &&
 			    strcmp(token, ss->legacy_name))
 				continue;
-			cgroup_disable_mask |= 1 << i;
+
+			static_branch_disable(cgroup_subsys_enabled_key[i]);
+			pr_info("Disabling %s control group subsystem\n",
+				ss->name);
 		}
 	}
 	return 1;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 024/173] wq: handle VM suspension in stall detection
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 023/173] cgroup: disable controllers at parse time Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 025/173] net/qla3xxx: fix schedule while atomic in ql_sem_spinlock Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergey Senozhatsky, Tejun Heo, Sasha Levin

From: Sergey Senozhatsky <senozhatsky@chromium.org>

[ Upstream commit 940d71c6462e8151c78f28e4919aa8882ff2054e ]

If VCPU is suspended (VM suspend) in wq_watchdog_timer_fn() then
once this VCPU resumes it will see the new jiffies value, while it
may take a while before IRQ detects PVCLOCK_GUEST_STOPPED on this
VCPU and updates all the watchdogs via pvclock_touch_watchdogs().
There is a small chance of misreported WQ stalls in the meantime,
because new jiffies is time_after() old 'ts + thresh'.

wq_watchdog_timer_fn()
{
	for_each_pool(pool, pi) {
		if (time_after(jiffies, ts + thresh)) {
			pr_emerg("BUG: workqueue lockup - pool");
		}
	}
}

Save jiffies at the beginning of this function and use that value
for stall detection. If VM gets suspended then we continue using
"old" jiffies value and old WQ touch timestamps. If IRQ at some
point restarts the stall detection cycle (pvclock_touch_watchdogs())
then old jiffies will always be before new 'ts + thresh'.

Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/workqueue.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 79f2319543ce..994eafd25d64 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -50,6 +50,7 @@
 #include <linux/uaccess.h>
 #include <linux/sched/isolation.h>
 #include <linux/nmi.h>
+#include <linux/kvm_para.h>
 
 #include "workqueue_internal.h"
 
@@ -5772,6 +5773,7 @@ static void wq_watchdog_timer_fn(struct timer_list *unused)
 {
 	unsigned long thresh = READ_ONCE(wq_watchdog_thresh) * HZ;
 	bool lockup_detected = false;
+	unsigned long now = jiffies;
 	struct worker_pool *pool;
 	int pi;
 
@@ -5786,6 +5788,12 @@ static void wq_watchdog_timer_fn(struct timer_list *unused)
 		if (list_empty(&pool->worklist))
 			continue;
 
+		/*
+		 * If a virtual machine is stopped by the host it can look to
+		 * the watchdog like a stall.
+		 */
+		kvm_check_and_clear_guest_paused();
+
 		/* get the latest of pool and touched timestamps */
 		if (pool->cpu >= 0)
 			touched = READ_ONCE(per_cpu(wq_watchdog_touched_cpu, pool->cpu));
@@ -5799,12 +5807,12 @@ static void wq_watchdog_timer_fn(struct timer_list *unused)
 			ts = touched;
 
 		/* did we stall? */
-		if (time_after(jiffies, ts + thresh)) {
+		if (time_after(now, ts + thresh)) {
 			lockup_detected = true;
 			pr_emerg("BUG: workqueue lockup - pool");
 			pr_cont_pool_info(pool);
 			pr_cont(" stuck for %us!\n",
-				jiffies_to_msecs(jiffies - pool_ts) / 1000);
+				jiffies_to_msecs(now - pool_ts) / 1000);
 		}
 	}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 025/173] net/qla3xxx: fix schedule while atomic in ql_sem_spinlock
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 024/173] wq: handle VM suspension in stall detection Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 026/173] RDS tcp loopback connection can hang Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zheyu Ma, David S. Miller, Sasha Levin

From: Zheyu Ma <zheyuma97@gmail.com>

[ Upstream commit 13a6f3153922391e90036ba2267d34eed63196fc ]

When calling the 'ql_sem_spinlock', the driver has already acquired the
spin lock, so the driver should not call 'ssleep' in atomic context.

This bug can be fixed by using 'mdelay' instead of 'ssleep'.

The KASAN's log reveals it:

[    3.238124 ] BUG: scheduling while atomic: swapper/0/1/0x00000002
[    3.238748 ] 2 locks held by swapper/0/1:
[    3.239151 ]  #0: ffff88810177b240 (&dev->mutex){....}-{3:3}, at:
__device_driver_lock+0x41/0x60
[    3.240026 ]  #1: ffff888107c60e28 (&qdev->hw_lock){....}-{2:2}, at:
ql3xxx_probe+0x2aa/0xea0
[    3.240873 ] Modules linked in:
[    3.241187 ] irq event stamp: 460854
[    3.241541 ] hardirqs last  enabled at (460853): [<ffffffff843051bf>]
_raw_spin_unlock_irqrestore+0x4f/0x70
[    3.242245 ] hardirqs last disabled at (460854): [<ffffffff843058ca>]
_raw_spin_lock_irqsave+0x2a/0x70
[    3.242245 ] softirqs last  enabled at (446076): [<ffffffff846002e4>]
__do_softirq+0x2e4/0x4b1
[    3.242245 ] softirqs last disabled at (446069): [<ffffffff811ba5e0>]
irq_exit_rcu+0x100/0x110
[    3.242245 ] Preemption disabled at:
[    3.242245 ] [<ffffffff828ca5ba>] ql3xxx_probe+0x2aa/0xea0
[    3.242245 ] Kernel panic - not syncing: scheduling while atomic
[    3.242245 ] CPU: 2 PID: 1 Comm: swapper/0 Not tainted
5.13.0-rc1-00145
-gee7dc339169-dirty #16
[    3.242245 ] Call Trace:
[    3.242245 ]  dump_stack+0xba/0xf5
[    3.242245 ]  ? ql3xxx_probe+0x1f0/0xea0
[    3.242245 ]  panic+0x15a/0x3f2
[    3.242245 ]  ? vprintk+0x76/0x150
[    3.242245 ]  ? ql3xxx_probe+0x2aa/0xea0
[    3.242245 ]  __schedule_bug+0xae/0xe0
[    3.242245 ]  __schedule+0x72e/0xa00
[    3.242245 ]  schedule+0x43/0xf0
[    3.242245 ]  schedule_timeout+0x28b/0x500
[    3.242245 ]  ? del_timer_sync+0xf0/0xf0
[    3.242245 ]  ? msleep+0x2f/0x70
[    3.242245 ]  msleep+0x59/0x70
[    3.242245 ]  ql3xxx_probe+0x307/0xea0
[    3.242245 ]  ? _raw_spin_unlock_irqrestore+0x3a/0x70
[    3.242245 ]  ? pci_device_remove+0x110/0x110
[    3.242245 ]  local_pci_probe+0x45/0xa0
[    3.242245 ]  pci_device_probe+0x12b/0x1d0
[    3.242245 ]  really_probe+0x2a9/0x610
[    3.242245 ]  driver_probe_device+0x90/0x1d0
[    3.242245 ]  ? mutex_lock_nested+0x1b/0x20
[    3.242245 ]  device_driver_attach+0x68/0x70
[    3.242245 ]  __driver_attach+0x124/0x1b0
[    3.242245 ]  ? device_driver_attach+0x70/0x70
[    3.242245 ]  bus_for_each_dev+0xbb/0x110
[    3.242245 ]  ? rdinit_setup+0x45/0x45
[    3.242245 ]  driver_attach+0x27/0x30
[    3.242245 ]  bus_add_driver+0x1eb/0x2a0
[    3.242245 ]  driver_register+0xa9/0x180
[    3.242245 ]  __pci_register_driver+0x82/0x90
[    3.242245 ]  ? yellowfin_init+0x25/0x25
[    3.242245 ]  ql3xxx_driver_init+0x23/0x25
[    3.242245 ]  do_one_initcall+0x7f/0x3d0
[    3.242245 ]  ? rdinit_setup+0x45/0x45
[    3.242245 ]  ? rcu_read_lock_sched_held+0x4f/0x80
[    3.242245 ]  kernel_init_freeable+0x2aa/0x301
[    3.242245 ]  ? rest_init+0x2c0/0x2c0
[    3.242245 ]  kernel_init+0x18/0x190
[    3.242245 ]  ? rest_init+0x2c0/0x2c0
[    3.242245 ]  ? rest_init+0x2c0/0x2c0
[    3.242245 ]  ret_from_fork+0x1f/0x30
[    3.242245 ] Dumping ftrace buffer:
[    3.242245 ]    (ftrace buffer empty)
[    3.242245 ] Kernel Offset: disabled
[    3.242245 ] Rebooting in 1 seconds.

Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/qlogic/qla3xxx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c
index 214e347097a7..2376b2729633 100644
--- a/drivers/net/ethernet/qlogic/qla3xxx.c
+++ b/drivers/net/ethernet/qlogic/qla3xxx.c
@@ -114,7 +114,7 @@ static int ql_sem_spinlock(struct ql3_adapter *qdev,
 		value = readl(&port_regs->CommonRegs.semaphoreReg);
 		if ((value & (sem_mask >> 16)) == sem_bits)
 			return 0;
-		ssleep(1);
+		mdelay(1000);
 	} while (--seconds);
 	return -1;
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 026/173] RDS tcp loopback connection can hang
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 025/173] net/qla3xxx: fix schedule while atomic in ql_sem_spinlock Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:25 ` [PATCH 5.12 027/173] net:sfc: fix non-freed irq in legacy irq mode Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rao Shoaib, David S. Miller, Sasha Levin

From: Rao Shoaib <rao.shoaib@oracle.com>

[ Upstream commit aced3ce57cd37b5ca332bcacd370d01f5a8c5371 ]

When TCP is used as transport and a program on the
system connects to RDS port 16385, connection is
accepted but denied per the rules of RDS. However,
RDS connections object is left in the list. Next
loopback connection will select that connection
object as it is at the head of list. The connection
attempt will hang as the connection object is set
to connect over TCP which is not allowed

The issue can be reproduced easily, use rds-ping
to ping a local IP address. After that use any
program like ncat to connect to the same IP
address and port 16385. This will hang so ctrl-c out.
Now try rds-ping, it will hang.

To fix the issue this patch adds checks to disallow
the connection object creation and destroys the
connection object.

Signed-off-by: Rao Shoaib <rao.shoaib@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rds/connection.c | 23 +++++++++++++++++------
 net/rds/tcp.c        |  4 ++--
 net/rds/tcp.h        |  3 ++-
 net/rds/tcp_listen.c |  6 ++++++
 4 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/net/rds/connection.c b/net/rds/connection.c
index f2fcab182095..a3bc4b54d491 100644
--- a/net/rds/connection.c
+++ b/net/rds/connection.c
@@ -240,12 +240,23 @@ static struct rds_connection *__rds_conn_create(struct net *net,
 	if (loop_trans) {
 		rds_trans_put(loop_trans);
 		conn->c_loopback = 1;
-		if (is_outgoing && trans->t_prefer_loopback) {
-			/* "outgoing" connection - and the transport
-			 * says it wants the connection handled by the
-			 * loopback transport. This is what TCP does.
-			 */
-			trans = &rds_loop_transport;
+		if (trans->t_prefer_loopback) {
+			if (likely(is_outgoing)) {
+				/* "outgoing" connection to local address.
+				 * Protocol says it wants the connection
+				 * handled by the loopback transport.
+				 * This is what TCP does.
+				 */
+				trans = &rds_loop_transport;
+			} else {
+				/* No transport currently in use
+				 * should end up here, but if it
+				 * does, reset/destroy the connection.
+				 */
+				kmem_cache_free(rds_conn_slab, conn);
+				conn = ERR_PTR(-EOPNOTSUPP);
+				goto out;
+			}
 		}
 	}
 
diff --git a/net/rds/tcp.c b/net/rds/tcp.c
index 43db0eca911f..abf19c0e3ba0 100644
--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -313,8 +313,8 @@ out:
 }
 #endif
 
-static int rds_tcp_laddr_check(struct net *net, const struct in6_addr *addr,
-			       __u32 scope_id)
+int rds_tcp_laddr_check(struct net *net, const struct in6_addr *addr,
+			__u32 scope_id)
 {
 	struct net_device *dev = NULL;
 #if IS_ENABLED(CONFIG_IPV6)
diff --git a/net/rds/tcp.h b/net/rds/tcp.h
index bad9cf49d565..dc8d745d6857 100644
--- a/net/rds/tcp.h
+++ b/net/rds/tcp.h
@@ -59,7 +59,8 @@ u32 rds_tcp_snd_una(struct rds_tcp_connection *tc);
 u64 rds_tcp_map_seq(struct rds_tcp_connection *tc, u32 seq);
 extern struct rds_transport rds_tcp_transport;
 void rds_tcp_accept_work(struct sock *sk);
-
+int rds_tcp_laddr_check(struct net *net, const struct in6_addr *addr,
+			__u32 scope_id);
 /* tcp_connect.c */
 int rds_tcp_conn_path_connect(struct rds_conn_path *cp);
 void rds_tcp_conn_path_shutdown(struct rds_conn_path *conn);
diff --git a/net/rds/tcp_listen.c b/net/rds/tcp_listen.c
index 101cf14215a0..09cadd556d1e 100644
--- a/net/rds/tcp_listen.c
+++ b/net/rds/tcp_listen.c
@@ -167,6 +167,12 @@ int rds_tcp_accept_one(struct socket *sock)
 	}
 #endif
 
+	if (!rds_tcp_laddr_check(sock_net(sock->sk), peer_addr, dev_if)) {
+		/* local address connection is only allowed via loopback */
+		ret = -EOPNOTSUPP;
+		goto out;
+	}
+
 	conn = rds_conn_create(sock_net(sock->sk),
 			       my_addr, peer_addr,
 			       &rds_tcp_transport, 0, GFP_KERNEL, dev_if);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 027/173] net:sfc: fix non-freed irq in legacy irq mode
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 026/173] RDS tcp loopback connection can hang Greg Kroah-Hartman
@ 2021-06-14 10:25 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 028/173] scsi: bnx2fc: Return failure if io_req is already in ABTS processing Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:25 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Íñigo Huguet,
	David S. Miller, Sasha Levin

From: Íñigo Huguet <ihuguet@redhat.com>

[ Upstream commit 8f03eeb6e0a0a0b8d617ee0a4bce729e47130036 ]

SFC driver can be configured via modparam to work using MSI-X, MSI or
legacy IRQ interrupts. In the last one, the interrupt was not properly
released on module remove.

It was not freed because the flag irqs_hooked was not set during
initialization in the case of using legacy IRQ.

Example of (trimmed) trace during module remove without this fix:

remove_proc_entry: removing non-empty directory 'irq/125', leaking at least '0000:3b:00.1'
WARNING: CPU: 39 PID: 3658 at fs/proc/generic.c:715 remove_proc_entry+0x15c/0x170
...trimmed...
Call Trace:
 unregister_irq_proc+0xe3/0x100
 free_desc+0x29/0x70
 irq_free_descs+0x47/0x70
 mp_unmap_irq+0x58/0x60
 acpi_unregister_gsi_ioapic+0x2a/0x40
 acpi_pci_irq_disable+0x78/0xb0
 pci_disable_device+0xd1/0x100
 efx_pci_remove+0xa1/0x1e0 [sfc]
 pci_device_remove+0x38/0xa0
 __device_release_driver+0x177/0x230
 driver_detach+0xcb/0x110
 bus_remove_driver+0x58/0xd0
 pci_unregister_driver+0x2a/0xb0
 efx_exit_module+0x24/0xf40 [sfc]
 __do_sys_delete_module.constprop.0+0x171/0x280
 ? exit_to_user_mode_prepare+0x83/0x1d0
 do_syscall_64+0x3d/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f9f9385800b
...trimmed...

Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/sfc/nic.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/sfc/nic.c b/drivers/net/ethernet/sfc/nic.c
index d1e908846f5d..22fbb0ae77fb 100644
--- a/drivers/net/ethernet/sfc/nic.c
+++ b/drivers/net/ethernet/sfc/nic.c
@@ -90,6 +90,7 @@ int efx_nic_init_interrupt(struct efx_nic *efx)
 				  efx->pci_dev->irq);
 			goto fail1;
 		}
+		efx->irqs_hooked = true;
 		return 0;
 	}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 028/173] scsi: bnx2fc: Return failure if io_req is already in ABTS processing
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2021-06-14 10:25 ` [PATCH 5.12 027/173] net:sfc: fix non-freed irq in legacy irq mode Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 029/173] scsi: vmw_pvscsi: Set correct residual data length Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Himanshu Madhani, Javed Hasan,
	Martin K. Petersen, Sasha Levin

From: Javed Hasan <jhasan@marvell.com>

[ Upstream commit 122c81c563b0c1c6b15ff76a9159af5ee1f21563 ]

Return failure from bnx2fc_eh_abort() if io_req is already in ABTS
processing.

Link: https://lore.kernel.org/r/20210519061416.19321-1-jhasan@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Javed Hasan <jhasan@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/bnx2fc/bnx2fc_io.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/bnx2fc/bnx2fc_io.c b/drivers/scsi/bnx2fc/bnx2fc_io.c
index 1a0dc18d6915..ed300a279a38 100644
--- a/drivers/scsi/bnx2fc/bnx2fc_io.c
+++ b/drivers/scsi/bnx2fc/bnx2fc_io.c
@@ -1220,6 +1220,7 @@ int bnx2fc_eh_abort(struct scsi_cmnd *sc_cmd)
 		   was a result from the ABTS request rather than the CLEANUP
 		   request */
 		set_bit(BNX2FC_FLAG_IO_CLEANUP,	&io_req->req_flags);
+		rc = FAILED;
 		goto done;
 	}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 029/173] scsi: vmw_pvscsi: Set correct residual data length
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 028/173] scsi: bnx2fc: Return failure if io_req is already in ABTS processing Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 030/173] scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated irq Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matt Wang, Martin K. Petersen, Sasha Levin

From: Matt Wang <wwentao@vmware.com>

[ Upstream commit e662502b3a782d479e67736a5a1c169a703d853a ]

Some commands (such as INQUIRY) may return less data than the initiator
requested. To avoid conducting useless information, set the right residual
count to make upper layer aware of this.

Before (INQUIRY PAGE 0xB0 with 128B buffer):

$ sg_raw -r 128 /dev/sda 12 01 B0 00 80 00
SCSI Status: Good

Received 128 bytes of data:
 00 00 b0 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 ...<............
 10 00 00 00 00 00 01 00 00 00 00 00 40 00 00 08 00 ...........@....
 20 80 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 .......... .....
 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

After:

$ sg_raw -r 128 /dev/sda 12 01 B0 00 80 00
SCSI Status: Good

Received 64 bytes of data:
00 00 b0 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 ...<............
10 00 00 00 00 00 01 00 00 00 00 00 40 00 00 08 00 ...........@....
20 80 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 .......... .....
30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

[mkp: clarified description]

Link: https://lore.kernel.org/r/03C41093-B62E-43A2-913E-CFC92F1C70C3@vmware.com
Signed-off-by: Matt Wang <wwentao@vmware.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/vmw_pvscsi.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/vmw_pvscsi.c b/drivers/scsi/vmw_pvscsi.c
index 8a79605d9652..b9969fce6b4d 100644
--- a/drivers/scsi/vmw_pvscsi.c
+++ b/drivers/scsi/vmw_pvscsi.c
@@ -585,7 +585,13 @@ static void pvscsi_complete_request(struct pvscsi_adapter *adapter,
 		case BTSTAT_SUCCESS:
 		case BTSTAT_LINKED_COMMAND_COMPLETED:
 		case BTSTAT_LINKED_COMMAND_COMPLETED_WITH_FLAG:
-			/* If everything went fine, let's move on..  */
+			/*
+			 * Commands like INQUIRY may transfer less data than
+			 * requested by the initiator via bufflen. Set residual
+			 * count to make upper layer aware of the actual amount
+			 * of data returned.
+			 */
+			scsi_set_resid(cmd, scsi_bufflen(cmd) - e->dataLen);
 			cmd->result = (DID_OK << 16);
 			break;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 030/173] scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated irq
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 029/173] scsi: vmw_pvscsi: Set correct residual data length Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 031/173] scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, John Garry,
	Yang Yingliang, Martin K. Petersen, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 7907a021e4bbfa29cccacd2ba2dade894d9a7d4c ]

irqs allocated with devm_request_irq() should not be freed using
free_irq(). Doing so causes a dangling pointer and a subsequent double
free.

Link: https://lore.kernel.org/r/20210519130519.2661938-1-yangyingliang@huawei.com
Reported-by: Hulk Robot <hulkci@huawei.com>
Acked-by: John Garry <john.garry@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
index 4580e081e489..b21246b1ba99 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
@@ -4799,14 +4799,14 @@ hisi_sas_v3_destroy_irqs(struct pci_dev *pdev, struct hisi_hba *hisi_hba)
 {
 	int i;
 
-	free_irq(pci_irq_vector(pdev, 1), hisi_hba);
-	free_irq(pci_irq_vector(pdev, 2), hisi_hba);
-	free_irq(pci_irq_vector(pdev, 11), hisi_hba);
+	devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 1), hisi_hba);
+	devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 2), hisi_hba);
+	devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 11), hisi_hba);
 	for (i = 0; i < hisi_hba->cq_nvecs; i++) {
 		struct hisi_sas_cq *cq = &hisi_hba->cq[i];
 		int nr = hisi_sas_intr_conv ? 16 : 16 + i;
 
-		free_irq(pci_irq_vector(pdev, nr), cq);
+		devm_free_irq(&pdev->dev, pci_irq_vector(pdev, nr), cq);
 	}
 	pci_free_irq_vectors(pdev);
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 031/173] scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 030/173] scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated irq Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 032/173] net: macb: ensure the device is available before accessing GEMGXL control registers Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roman Bolshakov, Dmitry Bogdanov,
	Martin K. Petersen, Sasha Levin

From: Dmitry Bogdanov <d.bogdanov@yadro.com>

[ Upstream commit 2ef7665dfd88830f15415ba007c7c9a46be7acd8 ]

Target de-configuration panics at high CPU load because TPGT and WWPN can
be removed on separate threads.

TPGT removal requests a reset HBA on a separate thread and waits for reset
complete (phase1). Due to high CPU load that HBA reset can be delayed for
some time.

WWPN removal does qlt_stop_phase2(). There it is believed that phase1 has
already completed and thus tgt.tgt_ops is subsequently cleared. However,
tgt.tgt_ops is needed to process incoming traffic and therefore this will
cause one of the following panics:

NIP qlt_reset+0x7c/0x220 [qla2xxx]
LR  qlt_reset+0x68/0x220 [qla2xxx]
Call Trace:
0xc000003ffff63a78 (unreliable)
qlt_handle_imm_notify+0x800/0x10c0 [qla2xxx]
qlt_24xx_atio_pkt+0x208/0x590 [qla2xxx]
qlt_24xx_process_atio_queue+0x33c/0x7a0 [qla2xxx]
qla83xx_msix_atio_q+0x54/0x90 [qla2xxx]

or

NIP qlt_24xx_handle_abts+0xd0/0x2a0 [qla2xxx]
LR  qlt_24xx_handle_abts+0xb4/0x2a0 [qla2xxx]
Call Trace:
qlt_24xx_handle_abts+0x90/0x2a0 [qla2xxx] (unreliable)
qlt_24xx_process_atio_queue+0x500/0x7a0 [qla2xxx]
qla83xx_msix_atio_q+0x54/0x90 [qla2xxx]

or

NIP qlt_create_sess+0x90/0x4e0 [qla2xxx]
LR  qla24xx_do_nack_work+0xa8/0x180 [qla2xxx]
Call Trace:
0xc0000000348fba30 (unreliable)
qla24xx_do_nack_work+0xa8/0x180 [qla2xxx]
qla2x00_do_work+0x674/0xbf0 [qla2xxx]
qla2x00_iocb_work_fn

The patch fixes the issue by serializing qlt_stop_phase1() and
qlt_stop_phase2() functions to make WWPN removal wait for phase1
completion.

Link: https://lore.kernel.org/r/20210415203554.27890-1-d.bogdanov@yadro.com
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/qla2xxx/qla_target.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
index 480e7d2dcf3e..745d6d98c02e 100644
--- a/drivers/scsi/qla2xxx/qla_target.c
+++ b/drivers/scsi/qla2xxx/qla_target.c
@@ -1558,10 +1558,12 @@ void qlt_stop_phase2(struct qla_tgt *tgt)
 		return;
 	}
 
+	mutex_lock(&tgt->ha->optrom_mutex);
 	mutex_lock(&vha->vha_tgt.tgt_mutex);
 	tgt->tgt_stop = 0;
 	tgt->tgt_stopped = 1;
 	mutex_unlock(&vha->vha_tgt.tgt_mutex);
+	mutex_unlock(&tgt->ha->optrom_mutex);
 
 	ql_dbg(ql_dbg_tgt_mgt, vha, 0xf00c, "Stop of tgt %p finished\n",
 	    tgt);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 032/173] net: macb: ensure the device is available before accessing GEMGXL control registers
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 031/173] scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 033/173] net: appletalk: cops: Fix data race in cops_probe1 Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zong Li, David S. Miller, Sasha Levin

From: Zong Li <zong.li@sifive.com>

[ Upstream commit 5eff1461a6dec84f04fafa9128548bad51d96147 ]

If runtime power menagement is enabled, the gigabit ethernet PLL would
be disabled after macb_probe(). During this period of time, the system
would hang up if we try to access GEMGXL control registers.

We can't put runtime_pm_get/runtime_pm_put/ there due to the issue of
sleep inside atomic section (7fa2955ff70ce453 ("sh_eth: Fix sleeping
function called from invalid context"). Add netif_running checking to
ensure the device is available before accessing GEMGXL device.

Changed in v2:
 - Use netif_running instead of its own flag

Signed-off-by: Zong Li <zong.li@sifive.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/cadence/macb_main.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
index 0f6a6cb7e98d..51b19172d63b 100644
--- a/drivers/net/ethernet/cadence/macb_main.c
+++ b/drivers/net/ethernet/cadence/macb_main.c
@@ -2837,6 +2837,9 @@ static struct net_device_stats *gem_get_stats(struct macb *bp)
 	struct gem_stats *hwstat = &bp->hw_stats.gem;
 	struct net_device_stats *nstat = &bp->dev->stats;
 
+	if (!netif_running(bp->dev))
+		return nstat;
+
 	gem_update_stats(bp);
 
 	nstat->rx_errors = (hwstat->rx_frame_check_sequence_errors +
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 033/173] net: appletalk: cops: Fix data race in cops_probe1
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 032/173] net: macb: ensure the device is available before accessing GEMGXL control registers Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 034/173] net: dsa: microchip: enable phy errata workaround on 9567 Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Saubhik Mukherjee, David S. Miller,
	Sasha Levin

From: Saubhik Mukherjee <saubhik.mukherjee@gmail.com>

[ Upstream commit a4dd4fc6105e54393d637450a11d4cddb5fabc4f ]

In cops_probe1(), there is a write to dev->base_addr after requesting an
interrupt line and registering the interrupt handler cops_interrupt().
The handler might be called in parallel to handle an interrupt.
cops_interrupt() tries to read dev->base_addr leading to a potential
data race. So write to dev->base_addr before calling request_irq().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Saubhik Mukherjee <saubhik.mukherjee@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/appletalk/cops.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/appletalk/cops.c b/drivers/net/appletalk/cops.c
index ba8e70a8e312..6b12ce822e51 100644
--- a/drivers/net/appletalk/cops.c
+++ b/drivers/net/appletalk/cops.c
@@ -327,6 +327,8 @@ static int __init cops_probe1(struct net_device *dev, int ioaddr)
 			break;
 	}
 
+	dev->base_addr = ioaddr;
+
 	/* Reserve any actual interrupt. */
 	if (dev->irq) {
 		retval = request_irq(dev->irq, cops_interrupt, 0, dev->name, dev);
@@ -334,8 +336,6 @@ static int __init cops_probe1(struct net_device *dev, int ioaddr)
 			goto err_out;
 	}
 
-	dev->base_addr = ioaddr;
-
         lp = netdev_priv(dev);
         spin_lock_init(&lp->lock);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 034/173] net: dsa: microchip: enable phy errata workaround on 9567
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 033/173] net: appletalk: cops: Fix data race in cops_probe1 Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 035/173] Makefile: LTO: have linker check -Wframe-larger-than Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, George McCollister, Florian Fainelli,
	David S. Miller, Sasha Levin

From: George McCollister <george.mccollister@gmail.com>

[ Upstream commit 8c42a49738f16af0061f9ae5c2f5a955f268d9e3 ]

Also enable phy errata workaround on 9567 since has the same errata as
the 9477 according to the manufacture's documentation.

Signed-off-by: George McCollister <george.mccollister@gmail.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/dsa/microchip/ksz9477.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/dsa/microchip/ksz9477.c b/drivers/net/dsa/microchip/ksz9477.c
index 55e5d479acce..854e25f43fa7 100644
--- a/drivers/net/dsa/microchip/ksz9477.c
+++ b/drivers/net/dsa/microchip/ksz9477.c
@@ -1530,6 +1530,7 @@ static const struct ksz_chip_data ksz9477_switch_chips[] = {
 		.num_statics = 16,
 		.cpu_ports = 0x7F,	/* can be configured as cpu port */
 		.port_cnt = 7,		/* total physical port count */
+		.phy_errata_9477 = true,
 	},
 };
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 035/173] Makefile: LTO: have linker check -Wframe-larger-than
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 034/173] net: dsa: microchip: enable phy errata workaround on 9567 Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 036/173] nvme-fabrics: decode host pathing error for connect Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sami Tolvanen, Candle Sun,
	Fangrui Song, Nick Desaulniers, Kees Cook, Sasha Levin

From: Nick Desaulniers <ndesaulniers@google.com>

[ Upstream commit 24845dcb170e16b3100bd49743687648c71387ae ]

-Wframe-larger-than= requires stack frame information, which the
frontend cannot provide. This diagnostic is emitted late during
compilation once stack frame size is available.

When building with LTO, the frontend simply lowers C to LLVM IR and does
not have stack frame information, so it cannot emit this diagnostic.
When the linker drives LTO, it restarts optimizations and lowers LLVM IR
to object code. At that point, it has stack frame information but
doesn't know to check for a specific max stack frame size.

I consider this a bug in LLVM that we need to fix. There are some
details we're working out related to LTO such as which value to use when
there are multiple different values specified per TU, or how to
propagate these to compiler synthesized routines properly, if at all.

Until it's fixed, ensure we don't miss these. At that point we can wrap
this in a compiler version guard or revert this based on the minimum
support version of Clang.

The error message is not generated during link:
  LTO     vmlinux.o
ld.lld: warning: stack size limit exceeded (8224) in foobarbaz

Cc: Sami Tolvanen <samitolvanen@google.com>
Reported-by: Candle Sun <candlesea@gmail.com>
Suggested-by: Fangrui Song <maskray@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20210312010942.1546679-1-ndesaulniers@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Makefile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Makefile b/Makefile
index ebc02c56db03..358a2b103de9 100644
--- a/Makefile
+++ b/Makefile
@@ -912,6 +912,11 @@ CC_FLAGS_LTO	+= -fvisibility=hidden
 
 # Limit inlining across translation units to reduce binary size
 KBUILD_LDFLAGS += -mllvm -import-instr-limit=5
+
+# Check for frame size exceeding threshold during prolog/epilog insertion.
+ifneq ($(CONFIG_FRAME_WARN),0)
+KBUILD_LDFLAGS	+= -plugin-opt=-warn-stack-size=$(CONFIG_FRAME_WARN)
+endif
 endif
 
 ifdef CONFIG_LTO
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 036/173] nvme-fabrics: decode host pathing error for connect
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 035/173] Makefile: LTO: have linker check -Wframe-larger-than Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 037/173] MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hannes Reinecke, Sagi Grimberg,
	Chaitanya Kulkarni, Himanshu Madhani, Christoph Hellwig,
	Sasha Levin

From: Hannes Reinecke <hare@suse.de>

[ Upstream commit 4d9442bf263ac45d495bb7ecf75009e59c0622b2 ]

Add an additional decoding for 'host pathing error' during connect.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/host/fabrics.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c
index 604ab0e5a2ad..fb02ca2e3096 100644
--- a/drivers/nvme/host/fabrics.c
+++ b/drivers/nvme/host/fabrics.c
@@ -336,6 +336,11 @@ static void nvmf_log_connect_error(struct nvme_ctrl *ctrl,
 			cmd->connect.recfmt);
 		break;
 
+	case NVME_SC_HOST_PATH_ERROR:
+		dev_err(ctrl->device,
+			"Connect command failed: host path error\n");
+		break;
+
 	default:
 		dev_err(ctrl->device,
 			"Connect command failed, error wo/DNR bit: %d\n",
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 037/173] MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 036/173] nvme-fabrics: decode host pathing error for connect Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 038/173] bpf, selftests: Adjust few selftest result_unpriv outcomes Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tiezhu Yang, Steven Rostedt,
	Thomas Bogendoerfer, Sasha Levin

From: Tiezhu Yang <yangtiezhu@loongson.cn>

[ Upstream commit 78cf0eb926cb1abeff2106bae67752e032fe5f3e ]

When update the latest mainline kernel with the following three configs,
the kernel hangs during startup:

(1) CONFIG_FUNCTION_GRAPH_TRACER=y
(2) CONFIG_PREEMPT_TRACER=y
(3) CONFIG_FTRACE_STARTUP_TEST=y

When update the latest mainline kernel with the above two configs (1)
and (2), the kernel starts normally, but it still hangs when execute
the following command:

echo "function_graph" > /sys/kernel/debug/tracing/current_tracer

Without CONFIG_PREEMPT_TRACER=y, the above two kinds of kernel hangs
disappeared, so it seems that CONFIG_PREEMPT_TRACER has some influences
with function_graph tracer at the first glance.

I use ejtag to find out the epc address is related with preempt_enable()
in the file arch/mips/lib/mips-atomic.c, because function tracing can
trace the preempt_{enable,disable} calls that are traced, replace them
with preempt_{enable,disable}_notrace to prevent function tracing from
going into an infinite loop, and then it can fix the kernel hang issue.

By the way, it seems that this commit is a complement and improvement of
commit f93a1a00f2bd ("MIPS: Fix crash that occurs when function tracing
is enabled").

Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
Cc: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/lib/mips-atomic.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/arch/mips/lib/mips-atomic.c b/arch/mips/lib/mips-atomic.c
index de03838b343b..a9b72eacfc0b 100644
--- a/arch/mips/lib/mips-atomic.c
+++ b/arch/mips/lib/mips-atomic.c
@@ -37,7 +37,7 @@
  */
 notrace void arch_local_irq_disable(void)
 {
-	preempt_disable();
+	preempt_disable_notrace();
 
 	__asm__ __volatile__(
 	"	.set	push						\n"
@@ -53,7 +53,7 @@ notrace void arch_local_irq_disable(void)
 	: /* no inputs */
 	: "memory");
 
-	preempt_enable();
+	preempt_enable_notrace();
 }
 EXPORT_SYMBOL(arch_local_irq_disable);
 
@@ -61,7 +61,7 @@ notrace unsigned long arch_local_irq_save(void)
 {
 	unsigned long flags;
 
-	preempt_disable();
+	preempt_disable_notrace();
 
 	__asm__ __volatile__(
 	"	.set	push						\n"
@@ -78,7 +78,7 @@ notrace unsigned long arch_local_irq_save(void)
 	: /* no inputs */
 	: "memory");
 
-	preempt_enable();
+	preempt_enable_notrace();
 
 	return flags;
 }
@@ -88,7 +88,7 @@ notrace void arch_local_irq_restore(unsigned long flags)
 {
 	unsigned long __tmp1;
 
-	preempt_disable();
+	preempt_disable_notrace();
 
 	__asm__ __volatile__(
 	"	.set	push						\n"
@@ -106,7 +106,7 @@ notrace void arch_local_irq_restore(unsigned long flags)
 	: "0" (flags)
 	: "memory");
 
-	preempt_enable();
+	preempt_enable_notrace();
 }
 EXPORT_SYMBOL(arch_local_irq_restore);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 038/173] bpf, selftests: Adjust few selftest result_unpriv outcomes
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 037/173] MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 039/173] dm verity: fix require_signatures module_param permissions Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Borkmann, Alexei Starovoitov,
	Sasha Levin

From: Daniel Borkmann <daniel@iogearbox.net>

[ Upstream commit 1bad6fd52be4ce12d207e2820ceb0f29ab31fc53 ]

Given we don't need to simulate the speculative domain for registers with
immediates anymore since the verifier uses direct imm-based rewrites instead
of having to mask, we can also lift a few cases that were previously rejected.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/bpf/verifier/stack_ptr.c       | 2 --
 tools/testing/selftests/bpf/verifier/value_ptr_arith.c | 8 --------
 2 files changed, 10 deletions(-)

diff --git a/tools/testing/selftests/bpf/verifier/stack_ptr.c b/tools/testing/selftests/bpf/verifier/stack_ptr.c
index 07eaa04412ae..8ab94d65f3d5 100644
--- a/tools/testing/selftests/bpf/verifier/stack_ptr.c
+++ b/tools/testing/selftests/bpf/verifier/stack_ptr.c
@@ -295,8 +295,6 @@
 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
 	BPF_EXIT_INSN(),
 	},
-	.result_unpriv = REJECT,
-	.errstr_unpriv = "invalid write to stack R1 off=0 size=1",
 	.result = ACCEPT,
 	.retval = 42,
 },
diff --git a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
index e5913fd3b903..7ae2859d495c 100644
--- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
+++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
@@ -300,8 +300,6 @@
 	},
 	.fixup_map_array_48b = { 3 },
 	.result = ACCEPT,
-	.result_unpriv = REJECT,
-	.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
 	.retval = 1,
 },
 {
@@ -371,8 +369,6 @@
 	},
 	.fixup_map_array_48b = { 3 },
 	.result = ACCEPT,
-	.result_unpriv = REJECT,
-	.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
 	.retval = 1,
 },
 {
@@ -472,8 +468,6 @@
 	},
 	.fixup_map_array_48b = { 3 },
 	.result = ACCEPT,
-	.result_unpriv = REJECT,
-	.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
 	.retval = 1,
 },
 {
@@ -766,8 +760,6 @@
 	},
 	.fixup_map_array_48b = { 3 },
 	.result = ACCEPT,
-	.result_unpriv = REJECT,
-	.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
 	.retval = 1,
 },
 {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 039/173] dm verity: fix require_signatures module_param permissions
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 038/173] bpf, selftests: Adjust few selftest result_unpriv outcomes Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 040/173] bnx2x: Fix missing error code in bnx2x_iov_init_one() Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Keeping, Mike Snitzer, Sasha Levin

From: John Keeping <john@metanate.com>

[ Upstream commit 0c1f3193b1cdd21e7182f97dc9bca7d284d18a15 ]

The third parameter of module_param() is permissions for the sysfs node
but it looks like it is being used as the initial value of the parameter
here.  In fact, false here equates to omitting the file from sysfs and
does not affect the value of require_signatures.

Making the parameter writable is not simple because going from
false->true is fine but it should not be possible to remove the
requirement to verify a signature.  But it can be useful to inspect the
value of this parameter from userspace, so change the permissions to
make a read-only file in sysfs.

Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/dm-verity-verify-sig.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
index 29385dc470d5..db61a1f43ae9 100644
--- a/drivers/md/dm-verity-verify-sig.c
+++ b/drivers/md/dm-verity-verify-sig.c
@@ -15,7 +15,7 @@
 #define DM_VERITY_VERIFY_ERR(s) DM_VERITY_ROOT_HASH_VERIFICATION " " s
 
 static bool require_signatures;
-module_param(require_signatures, bool, false);
+module_param(require_signatures, bool, 0444);
 MODULE_PARM_DESC(require_signatures,
 		"Verify the roothash of dm-verity hash tree");
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 040/173] bnx2x: Fix missing error code in bnx2x_iov_init_one()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 039/173] dm verity: fix require_signatures module_param permissions Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 041/173] nvme-tcp: remove incorrect Kconfig dep in BLK_DEV_NVME Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Abaci Robot, Jiapeng Chong,
	David S. Miller, Sasha Levin

From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>

[ Upstream commit 65161c35554f7135e6656b3df1ce2c500ca0bdcf ]

Eliminate the follow smatch warning:

drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:1227
bnx2x_iov_init_one() warn: missing error code 'err'.

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
index 9c2f51f23035..9108b497b3c9 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
@@ -1224,8 +1224,10 @@ int bnx2x_iov_init_one(struct bnx2x *bp, int int_mode_param,
 		goto failed;
 
 	/* SR-IOV capability was enabled but there are no VFs*/
-	if (iov->total == 0)
+	if (iov->total == 0) {
+		err = -EINVAL;
 		goto failed;
+	}
 
 	iov->nr_virtfn = min_t(u16, iov->total, num_vfs_param);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 041/173] nvme-tcp: remove incorrect Kconfig dep in BLK_DEV_NVME
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 040/173] bnx2x: Fix missing error code in bnx2x_iov_init_one() Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 042/173] nvmet: fix false keep-alive timeout when a controller is torn down Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sagi Grimberg, Max Gurtovoy,
	Chaitanya Kulkarni, Christoph Hellwig, Sasha Levin

From: Sagi Grimberg <sagi@grimberg.me>

[ Upstream commit 042a3eaad6daeabcfaf163aa44da8ea3cf8b5496 ]

We need to select NVME_CORE.

Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/host/Kconfig | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/host/Kconfig b/drivers/nvme/host/Kconfig
index a44d49d63968..494675aeaaad 100644
--- a/drivers/nvme/host/Kconfig
+++ b/drivers/nvme/host/Kconfig
@@ -71,7 +71,8 @@ config NVME_FC
 config NVME_TCP
 	tristate "NVM Express over Fabrics TCP host driver"
 	depends on INET
-	depends on BLK_DEV_NVME
+	depends on BLOCK
+	select NVME_CORE
 	select NVME_FABRICS
 	select CRYPTO
 	select CRYPTO_CRC32C
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 042/173] nvmet: fix false keep-alive timeout when a controller is torn down
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 041/173] nvme-tcp: remove incorrect Kconfig dep in BLK_DEV_NVME Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 043/173] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yi Zhang, Sagi Grimberg,
	Chaitanya Kulkarni, Hannes Reinecke, Christoph Hellwig,
	Sasha Levin

From: Sagi Grimberg <sagi@grimberg.me>

[ Upstream commit aaeadd7075dc9e184bc7876e9dd7b3bada771df2 ]

Controller teardown flow may take some time in case it has many I/O
queues, and the host may not send us keep-alive during this period.
Hence reset the traffic based keep-alive timer so we don't trigger
a controller teardown as a result of a keep-alive expiration.

Reported-by: Yi Zhang <yi.zhang@redhat.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Tested-by: Yi Zhang <yi.zhang@redhat.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/target/core.c  | 15 +++++++++++----
 drivers/nvme/target/nvmet.h |  2 +-
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index 7d16cb4cd8ac..83921dab8368 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -388,10 +388,10 @@ static void nvmet_keep_alive_timer(struct work_struct *work)
 {
 	struct nvmet_ctrl *ctrl = container_of(to_delayed_work(work),
 			struct nvmet_ctrl, ka_work);
-	bool cmd_seen = ctrl->cmd_seen;
+	bool reset_tbkas = ctrl->reset_tbkas;
 
-	ctrl->cmd_seen = false;
-	if (cmd_seen) {
+	ctrl->reset_tbkas = false;
+	if (reset_tbkas) {
 		pr_debug("ctrl %d reschedule traffic based keep-alive timer\n",
 			ctrl->cntlid);
 		schedule_delayed_work(&ctrl->ka_work, ctrl->kato * HZ);
@@ -804,6 +804,13 @@ void nvmet_sq_destroy(struct nvmet_sq *sq)
 	percpu_ref_exit(&sq->ref);
 
 	if (ctrl) {
+		/*
+		 * The teardown flow may take some time, and the host may not
+		 * send us keep-alive during this period, hence reset the
+		 * traffic based keep-alive timer so we don't trigger a
+		 * controller teardown as a result of a keep-alive expiration.
+		 */
+		ctrl->reset_tbkas = true;
 		nvmet_ctrl_put(ctrl);
 		sq->ctrl = NULL; /* allows reusing the queue later */
 	}
@@ -953,7 +960,7 @@ bool nvmet_req_init(struct nvmet_req *req, struct nvmet_cq *cq,
 	}
 
 	if (sq->ctrl)
-		sq->ctrl->cmd_seen = true;
+		sq->ctrl->reset_tbkas = true;
 
 	return true;
 
diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
index 5aad34b106dc..43a668dc8bc4 100644
--- a/drivers/nvme/target/nvmet.h
+++ b/drivers/nvme/target/nvmet.h
@@ -166,7 +166,7 @@ struct nvmet_ctrl {
 	struct nvmet_subsys	*subsys;
 	struct nvmet_sq		**sqs;
 
-	bool			cmd_seen;
+	bool			reset_tbkas;
 
 	struct mutex		lock;
 	u64			cap;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 043/173] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 042/173] nvmet: fix false keep-alive timeout when a controller is torn down Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 044/173] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 " Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Packham, Michael Ellerman,
	Wolfram Sang, Sasha Levin

From: Chris Packham <chris.packham@alliedtelesis.co.nz>

[ Upstream commit 7adc7b225cddcfd0f346d10144fd7a3d3d9f9ea7 ]

The i2c controllers on the P2040/P2041 have an erratum where the
documented scheme for i2c bus recovery will not work (A-004447). A
different mechanism is needed which is documented in the P2040 Chip
Errata Rev Q (latest available at the time of writing).

Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/boot/dts/fsl/p2041si-post.dtsi | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/arch/powerpc/boot/dts/fsl/p2041si-post.dtsi b/arch/powerpc/boot/dts/fsl/p2041si-post.dtsi
index 872e4485dc3f..ddc018d42252 100644
--- a/arch/powerpc/boot/dts/fsl/p2041si-post.dtsi
+++ b/arch/powerpc/boot/dts/fsl/p2041si-post.dtsi
@@ -371,7 +371,23 @@
 	};
 
 /include/ "qoriq-i2c-0.dtsi"
+	i2c@118000 {
+		fsl,i2c-erratum-a004447;
+	};
+
+	i2c@118100 {
+		fsl,i2c-erratum-a004447;
+	};
+
 /include/ "qoriq-i2c-1.dtsi"
+	i2c@119000 {
+		fsl,i2c-erratum-a004447;
+	};
+
+	i2c@119100 {
+		fsl,i2c-erratum-a004447;
+	};
+
 /include/ "qoriq-duart-0.dtsi"
 /include/ "qoriq-duart-1.dtsi"
 /include/ "qoriq-gpio-0.dtsi"
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 044/173] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 i2c controllers
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 043/173] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 045/173] spi: Dont have controller clean up spi device before driver unbind Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Packham, Michael Ellerman,
	Wolfram Sang, Sasha Levin

From: Chris Packham <chris.packham@alliedtelesis.co.nz>

[ Upstream commit 19ae697a1e4edf1d755b413e3aa38da65e2db23b ]

The i2c controllers on the P1010 have an erratum where the documented
scheme for i2c bus recovery will not work (A-004447). A different
mechanism is needed which is documented in the P1010 Chip Errata Rev L.

Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/boot/dts/fsl/p1010si-post.dtsi | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/powerpc/boot/dts/fsl/p1010si-post.dtsi b/arch/powerpc/boot/dts/fsl/p1010si-post.dtsi
index 1b4aafc1f6a2..9716a0484ecf 100644
--- a/arch/powerpc/boot/dts/fsl/p1010si-post.dtsi
+++ b/arch/powerpc/boot/dts/fsl/p1010si-post.dtsi
@@ -122,7 +122,15 @@
 	};
 
 /include/ "pq3-i2c-0.dtsi"
+	i2c@3000 {
+		fsl,i2c-erratum-a004447;
+	};
+
 /include/ "pq3-i2c-1.dtsi"
+	i2c@3100 {
+		fsl,i2c-erratum-a004447;
+	};
+
 /include/ "pq3-duart-0.dtsi"
 /include/ "pq3-espi-0.dtsi"
 	spi0: spi@7000 {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 045/173] spi: Dont have controller clean up spi device before driver unbind
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 044/173] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 " Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 046/173] spi: Cleanup on failure of initial setup Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lukas Wunner, Saravana Kannan,
	Andy Shevchenko, Mark Brown, Sasha Levin

From: Saravana Kannan <saravanak@google.com>

[ Upstream commit 27e7db56cf3dffd302bd7ddfacb1d405cf671a2a ]

When a spi device is unregistered and triggers a driver unbind, the
driver might need to access the spi device. So, don't have the
controller clean up the spi device before the driver is unbound. Clean
up the spi device after the driver is unbound.

Fixes: c7299fea6769 ("spi: Fix spi device unregister flow")
Reported-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Saravana Kannan <saravanak@google.com>
Tested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20210505164734.175546-1-saravanak@google.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
index 125116ab3386..e067c54e87dd 100644
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -717,15 +717,15 @@ void spi_unregister_device(struct spi_device *spi)
 	if (!spi)
 		return;
 
-	spi_cleanup(spi);
-
 	if (spi->dev.of_node) {
 		of_node_clear_flag(spi->dev.of_node, OF_POPULATED);
 		of_node_put(spi->dev.of_node);
 	}
 	if (ACPI_COMPANION(&spi->dev))
 		acpi_device_clear_enumerated(ACPI_COMPANION(&spi->dev));
-	device_unregister(&spi->dev);
+	device_del(&spi->dev);
+	spi_cleanup(spi);
+	put_device(&spi->dev);
 }
 EXPORT_SYMBOL_GPL(spi_unregister_device);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 046/173] spi: Cleanup on failure of initial setup
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 045/173] spi: Dont have controller clean up spi device before driver unbind Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 047/173] i2c: mpc: Make use of i2c_recover_bus() Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lukas Wunner, Saravana Kannan,
	Mark Brown, Sasha Levin, Andy Shevchenko

From: Lukas Wunner <lukas@wunner.de>

[ Upstream commit 2ec6f20b33eb4f62ab90bdcd620436c883ec3af6 ]

Commit c7299fea6769 ("spi: Fix spi device unregister flow") changed the
SPI core's behavior if the ->setup() hook returns an error upon adding
an spi_device:  Before, the ->cleanup() hook was invoked to free any
allocations that were made by ->setup().  With the commit, that's no
longer the case, so the ->setup() hook is expected to free the
allocations itself.

I've identified 5 drivers which depend on the old behavior and am fixing
them up hereinafter: spi-bitbang.c spi-fsl-spi.c spi-omap-uwire.c
spi-omap2-mcspi.c spi-pxa2xx.c

Importantly, ->setup() is not only invoked on spi_device *addition*:
It may subsequently be called to *change* SPI parameters.  If changing
these SPI parameters fails, freeing memory allocations would be wrong.
That should only be done if the spi_device is finally destroyed.
I am therefore using a bool "initial_setup" in 4 of the affected drivers
to differentiate between the invocation on *adding* the spi_device and
any subsequent invocations: spi-bitbang.c spi-fsl-spi.c spi-omap-uwire.c
spi-omap2-mcspi.c

In spi-pxa2xx.c, it seems the ->setup() hook can only fail on spi_device
addition, not any subsequent calls.  It therefore doesn't need the bool.

It's worth noting that 5 other drivers already perform a cleanup if the
->setup() hook fails.  Before c7299fea6769, they caused a double-free
if ->setup() failed on spi_device addition.  Since the commit, they're
fine.  These drivers are: spi-mpc512x-psc.c spi-pl022.c spi-s3c64xx.c
spi-st-ssc4.c spi-tegra114.c

(spi-pxa2xx.c also already performs a cleanup, but only in one of
several error paths.)

Fixes: c7299fea6769 ("spi: Fix spi device unregister flow")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: Saravana Kannan <saravanak@google.com>
Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> # pxa2xx
Link: https://lore.kernel.org/r/f76a0599469f265b69c371538794101fa37b5536.1622149321.git.lukas@wunner.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-bitbang.c     | 18 ++++++++++++++----
 drivers/spi/spi-fsl-spi.c     |  4 ++++
 drivers/spi/spi-omap-uwire.c  |  9 ++++++++-
 drivers/spi/spi-omap2-mcspi.c | 33 ++++++++++++++++++++-------------
 drivers/spi/spi-pxa2xx.c      |  9 ++++++++-
 5 files changed, 54 insertions(+), 19 deletions(-)

diff --git a/drivers/spi/spi-bitbang.c b/drivers/spi/spi-bitbang.c
index 1a7352abd878..3d8948a17095 100644
--- a/drivers/spi/spi-bitbang.c
+++ b/drivers/spi/spi-bitbang.c
@@ -181,6 +181,8 @@ int spi_bitbang_setup(struct spi_device *spi)
 {
 	struct spi_bitbang_cs	*cs = spi->controller_state;
 	struct spi_bitbang	*bitbang;
+	bool			initial_setup = false;
+	int			retval;
 
 	bitbang = spi_master_get_devdata(spi->master);
 
@@ -189,22 +191,30 @@ int spi_bitbang_setup(struct spi_device *spi)
 		if (!cs)
 			return -ENOMEM;
 		spi->controller_state = cs;
+		initial_setup = true;
 	}
 
 	/* per-word shift register access, in hardware or bitbanging */
 	cs->txrx_word = bitbang->txrx_word[spi->mode & (SPI_CPOL|SPI_CPHA)];
-	if (!cs->txrx_word)
-		return -EINVAL;
+	if (!cs->txrx_word) {
+		retval = -EINVAL;
+		goto err_free;
+	}
 
 	if (bitbang->setup_transfer) {
-		int retval = bitbang->setup_transfer(spi, NULL);
+		retval = bitbang->setup_transfer(spi, NULL);
 		if (retval < 0)
-			return retval;
+			goto err_free;
 	}
 
 	dev_dbg(&spi->dev, "%s, %u nsec/bit\n", __func__, 2 * cs->nsecs);
 
 	return 0;
+
+err_free:
+	if (initial_setup)
+		kfree(cs);
+	return retval;
 }
 EXPORT_SYMBOL_GPL(spi_bitbang_setup);
 
diff --git a/drivers/spi/spi-fsl-spi.c b/drivers/spi/spi-fsl-spi.c
index d0e5aa18b7ba..bdf94cc7be1a 100644
--- a/drivers/spi/spi-fsl-spi.c
+++ b/drivers/spi/spi-fsl-spi.c
@@ -440,6 +440,7 @@ static int fsl_spi_setup(struct spi_device *spi)
 {
 	struct mpc8xxx_spi *mpc8xxx_spi;
 	struct fsl_spi_reg __iomem *reg_base;
+	bool initial_setup = false;
 	int retval;
 	u32 hw_mode;
 	struct spi_mpc8xxx_cs *cs = spi_get_ctldata(spi);
@@ -452,6 +453,7 @@ static int fsl_spi_setup(struct spi_device *spi)
 		if (!cs)
 			return -ENOMEM;
 		spi_set_ctldata(spi, cs);
+		initial_setup = true;
 	}
 	mpc8xxx_spi = spi_master_get_devdata(spi->master);
 
@@ -475,6 +477,8 @@ static int fsl_spi_setup(struct spi_device *spi)
 	retval = fsl_spi_setup_transfer(spi, NULL);
 	if (retval < 0) {
 		cs->hw_mode = hw_mode; /* Restore settings */
+		if (initial_setup)
+			kfree(cs);
 		return retval;
 	}
 
diff --git a/drivers/spi/spi-omap-uwire.c b/drivers/spi/spi-omap-uwire.c
index 71402f71ddd8..df28c6664aba 100644
--- a/drivers/spi/spi-omap-uwire.c
+++ b/drivers/spi/spi-omap-uwire.c
@@ -424,15 +424,22 @@ done:
 static int uwire_setup(struct spi_device *spi)
 {
 	struct uwire_state *ust = spi->controller_state;
+	bool initial_setup = false;
+	int status;
 
 	if (ust == NULL) {
 		ust = kzalloc(sizeof(*ust), GFP_KERNEL);
 		if (ust == NULL)
 			return -ENOMEM;
 		spi->controller_state = ust;
+		initial_setup = true;
 	}
 
-	return uwire_setup_transfer(spi, NULL);
+	status = uwire_setup_transfer(spi, NULL);
+	if (status && initial_setup)
+		kfree(ust);
+
+	return status;
 }
 
 static void uwire_cleanup(struct spi_device *spi)
diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c
index d4c9510af393..3596bbe4b776 100644
--- a/drivers/spi/spi-omap2-mcspi.c
+++ b/drivers/spi/spi-omap2-mcspi.c
@@ -1032,8 +1032,22 @@ static void omap2_mcspi_release_dma(struct spi_master *master)
 	}
 }
 
+static void omap2_mcspi_cleanup(struct spi_device *spi)
+{
+	struct omap2_mcspi_cs	*cs;
+
+	if (spi->controller_state) {
+		/* Unlink controller state from context save list */
+		cs = spi->controller_state;
+		list_del(&cs->node);
+
+		kfree(cs);
+	}
+}
+
 static int omap2_mcspi_setup(struct spi_device *spi)
 {
+	bool			initial_setup = false;
 	int			ret;
 	struct omap2_mcspi	*mcspi = spi_master_get_devdata(spi->master);
 	struct omap2_mcspi_regs	*ctx = &mcspi->ctx;
@@ -1051,35 +1065,28 @@ static int omap2_mcspi_setup(struct spi_device *spi)
 		spi->controller_state = cs;
 		/* Link this to context save list */
 		list_add_tail(&cs->node, &ctx->cs);
+		initial_setup = true;
 	}
 
 	ret = pm_runtime_get_sync(mcspi->dev);
 	if (ret < 0) {
 		pm_runtime_put_noidle(mcspi->dev);
+		if (initial_setup)
+			omap2_mcspi_cleanup(spi);
 
 		return ret;
 	}
 
 	ret = omap2_mcspi_setup_transfer(spi, NULL);
+	if (ret && initial_setup)
+		omap2_mcspi_cleanup(spi);
+
 	pm_runtime_mark_last_busy(mcspi->dev);
 	pm_runtime_put_autosuspend(mcspi->dev);
 
 	return ret;
 }
 
-static void omap2_mcspi_cleanup(struct spi_device *spi)
-{
-	struct omap2_mcspi_cs	*cs;
-
-	if (spi->controller_state) {
-		/* Unlink controller state from context save list */
-		cs = spi->controller_state;
-		list_del(&cs->node);
-
-		kfree(cs);
-	}
-}
-
 static irqreturn_t omap2_mcspi_irq_handler(int irq, void *data)
 {
 	struct omap2_mcspi *mcspi = data;
diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c
index 0cc767283674..825cc5b2ab2f 100644
--- a/drivers/spi/spi-pxa2xx.c
+++ b/drivers/spi/spi-pxa2xx.c
@@ -1254,6 +1254,8 @@ static int setup_cs(struct spi_device *spi, struct chip_data *chip,
 		chip->gpio_cs_inverted = spi->mode & SPI_CS_HIGH;
 
 		err = gpiod_direction_output(gpiod, !chip->gpio_cs_inverted);
+		if (err)
+			gpiod_put(chip->gpiod_cs);
 	}
 
 	return err;
@@ -1267,6 +1269,7 @@ static int setup(struct spi_device *spi)
 	struct driver_data *drv_data =
 		spi_controller_get_devdata(spi->controller);
 	uint tx_thres, tx_hi_thres, rx_thres;
+	int err;
 
 	switch (drv_data->ssp_type) {
 	case QUARK_X1000_SSP:
@@ -1413,7 +1416,11 @@ static int setup(struct spi_device *spi)
 	if (drv_data->ssp_type == CE4100_SSP)
 		return 0;
 
-	return setup_cs(spi, chip, chip_info);
+	err = setup_cs(spi, chip, chip_info);
+	if (err)
+		kfree(chip);
+
+	return err;
 }
 
 static void cleanup(struct spi_device *spi)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 047/173] i2c: mpc: Make use of i2c_recover_bus()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 046/173] spi: Cleanup on failure of initial setup Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 048/173] i2c: mpc: implement erratum A-004447 workaround Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Packham, Wolfram Sang, Sasha Levin

From: Chris Packham <chris.packham@alliedtelesis.co.nz>

[ Upstream commit 65171b2df15eb7545431d75c2729b5062da89b43 ]

Move the existing calls of mpc_i2c_fixup() to a recovery function
registered via bus_recovery_info. This makes it more obvious that
recovery is supported and allows for a future where recovery is
triggered by the i2c core.

Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-mpc.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/drivers/i2c/busses/i2c-mpc.c b/drivers/i2c/busses/i2c-mpc.c
index d94f05c8b8b7..6a0d55e9e8e3 100644
--- a/drivers/i2c/busses/i2c-mpc.c
+++ b/drivers/i2c/busses/i2c-mpc.c
@@ -586,7 +586,7 @@ static int mpc_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
 			if ((status & (CSR_MCF | CSR_MBB | CSR_RXAK)) != 0) {
 				writeb(status & ~CSR_MAL,
 				       i2c->base + MPC_I2C_SR);
-				mpc_i2c_fixup(i2c);
+				i2c_recover_bus(&i2c->adap);
 			}
 			return -EIO;
 		}
@@ -622,7 +622,7 @@ static int mpc_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
 			if ((status & (CSR_MCF | CSR_MBB | CSR_RXAK)) != 0) {
 				writeb(status & ~CSR_MAL,
 				       i2c->base + MPC_I2C_SR);
-				mpc_i2c_fixup(i2c);
+				i2c_recover_bus(&i2c->adap);
 			}
 			return -EIO;
 		}
@@ -637,6 +637,15 @@ static u32 mpc_functionality(struct i2c_adapter *adap)
 	  | I2C_FUNC_SMBUS_READ_BLOCK_DATA | I2C_FUNC_SMBUS_BLOCK_PROC_CALL;
 }
 
+static int fsl_i2c_bus_recovery(struct i2c_adapter *adap)
+{
+	struct mpc_i2c *i2c = i2c_get_adapdata(adap);
+
+	mpc_i2c_fixup(i2c);
+
+	return 0;
+}
+
 static const struct i2c_algorithm mpc_algo = {
 	.master_xfer = mpc_xfer,
 	.functionality = mpc_functionality,
@@ -648,6 +657,10 @@ static struct i2c_adapter mpc_ops = {
 	.timeout = HZ,
 };
 
+static struct i2c_bus_recovery_info fsl_i2c_recovery_info = {
+	.recover_bus = fsl_i2c_bus_recovery,
+};
+
 static const struct of_device_id mpc_i2c_of_match[];
 static int fsl_i2c_probe(struct platform_device *op)
 {
@@ -740,6 +753,7 @@ static int fsl_i2c_probe(struct platform_device *op)
 	i2c_set_adapdata(&i2c->adap, i2c);
 	i2c->adap.dev.parent = &op->dev;
 	i2c->adap.dev.of_node = of_node_get(op->dev.of_node);
+	i2c->adap.bus_recovery_info = &fsl_i2c_recovery_info;
 
 	result = i2c_add_adapter(&i2c->adap);
 	if (result < 0)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 048/173] i2c: mpc: implement erratum A-004447 workaround
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 047/173] i2c: mpc: Make use of i2c_recover_bus() Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 049/173] ALSA: seq: Fix race of snd_seq_timer_open() Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Packham, Wolfram Sang, Sasha Levin

From: Chris Packham <chris.packham@alliedtelesis.co.nz>

[ Upstream commit drivers/i2c/busses/i2c-mpc.c ]

The P2040/P2041 has an erratum where the normal i2c recovery mechanism
does not work. Implement the alternative recovery mechanism documented
in the P2040 Chip Errata Rev Q.

Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-mpc.c | 79 +++++++++++++++++++++++++++++++++++-
 1 file changed, 78 insertions(+), 1 deletion(-)

diff --git a/drivers/i2c/busses/i2c-mpc.c b/drivers/i2c/busses/i2c-mpc.c
index 6a0d55e9e8e3..af349661fd76 100644
--- a/drivers/i2c/busses/i2c-mpc.c
+++ b/drivers/i2c/busses/i2c-mpc.c
@@ -23,6 +23,7 @@
 
 #include <linux/clk.h>
 #include <linux/io.h>
+#include <linux/iopoll.h>
 #include <linux/fsl_devices.h>
 #include <linux/i2c.h>
 #include <linux/interrupt.h>
@@ -49,6 +50,7 @@
 #define CCR_MTX  0x10
 #define CCR_TXAK 0x08
 #define CCR_RSTA 0x04
+#define CCR_RSVD 0x02
 
 #define CSR_MCF  0x80
 #define CSR_MAAS 0x40
@@ -70,6 +72,7 @@ struct mpc_i2c {
 	u8 fdr, dfsrr;
 #endif
 	struct clk *clk_per;
+	bool has_errata_A004447;
 };
 
 struct mpc_i2c_divider {
@@ -176,6 +179,75 @@ static int i2c_wait(struct mpc_i2c *i2c, unsigned timeout, int writing)
 	return 0;
 }
 
+static int i2c_mpc_wait_sr(struct mpc_i2c *i2c, int mask)
+{
+	void __iomem *addr = i2c->base + MPC_I2C_SR;
+	u8 val;
+
+	return readb_poll_timeout(addr, val, val & mask, 0, 100);
+}
+
+/*
+ * Workaround for Erratum A004447. From the P2040CE Rev Q
+ *
+ * 1.  Set up the frequency divider and sampling rate.
+ * 2.  I2CCR - a0h
+ * 3.  Poll for I2CSR[MBB] to get set.
+ * 4.  If I2CSR[MAL] is set (an indication that SDA is stuck low), then go to
+ *     step 5. If MAL is not set, then go to step 13.
+ * 5.  I2CCR - 00h
+ * 6.  I2CCR - 22h
+ * 7.  I2CCR - a2h
+ * 8.  Poll for I2CSR[MBB] to get set.
+ * 9.  Issue read to I2CDR.
+ * 10. Poll for I2CSR[MIF] to be set.
+ * 11. I2CCR - 82h
+ * 12. Workaround complete. Skip the next steps.
+ * 13. Issue read to I2CDR.
+ * 14. Poll for I2CSR[MIF] to be set.
+ * 15. I2CCR - 80h
+ */
+static void mpc_i2c_fixup_A004447(struct mpc_i2c *i2c)
+{
+	int ret;
+	u32 val;
+
+	writeccr(i2c, CCR_MEN | CCR_MSTA);
+	ret = i2c_mpc_wait_sr(i2c, CSR_MBB);
+	if (ret) {
+		dev_err(i2c->dev, "timeout waiting for CSR_MBB\n");
+		return;
+	}
+
+	val = readb(i2c->base + MPC_I2C_SR);
+
+	if (val & CSR_MAL) {
+		writeccr(i2c, 0x00);
+		writeccr(i2c, CCR_MSTA | CCR_RSVD);
+		writeccr(i2c, CCR_MEN | CCR_MSTA | CCR_RSVD);
+		ret = i2c_mpc_wait_sr(i2c, CSR_MBB);
+		if (ret) {
+			dev_err(i2c->dev, "timeout waiting for CSR_MBB\n");
+			return;
+		}
+		val = readb(i2c->base + MPC_I2C_DR);
+		ret = i2c_mpc_wait_sr(i2c, CSR_MIF);
+		if (ret) {
+			dev_err(i2c->dev, "timeout waiting for CSR_MIF\n");
+			return;
+		}
+		writeccr(i2c, CCR_MEN | CCR_RSVD);
+	} else {
+		val = readb(i2c->base + MPC_I2C_DR);
+		ret = i2c_mpc_wait_sr(i2c, CSR_MIF);
+		if (ret) {
+			dev_err(i2c->dev, "timeout waiting for CSR_MIF\n");
+			return;
+		}
+		writeccr(i2c, CCR_MEN);
+	}
+}
+
 #if defined(CONFIG_PPC_MPC52xx) || defined(CONFIG_PPC_MPC512x)
 static const struct mpc_i2c_divider mpc_i2c_dividers_52xx[] = {
 	{20, 0x20}, {22, 0x21}, {24, 0x22}, {26, 0x23},
@@ -641,7 +713,10 @@ static int fsl_i2c_bus_recovery(struct i2c_adapter *adap)
 {
 	struct mpc_i2c *i2c = i2c_get_adapdata(adap);
 
-	mpc_i2c_fixup(i2c);
+	if (i2c->has_errata_A004447)
+		mpc_i2c_fixup_A004447(i2c);
+	else
+		mpc_i2c_fixup(i2c);
 
 	return 0;
 }
@@ -745,6 +820,8 @@ static int fsl_i2c_probe(struct platform_device *op)
 	dev_info(i2c->dev, "timeout %u us\n", mpc_ops.timeout * 1000000 / HZ);
 
 	platform_set_drvdata(op, i2c);
+	if (of_property_read_bool(op->dev.of_node, "fsl,i2c-erratum-a004447"))
+		i2c->has_errata_A004447 = true;
 
 	i2c->adap = mpc_ops;
 	of_address_to_resource(op->dev.of_node, 0, &res);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 049/173] ALSA: seq: Fix race of snd_seq_timer_open()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 048/173] i2c: mpc: implement erratum A-004447 workaround Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 050/173] ALSA: firewire-lib: fix the context to call snd_pcm_stop_xrun() Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+ddc1260a83ed1cbf6fb5, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 83e197a8414c0ba545e7e3916ce05f836f349273 upstream.

The timer instance per queue is exclusive, and snd_seq_timer_open()
should have managed the concurrent accesses.  It looks as if it's
checking the already existing timer instance at the beginning, but
it's not right, because there is no protection, hence any later
concurrent call of snd_seq_timer_open() may override the timer
instance easily.  This may result in UAF, as the leftover timer
instance can keep running while the queue itself gets closed, as
spotted by syzkaller recently.

For avoiding the race, add a proper check at the assignment of
tmr->timeri again, and return -EBUSY if it's been already registered.

Reported-by: syzbot+ddc1260a83ed1cbf6fb5@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/000000000000dce34f05c42f110c@google.com
Link: https://lore.kernel.org/r/20210610152059.24633-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/seq/seq_timer.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/sound/core/seq/seq_timer.c
+++ b/sound/core/seq/seq_timer.c
@@ -297,8 +297,16 @@ int snd_seq_timer_open(struct snd_seq_qu
 		return err;
 	}
 	spin_lock_irq(&tmr->lock);
-	tmr->timeri = t;
+	if (tmr->timeri)
+		err = -EBUSY;
+	else
+		tmr->timeri = t;
 	spin_unlock_irq(&tmr->lock);
+	if (err < 0) {
+		snd_timer_close(t);
+		snd_timer_instance_free(t);
+		return err;
+	}
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 050/173] ALSA: firewire-lib: fix the context to call snd_pcm_stop_xrun()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 049/173] ALSA: seq: Fix race of snd_seq_timer_open() Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 051/173] ALSA: hda/realtek: headphone and mic dont work on an Acer laptop Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Sakamoto, Takashi Iwai

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

commit 9981b20a5e3694f4625ab5a1ddc98ce7503f6d12 upstream.

In the workqueue to queue wake-up event, isochronous context is not
processed, thus it's useless to check context for the workqueue to switch
status of runtime for PCM substream to XRUN. On the other hand, in
software IRQ context of 1394 OHCI, it's needed.

This commit fixes the bug introduced when tasklet was replaced with
workqueue.

Cc: <stable@vger.kernel.org>
Fixes: 2b3d2987d800 ("ALSA: firewire: Replace tasklet with work")
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20210605091054.68866-1-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/firewire/amdtp-stream.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/firewire/amdtp-stream.c
+++ b/sound/firewire/amdtp-stream.c
@@ -804,7 +804,7 @@ static void generate_pkt_descs(struct am
 static inline void cancel_stream(struct amdtp_stream *s)
 {
 	s->packet_index = -1;
-	if (current_work() == &s->period_work)
+	if (in_interrupt())
 		amdtp_stream_pcm_abort(s);
 	WRITE_ONCE(s->pcm_buffer_pointer, SNDRV_PCM_POS_XRUN);
 }



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 051/173] ALSA: hda/realtek: headphone and mic dont work on an Acer laptop
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 050/173] ALSA: firewire-lib: fix the context to call snd_pcm_stop_xrun() Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 052/173] ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Elite Dragonfly G2 Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hui Wang, Takashi Iwai

From: Hui Wang <hui.wang@canonical.com>

commit 57c9e21a49b1c196cda28f54de9a5d556ac93f20 upstream.

There are 2 issues on this machine, the 1st one is mic's plug/unplug
can't be detected, that is because the mic is set to manual detecting
mode, need to apply ALC255_FIXUP_XIAOMI_HEADSET_MIC to set it to auto
detecting mode. The other one is headphone's plug/unplug can't be
detected by pulseaudio, that is because the pulseaudio will use
ucm2/sof-hda-dsp on this machine, and the ucm2 only handle
'Headphone Jack', but on this machine the headphone's pincfg sets the
location to Front, then the alsa mixer name is "Front Headphone Jack"
instead of "Headphone Jack", so override the pincfg to change location
to Left.

BugLink: http://bugs.launchpad.net/bugs/1930188
Cc: <stable@vger.kernel.org>
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Link: https://lore.kernel.org/r/20210608024600.6198-1-hui.wang@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6560,6 +6560,7 @@ enum {
 	ALC285_FIXUP_HP_SPECTRE_X360,
 	ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP,
 	ALC623_FIXUP_LENOVO_THINKSTATION_P340,
+	ALC255_FIXUP_ACER_HEADPHONE_AND_MIC,
 };
 
 static const struct hda_fixup alc269_fixups[] = {
@@ -8132,6 +8133,15 @@ static const struct hda_fixup alc269_fix
 		.chained = true,
 		.chain_id = ALC283_FIXUP_HEADSET_MIC,
 	},
+	[ALC255_FIXUP_ACER_HEADPHONE_AND_MIC] = {
+		.type = HDA_FIXUP_PINS,
+		.v.pins = (const struct hda_pintbl[]) {
+			{ 0x21, 0x03211030 }, /* Change the Headphone location to Left */
+			{ }
+		},
+		.chained = true,
+		.chain_id = ALC255_FIXUP_XIAOMI_HEADSET_MIC
+	},
 };
 
 static const struct snd_pci_quirk alc269_fixup_tbl[] = {
@@ -8168,6 +8178,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x1025, 0x132a, "Acer TravelMate B114-21", ALC233_FIXUP_ACER_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x1330, "Acer TravelMate X514-51T", ALC255_FIXUP_ACER_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x1430, "Acer TravelMate B311R-31", ALC256_FIXUP_ACER_MIC_NO_PRESENCE),
+	SND_PCI_QUIRK(0x1025, 0x1466, "Acer Aspire A515-56", ALC255_FIXUP_ACER_HEADPHONE_AND_MIC),
 	SND_PCI_QUIRK(0x1028, 0x0470, "Dell M101z", ALC269_FIXUP_DELL_M101Z),
 	SND_PCI_QUIRK(0x1028, 0x054b, "Dell XPS one 2710", ALC275_FIXUP_DELL_XPS),
 	SND_PCI_QUIRK(0x1028, 0x05bd, "Dell Latitude E6440", ALC292_FIXUP_DELL_E7X),
@@ -8722,6 +8733,7 @@ static const struct hda_model_fixup alc2
 	{.id = ALC285_FIXUP_HP_SPECTRE_X360, .name = "alc285-hp-spectre-x360"},
 	{.id = ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP, .name = "alc287-ideapad-bass-spk-amp"},
 	{.id = ALC623_FIXUP_LENOVO_THINKSTATION_P340, .name = "alc623-lenovo-thinkstation-p340"},
+	{.id = ALC255_FIXUP_ACER_HEADPHONE_AND_MIC, .name = "alc255-acer-headphone-and-mic"},
 	{}
 };
 #define ALC225_STANDARD_PINS \



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 052/173] ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Elite Dragonfly G2
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 051/173] ALSA: hda/realtek: headphone and mic dont work on an Acer laptop Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 053/173] ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP EliteBook x360 1040 G8 Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jeremy Szu, Takashi Iwai

From: Jeremy Szu <jeremy.szu@canonical.com>

commit 15d295b560e6dd45f839a53ae69e4f63b54eb32f upstream.

The HP Elite Dragonfly G2 using ALC285 codec which using 0x04 to control
mute LED and 0x01 to control micmute LED.
In the other hand, there is no output from right channel of speaker.
Therefore, add a quirk to make it works.

Signed-off-by: Jeremy Szu <jeremy.szu@canonical.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210605082539.41797-1-jeremy.szu@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8307,6 +8307,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360),
 	SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED),
 	SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO),
+	SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
 	SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x8729, "HP", ALC285_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 053/173] ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP EliteBook x360 1040 G8
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 052/173] ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Elite Dragonfly G2 Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 054/173] ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 840 Aero G8 Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jeremy Szu, Takashi Iwai

From: Jeremy Szu <jeremy.szu@canonical.com>

commit 61d3e87468fad82dc8e8cb6de7db563ada64b532 upstream.

The HP EliteBook x360 1040 G8 using ALC285 codec which using 0x04 to control
mute LED and 0x01 to control micmute LED.
In the other hand, there is no output from right channel of speaker.
Therefore, add a quirk to make it works.

Signed-off-by: Jeremy Szu <jeremy.szu@canonical.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210605082539.41797-2-jeremy.szu@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8308,6 +8308,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED),
 	SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO),
 	SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+	SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
 	SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x8729, "HP", ALC285_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 054/173] ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 840 Aero G8
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 053/173] ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP EliteBook x360 1040 G8 Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 055/173] ALSA: hda/realtek: fix mute/micmute LEDs for HP ZBook Power G8 Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jeremy Szu, Takashi Iwai

From: Jeremy Szu <jeremy.szu@canonical.com>

commit dfb06401b4cdfc71e2fc3e19b877ab845cc9f7f7 upstream.

The HP EliteBook 840 Aero G8 using ALC285 codec which using 0x04 to
control mute LED and 0x01 to control micmute LED.
In the other hand, there is no output from right channel of speaker.
Therefore, add a quirk to make it works.

Signed-off-by: Jeremy Szu <jeremy.szu@canonical.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210605082539.41797-3-jeremy.szu@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8327,6 +8327,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x103c, 0x87f5, "HP", ALC287_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x87f7, "HP Spectre x360 14", ALC245_FIXUP_HP_X360_AMP),
 	SND_PCI_QUIRK(0x103c, 0x8846, "HP EliteBook 850 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+	SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x884c, "HP EliteBook 840 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
 	SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 055/173] ALSA: hda/realtek: fix mute/micmute LEDs for HP ZBook Power G8
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 054/173] ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 840 Aero G8 Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 056/173] spi: bcm2835: Fix out-of-bounds access with more than 4 slaves Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jeremy Szu, Takashi Iwai

From: Jeremy Szu <jeremy.szu@canonical.com>

commit 600dd2a7e8b62170d177381cc1303861f48f9780 upstream.

The HP ZBook Power G8 using ALC236 codec which using 0x02 to
control mute LED and 0x01 to control micmute LED.
Therefore, add a quirk to make it works.

Signed-off-by: Jeremy Szu <jeremy.szu@canonical.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210608114750.32009-1-jeremy.szu@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8332,6 +8332,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
 	SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
 	SND_PCI_QUIRK(0x103c, 0x8873, "HP ZBook Studio 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+	SND_PCI_QUIRK(0x103c, 0x888d, "HP ZBook Power 15.6 inch G8 Mobile Workstation PC", ALC236_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x8896, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_MUTE_LED),
 	SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
 	SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 056/173] spi: bcm2835: Fix out-of-bounds access with more than 4 slaves
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 055/173] ALSA: hda/realtek: fix mute/micmute LEDs for HP ZBook Power G8 Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 057/173] Revert "ACPI: sleep: Put the FACS table after using it" Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joe Burmeister, Lukas Wunner,
	Phil Elwell, Mark Brown

From: Lukas Wunner <lukas@wunner.de>

commit 13817d466eb8713a1ffd254f537402f091d48444 upstream.

Commit 571e31fa60b3 ("spi: bcm2835: Cache CS register value for
->prepare_message()") limited the number of slaves to 3 at compile-time.
The limitation was necessitated by a statically-sized array prepare_cs[]
in the driver private data which contains a per-slave register value.

The commit sought to enforce the limitation at run-time by setting the
controller's num_chipselect to 3:  Slaves with a higher chipselect are
rejected by spi_add_device().

However the commit neglected that num_chipselect only limits the number
of *native* chipselects.  If GPIO chipselects are specified in the
device tree for more than 3 slaves, num_chipselect is silently raised by
of_spi_get_gpio_numbers() and the result are out-of-bounds accesses to
the statically-sized array prepare_cs[].

As a bandaid fix which is backportable to stable, raise the number of
allowed slaves to 24 (which "ought to be enough for anybody"), enforce
the limitation on slave ->setup and revert num_chipselect to 3 (which is
the number of native chipselects supported by the controller).
An upcoming for-next commit will allow an arbitrary number of slaves.

Fixes: 571e31fa60b3 ("spi: bcm2835: Cache CS register value for ->prepare_message()")
Reported-by: Joe Burmeister <joe.burmeister@devtank.co.uk>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v5.4+
Cc: Phil Elwell <phil@raspberrypi.com>
Link: https://lore.kernel.org/r/75854affc1923309fde05e47494263bde73e5592.1621703210.git.lukas@wunner.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-bcm2835.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-bcm2835.c
+++ b/drivers/spi/spi-bcm2835.c
@@ -68,7 +68,7 @@
 #define BCM2835_SPI_FIFO_SIZE		64
 #define BCM2835_SPI_FIFO_SIZE_3_4	48
 #define BCM2835_SPI_DMA_MIN_LENGTH	96
-#define BCM2835_SPI_NUM_CS		4   /* raise as necessary */
+#define BCM2835_SPI_NUM_CS		24  /* raise as necessary */
 #define BCM2835_SPI_MODE_BITS	(SPI_CPOL | SPI_CPHA | SPI_CS_HIGH \
 				| SPI_NO_CS | SPI_3WIRE)
 
@@ -1195,6 +1195,12 @@ static int bcm2835_spi_setup(struct spi_
 	struct gpio_chip *chip;
 	u32 cs;
 
+	if (spi->chip_select >= BCM2835_SPI_NUM_CS) {
+		dev_err(&spi->dev, "only %d chip-selects supported\n",
+			BCM2835_SPI_NUM_CS - 1);
+		return -EINVAL;
+	}
+
 	/*
 	 * Precalculate SPI slave's CS register value for ->prepare_message():
 	 * The driver always uses software-controlled GPIO chip select, hence
@@ -1288,7 +1294,7 @@ static int bcm2835_spi_probe(struct plat
 	ctlr->use_gpio_descriptors = true;
 	ctlr->mode_bits = BCM2835_SPI_MODE_BITS;
 	ctlr->bits_per_word_mask = SPI_BPW_MASK(8);
-	ctlr->num_chipselect = BCM2835_SPI_NUM_CS;
+	ctlr->num_chipselect = 3;
 	ctlr->setup = bcm2835_spi_setup;
 	ctlr->transfer_one = bcm2835_spi_transfer_one;
 	ctlr->handle_err = bcm2835_spi_handle_err;



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 057/173] Revert "ACPI: sleep: Put the FACS table after using it"
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 056/173] spi: bcm2835: Fix out-of-bounds access with more than 4 slaves Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 058/173] ACPI: Pass the same capabilities to the _OSC regardless of the query flag Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephan Hohe, Zhang Rui, Rafael J. Wysocki

From: Zhang Rui <rui.zhang@intel.com>

commit f1ffa9d4cccc8fdf6c03fb1b3429154d22037988 upstream.

Commit 95722237cb2a ("ACPI: sleep: Put the FACS table after using it")
puts the FACS table during initialization.

But the hardware signature bits in the FACS table need to be accessed,
after every hibernation, to compare with the original hardware
signature.

So there is no reason to release the FACS table mapping after
initialization.

This reverts commit 95722237cb2ae4f7b73471058cdb19e8f4057c93.

An alternative solution is to use acpi_gbl_FACS variable instead, which
is mapped by the ACPICA core and never released.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=212277
Reported-by: Stephan Hohe <sth.dev@tejp.de>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Cc: 5.8+ <stable@vger.kernel.org> # 5.8+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/sleep.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/acpi/sleep.c
+++ b/drivers/acpi/sleep.c
@@ -1009,10 +1009,8 @@ static void acpi_sleep_hibernate_setup(v
 		return;
 
 	acpi_get_table(ACPI_SIG_FACS, 1, (struct acpi_table_header **)&facs);
-	if (facs) {
+	if (facs)
 		s4_hardware_signature = facs->hardware_signature;
-		acpi_put_table((struct acpi_table_header *)facs);
-	}
 }
 #else /* !CONFIG_HIBERNATION */
 static inline void acpi_sleep_hibernate_setup(void) {}



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 058/173] ACPI: Pass the same capabilities to the _OSC regardless of the query flag
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 057/173] Revert "ACPI: sleep: Put the FACS table after using it" Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 059/173] drm: Fix use-after-free read in drm_getunique() Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mika Westerberg, Hans de Goede,
	Rafael J. Wysocki

From: Mika Westerberg <mika.westerberg@linux.intel.com>

commit 159d8c274fd92438ca6d7068d7a5eeda157227f4 upstream.

Commit 719e1f561afb ("ACPI: Execute platform _OSC also with query bit
clear") makes acpi_bus_osc_negotiate_platform_control() not only query
the platforms capabilities but it also commits the result back to the
firmware to report which capabilities are supported by the OS back to
the firmware

On certain systems the BIOS loads SSDT tables dynamically based on the
capabilities the OS claims to support. However, on these systems the
_OSC actually clears some of the bits (under certain conditions) so what
happens is that now when we call the _OSC twice the second time we pass
the cleared values and that results errors like below to appear on the
system log:

  ACPI BIOS Error (bug): Could not resolve symbol [\_PR.PR00._CPC], AE_NOT_FOUND (20210105/psargs-330)
  ACPI Error: Aborting method \_PR.PR01._CPC due to previous error (AE_NOT_FOUND) (20210105/psparse-529)

In addition the ACPI 6.4 spec says following [1]:

  If the OS declares support of a feature in the Support Field in one
  call to _OSC, then it must preserve the set state of that bit
  (declaring support for that feature) in all subsequent calls.

Based on the above we can fix the issue by passing the same set of
capabilities to the platform wide _OSC in both calls regardless of the
query flag.

While there drop the context.ret.length checks which were wrong to begin
with (as the length is number of bytes not elements). This is already
checked in acpi_run_osc() that also returns an error in that case.

Includes fixes by Hans de Goede.

[1] https://uefi.org/specs/ACPI/6.4/06_Device_Configuration/Device_Configuration.html#sequence-of-osc-calls

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213023
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1963717
Fixes: 719e1f561afb ("ACPI: Execute platform _OSC also with query bit clear")
Cc: 5.12+ <stable@vger.kernel.org> # 5.12+
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/bus.c |   27 ++++++++-------------------
 1 file changed, 8 insertions(+), 19 deletions(-)

--- a/drivers/acpi/bus.c
+++ b/drivers/acpi/bus.c
@@ -330,32 +330,21 @@ static void acpi_bus_osc_negotiate_platf
 	if (ACPI_FAILURE(acpi_run_osc(handle, &context)))
 		return;
 
-	capbuf_ret = context.ret.pointer;
-	if (context.ret.length <= OSC_SUPPORT_DWORD) {
-		kfree(context.ret.pointer);
-		return;
-	}
+	kfree(context.ret.pointer);
 
-	/*
-	 * Now run _OSC again with query flag clear and with the caps
-	 * supported by both the OS and the platform.
-	 */
+	/* Now run _OSC again with query flag clear */
 	capbuf[OSC_QUERY_DWORD] = 0;
-	capbuf[OSC_SUPPORT_DWORD] = capbuf_ret[OSC_SUPPORT_DWORD];
-	kfree(context.ret.pointer);
 
 	if (ACPI_FAILURE(acpi_run_osc(handle, &context)))
 		return;
 
 	capbuf_ret = context.ret.pointer;
-	if (context.ret.length > OSC_SUPPORT_DWORD) {
-		osc_sb_apei_support_acked =
-			capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_APEI_SUPPORT;
-		osc_pc_lpi_support_confirmed =
-			capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_PCLPI_SUPPORT;
-		osc_sb_native_usb4_support_confirmed =
-			capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_NATIVE_USB4_SUPPORT;
-	}
+	osc_sb_apei_support_acked =
+		capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_APEI_SUPPORT;
+	osc_pc_lpi_support_confirmed =
+		capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_PCLPI_SUPPORT;
+	osc_sb_native_usb4_support_confirmed =
+		capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_NATIVE_USB4_SUPPORT;
 
 	kfree(context.ret.pointer);
 }



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 059/173] drm: Fix use-after-free read in drm_getunique()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 058/173] ACPI: Pass the same capabilities to the _OSC regardless of the query flag Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 060/173] drm: Lock pointer access in drm_master_release() Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+c3a706cec1ea99e1c693,
	Desmond Cheong Zhi Xi, Daniel Vetter

From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>

commit b436acd1cf7fac0ba987abd22955d98025c80c2b upstream.

There is a time-of-check-to-time-of-use error in drm_getunique() due
to retrieving file_priv->master prior to locking the device's master
mutex.

An example can be seen in the crash report of the use-after-free error
found by Syzbot:
https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803

In the report, the master pointer was used after being freed. This is
because another process had acquired the device's master mutex in
drm_setmaster_ioctl(), then overwrote fpriv->master in
drm_new_set_master(). The old value of fpriv->master was subsequently
freed before the mutex was unlocked.

To fix this, we lock the device's master mutex before retrieving the
pointer from from fpriv->master. This patch passes the Syzbot
reproducer test.

Reported-by: syzbot+c3a706cec1ea99e1c693@syzkaller.appspotmail.com
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20210608110436.239583-1-desmondcheongzx@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/drm_ioctl.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/drm_ioctl.c
+++ b/drivers/gpu/drm/drm_ioctl.c
@@ -118,17 +118,18 @@ int drm_getunique(struct drm_device *dev
 		  struct drm_file *file_priv)
 {
 	struct drm_unique *u = data;
-	struct drm_master *master = file_priv->master;
+	struct drm_master *master;
 
-	mutex_lock(&master->dev->master_mutex);
+	mutex_lock(&dev->master_mutex);
+	master = file_priv->master;
 	if (u->unique_len >= master->unique_len) {
 		if (copy_to_user(u->unique, master->unique, master->unique_len)) {
-			mutex_unlock(&master->dev->master_mutex);
+			mutex_unlock(&dev->master_mutex);
 			return -EFAULT;
 		}
 	}
 	u->unique_len = master->unique_len;
-	mutex_unlock(&master->dev->master_mutex);
+	mutex_unlock(&dev->master_mutex);
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 060/173] drm: Lock pointer access in drm_master_release()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 059/173] drm: Fix use-after-free read in drm_getunique() Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 061/173] x86, lto: Pass -stack-alignment only on LLD < 13.0.0 Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Desmond Cheong Zhi Xi,
	Daniel Vetter

From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>

commit c336a5ee984708db4826ef9e47d184e638e29717 upstream.

This patch eliminates the following smatch warning:
drivers/gpu/drm/drm_auth.c:320 drm_master_release() warn: unlocked access 'master' (line 318) expected lock '&dev->master_mutex'

The 'file_priv->master' field should be protected by the mutex lock to
'&dev->master_mutex'. This is because other processes can concurrently
modify this field and free the current 'file_priv->master'
pointer. This could result in a use-after-free error when 'master' is
dereferenced in subsequent function calls to
'drm_legacy_lock_master_cleanup()' or to 'drm_lease_revoke()'.

An example of a scenario that would produce this error can be seen
from a similar bug in 'drm_getunique()' that was reported by Syzbot:
https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803

In the Syzbot report, another process concurrently acquired the
device's master mutex in 'drm_setmaster_ioctl()', then overwrote
'fpriv->master' in 'drm_new_set_master()'. The old value of
'fpriv->master' was subsequently freed before the mutex was unlocked.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20210609092119.173590-1-desmondcheongzx@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/drm_auth.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/drm_auth.c
+++ b/drivers/gpu/drm/drm_auth.c
@@ -314,9 +314,10 @@ int drm_master_open(struct drm_file *fil
 void drm_master_release(struct drm_file *file_priv)
 {
 	struct drm_device *dev = file_priv->minor->dev;
-	struct drm_master *master = file_priv->master;
+	struct drm_master *master;
 
 	mutex_lock(&dev->master_mutex);
+	master = file_priv->master;
 	if (file_priv->magic)
 		idr_remove(&file_priv->master->magic_map, file_priv->magic);
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 061/173] x86, lto: Pass -stack-alignment only on LLD < 13.0.0
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 060/173] drm: Lock pointer access in drm_master_release() Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 062/173] perf/x86/intel/uncore: Fix M2M event umask for Ice Lake server Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tor Vic, Nathan Chancellor, Kees Cook

From: Tor Vic <torvic9@mailbox.org>

commit 2398ce80152aae33b9501ef54452e09e8e8d4262 upstream.

Since LLVM commit 3787ee4, the '-stack-alignment' flag has been dropped
[1], leading to the following error message when building a LTO kernel
with Clang-13 and LLD-13:

    ld.lld: error: -plugin-opt=-: ld.lld: Unknown command line argument
    '-stack-alignment=8'.  Try 'ld.lld --help'
    ld.lld: Did you mean '--stackrealign=8'?

It also appears that the '-code-model' flag is not necessary anymore
starting with LLVM-9 [2].

Drop '-code-model' and make '-stack-alignment' conditional on LLD < 13.0.0.

These flags were necessary because these flags were not encoded in the
IR properly, so the link would restart optimizations without them. Now
there are properly encoded in the IR, and these flags exposing
implementation details are no longer necessary.

[1] https://reviews.llvm.org/D103048
[2] https://reviews.llvm.org/D52322

Cc: stable@vger.kernel.org
Link: https://github.com/ClangBuiltLinux/linux/issues/1377
Signed-off-by: Tor Vic <torvic9@mailbox.org>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/f2c018ee-5999-741e-58d4-e482d5246067@mailbox.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/Makefile |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -192,8 +192,9 @@ endif
 KBUILD_LDFLAGS += -m elf_$(UTS_MACHINE)
 
 ifdef CONFIG_LTO_CLANG
-KBUILD_LDFLAGS	+= -plugin-opt=-code-model=kernel \
-		   -plugin-opt=-stack-alignment=$(if $(CONFIG_X86_32),4,8)
+ifeq ($(shell test $(CONFIG_LLD_VERSION) -lt 130000; echo $$?),0)
+KBUILD_LDFLAGS	+= -plugin-opt=-stack-alignment=$(if $(CONFIG_X86_32),4,8)
+endif
 endif
 
 ifdef CONFIG_X86_NEED_RELOCS



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 062/173] perf/x86/intel/uncore: Fix M2M event umask for Ice Lake server
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 061/173] x86, lto: Pass -stack-alignment only on LLD < 13.0.0 Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 063/173] KVM: x86: Unload MMU on guest TLB flush if TDP disabled to force MMU sync Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jin Yao, Kan Liang, Peter Zijlstra (Intel)

From: Kan Liang <kan.liang@linux.intel.com>

commit 848ff3768684701a4ce73a2ec0e5d438d4e2b0da upstream.

Perf tool errors out with the latest event list for the Ice Lake server.

event syntax error: 'unc_m2m_imc_reads.to_pmm'
                           \___ value too big for format, maximum is 255

The same as the Snow Ridge server, the M2M uncore unit in the Ice Lake
server has the unit mask extension field as well.

Fixes: 2b3b76b5ec67 ("perf/x86/intel/uncore: Add Ice Lake server uncore support")
Reported-by: Jin Yao <yao.jin@linux.intel.com>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1622552943-119174-1-git-send-email-kan.liang@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/events/intel/uncore_snbep.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -5103,9 +5103,10 @@ static struct intel_uncore_type icx_unco
 	.perf_ctr	= SNR_M2M_PCI_PMON_CTR0,
 	.event_ctl	= SNR_M2M_PCI_PMON_CTL0,
 	.event_mask	= SNBEP_PMON_RAW_EVENT_MASK,
+	.event_mask_ext	= SNR_M2M_PCI_PMON_UMASK_EXT,
 	.box_ctl	= SNR_M2M_PCI_PMON_BOX_CTL,
 	.ops		= &snr_m2m_uncore_pci_ops,
-	.format_group	= &skx_uncore_format_group,
+	.format_group	= &snr_m2m_uncore_format_group,
 };
 
 static struct attribute *icx_upi_uncore_formats_attr[] = {



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 063/173] KVM: x86: Unload MMU on guest TLB flush if TDP disabled to force MMU sync
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 062/173] perf/x86/intel/uncore: Fix M2M event umask for Ice Lake server Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 064/173] KVM: X86: MMU: Use the correct inherited permissions to get shadow page Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maxim Levitsky, Lai Jiangshan,
	Sean Christopherson, Paolo Bonzini

From: Lai Jiangshan <laijs@linux.alibaba.com>

commit b53e84eed08b88fd3ff59e5c2a7f1a69d4004e32 upstream.

When using shadow paging, unload the guest MMU when emulating a guest TLB
flush to ensure all roots are synchronized.  From the guest's perspective,
flushing the TLB ensures any and all modifications to its PTEs will be
recognized by the CPU.

Note, unloading the MMU is overkill, but is done to mirror KVM's existing
handling of INVPCID(all) and ensure the bug is squashed.  Future cleanup
can be done to more precisely synchronize roots when servicing a guest
TLB flush.

If TDP is enabled, synchronizing the MMU is unnecessary even if nested
TDP is in play, as a "legacy" TLB flush from L1 does not invalidate L1's
TDP mappings.  For EPT, an explicit INVEPT is required to invalidate
guest-physical mappings; for NPT, guest mappings are always tagged with
an ASID and thus can only be invalidated via the VMCB's ASID control.

This bug has existed since the introduction of KVM_VCPU_FLUSH_TLB.
It was only recently exposed after Linux guests stopped flushing the
local CPU's TLB prior to flushing remote TLBs (see commit 4ce94eabac16,
"x86/mm/tlb: Flush remote and local TLBs concurrently"), but is also
visible in Windows 10 guests.

Tested-by: Maxim Levitsky <mlevitsk@redhat.com>
Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
Fixes: f38a7b75267f ("KVM: X86: support paravirtualized help for TLB shootdowns")
Signed-off-by: Lai Jiangshan <laijs@linux.alibaba.com>
[sean: massaged comment and changelog]
Message-Id: <20210531172256.2908-1-jiangshanlai@gmail.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/x86.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2982,6 +2982,19 @@ static void kvm_vcpu_flush_tlb_all(struc
 static void kvm_vcpu_flush_tlb_guest(struct kvm_vcpu *vcpu)
 {
 	++vcpu->stat.tlb_flush;
+
+	if (!tdp_enabled) {
+               /*
+		 * A TLB flush on behalf of the guest is equivalent to
+		 * INVPCID(all), toggling CR4.PGE, etc., which requires
+		 * a forced sync of the shadow page tables.  Unload the
+		 * entire MMU here and the subsequent load will sync the
+		 * shadow page tables, and also flush the TLB.
+		 */
+		kvm_mmu_unload(vcpu);
+		return;
+	}
+
 	static_call(kvm_x86_tlb_flush_guest)(vcpu);
 }
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 064/173] KVM: X86: MMU: Use the correct inherited permissions to get shadow page
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 063/173] KVM: x86: Unload MMU on guest TLB flush if TDP disabled to force MMU sync Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 065/173] kvm: avoid speculation-based attacks from out-of-range memslot accesses Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lai Jiangshan, Paolo Bonzini

From: Lai Jiangshan <laijs@linux.alibaba.com>

commit b1bd5cba3306691c771d558e94baa73e8b0b96b7 upstream.

When computing the access permissions of a shadow page, use the effective
permissions of the walk up to that point, i.e. the logic AND of its parents'
permissions.  Two guest PxE entries that point at the same table gfn need to
be shadowed with different shadow pages if their parents' permissions are
different.  KVM currently uses the effective permissions of the last
non-leaf entry for all non-leaf entries.  Because all non-leaf SPTEs have
full ("uwx") permissions, and the effective permissions are recorded only
in role.access and merged into the leaves, this can lead to incorrect
reuse of a shadow page and eventually to a missing guest protection page
fault.

For example, here is a shared pagetable:

   pgd[]   pud[]        pmd[]            virtual address pointers
                     /->pmd1(u--)->pte1(uw-)->page1 <- ptr1 (u--)
        /->pud1(uw-)--->pmd2(uw-)->pte2(uw-)->page2 <- ptr2 (uw-)
   pgd-|           (shared pmd[] as above)
        \->pud2(u--)--->pmd1(u--)->pte1(uw-)->page1 <- ptr3 (u--)
                     \->pmd2(uw-)->pte2(uw-)->page2 <- ptr4 (u--)

  pud1 and pud2 point to the same pmd table, so:
  - ptr1 and ptr3 points to the same page.
  - ptr2 and ptr4 points to the same page.

(pud1 and pud2 here are pud entries, while pmd1 and pmd2 here are pmd entries)

- First, the guest reads from ptr1 first and KVM prepares a shadow
  page table with role.access=u--, from ptr1's pud1 and ptr1's pmd1.
  "u--" comes from the effective permissions of pgd, pud1 and
  pmd1, which are stored in pt->access.  "u--" is used also to get
  the pagetable for pud1, instead of "uw-".

- Then the guest writes to ptr2 and KVM reuses pud1 which is present.
  The hypervisor set up a shadow page for ptr2 with pt->access is "uw-"
  even though the pud1 pmd (because of the incorrect argument to
  kvm_mmu_get_page in the previous step) has role.access="u--".

- Then the guest reads from ptr3.  The hypervisor reuses pud1's
  shadow pmd for pud2, because both use "u--" for their permissions.
  Thus, the shadow pmd already includes entries for both pmd1 and pmd2.

- At last, the guest writes to ptr4.  This causes no vmexit or pagefault,
  because pud1's shadow page structures included an "uw-" page even though
  its role.access was "u--".

Any kind of shared pagetable might have the similar problem when in
virtual machine without TDP enabled if the permissions are different
from different ancestors.

In order to fix the problem, we change pt->access to be an array, and
any access in it will not include permissions ANDed from child ptes.

The test code is: https://lore.kernel.org/kvm/20210603050537.19605-1-jiangshanlai@gmail.com/
Remember to test it with TDP disabled.

The problem had existed long before the commit 41074d07c78b ("KVM: MMU:
Fix inherited permissions for emulated guest pte updates"), and it
is hard to find which is the culprit.  So there is no fixes tag here.

Signed-off-by: Lai Jiangshan <laijs@linux.alibaba.com>
Message-Id: <20210603052455.21023-1-jiangshanlai@gmail.com>
Cc: stable@vger.kernel.org
Fixes: cea0f0e7ea54 ("[PATCH] KVM: MMU: Shadow page table caching")
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/virt/kvm/mmu.rst |    4 ++--
 arch/x86/kvm/mmu/paging_tmpl.h |   14 +++++++++-----
 2 files changed, 11 insertions(+), 7 deletions(-)

--- a/Documentation/virt/kvm/mmu.rst
+++ b/Documentation/virt/kvm/mmu.rst
@@ -171,8 +171,8 @@ Shadow pages contain the following infor
     shadow pages) so role.quadrant takes values in the range 0..3.  Each
     quadrant maps 1GB virtual address space.
   role.access:
-    Inherited guest access permissions in the form uwx.  Note execute
-    permission is positive, not negative.
+    Inherited guest access permissions from the parent ptes in the form uwx.
+    Note execute permission is positive, not negative.
   role.invalid:
     The page is invalid and should not be used.  It is a root page that is
     currently pinned (by a cpu hardware register pointing to it); once it is
--- a/arch/x86/kvm/mmu/paging_tmpl.h
+++ b/arch/x86/kvm/mmu/paging_tmpl.h
@@ -90,8 +90,8 @@ struct guest_walker {
 	gpa_t pte_gpa[PT_MAX_FULL_LEVELS];
 	pt_element_t __user *ptep_user[PT_MAX_FULL_LEVELS];
 	bool pte_writable[PT_MAX_FULL_LEVELS];
-	unsigned pt_access;
-	unsigned pte_access;
+	unsigned int pt_access[PT_MAX_FULL_LEVELS];
+	unsigned int pte_access;
 	gfn_t gfn;
 	struct x86_exception fault;
 };
@@ -418,13 +418,15 @@ retry_walk:
 		}
 
 		walker->ptes[walker->level - 1] = pte;
+
+		/* Convert to ACC_*_MASK flags for struct guest_walker.  */
+		walker->pt_access[walker->level - 1] = FNAME(gpte_access)(pt_access ^ walk_nx_mask);
 	} while (!is_last_gpte(mmu, walker->level, pte));
 
 	pte_pkey = FNAME(gpte_pkeys)(vcpu, pte);
 	accessed_dirty = have_ad ? pte_access & PT_GUEST_ACCESSED_MASK : 0;
 
 	/* Convert to ACC_*_MASK flags for struct guest_walker.  */
-	walker->pt_access = FNAME(gpte_access)(pt_access ^ walk_nx_mask);
 	walker->pte_access = FNAME(gpte_access)(pte_access ^ walk_nx_mask);
 	errcode = permission_fault(vcpu, mmu, walker->pte_access, pte_pkey, access);
 	if (unlikely(errcode))
@@ -463,7 +465,8 @@ retry_walk:
 	}
 
 	pgprintk("%s: pte %llx pte_access %x pt_access %x\n",
-		 __func__, (u64)pte, walker->pte_access, walker->pt_access);
+		 __func__, (u64)pte, walker->pte_access,
+		 walker->pt_access[walker->level - 1]);
 	return 1;
 
 error:
@@ -642,7 +645,7 @@ static int FNAME(fetch)(struct kvm_vcpu
 	bool huge_page_disallowed = exec && nx_huge_page_workaround_enabled;
 	struct kvm_mmu_page *sp = NULL;
 	struct kvm_shadow_walk_iterator it;
-	unsigned direct_access, access = gw->pt_access;
+	unsigned int direct_access, access;
 	int top_level, level, req_level, ret;
 	gfn_t base_gfn = gw->gfn;
 
@@ -674,6 +677,7 @@ static int FNAME(fetch)(struct kvm_vcpu
 		sp = NULL;
 		if (!is_shadow_present_pte(*it.sptep)) {
 			table_gfn = gw->table_gfn[it.level - 2];
+			access = gw->pt_access[it.level - 2];
 			sp = kvm_mmu_get_page(vcpu, table_gfn, addr, it.level-1,
 					      false, access);
 		}



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 065/173] kvm: avoid speculation-based attacks from out-of-range memslot accesses
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 064/173] KVM: X86: MMU: Use the correct inherited permissions to get shadow page Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 066/173] staging: rtl8723bs: Fix uninitialized variables Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Artemiy Margaritov, Paolo Bonzini

From: Paolo Bonzini <pbonzini@redhat.com>

commit da27a83fd6cc7780fea190e1f5c19e87019da65c upstream.

KVM's mechanism for accessing guest memory translates a guest physical
address (gpa) to a host virtual address using the right-shifted gpa
(also known as gfn) and a struct kvm_memory_slot.  The translation is
performed in __gfn_to_hva_memslot using the following formula:

      hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE

It is expected that gfn falls within the boundaries of the guest's
physical memory.  However, a guest can access invalid physical addresses
in such a way that the gfn is invalid.

__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first
retrieves a memslot through __gfn_to_memslot.  While __gfn_to_memslot
does check that the gfn falls within the boundaries of the guest's
physical memory or not, a CPU can speculate the result of the check and
continue execution speculatively using an illegal gfn. The speculation
can result in calculating an out-of-bounds hva.  If the resulting host
virtual address is used to load another guest physical address, this
is effectively a Spectre gadget consisting of two consecutive reads,
the second of which is data dependent on the first.

Right now it's not clear if there are any cases in which this is
exploitable.  One interesting case was reported by the original author
of this patch, and involves visiting guest page tables on x86.  Right
now these are not vulnerable because the hva read goes through get_user(),
which contains an LFENCE speculation barrier.  However, there are
patches in progress for x86 uaccess.h to mask kernel addresses instead of
using LFENCE; once these land, a guest could use speculation to read
from the VMM's ring 3 address space.  Other architectures such as ARM
already use the address masking method, and would be susceptible to
this same kind of data-dependent access gadgets.  Therefore, this patch
proactively protects from these attacks by masking out-of-bounds gfns
in __gfn_to_hva_memslot, which blocks speculation of invalid hvas.

Sean Christopherson noted that this patch does not cover
kvm_read_guest_offset_cached.  This however is limited to a few bytes
past the end of the cache, and therefore it is unlikely to be useful in
the context of building a chain of data dependent accesses.

Reported-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
Co-developed-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/kvm_host.h |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -1118,7 +1118,15 @@ __gfn_to_memslot(struct kvm_memslots *sl
 static inline unsigned long
 __gfn_to_hva_memslot(struct kvm_memory_slot *slot, gfn_t gfn)
 {
-	return slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE;
+	/*
+	 * The index was checked originally in search_memslots.  To avoid
+	 * that a malicious guest builds a Spectre gadget out of e.g. page
+	 * table walks, do not let the processor speculate loads outside
+	 * the guest's registered memslots.
+	 */
+	unsigned long offset = array_index_nospec(gfn - slot->base_gfn,
+						  slot->npages);
+	return slot->userspace_addr + offset * PAGE_SIZE;
 }
 
 static inline int memslot_id(struct kvm *kvm, gfn_t gfn)



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 066/173] staging: rtl8723bs: Fix uninitialized variables
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 065/173] kvm: avoid speculation-based attacks from out-of-range memslot accesses Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 067/173] usb: misc: brcmstb-usb-pinmap: check return value after calling platform_get_resource() Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wenli Looi, Dan Carpenter

From: Wenli Looi <wlooi@ucalgary.ca>

commit 43c85d770db80cb135f576f8fde6ff1a08e707a4 upstream.

The sinfo.pertid and sinfo.generation variables are not initialized and
it causes a crash when we use this as a wireless access point.

[  456.873025] ------------[ cut here ]------------
[  456.878198] kernel BUG at mm/slub.c:3968!
[  456.882680] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM

  [ snip ]

[  457.271004] Backtrace:
[  457.273733] [<c02b7ee4>] (kfree) from [<c0e2a470>] (nl80211_send_station+0x954/0xfc4)
[  457.282481]  r9:eccca0c0 r8:e8edfec0 r7:00000000 r6:00000011 r5:e80a9480 r4:e8edfe00
[  457.291132] [<c0e29b1c>] (nl80211_send_station) from [<c0e2b18c>] (cfg80211_new_sta+0x90/0x1cc)
[  457.300850]  r10:e80a9480 r9:e8edfe00 r8:ea678cca r7:00000a20 r6:00000000 r5:ec46d000
[  457.309586]  r4:ec46d9e0
[  457.312433] [<c0e2b0fc>] (cfg80211_new_sta) from [<bf086684>] (rtw_cfg80211_indicate_sta_assoc+0x80/0x9c [r8723bs])
[  457.324095]  r10:00009930 r9:e85b9d80 r8:bf091050 r7:00000000 r6:00000000 r5:0000001c
[  457.332831]  r4:c1606788
[  457.335692] [<bf086604>] (rtw_cfg80211_indicate_sta_assoc [r8723bs]) from [<bf03df38>] (rtw_stassoc_event_callback+0x1c8/0x1d4 [r8723bs])
[  457.349489]  r7:ea678cc0 r6:000000a1 r5:f1225f84 r4:f086b000
[  457.355845] [<bf03dd70>] (rtw_stassoc_event_callback [r8723bs]) from [<bf048e4c>] (mlme_evt_hdl+0x8c/0xb4 [r8723bs])
[  457.367601]  r7:c1604900 r6:f086c4b8 r5:00000000 r4:f086c000
[  457.373959] [<bf048dc0>] (mlme_evt_hdl [r8723bs]) from [<bf03693c>] (rtw_cmd_thread+0x198/0x3d8 [r8723bs])
[  457.384744]  r5:f086e000 r4:f086c000
[  457.388754] [<bf0367a4>] (rtw_cmd_thread [r8723bs]) from [<c014a214>] (kthread+0x170/0x174)
[  457.398083]  r10:ed7a57e8 r9:bf0367a4 r8:f086b000 r7:e8ede000 r6:00000000 r5:e9975200
[  457.406828]  r4:e8369900
[  457.409653] [<c014a0a4>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
[  457.417718] Exception stack(0xe8edffb0 to 0xe8edfff8)
[  457.423356] ffa0:                                     00000000 00000000 00000000 00000000
[  457.432492] ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  457.441618] ffe0: 00000000 00000000 00000000 00000000 00000013 00000000
[  457.449006]  r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:c014a0a4
[  457.457750]  r4:e9975200
[  457.460574] Code: 1a000003 e5953004 e3130001 1a000000 (e7f001f2)
[  457.467381] ---[ end trace 4acbc8c15e9e6aa7 ]---

Link: https://forum.armbian.com/topic/14727-wifi-ap-kernel-bug-in-kernel-5444/
Fixes: 8689c051a201 ("cfg80211: dynamically allocate per-tid stats for station info")
Fixes: f5ea9120be2e ("nl80211: add generation number to all dumps")
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210608064620.74059-1-wlooi@ucalgary.ca
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
@@ -2359,7 +2359,7 @@ void rtw_cfg80211_indicate_sta_assoc(str
 	DBG_871X(FUNC_ADPT_FMT"\n", FUNC_ADPT_ARG(padapter));
 
 	{
-		struct station_info sinfo;
+		struct station_info sinfo = {};
 		u8 ie_offset;
 		if (GetFrameSubType(pmgmt_frame) == WIFI_ASSOCREQ)
 			ie_offset = _ASOCREQ_IE_OFFSET_;



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 067/173] usb: misc: brcmstb-usb-pinmap: check return value after calling platform_get_resource()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 066/173] staging: rtl8723bs: Fix uninitialized variables Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 068/173] misc: rtsx: separate aspm mode into MODE_REG and MODE_CFG Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yang Yingliang

From: Yang Yingliang <yangyingliang@huawei.com>

commit fbf649cd6d64d40c03c5397ecd6b1ae922ba7afc upstream.

It will cause null-ptr-deref if platform_get_resource() returns NULL,
we need check the return value.

Fixes: 517c4c44b323 ("usb: Add driver to allow any GPIO to be used for 7211 USB signals")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20210605080914.2057758-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/misc/brcmstb-usb-pinmap.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/misc/brcmstb-usb-pinmap.c
+++ b/drivers/usb/misc/brcmstb-usb-pinmap.c
@@ -263,6 +263,8 @@ static int __init brcmstb_usb_pinmap_pro
 		return -EINVAL;
 
 	r = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+	if (!r)
+		return -EINVAL;
 
 	pdata = devm_kzalloc(&pdev->dev,
 			     sizeof(*pdata) +



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 068/173] misc: rtsx: separate aspm mode into MODE_REG and MODE_CFG
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 067/173] usb: misc: brcmstb-usb-pinmap: check return value after calling platform_get_resource() Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 069/173] bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove() Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Chiu, Gordon Lack, Ricky Wu

From: Ricky Wu <ricky_wu@realtek.com>

commit 3df4fce739e2b263120f528c5e0fe6b2f8937b5b upstream.

aspm (Active State Power Management)
rtsx_comm_set_aspm: this function is for driver to make sure
not enter power saving when processing of init and card_detcct
ASPM_MODE_CFG: 8411 5209 5227 5229 5249 5250
Change back to use original way to control aspm
ASPM_MODE_REG: 5227A 524A 5250A 5260 5261 5228
Keep the new way to control aspm

Fixes: 121e9c6b5c4c ("misc: rtsx: modify and fix init_hw function")
Reported-by: Chris Chiu <chris.chiu@canonical.com>
Tested-by: Gordon Lack <gordon.lack@dsl.pipex.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Ricky Wu <ricky_wu@realtek.com>
Link: https://lore.kernel.org/r/20210607101634.4948-1-ricky_wu@realtek.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/cardreader/rtl8411.c  |    1 
 drivers/misc/cardreader/rts5209.c  |    1 
 drivers/misc/cardreader/rts5227.c  |    2 +
 drivers/misc/cardreader/rts5228.c  |    1 
 drivers/misc/cardreader/rts5229.c  |    1 
 drivers/misc/cardreader/rts5249.c  |    3 ++
 drivers/misc/cardreader/rts5260.c  |    1 
 drivers/misc/cardreader/rts5261.c  |    1 
 drivers/misc/cardreader/rtsx_pcr.c |   44 ++++++++++++++++++++++++++-----------
 include/linux/rtsx_pci.h           |    2 +
 10 files changed, 44 insertions(+), 13 deletions(-)

--- a/drivers/misc/cardreader/rtl8411.c
+++ b/drivers/misc/cardreader/rtl8411.c
@@ -468,6 +468,7 @@ static void rtl8411_init_common_params(s
 	pcr->sd30_drive_sel_1v8 = DRIVER_TYPE_B;
 	pcr->sd30_drive_sel_3v3 = DRIVER_TYPE_D;
 	pcr->aspm_en = ASPM_L1_EN;
+	pcr->aspm_mode = ASPM_MODE_CFG;
 	pcr->tx_initial_phase = SET_CLOCK_PHASE(23, 7, 14);
 	pcr->rx_initial_phase = SET_CLOCK_PHASE(4, 3, 10);
 	pcr->ic_version = rtl8411_get_ic_version(pcr);
--- a/drivers/misc/cardreader/rts5209.c
+++ b/drivers/misc/cardreader/rts5209.c
@@ -255,6 +255,7 @@ void rts5209_init_params(struct rtsx_pcr
 	pcr->sd30_drive_sel_1v8 = DRIVER_TYPE_B;
 	pcr->sd30_drive_sel_3v3 = DRIVER_TYPE_D;
 	pcr->aspm_en = ASPM_L1_EN;
+	pcr->aspm_mode = ASPM_MODE_CFG;
 	pcr->tx_initial_phase = SET_CLOCK_PHASE(27, 27, 16);
 	pcr->rx_initial_phase = SET_CLOCK_PHASE(24, 6, 5);
 
--- a/drivers/misc/cardreader/rts5227.c
+++ b/drivers/misc/cardreader/rts5227.c
@@ -358,6 +358,7 @@ void rts5227_init_params(struct rtsx_pcr
 	pcr->sd30_drive_sel_1v8 = CFG_DRIVER_TYPE_B;
 	pcr->sd30_drive_sel_3v3 = CFG_DRIVER_TYPE_B;
 	pcr->aspm_en = ASPM_L1_EN;
+	pcr->aspm_mode = ASPM_MODE_CFG;
 	pcr->tx_initial_phase = SET_CLOCK_PHASE(27, 27, 15);
 	pcr->rx_initial_phase = SET_CLOCK_PHASE(30, 7, 7);
 
@@ -483,6 +484,7 @@ void rts522a_init_params(struct rtsx_pcr
 
 	rts5227_init_params(pcr);
 	pcr->ops = &rts522a_pcr_ops;
+	pcr->aspm_mode = ASPM_MODE_REG;
 	pcr->tx_initial_phase = SET_CLOCK_PHASE(20, 20, 11);
 	pcr->reg_pm_ctrl3 = RTS522A_PM_CTRL3;
 
--- a/drivers/misc/cardreader/rts5228.c
+++ b/drivers/misc/cardreader/rts5228.c
@@ -718,6 +718,7 @@ void rts5228_init_params(struct rtsx_pcr
 	pcr->sd30_drive_sel_1v8 = CFG_DRIVER_TYPE_B;
 	pcr->sd30_drive_sel_3v3 = CFG_DRIVER_TYPE_B;
 	pcr->aspm_en = ASPM_L1_EN;
+	pcr->aspm_mode = ASPM_MODE_REG;
 	pcr->tx_initial_phase = SET_CLOCK_PHASE(28, 27, 11);
 	pcr->rx_initial_phase = SET_CLOCK_PHASE(24, 6, 5);
 
--- a/drivers/misc/cardreader/rts5229.c
+++ b/drivers/misc/cardreader/rts5229.c
@@ -246,6 +246,7 @@ void rts5229_init_params(struct rtsx_pcr
 	pcr->sd30_drive_sel_1v8 = DRIVER_TYPE_B;
 	pcr->sd30_drive_sel_3v3 = DRIVER_TYPE_D;
 	pcr->aspm_en = ASPM_L1_EN;
+	pcr->aspm_mode = ASPM_MODE_CFG;
 	pcr->tx_initial_phase = SET_CLOCK_PHASE(27, 27, 15);
 	pcr->rx_initial_phase = SET_CLOCK_PHASE(30, 6, 6);
 
--- a/drivers/misc/cardreader/rts5249.c
+++ b/drivers/misc/cardreader/rts5249.c
@@ -566,6 +566,7 @@ void rts5249_init_params(struct rtsx_pcr
 	pcr->sd30_drive_sel_1v8 = CFG_DRIVER_TYPE_B;
 	pcr->sd30_drive_sel_3v3 = CFG_DRIVER_TYPE_B;
 	pcr->aspm_en = ASPM_L1_EN;
+	pcr->aspm_mode = ASPM_MODE_CFG;
 	pcr->tx_initial_phase = SET_CLOCK_PHASE(1, 29, 16);
 	pcr->rx_initial_phase = SET_CLOCK_PHASE(24, 6, 5);
 
@@ -729,6 +730,7 @@ static const struct pcr_ops rts524a_pcr_
 void rts524a_init_params(struct rtsx_pcr *pcr)
 {
 	rts5249_init_params(pcr);
+	pcr->aspm_mode = ASPM_MODE_REG;
 	pcr->tx_initial_phase = SET_CLOCK_PHASE(27, 29, 11);
 	pcr->option.ltr_l1off_sspwrgate = LTR_L1OFF_SSPWRGATE_5250_DEF;
 	pcr->option.ltr_l1off_snooze_sspwrgate =
@@ -845,6 +847,7 @@ static const struct pcr_ops rts525a_pcr_
 void rts525a_init_params(struct rtsx_pcr *pcr)
 {
 	rts5249_init_params(pcr);
+	pcr->aspm_mode = ASPM_MODE_REG;
 	pcr->tx_initial_phase = SET_CLOCK_PHASE(25, 29, 11);
 	pcr->option.ltr_l1off_sspwrgate = LTR_L1OFF_SSPWRGATE_5250_DEF;
 	pcr->option.ltr_l1off_snooze_sspwrgate =
--- a/drivers/misc/cardreader/rts5260.c
+++ b/drivers/misc/cardreader/rts5260.c
@@ -628,6 +628,7 @@ void rts5260_init_params(struct rtsx_pcr
 	pcr->sd30_drive_sel_1v8 = CFG_DRIVER_TYPE_B;
 	pcr->sd30_drive_sel_3v3 = CFG_DRIVER_TYPE_B;
 	pcr->aspm_en = ASPM_L1_EN;
+	pcr->aspm_mode = ASPM_MODE_REG;
 	pcr->tx_initial_phase = SET_CLOCK_PHASE(27, 29, 11);
 	pcr->rx_initial_phase = SET_CLOCK_PHASE(24, 6, 5);
 
--- a/drivers/misc/cardreader/rts5261.c
+++ b/drivers/misc/cardreader/rts5261.c
@@ -783,6 +783,7 @@ void rts5261_init_params(struct rtsx_pcr
 	pcr->sd30_drive_sel_1v8 = 0x00;
 	pcr->sd30_drive_sel_3v3 = 0x00;
 	pcr->aspm_en = ASPM_L1_EN;
+	pcr->aspm_mode = ASPM_MODE_REG;
 	pcr->tx_initial_phase = SET_CLOCK_PHASE(27, 27, 11);
 	pcr->rx_initial_phase = SET_CLOCK_PHASE(24, 6, 5);
 
--- a/drivers/misc/cardreader/rtsx_pcr.c
+++ b/drivers/misc/cardreader/rtsx_pcr.c
@@ -85,12 +85,18 @@ static void rtsx_comm_set_aspm(struct rt
 	if (pcr->aspm_enabled == enable)
 		return;
 
-	if (pcr->aspm_en & 0x02)
-		rtsx_pci_write_register(pcr, ASPM_FORCE_CTL, FORCE_ASPM_CTL0 |
-			FORCE_ASPM_CTL1, enable ? 0 : FORCE_ASPM_CTL0 | FORCE_ASPM_CTL1);
-	else
-		rtsx_pci_write_register(pcr, ASPM_FORCE_CTL, FORCE_ASPM_CTL0 |
-			FORCE_ASPM_CTL1, FORCE_ASPM_CTL0 | FORCE_ASPM_CTL1);
+	if (pcr->aspm_mode == ASPM_MODE_CFG) {
+		pcie_capability_clear_and_set_word(pcr->pci, PCI_EXP_LNKCTL,
+						PCI_EXP_LNKCTL_ASPMC,
+						enable ? pcr->aspm_en : 0);
+	} else if (pcr->aspm_mode == ASPM_MODE_REG) {
+		if (pcr->aspm_en & 0x02)
+			rtsx_pci_write_register(pcr, ASPM_FORCE_CTL, FORCE_ASPM_CTL0 |
+				FORCE_ASPM_CTL1, enable ? 0 : FORCE_ASPM_CTL0 | FORCE_ASPM_CTL1);
+		else
+			rtsx_pci_write_register(pcr, ASPM_FORCE_CTL, FORCE_ASPM_CTL0 |
+				FORCE_ASPM_CTL1, FORCE_ASPM_CTL0 | FORCE_ASPM_CTL1);
+	}
 
 	if (!enable && (pcr->aspm_en & 0x02))
 		mdelay(10);
@@ -1394,7 +1400,8 @@ static int rtsx_pci_init_hw(struct rtsx_
 			return err;
 	}
 
-	rtsx_pci_write_register(pcr, ASPM_FORCE_CTL, 0x30, 0x30);
+	if (pcr->aspm_mode == ASPM_MODE_REG)
+		rtsx_pci_write_register(pcr, ASPM_FORCE_CTL, 0x30, 0x30);
 
 	/* No CD interrupt if probing driver with card inserted.
 	 * So we need to initialize pcr->card_exist here.
@@ -1410,6 +1417,8 @@ static int rtsx_pci_init_hw(struct rtsx_
 static int rtsx_pci_init_chip(struct rtsx_pcr *pcr)
 {
 	int err;
+	u16 cfg_val;
+	u8 val;
 
 	spin_lock_init(&pcr->lock);
 	mutex_init(&pcr->pcr_mutex);
@@ -1477,6 +1486,21 @@ static int rtsx_pci_init_chip(struct rts
 	if (!pcr->slots)
 		return -ENOMEM;
 
+	if (pcr->aspm_mode == ASPM_MODE_CFG) {
+		pcie_capability_read_word(pcr->pci, PCI_EXP_LNKCTL, &cfg_val);
+		if (cfg_val & PCI_EXP_LNKCTL_ASPM_L1)
+			pcr->aspm_enabled = true;
+		else
+			pcr->aspm_enabled = false;
+
+	} else if (pcr->aspm_mode == ASPM_MODE_REG) {
+		rtsx_pci_read_register(pcr, ASPM_FORCE_CTL, &val);
+		if (val & FORCE_ASPM_CTL0 && val & FORCE_ASPM_CTL1)
+			pcr->aspm_enabled = false;
+		else
+			pcr->aspm_enabled = true;
+	}
+
 	if (pcr->ops->fetch_vendor_settings)
 		pcr->ops->fetch_vendor_settings(pcr);
 
@@ -1506,7 +1530,6 @@ static int rtsx_pci_probe(struct pci_dev
 	struct pcr_handle *handle;
 	u32 base, len;
 	int ret, i, bar = 0;
-	u8 val;
 
 	dev_dbg(&(pcidev->dev),
 		": Realtek PCI-E Card Reader found at %s [%04x:%04x] (rev %x)\n",
@@ -1572,11 +1595,6 @@ static int rtsx_pci_probe(struct pci_dev
 	pcr->host_cmds_addr = pcr->rtsx_resv_buf_addr;
 	pcr->host_sg_tbl_ptr = pcr->rtsx_resv_buf + HOST_CMDS_BUF_LEN;
 	pcr->host_sg_tbl_addr = pcr->rtsx_resv_buf_addr + HOST_CMDS_BUF_LEN;
-	rtsx_pci_read_register(pcr, ASPM_FORCE_CTL, &val);
-	if (val & FORCE_ASPM_CTL0 && val & FORCE_ASPM_CTL1)
-		pcr->aspm_enabled = false;
-	else
-		pcr->aspm_enabled = true;
 	pcr->card_inserted = 0;
 	pcr->card_removed = 0;
 	INIT_DELAYED_WORK(&pcr->carddet_work, rtsx_pci_card_detect);
--- a/include/linux/rtsx_pci.h
+++ b/include/linux/rtsx_pci.h
@@ -1109,6 +1109,7 @@ struct pcr_ops {
 };
 
 enum PDEV_STAT  {PDEV_STAT_IDLE, PDEV_STAT_RUN};
+enum ASPM_MODE  {ASPM_MODE_CFG, ASPM_MODE_REG};
 
 #define ASPM_L1_1_EN			BIT(0)
 #define ASPM_L1_2_EN			BIT(1)
@@ -1234,6 +1235,7 @@ struct rtsx_pcr {
 	u8				card_drive_sel;
 #define ASPM_L1_EN			0x02
 	u8				aspm_en;
+	enum ASPM_MODE			aspm_mode;
 	bool				aspm_enabled;
 
 #define PCR_MS_PMOS			(1 << 0)



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 069/173] bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 068/173] misc: rtsx: separate aspm mode into MODE_REG and MODE_CFG Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 070/173] tick/nohz: Only check for RCU deferred wakeup on user/guest entry when needed Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Hemant kumar,
	Manivannan Sadhasivam, Loic Poulain, Wei Yongjun

From: Wei Yongjun <weiyongjun1@huawei.com>

commit 0b67808ade8893a1b3608ddd74fac7854786c919 upstream.

This driver's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.

Link: https://lore.kernel.org/r/20210413160318.2003699-1-weiyongjun1@huawei.com
Fixes: 8562d4fe34a3 ("mhi: pci_generic: Add health-check")
Cc: stable <stable@vger.kernel.org>
Reported-by: Hulk Robot <hulkci@huawei.com>
Reviewed-by: Hemant kumar <hemantk@codeaurora.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Reviewed-by: Loic Poulain <loic.poulain@linaro.org>
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20210606153741.20725-3-manivannan.sadhasivam@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bus/mhi/pci_generic.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/bus/mhi/pci_generic.c
+++ b/drivers/bus/mhi/pci_generic.c
@@ -505,7 +505,7 @@ static void mhi_pci_remove(struct pci_de
 	struct mhi_pci_device *mhi_pdev = pci_get_drvdata(pdev);
 	struct mhi_controller *mhi_cntrl = &mhi_pdev->mhi_cntrl;
 
-	del_timer(&mhi_pdev->health_check_timer);
+	del_timer_sync(&mhi_pdev->health_check_timer);
 	cancel_work_sync(&mhi_pdev->recovery_work);
 
 	if (test_and_clear_bit(MHI_PCI_DEV_STARTED, &mhi_pdev->status)) {



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 070/173] tick/nohz: Only check for RCU deferred wakeup on user/guest entry when needed
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 069/173] bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove() Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 071/173] bcache: remove bcache device self-defined readahead Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot,
	Frederic Weisbecker, Peter Zijlstra (Intel),
	Paul E. McKenney

From: Frederic Weisbecker <frederic@kernel.org>

commit f268c3737ecaefcfeecfb4cb5e44958a8976f067 upstream.

Checking for and processing RCU-nocb deferred wakeup upon user/guest
entry is only relevant when nohz_full runs on the local CPU, otherwise
the periodic tick should take care of it.

Make sure we don't needlessly pollute these fast-paths as a -3%
performance regression on a will-it-scale.per_process_ops has been
reported so far.

Fixes: 47b8ff194c1f (entry: Explicitly flush pending rcuog wakeup before last rescheduling point)
Fixes: 4ae7dc97f726 (entry/kvm: Explicitly flush pending rcuog wakeup before last rescheduling point)
Reported-by: kernel test robot <oliver.sang@intel.com>
Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20210527113441.465489-1-frederic@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/entry-kvm.h | 3 ++-
 include/linux/tick.h      | 7 +++++++
 kernel/entry/common.c     | 5 +++--
 kernel/time/tick-sched.c  | 1 +
 4 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/include/linux/entry-kvm.h b/include/linux/entry-kvm.h
index 8b2b1d68b954..136b8d97d8c0 100644
--- a/include/linux/entry-kvm.h
+++ b/include/linux/entry-kvm.h
@@ -3,6 +3,7 @@
 #define __LINUX_ENTRYKVM_H
 
 #include <linux/entry-common.h>
+#include <linux/tick.h>
 
 /* Transfer to guest mode work */
 #ifdef CONFIG_KVM_XFER_TO_GUEST_WORK
@@ -57,7 +58,7 @@ int xfer_to_guest_mode_handle_work(struct kvm_vcpu *vcpu);
 static inline void xfer_to_guest_mode_prepare(void)
 {
 	lockdep_assert_irqs_disabled();
-	rcu_nocb_flush_deferred_wakeup();
+	tick_nohz_user_enter_prepare();
 }
 
 /**
diff --git a/include/linux/tick.h b/include/linux/tick.h
index 7340613c7eff..1a0ff88fa107 100644
--- a/include/linux/tick.h
+++ b/include/linux/tick.h
@@ -11,6 +11,7 @@
 #include <linux/context_tracking_state.h>
 #include <linux/cpumask.h>
 #include <linux/sched.h>
+#include <linux/rcupdate.h>
 
 #ifdef CONFIG_GENERIC_CLOCKEVENTS
 extern void __init tick_init(void);
@@ -300,4 +301,10 @@ static inline void tick_nohz_task_switch(void)
 		__tick_nohz_task_switch();
 }
 
+static inline void tick_nohz_user_enter_prepare(void)
+{
+	if (tick_nohz_full_cpu(smp_processor_id()))
+		rcu_nocb_flush_deferred_wakeup();
+}
+
 #endif
diff --git a/kernel/entry/common.c b/kernel/entry/common.c
index a0b3b04fb596..bf16395b9e13 100644
--- a/kernel/entry/common.c
+++ b/kernel/entry/common.c
@@ -5,6 +5,7 @@
 #include <linux/highmem.h>
 #include <linux/livepatch.h>
 #include <linux/audit.h>
+#include <linux/tick.h>
 
 #include "common.h"
 
@@ -186,7 +187,7 @@ static unsigned long exit_to_user_mode_loop(struct pt_regs *regs,
 		local_irq_disable_exit_to_user();
 
 		/* Check if any of the above work has queued a deferred wakeup */
-		rcu_nocb_flush_deferred_wakeup();
+		tick_nohz_user_enter_prepare();
 
 		ti_work = READ_ONCE(current_thread_info()->flags);
 	}
@@ -202,7 +203,7 @@ static void exit_to_user_mode_prepare(struct pt_regs *regs)
 	lockdep_assert_irqs_disabled();
 
 	/* Flush pending rcuog wakeup before the last need_resched() check */
-	rcu_nocb_flush_deferred_wakeup();
+	tick_nohz_user_enter_prepare();
 
 	if (unlikely(ti_work & EXIT_TO_USER_MODE_WORK))
 		ti_work = exit_to_user_mode_loop(regs, ti_work);
diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
index 828b091501ca..6784f27a3099 100644
--- a/kernel/time/tick-sched.c
+++ b/kernel/time/tick-sched.c
@@ -230,6 +230,7 @@ static void tick_sched_handle(struct tick_sched *ts, struct pt_regs *regs)
 
 #ifdef CONFIG_NO_HZ_FULL
 cpumask_var_t tick_nohz_full_mask;
+EXPORT_SYMBOL_GPL(tick_nohz_full_mask);
 bool tick_nohz_full_running;
 EXPORT_SYMBOL_GPL(tick_nohz_full_running);
 static atomic_t tick_dep_mask;
-- 
2.32.0




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 071/173] bcache: remove bcache device self-defined readahead
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 070/173] tick/nohz: Only check for RCU deferred wakeup on user/guest entry when needed Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 072/173] bcache: avoid oversized read request in cache missing code path Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Ullrich, Diego Ercolani,
	Jan Szubiak, Marco Rebhan, Matthias Ferdinand, Victor Westerhuis,
	Vojtech Pavlik, Coly Li, Christoph Hellwig, Kent Overstreet, Nix,
	Takashi Iwai, Jens Axboe, Rolf Fokkens, Thorsten Knabe

From: Coly Li <colyli@suse.de>

commit 1616a4c2ab1a80893b6890ae93da40a2b1d0c691 upstream.

For read cache missing, bcache defines a readahead size for the read I/O
request to the backing device for the missing data. This readahead size
is initialized to 0, and almost no one uses it to avoid unnecessary read
amplifying onto backing device and write amplifying onto cache device.
Considering upper layer file system code has readahead logic allready
and works fine with readahead_cache_policy sysfile interface, we don't
have to keep bcache self-defined readahead anymore.

This patch removes the bcache self-defined readahead for cache missing
request for backing device, and the readahead sysfs file interfaces are
removed as well.

This is the preparation for next patch to fix potential kernel panic due
to oversized request in a simpler method.

Reported-by: Alexander Ullrich <ealex1979@gmail.com>
Reported-by: Diego Ercolani <diego.ercolani@gmail.com>
Reported-by: Jan Szubiak <jan.szubiak@linuxpolska.pl>
Reported-by: Marco Rebhan <me@dblsaiko.net>
Reported-by: Matthias Ferdinand <bcache@mfedv.net>
Reported-by: Victor Westerhuis <victor@westerhu.is>
Reported-by: Vojtech Pavlik <vojtech@suse.cz>
Reported-and-tested-by: Rolf Fokkens <rolf@rolffokkens.nl>
Reported-and-tested-by: Thorsten Knabe <linux@thorsten-knabe.de>
Signed-off-by: Coly Li <colyli@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Cc: Kent Overstreet <kent.overstreet@gmail.com>
Cc: Nix <nix@esperi.org.uk>
Cc: Takashi Iwai <tiwai@suse.com>
Link: https://lore.kernel.org/r/20210607125052.21277-2-colyli@suse.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/bcache/bcache.h  |    1 -
 drivers/md/bcache/request.c |   13 +------------
 drivers/md/bcache/stats.c   |   14 --------------
 drivers/md/bcache/stats.h   |    1 -
 drivers/md/bcache/sysfs.c   |    4 ----
 5 files changed, 1 insertion(+), 32 deletions(-)

--- a/drivers/md/bcache/bcache.h
+++ b/drivers/md/bcache/bcache.h
@@ -364,7 +364,6 @@ struct cached_dev {
 
 	/* The rest of this all shows up in sysfs */
 	unsigned int		sequential_cutoff;
-	unsigned int		readahead;
 
 	unsigned int		io_disable:1;
 	unsigned int		verify:1;
--- a/drivers/md/bcache/request.c
+++ b/drivers/md/bcache/request.c
@@ -880,7 +880,6 @@ static int cached_dev_cache_miss(struct
 				 struct bio *bio, unsigned int sectors)
 {
 	int ret = MAP_CONTINUE;
-	unsigned int reada = 0;
 	struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
 	struct bio *miss, *cache_bio;
 
@@ -892,14 +891,7 @@ static int cached_dev_cache_miss(struct
 		goto out_submit;
 	}
 
-	if (!(bio->bi_opf & REQ_RAHEAD) &&
-	    !(bio->bi_opf & (REQ_META|REQ_PRIO)) &&
-	    s->iop.c->gc_stats.in_use < CUTOFF_CACHE_READA)
-		reada = min_t(sector_t, dc->readahead >> 9,
-			      get_capacity(bio->bi_bdev->bd_disk) -
-			      bio_end_sector(bio));
-
-	s->insert_bio_sectors = min(sectors, bio_sectors(bio) + reada);
+	s->insert_bio_sectors = min(sectors, bio_sectors(bio));
 
 	s->iop.replace_key = KEY(s->iop.inode,
 				 bio->bi_iter.bi_sector + s->insert_bio_sectors,
@@ -933,9 +925,6 @@ static int cached_dev_cache_miss(struct
 	if (bch_bio_alloc_pages(cache_bio, __GFP_NOWARN|GFP_NOIO))
 		goto out_put;
 
-	if (reada)
-		bch_mark_cache_readahead(s->iop.c, s->d);
-
 	s->cache_miss	= miss;
 	s->iop.bio	= cache_bio;
 	bio_get(cache_bio);
--- a/drivers/md/bcache/stats.c
+++ b/drivers/md/bcache/stats.c
@@ -46,7 +46,6 @@ read_attribute(cache_misses);
 read_attribute(cache_bypass_hits);
 read_attribute(cache_bypass_misses);
 read_attribute(cache_hit_ratio);
-read_attribute(cache_readaheads);
 read_attribute(cache_miss_collisions);
 read_attribute(bypassed);
 
@@ -64,7 +63,6 @@ SHOW(bch_stats)
 		    DIV_SAFE(var(cache_hits) * 100,
 			     var(cache_hits) + var(cache_misses)));
 
-	var_print(cache_readaheads);
 	var_print(cache_miss_collisions);
 	sysfs_hprint(bypassed,	var(sectors_bypassed) << 9);
 #undef var
@@ -86,7 +84,6 @@ static struct attribute *bch_stats_files
 	&sysfs_cache_bypass_hits,
 	&sysfs_cache_bypass_misses,
 	&sysfs_cache_hit_ratio,
-	&sysfs_cache_readaheads,
 	&sysfs_cache_miss_collisions,
 	&sysfs_bypassed,
 	NULL
@@ -113,7 +110,6 @@ void bch_cache_accounting_clear(struct c
 	acc->total.cache_misses = 0;
 	acc->total.cache_bypass_hits = 0;
 	acc->total.cache_bypass_misses = 0;
-	acc->total.cache_readaheads = 0;
 	acc->total.cache_miss_collisions = 0;
 	acc->total.sectors_bypassed = 0;
 }
@@ -145,7 +141,6 @@ static void scale_stats(struct cache_sta
 		scale_stat(&stats->cache_misses);
 		scale_stat(&stats->cache_bypass_hits);
 		scale_stat(&stats->cache_bypass_misses);
-		scale_stat(&stats->cache_readaheads);
 		scale_stat(&stats->cache_miss_collisions);
 		scale_stat(&stats->sectors_bypassed);
 	}
@@ -168,7 +163,6 @@ static void scale_accounting(struct time
 	move_stat(cache_misses);
 	move_stat(cache_bypass_hits);
 	move_stat(cache_bypass_misses);
-	move_stat(cache_readaheads);
 	move_stat(cache_miss_collisions);
 	move_stat(sectors_bypassed);
 
@@ -209,14 +203,6 @@ void bch_mark_cache_accounting(struct ca
 	mark_cache_stats(&c->accounting.collector, hit, bypass);
 }
 
-void bch_mark_cache_readahead(struct cache_set *c, struct bcache_device *d)
-{
-	struct cached_dev *dc = container_of(d, struct cached_dev, disk);
-
-	atomic_inc(&dc->accounting.collector.cache_readaheads);
-	atomic_inc(&c->accounting.collector.cache_readaheads);
-}
-
 void bch_mark_cache_miss_collision(struct cache_set *c, struct bcache_device *d)
 {
 	struct cached_dev *dc = container_of(d, struct cached_dev, disk);
--- a/drivers/md/bcache/stats.h
+++ b/drivers/md/bcache/stats.h
@@ -7,7 +7,6 @@ struct cache_stat_collector {
 	atomic_t cache_misses;
 	atomic_t cache_bypass_hits;
 	atomic_t cache_bypass_misses;
-	atomic_t cache_readaheads;
 	atomic_t cache_miss_collisions;
 	atomic_t sectors_bypassed;
 };
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -137,7 +137,6 @@ rw_attribute(io_disable);
 rw_attribute(discard);
 rw_attribute(running);
 rw_attribute(label);
-rw_attribute(readahead);
 rw_attribute(errors);
 rw_attribute(io_error_limit);
 rw_attribute(io_error_halflife);
@@ -260,7 +259,6 @@ SHOW(__bch_cached_dev)
 	var_printf(partial_stripes_expensive,	"%u");
 
 	var_hprint(sequential_cutoff);
-	var_hprint(readahead);
 
 	sysfs_print(running,		atomic_read(&dc->running));
 	sysfs_print(state,		states[BDEV_STATE(&dc->sb)]);
@@ -365,7 +363,6 @@ STORE(__cached_dev)
 	sysfs_strtoul_clamp(sequential_cutoff,
 			    dc->sequential_cutoff,
 			    0, UINT_MAX);
-	d_strtoi_h(readahead);
 
 	if (attr == &sysfs_clear_stats)
 		bch_cache_accounting_clear(&dc->accounting);
@@ -538,7 +535,6 @@ static struct attribute *bch_cached_dev_
 	&sysfs_running,
 	&sysfs_state,
 	&sysfs_label,
-	&sysfs_readahead,
 #ifdef CONFIG_BCACHE_DEBUG
 	&sysfs_verify,
 	&sysfs_bypass_torture_test,



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 072/173] bcache: avoid oversized read request in cache missing code path
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 071/173] bcache: remove bcache device self-defined readahead Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 073/173] async_xor: check src_offs is not NULL before updating it Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Ullrich, Diego Ercolani,
	Jan Szubiak, Marco Rebhan, Matthias Ferdinand, Victor Westerhuis,
	Vojtech Pavlik, Coly Li, Christoph Hellwig, Kent Overstreet, Nix,
	Takashi Iwai, Jens Axboe, Rolf Fokkens, Thorsten Knabe

From: Coly Li <colyli@suse.de>

commit 41fe8d088e96472f63164e213de44ec77be69478 upstream.

In the cache missing code path of cached device, if a proper location
from the internal B+ tree is matched for a cache miss range, function
cached_dev_cache_miss() will be called in cache_lookup_fn() in the
following code block,
[code block 1]
  526         unsigned int sectors = KEY_INODE(k) == s->iop.inode
  527                 ? min_t(uint64_t, INT_MAX,
  528                         KEY_START(k) - bio->bi_iter.bi_sector)
  529                 : INT_MAX;
  530         int ret = s->d->cache_miss(b, s, bio, sectors);

Here s->d->cache_miss() is the call backfunction pointer initialized as
cached_dev_cache_miss(), the last parameter 'sectors' is an important
hint to calculate the size of read request to backing device of the
missing cache data.

Current calculation in above code block may generate oversized value of
'sectors', which consequently may trigger 2 different potential kernel
panics by BUG() or BUG_ON() as listed below,

1) BUG_ON() inside bch_btree_insert_key(),
[code block 2]
   886         BUG_ON(b->ops->is_extents && !KEY_SIZE(k));
2) BUG() inside biovec_slab(),
[code block 3]
   51         default:
   52                 BUG();
   53                 return NULL;

All the above panics are original from cached_dev_cache_miss() by the
oversized parameter 'sectors'.

Inside cached_dev_cache_miss(), parameter 'sectors' is used to calculate
the size of data read from backing device for the cache missing. This
size is stored in s->insert_bio_sectors by the following lines of code,
[code block 4]
  909    s->insert_bio_sectors = min(sectors, bio_sectors(bio) + reada);

Then the actual key inserting to the internal B+ tree is generated and
stored in s->iop.replace_key by the following lines of code,
[code block 5]
  911   s->iop.replace_key = KEY(s->iop.inode,
  912                    bio->bi_iter.bi_sector + s->insert_bio_sectors,
  913                    s->insert_bio_sectors);
The oversized parameter 'sectors' may trigger panic 1) by BUG_ON() from
the above code block.

And the bio sending to backing device for the missing data is allocated
with hint from s->insert_bio_sectors by the following lines of code,
[code block 6]
  926    cache_bio = bio_alloc_bioset(GFP_NOWAIT,
  927                 DIV_ROUND_UP(s->insert_bio_sectors, PAGE_SECTORS),
  928                 &dc->disk.bio_split);
The oversized parameter 'sectors' may trigger panic 2) by BUG() from the
agove code block.

Now let me explain how the panics happen with the oversized 'sectors'.
In code block 5, replace_key is generated by macro KEY(). From the
definition of macro KEY(),
[code block 7]
  71 #define KEY(inode, offset, size)                                  \
  72 ((struct bkey) {                                                  \
  73      .high = (1ULL << 63) | ((__u64) (size) << 20) | (inode),     \
  74      .low = (offset)                                              \
  75 })

Here 'size' is 16bits width embedded in 64bits member 'high' of struct
bkey. But in code block 1, if "KEY_START(k) - bio->bi_iter.bi_sector" is
very probably to be larger than (1<<16) - 1, which makes the bkey size
calculation in code block 5 is overflowed. In one bug report the value
of parameter 'sectors' is 131072 (= 1 << 17), the overflowed 'sectors'
results the overflowed s->insert_bio_sectors in code block 4, then makes
size field of s->iop.replace_key to be 0 in code block 5. Then the 0-
sized s->iop.replace_key is inserted into the internal B+ tree as cache
missing check key (a special key to detect and avoid a racing between
normal write request and cache missing read request) as,
[code block 8]
  915   ret = bch_btree_insert_check_key(b, &s->op, &s->iop.replace_key);

Then the 0-sized s->iop.replace_key as 3rd parameter triggers the bkey
size check BUG_ON() in code block 2, and causes the kernel panic 1).

Another kernel panic is from code block 6, is by the bvecs number
oversized value s->insert_bio_sectors from code block 4,
        min(sectors, bio_sectors(bio) + reada)
There are two possibility for oversized reresult,
- bio_sectors(bio) is valid, but bio_sectors(bio) + reada is oversized.
- sectors < bio_sectors(bio) + reada, but sectors is oversized.

>From a bug report the result of "DIV_ROUND_UP(s->insert_bio_sectors,
PAGE_SECTORS)" from code block 6 can be 344, 282, 946, 342 and many
other values which larther than BIO_MAX_VECS (a.k.a 256). When calling
bio_alloc_bioset() with such larger-than-256 value as the 2nd parameter,
this value will eventually be sent to biovec_slab() as parameter
'nr_vecs' in following code path,
   bio_alloc_bioset() ==> bvec_alloc() ==> biovec_slab()
Because parameter 'nr_vecs' is larger-than-256 value, the panic by BUG()
in code block 3 is triggered inside biovec_slab().

>From the above analysis, we know that the 4th parameter 'sector' sent
into cached_dev_cache_miss() may cause overflow in code block 5 and 6,
and finally cause kernel panic in code block 2 and 3. And if result of
bio_sectors(bio) + reada exceeds valid bvecs number, it may also trigger
kernel panic in code block 3 from code block 6.

Now the almost-useless readahead size for cache missing request back to
backing device is removed, this patch can fix the oversized issue with
more simpler method.
- add a local variable size_limit,  set it by the minimum value from
  the max bkey size and max bio bvecs number.
- set s->insert_bio_sectors by the minimum value from size_limit,
  sectors, and the sectors size of bio.
- replace sectors by s->insert_bio_sectors to do bio_next_split.

By the above method with size_limit, s->insert_bio_sectors will never
result oversized replace_key size or bio bvecs number. And split bio
'miss' from bio_next_split() will always match the size of 'cache_bio',
that is the current maximum bio size we can sent to backing device for
fetching the cache missing data.

Current problmatic code can be partially found since Linux v3.13-rc1,
therefore all maintained stable kernels should try to apply this fix.

Reported-by: Alexander Ullrich <ealex1979@gmail.com>
Reported-by: Diego Ercolani <diego.ercolani@gmail.com>
Reported-by: Jan Szubiak <jan.szubiak@linuxpolska.pl>
Reported-by: Marco Rebhan <me@dblsaiko.net>
Reported-by: Matthias Ferdinand <bcache@mfedv.net>
Reported-by: Victor Westerhuis <victor@westerhu.is>
Reported-by: Vojtech Pavlik <vojtech@suse.cz>
Reported-and-tested-by: Rolf Fokkens <rolf@rolffokkens.nl>
Reported-and-tested-by: Thorsten Knabe <linux@thorsten-knabe.de>
Signed-off-by: Coly Li <colyli@suse.de>
Cc: stable@vger.kernel.org
Cc: Christoph Hellwig <hch@lst.de>
Cc: Kent Overstreet <kent.overstreet@gmail.com>
Cc: Nix <nix@esperi.org.uk>
Cc: Takashi Iwai <tiwai@suse.com>
Link: https://lore.kernel.org/r/20210607125052.21277-3-colyli@suse.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/bcache/request.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/md/bcache/request.c
+++ b/drivers/md/bcache/request.c
@@ -882,6 +882,7 @@ static int cached_dev_cache_miss(struct
 	int ret = MAP_CONTINUE;
 	struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
 	struct bio *miss, *cache_bio;
+	unsigned int size_limit;
 
 	s->cache_missed = 1;
 
@@ -891,7 +892,10 @@ static int cached_dev_cache_miss(struct
 		goto out_submit;
 	}
 
-	s->insert_bio_sectors = min(sectors, bio_sectors(bio));
+	/* Limitation for valid replace key size and cache_bio bvecs number */
+	size_limit = min_t(unsigned int, BIO_MAX_VECS * PAGE_SECTORS,
+			   (1 << KEY_SIZE_BITS) - 1);
+	s->insert_bio_sectors = min3(size_limit, sectors, bio_sectors(bio));
 
 	s->iop.replace_key = KEY(s->iop.inode,
 				 bio->bi_iter.bi_sector + s->insert_bio_sectors,
@@ -903,7 +907,8 @@ static int cached_dev_cache_miss(struct
 
 	s->iop.replace = true;
 
-	miss = bio_next_split(bio, sectors, GFP_NOIO, &s->d->bio_split);
+	miss = bio_next_split(bio, s->insert_bio_sectors, GFP_NOIO,
+			      &s->d->bio_split);
 
 	/* btree_search_recurse()'s btree iterator is no good anymore */
 	ret = miss == bio ? MAP_DONE : -EINTR;



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 073/173] async_xor: check src_offs is not NULL before updating it
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 072/173] bcache: avoid oversized read request in cache missing code path Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 074/173] btrfs: do not write supers if we have an fs error Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleksandr Shchirskyi,
	Oleksandr Shchirskyi, Xiao Ni, Song Liu

From: Xiao Ni <xni@redhat.com>

commit 9be148e408df7d361ec5afd6299b7736ff3928b0 upstream.

When PAGE_SIZE is greater than 4kB, multiple stripes may share the same
page. Thus, src_offs is added to async_xor_offs() with array of offsets.
However, async_xor() passes NULL src_offs to async_xor_offs(). In such
case, src_offs should not be updated. Add a check before the update.

Fixes: ceaf2966ab08(async_xor: increase src_offs when dropping destination page)
Cc: stable@vger.kernel.org # v5.10+
Reported-by: Oleksandr Shchirskyi <oleksandr.shchirskyi@linux.intel.com>
Tested-by: Oleksandr Shchirskyi <oleksandr.shchirskyi@intel.com>
Signed-off-by: Xiao Ni <xni@redhat.com>
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 crypto/async_tx/async_xor.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/crypto/async_tx/async_xor.c
+++ b/crypto/async_tx/async_xor.c
@@ -233,7 +233,8 @@ async_xor_offs(struct page *dest, unsign
 		if (submit->flags & ASYNC_TX_XOR_DROP_DST) {
 			src_cnt--;
 			src_list++;
-			src_offs++;
+			if (src_offs)
+				src_offs++;
 		}
 
 		/* wait for any prerequisite operations */



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 074/173] btrfs: do not write supers if we have an fs error
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 073/173] async_xor: check src_offs is not NULL before updating it Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 075/173] btrfs: zoned: fix zone number to sector/physical calculation Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Filipe Manana, Josef Bacik, David Sterba

From: Josef Bacik <josef@toxicpanda.com>

commit 165ea85f14831f27fc6fe3b02b35e42e50b9ed94 upstream.

Error injection testing uncovered a pretty severe problem where we could
end up committing a super that pointed to the wrong tree roots,
resulting in transid mismatch errors.

The way we commit the transaction is we update the super copy with the
current generations and bytenrs of the important roots, and then copy
that into our super_for_commit.  Then we allow transactions to continue
again, we write out the dirty pages for the transaction, and then we
write the super.  If the write out fails we'll bail and skip writing the
supers.

However since we've allowed a new transaction to start, we can have a
log attempting to sync at this point, which would be blocked on
fs_info->tree_log_mutex.  Once the commit fails we're allowed to do the
log tree commit, which uses super_for_commit, which now points at fs
tree's that were not written out.

Fix this by checking BTRFS_FS_STATE_ERROR once we acquire the
tree_log_mutex.  This way if the transaction commit fails we're sure to
see this bit set and we can skip writing the super out.  This patch
fixes this specific transid mismatch error I was seeing with this
particular error path.

CC: stable@vger.kernel.org # 5.12+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/tree-log.c |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -3302,6 +3302,22 @@ int btrfs_sync_log(struct btrfs_trans_ha
 	 *    begins and releases it only after writing its superblock.
 	 */
 	mutex_lock(&fs_info->tree_log_mutex);
+
+	/*
+	 * The previous transaction writeout phase could have failed, and thus
+	 * marked the fs in an error state.  We must not commit here, as we
+	 * could have updated our generation in the super_for_commit and
+	 * writing the super here would result in transid mismatches.  If there
+	 * is an error here just bail.
+	 */
+	if (test_bit(BTRFS_FS_STATE_ERROR, &fs_info->fs_state)) {
+		ret = -EIO;
+		btrfs_set_log_full_commit(trans);
+		btrfs_abort_transaction(trans, ret);
+		mutex_unlock(&fs_info->tree_log_mutex);
+		goto out_wake_log_root;
+	}
+
 	btrfs_set_super_log_root(fs_info->super_for_commit, log_root_start);
 	btrfs_set_super_log_root_level(fs_info->super_for_commit, log_root_level);
 	ret = write_all_supers(fs_info, 1);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 075/173] btrfs: zoned: fix zone number to sector/physical calculation
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 074/173] btrfs: do not write supers if we have an fs error Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 076/173] btrfs: return value from btrfs_mark_extent_written() in case of error Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Fomichev, Johannes Thumshirn,
	Naohiro Aota, David Sterba

From: Naohiro Aota <naohiro.aota@wdc.com>

commit 5b434df8778771d181bc19fb4593bca114d1c4eb upstream.

In btrfs_get_dev_zone_info(), we have "u32 sb_zone" and calculate "sector_t
sector" by shifting it. But, this "sector" is calculated in 32bit, leading
it to be 0 for the 2nd superblock copy.

Since zone number is u32, shifting it to sector (sector_t) or physical
address (u64) can easily trigger a missing cast bug like this.

This commit introduces helpers to convert zone number to sector/LBA, so we
won't fall into the same pitfall again.

Reported-by: Dmitry Fomichev <Dmitry.Fomichev@wdc.com>
Fixes: 12659251ca5d ("btrfs: implement log-structured superblock for ZONED mode")
CC: stable@vger.kernel.org # 5.11+
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/zoned.c |   23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

--- a/fs/btrfs/zoned.c
+++ b/fs/btrfs/zoned.c
@@ -150,6 +150,18 @@ static inline u32 sb_zone_number(int shi
 	return (u32)zone;
 }
 
+static inline sector_t zone_start_sector(u32 zone_number,
+					 struct block_device *bdev)
+{
+	return (sector_t)zone_number << ilog2(bdev_zone_sectors(bdev));
+}
+
+static inline u64 zone_start_physical(u32 zone_number,
+				      struct btrfs_zoned_device_info *zone_info)
+{
+	return (u64)zone_number << zone_info->zone_size_shift;
+}
+
 /*
  * Emulate blkdev_report_zones() for a non-zoned device. It slices up the block
  * device into static sized chunks and fake a conventional zone on each of
@@ -405,8 +417,8 @@ int btrfs_get_dev_zone_info(struct btrfs
 		if (sb_zone + 1 >= zone_info->nr_zones)
 			continue;
 
-		sector = sb_zone << (zone_info->zone_size_shift - SECTOR_SHIFT);
-		ret = btrfs_get_dev_zones(device, sector << SECTOR_SHIFT,
+		ret = btrfs_get_dev_zones(device,
+					  zone_start_physical(sb_zone, zone_info),
 					  &zone_info->sb_zones[sb_pos],
 					  &nr_zones);
 		if (ret)
@@ -721,7 +733,7 @@ int btrfs_sb_log_location_bdev(struct bl
 	if (sb_zone + 1 >= nr_zones)
 		return -ENOENT;
 
-	ret = blkdev_report_zones(bdev, sb_zone << zone_sectors_shift,
+	ret = blkdev_report_zones(bdev, zone_start_sector(sb_zone, bdev),
 				  BTRFS_NR_SB_LOG_ZONES, copy_zone_info_cb,
 				  zones);
 	if (ret < 0)
@@ -826,7 +838,7 @@ int btrfs_reset_sb_log_zones(struct bloc
 		return -ENOENT;
 
 	return blkdev_zone_mgmt(bdev, REQ_OP_ZONE_RESET,
-				sb_zone << zone_sectors_shift,
+				zone_start_sector(sb_zone, bdev),
 				zone_sectors * BTRFS_NR_SB_LOG_ZONES, GFP_NOFS);
 }
 
@@ -878,7 +890,8 @@ u64 btrfs_find_allocatable_zones(struct
 			if (!(end <= sb_zone ||
 			      sb_zone + BTRFS_NR_SB_LOG_ZONES <= begin)) {
 				have_sb = true;
-				pos = ((u64)sb_zone + BTRFS_NR_SB_LOG_ZONES) << shift;
+				pos = zone_start_physical(
+					sb_zone + BTRFS_NR_SB_LOG_ZONES, zinfo);
 				break;
 			}
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 076/173] btrfs: return value from btrfs_mark_extent_written() in case of error
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 075/173] btrfs: zoned: fix zone number to sector/physical calculation Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 077/173] btrfs: promote debugging asserts to full-fledged checks in validate_super Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ritesh Harjani, David Sterba

From: Ritesh Harjani <riteshh@linux.ibm.com>

commit e7b2ec3d3d4ebeb4cff7ae45cf430182fa6a49fb upstream.

We always return 0 even in case of an error in btrfs_mark_extent_written().
Fix it to return proper error value in case of a failure. All callers
handle it.

CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/file.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -1094,7 +1094,7 @@ int btrfs_mark_extent_written(struct btr
 	int del_nr = 0;
 	int del_slot = 0;
 	int recow;
-	int ret;
+	int ret = 0;
 	u64 ino = btrfs_ino(inode);
 
 	path = btrfs_alloc_path();
@@ -1315,7 +1315,7 @@ again:
 	}
 out:
 	btrfs_free_path(path);
-	return 0;
+	return ret;
 }
 
 /*



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 077/173] btrfs: promote debugging asserts to full-fledged checks in validate_super
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 076/173] btrfs: return value from btrfs_mark_extent_written() in case of error Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 078/173] coredump: Limit what can interrupt coredumps Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+a6bf271c02e4fe66b4e4,
	Johannes Thumshirn, Qu Wenruo, Nikolay Borisov, David Sterba

From: Nikolay Borisov <nborisov@suse.com>

commit aefd7f7065567a4666f42c0fc8cdb379d2e036bf upstream.

Syzbot managed to trigger this assert while performing its fuzzing.
Turns out it's better to have those asserts turned into full-fledged
checks so that in case buggy btrfs images are mounted the users gets
an error and mounting is stopped. Alternatively with CONFIG_BTRFS_ASSERT
disabled such image would have been erroneously allowed to be mounted.

Reported-by: syzbot+a6bf271c02e4fe66b4e4@syzkaller.appspotmail.com
CC: stable@vger.kernel.org # 5.4+
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ add uuids to the messages ]
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/disk-io.c |   26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -2558,6 +2558,24 @@ static int validate_super(struct btrfs_f
 		ret = -EINVAL;
 	}
 
+	if (memcmp(fs_info->fs_devices->fsid, fs_info->super_copy->fsid,
+		   BTRFS_FSID_SIZE)) {
+		btrfs_err(fs_info,
+		"superblock fsid doesn't match fsid of fs_devices: %pU != %pU",
+			fs_info->super_copy->fsid, fs_info->fs_devices->fsid);
+		ret = -EINVAL;
+	}
+
+	if (btrfs_fs_incompat(fs_info, METADATA_UUID) &&
+	    memcmp(fs_info->fs_devices->metadata_uuid,
+		   fs_info->super_copy->metadata_uuid, BTRFS_FSID_SIZE)) {
+		btrfs_err(fs_info,
+"superblock metadata_uuid doesn't match metadata uuid of fs_devices: %pU != %pU",
+			fs_info->super_copy->metadata_uuid,
+			fs_info->fs_devices->metadata_uuid);
+		ret = -EINVAL;
+	}
+
 	if (memcmp(fs_info->fs_devices->metadata_uuid, sb->dev_item.fsid,
 		   BTRFS_FSID_SIZE) != 0) {
 		btrfs_err(fs_info,
@@ -3185,14 +3203,6 @@ int __cold open_ctree(struct super_block
 
 	disk_super = fs_info->super_copy;
 
-	ASSERT(!memcmp(fs_info->fs_devices->fsid, fs_info->super_copy->fsid,
-		       BTRFS_FSID_SIZE));
-
-	if (btrfs_fs_incompat(fs_info, METADATA_UUID)) {
-		ASSERT(!memcmp(fs_info->fs_devices->metadata_uuid,
-				fs_info->super_copy->metadata_uuid,
-				BTRFS_FSID_SIZE));
-	}
 
 	features = btrfs_super_flags(disk_super);
 	if (features & BTRFS_SUPER_FLAG_CHANGING_FSID_V2) {



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 078/173] coredump: Limit what can interrupt coredumps
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 077/173] btrfs: promote debugging asserts to full-fledged checks in validate_super Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 079/173] cgroup1: dont allow \n in renaming Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Olivier Langlois, Eric W. Biederman,
	Linus Torvalds

From: Eric W. Biederman <ebiederm@xmission.com>

commit 06af8679449d4ed282df13191fc52d5ba28ec536 upstream.

Olivier Langlois has been struggling with coredumps being incompletely written in
processes using io_uring.

Olivier Langlois <olivier@trillion01.com> writes:
> io_uring is a big user of task_work and any event that io_uring made a
> task waiting for that occurs during the core dump generation will
> generate a TIF_NOTIFY_SIGNAL.
>
> Here are the detailed steps of the problem:
> 1. io_uring calls vfs_poll() to install a task to a file wait queue
>    with io_async_wake() as the wakeup function cb from io_arm_poll_handler()
> 2. wakeup function ends up calling task_work_add() with TWA_SIGNAL
> 3. task_work_add() sets the TIF_NOTIFY_SIGNAL bit by calling
>    set_notify_signal()

The coredump code deliberately supports being interrupted by SIGKILL,
and depends upon prepare_signal to filter out all other signals.   Now
that signal_pending includes wake ups for TIF_NOTIFY_SIGNAL this hack
in dump_emitted by the coredump code no longer works.

Make the coredump code more robust by explicitly testing for all of
the wakeup conditions the coredump code supports.  This prevents
new wakeup conditions from breaking the coredump code, as well
as fixing the current issue.

The filesystem code that the coredump code uses already limits
itself to only aborting on fatal_signal_pending.  So it should
not develop surprising wake-up reasons either.

v2: Don't remove the now unnecessary code in prepare_signal.

Cc: stable@vger.kernel.org
Fixes: 12db8b690010 ("entry: Add support for TIF_NOTIFY_SIGNAL")
Reported-by: Olivier Langlois <olivier@trillion01.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/coredump.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -519,7 +519,7 @@ static bool dump_interrupted(void)
 	 * but then we need to teach dump_write() to restart and clear
 	 * TIF_SIGPENDING.
 	 */
-	return signal_pending(current);
+	return fatal_signal_pending(current) || freezing(current);
 }
 
 static void wait_for_dump_helpers(struct file *file)



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 079/173] cgroup1: dont allow \n in renaming
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 078/173] coredump: Limit what can interrupt coredumps Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 080/173] ftrace: Do not blindly read the ip address in ftrace_bug() Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Kuznetsov,
	Andrey Krasichkov, Dmitry Yakunin, Tejun Heo

From: Alexander Kuznetsov <wwfq@yandex-team.ru>

commit b7e24eb1caa5f8da20d405d262dba67943aedc42 upstream.

cgroup_mkdir() have restriction on newline usage in names:
$ mkdir $'/sys/fs/cgroup/cpu/test\ntest2'
mkdir: cannot create directory
'/sys/fs/cgroup/cpu/test\ntest2': Invalid argument

But in cgroup1_rename() such check is missed.
This allows us to make /proc/<pid>/cgroup unparsable:
$ mkdir /sys/fs/cgroup/cpu/test
$ mv /sys/fs/cgroup/cpu/test $'/sys/fs/cgroup/cpu/test\ntest2'
$ echo $$ > $'/sys/fs/cgroup/cpu/test\ntest2'
$ cat /proc/self/cgroup
11:pids:/
10:freezer:/
9:hugetlb:/
8:cpuset:/
7:blkio:/user.slice
6:memory:/user.slice
5:net_cls,net_prio:/
4:perf_event:/
3:devices:/user.slice
2:cpu,cpuacct:/test
test2
1:name=systemd:/
0::/

Signed-off-by: Alexander Kuznetsov <wwfq@yandex-team.ru>
Reported-by: Andrey Krasichkov <buglloc@yandex-team.ru>
Acked-by: Dmitry Yakunin <zeil@yandex-team.ru>
Cc: stable@vger.kernel.org
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/cgroup/cgroup-v1.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -820,6 +820,10 @@ static int cgroup1_rename(struct kernfs_
 	struct cgroup *cgrp = kn->priv;
 	int ret;
 
+	/* do not accept '\n' to prevent making /proc/<pid>/cgroup unparsable */
+	if (strchr(new_name_str, '\n'))
+		return -EINVAL;
+
 	if (kernfs_type(kn) != KERNFS_DIR)
 		return -ENOTDIR;
 	if (kn->parent != new_parent)



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 080/173] ftrace: Do not blindly read the ip address in ftrace_bug()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 079/173] cgroup1: dont allow \n in renaming Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 081/173] tracing: Correct the length check which causes memory corruption Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark-PK Tsai, Steven Rostedt (VMware)

From: Steven Rostedt (VMware) <rostedt@goodmis.org>

commit 6c14133d2d3f768e0a35128faac8aa6ed4815051 upstream.

It was reported that a bug on arm64 caused a bad ip address to be used for
updating into a nop in ftrace_init(), but the error path (rightfully)
returned -EINVAL and not -EFAULT, as the bug caused more than one error to
occur. But because -EINVAL was returned, the ftrace_bug() tried to report
what was at the location of the ip address, and read it directly. This
caused the machine to panic, as the ip was not pointing to a valid memory
address.

Instead, read the ip address with copy_from_kernel_nofault() to safely
access the memory, and if it faults, report that the address faulted,
otherwise report what was in that location.

Link: https://lore.kernel.org/lkml/20210607032329.28671-1-mark-pk.tsai@mediatek.com/

Cc: stable@vger.kernel.org
Fixes: 05736a427f7e1 ("ftrace: warn on failure to disable mcount callers")
Reported-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
Tested-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/ftrace.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1967,12 +1967,18 @@ static int ftrace_hash_ipmodify_update(s
 
 static void print_ip_ins(const char *fmt, const unsigned char *p)
 {
+	char ins[MCOUNT_INSN_SIZE];
 	int i;
 
+	if (copy_from_kernel_nofault(ins, p, MCOUNT_INSN_SIZE)) {
+		printk(KERN_CONT "%s[FAULT] %px\n", fmt, p);
+		return;
+	}
+
 	printk(KERN_CONT "%s", fmt);
 
 	for (i = 0; i < MCOUNT_INSN_SIZE; i++)
-		printk(KERN_CONT "%s%02x", i ? ":" : "", p[i]);
+		printk(KERN_CONT "%s%02x", i ? ":" : "", ins[i]);
 }
 
 enum ftrace_bug_type ftrace_bug_type;



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 081/173] tracing: Correct the length check which causes memory corruption
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 080/173] ftrace: Do not blindly read the ip address in ftrace_bug() Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 082/173] tools/bootconfig: Fix a build error accroding to undefined fallthrough Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Xunlei Pang, yinbinbin,
	Wetp Zhang, James Wang, Liangyan, Steven Rostedt (VMware)

From: Liangyan <liangyan.peng@linux.alibaba.com>

commit 3e08a9f9760f4a70d633c328a76408e62d6f80a3 upstream.

We've suffered from severe kernel crashes due to memory corruption on
our production environment, like,

Call Trace:
[1640542.554277] general protection fault: 0000 [#1] SMP PTI
[1640542.554856] CPU: 17 PID: 26996 Comm: python Kdump: loaded Tainted:G
[1640542.556629] RIP: 0010:kmem_cache_alloc+0x90/0x190
[1640542.559074] RSP: 0018:ffffb16faa597df8 EFLAGS: 00010286
[1640542.559587] RAX: 0000000000000000 RBX: 0000000000400200 RCX:
0000000006e931bf
[1640542.560323] RDX: 0000000006e931be RSI: 0000000000400200 RDI:
ffff9a45ff004300
[1640542.560996] RBP: 0000000000400200 R08: 0000000000023420 R09:
0000000000000000
[1640542.561670] R10: 0000000000000000 R11: 0000000000000000 R12:
ffffffff9a20608d
[1640542.562366] R13: ffff9a45ff004300 R14: ffff9a45ff004300 R15:
696c662f65636976
[1640542.563128] FS:  00007f45d7c6f740(0000) GS:ffff9a45ff840000(0000)
knlGS:0000000000000000
[1640542.563937] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1640542.564557] CR2: 00007f45d71311a0 CR3: 000000189d63e004 CR4:
00000000003606e0
[1640542.565279] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[1640542.566069] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[1640542.566742] Call Trace:
[1640542.567009]  anon_vma_clone+0x5d/0x170
[1640542.567417]  __split_vma+0x91/0x1a0
[1640542.567777]  do_munmap+0x2c6/0x320
[1640542.568128]  vm_munmap+0x54/0x70
[1640542.569990]  __x64_sys_munmap+0x22/0x30
[1640542.572005]  do_syscall_64+0x5b/0x1b0
[1640542.573724]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[1640542.575642] RIP: 0033:0x7f45d6e61e27

James Wang has reproduced it stably on the latest 4.19 LTS.
After some debugging, we finally proved that it's due to ftrace
buffer out-of-bound access using a debug tool as follows:
[   86.775200] BUG: Out-of-bounds write at addr 0xffff88aefe8b7000
[   86.780806]  no_context+0xdf/0x3c0
[   86.784327]  __do_page_fault+0x252/0x470
[   86.788367]  do_page_fault+0x32/0x140
[   86.792145]  page_fault+0x1e/0x30
[   86.795576]  strncpy_from_unsafe+0x66/0xb0
[   86.799789]  fetch_memory_string+0x25/0x40
[   86.804002]  fetch_deref_string+0x51/0x60
[   86.808134]  kprobe_trace_func+0x32d/0x3a0
[   86.812347]  kprobe_dispatcher+0x45/0x50
[   86.816385]  kprobe_ftrace_handler+0x90/0xf0
[   86.820779]  ftrace_ops_assist_func+0xa1/0x140
[   86.825340]  0xffffffffc00750bf
[   86.828603]  do_sys_open+0x5/0x1f0
[   86.832124]  do_syscall_64+0x5b/0x1b0
[   86.835900]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

commit b220c049d519 ("tracing: Check length before giving out
the filter buffer") adds length check to protect trace data
overflow introduced in 0fc1b09ff1ff, seems that this fix can't prevent
overflow entirely, the length check should also take the sizeof
entry->array[0] into account, since this array[0] is filled the
length of trace data and occupy addtional space and risk overflow.

Link: https://lkml.kernel.org/r/20210607125734.1770447-1-liangyan.peng@linux.alibaba.com

Cc: stable@vger.kernel.org
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Xunlei Pang <xlpang@linux.alibaba.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fixes: b220c049d519 ("tracing: Check length before giving out the filter buffer")
Reviewed-by: Xunlei Pang <xlpang@linux.alibaba.com>
Reviewed-by: yinbinbin <yinbinbin@alibabacloud.com>
Reviewed-by: Wetp Zhang <wetp.zy@linux.alibaba.com>
Tested-by: James Wang <jnwang@linux.alibaba.com>
Signed-off-by: Liangyan <liangyan.peng@linux.alibaba.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/trace.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -2735,7 +2735,7 @@ trace_event_buffer_lock_reserve(struct t
 	    (entry = this_cpu_read(trace_buffered_event))) {
 		/* Try to use the per cpu buffer first */
 		val = this_cpu_inc_return(trace_buffered_event_cnt);
-		if ((len < (PAGE_SIZE - sizeof(*entry))) && val == 1) {
+		if ((len < (PAGE_SIZE - sizeof(*entry) - sizeof(entry->array[0]))) && val == 1) {
 			trace_event_setup(entry, type, trace_ctx);
 			entry->array[0] = len;
 			return entry;



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 082/173] tools/bootconfig: Fix a build error accroding to undefined fallthrough
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 081/173] tracing: Correct the length check which causes memory corruption Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 083/173] mmc: renesas_sdhi: abort tuning when timeout detected Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Masami Hiramatsu,
	Steven Rostedt (VMware)

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 824afd55e95c3cb12c55d297a0ae408be1779cc8 upstream.

Since the "fallthrough" is defined only in the kernel, building
lib/bootconfig.c as a part of user-space tools causes a build
error.

Add a dummy fallthrough to avoid the build error.

Link: https://lkml.kernel.org/r/162087519356.442660.11385099982318160180.stgit@devnote2

Cc: Ingo Molnar <mingo@kernel.org>
Cc: stable@vger.kernel.org
Fixes: 4c1ca831adb1 ("Revert "lib: Revert use of fallthrough pseudo-keyword in lib/"")
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/bootconfig/include/linux/bootconfig.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tools/bootconfig/include/linux/bootconfig.h b/tools/bootconfig/include/linux/bootconfig.h
index 078cbd2ba651..de7f30f99af3 100644
--- a/tools/bootconfig/include/linux/bootconfig.h
+++ b/tools/bootconfig/include/linux/bootconfig.h
@@ -4,4 +4,8 @@
 
 #include "../../../../include/linux/bootconfig.h"
 
+#ifndef fallthrough
+# define fallthrough
+#endif
+
 #endif
-- 
2.32.0




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 083/173] mmc: renesas_sdhi: abort tuning when timeout detected
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 082/173] tools/bootconfig: Fix a build error accroding to undefined fallthrough Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 084/173] mmc: renesas_sdhi: Fix HS400 on R-Car M3-W+ Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wolfram Sang, Niklas Söderlund,
	Yoshihiro Shimoda, Ulf Hansson

From: Wolfram Sang <wsa+renesas@sang-engineering.com>

commit 2c9017d0b5d3fbf17e69577a42d9e610ca122810 upstream.

We have to bring the eMMC from sending-data state back to transfer state
once we detected a CRC error (timeout) during tuning. So, send a stop
command via mmc_abort_tuning().

Fixes: 4f11997773b6 ("mmc: tmio: Add tuning support")
Reported-by Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Link: https://lore.kernel.org/r/20210602073435.5955-1-wsa+renesas@sang-engineering.com
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/renesas_sdhi_core.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/mmc/host/renesas_sdhi_core.c
+++ b/drivers/mmc/host/renesas_sdhi_core.c
@@ -679,14 +679,19 @@ static int renesas_sdhi_execute_tuning(s
 
 	/* Issue CMD19 twice for each tap */
 	for (i = 0; i < 2 * priv->tap_num; i++) {
+		int cmd_error;
+
 		/* Set sampling clock position */
 		sd_scc_write32(host, priv, SH_MOBILE_SDHI_SCC_TAPSET, i % priv->tap_num);
 
-		if (mmc_send_tuning(mmc, opcode, NULL) == 0)
+		if (mmc_send_tuning(mmc, opcode, &cmd_error) == 0)
 			set_bit(i, priv->taps);
 
 		if (sd_scc_read32(host, priv, SH_MOBILE_SDHI_SCC_SMPCMP) == 0)
 			set_bit(i, priv->smpcmp);
+
+		if (cmd_error)
+			mmc_abort_tuning(mmc, opcode);
 	}
 
 	ret = renesas_sdhi_select_tuning(host);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 084/173] mmc: renesas_sdhi: Fix HS400 on R-Car M3-W+
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 083/173] mmc: renesas_sdhi: abort tuning when timeout detected Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 085/173] USB: f_ncm: ncm_bitrate (speed) is unsigned Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Wolfram Sang,
	Niklas Söderlund, Yoshihiro Shimoda, Ulf Hansson

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit 6687cd72aa9112a454a4646986e0402dd1b07d0e upstream.

R-Car M3-W ES3.0 is marketed as R-Car M3-W+ (R8A77961), and has its own
compatible value "renesas,r8a77961".

Hence using soc_device_match() with soc_id = "r8a7796" and revision =
"ES3.*" does not actually match running on an R-Car M3-W+ SoC.

Fix this by matching with soc_id = "r8a77961" instead.

Fixes: a38c078fea0b1393 ("mmc: renesas_sdhi: Avoid bad TAP in HS400")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Link: https://lore.kernel.org/r/ee8af5d631f5331139ffea714539030d97352e93.1622811525.git.geert+renesas@glider.be
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/renesas_sdhi_core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mmc/host/renesas_sdhi_core.c
+++ b/drivers/mmc/host/renesas_sdhi_core.c
@@ -931,7 +931,7 @@ static const struct soc_device_attribute
 	{ .soc_id = "r8a7795", .revision = "ES3.*", .data = &sdhi_quirks_bad_taps2367 },
 	{ .soc_id = "r8a7796", .revision = "ES1.[012]", .data = &sdhi_quirks_4tap_nohs400 },
 	{ .soc_id = "r8a7796", .revision = "ES1.*", .data = &sdhi_quirks_r8a7796_es13 },
-	{ .soc_id = "r8a7796", .revision = "ES3.*", .data = &sdhi_quirks_bad_taps1357 },
+	{ .soc_id = "r8a77961", .data = &sdhi_quirks_bad_taps1357 },
 	{ .soc_id = "r8a77965", .data = &sdhi_quirks_r8a77965 },
 	{ .soc_id = "r8a77980", .data = &sdhi_quirks_nohs400 },
 	{ .soc_id = "r8a77990", .data = &sdhi_quirks_r8a77990 },



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 085/173] USB: f_ncm: ncm_bitrate (speed) is unsigned
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 084/173] mmc: renesas_sdhi: Fix HS400 on R-Car M3-W+ Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 086/173] usb: f_ncm: only first packet of aggregate needs to start timer Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brooke Basile, Bryan ODonoghue,
	Felipe Balbi, Lorenzo Colitti, Yauheni Kaliuta,
	Linux USB Mailing List, Maciej Żenczykowski

From: Maciej Żenczykowski <maze@google.com>

commit 3370139745853f7826895293e8ac3aec1430508e upstream.

[  190.544755] configfs-gadget gadget: notify speed -44967296

This is because 4250000000 - 2**32 is -44967296.

Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added")
Cc: Brooke Basile <brookebasile@gmail.com>
Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Felipe Balbi <balbi@kernel.org>
Cc: Lorenzo Colitti <lorenzo@google.com>
Cc: Yauheni Kaliuta <yauheni.kaliuta@nokia.com>
Cc: Linux USB Mailing List <linux-usb@vger.kernel.org>
Acked-By: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210608005344.3762668-1-zenczykowski@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_ncm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/function/f_ncm.c
+++ b/drivers/usb/gadget/function/f_ncm.c
@@ -583,7 +583,7 @@ static void ncm_do_notify(struct f_ncm *
 		data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
 		data[1] = data[0];
 
-		DBG(cdev, "notify speed %d\n", ncm_bitrate(cdev->gadget));
+		DBG(cdev, "notify speed %u\n", ncm_bitrate(cdev->gadget));
 		ncm->notify_state = NCM_NOTIFY_CONNECT;
 		break;
 	}



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 086/173] usb: f_ncm: only first packet of aggregate needs to start timer
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 085/173] USB: f_ncm: ncm_bitrate (speed) is unsigned Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:26 ` [PATCH 5.12 087/173] usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brooke Basile, Bryan ODonoghue,
	Felipe Balbi, Lorenzo Colitti, Maciej Żenczykowski

From: Maciej Żenczykowski <maze@google.com>

commit 1958ff5ad2d4908b44a72bcf564dfe67c981e7fe upstream.

The reasoning for this change is that if we already had
a packet pending, then we also already had a pending timer,
and as such there is no need to reschedule it.

This also prevents packets getting delayed 60 ms worst case
under a tiny packet every 290us transmit load, by keeping the
timeout always relative to the first queued up packet.
(300us delay * 16KB max aggregation / 80 byte packet =~ 60 ms)

As such the first packet is now at most delayed by 300us.

Under low transmit load, this will simply result in us sending
a shorter aggregate, as originally intended.

This patch has the benefit of greatly reducing (by ~10 factor
with 1500 byte frames aggregated into 16 kiB) the number of
(potentially pretty costly) updates to the hrtimer.

Cc: Brooke Basile <brookebasile@gmail.com>
Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Felipe Balbi <balbi@kernel.org>
Cc: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Link: https://lore.kernel.org/r/20210608085438.813960-1-zenczykowski@gmail.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_ncm.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/usb/gadget/function/f_ncm.c
+++ b/drivers/usb/gadget/function/f_ncm.c
@@ -1101,11 +1101,11 @@ static struct sk_buff *ncm_wrap_ntb(stru
 			ncm->ndp_dgram_count = 1;
 
 			/* Note: we skip opts->next_ndp_index */
-		}
 
-		/* Delay the timer. */
-		hrtimer_start(&ncm->task_timer, TX_TIMEOUT_NSECS,
-			      HRTIMER_MODE_REL_SOFT);
+			/* Start the timer. */
+			hrtimer_start(&ncm->task_timer, TX_TIMEOUT_NSECS,
+				      HRTIMER_MODE_REL_SOFT);
+		}
 
 		/* Add the datagram position entries */
 		ntb_ndp = skb_put_zero(ncm->skb_tx_ndp, dgram_idx_len);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 087/173] usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 086/173] usb: f_ncm: only first packet of aggregate needs to start timer Greg Kroah-Hartman
@ 2021-06-14 10:26 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 088/173] usb: dwc3-meson-g12a: fix usb2 PHY glue init when phy0 is disabled Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Kyle Tso

From: Kyle Tso <kyletso@google.com>

commit 6490fa565534fa83593278267785a694fd378a2b upstream.

Current timer PD_T_SINK_WAIT_CAP is set to 240ms which will violate the
SinkWaitCapTimer (tTypeCSinkWaitCap 310 - 620 ms) defined in the PD
Spec if the port is faster enough when running the state machine. Set it
to the lower bound 310ms to ensure the timeout is in Spec.

Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Kyle Tso <kyletso@google.com>
Link: https://lore.kernel.org/r/20210528081613.730661-1-kyletso@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/usb/pd.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/usb/pd.h
+++ b/include/linux/usb/pd.h
@@ -460,7 +460,7 @@ static inline unsigned int rdo_max_power
 #define PD_T_RECEIVER_RESPONSE	15	/* 15ms max */
 #define PD_T_SOURCE_ACTIVITY	45
 #define PD_T_SINK_ACTIVITY	135
-#define PD_T_SINK_WAIT_CAP	240
+#define PD_T_SINK_WAIT_CAP	310	/* 310 - 620 ms */
 #define PD_T_PS_TRANSITION	500
 #define PD_T_SRC_TRANSITION	35
 #define PD_T_DRP_SNK		40



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 088/173] usb: dwc3-meson-g12a: fix usb2 PHY glue init when phy0 is disabled
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2021-06-14 10:26 ` [PATCH 5.12 087/173] usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 089/173] usb: dwc3: meson-g12a: Disable the regulator in the error handling path of the probe Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Blumenstingl, Neil Armstrong

From: Neil Armstrong <narmstrong@baylibre.com>

commit 4d2aa178d2ad2fb156711113790dde13e9aa2376 upstream.

When only PHY1 is used (for example on Odroid-HC4), the regmap init code
uses the usb2 ports when doesn't initialize the PHY1 regmap entry.

This fixes:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
...
pc : regmap_update_bits_base+0x40/0xa0
lr : dwc3_meson_g12a_usb2_init_phy+0x4c/0xf8
...
Call trace:
regmap_update_bits_base+0x40/0xa0
dwc3_meson_g12a_usb2_init_phy+0x4c/0xf8
dwc3_meson_g12a_usb2_init+0x7c/0xc8
dwc3_meson_g12a_usb_init+0x28/0x48
dwc3_meson_g12a_probe+0x298/0x540
platform_probe+0x70/0xe0
really_probe+0xf0/0x4d8
driver_probe_device+0xfc/0x168
...

Fixes: 013af227f58a97 ("usb: dwc3: meson-g12a: handle the phy and glue registers separately")
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210601084830.260196-1-narmstrong@baylibre.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/dwc3-meson-g12a.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/usb/dwc3/dwc3-meson-g12a.c
+++ b/drivers/usb/dwc3/dwc3-meson-g12a.c
@@ -651,7 +651,7 @@ static int dwc3_meson_g12a_setup_regmaps
 		return PTR_ERR(priv->usb_glue_regmap);
 
 	/* Create a regmap for each USB2 PHY control register set */
-	for (i = 0; i < priv->usb2_ports; i++) {
+	for (i = 0; i < priv->drvdata->num_phys; i++) {
 		struct regmap_config u2p_regmap_config = {
 			.reg_bits = 8,
 			.val_bits = 32,
@@ -659,6 +659,9 @@ static int dwc3_meson_g12a_setup_regmaps
 			.max_register = U2P_R1,
 		};
 
+		if (!strstr(priv->drvdata->phy_names[i], "usb2"))
+			continue;
+
 		u2p_regmap_config.name = devm_kasprintf(priv->dev, GFP_KERNEL,
 							"u2p-%d", i);
 		if (!u2p_regmap_config.name)



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 089/173] usb: dwc3: meson-g12a: Disable the regulator in the error handling path of the probe
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 088/173] usb: dwc3-meson-g12a: fix usb2 PHY glue init when phy0 is disabled Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 090/173] usb: dwc3: gadget: Bail from dwc3_gadget_exit() if dwc->gadget is NULL Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Blumenstingl, Neil Armstrong,
	Christophe JAILLET

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit 1d0d3d818eafe1963ec1eaf302175cd14938188e upstream.

If an error occurs after a successful 'regulator_enable()' call,
'regulator_disable()' must be called.

Fix the error handling path of the probe accordingly.

The remove function doesn't need to be fixed, because the
'regulator_disable()' call is already hidden in 'dwc3_meson_g12a_suspend()'
which is called via 'pm_runtime_set_suspended()' in the remove function.

Fixes: c99993376f72 ("usb: dwc3: Add Amlogic G12A DWC3 glue")
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Acked-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/79df054046224bbb0716a8c5c2082650290eec86.1621616013.git.christophe.jaillet@wanadoo.fr
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/dwc3-meson-g12a.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/usb/dwc3/dwc3-meson-g12a.c
+++ b/drivers/usb/dwc3/dwc3-meson-g12a.c
@@ -775,13 +775,13 @@ static int dwc3_meson_g12a_probe(struct
 
 	ret = priv->drvdata->usb_init(priv);
 	if (ret)
-		goto err_disable_clks;
+		goto err_disable_regulator;
 
 	/* Init PHYs */
 	for (i = 0 ; i < PHY_COUNT ; ++i) {
 		ret = phy_init(priv->phys[i]);
 		if (ret)
-			goto err_disable_clks;
+			goto err_disable_regulator;
 	}
 
 	/* Set PHY Power */
@@ -819,6 +819,10 @@ err_phys_exit:
 	for (i = 0 ; i < PHY_COUNT ; ++i)
 		phy_exit(priv->phys[i]);
 
+err_disable_regulator:
+	if (priv->vbus)
+		regulator_disable(priv->vbus);
+
 err_disable_clks:
 	clk_bulk_disable_unprepare(priv->drvdata->num_clks,
 				   priv->drvdata->clks);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 090/173] usb: dwc3: gadget: Bail from dwc3_gadget_exit() if dwc->gadget is NULL
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 089/173] usb: dwc3: meson-g12a: Disable the regulator in the error handling path of the probe Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 091/173] usb: dwc3: debugfs: Add and remove endpoint dirs dynamically Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Chen, Jack Pham

From: Jack Pham <jackp@codeaurora.org>

commit 03715ea2e3dbbc56947137ce3b4ac18a726b2f87 upstream.

There exists a possible scenario in which dwc3_gadget_init() can fail:
during during host -> peripheral mode switch in dwc3_set_mode(), and
a pending gadget driver fails to bind.  Then, if the DRD undergoes
another mode switch from peripheral->host the resulting
dwc3_gadget_exit() will attempt to reference an invalid and dangling
dwc->gadget pointer as well as call dma_free_coherent() on unmapped
DMA pointers.

The exact scenario can be reproduced as follows:
 - Start DWC3 in peripheral mode
 - Configure ConfigFS gadget with FunctionFS instance (or use g_ffs)
 - Run FunctionFS userspace application (open EPs, write descriptors, etc)
 - Bind gadget driver to DWC3's UDC
 - Switch DWC3 to host mode
   => dwc3_gadget_exit() is called. usb_del_gadget() will put the
	ConfigFS driver instance on the gadget_driver_pending_list
 - Stop FunctionFS application (closes the ep files)
 - Switch DWC3 to peripheral mode
   => dwc3_gadget_init() fails as usb_add_gadget() calls
	check_pending_gadget_drivers() and attempts to rebind the UDC
	to the ConfigFS gadget but fails with -19 (-ENODEV) because the
	FFS instance is not in FFS_ACTIVE state (userspace has not
	re-opened and written the descriptors yet, i.e. desc_ready!=0).
 - Switch DWC3 back to host mode
   => dwc3_gadget_exit() is called again, but this time dwc->gadget
	is invalid.

Although it can be argued that userspace should take responsibility
for ensuring that the FunctionFS application be ready prior to
allowing the composite driver bind to the UDC, failure to do so
should not result in a panic from the kernel driver.

Fix this by setting dwc->gadget to NULL in the failure path of
dwc3_gadget_init() and add a check to dwc3_gadget_exit() to bail out
unless the gadget pointer is valid.

Fixes: e81a7018d93a ("usb: dwc3: allocate gadget structure dynamically")
Cc: <stable@vger.kernel.org>
Reviewed-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Jack Pham <jackp@codeaurora.org>
Link: https://lore.kernel.org/r/20210528160405.17550-1-jackp@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/gadget.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -4012,6 +4012,7 @@ err5:
 	dwc3_gadget_free_endpoints(dwc);
 err4:
 	usb_put_gadget(dwc->gadget);
+	dwc->gadget = NULL;
 err3:
 	dma_free_coherent(dwc->sysdev, DWC3_BOUNCE_SIZE, dwc->bounce,
 			dwc->bounce_addr);
@@ -4031,6 +4032,9 @@ err0:
 
 void dwc3_gadget_exit(struct dwc3 *dwc)
 {
+	if (!dwc->gadget)
+		return;
+
 	usb_del_gadget(dwc->gadget);
 	dwc3_gadget_free_endpoints(dwc);
 	usb_put_gadget(dwc->gadget);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 091/173] usb: dwc3: debugfs: Add and remove endpoint dirs dynamically
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 090/173] usb: dwc3: gadget: Bail from dwc3_gadget_exit() if dwc->gadget is NULL Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 092/173] usb: dwc3: ep0: fix NULL pointer exception Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Chen, Jack Pham

From: Jack Pham <jackp@codeaurora.org>

commit 8d396bb0a5b62b326f6be7594d8bd46b088296bd upstream.

The DWC3 DebugFS directory and files are currently created once
during probe.  This includes creation of subdirectories for each
of the gadget's endpoints.  This works fine for peripheral-only
controllers, as dwc3_core_init_mode() calls dwc3_gadget_init()
just prior to calling dwc3_debugfs_init().

However, for dual-role controllers, dwc3_core_init_mode() will
instead call dwc3_drd_init() which is problematic in a few ways.
First, the initial state must be determined, then dwc3_set_mode()
will have to schedule drd_work and by then dwc3_debugfs_init()
could have already been invoked.  Even if the initial mode is
peripheral, dwc3_gadget_init() happens after the DebugFS files
are created, and worse so if the initial state is host and the
controller switches to peripheral much later.  And secondly,
even if the gadget endpoints' debug entries were successfully
created, if the controller exits peripheral mode, its dwc3_eps
are freed so the debug files would now hold stale references.

So it is best if the DebugFS endpoint entries are created and
removed dynamically at the same time the underlying dwc3_eps are.
Do this by calling dwc3_debugfs_create_endpoint_dir() as each
endpoint is created, and conversely remove the DebugFS entry when
the endpoint is freed.

Fixes: 41ce1456e1db ("usb: dwc3: core: make dwc3_set_mode() work properly")
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Jack Pham <jackp@codeaurora.org>
Link: https://lore.kernel.org/r/20210529192932.22912-1-jackp@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/debug.h   |    3 +++
 drivers/usb/dwc3/debugfs.c |   21 ++-------------------
 drivers/usb/dwc3/gadget.c  |    3 +++
 3 files changed, 8 insertions(+), 19 deletions(-)

--- a/drivers/usb/dwc3/debug.h
+++ b/drivers/usb/dwc3/debug.h
@@ -413,9 +413,12 @@ static inline const char *dwc3_gadget_ge
 
 
 #ifdef CONFIG_DEBUG_FS
+extern void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep);
 extern void dwc3_debugfs_init(struct dwc3 *d);
 extern void dwc3_debugfs_exit(struct dwc3 *d);
 #else
+static inline void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep)
+{  }
 static inline void dwc3_debugfs_init(struct dwc3 *d)
 {  }
 static inline void dwc3_debugfs_exit(struct dwc3 *d)
--- a/drivers/usb/dwc3/debugfs.c
+++ b/drivers/usb/dwc3/debugfs.c
@@ -890,30 +890,14 @@ static void dwc3_debugfs_create_endpoint
 	}
 }
 
-static void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep,
-		struct dentry *parent)
+void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep)
 {
 	struct dentry		*dir;
 
-	dir = debugfs_create_dir(dep->name, parent);
+	dir = debugfs_create_dir(dep->name, dep->dwc->root);
 	dwc3_debugfs_create_endpoint_files(dep, dir);
 }
 
-static void dwc3_debugfs_create_endpoint_dirs(struct dwc3 *dwc,
-		struct dentry *parent)
-{
-	int			i;
-
-	for (i = 0; i < dwc->num_eps; i++) {
-		struct dwc3_ep	*dep = dwc->eps[i];
-
-		if (!dep)
-			continue;
-
-		dwc3_debugfs_create_endpoint_dir(dep, parent);
-	}
-}
-
 void dwc3_debugfs_init(struct dwc3 *dwc)
 {
 	struct dentry		*root;
@@ -944,7 +928,6 @@ void dwc3_debugfs_init(struct dwc3 *dwc)
 				&dwc3_testmode_fops);
 		debugfs_create_file("link_state", 0644, root, dwc,
 				    &dwc3_link_state_fops);
-		dwc3_debugfs_create_endpoint_dirs(dwc, root);
 	}
 }
 
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2720,6 +2720,8 @@ static int dwc3_gadget_init_endpoint(str
 	INIT_LIST_HEAD(&dep->started_list);
 	INIT_LIST_HEAD(&dep->cancelled_list);
 
+	dwc3_debugfs_create_endpoint_dir(dep);
+
 	return 0;
 }
 
@@ -2763,6 +2765,7 @@ static void dwc3_gadget_free_endpoints(s
 			list_del(&dep->endpoint.ep_list);
 		}
 
+		debugfs_remove_recursive(debugfs_lookup(dep->name, dwc->root));
 		kfree(dep);
 	}
 }



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 092/173] usb: dwc3: ep0: fix NULL pointer exception
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 091/173] usb: dwc3: debugfs: Add and remove endpoint dirs dynamically Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 093/173] usb: pci-quirks: disable D3cold on xhci suspend for s2idle on AMD Renoir Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marian-Cristian Rotariu

From: Marian-Cristian Rotariu <marian.c.rotariu@gmail.com>

commit d00889080ab60051627dab1d85831cd9db750e2a upstream.

There is no validation of the index from dwc3_wIndex_to_dep() and we might
be referring a non-existing ep and trigger a NULL pointer exception. In
certain configurations we might use fewer eps and the index might wrongly
indicate a larger ep index than existing.

By adding this validation from the patch we can actually report a wrong
index back to the caller.

In our usecase we are using a composite device on an older kernel, but
upstream might use this fix also. Unfortunately, I cannot describe the
hardware for others to reproduce the issue as it is a proprietary
implementation.

[   82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4
[   82.966891] Mem abort info:
[   82.969663]   ESR = 0x96000006
[   82.972703]   Exception class = DABT (current EL), IL = 32 bits
[   82.978603]   SET = 0, FnV = 0
[   82.981642]   EA = 0, S1PTW = 0
[   82.984765] Data abort info:
[   82.987631]   ISV = 0, ISS = 0x00000006
[   82.991449]   CM = 0, WnR = 0
[   82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc
[   83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000
[   83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[   83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c)
[   83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1
[   83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO)
[   83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c
[   83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94

...

[   83.141788] Call trace:
[   83.144227]  dwc3_ep0_handle_feature+0x414/0x43c
[   83.148823]  dwc3_ep0_interrupt+0x3b4/0xc94
[   83.181546] ---[ end trace aac6b5267d84c32f ]---

Signed-off-by: Marian-Cristian Rotariu <marian.c.rotariu@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210608162650.58426-1-marian.c.rotariu@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/ep0.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/dwc3/ep0.c
+++ b/drivers/usb/dwc3/ep0.c
@@ -292,6 +292,9 @@ static struct dwc3_ep *dwc3_wIndex_to_de
 		epnum |= 1;
 
 	dep = dwc->eps[epnum];
+	if (dep == NULL)
+		return NULL;
+
 	if (dep->flags & DWC3_EP_ENABLED)
 		return dep;
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 093/173] usb: pci-quirks: disable D3cold on xhci suspend for s2idle on AMD Renoir
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 092/173] usb: dwc3: ep0: fix NULL pointer exception Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 094/173] usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Prike Liang, Mario Limonciello

From: Mario Limonciello <mario.limonciello@amd.com>

commit d1658268e43980c071dbffc3d894f6f6c4b6732a upstream.

The XHCI controller is required to enter D3hot rather than D3cold for AMD
s2idle on this hardware generation.

Otherwise, the 'Controller Not Ready' (CNR) bit is not being cleared by
host in resume and eventually this results in xhci resume failures during
the s2idle wakeup.

Link: https://lore.kernel.org/linux-usb/1612527609-7053-1-git-send-email-Prike.Liang@amd.com/
Suggested-by: Prike Liang <Prike.Liang@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Cc: stable <stable@vger.kernel.org> # 5.11+
Link: https://lore.kernel.org/r/20210527154534.8900-1-mario.limonciello@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci-pci.c |    7 ++++++-
 drivers/usb/host/xhci.h     |    1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -59,6 +59,7 @@
 #define PCI_DEVICE_ID_INTEL_MAPLE_RIDGE_XHCI		0x1138
 #define PCI_DEVICE_ID_INTEL_ALDER_LAKE_XHCI		0x461e
 
+#define PCI_DEVICE_ID_AMD_RENOIR_XHCI			0x1639
 #define PCI_DEVICE_ID_AMD_PROMONTORYA_4			0x43b9
 #define PCI_DEVICE_ID_AMD_PROMONTORYA_3			0x43ba
 #define PCI_DEVICE_ID_AMD_PROMONTORYA_2			0x43bb
@@ -182,6 +183,10 @@ static void xhci_pci_quirks(struct devic
 		(pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_1)))
 		xhci->quirks |= XHCI_U2_DISABLE_WAKE;
 
+	if (pdev->vendor == PCI_VENDOR_ID_AMD &&
+		pdev->device == PCI_DEVICE_ID_AMD_RENOIR_XHCI)
+		xhci->quirks |= XHCI_BROKEN_D3COLD;
+
 	if (pdev->vendor == PCI_VENDOR_ID_INTEL) {
 		xhci->quirks |= XHCI_LPM_SUPPORT;
 		xhci->quirks |= XHCI_INTEL_HOST;
@@ -539,7 +544,7 @@ static int xhci_pci_suspend(struct usb_h
 	 * Systems with the TI redriver that loses port status change events
 	 * need to have the registers polled during D3, so avoid D3cold.
 	 */
-	if (xhci->quirks & XHCI_COMP_MODE_QUIRK)
+	if (xhci->quirks & (XHCI_COMP_MODE_QUIRK | XHCI_BROKEN_D3COLD))
 		pci_d3cold_disable(pdev);
 
 	if (xhci->quirks & XHCI_PME_STUCK_QUIRK)
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1892,6 +1892,7 @@ struct xhci_hcd {
 #define XHCI_DISABLE_SPARSE	BIT_ULL(38)
 #define XHCI_SG_TRB_CACHE_SIZE_QUIRK	BIT_ULL(39)
 #define XHCI_NO_SOFT_RETRY	BIT_ULL(40)
+#define XHCI_BROKEN_D3COLD	BIT_ULL(41)
 
 	unsigned int		num_active_eps;
 	unsigned int		limit_active_eps;



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 094/173] usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 093/173] usb: pci-quirks: disable D3cold on xhci suspend for s2idle on AMD Renoir Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 095/173] usb: typec: wcove: Use LE to CPU conversion when accessing msg->header Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexandre Belloni, Drew Fustini,
	Tony Lindgren, Thomas Petazzoni

From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

commit b65ba0c362be665192381cc59e3ac3ef6f0dd1e1 upstream.

In commit 92af4fc6ec33 ("usb: musb: Fix suspend with devices
connected for a64"), the logic to support the
MUSB_QUIRK_B_DISCONNECT_99 quirk was modified to only conditionally
schedule the musb->irq_work delayed work.

This commit badly breaks ECM Gadget on AM335X. Indeed, with this
commit, one can observe massive packet loss:

$ ping 192.168.0.100
...
15 packets transmitted, 3 received, 80% packet loss, time 14316ms

Reverting this commit brings back a properly functioning ECM
Gadget. An analysis of the commit seems to indicate that a mistake was
made: the previous code was not falling through into the
MUSB_QUIRK_B_INVALID_VBUS_91, but now it is, unless the condition is
taken.

Changing the logic to be as it was before the problematic commit *and*
only conditionally scheduling musb->irq_work resolves the regression:

$ ping 192.168.0.100
...
64 packets transmitted, 64 received, 0% packet loss, time 64475ms

Fixes: 92af4fc6ec33 ("usb: musb: Fix suspend with devices connected for a64")
Cc: stable@vger.kernel.org
Tested-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Tested-by: Drew Fustini <drew@beagleboard.org>
Acked-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Link: https://lore.kernel.org/r/20210528140446.278076-1-thomas.petazzoni@bootlin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/musb/musb_core.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/usb/musb/musb_core.c
+++ b/drivers/usb/musb/musb_core.c
@@ -2009,9 +2009,8 @@ static void musb_pm_runtime_check_sessio
 			schedule_delayed_work(&musb->irq_work,
 					      msecs_to_jiffies(1000));
 			musb->quirk_retries--;
-			break;
 		}
-		fallthrough;
+		break;
 	case MUSB_QUIRK_B_INVALID_VBUS_91:
 		if (musb->quirk_retries && !musb->flush_irq_work) {
 			musb_dbg(musb,



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 095/173] usb: typec: wcove: Use LE to CPU conversion when accessing msg->header
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 094/173] usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 096/173] usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Heikki Krogerus,
	Guenter Roeck, Andy Shevchenko

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

commit d5ab95da2a41567440097c277c5771ad13928dad upstream.

As LKP noticed the Sparse is not happy about strict type handling:
   .../typec/tcpm/wcove.c:380:50: sparse:     expected unsigned short [usertype] header
   .../typec/tcpm/wcove.c:380:50: sparse:     got restricted __le16 const [usertype] header

Fix this by switching to use pd_header_cnt_le() instead of pd_header_cnt()
in the affected code.

Fixes: ae8a2ca8a221 ("usb: typec: Group all TCPCI/TCPM code together")
Fixes: 3c4fb9f16921 ("usb: typec: wcove: start using tcpm for USB PD support")
Reported-by: kernel test robot <lkp@intel.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20210609172202.83377-1-andriy.shevchenko@linux.intel.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/wcove.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/typec/tcpm/wcove.c
+++ b/drivers/usb/typec/tcpm/wcove.c
@@ -378,7 +378,7 @@ static int wcove_pd_transmit(struct tcpc
 		const u8 *data = (void *)msg;
 		int i;
 
-		for (i = 0; i < pd_header_cnt(msg->header) * 4 + 2; i++) {
+		for (i = 0; i < pd_header_cnt_le(msg->header) * 4 + 2; i++) {
 			ret = regmap_write(wcove->regmap, USBC_TX_DATA + i,
 					   data[i]);
 			if (ret)



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 096/173] usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 095/173] usb: typec: wcove: Use LE to CPU conversion when accessing msg->header Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 097/173] usb: typec: intel_pmc_mux: Put fwnode in error case during ->probe() Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Heikki Krogerus, Mayank Rana, Jack Pham

From: Mayank Rana <mrana@codeaurora.org>

commit f247f0a82a4f8c3bfed178d8fd9e069d1424ee4e upstream.

If ucsi_init() fails for some reason (e.g. ucsi_register_port()
fails or general communication failure to the PPM), particularly at
any point after the GET_CAPABILITY command had been issued, this
results in unwinding the initialization and returning an error.
However the ucsi structure's ucsi_capability member retains its
current value, including likely a non-zero num_connectors.
And because ucsi_init() itself is done in a workqueue a UCSI
interface driver will be unaware that it failed and may think the
ucsi_register() call was completely successful.  Later, if
ucsi_unregister() is called, due to this stale ucsi->cap value it
would try to access the items in the ucsi->connector array which
might not be in a proper state or not even allocated at all and
results in NULL or invalid pointer dereference.

Fix this by clearing the ucsi->cap value to 0 during the error
path of ucsi_init() in order to prevent a later ucsi_unregister()
from entering the connector cleanup loop.

Fixes: c1b0bc2dabfa ("usb: typec: Add support for UCSI interface")
Cc: stable@vger.kernel.org
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
Signed-off-by: Jack Pham <jackp@codeaurora.org>
Link: https://lore.kernel.org/r/20210609073535.5094-1-jackp@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/ucsi.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -1253,6 +1253,7 @@ err_unregister:
 	}
 
 err_reset:
+	memset(&ucsi->cap, 0, sizeof(ucsi->cap));
 	ucsi_reset_ppm(ucsi);
 err:
 	return ret;



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 097/173] usb: typec: intel_pmc_mux: Put fwnode in error case during ->probe()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 096/173] usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 098/173] usb: typec: intel_pmc_mux: Add missed error check for devm_ioremap_resource() Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Heikki Krogerus, Andy Shevchenko

From: Andy Shevchenko <andy.shevchenko@gmail.com>

commit 1a85b350a7741776a406005b943e3dec02c424ed upstream.

device_get_next_child_node() bumps a reference counting of a returned variable.
We have to balance it whenever we return to the caller.

Fixes: 6701adfa9693 ("usb: typec: driver for Intel PMC mux control")
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210607205007.71458-1-andy.shevchenko@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/mux/intel_pmc_mux.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/typec/mux/intel_pmc_mux.c
+++ b/drivers/usb/typec/mux/intel_pmc_mux.c
@@ -636,8 +636,10 @@ static int pmc_usb_probe(struct platform
 			break;
 
 		ret = pmc_usb_register_port(pmc, i, fwnode);
-		if (ret)
+		if (ret) {
+			fwnode_handle_put(fwnode);
 			goto err_remove_ports;
+		}
 	}
 
 	platform_set_drvdata(pdev, pmc);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 098/173] usb: typec: intel_pmc_mux: Add missed error check for devm_ioremap_resource()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 097/173] usb: typec: intel_pmc_mux: Put fwnode in error case during ->probe() Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 099/173] usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Heikki Krogerus, Andy Shevchenko

From: Andy Shevchenko <andy.shevchenko@gmail.com>

commit 843fabdd7623271330af07f1b7fbd7fabe33c8de upstream.

devm_ioremap_resource() can return an error, add missed check for it.

Fixes: 43d596e32276 ("usb: typec: intel_pmc_mux: Check the port status before connect")
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210607205007.71458-2-andy.shevchenko@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/mux/intel_pmc_mux.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/typec/mux/intel_pmc_mux.c
+++ b/drivers/usb/typec/mux/intel_pmc_mux.c
@@ -586,6 +586,11 @@ static int pmc_usb_probe_iom(struct pmc_
 		return -ENOMEM;
 	}
 
+	if (IS_ERR(pmc->iom_base)) {
+		put_device(&adev->dev);
+		return PTR_ERR(pmc->iom_base);
+	}
+
 	pmc->iom_adev = adev;
 
 	return 0;



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 099/173] usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 098/173] usb: typec: intel_pmc_mux: Add missed error check for devm_ioremap_resource() Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 100/173] USB: serial: ftdi_sio: add NovaTech OrionMX product ID Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wesley Cheng

From: Wesley Cheng <wcheng@codeaurora.org>

commit 6fc1db5e6211e30fbb1cee8d7925d79d4ed2ae14 upstream.

During unbind, ffs_func_eps_disable() will be executed, resulting in
completion callbacks for any pending USB requests.  When using AIO,
irrespective of the completion status, io_data work is queued to
io_completion_wq to evaluate and handle the completed requests.  Since
work runs asynchronously to the unbind() routine, there can be a
scenario where the work runs after the USB gadget has been fully
removed, resulting in accessing of a resource which has been already
freed. (i.e. usb_ep_free_request() accessing the USB ep structure)

Explicitly drain the io_completion_wq, instead of relying on the
destroy_workqueue() (in ffs_data_put()) to make sure no pending
completion work items are running.

Signed-off-by: Wesley Cheng <wcheng@codeaurora.org>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1621644261-1236-1-git-send-email-wcheng@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_fs.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -3567,6 +3567,9 @@ static void ffs_func_unbind(struct usb_c
 		ffs->func = NULL;
 	}
 
+	/* Drain any pending AIO completions */
+	drain_workqueue(ffs->io_completion_wq);
+
 	if (!--opts->refcnt)
 		functionfs_unbind(ffs);
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 100/173] USB: serial: ftdi_sio: add NovaTech OrionMX product ID
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 099/173] usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 101/173] USB: serial: omninet: add device id for Zyxel Omni 56K Plus Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, George McCollister, Johan Hovold

From: George McCollister <george.mccollister@gmail.com>

commit bc96c72df33ee81b24d87eab953c73f7bcc04f29 upstream.

Add PID for the NovaTech OrionMX so it can be automatically detected.

Signed-off-by: George McCollister <george.mccollister@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/ftdi_sio.c     |    1 +
 drivers/usb/serial/ftdi_sio_ids.h |    1 +
 2 files changed, 2 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -611,6 +611,7 @@ static const struct usb_device_id id_tab
 		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
 	{ USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) },
+	{ USB_DEVICE(FTDI_VID, FTDI_NT_ORIONMX_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX2_PID) },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -581,6 +581,7 @@
 #define FTDI_NT_ORIONLXM_PID		0x7c90	/* OrionLXm Substation Automation Platform */
 #define FTDI_NT_ORIONLX_PLUS_PID	0x7c91	/* OrionLX+ Substation Automation Platform */
 #define FTDI_NT_ORION_IO_PID		0x7c92	/* Orion I/O */
+#define FTDI_NT_ORIONMX_PID		0x7c93	/* OrionMX */
 
 /*
  * Synapse Wireless product ids (FTDI_VID)



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 101/173] USB: serial: omninet: add device id for Zyxel Omni 56K Plus
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 100/173] USB: serial: ftdi_sio: add NovaTech OrionMX product ID Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 102/173] USB: serial: quatech2: fix control-request directions Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexandre GRIVEAUX, Johan Hovold

From: Alexandre GRIVEAUX <agriveaux@deutnet.info>

commit fc0b3dc9a11771c3919eaaaf9d649138b095aa0f upstream.

Add device id for Zyxel Omni 56K Plus modem, this modem include:

USB chip:
NetChip
NET2888

Main chip:
901041A
F721501APGF

Another modem using the same chips is the Zyxel Omni 56K DUO/NEO,
could be added with the right USB ID.

Signed-off-by: Alexandre GRIVEAUX <agriveaux@deutnet.info>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/omninet.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/omninet.c
+++ b/drivers/usb/serial/omninet.c
@@ -26,6 +26,7 @@
 
 #define ZYXEL_VENDOR_ID		0x0586
 #define ZYXEL_OMNINET_ID	0x1000
+#define ZYXEL_OMNI_56K_PLUS_ID	0x1500
 /* This one seems to be a re-branded ZyXEL device */
 #define BT_IGNITIONPRO_ID	0x2000
 
@@ -40,6 +41,7 @@ static void omninet_port_remove(struct u
 
 static const struct usb_device_id id_table[] = {
 	{ USB_DEVICE(ZYXEL_VENDOR_ID, ZYXEL_OMNINET_ID) },
+	{ USB_DEVICE(ZYXEL_VENDOR_ID, ZYXEL_OMNI_56K_PLUS_ID) },
 	{ USB_DEVICE(ZYXEL_VENDOR_ID, BT_IGNITIONPRO_ID) },
 	{ }						/* Terminating entry */
 };



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 102/173] USB: serial: quatech2: fix control-request directions
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 101/173] USB: serial: omninet: add device id for Zyxel Omni 56K Plus Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 103/173] USB: serial: cp210x: fix alternate function for CP2102N QFN20 Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit eb8dbe80326c3d44c1e38ee4f40e0d8d3e06f2d0 upstream.

The direction of the pipe argument must match the request-type direction
bit or control requests may fail depending on the host-controller-driver
implementation.

Fix the three requests which erroneously used usb_rcvctrlpipe().

Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
Cc: stable@vger.kernel.org      # 3.5
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/quatech2.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/usb/serial/quatech2.c
+++ b/drivers/usb/serial/quatech2.c
@@ -416,7 +416,7 @@ static void qt2_close(struct usb_serial_
 
 	/* flush the port transmit buffer */
 	i = usb_control_msg(serial->dev,
-			    usb_rcvctrlpipe(serial->dev, 0),
+			    usb_sndctrlpipe(serial->dev, 0),
 			    QT2_FLUSH_DEVICE, 0x40, 1,
 			    port_priv->device_port, NULL, 0, QT2_USB_TIMEOUT);
 
@@ -426,7 +426,7 @@ static void qt2_close(struct usb_serial_
 
 	/* flush the port receive buffer */
 	i = usb_control_msg(serial->dev,
-			    usb_rcvctrlpipe(serial->dev, 0),
+			    usb_sndctrlpipe(serial->dev, 0),
 			    QT2_FLUSH_DEVICE, 0x40, 0,
 			    port_priv->device_port, NULL, 0, QT2_USB_TIMEOUT);
 
@@ -654,7 +654,7 @@ static int qt2_attach(struct usb_serial
 	int status;
 
 	/* power on unit */
-	status = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0),
+	status = usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
 				 0xc2, 0x40, 0x8000, 0, NULL, 0,
 				 QT2_USB_TIMEOUT);
 	if (status < 0) {



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 103/173] USB: serial: cp210x: fix alternate function for CP2102N QFN20
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 102/173] USB: serial: quatech2: fix control-request directions Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 104/173] USB: serial: cp210x: fix CP2102N-A01 modem control Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Stefan Agner, Johan Hovold

From: Stefan Agner <stefan@agner.ch>

commit 6f7ec77cc8b64ff5037c1945e4650c65c458037d upstream.

The QFN20 part has a different GPIO/port function assignment. The
configuration struct bit field ordered as TX/RX/RS485/WAKEUP/CLK
which exactly matches GPIO0-3 for QFN24/28. However, QFN20 has a
different GPIO to primary function assignment.

Special case QFN20 to follow to properly detect which GPIOs are
available.

Signed-off-by: Stefan Agner <stefan@agner.ch>
Link: https://lore.kernel.org/r/51830b2b24118eb0f77c5c9ac64ffb2f519dbb1d.1622218300.git.stefan@agner.ch
Fixes: c8acfe0aadbe ("USB: serial: cp210x: implement GPIO support for CP2102N")
Cc: stable@vger.kernel.org	# 4.19
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/cp210x.c |   20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -537,6 +537,12 @@ struct cp210x_single_port_config {
 #define CP210X_2NCONFIG_GPIO_RSTLATCH_IDX	587
 #define CP210X_2NCONFIG_GPIO_CONTROL_IDX	600
 
+/* CP2102N QFN20 port configuration values */
+#define CP2102N_QFN20_GPIO2_TXLED_MODE		BIT(2)
+#define CP2102N_QFN20_GPIO3_RXLED_MODE		BIT(3)
+#define CP2102N_QFN20_GPIO1_RS485_MODE		BIT(4)
+#define CP2102N_QFN20_GPIO0_CLK_MODE		BIT(6)
+
 /* CP210X_VENDOR_SPECIFIC, CP210X_WRITE_LATCH call writes these 0x2 bytes. */
 struct cp210x_gpio_write {
 	u8	mask;
@@ -1726,7 +1732,19 @@ static int cp2102n_gpioconf_init(struct
 	priv->gpio_pushpull = (gpio_pushpull >> 3) & 0x0f;
 
 	/* 0 indicates GPIO mode, 1 is alternate function */
-	priv->gpio_altfunc = (gpio_ctrl >> 2) & 0x0f;
+	if (priv->partnum == CP210X_PARTNUM_CP2102N_QFN20) {
+		/* QFN20 is special... */
+		if (gpio_ctrl & CP2102N_QFN20_GPIO0_CLK_MODE)   /* GPIO 0 */
+			priv->gpio_altfunc |= BIT(0);
+		if (gpio_ctrl & CP2102N_QFN20_GPIO1_RS485_MODE) /* GPIO 1 */
+			priv->gpio_altfunc |= BIT(1);
+		if (gpio_ctrl & CP2102N_QFN20_GPIO2_TXLED_MODE) /* GPIO 2 */
+			priv->gpio_altfunc |= BIT(2);
+		if (gpio_ctrl & CP2102N_QFN20_GPIO3_RXLED_MODE) /* GPIO 3 */
+			priv->gpio_altfunc |= BIT(3);
+	} else {
+		priv->gpio_altfunc = (gpio_ctrl >> 2) & 0x0f;
+	}
 
 	if (priv->partnum == CP210X_PARTNUM_CP2102N_QFN28) {
 		/*



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 104/173] USB: serial: cp210x: fix CP2102N-A01 modem control
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 103/173] USB: serial: cp210x: fix alternate function for CP2102N QFN20 Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 105/173] usb: cdnsp: Fix deadlock issue in cdnsp_thread_irq_handler Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Frey, Alex Villacís Lasso,
	Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 63a8eef70ccb5199534dec56fed9759d214bfe55 upstream.

CP2102N revision A01 (firmware version <= 1.0.4) has a buggy
flow-control implementation that uses the ulXonLimit instead of
ulFlowReplace field of the flow-control settings structure (erratum
CP2102N_E104).

A recent change that set the input software flow-control limits
incidentally broke RTS control for these devices when CRTSCTS is not set
as the new limits would always enable hardware flow control.

Fix this by explicitly disabling flow control for the buggy firmware
versions and only updating the input software flow-control limits when
IXOFF is requested. This makes sure that the terminal settings matches
the default zero ulXonLimit (ulFlowReplace) for these devices.

Link: https://lore.kernel.org/r/20210609161509.9459-1-johan@kernel.org
Reported-by: David Frey <dpfrey@gmail.com>
Reported-by: Alex Villacís Lasso <a_villacis@palosanto.com>
Tested-by: Alex Villacís Lasso <a_villacis@palosanto.com>
Fixes: f61309d9c96a ("USB: serial: cp210x: set IXOFF thresholds")
Cc: stable@vger.kernel.org      # 5.12
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/cp210x.c |   64 ++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 59 insertions(+), 5 deletions(-)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -252,9 +252,11 @@ struct cp210x_serial_private {
 	u8			gpio_input;
 #endif
 	u8			partnum;
+	u32			fw_version;
 	speed_t			min_speed;
 	speed_t			max_speed;
 	bool			use_actual_rate;
+	bool			no_flow_control;
 };
 
 enum cp210x_event_state {
@@ -398,6 +400,7 @@ struct cp210x_special_chars {
 
 /* CP210X_VENDOR_SPECIFIC values */
 #define CP210X_READ_2NCONFIG	0x000E
+#define CP210X_GET_FW_VER_2N	0x0010
 #define CP210X_READ_LATCH	0x00C2
 #define CP210X_GET_PARTNUM	0x370B
 #define CP210X_GET_PORTCONFIG	0x370C
@@ -1128,6 +1131,7 @@ static bool cp210x_termios_change(const
 static void cp210x_set_flow_control(struct tty_struct *tty,
 		struct usb_serial_port *port, struct ktermios *old_termios)
 {
+	struct cp210x_serial_private *priv = usb_get_serial_data(port->serial);
 	struct cp210x_port_private *port_priv = usb_get_serial_port_data(port);
 	struct cp210x_special_chars chars;
 	struct cp210x_flow_ctl flow_ctl;
@@ -1135,6 +1139,15 @@ static void cp210x_set_flow_control(stru
 	u32 ctl_hs;
 	int ret;
 
+	/*
+	 * Some CP2102N interpret ulXonLimit as ulFlowReplace (erratum
+	 * CP2102N_E104). Report back that flow control is not supported.
+	 */
+	if (priv->no_flow_control) {
+		tty->termios.c_cflag &= ~CRTSCTS;
+		tty->termios.c_iflag &= ~(IXON | IXOFF);
+	}
+
 	if (old_termios &&
 			C_CRTSCTS(tty) == (old_termios->c_cflag & CRTSCTS) &&
 			I_IXON(tty) == (old_termios->c_iflag & IXON) &&
@@ -1191,19 +1204,20 @@ static void cp210x_set_flow_control(stru
 		port_priv->crtscts = false;
 	}
 
-	if (I_IXOFF(tty))
+	if (I_IXOFF(tty)) {
 		flow_repl |= CP210X_SERIAL_AUTO_RECEIVE;
-	else
+
+		flow_ctl.ulXonLimit = cpu_to_le32(128);
+		flow_ctl.ulXoffLimit = cpu_to_le32(128);
+	} else {
 		flow_repl &= ~CP210X_SERIAL_AUTO_RECEIVE;
+	}
 
 	if (I_IXON(tty))
 		flow_repl |= CP210X_SERIAL_AUTO_TRANSMIT;
 	else
 		flow_repl &= ~CP210X_SERIAL_AUTO_TRANSMIT;
 
-	flow_ctl.ulXonLimit = cpu_to_le32(128);
-	flow_ctl.ulXoffLimit = cpu_to_le32(128);
-
 	dev_dbg(&port->dev, "%s - ctrl = 0x%02x, flow = 0x%02x\n", __func__,
 			ctl_hs, flow_repl);
 
@@ -1919,6 +1933,45 @@ static void cp210x_init_max_speed(struct
 	priv->use_actual_rate = use_actual_rate;
 }
 
+static int cp210x_get_fw_version(struct usb_serial *serial, u16 value)
+{
+	struct cp210x_serial_private *priv = usb_get_serial_data(serial);
+	u8 ver[3];
+	int ret;
+
+	ret = cp210x_read_vendor_block(serial, REQTYPE_DEVICE_TO_HOST, value,
+			ver, sizeof(ver));
+	if (ret)
+		return ret;
+
+	dev_dbg(&serial->interface->dev, "%s - %d.%d.%d\n", __func__,
+			ver[0], ver[1], ver[2]);
+
+	priv->fw_version = ver[0] << 16 | ver[1] << 8 | ver[2];
+
+	return 0;
+}
+
+static void cp210x_determine_quirks(struct usb_serial *serial)
+{
+	struct cp210x_serial_private *priv = usb_get_serial_data(serial);
+	int ret;
+
+	switch (priv->partnum) {
+	case CP210X_PARTNUM_CP2102N_QFN28:
+	case CP210X_PARTNUM_CP2102N_QFN24:
+	case CP210X_PARTNUM_CP2102N_QFN20:
+		ret = cp210x_get_fw_version(serial, CP210X_GET_FW_VER_2N);
+		if (ret)
+			break;
+		if (priv->fw_version <= 0x10004)
+			priv->no_flow_control = true;
+		break;
+	default:
+		break;
+	}
+}
+
 static int cp210x_attach(struct usb_serial *serial)
 {
 	int result;
@@ -1939,6 +1992,7 @@ static int cp210x_attach(struct usb_seri
 
 	usb_set_serial_data(serial, priv);
 
+	cp210x_determine_quirks(serial);
 	cp210x_init_max_speed(serial);
 
 	result = cp210x_gpio_init(serial);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 105/173] usb: cdnsp: Fix deadlock issue in cdnsp_thread_irq_handler
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 104/173] USB: serial: cp210x: fix CP2102N-A01 modem control Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 106/173] usb: gadget: eem: fix wrong eem header operation Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pawel Laszczak, Peter Chen

From: Pawel Laszczak <pawell@cadence.com>

commit a9aecef198faae3240921b707bc09b602e966fce upstream.

Patch fixes the following critical issue caused by deadlock which has been
detected during testing NCM class:

smp: csd: Detected non-responsive CSD lock (#1) on CPU#0
smp:     csd: CSD lock (#1) unresponsive.
....
RIP: 0010:native_queued_spin_lock_slowpath+0x61/0x1d0
RSP: 0018:ffffbc494011cde0 EFLAGS: 00000002
RAX: 0000000000000101 RBX: ffff9ee8116b4a68 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9ee8116b4658
RBP: ffffbc494011cde0 R08: 0000000000000001 R09: 0000000000000000
R10: ffff9ee8116b4670 R11: 0000000000000000 R12: ffff9ee8116b4658
R13: ffff9ee8116b4670 R14: 0000000000000246 R15: ffff9ee8116b4658
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7bcc41a830 CR3: 000000007a612003 CR4: 00000000001706e0
Call Trace:
 <IRQ>
 do_raw_spin_lock+0xc0/0xd0
 _raw_spin_lock_irqsave+0x95/0xa0
 cdnsp_gadget_ep_queue.cold+0x88/0x107 [cdnsp_udc_pci]
 usb_ep_queue+0x35/0x110
 eth_start_xmit+0x220/0x3d0 [u_ether]
 ncm_tx_timeout+0x34/0x40 [usb_f_ncm]
 ? ncm_free_inst+0x50/0x50 [usb_f_ncm]
 __hrtimer_run_queues+0xac/0x440
 hrtimer_run_softirq+0x8c/0xb0
 __do_softirq+0xcf/0x428
 asm_call_irq_on_stack+0x12/0x20
 </IRQ>
 do_softirq_own_stack+0x61/0x70
 irq_exit_rcu+0xc1/0xd0
 sysvec_apic_timer_interrupt+0x52/0xb0
 asm_sysvec_apic_timer_interrupt+0x12/0x20
RIP: 0010:do_raw_spin_trylock+0x18/0x40
RSP: 0018:ffffbc494138bda8 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff9ee8116b4658 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9ee8116b4658
RBP: ffffbc494138bda8 R08: 0000000000000001 R09: 0000000000000000
R10: ffff9ee8116b4670 R11: 0000000000000000 R12: ffff9ee8116b4658
R13: ffff9ee8116b4670 R14: ffff9ee7b5c73d80 R15: ffff9ee8116b4000
 _raw_spin_lock+0x3d/0x70
 ? cdnsp_thread_irq_handler.cold+0x32/0x112c [cdnsp_udc_pci]
 cdnsp_thread_irq_handler.cold+0x32/0x112c [cdnsp_udc_pci]
 ? cdnsp_remove_request+0x1f0/0x1f0 [cdnsp_udc_pci]
 ? cdnsp_thread_irq_handler+0x5/0xa0 [cdnsp_udc_pci]
 ? irq_thread+0xa0/0x1c0
 irq_thread_fn+0x28/0x60
 irq_thread+0x105/0x1c0
 ? __kthread_parkme+0x42/0x90
 ? irq_forced_thread_fn+0x90/0x90
 ? wake_threads_waitq+0x30/0x30
 ? irq_thread_check_affinity+0xe0/0xe0
 kthread+0x12a/0x160
 ? kthread_park+0x90/0x90
 ret_from_fork+0x22/0x30

The root cause of issue is spin_lock/spin_unlock instruction instead
spin_lock_irqsave/spin_lock_irqrestore in cdnsp_thread_irq_handler
function.

Cc: stable@vger.kernel.org
Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Link: https://lore.kernel.org/r/20210526060527.7197-1-pawell@gli-login.cadence.com
Signed-off-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdnsp-ring.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/usb/cdns3/cdnsp-ring.c
+++ b/drivers/usb/cdns3/cdnsp-ring.c
@@ -1517,13 +1517,14 @@ irqreturn_t cdnsp_thread_irq_handler(int
 {
 	struct cdnsp_device *pdev = (struct cdnsp_device *)data;
 	union cdnsp_trb *event_ring_deq;
+	unsigned long flags;
 	int counter = 0;
 
-	spin_lock(&pdev->lock);
+	spin_lock_irqsave(&pdev->lock, flags);
 
 	if (pdev->cdnsp_state & (CDNSP_STATE_HALTED | CDNSP_STATE_DYING)) {
 		cdnsp_died(pdev);
-		spin_unlock(&pdev->lock);
+		spin_unlock_irqrestore(&pdev->lock, flags);
 		return IRQ_HANDLED;
 	}
 
@@ -1539,7 +1540,7 @@ irqreturn_t cdnsp_thread_irq_handler(int
 
 	cdnsp_update_erst_dequeue(pdev, event_ring_deq, 1);
 
-	spin_unlock(&pdev->lock);
+	spin_unlock_irqrestore(&pdev->lock, flags);
 
 	return IRQ_HANDLED;
 }



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 106/173] usb: gadget: eem: fix wrong eem header operation
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 105/173] usb: cdnsp: Fix deadlock issue in cdnsp_thread_irq_handler Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 107/173] usb: fix various gadgets null ptr deref on 10gbps cabling Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Linyu Yuan

From: Linyu Yuan <linyyuan@codeaurora.com>

commit 305f670846a31a261462577dd0b967c4fa796871 upstream.

when skb_clone() or skb_copy_expand() fail,
it should pull skb with lengh indicated by header,
or not it will read network data and check it as header.

Cc: <stable@vger.kernel.org>
Signed-off-by: Linyu Yuan <linyyuan@codeaurora.com>
Link: https://lore.kernel.org/r/20210608233547.3767-1-linyyuan@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_eem.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/function/f_eem.c
+++ b/drivers/usb/gadget/function/f_eem.c
@@ -495,7 +495,7 @@ static int eem_unwrap(struct gether *por
 			skb2 = skb_clone(skb, GFP_ATOMIC);
 			if (unlikely(!skb2)) {
 				DBG(cdev, "unable to unframe EEM packet\n");
-				continue;
+				goto next;
 			}
 			skb_trim(skb2, len - ETH_FCS_LEN);
 
@@ -505,7 +505,7 @@ static int eem_unwrap(struct gether *por
 						GFP_ATOMIC);
 			if (unlikely(!skb3)) {
 				dev_kfree_skb_any(skb2);
-				continue;
+				goto next;
 			}
 			dev_kfree_skb_any(skb2);
 			skb_queue_tail(list, skb3);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 107/173] usb: fix various gadgets null ptr deref on 10gbps cabling.
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 106/173] usb: gadget: eem: fix wrong eem header operation Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 108/173] usb: fix various gadget panics " Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Felipe Balbi,
	Gustavo A. R. Silva, Lorenzo Colitti, Martin K. Petersen,
	Michael R Sweet, Mike Christie, Pawel Laszczak, Peter Chen,
	Sudhakar Panneerselvam, Wei Ming Chen, Will McVicker, Zqiang,
	Maciej Żenczykowski

From: Maciej Żenczykowski <maze@google.com>

commit 90c4d05780d47e14a50e11a7f17373104cd47d25 upstream.

This avoids a null pointer dereference in
f_{ecm,eem,hid,loopback,printer,rndis,serial,sourcesink,subset,tcm}
by simply reusing the 5gbps config for 10gbps.

Fixes: eaef50c76057 ("usb: gadget: Update usb_assign_descriptors for SuperSpeedPlus")
Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Cc: Felipe Balbi <balbi@kernel.org>
Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
Cc: Lorenzo Colitti <lorenzo@google.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Michael R Sweet <msweet@msweet.org>
Cc: Mike Christie <michael.christie@oracle.com>
Cc: Pawel Laszczak <pawell@cadence.com>
Cc: Peter Chen <peter.chen@nxp.com>
Cc: Sudhakar Panneerselvam <sudhakar.panneerselvam@oracle.com>
Cc: Wei Ming Chen <jj251510319013@gmail.com>
Cc: Will McVicker <willmcvicker@google.com>
Cc: Zqiang <qiang.zhang@windriver.com>
Reviewed-By: Lorenzo Colitti <lorenzo@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Link: https://lore.kernel.org/r/20210608044141.3898496-1-zenczykowski@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_ecm.c        |    2 +-
 drivers/usb/gadget/function/f_eem.c        |    2 +-
 drivers/usb/gadget/function/f_hid.c        |    3 ++-
 drivers/usb/gadget/function/f_loopback.c   |    2 +-
 drivers/usb/gadget/function/f_printer.c    |    3 ++-
 drivers/usb/gadget/function/f_rndis.c      |    2 +-
 drivers/usb/gadget/function/f_serial.c     |    2 +-
 drivers/usb/gadget/function/f_sourcesink.c |    3 ++-
 drivers/usb/gadget/function/f_subset.c     |    2 +-
 drivers/usb/gadget/function/f_tcm.c        |    3 ++-
 10 files changed, 14 insertions(+), 10 deletions(-)

--- a/drivers/usb/gadget/function/f_ecm.c
+++ b/drivers/usb/gadget/function/f_ecm.c
@@ -791,7 +791,7 @@ ecm_bind(struct usb_configuration *c, st
 		fs_ecm_notify_desc.bEndpointAddress;
 
 	status = usb_assign_descriptors(f, ecm_fs_function, ecm_hs_function,
-			ecm_ss_function, NULL);
+			ecm_ss_function, ecm_ss_function);
 	if (status)
 		goto fail;
 
--- a/drivers/usb/gadget/function/f_eem.c
+++ b/drivers/usb/gadget/function/f_eem.c
@@ -302,7 +302,7 @@ static int eem_bind(struct usb_configura
 	eem_ss_out_desc.bEndpointAddress = eem_fs_out_desc.bEndpointAddress;
 
 	status = usb_assign_descriptors(f, eem_fs_function, eem_hs_function,
-			eem_ss_function, NULL);
+			eem_ss_function, eem_ss_function);
 	if (status)
 		goto fail;
 
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -802,7 +802,8 @@ static int hidg_bind(struct usb_configur
 		hidg_fs_out_ep_desc.bEndpointAddress;
 
 	status = usb_assign_descriptors(f, hidg_fs_descriptors,
-			hidg_hs_descriptors, hidg_ss_descriptors, NULL);
+			hidg_hs_descriptors, hidg_ss_descriptors,
+			hidg_ss_descriptors);
 	if (status)
 		goto fail;
 
--- a/drivers/usb/gadget/function/f_loopback.c
+++ b/drivers/usb/gadget/function/f_loopback.c
@@ -207,7 +207,7 @@ autoconf_fail:
 	ss_loop_sink_desc.bEndpointAddress = fs_loop_sink_desc.bEndpointAddress;
 
 	ret = usb_assign_descriptors(f, fs_loopback_descs, hs_loopback_descs,
-			ss_loopback_descs, NULL);
+			ss_loopback_descs, ss_loopback_descs);
 	if (ret)
 		return ret;
 
--- a/drivers/usb/gadget/function/f_printer.c
+++ b/drivers/usb/gadget/function/f_printer.c
@@ -1101,7 +1101,8 @@ autoconf_fail:
 	ss_ep_out_desc.bEndpointAddress = fs_ep_out_desc.bEndpointAddress;
 
 	ret = usb_assign_descriptors(f, fs_printer_function,
-			hs_printer_function, ss_printer_function, NULL);
+			hs_printer_function, ss_printer_function,
+			ss_printer_function);
 	if (ret)
 		return ret;
 
--- a/drivers/usb/gadget/function/f_rndis.c
+++ b/drivers/usb/gadget/function/f_rndis.c
@@ -789,7 +789,7 @@ rndis_bind(struct usb_configuration *c,
 	ss_notify_desc.bEndpointAddress = fs_notify_desc.bEndpointAddress;
 
 	status = usb_assign_descriptors(f, eth_fs_function, eth_hs_function,
-			eth_ss_function, NULL);
+			eth_ss_function, eth_ss_function);
 	if (status)
 		goto fail;
 
--- a/drivers/usb/gadget/function/f_serial.c
+++ b/drivers/usb/gadget/function/f_serial.c
@@ -233,7 +233,7 @@ static int gser_bind(struct usb_configur
 	gser_ss_out_desc.bEndpointAddress = gser_fs_out_desc.bEndpointAddress;
 
 	status = usb_assign_descriptors(f, gser_fs_function, gser_hs_function,
-			gser_ss_function, NULL);
+			gser_ss_function, gser_ss_function);
 	if (status)
 		goto fail;
 	dev_dbg(&cdev->gadget->dev, "generic ttyGS%d: %s speed IN/%s OUT/%s\n",
--- a/drivers/usb/gadget/function/f_sourcesink.c
+++ b/drivers/usb/gadget/function/f_sourcesink.c
@@ -431,7 +431,8 @@ no_iso:
 	ss_iso_sink_desc.bEndpointAddress = fs_iso_sink_desc.bEndpointAddress;
 
 	ret = usb_assign_descriptors(f, fs_source_sink_descs,
-			hs_source_sink_descs, ss_source_sink_descs, NULL);
+			hs_source_sink_descs, ss_source_sink_descs,
+			ss_source_sink_descs);
 	if (ret)
 		return ret;
 
--- a/drivers/usb/gadget/function/f_subset.c
+++ b/drivers/usb/gadget/function/f_subset.c
@@ -358,7 +358,7 @@ geth_bind(struct usb_configuration *c, s
 		fs_subset_out_desc.bEndpointAddress;
 
 	status = usb_assign_descriptors(f, fs_eth_function, hs_eth_function,
-			ss_eth_function, NULL);
+			ss_eth_function, ss_eth_function);
 	if (status)
 		goto fail;
 
--- a/drivers/usb/gadget/function/f_tcm.c
+++ b/drivers/usb/gadget/function/f_tcm.c
@@ -2061,7 +2061,8 @@ static int tcm_bind(struct usb_configura
 	uasp_fs_cmd_desc.bEndpointAddress = uasp_ss_cmd_desc.bEndpointAddress;
 
 	ret = usb_assign_descriptors(f, uasp_fs_function_desc,
-			uasp_hs_function_desc, uasp_ss_function_desc, NULL);
+			uasp_hs_function_desc, uasp_ss_function_desc,
+			uasp_ss_function_desc);
 	if (ret)
 		goto ep_fail;
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 108/173] usb: fix various gadget panics on 10gbps cabling
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 107/173] usb: fix various gadgets null ptr deref on 10gbps cabling Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 109/173] usb: typec: tcpm: Properly handle Alert and Status Messages Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Felipe Balbi, Maciej Żenczykowski

From: Maciej Żenczykowski <maze@google.com>

commit 032e288097a553db5653af552dd8035cd2a0ba96 upstream.

usb_assign_descriptors() is called with 5 parameters,
the last 4 of which are the usb_descriptor_header for:
  full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),
  high-speed (USB2.0 - 480Mbps),
  super-speed (USB3.0 - 5Gbps),
  super-speed-plus (USB3.1 - 10Gbps).

The differences between full/high/super-speed descriptors are usually
substantial (due to changes in the maximum usb block size from 64 to 512
to 1024 bytes and other differences in the specs), while the difference
between 5 and 10Gbps descriptors may be as little as nothing
(in many cases the same tuning is simply good enough).

However if a gadget driver calls usb_assign_descriptors() with
a NULL descriptor for super-speed-plus and is then used on a max 10gbps
configuration, the kernel will crash with a null pointer dereference,
when a 10gbps capable device port + cable + host port combination shows up.
(This wouldn't happen if the gadget max-speed was set to 5gbps, but
it of course defaults to the maximum, and there's no real reason to
artificially limit it)

The fix is to simply use the 5gbps descriptor as the 10gbps descriptor,
if a 10gbps descriptor wasn't provided.

Obviously this won't fix the problem if the 5gbps descriptor is also
NULL, but such cases can't be so trivially solved (and any such gadgets
are unlikely to be used with USB3 ports any way).

Cc: Felipe Balbi <balbi@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210609024459.1126080-1-zenczykowski@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/config.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/usb/gadget/config.c
+++ b/drivers/usb/gadget/config.c
@@ -164,6 +164,14 @@ int usb_assign_descriptors(struct usb_fu
 {
 	struct usb_gadget *g = f->config->cdev->gadget;
 
+	/* super-speed-plus descriptor falls back to super-speed one,
+	 * if such a descriptor was provided, thus avoiding a NULL
+	 * pointer dereference if a 5gbps capable gadget is used with
+	 * a 10gbps capable config (device port + cable + host port)
+	 */
+	if (!ssp)
+		ssp = ss;
+
 	if (fs) {
 		f->fs_descriptors = usb_copy_descriptors(fs);
 		if (!f->fs_descriptors)



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 109/173] usb: typec: tcpm: Properly handle Alert and Status Messages
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 108/173] usb: fix various gadget panics " Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 110/173] usb: typec: tcpm: cancel vdm and state machine hrtimer when unregister tcpm port Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kyle Tso

From: Kyle Tso <kyletso@google.com>

commit 063933f47a7af01650af9c4fbcc5831f1c4eb7d9 upstream.

When receiving Alert Message, if it is not unexpected but is
unsupported for some reason, the port should return Not_Supported
Message response.

Also, according to PD3.0 Spec 6.5.2.1.4 Event Flags Field, the
OTP/OVP/OCP flags in the Event Flags field in Status Message no longer
require Get_PPS_Status Message to clear them. Thus remove it when
receiving Status Message with those flags being set.

In addition, add the missing AMS operations for Status Message.

Fixes: 64f7c494a3c0 ("typec: tcpm: Add support for sink PPS related messages")
Fixes: 0908c5aca31e ("usb: typec: tcpm: AMS and Collision Avoidance")
Signed-off-by: Kyle Tso <kyletso@google.com>
Link: https://lore.kernel.org/r/20210531164928.2368606-1-kyletso@google.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c  |   52 +++++++++++++++++++++--------------------
 include/linux/usb/pd_ext_sdb.h |    4 ---
 2 files changed, 27 insertions(+), 29 deletions(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -2163,20 +2163,25 @@ static void tcpm_handle_alert(struct tcp
 
 	if (!type) {
 		tcpm_log(port, "Alert message received with no type");
+		tcpm_queue_message(port, PD_MSG_CTRL_NOT_SUPP);
 		return;
 	}
 
 	/* Just handling non-battery alerts for now */
 	if (!(type & USB_PD_ADO_TYPE_BATT_STATUS_CHANGE)) {
-		switch (port->state) {
-		case SRC_READY:
-		case SNK_READY:
+		if (port->pwr_role == TYPEC_SOURCE) {
+			port->upcoming_state = GET_STATUS_SEND;
+			tcpm_ams_start(port, GETTING_SOURCE_SINK_STATUS);
+		} else {
+			/*
+			 * Do not check SinkTxOk here in case the Source doesn't set its Rp to
+			 * SinkTxOk in time.
+			 */
+			port->ams = GETTING_SOURCE_SINK_STATUS;
 			tcpm_set_state(port, GET_STATUS_SEND, 0);
-			break;
-		default:
-			tcpm_queue_message(port, PD_MSG_CTRL_WAIT);
-			break;
 		}
+	} else {
+		tcpm_queue_message(port, PD_MSG_CTRL_NOT_SUPP);
 	}
 }
 
@@ -2420,7 +2425,12 @@ static void tcpm_pd_data_request(struct
 		tcpm_pd_handle_state(port, BIST_RX, BIST, 0);
 		break;
 	case PD_DATA_ALERT:
-		tcpm_handle_alert(port, msg->payload, cnt);
+		if (port->state != SRC_READY && port->state != SNK_READY)
+			tcpm_pd_handle_state(port, port->pwr_role == TYPEC_SOURCE ?
+					     SRC_SOFT_RESET_WAIT_SNK_TX : SNK_SOFT_RESET,
+					     NONE_AMS, 0);
+		else
+			tcpm_handle_alert(port, msg->payload, cnt);
 		break;
 	case PD_DATA_BATT_STATUS:
 	case PD_DATA_GET_COUNTRY_INFO:
@@ -2744,24 +2754,16 @@ static void tcpm_pd_ext_msg_request(stru
 
 	switch (type) {
 	case PD_EXT_STATUS:
-		/*
-		 * If PPS related events raised then get PPS status to clear
-		 * (see USB PD 3.0 Spec, 6.5.2.4)
-		 */
-		if (msg->ext_msg.data[USB_PD_EXT_SDB_EVENT_FLAGS] &
-		    USB_PD_EXT_SDB_PPS_EVENTS)
-			tcpm_pd_handle_state(port, GET_PPS_STATUS_SEND,
-					     GETTING_SOURCE_SINK_STATUS, 0);
-
-		else
-			tcpm_pd_handle_state(port, ready_state(port), NONE_AMS, 0);
-		break;
 	case PD_EXT_PPS_STATUS:
-		/*
-		 * For now the PPS status message is used to clear events
-		 * and nothing more.
-		 */
-		tcpm_pd_handle_state(port, ready_state(port), NONE_AMS, 0);
+		if (port->ams == GETTING_SOURCE_SINK_STATUS) {
+			tcpm_ams_finish(port);
+			tcpm_set_state(port, ready_state(port), 0);
+		} else {
+			/* unexpected Status or PPS_Status Message */
+			tcpm_pd_handle_state(port, port->pwr_role == TYPEC_SOURCE ?
+					     SRC_SOFT_RESET_WAIT_SNK_TX : SNK_SOFT_RESET,
+					     NONE_AMS, 0);
+		}
 		break;
 	case PD_EXT_SOURCE_CAP_EXT:
 	case PD_EXT_GET_BATT_CAP:
--- a/include/linux/usb/pd_ext_sdb.h
+++ b/include/linux/usb/pd_ext_sdb.h
@@ -24,8 +24,4 @@ enum usb_pd_ext_sdb_fields {
 #define USB_PD_EXT_SDB_EVENT_OVP		BIT(3)
 #define USB_PD_EXT_SDB_EVENT_CF_CV_MODE		BIT(4)
 
-#define USB_PD_EXT_SDB_PPS_EVENTS	(USB_PD_EXT_SDB_EVENT_OCP |	\
-					 USB_PD_EXT_SDB_EVENT_OTP |	\
-					 USB_PD_EXT_SDB_EVENT_OVP)
-
 #endif /* __LINUX_USB_PD_EXT_SDB_H */



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 110/173] usb: typec: tcpm: cancel vdm and state machine hrtimer when unregister tcpm port
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 109/173] usb: typec: tcpm: Properly handle Alert and Status Messages Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 111/173] usb: typec: tcpm: cancel frs " Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Li Jun

From: Li Jun <jun.li@nxp.com>

commit 3a13ff7ef4349d70d1d18378d661117dd5af8efe upstream.

A pending hrtimer may expire after the kthread_worker of tcpm port
is destroyed, see below kernel dump when do module unload, fix it
by cancel the 2 hrtimers.

[  111.517018] Unable to handle kernel paging request at virtual address ffff8000118cb880
[  111.518786] blk_update_request: I/O error, dev sda, sector 60061185 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
[  111.526594] Mem abort info:
[  111.526597]   ESR = 0x96000047
[  111.526600]   EC = 0x25: DABT (current EL), IL = 32 bits
[  111.526604]   SET = 0, FnV = 0
[  111.526607]   EA = 0, S1PTW = 0
[  111.526610] Data abort info:
[  111.526612]   ISV = 0, ISS = 0x00000047
[  111.526615]   CM = 0, WnR = 1
[  111.526619] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041d75000
[  111.526623] [ffff8000118cb880] pgd=10000001bffff003, p4d=10000001bffff003, pud=10000001bfffe003, pmd=10000001bfffa003, pte=0000000000000000
[  111.526642] Internal error: Oops: 96000047 [#1] PREEMPT SMP
[  111.526647] Modules linked in: dwc3_imx8mp dwc3 phy_fsl_imx8mq_usb [last unloaded: tcpci]
[  111.526663] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc4-00927-gebbe9dbd802c-dirty #36
[  111.526670] Hardware name: NXP i.MX8MPlus EVK board (DT)
[  111.526674] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO BTYPE=--)
[  111.526681] pc : queued_spin_lock_slowpath+0x1a0/0x390
[  111.526695] lr : _raw_spin_lock_irqsave+0x88/0xb4
[  111.526703] sp : ffff800010003e20
[  111.526706] x29: ffff800010003e20 x28: ffff00017f380180
[  111.537156] buffer_io_error: 6 callbacks suppressed
[  111.537162] Buffer I/O error on dev sda1, logical block 60040704, async page read
[  111.539932]  x27: ffff00017f3801c0
[  111.539938] x26: ffff800010ba2490 x25: 0000000000000000 x24: 0000000000000001
[  111.543025] blk_update_request: I/O error, dev sda, sector 60061186 op 0x0:(READ) flags 0x0 phys_seg 7 prio class 0
[  111.548304]
[  111.548306] x23: 00000000000000c0 x22: ffff0000c2a9f184 x21: ffff00017f380180
[  111.551374] Buffer I/O error on dev sda1, logical block 60040705, async page read
[  111.554499]
[  111.554503] x20: ffff0000c5f14210 x19: 00000000000000c0 x18: 0000000000000000
[  111.557391] Buffer I/O error on dev sda1, logical block 60040706, async page read
[  111.561218]
[  111.561222] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[  111.564205] Buffer I/O error on dev sda1, logical block 60040707, async page read
[  111.570887] x14: 00000000000000f5 x13: 0000000000000001 x12: 0000000000000040
[  111.570902] x11: ffff0000c05ac6d8
[  111.583420] Buffer I/O error on dev sda1, logical block 60040708, async page read
[  111.588978]  x10: 0000000000000000 x9 : 0000000000040000
[  111.588988] x8 : 0000000000000000
[  111.597173] Buffer I/O error on dev sda1, logical block 60040709, async page read
[  111.605766]  x7 : ffff00017f384880 x6 : ffff8000118cb880
[  111.605777] x5 : ffff00017f384880
[  111.611094] Buffer I/O error on dev sda1, logical block 60040710, async page read
[  111.617086]  x4 : 0000000000000000 x3 : ffff0000c2a9f184
[  111.617096] x2 : ffff8000118cb880
[  111.622242] Buffer I/O error on dev sda1, logical block 60040711, async page read
[  111.626927]  x1 : ffff8000118cb880 x0 : ffff00017f384888
[  111.626938] Call trace:
[  111.626942]  queued_spin_lock_slowpath+0x1a0/0x390
[  111.795809]  kthread_queue_work+0x30/0xc0
[  111.799828]  state_machine_timer_handler+0x20/0x30
[  111.804624]  __hrtimer_run_queues+0x140/0x1e0
[  111.808990]  hrtimer_interrupt+0xec/0x2c0
[  111.813004]  arch_timer_handler_phys+0x38/0x50
[  111.817456]  handle_percpu_devid_irq+0x88/0x150
[  111.821991]  __handle_domain_irq+0x80/0xe0
[  111.826093]  gic_handle_irq+0xc0/0x140
[  111.829848]  el1_irq+0xbc/0x154
[  111.832991]  arch_cpu_idle+0x1c/0x2c
[  111.836572]  default_idle_call+0x24/0x6c
[  111.840497]  do_idle+0x238/0x2ac
[  111.843729]  cpu_startup_entry+0x2c/0x70
[  111.847657]  rest_init+0xdc/0xec
[  111.850890]  arch_call_rest_init+0x14/0x20
[  111.854988]  start_kernel+0x508/0x540
[  111.858659] Code: 910020e0 8b0200c2 f861d884 aa0203e1 (f8246827)
[  111.864760] ---[ end trace 308b9a4a3dcb73ac ]---
[  111.869381] Kernel panic - not syncing: Oops: Fatal exception in interrupt
[  111.876258] SMP: stopping secondary CPUs
[  111.880185] Kernel Offset: disabled
[  111.883673] CPU features: 0x00001001,20000846
[  111.888031] Memory Limit: none
[  111.891090] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---

Fixes: 3ed8e1c2ac99 ("usb: typec: tcpm: Migrate workqueue to RT priority for processing events")
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Li Jun <jun.li@nxp.com>
Link: https://lore.kernel.org/r/1622627829-11070-1-git-send-email-jun.li@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -6228,6 +6228,9 @@ void tcpm_unregister_port(struct tcpm_po
 {
 	int i;
 
+	hrtimer_cancel(&port->vdm_state_machine_timer);
+	hrtimer_cancel(&port->state_machine_timer);
+
 	tcpm_reset_port(port);
 	for (i = 0; i < ARRAY_SIZE(port->port_altmode); i++)
 		typec_unregister_altmode(port->port_altmode[i]);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 111/173] usb: typec: tcpm: cancel frs hrtimer when unregister tcpm port
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 110/173] usb: typec: tcpm: cancel vdm and state machine hrtimer when unregister tcpm port Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 112/173] usb: typec: tcpm: Do not finish VDM AMS for retrying Responses Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Li Jun

From: Li Jun <jun.li@nxp.com>

commit 7ade4805e296c8d1e40c842395bbe478c7210555 upstream.

Like the state_machine_timer, we should also cancel possible pending
frs hrtimer when unregister tcpm port.

Fixes: 8dc4bd073663 ("usb: typec: tcpm: Add support for Sink Fast Role SWAP(FRS)")
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Li Jun <jun.li@nxp.com>
Link: https://lore.kernel.org/r/1622627829-11070-2-git-send-email-jun.li@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -6228,6 +6228,7 @@ void tcpm_unregister_port(struct tcpm_po
 {
 	int i;
 
+	hrtimer_cancel(&port->enable_frs_timer);
 	hrtimer_cancel(&port->vdm_state_machine_timer);
 	hrtimer_cancel(&port->state_machine_timer);
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 112/173] usb: typec: tcpm: Do not finish VDM AMS for retrying Responses
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 111/173] usb: typec: tcpm: cancel frs " Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 113/173] regulator: core: resolve supply for boot-on/always-on regulators Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Heikki Krogerus, Kyle Tso

From: Kyle Tso <kyletso@google.com>

commit 5ab14ab1f2db24ffae6c5c39a689660486962e6e upstream.

If the VDM responses couldn't be sent successfully, it doesn't need to
finish the AMS until the retry count reaches the limit.

Fixes: 0908c5aca31e ("usb: typec: tcpm: AMS and Collision Avoidance")
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Cc: stable <stable@vger.kernel.org>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Kyle Tso <kyletso@google.com>
Link: https://lore.kernel.org/r/20210606081452.764032-1-kyletso@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -1917,6 +1917,9 @@ static void vdm_run_state_machine(struct
 			tcpm_log(port, "VDM Tx error, retry");
 			port->vdm_retries++;
 			port->vdm_state = VDM_STATE_READY;
+			if (PD_VDO_SVDM(vdo_hdr) && PD_VDO_CMDT(vdo_hdr) == CMDT_INIT)
+				tcpm_ams_finish(port);
+		} else {
 			tcpm_ams_finish(port);
 		}
 		break;



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 113/173] regulator: core: resolve supply for boot-on/always-on regulators
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 112/173] usb: typec: tcpm: Do not finish VDM AMS for retrying Responses Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 114/173] regulator: max77620: Use device_set_of_node_from_dev() Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Baryshkov, Mark Brown

From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>

commit 98e48cd9283dbac0e1445ee780889f10b3d1db6a upstream.

For the boot-on/always-on regulators the set_machine_constrainst() is
called before resolving rdev->supply. Thus the code would try to enable
rdev before enabling supplying regulator. Enforce resolving supply
regulator before enabling rdev.

Fixes: aea6cb99703e ("regulator: resolve supply after creating regulator")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/20210519221224.2868496-1-dmitry.baryshkov@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/regulator/core.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -1422,6 +1422,12 @@ static int set_machine_constraints(struc
 	 * and we have control then make sure it is enabled.
 	 */
 	if (rdev->constraints->always_on || rdev->constraints->boot_on) {
+		/* If we want to enable this regulator, make sure that we know
+		 * the supplying regulator.
+		 */
+		if (rdev->supply_name && !rdev->supply)
+			return -EPROBE_DEFER;
+
 		if (rdev->supply) {
 			ret = regulator_enable(rdev->supply);
 			if (ret < 0) {



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 114/173] regulator: max77620: Use device_set_of_node_from_dev()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 113/173] regulator: core: resolve supply for boot-on/always-on regulators Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 115/173] regulator: bd718x7: Fix the BUCK7 voltage setting on BD71837 Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Mark Brown

From: Dmitry Osipenko <digetx@gmail.com>

commit 6f55c5dd1118b3076d11d9cb17f5c5f4bc3a1162 upstream.

The MAX77620 driver fails to re-probe on deferred probe because driver
core tries to claim resources that are already claimed by the PINCTRL
device. Use device_set_of_node_from_dev() helper which marks OF node as
reused, skipping erroneous execution of pinctrl_bind_pins() for the PMIC
device on the re-probe.

Fixes: aea6cb99703e ("regulator: resolve supply after creating regulator")
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Link: https://lore.kernel.org/r/20210523224243.13219-2-digetx@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/regulator/max77620-regulator.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/regulator/max77620-regulator.c
+++ b/drivers/regulator/max77620-regulator.c
@@ -814,6 +814,13 @@ static int max77620_regulator_probe(stru
 	config.dev = dev;
 	config.driver_data = pmic;
 
+	/*
+	 * Set of_node_reuse flag to prevent driver core from attempting to
+	 * claim any pinmux resources already claimed by the parent device.
+	 * Otherwise PMIC driver will fail to re-probe.
+	 */
+	device_set_of_node_from_dev(&pdev->dev, pdev->dev.parent);
+
 	for (id = 0; id < MAX77620_NUM_REGS; id++) {
 		struct regulator_dev *rdev;
 		struct regulator_desc *rdesc;



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 115/173] regulator: bd718x7: Fix the BUCK7 voltage setting on BD71837
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 114/173] regulator: max77620: Use device_set_of_node_from_dev() Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 116/173] regulator: da9121: Return REGULATOR_MODE_INVALID for invalid mode Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Matti Vaittinen, Mark Brown

From: Matti Vaittinen <matti.vaittinen@fi.rohmeurope.com>

commit bc537e65b09a05923f98a31920d1ab170e648dba upstream.

Changing the BD71837 voltages for other regulators except the first 4 BUCKs
should be forbidden when the regulator is enabled. There may be out-of-spec
voltage spikes if the voltage of these "non DVS" bucks is changed when
enabled. This restriction was accidentally removed when the LDO voltage
change was allowed for BD71847. (It was not noticed that the BD71837
BUCK7 used same voltage setting function as LDOs).

Additionally this bug causes incorrect voltage monitoring register access.
The voltage change function accidentally used for bd71837 BUCK7 is
intended to only handle LDO voltage changes. A BD71847 LDO specific
voltage monitoring disabling code gets executed on BD71837 and register
offsets are wrongly calculated as regulator is assumed to be an LDO.

Prevent the BD71837 BUCK7 voltage change when BUCK7 is enabled by using
the correct voltage setting operation.

Fixes: 9bcbabafa19b ("regulator: bd718x7: remove voltage change restriction from BD71847 LDOs")
Signed-off-by: Matti Vaittinen <matti.vaittinen@fi.rohmeurope.com>
Link: https://lore.kernel.org/r/bd8c00931421fafa57e3fdf46557a83075b7cc17.1622610103.git.matti.vaittinen@fi.rohmeurope.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/regulator/bd718x7-regulator.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/regulator/bd718x7-regulator.c
+++ b/drivers/regulator/bd718x7-regulator.c
@@ -364,7 +364,7 @@ BD718XX_OPS(bd71837_buck_regulator_ops,
 	    NULL);
 
 BD718XX_OPS(bd71837_buck_regulator_nolinear_ops, regulator_list_voltage_table,
-	    regulator_map_voltage_ascend, bd718xx_set_voltage_sel_restricted,
+	    regulator_map_voltage_ascend, bd71837_set_voltage_sel_restricted,
 	    regulator_get_voltage_sel_regmap, regulator_set_voltage_time_sel,
 	    NULL);
 /*



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 116/173] regulator: da9121: Return REGULATOR_MODE_INVALID for invalid mode
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 115/173] regulator: bd718x7: Fix the BUCK7 voltage setting on BD71837 Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 117/173] regulator: fan53880: Fix missing n_voltages setting Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Axel Lin, Adam Ward, Mark Brown

From: Axel Lin <axel.lin@ingics.com>

commit 0b1e552673724832b08d49037cdeeac634a3b319 upstream.

-EINVAL is not a valid return value for .of_map_mode, return
REGULATOR_MODE_INVALID instead.

Fixes: 65ac97042d4e ("regulator: da9121: add mode support")
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Acked-by: Adam Ward <Adam.Ward.opensource@diasemi.com>
Link: https://lore.kernel.org/r/20210517052721.1063375-1-axel.lin@ingics.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/regulator/da9121-regulator.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/regulator/da9121-regulator.c
+++ b/drivers/regulator/da9121-regulator.c
@@ -280,7 +280,7 @@ static unsigned int da9121_map_mode(unsi
 	case DA9121_BUCK_MODE_FORCE_PFM:
 		return REGULATOR_MODE_STANDBY;
 	default:
-		return -EINVAL;
+		return REGULATOR_MODE_INVALID;
 	}
 }
 
@@ -317,7 +317,7 @@ static unsigned int da9121_buck_get_mode
 {
 	struct da9121 *chip = rdev_get_drvdata(rdev);
 	int id = rdev_get_id(rdev);
-	unsigned int val;
+	unsigned int val, mode;
 	int ret = 0;
 
 	ret = regmap_read(chip->regmap, da9121_mode_field[id].reg, &val);
@@ -326,7 +326,11 @@ static unsigned int da9121_buck_get_mode
 		return -EINVAL;
 	}
 
-	return da9121_map_mode(val & da9121_mode_field[id].msk);
+	mode = da9121_map_mode(val & da9121_mode_field[id].msk);
+	if (mode == REGULATOR_MODE_INVALID)
+		return -EINVAL;
+
+	return mode;
 }
 
 static const struct regulator_ops da9121_buck_ops = {



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 117/173] regulator: fan53880: Fix missing n_voltages setting
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 116/173] regulator: da9121: Return REGULATOR_MODE_INVALID for invalid mode Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 118/173] regulator: fixed: Ensure enable_counter is correct if reg_domain_disable fails Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Axel Lin, Christoph Fritz, Mark Brown

From: Axel Lin <axel.lin@ingics.com>

commit 34991ee96fd8477479dd15adadceb6b28b30d9b0 upstream.

Fixes: e6dea51e2d41 ("regulator: fan53880: Add initial support")
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Acked-by: Christoph Fritz <chf.fritz@googlemail.com>
Link: https://lore.kernel.org/r/20210517105325.1227393-1-axel.lin@ingics.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/regulator/fan53880.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/regulator/fan53880.c
+++ b/drivers/regulator/fan53880.c
@@ -51,6 +51,7 @@ static const struct regulator_ops fan538
 		      REGULATOR_LINEAR_RANGE(800000, 0xf, 0x73, 25000),	\
 		},							\
 		.n_linear_ranges = 2,					\
+		.n_voltages =	   0x74,				\
 		.vsel_reg =	   FAN53880_LDO ## _num ## VOUT,	\
 		.vsel_mask =	   0x7f,				\
 		.enable_reg =	   FAN53880_ENABLE,			\
@@ -76,6 +77,7 @@ static const struct regulator_desc fan53
 		      REGULATOR_LINEAR_RANGE(600000, 0x1f, 0xf7, 12500),
 		},
 		.n_linear_ranges = 2,
+		.n_voltages =	   0xf8,
 		.vsel_reg =	   FAN53880_BUCKVOUT,
 		.vsel_mask =	   0x7f,
 		.enable_reg =	   FAN53880_ENABLE,
@@ -95,6 +97,7 @@ static const struct regulator_desc fan53
 		      REGULATOR_LINEAR_RANGE(3000000, 0x4, 0x70, 25000),
 		},
 		.n_linear_ranges = 2,
+		.n_voltages =	   0x71,
 		.vsel_reg =	   FAN53880_BOOSTVOUT,
 		.vsel_mask =	   0x7f,
 		.enable_reg =	   FAN53880_ENABLE_BOOST,



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 118/173] regulator: fixed: Ensure enable_counter is correct if reg_domain_disable fails
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 117/173] regulator: fan53880: Fix missing n_voltages setting Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 119/173] regulator: scmi: Fix off-by-one for linear regulators .n_voltages setting Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Axel Lin, Mark Brown

From: Axel Lin <axel.lin@ingics.com>

commit 855bfff9d623e7aff6556bfb6831d324dec8d96a upstream.

dev_pm_genpd_set_performance_state() may fail, so had better to check it's
return value before decreasing priv->enable_counter.

Fixes: bf3a28cf4241 ("regulator: fixed: support using power domain for enable/disable")
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Link: https://lore.kernel.org/r/20210520111811.1806293-1-axel.lin@ingics.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/regulator/fixed.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/regulator/fixed.c
+++ b/drivers/regulator/fixed.c
@@ -88,10 +88,15 @@ static int reg_domain_disable(struct reg
 {
 	struct fixed_voltage_data *priv = rdev_get_drvdata(rdev);
 	struct device *dev = rdev->dev.parent;
+	int ret;
+
+	ret = dev_pm_genpd_set_performance_state(dev, 0);
+	if (ret)
+		return ret;
 
 	priv->enable_counter--;
 
-	return dev_pm_genpd_set_performance_state(dev, 0);
+	return 0;
 }
 
 static int reg_is_enabled(struct regulator_dev *rdev)



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 119/173] regulator: scmi: Fix off-by-one for linear regulators .n_voltages setting
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 118/173] regulator: fixed: Ensure enable_counter is correct if reg_domain_disable fails Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 120/173] regulator: bd71828: Fix .n_voltages settings Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Axel Lin, Cristian Marussi, Mark Brown

From: Axel Lin <axel.lin@ingics.com>

commit 36cb555fae0875d5416e8514a84a427bec6e4cda upstream.

For linear regulators, the .n_voltages is (max_uv - min_uv) / uv_step + 1.

Fixes: 0fbeae70ee7c ("regulator: add SCMI driver")
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>
Link: https://lore.kernel.org/r/20210521073020.1944981-1-axel.lin@ingics.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/regulator/scmi-regulator.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/regulator/scmi-regulator.c
+++ b/drivers/regulator/scmi-regulator.c
@@ -176,7 +176,7 @@ scmi_config_linear_regulator_mappings(st
 		sreg->desc.uV_step =
 			vinfo->levels_uv[SCMI_VOLTAGE_SEGMENT_STEP];
 		sreg->desc.linear_min_sel = 0;
-		sreg->desc.n_voltages = delta_uV / sreg->desc.uV_step;
+		sreg->desc.n_voltages = (delta_uV / sreg->desc.uV_step) + 1;
 		sreg->desc.ops = &scmi_reg_linear_ops;
 	}
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 120/173] regulator: bd71828: Fix .n_voltages settings
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 119/173] regulator: scmi: Fix off-by-one for linear regulators .n_voltages setting Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 121/173] regulator: atc260x: Fix n_voltages and min_sel for pickable linear ranges Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Axel Lin, Matti Vaittinen, Mark Brown

From: Axel Lin <axel.lin@ingics.com>

commit 4c668630bf8ea90a041fc69c9984486e0f56682d upstream.

Current .n_voltages settings do not cover the latest 2 valid selectors,
so it fails to set voltage for the hightest voltage support.
The latest linear range has step_uV = 0, so it does not matter if we
count the .n_voltages to maximum selector + 1 or the first selector of
latest linear range + 1.
To simplify calculating the n_voltages, let's just set the
.n_voltages to maximum selector + 1.

Fixes: 522498f8cb8c ("regulator: bd71828: Basic support for ROHM bd71828 PMIC regulators")
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Reviewed-by: Matti Vaittinen <matti.vaittinen@fi.rohmeurope.com>
Link: https://lore.kernel.org/r/20210523071045.2168904-2-axel.lin@ingics.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/mfd/rohm-bd71828.h |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/include/linux/mfd/rohm-bd71828.h
+++ b/include/linux/mfd/rohm-bd71828.h
@@ -26,11 +26,11 @@ enum {
 	BD71828_REGULATOR_AMOUNT,
 };
 
-#define BD71828_BUCK1267_VOLTS		0xEF
-#define BD71828_BUCK3_VOLTS		0x10
-#define BD71828_BUCK4_VOLTS		0x20
-#define BD71828_BUCK5_VOLTS		0x10
-#define BD71828_LDO_VOLTS		0x32
+#define BD71828_BUCK1267_VOLTS		0x100
+#define BD71828_BUCK3_VOLTS		0x20
+#define BD71828_BUCK4_VOLTS		0x40
+#define BD71828_BUCK5_VOLTS		0x20
+#define BD71828_LDO_VOLTS		0x40
 /* LDO6 is fixed 1.8V voltage */
 #define BD71828_LDO_6_VOLTAGE		1800000
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 121/173] regulator: atc260x: Fix n_voltages and min_sel for pickable linear ranges
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 120/173] regulator: bd71828: Fix .n_voltages settings Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 122/173] regulator: rtmv20: Fix .set_current_limit/.get_current_limit callbacks Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Axel Lin, Cristian Ciocaltea, Mark Brown

From: Axel Lin <axel.lin@ingics.com>

commit 1963fa67d78674a110bc9b2a8b1e226967692f05 upstream.

The .n_voltages was missed for pickable linear ranges, fix it.
The min_sel for each pickable range should be starting from 0.
Also fix atc260x_ldo_voltage_range_sel setting (bit 5 - LDO<N>_VOL_SEL
in datasheet).

Fixes: 3b15ccac161a ("regulator: Add regulator driver for ATC260x PMICs")
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Reviewed-by: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
Link: https://lore.kernel.org/r/20210528230147.363974-1-axel.lin@ingics.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/regulator/atc260x-regulator.c |   19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

--- a/drivers/regulator/atc260x-regulator.c
+++ b/drivers/regulator/atc260x-regulator.c
@@ -28,16 +28,16 @@ static const struct linear_range atc2609
 
 static const struct linear_range atc2609a_ldo_voltage_ranges0[] = {
 	REGULATOR_LINEAR_RANGE(700000, 0, 15, 100000),
-	REGULATOR_LINEAR_RANGE(2100000, 16, 28, 100000),
+	REGULATOR_LINEAR_RANGE(2100000, 0, 12, 100000),
 };
 
 static const struct linear_range atc2609a_ldo_voltage_ranges1[] = {
 	REGULATOR_LINEAR_RANGE(850000, 0, 15, 100000),
-	REGULATOR_LINEAR_RANGE(2100000, 16, 27, 100000),
+	REGULATOR_LINEAR_RANGE(2100000, 0, 11, 100000),
 };
 
 static const unsigned int atc260x_ldo_voltage_range_sel[] = {
-	0x0, 0x1,
+	0x0, 0x20,
 };
 
 static int atc260x_dcdc_set_voltage_time_sel(struct regulator_dev *rdev,
@@ -411,7 +411,7 @@ enum atc2609a_reg_ids {
 	.owner = THIS_MODULE, \
 }
 
-#define atc2609a_reg_desc_ldo_range_pick(num, n_range) { \
+#define atc2609a_reg_desc_ldo_range_pick(num, n_range, n_volt) { \
 	.name = "LDO"#num, \
 	.supply_name = "ldo"#num, \
 	.of_match = of_match_ptr("ldo"#num), \
@@ -421,6 +421,7 @@ enum atc2609a_reg_ids {
 	.type = REGULATOR_VOLTAGE, \
 	.linear_ranges = atc2609a_ldo_voltage_ranges##n_range, \
 	.n_linear_ranges = ARRAY_SIZE(atc2609a_ldo_voltage_ranges##n_range), \
+	.n_voltages = n_volt, \
 	.vsel_reg = ATC2609A_PMU_LDO##num##_CTL0, \
 	.vsel_mask = GENMASK(4, 1), \
 	.vsel_range_reg = ATC2609A_PMU_LDO##num##_CTL0, \
@@ -458,12 +459,12 @@ static const struct regulator_desc atc26
 	atc2609a_reg_desc_ldo_bypass(0),
 	atc2609a_reg_desc_ldo_bypass(1),
 	atc2609a_reg_desc_ldo_bypass(2),
-	atc2609a_reg_desc_ldo_range_pick(3, 0),
-	atc2609a_reg_desc_ldo_range_pick(4, 0),
+	atc2609a_reg_desc_ldo_range_pick(3, 0, 29),
+	atc2609a_reg_desc_ldo_range_pick(4, 0, 29),
 	atc2609a_reg_desc_ldo(5),
-	atc2609a_reg_desc_ldo_range_pick(6, 1),
-	atc2609a_reg_desc_ldo_range_pick(7, 0),
-	atc2609a_reg_desc_ldo_range_pick(8, 0),
+	atc2609a_reg_desc_ldo_range_pick(6, 1, 28),
+	atc2609a_reg_desc_ldo_range_pick(7, 0, 29),
+	atc2609a_reg_desc_ldo_range_pick(8, 0, 29),
 	atc2609a_reg_desc_ldo_fixed(9),
 };
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 122/173] regulator: rtmv20: Fix .set_current_limit/.get_current_limit callbacks
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 121/173] regulator: atc260x: Fix n_voltages and min_sel for pickable linear ranges Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 123/173] phy: usb: Fix misuse of IS_ENABLED Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Axel Lin, ChiYuan Huang, Mark Brown

From: Axel Lin <axel.lin@ingics.com>

commit 86ab21cc39e6b99b7065ab9008c90bec5dec535a upstream.

Current code does not set .curr_table and .n_linear_ranges settings,
so it cannot use the regulator_get/set_current_limit_regmap helpers.
If we setup the curr_table, it will has 200 entries.
Implement customized .set_current_limit/.get_current_limit callbacks
instead.

Fixes: b8c054a5eaf0 ("regulator: rtmv20: Adds support for Richtek RTMV20 load switch regulator")
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Reviewed-by: ChiYuan Huang <cy_huang@richtek.com>
Link: https://lore.kernel.org/r/20210530124101.477727-1-axel.lin@ingics.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/regulator/rtmv20-regulator.c |   42 +++++++++++++++++++++++++++++++++--
 1 file changed, 40 insertions(+), 2 deletions(-)

--- a/drivers/regulator/rtmv20-regulator.c
+++ b/drivers/regulator/rtmv20-regulator.c
@@ -103,9 +103,47 @@ static int rtmv20_lsw_disable(struct reg
 	return 0;
 }
 
+static int rtmv20_lsw_set_current_limit(struct regulator_dev *rdev, int min_uA,
+					int max_uA)
+{
+	int sel;
+
+	if (min_uA > RTMV20_LSW_MAXUA || max_uA < RTMV20_LSW_MINUA)
+		return -EINVAL;
+
+	if (max_uA > RTMV20_LSW_MAXUA)
+		max_uA = RTMV20_LSW_MAXUA;
+
+	sel = (max_uA - RTMV20_LSW_MINUA) / RTMV20_LSW_STEPUA;
+
+	/* Ensure the selected setting is still in range */
+	if ((sel * RTMV20_LSW_STEPUA + RTMV20_LSW_MINUA) < min_uA)
+		return -EINVAL;
+
+	sel <<= ffs(rdev->desc->csel_mask) - 1;
+
+	return regmap_update_bits(rdev->regmap, rdev->desc->csel_reg,
+				  rdev->desc->csel_mask, sel);
+}
+
+static int rtmv20_lsw_get_current_limit(struct regulator_dev *rdev)
+{
+	unsigned int val;
+	int ret;
+
+	ret = regmap_read(rdev->regmap, rdev->desc->csel_reg, &val);
+	if (ret)
+		return ret;
+
+	val &= rdev->desc->csel_mask;
+	val >>= ffs(rdev->desc->csel_mask) - 1;
+
+	return val * RTMV20_LSW_STEPUA + RTMV20_LSW_MINUA;
+}
+
 static const struct regulator_ops rtmv20_regulator_ops = {
-	.set_current_limit = regulator_set_current_limit_regmap,
-	.get_current_limit = regulator_get_current_limit_regmap,
+	.set_current_limit = rtmv20_lsw_set_current_limit,
+	.get_current_limit = rtmv20_lsw_get_current_limit,
 	.enable = rtmv20_lsw_enable,
 	.disable = rtmv20_lsw_disable,
 	.is_enabled = regulator_is_enabled_regmap,



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 123/173] phy: usb: Fix misuse of IS_ENABLED
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 122/173] regulator: rtmv20: Fix .set_current_limit/.get_current_limit callbacks Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 124/173] usb: cdns3: Enable TDL_CHK only for OUT ep Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chen Li, Al Cooper, Florian Fainelli,
	Vinod Koul

From: Chen Li <chenli@uniontech.com>

commit 7c2fc79250cafa1a29befeb60163028ec4720814 upstream.

While IS_ENABLED() is perfectly fine for CONFIG_* symbols, it is not
for other symbols such as __BIG_ENDIAN that is provided directly by
the compiler.

Switch to use CONFIG_CPU_BIG_ENDIAN instead of __BIG_ENDIAN.

Signed-off-by: Chen Li <chenli@uniontech.com>
Reviewed-by: Al Cooper <alcooperx@gmail.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Fixes: 94583a41047e ("phy: usb: Restructure in preparation for adding 7216 USB support")
Link: https://lore.kernel.org/r/87czuggpra.wl-chenli@uniontech.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/phy/broadcom/phy-brcm-usb-init.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/phy/broadcom/phy-brcm-usb-init.h
+++ b/drivers/phy/broadcom/phy-brcm-usb-init.h
@@ -78,7 +78,7 @@ static inline u32 brcm_usb_readl(void __
 	 * Other architectures (e.g., ARM) either do not support big endian, or
 	 * else leave I/O in little endian mode.
 	 */
-	if (IS_ENABLED(CONFIG_MIPS) && IS_ENABLED(__BIG_ENDIAN))
+	if (IS_ENABLED(CONFIG_MIPS) && IS_ENABLED(CONFIG_CPU_BIG_ENDIAN))
 		return __raw_readl(addr);
 	else
 		return readl_relaxed(addr);
@@ -87,7 +87,7 @@ static inline u32 brcm_usb_readl(void __
 static inline void brcm_usb_writel(u32 val, void __iomem *addr)
 {
 	/* See brcmnand_readl() comments */
-	if (IS_ENABLED(CONFIG_MIPS) && IS_ENABLED(__BIG_ENDIAN))
+	if (IS_ENABLED(CONFIG_MIPS) && IS_ENABLED(CONFIG_CPU_BIG_ENDIAN))
 		__raw_writel(val, addr);
 	else
 		writel_relaxed(val, addr);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 124/173] usb: cdns3: Enable TDL_CHK only for OUT ep
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 123/173] phy: usb: Fix misuse of IS_ENABLED Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 125/173] usb: dwc3: gadget: Disable gadget IRQ during pullup disable Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aswath Govindraju, Sanket Parmar, Peter Chen

From: Sanket Parmar <sparmar@cadence.com>

commit d6eef886903c4bb5af41b9a31d4ba11dc7a6f8e8 upstream.

ZLP gets stuck if TDL_CHK bit is set and TDL_FROM_TRB is used
as TDL source for IN endpoints. To fix it, TDL_CHK is only
enabled for OUT endpoints.

Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
Reported-by: Aswath Govindraju <a-govindraju@ti.com>
Signed-off-by: Sanket Parmar <sparmar@cadence.com>
Link: https://lore.kernel.org/r/1621263912-13175-1-git-send-email-sparmar@cadence.com
Signed-off-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdns3-gadget.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/drivers/usb/cdns3/cdns3-gadget.c
+++ b/drivers/usb/cdns3/cdns3-gadget.c
@@ -2006,7 +2006,7 @@ static void cdns3_configure_dmult(struct
 		else
 			mask = BIT(priv_ep->num);
 
-		if (priv_ep->type != USB_ENDPOINT_XFER_ISOC) {
+		if (priv_ep->type != USB_ENDPOINT_XFER_ISOC  && !priv_ep->dir) {
 			cdns3_set_register_bit(&regs->tdl_from_trb, mask);
 			cdns3_set_register_bit(&regs->tdl_beh, mask);
 			cdns3_set_register_bit(&regs->tdl_beh2, mask);
@@ -2045,15 +2045,13 @@ int cdns3_ep_config(struct cdns3_endpoin
 	case USB_ENDPOINT_XFER_INT:
 		ep_cfg = EP_CFG_EPTYPE(USB_ENDPOINT_XFER_INT);
 
-		if ((priv_dev->dev_ver == DEV_VER_V2 && !priv_ep->dir) ||
-		    priv_dev->dev_ver > DEV_VER_V2)
+		if (priv_dev->dev_ver >= DEV_VER_V2 && !priv_ep->dir)
 			ep_cfg |= EP_CFG_TDL_CHK;
 		break;
 	case USB_ENDPOINT_XFER_BULK:
 		ep_cfg = EP_CFG_EPTYPE(USB_ENDPOINT_XFER_BULK);
 
-		if ((priv_dev->dev_ver == DEV_VER_V2  && !priv_ep->dir) ||
-		    priv_dev->dev_ver > DEV_VER_V2)
+		if (priv_dev->dev_ver >= DEV_VER_V2 && !priv_ep->dir)
 			ep_cfg |= EP_CFG_TDL_CHK;
 		break;
 	default:



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 125/173] usb: dwc3: gadget: Disable gadget IRQ during pullup disable
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 124/173] usb: cdns3: Enable TDL_CHK only for OUT ep Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 126/173] usb: typec: tcpm: Correct the responses in SVDM Version 2.0 DFP Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wesley Cheng

From: Wesley Cheng <wcheng@codeaurora.org>

commit 8212937305f84ef73ea81036dafb80c557583d4b upstream.

Current sequence utilizes dwc3_gadget_disable_irq() alongside
synchronize_irq() to ensure that no further DWC3 events are generated.
However, the dwc3_gadget_disable_irq() API only disables device
specific events.  Endpoint events can still be generated.  Briefly
disable the interrupt line, so that the cleanup code can run to
prevent device and endpoint events. (i.e. __dwc3_gadget_stop() and
dwc3_stop_active_transfers() respectively)

Without doing so, it can lead to both the interrupt handler and the
pullup disable routine both writing to the GEVNTCOUNT register, which
will cause an incorrect count being read from future interrupts.

Fixes: ae7e86108b12 ("usb: dwc3: Stop active transfers before halting the controller")
Signed-off-by: Wesley Cheng <wcheng@codeaurora.org>
Link: https://lore.kernel.org/r/1621571037-1424-1-git-send-email-wcheng@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/gadget.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2240,13 +2240,10 @@ static int dwc3_gadget_pullup(struct usb
 	}
 
 	/*
-	 * Synchronize any pending event handling before executing the controller
-	 * halt routine.
+	 * Synchronize and disable any further event handling while controller
+	 * is being enabled/disabled.
 	 */
-	if (!is_on) {
-		dwc3_gadget_disable_irq(dwc);
-		synchronize_irq(dwc->irq_gadget);
-	}
+	disable_irq(dwc->irq_gadget);
 
 	spin_lock_irqsave(&dwc->lock, flags);
 
@@ -2284,6 +2281,8 @@ static int dwc3_gadget_pullup(struct usb
 
 	ret = dwc3_gadget_run_stop(dwc, is_on, false);
 	spin_unlock_irqrestore(&dwc->lock, flags);
+	enable_irq(dwc->irq_gadget);
+
 	pm_runtime_put(dwc->dev);
 
 	return ret;



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 126/173] usb: typec: tcpm: Correct the responses in SVDM Version 2.0 DFP
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 125/173] usb: dwc3: gadget: Disable gadget IRQ during pullup disable Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 127/173] usb: typec: tcpm: Fix misuses of AMS invocation Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Heikki Krogerus, Kyle Tso

From: Kyle Tso <kyletso@google.com>

commit f41bfc7e9c7c1d721c8752f1853cde43e606ad43 upstream.

In USB PD Spec Rev 3.1 Ver 1.0, section "6.12.5 Applicability of
Structured VDM Commands", DFP is allowed and recommended to respond to
Discovery Identity with ACK. And in section "6.4.4.2.5.1 Commands other
than Attention", NAK should be returned only when receiving Messages
with invalid fields, Messages in wrong situation, or unrecognize
Messages.

Still keep the original design for SVDM Version 1.0 for backward
compatibilities.

Fixes: 193a68011fdc ("staging: typec: tcpm: Respond to Discover Identity commands")
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Kyle Tso <kyletso@google.com>
Link: https://lore.kernel.org/r/20210601123151.3441914-2-kyletso@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -1531,19 +1531,25 @@ static int tcpm_pd_svdm(struct tcpm_port
 			if (PD_VDO_VID(p[0]) != USB_SID_PD)
 				break;
 
-			if (PD_VDO_SVDM_VER(p[0]) < svdm_version)
+			if (PD_VDO_SVDM_VER(p[0]) < svdm_version) {
 				typec_partner_set_svdm_version(port->partner,
 							       PD_VDO_SVDM_VER(p[0]));
+				svdm_version = PD_VDO_SVDM_VER(p[0]);
+			}
 
 			tcpm_ams_start(port, DISCOVER_IDENTITY);
-			/* 6.4.4.3.1: Only respond as UFP (device) */
-			if (port->data_role == TYPEC_DEVICE &&
+			/*
+			 * PD2.0 Spec 6.10.3: respond with NAK as DFP (data host)
+			 * PD3.1 Spec 6.4.4.2.5.1: respond with NAK if "invalid field" or
+			 * "wrong configuation" or "Unrecognized"
+			 */
+			if ((port->data_role == TYPEC_DEVICE || svdm_version >= SVDM_VER_2_0) &&
 			    port->nr_snk_vdo) {
 				/*
 				 * Product Type DFP and Connector Type are not defined in SVDM
 				 * version 1.0 and shall be set to zero.
 				 */
-				if (typec_get_negotiated_svdm_version(typec) < SVDM_VER_2_0)
+				if (svdm_version < SVDM_VER_2_0)
 					response[1] = port->snk_vdo[0] & ~IDH_DFP_MASK
 						      & ~IDH_CONN_MASK;
 				else



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 127/173] usb: typec: tcpm: Fix misuses of AMS invocation
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 126/173] usb: typec: tcpm: Correct the responses in SVDM Version 2.0 DFP Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 128/173] usb: typec: mux: Fix copy-paste mistake in typec_mux_match Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kyle Tso

From: Kyle Tso <kyletso@google.com>

commit 80137c18737c30d20ee630e442405236d96898a7 upstream.

tcpm_ams_start is used to initiate an AMS as well as checking Collision
Avoidance conditions but not for flagging passive AMS (initiated by the
port partner). Fix the misuses of tcpm_ams_start in tcpm_pd_svdm.

ATTENTION doesn't need responses so the AMS flag is not needed here.

Fixes: 0bc3ee92880d ("usb: typec: tcpm: Properly interrupt VDM AMS")
Signed-off-by: Kyle Tso <kyletso@google.com>
Link: https://lore.kernel.org/r/20210601123151.3441914-5-kyletso@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -1537,7 +1537,7 @@ static int tcpm_pd_svdm(struct tcpm_port
 				svdm_version = PD_VDO_SVDM_VER(p[0]);
 			}
 
-			tcpm_ams_start(port, DISCOVER_IDENTITY);
+			port->ams = DISCOVER_IDENTITY;
 			/*
 			 * PD2.0 Spec 6.10.3: respond with NAK as DFP (data host)
 			 * PD3.1 Spec 6.4.4.2.5.1: respond with NAK if "invalid field" or
@@ -1560,19 +1560,18 @@ static int tcpm_pd_svdm(struct tcpm_port
 			}
 			break;
 		case CMD_DISCOVER_SVID:
-			tcpm_ams_start(port, DISCOVER_SVIDS);
+			port->ams = DISCOVER_SVIDS;
 			break;
 		case CMD_DISCOVER_MODES:
-			tcpm_ams_start(port, DISCOVER_MODES);
+			port->ams = DISCOVER_MODES;
 			break;
 		case CMD_ENTER_MODE:
-			tcpm_ams_start(port, DFP_TO_UFP_ENTER_MODE);
+			port->ams = DFP_TO_UFP_ENTER_MODE;
 			break;
 		case CMD_EXIT_MODE:
-			tcpm_ams_start(port, DFP_TO_UFP_EXIT_MODE);
+			port->ams = DFP_TO_UFP_EXIT_MODE;
 			break;
 		case CMD_ATTENTION:
-			tcpm_ams_start(port, ATTENTION);
 			/* Attention command does not have response */
 			*adev_action = ADEV_ATTENTION;
 			return 0;



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 128/173] usb: typec: mux: Fix copy-paste mistake in typec_mux_match
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 127/173] usb: typec: tcpm: Fix misuses of AMS invocation Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 129/173] drm/mcde: Fix off by 10^3 in calculation Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Heikki Krogerus, Bjorn Andersson

From: Bjorn Andersson <bjorn.andersson@linaro.org>

commit 142d0b24c1b17139f1aaaacae7542a38aa85640f upstream.

Fix the copy-paste mistake in the return path of typec_mux_match(),
where dev is considered a member of struct typec_switch rather than
struct typec_mux.

The two structs are identical in regards to having the struct device as
the first entry, so this provides no functional change.

Fixes: 3370db35193b ("usb: typec: Registering real device entries for the muxes")
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20210610002132.3088083-1-bjorn.andersson@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/mux.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/typec/mux.c
+++ b/drivers/usb/typec/mux.c
@@ -239,7 +239,7 @@ find_mux:
 	dev = class_find_device(&typec_mux_class, NULL, fwnode,
 				mux_fwnode_match);
 
-	return dev ? to_typec_switch(dev) : ERR_PTR(-EPROBE_DEFER);
+	return dev ? to_typec_mux(dev) : ERR_PTR(-EPROBE_DEFER);
 }
 
 /**



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 129/173] drm/mcde: Fix off by 10^3 in calculation
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 128/173] usb: typec: mux: Fix copy-paste mistake in typec_mux_match Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 130/173] drm/msm/a6xx: fix incorrectly set uavflagprd_inv field for A650 Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ville Syrjälä,
	Stephan Gerhold, Linus Walleij

From: Linus Walleij <linus.walleij@linaro.org>

commit c8a570443943304cac2e4186dbce6989b6c2b8b5 upstream.

The calclulation of how many bytes we stuff into the
DSI pipeline for video mode panels is off by three
orders of magnitude because we did not account for the
fact that the DRM mode clock is in kilohertz rather
than hertz.

This used to be:
drm_mode_vrefresh(mode) * mode->htotal * mode->vtotal
which would become for example for s6e63m0:
60 x 514 x 831 = 25628040 Hz, but mode->clock is
25628 as it is in kHz.

This affects only the Samsung GT-I8190 "Golden" phone
right now since it is the only MCDE device with a video
mode display.

Curiously some specimen work with this code and wild
settings in the EOL and empty packets at the end of the
display, but I have noticed an eeire flicker until now.
Others were not so lucky and got black screens.

Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reported-by: Stephan Gerhold <stephan@gerhold.net>
Fixes: 920dd1b1425b ("drm/mcde: Use mode->clock instead of reverse calculating it from the vrefresh")
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Tested-by: Stephan Gerhold <stephan@gerhold.net>
Reviewed-by: Stephan Gerhold <stephan@gerhold.net>
Link: https://patchwork.freedesktop.org/patch/msgid/20210608213318.3897858-1-linus.walleij@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/mcde/mcde_dsi.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/mcde/mcde_dsi.c
+++ b/drivers/gpu/drm/mcde/mcde_dsi.c
@@ -577,7 +577,7 @@ static void mcde_dsi_setup_video_mode(st
 	 * porches and sync.
 	 */
 	/* (ps/s) / (pixels/s) = ps/pixels */
-	pclk = DIV_ROUND_UP_ULL(1000000000000, mode->clock);
+	pclk = DIV_ROUND_UP_ULL(1000000000000, (mode->clock * 1000));
 	dev_dbg(d->dev, "picoseconds between two pixels: %llu\n",
 		pclk);
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 130/173] drm/msm/a6xx: fix incorrectly set uavflagprd_inv field for A650
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 129/173] drm/mcde: Fix off by 10^3 in calculation Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 131/173] drm/msm/a6xx: update/fix CP_PROTECT initialization Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Marek, Akhil P Oommen, Rob Clark

From: Jonathan Marek <jonathan@marek.ca>

commit b4387eaf3821a4c4241ac3a556e13244eb1fdaa5 upstream.

Value was shifted in the wrong direction, resulting in the field always
being zero, which is incorrect for A650.

Fixes: d0bac4e9cd66 ("drm/msm/a6xx: set ubwc config for A640 and A650")
Signed-off-by: Jonathan Marek <jonathan@marek.ca>
Reviewed-by: Akhil P Oommen <akhilpo@codeaurora.org>
Link: https://lore.kernel.org/r/20210513171431.18632-4-jonathan@marek.ca
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/msm/adreno/a6xx_gpu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
@@ -489,7 +489,7 @@ static void a6xx_set_ubwc_config(struct
 		rgb565_predicator << 11 | amsbc << 4 | lower_bit << 1);
 	gpu_write(gpu, REG_A6XX_TPL1_NC_MODE_CNTL, lower_bit << 1);
 	gpu_write(gpu, REG_A6XX_SP_NC_MODE_CNTL,
-		uavflagprd_inv >> 4 | lower_bit << 1);
+		uavflagprd_inv << 4 | lower_bit << 1);
 	gpu_write(gpu, REG_A6XX_UCHE_MODE_CNTL, lower_bit << 21);
 }
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 131/173] drm/msm/a6xx: update/fix CP_PROTECT initialization
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 130/173] drm/msm/a6xx: fix incorrectly set uavflagprd_inv field for A650 Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 132/173] drm/msm/a6xx: avoid shadow NULL reference in failure path Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Marek, Akhil P Oommen, Rob Clark

From: Jonathan Marek <jonathan@marek.ca>

commit 408434036958699a7f50ddec984f7ba33e11a8f5 upstream.

Update CP_PROTECT register programming based on downstream.

A6XX_PROTECT_RW is renamed to A6XX_PROTECT_NORDWR to make things aligned
and also be more clear about what it does.

Note that this required switching to use the CP_ALWAYS_ON_COUNTER as the
GMU counter is not accessible from the cmdstream.  Which also means
using the CPU counter for the msm_gpu_submit_flush() tracepoint (as
catapult depends on being able to compare this to the start/end values
captured in cmdstream).  This may need to be revisited when IFPC is
enabled.

Also, compared to downstream, this opens up CP_PERFCTR_CP_SEL as the
userspace performance tooling (fdperf and pps-producer) expect to be
able to configure the CP counters.

Fixes: 4b565ca5a2cb ("drm/msm: Add A6XX device support")
Signed-off-by: Jonathan Marek <jonathan@marek.ca>
Reviewed-by: Akhil P Oommen <akhilpo@codeaurora.org>
Link: https://lore.kernel.org/r/20210513171431.18632-5-jonathan@marek.ca
[switch to CP_ALWAYS_ON_COUNTER, open up CP_PERFCNTR_CP_SEL, and spiff
 up commit msg]
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/msm/adreno/a6xx_gpu.c |  151 +++++++++++++++++++++++++---------
 drivers/gpu/drm/msm/adreno/a6xx_gpu.h |    2 
 2 files changed, 113 insertions(+), 40 deletions(-)

--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
@@ -157,7 +157,7 @@ static void a6xx_submit(struct msm_gpu *
 	 * GPU registers so we need to add 0x1a800 to the register value on A630
 	 * to get the right value from PM4.
 	 */
-	get_stats_counter(ring, REG_A6XX_GMU_ALWAYS_ON_COUNTER_L + 0x1a800,
+	get_stats_counter(ring, REG_A6XX_CP_ALWAYS_ON_COUNTER_LO,
 		rbmemptr_stats(ring, index, alwayson_start));
 
 	/* Invalidate CCU depth and color */
@@ -187,7 +187,7 @@ static void a6xx_submit(struct msm_gpu *
 
 	get_stats_counter(ring, REG_A6XX_RBBM_PERFCTR_CP_0_LO,
 		rbmemptr_stats(ring, index, cpcycles_end));
-	get_stats_counter(ring, REG_A6XX_GMU_ALWAYS_ON_COUNTER_L + 0x1a800,
+	get_stats_counter(ring, REG_A6XX_CP_ALWAYS_ON_COUNTER_LO,
 		rbmemptr_stats(ring, index, alwayson_end));
 
 	/* Write the fence to the scratch register */
@@ -206,8 +206,8 @@ static void a6xx_submit(struct msm_gpu *
 	OUT_RING(ring, submit->seqno);
 
 	trace_msm_gpu_submit_flush(submit,
-		gmu_read64(&a6xx_gpu->gmu, REG_A6XX_GMU_ALWAYS_ON_COUNTER_L,
-			REG_A6XX_GMU_ALWAYS_ON_COUNTER_H));
+		gpu_read64(gpu, REG_A6XX_CP_ALWAYS_ON_COUNTER_LO,
+			REG_A6XX_CP_ALWAYS_ON_COUNTER_HI));
 
 	a6xx_flush(gpu, ring);
 }
@@ -462,6 +462,113 @@ static void a6xx_set_hwcg(struct msm_gpu
 	gpu_write(gpu, REG_A6XX_RBBM_CLOCK_CNTL, state ? clock_cntl_on : 0);
 }
 
+/* For a615, a616, a618, A619, a630, a640 and a680 */
+static const u32 a6xx_protect[] = {
+	A6XX_PROTECT_RDONLY(0x00000, 0x04ff),
+	A6XX_PROTECT_RDONLY(0x00501, 0x0005),
+	A6XX_PROTECT_RDONLY(0x0050b, 0x02f4),
+	A6XX_PROTECT_NORDWR(0x0050e, 0x0000),
+	A6XX_PROTECT_NORDWR(0x00510, 0x0000),
+	A6XX_PROTECT_NORDWR(0x00534, 0x0000),
+	A6XX_PROTECT_NORDWR(0x00800, 0x0082),
+	A6XX_PROTECT_NORDWR(0x008a0, 0x0008),
+	A6XX_PROTECT_NORDWR(0x008ab, 0x0024),
+	A6XX_PROTECT_RDONLY(0x008de, 0x00ae),
+	A6XX_PROTECT_NORDWR(0x00900, 0x004d),
+	A6XX_PROTECT_NORDWR(0x0098d, 0x0272),
+	A6XX_PROTECT_NORDWR(0x00e00, 0x0001),
+	A6XX_PROTECT_NORDWR(0x00e03, 0x000c),
+	A6XX_PROTECT_NORDWR(0x03c00, 0x00c3),
+	A6XX_PROTECT_RDONLY(0x03cc4, 0x1fff),
+	A6XX_PROTECT_NORDWR(0x08630, 0x01cf),
+	A6XX_PROTECT_NORDWR(0x08e00, 0x0000),
+	A6XX_PROTECT_NORDWR(0x08e08, 0x0000),
+	A6XX_PROTECT_NORDWR(0x08e50, 0x001f),
+	A6XX_PROTECT_NORDWR(0x09624, 0x01db),
+	A6XX_PROTECT_NORDWR(0x09e70, 0x0001),
+	A6XX_PROTECT_NORDWR(0x09e78, 0x0187),
+	A6XX_PROTECT_NORDWR(0x0a630, 0x01cf),
+	A6XX_PROTECT_NORDWR(0x0ae02, 0x0000),
+	A6XX_PROTECT_NORDWR(0x0ae50, 0x032f),
+	A6XX_PROTECT_NORDWR(0x0b604, 0x0000),
+	A6XX_PROTECT_NORDWR(0x0be02, 0x0001),
+	A6XX_PROTECT_NORDWR(0x0be20, 0x17df),
+	A6XX_PROTECT_NORDWR(0x0f000, 0x0bff),
+	A6XX_PROTECT_RDONLY(0x0fc00, 0x1fff),
+	A6XX_PROTECT_NORDWR(0x11c00, 0x0000), /* note: infinite range */
+};
+
+/* These are for a620 and a650 */
+static const u32 a650_protect[] = {
+	A6XX_PROTECT_RDONLY(0x00000, 0x04ff),
+	A6XX_PROTECT_RDONLY(0x00501, 0x0005),
+	A6XX_PROTECT_RDONLY(0x0050b, 0x02f4),
+	A6XX_PROTECT_NORDWR(0x0050e, 0x0000),
+	A6XX_PROTECT_NORDWR(0x00510, 0x0000),
+	A6XX_PROTECT_NORDWR(0x00534, 0x0000),
+	A6XX_PROTECT_NORDWR(0x00800, 0x0082),
+	A6XX_PROTECT_NORDWR(0x008a0, 0x0008),
+	A6XX_PROTECT_NORDWR(0x008ab, 0x0024),
+	A6XX_PROTECT_RDONLY(0x008de, 0x00ae),
+	A6XX_PROTECT_NORDWR(0x00900, 0x004d),
+	A6XX_PROTECT_NORDWR(0x0098d, 0x0272),
+	A6XX_PROTECT_NORDWR(0x00e00, 0x0001),
+	A6XX_PROTECT_NORDWR(0x00e03, 0x000c),
+	A6XX_PROTECT_NORDWR(0x03c00, 0x00c3),
+	A6XX_PROTECT_RDONLY(0x03cc4, 0x1fff),
+	A6XX_PROTECT_NORDWR(0x08630, 0x01cf),
+	A6XX_PROTECT_NORDWR(0x08e00, 0x0000),
+	A6XX_PROTECT_NORDWR(0x08e08, 0x0000),
+	A6XX_PROTECT_NORDWR(0x08e50, 0x001f),
+	A6XX_PROTECT_NORDWR(0x08e80, 0x027f),
+	A6XX_PROTECT_NORDWR(0x09624, 0x01db),
+	A6XX_PROTECT_NORDWR(0x09e60, 0x0011),
+	A6XX_PROTECT_NORDWR(0x09e78, 0x0187),
+	A6XX_PROTECT_NORDWR(0x0a630, 0x01cf),
+	A6XX_PROTECT_NORDWR(0x0ae02, 0x0000),
+	A6XX_PROTECT_NORDWR(0x0ae50, 0x032f),
+	A6XX_PROTECT_NORDWR(0x0b604, 0x0000),
+	A6XX_PROTECT_NORDWR(0x0b608, 0x0007),
+	A6XX_PROTECT_NORDWR(0x0be02, 0x0001),
+	A6XX_PROTECT_NORDWR(0x0be20, 0x17df),
+	A6XX_PROTECT_NORDWR(0x0f000, 0x0bff),
+	A6XX_PROTECT_RDONLY(0x0fc00, 0x1fff),
+	A6XX_PROTECT_NORDWR(0x18400, 0x1fff),
+	A6XX_PROTECT_NORDWR(0x1a800, 0x1fff),
+	A6XX_PROTECT_NORDWR(0x1f400, 0x0443),
+	A6XX_PROTECT_RDONLY(0x1f844, 0x007b),
+	A6XX_PROTECT_NORDWR(0x1f887, 0x001b),
+	A6XX_PROTECT_NORDWR(0x1f8c0, 0x0000), /* note: infinite range */
+};
+
+static void a6xx_set_cp_protect(struct msm_gpu *gpu)
+{
+	struct adreno_gpu *adreno_gpu = to_adreno_gpu(gpu);
+	const u32 *regs = a6xx_protect;
+	unsigned i, count = ARRAY_SIZE(a6xx_protect), count_max = 32;
+
+	BUILD_BUG_ON(ARRAY_SIZE(a6xx_protect) > 32);
+	BUILD_BUG_ON(ARRAY_SIZE(a650_protect) > 48);
+
+	if (adreno_is_a650(adreno_gpu)) {
+		regs = a650_protect;
+		count = ARRAY_SIZE(a650_protect);
+		count_max = 48;
+	}
+
+	/*
+	 * Enable access protection to privileged registers, fault on an access
+	 * protect violation and select the last span to protect from the start
+	 * address all the way to the end of the register address space
+	 */
+	gpu_write(gpu, REG_A6XX_CP_PROTECT_CNTL, BIT(0) | BIT(1) | BIT(3));
+
+	for (i = 0; i < count - 1; i++)
+		gpu_write(gpu, REG_A6XX_CP_PROTECT(i), regs[i]);
+	/* last CP_PROTECT to have "infinite" length on the last entry */
+	gpu_write(gpu, REG_A6XX_CP_PROTECT(count_max - 1), regs[i]);
+}
+
 static void a6xx_set_ubwc_config(struct msm_gpu *gpu)
 {
 	struct adreno_gpu *adreno_gpu = to_adreno_gpu(gpu);
@@ -776,41 +883,7 @@ static int a6xx_hw_init(struct msm_gpu *
 	}
 
 	/* Protect registers from the CP */
-	gpu_write(gpu, REG_A6XX_CP_PROTECT_CNTL, 0x00000003);
-
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(0),
-		A6XX_PROTECT_RDONLY(0x600, 0x51));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(1), A6XX_PROTECT_RW(0xae50, 0x2));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(2), A6XX_PROTECT_RW(0x9624, 0x13));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(3), A6XX_PROTECT_RW(0x8630, 0x8));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(4), A6XX_PROTECT_RW(0x9e70, 0x1));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(5), A6XX_PROTECT_RW(0x9e78, 0x187));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(6), A6XX_PROTECT_RW(0xf000, 0x810));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(7),
-		A6XX_PROTECT_RDONLY(0xfc00, 0x3));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(8), A6XX_PROTECT_RW(0x50e, 0x0));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(9), A6XX_PROTECT_RDONLY(0x50f, 0x0));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(10), A6XX_PROTECT_RW(0x510, 0x0));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(11),
-		A6XX_PROTECT_RDONLY(0x0, 0x4f9));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(12),
-		A6XX_PROTECT_RDONLY(0x501, 0xa));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(13),
-		A6XX_PROTECT_RDONLY(0x511, 0x44));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(14), A6XX_PROTECT_RW(0xe00, 0xe));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(15), A6XX_PROTECT_RW(0x8e00, 0x0));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(16), A6XX_PROTECT_RW(0x8e50, 0xf));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(17), A6XX_PROTECT_RW(0xbe02, 0x0));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(18),
-		A6XX_PROTECT_RW(0xbe20, 0x11f3));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(19), A6XX_PROTECT_RW(0x800, 0x82));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(20), A6XX_PROTECT_RW(0x8a0, 0x8));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(21), A6XX_PROTECT_RW(0x8ab, 0x19));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(22), A6XX_PROTECT_RW(0x900, 0x4d));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(23), A6XX_PROTECT_RW(0x98d, 0x76));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(24),
-			A6XX_PROTECT_RDONLY(0x980, 0x4));
-	gpu_write(gpu, REG_A6XX_CP_PROTECT(25), A6XX_PROTECT_RW(0xa630, 0x0));
+	a6xx_set_cp_protect(gpu);
 
 	/* Enable expanded apriv for targets that support it */
 	if (gpu->hw_apriv) {
--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.h
+++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.h
@@ -44,7 +44,7 @@ struct a6xx_gpu {
  * REG_CP_PROTECT_REG(n) - this will block both reads and writes for _len
  * registers starting at _reg.
  */
-#define A6XX_PROTECT_RW(_reg, _len) \
+#define A6XX_PROTECT_NORDWR(_reg, _len) \
 	((1 << 31) | \
 	(((_len) & 0x3FFF) << 18) | ((_reg) & 0x3FFFF))
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 132/173] drm/msm/a6xx: avoid shadow NULL reference in failure path
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 131/173] drm/msm/a6xx: update/fix CP_PROTECT initialization Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 133/173] hwmon: (corsair-psu) fix suspend behavior Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Marek, Akhil P Oommen, Rob Clark

From: Jonathan Marek <jonathan@marek.ca>

commit ce86c239e4d218ae6040bec18e6d19a58edb8b7c upstream.

If a6xx_hw_init() fails before creating the shadow_bo, the a6xx_pm_suspend
code referencing it will crash. Change the condition to one that avoids
this problem (note: creation of shadow_bo is behind this same condition)

Fixes: e8b0b994c3a5 ("drm/msm/a6xx: Clear shadow on suspend")
Signed-off-by: Jonathan Marek <jonathan@marek.ca>
Reviewed-by: Akhil P Oommen <akhilpo@codeaurora.org>
Link: https://lore.kernel.org/r/20210513171431.18632-6-jonathan@marek.ca
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/msm/adreno/a6xx_gpu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
@@ -1284,7 +1284,7 @@ static int a6xx_pm_suspend(struct msm_gp
 	if (ret)
 		return ret;
 
-	if (adreno_gpu->base.hw_apriv || a6xx_gpu->has_whereami)
+	if (a6xx_gpu->shadow_bo)
 		for (i = 0; i < gpu->nr_rings; i++)
 			a6xx_gpu->shadow[i] = 0;
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 133/173] hwmon: (corsair-psu) fix suspend behavior
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 132/173] drm/msm/a6xx: avoid shadow NULL reference in failure path Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 134/173] hwmon: (tps23861) define regmap max register Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wilken Gottwalt, Guenter Roeck

From: Wilken Gottwalt <wilken.gottwalt@posteo.net>

commit 7656cd2177612aa7c299b083ecff30a4d3e9a587 upstream.

During standby some PSUs turn off the microcontroller. A re-init is
required during resume or the microcontroller stays unresponsive.

Fixes: d115b51e0e56 ("hwmon: add Corsair PSU HID controller driver")
Signed-off-by: Wilken Gottwalt <wilken.gottwalt@posteo.net>
Link: https://lore.kernel.org/r/YLjCJiVtu5zgTabI@monster.powergraphx.local
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/corsair-psu.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/hwmon/corsair-psu.c
+++ b/drivers/hwmon/corsair-psu.c
@@ -570,6 +570,16 @@ static int corsairpsu_raw_event(struct h
 	return 0;
 }
 
+#ifdef CONFIG_PM
+static int corsairpsu_resume(struct hid_device *hdev)
+{
+	struct corsairpsu_data *priv = hid_get_drvdata(hdev);
+
+	/* some PSUs turn off the microcontroller during standby, so a reinit is required */
+	return corsairpsu_init(priv);
+}
+#endif
+
 static const struct hid_device_id corsairpsu_idtable[] = {
 	{ HID_USB_DEVICE(0x1b1c, 0x1c03) }, /* Corsair HX550i */
 	{ HID_USB_DEVICE(0x1b1c, 0x1c04) }, /* Corsair HX650i */
@@ -592,6 +602,10 @@ static struct hid_driver corsairpsu_driv
 	.probe		= corsairpsu_probe,
 	.remove		= corsairpsu_remove,
 	.raw_event	= corsairpsu_raw_event,
+#ifdef CONFIG_PM
+	.resume		= corsairpsu_resume,
+	.reset_resume	= corsairpsu_resume,
+#endif
 };
 module_hid_driver(corsairpsu_driver);
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 134/173] hwmon: (tps23861) define regmap max register
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 133/173] hwmon: (corsair-psu) fix suspend behavior Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 135/173] hwmon: (tps23861) set current shunt value Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Robert Marko, Guenter Roeck

From: Robert Marko <robert.marko@sartura.hr>

commit fb8543fb863e89baa433b4d716d73395caa1b7f4 upstream.

Define the max register address the device supports.
This allows reading the whole register space via
regmap debugfs, without it only register 0x0 is visible.

This was forgotten in the original driver commit.

Fixes: fff7b8ab2255 ("hwmon: add Texas Instruments TPS23861 driver")
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Link: https://lore.kernel.org/r/20210609220728.499879-1-robert.marko@sartura.hr
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/tps23861.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/hwmon/tps23861.c
+++ b/drivers/hwmon/tps23861.c
@@ -117,6 +117,7 @@ struct tps23861_data {
 static struct regmap_config tps23861_regmap_config = {
 	.reg_bits = 8,
 	.val_bits = 8,
+	.max_register = 0x6f,
 };
 
 static int tps23861_read_temp(struct tps23861_data *data, long *val)



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 135/173] hwmon: (tps23861) set current shunt value
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 134/173] hwmon: (tps23861) define regmap max register Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 136/173] hwmon: (tps23861) correct shunt LSB values Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Robert Marko, Guenter Roeck

From: Robert Marko <robert.marko@sartura.hr>

commit b325d3526e14942d42c392c2ac9fbea59c22894c upstream.

TPS23861 has a configuration bit for setting of the
current shunt value used on the board.
Its bit 0 of the General Mask 1 register.

According to the datasheet bit values are:
0 for 255 mOhm (Default)
1 for 250 mOhm

So, configure the bit before registering the hwmon
device according to the value passed in the DTS or
default one if none is passed.

This caused potentially reading slightly skewed values
due to max current value being 1.02A when 250mOhm shunt
is used instead of 1.0A when 255mOhm is used.

Fixes: fff7b8ab2255 ("hwmon: add Texas Instruments TPS23861 driver")
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Link: https://lore.kernel.org/r/20210609220728.499879-2-robert.marko@sartura.hr
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/tps23861.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/drivers/hwmon/tps23861.c
+++ b/drivers/hwmon/tps23861.c
@@ -99,6 +99,9 @@
 #define POWER_ENABLE			0x19
 #define TPS23861_NUM_PORTS		4
 
+#define TPS23861_GENERAL_MASK_1		0x17
+#define TPS23861_CURRENT_SHUNT_MASK	BIT(0)
+
 #define TEMPERATURE_LSB			652 /* 0.652 degrees Celsius */
 #define VOLTAGE_LSB			3662 /* 3.662 mV */
 #define SHUNT_RESISTOR_DEFAULT		255000 /* 255 mOhm */
@@ -561,6 +564,15 @@ static int tps23861_probe(struct i2c_cli
 	else
 		data->shunt_resistor = SHUNT_RESISTOR_DEFAULT;
 
+	if (data->shunt_resistor == SHUNT_RESISTOR_DEFAULT)
+		regmap_clear_bits(data->regmap,
+				  TPS23861_GENERAL_MASK_1,
+				  TPS23861_CURRENT_SHUNT_MASK);
+	else
+		regmap_set_bits(data->regmap,
+				TPS23861_GENERAL_MASK_1,
+				TPS23861_CURRENT_SHUNT_MASK);
+
 	hwmon_dev = devm_hwmon_device_register_with_info(dev, client->name,
 							 data, &tps23861_chip_info,
 							 NULL);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 136/173] hwmon: (tps23861) correct shunt LSB values
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 135/173] hwmon: (tps23861) set current shunt value Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 137/173] RDMA/ipoib: Fix warning caused by destroying non-initial netns Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Robert Marko, Guenter Roeck

From: Robert Marko <robert.marko@sartura.hr>

commit e13d1127241404f1c3eb1379ac4dd100eaf385b4 upstream.

Current shunt LSB values got reversed during in the
original driver commit.

So, correct the current shunt LSB values according to
the datasheet.

This caused reading slightly skewed current values.

Fixes: fff7b8ab2255 ("hwmon: add Texas Instruments TPS23861 driver")
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Link: https://lore.kernel.org/r/20210609220728.499879-3-robert.marko@sartura.hr
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/tps23861.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/hwmon/tps23861.c
+++ b/drivers/hwmon/tps23861.c
@@ -105,8 +105,8 @@
 #define TEMPERATURE_LSB			652 /* 0.652 degrees Celsius */
 #define VOLTAGE_LSB			3662 /* 3.662 mV */
 #define SHUNT_RESISTOR_DEFAULT		255000 /* 255 mOhm */
-#define CURRENT_LSB_255			62260 /* 62.260 uA */
-#define CURRENT_LSB_250			61039 /* 61.039 uA */
+#define CURRENT_LSB_250			62260 /* 62.260 uA */
+#define CURRENT_LSB_255			61039 /* 61.039 uA */
 #define RESISTANCE_LSB			110966 /* 11.0966 Ohm*/
 #define RESISTANCE_LSB_LOW		157216 /* 15.7216 Ohm*/
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 137/173] RDMA/ipoib: Fix warning caused by destroying non-initial netns
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 136/173] hwmon: (tps23861) correct shunt LSB values Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 138/173] RDMA/mlx5: Use different doorbell memory for different processes Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kamal Heib, Leon Romanovsky, Jason Gunthorpe

From: Kamal Heib <kamalheib1@gmail.com>

commit a3e74fb9247cd530dca246699d5eb5a691884d32 upstream.

After the commit 5ce2dced8e95 ("RDMA/ipoib: Set rtnl_link_ops for ipoib
interfaces"), if the IPoIB device is moved to non-initial netns,
destroying that netns lets the device vanish instead of moving it back to
the initial netns, This is happening because default_device_exit() skips
the interfaces due to having rtnl_link_ops set.

Steps to reporoduce:
  ip netns add foo
  ip link set mlx5_ib0 netns foo
  ip netns delete foo

WARNING: CPU: 1 PID: 704 at net/core/dev.c:11435 netdev_exit+0x3f/0x50
Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT
nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack
nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink tun d
 fuse
CPU: 1 PID: 704 Comm: kworker/u64:3 Tainted: G S      W  5.13.0-rc1+ #1
Hardware name: Dell Inc. PowerEdge R630/02C2CP, BIOS 2.1.5 04/11/2016
Workqueue: netns cleanup_net
RIP: 0010:netdev_exit+0x3f/0x50
Code: 48 8b bb 30 01 00 00 e8 ef 81 b1 ff 48 81 fb c0 3a 54 a1 74 13 48
8b 83 90 00 00 00 48 81 c3 90 00 00 00 48 39 d8 75 02 5b c3 <0f> 0b 5b
c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 1f 44 00
RSP: 0018:ffffb297079d7e08 EFLAGS: 00010206
RAX: ffff8eb542c00040 RBX: ffff8eb541333150 RCX: 000000008010000d
RDX: 000000008010000e RSI: 000000008010000d RDI: ffff8eb440042c00
RBP: ffffb297079d7e48 R08: 0000000000000001 R09: ffffffff9fdeac00
R10: ffff8eb5003be000 R11: 0000000000000001 R12: ffffffffa1545620
R13: ffffffffa1545628 R14: 0000000000000000 R15: ffffffffa1543b20
FS:  0000000000000000(0000) GS:ffff8ed37fa00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005601b5f4c2e8 CR3: 0000001fc8c10002 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ops_exit_list.isra.9+0x36/0x70
 cleanup_net+0x234/0x390
 process_one_work+0x1cb/0x360
 ? process_one_work+0x360/0x360
 worker_thread+0x30/0x370
 ? process_one_work+0x360/0x360
 kthread+0x116/0x130
 ? kthread_park+0x80/0x80
 ret_from_fork+0x22/0x30

To avoid the above warning and later on the kernel panic that could happen
on shutdown due to a NULL pointer dereference, make sure to set the
netns_refund flag that was introduced by commit 3a5ca857079e ("can: dev:
Move device back to init netns on owning netns delete") to properly
restore the IPoIB interfaces to the initial netns.

Fixes: 5ce2dced8e95 ("RDMA/ipoib: Set rtnl_link_ops for ipoib interfaces")
Link: https://lore.kernel.org/r/20210525150134.139342-1-kamalheib1@gmail.com
Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/ulp/ipoib/ipoib_netlink.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
@@ -163,6 +163,7 @@ static size_t ipoib_get_size(const struc
 
 static struct rtnl_link_ops ipoib_link_ops __read_mostly = {
 	.kind		= "ipoib",
+	.netns_refund   = true,
 	.maxtype	= IFLA_IPOIB_MAX,
 	.policy		= ipoib_policy,
 	.priv_size	= sizeof(struct ipoib_dev_priv),



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 138/173] RDMA/mlx5: Use different doorbell memory for different processes
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 137/173] RDMA/ipoib: Fix warning caused by destroying non-initial netns Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 139/173] RDMA/mlx4: Do not map the core_clock page to user space unless enabled Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason Gunthorpe, Mark Zhang, Leon Romanovsky

From: Mark Zhang <markzhang@nvidia.com>

commit a0ffb4c12f7fa89163e228e6f27df09b46631db1 upstream.

In a fork scenario, the parent and child can have same virtual address and
also share the uverbs fd.  That causes to the list_for_each_entry search
return same doorbell physical page for all processes, even though that
page has been COW' or copied.

This patch takes the mm_struct into consideration during search, to make
sure that VA's belonging to different processes are not intermixed.

Resolves the malfunction of uverbs after fork in some specific cases.

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Link: https://lore.kernel.org/r/feacc23fe0bc6e1088c6824d5583798745e72405.1622726212.git.leonro@nvidia.com
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Mark Zhang <markzhang@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx5/doorbell.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx5/doorbell.c
+++ b/drivers/infiniband/hw/mlx5/doorbell.c
@@ -41,6 +41,7 @@ struct mlx5_ib_user_db_page {
 	struct ib_umem	       *umem;
 	unsigned long		user_virt;
 	int			refcnt;
+	struct mm_struct	*mm;
 };
 
 int mlx5_ib_db_map_user(struct mlx5_ib_ucontext *context,
@@ -53,7 +54,8 @@ int mlx5_ib_db_map_user(struct mlx5_ib_u
 	mutex_lock(&context->db_page_mutex);
 
 	list_for_each_entry(page, &context->db_page_list, list)
-		if (page->user_virt == (virt & PAGE_MASK))
+		if ((current->mm == page->mm) &&
+		    (page->user_virt == (virt & PAGE_MASK)))
 			goto found;
 
 	page = kmalloc(sizeof(*page), GFP_KERNEL);
@@ -71,6 +73,8 @@ int mlx5_ib_db_map_user(struct mlx5_ib_u
 		kfree(page);
 		goto out;
 	}
+	mmgrab(current->mm);
+	page->mm = current->mm;
 
 	list_add(&page->list, &context->db_page_list);
 
@@ -91,6 +95,7 @@ void mlx5_ib_db_unmap_user(struct mlx5_i
 
 	if (!--db->u.user_page->refcnt) {
 		list_del(&db->u.user_page->list);
+		mmdrop(db->u.user_page->mm);
 		ib_umem_release(db->u.user_page->umem);
 		kfree(db->u.user_page);
 	}



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 139/173] RDMA/mlx4: Do not map the core_clock page to user space unless enabled
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 138/173] RDMA/mlx5: Use different doorbell memory for different processes Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 140/173] RDMA/mlx5: Block FDB rules when not in switchdev mode Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shay Drory, Leon Romanovsky, Jason Gunthorpe

From: Shay Drory <shayd@nvidia.com>

commit 404e5a12691fe797486475fe28cc0b80cb8bef2c upstream.

Currently when mlx4 maps the hca_core_clock page to the user space there
are read-modifiable registers, one of which is semaphore, on this page as
well as the clock counter. If user reads the wrong offset, it can modify
the semaphore and hang the device.

Do not map the hca_core_clock page to the user space unless the device has
been put in a backwards compatibility mode to support this feature.

After this patch, mlx4 core_clock won't be mapped to user space on the
majority of existing devices and the uverbs device time feature in
ibv_query_rt_values_ex() will be disabled.

Fixes: 52033cfb5aab ("IB/mlx4: Add mmap call to map the hardware clock")
Link: https://lore.kernel.org/r/9632304e0d6790af84b3b706d8c18732bc0d5e27.1622726305.git.leonro@nvidia.com
Signed-off-by: Shay Drory <shayd@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx4/main.c         |    5 +----
 drivers/net/ethernet/mellanox/mlx4/fw.c   |    3 +++
 drivers/net/ethernet/mellanox/mlx4/fw.h   |    1 +
 drivers/net/ethernet/mellanox/mlx4/main.c |    6 ++++++
 include/linux/mlx4/device.h               |    1 +
 5 files changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -580,12 +580,9 @@ static int mlx4_ib_query_device(struct i
 	props->cq_caps.max_cq_moderation_count = MLX4_MAX_CQ_COUNT;
 	props->cq_caps.max_cq_moderation_period = MLX4_MAX_CQ_PERIOD;
 
-	if (!mlx4_is_slave(dev->dev))
-		err = mlx4_get_internal_clock_params(dev->dev, &clock_params);
-
 	if (uhw->outlen >= resp.response_length + sizeof(resp.hca_core_clock_offset)) {
 		resp.response_length += sizeof(resp.hca_core_clock_offset);
-		if (!err && !mlx4_is_slave(dev->dev)) {
+		if (!mlx4_get_internal_clock_params(dev->dev, &clock_params)) {
 			resp.comp_mask |= MLX4_IB_QUERY_DEV_RESP_MASK_CORE_CLOCK_OFFSET;
 			resp.hca_core_clock_offset = clock_params.offset % PAGE_SIZE;
 		}
--- a/drivers/net/ethernet/mellanox/mlx4/fw.c
+++ b/drivers/net/ethernet/mellanox/mlx4/fw.c
@@ -823,6 +823,7 @@ int mlx4_QUERY_DEV_CAP(struct mlx4_dev *
 #define QUERY_DEV_CAP_MAD_DEMUX_OFFSET		0xb0
 #define QUERY_DEV_CAP_DMFS_HIGH_RATE_QPN_BASE_OFFSET	0xa8
 #define QUERY_DEV_CAP_DMFS_HIGH_RATE_QPN_RANGE_OFFSET	0xac
+#define QUERY_DEV_CAP_MAP_CLOCK_TO_USER 0xc1
 #define QUERY_DEV_CAP_QP_RATE_LIMIT_NUM_OFFSET	0xcc
 #define QUERY_DEV_CAP_QP_RATE_LIMIT_MAX_OFFSET	0xd0
 #define QUERY_DEV_CAP_QP_RATE_LIMIT_MIN_OFFSET	0xd2
@@ -841,6 +842,8 @@ int mlx4_QUERY_DEV_CAP(struct mlx4_dev *
 
 	if (mlx4_is_mfunc(dev))
 		disable_unsupported_roce_caps(outbox);
+	MLX4_GET(field, outbox, QUERY_DEV_CAP_MAP_CLOCK_TO_USER);
+	dev_cap->map_clock_to_user = field & 0x80;
 	MLX4_GET(field, outbox, QUERY_DEV_CAP_RSVD_QP_OFFSET);
 	dev_cap->reserved_qps = 1 << (field & 0xf);
 	MLX4_GET(field, outbox, QUERY_DEV_CAP_MAX_QP_OFFSET);
--- a/drivers/net/ethernet/mellanox/mlx4/fw.h
+++ b/drivers/net/ethernet/mellanox/mlx4/fw.h
@@ -131,6 +131,7 @@ struct mlx4_dev_cap {
 	u32 health_buffer_addrs;
 	struct mlx4_port_cap port_cap[MLX4_MAX_PORTS + 1];
 	bool wol_port[MLX4_MAX_PORTS + 1];
+	bool map_clock_to_user;
 };
 
 struct mlx4_func_cap {
--- a/drivers/net/ethernet/mellanox/mlx4/main.c
+++ b/drivers/net/ethernet/mellanox/mlx4/main.c
@@ -498,6 +498,7 @@ static int mlx4_dev_cap(struct mlx4_dev
 		}
 	}
 
+	dev->caps.map_clock_to_user  = dev_cap->map_clock_to_user;
 	dev->caps.uar_page_size	     = PAGE_SIZE;
 	dev->caps.num_uars	     = dev_cap->uar_size / PAGE_SIZE;
 	dev->caps.local_ca_ack_delay = dev_cap->local_ca_ack_delay;
@@ -1948,6 +1949,11 @@ int mlx4_get_internal_clock_params(struc
 	if (mlx4_is_slave(dev))
 		return -EOPNOTSUPP;
 
+	if (!dev->caps.map_clock_to_user) {
+		mlx4_dbg(dev, "Map clock to user is not supported.\n");
+		return -EOPNOTSUPP;
+	}
+
 	if (!params)
 		return -EINVAL;
 
--- a/include/linux/mlx4/device.h
+++ b/include/linux/mlx4/device.h
@@ -630,6 +630,7 @@ struct mlx4_caps {
 	bool			wol_port[MLX4_MAX_PORTS + 1];
 	struct mlx4_rate_limit_caps rl_caps;
 	u32			health_buffer_addrs;
+	bool			map_clock_to_user;
 };
 
 struct mlx4_buf_list {



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 140/173] RDMA/mlx5: Block FDB rules when not in switchdev mode
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 139/173] RDMA/mlx4: Do not map the core_clock page to user space unless enabled Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 141/173] RDMA: Verify port when creating flow rule Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maor Gottlieb, Mark Bloch,
	Leon Romanovsky, Jason Gunthorpe

From: Mark Bloch <mbloch@nvidia.com>

commit edc0b0bccc9c80d9a44d3002dcca94984b25e7cf upstream.

Allow creating FDB steering rules only when in switchdev mode.

The only software model where a userspace application can manipulate
FDB entries is when it manages the eswitch. This is only possible in
switchdev mode where we expose a single RDMA device with representors
for all the vports that are connected to the eswitch.

Fixes: 52438be44112 ("RDMA/mlx5: Allow inserting a steering rule to the FDB")
Link: https://lore.kernel.org/r/e928ae7c58d07f104716a2a8d730963d1bd01204.1623052923.git.leonro@nvidia.com
Reviewed-by: Maor Gottlieb <maorg@nvidia.com>
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx5/fs.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/infiniband/hw/mlx5/fs.c
+++ b/drivers/infiniband/hw/mlx5/fs.c
@@ -2134,6 +2134,12 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD
 	if (err)
 		goto end;
 
+	if (obj->ns_type == MLX5_FLOW_NAMESPACE_FDB &&
+	    mlx5_eswitch_mode(dev->mdev) != MLX5_ESWITCH_OFFLOADS) {
+		err = -EINVAL;
+		goto end;
+	}
+
 	uobj->object = obj;
 	obj->mdev = dev->mdev;
 	atomic_set(&obj->usecnt, 0);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 141/173] RDMA: Verify port when creating flow rule
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 140/173] RDMA/mlx5: Block FDB rules when not in switchdev mode Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 142/173] ARM: cpuidle: Avoid orphan section warning Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Bloch, Maor Gottlieb,
	Leon Romanovsky, Jason Gunthorpe

From: Maor Gottlieb <maorg@nvidia.com>

commit 2adcb4c5a52a2623cd2b43efa7041e74d19f3a5e upstream.

Validate port value provided by the user and with that remove no longer
needed validation by the driver.  The missing check in the mlx5_ib driver
could cause to the below oops.

Call trace:
  _create_flow_rule+0x2d4/0xf28 [mlx5_ib]
  mlx5_ib_create_flow+0x2d0/0x5b0 [mlx5_ib]
  ib_uverbs_ex_create_flow+0x4cc/0x624 [ib_uverbs]
  ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xd4/0x150 [ib_uverbs]
  ib_uverbs_cmd_verbs.isra.7+0xb28/0xc50 [ib_uverbs]
  ib_uverbs_ioctl+0x158/0x1d0 [ib_uverbs]
  do_vfs_ioctl+0xd0/0xaf0
  ksys_ioctl+0x84/0xb4
  __arm64_sys_ioctl+0x28/0xc4
  el0_svc_common.constprop.3+0xa4/0x254
  el0_svc_handler+0x84/0xa0
  el0_svc+0x10/0x26c
 Code: b9401260 f9615681 51000400 8b001c20 (f9403c1a)

Fixes: 436f2ad05a0b ("IB/core: Export ib_create/destroy_flow through uverbs")
Link: https://lore.kernel.org/r/faad30dc5219a01727f47db3dc2f029d07c82c00.1623309971.git.leonro@nvidia.com
Reviewed-by: Mark Bloch <markb@mellanox.com>
Signed-off-by: Maor Gottlieb <maorg@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/core/uverbs_cmd.c |    5 +++++
 drivers/infiniband/hw/mlx4/main.c    |    3 ---
 drivers/infiniband/hw/mlx5/fs.c      |    5 ++---
 3 files changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -3247,6 +3247,11 @@ static int ib_uverbs_ex_create_flow(stru
 		goto err_free_attr;
 	}
 
+	if (!rdma_is_port_valid(uobj->context->device, cmd.flow_attr.port)) {
+		err = -EINVAL;
+		goto err_uobj;
+	}
+
 	qp = uobj_get_obj_read(qp, UVERBS_OBJECT_QP, cmd.qp_handle, attrs);
 	if (!qp) {
 		err = -EINVAL;
--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -1696,9 +1696,6 @@ static struct ib_flow *mlx4_ib_create_fl
 	struct mlx4_dev *dev = (to_mdev(qp->device))->dev;
 	int is_bonded = mlx4_is_bonded(dev);
 
-	if (!rdma_is_port_valid(qp->device, flow_attr->port))
-		return ERR_PTR(-EINVAL);
-
 	if (flow_attr->flags & ~IB_FLOW_ATTR_FLAGS_DONT_TRAP)
 		return ERR_PTR(-EOPNOTSUPP);
 
--- a/drivers/infiniband/hw/mlx5/fs.c
+++ b/drivers/infiniband/hw/mlx5/fs.c
@@ -1194,9 +1194,8 @@ static struct ib_flow *mlx5_ib_create_fl
 		goto free_ucmd;
 	}
 
-	if (flow_attr->port > dev->num_ports ||
-	    (flow_attr->flags &
-	     ~(IB_FLOW_ATTR_FLAGS_DONT_TRAP | IB_FLOW_ATTR_FLAGS_EGRESS))) {
+	if (flow_attr->flags &
+	    ~(IB_FLOW_ATTR_FLAGS_DONT_TRAP | IB_FLOW_ATTR_FLAGS_EGRESS)) {
 		err = -EINVAL;
 		goto free_ucmd;
 	}



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 142/173] ARM: cpuidle: Avoid orphan section warning
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 141/173] RDMA: Verify port when creating flow rule Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 143/173] vmlinux.lds.h: Avoid orphan section with !SMP Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Miguel Ojeda,
	Nick Desaulniers, Kees Cook

From: Arnd Bergmann <arnd@arndb.de>

commit d94b93a9101573eb75b819dee94b1417acff631b upstream.

Since commit 83109d5d5fba ("x86/build: Warn on orphan section placement"),
we get a warning for objects in orphan sections. The cpuidle implementation
for OMAP causes this when CONFIG_CPU_IDLE is disabled:

arm-linux-gnueabi-ld: warning: orphan section `__cpuidle_method_of_table' from `arch/arm/mach-omap2/pm33xx-core.o' being placed in section `__cpuidle_method_of_table'
arm-linux-gnueabi-ld: warning: orphan section `__cpuidle_method_of_table' from `arch/arm/mach-omap2/pm33xx-core.o' being placed in section `__cpuidle_method_of_table'
arm-linux-gnueabi-ld: warning: orphan section `__cpuidle_method_of_table' from `arch/arm/mach-omap2/pm33xx-core.o' being placed in section `__cpuidle_method_of_table'

Change the definition of CPUIDLE_METHOD_OF_DECLARE() to silently
drop the table and all code referenced from it when CONFIG_CPU_IDLE
is disabled.

Fixes: 06ee7a950b6a ("ARM: OMAP2+: pm33xx-core: Add cpuidle_ops for am335x/am437x")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Miguel Ojeda <ojeda@kernel.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20201230155506.1085689-1-arnd@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/include/asm/cpuidle.h |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/arch/arm/include/asm/cpuidle.h
+++ b/arch/arm/include/asm/cpuidle.h
@@ -7,9 +7,11 @@
 #ifdef CONFIG_CPU_IDLE
 extern int arm_cpuidle_simple_enter(struct cpuidle_device *dev,
 		struct cpuidle_driver *drv, int index);
+#define __cpuidle_method_section __used __section("__cpuidle_method_of_table")
 #else
 static inline int arm_cpuidle_simple_enter(struct cpuidle_device *dev,
 		struct cpuidle_driver *drv, int index) { return -ENODEV; }
+#define __cpuidle_method_section __maybe_unused /* drop silently */
 #endif
 
 /* Common ARM WFI state */
@@ -42,8 +44,7 @@ struct of_cpuidle_method {
 
 #define CPUIDLE_METHOD_OF_DECLARE(name, _method, _ops)			\
 	static const struct of_cpuidle_method __cpuidle_method_of_table_##name \
-	__used __section("__cpuidle_method_of_table")			\
-	= { .method = _method, .ops = _ops }
+	__cpuidle_method_section = { .method = _method, .ops = _ops }
 
 extern int arm_cpuidle_suspend(int index);
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 143/173] vmlinux.lds.h: Avoid orphan section with !SMP
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 142/173] ARM: cpuidle: Avoid orphan section warning Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 144/173] tools/bootconfig: Fix error return code in apply_xbc() Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Nathan Chancellor,
	Kees Cook, Nick Desaulniers

From: Nathan Chancellor <nathan@kernel.org>

commit d4c6399900364facd84c9e35ce1540b6046c345f upstream.

With x86_64_defconfig and the following configs, there is an orphan
section warning:

CONFIG_SMP=n
CONFIG_AMD_MEM_ENCRYPT=y
CONFIG_HYPERVISOR_GUEST=y
CONFIG_KVM=y
CONFIG_PARAVIRT=y

ld: warning: orphan section `.data..decrypted' from `arch/x86/kernel/cpu/vmware.o' being placed in section `.data..decrypted'
ld: warning: orphan section `.data..decrypted' from `arch/x86/kernel/kvm.o' being placed in section `.data..decrypted'

These sections are created with DEFINE_PER_CPU_DECRYPTED, which
ultimately turns into __PCPU_ATTRS, which in turn has a section
attribute with a value of PER_CPU_BASE_SECTION + the section name. When
CONFIG_SMP is not set, the base section is .data and that is not
currently handled in any linker script.

Add .data..decrypted to PERCPU_DECRYPTED_SECTION, which is included in
PERCPU_INPUT -> PERCPU_SECTION, which is include in the x86 linker
script when either CONFIG_X86_64 or CONFIG_SMP is unset, taking care of
the warning.

Fixes: ac26963a1175 ("percpu: Introduce DEFINE_PER_CPU_DECRYPTED")
Link: https://github.com/ClangBuiltLinux/linux/issues/1360
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nick Desaulniers <ndesaulniers@google.com> # build
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20210506001410.1026691-1-nathan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/asm-generic/vmlinux.lds.h |    1 +
 1 file changed, 1 insertion(+)

--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -943,6 +943,7 @@
 #ifdef CONFIG_AMD_MEM_ENCRYPT
 #define PERCPU_DECRYPTED_SECTION					\
 	. = ALIGN(PAGE_SIZE);						\
+	*(.data..decrypted)						\
 	*(.data..percpu..decrypted)					\
 	. = ALIGN(PAGE_SIZE);
 #else



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 144/173] tools/bootconfig: Fix error return code in apply_xbc()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 143/173] vmlinux.lds.h: Avoid orphan section with !SMP Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 145/173] phy: cadence: Sierra: Fix error return code in cdns_sierra_phy_probe() Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Masami Hiramatsu,
	Zhen Lei, Steven Rostedt (VMware)

From: Zhen Lei <thunder.leizhen@huawei.com>

commit e8ba0b2b64126381643bb50df3556b139a60545a upstream.

Fix to return a negative error code from the error handling case instead
of 0, as done elsewhere in this function.

Link: https://lkml.kernel.org/r/20210508034216.2277-1-thunder.leizhen@huawei.com

Fixes: a995e6bc0524 ("tools/bootconfig: Fix to check the write failure correctly")
Reported-by: Hulk Robot <hulkci@huawei.com>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/bootconfig/main.c |    1 +
 1 file changed, 1 insertion(+)

--- a/tools/bootconfig/main.c
+++ b/tools/bootconfig/main.c
@@ -399,6 +399,7 @@ static int apply_xbc(const char *path, c
 	}
 	/* TODO: Ensure the @path is initramfs/initrd image */
 	if (fstat(fd, &stat) < 0) {
+		ret = -errno;
 		pr_err("Failed to get the size of %s\n", path);
 		goto out;
 	}



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 145/173] phy: cadence: Sierra: Fix error return code in cdns_sierra_phy_probe()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 144/173] tools/bootconfig: Fix error return code in apply_xbc() Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 146/173] ASoC: core: Fix Null-point-dereference in fmt_single_name() Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Wang Wensheng, Vinod Koul

From: Wang Wensheng <wangwensheng4@huawei.com>

commit 6411e386db0a477217607015e7d2910d02f75426 upstream.

Fix to return a negative error code from the error handling
case instead of 0, as done elsewhere in this function.

Fixes: a43f72ae136a ("phy: cadence: Sierra: Change MAX_LANES of Sierra to 16")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>
Link: https://lore.kernel.org/r/20210517015749.127799-1-wangwensheng4@huawei.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/phy/cadence/phy-cadence-sierra.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/phy/cadence/phy-cadence-sierra.c
+++ b/drivers/phy/cadence/phy-cadence-sierra.c
@@ -612,6 +612,7 @@ static int cdns_sierra_phy_probe(struct
 	sp->nsubnodes = node;
 
 	if (sp->num_lanes > SIERRA_MAX_LANES) {
+		ret = -EINVAL;
 		dev_err(dev, "Invalid lane configuration\n");
 		goto put_child2;
 	}



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 146/173] ASoC: core: Fix Null-point-dereference in fmt_single_name()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 145/173] phy: cadence: Sierra: Fix error return code in cdns_sierra_phy_probe() Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:27 ` [PATCH 5.12 147/173] ASoC: meson: gx-card: fix sound-dai dt schema Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Baryshkov, Hulk Robot,
	Kefeng Wang, Mark Brown

From: Kefeng Wang <wangkefeng.wang@huawei.com>

commit 41daf6ba594d55f201c50280ebcd430590441da1 upstream.

Check the return value of devm_kstrdup() in case of
Null-point-dereference.

Fixes: 45dd9943fce0 ("ASoC: core: remove artificial component and DAI name constraint")
Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Link: https://lore.kernel.org/r/20210524024941.159952-1-wangkefeng.wang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/soc-core.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -2223,6 +2223,8 @@ static char *fmt_single_name(struct devi
 		return NULL;
 
 	name = devm_kstrdup(dev, devname, GFP_KERNEL);
+	if (!name)
+		return NULL;
 
 	/* are we a "%s.%d" name (platform and SPI components) */
 	found = strstr(name, dev->driver->name);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 147/173] ASoC: meson: gx-card: fix sound-dai dt schema
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 146/173] ASoC: core: Fix Null-point-dereference in fmt_single_name() Greg Kroah-Hartman
@ 2021-06-14 10:27 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 148/173] phy: ti: Fix an error code in wiz_probe() Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jerome Brunet, Mark Brown

From: Jerome Brunet <jbrunet@baylibre.com>

commit d031d99b02eaf7363c33f5b27b38086cc8104082 upstream.

There is a fair amount of warnings when running 'make dtbs_check' with
amlogic,gx-sound-card.yaml.

Ex:
arch/arm64/boot/dts/amlogic/meson-gxm-q200.dt.yaml: sound: dai-link-0:sound-dai:0:1: missing phandle tag in 0
arch/arm64/boot/dts/amlogic/meson-gxm-q200.dt.yaml: sound: dai-link-0:sound-dai:0:2: missing phandle tag in 0
arch/arm64/boot/dts/amlogic/meson-gxm-q200.dt.yaml: sound: dai-link-0:sound-dai:0: [66, 0, 0] is too long

The reason is that the sound-dai phandle provided has cells, and in such
case the schema should use 'phandle-array' instead of 'phandle'.

Fixes: fd00366b8e41 ("ASoC: meson: gx: add sound card dt-binding documentation")
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Link: https://lore.kernel.org/r/20210524093448.357140-1-jbrunet@baylibre.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/devicetree/bindings/sound/amlogic,gx-sound-card.yaml |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/Documentation/devicetree/bindings/sound/amlogic,gx-sound-card.yaml
+++ b/Documentation/devicetree/bindings/sound/amlogic,gx-sound-card.yaml
@@ -57,7 +57,7 @@ patternProperties:
           rate
 
       sound-dai:
-        $ref: /schemas/types.yaml#/definitions/phandle
+        $ref: /schemas/types.yaml#/definitions/phandle-array
         description: phandle of the CPU DAI
 
     patternProperties:
@@ -71,7 +71,7 @@ patternProperties:
 
         properties:
           sound-dai:
-            $ref: /schemas/types.yaml#/definitions/phandle
+            $ref: /schemas/types.yaml#/definitions/phandle-array
             description: phandle of the codec DAI
 
         required:



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 148/173] phy: ti: Fix an error code in wiz_probe()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2021-06-14 10:27 ` [PATCH 5.12 147/173] ASoC: meson: gx-card: fix sound-dai dt schema Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 149/173] gpio: wcd934x: Fix shift-out-of-bounds error Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Abaci Robot, Yang Li, Vinod Koul

From: Yang Li <yang.lee@linux.alibaba.com>

commit b8203ec7f58ae925e10fadd3d136073ae7503a6e upstream.

When the code execute this if statement, the value of ret is 0.
However, we can see from the dev_err() log that the value of
ret should be -EINVAL.

Clean up smatch warning:

drivers/phy/ti/phy-j721e-wiz.c:1216 wiz_probe() warn: missing error code 'ret'

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Fixes: c9f9eba06629 ("phy: ti: j721e-wiz: Manage typec-gpio-dir")
Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
Link: https://lore.kernel.org/r/1621939832-65535-1-git-send-email-yang.lee@linux.alibaba.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/phy/ti/phy-j721e-wiz.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/phy/ti/phy-j721e-wiz.c
+++ b/drivers/phy/ti/phy-j721e-wiz.c
@@ -894,6 +894,7 @@ static int wiz_probe(struct platform_dev
 
 		if (wiz->typec_dir_delay < WIZ_TYPEC_DIR_DEBOUNCE_MIN ||
 		    wiz->typec_dir_delay > WIZ_TYPEC_DIR_DEBOUNCE_MAX) {
+			ret = -EINVAL;
 			dev_err(dev, "Invalid typec-dir-debounce property\n");
 			goto err_addr_to_resource;
 		}



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 149/173] gpio: wcd934x: Fix shift-out-of-bounds error
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 148/173] phy: ti: Fix an error code in wiz_probe() Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 150/173] pinctrl: qcom: Fix duplication in gpio_groups Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Srinivas Kandagatla, Andy Shevchenko,
	Bjorn Andersson, Bartosz Golaszewski

From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>

commit dbec64b11c65d74f31427e2b9d5746fbf17bf840 upstream.

bit-mask for pins 0 to 4 is BIT(0) to BIT(4) however we ended up with BIT(n - 1)
which is not right, and this was caught by below usban check

UBSAN: shift-out-of-bounds in drivers/gpio/gpio-wcd934x.c:34:14

Fixes: 59c324683400 ("gpio: wcd934x: Add support to wcd934x gpio controller")
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpio/gpio-wcd934x.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpio/gpio-wcd934x.c
+++ b/drivers/gpio/gpio-wcd934x.c
@@ -7,7 +7,7 @@
 #include <linux/slab.h>
 #include <linux/of_device.h>
 
-#define WCD_PIN_MASK(p) BIT(p - 1)
+#define WCD_PIN_MASK(p) BIT(p)
 #define WCD_REG_DIR_CTL_OFFSET 0x42
 #define WCD_REG_VAL_CTL_OFFSET 0x43
 #define WCD934X_NPINS		5



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 150/173] pinctrl: qcom: Fix duplication in gpio_groups
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 149/173] gpio: wcd934x: Fix shift-out-of-bounds error Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 151/173] perf/x86/intel/uncore: Fix a kernel WARNING triggered by maxcpus=1 Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Manivannan Sadhasivam, Vinod Koul,
	Bjorn Andersson, Linus Walleij

From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>

commit 0e4bf265b11a00bde9fef6b791bd8ee2d8059701 upstream.

"gpio52" and "gpio53" are duplicated in gpio_groups, fix them!

Fixes: ac43c44a7a37 ("pinctrl: qcom: Add SDX55 pincontrol driver")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Reviewed-by: Vinod Koul <vkoul@kernel.org>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20210526082857.174682-1-manivannan.sadhasivam@linaro.org
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pinctrl/qcom/pinctrl-sdx55.c |   18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

--- a/drivers/pinctrl/qcom/pinctrl-sdx55.c
+++ b/drivers/pinctrl/qcom/pinctrl-sdx55.c
@@ -410,15 +410,15 @@ static const char * const gpio_groups[]
 	"gpio29", "gpio30", "gpio31", "gpio32", "gpio33", "gpio34", "gpio35",
 	"gpio36", "gpio37", "gpio38", "gpio39", "gpio40", "gpio41", "gpio42",
 	"gpio43", "gpio44", "gpio45", "gpio46", "gpio47", "gpio48", "gpio49",
-	"gpio50", "gpio51", "gpio52", "gpio52", "gpio53", "gpio53", "gpio54",
-	"gpio55", "gpio56", "gpio57", "gpio58", "gpio59", "gpio60", "gpio61",
-	"gpio62", "gpio63", "gpio64", "gpio65", "gpio66", "gpio67", "gpio68",
-	"gpio69", "gpio70", "gpio71", "gpio72", "gpio73", "gpio74", "gpio75",
-	"gpio76", "gpio77", "gpio78", "gpio79", "gpio80", "gpio81", "gpio82",
-	"gpio83", "gpio84", "gpio85", "gpio86", "gpio87", "gpio88", "gpio89",
-	"gpio90", "gpio91", "gpio92", "gpio93", "gpio94", "gpio95", "gpio96",
-	"gpio97", "gpio98", "gpio99", "gpio100", "gpio101", "gpio102",
-	"gpio103", "gpio104", "gpio105", "gpio106", "gpio107",
+	"gpio50", "gpio51", "gpio52", "gpio53", "gpio54", "gpio55", "gpio56",
+	"gpio57", "gpio58", "gpio59", "gpio60", "gpio61", "gpio62", "gpio63",
+	"gpio64", "gpio65", "gpio66", "gpio67", "gpio68", "gpio69", "gpio70",
+	"gpio71", "gpio72", "gpio73", "gpio74", "gpio75", "gpio76", "gpio77",
+	"gpio78", "gpio79", "gpio80", "gpio81", "gpio82", "gpio83", "gpio84",
+	"gpio85", "gpio86", "gpio87", "gpio88", "gpio89", "gpio90", "gpio91",
+	"gpio92", "gpio93", "gpio94", "gpio95", "gpio96", "gpio97", "gpio98",
+	"gpio99", "gpio100", "gpio101", "gpio102", "gpio103", "gpio104",
+	"gpio105", "gpio106", "gpio107",
 };
 
 static const char * const qdss_stm_groups[] = {



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 151/173] perf/x86/intel/uncore: Fix a kernel WARNING triggered by maxcpus=1
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 150/173] pinctrl: qcom: Fix duplication in gpio_groups Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 152/173] perf: Fix data race between pin_count increment/decrement Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Donnelly, Kan Liang,
	Peter Zijlstra (Intel)

From: Kan Liang <kan.liang@linux.intel.com>

commit 4a0e3ff30980b7601b13dd3b7ee275212b852843 upstream.

A kernel WARNING may be triggered when setting maxcpus=1.

The uncore counters are Die-scope. When probing a PCI device, only the
BUS information can be retrieved. The uncore driver has to maintain a
mapping table used to calculate the logical Die ID from a given BUS#.

Before the patch ba9506be4e40, the mapping table stores the mapping
information from the BUS# -> a Physical Socket ID. To calculate the
logical die ID, perf does,
- In snbep_pci2phy_map_init(), retrieve the BUS# -> a Physical Socket ID
  from the UBOX PCI configure space.
- Calculate the mapping information (a BUS# -> a Physical Socket ID) for
  the other PCI BUS.
- In the uncore_pci_probe(), get the physical Socket ID from a given BUS
  and the mapping table.
- Calculate the logical Die ID

Since only the logical Die ID is required, with the patch ba9506be4e40,
the mapping table stores the mapping information from the BUS# -> a
logical Die ID. Now perf does,
- In snbep_pci2phy_map_init(), retrieve the BUS# -> a Physical Socket ID
  from the UBOX PCI configure space.
- Calculate the logical Die ID
- Calculate the mapping information (a BUS# -> a logical Die ID) for the
  other PCI BUS.
- In the uncore_pci_probe(), get the logical die ID from a given BUS and
  the mapping table.

When calculating the logical Die ID, -1 may be returned, especially when
maxcpus=1. Here, -1 means the logical Die ID is not found. But when
calculating the mapping information for the other PCI BUS, -1 indicates
that it's the other PCI BUS that requires the calculation of the
mapping. The driver will mistakenly do the calculation.

Uses the -ENODEV to indicate the case which the logical Die ID is not
found. The driver will not mess up the mapping table anymore.

Fixes: ba9506be4e40 ("perf/x86/intel/uncore: Store the logical die id instead of the physical die id.")
Reported-by: John Donnelly <john.p.donnelly@oracle.com>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: John Donnelly <john.p.donnelly@oracle.com>
Tested-by: John Donnelly <john.p.donnelly@oracle.com>
Link: https://lkml.kernel.org/r/1622037527-156028-1-git-send-email-kan.liang@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/events/intel/uncore_snbep.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -1406,6 +1406,8 @@ static int snbep_pci2phy_map_init(int de
 						die_id = i;
 					else
 						die_id = topology_phys_to_logical_pkg(i);
+					if (die_id < 0)
+						die_id = -ENODEV;
 					map->pbus_to_dieid[bus] = die_id;
 					break;
 				}
@@ -1452,14 +1454,14 @@ static int snbep_pci2phy_map_init(int de
 			i = -1;
 			if (reverse) {
 				for (bus = 255; bus >= 0; bus--) {
-					if (map->pbus_to_dieid[bus] >= 0)
+					if (map->pbus_to_dieid[bus] != -1)
 						i = map->pbus_to_dieid[bus];
 					else
 						map->pbus_to_dieid[bus] = i;
 				}
 			} else {
 				for (bus = 0; bus <= 255; bus++) {
-					if (map->pbus_to_dieid[bus] >= 0)
+					if (map->pbus_to_dieid[bus] != -1)
 						i = map->pbus_to_dieid[bus];
 					else
 						map->pbus_to_dieid[bus] = i;



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 152/173] perf: Fix data race between pin_count increment/decrement
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 151/173] perf/x86/intel/uncore: Fix a kernel WARNING triggered by maxcpus=1 Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 153/173] dt-bindings: connector: Replace BIT macro with generic bit ops Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+142c9018f5962db69c7e,
	Marco Elver, Peter Zijlstra (Intel)

From: Marco Elver <elver@google.com>

commit 6c605f8371159432ec61cbb1488dcf7ad24ad19a upstream.

KCSAN reports a data race between increment and decrement of pin_count:

  write to 0xffff888237c2d4e0 of 4 bytes by task 15740 on cpu 1:
   find_get_context		kernel/events/core.c:4617
   __do_sys_perf_event_open	kernel/events/core.c:12097 [inline]
   __se_sys_perf_event_open	kernel/events/core.c:11933
   ...
  read to 0xffff888237c2d4e0 of 4 bytes by task 15743 on cpu 0:
   perf_unpin_context		kernel/events/core.c:1525 [inline]
   __do_sys_perf_event_open	kernel/events/core.c:12328 [inline]
   __se_sys_perf_event_open	kernel/events/core.c:11933
   ...

Because neither read-modify-write here is atomic, this can lead to one
of the operations being lost, resulting in an inconsistent pin_count.
Fix it by adding the missing locking in the CPU-event case.

Fixes: fe4b04fa31a6 ("perf: Cure task_oncpu_function_call() races")
Reported-by: syzbot+142c9018f5962db69c7e@syzkaller.appspotmail.com
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20210527104711.2671610-1-elver@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/events/core.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -4542,7 +4542,9 @@ find_get_context(struct pmu *pmu, struct
 		cpuctx = per_cpu_ptr(pmu->pmu_cpu_context, cpu);
 		ctx = &cpuctx->ctx;
 		get_ctx(ctx);
+		raw_spin_lock_irqsave(&ctx->lock, flags);
 		++ctx->pin_count;
+		raw_spin_unlock_irqrestore(&ctx->lock, flags);
 
 		return ctx;
 	}



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 153/173] dt-bindings: connector: Replace BIT macro with generic bit ops
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 152/173] perf: Fix data race between pin_count increment/decrement Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 154/173] sched/fair: Keep load_avg and load_sum synced Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Rob Herring, Kyle Tso

From: Kyle Tso <kyletso@google.com>

commit 9257bd80b917cc7908abd27ed5a5211964563f62 upstream.

BIT macro is not defined. Replace it with generic bit operations.

Fixes: 630dce2810b9 ("dt-bindings: connector: Add SVDM VDO properties")
Reviewed-by: Rob Herring <robh@kernel.org>
Signed-off-by: Kyle Tso <kyletso@google.com>
Link: https://lore.kernel.org/r/20210527121029.583611-1-kyletso@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/dt-bindings/usb/pd.h |   20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

--- a/include/dt-bindings/usb/pd.h
+++ b/include/dt-bindings/usb/pd.h
@@ -163,10 +163,10 @@
 #define UFP_VDO_VER1_2		2
 
 /* Device Capability */
-#define DEV_USB2_CAPABLE	BIT(0)
-#define DEV_USB2_BILLBOARD	BIT(1)
-#define DEV_USB3_CAPABLE	BIT(2)
-#define DEV_USB4_CAPABLE	BIT(3)
+#define DEV_USB2_CAPABLE	(1 << 0)
+#define DEV_USB2_BILLBOARD	(1 << 1)
+#define DEV_USB3_CAPABLE	(1 << 2)
+#define DEV_USB4_CAPABLE	(1 << 3)
 
 /* Connector Type */
 #define UFP_RECEPTACLE		2
@@ -191,9 +191,9 @@
 
 /* Alternate Modes */
 #define UFP_ALTMODE_NOT_SUPP	0
-#define UFP_ALTMODE_TBT3	BIT(0)
-#define UFP_ALTMODE_RECFG	BIT(1)
-#define UFP_ALTMODE_NO_RECFG	BIT(2)
+#define UFP_ALTMODE_TBT3	(1 << 0)
+#define UFP_ALTMODE_RECFG	(1 << 1)
+#define UFP_ALTMODE_NO_RECFG	(1 << 2)
 
 /* USB Highest Speed */
 #define UFP_USB2_ONLY		0
@@ -217,9 +217,9 @@
  * <4:0>   :: Port number
  */
 #define DFP_VDO_VER1_1		1
-#define HOST_USB2_CAPABLE	BIT(0)
-#define HOST_USB3_CAPABLE	BIT(1)
-#define HOST_USB4_CAPABLE	BIT(2)
+#define HOST_USB2_CAPABLE	(1 << 0)
+#define HOST_USB3_CAPABLE	(1 << 1)
+#define HOST_USB4_CAPABLE	(1 << 2)
 #define DFP_RECEPTACLE		2
 #define DFP_CAPTIVE		3
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 154/173] sched/fair: Keep load_avg and load_sum synced
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 153/173] dt-bindings: connector: Replace BIT macro with generic bit ops Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 155/173] sched/fair: Make sure to update tg contrib for blocked load Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Odin Ugedal, Vincent Guittot,
	Peter Zijlstra (Intel)

From: Vincent Guittot <vincent.guittot@linaro.org>

commit 7c7ad626d9a0ff0a36c1e2a3cfbbc6a13828d5eb upstream.

when removing a cfs_rq from the list we only check _sum value so we must
ensure that _avg and _sum stay synced so load_sum can't be null whereas
load_avg is not after propagating load in the cgroup hierarchy.

Use load_avg to compute load_sum similarly to what is done for util_sum
and runnable_sum.

Fixes: 0e2d2aaaae52 ("sched/fair: Rewrite PELT migration propagation")
Reported-by: Odin Ugedal <odin@uged.al>
Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Odin Ugedal <odin@uged.al>
Link: https://lkml.kernel.org/r/20210527122916.27683-2-vincent.guittot@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/sched/fair.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -3494,10 +3494,9 @@ update_tg_cfs_runnable(struct cfs_rq *cf
 static inline void
 update_tg_cfs_load(struct cfs_rq *cfs_rq, struct sched_entity *se, struct cfs_rq *gcfs_rq)
 {
-	long delta_avg, running_sum, runnable_sum = gcfs_rq->prop_runnable_sum;
+	long delta, running_sum, runnable_sum = gcfs_rq->prop_runnable_sum;
 	unsigned long load_avg;
 	u64 load_sum = 0;
-	s64 delta_sum;
 	u32 divider;
 
 	if (!runnable_sum)
@@ -3544,13 +3543,13 @@ update_tg_cfs_load(struct cfs_rq *cfs_rq
 	load_sum = (s64)se_weight(se) * runnable_sum;
 	load_avg = div_s64(load_sum, divider);
 
-	delta_sum = load_sum - (s64)se_weight(se) * se->avg.load_sum;
-	delta_avg = load_avg - se->avg.load_avg;
+	delta = load_avg - se->avg.load_avg;
 
 	se->avg.load_sum = runnable_sum;
 	se->avg.load_avg = load_avg;
-	add_positive(&cfs_rq->avg.load_avg, delta_avg);
-	add_positive(&cfs_rq->avg.load_sum, delta_sum);
+
+	add_positive(&cfs_rq->avg.load_avg, delta);
+	cfs_rq->avg.load_sum = cfs_rq->avg.load_avg * divider;
 }
 
 static inline void add_tg_cfs_propagate(struct cfs_rq *cfs_rq, long runnable_sum)



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 155/173] sched/fair: Make sure to update tg contrib for blocked load
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 154/173] sched/fair: Keep load_avg and load_sum synced Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 156/173] ASoC: SOF: reset enabled_cores state at suspend Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Odin Ugedal, Vincent Guittot,
	Peter Zijlstra (Intel)

From: Vincent Guittot <vincent.guittot@linaro.org>

commit 02da26ad5ed6ea8680e5d01f20661439611ed776 upstream.

During the update of fair blocked load (__update_blocked_fair()), we
update the contribution of the cfs in tg->load_avg if cfs_rq's pelt
has decayed.  Nevertheless, the pelt values of a cfs_rq could have
been recently updated while propagating the change of a child. In this
case, cfs_rq's pelt will not decayed because it has already been
updated and we don't update tg->load_avg.

__update_blocked_fair
  ...
  for_each_leaf_cfs_rq_safe: child cfs_rq
    update cfs_rq_load_avg() for child cfs_rq
    ...
    update_load_avg(cfs_rq_of(se), se, 0)
      ...
      update cfs_rq_load_avg() for parent cfs_rq
		-propagation of child's load makes parent cfs_rq->load_sum
		 becoming null
        -UPDATE_TG is not set so it doesn't update parent
		 cfs_rq->tg_load_avg_contrib
  ..
  for_each_leaf_cfs_rq_safe: parent cfs_rq
    update cfs_rq_load_avg() for parent cfs_rq
      - nothing to do because parent cfs_rq has already been updated
		recently so cfs_rq->tg_load_avg_contrib is not updated
    ...
    parent cfs_rq is decayed
      list_del_leaf_cfs_rq parent cfs_rq
	  - but it still contibutes to tg->load_avg

we must set UPDATE_TG flags when propagting pending load to the parent

Fixes: 039ae8bcf7a5 ("sched/fair: Fix O(nr_cgroups) in the load balancing path")
Reported-by: Odin Ugedal <odin@uged.al>
Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Odin Ugedal <odin@uged.al>
Link: https://lkml.kernel.org/r/20210527122916.27683-3-vincent.guittot@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/sched/fair.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -8005,7 +8005,7 @@ static bool __update_blocked_fair(struct
 		/* Propagate pending load changes to the parent, if any: */
 		se = cfs_rq->tg->se[cpu];
 		if (se && !skip_blocked_update(se))
-			update_load_avg(cfs_rq_of(se), se, 0);
+			update_load_avg(cfs_rq_of(se), se, UPDATE_TG);
 
 		/*
 		 * There can be a lot of idle CPU cgroups.  Don't let fully



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 156/173] ASoC: SOF: reset enabled_cores state at suspend
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 155/173] sched/fair: Make sure to update tg contrib for blocked load Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 157/173] sched/fair: Fix util_est UTIL_AVG_UNCHANGED handling Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kai Vehmanen, Pierre-Louis Bossart,
	Ranjani Sridharan, Mark Brown

From: Kai Vehmanen <kai.vehmanen@linux.intel.com>

commit b640e8a4bd24e17ce24a064d704aba14831651a8 upstream.

The recent changes to use common code to power up/down DSP cores also
removed the reset of the core state at suspend. It turns out this is
still needed. When the firmware state is reset to
SOF_FW_BOOT_NOT_STARTED, also enabled_cores should be reset, and
existing DSP drivers depend on this.

BugLink: https://github.com/thesofproject/linux/issues/2824
Fixes: 42077f08b3 ("ASoC: SOF: update dsp core power status in common APIs")
Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Link: https://lore.kernel.org/r/20210528144330.2551-1-kai.vehmanen@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/sof/pm.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/soc/sof/pm.c
+++ b/sound/soc/sof/pm.c
@@ -256,6 +256,7 @@ suspend:
 
 	/* reset FW state */
 	sdev->fw_state = SOF_FW_BOOT_NOT_STARTED;
+	sdev->enabled_cores_mask = 0;
 
 	return ret;
 }



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 157/173] sched/fair: Fix util_est UTIL_AVG_UNCHANGED handling
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 156/173] ASoC: SOF: reset enabled_cores state at suspend Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 158/173] platform/surface: aggregator: Fix event disable function Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dietmar Eggemann,
	Peter Zijlstra (Intel),
	Xuewen Yan, Vincent Donnefort, Vincent Guittot

From: Dietmar Eggemann <dietmar.eggemann@arm.com>

commit 68d7a190682aa4eb02db477328088ebad15acc83 upstream.

The util_est internal UTIL_AVG_UNCHANGED flag which is used to prevent
unnecessary util_est updates uses the LSB of util_est.enqueued. It is
exposed via _task_util_est() (and task_util_est()).

Commit 92a801e5d5b7 ("sched/fair: Mask UTIL_AVG_UNCHANGED usages")
mentions that the LSB is lost for util_est resolution but
find_energy_efficient_cpu() checks if task_util_est() returns 0 to
return prev_cpu early.

_task_util_est() returns the max value of util_est.ewma and
util_est.enqueued or'ed w/ UTIL_AVG_UNCHANGED.
So task_util_est() returning the max of task_util() and
_task_util_est() will never return 0 under the default
SCHED_FEAT(UTIL_EST, true).

To fix this use the MSB of util_est.enqueued instead and keep the flag
util_est internal, i.e. don't export it via _task_util_est().

The maximal possible util_avg value for a task is 1024 so the MSB of
'unsigned int util_est.enqueued' isn't used to store a util value.

As a caveat the code behind the util_est_se trace point has to filter
UTIL_AVG_UNCHANGED to see the real util_est.enqueued value which should
be easy to do.

This also fixes an issue report by Xuewen Yan that util_est_update()
only used UTIL_AVG_UNCHANGED for the subtrahend of the equation:

  last_enqueued_diff = ue.enqueued - (task_util() | UTIL_AVG_UNCHANGED)

Fixes: b89997aa88f0b sched/pelt: Fix task util_est update filtering
Signed-off-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Xuewen Yan <xuewen.yan@unisoc.com>
Reviewed-by: Vincent Donnefort <vincent.donnefort@arm.com>
Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
Link: https://lore.kernel.org/r/20210602145808.1562603-1-dietmar.eggemann@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/sched.h |    8 ++++++++
 kernel/sched/debug.c  |    3 ++-
 kernel/sched/fair.c   |    5 +++--
 kernel/sched/pelt.h   |   11 +----------
 4 files changed, 14 insertions(+), 13 deletions(-)

--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -350,11 +350,19 @@ struct load_weight {
  * Only for tasks we track a moving average of the past instantaneous
  * estimated utilization. This allows to absorb sporadic drops in utilization
  * of an otherwise almost periodic task.
+ *
+ * The UTIL_AVG_UNCHANGED flag is used to synchronize util_est with util_avg
+ * updates. When a task is dequeued, its util_est should not be updated if its
+ * util_avg has not been updated in the meantime.
+ * This information is mapped into the MSB bit of util_est.enqueued at dequeue
+ * time. Since max value of util_est.enqueued for a task is 1024 (PELT util_avg
+ * for a task) it is safe to use MSB.
  */
 struct util_est {
 	unsigned int			enqueued;
 	unsigned int			ewma;
 #define UTIL_EST_WEIGHT_SHIFT		2
+#define UTIL_AVG_UNCHANGED		0x80000000
 } __attribute__((__aligned__(sizeof(u64))));
 
 /*
--- a/kernel/sched/debug.c
+++ b/kernel/sched/debug.c
@@ -888,6 +888,7 @@ __initcall(init_sched_debug_procfs);
 #define __PS(S, F) SEQ_printf(m, "%-45s:%21Ld\n", S, (long long)(F))
 #define __P(F) __PS(#F, F)
 #define   P(F) __PS(#F, p->F)
+#define   PM(F, M) __PS(#F, p->F & (M))
 #define __PSN(S, F) SEQ_printf(m, "%-45s:%14Ld.%06ld\n", S, SPLIT_NS((long long)(F)))
 #define __PN(F) __PSN(#F, F)
 #define   PN(F) __PSN(#F, p->F)
@@ -1014,7 +1015,7 @@ void proc_sched_show_task(struct task_st
 	P(se.avg.util_avg);
 	P(se.avg.last_update_time);
 	P(se.avg.util_est.ewma);
-	P(se.avg.util_est.enqueued);
+	PM(se.avg.util_est.enqueued, ~UTIL_AVG_UNCHANGED);
 #endif
 #ifdef CONFIG_UCLAMP_TASK
 	__PS("uclamp.min", p->uclamp_req[UCLAMP_MIN].value);
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -3896,7 +3896,7 @@ static inline unsigned long _task_util_e
 {
 	struct util_est ue = READ_ONCE(p->se.avg.util_est);
 
-	return (max(ue.ewma, ue.enqueued) | UTIL_AVG_UNCHANGED);
+	return max(ue.ewma, (ue.enqueued & ~UTIL_AVG_UNCHANGED));
 }
 
 static inline unsigned long task_util_est(struct task_struct *p)
@@ -3996,7 +3996,7 @@ static inline void util_est_update(struc
 	 * Reset EWMA on utilization increases, the moving average is used only
 	 * to smooth utilization decreases.
 	 */
-	ue.enqueued = (task_util(p) | UTIL_AVG_UNCHANGED);
+	ue.enqueued = task_util(p);
 	if (sched_feat(UTIL_EST_FASTUP)) {
 		if (ue.ewma < ue.enqueued) {
 			ue.ewma = ue.enqueued;
@@ -4045,6 +4045,7 @@ static inline void util_est_update(struc
 	ue.ewma  += last_ewma_diff;
 	ue.ewma >>= UTIL_EST_WEIGHT_SHIFT;
 done:
+	ue.enqueued |= UTIL_AVG_UNCHANGED;
 	WRITE_ONCE(p->se.avg.util_est, ue);
 
 	trace_sched_util_est_se_tp(&p->se);
--- a/kernel/sched/pelt.h
+++ b/kernel/sched/pelt.h
@@ -42,15 +42,6 @@ static inline u32 get_pelt_divider(struc
 	return LOAD_AVG_MAX - 1024 + avg->period_contrib;
 }
 
-/*
- * When a task is dequeued, its estimated utilization should not be update if
- * its util_avg has not been updated at least once.
- * This flag is used to synchronize util_avg updates with util_est updates.
- * We map this information into the LSB bit of the utilization saved at
- * dequeue time (i.e. util_est.dequeued).
- */
-#define UTIL_AVG_UNCHANGED 0x1
-
 static inline void cfs_se_util_change(struct sched_avg *avg)
 {
 	unsigned int enqueued;
@@ -58,7 +49,7 @@ static inline void cfs_se_util_change(st
 	if (!sched_feat(UTIL_EST))
 		return;
 
-	/* Avoid store if the flag has been already set */
+	/* Avoid store if the flag has been already reset */
 	enqueued = avg->util_est.enqueued;
 	if (!(enqueued & UTIL_AVG_UNCHANGED))
 		return;



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 158/173] platform/surface: aggregator: Fix event disable function
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 157/173] sched/fair: Fix util_est UTIL_AVG_UNCHANGED handling Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 159/173] x86/nmi_watchdog: Fix old-style NMI watchdog regression on old Intel CPUs Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maximilian Luz, Hans de Goede

From: Maximilian Luz <luzmaximilian@gmail.com>

commit b430e1d65ef6eeee42c4e53028f8dfcc6abc728b upstream.

Disabling events silently fails due to the wrong command ID being used.
Instead of the command ID for the disable call, the command ID for the
enable call was being used. This causes the disable call to enable the
event instead. As the event is already enabled when we call this
function, the EC silently drops this command and does nothing.

Use the correct command ID for disabling the event to fix this.

Fixes: c167b9c7e3d6 ("platform/surface: Add Surface Aggregator subsystem")
Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
Link: https://lore.kernel.org/r/20210603000636.568846-1-luzmaximilian@gmail.com
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/platform/surface/aggregator/controller.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/platform/surface/aggregator/controller.c
+++ b/drivers/platform/surface/aggregator/controller.c
@@ -1907,7 +1907,7 @@ static int ssam_ssh_event_disable(struct
 {
 	int status;
 
-	status = __ssam_ssh_event_request(ctrl, reg, reg.cid_enable, id, flags);
+	status = __ssam_ssh_event_request(ctrl, reg, reg.cid_disable, id, flags);
 
 	if (status < 0 && status != -EINVAL) {
 		ssam_err(ctrl,



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 159/173] x86/nmi_watchdog: Fix old-style NMI watchdog regression on old Intel CPUs
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 158/173] platform/surface: aggregator: Fix event disable function Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 160/173] KVM: x86: Ensure liveliness of nested VM-Enter fail tracepoint message Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, CodyYao-oc, Ingo Molnar,
	Peter Zijlstra (Intel)

From: CodyYao-oc <CodyYao-oc@zhaoxin.com>

commit a8383dfb2138742a1bb77b481ada047aededa2ba upstream.

The following commit:

   3a4ac121c2ca ("x86/perf: Add hardware performance events support for Zhaoxin CPU.")

Got the old-style NMI watchdog logic wrong and broke it for basically every
Intel CPU where it was active. Which is only truly old CPUs, so few people noticed.

On CPUs with perf events support we turn off the old-style NMI watchdog, so it
was pretty pointless to add the logic for X86_VENDOR_ZHAOXIN to begin with ... :-/

Anyway, the fix is to restore the old logic and add a 'break'.

[ mingo: Wrote a new changelog. ]

Fixes: 3a4ac121c2ca ("x86/perf: Add hardware performance events support for Zhaoxin CPU.")
Signed-off-by: CodyYao-oc <CodyYao-oc@zhaoxin.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/r/20210607025335.9643-1-CodyYao-oc@zhaoxin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/cpu/perfctr-watchdog.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/cpu/perfctr-watchdog.c
+++ b/arch/x86/kernel/cpu/perfctr-watchdog.c
@@ -63,7 +63,7 @@ static inline unsigned int nmi_perfctr_m
 		case 15:
 			return msr - MSR_P4_BPU_PERFCTR0;
 		}
-		fallthrough;
+		break;
 	case X86_VENDOR_ZHAOXIN:
 	case X86_VENDOR_CENTAUR:
 		return msr - MSR_ARCH_PERFMON_PERFCTR0;
@@ -96,7 +96,7 @@ static inline unsigned int nmi_evntsel_m
 		case 15:
 			return msr - MSR_P4_BSU_ESCR0;
 		}
-		fallthrough;
+		break;
 	case X86_VENDOR_ZHAOXIN:
 	case X86_VENDOR_CENTAUR:
 		return msr - MSR_ARCH_PERFMON_EVENTSEL0;



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 160/173] KVM: x86: Ensure liveliness of nested VM-Enter fail tracepoint message
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 159/173] x86/nmi_watchdog: Fix old-style NMI watchdog regression on old Intel CPUs Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 161/173] IB/mlx5: Fix initializing CQ fragments buffer Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steven Rostedt, Sean Christopherson

From: Sean Christopherson <seanjc@google.com>

commit f31500b0d437a2464ca5972d8f5439e156b74960 upstream.

Use the __string() machinery provided by the tracing subystem to make a
copy of the string literals consumed by the "nested VM-Enter failed"
tracepoint.  A complete copy is necessary to ensure that the tracepoint
can't outlive the data/memory it consumes and deference stale memory.

Because the tracepoint itself is defined by kvm, if kvm-intel and/or
kvm-amd are built as modules, the memory holding the string literals
defined by the vendor modules will be freed when the module is unloaded,
whereas the tracepoint and its data in the ring buffer will live until
kvm is unloaded (or "indefinitely" if kvm is built-in).

This bug has existed since the tracepoint was added, but was recently
exposed by a new check in tracing to detect exactly this type of bug.

  fmt: '%s%s
  ' current_buffer: ' vmx_dirty_log_t-140127  [003] ....  kvm_nested_vmenter_failed: '
  WARNING: CPU: 3 PID: 140134 at kernel/trace/trace.c:3759 trace_check_vprintf+0x3be/0x3e0
  CPU: 3 PID: 140134 Comm: less Not tainted 5.13.0-rc1-ce2e73ce600a-req #184
  Hardware name: ASUS Q87M-E/Q87M-E, BIOS 1102 03/03/2014
  RIP: 0010:trace_check_vprintf+0x3be/0x3e0
  Code: <0f> 0b 44 8b 4c 24 1c e9 a9 fe ff ff c6 44 02 ff 00 49 8b 97 b0 20
  RSP: 0018:ffffa895cc37bcb0 EFLAGS: 00010282
  RAX: 0000000000000000 RBX: ffffa895cc37bd08 RCX: 0000000000000027
  RDX: 0000000000000027 RSI: 00000000ffffdfff RDI: ffff9766cfad74f8
  RBP: ffffffffc0a041d4 R08: ffff9766cfad74f0 R09: ffffa895cc37bad8
  R10: 0000000000000001 R11: 0000000000000001 R12: ffffffffc0a041d4
  R13: ffffffffc0f4dba8 R14: 0000000000000000 R15: ffff976409f2c000
  FS:  00007f92fa200740(0000) GS:ffff9766cfac0000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000559bd11b0000 CR3: 000000019fbaa002 CR4: 00000000001726e0
  Call Trace:
   trace_event_printf+0x5e/0x80
   trace_raw_output_kvm_nested_vmenter_failed+0x3a/0x60 [kvm]
   print_trace_line+0x1dd/0x4e0
   s_show+0x45/0x150
   seq_read_iter+0x2d5/0x4c0
   seq_read+0x106/0x150
   vfs_read+0x98/0x180
   ksys_read+0x5f/0xe0
   do_syscall_64+0x40/0xb0
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Cc: Steven Rostedt <rostedt@goodmis.org>
Fixes: 380e0055bc7e ("KVM: nVMX: trace nested VM-Enter failures detected by H/W")
Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Message-Id: <20210607175748.674002-1-seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/trace.h |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/x86/kvm/trace.h
+++ b/arch/x86/kvm/trace.h
@@ -1550,16 +1550,16 @@ TRACE_EVENT(kvm_nested_vmenter_failed,
 	TP_ARGS(msg, err),
 
 	TP_STRUCT__entry(
-		__field(const char *, msg)
+		__string(msg, msg)
 		__field(u32, err)
 	),
 
 	TP_fast_assign(
-		__entry->msg = msg;
+		__assign_str(msg, msg);
 		__entry->err = err;
 	),
 
-	TP_printk("%s%s", __entry->msg, !__entry->err ? "" :
+	TP_printk("%s%s", __get_str(msg), !__entry->err ? "" :
 		__print_symbolic(__entry->err, VMX_VMENTER_INSTRUCTION_ERRORS))
 );
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 161/173] IB/mlx5: Fix initializing CQ fragments buffer
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 160/173] KVM: x86: Ensure liveliness of nested VM-Enter fail tracepoint message Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 162/173] NFS: Fix a potential NULL dereference in nfs_get_client() Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alaa Hleihel, Leon Romanovsky,
	Jason Gunthorpe

From: Alaa Hleihel <alaa@nvidia.com>

commit 2ba0aa2feebda680ecfc3c552e867cf4d1b05a3a upstream.

The function init_cq_frag_buf() can be called to initialize the current CQ
fragments buffer cq->buf, or the temporary cq->resize_buf that is filled
during CQ resize operation.

However, the offending commit started to use function get_cqe() for
getting the CQEs, the issue with this change is that get_cqe() always
returns CQEs from cq->buf, which leads us to initialize the wrong buffer,
and in case of enlarging the CQ we try to access elements beyond the size
of the current cq->buf and eventually hit a kernel panic.

 [exception RIP: init_cq_frag_buf+103]
  [ffff9f799ddcbcd8] mlx5_ib_resize_cq at ffffffffc0835d60 [mlx5_ib]
  [ffff9f799ddcbdb0] ib_resize_cq at ffffffffc05270df [ib_core]
  [ffff9f799ddcbdc0] llt_rdma_setup_qp at ffffffffc0a6a712 [llt]
  [ffff9f799ddcbe10] llt_rdma_cc_event_action at ffffffffc0a6b411 [llt]
  [ffff9f799ddcbe98] llt_rdma_client_conn_thread at ffffffffc0a6bb75 [llt]
  [ffff9f799ddcbec8] kthread at ffffffffa66c5da1
  [ffff9f799ddcbf50] ret_from_fork_nospec_begin at ffffffffa6d95ddd

Fix it by getting the needed CQE by calling mlx5_frag_buf_get_wqe() that
takes the correct source buffer as a parameter.

Fixes: 388ca8be0037 ("IB/mlx5: Implement fragmented completion queue (CQ)")
Link: https://lore.kernel.org/r/90a0e8c924093cfa50a482880ad7e7edb73dc19a.1623309971.git.leonro@nvidia.com
Signed-off-by: Alaa Hleihel <alaa@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx5/cq.c |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/drivers/infiniband/hw/mlx5/cq.c
+++ b/drivers/infiniband/hw/mlx5/cq.c
@@ -849,15 +849,14 @@ static void destroy_cq_user(struct mlx5_
 	ib_umem_release(cq->buf.umem);
 }
 
-static void init_cq_frag_buf(struct mlx5_ib_cq *cq,
-			     struct mlx5_ib_cq_buf *buf)
+static void init_cq_frag_buf(struct mlx5_ib_cq_buf *buf)
 {
 	int i;
 	void *cqe;
 	struct mlx5_cqe64 *cqe64;
 
 	for (i = 0; i < buf->nent; i++) {
-		cqe = get_cqe(cq, i);
+		cqe = mlx5_frag_buf_get_wqe(&buf->fbc, i);
 		cqe64 = buf->cqe_size == 64 ? cqe : cqe + 64;
 		cqe64->op_own = MLX5_CQE_INVALID << 4;
 	}
@@ -883,7 +882,7 @@ static int create_cq_kernel(struct mlx5_
 	if (err)
 		goto err_db;
 
-	init_cq_frag_buf(cq, &cq->buf);
+	init_cq_frag_buf(&cq->buf);
 
 	*inlen = MLX5_ST_SZ_BYTES(create_cq_in) +
 		 MLX5_FLD_SZ_BYTES(create_cq_in, pas[0]) *
@@ -1184,7 +1183,7 @@ static int resize_kernel(struct mlx5_ib_
 	if (err)
 		goto ex;
 
-	init_cq_frag_buf(cq, cq->resize_buf);
+	init_cq_frag_buf(cq->resize_buf);
 
 	return 0;
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 162/173] NFS: Fix a potential NULL dereference in nfs_get_client()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 161/173] IB/mlx5: Fix initializing CQ fragments buffer Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 163/173] NFSv4: Fix deadlock between nfs4_evict_inode() and nfs4_opendata_get_inode() Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Trond Myklebust, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 09226e8303beeec10f2ff844d2e46d1371dc58e0 ]

None of the callers are expecting NULL returns from nfs_get_client() so
this code will lead to an Oops.  It's better to return an error
pointer.  I expect that this is dead code so hopefully no one is
affected.

Fixes: 31434f496abb ("nfs: check hostname in nfs_get_client")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfs/client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index ff5c4d0d6d13..686b211342a8 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -406,7 +406,7 @@ struct nfs_client *nfs_get_client(const struct nfs_client_initdata *cl_init)
 
 	if (cl_init->hostname == NULL) {
 		WARN_ON(1);
-		return NULL;
+		return ERR_PTR(-EINVAL);
 	}
 
 	/* see if the client already exists */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 163/173] NFSv4: Fix deadlock between nfs4_evict_inode() and nfs4_opendata_get_inode()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 162/173] NFS: Fix a potential NULL dereference in nfs_get_client() Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 164/173] pinctrl: qcom: Make it possible to select SC8180x TLMM Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, zhangxiaoxu (A),
	Trond Myklebust, Sasha Levin

From: Trond Myklebust <trond.myklebust@hammerspace.com>

[ Upstream commit dfe1fe75e00e4c724ede7b9e593f6f680e446c5f ]

If the inode is being evicted, but has to return a delegation first,
then it can cause a deadlock in the corner case where the server reboots
before the delegreturn completes, but while the call to iget5_locked() in
nfs4_opendata_get_inode() is waiting for the inode free to complete.
Since the open call still holds a session slot, the reboot recovery
cannot proceed.

In order to break the logjam, we can turn the delegation return into a
privileged operation for the case where we're evicting the inode. We
know that in that case, there can be no other state recovery operation
that conflicts.

Reported-by: zhangxiaoxu (A) <zhangxiaoxu5@huawei.com>
Fixes: 5fcdfacc01f3 ("NFSv4: Return delegations synchronously in evict_inode")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfs/nfs4_fs.h  |  1 +
 fs/nfs/nfs4proc.c | 12 +++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h
index 065cb04222a1..543d916f79ab 100644
--- a/fs/nfs/nfs4_fs.h
+++ b/fs/nfs/nfs4_fs.h
@@ -205,6 +205,7 @@ struct nfs4_exception {
 	struct inode *inode;
 	nfs4_stateid *stateid;
 	long timeout;
+	unsigned char task_is_privileged : 1;
 	unsigned char delay : 1,
 		      recovering : 1,
 		      retry : 1;
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 0b809cc6ad1d..bd3db61b746f 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -590,6 +590,8 @@ int nfs4_handle_exception(struct nfs_server *server, int errorcode, struct nfs4_
 		goto out_retry;
 	}
 	if (exception->recovering) {
+		if (exception->task_is_privileged)
+			return -EDEADLOCK;
 		ret = nfs4_wait_clnt_recover(clp);
 		if (test_bit(NFS_MIG_FAILED, &server->mig_status))
 			return -EIO;
@@ -615,6 +617,8 @@ nfs4_async_handle_exception(struct rpc_task *task, struct nfs_server *server,
 		goto out_retry;
 	}
 	if (exception->recovering) {
+		if (exception->task_is_privileged)
+			return -EDEADLOCK;
 		rpc_sleep_on(&clp->cl_rpcwaitq, task, NULL);
 		if (test_bit(NFS4CLNT_MANAGER_RUNNING, &clp->cl_state) == 0)
 			rpc_wake_up_queued_task(&clp->cl_rpcwaitq, task);
@@ -6381,6 +6385,7 @@ static void nfs4_delegreturn_done(struct rpc_task *task, void *calldata)
 	struct nfs4_exception exception = {
 		.inode = data->inode,
 		.stateid = &data->stateid,
+		.task_is_privileged = data->args.seq_args.sa_privileged,
 	};
 
 	if (!nfs4_sequence_done(task, &data->res.seq_res))
@@ -6504,7 +6509,6 @@ static int _nfs4_proc_delegreturn(struct inode *inode, const struct cred *cred,
 	data = kzalloc(sizeof(*data), GFP_NOFS);
 	if (data == NULL)
 		return -ENOMEM;
-	nfs4_init_sequence(&data->args.seq_args, &data->res.seq_res, 1, 0);
 
 	nfs4_state_protect(server->nfs_client,
 			NFS_SP4_MACH_CRED_CLEANUP,
@@ -6535,6 +6539,12 @@ static int _nfs4_proc_delegreturn(struct inode *inode, const struct cred *cred,
 		}
 	}
 
+	if (!data->inode)
+		nfs4_init_sequence(&data->args.seq_args, &data->res.seq_res, 1,
+				   1);
+	else
+		nfs4_init_sequence(&data->args.seq_args, &data->res.seq_res, 1,
+				   0);
 	task_setup_data.callback_data = data;
 	msg.rpc_argp = &data->args;
 	msg.rpc_resp = &data->res;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 164/173] pinctrl: qcom: Make it possible to select SC8180x TLMM
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 163/173] NFSv4: Fix deadlock between nfs4_evict_inode() and nfs4_opendata_get_inode() Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 165/173] perf session: Correct buffer copying when peeking events Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bjorn Andersson, Linus Walleij, Sasha Levin

From: Bjorn Andersson <bjorn.andersson@linaro.org>

[ Upstream commit 30e9857a134905ac0d03ca244b615cc3ff0a076e ]

It's currently not possible to select the SC8180x TLMM driver, due to it
selecting PINCTRL_MSM, rather than depending on the same. Fix this.

Fixes: 97423113ec4b ("pinctrl: qcom: Add sc8180x TLMM driver")
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20210608180702.2064253-1-bjorn.andersson@linaro.org
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/qcom/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pinctrl/qcom/Kconfig b/drivers/pinctrl/qcom/Kconfig
index 6853a896c476..740ecf6011a9 100644
--- a/drivers/pinctrl/qcom/Kconfig
+++ b/drivers/pinctrl/qcom/Kconfig
@@ -223,7 +223,7 @@ config PINCTRL_SC7280
 config PINCTRL_SC8180X
 	tristate "Qualcomm Technologies Inc SC8180x pin controller driver"
 	depends on GPIOLIB && OF
-	select PINCTRL_MSM
+	depends on PINCTRL_MSM
 	help
 	  This is the pinctrl, pinmux, pinconf and gpiolib driver for the
 	  Qualcomm Technologies Inc TLMM block found on the Qualcomm
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 165/173] perf session: Correct buffer copying when peeking events
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 164/173] pinctrl: qcom: Make it possible to select SC8180x TLMM Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 166/173] kvm: fix previous commit for 32-bit builds Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Leo Yan, Adrian Hunter, Jiri Olsa,
	Alexander Shishkin, Kan Liang, Mark Rutland, Namhyung Kim,
	Peter Zijlstra, Arnaldo Carvalho de Melo, Sasha Levin

From: Leo Yan <leo.yan@linaro.org>

[ Upstream commit 197eecb6ecae0b04bd694432f640ff75597fed9c ]

When peeking an event, it has a short path and a long path.  The short
path uses the session pointer "one_mmap_addr" to directly fetch the
event; and the long path needs to read out the event header and the
following event data from file and fill into the buffer pointer passed
through the argument "buf".

The issue is in the long path that it copies the event header and event
data into the same destination address which pointer "buf", this means
the event header is overwritten.  We are just lucky to run into the
short path in most cases, so we don't hit the issue in the long path.

This patch adds the offset "hdr_sz" to the pointer "buf" when copying
the event data, so that it can reserve the event header which can be
used properly by its caller.

Fixes: 5a52f33adf02 ("perf session: Add perf_session__peek_event()")
Signed-off-by: Leo Yan <leo.yan@linaro.org>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Acked-by: Jiri Olsa <jolsa@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lore.kernel.org/lkml/20210605052957.1070720-1-leo.yan@linaro.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/util/session.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
index e9d4e6f4bdf3..b7cfdbf207b7 100644
--- a/tools/perf/util/session.c
+++ b/tools/perf/util/session.c
@@ -1710,6 +1710,7 @@ int perf_session__peek_event(struct perf_session *session, off_t file_offset,
 	if (event->header.size < hdr_sz || event->header.size > buf_sz)
 		return -1;
 
+	buf += hdr_sz;
 	rest = event->header.size - hdr_sz;
 
 	if (readn(fd, buf, rest) != (ssize_t)rest)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 181+ messages in thread

* [PATCH 5.12 166/173] kvm: fix previous commit for 32-bit builds
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 165/173] perf session: Correct buffer copying when peeking events Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 167/173] NFS: Fix use-after-free in nfs4_init_client() Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Paolo Bonzini

From: Paolo Bonzini <pbonzini@redhat.com>

commit 4422829e8053068e0225e4d0ef42dc41ea7c9ef5 upstream.

array_index_nospec does not work for uint64_t on 32-bit builds.
However, the size of a memory slot must be less than 20 bits wide
on those system, since the memory slot must fit in the user
address space.  So just store it in an unsigned long.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/kvm_host.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -1124,8 +1124,8 @@ __gfn_to_hva_memslot(struct kvm_memory_s
 	 * table walks, do not let the processor speculate loads outside
 	 * the guest's registered memslots.
 	 */
-	unsigned long offset = array_index_nospec(gfn - slot->base_gfn,
-						  slot->npages);
+	unsigned long offset = gfn - slot->base_gfn;
+	offset = array_index_nospec(offset, slot->npages);
 	return slot->userspace_addr + offset * PAGE_SIZE;
 }
 



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 167/173] NFS: Fix use-after-free in nfs4_init_client()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 166/173] kvm: fix previous commit for 32-bit builds Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 168/173] NFSv4: Fix second deadlock in nfs4_evict_inode() Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anna Schumaker, Trond Myklebust

From: Anna Schumaker <Anna.Schumaker@Netapp.com>

commit 476bdb04c501fc64bf3b8464ffddefc8dbe01577 upstream.

KASAN reports a use-after-free when attempting to mount two different
exports through two different NICs that belong to the same server.

Olga was able to hit this with kernels starting somewhere between 5.7
and 5.10, but I traced the patch that introduced the clear_bit() call to
4.13. So something must have changed in the refcounting of the clp
pointer to make this call to nfs_put_client() the very last one.

Fixes: 8dcbec6d20 ("NFSv41: Handle EXCHID4_FLAG_CONFIRMED_R during NFSv4.1 migration")
Cc: stable@vger.kernel.org # 4.13+
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfs/nfs4client.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/nfs4client.c
+++ b/fs/nfs/nfs4client.c
@@ -435,8 +435,8 @@ struct nfs_client *nfs4_init_client(stru
 		 */
 		nfs_mark_client_ready(clp, -EPERM);
 	}
-	nfs_put_client(clp);
 	clear_bit(NFS_CS_TSM_POSSIBLE, &clp->cl_flags);
+	nfs_put_client(clp);
 	return old;
 
 error:



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 168/173] NFSv4: Fix second deadlock in nfs4_evict_inode()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 167/173] NFS: Fix use-after-free in nfs4_init_client() Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 169/173] NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit c3aba897c6e67fa464ec02b1f17911577d619713 upstream.

If the inode is being evicted but has to return a layout first, then
that too can cause a deadlock in the corner case where the server
reboots.

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfs/nfs4proc.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -9630,15 +9630,20 @@ int nfs4_proc_layoutreturn(struct nfs4_l
 			&task_setup_data.rpc_client, &msg);
 
 	dprintk("--> %s\n", __func__);
+	lrp->inode = nfs_igrab_and_active(lrp->args.inode);
 	if (!sync) {
-		lrp->inode = nfs_igrab_and_active(lrp->args.inode);
 		if (!lrp->inode) {
 			nfs4_layoutreturn_release(lrp);
 			return -EAGAIN;
 		}
 		task_setup_data.flags |= RPC_TASK_ASYNC;
 	}
-	nfs4_init_sequence(&lrp->args.seq_args, &lrp->res.seq_res, 1, 0);
+	if (!lrp->inode)
+		nfs4_init_sequence(&lrp->args.seq_args, &lrp->res.seq_res, 1,
+				   1);
+	else
+		nfs4_init_sequence(&lrp->args.seq_args, &lrp->res.seq_res, 1,
+				   0);
 	task = rpc_run_task(&task_setup_data);
 	if (IS_ERR(task))
 		return PTR_ERR(task);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 169/173] NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error.
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 168/173] NFSv4: Fix second deadlock in nfs4_evict_inode() Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 170/173] scsi: core: Fix error handling of scsi_host_alloc() Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dai Ngo, Trond Myklebust

From: Dai Ngo <dai.ngo@oracle.com>

commit f8849e206ef52b584cd9227255f4724f0cc900bb upstream.

Currently if __nfs4_proc_set_acl fails with NFS4ERR_BADOWNER it
re-enables the idmapper by clearing NFS_CAP_UIDGID_NOMAP before
retrying again. The NFS_CAP_UIDGID_NOMAP remains cleared even if
the retry fails. This causes problem for subsequent setattr
requests for v4 server that does not have idmapping configured.

This patch modifies nfs4_proc_set_acl to detect NFS4ERR_BADOWNER
and NFS4ERR_BADNAME and skips the retry, since the kernel isn't
involved in encoding the ACEs, and return -EINVAL.

Steps to reproduce the problem:

 # mount -o vers=4.1,sec=sys server:/export/test /tmp/mnt
 # touch /tmp/mnt/file1
 # chown 99 /tmp/mnt/file1
 # nfs4_setfacl -a A::unknown.user@xyz.com:wrtncy /tmp/mnt/file1
 Failed setxattr operation: Invalid argument
 # chown 99 /tmp/mnt/file1
 chown: changing ownership of ‘/tmp/mnt/file1’: Invalid argument
 # umount /tmp/mnt
 # mount -o vers=4.1,sec=sys server:/export/test /tmp/mnt
 # chown 99 /tmp/mnt/file1
 #

v2: detect NFS4ERR_BADOWNER and NFS4ERR_BADNAME and skip retry
       in nfs4_proc_set_acl.
Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfs/nfs4proc.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -5944,6 +5944,14 @@ static int nfs4_proc_set_acl(struct inod
 	do {
 		err = __nfs4_proc_set_acl(inode, buf, buflen);
 		trace_nfs4_set_acl(inode, err);
+		if (err == -NFS4ERR_BADOWNER || err == -NFS4ERR_BADNAME) {
+			/*
+			 * no need to retry since the kernel
+			 * isn't involved in encoding the ACEs.
+			 */
+			err = -EINVAL;
+			break;
+		}
 		err = nfs4_handle_exception(NFS_SERVER(inode), err,
 				&exception);
 	} while (exception.retry);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 170/173] scsi: core: Fix error handling of scsi_host_alloc()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 169/173] NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 171/173] scsi: core: Fix failure handling of scsi_add_host_with_dma() Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, John Garry,
	Hannes Reinecke, Ming Lei, Martin K. Petersen

From: Ming Lei <ming.lei@redhat.com>

commit 66a834d092930cf41d809c0e989b13cd6f9ca006 upstream.

After device is initialized via device_initialize(), or its name is set via
dev_set_name(), the device has to be freed via put_device().  Otherwise
device name will be leaked because it is allocated dynamically in
dev_set_name().

Fix the leak by replacing kfree() with put_device(). Since
scsi_host_dev_release() properly handles IDA and kthread removal, remove
special-casing these from the error handling as well.

Link: https://lore.kernel.org/r/20210602133029.2864069-2-ming.lei@redhat.com
Cc: Bart Van Assche <bvanassche@acm.org>
Cc: John Garry <john.garry@huawei.com>
Cc: Hannes Reinecke <hare@suse.de>
Tested-by: John Garry <john.garry@huawei.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: John Garry <john.garry@huawei.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/hosts.c |   23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -392,8 +392,10 @@ struct Scsi_Host *scsi_host_alloc(struct
 	mutex_init(&shost->scan_mutex);
 
 	index = ida_simple_get(&host_index_ida, 0, 0, GFP_KERNEL);
-	if (index < 0)
-		goto fail_kfree;
+	if (index < 0) {
+		kfree(shost);
+		return NULL;
+	}
 	shost->host_no = index;
 
 	shost->dma_channel = 0xff;
@@ -486,7 +488,7 @@ struct Scsi_Host *scsi_host_alloc(struct
 		shost_printk(KERN_WARNING, shost,
 			"error handler thread failed to spawn, error = %ld\n",
 			PTR_ERR(shost->ehandler));
-		goto fail_index_remove;
+		goto fail;
 	}
 
 	shost->tmf_work_q = alloc_workqueue("scsi_tmf_%d",
@@ -495,17 +497,18 @@ struct Scsi_Host *scsi_host_alloc(struct
 	if (!shost->tmf_work_q) {
 		shost_printk(KERN_WARNING, shost,
 			     "failed to create tmf workq\n");
-		goto fail_kthread;
+		goto fail;
 	}
 	scsi_proc_hostdir_add(shost->hostt);
 	return shost;
+ fail:
+	/*
+	 * Host state is still SHOST_CREATED and that is enough to release
+	 * ->shost_gendev. scsi_host_dev_release() will free
+	 * dev_name(&shost->shost_dev).
+	 */
+	put_device(&shost->shost_gendev);
 
- fail_kthread:
-	kthread_stop(shost->ehandler);
- fail_index_remove:
-	ida_simple_remove(&host_index_ida, shost->host_no);
- fail_kfree:
-	kfree(shost);
 	return NULL;
 }
 EXPORT_SYMBOL(scsi_host_alloc);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 171/173] scsi: core: Fix failure handling of scsi_add_host_with_dma()
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 170/173] scsi: core: Fix error handling of scsi_host_alloc() Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 172/173] scsi: core: Put .shost_dev in failure path if host state changes to RUNNING Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, John Garry,
	Hannes Reinecke, Ming Lei, Martin K. Petersen

From: Ming Lei <ming.lei@redhat.com>

commit 3719f4ff047e20062b8314c23ec3cab84d74c908 upstream.

When scsi_add_host_with_dma() returns failure, the caller will call
scsi_host_put(shost) to release everything allocated for this host
instance. Consequently we can't also free allocated stuff in
scsi_add_host_with_dma(), otherwise we will end up with a double free.

Strictly speaking, host resource allocations should have been done in
scsi_host_alloc(). However, the allocations may need information which is
not yet provided by the driver when that function is called. So leave the
allocations where they are but rely on host device's release handler to
free resources.

Link: https://lore.kernel.org/r/20210602133029.2864069-3-ming.lei@redhat.com
Cc: Bart Van Assche <bvanassche@acm.org>
Cc: John Garry <john.garry@huawei.com>
Cc: Hannes Reinecke <hare@suse.de>
Tested-by: John Garry <john.garry@huawei.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: John Garry <john.garry@huawei.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/hosts.c |   14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -278,23 +278,22 @@ int scsi_add_host_with_dma(struct Scsi_H
 
 		if (!shost->work_q) {
 			error = -EINVAL;
-			goto out_free_shost_data;
+			goto out_del_dev;
 		}
 	}
 
 	error = scsi_sysfs_add_host(shost);
 	if (error)
-		goto out_destroy_host;
+		goto out_del_dev;
 
 	scsi_proc_host_add(shost);
 	scsi_autopm_put_host(shost);
 	return error;
 
- out_destroy_host:
-	if (shost->work_q)
-		destroy_workqueue(shost->work_q);
- out_free_shost_data:
-	kfree(shost->shost_data);
+	/*
+	 * Any host allocation in this function will be freed in
+	 * scsi_host_dev_release().
+	 */
  out_del_dev:
 	device_del(&shost->shost_dev);
  out_del_gendev:
@@ -304,7 +303,6 @@ int scsi_add_host_with_dma(struct Scsi_H
 	pm_runtime_disable(&shost->shost_gendev);
 	pm_runtime_set_suspended(&shost->shost_gendev);
 	pm_runtime_put_noidle(&shost->shost_gendev);
-	scsi_mq_destroy_tags(shost);
  fail:
 	return error;
 }



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 172/173] scsi: core: Put .shost_dev in failure path if host state changes to RUNNING
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 171/173] scsi: core: Fix failure handling of scsi_add_host_with_dma() Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 10:28 ` [PATCH 5.12 173/173] scsi: core: Only put parent device if host state differs from SHOST_CREATED Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Hannes Reinecke,
	John Garry, Ming Lei, Martin K. Petersen

From: Ming Lei <ming.lei@redhat.com>

commit 11714026c02d613c30a149c3f4c4a15047744529 upstream.

scsi_host_dev_release() only frees dev_name when host state is
SHOST_CREATED. After host state has changed to SHOST_RUNNING,
scsi_host_dev_release() no longer cleans up.

Fix this by doing a put_device(&shost->shost_dev) in the failure path when
host state is SHOST_RUNNING. Move get_device(&shost->shost_gendev) before
device_add(&shost->shost_dev) so that scsi_host_cls_release() can do a put
on this reference.

Link: https://lore.kernel.org/r/20210602133029.2864069-4-ming.lei@redhat.com
Cc: Bart Van Assche <bvanassche@acm.org>
Cc: Hannes Reinecke <hare@suse.de>
Reported-by: John Garry <john.garry@huawei.com>
Tested-by: John Garry <john.garry@huawei.com>
Reviewed-by: John Garry <john.garry@huawei.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/hosts.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -254,12 +254,11 @@ int scsi_add_host_with_dma(struct Scsi_H
 
 	device_enable_async_suspend(&shost->shost_dev);
 
+	get_device(&shost->shost_gendev);
 	error = device_add(&shost->shost_dev);
 	if (error)
 		goto out_del_gendev;
 
-	get_device(&shost->shost_gendev);
-
 	if (shost->transportt->host_size) {
 		shost->shost_data = kzalloc(shost->transportt->host_size,
 					 GFP_KERNEL);
@@ -297,6 +296,11 @@ int scsi_add_host_with_dma(struct Scsi_H
  out_del_dev:
 	device_del(&shost->shost_dev);
  out_del_gendev:
+	/*
+	 * Host state is SHOST_RUNNING so we have to explicitly release
+	 * ->shost_dev.
+	 */
+	put_device(&shost->shost_dev);
 	device_del(&shost->shost_gendev);
  out_disable_runtime_pm:
 	device_disable_async_suspend(&shost->shost_gendev);



^ permalink raw reply	[flat|nested] 181+ messages in thread

* [PATCH 5.12 173/173] scsi: core: Only put parent device if host state differs from SHOST_CREATED
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 172/173] scsi: core: Put .shost_dev in failure path if host state changes to RUNNING Greg Kroah-Hartman
@ 2021-06-14 10:28 ` Greg Kroah-Hartman
  2021-06-14 16:34 ` [PATCH 5.12 000/173] 5.12.11-rc1 review Fox Chen
                   ` (6 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-14 10:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, John Garry,
	Hannes Reinecke, Ming Lei, Martin K. Petersen

From: Ming Lei <ming.lei@redhat.com>

commit 1e0d4e6225996f05271de1ebcb1a7c9381af0b27 upstream.

get_device(shost->shost_gendev.parent) is called after host state has
switched to SHOST_RUNNING. scsi_host_dev_release() shouldn't release the
parent device if host state is still SHOST_CREATED.

Link: https://lore.kernel.org/r/20210602133029.2864069-5-ming.lei@redhat.com
Cc: Bart Van Assche <bvanassche@acm.org>
Cc: John Garry <john.garry@huawei.com>
Cc: Hannes Reinecke <hare@suse.de>
Tested-by: John Garry <john.garry@huawei.com>
Reviewed-by: John Garry <john.garry@huawei.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/hosts.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -347,7 +347,7 @@ static void scsi_host_dev_release(struct
 
 	ida_simple_remove(&host_index_ida, shost->host_no);
 
-	if (parent)
+	if (shost->shost_state != SHOST_CREATED)
 		put_device(parent);
 	kfree(shost);
 }



^ permalink raw reply	[flat|nested] 181+ messages in thread

* RE: [PATCH 5.12 000/173] 5.12.11-rc1 review
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2021-06-14 10:28 ` [PATCH 5.12 173/173] scsi: core: Only put parent device if host state differs from SHOST_CREATED Greg Kroah-Hartman
@ 2021-06-14 16:34 ` Fox Chen
  2021-06-14 17:55 ` Jon Hunter
                   ` (5 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Fox Chen @ 2021-06-14 16:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable, Fox Chen

On Mon, 14 Jun 2021 12:25:32 +0200, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> This is the start of the stable review cycle for the 5.12.11 release.
> There are 173 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 16 Jun 2021 10:26:30 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.12.11-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.12.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

5.12.11-rc1 Successfully Compiled and booted on my Raspberry PI 4b (8g) (bcm2711)
                
Tested-by: Fox Chen <foxhlchen@gmail.com>


^ permalink raw reply	[flat|nested] 181+ messages in thread

* Re: [PATCH 5.12 000/173] 5.12.11-rc1 review
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2021-06-14 16:34 ` [PATCH 5.12 000/173] 5.12.11-rc1 review Fox Chen
@ 2021-06-14 17:55 ` Jon Hunter
  2021-06-14 19:26 ` Shuah Khan
                   ` (4 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Jon Hunter @ 2021-06-14 17:55 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable, linux-tegra

On Mon, 14 Jun 2021 12:25:32 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.12.11 release.
> There are 173 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 16 Jun 2021 10:26:30 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.12.11-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.12.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests passing for Tegra ...

Test results for stable-v5.12:
    12 builds:	12 pass, 0 fail
    28 boots:	28 pass, 0 fail
    104 tests:	104 pass, 0 fail

Linux version:	5.12.11-rc1-g38004b22b0ae
Boards tested:	tegra124-jetson-tk1, tegra186-p2771-0000,
                tegra194-p2972-0000, tegra194-p3509-0000+p3668-0000,
                tegra20-ventana, tegra210-p2371-2180,
                tegra210-p3450-0000, tegra30-cardhu-a04

Tested-by: Jon Hunter <jonathanh@nvidia.com>

Jon

^ permalink raw reply	[flat|nested] 181+ messages in thread

* Re: [PATCH 5.12 000/173] 5.12.11-rc1 review
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2021-06-14 17:55 ` Jon Hunter
@ 2021-06-14 19:26 ` Shuah Khan
  2021-06-14 19:47 ` Florian Fainelli
                   ` (3 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Shuah Khan @ 2021-06-14 19:26 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable, Shuah Khan

On 6/14/21 4:25 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.12.11 release.
> There are 173 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 16 Jun 2021 10:26:30 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.12.11-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.12.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <skhan@linuxfoundation.org>

thanks,
-- Shuah


^ permalink raw reply	[flat|nested] 181+ messages in thread

* Re: [PATCH 5.12 000/173] 5.12.11-rc1 review
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2021-06-14 19:26 ` Shuah Khan
@ 2021-06-14 19:47 ` Florian Fainelli
  2021-06-14 19:55 ` Justin Forbes
                   ` (2 subsequent siblings)
  179 siblings, 0 replies; 181+ messages in thread
From: Florian Fainelli @ 2021-06-14 19:47 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
	jonathanh, stable



On 6/14/2021 3:25 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.12.11 release.
> There are 173 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 16 Jun 2021 10:26:30 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.12.11-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.12.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

On ARCH_BRCMSTB using 32-bit and 64-bit kernels:

Tested-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian

^ permalink raw reply	[flat|nested] 181+ messages in thread

* Re: [PATCH 5.12 000/173] 5.12.11-rc1 review
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2021-06-14 19:47 ` Florian Fainelli
@ 2021-06-14 19:55 ` Justin Forbes
  2021-06-15  4:32 ` Naresh Kamboju
  2021-06-15 14:21 ` Guenter Roeck
  179 siblings, 0 replies; 181+ messages in thread
From: Justin Forbes @ 2021-06-14 19:55 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches, lkft-triage,
	pavel, jonathanh, f.fainelli, stable

On Mon, Jun 14, 2021 at 12:25:32PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.12.11 release.
> There are 173 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 16 Jun 2021 10:26:30 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.12.11-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.12.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Tested rc1 against the Fedora build system (aarch64, armv7, ppc64le,
s390x, x86_64), and boot tested x86_64. No regressions noted.

Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>

^ permalink raw reply	[flat|nested] 181+ messages in thread

* Re: [PATCH 5.12 000/173] 5.12.11-rc1 review
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2021-06-14 19:55 ` Justin Forbes
@ 2021-06-15  4:32 ` Naresh Kamboju
  2021-06-15 14:21 ` Guenter Roeck
  179 siblings, 0 replies; 181+ messages in thread
From: Naresh Kamboju @ 2021-06-15  4:32 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Shuah Khan, Florian Fainelli, patches, lkft-triage,
	Jon Hunter, linux-stable, Pavel Machek, Andrew Morton,
	Linus Torvalds, Guenter Roeck

On Mon, 14 Jun 2021 at 16:18, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.12.11 release.
> There are 173 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 16 Jun 2021 10:26:30 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.12.11-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.12.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>

## Build
* kernel: 5.12.11-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git branch: linux-5.12.y
* git commit: 38004b22b0ae0ed236de37f13b323c9d89311f9e
* git describe: v5.12.10-174-g38004b22b0ae
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.12.y/build/v5.12.10-174-g38004b22b0ae

## No regressions (compared to v5.12.10)

## No fixes (compared to v5.12.10)

## Test result summary
 total: 83712, pass: 69169, fail: 1865, skip: 11956, xfail: 722,

## Build Summary
* arc: 10 total, 10 passed, 0 failed
* arm: 193 total, 193 passed, 0 failed
* arm64: 27 total, 27 passed, 0 failed
* dragonboard-410c: 1 total, 1 passed, 0 failed
* hi6220-hikey: 1 total, 1 passed, 0 failed
* i386: 26 total, 26 passed, 0 failed
* juno-r2: 1 total, 1 passed, 0 failed
* mips: 45 total, 45 passed, 0 failed
* parisc: 9 total, 9 passed, 0 failed
* powerpc: 27 total, 27 passed, 0 failed
* riscv: 21 total, 21 passed, 0 failed
* s390: 18 total, 18 passed, 0 failed
* sh: 18 total, 18 passed, 0 failed
* sparc: 9 total, 9 passed, 0 failed
* x15: 1 total, 0 passed, 1 failed
* x86: 1 total, 1 passed, 0 failed
* x86_64: 27 total, 27 passed, 0 failed

## Test suites summary
* fwts
* igt-gpu-tools
* install-android-platform-tools-r2600
* kselftest-
* kselftest-android
* kselftest-bpf
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-lkdtm
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-vsyscall-mode-native-
* kselftest-vsyscall-mode-none-
* kselftest-x86
* kselftest-zram
* kunit
* kvm-unit-tests
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* perf
* prep-inline
* rcutorture
* ssuite
* v4l2-compliance

--
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 181+ messages in thread

* Re: [PATCH 5.12 000/173] 5.12.11-rc1 review
  2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2021-06-15  4:32 ` Naresh Kamboju
@ 2021-06-15 14:21 ` Guenter Roeck
  179 siblings, 0 replies; 181+ messages in thread
From: Guenter Roeck @ 2021-06-15 14:21 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable

On Mon, Jun 14, 2021 at 12:25:32PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.12.11 release.
> There are 173 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 16 Jun 2021 10:26:30 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 151 pass: 151 fail: 0
Qemu test results:
	total: 462 pass: 462 fail: 0

Tested-by: Guenter Roeck <linux@roeck-us.net>

Guenter

^ permalink raw reply	[flat|nested] 181+ messages in thread

end of thread, other threads:[~2021-06-15 14:27 UTC | newest]

Thread overview: 181+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-14 10:25 [PATCH 5.12 000/173] 5.12.11-rc1 review Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 001/173] proc: Track /proc/$pid/attr/ opener mm_struct Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 002/173] ASoC: max98088: fix ni clock divider calculation Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 003/173] ASoC: amd: fix for pcm_read() error Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 004/173] spi: Fix spi device unregister flow Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 005/173] spi: spi-zynq-qspi: Fix stack violation bug Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 006/173] bpf: Forbid trampoline attach for functions with variable arguments Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 007/173] ASoC: codecs: lpass-rx-macro: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 008/173] ASoC: codecs: lpass-tx-macro: " Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 009/173] net/nfc/rawsock.c: fix a permission check bug Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 010/173] usb: cdns3: Fix runtime PM imbalance on error Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 011/173] ASoC: Intel: bytcr_rt5640: Add quirk for the Glavey TM800A550L tablet Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 012/173] ASoC: Intel: bytcr_rt5640: Add quirk for the Lenovo Miix 3-830 tablet Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 013/173] bpf: Add deny list of btf ids check for tracing programs Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 014/173] vfio-ccw: Reset FSM state to IDLE inside FSM Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 015/173] vfio-ccw: Serialize FSM IDLE state with I/O completion Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 016/173] ASoC: sti-sas: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 017/173] spi: sprd: Add " Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 018/173] usb: chipidea: udc: assign interrupt number to USB gadget structure Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 019/173] isdn: mISDN: netjet: Fix crash in nj_probe: Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 020/173] bonding: init notify_work earlier to avoid uninitialized use Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 021/173] netlink: disable IRQs for netlink_lock_table() Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 022/173] net: mdiobus: get rid of a BUG_ON() Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 023/173] cgroup: disable controllers at parse time Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 024/173] wq: handle VM suspension in stall detection Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 025/173] net/qla3xxx: fix schedule while atomic in ql_sem_spinlock Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 026/173] RDS tcp loopback connection can hang Greg Kroah-Hartman
2021-06-14 10:25 ` [PATCH 5.12 027/173] net:sfc: fix non-freed irq in legacy irq mode Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 028/173] scsi: bnx2fc: Return failure if io_req is already in ABTS processing Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 029/173] scsi: vmw_pvscsi: Set correct residual data length Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 030/173] scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated irq Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 031/173] scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 032/173] net: macb: ensure the device is available before accessing GEMGXL control registers Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 033/173] net: appletalk: cops: Fix data race in cops_probe1 Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 034/173] net: dsa: microchip: enable phy errata workaround on 9567 Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 035/173] Makefile: LTO: have linker check -Wframe-larger-than Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 036/173] nvme-fabrics: decode host pathing error for connect Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 037/173] MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 038/173] bpf, selftests: Adjust few selftest result_unpriv outcomes Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 039/173] dm verity: fix require_signatures module_param permissions Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 040/173] bnx2x: Fix missing error code in bnx2x_iov_init_one() Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 041/173] nvme-tcp: remove incorrect Kconfig dep in BLK_DEV_NVME Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 042/173] nvmet: fix false keep-alive timeout when a controller is torn down Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 043/173] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 044/173] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 " Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 045/173] spi: Dont have controller clean up spi device before driver unbind Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 046/173] spi: Cleanup on failure of initial setup Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 047/173] i2c: mpc: Make use of i2c_recover_bus() Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 048/173] i2c: mpc: implement erratum A-004447 workaround Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 049/173] ALSA: seq: Fix race of snd_seq_timer_open() Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 050/173] ALSA: firewire-lib: fix the context to call snd_pcm_stop_xrun() Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 051/173] ALSA: hda/realtek: headphone and mic dont work on an Acer laptop Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 052/173] ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Elite Dragonfly G2 Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 053/173] ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP EliteBook x360 1040 G8 Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 054/173] ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 840 Aero G8 Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 055/173] ALSA: hda/realtek: fix mute/micmute LEDs for HP ZBook Power G8 Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 056/173] spi: bcm2835: Fix out-of-bounds access with more than 4 slaves Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 057/173] Revert "ACPI: sleep: Put the FACS table after using it" Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 058/173] ACPI: Pass the same capabilities to the _OSC regardless of the query flag Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 059/173] drm: Fix use-after-free read in drm_getunique() Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 060/173] drm: Lock pointer access in drm_master_release() Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 061/173] x86, lto: Pass -stack-alignment only on LLD < 13.0.0 Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 062/173] perf/x86/intel/uncore: Fix M2M event umask for Ice Lake server Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 063/173] KVM: x86: Unload MMU on guest TLB flush if TDP disabled to force MMU sync Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 064/173] KVM: X86: MMU: Use the correct inherited permissions to get shadow page Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 065/173] kvm: avoid speculation-based attacks from out-of-range memslot accesses Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 066/173] staging: rtl8723bs: Fix uninitialized variables Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 067/173] usb: misc: brcmstb-usb-pinmap: check return value after calling platform_get_resource() Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 068/173] misc: rtsx: separate aspm mode into MODE_REG and MODE_CFG Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 069/173] bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove() Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 070/173] tick/nohz: Only check for RCU deferred wakeup on user/guest entry when needed Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 071/173] bcache: remove bcache device self-defined readahead Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 072/173] bcache: avoid oversized read request in cache missing code path Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 073/173] async_xor: check src_offs is not NULL before updating it Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 074/173] btrfs: do not write supers if we have an fs error Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 075/173] btrfs: zoned: fix zone number to sector/physical calculation Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 076/173] btrfs: return value from btrfs_mark_extent_written() in case of error Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 077/173] btrfs: promote debugging asserts to full-fledged checks in validate_super Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 078/173] coredump: Limit what can interrupt coredumps Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 079/173] cgroup1: dont allow \n in renaming Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 080/173] ftrace: Do not blindly read the ip address in ftrace_bug() Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 081/173] tracing: Correct the length check which causes memory corruption Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 082/173] tools/bootconfig: Fix a build error accroding to undefined fallthrough Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 083/173] mmc: renesas_sdhi: abort tuning when timeout detected Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 084/173] mmc: renesas_sdhi: Fix HS400 on R-Car M3-W+ Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 085/173] USB: f_ncm: ncm_bitrate (speed) is unsigned Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 086/173] usb: f_ncm: only first packet of aggregate needs to start timer Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 5.12 087/173] usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 088/173] usb: dwc3-meson-g12a: fix usb2 PHY glue init when phy0 is disabled Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 089/173] usb: dwc3: meson-g12a: Disable the regulator in the error handling path of the probe Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 090/173] usb: dwc3: gadget: Bail from dwc3_gadget_exit() if dwc->gadget is NULL Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 091/173] usb: dwc3: debugfs: Add and remove endpoint dirs dynamically Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 092/173] usb: dwc3: ep0: fix NULL pointer exception Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 093/173] usb: pci-quirks: disable D3cold on xhci suspend for s2idle on AMD Renoir Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 094/173] usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 095/173] usb: typec: wcove: Use LE to CPU conversion when accessing msg->header Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 096/173] usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 097/173] usb: typec: intel_pmc_mux: Put fwnode in error case during ->probe() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 098/173] usb: typec: intel_pmc_mux: Add missed error check for devm_ioremap_resource() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 099/173] usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 100/173] USB: serial: ftdi_sio: add NovaTech OrionMX product ID Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 101/173] USB: serial: omninet: add device id for Zyxel Omni 56K Plus Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 102/173] USB: serial: quatech2: fix control-request directions Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 103/173] USB: serial: cp210x: fix alternate function for CP2102N QFN20 Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 104/173] USB: serial: cp210x: fix CP2102N-A01 modem control Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 105/173] usb: cdnsp: Fix deadlock issue in cdnsp_thread_irq_handler Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 106/173] usb: gadget: eem: fix wrong eem header operation Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 107/173] usb: fix various gadgets null ptr deref on 10gbps cabling Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 108/173] usb: fix various gadget panics " Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 109/173] usb: typec: tcpm: Properly handle Alert and Status Messages Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 110/173] usb: typec: tcpm: cancel vdm and state machine hrtimer when unregister tcpm port Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 111/173] usb: typec: tcpm: cancel frs " Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 112/173] usb: typec: tcpm: Do not finish VDM AMS for retrying Responses Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 113/173] regulator: core: resolve supply for boot-on/always-on regulators Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 114/173] regulator: max77620: Use device_set_of_node_from_dev() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 115/173] regulator: bd718x7: Fix the BUCK7 voltage setting on BD71837 Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 116/173] regulator: da9121: Return REGULATOR_MODE_INVALID for invalid mode Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 117/173] regulator: fan53880: Fix missing n_voltages setting Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 118/173] regulator: fixed: Ensure enable_counter is correct if reg_domain_disable fails Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 119/173] regulator: scmi: Fix off-by-one for linear regulators .n_voltages setting Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 120/173] regulator: bd71828: Fix .n_voltages settings Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 121/173] regulator: atc260x: Fix n_voltages and min_sel for pickable linear ranges Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 122/173] regulator: rtmv20: Fix .set_current_limit/.get_current_limit callbacks Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 123/173] phy: usb: Fix misuse of IS_ENABLED Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 124/173] usb: cdns3: Enable TDL_CHK only for OUT ep Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 125/173] usb: dwc3: gadget: Disable gadget IRQ during pullup disable Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 126/173] usb: typec: tcpm: Correct the responses in SVDM Version 2.0 DFP Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 127/173] usb: typec: tcpm: Fix misuses of AMS invocation Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 128/173] usb: typec: mux: Fix copy-paste mistake in typec_mux_match Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 129/173] drm/mcde: Fix off by 10^3 in calculation Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 130/173] drm/msm/a6xx: fix incorrectly set uavflagprd_inv field for A650 Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 131/173] drm/msm/a6xx: update/fix CP_PROTECT initialization Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 132/173] drm/msm/a6xx: avoid shadow NULL reference in failure path Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 133/173] hwmon: (corsair-psu) fix suspend behavior Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 134/173] hwmon: (tps23861) define regmap max register Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 135/173] hwmon: (tps23861) set current shunt value Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 136/173] hwmon: (tps23861) correct shunt LSB values Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 137/173] RDMA/ipoib: Fix warning caused by destroying non-initial netns Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 138/173] RDMA/mlx5: Use different doorbell memory for different processes Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 139/173] RDMA/mlx4: Do not map the core_clock page to user space unless enabled Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 140/173] RDMA/mlx5: Block FDB rules when not in switchdev mode Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 141/173] RDMA: Verify port when creating flow rule Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 142/173] ARM: cpuidle: Avoid orphan section warning Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 143/173] vmlinux.lds.h: Avoid orphan section with !SMP Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 144/173] tools/bootconfig: Fix error return code in apply_xbc() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 145/173] phy: cadence: Sierra: Fix error return code in cdns_sierra_phy_probe() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 146/173] ASoC: core: Fix Null-point-dereference in fmt_single_name() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 5.12 147/173] ASoC: meson: gx-card: fix sound-dai dt schema Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 148/173] phy: ti: Fix an error code in wiz_probe() Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 149/173] gpio: wcd934x: Fix shift-out-of-bounds error Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 150/173] pinctrl: qcom: Fix duplication in gpio_groups Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 151/173] perf/x86/intel/uncore: Fix a kernel WARNING triggered by maxcpus=1 Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 152/173] perf: Fix data race between pin_count increment/decrement Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 153/173] dt-bindings: connector: Replace BIT macro with generic bit ops Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 154/173] sched/fair: Keep load_avg and load_sum synced Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 155/173] sched/fair: Make sure to update tg contrib for blocked load Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 156/173] ASoC: SOF: reset enabled_cores state at suspend Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 157/173] sched/fair: Fix util_est UTIL_AVG_UNCHANGED handling Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 158/173] platform/surface: aggregator: Fix event disable function Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 159/173] x86/nmi_watchdog: Fix old-style NMI watchdog regression on old Intel CPUs Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 160/173] KVM: x86: Ensure liveliness of nested VM-Enter fail tracepoint message Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 161/173] IB/mlx5: Fix initializing CQ fragments buffer Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 162/173] NFS: Fix a potential NULL dereference in nfs_get_client() Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 163/173] NFSv4: Fix deadlock between nfs4_evict_inode() and nfs4_opendata_get_inode() Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 164/173] pinctrl: qcom: Make it possible to select SC8180x TLMM Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 165/173] perf session: Correct buffer copying when peeking events Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 166/173] kvm: fix previous commit for 32-bit builds Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 167/173] NFS: Fix use-after-free in nfs4_init_client() Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 168/173] NFSv4: Fix second deadlock in nfs4_evict_inode() Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 169/173] NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 170/173] scsi: core: Fix error handling of scsi_host_alloc() Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 171/173] scsi: core: Fix failure handling of scsi_add_host_with_dma() Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 172/173] scsi: core: Put .shost_dev in failure path if host state changes to RUNNING Greg Kroah-Hartman
2021-06-14 10:28 ` [PATCH 5.12 173/173] scsi: core: Only put parent device if host state differs from SHOST_CREATED Greg Kroah-Hartman
2021-06-14 16:34 ` [PATCH 5.12 000/173] 5.12.11-rc1 review Fox Chen
2021-06-14 17:55 ` Jon Hunter
2021-06-14 19:26 ` Shuah Khan
2021-06-14 19:47 ` Florian Fainelli
2021-06-14 19:55 ` Justin Forbes
2021-06-15  4:32 ` Naresh Kamboju
2021-06-15 14:21 ` Guenter Roeck

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.