* [PATCH 5.10 000/599] 5.10.110-rc1 review
@ 2022-04-05 7:24 Greg Kroah-Hartman
2022-04-05 7:24 ` [PATCH 5.10 001/599] swiotlb: fix info leak with DMA_FROM_DEVICE Greg Kroah-Hartman
` (611 more replies)
0 siblings, 612 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, slade
This is the start of the stable review cycle for the 5.10.110 release.
There are 599 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 07 Apr 2022 07:01:33 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.110-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 5.10.110-rc1
Vijay Balakrishna <vijayb@linux.microsoft.com>
arm64: Do not defer reserve_crashkernel() for platforms with no DMA memory zones
Eric W. Biederman <ebiederm@xmission.com>
coredump: Use the vma snapshot in fill_files_note
Eric W. Biederman <ebiederm@xmission.com>
coredump/elf: Pass coredump_params into fill_note_info
Eric W. Biederman <ebiederm@xmission.com>
coredump: Remove the WARN_ON in dump_vma_snapshot
Eric W. Biederman <ebiederm@xmission.com>
coredump: Snapshot the vmas in do_coredump
Hangyu Hua <hbh25y@gmail.com>
can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path
Marc Kleine-Budde <mkl@pengutronix.de>
can: m_can: m_can_tx_handler(): fix use after free of skb
Paolo Bonzini <pbonzini@redhat.com>
KVM: x86/mmu: do compare-and-exchange of gPTE via the user address
Martin Varghese <martin.varghese@nokia.com>
openvswitch: Fixed nd target mask field in the flow dump.
Guilherme G. Piccoli <gpiccoli@igalia.com>
docs: sysctl/kernel: add missing bit to panic_print
Anton Ivanov <anton.ivanov@cambridgegreys.com>
um: Fix uml_mconsole stop/go
Kuldeep Singh <singh.kuldeep87k@gmail.com>
ARM: dts: spear13xx: Update SPI dma properties
Kuldeep Singh <singh.kuldeep87k@gmail.com>
ARM: dts: spear1340: Update serial node properties
Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
ASoC: topology: Allow TLV control to be either read or write
Zhihao Cheng <chengzhihao1@huawei.com>
ubi: fastmap: Return error code if memory allocation fails in add_aeb()
Miquel Raynal <miquel.raynal@bootlin.com>
dt-bindings: spi: mxic: The interrupt property is not mandatory
Miquel Raynal <miquel.raynal@bootlin.com>
dt-bindings: mtd: nand-controller: Fix a comment in the examples
Miquel Raynal <miquel.raynal@bootlin.com>
dt-bindings: mtd: nand-controller: Fix the reg property description
Hengqi Chen <hengqi.chen@gmail.com>
bpf: Fix comment for helper bpf_current_task_under_cgroup()
Namhyung Kim <namhyung@kernel.org>
bpf: Adjust BPF stack helper functions to accommodate skip > 0
Randy Dunlap <rdunlap@infradead.org>
mm/usercopy: return 1 from hardened_usercopy __setup() handler
Randy Dunlap <rdunlap@infradead.org>
mm/memcontrol: return 1 from cgroup.memory __setup() handler
Randy Dunlap <rdunlap@infradead.org>
ARM: 9187/1: JIVE: fix return value of __setup handler
Randy Dunlap <rdunlap@infradead.org>
mm/mmap: return 1 from stack_guard_gap __setup() handler
Sven Eckelmann <sven@narfation.org>
batman-adv: Check ptr for NULL before reducing its refcnt
Jiasheng Jiang <jiasheng@iscas.ac.cn>
ASoC: soc-compress: Change the check for codec_dai
Arınç ÜNAL <arinc.unal@arinc9.com>
staging: mt7621-dts: fix pinctrl-0 items to be size-1 items on ethernet
Lv Ruyi <lv.ruyi@zte.com.cn>
proc: bootconfig: Add null pointer check
Oliver Hartkopp <socketcan@hartkopp.net>
can: isotp: restore accidentally removed MSG_PEEK feature
Prashant Malani <pmalani@chromium.org>
platform/chrome: cros_ec_typec: Check for EC device
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: CPPC: Avoid out of bounds access when parsing _CPC data
Fangrui Song <maskray@google.com>
riscv module: remove (NOLOAD)
Pavel Begunkov <asml.silence@gmail.com>
io_uring: fix memory leak of uid in files registration
Arnd Bergmann <arnd@arndb.de>
ARM: iop32x: offset IRQ numbers by 1
Baokun Li <libaokun1@huawei.com>
ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl
Jiaxin Yu <jiaxin.yu@mediatek.com>
ASoC: mediatek: mt6358: add missing EXPORT_SYMBOLs
Jonathan Neuschäfer <j.neuschaefer@gmx.net>
pinctrl: nuvoton: npcm7xx: Use %zu printk format for ARRAY_SIZE()
Jonathan Neuschäfer <j.neuschaefer@gmx.net>
pinctrl: nuvoton: npcm7xx: Rename DS() macro to DSTR()
Miaoqian Lin <linmq006@gmail.com>
watchdog: rti-wdt: Add missing pm_runtime_disable() in probe function
Chen-Yu Tsai <wenst@chromium.org>
pinctrl: pinconf-generic: Print arguments for bias-pull-*
Eric Dumazet <edumazet@google.com>
watch_queue: Free the page array when watch_queue is dismantled
Herbert Xu <herbert@gondor.apana.org.au>
crypto: arm/aes-neonbs-cbc - Select generic cbc and aes
Robin Gong <yibin.gong@nxp.com>
mailbox: imx: fix wakeup failure from freeze mode
David Howells <dhowells@redhat.com>
rxrpc: Fix call timer start racing with call destruction
Guangbin Huang <huangguangbin2@huawei.com>
net: hns3: fix software vlan talbe of vlan 0 inconsistent with hardware
Andrew Price <anprice@redhat.com>
gfs2: Make sure FITRIM minlen is rounded up to fs block size
Tom Rix <trix@redhat.com>
rtc: check if __rtc_read_time was successful
Matthew Wilcox (Oracle) <willy@infradead.org>
XArray: Update the LRU list in xas_split()
Tom Rix <trix@redhat.com>
can: mcp251xfd: mcp251xfd_register_get_dev_id(): fix return of error value
Pavel Skripkin <paskripkin@gmail.com>
can: mcba_usb: properly check endpoint type
Hangyu Hua <hbh25y@gmail.com>
can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path
Matthew Wilcox (Oracle) <willy@infradead.org>
XArray: Fix xas_create_range() when multi-order entry present
Jason A. Donenfeld <Jason@zx2c4.com>
wireguard: socket: ignore v6 endpoints when ipv6 is disabled
Wang Hai <wanghai38@huawei.com>
wireguard: socket: free skb in send6 when ipv6 is disabled
Jason A. Donenfeld <Jason@zx2c4.com>
wireguard: queueing: use CFI-safe ptr_ring cleanup function
Baokun Li <libaokun1@huawei.com>
ubifs: rename_whiteout: correct old_dir size computing
Zhihao Cheng <chengzhihao1@huawei.com>
ubifs: Fix to add refcount once page is set private
Zhihao Cheng <chengzhihao1@huawei.com>
ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()
Zhihao Cheng <chengzhihao1@huawei.com>
ubifs: setflags: Make dirtied_ino_d 8 bytes aligned
Zhihao Cheng <chengzhihao1@huawei.com>
ubifs: Add missing iput if do_tmpfile() failed in rename whiteout
Zhihao Cheng <chengzhihao1@huawei.com>
ubifs: Fix deadlock in concurrent rename whiteout and inode writeback
Zhihao Cheng <chengzhihao1@huawei.com>
ubifs: rename_whiteout: Fix double free for whiteout_ui->data
Ammar Faizi <ammarfaizi2@gnuweeb.org>
ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM
Yi Wang <wang.yi59@zte.com.cn>
KVM: SVM: fix panic on out-of-bounds guest IRQ
Li RongQing <lirongqing@baidu.com>
KVM: x86: fix sending PV IPI
David Matlack <dmatlack@google.com>
KVM: Prevent module exit until all VMs are freed
Vitaly Kuznetsov <vkuznets@redhat.com>
KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't activated
Gwendal Grignou <gwendal@chromium.org>
platform: chrome: Split trace include file
Manish Rangankar <mrangankar@marvell.com>
scsi: qla2xxx: Use correct feature type field during RFF_ID processing
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: Reduce false trigger to login
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: Fix N2N inconsistent PLOGI
Arun Easi <aeasi@marvell.com>
scsi: qla2xxx: Fix missed DMA unmap for NVMe ls requests
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: Fix hang due to session stuck
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: Fix incorrect reporting of task management failure
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: Fix disk failure to rediscover
Saurav Kashyap <skashyap@marvell.com>
scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair()
Joe Carnuccio <joe.carnuccio@cavium.com>
scsi: qla2xxx: Check for firmware dump already collected
Joe Carnuccio <joe.carnuccio@cavium.com>
scsi: qla2xxx: Add devids and conditionals for 28xx
Arun Easi <aeasi@marvell.com>
scsi: qla2xxx: Fix device reconnect in loop topology
Nilesh Javali <njavali@marvell.com>
scsi: qla2xxx: Fix warning for missing error code
Bikash Hazarika <bhazarika@marvell.com>
scsi: qla2xxx: Fix wrong FDMI data for 64G adapter
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: Fix scheduling while atomic
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: Fix stuck session in gpdb
Anders Roxell <anders.roxell@linaro.org>
powerpc: Fix build errors with newer binutils
Anders Roxell <anders.roxell@linaro.org>
powerpc/lib/sstep: Fix build errors with newer binutils
Anders Roxell <anders.roxell@linaro.org>
powerpc/lib/sstep: Fix 'sthcx' instruction
Chen Jingwen <chenjingwen6@huawei.com>
powerpc/kasan: Fix early region not updated correctly
Sean Christopherson <seanjc@google.com>
KVM: x86/mmu: Check for present SPTE when clearing dirty bit in TDP MMU
Matt Kramer <mccleetus@gmail.com>
ALSA: hda/realtek: Add alc256-samsung-headphone fixup
Mauro Carvalho Chehab <mchehab@kernel.org>
media: atomisp: fix bad usage at error handling logic
Ulf Hansson <ulf.hansson@linaro.org>
mmc: host: Return an error when ->enable_sdio_irq() ops is missing
Steven Rostedt (Google) <rostedt@goodmis.org>
tracing: Have TRACE_DEFINE_ENUM affect trace event types as well
Dongliang Mu <mudongliangabcd@gmail.com>
media: hdpvr: initialize dev->worker at hdpvr_register_videodev
Pavel Skripkin <paskripkin@gmail.com>
media: Revert "media: em28xx: add missing em28xx_close_extension"
Zheyu Ma <zheyuma97@gmail.com>
video: fbdev: sm712fb: Fix crash in smtcfb_write()
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
ARM: mmp: Fix failure to remove sram device
Richard Leitner <richard.leitner@skidata.com>
ARM: tegra: tamonten: Fix I2C3 pad setting
Arnd Bergmann <arnd@arndb.de>
lib/test_lockup: fix kernel pointer check for separate address spaces
Arnd Bergmann <arnd@arndb.de>
uaccess: fix type mismatch warnings from access_ok()
Daniel González Cabanelas <dgcbueu@gmail.com>
media: cx88-mpeg: clear interrupt status register before streaming video
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: soc-core: skip zero num_dai component in searching dai name
Richard Schleich <rs@noreya.tech>
ARM: dts: bcm2711: Add the missing L1/L2 cache information
Jing Yao <yao.jing2@zte.com.cn>
video: fbdev: udlfb: replace snprintf in show functions with sysfs_emit
Jing Yao <yao.jing2@zte.com.cn>
video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf()
Jing Yao <yao.jing2@zte.com.cn>
video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf()
Marcel Ziswiler <marcel.ziswiler@toradex.com>
arm64: defconfig: build imx-sdma as a module
Abel Vesa <abel.vesa@nxp.com>
ARM: dts: imx7: Use audio_mclk_post_div instead audio_mclk_root_clk
Ard Biesheuvel <ardb@kernel.org>
ARM: ftrace: avoid redundant loads or clobbering IP
Tsuchiya Yuto <kitakar@gmail.com>
media: atomisp: fix dummy_ptr check to avoid duplicate active_bo
Hans de Goede <hdegoede@redhat.com>
media: atomisp_gmin_platform: Add DMI quirk to not turn AXP ELDO2 regulator off on some boards
Charles Keepax <ckeepax@opensource.cirrus.com>
ASoC: madera: Add dependencies on MFD
Richard Schleich <rs@noreya.tech>
ARM: dts: bcm2837: Add the missing L1/L2 cache information
David Heidelberg <david@ixit.cz>
ARM: dts: qcom: fix gic_irq_domain_translate warnings for msm8960
Yang Guang <yang.guang5@zte.com.cn>
video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit
George Kennedy <george.kennedy@oracle.com>
video: fbdev: cirrusfb: check pixclock to avoid divide by zero
Evgeny Novikov <novikov@ispras.ru>
video: fbdev: w100fb: Reset global state
Tim Gardner <tim.gardner@canonical.com>
video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow
Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
ASoC: SOF: Intel: hda: Remove link assignment limitation
Peiwei Hu <jlu.hpw@foxmail.com>
media: ir_toy: free before error exiting
Hans Verkuil <hverkuil-cisco@xs4all.nl>
media: staging: media: zoran: fix various V4L2 compliance errors
Corentin Labbe <clabbe@baylibre.com>
media: staging: media: zoran: calculate the right buffer number for zoran_reap_stat_com
Corentin Labbe <clabbe@baylibre.com>
media: staging: media: zoran: move videodev alloc
Dongliang Mu <mudongliangabcd@gmail.com>
ntfs: add sanity check on allocation size
Chao Yu <chao@kernel.org>
f2fs: compress: fix to print raw data size in error path of lz4 decompression
Chuck Lever <chuck.lever@oracle.com>
NFSD: Fix nfsd_breaker_owns_lease() return values
Chao Yu <chao@kernel.org>
f2fs: fix to do sanity check on curseg->alloc_type
Theodore Ts'o <tytso@mit.edu>
ext4: don't BUG if someone dirty pages without asking ext4 first
Ritesh Harjani <riteshh@linux.ibm.com>
ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit
Ritesh Harjani <riteshh@linux.ibm.com>
ext4: correct cluster len and clusters changed accounting in ext4_mb_mark_bb
Waiman Long <longman@redhat.com>
locking/lockdep: Iterate lock_classes directly when reading lockdep files
Minghao Chi <chi.minghao@zte.com.cn>
spi: tegra20: Use of_device_get_match_data()
Chris Leech <cleech@redhat.com>
nvme-tcp: lockdep: annotate in-kernel sockets
John David Anglin <dave.anglin@bell.net>
parisc: Fix handling off probe non-access faults
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
PM: core: keep irq flags in device_pm_check_callbacks()
Darren Hart <darren@os.amperecomputing.com>
ACPI/APEI: Limit printable size of BERT table data
Paolo Valente <paolo.valente@linaro.org>
Revert "Revert "block, bfq: honor already-setup queue merges""
Paul Menzel <pmenzel@molgen.mpg.de>
lib/raid6/test/Makefile: Use $(pound) instead of \# for Make 4.3
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPICA: Avoid walking the ACPI Namespace if it is not there
Zhang Wensheng <zhangwensheng5@huawei.com>
bfq: fix use-after-free in bfq_dispatch_request
Akira Kawata <akirakawata1@gmail.com>
fs/binfmt_elf: Fix AT_PHDR for unusual ELF files
Souptick Joarder (HPE) <jrdr.linux@gmail.com>
irqchip/nvic: Release nvic_base upon failure
Marc Zyngier <maz@kernel.org>
irqchip/qcom-pdc: Fix broken locking
Casey Schaufler <casey@schaufler-ca.com>
Fix incorrect type in assignment of ipv6 port for audit
Chaitanya Kulkarni <kch@nvidia.com>
loop: use sysfs_emit() in the sysfs xxx show()
Richard Haines <richard_c_haines@btinternet.com>
selinux: allow FIOCLEX and FIONCLEX with policy capability
Christian Göttsche <cgzones@googlemail.com>
selinux: use correct type for context length
Yu Kuai <yukuai3@huawei.com>
block, bfq: don't move oom_bfqq
Marc Zyngier <maz@kernel.org>
pinctrl: npcm: Fix broken references to chip->parent_device
Kees Cook <keescook@chromium.org>
gcc-plugins/stackleak: Exactly match strings instead of prefixes
Dave Stevenson <dave.stevenson@raspberrypi.com>
regulator: rpi-panel: Handle I2C errors/timing to the Atmel
Casey Schaufler <casey@schaufler-ca.com>
LSM: general protection fault in legacy_parse_param
Linus Torvalds <torvalds@linux-foundation.org>
fs: fix fd table size alignment properly
Dan Carpenter <dan.carpenter@oracle.com>
lib/test: use after free in register_test_dev_kmod()
Linus Torvalds <torvalds@linux-foundation.org>
fs: fd tables have to be multiples of BITS_PER_LONG
Xiaomeng Tong <xiam0nd.tong@gmail.com>
net: dsa: bcm_sf2_cfp: fix an incorrect NULL check on list iterator
Trond Myklebust <trond.myklebust@hammerspace.com>
NFSv4/pNFS: Fix another issue with a list iterator pointing to the head
Duoming Zhou <duoming@zju.edu.cn>
net/x25: Fix null-ptr-deref caused by x25_disconnect
Tom Rix <trix@redhat.com>
qlcnic: dcb: default to returning -EOPNOTSUPP
Ido Schimmel <idosch@nvidia.com>
selftests: test_vxlan_under_vrf: Fix broken test case
Florian Fainelli <f.fainelli@gmail.com>
net: phy: broadcom: Fix brcm_fet_config_init()
Jian Shen <shenjian15@huawei.com>
net: hns3: fix bug when PF set the duplicate MAC address for VFs
Vladimir Oltean <vladimir.oltean@nxp.com>
net: enetc: report software timestamping via SO_TIMESTAMPING
Juergen Gross <jgross@suse.com>
xen: fix is_xen_pmu()
Maxime Ripard <maxime@cerno.tech>
clk: Initialize orphan req_rate
Konrad Dybcio <konrad.dybcio@somainline.org>
clk: qcom: gcc-msm8994: Fix gpll4 width
Daniel Thompson <daniel.thompson@linaro.org>
kdb: Fix the putarea helper function
Olga Kornievskaia <kolga@netapp.com>
NFSv4.1: don't retry BIND_CONN_TO_SESSION on session error
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options
Pavel Skripkin <paskripkin@gmail.com>
jfs: fix divide error in dbNextAG
Randy Dunlap <rdunlap@infradead.org>
driver core: dd: fix return value of __setup handler
David Gow <davidgow@google.com>
firmware: google: Properly state IOMEM dependency
Randy Dunlap <rdunlap@infradead.org>
kgdbts: fix return value of __setup handler
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
serial: 8250: fix XOFF/XON sending when DMA is used
Randy Dunlap <rdunlap@infradead.org>
kgdboc: fix return value of __setup handler
Randy Dunlap <rdunlap@infradead.org>
tty: hvc: fix return value of __setup handler
Miaoqian Lin <linmq006@gmail.com>
pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe
Miaoqian Lin <linmq006@gmail.com>
pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe
Chen-Yu Tsai <wenst@chromium.org>
pinctrl: mediatek: paris: Skip custom extra pin config dump for virtual GPIOs
Chen-Yu Tsai <wenst@chromium.org>
pinctrl: mediatek: paris: Fix pingroup pin config state readback
Chen-Yu Tsai <wenst@chromium.org>
pinctrl: mediatek: paris: Fix "argument" argument type for mtk_pinconf_get()
Chen-Yu Tsai <wenst@chromium.org>
pinctrl: mediatek: paris: Fix PIN_CONFIG_BIAS_* readback
Miaoqian Lin <linmq006@gmail.com>
pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init
Arınç ÜNAL <arinc.unal@arinc9.com>
staging: mt7621-dts: fix GB-PC2 devicetree
Arınç ÜNAL <arinc.unal@arinc9.com>
staging: mt7621-dts: fix pinctrl properties for ethernet
Arınç ÜNAL <arinc.unal@arinc9.com>
staging: mt7621-dts: fix formatting
Arınç ÜNAL <arinc.unal@arinc9.com>
staging: mt7621-dts: fix LEDs and pinctrl on GB-PC1 devicetree
Alexey Khoroshilov <khoroshilov@ispras.ru>
NFS: remove unneeded check in decode_devicenotify_args()
Miaoqian Lin <linmq006@gmail.com>
clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver
Jonathan Neuschäfer <j.neuschaefer@gmx.net>
clk: clps711x: Terminate clk_div_table with sentinel element
Jonathan Neuschäfer <j.neuschaefer@gmx.net>
clk: loongson1: Terminate clk_div_table with sentinel element
Jonathan Neuschäfer <j.neuschaefer@gmx.net>
clk: actions: Terminate clk_div_table with sentinel element
Dan Williams <dan.j.williams@intel.com>
nvdimm/region: Fix default alignment for small regions
Miaoqian Lin <linmq006@gmail.com>
remoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region
Miaoqian Lin <linmq006@gmail.com>
remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region
Miaoqian Lin <linmq006@gmail.com>
remoteproc: qcom: Fix missing of_node_put in adsp_alloc_memory_region
Jie Hai <haijie1@huawei.com>
dmaengine: hisi_dma: fix MSI allocate fail when reload hisi_dma
Taniya Das <tdas@codeaurora.org>
clk: qcom: clk-rcg2: Update the frac table for pixel clock
Taniya Das <tdas@codeaurora.org>
clk: qcom: clk-rcg2: Update logic to calculate D value for RCG
Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
clk: at91: sama7g5: fix parents of PDMCs' GCLK
Abel Vesa <abel.vesa@nxp.com>
clk: imx7d: Remove audio_mclk_root_clk
Randy Dunlap <rdunlap@infradead.org>
dma-debug: fix return value of __setup handlers
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Return valid errors from nfs2/3_decode_dirent()
Jiasheng Jiang <jiasheng@iscas.ac.cn>
habanalabs: Add check for pci_enable_device
Jiasheng Jiang <jiasheng@iscas.ac.cn>
iio: adc: Add check for devm_request_threaded_irq
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
serial: 8250: Fix race condition in RTS-after-send handling
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Use of mapping_set_error() results in spurious errors
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
serial: 8250_lpss: Balance reference count for PCI DMA device
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
serial: 8250_mid: Balance reference count for PCI DMA device
Liu Ying <victor.liu@nxp.com>
phy: dphy: Correct lpx parameter and its derivatives(ta_{get,go,sure})
Dirk Buchwalder <buchwalder@posteo.de>
clk: qcom: ipq8074: Use floor ops for SDCC1 clock
Geert Uytterhoeven <geert+renesas@glider.be>
pinctrl: renesas: checker: Fix miscalculation of number of states
Geert Uytterhoeven <geert+renesas@glider.be>
pinctrl: renesas: r8a77470: Reduce size for narrow VIN1 channel
Jonathan Cameron <Jonathan.Cameron@huawei.com>
staging:iio:adc:ad7280a: Fix handing of device address bit reversing.
Hans de Goede <hdegoede@redhat.com>
iio: mma8452: Fix probe failing when an i2c_device_id is used
Robert Marko <robimarko@gmail.com>
clk: qcom: ipq8074: fix PCI-E clock oops
Libin Yang <libin.yang@intel.com>
soundwire: intel: fix wrong register name in intel_shim_wake
Luca Weiss <luca@z3ntu.xyz>
cpufreq: qcom-cpufreq-nvmem: fix reading of PVS Valid fuse
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
misc: alcor_pci: Fix an error handling path
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
fsi: Aspeed: Fix a potential double free
Yangtao Li <tiny.windzz@gmail.com>
fsi: aspeed: convert to devm_platform_ioremap_resource
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add()
Jiri Slaby <jirislaby@kernel.org>
mxser: fix xmit_buf leak in activate when LSR == 0xff
Miaoqian Lin <linmq006@gmail.com>
mfd: asic3: Add missing iounmap() on error asic3_mfd_probe
Hoang Le <hoang.h.le@dektech.com.au>
tipc: fix the timer expires after interval 100ms
Aaron Conole <aconole@redhat.com>
openvswitch: always update flow key after nat
Jakub Kicinski <kuba@kernel.org>
tcp: ensure PMTU updates are processed during fastopen
Jeremy Linton <jeremy.linton@arm.com>
net: bcmgenet: Use stronger register read/writes to assure ordering
Bjorn Helgaas <bhelgaas@google.com>
PCI: Avoid broken MSI on SB600 USB devices
Hangbin Liu <liuhangbin@gmail.com>
selftests/bpf/test_lirc_mode2.sh: Exit with proper code
Peter Rosin <peda@axentia.se>
i2c: mux: demux-pinctrl: do not deactivate a master that is not active
Lucas Tanure <tanure@linux.com>
i2c: meson: Fix wrong speed use from probe
Petr Machata <petrm@nvidia.com>
af_netlink: Fix shift out of bounds in group mask calculation
Guillaume Nault <gnault@redhat.com>
ipv4: Fix route lookups when handling ICMP redirects and PMTU updates
Yake Yang <yake.yang@mediatek.com>
Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt
Niels Dossche <dossche.niels@gmail.com>
Bluetooth: call hci_le_conn_failed with hdev lock in hci_le_conn_failed
Jakub Sitnicki <jakub@cloudflare.com>
selftests/bpf: Fix error reporting from sock_fields programs
Hangbin Liu <liuhangbin@gmail.com>
bareudp: use ipv6_mod_enabled to check if IPv6 enabled
Oliver Hartkopp <socketcan@hartkopp.net>
can: isotp: support MSG_TRUNC flag when reading from socket
Oliver Hartkopp <socketcan@hartkopp.net>
can: isotp: return -EADDRNOTAVAIL when reading from unbound socket
Dan Carpenter <dan.carpenter@oracle.com>
USB: storage: ums-realtek: fix error code in rts51x_read_mem()
Niklas Söderlund <niklas.soderlund@corigine.com>
samples/bpf, xdpsock: Fix race when running for fix duration of time
Wang Yufen <wangyufen@huawei.com>
bpf, sockmap: Fix double uncharge the mem of sk_msg
Wang Yufen <wangyufen@huawei.com>
bpf, sockmap: Fix more uncharged while msg has more_data
Wang Yufen <wangyufen@huawei.com>
bpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full
Yongzhi Liu <lyz_cs@pku.edu.cn>
RDMA/mlx5: Fix memory leak in error flow for subscribe event routine
Xin Xiong <xiongx18@fudan.edu.cn>
mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init
Yaliang Wang <Yaliang.Wang@windriver.com>
MIPS: pgalloc: fix memory leak caused by pgd_free()
Randy Dunlap <rdunlap@infradead.org>
MIPS: RB532: fix return value of __setup handler
Miaoqian Lin <linmq006@gmail.com>
mips: cdmm: Fix refcount leak in mips_cdmm_phys_base
Miaoqian Lin <linmq006@gmail.com>
ath10k: Fix error handling in ath10k_setup_msa_resources
Oliver Hartkopp <socketcan@hartkopp.net>
vxcan: enable local echo for sent CAN frames
Hangyu Hua <hbh25y@gmail.com>
powerpc: 8xx: fix a return value error in mpc8xx_pic_init
Jia-Ju Bai <baijiaju1990@gmail.com>
platform/x86: huawei-wmi: check the return value of device_create_file()
Felix Maurer <fmaurer@redhat.com>
selftests/bpf: Make test_lwt_ip_encap more stable and faster
lic121 <lic121@chinatelecom.cn>
libbpf: Unmap rings when umem deleted
Jiasheng Jiang <jiasheng@iscas.ac.cn>
mfd: mc13xxx: Add check for mc13xxx_irq_request
Jakob Koschel <jakobkoschel@gmail.com>
powerpc/sysdev: fix incorrect use to determine if list is empty
Randy Dunlap <rdunlap@infradead.org>
mips: DEC: honor CONFIG_MIPS_FP_SUPPORT=n
Robert Hancock <robert.hancock@calian.com>
net: axienet: fix RX ring refill allocation failure handling
Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
PCI: Reduce warnings on possible RW1C corruption
Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
IB/hfi1: Allow larger MTU without AIP
Jiasheng Jiang <jiasheng@iscas.ac.cn>
power: supply: wm8350-power: Add missing free in free_charger_irq
Jiasheng Jiang <jiasheng@iscas.ac.cn>
power: supply: wm8350-power: Handle error for wm8350_register_irq
Robert Hancock <robert.hancock@calian.com>
i2c: xiic: Make bus names unique
Anssi Hannula <anssi.hannula@bitwise.fi>
hv_balloon: rate-limit "Unhandled message" warning
Hou Wenlong <houwenlong.hwl@antgroup.com>
KVM: x86/emulator: Defer not-present segment check in __load_segment_descriptor()
Zhenzhong Duan <zhenzhong.duan@intel.com>
KVM: x86: Fix emulation in writing cr8
Michael Ellerman <mpe@ellerman.id.au>
powerpc/Makefile: Don't pass -mcpu=powerpc64 when building 32-bit
Daniel Henrique Barboza <danielhb413@gmail.com>
powerpc/mm/numa: skip NUMA_NO_NODE onlining in parse_numa_properties()
Xu Kuohai <xukuohai@huawei.com>
libbpf: Skip forward declaration when counting duplicated type names
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
gpu: host1x: Fix a memory leak in 'host1x_remove()'
Hou Tao <houtao1@huawei.com>
bpf, arm64: Feed byte-offset into bpf line info
Hou Tao <houtao1@huawei.com>
bpf, arm64: Call build_prologue() first in first JIT pass
Nishanth Menon <nm@ti.com>
drm/bridge: cdns-dsi: Make sure to to create proper aliases for dt
Xiang Chen <chenxiang66@hisilicon.com>
scsi: hisi_sas: Change permission of parameter prot_mask
Hans de Goede <hdegoede@redhat.com>
power: supply: bq24190_charger: Fix bq24190_vbus_is_enabled() wrong false return
Miaoqian Lin <linmq006@gmail.com>
drm/tegra: Fix reference leak in tegra_dsi_ganged_probe
Zhang Yi <yi.zhang@huawei.com>
ext2: correct max file size computing
Randy Dunlap <rdunlap@infradead.org>
TOMOYO: fix __setup handlers return values
Maíra Canal <maira.canal@usp.br>
drm/amd/display: Remove vupdate_int_entry definition
Aharon Landau <aharonl@nvidia.com>
RDMA/mlx5: Fix the flow of a miss in the allocation of a cache ODP MR
Damien Le Moal <damien.lemoal@opensource.wdc.com>
scsi: pm8001: Fix abort all task initialization
Damien Le Moal <damien.lemoal@opensource.wdc.com>
scsi: pm8001: Fix NCQ NON DATA command completion handling
Damien Le Moal <damien.lemoal@opensource.wdc.com>
scsi: pm8001: Fix NCQ NON DATA command task initialization
Damien Le Moal <damien.lemoal@opensource.wdc.com>
scsi: pm8001: Fix le32 values handling in pm80xx_chip_sata_req()
Damien Le Moal <damien.lemoal@opensource.wdc.com>
scsi: pm8001: Fix le32 values handling in pm80xx_chip_ssp_io_req()
Damien Le Moal <damien.lemoal@opensource.wdc.com>
scsi: pm8001: Fix payload initialization in pm80xx_encrypt_update()
Damien Le Moal <damien.lemoal@opensource.wdc.com>
scsi: pm8001: Fix le32 values handling in pm80xx_set_sas_protocol_timer_config()
Damien Le Moal <damien.lemoal@opensource.wdc.com>
scsi: pm8001: Fix payload initialization in pm80xx_set_thermal_config()
Damien Le Moal <damien.lemoal@opensource.wdc.com>
scsi: pm8001: Fix command initialization in pm8001_chip_ssp_tm_req()
Damien Le Moal <damien.lemoal@opensource.wdc.com>
scsi: pm8001: Fix command initialization in pm80XX_send_read_log()
Aashish Sharma <shraash@google.com>
dm crypt: fix get_key_size compiler warning if !CONFIG_KEYS
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/dpu: fix dp audio condition
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/dpu: add DSPP blocks teardown
Kuogee Hsieh <quic_khsieh@quicinc.com>
drm/msm/dp: populate connector of struct dp_panel
Dan Carpenter <dan.carpenter@oracle.com>
iwlwifi: mvm: Fix an error code in iwl_mvm_up()
Colin Ian King <colin.king@canonical.com>
iwlwifi: Fix -EIO error code that is never returned
Tong Zhang <ztong0001@gmail.com>
dax: make sure inodes are flushed before destroy cache
Håkon Bugge <haakon.bugge@oracle.com>
IB/cma: Allow XRC INI QPs to set their local ACK timeout
Roman Li <Roman.Li@amd.com>
drm/amd/display: Add affected crtcs to atomic state for dsc mst unplug
Yiqing Yao <yiqing.yao@amd.com>
drm/amd/pm: enable pm sysfs write for one VF mode
Jiasheng Jiang <jiasheng@iscas.ac.cn>
iommu/ipmmu-vmsa: Check for error num after setting mask
Dmitry Torokhov <dmitry.torokhov@gmail.com>
HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports
Miaoqian Lin <linmq006@gmail.com>
power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init
Neil Armstrong <narmstrong@baylibre.com>
drm/bridge: dw-hdmi: use safe format when first in bridge chain
Pali Rohár <pali@kernel.org>
PCI: aardvark: Fix reading PCI_EXP_RTSTA_PME bit on emulated bridge
Christophe Leroy <christophe.leroy@csgroup.eu>
livepatch: Fix build failure on 32 bits processors
Thomas Bracht Laumann Jespersen <t@laumann.xyz>
scripts/dtc: Call pkg-config POSIXly correct
Tobias Waldekranz <tobias@waldekranz.com>
net: dsa: mv88e6xxx: Enable port policy support on 6097
Lorenzo Bianconi <lorenzo@kernel.org>
mt76: mt7615: check sta_rates pointer in mt7615_sta_rate_tbl_update
Lorenzo Bianconi <lorenzo@kernel.org>
mt76: mt7603: check sta_rates pointer in mt7603_sta_rate_tbl_update
Lorenzo Bianconi <lorenzo@kernel.org>
mt76: mt7915: use proper aid value in mt7915_mcu_sta_basic_tlv
Lorenzo Bianconi <lorenzo@kernel.org>
mt76: mt7915: use proper aid value in mt7915_mcu_wtbl_generic_tlv in sta mode
Athira Rajeev <atrajeev@linux.vnet.ibm.com>
powerpc/perf: Don't use perf_hw_context for trace IMC PMU
Fabiano Rosas <farosas@linux.ibm.com>
KVM: PPC: Book3S HV: Check return value of kvmppc_radix_init
Maxim Kiselev <bigunclemax@gmail.com>
powerpc: dts: t1040rdb: fix ports names for Seville Ethernet switch
Jiasheng Jiang <jiasheng@iscas.ac.cn>
ray_cs: Check ioremap return value
Miaoqian Lin <linmq006@gmail.com>
power: reset: gemini-poweroff: Fix IRQ check in gemini_poweroff_probe
Alexander Lobakin <alexandr.lobakin@intel.com>
i40e: respect metadata on XSK Rx to skb
Alexander Lobakin <alexandr.lobakin@intel.com>
i40e: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb
Fabiano Rosas <farosas@linux.ibm.com>
KVM: PPC: Fix vmx/vsx mixup in mmio emulation
Maor Gottlieb <maorg@nvidia.com>
RDMA/core: Set MR type in ib_reg_user_mr
Pavel Skripkin <paskripkin@gmail.com>
ath9k_htc: fix uninit value bugs
Tom Rix <trix@redhat.com>
drm/amd/pm: return -ENOTSUPP if there is no get_dpm_ultimate_freq function
Zhou Qingyang <zhou1615@umn.edu>
drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes()
Zhou Qingyang <zhou1615@umn.edu>
drm/nouveau/acr: Fix undefined behavior in nvkm_acr_hsfw_load_bl()
Shannon Nelson <snelson@pensando.io>
ionic: fix type complaint in ionic_dev_cmd_clean()
Maxime Ripard <maxime@cerno.tech>
drm/edid: Don't clear formats if using deep color
Dario Binacchi <dario.binacchi@amarulasolutions.com>
mtd: rawnand: gpmi: fix controller timings setting
Jiasheng Jiang <jiasheng@iscas.ac.cn>
mtd: onenand: Check for error irq
Pavel Skripkin <paskripkin@gmail.com>
Bluetooth: hci_serdev: call init_rwsem() before p->open()
Pavel Skripkin <paskripkin@gmail.com>
udmabuf: validate ubuf->pagecount
Yafang Shao <laoar.shao@gmail.com>
libbpf: Fix possible NULL pointer dereference when destroying skeleton
Jiasheng Jiang <jiasheng@iscas.ac.cn>
drm/panfrost: Check for error num after setting mask
Wen Gong <quic_wgong@quicinc.com>
ath10k: fix memory overwrite of the WoWLAN wakeup packet pattern
Jagan Teki <jagan@amarulasolutions.com>
drm: bridge: adv7511: Fix ADV7535 HPD enablement
Miaoqian Lin <linmq006@gmail.com>
drm/bridge: nwl-dsi: Fix PM disable depth imbalance in nwl_dsi_probe
Miaoqian Lin <linmq006@gmail.com>
drm/bridge: Add missing pm_runtime_disable() in __dw_mipi_dsi_probe
Miaoqian Lin <linmq006@gmail.com>
drm/bridge: Fix free wrong object in sii8620_init_rcp_input_dev
Martin Blumenstingl <martin.blumenstingl@googlemail.com>
drm/meson: osd_afbcd: Add an exit callback to struct meson_afbcd_ops
Andre Przywara <andre.przywara@arm.com>
ARM: configs: multi_v5_defconfig: re-enable CONFIG_V4L_PLATFORM_DRIVERS
Miaoqian Lin <linmq006@gmail.com>
ASoC: codecs: wcd934x: Add missing of_node_put() in wcd934x_codec_parse_data
Miaoqian Lin <linmq006@gmail.com>
ASoC: msm8916-wcd-analog: Fix error handling in pm8916_wcd_analog_spmi_probe
Miaoqian Lin <linmq006@gmail.com>
ASoC: atmel: Fix error handling in sam9x5_wm8731_driver_probe
Yang Yingliang <yangyingliang@huawei.com>
ASoC: atmel: sam9x5_wm8731: use devm_snd_soc_register_card()
Jiasheng Jiang <jiasheng@iscas.ac.cn>
mmc: davinci_mmc: Handle error for clk_enable
Miaoqian Lin <linmq006@gmail.com>
ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in msm8916_wcd_digital_probe
Wang Wensheng <wangwensheng4@huawei.com>
ASoC: imx-es8328: Fix error return code in imx_es8328_probe()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_spdif: Disable TX clock when stop
Miaoqian Lin <linmq006@gmail.com>
ASoC: mxs: Fix error handling in mxs_sgtl5000_probe
Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
ASoC: dmaengine: do not use a NULL prepare_slave_config() callback
Miaoqian Lin <linmq006@gmail.com>
ASoC: SOF: Add missing of_node_put() in imx8m_probe
Miaoqian Lin <linmq006@gmail.com>
ASoC: rockchip: i2s: Fix missing clk_disable_unprepare() in rockchip_i2s_probe
Yang Yingliang <yangyingliang@huawei.com>
ASoC: rockchip: i2s: Use devm_platform_get_and_ioremap_resource()
Hans Verkuil <hverkuil-cisco@xs4all.nl>
ivtv: fix incorrect device_caps for ivtvfb
Jakob Koschel <jakobkoschel@gmail.com>
media: saa7134: fix incorrect use to determine if list is empty
Yang Yingliang <yangyingliang@huawei.com>
media: saa7134: convert list_for_each to entry variant
Miaoqian Lin <linmq006@gmail.com>
video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of
Jiasheng Jiang <jiasheng@iscas.ac.cn>
ASoC: fsi: Add check for clk_enable
Jiasheng Jiang <jiasheng@iscas.ac.cn>
ASoC: wm8350: Handle error for wm8350_register_irq
Miaoqian Lin <linmq006@gmail.com>
ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe
Jiasheng Jiang <jiasheng@iscas.ac.cn>
media: vidtv: Check for null return of vzalloc
Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED
Randy Dunlap <rdunlap@infradead.org>
m68k: coldfire/device.c: only build for MCF_EDMA when h/w macros are defined
Rob Herring <robh@kernel.org>
arm64: dts: rockchip: Fix SDIO regulator supply properties on rk3399-firefly
Takashi Sakamoto <o-takashi@sakamocchi.jp>
ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction
Jia-Ju Bai <baijiaju1990@gmail.com>
memory: emif: check the pointer temp in get_device_details()
Jiasheng Jiang <jiasheng@iscas.ac.cn>
memory: emif: Add check for setup_interrupts
Jiasheng Jiang <jiasheng@iscas.ac.cn>
ASoC: soc-compress: prevent the potentially use of null pointer
Jiasheng Jiang <jiasheng@iscas.ac.cn>
ASoC: dwc-i2s: Handle errors for clk_enable
Jiasheng Jiang <jiasheng@iscas.ac.cn>
ASoC: atmel_ssc_dai: Handle errors for clk_enable
Jiasheng Jiang <jiasheng@iscas.ac.cn>
ASoC: mxs-saif: Handle errors for clk_enable
Randy Dunlap <rdunlap@infradead.org>
printk: fix return value of printk.devkmsg __setup handler
Frank Wunderlich <frank-w@public-files.de>
arm64: dts: broadcom: Fix sata nodename
Kuldeep Singh <singh.kuldeep87k@gmail.com>
arm64: dts: ns2: Fix spi-cpol and spi-cpha property
Jiasheng Jiang <jiasheng@iscas.ac.cn>
ALSA: spi: Add check for clk_enable()
Jiasheng Jiang <jiasheng@iscas.ac.cn>
ASoC: ti: davinci-i2s: Add check for clk_enable()
Jia-Ju Bai <baijiaju1990@gmail.com>
ASoC: rt5663: check the return value of devm_kzalloc() in rt5663_parse_dp()
Arnd Bergmann <arnd@arndb.de>
uaccess: fix nios2 and microblaze get_user_8()
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
ASoC: codecs: wcd934x: fix return value of wcd934x_rx_hph_mode_put
Jernej Skrabec <jernej.skrabec@gmail.com>
media: cedrus: h264: Fix neighbour info buffer size
Jernej Skrabec <jernej.skrabec@gmail.com>
media: cedrus: H265: Fix neighbour info buffer size
Dan Carpenter <dan.carpenter@oracle.com>
media: usb: go7007: s2250-board: fix leak in probe()
Dongliang Mu <mudongliangabcd@gmail.com>
media: em28xx: initialize refcount before kref_get
Tom Rix <trix@redhat.com>
media: video/hdmi: handle short reads of hdmi info frame.
Marek Vasut <marex@denx.de>
ARM: dts: imx: Add missing LVDS decoder on M53Menlo
Ard Biesheuvel <ardb@kernel.org>
ARM: ftrace: ensure that ADR takes the Thumb bit into account
Paul Kocialkowski <paul.kocialkowski@bootlin.com>
ARM: dts: sun8i: v3s: Move the csi1 block to follow address order
Miaoqian Lin <linmq006@gmail.com>
soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
firmware: ti_sci: Fix compilation failure when CONFIG_TI_SCI_PROTOCOL is not defined
Maulik Shah <quic_mkshah@quicinc.com>
arm64: dts: qcom: sm8150: Correct TCS configuration for apps rsc
David Heidelberg <david@ixit.cz>
arm64: dts: qcom: sdm845: fix microphone bias properties and values
Daniel Thompson <daniel.thompson@linaro.org>
soc: qcom: aoss: remove spurious IRQF_ONESHOT flags
Miaoqian Lin <linmq006@gmail.com>
soc: qcom: ocmem: Fix missing put_device() call in of_get_ocmem
Jiasheng Jiang <jiasheng@iscas.ac.cn>
soc: qcom: rpmpd: Check for null return of devm_kcalloc
Pavel Kubelun <be.dissent@gmail.com>
ARM: dts: qcom: ipq4019: fix sleep clock
Marijn Suijten <marijn.suijten@somainline.org>
firmware: qcom: scm: Remove reassignment to desc following initializer
Dan Carpenter <dan.carpenter@oracle.com>
video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name()
Dan Carpenter <dan.carpenter@oracle.com>
video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe()
Wang Hai <wanghai38@huawei.com>
video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()
YueHaibing <yuehaibing@huawei.com>
video: fbdev: controlfb: Fix COMPILE_TEST build
Sam Ravnborg <sam@ravnborg.org>
video: fbdev: controlfb: Fix set but not used warnings
Z. Liu <liuzx@knownsec.com>
video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen
Jammy Huang <jammy_huang@aspeedtech.com>
media: aspeed: Correct value for h-total-pixels
Chen-Yu Tsai <wenst@chromium.org>
media: hantro: Fix overfill bottom register field name
Jiasheng Jiang <jiasheng@iscas.ac.cn>
media: meson: vdec: potential dereference of null pointer
Miaoqian Lin <linmq006@gmail.com>
media: coda: Fix missing put_device() call in coda_get_vdoa_data
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
ASoC: generic: simple-card-utils: remove useless assignment
Robert Hancock <robert.hancock@calian.com>
ASoC: xilinx: xlnx_formatter_pcm: Handle sysclk setting
Ondrej Zary <linux@zary.sk>
media: bttv: fix WARNING regression on tunerless devices
Jiasheng Jiang <jiasheng@iscas.ac.cn>
media: mtk-vcodec: potential dereference of null pointer
Chen-Yu Tsai <wenst@chromium.org>
media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls
Corentin Labbe <clabbe@baylibre.com>
media: staging: media: zoran: fix usage of vb2_dma_contig_set_max_seg_size
Peng Liu <liupeng256@huawei.com>
kunit: make kunit_test_timeout compatible with comment
Guillaume Tucker <guillaume.tucker@collabora.com>
selftests, x86: fix how check_cc.sh is being invoked
Fengnan Chang <changfengnan@vivo.com>
f2fs: fix compressed file start atomic write may cause data corruption
Fengnan Chang <changfengnan@vivo.com>
f2fs: compress: remove unneeded read when rewrite whole cluster
Filipe Manana <fdmanana@suse.com>
btrfs: fix unexpected error path when reflinking an inline extent
Chao Yu <chao@kernel.org>
f2fs: fix to avoid potential deadlock
Amir Goldstein <amir73il@gmail.com>
nfsd: more robust allocation failure handling in nfsd_file_cache_init
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: fix missing free nid in f2fs_handle_failed_inode
Adrian Hunter <adrian.hunter@intel.com>
perf/x86/intel/pt: Fix address filter config for 32-bit kernel
Adrian Hunter <adrian.hunter@intel.com>
perf/core: Fix address filter parser for multiple filters
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
rseq: Remove broken uapi field layout on 32-bit little endian
Eric Dumazet <edumazet@google.com>
rseq: Optimise rseq_get_rseq_cs() and clear_rseq_cs()
Qais Yousef <qais.yousef@arm.com>
sched/core: Export pelt_thermal_tp
Bharata B Rao <bharata@amd.com>
sched/debug: Remove mpol_get/put and task_lock/unlock from sched_show_numa
Chao Yu <chao@kernel.org>
f2fs: fix to enable ATGC correctly via gc_idle sysfs interface
David Howells <dhowells@redhat.com>
watch_queue: Actually free the watch
David Howells <dhowells@redhat.com>
watch_queue: Fix NULL dereference in error cleanup
Jens Axboe <axboe@kernel.dk>
io_uring: terminate manual loop iterator loop correctly for non-vecs
Randy Dunlap <rdunlap@infradead.org>
clocksource: acpi_pm: fix return value of __setup handler
Brandon Wyman <bjwyman@gmail.com>
hwmon: (pmbus) Add Vin unit off handling
Miaoqian Lin <linmq006@gmail.com>
hwrng: nomadik - Change clk_disable to clk_disable_unprepare
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
amba: Make the remove callback return void
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
vfio: platform: simplify device removal
Jianglei Nie <niejianglei2021@163.com>
crypto: ccree - Fix use after free in cc_cipher_exit()
Dāvis Mosāns <davispuh@gmail.com>
crypto: ccp - ccp_dmaengine_unregister release dma channels
Randy Dunlap <rdunlap@infradead.org>
ACPI: APEI: fix return value of __setup handlers
Guillaume Ranquet <granquet@baylibre.com>
clocksource/drivers/timer-of: Check return value of of_iomap in timer_of_base_init()
Claudiu Beznea <claudiu.beznea@microchip.com>
clocksource/drivers/timer-microchip-pit64b: Use notrace
Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
clocksource/drivers/exynos_mct: Handle DTS with higher number of interrupts
Marek Szyprowski <m.szyprowski@samsung.com>
clocksource/drivers/exynos_mct: Refactor resources allocation
Drew Fustini <dfustini@baylibre.com>
clocksource/drivers/timer-ti-dm: Fix regression from errata i940 fix
Petr Vorel <pvorel@suse.cz>
crypto: vmx - add missing dependencies
Corentin Labbe <clabbe@baylibre.com>
crypto: amlogic - call finalize with bh disabled
Corentin Labbe <clabbe@baylibre.com>
crypto: sun8i-ce - call finalize with bh disabled
Corentin Labbe <clabbe@baylibre.com>
crypto: sun8i-ss - call finalize with bh disabled
Claudiu Beznea <claudiu.beznea@microchip.com>
hwrng: atmel - disable trng on failure path
Jiasheng Jiang <jiasheng@iscas.ac.cn>
spi: spi-zynqmp-gqspi: Handle error for dma_set_mask
Randy Dunlap <rdunlap@infradead.org>
PM: suspend: fix return value of __setup handler
Randy Dunlap <rdunlap@infradead.org>
PM: hibernate: fix __setup handler error handling
Eric Biggers <ebiggers@google.com>
block: don't delete queue kobject before its children
Christoph Hellwig <hch@lst.de>
nvme: cleanup __nvme_check_ids
Armin Wolf <W_Armin@gmx.de>
hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING
Patrick Rudolph <patrick.rudolph@9elements.com>
hwmon: (pmbus) Add mutex to regulator ops
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
spi: pxa2xx-pci: Balance reference count for PCI DMA device
Gilad Ben-Yossef <gilad@benyossef.com>
crypto: ccree - don't attempt 0 len DMA mappings
Randy Dunlap <rdunlap@infradead.org>
EVM: fix the evm= __setup handler return value
Richard Guy Briggs <rgb@redhat.com>
audit: log AUDIT_TIME_* records only from rules
Corentin Labbe <clabbe@baylibre.com>
crypto: rockchip - ECB does not need IV
Muhammad Usama Anjum <usama.anjum@collabora.com>
selftests/x86: Add validity check and allow field splitting
Jianyong Wu <jianyong.wu@arm.com>
arm64/mm: avoid fixmap race condition when create pud mapping
Miaoqian Lin <linmq006@gmail.com>
spi: tegra114: Add missing IRQ check in tegra_spi_probe
Jiasheng Jiang <jiasheng@iscas.ac.cn>
thermal: int340x: Check for NULL after calling kmemdup()
Tomas Paukrt <tomaspaukrt@email.cz>
crypto: mxs-dcp - Fix scatterlist processing
Herbert Xu <herbert@gondor.apana.org.au>
crypto: authenc - Fix sleep in atomic context in decrypt_tail
Corentin Labbe <clabbe@baylibre.com>
crypto: sun8i-ss - really disable hash on A80
Geert Uytterhoeven <geert+renesas@glider.be>
hwrng: cavium - HW_RANDOM_CAVIUM should depend on ARCH_THUNDER
Sunil Goutham <sgoutham@marvell.com>
hwrng: cavium - Check health status while reading random data
Christian Göttsche <cgzones@googlemail.com>
selinux: check return value of sel_make_avc_files
kernel test robot <lkp@intel.com>
regulator: qcom_smd: fix for_each_child.cocci warnings
Marc Zyngier <maz@kernel.org>
PCI: xgene: Revert "PCI: xgene: Fix IB window setup"
Liguang Zhang <zhangliguang@linux.alibaba.com>
PCI: pciehp: Clear cmd_busy bit in polling mode
Mastan Katragadda <mastanx.katragadda@intel.com>
drm/i915/gem: add missing boundary check in vm_access
Jani Nikula <jani.nikula@intel.com>
drm/i915/opregion: check port number bounds for SWSCI display power state
Hector Martin <marcan@marcan.st>
brcmfmac: pcie: Fix crashes due to early IRQs
Hector Martin <marcan@marcan.st>
brcmfmac: pcie: Replace brcmf_pcie_copy_mem_todev with memcpy_toio
Hector Martin <marcan@marcan.st>
brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path
Hector Martin <marcan@marcan.st>
brcmfmac: firmware: Allocate space for default boardrev in nvram
Max Filippov <jcmvbkbc@gmail.com>
xtensa: fix xtensa_wsr always writing 0
Max Filippov <jcmvbkbc@gmail.com>
xtensa: fix stop_machine_cpuslocked call in patch_text
Johan Hovold <johan@kernel.org>
media: davinci: vpif: fix unbalanced runtime PM enable
Johan Hovold <johan@kernel.org>
media: davinci: vpif: fix unbalanced runtime PM get
Sean Young <sean@mess.org>
media: gpio-ir-tx: fix transmit with long spaces on Orange Pi PC
Maciej W. Rozycki <macro@orcam.me.uk>
DEC: Limit PMAX memory probing to R3k systems
Mingzhe Zou <mingzhe.zou@easystack.cn>
bcache: fixup multiple threads crash
Eric Biggers <ebiggers@google.com>
crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete()
Eric Biggers <ebiggers@google.com>
crypto: rsa-pkcs1pad - restore signature length check
Eric Biggers <ebiggers@google.com>
crypto: rsa-pkcs1pad - correctly get hash from source scatterlist
Eric Biggers <ebiggers@google.com>
crypto: rsa-pkcs1pad - only allow with rsa
Kees Cook <keescook@chromium.org>
exec: Force single empty string when argv is empty
Dirk Müller <dmueller@suse.de>
lib/raid6/test: fix multiple definition linking error
Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
thermal: int340x: Increase bitmap size
Jann Horn <jannh@google.com>
pstore: Don't use semaphores in always-atomic-context code
Colin Ian King <colin.i.king@gmail.com>
carl9170: fix missing bit-wise or operator for tx_params
Jocelyn Falempe <jfalempe@redhat.com>
mgag200 fix memmapsl configuration in GCTL6 register
Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
ARM: dts: exynos: add missing HDMI supplies on SMDK5420
Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
ARM: dts: exynos: add missing HDMI supplies on SMDK5250
Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
ARM: dts: exynos: fix UART3 pins configuration in Exynos5250
Tudor Ambarus <tudor.ambarus@microchip.com>
ARM: dts: at91: sama5d2: Fix PMERRLOC resource size
Michael Schmitz <schmitzmic@gmail.com>
video: fbdev: atari: Atari 2 bpp (STe) palette bugfix
Helge Deller <deller@gmx.de>
video: fbdev: sm712fb: Fix crash in smtcfb_read()
Cooper Chiou <cooper.chiou@intel.com>
drm/edid: check basic audio support on CEA extension block
Tejun Heo <tj@kernel.org>
block: don't merge across cgroup boundaries if blkcg is enabled
Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
block: limit request dispatch loop duration
Pekka Pessi <ppessi@nvidia.com>
mailbox: tegra-hsp: Flush whole channel
Duoming Zhou <duoming@zju.edu.cn>
drivers: hamradio: 6pack: fix UAF bug caused by mod_timer()
Ye Bin <yebin10@huawei.com>
ext4: fix fs corruption when tring to remove a non-empty directory with IO error
Ritesh Harjani <riteshh@linux.ibm.com>
ext4: fix ext4_fc_stats trace point
Jann Horn <jannh@google.com>
coredump: Also dump first pages of non-executable ELF libraries
Sakari Ailus <sakari.ailus@linux.intel.com>
ACPI: properties: Consistently return -ENOENT if there are no more references
Nishanth Menon <nm@ti.com>
arm64: dts: ti: k3-j7200: Fix gic-v3 compatible regs
Nishanth Menon <nm@ti.com>
arm64: dts: ti: k3-j721e: Fix gic-v3 compatible regs
Nishanth Menon <nm@ti.com>
arm64: dts: ti: k3-am65: Fix gic-v3 compatible regs
David Engraf <david.engraf@sysgo.com>
arm64: signal: nofpsimd: Do not allocate fp/simd context when not available
Xin Long <lucien.xin@gmail.com>
udp: call udp_encap_enable for v6 sockets when enabling encap
Andreas Gruenbacher <agruenba@redhat.com>
powerpc/kvm: Fix kvm_use_magic_page
Oliver Hartkopp <socketcan@hartkopp.net>
can: isotp: sanitize CAN ID checks in isotp_bind()
Lars Ellenberg <lars.ellenberg@linbit.com>
drbd: fix potential silent data corruption
Mikulas Patocka <mpatocka@redhat.com>
dm integrity: set journal entry unused when shrinking device
Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
mm/kmemleak: reset tag when compare object pointer
Rik van Riel <riel@surriel.com>
mm,hwpoison: unmap poisoned page before invalidation
Charan Teja Kalla <quic_charante@quicinc.com>
Revert "mm: madvise: skip unmapped vma holes passed to process_madvise"
Charan Teja Kalla <quic_charante@quicinc.com>
mm: madvise: return correct bytes advised with process_madvise
Charan Teja Kalla <quic_charante@quicinc.com>
mm: madvise: skip unmapped vma holes passed to process_madvise
Kai-Heng Feng <kai.heng.feng@canonical.com>
ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020
Takashi Iwai <tiwai@suse.de>
ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock
Mohan Kumar <mkumard@nvidia.com>
ALSA: hda: Avoid unsol event during RPM suspending
Xiaomeng Tong <xiam0nd.tong@gmail.com>
ALSA: cs4236: fix an incorrect NULL check on list iterator
Paulo Alcantara <pc@cjr.nz>
cifs: fix NULL ptr dereference in smb2_ioctl_query_info()
Paulo Alcantara <pc@cjr.nz>
cifs: prevent bad output lengths in smb2_ioctl_query_info()
José Expósito <jose.exposito89@gmail.com>
Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads"
Dmitry Vyukov <dvyukov@google.com>
riscv: Increase stack size under KASAN
Nikita Shubin <n.shubin@yadro.com>
riscv: Fix fill_callchain return value
Manish Chopra <manishc@marvell.com>
qed: validate and restrict untrusted VFs vlan promisc mode
Manish Chopra <manishc@marvell.com>
qed: display VF trust config
Damien Le Moal <damien.lemoal@opensource.wdc.com>
scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands
Hugh Dickins <hughd@google.com>
mempolicy: mbind_range() set_policy() after vma_merge()
Rik van Riel <riel@surriel.com>
mm: invalidate hwpoison page cache page in fault path
Alistair Popple <apopple@nvidia.com>
mm/pages_alloc.c: don't create ZONE_MOVABLE beyond the end of a node
Baokun Li <libaokun1@huawei.com>
jffs2: fix memory leak in jffs2_scan_medium
Baokun Li <libaokun1@huawei.com>
jffs2: fix memory leak in jffs2_do_mount_fs
Baokun Li <libaokun1@huawei.com>
jffs2: fix use-after-free in jffs2_clear_xattr_subsystem
Hangyu Hua <hbh25y@gmail.com>
can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path
Sean Nyekjaer <sean@geanix.com>
mtd: rawnand: protect access to rawnand devices while in suspend
Miquel Raynal <miquel.raynal@bootlin.com>
spi: mxic: Fix the transmit path
Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
pinctrl: samsung: drop pin banks references on error paths
Alistair Delva <adelva@google.com>
remoteproc: Fix count check in rproc_coredump_write()
Chao Yu <chao@kernel.org>
f2fs: fix to do sanity check on .cp_pack_total_block_count
Juhyung Park <qkrwngud825@gmail.com>
f2fs: quota: fix loop condition at f2fs_quota_sync()
Chao Yu <chao@kernel.org>
f2fs: fix to unlock page correctly in error path of is_alive()
Dan Carpenter <dan.carpenter@oracle.com>
NFSD: prevent integer overflow on 32 bit systems
Dan Carpenter <dan.carpenter@oracle.com>
NFSD: prevent underflow in nfssvc_decode_writeargs()
NeilBrown <neilb@suse.de>
SUNRPC: avoid race between mod_timer() and del_timer_sync()
Gwendal Grignou <gwendal@chromium.org>
HID: intel-ish-hid: Use dma_alloc_coherent for firmware update
Ang Tien Sung <tien.sung.ang@intel.com>
firmware: stratix10-svc: add missing callback parameter on RSU
Bagas Sanjaya <bagasdotme@gmail.com>
Documentation: update stable tree link
Bagas Sanjaya <bagasdotme@gmail.com>
Documentation: add link to stable release candidate tree
Eric Biggers <ebiggers@google.com>
KEYS: fix length validation in keyctl_pkey_params_get_2()
Jann Horn <jannh@google.com>
ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE
Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
clk: uniphier: Fix fixed-rate initialization
Dan Carpenter <dan.carpenter@oracle.com>
greybus: svc: fix an error handling bug in gb_svc_hello()
Liam Beguin <liambeguin@gmail.com>
iio: inkern: make a best effort on offset calculation
Liam Beguin <liambeguin@gmail.com>
iio: inkern: apply consumer scale when no channel scale is available
Liam Beguin <liambeguin@gmail.com>
iio: inkern: apply consumer scale on IIO_VAL_INT cases
Liam Beguin <liambeguin@gmail.com>
iio: afe: rescale: use s64 for temporary scale calculations
James Clark <james.clark@arm.com>
coresight: Fix TRCCONFIGR.QE sysfs interface
Alexander Usyskin <alexander.usyskin@intel.com>
mei: avoid iterator usage outside of list_for_each_entry
Alexander Usyskin <alexander.usyskin@intel.com>
mei: me: add Alder Lake N device id.
Anssi Hannula <anssi.hannula@bitwise.fi>
xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx()
Mathias Nyman <mathias.nyman@linux.intel.com>
xhci: make xhci_handshake timeout for xhci_reset() adjustable
Henry Lin <henryl@nvidia.com>
xhci: fix runtime PM imbalance in USB2 resume
Anssi Hannula <anssi.hannula@bitwise.fi>
xhci: fix garbage USBSTS being logged in some cases
Alan Stern <stern@rowland.harvard.edu>
USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c
Xie Yongji <xieyongji@bytedance.com>
virtio-blk: Use blk_validate_block_size() to validate block size
Lino Sanfilippo <LinoSanfilippo@gmx.de>
tpm: fix reference counting for struct tpm_chip
Robin Murphy <robin.murphy@arm.com>
iommu/iova: Improve 32-bit free space estimate
Waiman Long <longman@redhat.com>
locking/lockdep: Avoid potential access of invalid memory in lock_class
Claudiu Beznea <claudiu.beznea@microchip.com>
net: dsa: microchip: add spi_device_id tables
Haimin Zhang <tcs_kernel@tencent.com>
af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
Linus Walleij <linus.walleij@linaro.org>
Input: zinitix - do not report shadow fingers
Biju Das <biju.das.jz@bp.renesas.com>
spi: Fix erroneous sgs value with min_t()
Bartosz Golaszewski <brgl@bgdev.pl>
Revert "gpio: Revert regression in sysfs-gpio (gpiolib.c)"
Minghao Chi (CGEL ZTE) <chi.minghao@zte.com.cn>
net:mcf8390: Use platform_get_irq() to get the interrupt
Biju Das <biju.das.jz@bp.renesas.com>
spi: Fix invalid sgs value
Marcelo Roberto Jimenez <marcelo.jimenez@gmail.com>
gpio: Revert regression in sysfs-gpio (gpiolib.c)
Zheyu Ma <zheyuma97@gmail.com>
ethernet: sun: Free the coherent when failing in probing
Stefano Garzarella <sgarzare@redhat.com>
tools/virtio: fix virtio_test execution
Si-Wei Liu <si-wei.liu@oracle.com>
vdpa/mlx5: should verify CTRL_VQ feature exists for MQ
Michael S. Tsirkin <mst@redhat.com>
virtio_console: break out of buf poll on remove
Daniel Palmer <daniel@0x0f.com>
ARM: mstar: Select HAVE_ARM_ARCH_TIMER
Lina Wang <lina.wang@mediatek.com>
xfrm: fix tunnel model fragmentation behavior
Lucas Zampieri <lzampier@redhat.com>
HID: logitech-dj: add new lightspeed receiver id
Yajun Deng <yajun.deng@linux.dev>
netdevice: add the case if dev is NULL
Randy Dunlap <rdunlap@infradead.org>
hv: utils: add PTP_1588_CLOCK to Kconfig to fix build
Johan Hovold <johan@kernel.org>
USB: serial: simple: add Nokia phone driver
Eddie James <eajames@linux.ibm.com>
USB: serial: pl2303: add IBM device IDs
Halil Pasic <pasic@linux.ibm.com>
swiotlb: fix info leak with DMA_FROM_DEVICE
-------------
Diffstat:
Documentation/admin-guide/sysctl/kernel.rst | 1 +
Documentation/core-api/dma-attributes.rst | 8 +
.../devicetree/bindings/mtd/nand-controller.yaml | 4 +-
Documentation/devicetree/bindings/spi/spi-mxic.txt | 4 +-
Documentation/process/stable-kernel-rules.rst | 11 +-
Documentation/sound/hd-audio/models.rst | 4 +
Makefile | 4 +-
arch/arc/kernel/process.c | 2 +-
arch/arm/boot/dts/bcm2711.dtsi | 50 +++++
arch/arm/boot/dts/bcm2837.dtsi | 49 +++++
arch/arm/boot/dts/dra7-l4.dtsi | 5 +-
arch/arm/boot/dts/dra7.dtsi | 8 +-
arch/arm/boot/dts/exynos5250-pinctrl.dtsi | 2 +-
arch/arm/boot/dts/exynos5250-smdk5250.dts | 3 +
arch/arm/boot/dts/exynos5420-smdk5420.dts | 3 +
arch/arm/boot/dts/imx53-m53menlo.dts | 29 ++-
arch/arm/boot/dts/imx7-colibri.dtsi | 4 +-
arch/arm/boot/dts/imx7-mba7.dtsi | 2 +-
arch/arm/boot/dts/imx7d-nitrogen7.dts | 2 +-
arch/arm/boot/dts/imx7d-pico-hobbit.dts | 4 +-
arch/arm/boot/dts/imx7d-pico-pi.dts | 4 +-
arch/arm/boot/dts/imx7d-sdb.dts | 4 +-
arch/arm/boot/dts/imx7s-warp.dts | 4 +-
arch/arm/boot/dts/qcom-ipq4019.dtsi | 3 +-
arch/arm/boot/dts/qcom-msm8960.dtsi | 8 +-
arch/arm/boot/dts/sama5d2.dtsi | 2 +-
arch/arm/boot/dts/spear1340.dtsi | 6 +-
arch/arm/boot/dts/spear13xx.dtsi | 6 +-
arch/arm/boot/dts/sun8i-v3s.dtsi | 22 +--
arch/arm/boot/dts/tegra20-tamonten.dtsi | 6 +-
arch/arm/configs/multi_v5_defconfig | 1 +
arch/arm/crypto/Kconfig | 2 +
arch/arm/kernel/entry-ftrace.S | 53 +++---
arch/arm/kernel/swp_emulate.c | 2 +-
arch/arm/kernel/traps.c | 2 +-
arch/arm/mach-iop32x/include/mach/entry-macro.S | 2 +-
arch/arm/mach-iop32x/include/mach/irqs.h | 2 +-
arch/arm/mach-iop32x/irq.c | 6 +-
arch/arm/mach-iop32x/irqs.h | 60 +++---
arch/arm/mach-mmp/sram.c | 22 ++-
arch/arm/mach-mstar/Kconfig | 1 +
arch/arm/mach-s3c/mach-jive.c | 6 +-
.../arm64/boot/dts/broadcom/northstar2/ns2-svk.dts | 8 +-
arch/arm64/boot/dts/broadcom/northstar2/ns2.dtsi | 2 +-
arch/arm64/boot/dts/qcom/sdm845.dtsi | 8 +-
arch/arm64/boot/dts/qcom/sm8150.dtsi | 6 +-
arch/arm64/boot/dts/rockchip/rk3399-firefly.dts | 4 +-
arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 5 +-
arch/arm64/boot/dts/ti/k3-am65.dtsi | 1 +
arch/arm64/boot/dts/ti/k3-j7200-main.dtsi | 5 +-
arch/arm64/boot/dts/ti/k3-j7200.dtsi | 1 +
arch/arm64/boot/dts/ti/k3-j721e-main.dtsi | 5 +-
arch/arm64/boot/dts/ti/k3-j721e.dtsi | 1 +
arch/arm64/configs/defconfig | 2 +-
arch/arm64/kernel/signal.c | 10 +-
arch/arm64/mm/init.c | 36 +++-
arch/arm64/mm/mmu.c | 41 +++-
arch/arm64/net/bpf_jit_comp.c | 18 +-
arch/csky/kernel/perf_callchain.c | 2 +-
arch/csky/kernel/signal.c | 2 +-
arch/m68k/coldfire/device.c | 6 +-
arch/microblaze/include/asm/uaccess.h | 18 +-
arch/mips/dec/int-handler.S | 6 +-
arch/mips/dec/prom/Makefile | 2 +-
arch/mips/dec/setup.c | 3 +-
arch/mips/include/asm/dec/prom.h | 15 +-
arch/mips/include/asm/pgalloc.h | 6 +
arch/mips/rb532/devices.c | 6 +-
arch/nios2/include/asm/uaccess.h | 26 ++-
arch/nios2/kernel/signal.c | 20 +-
arch/parisc/include/asm/traps.h | 1 +
arch/parisc/kernel/traps.c | 2 +
arch/parisc/mm/fault.c | 89 +++++++++
arch/powerpc/Makefile | 2 +-
arch/powerpc/boot/dts/fsl/t1040rdb-rev-a.dts | 30 +++
arch/powerpc/boot/dts/fsl/t1040rdb.dts | 8 +-
arch/powerpc/include/asm/io.h | 40 +++-
arch/powerpc/include/asm/uaccess.h | 3 +
arch/powerpc/kernel/kvm.c | 2 +-
arch/powerpc/kvm/book3s_hv.c | 5 +-
arch/powerpc/kvm/powerpc.c | 4 +-
arch/powerpc/lib/sstep.c | 12 +-
arch/powerpc/mm/kasan/kasan_init_32.c | 3 +-
arch/powerpc/mm/numa.c | 4 +-
arch/powerpc/perf/imc-pmu.c | 6 +-
arch/powerpc/platforms/8xx/pic.c | 1 +
arch/powerpc/platforms/powernv/rng.c | 6 +-
arch/powerpc/sysdev/fsl_gtm.c | 4 +-
arch/riscv/include/asm/module.lds.h | 6 +-
arch/riscv/include/asm/thread_info.h | 10 +-
arch/riscv/kernel/perf_callchain.c | 6 +-
arch/sparc/kernel/signal_32.c | 2 +-
arch/um/drivers/mconsole_kern.c | 3 +-
arch/x86/events/intel/pt.c | 2 +-
arch/x86/kernel/kvm.c | 2 +-
arch/x86/kvm/emulate.c | 14 +-
arch/x86/kvm/hyperv.c | 9 +-
arch/x86/kvm/lapic.c | 5 +-
arch/x86/kvm/mmu/paging_tmpl.h | 77 ++++----
arch/x86/kvm/mmu/tdp_mmu.c | 3 +
arch/x86/kvm/svm/avic.c | 10 +-
arch/x86/xen/pmu.c | 10 +-
arch/x86/xen/pmu.h | 3 +-
arch/x86/xen/smp_pv.c | 2 +-
arch/xtensa/include/asm/processor.h | 4 +-
arch/xtensa/kernel/jump_label.c | 2 +-
block/bfq-cgroup.c | 6 +
block/bfq-iosched.c | 31 ++-
block/blk-merge.c | 11 ++
block/blk-mq-sched.c | 9 +-
block/blk-sysfs.c | 8 +-
crypto/authenc.c | 2 +-
crypto/rsa-pkcs1pad.c | 11 +-
drivers/acpi/acpica/nswalk.c | 3 +
drivers/acpi/apei/bert.c | 10 +-
drivers/acpi/apei/erst.c | 2 +-
drivers/acpi/apei/hest.c | 2 +-
drivers/acpi/cppc_acpi.c | 5 +
drivers/acpi/property.c | 2 +-
drivers/amba/bus.c | 5 +-
drivers/base/dd.c | 2 +-
drivers/base/power/main.c | 6 +-
drivers/block/drbd/drbd_req.c | 3 +-
drivers/block/loop.c | 10 +-
drivers/block/virtio_blk.c | 12 +-
drivers/bluetooth/btmtksdio.c | 4 +-
drivers/bluetooth/hci_serdev.c | 3 +-
drivers/bus/mips_cdmm.c | 1 +
drivers/char/hw_random/Kconfig | 2 +-
drivers/char/hw_random/atmel-rng.c | 1 +
drivers/char/hw_random/cavium-rng-vf.c | 194 ++++++++++++++++++-
drivers/char/hw_random/cavium-rng.c | 11 +-
drivers/char/hw_random/nomadik-rng.c | 7 +-
drivers/char/tpm/tpm-chip.c | 46 +----
drivers/char/tpm/tpm.h | 2 +
drivers/char/tpm/tpm2-space.c | 65 +++++++
drivers/char/virtio_console.c | 7 +
drivers/clk/actions/owl-s700.c | 1 +
drivers/clk/actions/owl-s900.c | 2 +-
drivers/clk/at91/sama7g5.c | 8 +-
drivers/clk/clk-clps711x.c | 2 +
drivers/clk/clk.c | 13 ++
drivers/clk/imx/clk-imx7d.c | 1 -
drivers/clk/loongson1/clk-loongson1c.c | 1 +
drivers/clk/qcom/clk-rcg2.c | 14 +-
drivers/clk/qcom/gcc-ipq8074.c | 21 +--
drivers/clk/qcom/gcc-msm8994.c | 1 +
drivers/clk/tegra/clk-tegra124-emc.c | 1 +
drivers/clk/uniphier/clk-uniphier-fixed-rate.c | 1 +
drivers/clocksource/acpi_pm.c | 6 +-
drivers/clocksource/exynos_mct.c | 60 +++---
drivers/clocksource/timer-microchip-pit64b.c | 2 +-
drivers/clocksource/timer-of.c | 6 +-
drivers/clocksource/timer-ti-dm-systimer.c | 4 +-
drivers/cpufreq/qcom-cpufreq-nvmem.c | 2 +-
.../crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 3 +
drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 3 +
.../crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 3 +
drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c | 2 +
drivers/crypto/allwinner/sun8i-ss/sun8i-ss-hash.c | 3 +
drivers/crypto/amlogic/amlogic-gxl-cipher.c | 2 +
drivers/crypto/ccp/ccp-dmaengine.c | 16 ++
drivers/crypto/ccree/cc_buffer_mgr.c | 7 +
drivers/crypto/ccree/cc_cipher.c | 2 +-
drivers/crypto/mxs-dcp.c | 2 +-
drivers/crypto/rockchip/rk3288_crypto_skcipher.c | 1 -
drivers/crypto/vmx/Kconfig | 4 +
drivers/dax/super.c | 1 +
drivers/dma-buf/udmabuf.c | 4 +
drivers/dma/hisi_dma.c | 2 +-
drivers/dma/pl330.c | 3 +-
drivers/firmware/efi/efi-pstore.c | 2 +-
drivers/firmware/google/Kconfig | 2 +-
drivers/firmware/qcom_scm.c | 6 -
drivers/firmware/stratix10-svc.c | 2 +-
drivers/fsi/fsi-master-aspeed.c | 21 ++-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 +-
.../amd/display/dc/irq/dcn21/irq_service_dcn21.c | 14 --
drivers/gpu/drm/amd/pm/amdgpu_pm.c | 4 +-
drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 2 +-
drivers/gpu/drm/bridge/adv7511/adv7511.h | 1 +
drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 29 ++-
drivers/gpu/drm/bridge/cdns-dsi.c | 1 +
drivers/gpu/drm/bridge/nwl-dsi.c | 1 +
drivers/gpu/drm/bridge/sil-sii8620.c | 2 +-
drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 5 +-
drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c | 1 +
drivers/gpu/drm/drm_edid.c | 11 +-
drivers/gpu/drm/i915/display/intel_opregion.c | 15 ++
drivers/gpu/drm/i915/gem/i915_gem_mman.c | 2 +-
drivers/gpu/drm/meson/meson_drv.c | 6 +-
drivers/gpu/drm/meson/meson_osd_afbcd.c | 41 ++--
drivers/gpu/drm/meson/meson_osd_afbcd.h | 1 +
drivers/gpu/drm/mgag200/mgag200_mode.c | 5 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 2 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c | 8 +
drivers/gpu/drm/msm/dp/dp_display.c | 5 +
drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c | 9 +-
drivers/gpu/drm/panfrost/panfrost_gpu.c | 5 +-
drivers/gpu/drm/pl111/pl111_drv.c | 4 +-
drivers/gpu/drm/tegra/dsi.c | 4 +-
drivers/gpu/host1x/dev.c | 1 +
drivers/greybus/svc.c | 8 +-
drivers/hid/hid-logitech-dj.c | 1 +
drivers/hid/i2c-hid/i2c-hid-core.c | 32 +++-
drivers/hid/intel-ish-hid/ishtp-fw-loader.c | 29 +--
drivers/hv/Kconfig | 1 +
drivers/hv/hv_balloon.c | 2 +-
drivers/hwmon/pmbus/pmbus.h | 1 +
drivers/hwmon/pmbus/pmbus_core.c | 18 +-
drivers/hwmon/sch56xx-common.c | 2 +-
drivers/hwtracing/coresight/coresight-catu.c | 3 +-
drivers/hwtracing/coresight/coresight-cpu-debug.c | 4 +-
drivers/hwtracing/coresight/coresight-cti-core.c | 4 +-
drivers/hwtracing/coresight/coresight-etb10.c | 4 +-
drivers/hwtracing/coresight/coresight-etm3x-core.c | 4 +-
drivers/hwtracing/coresight/coresight-etm4x-core.c | 4 +-
.../hwtracing/coresight/coresight-etm4x-sysfs.c | 8 +-
drivers/hwtracing/coresight/coresight-funnel.c | 4 +-
drivers/hwtracing/coresight/coresight-replicator.c | 4 +-
drivers/hwtracing/coresight/coresight-stm.c | 4 +-
drivers/hwtracing/coresight/coresight-tmc-core.c | 4 +-
drivers/hwtracing/coresight/coresight-tpiu.c | 4 +-
drivers/i2c/busses/i2c-meson.c | 12 +-
drivers/i2c/busses/i2c-nomadik.c | 4 +-
drivers/i2c/busses/i2c-xiic.c | 3 +-
drivers/i2c/muxes/i2c-demux-pinctrl.c | 5 +-
drivers/iio/accel/mma8452.c | 29 +--
drivers/iio/adc/twl6030-gpadc.c | 2 +
drivers/iio/afe/iio-rescale.c | 8 +-
drivers/iio/inkern.c | 40 +++-
drivers/infiniband/core/cma.c | 2 +-
drivers/infiniband/core/verbs.c | 1 +
drivers/infiniband/hw/hfi1/verbs.c | 3 +-
drivers/infiniband/hw/mlx5/devx.c | 4 +-
drivers/infiniband/hw/mlx5/mr.c | 2 +
drivers/input/input.c | 6 -
drivers/input/serio/ambakmi.c | 3 +-
drivers/input/touchscreen/zinitix.c | 44 ++++-
drivers/iommu/iova.c | 5 +-
drivers/iommu/ipmmu-vmsa.c | 4 +-
drivers/irqchip/irq-nvic.c | 2 +
drivers/irqchip/qcom-pdc.c | 5 +-
drivers/mailbox/imx-mailbox.c | 9 +
drivers/mailbox/tegra-hsp.c | 5 +
drivers/md/bcache/btree.c | 6 +-
drivers/md/bcache/writeback.c | 6 +-
drivers/md/dm-crypt.c | 2 +-
drivers/md/dm-integrity.c | 6 +-
drivers/media/i2c/adv7511-v4l2.c | 2 +-
drivers/media/i2c/adv7604.c | 2 +-
drivers/media/i2c/adv7842.c | 2 +-
drivers/media/pci/bt8xx/bttv-driver.c | 4 +-
drivers/media/pci/cx88/cx88-mpeg.c | 3 +
drivers/media/pci/ivtv/ivtv-driver.h | 1 -
drivers/media/pci/ivtv/ivtv-ioctl.c | 10 +-
drivers/media/pci/ivtv/ivtv-streams.c | 11 +-
drivers/media/pci/saa7134/saa7134-alsa.c | 8 +-
drivers/media/platform/aspeed-video.c | 9 +-
drivers/media/platform/coda/coda-common.c | 1 +
drivers/media/platform/davinci/vpif.c | 12 +-
.../media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c | 2 +
drivers/media/rc/gpio-ir-tx.c | 28 ++-
drivers/media/rc/ir_toy.c | 2 +-
drivers/media/test-drivers/vidtv/vidtv_s302m.c | 17 +-
drivers/media/usb/em28xx/em28xx-cards.c | 13 +-
drivers/media/usb/go7007/s2250-board.c | 10 +-
drivers/media/usb/hdpvr/hdpvr-video.c | 4 +-
drivers/media/usb/stk1160/stk1160-core.c | 2 +-
drivers/media/usb/stk1160/stk1160-v4l.c | 10 +-
drivers/media/usb/stk1160/stk1160.h | 2 +-
drivers/media/v4l2-core/v4l2-mem2mem.c | 53 ++++--
drivers/memory/emif.c | 8 +-
drivers/memory/pl172.c | 4 +-
drivers/memory/pl353-smc.c | 4 +-
drivers/mfd/asic3.c | 10 +-
drivers/mfd/mc13xxx-core.c | 4 +-
drivers/misc/cardreader/alcor_pci.c | 9 +-
drivers/misc/habanalabs/common/debugfs.c | 2 +
drivers/misc/kgdbts.c | 4 +-
drivers/misc/mei/hw-me-regs.h | 1 +
drivers/misc/mei/interrupt.c | 35 ++--
drivers/misc/mei/pci-me.c | 1 +
drivers/mmc/core/host.c | 15 +-
drivers/mmc/host/davinci_mmc.c | 6 +-
drivers/mmc/host/mmci.c | 4 +-
drivers/mtd/nand/onenand/generic.c | 7 +-
drivers/mtd/nand/raw/atmel/nand-controller.c | 14 +-
drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c | 3 +
drivers/mtd/nand/raw/nand_base.c | 44 ++---
drivers/mtd/ubi/build.c | 9 +-
drivers/mtd/ubi/fastmap.c | 28 ++-
drivers/mtd/ubi/vmt.c | 8 +-
drivers/net/bareudp.c | 25 +--
drivers/net/can/m_can/m_can.c | 5 +-
drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 2 +-
drivers/net/can/usb/ems_usb.c | 1 -
drivers/net/can/usb/mcba_usb.c | 27 +--
drivers/net/can/usb/usb_8dev.c | 30 ++-
drivers/net/can/vxcan.c | 2 +-
drivers/net/dsa/bcm_sf2_cfp.c | 6 +-
drivers/net/dsa/microchip/ksz8795_spi.c | 11 ++
drivers/net/dsa/microchip/ksz9477_spi.c | 12 ++
drivers/net/dsa/mv88e6xxx/chip.c | 1 +
drivers/net/ethernet/8390/mcf8390.c | 10 +-
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 +-
.../net/ethernet/freescale/enetc/enetc_ethtool.c | 5 +-
.../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 11 +-
drivers/net/ethernet/intel/i40e/i40e_xsk.c | 16 +-
drivers/net/ethernet/pensando/ionic/ionic_main.c | 6 +-
drivers/net/ethernet/qlogic/qed/qed_sriov.c | 29 ++-
drivers/net/ethernet/qlogic/qed/qed_sriov.h | 1 +
drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h | 10 +-
drivers/net/ethernet/sun/sunhme.c | 6 +-
drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 72 ++++---
drivers/net/hamradio/6pack.c | 4 +-
drivers/net/phy/broadcom.c | 21 +++
drivers/net/wireguard/queueing.c | 3 +-
drivers/net/wireguard/socket.c | 5 +-
drivers/net/wireless/ath/ath10k/snoc.c | 2 +-
drivers/net/wireless/ath/ath10k/wow.c | 7 +-
drivers/net/wireless/ath/ath9k/htc_hst.c | 5 +
drivers/net/wireless/ath/carl9170/main.c | 2 +-
.../broadcom/brcm80211/brcmfmac/firmware.c | 2 +
.../wireless/broadcom/brcm80211/brcmfmac/pcie.c | 66 ++-----
drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c | 2 +-
drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 4 +-
drivers/net/wireless/mediatek/mt76/mt7603/main.c | 3 +
drivers/net/wireless/mediatek/mt76/mt7615/main.c | 3 +
drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 9 +-
drivers/net/wireless/ray_cs.c | 6 +
drivers/nvdimm/region_devs.c | 3 +
drivers/nvme/host/core.c | 9 +-
drivers/nvme/host/tcp.c | 40 ++++
drivers/pci/access.c | 9 +-
drivers/pci/controller/pci-aardvark.c | 4 +-
drivers/pci/controller/pci-xgene.c | 2 +-
drivers/pci/hotplug/pciehp_hpc.c | 2 +
drivers/pci/quirks.c | 12 ++
drivers/phy/phy-core-mipi-dphy.c | 4 +-
drivers/pinctrl/mediatek/pinctrl-mtk-common.c | 2 +
drivers/pinctrl/mediatek/pinctrl-paris.c | 30 ++-
drivers/pinctrl/nomadik/pinctrl-nomadik.c | 4 +-
drivers/pinctrl/nuvoton/pinctrl-npcm7xx.c | 185 +++++++++---------
drivers/pinctrl/pinconf-generic.c | 6 +-
drivers/pinctrl/pinctrl-rockchip.c | 2 +
drivers/pinctrl/renesas/core.c | 5 +-
drivers/pinctrl/renesas/pfc-r8a77470.c | 4 +-
drivers/pinctrl/samsung/pinctrl-samsung.c | 30 ++-
drivers/platform/chrome/Makefile | 3 +-
drivers/platform/chrome/cros_ec_sensorhub_ring.c | 3 +-
drivers/platform/chrome/cros_ec_sensorhub_trace.h | 123 ++++++++++++
drivers/platform/chrome/cros_ec_trace.h | 95 ----------
drivers/platform/chrome/cros_ec_typec.c | 6 +
drivers/platform/x86/huawei-wmi.c | 13 +-
drivers/power/reset/gemini-poweroff.c | 4 +-
drivers/power/supply/ab8500_fg.c | 4 +-
drivers/power/supply/bq24190_charger.c | 7 +-
drivers/power/supply/wm8350_power.c | 97 ++++++++--
drivers/pwm/pwm-lpc18xx-sct.c | 20 +-
drivers/regulator/qcom_smd-regulator.c | 4 +-
drivers/regulator/rpi-panel-attiny-regulator.c | 56 +++++-
drivers/remoteproc/qcom_q6v5_adsp.c | 1 +
drivers/remoteproc/qcom_q6v5_mss.c | 11 +-
drivers/remoteproc/qcom_wcnss.c | 1 +
drivers/remoteproc/remoteproc_debugfs.c | 2 +-
drivers/rtc/interface.c | 7 +-
drivers/rtc/rtc-pl030.c | 4 +-
drivers/rtc/rtc-pl031.c | 4 +-
drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 2 +-
drivers/scsi/libsas/sas_ata.c | 2 +-
drivers/scsi/pm8001/pm8001_hwi.c | 23 ++-
drivers/scsi/pm8001/pm80xx_hwi.c | 209 +++++++++++----------
drivers/scsi/qla2xxx/qla_attr.c | 7 +-
drivers/scsi/qla2xxx/qla_def.h | 10 +-
drivers/scsi/qla2xxx/qla_gs.c | 5 +-
drivers/scsi/qla2xxx/qla_init.c | 73 +++++--
drivers/scsi/qla2xxx/qla_iocb.c | 8 +-
drivers/scsi/qla2xxx/qla_isr.c | 1 +
drivers/scsi/qla2xxx/qla_mbx.c | 14 +-
drivers/scsi/qla2xxx/qla_nvme.c | 22 +++
drivers/scsi/qla2xxx/qla_os.c | 8 +-
drivers/scsi/qla2xxx/qla_sup.c | 4 +-
drivers/scsi/qla2xxx/qla_target.c | 4 +-
drivers/soc/qcom/ocmem.c | 1 +
drivers/soc/qcom/qcom_aoss.c | 2 +-
drivers/soc/qcom/rpmpd.c | 3 +
drivers/soc/ti/wkup_m3_ipc.c | 4 +-
drivers/soundwire/intel.c | 4 +-
drivers/spi/spi-mxic.c | 28 ++-
drivers/spi/spi-pl022.c | 5 +-
drivers/spi/spi-pxa2xx-pci.c | 17 +-
drivers/spi/spi-tegra114.c | 4 +
drivers/spi/spi-tegra20-slink.c | 8 +-
drivers/spi/spi-zynqmp-gqspi.c | 5 +-
drivers/spi/spi.c | 4 +-
drivers/staging/iio/adc/ad7280a.c | 4 +-
drivers/staging/media/atomisp/pci/atomisp_acc.c | 28 ++-
.../media/atomisp/pci/atomisp_gmin_platform.c | 18 ++
drivers/staging/media/atomisp/pci/hmm/hmm.c | 7 +-
drivers/staging/media/hantro/hantro_h1_jpeg_enc.c | 2 +-
drivers/staging/media/hantro/hantro_h1_regs.h | 2 +-
drivers/staging/media/meson/vdec/esparser.c | 7 +-
drivers/staging/media/meson/vdec/vdec_helpers.c | 8 +-
drivers/staging/media/meson/vdec/vdec_helpers.h | 4 +-
drivers/staging/media/sunxi/cedrus/cedrus_h264.c | 2 +-
drivers/staging/media/sunxi/cedrus/cedrus_h265.c | 2 +-
drivers/staging/media/zoran/zoran.h | 2 +-
drivers/staging/media/zoran/zoran_card.c | 86 +++++----
drivers/staging/media/zoran/zoran_device.c | 7 +-
drivers/staging/media/zoran/zoran_driver.c | 18 +-
drivers/staging/mt7621-dts/gbpc1.dts | 40 ++--
drivers/staging/mt7621-dts/gbpc2.dts | 116 +++++++++++-
drivers/staging/mt7621-dts/mt7621.dtsi | 26 +--
.../intel/int340x_thermal/int3400_thermal.c | 7 +-
drivers/tty/hvc/hvc_iucv.c | 4 +-
drivers/tty/mxser.c | 15 +-
drivers/tty/serial/8250/8250_dma.c | 11 +-
drivers/tty/serial/8250/8250_lpss.c | 28 ++-
drivers/tty/serial/8250/8250_mid.c | 19 +-
drivers/tty/serial/8250/8250_port.c | 16 +-
drivers/tty/serial/amba-pl010.c | 4 +-
drivers/tty/serial/amba-pl011.c | 3 +-
drivers/tty/serial/kgdboc.c | 6 +-
drivers/tty/serial/serial_core.c | 14 ++
drivers/usb/host/xhci-hub.c | 5 +-
drivers/usb/host/xhci-mem.c | 2 +-
drivers/usb/host/xhci.c | 20 +-
drivers/usb/host/xhci.h | 14 +-
drivers/usb/serial/Kconfig | 1 +
drivers/usb/serial/pl2303.c | 1 +
drivers/usb/serial/pl2303.h | 3 +
drivers/usb/serial/usb-serial-simple.c | 7 +
drivers/usb/storage/ene_ub6250.c | 155 ++++++++-------
drivers/usb/storage/realtek_cr.c | 2 +-
drivers/vdpa/mlx5/net/mlx5_vnet.c | 18 +-
drivers/vfio/platform/vfio_amba.c | 15 +-
drivers/video/fbdev/amba-clcd.c | 4 +-
drivers/video/fbdev/atafb.c | 12 +-
drivers/video/fbdev/atmel_lcdfb.c | 11 +-
drivers/video/fbdev/cirrusfb.c | 16 +-
drivers/video/fbdev/controlfb.c | 6 +-
drivers/video/fbdev/core/fbcvt.c | 53 +++---
drivers/video/fbdev/matrox/matroxfb_base.c | 2 +-
drivers/video/fbdev/nvidia/nv_i2c.c | 2 +-
.../fbdev/omap2/omapfb/displays/connector-dvi.c | 1 +
.../fbdev/omap2/omapfb/displays/panel-dsi-cm.c | 8 +-
.../omap2/omapfb/displays/panel-sony-acx565akm.c | 2 +-
.../omap2/omapfb/displays/panel-tpo-td043mtea1.c | 4 +-
drivers/video/fbdev/sm712fb.c | 46 ++---
drivers/video/fbdev/smscufx.c | 3 +-
drivers/video/fbdev/udlfb.c | 8 +-
drivers/video/fbdev/w100fb.c | 15 +-
drivers/watchdog/rti_wdt.c | 1 +
drivers/watchdog/sp805_wdt.c | 4 +-
fs/binfmt_elf.c | 84 +++++----
fs/binfmt_elf_fdpic.c | 18 +-
fs/btrfs/reflink.c | 7 +-
fs/cifs/smb2ops.c | 130 +++++++------
fs/coredump.c | 86 +++++++--
fs/exec.c | 26 ++-
fs/ext2/super.c | 6 +-
fs/ext4/inline.c | 9 +-
fs/ext4/inode.c | 25 +++
fs/ext4/mballoc.c | 126 ++++++++-----
fs/ext4/namei.c | 10 +-
fs/f2fs/checkpoint.c | 8 +-
fs/f2fs/compress.c | 5 +-
fs/f2fs/data.c | 9 +-
fs/f2fs/file.c | 5 +-
fs/f2fs/gc.c | 4 +-
fs/f2fs/inode.c | 1 +
fs/f2fs/node.c | 6 +-
fs/f2fs/segment.c | 7 +
fs/f2fs/super.c | 6 +-
fs/f2fs/sysfs.c | 2 +-
fs/file.c | 31 ++-
fs/gfs2/rgrp.c | 3 +-
fs/io_uring.c | 7 +-
fs/jffs2/build.c | 4 +-
fs/jffs2/fs.c | 2 +-
fs/jffs2/scan.c | 6 +-
fs/jfs/jfs_dmap.c | 7 +
fs/nfs/callback_proc.c | 27 +--
fs/nfs/callback_xdr.c | 4 -
fs/nfs/nfs2xdr.c | 2 +-
fs/nfs/nfs3xdr.c | 21 +--
fs/nfs/nfs4proc.c | 1 +
fs/nfs/pnfs.c | 11 ++
fs/nfs/pnfs.h | 2 +
fs/nfs/write.c | 5 +-
fs/nfsd/filecache.c | 6 +-
fs/nfsd/nfs4state.c | 12 +-
fs/nfsd/nfsproc.c | 2 +-
fs/nfsd/xdr.h | 2 +-
fs/ntfs/inode.c | 4 +
fs/proc/bootconfig.c | 2 +
fs/pstore/platform.c | 38 ++--
fs/ubifs/dir.c | 32 ++--
fs/ubifs/file.c | 14 +-
fs/ubifs/io.c | 34 +++-
fs/ubifs/ioctl.c | 2 +-
include/linux/amba/bus.h | 2 +-
include/linux/binfmts.h | 3 +
include/linux/blk-cgroup.h | 17 ++
include/linux/coredump.h | 5 +-
include/linux/dma-mapping.h | 8 +
include/linux/mtd/rawnand.h | 2 +
include/linux/netdevice.h | 6 +-
include/linux/pci.h | 1 +
include/linux/pstore.h | 6 +-
include/linux/serial_core.h | 2 +
include/linux/soc/ti/ti_sci_protocol.h | 2 +-
include/linux/sunrpc/xdr.h | 2 +
include/net/udp.h | 1 +
include/net/udp_tunnel.h | 3 +-
include/sound/pcm.h | 1 +
include/trace/events/ext4.h | 78 +++++---
include/trace/events/rxrpc.h | 8 +-
include/uapi/linux/bpf.h | 12 +-
include/uapi/linux/rseq.h | 20 +-
kernel/audit.h | 4 +
kernel/auditsc.c | 87 +++++++--
kernel/bpf/stackmap.c | 56 +++---
kernel/debug/kdb/kdb_support.c | 2 +-
kernel/dma/debug.c | 4 +-
kernel/dma/swiotlb.c | 3 +-
kernel/events/core.c | 3 +
kernel/livepatch/core.c | 4 +-
kernel/locking/lockdep.c | 38 ++--
kernel/locking/lockdep_internals.h | 6 +-
kernel/locking/lockdep_proc.c | 51 ++++-
kernel/power/hibernate.c | 2 +-
kernel/power/suspend_test.c | 8 +-
kernel/printk/printk.c | 6 +-
kernel/ptrace.c | 47 +++--
kernel/rseq.c | 13 +-
kernel/sched/core.c | 1 +
kernel/sched/debug.c | 10 -
kernel/trace/trace_events.c | 28 +++
kernel/watch_queue.c | 4 +-
lib/kunit/try-catch.c | 2 +-
lib/raid6/test/Makefile | 4 +-
lib/raid6/test/test.c | 1 -
lib/test_kmod.c | 1 +
lib/test_lockup.c | 11 +-
lib/test_xarray.c | 22 +++
lib/xarray.c | 4 +
mm/kmemleak.c | 9 +-
mm/madvise.c | 3 +-
mm/memcontrol.c | 2 +-
mm/memory.c | 17 +-
mm/mempolicy.c | 8 +-
mm/mmap.c | 2 +-
mm/page_alloc.c | 9 +-
mm/usercopy.c | 5 +-
net/batman-adv/bridge_loop_avoidance.c | 6 +
net/batman-adv/distributed-arp-table.c | 3 +
net/batman-adv/gateway_client.c | 12 +-
net/batman-adv/gateway_client.h | 16 +-
net/batman-adv/hard-interface.h | 3 +
net/batman-adv/network-coding.c | 6 +
net/batman-adv/originator.c | 72 +------
net/batman-adv/originator.h | 96 +++++++++-
net/batman-adv/soft-interface.c | 15 +-
net/batman-adv/soft-interface.h | 16 +-
net/batman-adv/tp_meter.c | 3 +
net/batman-adv/translation-table.c | 22 +--
net/batman-adv/translation-table.h | 18 +-
net/batman-adv/tvlv.c | 6 +
net/bluetooth/hci_conn.c | 2 +
net/can/isotp.c | 69 ++++---
net/core/skmsg.c | 17 +-
net/ipv4/route.c | 18 +-
net/ipv4/tcp_bpf.c | 14 +-
net/ipv4/tcp_output.c | 5 +-
net/ipv4/udp.c | 6 +
net/ipv6/udp.c | 4 +-
net/ipv6/xfrm6_output.c | 16 ++
net/key/af_key.c | 2 +-
net/netfilter/nf_conntrack_proto_tcp.c | 17 +-
net/netlink/af_netlink.c | 2 +
net/openvswitch/conntrack.c | 118 ++++++------
net/openvswitch/flow_netlink.c | 4 +-
net/rxrpc/ar-internal.h | 15 +-
net/rxrpc/call_event.c | 2 +-
net/rxrpc/call_object.c | 40 +++-
net/sunrpc/xprt.c | 7 +
net/tipc/socket.c | 3 +-
net/x25/af_x25.c | 11 +-
net/xfrm/xfrm_interface.c | 5 +-
samples/bpf/xdpsock_user.c | 5 +-
scripts/dtc/Makefile | 2 +-
scripts/gcc-plugins/stackleak_plugin.c | 25 ++-
security/integrity/evm/evm_main.c | 2 +-
security/keys/keyctl_pkey.c | 14 +-
security/security.c | 17 +-
security/selinux/hooks.c | 11 +-
security/selinux/include/policycap.h | 1 +
security/selinux/include/policycap_names.h | 3 +-
security/selinux/include/security.h | 7 +
security/selinux/selinuxfs.c | 2 +
security/selinux/xfrm.c | 2 +-
security/smack/smack_lsm.c | 2 +-
security/tomoyo/load_policy.c | 4 +-
sound/arm/aaci.c | 4 +-
sound/core/pcm.c | 1 +
sound/core/pcm_lib.c | 9 +-
sound/core/pcm_native.c | 39 +++-
sound/firewire/fcp.c | 4 +-
sound/isa/cs423x/cs4236.c | 8 +-
sound/pci/hda/patch_hdmi.c | 8 +-
sound/pci/hda/patch_realtek.c | 15 +-
sound/soc/atmel/atmel_ssc_dai.c | 5 +-
sound/soc/atmel/sam9g20_wm8731.c | 1 +
sound/soc/atmel/sam9x5_wm8731.c | 16 +-
sound/soc/codecs/Kconfig | 5 +
sound/soc/codecs/msm8916-wcd-analog.c | 22 ++-
sound/soc/codecs/msm8916-wcd-digital.c | 5 +-
sound/soc/codecs/mt6358.c | 4 +
sound/soc/codecs/rt5663.c | 2 +
sound/soc/codecs/wcd934x.c | 6 +-
sound/soc/codecs/wm8350.c | 28 ++-
sound/soc/dwc/dwc-i2s.c | 17 +-
sound/soc/fsl/fsl_spdif.c | 2 +
sound/soc/fsl/imx-es8328.c | 1 +
sound/soc/generic/simple-card-utils.c | 2 +-
sound/soc/mxs/mxs-saif.c | 5 +-
sound/soc/mxs/mxs-sgtl5000.c | 3 +
sound/soc/rockchip/rockchip_i2s.c | 18 +-
sound/soc/sh/fsi.c | 19 +-
sound/soc/soc-compress.c | 5 +
sound/soc/soc-core.c | 2 +-
sound/soc/soc-generic-dmaengine-pcm.c | 6 +-
sound/soc/soc-topology.c | 3 +-
sound/soc/sof/imx/imx8m.c | 1 +
sound/soc/sof/intel/hda-dai.c | 13 ++
sound/soc/sof/intel/hda-loader.c | 11 +-
sound/soc/ti/davinci-i2s.c | 5 +-
sound/soc/xilinx/xlnx_formatter_pcm.c | 25 +++
sound/spi/at73c213.c | 27 ++-
tools/include/uapi/linux/bpf.h | 4 +-
tools/lib/bpf/btf_dump.c | 5 +
tools/lib/bpf/libbpf.c | 3 +
tools/lib/bpf/xsk.c | 11 ++
.../testing/selftests/bpf/progs/test_sock_fields.c | 2 +-
tools/testing/selftests/bpf/test_lirc_mode2.sh | 5 +-
tools/testing/selftests/bpf/test_lwt_ip_encap.sh | 10 +-
.../testing/selftests/net/test_vxlan_under_vrf.sh | 8 +-
tools/testing/selftests/vm/Makefile | 6 +-
tools/testing/selftests/x86/Makefile | 6 +-
tools/testing/selftests/x86/check_cc.sh | 2 +-
tools/virtio/virtio_test.c | 1 +
virt/kvm/kvm_main.c | 13 ++
654 files changed, 5424 insertions(+), 2742 deletions(-)
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 001/599] swiotlb: fix info leak with DMA_FROM_DEVICE
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
@ 2022-04-05 7:24 ` Greg Kroah-Hartman
2022-04-05 7:24 ` [PATCH 5.10 002/599] USB: serial: pl2303: add IBM device IDs Greg Kroah-Hartman
` (610 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:24 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Halil Pasic, Christoph Hellwig
From: Halil Pasic <pasic@linux.ibm.com>
commit ddbd89deb7d32b1fbb879f48d68fda1a8ac58e8e upstream.
The problem I'm addressing was discovered by the LTP test covering
cve-2018-1000204.
A short description of what happens follows:
1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO
interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV
and a corresponding dxferp. The peculiar thing about this is that TUR
is not reading from the device.
2) In sg_start_req() the invocation of blk_rq_map_user() effectively
bounces the user-space buffer. As if the device was to transfer into
it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in
sg_build_indirect()") we make sure this first bounce buffer is
allocated with GFP_ZERO.
3) For the rest of the story we keep ignoring that we have a TUR, so the
device won't touch the buffer we prepare as if the we had a
DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device
and the buffer allocated by SG is mapped by the function
virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here
scatter-gather and not scsi generics). This mapping involves bouncing
via the swiotlb (we need swiotlb to do virtio in protected guest like
s390 Secure Execution, or AMD SEV).
4) When the SCSI TUR is done, we first copy back the content of the second
(that is swiotlb) bounce buffer (which most likely contains some
previous IO data), to the first bounce buffer, which contains all
zeros. Then we copy back the content of the first bounce buffer to
the user-space buffer.
5) The test case detects that the buffer, which it zero-initialized,
ain't all zeros and fails.
One can argue that this is an swiotlb problem, because without swiotlb
we leak all zeros, and the swiotlb should be transparent in a sense that
it does not affect the outcome (if all other participants are well
behaved).
Copying the content of the original buffer into the swiotlb buffer is
the only way I can think of to make swiotlb transparent in such
scenarios. So let's do just that if in doubt, but allow the driver
to tell us that the whole mapped buffer is going to be overwritten,
in which case we can preserve the old behavior and avoid the performance
impact of the extra bounce.
Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/core-api/dma-attributes.rst | 8 ++++++++
include/linux/dma-mapping.h | 8 ++++++++
kernel/dma/swiotlb.c | 3 ++-
3 files changed, 18 insertions(+), 1 deletion(-)
--- a/Documentation/core-api/dma-attributes.rst
+++ b/Documentation/core-api/dma-attributes.rst
@@ -130,3 +130,11 @@ accesses to DMA buffers in both privileg
subsystem that the buffer is fully accessible at the elevated privilege
level (and ideally inaccessible or at least read-only at the
lesser-privileged levels).
+
+DMA_ATTR_OVERWRITE
+------------------
+
+This is a hint to the DMA-mapping subsystem that the device is expected to
+overwrite the entire mapped size, thus the caller does not require any of the
+previous buffer contents to be preserved. This allows bounce-buffering
+implementations to optimise DMA_FROM_DEVICE transfers.
--- a/include/linux/dma-mapping.h
+++ b/include/linux/dma-mapping.h
@@ -62,6 +62,14 @@
#define DMA_ATTR_PRIVILEGED (1UL << 9)
/*
+ * This is a hint to the DMA-mapping subsystem that the device is expected
+ * to overwrite the entire mapped size, thus the caller does not require any
+ * of the previous buffer contents to be preserved. This allows
+ * bounce-buffering implementations to optimise DMA_FROM_DEVICE transfers.
+ */
+#define DMA_ATTR_OVERWRITE (1UL << 10)
+
+/*
* A dma_addr_t can hold any valid DMA or bus address for the platform. It can
* be given to a device to use as a DMA source or target. It is specific to a
* given device and there may be a translation between the CPU physical address
--- a/kernel/dma/swiotlb.c
+++ b/kernel/dma/swiotlb.c
@@ -598,7 +598,8 @@ phys_addr_t swiotlb_tbl_map_single(struc
tlb_addr = slot_addr(io_tlb_start, index) + offset;
if (!(attrs & DMA_ATTR_SKIP_CPU_SYNC) &&
- (dir == DMA_TO_DEVICE || dir == DMA_BIDIRECTIONAL))
+ (!(attrs & DMA_ATTR_OVERWRITE) || dir == DMA_TO_DEVICE ||
+ dir == DMA_BIDIRECTIONAL))
swiotlb_bounce(orig_addr, tlb_addr, mapping_size, DMA_TO_DEVICE);
return tlb_addr;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 002/599] USB: serial: pl2303: add IBM device IDs
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
2022-04-05 7:24 ` [PATCH 5.10 001/599] swiotlb: fix info leak with DMA_FROM_DEVICE Greg Kroah-Hartman
@ 2022-04-05 7:24 ` Greg Kroah-Hartman
2022-04-05 7:24 ` [PATCH 5.10 003/599] USB: serial: simple: add Nokia phone driver Greg Kroah-Hartman
` (609 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Eddie James, Joel Stanley, Johan Hovold
From: Eddie James <eajames@linux.ibm.com>
commit e1d15646565b284e9ef2433234d6cfdaf66695f1 upstream.
IBM manufactures a PL2303 device for UPS communications. Add the vendor
and product IDs so that the PL2303 driver binds to the device.
Signed-off-by: Eddie James <eajames@linux.ibm.com>
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Eddie James <eajames@linux.ibm.com>
Link: https://lore.kernel.org/r/20220301224446.21236-1-eajames@linux.ibm.com
Cc: stable@vger.kernel.org
[ johan: amend the SoB chain ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/pl2303.c | 1 +
drivers/usb/serial/pl2303.h | 3 +++
2 files changed, 4 insertions(+)
--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -116,6 +116,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(ADLINK_VENDOR_ID, ADLINK_ND6530GC_PRODUCT_ID) },
{ USB_DEVICE(SMART_VENDOR_ID, SMART_PRODUCT_ID) },
{ USB_DEVICE(AT_VENDOR_ID, AT_VTKIT3_PRODUCT_ID) },
+ { USB_DEVICE(IBM_VENDOR_ID, IBM_PRODUCT_ID) },
{ } /* Terminating entry */
};
--- a/drivers/usb/serial/pl2303.h
+++ b/drivers/usb/serial/pl2303.h
@@ -35,6 +35,9 @@
#define ATEN_PRODUCT_UC232B 0x2022
#define ATEN_PRODUCT_ID2 0x2118
+#define IBM_VENDOR_ID 0x04b3
+#define IBM_PRODUCT_ID 0x4016
+
#define IODATA_VENDOR_ID 0x04bb
#define IODATA_PRODUCT_ID 0x0a03
#define IODATA_PRODUCT_ID_RSAQ5 0x0a0e
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 003/599] USB: serial: simple: add Nokia phone driver
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
2022-04-05 7:24 ` [PATCH 5.10 001/599] swiotlb: fix info leak with DMA_FROM_DEVICE Greg Kroah-Hartman
2022-04-05 7:24 ` [PATCH 5.10 002/599] USB: serial: pl2303: add IBM device IDs Greg Kroah-Hartman
@ 2022-04-05 7:24 ` Greg Kroah-Hartman
2022-04-05 7:24 ` [PATCH 5.10 004/599] hv: utils: add PTP_1588_CLOCK to Kconfig to fix build Greg Kroah-Hartman
` (608 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:24 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold
From: Johan Hovold <johan@kernel.org>
commit c4b9c570965f75d0d55e639747f1e5ccdad2fae0 upstream.
Add a new "simple" driver for certain Nokia phones, including Nokia 130
(RM-1035) which exposes two serial ports in "charging only" mode:
Bus 001 Device 009: ID 0421:069a Nokia Mobile Phones 130 [RM-1035] (Charging only)
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 8
idVendor 0x0421 Nokia Mobile Phones
idProduct 0x069a 130 [RM-1035] (Charging only)
bcdDevice 1.00
iManufacturer 1 Nokia
iProduct 2 Nokia 130 (RM-1035)
iSerial 0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0037
bNumInterfaces 2
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Device Status: 0x0000
(Bus Powered)
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220228084919.10656-1-johan@kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/Kconfig | 1 +
drivers/usb/serial/usb-serial-simple.c | 7 +++++++
2 files changed, 8 insertions(+)
--- a/drivers/usb/serial/Kconfig
+++ b/drivers/usb/serial/Kconfig
@@ -66,6 +66,7 @@ config USB_SERIAL_SIMPLE
- Libtransistor USB console
- a number of Motorola phones
- Motorola Tetra devices
+ - Nokia mobile phones
- Novatel Wireless GPS receivers
- Siemens USB/MPI adapter.
- ViVOtech ViVOpay USB device.
--- a/drivers/usb/serial/usb-serial-simple.c
+++ b/drivers/usb/serial/usb-serial-simple.c
@@ -91,6 +91,11 @@ DEVICE(moto_modem, MOTO_IDS);
{ USB_DEVICE(0x0cad, 0x9016) } /* TPG2200 */
DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS);
+/* Nokia mobile phone driver */
+#define NOKIA_IDS() \
+ { USB_DEVICE(0x0421, 0x069a) } /* Nokia 130 (RM-1035) */
+DEVICE(nokia, NOKIA_IDS);
+
/* Novatel Wireless GPS driver */
#define NOVATEL_IDS() \
{ USB_DEVICE(0x09d7, 0x0100) } /* NovAtel FlexPack GPS */
@@ -123,6 +128,7 @@ static struct usb_serial_driver * const
&vivopay_device,
&moto_modem_device,
&motorola_tetra_device,
+ &nokia_device,
&novatel_gps_device,
&hp4x_device,
&suunto_device,
@@ -140,6 +146,7 @@ static const struct usb_device_id id_tab
VIVOPAY_IDS(),
MOTO_IDS(),
MOTOROLA_TETRA_IDS(),
+ NOKIA_IDS(),
NOVATEL_IDS(),
HP4X_IDS(),
SUUNTO_IDS(),
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 004/599] hv: utils: add PTP_1588_CLOCK to Kconfig to fix build
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2022-04-05 7:24 ` [PATCH 5.10 003/599] USB: serial: simple: add Nokia phone driver Greg Kroah-Hartman
@ 2022-04-05 7:24 ` Greg Kroah-Hartman
2022-04-05 7:24 ` [PATCH 5.10 005/599] netdevice: add the case if dev is NULL Greg Kroah-Hartman
` (607 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Randy Dunlap, kernel test robot,
Arnd Bergmann, K. Y. Srinivasan, Haiyang Zhang,
Stephen Hemminger, Wei Liu, Dexuan Cui, linux-hyperv,
Michael Kelley, Petr Štetiar
From: Randy Dunlap <rdunlap@infradead.org>
commit 1dc2f2b81a6a9895da59f3915760f6c0c3074492 upstream.
The hyperv utilities use PTP clock interfaces and should depend a
a kconfig symbol such that they will be built as a loadable module or
builtin so that linker errors do not happen.
Prevents these build errors:
ld: drivers/hv/hv_util.o: in function `hv_timesync_deinit':
hv_util.c:(.text+0x37d): undefined reference to `ptp_clock_unregister'
ld: drivers/hv/hv_util.o: in function `hv_timesync_init':
hv_util.c:(.text+0x738): undefined reference to `ptp_clock_register'
Fixes: 3716a49a81ba ("hv_utils: implement Hyper-V PTP source")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: kernel test robot <lkp@intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: "K. Y. Srinivasan" <kys@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Cc: Wei Liu <wei.liu@kernel.org>
Cc: Dexuan Cui <decui@microsoft.com>
Cc: linux-hyperv@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Link: https://lore.kernel.org/r/20211126023316.25184-1-rdunlap@infradead.org
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Cc: Petr Štetiar <ynezz@true.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hv/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/hv/Kconfig
+++ b/drivers/hv/Kconfig
@@ -17,6 +17,7 @@ config HYPERV_TIMER
config HYPERV_UTILS
tristate "Microsoft Hyper-V Utilities driver"
depends on HYPERV && CONNECTOR && NLS
+ depends on PTP_1588_CLOCK_OPTIONAL
help
Select this option to enable the Hyper-V Utilities.
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 005/599] netdevice: add the case if dev is NULL
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2022-04-05 7:24 ` [PATCH 5.10 004/599] hv: utils: add PTP_1588_CLOCK to Kconfig to fix build Greg Kroah-Hartman
@ 2022-04-05 7:24 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 006/599] HID: logitech-dj: add new lightspeed receiver id Greg Kroah-Hartman
` (606 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Yajun Deng, David S. Miller, Pavel Machek
From: Yajun Deng <yajun.deng@linux.dev>
commit b37a466837393af72fe8bcb8f1436410f3f173f3 upstream.
Add the case if dev is NULL in dev_{put, hold}, so the caller doesn't
need to care whether dev is NULL or not.
Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Pavel Machek <pavel@denx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/netdevice.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -3980,7 +3980,8 @@ void netdev_run_todo(void);
*/
static inline void dev_put(struct net_device *dev)
{
- this_cpu_dec(*dev->pcpu_refcnt);
+ if (dev)
+ this_cpu_dec(*dev->pcpu_refcnt);
}
/**
@@ -3991,7 +3992,8 @@ static inline void dev_put(struct net_de
*/
static inline void dev_hold(struct net_device *dev)
{
- this_cpu_inc(*dev->pcpu_refcnt);
+ if (dev)
+ this_cpu_inc(*dev->pcpu_refcnt);
}
/* Carrier loss detection, dial on demand. The functions netif_carrier_on
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 006/599] HID: logitech-dj: add new lightspeed receiver id
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2022-04-05 7:24 ` [PATCH 5.10 005/599] netdevice: add the case if dev is NULL Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 007/599] xfrm: fix tunnel model fragmentation behavior Greg Kroah-Hartman
` (605 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Lucas Zampieri, Nestor Lopez Casado,
Jiri Kosina, Sasha Levin
From: Lucas Zampieri <lzampier@redhat.com>
[ Upstream commit 25666e8ccd952627899b09b68f7c9b68cfeaf028 ]
As of logitech lightspeed receiver fw version 04.02.B0009,
HIDPP_PARAM_DEVICE_INFO is being reported as 0x11.
With patch "HID: logitech-dj: add support for the new lightspeed receiver
iteration", the mouse starts to error out with:
logitech-djreceiver: unusable device of type UNKNOWN (0x011) connected on
slot 1
and becomes unusable.
This has been noticed on a Logitech G Pro X Superlight fw MPM 25.01.B0018.
Signed-off-by: Lucas Zampieri <lzampier@redhat.com>
Acked-by: Nestor Lopez Casado <nlopezcasad@logitech.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-logitech-dj.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
index a311b0a33eba..587259b3db97 100644
--- a/drivers/hid/hid-logitech-dj.c
+++ b/drivers/hid/hid-logitech-dj.c
@@ -1000,6 +1000,7 @@ static void logi_hidpp_recv_queue_notif(struct hid_device *hdev,
workitem.reports_supported |= STD_KEYBOARD;
break;
case 0x0f:
+ case 0x11:
device_type = "eQUAD Lightspeed 1.2";
logi_hidpp_dev_conn_notif_equad(hdev, hidpp_report, &workitem);
workitem.reports_supported |= STD_KEYBOARD;
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 007/599] xfrm: fix tunnel model fragmentation behavior
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 006/599] HID: logitech-dj: add new lightspeed receiver id Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 008/599] ARM: mstar: Select HAVE_ARM_ARCH_TIMER Greg Kroah-Hartman
` (604 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Lina Wang, Steffen Klassert, Sasha Levin
From: Lina Wang <lina.wang@mediatek.com>
[ Upstream commit 4ff2980b6bd2aa6b4ded3ce3b7c0ccfab29980af ]
in tunnel mode, if outer interface(ipv4) is less, it is easily to let
inner IPV6 mtu be less than 1280. If so, a Packet Too Big ICMPV6 message
is received. When send again, packets are fragmentized with 1280, they
are still rejected with ICMPV6(Packet Too Big) by xfrmi_xmit2().
According to RFC4213 Section3.2.2:
if (IPv4 path MTU - 20) is less than 1280
if packet is larger than 1280 bytes
Send ICMPv6 "packet too big" with MTU=1280
Drop packet
else
Encapsulate but do not set the Don't Fragment
flag in the IPv4 header. The resulting IPv4
packet might be fragmented by the IPv4 layer
on the encapsulator or by some router along
the IPv4 path.
endif
else
if packet is larger than (IPv4 path MTU - 20)
Send ICMPv6 "packet too big" with
MTU = (IPv4 path MTU - 20).
Drop packet.
else
Encapsulate and set the Don't Fragment flag
in the IPv4 header.
endif
endif
Packets should be fragmentized with ipv4 outer interface, so change it.
After it is fragemtized with ipv4, there will be double fragmenation.
No.48 & No.51 are ipv6 fragment packets, No.48 is double fragmentized,
then tunneled with IPv4(No.49& No.50), which obey spec. And received peer
cannot decrypt it rightly.
48 2002::10 2002::11 1296(length) IPv6 fragment (off=0 more=y ident=0xa20da5bc nxt=50)
49 0x0000 (0) 2002::10 2002::11 1304 IPv6 fragment (off=0 more=y ident=0x7448042c nxt=44)
50 0x0000 (0) 2002::10 2002::11 200 ESP (SPI=0x00035000)
51 2002::10 2002::11 180 Echo (ping) request
52 0x56dc 2002::10 2002::11 248 IPv6 fragment (off=1232 more=n ident=0xa20da5bc nxt=50)
xfrm6_noneed_fragment has fixed above issues. Finally, it acted like below:
1 0x6206 192.168.1.138 192.168.1.1 1316 Fragmented IP protocol (proto=Encap Security Payload 50, off=0, ID=6206) [Reassembled in #2]
2 0x6206 2002::10 2002::11 88 IPv6 fragment (off=0 more=y ident=0x1f440778 nxt=50)
3 0x0000 2002::10 2002::11 248 ICMPv6 Echo (ping) request
Signed-off-by: Lina Wang <lina.wang@mediatek.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/xfrm6_output.c | 16 ++++++++++++++++
net/xfrm/xfrm_interface.c | 5 ++++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 6abb45a67199..ee349c243878 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -52,6 +52,19 @@ static int __xfrm6_output_finish(struct net *net, struct sock *sk, struct sk_buf
return xfrm_output(sk, skb);
}
+static int xfrm6_noneed_fragment(struct sk_buff *skb)
+{
+ struct frag_hdr *fh;
+ u8 prevhdr = ipv6_hdr(skb)->nexthdr;
+
+ if (prevhdr != NEXTHDR_FRAGMENT)
+ return 0;
+ fh = (struct frag_hdr *)(skb->data + sizeof(struct ipv6hdr));
+ if (fh->nexthdr == NEXTHDR_ESP || fh->nexthdr == NEXTHDR_AUTH)
+ return 1;
+ return 0;
+}
+
static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
{
struct dst_entry *dst = skb_dst(skb);
@@ -80,6 +93,9 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
xfrm6_local_rxpmtu(skb, mtu);
kfree_skb(skb);
return -EMSGSIZE;
+ } else if (toobig && xfrm6_noneed_fragment(skb)) {
+ skb->ignore_df = 1;
+ goto skip_frag;
} else if (!skb->ignore_df && toobig && skb->sk) {
xfrm_local_error(skb, mtu);
kfree_skb(skb);
diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
index 4420c8fd318a..da518b4ca84c 100644
--- a/net/xfrm/xfrm_interface.c
+++ b/net/xfrm/xfrm_interface.c
@@ -303,7 +303,10 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
if (mtu < IPV6_MIN_MTU)
mtu = IPV6_MIN_MTU;
- icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
+ if (skb->len > 1280)
+ icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
+ else
+ goto xmit;
} else {
if (!(ip_hdr(skb)->frag_off & htons(IP_DF)))
goto xmit;
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 008/599] ARM: mstar: Select HAVE_ARM_ARCH_TIMER
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 007/599] xfrm: fix tunnel model fragmentation behavior Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 009/599] virtio_console: break out of buf poll on remove Greg Kroah-Hartman
` (603 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Daniel Palmer, Arnd Bergmann, Sasha Levin
From: Daniel Palmer <daniel@0x0f.com>
[ Upstream commit ea49432d184a6a09f84461604b7711a4e9f5ec9c ]
The mstar SoCs have an arch timer but HAVE_ARM_ARCH_TIMER wasn't
selected. If MSC313E_TIMER isn't selected then the kernel gets
stuck at boot because there are no timers available.
Signed-off-by: Daniel Palmer <daniel@0x0f.com>
Link: https://lore.kernel.org/r/20220301104349.3040422-1-daniel@0x0f.com'
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-mstar/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm/mach-mstar/Kconfig b/arch/arm/mach-mstar/Kconfig
index 576d1ab293c8..30560fdf87ed 100644
--- a/arch/arm/mach-mstar/Kconfig
+++ b/arch/arm/mach-mstar/Kconfig
@@ -3,6 +3,7 @@ menuconfig ARCH_MSTARV7
depends on ARCH_MULTI_V7
select ARM_GIC
select ARM_HEAVY_MB
+ select HAVE_ARM_ARCH_TIMER
select MST_IRQ
help
Support for newer MStar/Sigmastar SoC families that are
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 009/599] virtio_console: break out of buf poll on remove
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 008/599] ARM: mstar: Select HAVE_ARM_ARCH_TIMER Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 010/599] vdpa/mlx5: should verify CTRL_VQ feature exists for MQ Greg Kroah-Hartman
` (602 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael S. Tsirkin, Sasha Levin
From: Michael S. Tsirkin <mst@redhat.com>
[ Upstream commit 0e7174b9d5877130fec41fb4a16e0c2ee4958d44 ]
A common pattern for device reset is currently:
vdev->config->reset(vdev);
.. cleanup ..
reset prevents new interrupts from arriving and waits for interrupt
handlers to finish.
However if - as is common - the handler queues a work request which is
flushed during the cleanup stage, we have code adding buffers / trying
to get buffers while device is reset. Not good.
This was reproduced by running
modprobe virtio_console
modprobe -r virtio_console
in a loop.
Fix this up by calling virtio_break_device + flush before reset.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1786239
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/virtio_console.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 673522874cec..3dd4deb60adb 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1959,6 +1959,13 @@ static void virtcons_remove(struct virtio_device *vdev)
list_del(&portdev->list);
spin_unlock_irq(&pdrvdata_lock);
+ /* Device is going away, exit any polling for buffers */
+ virtio_break_device(vdev);
+ if (use_multiport(portdev))
+ flush_work(&portdev->control_work);
+ else
+ flush_work(&portdev->config_work);
+
/* Disable interrupts for vqs */
vdev->config->reset(vdev);
/* Finish up work that's lined up */
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 010/599] vdpa/mlx5: should verify CTRL_VQ feature exists for MQ
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 009/599] virtio_console: break out of buf poll on remove Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 011/599] tools/virtio: fix virtio_test execution Greg Kroah-Hartman
` (601 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Si-Wei Liu, Michael S. Tsirkin,
Eli Cohen, Jason Wang, Sasha Levin
From: Si-Wei Liu <si-wei.liu@oracle.com>
[ Upstream commit 30c22f3816ffef8aa21a000e93c4ee1402a6ea65 ]
Per VIRTIO v1.1 specification, section 5.1.3.1 Feature bit requirements:
"VIRTIO_NET_F_MQ Requires VIRTIO_NET_F_CTRL_VQ".
There's assumption in the mlx5_vdpa multiqueue code that MQ must come
together with CTRL_VQ. However, there's nowhere in the upper layer to
guarantee this assumption would hold. Were there an untrusted driver
sending down MQ without CTRL_VQ, it would compromise various spots for
e.g. is_index_valid() and is_ctrl_vq_idx(). Although this doesn't end
up with immediate panic or security loophole as of today's code, the
chance for this to be taken advantage of due to future code change is
not zero.
Harden the crispy assumption by failing the set_driver_features() call
when seeing (MQ && !CTRL_VQ). For that end, verify_min_features() is
renamed to verify_driver_features() to reflect the fact that it now does
more than just validate the minimum features. verify_driver_features()
is now used to accommodate various checks against the driver features
for set_driver_features().
Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
Link: https://lore.kernel.org/r/1642206481-30721-3-git-send-email-si-wei.liu@oracle.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Eli Cohen <elic@nvidia.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vdpa/mlx5/net/mlx5_vnet.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
index 65d6f8fd81e7..577ff786f11b 100644
--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
+++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -1482,11 +1482,25 @@ static u64 mlx5_vdpa_get_features(struct vdpa_device *vdev)
return ndev->mvdev.mlx_features;
}
-static int verify_min_features(struct mlx5_vdpa_dev *mvdev, u64 features)
+static int verify_driver_features(struct mlx5_vdpa_dev *mvdev, u64 features)
{
+ /* Minimum features to expect */
if (!(features & BIT_ULL(VIRTIO_F_ACCESS_PLATFORM)))
return -EOPNOTSUPP;
+ /* Double check features combination sent down by the driver.
+ * Fail invalid features due to absence of the depended feature.
+ *
+ * Per VIRTIO v1.1 specification, section 5.1.3.1 Feature bit
+ * requirements: "VIRTIO_NET_F_MQ Requires VIRTIO_NET_F_CTRL_VQ".
+ * By failing the invalid features sent down by untrusted drivers,
+ * we're assured the assumption made upon is_index_valid() and
+ * is_ctrl_vq_idx() will not be compromised.
+ */
+ if ((features & (BIT_ULL(VIRTIO_NET_F_MQ) | BIT_ULL(VIRTIO_NET_F_CTRL_VQ))) ==
+ BIT_ULL(VIRTIO_NET_F_MQ))
+ return -EINVAL;
+
return 0;
}
@@ -1544,7 +1558,7 @@ static int mlx5_vdpa_set_features(struct vdpa_device *vdev, u64 features)
print_features(mvdev, features, true);
- err = verify_min_features(mvdev, features);
+ err = verify_driver_features(mvdev, features);
if (err)
return err;
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 011/599] tools/virtio: fix virtio_test execution
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 010/599] vdpa/mlx5: should verify CTRL_VQ feature exists for MQ Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 012/599] ethernet: sun: Free the coherent when failing in probing Greg Kroah-Hartman
` (600 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Stefano Garzarella,
Michael S. Tsirkin, Jason Wang, Sasha Levin
From: Stefano Garzarella <sgarzare@redhat.com>
[ Upstream commit 32f1b53fe8f03d962423ba81f8e92af5839814da ]
virtio_test hangs on __vring_new_virtqueue() because `vqs_list_lock`
is not initialized.
Let's initialize it in vdev_info_init().
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://lore.kernel.org/r/20220118150631.167015-1-sgarzare@redhat.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/virtio/virtio_test.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/virtio/virtio_test.c b/tools/virtio/virtio_test.c
index cb3f29c09aff..23f142af544a 100644
--- a/tools/virtio/virtio_test.c
+++ b/tools/virtio/virtio_test.c
@@ -130,6 +130,7 @@ static void vdev_info_init(struct vdev_info* dev, unsigned long long features)
memset(dev, 0, sizeof *dev);
dev->vdev.features = features;
INIT_LIST_HEAD(&dev->vdev.vqs);
+ spin_lock_init(&dev->vdev.vqs_list_lock);
dev->buf_size = 1024;
dev->buf = malloc(dev->buf_size);
assert(dev->buf);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 012/599] ethernet: sun: Free the coherent when failing in probing
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 011/599] tools/virtio: fix virtio_test execution Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 013/599] gpio: Revert regression in sysfs-gpio (gpiolib.c) Greg Kroah-Hartman
` (599 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Zheyu Ma, Andrew Lunn,
David S. Miller, Sasha Levin
From: Zheyu Ma <zheyuma97@gmail.com>
[ Upstream commit bb77bd31c281f70ec77c9c4f584950a779e05cf8 ]
When the driver fails to register net device, it should free the DMA
region first, and then do other cleanup.
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/sun/sunhme.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/sun/sunhme.c b/drivers/net/ethernet/sun/sunhme.c
index 54b53dbdb33c..69fc47089e62 100644
--- a/drivers/net/ethernet/sun/sunhme.c
+++ b/drivers/net/ethernet/sun/sunhme.c
@@ -3163,7 +3163,7 @@ static int happy_meal_pci_probe(struct pci_dev *pdev,
if (err) {
printk(KERN_ERR "happymeal(PCI): Cannot register net device, "
"aborting.\n");
- goto err_out_iounmap;
+ goto err_out_free_coherent;
}
pci_set_drvdata(pdev, hp);
@@ -3196,6 +3196,10 @@ static int happy_meal_pci_probe(struct pci_dev *pdev,
return 0;
+err_out_free_coherent:
+ dma_free_coherent(hp->dma_dev, PAGE_SIZE,
+ hp->happy_block, hp->hblock_dvma);
+
err_out_iounmap:
iounmap(hp->gregs);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 013/599] gpio: Revert regression in sysfs-gpio (gpiolib.c)
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 012/599] ethernet: sun: Free the coherent when failing in probing Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 014/599] spi: Fix invalid sgs value Greg Kroah-Hartman
` (598 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Marcelo Roberto Jimenez,
Bartosz Golaszewski, Sasha Levin
From: Marcelo Roberto Jimenez <marcelo.jimenez@gmail.com>
[ Upstream commit fc328a7d1fcce263db0b046917a66f3aa6e68719 ]
Some GPIO lines have stopped working after the patch
commit 2ab73c6d8323f ("gpio: Support GPIO controllers without pin-ranges")
And this has supposedly been fixed in the following patches
commit 89ad556b7f96a ("gpio: Avoid using pin ranges with !PINCTRL")
commit 6dbbf84603961 ("gpiolib: Don't free if pin ranges are not defined")
But an erratic behavior where some GPIO lines work while others do not work
has been introduced.
This patch reverts those changes so that the sysfs-gpio interface works
properly again.
Signed-off-by: Marcelo Roberto Jimenez <marcelo.jimenez@gmail.com>
Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index 00526fdd7691..bbf34d84636d 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -1804,11 +1804,6 @@ static inline void gpiochip_irqchip_free_valid_mask(struct gpio_chip *gc)
*/
int gpiochip_generic_request(struct gpio_chip *gc, unsigned offset)
{
-#ifdef CONFIG_PINCTRL
- if (list_empty(&gc->gpiodev->pin_ranges))
- return 0;
-#endif
-
return pinctrl_gpio_request(gc->gpiodev->base + offset);
}
EXPORT_SYMBOL_GPL(gpiochip_generic_request);
@@ -1820,11 +1815,6 @@ EXPORT_SYMBOL_GPL(gpiochip_generic_request);
*/
void gpiochip_generic_free(struct gpio_chip *gc, unsigned offset)
{
-#ifdef CONFIG_PINCTRL
- if (list_empty(&gc->gpiodev->pin_ranges))
- return;
-#endif
-
pinctrl_gpio_free(gc->gpiodev->base + offset);
}
EXPORT_SYMBOL_GPL(gpiochip_generic_free);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 014/599] spi: Fix invalid sgs value
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 013/599] gpio: Revert regression in sysfs-gpio (gpiolib.c) Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 015/599] net:mcf8390: Use platform_get_irq() to get the interrupt Greg Kroah-Hartman
` (597 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Biju Das, Lad Prabhakar,
Geert Uytterhoeven, Mark Brown, Sasha Levin
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit 1a4e53d2fc4f68aa654ad96d13ad042e1a8e8a7d ]
max_seg_size is unsigned int and it can have a value up to 2^32
(for eg:-RZ_DMAC driver sets dma_set_max_seg_size as U32_MAX)
When this value is used in min_t() as an integer type, it becomes
-1 and the value of sgs becomes 0.
Fix this issue by replacing the 'int' data type with 'unsigned int'
in min_t().
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/20220307184843.9994-1-biju.das.jz@bp.renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
index 8c261eac2cee..2396565fc91b 100644
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -881,10 +881,10 @@ int spi_map_buf(struct spi_controller *ctlr, struct device *dev,
int i, ret;
if (vmalloced_buf || kmap_buf) {
- desc_len = min_t(int, max_seg_size, PAGE_SIZE);
+ desc_len = min_t(unsigned int, max_seg_size, PAGE_SIZE);
sgs = DIV_ROUND_UP(len + offset_in_page(buf), desc_len);
} else if (virt_addr_valid(buf)) {
- desc_len = min_t(int, max_seg_size, ctlr->max_dma_len);
+ desc_len = min_t(unsigned int, max_seg_size, ctlr->max_dma_len);
sgs = DIV_ROUND_UP(len, desc_len);
} else {
return -EINVAL;
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 015/599] net:mcf8390: Use platform_get_irq() to get the interrupt
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 014/599] spi: Fix invalid sgs value Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 016/599] Revert "gpio: Revert regression in sysfs-gpio (gpiolib.c)" Greg Kroah-Hartman
` (596 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Zeal Robot, Minghao Chi (CGEL ZTE),
David S. Miller, Sasha Levin
From: Minghao Chi (CGEL ZTE) <chi.minghao@zte.com.cn>
[ Upstream commit 2a760554dcba450d3ad61b32375b50ed6d59a87c ]
It is not recommened to use platform_get_resource(pdev, IORESOURCE_IRQ)
for requesting IRQ's resources any more, as they can be not ready yet in
case of DT-booting.
platform_get_irq() instead is a recommended way for getting IRQ even if
it was not retrieved earlier.
It also makes code simpler because we're getting "int" value right away
and no conversion from resource to int is required.
Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: Minghao Chi (CGEL ZTE) <chi.minghao@zte.com.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/8390/mcf8390.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/8390/mcf8390.c b/drivers/net/ethernet/8390/mcf8390.c
index 4ad8031ab669..065fdbe66c42 100644
--- a/drivers/net/ethernet/8390/mcf8390.c
+++ b/drivers/net/ethernet/8390/mcf8390.c
@@ -406,12 +406,12 @@ static int mcf8390_init(struct net_device *dev)
static int mcf8390_probe(struct platform_device *pdev)
{
struct net_device *dev;
- struct resource *mem, *irq;
+ struct resource *mem;
resource_size_t msize;
- int ret;
+ int ret, irq;
- irq = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
- if (irq == NULL) {
+ irq = platform_get_irq(pdev, 0);
+ if (irq < 0) {
dev_err(&pdev->dev, "no IRQ specified?\n");
return -ENXIO;
}
@@ -434,7 +434,7 @@ static int mcf8390_probe(struct platform_device *pdev)
SET_NETDEV_DEV(dev, &pdev->dev);
platform_set_drvdata(pdev, dev);
- dev->irq = irq->start;
+ dev->irq = irq;
dev->base_addr = mem->start;
ret = mcf8390_init(dev);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 016/599] Revert "gpio: Revert regression in sysfs-gpio (gpiolib.c)"
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 015/599] net:mcf8390: Use platform_get_irq() to get the interrupt Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 017/599] spi: Fix erroneous sgs value with min_t() Greg Kroah-Hartman
` (595 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Bartosz Golaszewski, Michael Walle,
Thorsten Leemhuis, Marcelo Roberto Jimenez, Linus Torvalds,
Sasha Levin, Guenter Roeck
From: Bartosz Golaszewski <brgl@bgdev.pl>
[ Upstream commit 56e337f2cf1326323844927a04e9dbce9a244835 ]
This reverts commit fc328a7d1fcce263db0b046917a66f3aa6e68719.
This commit - while attempting to fix a regression - has caused a number
of other problems. As the fallout from it is more significant than the
initial problem itself, revert it for now before we find a correct
solution.
Link: https://lore.kernel.org/all/20220314192522.GA3031157@roeck-us.net/
Link: https://lore.kernel.org/stable/20220314155509.552218-1-michael@walle.cc/
Link: https://lore.kernel.org/all/20211217153555.9413-1-marcelo.jimenez@gmail.com/
Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
Reported-and-bisected-by: Guenter Roeck <linux@roeck-us.net>
Reported-by: Michael Walle <michael@walle.cc>
Cc: Thorsten Leemhuis <linux@leemhuis.info>
Cc: Marcelo Roberto Jimenez <marcelo.jimenez@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index bbf34d84636d..00526fdd7691 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -1804,6 +1804,11 @@ static inline void gpiochip_irqchip_free_valid_mask(struct gpio_chip *gc)
*/
int gpiochip_generic_request(struct gpio_chip *gc, unsigned offset)
{
+#ifdef CONFIG_PINCTRL
+ if (list_empty(&gc->gpiodev->pin_ranges))
+ return 0;
+#endif
+
return pinctrl_gpio_request(gc->gpiodev->base + offset);
}
EXPORT_SYMBOL_GPL(gpiochip_generic_request);
@@ -1815,6 +1820,11 @@ EXPORT_SYMBOL_GPL(gpiochip_generic_request);
*/
void gpiochip_generic_free(struct gpio_chip *gc, unsigned offset)
{
+#ifdef CONFIG_PINCTRL
+ if (list_empty(&gc->gpiodev->pin_ranges))
+ return;
+#endif
+
pinctrl_gpio_free(gc->gpiodev->base + offset);
}
EXPORT_SYMBOL_GPL(gpiochip_generic_free);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 017/599] spi: Fix erroneous sgs value with min_t()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 016/599] Revert "gpio: Revert regression in sysfs-gpio (gpiolib.c)" Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 018/599] Input: zinitix - do not report shadow fingers Greg Kroah-Hartman
` (594 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Linus Torvalds, Geert Uytterhoeven,
Biju Das, Lad Prabhakar, Mark Brown, Sasha Levin
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit ebc4cb43ea5ada3db46c80156fca58a54b9bbca8 ]
While computing sgs in spi_map_buf(), the data type
used in min_t() for max_seg_size is 'unsigned int' where
as that of ctlr->max_dma_len is 'size_t'.
min_t(unsigned int,x,y) gives wrong results if one of x/y is
'size_t'
Consider the below examples on a 64-bit machine (ie size_t is
64-bits, and unsigned int is 32-bit).
case 1) min_t(unsigned int, 5, 0x100000001);
case 2) min_t(size_t, 5, 0x100000001);
Case 1 returns '1', where as case 2 returns '5'. As you can see
the result from case 1 is wrong.
This patch fixes the above issue by using the data type of the
parameters that are used in min_t with maximum data length.
Fixes: commit 1a4e53d2fc4f68aa ("spi: Fix invalid sgs value")
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Link: https://lore.kernel.org/r/20220316175317.465-1-biju.das.jz@bp.renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
index 2396565fc91b..6ea7b286c80c 100644
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -881,10 +881,10 @@ int spi_map_buf(struct spi_controller *ctlr, struct device *dev,
int i, ret;
if (vmalloced_buf || kmap_buf) {
- desc_len = min_t(unsigned int, max_seg_size, PAGE_SIZE);
+ desc_len = min_t(unsigned long, max_seg_size, PAGE_SIZE);
sgs = DIV_ROUND_UP(len + offset_in_page(buf), desc_len);
} else if (virt_addr_valid(buf)) {
- desc_len = min_t(unsigned int, max_seg_size, ctlr->max_dma_len);
+ desc_len = min_t(size_t, max_seg_size, ctlr->max_dma_len);
sgs = DIV_ROUND_UP(len, desc_len);
} else {
return -EINVAL;
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 018/599] Input: zinitix - do not report shadow fingers
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 017/599] spi: Fix erroneous sgs value with min_t() Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 019/599] af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register Greg Kroah-Hartman
` (593 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Linus Walleij, Dmitry Torokhov, Sasha Levin
From: Linus Walleij <linus.walleij@linaro.org>
[ Upstream commit e941dc13fd3717122207d74539ab95da07ef797f ]
I observed the following problem with the BT404 touch pad
running the Phosh UI:
When e.g. typing on the virtual keyboard pressing "g" would
produce "ggg".
After some analysis it turns out the firmware reports that three
fingers hit that coordinate at the same time, finger 0, 2 and
4 (of the five available 0,1,2,3,4).
DOWN
Zinitix-TS 3-0020: finger 0 down (246, 395)
Zinitix-TS 3-0020: finger 1 up (0, 0)
Zinitix-TS 3-0020: finger 2 down (246, 395)
Zinitix-TS 3-0020: finger 3 up (0, 0)
Zinitix-TS 3-0020: finger 4 down (246, 395)
UP
Zinitix-TS 3-0020: finger 0 up (246, 395)
Zinitix-TS 3-0020: finger 2 up (246, 395)
Zinitix-TS 3-0020: finger 4 up (246, 395)
This is one touch and release: i.e. this is all reported on
touch (down) and release.
There is a field in the struct touch_event called finger_cnt
which is actually a bitmask of the fingers active in the
event.
Rename this field finger_mask as this matches the use contents
better, then use for_each_set_bit() to iterate over just the
fingers that are actally active.
Factor out a finger reporting function zinitix_report_fingers()
to handle all fingers.
Also be more careful in reporting finger down/up: we were
reporting every event with input_mt_report_slot_state(..., true);
but this should only be reported on finger down or move,
not on finger up, so also add code to check p->sub_status
to see what is happening and report correctly.
After this my Zinitix BT404 touchscreen report fingers
flawlessly.
The vendor drive I have notably does not use the "finger_cnt"
and contains obviously incorrect code like this:
if (touch_dev->touch_info.finger_cnt > MAX_SUPPORTED_FINGER_NUM)
touch_dev->touch_info.finger_cnt = MAX_SUPPORTED_FINGER_NUM;
As MAX_SUPPORTED_FINGER_NUM is an ordinal and the field is
a bitmask this seems quite confused.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20220228233017.2270599-1-linus.walleij@linaro.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/input/touchscreen/zinitix.c | 44 +++++++++++++++++++++++------
1 file changed, 35 insertions(+), 9 deletions(-)
diff --git a/drivers/input/touchscreen/zinitix.c b/drivers/input/touchscreen/zinitix.c
index 6df6f07f1ac6..17b10b81c713 100644
--- a/drivers/input/touchscreen/zinitix.c
+++ b/drivers/input/touchscreen/zinitix.c
@@ -135,7 +135,7 @@ struct point_coord {
struct touch_event {
__le16 status;
- u8 finger_cnt;
+ u8 finger_mask;
u8 time_stamp;
struct point_coord point_coord[MAX_SUPPORTED_FINGER_NUM];
};
@@ -311,11 +311,32 @@ static int zinitix_send_power_on_sequence(struct bt541_ts_data *bt541)
static void zinitix_report_finger(struct bt541_ts_data *bt541, int slot,
const struct point_coord *p)
{
+ u16 x, y;
+
+ if (unlikely(!(p->sub_status &
+ (SUB_BIT_UP | SUB_BIT_DOWN | SUB_BIT_MOVE)))) {
+ dev_dbg(&bt541->client->dev, "unknown finger event %#02x\n",
+ p->sub_status);
+ return;
+ }
+
+ x = le16_to_cpu(p->x);
+ y = le16_to_cpu(p->y);
+
input_mt_slot(bt541->input_dev, slot);
- input_mt_report_slot_state(bt541->input_dev, MT_TOOL_FINGER, true);
- touchscreen_report_pos(bt541->input_dev, &bt541->prop,
- le16_to_cpu(p->x), le16_to_cpu(p->y), true);
- input_report_abs(bt541->input_dev, ABS_MT_TOUCH_MAJOR, p->width);
+ if (input_mt_report_slot_state(bt541->input_dev, MT_TOOL_FINGER,
+ !(p->sub_status & SUB_BIT_UP))) {
+ touchscreen_report_pos(bt541->input_dev,
+ &bt541->prop, x, y, true);
+ input_report_abs(bt541->input_dev,
+ ABS_MT_TOUCH_MAJOR, p->width);
+ dev_dbg(&bt541->client->dev, "finger %d %s (%u, %u)\n",
+ slot, p->sub_status & SUB_BIT_DOWN ? "down" : "move",
+ x, y);
+ } else {
+ dev_dbg(&bt541->client->dev, "finger %d up (%u, %u)\n",
+ slot, x, y);
+ }
}
static irqreturn_t zinitix_ts_irq_handler(int irq, void *bt541_handler)
@@ -323,6 +344,7 @@ static irqreturn_t zinitix_ts_irq_handler(int irq, void *bt541_handler)
struct bt541_ts_data *bt541 = bt541_handler;
struct i2c_client *client = bt541->client;
struct touch_event touch_event;
+ unsigned long finger_mask;
int error;
int i;
@@ -335,10 +357,14 @@ static irqreturn_t zinitix_ts_irq_handler(int irq, void *bt541_handler)
goto out;
}
- for (i = 0; i < MAX_SUPPORTED_FINGER_NUM; i++)
- if (touch_event.point_coord[i].sub_status & SUB_BIT_EXIST)
- zinitix_report_finger(bt541, i,
- &touch_event.point_coord[i]);
+ finger_mask = touch_event.finger_mask;
+ for_each_set_bit(i, &finger_mask, MAX_SUPPORTED_FINGER_NUM) {
+ const struct point_coord *p = &touch_event.point_coord[i];
+
+ /* Only process contacts that are actually reported */
+ if (p->sub_status & SUB_BIT_EXIST)
+ zinitix_report_finger(bt541, i, p);
+ }
input_mt_sync_frame(bt541->input_dev);
input_sync(bt541->input_dev);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 019/599] af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 018/599] Input: zinitix - do not report shadow fingers Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 020/599] net: dsa: microchip: add spi_device_id tables Greg Kroah-Hartman
` (592 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, TCS Robot, Haimin Zhang,
Steffen Klassert, Sasha Levin
From: Haimin Zhang <tcs_kernel@tencent.com>
[ Upstream commit 9a564bccb78a76740ea9d75a259942df8143d02c ]
Add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
to initialize the buffer of supp_skb to fix a kernel-info-leak issue.
1) Function pfkey_register calls compose_sadb_supported to request
a sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate
a sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then
compose_sadb_supported treats the memory as a struct sadb_supported and
begins to initialize. But it just initializes the field sadb_supported_len
and field sadb_supported_exttype without field sadb_supported_reserved.
Reported-by: TCS Robot <tcs_robot@tencent.com>
Signed-off-by: Haimin Zhang <tcs_kernel@tencent.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/key/af_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index d1364b858fdf..bd9b5c573b5a 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1703,7 +1703,7 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad
xfrm_probe_algs();
- supp_skb = compose_sadb_supported(hdr, GFP_KERNEL);
+ supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO);
if (!supp_skb) {
if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC)
pfk->registered &= ~(1<<hdr->sadb_msg_satype);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 020/599] net: dsa: microchip: add spi_device_id tables
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 019/599] af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 021/599] locking/lockdep: Avoid potential access of invalid memory in lock_class Greg Kroah-Hartman
` (591 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Claudiu Beznea, David S. Miller, Sasha Levin
From: Claudiu Beznea <claudiu.beznea@microchip.com>
[ Upstream commit e981bc74aefc6a177b50c16cfa7023599799cf74 ]
Add spi_device_id tables to avoid logs like "SPI driver ksz9477-switch
has no spi_device_id".
Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/microchip/ksz8795_spi.c | 11 +++++++++++
drivers/net/dsa/microchip/ksz9477_spi.c | 12 ++++++++++++
2 files changed, 23 insertions(+)
diff --git a/drivers/net/dsa/microchip/ksz8795_spi.c b/drivers/net/dsa/microchip/ksz8795_spi.c
index 8b00f8e6c02f..5639c5c59e25 100644
--- a/drivers/net/dsa/microchip/ksz8795_spi.c
+++ b/drivers/net/dsa/microchip/ksz8795_spi.c
@@ -86,12 +86,23 @@ static const struct of_device_id ksz8795_dt_ids[] = {
};
MODULE_DEVICE_TABLE(of, ksz8795_dt_ids);
+static const struct spi_device_id ksz8795_spi_ids[] = {
+ { "ksz8765" },
+ { "ksz8794" },
+ { "ksz8795" },
+ { "ksz8863" },
+ { "ksz8873" },
+ { },
+};
+MODULE_DEVICE_TABLE(spi, ksz8795_spi_ids);
+
static struct spi_driver ksz8795_spi_driver = {
.driver = {
.name = "ksz8795-switch",
.owner = THIS_MODULE,
.of_match_table = of_match_ptr(ksz8795_dt_ids),
},
+ .id_table = ksz8795_spi_ids,
.probe = ksz8795_spi_probe,
.remove = ksz8795_spi_remove,
.shutdown = ksz8795_spi_shutdown,
diff --git a/drivers/net/dsa/microchip/ksz9477_spi.c b/drivers/net/dsa/microchip/ksz9477_spi.c
index 1142768969c2..9bda83d063e8 100644
--- a/drivers/net/dsa/microchip/ksz9477_spi.c
+++ b/drivers/net/dsa/microchip/ksz9477_spi.c
@@ -88,12 +88,24 @@ static const struct of_device_id ksz9477_dt_ids[] = {
};
MODULE_DEVICE_TABLE(of, ksz9477_dt_ids);
+static const struct spi_device_id ksz9477_spi_ids[] = {
+ { "ksz9477" },
+ { "ksz9897" },
+ { "ksz9893" },
+ { "ksz9563" },
+ { "ksz8563" },
+ { "ksz9567" },
+ { },
+};
+MODULE_DEVICE_TABLE(spi, ksz9477_spi_ids);
+
static struct spi_driver ksz9477_spi_driver = {
.driver = {
.name = "ksz9477-switch",
.owner = THIS_MODULE,
.of_match_table = of_match_ptr(ksz9477_dt_ids),
},
+ .id_table = ksz9477_spi_ids,
.probe = ksz9477_spi_probe,
.remove = ksz9477_spi_remove,
.shutdown = ksz9477_spi_shutdown,
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 021/599] locking/lockdep: Avoid potential access of invalid memory in lock_class
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 020/599] net: dsa: microchip: add spi_device_id tables Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 022/599] iommu/iova: Improve 32-bit free space estimate Greg Kroah-Hartman
` (590 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tetsuo Handa, Waiman Long,
Peter Zijlstra (Intel),
Bart Van Assche, Cheng-Jui Wang
From: Waiman Long <longman@redhat.com>
commit 61cc4534b6550997c97a03759ab46b29d44c0017 upstream.
It was found that reading /proc/lockdep after a lockdep splat may
potentially cause an access to freed memory if lockdep_unregister_key()
is called after the splat but before access to /proc/lockdep [1]. This
is due to the fact that graph_lock() call in lockdep_unregister_key()
fails after the clearing of debug_locks by the splat process.
After lockdep_unregister_key() is called, the lock_name may be freed
but the corresponding lock_class structure still have a reference to
it. That invalid memory pointer will then be accessed when /proc/lockdep
is read by a user and a use-after-free (UAF) error will be reported if
KASAN is enabled.
To fix this problem, lockdep_unregister_key() is now modified to always
search for a matching key irrespective of the debug_locks state and
zap the corresponding lock class if a matching one is found.
[1] https://lore.kernel.org/lkml/77f05c15-81b6-bddd-9650-80d5f23fe330@i-love.sakura.ne.jp/
Fixes: 8b39adbee805 ("locking/lockdep: Make lockdep_unregister_key() honor 'debug_locks' again")
Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Cc: Cheng-Jui Wang <cheng-jui.wang@mediatek.com>
Link: https://lkml.kernel.org/r/20220103023558.1377055-1-longman@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/locking/lockdep.c | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -6209,7 +6209,13 @@ void lockdep_reset_lock(struct lockdep_m
lockdep_reset_lock_reg(lock);
}
-/* Unregister a dynamically allocated key. */
+/*
+ * Unregister a dynamically allocated key.
+ *
+ * Unlike lockdep_register_key(), a search is always done to find a matching
+ * key irrespective of debug_locks to avoid potential invalid access to freed
+ * memory in lock_class entry.
+ */
void lockdep_unregister_key(struct lock_class_key *key)
{
struct hlist_head *hash_head = keyhashentry(key);
@@ -6224,10 +6230,8 @@ void lockdep_unregister_key(struct lock_
return;
raw_local_irq_save(flags);
- if (!graph_lock())
- goto out_irq;
+ lockdep_lock();
- pf = get_pending_free();
hlist_for_each_entry_rcu(k, hash_head, hash_entry) {
if (k == key) {
hlist_del_rcu(&k->hash_entry);
@@ -6235,11 +6239,13 @@ void lockdep_unregister_key(struct lock_
break;
}
}
- WARN_ON_ONCE(!found);
- __lockdep_free_key_range(pf, key, 1);
- call_rcu_zapped(pf);
- graph_unlock();
-out_irq:
+ WARN_ON_ONCE(!found && debug_locks);
+ if (found) {
+ pf = get_pending_free();
+ __lockdep_free_key_range(pf, key, 1);
+ call_rcu_zapped(pf);
+ }
+ lockdep_unlock();
raw_local_irq_restore(flags);
/* Wait until is_dynamic_key() has finished accessing k->hash_entry. */
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 022/599] iommu/iova: Improve 32-bit free space estimate
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 021/599] locking/lockdep: Avoid potential access of invalid memory in lock_class Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 023/599] tpm: fix reference counting for struct tpm_chip Greg Kroah-Hartman
` (589 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Yunfei Wang, Robin Murphy,
Miles Chen, Joerg Roedel
From: Robin Murphy <robin.murphy@arm.com>
commit 5b61343b50590fb04a3f6be2cdc4868091757262 upstream.
For various reasons based on the allocator behaviour and typical
use-cases at the time, when the max32_alloc_size optimisation was
introduced it seemed reasonable to couple the reset of the tracked
size to the update of cached32_node upon freeing a relevant IOVA.
However, since subsequent optimisations focused on helping genuine
32-bit devices make best use of even more limited address spaces, it
is now a lot more likely for cached32_node to be anywhere in a "full"
32-bit address space, and as such more likely for space to become
available from IOVAs below that node being freed.
At this point, the short-cut in __cached_rbnode_delete_update() really
doesn't hold up any more, and we need to fix the logic to reliably
provide the expected behaviour. We still want cached32_node to only move
upwards, but we should reset the allocation size if *any* 32-bit space
has become available.
Reported-by: Yunfei Wang <yf.wang@mediatek.com>
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Miles Chen <miles.chen@mediatek.com>
Link: https://lore.kernel.org/r/033815732d83ca73b13c11485ac39336f15c3b40.1646318408.git.robin.murphy@arm.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Cc: Miles Chen <miles.chen@mediatek.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iova.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/iommu/iova.c
+++ b/drivers/iommu/iova.c
@@ -138,10 +138,11 @@ __cached_rbnode_delete_update(struct iov
cached_iova = rb_entry(iovad->cached32_node, struct iova, node);
if (free == cached_iova ||
(free->pfn_hi < iovad->dma_32bit_pfn &&
- free->pfn_lo >= cached_iova->pfn_lo)) {
+ free->pfn_lo >= cached_iova->pfn_lo))
iovad->cached32_node = rb_next(&free->node);
+
+ if (free->pfn_lo < iovad->dma_32bit_pfn)
iovad->max32_alloc_size = iovad->dma_32bit_pfn;
- }
cached_iova = rb_entry(iovad->cached_node, struct iova, node);
if (free->pfn_lo >= cached_iova->pfn_lo)
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 023/599] tpm: fix reference counting for struct tpm_chip
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 022/599] iommu/iova: Improve 32-bit free space estimate Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 024/599] virtio-blk: Use blk_validate_block_size() to validate block size Greg Kroah-Hartman
` (588 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jason Gunthorpe, Lino Sanfilippo,
Stefan Berger, Jason Gunthorpe, Jarkko Sakkinen
From: Lino Sanfilippo <LinoSanfilippo@gmx.de>
commit 7e0438f83dc769465ee663bb5dcf8cc154940712 upstream.
The following sequence of operations results in a refcount warning:
1. Open device /dev/tpmrm.
2. Remove module tpm_tis_spi.
3. Write a TPM command to the file descriptor opened at step 1.
------------[ cut here ]------------
WARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4
refcount_t: addition on 0; use-after-free.
Modules linked in: tpm_tis_spi tpm_tis_core tpm mdio_bcm_unimac brcmfmac
sha256_generic libsha256 sha256_arm hci_uart btbcm bluetooth cfg80211 vc4
brcmutil ecdh_generic ecc snd_soc_core crc32_arm_ce libaes
raspberrypi_hwmon ac97_bus snd_pcm_dmaengine bcm2711_thermal snd_pcm
snd_timer genet snd phy_generic soundcore [last unloaded: spi_bcm2835]
CPU: 3 PID: 1161 Comm: hold_open Not tainted 5.10.0ls-main-dirty #2
Hardware name: BCM2711
[<c0410c3c>] (unwind_backtrace) from [<c040b580>] (show_stack+0x10/0x14)
[<c040b580>] (show_stack) from [<c1092174>] (dump_stack+0xc4/0xd8)
[<c1092174>] (dump_stack) from [<c0445a30>] (__warn+0x104/0x108)
[<c0445a30>] (__warn) from [<c0445aa8>] (warn_slowpath_fmt+0x74/0xb8)
[<c0445aa8>] (warn_slowpath_fmt) from [<c08435d0>] (kobject_get+0xa0/0xa4)
[<c08435d0>] (kobject_get) from [<bf0a715c>] (tpm_try_get_ops+0x14/0x54 [tpm])
[<bf0a715c>] (tpm_try_get_ops [tpm]) from [<bf0a7d6c>] (tpm_common_write+0x38/0x60 [tpm])
[<bf0a7d6c>] (tpm_common_write [tpm]) from [<c05a7ac0>] (vfs_write+0xc4/0x3c0)
[<c05a7ac0>] (vfs_write) from [<c05a7ee4>] (ksys_write+0x58/0xcc)
[<c05a7ee4>] (ksys_write) from [<c04001a0>] (ret_fast_syscall+0x0/0x4c)
Exception stack(0xc226bfa8 to 0xc226bff0)
bfa0: 00000000 000105b4 00000003 beafe664 00000014 00000000
bfc0: 00000000 000105b4 000103f8 00000004 00000000 00000000 b6f9c000 beafe684
bfe0: 0000006c beafe648 0001056c b6eb6944
---[ end trace d4b8409def9b8b1f ]---
The reason for this warning is the attempt to get the chip->dev reference
in tpm_common_write() although the reference counter is already zero.
Since commit 8979b02aaf1d ("tpm: Fix reference count to main device") the
extra reference used to prevent a premature zero counter is never taken,
because the required TPM_CHIP_FLAG_TPM2 flag is never set.
Fix this by moving the TPM 2 character device handling from
tpm_chip_alloc() to tpm_add_char_device() which is called at a later point
in time when the flag has been set in case of TPM2.
Commit fdc915f7f719 ("tpm: expose spaces via a device link /dev/tpmrm<n>")
already introduced function tpm_devs_release() to release the extra
reference but did not implement the required put on chip->devs that results
in the call of this function.
Fix this by putting chip->devs in tpm_chip_unregister().
Finally move the new implementation for the TPM 2 handling into a new
function to avoid multiple checks for the TPM_CHIP_FLAG_TPM2 flag in the
good case and error cases.
Cc: stable@vger.kernel.org
Fixes: fdc915f7f719 ("tpm: expose spaces via a device link /dev/tpmrm<n>")
Fixes: 8979b02aaf1d ("tpm: Fix reference count to main device")
Co-developed-by: Jason Gunthorpe <jgg@ziepe.ca>
Signed-off-by: Jason Gunthorpe <jgg@ziepe.ca>
Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/tpm/tpm-chip.c | 46 +++++------------------------
drivers/char/tpm/tpm.h | 2 +
drivers/char/tpm/tpm2-space.c | 65 ++++++++++++++++++++++++++++++++++++++++++
3 files changed, 75 insertions(+), 38 deletions(-)
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -274,14 +274,6 @@ static void tpm_dev_release(struct devic
kfree(chip);
}
-static void tpm_devs_release(struct device *dev)
-{
- struct tpm_chip *chip = container_of(dev, struct tpm_chip, devs);
-
- /* release the master device reference */
- put_device(&chip->dev);
-}
-
/**
* tpm_class_shutdown() - prepare the TPM device for loss of power.
* @dev: device to which the chip is associated.
@@ -344,7 +336,6 @@ struct tpm_chip *tpm_chip_alloc(struct d
chip->dev_num = rc;
device_initialize(&chip->dev);
- device_initialize(&chip->devs);
chip->dev.class = tpm_class;
chip->dev.class->shutdown_pre = tpm_class_shutdown;
@@ -352,39 +343,20 @@ struct tpm_chip *tpm_chip_alloc(struct d
chip->dev.parent = pdev;
chip->dev.groups = chip->groups;
- chip->devs.parent = pdev;
- chip->devs.class = tpmrm_class;
- chip->devs.release = tpm_devs_release;
- /* get extra reference on main device to hold on
- * behalf of devs. This holds the chip structure
- * while cdevs is in use. The corresponding put
- * is in the tpm_devs_release (TPM2 only)
- */
- if (chip->flags & TPM_CHIP_FLAG_TPM2)
- get_device(&chip->dev);
-
if (chip->dev_num == 0)
chip->dev.devt = MKDEV(MISC_MAJOR, TPM_MINOR);
else
chip->dev.devt = MKDEV(MAJOR(tpm_devt), chip->dev_num);
- chip->devs.devt =
- MKDEV(MAJOR(tpm_devt), chip->dev_num + TPM_NUM_DEVICES);
-
rc = dev_set_name(&chip->dev, "tpm%d", chip->dev_num);
if (rc)
goto out;
- rc = dev_set_name(&chip->devs, "tpmrm%d", chip->dev_num);
- if (rc)
- goto out;
if (!pdev)
chip->flags |= TPM_CHIP_FLAG_VIRTUAL;
cdev_init(&chip->cdev, &tpm_fops);
- cdev_init(&chip->cdevs, &tpmrm_fops);
chip->cdev.owner = THIS_MODULE;
- chip->cdevs.owner = THIS_MODULE;
rc = tpm2_init_space(&chip->work_space, TPM2_SPACE_BUFFER_SIZE);
if (rc) {
@@ -396,7 +368,6 @@ struct tpm_chip *tpm_chip_alloc(struct d
return chip;
out:
- put_device(&chip->devs);
put_device(&chip->dev);
return ERR_PTR(rc);
}
@@ -445,14 +416,9 @@ static int tpm_add_char_device(struct tp
}
if (chip->flags & TPM_CHIP_FLAG_TPM2) {
- rc = cdev_device_add(&chip->cdevs, &chip->devs);
- if (rc) {
- dev_err(&chip->devs,
- "unable to cdev_device_add() %s, major %d, minor %d, err=%d\n",
- dev_name(&chip->devs), MAJOR(chip->devs.devt),
- MINOR(chip->devs.devt), rc);
- return rc;
- }
+ rc = tpm_devs_add(chip);
+ if (rc)
+ goto err_del_cdev;
}
/* Make the chip available. */
@@ -460,6 +426,10 @@ static int tpm_add_char_device(struct tp
idr_replace(&dev_nums_idr, chip, chip->dev_num);
mutex_unlock(&idr_lock);
+ return 0;
+
+err_del_cdev:
+ cdev_device_del(&chip->cdev, &chip->dev);
return rc;
}
@@ -641,7 +611,7 @@ void tpm_chip_unregister(struct tpm_chip
hwrng_unregister(&chip->hwrng);
tpm_bios_log_teardown(chip);
if (chip->flags & TPM_CHIP_FLAG_TPM2)
- cdev_device_del(&chip->cdevs, &chip->devs);
+ tpm_devs_remove(chip);
tpm_del_char_device(chip);
}
EXPORT_SYMBOL_GPL(tpm_chip_unregister);
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -234,6 +234,8 @@ int tpm2_prepare_space(struct tpm_chip *
size_t cmdsiz);
int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space, void *buf,
size_t *bufsiz);
+int tpm_devs_add(struct tpm_chip *chip);
+void tpm_devs_remove(struct tpm_chip *chip);
void tpm_bios_log_setup(struct tpm_chip *chip);
void tpm_bios_log_teardown(struct tpm_chip *chip);
--- a/drivers/char/tpm/tpm2-space.c
+++ b/drivers/char/tpm/tpm2-space.c
@@ -574,3 +574,68 @@ out:
dev_err(&chip->dev, "%s: error %d\n", __func__, rc);
return rc;
}
+
+/*
+ * Put the reference to the main device.
+ */
+static void tpm_devs_release(struct device *dev)
+{
+ struct tpm_chip *chip = container_of(dev, struct tpm_chip, devs);
+
+ /* release the master device reference */
+ put_device(&chip->dev);
+}
+
+/*
+ * Remove the device file for exposed TPM spaces and release the device
+ * reference. This may also release the reference to the master device.
+ */
+void tpm_devs_remove(struct tpm_chip *chip)
+{
+ cdev_device_del(&chip->cdevs, &chip->devs);
+ put_device(&chip->devs);
+}
+
+/*
+ * Add a device file to expose TPM spaces. Also take a reference to the
+ * main device.
+ */
+int tpm_devs_add(struct tpm_chip *chip)
+{
+ int rc;
+
+ device_initialize(&chip->devs);
+ chip->devs.parent = chip->dev.parent;
+ chip->devs.class = tpmrm_class;
+
+ /*
+ * Get extra reference on main device to hold on behalf of devs.
+ * This holds the chip structure while cdevs is in use. The
+ * corresponding put is in the tpm_devs_release.
+ */
+ get_device(&chip->dev);
+ chip->devs.release = tpm_devs_release;
+ chip->devs.devt = MKDEV(MAJOR(tpm_devt), chip->dev_num + TPM_NUM_DEVICES);
+ cdev_init(&chip->cdevs, &tpmrm_fops);
+ chip->cdevs.owner = THIS_MODULE;
+
+ rc = dev_set_name(&chip->devs, "tpmrm%d", chip->dev_num);
+ if (rc)
+ goto err_put_devs;
+
+ rc = cdev_device_add(&chip->cdevs, &chip->devs);
+ if (rc) {
+ dev_err(&chip->devs,
+ "unable to cdev_device_add() %s, major %d, minor %d, err=%d\n",
+ dev_name(&chip->devs), MAJOR(chip->devs.devt),
+ MINOR(chip->devs.devt), rc);
+ goto err_put_devs;
+ }
+
+ return 0;
+
+err_put_devs:
+ put_device(&chip->devs);
+
+ return rc;
+}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 024/599] virtio-blk: Use blk_validate_block_size() to validate block size
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 023/599] tpm: fix reference counting for struct tpm_chip Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 025/599] USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c Greg Kroah-Hartman
` (587 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Xie Yongji, Michael S. Tsirkin,
Jens Axboe, Lee Jones
From: Xie Yongji <xieyongji@bytedance.com>
commit 57a13a5b8157d9a8606490aaa1b805bafe6c37e1 upstream.
The block layer can't support a block size larger than
page size yet. And a block size that's too small or
not a power of two won't work either. If a misconfigured
device presents an invalid block size in configuration space,
it will result in the kernel crash something like below:
[ 506.154324] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 506.160416] RIP: 0010:create_empty_buffers+0x24/0x100
[ 506.174302] Call Trace:
[ 506.174651] create_page_buffers+0x4d/0x60
[ 506.175207] block_read_full_page+0x50/0x380
[ 506.175798] ? __mod_lruvec_page_state+0x60/0xa0
[ 506.176412] ? __add_to_page_cache_locked+0x1b2/0x390
[ 506.177085] ? blkdev_direct_IO+0x4a0/0x4a0
[ 506.177644] ? scan_shadow_nodes+0x30/0x30
[ 506.178206] ? lru_cache_add+0x42/0x60
[ 506.178716] do_read_cache_page+0x695/0x740
[ 506.179278] ? read_part_sector+0xe0/0xe0
[ 506.179821] read_part_sector+0x36/0xe0
[ 506.180337] adfspart_check_ICS+0x32/0x320
[ 506.180890] ? snprintf+0x45/0x70
[ 506.181350] ? read_part_sector+0xe0/0xe0
[ 506.181906] bdev_disk_changed+0x229/0x5c0
[ 506.182483] blkdev_get_whole+0x6d/0x90
[ 506.183013] blkdev_get_by_dev+0x122/0x2d0
[ 506.183562] device_add_disk+0x39e/0x3c0
[ 506.184472] virtblk_probe+0x3f8/0x79b [virtio_blk]
[ 506.185461] virtio_dev_probe+0x15e/0x1d0 [virtio]
So let's use a block layer helper to validate the block size.
Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Link: https://lore.kernel.org/r/20211026144015.188-5-xieyongji@bytedance.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/virtio_blk.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/drivers/block/virtio_blk.c
+++ b/drivers/block/virtio_blk.c
@@ -825,9 +825,17 @@ static int virtblk_probe(struct virtio_d
err = virtio_cread_feature(vdev, VIRTIO_BLK_F_BLK_SIZE,
struct virtio_blk_config, blk_size,
&blk_size);
- if (!err)
+ if (!err) {
+ err = blk_validate_block_size(blk_size);
+ if (err) {
+ dev_err(&vdev->dev,
+ "virtio_blk: invalid block size: 0x%x\n",
+ blk_size);
+ goto out_free_tags;
+ }
+
blk_queue_logical_block_size(q, blk_size);
- else
+ } else
blk_size = queue_logical_block_size(q);
/* Use topology information if available */
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 025/599] USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 024/599] virtio-blk: Use blk_validate_block_size() to validate block size Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 026/599] xhci: fix garbage USBSTS being logged in some cases Greg Kroah-Hartman
` (586 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern
From: Alan Stern <stern@rowland.harvard.edu>
commit 1892bf90677abcad7f06e897e308f5c3e3618dd4 upstream.
The kernel test robot found a problem with the ene_ub6250 subdriver in
usb-storage: It uses structures containing bitfields to represent
hardware bits in its SD_STATUS, MS_STATUS, and SM_STATUS bytes. This
is not safe; it presumes a particular bit ordering and it assumes the
compiler will not insert padding, neither of which is guaranteed.
This patch fixes the problem by changing the structures to simple u8
values, with the bitfields replaced by bitmask constants.
CC: <stable@vger.kernel.org>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/YjOcbuU106UpJ/V8@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/ene_ub6250.c | 153 +++++++++++++++++++--------------------
1 file changed, 75 insertions(+), 78 deletions(-)
--- a/drivers/usb/storage/ene_ub6250.c
+++ b/drivers/usb/storage/ene_ub6250.c
@@ -237,36 +237,33 @@ static struct us_unusual_dev ene_ub6250_
#define memstick_logaddr(logadr1, logadr0) ((((u16)(logadr1)) << 8) | (logadr0))
-struct SD_STATUS {
- u8 Insert:1;
- u8 Ready:1;
- u8 MediaChange:1;
- u8 IsMMC:1;
- u8 HiCapacity:1;
- u8 HiSpeed:1;
- u8 WtP:1;
- u8 Reserved:1;
-};
-
-struct MS_STATUS {
- u8 Insert:1;
- u8 Ready:1;
- u8 MediaChange:1;
- u8 IsMSPro:1;
- u8 IsMSPHG:1;
- u8 Reserved1:1;
- u8 WtP:1;
- u8 Reserved2:1;
-};
-
-struct SM_STATUS {
- u8 Insert:1;
- u8 Ready:1;
- u8 MediaChange:1;
- u8 Reserved:3;
- u8 WtP:1;
- u8 IsMS:1;
-};
+/* SD_STATUS bits */
+#define SD_Insert BIT(0)
+#define SD_Ready BIT(1)
+#define SD_MediaChange BIT(2)
+#define SD_IsMMC BIT(3)
+#define SD_HiCapacity BIT(4)
+#define SD_HiSpeed BIT(5)
+#define SD_WtP BIT(6)
+ /* Bit 7 reserved */
+
+/* MS_STATUS bits */
+#define MS_Insert BIT(0)
+#define MS_Ready BIT(1)
+#define MS_MediaChange BIT(2)
+#define MS_IsMSPro BIT(3)
+#define MS_IsMSPHG BIT(4)
+ /* Bit 5 reserved */
+#define MS_WtP BIT(6)
+ /* Bit 7 reserved */
+
+/* SM_STATUS bits */
+#define SM_Insert BIT(0)
+#define SM_Ready BIT(1)
+#define SM_MediaChange BIT(2)
+ /* Bits 3-5 reserved */
+#define SM_WtP BIT(6)
+#define SM_IsMS BIT(7)
struct ms_bootblock_cis {
u8 bCistplDEVICE[6]; /* 0 */
@@ -437,9 +434,9 @@ struct ene_ub6250_info {
u8 *bbuf;
/* for 6250 code */
- struct SD_STATUS SD_Status;
- struct MS_STATUS MS_Status;
- struct SM_STATUS SM_Status;
+ u8 SD_Status;
+ u8 MS_Status;
+ u8 SM_Status;
/* ----- SD Control Data ---------------- */
/*SD_REGISTER SD_Regs; */
@@ -602,7 +599,7 @@ static int sd_scsi_test_unit_ready(struc
{
struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
- if (info->SD_Status.Insert && info->SD_Status.Ready)
+ if ((info->SD_Status & SD_Insert) && (info->SD_Status & SD_Ready))
return USB_STOR_TRANSPORT_GOOD;
else {
ene_sd_init(us);
@@ -622,7 +619,7 @@ static int sd_scsi_mode_sense(struct us_
0x0b, 0x00, 0x80, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
- if (info->SD_Status.WtP)
+ if (info->SD_Status & SD_WtP)
usb_stor_set_xfer_buf(mediaWP, 12, srb);
else
usb_stor_set_xfer_buf(mediaNoWP, 12, srb);
@@ -641,9 +638,9 @@ static int sd_scsi_read_capacity(struct
struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
usb_stor_dbg(us, "sd_scsi_read_capacity\n");
- if (info->SD_Status.HiCapacity) {
+ if (info->SD_Status & SD_HiCapacity) {
bl_len = 0x200;
- if (info->SD_Status.IsMMC)
+ if (info->SD_Status & SD_IsMMC)
bl_num = info->HC_C_SIZE-1;
else
bl_num = (info->HC_C_SIZE + 1) * 1024 - 1;
@@ -693,7 +690,7 @@ static int sd_scsi_read(struct us_data *
return USB_STOR_TRANSPORT_ERROR;
}
- if (info->SD_Status.HiCapacity)
+ if (info->SD_Status & SD_HiCapacity)
bnByte = bn;
/* set up the command wrapper */
@@ -733,7 +730,7 @@ static int sd_scsi_write(struct us_data
return USB_STOR_TRANSPORT_ERROR;
}
- if (info->SD_Status.HiCapacity)
+ if (info->SD_Status & SD_HiCapacity)
bnByte = bn;
/* set up the command wrapper */
@@ -1455,7 +1452,7 @@ static int ms_scsi_test_unit_ready(struc
struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra);
/* pr_info("MS_SCSI_Test_Unit_Ready\n"); */
- if (info->MS_Status.Insert && info->MS_Status.Ready) {
+ if ((info->MS_Status & MS_Insert) && (info->MS_Status & MS_Ready)) {
return USB_STOR_TRANSPORT_GOOD;
} else {
ene_ms_init(us);
@@ -1475,7 +1472,7 @@ static int ms_scsi_mode_sense(struct us_
0x0b, 0x00, 0x80, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
- if (info->MS_Status.WtP)
+ if (info->MS_Status & MS_WtP)
usb_stor_set_xfer_buf(mediaWP, 12, srb);
else
usb_stor_set_xfer_buf(mediaNoWP, 12, srb);
@@ -1494,7 +1491,7 @@ static int ms_scsi_read_capacity(struct
usb_stor_dbg(us, "ms_scsi_read_capacity\n");
bl_len = 0x200;
- if (info->MS_Status.IsMSPro)
+ if (info->MS_Status & MS_IsMSPro)
bl_num = info->MSP_TotalBlock - 1;
else
bl_num = info->MS_Lib.NumberOfLogBlock * info->MS_Lib.blockSize * 2 - 1;
@@ -1649,7 +1646,7 @@ static int ms_scsi_read(struct us_data *
if (bn > info->bl_num)
return USB_STOR_TRANSPORT_ERROR;
- if (info->MS_Status.IsMSPro) {
+ if (info->MS_Status & MS_IsMSPro) {
result = ene_load_bincode(us, MSP_RW_PATTERN);
if (result != USB_STOR_XFER_GOOD) {
usb_stor_dbg(us, "Load MPS RW pattern Fail !!\n");
@@ -1750,7 +1747,7 @@ static int ms_scsi_write(struct us_data
if (bn > info->bl_num)
return USB_STOR_TRANSPORT_ERROR;
- if (info->MS_Status.IsMSPro) {
+ if (info->MS_Status & MS_IsMSPro) {
result = ene_load_bincode(us, MSP_RW_PATTERN);
if (result != USB_STOR_XFER_GOOD) {
pr_info("Load MSP RW pattern Fail !!\n");
@@ -1858,12 +1855,12 @@ static int ene_get_card_status(struct us
tmpreg = (u16) reg4b;
reg4b = *(u32 *)(&buf[0x14]);
- if (info->SD_Status.HiCapacity && !info->SD_Status.IsMMC)
+ if ((info->SD_Status & SD_HiCapacity) && !(info->SD_Status & SD_IsMMC))
info->HC_C_SIZE = (reg4b >> 8) & 0x3fffff;
info->SD_C_SIZE = ((tmpreg & 0x03) << 10) | (u16)(reg4b >> 22);
info->SD_C_SIZE_MULT = (u8)(reg4b >> 7) & 0x07;
- if (info->SD_Status.HiCapacity && info->SD_Status.IsMMC)
+ if ((info->SD_Status & SD_HiCapacity) && (info->SD_Status & SD_IsMMC))
info->HC_C_SIZE = *(u32 *)(&buf[0x100]);
if (info->SD_READ_BL_LEN > SD_BLOCK_LEN) {
@@ -2075,6 +2072,7 @@ static int ene_ms_init(struct us_data *u
u16 MSP_BlockSize, MSP_UserAreaBlocks;
struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
u8 *bbuf = info->bbuf;
+ unsigned int s;
printk(KERN_INFO "transport --- ENE_MSInit\n");
@@ -2099,15 +2097,16 @@ static int ene_ms_init(struct us_data *u
return USB_STOR_TRANSPORT_ERROR;
}
/* the same part to test ENE */
- info->MS_Status = *(struct MS_STATUS *) bbuf;
+ info->MS_Status = bbuf[0];
- if (info->MS_Status.Insert && info->MS_Status.Ready) {
- printk(KERN_INFO "Insert = %x\n", info->MS_Status.Insert);
- printk(KERN_INFO "Ready = %x\n", info->MS_Status.Ready);
- printk(KERN_INFO "IsMSPro = %x\n", info->MS_Status.IsMSPro);
- printk(KERN_INFO "IsMSPHG = %x\n", info->MS_Status.IsMSPHG);
- printk(KERN_INFO "WtP= %x\n", info->MS_Status.WtP);
- if (info->MS_Status.IsMSPro) {
+ s = info->MS_Status;
+ if ((s & MS_Insert) && (s & MS_Ready)) {
+ printk(KERN_INFO "Insert = %x\n", !!(s & MS_Insert));
+ printk(KERN_INFO "Ready = %x\n", !!(s & MS_Ready));
+ printk(KERN_INFO "IsMSPro = %x\n", !!(s & MS_IsMSPro));
+ printk(KERN_INFO "IsMSPHG = %x\n", !!(s & MS_IsMSPHG));
+ printk(KERN_INFO "WtP= %x\n", !!(s & MS_WtP));
+ if (s & MS_IsMSPro) {
MSP_BlockSize = (bbuf[6] << 8) | bbuf[7];
MSP_UserAreaBlocks = (bbuf[10] << 8) | bbuf[11];
info->MSP_TotalBlock = MSP_BlockSize * MSP_UserAreaBlocks;
@@ -2168,17 +2167,17 @@ static int ene_sd_init(struct us_data *u
return USB_STOR_TRANSPORT_ERROR;
}
- info->SD_Status = *(struct SD_STATUS *) bbuf;
- if (info->SD_Status.Insert && info->SD_Status.Ready) {
- struct SD_STATUS *s = &info->SD_Status;
+ info->SD_Status = bbuf[0];
+ if ((info->SD_Status & SD_Insert) && (info->SD_Status & SD_Ready)) {
+ unsigned int s = info->SD_Status;
ene_get_card_status(us, bbuf);
- usb_stor_dbg(us, "Insert = %x\n", s->Insert);
- usb_stor_dbg(us, "Ready = %x\n", s->Ready);
- usb_stor_dbg(us, "IsMMC = %x\n", s->IsMMC);
- usb_stor_dbg(us, "HiCapacity = %x\n", s->HiCapacity);
- usb_stor_dbg(us, "HiSpeed = %x\n", s->HiSpeed);
- usb_stor_dbg(us, "WtP = %x\n", s->WtP);
+ usb_stor_dbg(us, "Insert = %x\n", !!(s & SD_Insert));
+ usb_stor_dbg(us, "Ready = %x\n", !!(s & SD_Ready));
+ usb_stor_dbg(us, "IsMMC = %x\n", !!(s & SD_IsMMC));
+ usb_stor_dbg(us, "HiCapacity = %x\n", !!(s & SD_HiCapacity));
+ usb_stor_dbg(us, "HiSpeed = %x\n", !!(s & SD_HiSpeed));
+ usb_stor_dbg(us, "WtP = %x\n", !!(s & SD_WtP));
} else {
usb_stor_dbg(us, "SD Card Not Ready --- %x\n", bbuf[0]);
return USB_STOR_TRANSPORT_ERROR;
@@ -2200,14 +2199,14 @@ static int ene_init(struct us_data *us)
misc_reg03 = bbuf[0];
if (misc_reg03 & 0x01) {
- if (!info->SD_Status.Ready) {
+ if (!(info->SD_Status & SD_Ready)) {
result = ene_sd_init(us);
if (result != USB_STOR_XFER_GOOD)
return USB_STOR_TRANSPORT_ERROR;
}
}
if (misc_reg03 & 0x02) {
- if (!info->MS_Status.Ready) {
+ if (!(info->MS_Status & MS_Ready)) {
result = ene_ms_init(us);
if (result != USB_STOR_XFER_GOOD)
return USB_STOR_TRANSPORT_ERROR;
@@ -2306,14 +2305,14 @@ static int ene_transport(struct scsi_cmn
/*US_DEBUG(usb_stor_show_command(us, srb)); */
scsi_set_resid(srb, 0);
- if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready)))
+ if (unlikely(!(info->SD_Status & SD_Ready) || (info->MS_Status & MS_Ready)))
result = ene_init(us);
if (result == USB_STOR_XFER_GOOD) {
result = USB_STOR_TRANSPORT_ERROR;
- if (info->SD_Status.Ready)
+ if (info->SD_Status & SD_Ready)
result = sd_scsi_irp(us, srb);
- if (info->MS_Status.Ready)
+ if (info->MS_Status & MS_Ready)
result = ms_scsi_irp(us, srb);
}
return result;
@@ -2377,7 +2376,6 @@ static int ene_ub6250_probe(struct usb_i
static int ene_ub6250_resume(struct usb_interface *iface)
{
- u8 tmp = 0;
struct us_data *us = usb_get_intfdata(iface);
struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra);
@@ -2389,17 +2387,16 @@ static int ene_ub6250_resume(struct usb_
mutex_unlock(&us->dev_mutex);
info->Power_IsResum = true;
- /*info->SD_Status.Ready = 0; */
- info->SD_Status = *(struct SD_STATUS *)&tmp;
- info->MS_Status = *(struct MS_STATUS *)&tmp;
- info->SM_Status = *(struct SM_STATUS *)&tmp;
+ /* info->SD_Status &= ~SD_Ready; */
+ info->SD_Status = 0;
+ info->MS_Status = 0;
+ info->SM_Status = 0;
return 0;
}
static int ene_ub6250_reset_resume(struct usb_interface *iface)
{
- u8 tmp = 0;
struct us_data *us = usb_get_intfdata(iface);
struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra);
@@ -2411,10 +2408,10 @@ static int ene_ub6250_reset_resume(struc
* the device
*/
info->Power_IsResum = true;
- /*info->SD_Status.Ready = 0; */
- info->SD_Status = *(struct SD_STATUS *)&tmp;
- info->MS_Status = *(struct MS_STATUS *)&tmp;
- info->SM_Status = *(struct SM_STATUS *)&tmp;
+ /* info->SD_Status &= ~SD_Ready; */
+ info->SD_Status = 0;
+ info->MS_Status = 0;
+ info->SM_Status = 0;
return 0;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 026/599] xhci: fix garbage USBSTS being logged in some cases
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 025/599] USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 027/599] xhci: fix runtime PM imbalance in USB2 resume Greg Kroah-Hartman
` (585 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anssi Hannula, Mathias Nyman
From: Anssi Hannula <anssi.hannula@bitwise.fi>
commit 3105bc977d7cbf2edc35e24cc7e009686f6e4a56 upstream.
xhci_decode_usbsts() is expected to return a zero-terminated string by
its only caller, xhci_stop_endpoint_command_watchdog(), which directly
logs the return value:
xhci_warn(xhci, "USBSTS:%s\n", xhci_decode_usbsts(str, usbsts));
However, if no recognized bits are set in usbsts, the function will
return without having called any sprintf() and therefore return an
untouched non-zero-terminated caller-provided buffer, causing garbage
to be output to log.
Fix that by always including the raw value in the output.
Note that before commit 4843b4b5ec64 ("xhci: fix even more unsafe memory
usage in xhci tracing") the result effect in the failure case was different
as a static buffer was used here, but the code still worked incorrectly.
Fixes: 9c1aa36efdae ("xhci: Show host status when watchdog triggers and host is assumed dead.")
Cc: stable@vger.kernel.org
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20220303110903.1662404-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -2612,8 +2612,11 @@ static inline const char *xhci_decode_us
{
int ret = 0;
+ ret = sprintf(str, " 0x%08x", usbsts);
+
if (usbsts == ~(u32)0)
- return " 0xffffffff";
+ return str;
+
if (usbsts & STS_HALT)
ret += sprintf(str + ret, " HCHalted");
if (usbsts & STS_FATAL)
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 027/599] xhci: fix runtime PM imbalance in USB2 resume
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 026/599] xhci: fix garbage USBSTS being logged in some cases Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 028/599] xhci: make xhci_handshake timeout for xhci_reset() adjustable Greg Kroah-Hartman
` (584 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Henry Lin, Mathias Nyman
From: Henry Lin <henryl@nvidia.com>
commit 70c05e4cf63054cd755ca66c1819327b22cb085f upstream.
A race between system resume and device-initiated resume may result in
runtime PM imbalance on USB2 root hub. If a device-initiated resume
starts and system resume xhci_bus_resume() directs U0 before hub driver
sees the resuming device in RESUME state, device-initiated resume will
not be finished in xhci_handle_usb2_port_link_resume(). In this case,
usb_hcd_end_port_resume() call is missing.
This changes calls usb_hcd_end_port_resume() if resuming device reaches
U0 to keep runtime PM balance.
Fixes: a231ec41e6f6 ("xhci: refactor U0 link state handling in get_port_status")
Cc: stable@vger.kernel.org
Signed-off-by: Henry Lin <henryl@nvidia.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20220303110903.1662404-5-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-hub.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1002,6 +1002,9 @@ static void xhci_get_usb2_port_status(st
if (link_state == XDEV_U2)
*status |= USB_PORT_STAT_L1;
if (link_state == XDEV_U0) {
+ if (bus_state->resume_done[portnum])
+ usb_hcd_end_port_resume(&port->rhub->hcd->self,
+ portnum);
bus_state->resume_done[portnum] = 0;
clear_bit(portnum, &bus_state->resuming_ports);
if (bus_state->suspended_ports & (1 << portnum)) {
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 028/599] xhci: make xhci_handshake timeout for xhci_reset() adjustable
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 027/599] xhci: fix runtime PM imbalance in USB2 resume Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 029/599] xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx() Greg Kroah-Hartman
` (583 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sergey Shtylyov, Pavan Kondeti,
Mathias Nyman
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit 14073ce951b5919da450022c050772902f24f054 upstream.
xhci_reset() timeout was increased from 250ms to 10 seconds in order to
give Renesas 720201 xHC enough time to get ready in probe.
xhci_reset() is called with interrupts disabled in other places, and
waiting for 10 seconds there is not acceptable.
Add a timeout parameter to xhci_reset(), and adjust it back to 250ms
when called from xhci_stop() or xhci_shutdown() where interrupts are
disabled, and successful reset isn't that critical.
This solves issues when deactivating host mode on platforms like SM8450.
For now don't change the timeout if xHC is reset in xhci_resume().
No issues are reported for it, and we need the reset to succeed.
Locking around that reset needs to be revisited later.
Additionally change the signed integer timeout parameter in
xhci_handshake() to a u64 to match the timeout value we pass to
readl_poll_timeout_atomic()
Fixes: 22ceac191211 ("xhci: Increase reset timeout for Renesas 720201 host.")
Cc: stable@vger.kernel.org
Reported-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Reported-by: Pavan Kondeti <quic_pkondeti@quicinc.com>
Tested-by: Pavan Kondeti <quic_pkondeti@quicinc.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20220303110903.1662404-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-hub.c | 2 +-
drivers/usb/host/xhci-mem.c | 2 +-
drivers/usb/host/xhci.c | 20 +++++++++-----------
drivers/usb/host/xhci.h | 7 +++++--
4 files changed, 16 insertions(+), 15 deletions(-)
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -676,7 +676,7 @@ static int xhci_exit_test_mode(struct xh
}
pm_runtime_allow(xhci_to_hcd(xhci)->self.controller);
xhci->test_mode = 0;
- return xhci_reset(xhci);
+ return xhci_reset(xhci, XHCI_RESET_SHORT_USEC);
}
void xhci_set_link_state(struct xhci_hcd *xhci, struct xhci_port *port,
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -2595,7 +2595,7 @@ int xhci_mem_init(struct xhci_hcd *xhci,
fail:
xhci_halt(xhci);
- xhci_reset(xhci);
+ xhci_reset(xhci, XHCI_RESET_SHORT_USEC);
xhci_mem_cleanup(xhci);
return -ENOMEM;
}
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -66,7 +66,7 @@ static bool td_on_ring(struct xhci_td *t
* handshake done). There are two failure modes: "usec" have passed (major
* hardware flakeout), or the register reads as all-ones (hardware removed).
*/
-int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, int usec)
+int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, u64 timeout_us)
{
u32 result;
int ret;
@@ -74,7 +74,7 @@ int xhci_handshake(void __iomem *ptr, u3
ret = readl_poll_timeout_atomic(ptr, result,
(result & mask) == done ||
result == U32_MAX,
- 1, usec);
+ 1, timeout_us);
if (result == U32_MAX) /* card removed */
return -ENODEV;
@@ -163,7 +163,7 @@ int xhci_start(struct xhci_hcd *xhci)
* Transactions will be terminated immediately, and operational registers
* will be set to their defaults.
*/
-int xhci_reset(struct xhci_hcd *xhci)
+int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us)
{
u32 command;
u32 state;
@@ -196,8 +196,7 @@ int xhci_reset(struct xhci_hcd *xhci)
if (xhci->quirks & XHCI_INTEL_HOST)
udelay(1000);
- ret = xhci_handshake(&xhci->op_regs->command,
- CMD_RESET, 0, 10 * 1000 * 1000);
+ ret = xhci_handshake(&xhci->op_regs->command, CMD_RESET, 0, timeout_us);
if (ret)
return ret;
@@ -210,8 +209,7 @@ int xhci_reset(struct xhci_hcd *xhci)
* xHCI cannot write to any doorbells or operational registers other
* than status until the "Controller Not Ready" flag is cleared.
*/
- ret = xhci_handshake(&xhci->op_regs->status,
- STS_CNR, 0, 10 * 1000 * 1000);
+ ret = xhci_handshake(&xhci->op_regs->status, STS_CNR, 0, timeout_us);
xhci->usb2_rhub.bus_state.port_c_suspend = 0;
xhci->usb2_rhub.bus_state.suspended_ports = 0;
@@ -732,7 +730,7 @@ static void xhci_stop(struct usb_hcd *hc
xhci->xhc_state |= XHCI_STATE_HALTED;
xhci->cmd_ring_state = CMD_RING_STATE_STOPPED;
xhci_halt(xhci);
- xhci_reset(xhci);
+ xhci_reset(xhci, XHCI_RESET_SHORT_USEC);
spin_unlock_irq(&xhci->lock);
xhci_cleanup_msix(xhci);
@@ -785,7 +783,7 @@ void xhci_shutdown(struct usb_hcd *hcd)
xhci_halt(xhci);
/* Workaround for spurious wakeups at shutdown with HSW */
if (xhci->quirks & XHCI_SPURIOUS_WAKEUP)
- xhci_reset(xhci);
+ xhci_reset(xhci, XHCI_RESET_SHORT_USEC);
spin_unlock_irq(&xhci->lock);
xhci_cleanup_msix(xhci);
@@ -1170,7 +1168,7 @@ int xhci_resume(struct xhci_hcd *xhci, b
xhci_dbg(xhci, "Stop HCD\n");
xhci_halt(xhci);
xhci_zero_64b_regs(xhci);
- retval = xhci_reset(xhci);
+ retval = xhci_reset(xhci, XHCI_RESET_LONG_USEC);
spin_unlock_irq(&xhci->lock);
if (retval)
return retval;
@@ -5276,7 +5274,7 @@ int xhci_gen_setup(struct usb_hcd *hcd,
xhci_dbg(xhci, "Resetting HCD\n");
/* Reset the internal HC memory state and registers. */
- retval = xhci_reset(xhci);
+ retval = xhci_reset(xhci, XHCI_RESET_LONG_USEC);
if (retval)
return retval;
xhci_dbg(xhci, "Reset complete\n");
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -229,6 +229,9 @@ struct xhci_op_regs {
#define CMD_ETE (1 << 14)
/* bits 15:31 are reserved (and should be preserved on writes). */
+#define XHCI_RESET_LONG_USEC (10 * 1000 * 1000)
+#define XHCI_RESET_SHORT_USEC (250 * 1000)
+
/* IMAN - Interrupt Management Register */
#define IMAN_IE (1 << 1)
#define IMAN_IP (1 << 0)
@@ -2068,11 +2071,11 @@ void xhci_free_container_ctx(struct xhci
/* xHCI host controller glue */
typedef void (*xhci_get_quirks_t)(struct device *, struct xhci_hcd *);
-int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, int usec);
+int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, u64 timeout_us);
void xhci_quiesce(struct xhci_hcd *xhci);
int xhci_halt(struct xhci_hcd *xhci);
int xhci_start(struct xhci_hcd *xhci);
-int xhci_reset(struct xhci_hcd *xhci);
+int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us);
int xhci_run(struct usb_hcd *hcd);
int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks);
void xhci_shutdown(struct usb_hcd *hcd);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 029/599] xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 028/599] xhci: make xhci_handshake timeout for xhci_reset() adjustable Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 030/599] mei: me: add Alder Lake N device id Greg Kroah-Hartman
` (582 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anssi Hannula, Mathias Nyman
From: Anssi Hannula <anssi.hannula@bitwise.fi>
commit 05519b8589a679edb8fa781259893d20bece04ad upstream.
xhci_decode_ctrl_ctx() returns the untouched buffer as-is if both "drop"
and "add" parameters are zero.
Fix the function to return an empty string in that case.
It was not immediately clear from the possible call chains whether this
issue is currently actually triggerable or not.
Note that before commit 4843b4b5ec64 ("xhci: fix even more unsafe memory
usage in xhci tracing") the result effect in the failure case was different
as a static buffer was used here, but the code still worked incorrectly.
Fixes: 90d6d5731da7 ("xhci: Add tracing for input control context")
Cc: stable@vger.kernel.org
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
commit 4843b4b5ec64 ("xhci: fix even more unsafe memory usage in xhci tracing")
Link: https://lore.kernel.org/r/20220303110903.1662404-4-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci.h | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -2458,6 +2458,8 @@ static inline const char *xhci_decode_ct
unsigned int bit;
int ret = 0;
+ str[0] = '\0';
+
if (drop) {
ret = sprintf(str, "Drop:");
for_each_set_bit(bit, &drop, 32)
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 030/599] mei: me: add Alder Lake N device id.
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 029/599] xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx() Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 031/599] mei: avoid iterator usage outside of list_for_each_entry Greg Kroah-Hartman
` (581 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Usyskin, Tomas Winkler
From: Alexander Usyskin <alexander.usyskin@intel.com>
commit 7bbbd0845818cffa9fa8ccfe52fa1cad58e7e4f2 upstream.
Add Alder Lake N device ID.
Cc: <stable@vger.kernel.org>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Link: https://lore.kernel.org/r/20220301071115.96145-1-tomas.winkler@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/mei/hw-me-regs.h | 1 +
drivers/misc/mei/pci-me.c | 1 +
2 files changed, 2 insertions(+)
--- a/drivers/misc/mei/hw-me-regs.h
+++ b/drivers/misc/mei/hw-me-regs.h
@@ -107,6 +107,7 @@
#define MEI_DEV_ID_ADP_S 0x7AE8 /* Alder Lake Point S */
#define MEI_DEV_ID_ADP_LP 0x7A60 /* Alder Lake Point LP */
#define MEI_DEV_ID_ADP_P 0x51E0 /* Alder Lake Point P */
+#define MEI_DEV_ID_ADP_N 0x54E0 /* Alder Lake Point N */
/*
* MEI HW Section
--- a/drivers/misc/mei/pci-me.c
+++ b/drivers/misc/mei/pci-me.c
@@ -113,6 +113,7 @@ static const struct pci_device_id mei_me
{MEI_PCI_DEVICE(MEI_DEV_ID_ADP_S, MEI_ME_PCH15_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_ADP_LP, MEI_ME_PCH15_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_ADP_P, MEI_ME_PCH15_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_ADP_N, MEI_ME_PCH15_CFG)},
/* required last entry */
{0, }
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 031/599] mei: avoid iterator usage outside of list_for_each_entry
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 030/599] mei: me: add Alder Lake N device id Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 032/599] coresight: Fix TRCCONFIGR.QE sysfs interface Greg Kroah-Hartman
` (580 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Usyskin, Tomas Winkler
From: Alexander Usyskin <alexander.usyskin@intel.com>
commit c10187b1c5ebb8681ca467ab7b0ded5ea415d258 upstream.
Usage of the iterator outside of the list_for_each_entry
is considered harmful. https://lkml.org/lkml/2022/2/17/1032
Do not reference the loop variable outside of the loop,
by rearranging the orders of execution.
Instead of performing search loop and checking outside the loop
if the end of the list was hit and no matching element was found,
the execution is performed inside the loop upon a successful match
followed by a goto statement to the next step,
therefore no condition has to be performed after the loop has ended.
Cc: <stable@vger.kernel.org>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Link: https://lore.kernel.org/r/20220308095926.300412-1-tomas.winkler@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/mei/interrupt.c | 35 +++++++++++++++--------------------
1 file changed, 15 insertions(+), 20 deletions(-)
--- a/drivers/misc/mei/interrupt.c
+++ b/drivers/misc/mei/interrupt.c
@@ -427,31 +427,26 @@ int mei_irq_read_handler(struct mei_devi
list_for_each_entry(cl, &dev->file_list, link) {
if (mei_cl_hbm_equal(cl, mei_hdr)) {
cl_dbg(dev, cl, "got a message\n");
- break;
+ ret = mei_cl_irq_read_msg(cl, mei_hdr, meta_hdr, cmpl_list);
+ goto reset_slots;
}
}
/* if no recipient cl was found we assume corrupted header */
- if (&cl->link == &dev->file_list) {
- /* A message for not connected fixed address clients
- * should be silently discarded
- * On power down client may be force cleaned,
- * silently discard such messages
- */
- if (hdr_is_fixed(mei_hdr) ||
- dev->dev_state == MEI_DEV_POWER_DOWN) {
- mei_irq_discard_msg(dev, mei_hdr, mei_hdr->length);
- ret = 0;
- goto reset_slots;
- }
- dev_err(dev->dev, "no destination client found 0x%08X\n",
- dev->rd_msg_hdr[0]);
- ret = -EBADMSG;
- goto end;
+ /* A message for not connected fixed address clients
+ * should be silently discarded
+ * On power down client may be force cleaned,
+ * silently discard such messages
+ */
+ if (hdr_is_fixed(mei_hdr) ||
+ dev->dev_state == MEI_DEV_POWER_DOWN) {
+ mei_irq_discard_msg(dev, mei_hdr, mei_hdr->length);
+ ret = 0;
+ goto reset_slots;
}
-
- ret = mei_cl_irq_read_msg(cl, mei_hdr, meta_hdr, cmpl_list);
-
+ dev_err(dev->dev, "no destination client found 0x%08X\n", dev->rd_msg_hdr[0]);
+ ret = -EBADMSG;
+ goto end;
reset_slots:
/* reset the number of slots and header */
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 032/599] coresight: Fix TRCCONFIGR.QE sysfs interface
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 031/599] mei: avoid iterator usage outside of list_for_each_entry Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 033/599] iio: afe: rescale: use s64 for temporary scale calculations Greg Kroah-Hartman
` (579 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, James Clark, Mike Leach,
Mathieu Poirier, Suzuki K Poulose
From: James Clark <james.clark@arm.com>
commit ea75a342aed5ed72c87f38fbe0df2f5df7eae374 upstream.
It's impossible to program a valid value for TRCCONFIGR.QE
when TRCIDR0.QSUPP==0b10. In that case the following is true:
Q element support is implemented, and only supports Q elements without
instruction counts. TRCCONFIGR.QE can only take the values 0b00 or 0b11.
Currently the low bit of QSUPP is checked to see if the low bit of QE can
be written to, but as you can see when QSUPP==0b10 the low bit is cleared
making it impossible to ever write the only valid value of 0b11 to QE.
0b10 would be written instead, which is a reserved QE value even for all
values of QSUPP.
The fix is to allow writing the low bit of QE for any non zero value of
QSUPP.
This change also ensures that the low bit is always set, even when the
user attempts to only set the high bit.
Signed-off-by: James Clark <james.clark@arm.com>
Reviewed-by: Mike Leach <mike.leach@linaro.org>
Fixes: d8c66962084f ("coresight-etm4x: Controls pertaining to the reset, mode, pe and events")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220120113047.2839622-2-james.clark@arm.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
+++ b/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
@@ -364,8 +364,12 @@ static ssize_t mode_store(struct device
mode = ETM_MODE_QELEM(config->mode);
/* start by clearing QE bits */
config->cfg &= ~(BIT(13) | BIT(14));
- /* if supported, Q elements with instruction counts are enabled */
- if ((mode & BIT(0)) && (drvdata->q_support & BIT(0)))
+ /*
+ * if supported, Q elements with instruction counts are enabled.
+ * Always set the low bit for any requested mode. Valid combos are
+ * 0b00, 0b01 and 0b11.
+ */
+ if (mode && drvdata->q_support)
config->cfg |= BIT(13);
/*
* if supported, Q elements with and without instruction
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 033/599] iio: afe: rescale: use s64 for temporary scale calculations
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 032/599] coresight: Fix TRCCONFIGR.QE sysfs interface Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 034/599] iio: inkern: apply consumer scale on IIO_VAL_INT cases Greg Kroah-Hartman
` (578 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Liam Beguin, Peter Rosin,
Andy Shevchenko, Stable, Jonathan Cameron
From: Liam Beguin <liambeguin@gmail.com>
commit 51593106b608ae4247cc8da928813347da16d025 upstream.
All four scaling coefficients can take signed values.
Make tmp a signed 64-bit integer and switch to div_s64() to preserve
signs during 64-bit divisions.
Fixes: 8b74816b5a9a ("iio: afe: rescale: new driver")
Signed-off-by: Liam Beguin <liambeguin@gmail.com>
Reviewed-by: Peter Rosin <peda@axentia.se>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20220108205319.2046348-5-liambeguin@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/afe/iio-rescale.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/iio/afe/iio-rescale.c
+++ b/drivers/iio/afe/iio-rescale.c
@@ -38,7 +38,7 @@ static int rescale_read_raw(struct iio_d
int *val, int *val2, long mask)
{
struct rescale *rescale = iio_priv(indio_dev);
- unsigned long long tmp;
+ s64 tmp;
int ret;
switch (mask) {
@@ -59,10 +59,10 @@ static int rescale_read_raw(struct iio_d
*val2 = rescale->denominator;
return IIO_VAL_FRACTIONAL;
case IIO_VAL_FRACTIONAL_LOG2:
- tmp = *val * 1000000000LL;
- do_div(tmp, rescale->denominator);
+ tmp = (s64)*val * 1000000000LL;
+ tmp = div_s64(tmp, rescale->denominator);
tmp *= rescale->numerator;
- do_div(tmp, 1000000000LL);
+ tmp = div_s64(tmp, 1000000000LL);
*val = tmp;
return ret;
default:
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 034/599] iio: inkern: apply consumer scale on IIO_VAL_INT cases
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 033/599] iio: afe: rescale: use s64 for temporary scale calculations Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 035/599] iio: inkern: apply consumer scale when no channel scale is available Greg Kroah-Hartman
` (577 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Liam Beguin, Peter Rosin,
Andy Shevchenko, Stable, Jonathan Cameron
From: Liam Beguin <liambeguin@gmail.com>
commit 1bca97ff95c732a516ebb68da72814194980e0a5 upstream.
When a consumer calls iio_read_channel_processed() and the channel has
an integer scale, the scale channel scale is applied and the processed
value is returned as expected.
On the other hand, if the consumer calls iio_convert_raw_to_processed()
the scaling factor requested by the consumer is not applied.
This for example causes the consumer to process mV when expecting uV.
Make sure to always apply the scaling factor requested by the consumer.
Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value")
Signed-off-by: Liam Beguin <liambeguin@gmail.com>
Reviewed-by: Peter Rosin <peda@axentia.se>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20220108205319.2046348-2-liambeguin@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/inkern.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/inkern.c
+++ b/drivers/iio/inkern.c
@@ -582,7 +582,7 @@ static int iio_convert_raw_to_processed_
switch (scale_type) {
case IIO_VAL_INT:
- *processed = raw64 * scale_val;
+ *processed = raw64 * scale_val * scale;
break;
case IIO_VAL_INT_PLUS_MICRO:
if (scale_val2 < 0)
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 035/599] iio: inkern: apply consumer scale when no channel scale is available
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 034/599] iio: inkern: apply consumer scale on IIO_VAL_INT cases Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 036/599] iio: inkern: make a best effort on offset calculation Greg Kroah-Hartman
` (576 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Liam Beguin, Peter Rosin,
Andy Shevchenko, Stable, Jonathan Cameron
From: Liam Beguin <liambeguin@gmail.com>
commit 14b457fdde38de594a4bc4bd9075019319d978da upstream.
When a consumer calls iio_read_channel_processed() and no channel scale
is available, it's assumed that the scale is one and the raw value is
returned as expected.
On the other hand, if the consumer calls iio_convert_raw_to_processed()
the scaling factor requested by the consumer is not applied.
This for example causes the consumer to process mV when expecting uV.
Make sure to always apply the scaling factor requested by the consumer.
Fixes: adc8ec5ff183 ("iio: inkern: pass through raw values if no scaling")
Signed-off-by: Liam Beguin <liambeguin@gmail.com>
Reviewed-by: Peter Rosin <peda@axentia.se>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20220108205319.2046348-3-liambeguin@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/inkern.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/iio/inkern.c
+++ b/drivers/iio/inkern.c
@@ -573,10 +573,10 @@ static int iio_convert_raw_to_processed_
IIO_CHAN_INFO_SCALE);
if (scale_type < 0) {
/*
- * Just pass raw values as processed if no scaling is
- * available.
+ * If no channel scaling is available apply consumer scale to
+ * raw value and return.
*/
- *processed = raw;
+ *processed = raw * scale;
return 0;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 036/599] iio: inkern: make a best effort on offset calculation
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 035/599] iio: inkern: apply consumer scale when no channel scale is available Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 037/599] greybus: svc: fix an error handling bug in gb_svc_hello() Greg Kroah-Hartman
` (575 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Liam Beguin, Peter Rosin,
Andy Shevchenko, Stable, Jonathan Cameron
From: Liam Beguin <liambeguin@gmail.com>
commit ca85123354e1a65a22170286387b4791997fe864 upstream.
iio_convert_raw_to_processed_unlocked() assumes the offset is an
integer. Make a best effort to get a valid offset value for fractional
cases without breaking implicit truncations.
Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value")
Signed-off-by: Liam Beguin <liambeguin@gmail.com>
Reviewed-by: Peter Rosin <peda@axentia.se>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20220108205319.2046348-4-liambeguin@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/inkern.c | 32 +++++++++++++++++++++++++++-----
1 file changed, 27 insertions(+), 5 deletions(-)
--- a/drivers/iio/inkern.c
+++ b/drivers/iio/inkern.c
@@ -561,13 +561,35 @@ EXPORT_SYMBOL_GPL(iio_read_channel_avera
static int iio_convert_raw_to_processed_unlocked(struct iio_channel *chan,
int raw, int *processed, unsigned int scale)
{
- int scale_type, scale_val, scale_val2, offset;
+ int scale_type, scale_val, scale_val2;
+ int offset_type, offset_val, offset_val2;
s64 raw64 = raw;
- int ret;
- ret = iio_channel_read(chan, &offset, NULL, IIO_CHAN_INFO_OFFSET);
- if (ret >= 0)
- raw64 += offset;
+ offset_type = iio_channel_read(chan, &offset_val, &offset_val2,
+ IIO_CHAN_INFO_OFFSET);
+ if (offset_type >= 0) {
+ switch (offset_type) {
+ case IIO_VAL_INT:
+ break;
+ case IIO_VAL_INT_PLUS_MICRO:
+ case IIO_VAL_INT_PLUS_NANO:
+ /*
+ * Both IIO_VAL_INT_PLUS_MICRO and IIO_VAL_INT_PLUS_NANO
+ * implicitely truncate the offset to it's integer form.
+ */
+ break;
+ case IIO_VAL_FRACTIONAL:
+ offset_val /= offset_val2;
+ break;
+ case IIO_VAL_FRACTIONAL_LOG2:
+ offset_val >>= offset_val2;
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ raw64 += offset_val;
+ }
scale_type = iio_channel_read(chan, &scale_val, &scale_val2,
IIO_CHAN_INFO_SCALE);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 037/599] greybus: svc: fix an error handling bug in gb_svc_hello()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 036/599] iio: inkern: make a best effort on offset calculation Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 038/599] clk: uniphier: Fix fixed-rate initialization Greg Kroah-Hartman
` (574 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Johan Hovold
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 5f8583a3b7552092582a92e7bbd2153319929ad7 upstream.
Cleanup if gb_svc_queue_deferred_request() fails.
Link: https://lore.kernel.org/r/20220202072016.GA6748@kili
Fixes: ee2f2074fdb2 ("greybus: svc: reconfig APBridgeA-Switch link to handle required load")
Cc: stable@vger.kernel.org # 4.9
[johan: fix commit summary prefix and rename label ]
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20220202113347.1288-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/greybus/svc.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/greybus/svc.c
+++ b/drivers/greybus/svc.c
@@ -866,8 +866,14 @@ static int gb_svc_hello(struct gb_operat
gb_svc_debugfs_init(svc);
- return gb_svc_queue_deferred_request(op);
+ ret = gb_svc_queue_deferred_request(op);
+ if (ret)
+ goto err_remove_debugfs;
+ return 0;
+
+err_remove_debugfs:
+ gb_svc_debugfs_exit(svc);
err_unregister_device:
gb_svc_watchdog_destroy(svc);
device_del(&svc->dev);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 038/599] clk: uniphier: Fix fixed-rate initialization
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 037/599] greybus: svc: fix an error handling bug in gb_svc_hello() Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 039/599] ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE Greg Kroah-Hartman
` (573 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kunihiko Hayashi, Stephen Boyd
From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
commit ca85a66710a8a1f6b0719397225c3e9ee0abb692 upstream.
Fixed-rate clocks in UniPhier don't have any parent clocks, however,
initial data "init.flags" isn't initialized, so it might be determined
that there is a parent clock for fixed-rate clock.
This sets init.flags to zero as initialization.
Cc: <stable@vger.kernel.org>
Fixes: 734d82f4a678 ("clk: uniphier: add core support code for UniPhier clock driver")
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Link: https://lore.kernel.org/r/1646808918-30899-1-git-send-email-hayashi.kunihiko@socionext.com
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/uniphier/clk-uniphier-fixed-rate.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/clk/uniphier/clk-uniphier-fixed-rate.c
+++ b/drivers/clk/uniphier/clk-uniphier-fixed-rate.c
@@ -24,6 +24,7 @@ struct clk_hw *uniphier_clk_register_fix
init.name = name;
init.ops = &clk_fixed_rate_ops;
+ init.flags = 0;
init.parent_names = NULL;
init.num_parents = 0;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 039/599] ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 038/599] clk: uniphier: Fix fixed-rate initialization Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 040/599] KEYS: fix length validation in keyctl_pkey_params_get_2() Greg Kroah-Hartman
` (572 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Jann Horn, Eric W. Biederman
From: Jann Horn <jannh@google.com>
commit ee1fee900537b5d9560e9f937402de5ddc8412f3 upstream.
Setting PTRACE_O_SUSPEND_SECCOMP is supposed to be a highly privileged
operation because it allows the tracee to completely bypass all seccomp
filters on kernels with CONFIG_CHECKPOINT_RESTORE=y. It is only supposed to
be settable by a process with global CAP_SYS_ADMIN, and only if that
process is not subject to any seccomp filters at all.
However, while these permission checks were done on the PTRACE_SETOPTIONS
path, they were missing on the PTRACE_SEIZE path, which also sets
user-specified ptrace flags.
Move the permissions checks out into a helper function and let both
ptrace_attach() and ptrace_setoptions() call it.
Cc: stable@kernel.org
Fixes: 13c4a90119d2 ("seccomp: add ptrace options for suspend/resume")
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://lkml.kernel.org/r/20220319010838.1386861-1-jannh@google.com
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/ptrace.c | 47 ++++++++++++++++++++++++++++++++---------------
1 file changed, 32 insertions(+), 15 deletions(-)
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -370,6 +370,26 @@ bool ptrace_may_access(struct task_struc
return !err;
}
+static int check_ptrace_options(unsigned long data)
+{
+ if (data & ~(unsigned long)PTRACE_O_MASK)
+ return -EINVAL;
+
+ if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) {
+ if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) ||
+ !IS_ENABLED(CONFIG_SECCOMP))
+ return -EINVAL;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
+ if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED ||
+ current->ptrace & PT_SUSPEND_SECCOMP)
+ return -EPERM;
+ }
+ return 0;
+}
+
static int ptrace_attach(struct task_struct *task, long request,
unsigned long addr,
unsigned long flags)
@@ -381,8 +401,16 @@ static int ptrace_attach(struct task_str
if (seize) {
if (addr != 0)
goto out;
+ /*
+ * This duplicates the check in check_ptrace_options() because
+ * ptrace_attach() and ptrace_setoptions() have historically
+ * used different error codes for unknown ptrace options.
+ */
if (flags & ~(unsigned long)PTRACE_O_MASK)
goto out;
+ retval = check_ptrace_options(flags);
+ if (retval)
+ return retval;
flags = PT_PTRACED | PT_SEIZED | (flags << PT_OPT_FLAG_SHIFT);
} else {
flags = PT_PTRACED;
@@ -655,22 +683,11 @@ int ptrace_writedata(struct task_struct
static int ptrace_setoptions(struct task_struct *child, unsigned long data)
{
unsigned flags;
+ int ret;
- if (data & ~(unsigned long)PTRACE_O_MASK)
- return -EINVAL;
-
- if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) {
- if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) ||
- !IS_ENABLED(CONFIG_SECCOMP))
- return -EINVAL;
-
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-
- if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED ||
- current->ptrace & PT_SUSPEND_SECCOMP)
- return -EPERM;
- }
+ ret = check_ptrace_options(data);
+ if (ret)
+ return ret;
/* Avoid intermediate state when all opts are cleared */
flags = child->ptrace;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 040/599] KEYS: fix length validation in keyctl_pkey_params_get_2()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 039/599] ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 041/599] Documentation: add link to stable release candidate tree Greg Kroah-Hartman
` (571 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, Jarkko Sakkinen
From: Eric Biggers <ebiggers@google.com>
commit c51abd96837f600d8fd940b6ab8e2da578575504 upstream.
In many cases, keyctl_pkey_params_get_2() is validating the user buffer
lengths against the wrong algorithm properties. Fix it to check against
the correct properties.
Probably this wasn't noticed before because for all asymmetric keys of
the "public_key" subtype, max_data_size == max_sig_size == max_enc_size
== max_dec_size. However, this isn't necessarily true for the
"asym_tpm" subtype (it should be, but it's not strictly validated). Of
course, future key types could have different values as well.
Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
Cc: <stable@vger.kernel.org> # v4.20+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/keyctl_pkey.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/security/keys/keyctl_pkey.c
+++ b/security/keys/keyctl_pkey.c
@@ -135,15 +135,23 @@ static int keyctl_pkey_params_get_2(cons
switch (op) {
case KEYCTL_PKEY_ENCRYPT:
+ if (uparams.in_len > info.max_dec_size ||
+ uparams.out_len > info.max_enc_size)
+ return -EINVAL;
+ break;
case KEYCTL_PKEY_DECRYPT:
if (uparams.in_len > info.max_enc_size ||
uparams.out_len > info.max_dec_size)
return -EINVAL;
break;
case KEYCTL_PKEY_SIGN:
+ if (uparams.in_len > info.max_data_size ||
+ uparams.out_len > info.max_sig_size)
+ return -EINVAL;
+ break;
case KEYCTL_PKEY_VERIFY:
- if (uparams.in_len > info.max_sig_size ||
- uparams.out_len > info.max_data_size)
+ if (uparams.in_len > info.max_data_size ||
+ uparams.in2_len > info.max_sig_size)
return -EINVAL;
break;
default:
@@ -151,7 +159,7 @@ static int keyctl_pkey_params_get_2(cons
}
params->in_len = uparams.in_len;
- params->out_len = uparams.out_len;
+ params->out_len = uparams.out_len; /* Note: same as in2_len */
return 0;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 041/599] Documentation: add link to stable release candidate tree
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 040/599] KEYS: fix length validation in keyctl_pkey_params_get_2() Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 042/599] Documentation: update stable tree link Greg Kroah-Hartman
` (570 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sasha Levin, Jonathan Corbet, Bagas Sanjaya
From: Bagas Sanjaya <bagasdotme@gmail.com>
commit 587d39b260c4d090166314d64be70b1f6a26b0b5 upstream.
There is also stable release candidate tree. Mention it, however with a
warning that the tree is for testing purposes.
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Link: https://lore.kernel.org/r/20220314113329.485372-5-bagasdotme@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/process/stable-kernel-rules.rst | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/Documentation/process/stable-kernel-rules.rst
+++ b/Documentation/process/stable-kernel-rules.rst
@@ -170,6 +170,15 @@ Trees
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
+ - The release candidate of all stable kernel versions can be found at:
+
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/
+
+ .. warning::
+ The -stable-rc tree is a snapshot in time of the stable-queue tree and
+ will change frequently, hence will be rebased often. It should only be
+ used for testing purposes (e.g. to be consumed by CI systems).
+
Review committee
----------------
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 042/599] Documentation: update stable tree link
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 041/599] Documentation: add link to stable release candidate tree Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 043/599] firmware: stratix10-svc: add missing callback parameter on RSU Greg Kroah-Hartman
` (569 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sasha Levin, Jonathan Corbet, Bagas Sanjaya
From: Bagas Sanjaya <bagasdotme@gmail.com>
commit 555d44932c67e617d89bc13c81c7efac5b51fcfa upstream.
The link to stable tree is redirected to
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git. Update
accordingly.
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Link: https://lore.kernel.org/r/20220314113329.485372-6-bagasdotme@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/process/stable-kernel-rules.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Documentation/process/stable-kernel-rules.rst
+++ b/Documentation/process/stable-kernel-rules.rst
@@ -168,7 +168,7 @@ Trees
- The finalized and tagged releases of all stable kernels can be found
in separate branches per version at:
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- The release candidate of all stable kernel versions can be found at:
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 043/599] firmware: stratix10-svc: add missing callback parameter on RSU
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 042/599] Documentation: update stable tree link Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 044/599] HID: intel-ish-hid: Use dma_alloc_coherent for firmware update Greg Kroah-Hartman
` (568 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ang Tien Sung, Dinh Nguyen
From: Ang Tien Sung <tien.sung.ang@intel.com>
commit b850b7a8b369322adf699ef48ceff4d902525c8c upstream.
Fix a bug whereby, the return response of parameter a1 from an
SMC call is not properly set to the callback data during an
INTEL_SIP_SMC_RSU_ERROR command.
Link: https://lore.kernel.org/lkml/20220216081513.28319-1-tien.sung.ang@intel.com
Fixes: 6b50d882d38d ("firmware: add remote status update client support")
Cc: stable@vger.kernel.org
Signed-off-by: Ang Tien Sung <tien.sung.ang@intel.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Link: https://lore.kernel.org/r/20220223144146.399263-1-dinguyen@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/stratix10-svc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/firmware/stratix10-svc.c
+++ b/drivers/firmware/stratix10-svc.c
@@ -477,7 +477,7 @@ static int svc_normal_to_secure_thread(v
case INTEL_SIP_SMC_RSU_ERROR:
pr_err("%s: STATUS_ERROR\n", __func__);
cbdata->status = BIT(SVC_STATUS_ERROR);
- cbdata->kaddr1 = NULL;
+ cbdata->kaddr1 = &res.a1;
cbdata->kaddr2 = NULL;
cbdata->kaddr3 = NULL;
pdata->chan->scl->receive_cb(pdata->chan->scl, cbdata);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 044/599] HID: intel-ish-hid: Use dma_alloc_coherent for firmware update
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 043/599] firmware: stratix10-svc: add missing callback parameter on RSU Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 045/599] SUNRPC: avoid race between mod_timer() and del_timer_sync() Greg Kroah-Hartman
` (567 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Gwendal Grignou, Srinivas Pandruvada,
Jiri Kosina
From: Gwendal Grignou <gwendal@chromium.org>
commit f97ec5d75e9261a5da78dc28a8955b7cc0c4468b upstream.
Allocating memory with kmalloc and GPF_DMA32 is not allowed, the
allocator will ignore the attribute.
Instead, use dma_alloc_coherent() API as we allocate a small amount of
memory to transfer firmware fragment to the ISH.
On Arcada chromebook, after the patch the warning:
"Unexpected gfp: 0x4 (GFP_DMA32). Fixing up to gfp: 0xcc0 (GFP_KERNEL). Fix your code!"
is gone. The ISH firmware is loaded properly and we can interact with
the ISH:
> ectool --name cros_ish version
...
Build info: arcada_ish_v2.0.3661+3c1a1c1ae0 2022-02-08 05:37:47 @localhost
Tool version: v2.0.12300-900b03ec7f 2022-02-08 10:01:48 @localhost
Fixes: commit 91b228107da3 ("HID: intel-ish-hid: ISH firmware loader client driver")
Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/intel-ish-hid/ishtp-fw-loader.c | 29 ++--------------------------
1 file changed, 3 insertions(+), 26 deletions(-)
--- a/drivers/hid/intel-ish-hid/ishtp-fw-loader.c
+++ b/drivers/hid/intel-ish-hid/ishtp-fw-loader.c
@@ -656,21 +656,12 @@ static int ish_fw_xfer_direct_dma(struct
*/
payload_max_size &= ~(L1_CACHE_BYTES - 1);
- dma_buf = kmalloc(payload_max_size, GFP_KERNEL | GFP_DMA32);
+ dma_buf = dma_alloc_coherent(devc, payload_max_size, &dma_buf_phy, GFP_KERNEL);
if (!dma_buf) {
client_data->flag_retry = true;
return -ENOMEM;
}
- dma_buf_phy = dma_map_single(devc, dma_buf, payload_max_size,
- DMA_TO_DEVICE);
- if (dma_mapping_error(devc, dma_buf_phy)) {
- dev_err(cl_data_to_dev(client_data), "DMA map failed\n");
- client_data->flag_retry = true;
- rv = -ENOMEM;
- goto end_err_dma_buf_release;
- }
-
ldr_xfer_dma_frag.fragment.hdr.command = LOADER_CMD_XFER_FRAGMENT;
ldr_xfer_dma_frag.fragment.xfer_mode = LOADER_XFER_MODE_DIRECT_DMA;
ldr_xfer_dma_frag.ddr_phys_addr = (u64)dma_buf_phy;
@@ -690,14 +681,7 @@ static int ish_fw_xfer_direct_dma(struct
ldr_xfer_dma_frag.fragment.size = fragment_size;
memcpy(dma_buf, &fw->data[fragment_offset], fragment_size);
- dma_sync_single_for_device(devc, dma_buf_phy,
- payload_max_size,
- DMA_TO_DEVICE);
-
- /*
- * Flush cache here because the dma_sync_single_for_device()
- * does not do for x86.
- */
+ /* Flush cache to be sure the data is in main memory. */
clflush_cache_range(dma_buf, payload_max_size);
dev_dbg(cl_data_to_dev(client_data),
@@ -720,15 +704,8 @@ static int ish_fw_xfer_direct_dma(struct
fragment_offset += fragment_size;
}
- dma_unmap_single(devc, dma_buf_phy, payload_max_size, DMA_TO_DEVICE);
- kfree(dma_buf);
- return 0;
-
end_err_resp_buf_release:
- /* Free ISH buffer if not done already, in error case */
- dma_unmap_single(devc, dma_buf_phy, payload_max_size, DMA_TO_DEVICE);
-end_err_dma_buf_release:
- kfree(dma_buf);
+ dma_free_coherent(devc, payload_max_size, dma_buf, dma_buf_phy);
return rv;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 045/599] SUNRPC: avoid race between mod_timer() and del_timer_sync()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 044/599] HID: intel-ish-hid: Use dma_alloc_coherent for firmware update Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 046/599] NFSD: prevent underflow in nfssvc_decode_writeargs() Greg Kroah-Hartman
` (566 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, NeilBrown, Trond Myklebust
From: NeilBrown <neilb@suse.de>
commit 3848e96edf4788f772d83990022fa7023a233d83 upstream.
xprt_destory() claims XPRT_LOCKED and then calls del_timer_sync().
Both xprt_unlock_connect() and xprt_release() call
->release_xprt()
which drops XPRT_LOCKED and *then* xprt_schedule_autodisconnect()
which calls mod_timer().
This may result in mod_timer() being called *after* del_timer_sync().
When this happens, the timer may fire long after the xprt has been freed,
and run_timer_softirq() will probably crash.
The pairing of ->release_xprt() and xprt_schedule_autodisconnect() is
always called under ->transport_lock. So if we take ->transport_lock to
call del_timer_sync(), we can be sure that mod_timer() will run first
(if it runs at all).
Cc: stable@vger.kernel.org
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/xprt.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -2037,7 +2037,14 @@ static void xprt_destroy(struct rpc_xprt
*/
wait_on_bit_lock(&xprt->state, XPRT_LOCKED, TASK_UNINTERRUPTIBLE);
+ /*
+ * xprt_schedule_autodisconnect() can run after XPRT_LOCKED
+ * is cleared. We use ->transport_lock to ensure the mod_timer()
+ * can only run *before* del_time_sync(), never after.
+ */
+ spin_lock(&xprt->transport_lock);
del_timer_sync(&xprt->timer);
+ spin_unlock(&xprt->transport_lock);
/*
* Destroy sockets etc from the system workqueue so they can
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 046/599] NFSD: prevent underflow in nfssvc_decode_writeargs()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 045/599] SUNRPC: avoid race between mod_timer() and del_timer_sync() Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 047/599] NFSD: prevent integer overflow on 32 bit systems Greg Kroah-Hartman
` (565 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Chuck Lever
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 184416d4b98509fb4c3d8fc3d6dc1437896cc159 upstream.
Smatch complains:
fs/nfsd/nfsxdr.c:341 nfssvc_decode_writeargs()
warn: no lower bound on 'args->len'
Change the type to unsigned to prevent this issue.
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfsproc.c | 2 +-
fs/nfsd/xdr.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/fs/nfsd/nfsproc.c
+++ b/fs/nfsd/nfsproc.c
@@ -223,7 +223,7 @@ nfsd_proc_write(struct svc_rqst *rqstp)
unsigned long cnt = argp->len;
unsigned int nvecs;
- dprintk("nfsd: WRITE %s %d bytes at %d\n",
+ dprintk("nfsd: WRITE %s %u bytes at %d\n",
SVCFH_fmt(&argp->fh),
argp->len, argp->offset);
--- a/fs/nfsd/xdr.h
+++ b/fs/nfsd/xdr.h
@@ -33,7 +33,7 @@ struct nfsd_readargs {
struct nfsd_writeargs {
svc_fh fh;
__u32 offset;
- int len;
+ __u32 len;
struct kvec first;
};
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 047/599] NFSD: prevent integer overflow on 32 bit systems
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 046/599] NFSD: prevent underflow in nfssvc_decode_writeargs() Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 048/599] f2fs: fix to unlock page correctly in error path of is_alive() Greg Kroah-Hartman
` (564 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Chuck Lever
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 23a9dbbe0faf124fc4c139615633b9d12a3a89ef upstream.
On a 32 bit system, the "len * sizeof(*p)" operation can have an
integer overflow.
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/sunrpc/xdr.h | 2 ++
1 file changed, 2 insertions(+)
--- a/include/linux/sunrpc/xdr.h
+++ b/include/linux/sunrpc/xdr.h
@@ -603,6 +603,8 @@ xdr_stream_decode_uint32_array(struct xd
if (unlikely(xdr_stream_decode_u32(xdr, &len) < 0))
return -EBADMSG;
+ if (len > SIZE_MAX / sizeof(*p))
+ return -EBADMSG;
p = xdr_inline_decode(xdr, len * sizeof(*p));
if (unlikely(!p))
return -EBADMSG;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 048/599] f2fs: fix to unlock page correctly in error path of is_alive()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 047/599] NFSD: prevent integer overflow on 32 bit systems Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 049/599] f2fs: quota: fix loop condition at f2fs_quota_sync() Greg Kroah-Hartman
` (563 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pavel Machek, Chao Yu, Jaegeuk Kim
From: Chao Yu <chao@kernel.org>
commit 6d18762ed5cd549fde74fd0e05d4d87bac5a3beb upstream.
As Pavel Machek reported in below link [1]:
After commit 77900c45ee5c ("f2fs: fix to do sanity check in is_alive()"),
node page should be unlock via calling f2fs_put_page() in the error path
of is_alive(), otherwise, f2fs may hang when it tries to lock the node
page, fix it.
[1] https://lore.kernel.org/stable/20220124203637.GA19321@duo.ucw.cz/
Fixes: 77900c45ee5c ("f2fs: fix to do sanity check in is_alive()")
Cc: <stable@vger.kernel.org>
Reported-by: Pavel Machek <pavel@denx.de>
Signed-off-by: Pavel Machek <pavel@denx.de>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/gc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -998,8 +998,10 @@ static bool is_alive(struct f2fs_sb_info
set_sbi_flag(sbi, SBI_NEED_FSCK);
}
- if (f2fs_check_nid_range(sbi, dni->ino))
+ if (f2fs_check_nid_range(sbi, dni->ino)) {
+ f2fs_put_page(node_page, 1);
return false;
+ }
*nofs = ofs_of_node(node_page);
source_blkaddr = data_blkaddr(NULL, node_page, ofs_in_node);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 049/599] f2fs: quota: fix loop condition at f2fs_quota_sync()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 048/599] f2fs: fix to unlock page correctly in error path of is_alive() Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 050/599] f2fs: fix to do sanity check on .cp_pack_total_block_count Greg Kroah-Hartman
` (562 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Juhyung Park, Chao Yu, Jaegeuk Kim
From: Juhyung Park <qkrwngud825@gmail.com>
commit 680af5b824a52faa819167628665804a14f0e0df upstream.
cnt should be passed to sb_has_quota_active() instead of type to check
active quota properly.
Moreover, when the type is -1, the compiler with enough inline knowledge
can discard sb_has_quota_active() check altogether, causing a NULL pointer
dereference at the following inode_lock(dqopt->files[cnt]):
[ 2.796010] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0
[ 2.796024] Mem abort info:
[ 2.796025] ESR = 0x96000005
[ 2.796028] EC = 0x25: DABT (current EL), IL = 32 bits
[ 2.796029] SET = 0, FnV = 0
[ 2.796031] EA = 0, S1PTW = 0
[ 2.796032] Data abort info:
[ 2.796034] ISV = 0, ISS = 0x00000005
[ 2.796035] CM = 0, WnR = 0
[ 2.796046] user pgtable: 4k pages, 39-bit VAs, pgdp=00000003370d1000
[ 2.796048] [00000000000000a0] pgd=0000000000000000, pud=0000000000000000
[ 2.796051] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[ 2.796056] CPU: 7 PID: 640 Comm: f2fs_ckpt-259:7 Tainted: G S 5.4.179-arter97-r8-64666-g2f16e087f9d8 #1
[ 2.796057] Hardware name: Qualcomm Technologies, Inc. Lahaina MTP lemonadep (DT)
[ 2.796059] pstate: 80c00005 (Nzcv daif +PAN +UAO)
[ 2.796065] pc : down_write+0x28/0x70
[ 2.796070] lr : f2fs_quota_sync+0x100/0x294
[ 2.796071] sp : ffffffa3f48ffc30
[ 2.796073] x29: ffffffa3f48ffc30 x28: 0000000000000000
[ 2.796075] x27: ffffffa3f6d718b8 x26: ffffffa415fe9d80
[ 2.796077] x25: ffffffa3f7290048 x24: 0000000000000001
[ 2.796078] x23: 0000000000000000 x22: ffffffa3f7290000
[ 2.796080] x21: ffffffa3f72904a0 x20: ffffffa3f7290110
[ 2.796081] x19: ffffffa3f77a9800 x18: ffffffc020aae038
[ 2.796083] x17: ffffffa40e38e040 x16: ffffffa40e38e6d0
[ 2.796085] x15: ffffffa40e38e6cc x14: ffffffa40e38e6d0
[ 2.796086] x13: 00000000000004f6 x12: 00162c44ff493000
[ 2.796088] x11: 0000000000000400 x10: ffffffa40e38c948
[ 2.796090] x9 : 0000000000000000 x8 : 00000000000000a0
[ 2.796091] x7 : 0000000000000000 x6 : 0000d1060f00002a
[ 2.796093] x5 : ffffffa3f48ff718 x4 : 000000000000000d
[ 2.796094] x3 : 00000000060c0000 x2 : 0000000000000001
[ 2.796096] x1 : 0000000000000000 x0 : 00000000000000a0
[ 2.796098] Call trace:
[ 2.796100] down_write+0x28/0x70
[ 2.796102] f2fs_quota_sync+0x100/0x294
[ 2.796104] block_operations+0x120/0x204
[ 2.796106] f2fs_write_checkpoint+0x11c/0x520
[ 2.796107] __checkpoint_and_complete_reqs+0x7c/0xd34
[ 2.796109] issue_checkpoint_thread+0x6c/0xb8
[ 2.796112] kthread+0x138/0x414
[ 2.796114] ret_from_fork+0x10/0x18
[ 2.796117] Code: aa0803e0 aa1f03e1 52800022 aa0103e9 (c8e97d02)
[ 2.796120] ---[ end trace 96e942e8eb6a0b53 ]---
[ 2.800116] Kernel panic - not syncing: Fatal exception
[ 2.800120] SMP: stopping secondary CPUs
Fixes: 9de71ede81e6 ("f2fs: quota: fix potential deadlock")
Cc: <stable@vger.kernel.org> # v5.15+
Signed-off-by: Juhyung Park <qkrwngud825@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2278,7 +2278,7 @@ int f2fs_quota_sync(struct super_block *
struct f2fs_sb_info *sbi = F2FS_SB(sb);
struct quota_info *dqopt = sb_dqopt(sb);
int cnt;
- int ret;
+ int ret = 0;
/*
* Now when everything is written we can discard the pagecache so
@@ -2289,8 +2289,8 @@ int f2fs_quota_sync(struct super_block *
if (type != -1 && cnt != type)
continue;
- if (!sb_has_quota_active(sb, type))
- return 0;
+ if (!sb_has_quota_active(sb, cnt))
+ continue;
inode_lock(dqopt->files[cnt]);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 050/599] f2fs: fix to do sanity check on .cp_pack_total_block_count
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 049/599] f2fs: quota: fix loop condition at f2fs_quota_sync() Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 051/599] remoteproc: Fix count check in rproc_coredump_write() Greg Kroah-Hartman
` (561 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chao Yu, Jaegeuk Kim
From: Chao Yu <chao@kernel.org>
commit 5b5b4f85b01604389f7a0f11ef180a725bf0e2d4 upstream.
As bughunter reported in bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=215709
f2fs may hang when mounting a fuzzed image, the dmesg shows as below:
__filemap_get_folio+0x3a9/0x590
pagecache_get_page+0x18/0x60
__get_meta_page+0x95/0x460 [f2fs]
get_checkpoint_version+0x2a/0x1e0 [f2fs]
validate_checkpoint+0x8e/0x2a0 [f2fs]
f2fs_get_valid_checkpoint+0xd0/0x620 [f2fs]
f2fs_fill_super+0xc01/0x1d40 [f2fs]
mount_bdev+0x18a/0x1c0
f2fs_mount+0x15/0x20 [f2fs]
legacy_get_tree+0x28/0x50
vfs_get_tree+0x27/0xc0
path_mount+0x480/0xaa0
do_mount+0x7c/0xa0
__x64_sys_mount+0x8b/0xe0
do_syscall_64+0x38/0xc0
entry_SYSCALL_64_after_hwframe+0x44/0xae
The root cause is cp_pack_total_block_count field in checkpoint was fuzzed
to one, as calcuated, two cp pack block locates in the same block address,
so then read latter cp pack block, it will block on the page lock due to
the lock has already held when reading previous cp pack block, fix it by
adding sanity check for cp_pack_total_block_count.
Cc: stable@vger.kernel.org
Signed-off-by: Chao Yu <chao.yu@oppo.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/checkpoint.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/fs/f2fs/checkpoint.c
+++ b/fs/f2fs/checkpoint.c
@@ -851,6 +851,7 @@ static struct page *validate_checkpoint(
struct page *cp_page_1 = NULL, *cp_page_2 = NULL;
struct f2fs_checkpoint *cp_block = NULL;
unsigned long long cur_version = 0, pre_version = 0;
+ unsigned int cp_blocks;
int err;
err = get_checkpoint_version(sbi, cp_addr, &cp_block,
@@ -858,15 +859,16 @@ static struct page *validate_checkpoint(
if (err)
return NULL;
- if (le32_to_cpu(cp_block->cp_pack_total_block_count) >
- sbi->blocks_per_seg) {
+ cp_blocks = le32_to_cpu(cp_block->cp_pack_total_block_count);
+
+ if (cp_blocks > sbi->blocks_per_seg || cp_blocks <= F2FS_CP_PACKS) {
f2fs_warn(sbi, "invalid cp_pack_total_block_count:%u",
le32_to_cpu(cp_block->cp_pack_total_block_count));
goto invalid_cp;
}
pre_version = *version;
- cp_addr += le32_to_cpu(cp_block->cp_pack_total_block_count) - 1;
+ cp_addr += cp_blocks - 1;
err = get_checkpoint_version(sbi, cp_addr, &cp_block,
&cp_page_2, version);
if (err)
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 051/599] remoteproc: Fix count check in rproc_coredump_write()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 050/599] f2fs: fix to do sanity check on .cp_pack_total_block_count Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 052/599] pinctrl: samsung: drop pin banks references on error paths Greg Kroah-Hartman
` (560 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Alistair Delva, Rishabh Bhatnagar,
Ohad Ben-Cohen, Bjorn Andersson, Mathieu Poirier, Sibi Sankar,
linux-remoteproc, kernel-team
From: Alistair Delva <adelva@google.com>
commit f89672cc3681952f2d06314981a6b45f8b0045d1 upstream.
Check count for 0, to avoid a potential underflow. Make the check the
same as the one in rproc_recovery_write().
Fixes: 3afdc59e4390 ("remoteproc: Add coredump debugfs entry")
Signed-off-by: Alistair Delva <adelva@google.com>
Cc: Rishabh Bhatnagar <rishabhb@codeaurora.org>
Cc: stable@vger.kernel.org
Cc: Ohad Ben-Cohen <ohad@wizery.com>
Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: Sibi Sankar <sibis@codeaurora.org>
Cc: linux-remoteproc@vger.kernel.org
Cc: kernel-team@android.com
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20220119232139.1125908-1-adelva@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/remoteproc/remoteproc_debugfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/remoteproc/remoteproc_debugfs.c
+++ b/drivers/remoteproc/remoteproc_debugfs.c
@@ -76,7 +76,7 @@ static ssize_t rproc_coredump_write(stru
int ret, err = 0;
char buf[20];
- if (count > sizeof(buf))
+ if (count < 1 || count > sizeof(buf))
return -EINVAL;
ret = copy_from_user(buf, user_buf, count);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 052/599] pinctrl: samsung: drop pin banks references on error paths
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 051/599] remoteproc: Fix count check in rproc_coredump_write() Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 053/599] spi: mxic: Fix the transmit path Greg Kroah-Hartman
` (559 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Sam Protsenko,
Chanho Park
From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
commit 50ebd19e3585b9792e994cfa8cbee8947fe06371 upstream.
The driver iterates over its devicetree children with
for_each_child_of_node() and stores for later found node pointer. This
has to be put in error paths to avoid leak during re-probing.
Fixes: ab663789d697 ("pinctrl: samsung: Match pin banks with their device nodes")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
Reviewed-by: Chanho Park <chanho61.park@samsung.com>
Link: https://lore.kernel.org/r/20220111201426.326777-2-krzysztof.kozlowski@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/samsung/pinctrl-samsung.c | 30 +++++++++++++++++++++++-------
1 file changed, 23 insertions(+), 7 deletions(-)
--- a/drivers/pinctrl/samsung/pinctrl-samsung.c
+++ b/drivers/pinctrl/samsung/pinctrl-samsung.c
@@ -1002,6 +1002,16 @@ samsung_pinctrl_get_soc_data_for_of_alia
return &(of_data->ctrl[id]);
}
+static void samsung_banks_of_node_put(struct samsung_pinctrl_drv_data *d)
+{
+ struct samsung_pin_bank *bank;
+ unsigned int i;
+
+ bank = d->pin_banks;
+ for (i = 0; i < d->nr_banks; ++i, ++bank)
+ of_node_put(bank->of_node);
+}
+
/* retrieve the soc specific data */
static const struct samsung_pin_ctrl *
samsung_pinctrl_get_soc_data(struct samsung_pinctrl_drv_data *d,
@@ -1116,19 +1126,19 @@ static int samsung_pinctrl_probe(struct
if (ctrl->retention_data) {
drvdata->retention_ctrl = ctrl->retention_data->init(drvdata,
ctrl->retention_data);
- if (IS_ERR(drvdata->retention_ctrl))
- return PTR_ERR(drvdata->retention_ctrl);
+ if (IS_ERR(drvdata->retention_ctrl)) {
+ ret = PTR_ERR(drvdata->retention_ctrl);
+ goto err_put_banks;
+ }
}
ret = samsung_pinctrl_register(pdev, drvdata);
if (ret)
- return ret;
+ goto err_put_banks;
ret = samsung_gpiolib_register(pdev, drvdata);
- if (ret) {
- samsung_pinctrl_unregister(pdev, drvdata);
- return ret;
- }
+ if (ret)
+ goto err_unregister;
if (ctrl->eint_gpio_init)
ctrl->eint_gpio_init(drvdata);
@@ -1138,6 +1148,12 @@ static int samsung_pinctrl_probe(struct
platform_set_drvdata(pdev, drvdata);
return 0;
+
+err_unregister:
+ samsung_pinctrl_unregister(pdev, drvdata);
+err_put_banks:
+ samsung_banks_of_node_put(drvdata);
+ return ret;
}
/*
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 053/599] spi: mxic: Fix the transmit path
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 052/599] pinctrl: samsung: drop pin banks references on error paths Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 054/599] mtd: rawnand: protect access to rawnand devices while in suspend Greg Kroah-Hartman
` (558 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Mason Yang, Miquel Raynal,
Zhengxun Li, Mark Brown
From: Miquel Raynal <miquel.raynal@bootlin.com>
commit 5fd6739e0df7e320bcac103dfb95fe75941fea17 upstream.
By working with external hardware ECC engines, we figured out that
Under certain circumstances, it is needed for the SPI controller to
check INT_TX_EMPTY and INT_RX_NOT_EMPTY in both receive and transmit
path (not only in the receive path). The delay penalty being
negligible, move this code in the common path.
Fixes: b942d80b0a39 ("spi: Add MXIC controller driver")
Cc: stable@vger.kernel.org
Suggested-by: Mason Yang <masonccyang@mxic.com.tw>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Zhengxun Li <zhengxunli@mxic.com.tw>
Reviewed-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/linux-mtd/20220127091808.1043392-10-miquel.raynal@bootlin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-mxic.c | 26 +++++++++++---------------
1 file changed, 11 insertions(+), 15 deletions(-)
--- a/drivers/spi/spi-mxic.c
+++ b/drivers/spi/spi-mxic.c
@@ -304,25 +304,21 @@ static int mxic_spi_data_xfer(struct mxi
writel(data, mxic->regs + TXD(nbytes % 4));
- if (rxbuf) {
- ret = readl_poll_timeout(mxic->regs + INT_STS, sts,
- sts & INT_TX_EMPTY, 0,
- USEC_PER_SEC);
- if (ret)
- return ret;
+ ret = readl_poll_timeout(mxic->regs + INT_STS, sts,
+ sts & INT_TX_EMPTY, 0, USEC_PER_SEC);
+ if (ret)
+ return ret;
- ret = readl_poll_timeout(mxic->regs + INT_STS, sts,
- sts & INT_RX_NOT_EMPTY, 0,
- USEC_PER_SEC);
- if (ret)
- return ret;
+ ret = readl_poll_timeout(mxic->regs + INT_STS, sts,
+ sts & INT_RX_NOT_EMPTY, 0,
+ USEC_PER_SEC);
+ if (ret)
+ return ret;
- data = readl(mxic->regs + RXD);
+ data = readl(mxic->regs + RXD);
+ if (rxbuf) {
data >>= (8 * (4 - nbytes));
memcpy(rxbuf + pos, &data, nbytes);
- WARN_ON(readl(mxic->regs + INT_STS) & INT_RX_NOT_EMPTY);
- } else {
- readl(mxic->regs + RXD);
}
WARN_ON(readl(mxic->regs + INT_STS) & INT_RX_NOT_EMPTY);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 054/599] mtd: rawnand: protect access to rawnand devices while in suspend
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 053/599] spi: mxic: Fix the transmit path Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 055/599] can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path Greg Kroah-Hartman
` (557 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sean Nyekjaer, Boris Brezillon,
Miquel Raynal
From: Sean Nyekjaer <sean@geanix.com>
commit 8cba323437a49a45756d661f500b324fc2d486fe upstream.
Prevent rawnand access while in a suspended state.
Commit 013e6292aaf5 ("mtd: rawnand: Simplify the locking") allows the
rawnand layer to return errors rather than waiting in a blocking wait.
Tested on a iMX6ULL.
Fixes: 013e6292aaf5 ("mtd: rawnand: Simplify the locking")
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20220208085213.1838273-1-sean@geanix.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/nand_base.c | 44 +++++++++++++++++----------------------
include/linux/mtd/rawnand.h | 2 +
2 files changed, 22 insertions(+), 24 deletions(-)
--- a/drivers/mtd/nand/raw/nand_base.c
+++ b/drivers/mtd/nand/raw/nand_base.c
@@ -297,16 +297,19 @@ static int nand_isbad_bbm(struct nand_ch
*
* Return: -EBUSY if the chip has been suspended, 0 otherwise
*/
-static int nand_get_device(struct nand_chip *chip)
+static void nand_get_device(struct nand_chip *chip)
{
- mutex_lock(&chip->lock);
- if (chip->suspended) {
+ /* Wait until the device is resumed. */
+ while (1) {
+ mutex_lock(&chip->lock);
+ if (!chip->suspended) {
+ mutex_lock(&chip->controller->lock);
+ return;
+ }
mutex_unlock(&chip->lock);
- return -EBUSY;
- }
- mutex_lock(&chip->controller->lock);
- return 0;
+ wait_event(chip->resume_wq, !chip->suspended);
+ }
}
/**
@@ -531,9 +534,7 @@ static int nand_block_markbad_lowlevel(s
nand_erase_nand(chip, &einfo, 0);
/* Write bad block marker to OOB */
- ret = nand_get_device(chip);
- if (ret)
- return ret;
+ nand_get_device(chip);
ret = nand_markbad_bbm(chip, ofs);
nand_release_device(chip);
@@ -3534,9 +3535,7 @@ static int nand_read_oob(struct mtd_info
ops->mode != MTD_OPS_RAW)
return -ENOTSUPP;
- ret = nand_get_device(chip);
- if (ret)
- return ret;
+ nand_get_device(chip);
if (!ops->datbuf)
ret = nand_do_read_oob(chip, from, ops);
@@ -4119,13 +4118,11 @@ static int nand_write_oob(struct mtd_inf
struct mtd_oob_ops *ops)
{
struct nand_chip *chip = mtd_to_nand(mtd);
- int ret;
+ int ret = 0;
ops->retlen = 0;
- ret = nand_get_device(chip);
- if (ret)
- return ret;
+ nand_get_device(chip);
switch (ops->mode) {
case MTD_OPS_PLACE_OOB:
@@ -4181,9 +4178,7 @@ int nand_erase_nand(struct nand_chip *ch
return -EINVAL;
/* Grab the lock and see if the device is available */
- ret = nand_get_device(chip);
- if (ret)
- return ret;
+ nand_get_device(chip);
/* Shift to get first page */
page = (int)(instr->addr >> chip->page_shift);
@@ -4270,7 +4265,7 @@ static void nand_sync(struct mtd_info *m
pr_debug("%s: called\n", __func__);
/* Grab the lock and see if the device is available */
- WARN_ON(nand_get_device(chip));
+ nand_get_device(chip);
/* Release it and go back */
nand_release_device(chip);
}
@@ -4287,9 +4282,7 @@ static int nand_block_isbad(struct mtd_i
int ret;
/* Select the NAND device */
- ret = nand_get_device(chip);
- if (ret)
- return ret;
+ nand_get_device(chip);
nand_select_target(chip, chipnr);
@@ -4360,6 +4353,8 @@ static void nand_resume(struct mtd_info
__func__);
}
mutex_unlock(&chip->lock);
+
+ wake_up_all(&chip->resume_wq);
}
/**
@@ -5068,6 +5063,7 @@ static int nand_scan_ident(struct nand_c
chip->cur_cs = -1;
mutex_init(&chip->lock);
+ init_waitqueue_head(&chip->resume_wq);
/* Enforce the right timings for reset/detection */
chip->current_interface_config = nand_get_reset_interface_config();
--- a/include/linux/mtd/rawnand.h
+++ b/include/linux/mtd/rawnand.h
@@ -1083,6 +1083,7 @@ struct nand_manufacturer {
* @lock: Lock protecting the suspended field. Also used to serialize accesses
* to the NAND device
* @suspended: Set to 1 when the device is suspended, 0 when it's not
+ * @resume_wq: wait queue to sleep if rawnand is in suspended state.
* @cur_cs: Currently selected target. -1 means no target selected, otherwise we
* should always have cur_cs >= 0 && cur_cs < nanddev_ntargets().
* NAND Controller drivers should not modify this value, but they're
@@ -1135,6 +1136,7 @@ struct nand_chip {
/* Internals */
struct mutex lock;
unsigned int suspended : 1;
+ wait_queue_head_t resume_wq;
int cur_cs;
int read_retries;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 055/599] can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 054/599] mtd: rawnand: protect access to rawnand devices while in suspend Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 056/599] jffs2: fix use-after-free in jffs2_clear_xattr_subsystem Greg Kroah-Hartman
` (556 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sebastian Haas, Hangyu Hua,
Marc Kleine-Budde
From: Hangyu Hua <hbh25y@gmail.com>
commit c70222752228a62135cee3409dccefd494a24646 upstream.
There is no need to call dev_kfree_skb() when usb_submit_urb() fails
beacause can_put_echo_skb() deletes the original skb and
can_free_echo_skb() deletes the cloned skb.
Link: https://lore.kernel.org/all/20220228083639.38183-1-hbh25y@gmail.com
Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
Cc: stable@vger.kernel.org
Cc: Sebastian Haas <haas@ems-wuensche.com>
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/ems_usb.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -823,7 +823,6 @@ static netdev_tx_t ems_usb_start_xmit(st
usb_unanchor_urb(urb);
usb_free_coherent(dev->udev, size, buf, urb->transfer_dma);
- dev_kfree_skb(skb);
atomic_dec(&dev->active_tx_urbs);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 056/599] jffs2: fix use-after-free in jffs2_clear_xattr_subsystem
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 055/599] can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 057/599] jffs2: fix memory leak in jffs2_do_mount_fs Greg Kroah-Hartman
` (555 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hulk Robot, Baokun Li, Richard Weinberger
From: Baokun Li <libaokun1@huawei.com>
commit 4c7c44ee1650677fbe89d86edbad9497b7679b5c upstream.
When we mount a jffs2 image, assume that the first few blocks of
the image are normal and contain at least one xattr-related inode,
but the next block is abnormal. As a result, an error is returned
in jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then
called in jffs2_build_filesystem() and then again in
jffs2_do_fill_super().
Finally we can observe the following report:
==================================================================
BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac
Read of size 8 at addr ffff8881243384e0 by task mount/719
Call Trace:
dump_stack+0x115/0x16b
jffs2_clear_xattr_subsystem+0x95/0x6ac
jffs2_do_fill_super+0x84f/0xc30
jffs2_fill_super+0x2ea/0x4c0
mtd_get_sb+0x254/0x400
mtd_get_sb_by_nr+0x4f/0xd0
get_tree_mtd+0x498/0x840
jffs2_get_tree+0x25/0x30
vfs_get_tree+0x8d/0x2e0
path_mount+0x50f/0x1e50
do_mount+0x107/0x130
__se_sys_mount+0x1c5/0x2f0
__x64_sys_mount+0xc7/0x160
do_syscall_64+0x45/0x70
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Allocated by task 719:
kasan_save_stack+0x23/0x60
__kasan_kmalloc.constprop.0+0x10b/0x120
kasan_slab_alloc+0x12/0x20
kmem_cache_alloc+0x1c0/0x870
jffs2_alloc_xattr_ref+0x2f/0xa0
jffs2_scan_medium.cold+0x3713/0x4794
jffs2_do_mount_fs.cold+0xa7/0x2253
jffs2_do_fill_super+0x383/0xc30
jffs2_fill_super+0x2ea/0x4c0
[...]
Freed by task 719:
kmem_cache_free+0xcc/0x7b0
jffs2_free_xattr_ref+0x78/0x98
jffs2_clear_xattr_subsystem+0xa1/0x6ac
jffs2_do_mount_fs.cold+0x5e6/0x2253
jffs2_do_fill_super+0x383/0xc30
jffs2_fill_super+0x2ea/0x4c0
[...]
The buggy address belongs to the object at ffff8881243384b8
which belongs to the cache jffs2_xattr_ref of size 48
The buggy address is located 40 bytes inside of
48-byte region [ffff8881243384b8, ffff8881243384e8)
[...]
==================================================================
The triggering of the BUG is shown in the following stack:
-----------------------------------------------------------
jffs2_fill_super
jffs2_do_fill_super
jffs2_do_mount_fs
jffs2_build_filesystem
jffs2_scan_medium
jffs2_scan_eraseblock <--- ERROR
jffs2_clear_xattr_subsystem <--- free
jffs2_clear_xattr_subsystem <--- free again
-----------------------------------------------------------
An error is returned in jffs2_do_mount_fs(). If the error is returned
by jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to
be executed. If the error is returned by jffs2_build_filesystem(), the
jffs2_clear_xattr_subsystem() also does not need to be executed again.
So move jffs2_clear_xattr_subsystem() from 'out_inohash' to 'out_root'
to fix this UAF problem.
Fixes: aa98d7cf59b5 ("[JFFS2][XATTR] XATTR support on JFFS2 (version. 5)")
Cc: stable@vger.kernel.org
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jffs2/fs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/jffs2/fs.c
+++ b/fs/jffs2/fs.c
@@ -602,8 +602,8 @@ out_root:
jffs2_free_ino_caches(c);
jffs2_free_raw_node_refs(c);
kvfree(c->blocks);
- out_inohash:
jffs2_clear_xattr_subsystem(c);
+ out_inohash:
kfree(c->inocache_list);
out_wbuf:
jffs2_flash_cleanup(c);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 057/599] jffs2: fix memory leak in jffs2_do_mount_fs
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 056/599] jffs2: fix use-after-free in jffs2_clear_xattr_subsystem Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 058/599] jffs2: fix memory leak in jffs2_scan_medium Greg Kroah-Hartman
` (554 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Baokun Li, Richard Weinberger
From: Baokun Li <libaokun1@huawei.com>
commit d051cef784de4d54835f6b6836d98a8f6935772c upstream.
If jffs2_build_filesystem() in jffs2_do_mount_fs() returns an error,
we can observe the following kmemleak report:
--------------------------------------------
unreferenced object 0xffff88811b25a640 (size 64):
comm "mount", pid 691, jiffies 4294957728 (age 71.952s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffffa493be24>] kmem_cache_alloc_trace+0x584/0x880
[<ffffffffa5423a06>] jffs2_sum_init+0x86/0x130
[<ffffffffa5400e58>] jffs2_do_mount_fs+0x798/0xac0
[<ffffffffa540acf3>] jffs2_do_fill_super+0x383/0xc30
[<ffffffffa540c00a>] jffs2_fill_super+0x2ea/0x4c0
[...]
unreferenced object 0xffff88812c760000 (size 65536):
comm "mount", pid 691, jiffies 4294957728 (age 71.952s)
hex dump (first 32 bytes):
bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
backtrace:
[<ffffffffa493a449>] __kmalloc+0x6b9/0x910
[<ffffffffa5423a57>] jffs2_sum_init+0xd7/0x130
[<ffffffffa5400e58>] jffs2_do_mount_fs+0x798/0xac0
[<ffffffffa540acf3>] jffs2_do_fill_super+0x383/0xc30
[<ffffffffa540c00a>] jffs2_fill_super+0x2ea/0x4c0
[...]
--------------------------------------------
This is because the resources allocated in jffs2_sum_init() are not
released. Call jffs2_sum_exit() to release these resources to solve
the problem.
Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
Cc: stable@vger.kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jffs2/build.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/jffs2/build.c
+++ b/fs/jffs2/build.c
@@ -415,13 +415,15 @@ int jffs2_do_mount_fs(struct jffs2_sb_in
jffs2_free_ino_caches(c);
jffs2_free_raw_node_refs(c);
ret = -EIO;
- goto out_free;
+ goto out_sum_exit;
}
jffs2_calc_trigger_levels(c);
return 0;
+ out_sum_exit:
+ jffs2_sum_exit(c);
out_free:
kvfree(c->blocks);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 058/599] jffs2: fix memory leak in jffs2_scan_medium
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 057/599] jffs2: fix memory leak in jffs2_do_mount_fs Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 059/599] mm/pages_alloc.c: dont create ZONE_MOVABLE beyond the end of a node Greg Kroah-Hartman
` (553 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Baokun Li, Richard Weinberger
From: Baokun Li <libaokun1@huawei.com>
commit 9cdd3128874f5fe759e2c4e1360ab7fb96a8d1df upstream.
If an error is returned in jffs2_scan_eraseblock() and some memory
has been added to the jffs2_summary *s, we can observe the following
kmemleak report:
--------------------------------------------
unreferenced object 0xffff88812b889c40 (size 64):
comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
hex dump (first 32 bytes):
40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00 @H........1...P.
00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08 ................
backtrace:
[<ffffffffae93a3a3>] __kmalloc+0x613/0x910
[<ffffffffaf423b9c>] jffs2_sum_add_dirent_mem+0x5c/0xa0
[<ffffffffb0f3afa8>] jffs2_scan_medium.cold+0x36e5/0x4794
[<ffffffffb0f3dbe1>] jffs2_do_mount_fs.cold+0xa7/0x2267
[<ffffffffaf40acf3>] jffs2_do_fill_super+0x383/0xc30
[<ffffffffaf40c00a>] jffs2_fill_super+0x2ea/0x4c0
[<ffffffffb0315d64>] mtd_get_sb+0x254/0x400
[<ffffffffb0315f5f>] mtd_get_sb_by_nr+0x4f/0xd0
[<ffffffffb0316478>] get_tree_mtd+0x498/0x840
[<ffffffffaf40bd15>] jffs2_get_tree+0x25/0x30
[<ffffffffae9f358d>] vfs_get_tree+0x8d/0x2e0
[<ffffffffaea7a98f>] path_mount+0x50f/0x1e50
[<ffffffffaea7c3d7>] do_mount+0x107/0x130
[<ffffffffaea7c5c5>] __se_sys_mount+0x1c5/0x2f0
[<ffffffffaea7c917>] __x64_sys_mount+0xc7/0x160
[<ffffffffb10142f5>] do_syscall_64+0x45/0x70
unreferenced object 0xffff888114b54840 (size 32):
comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
hex dump (first 32 bytes):
c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00 .u..............
00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5 ......D...kkkkk.
backtrace:
[<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880
[<ffffffffaf423b04>] jffs2_sum_add_inode_mem+0x54/0x90
[<ffffffffb0f3bd44>] jffs2_scan_medium.cold+0x4481/0x4794
[...]
unreferenced object 0xffff888114b57280 (size 32):
comm "mount", pid 692, jiffies 4294838393 (age 34.357s)
hex dump (first 32 bytes):
10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00 ..l.............
00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5 ..8...(...kkkkk.
backtrace:
[<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880
[<ffffffffaf423c34>] jffs2_sum_add_xattr_mem+0x54/0x90
[<ffffffffb0f3a24f>] jffs2_scan_medium.cold+0x298c/0x4794
[...]
unreferenced object 0xffff8881116cd510 (size 16):
comm "mount", pid 692, jiffies 4294838395 (age 34.355s)
hex dump (first 16 bytes):
00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5 ..........`...k.
backtrace:
[<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880
[<ffffffffaf423cc4>] jffs2_sum_add_xref_mem+0x54/0x90
[<ffffffffb0f3b2e3>] jffs2_scan_medium.cold+0x3a20/0x4794
[...]
--------------------------------------------
Therefore, we should call jffs2_sum_reset_collected(s) on exit to
release the memory added in s. In addition, a new tag "out_buf" is
added to prevent the NULL pointer reference caused by s being NULL.
(thanks to Zhang Yi for this analysis)
Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
Cc: stable@vger.kernel.org
Co-developed-with: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jffs2/scan.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/jffs2/scan.c
+++ b/fs/jffs2/scan.c
@@ -136,7 +136,7 @@ int jffs2_scan_medium(struct jffs2_sb_in
if (!s) {
JFFS2_WARNING("Can't allocate memory for summary\n");
ret = -ENOMEM;
- goto out;
+ goto out_buf;
}
}
@@ -275,13 +275,15 @@ int jffs2_scan_medium(struct jffs2_sb_in
}
ret = 0;
out:
+ jffs2_sum_reset_collected(s);
+ kfree(s);
+ out_buf:
if (buf_size)
kfree(flashbuf);
#ifndef __ECOS
else
mtd_unpoint(c->mtd, 0, c->mtd->size);
#endif
- kfree(s);
return ret;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 059/599] mm/pages_alloc.c: dont create ZONE_MOVABLE beyond the end of a node
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 058/599] jffs2: fix memory leak in jffs2_scan_medium Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 060/599] mm: invalidate hwpoison page cache page in fault path Greg Kroah-Hartman
` (552 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Alistair Popple, David Hildenbrand,
Mel Gorman, John Hubbard, Zi Yan, Anshuman Khandual,
Oscar Salvador, Andrew Morton, Linus Torvalds
From: Alistair Popple <apopple@nvidia.com>
commit ddbc84f3f595cf1fc8234a191193b5d20ad43938 upstream.
ZONE_MOVABLE uses the remaining memory in each node. Its starting pfn
is also aligned to MAX_ORDER_NR_PAGES. It is possible for the remaining
memory in a node to be less than MAX_ORDER_NR_PAGES, meaning there is
not enough room for ZONE_MOVABLE on that node.
Unfortunately this condition is not checked for. This leads to
zone_movable_pfn[] getting set to a pfn greater than the last pfn in a
node.
calculate_node_totalpages() then sets zone->present_pages to be greater
than zone->spanned_pages which is invalid, as spanned_pages represents
the maximum number of pages in a zone assuming no holes.
Subsequently it is possible free_area_init_core() will observe a zone of
size zero with present pages. In this case it will skip setting up the
zone, including the initialisation of free_lists[].
However populated_zone() checks zone->present_pages to see if a zone has
memory available. This is used by iterators such as
walk_zones_in_node(). pagetypeinfo_showfree() uses this to walk the
free_list of each zone in each node, which are assumed to be initialised
due to the zone not being empty.
As free_area_init_core() never initialised the free_lists[] this results
in the following kernel crash when trying to read /proc/pagetypeinfo:
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI
CPU: 0 PID: 456 Comm: cat Not tainted 5.16.0 #461
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:pagetypeinfo_show+0x163/0x460
Code: 9e 82 e8 80 57 0e 00 49 8b 06 b9 01 00 00 00 4c 39 f0 75 16 e9 65 02 00 00 48 83 c1 01 48 81 f9 a0 86 01 00 0f 84 48 02 00 00 <48> 8b 00 4c 39 f0 75 e7 48 c7 c2 80 a2 e2 82 48 c7 c6 79 ef e3 82
RSP: 0018:ffffc90001c4bd10 EFLAGS: 00010003
RAX: 0000000000000000 RBX: ffff88801105f638 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 000000000000068b RDI: ffff8880163dc68b
RBP: ffffc90001c4bd90 R08: 0000000000000001 R09: ffff8880163dc67e
R10: 656c6261766f6d6e R11: 6c6261766f6d6e55 R12: ffff88807ffb4a00
R13: ffff88807ffb49f8 R14: ffff88807ffb4580 R15: ffff88807ffb3000
FS: 00007f9c83eff5c0(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000013c8e000 CR4: 0000000000350ef0
Call Trace:
seq_read_iter+0x128/0x460
proc_reg_read_iter+0x51/0x80
new_sync_read+0x113/0x1a0
vfs_read+0x136/0x1d0
ksys_read+0x70/0xf0
__x64_sys_read+0x1a/0x20
do_syscall_64+0x3b/0xc0
entry_SYSCALL_64_after_hwframe+0x44/0xae
Fix this by checking that the aligned zone_movable_pfn[] does not exceed
the end of the node, and if it does skip creating a movable zone on this
node.
Link: https://lkml.kernel.org/r/20220215025831.2113067-1-apopple@nvidia.com
Fixes: 2a1e274acf0b ("Create the ZONE_MOVABLE zone")
Signed-off-by: Alistair Popple <apopple@nvidia.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Mel Gorman <mgorman@techsingularity.net>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/page_alloc.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -7402,10 +7402,17 @@ restart:
out2:
/* Align start of ZONE_MOVABLE on all nids to MAX_ORDER_NR_PAGES */
- for (nid = 0; nid < MAX_NUMNODES; nid++)
+ for (nid = 0; nid < MAX_NUMNODES; nid++) {
+ unsigned long start_pfn, end_pfn;
+
zone_movable_pfn[nid] =
roundup(zone_movable_pfn[nid], MAX_ORDER_NR_PAGES);
+ get_pfn_range_for_nid(nid, &start_pfn, &end_pfn);
+ if (zone_movable_pfn[nid] >= end_pfn)
+ zone_movable_pfn[nid] = 0;
+ }
+
out:
/* restore the node_state */
node_states[N_MEMORY] = saved_node_state;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 060/599] mm: invalidate hwpoison page cache page in fault path
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 059/599] mm/pages_alloc.c: dont create ZONE_MOVABLE beyond the end of a node Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 061/599] mempolicy: mbind_range() set_policy() after vma_merge() Greg Kroah-Hartman
` (551 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Rik van Riel, Miaohe Lin,
Naoya Horiguchi, Oscar Salvador, John Hubbard, Mel Gorman,
Johannes Weiner, Matthew Wilcox, Andrew Morton, Linus Torvalds
From: Rik van Riel <riel@surriel.com>
commit e53ac7374e64dede04d745ff0e70ff5048378d1f upstream.
Sometimes the page offlining code can leave behind a hwpoisoned clean
page cache page. This can lead to programs being killed over and over
and over again as they fault in the hwpoisoned page, get killed, and
then get re-spawned by whatever wanted to run them.
This is particularly embarrassing when the page was offlined due to
having too many corrected memory errors. Now we are killing tasks due
to them trying to access memory that probably isn't even corrupted.
This problem can be avoided by invalidating the page from the page fault
handler, which already has a branch for dealing with these kinds of
pages. With this patch we simply pretend the page fault was successful
if the page was invalidated, return to userspace, incur another page
fault, read in the file from disk (to a new memory page), and then
everything works again.
Link: https://lkml.kernel.org/r/20220212213740.423efcea@imladris.surriel.com
Signed-off-by: Rik van Riel <riel@surriel.com>
Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3676,11 +3676,16 @@ static vm_fault_t __do_fault(struct vm_f
return ret;
if (unlikely(PageHWPoison(vmf->page))) {
- if (ret & VM_FAULT_LOCKED)
+ vm_fault_t poisonret = VM_FAULT_HWPOISON;
+ if (ret & VM_FAULT_LOCKED) {
+ /* Retry if a clean page was removed from the cache. */
+ if (invalidate_inode_page(vmf->page))
+ poisonret = 0;
unlock_page(vmf->page);
+ }
put_page(vmf->page);
vmf->page = NULL;
- return VM_FAULT_HWPOISON;
+ return poisonret;
}
if (unlikely(!(ret & VM_FAULT_LOCKED)))
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 061/599] mempolicy: mbind_range() set_policy() after vma_merge()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 060/599] mm: invalidate hwpoison page cache page in fault path Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 062/599] scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands Greg Kroah-Hartman
` (550 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hugh Dickins, Oleg Nesterov,
Liam R. Howlett, Vlastimil Babka, Andrew Morton, Linus Torvalds
From: Hugh Dickins <hughd@google.com>
commit 4e0906008cdb56381638aa17d9c32734eae6d37a upstream.
v2.6.34 commit 9d8cebd4bcd7 ("mm: fix mbind vma merge problem") introduced
vma_merge() to mbind_range(); but unlike madvise, mlock and mprotect, it
put a "continue" to next vma where its precedents go to update flags on
current vma before advancing: that left vma with the wrong setting in the
infamous vma_merge() case 8.
v3.10 commit 1444f92c8498 ("mm: merging memory blocks resets mempolicy")
tried to fix that in vma_adjust(), without fully understanding the issue.
v3.11 commit 3964acd0dbec ("mm: mempolicy: fix mbind_range() &&
vma_adjust() interaction") reverted that, and went about the fix in the
right way, but chose to optimize out an unnecessary mpol_dup() with a
prior mpol_equal() test. But on tmpfs, that also pessimized out the vital
call to its ->set_policy(), leaving the new mbind unenforced.
The user visible effect was that the pages got allocated on the local
node (happened to be 0), after the mbind() caller had specifically
asked for them to be allocated on node 1. There was not any page
migration involved in the case reported: the pages simply got allocated
on the wrong node.
Just delete that optimization now (though it could be made conditional on
vma not having a set_policy). Also remove the "next" variable: it turned
out to be blameless, but also pointless.
Link: https://lkml.kernel.org/r/319e4db9-64ae-4bca-92f0-ade85d342ff@google.com
Fixes: 3964acd0dbec ("mm: mempolicy: fix mbind_range() && vma_adjust() interaction")
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/mempolicy.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -802,7 +802,6 @@ static int vma_replace_policy(struct vm_
static int mbind_range(struct mm_struct *mm, unsigned long start,
unsigned long end, struct mempolicy *new_pol)
{
- struct vm_area_struct *next;
struct vm_area_struct *prev;
struct vm_area_struct *vma;
int err = 0;
@@ -817,8 +816,7 @@ static int mbind_range(struct mm_struct
if (start > vma->vm_start)
prev = vma;
- for (; vma && vma->vm_start < end; prev = vma, vma = next) {
- next = vma->vm_next;
+ for (; vma && vma->vm_start < end; prev = vma, vma = vma->vm_next) {
vmstart = max(start, vma->vm_start);
vmend = min(end, vma->vm_end);
@@ -832,10 +830,6 @@ static int mbind_range(struct mm_struct
new_pol, vma->vm_userfaultfd_ctx);
if (prev) {
vma = prev;
- next = vma->vm_next;
- if (mpol_equal(vma_policy(vma), new_pol))
- continue;
- /* vma_merge() joined vma && vma->next, case 8 */
goto replace;
}
if (vma->vm_start != vmstart) {
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 062/599] scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 061/599] mempolicy: mbind_range() set_policy() after vma_merge() Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 063/599] qed: display VF trust config Greg Kroah-Hartman
` (549 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, John Garry, Jack Wang,
Damien Le Moal, Martin K. Petersen
From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
commit 8454563e4c2aafbfb81a383ab423ea8b9b430a25 upstream.
To detect for the DMA_NONE (no data transfer) DMA direction,
sas_ata_qc_issue() tests if the command protocol is ATA_PROT_NODATA. This
test does not include the ATA_CMD_NCQ_NON_DATA command as this command
protocol is defined as ATA_PROT_NCQ_NODATA (equal to ATA_PROT_FLAG_NCQ) and
not as ATA_PROT_NODATA.
To include both NCQ and non-NCQ commands when testing for the DMA_NONE DMA
direction, use "!ata_is_data()".
Link: https://lore.kernel.org/r/20220220031810.738362-2-damien.lemoal@opensource.wdc.com
Fixes: 176ddd89171d ("scsi: libsas: Reset num_scatter if libata marks qc as NODATA")
Cc: stable@vger.kernel.org
Reviewed-by: John Garry <john.garry@huawei.com>
Reviewed-by: Jack Wang <jinpu.wang@ionos.com>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/libsas/sas_ata.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/scsi/libsas/sas_ata.c
+++ b/drivers/scsi/libsas/sas_ata.c
@@ -202,7 +202,7 @@ static unsigned int sas_ata_qc_issue(str
task->total_xfer_len = qc->nbytes;
task->num_scatter = qc->n_elem;
task->data_dir = qc->dma_dir;
- } else if (qc->tf.protocol == ATA_PROT_NODATA) {
+ } else if (!ata_is_data(qc->tf.protocol)) {
task->data_dir = DMA_NONE;
} else {
for_each_sg(qc->sg, sg, qc->n_elem, si)
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 063/599] qed: display VF trust config
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 062/599] scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 064/599] qed: validate and restrict untrusted VFs vlan promisc mode Greg Kroah-Hartman
` (548 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Manish Chopra, Ariel Elior, David S. Miller
From: Manish Chopra <manishc@marvell.com>
commit 4e6e6bec7440b9b76f312f28b1f4e944eebb3abc upstream.
Driver does support SR-IOV VFs trust configuration but
it does not display it when queried via ip link utility.
Cc: stable@vger.kernel.org
Fixes: f990c82c385b ("qed*: Add support for ndo_set_vf_trust")
Signed-off-by: Manish Chopra <manishc@marvell.com>
Signed-off-by: Ariel Elior <aelior@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/qlogic/qed/qed_sriov.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
@@ -4691,6 +4691,7 @@ static int qed_get_vf_config(struct qed_
tx_rate = vf_info->tx_rate;
ivi->max_tx_rate = tx_rate ? tx_rate : link.speed;
ivi->min_tx_rate = qed_iov_get_vf_min_rate(hwfn, vf_id);
+ ivi->trusted = vf_info->is_trusted_request;
return 0;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 064/599] qed: validate and restrict untrusted VFs vlan promisc mode
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 063/599] qed: display VF trust config Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:25 ` [PATCH 5.10 065/599] riscv: Fix fill_callchain return value Greg Kroah-Hartman
` (547 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Manish Chopra, Ariel Elior, David S. Miller
From: Manish Chopra <manishc@marvell.com>
commit cbcc44db2cf7b836896733acc0e5ea966136ed22 upstream.
Today when VFs are put in promiscuous mode, they can request PF
to configure device for them to receive all VLANs traffic regardless
of what vlan is configured by the PF (via ip link) and PF allows this
config request regardless of whether VF is trusted or not.
>From security POV, when VLAN is configured for VF through PF (via ip link),
honour such config requests from VF only when they are configured to be
trusted, otherwise restrict such VFs vlan promisc mode config.
Cc: stable@vger.kernel.org
Fixes: f990c82c385b ("qed*: Add support for ndo_set_vf_trust")
Signed-off-by: Manish Chopra <manishc@marvell.com>
Signed-off-by: Ariel Elior <aelior@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/qlogic/qed/qed_sriov.c | 28 ++++++++++++++++++++++++++--
drivers/net/ethernet/qlogic/qed/qed_sriov.h | 1 +
2 files changed, 27 insertions(+), 2 deletions(-)
--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
@@ -2982,12 +2982,16 @@ static int qed_iov_pre_update_vport(stru
u8 mask = QED_ACCEPT_UCAST_UNMATCHED | QED_ACCEPT_MCAST_UNMATCHED;
struct qed_filter_accept_flags *flags = ¶ms->accept_flags;
struct qed_public_vf_info *vf_info;
+ u16 tlv_mask;
+
+ tlv_mask = BIT(QED_IOV_VP_UPDATE_ACCEPT_PARAM) |
+ BIT(QED_IOV_VP_UPDATE_ACCEPT_ANY_VLAN);
/* Untrusted VFs can't even be trusted to know that fact.
* Simply indicate everything is configured fine, and trace
* configuration 'behind their back'.
*/
- if (!(*tlvs & BIT(QED_IOV_VP_UPDATE_ACCEPT_PARAM)))
+ if (!(*tlvs & tlv_mask))
return 0;
vf_info = qed_iov_get_public_vf_info(hwfn, vfid, true);
@@ -3004,6 +3008,13 @@ static int qed_iov_pre_update_vport(stru
flags->tx_accept_filter &= ~mask;
}
+ if (params->update_accept_any_vlan_flg) {
+ vf_info->accept_any_vlan = params->accept_any_vlan;
+
+ if (vf_info->forced_vlan && !vf_info->is_trusted_configured)
+ params->accept_any_vlan = false;
+ }
+
return 0;
}
@@ -5121,6 +5132,12 @@ static void qed_iov_handle_trust_change(
params.update_ctl_frame_check = 1;
params.mac_chk_en = !vf_info->is_trusted_configured;
+ params.update_accept_any_vlan_flg = 0;
+
+ if (vf_info->accept_any_vlan && vf_info->forced_vlan) {
+ params.update_accept_any_vlan_flg = 1;
+ params.accept_any_vlan = vf_info->accept_any_vlan;
+ }
if (vf_info->rx_accept_mode & mask) {
flags->update_rx_mode_config = 1;
@@ -5136,13 +5153,20 @@ static void qed_iov_handle_trust_change(
if (!vf_info->is_trusted_configured) {
flags->rx_accept_filter &= ~mask;
flags->tx_accept_filter &= ~mask;
+ params.accept_any_vlan = false;
}
if (flags->update_rx_mode_config ||
flags->update_tx_mode_config ||
- params.update_ctl_frame_check)
+ params.update_ctl_frame_check ||
+ params.update_accept_any_vlan_flg) {
+ DP_VERBOSE(hwfn, QED_MSG_IOV,
+ "vport update config for %s VF[abs 0x%x rel 0x%x]\n",
+ vf_info->is_trusted_configured ? "trusted" : "untrusted",
+ vf->abs_vf_id, vf->relative_vf_id);
qed_sp_vport_update(hwfn, ¶ms,
QED_SPQ_MODE_EBLOCK, NULL);
+ }
}
}
--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.h
+++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.h
@@ -62,6 +62,7 @@ struct qed_public_vf_info {
bool is_trusted_request;
u8 rx_accept_mode;
u8 tx_accept_mode;
+ bool accept_any_vlan;
};
struct qed_iov_vf_init_params {
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 065/599] riscv: Fix fill_callchain return value
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 064/599] qed: validate and restrict untrusted VFs vlan promisc mode Greg Kroah-Hartman
@ 2022-04-05 7:25 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 066/599] riscv: Increase stack size under KASAN Greg Kroah-Hartman
` (546 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:25 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nikita Shubin, Palmer Dabbelt
From: Nikita Shubin <n.shubin@yadro.com>
commit 2b2b574ac587ec5bd7716a356492a85ab8b0ce9f upstream.
perf_callchain_store return 0 on success, -1 otherwise,
fix fill_callchain to return correct bool value.
Fixes: dbeb90b0c1eb ("riscv: Add perf callchain support")
Signed-off-by: Nikita Shubin <n.shubin@yadro.com>
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/kernel/perf_callchain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/riscv/kernel/perf_callchain.c
+++ b/arch/riscv/kernel/perf_callchain.c
@@ -77,7 +77,7 @@ void perf_callchain_user(struct perf_cal
bool fill_callchain(unsigned long pc, void *entry)
{
- return perf_callchain_store(entry, pc);
+ return perf_callchain_store(entry, pc) == 0;
}
void notrace walk_stackframe(struct task_struct *task,
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 066/599] riscv: Increase stack size under KASAN
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2022-04-05 7:25 ` [PATCH 5.10 065/599] riscv: Fix fill_callchain return value Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 067/599] Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads" Greg Kroah-Hartman
` (545 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dmitry Vyukov,
syzbot+0600986d88e2d4d7ebb8, Palmer Dabbelt
From: Dmitry Vyukov <dvyukov@google.com>
commit b81d591386c3a50b96dddcf663628ea0df0bf2b3 upstream.
KASAN requires more stack space because of compiler instrumentation.
Increase stack size as other arches do.
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: syzbot+0600986d88e2d4d7ebb8@syzkaller.appspotmail.com
Fixes: 8ad8b72721d0 ("riscv: Add KASAN support")
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/include/asm/thread_info.h | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/arch/riscv/include/asm/thread_info.h
+++ b/arch/riscv/include/asm/thread_info.h
@@ -11,11 +11,17 @@
#include <asm/page.h>
#include <linux/const.h>
+#ifdef CONFIG_KASAN
+#define KASAN_STACK_ORDER 1
+#else
+#define KASAN_STACK_ORDER 0
+#endif
+
/* thread information allocation */
#ifdef CONFIG_64BIT
-#define THREAD_SIZE_ORDER (2)
+#define THREAD_SIZE_ORDER (2 + KASAN_STACK_ORDER)
#else
-#define THREAD_SIZE_ORDER (1)
+#define THREAD_SIZE_ORDER (1 + KASAN_STACK_ORDER)
#endif
#define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER)
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 067/599] Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads"
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 066/599] riscv: Increase stack size under KASAN Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 068/599] cifs: prevent bad output lengths in smb2_ioctl_query_info() Greg Kroah-Hartman
` (544 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, José Expósito,
Hans de Goede, Peter Hutterer, Benjamin Tissoires,
Dmitry Torokhov
From: José Expósito <jose.exposito89@gmail.com>
commit 8b188fba75195745026e11d408e4a7e94e01d701 upstream.
This reverts commit 37ef4c19b4c659926ce65a7ac709ceaefb211c40.
The touchpad present in the Dell Precision 7550 and 7750 laptops
reports a HID_DG_BUTTONTYPE of type MT_BUTTONTYPE_CLICKPAD. However,
the device is not a clickpad, it is a touchpad with physical buttons.
In order to fix this issue, a quirk for the device was introduced in
libinput [1] [2] to disable the INPUT_PROP_BUTTONPAD property:
[Precision 7x50 Touchpad]
MatchBus=i2c
MatchUdevType=touchpad
MatchDMIModalias=dmi:*svnDellInc.:pnPrecision7?50*
AttrInputPropDisable=INPUT_PROP_BUTTONPAD
However, because of the change introduced in 37ef4c19b4 ("Input: clear
BTN_RIGHT/MIDDLE on buttonpads") the BTN_RIGHT key bit is not mapped
anymore breaking the device right click button and making impossible to
workaround it in user space.
In order to avoid breakage on other present or future devices, revert
the patch causing the issue.
Signed-off-by: José Expósito <jose.exposito89@gmail.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220321184404.20025-1-jose.exposito89@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/input.c | 6 ------
1 file changed, 6 deletions(-)
--- a/drivers/input/input.c
+++ b/drivers/input/input.c
@@ -2179,12 +2179,6 @@ int input_register_device(struct input_d
/* KEY_RESERVED is not supposed to be transmitted to userspace. */
__clear_bit(KEY_RESERVED, dev->keybit);
- /* Buttonpads should not map BTN_RIGHT and/or BTN_MIDDLE. */
- if (test_bit(INPUT_PROP_BUTTONPAD, dev->propbit)) {
- __clear_bit(BTN_RIGHT, dev->keybit);
- __clear_bit(BTN_MIDDLE, dev->keybit);
- }
-
/* Make sure that bitmasks not mentioned in dev->evbit are clean. */
input_cleanse_bitmasks(dev);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 068/599] cifs: prevent bad output lengths in smb2_ioctl_query_info()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 067/599] Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads" Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 069/599] cifs: fix NULL ptr dereference " Greg Kroah-Hartman
` (543 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Paulo Alcantara (SUSE), Steve French
From: Paulo Alcantara <pc@cjr.nz>
commit b92e358757b91c2827af112cae9af513f26a3f34 upstream.
When calling smb2_ioctl_query_info() with
smb_query_info::flags=PASSTHRU_FSCTL and
smb_query_info::output_buffer_length=0, the following would return
0x10
buffer = memdup_user(arg + sizeof(struct smb_query_info),
qi.output_buffer_length);
if (IS_ERR(buffer)) {
kfree(vars);
return PTR_ERR(buffer);
}
rather than a valid pointer thus making IS_ERR() check fail. This
would then cause a NULL ptr deference in @buffer when accessing it
later in smb2_ioctl_query_ioctl(). While at it, prevent having a
@buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO
FileEndOfFileInformation requests when
smb_query_info::flags=PASSTHRU_SET_INFO.
Here is a small C reproducer which triggers a NULL ptr in @buffer when
passing an invalid smb_query_info::flags
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#define die(s) perror(s), exit(1)
#define QUERY_INFO 0xc018cf07
int main(int argc, char *argv[])
{
int fd;
if (argc < 2)
exit(1);
fd = open(argv[1], O_RDONLY);
if (fd == -1)
die("open");
if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
die("ioctl");
close(fd);
return 0;
}
mount.cifs //srv/share /mnt -o ...
gcc repro.c && ./a.out /mnt/f0
[ 114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1
[ 114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
[ 114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
[ 114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
[ 114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
[ 114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
[ 114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
[ 114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
[ 114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
[ 114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000
[ 114.144852] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000
[ 114.145338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0
[ 114.146131] Call Trace:
[ 114.146291] <TASK>
[ 114.146432] ? smb2_query_reparse_tag+0x890/0x890 [cifs]
[ 114.146800] ? cifs_mapchar+0x460/0x460 [cifs]
[ 114.147121] ? rcu_read_lock_sched_held+0x3f/0x70
[ 114.147412] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
[ 114.147775] ? dentry_path_raw+0xa6/0xf0
[ 114.148024] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
[ 114.148413] ? smb2_check_message+0x1080/0x1080 [cifs]
[ 114.148766] ? rcu_read_lock_sched_held+0x3f/0x70
[ 114.149065] cifs_ioctl+0x1577/0x3320 [cifs]
[ 114.149371] ? lock_downgrade+0x6f0/0x6f0
[ 114.149631] ? cifs_readdir+0x2e60/0x2e60 [cifs]
[ 114.149956] ? rcu_read_lock_sched_held+0x3f/0x70
[ 114.150250] ? __rseq_handle_notify_resume+0x80b/0xbe0
[ 114.150562] ? __up_read+0x192/0x710
[ 114.150791] ? __ia32_sys_rseq+0xf0/0xf0
[ 114.151025] ? __x64_sys_openat+0x11f/0x1d0
[ 114.151296] __x64_sys_ioctl+0x127/0x190
[ 114.151549] do_syscall_64+0x3b/0x90
[ 114.151768] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 114.152079] RIP: 0033:0x7f7aead043df
[ 114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
[ 114.153431] RSP: 002b:00007ffc2e0c1f80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 114.153890] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7aead043df
[ 114.154315] RDX: 00007ffc2e0c1ff0 RSI: 00000000c018cf07 RDI: 0000000000000003
[ 114.154747] RBP: 00007ffc2e0c2010 R08: 00007f7aeae03db0 R09: 00007f7aeae24c4e
[ 114.155192] R10: 00007f7aeabf7d40 R11: 0000000000000246 R12: 00007ffc2e0c2128
[ 114.155642] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007f7aeae57000
[ 114.156071] </TASK>
[ 114.156218] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload
[ 114.156608] ---[ end trace 0000000000000000 ]---
[ 114.156898] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
[ 114.157792] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
[ 114.159293] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
[ 114.159641] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
[ 114.160093] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
[ 114.160699] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
[ 114.161196] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
[ 114.155642] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007f7aeae57000
[ 114.156071] </TASK>
[ 114.156218] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload
[ 114.156608] ---[ end trace 0000000000000000 ]---
[ 114.156898] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
[ 114.157792] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
[ 114.159293] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
[ 114.159641] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
[ 114.160093] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
[ 114.160699] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
[ 114.161196] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
[ 114.161823] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000
[ 114.162274] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000
[ 114.162853] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 114.163218] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0
[ 114.163691] Kernel panic - not syncing: Fatal exception
[ 114.164087] Kernel Offset: disabled
[ 114.164316] ---[ end Kernel panic - not syncing: Fatal exception ]---
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/smb2ops.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1551,11 +1551,12 @@ smb2_ioctl_query_info(const unsigned int
if (smb3_encryption_required(tcon))
flags |= CIFS_TRANSFORM_REQ;
- buffer = memdup_user(arg + sizeof(struct smb_query_info),
- qi.output_buffer_length);
- if (IS_ERR(buffer)) {
- kfree(vars);
- return PTR_ERR(buffer);
+ if (qi.output_buffer_length) {
+ buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length);
+ if (IS_ERR(buffer)) {
+ kfree(vars);
+ return PTR_ERR(buffer);
+ }
}
/* Open */
@@ -1618,10 +1619,13 @@ smb2_ioctl_query_info(const unsigned int
/* Can eventually relax perm check since server enforces too */
if (!capable(CAP_SYS_ADMIN))
rc = -EPERM;
- else {
+ else if (qi.output_buffer_length < 8)
+ rc = -EINVAL;
+ else {
rqst[1].rq_iov = &vars->si_iov[0];
rqst[1].rq_nvec = 1;
+ /* MS-FSCC 2.4.13 FileEndOfFileInformation */
size[0] = 8;
data[0] = buffer;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 069/599] cifs: fix NULL ptr dereference in smb2_ioctl_query_info()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 068/599] cifs: prevent bad output lengths in smb2_ioctl_query_info() Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 070/599] ALSA: cs4236: fix an incorrect NULL check on list iterator Greg Kroah-Hartman
` (542 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Paulo Alcantara (SUSE), Steve French
From: Paulo Alcantara <pc@cjr.nz>
commit d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 upstream.
When calling smb2_ioctl_query_info() with invalid
smb_query_info::flags, a NULL ptr dereference is triggered when trying
to kfree() uninitialised rqst[n].rq_iov array.
This also fixes leaked paths that are created in SMB2_open_init()
which required SMB2_open_free() to properly free them.
Here is a small C reproducer that triggers it
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#define die(s) perror(s), exit(1)
#define QUERY_INFO 0xc018cf07
int main(int argc, char *argv[])
{
int fd;
if (argc < 2)
exit(1);
fd = open(argv[1], O_RDONLY);
if (fd == -1)
die("open");
if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
die("ioctl");
close(fd);
return 0;
}
mount.cifs //srv/share /mnt -o ...
gcc repro.c && ./a.out /mnt/f0
[ 1832.124468] CIFS: VFS: \\w22-dc.zelda.test\test Invalid passthru query flags: 0x4
[ 1832.125043] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 1832.125764] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 1832.126241] CPU: 3 PID: 1133 Comm: a.out Not tainted 5.17.0-rc8 #2
[ 1832.126630] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
[ 1832.127322] RIP: 0010:smb2_ioctl_query_info+0x7a3/0xe30 [cifs]
[ 1832.127749] Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 6c 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 74 24 28 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 cb 04 00 00 49 8b 3e e8 bb fc fa ff 48 89 da 48
[ 1832.128911] RSP: 0018:ffffc90000957b08 EFLAGS: 00010256
[ 1832.129243] RAX: dffffc0000000000 RBX: ffff888117e9b850 RCX: ffffffffa020580d
[ 1832.129691] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a2c0
[ 1832.130137] RBP: ffff888117e9b878 R08: 0000000000000001 R09: 0000000000000003
[ 1832.130585] R10: fffffbfff4087458 R11: 0000000000000001 R12: ffff888117e9b800
[ 1832.131037] R13: 00000000ffffffea R14: 0000000000000000 R15: ffff888117e9b8a8
[ 1832.131485] FS: 00007fcee9900740(0000) GS:ffff888151a00000(0000) knlGS:0000000000000000
[ 1832.131993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1832.132354] CR2: 00007fcee9a1ef5e CR3: 0000000114cd2000 CR4: 0000000000350ee0
[ 1832.132801] Call Trace:
[ 1832.132962] <TASK>
[ 1832.133104] ? smb2_query_reparse_tag+0x890/0x890 [cifs]
[ 1832.133489] ? cifs_mapchar+0x460/0x460 [cifs]
[ 1832.133822] ? rcu_read_lock_sched_held+0x3f/0x70
[ 1832.134125] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
[ 1832.134502] ? lock_downgrade+0x6f0/0x6f0
[ 1832.134760] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
[ 1832.135170] ? smb2_check_message+0x1080/0x1080 [cifs]
[ 1832.135545] cifs_ioctl+0x1577/0x3320 [cifs]
[ 1832.135864] ? lock_downgrade+0x6f0/0x6f0
[ 1832.136125] ? cifs_readdir+0x2e60/0x2e60 [cifs]
[ 1832.136468] ? rcu_read_lock_sched_held+0x3f/0x70
[ 1832.136769] ? __rseq_handle_notify_resume+0x80b/0xbe0
[ 1832.137096] ? __up_read+0x192/0x710
[ 1832.137327] ? __ia32_sys_rseq+0xf0/0xf0
[ 1832.137578] ? __x64_sys_openat+0x11f/0x1d0
[ 1832.137850] __x64_sys_ioctl+0x127/0x190
[ 1832.138103] do_syscall_64+0x3b/0x90
[ 1832.138378] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1832.138702] RIP: 0033:0x7fcee9a253df
[ 1832.138937] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
[ 1832.140107] RSP: 002b:00007ffeba94a8a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1832.140606] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcee9a253df
[ 1832.141058] RDX: 00007ffeba94a910 RSI: 00000000c018cf07 RDI: 0000000000000003
[ 1832.141503] RBP: 00007ffeba94a930 R08: 00007fcee9b24db0 R09: 00007fcee9b45c4e
[ 1832.141948] R10: 00007fcee9918d40 R11: 0000000000000246 R12: 00007ffeba94aa48
[ 1832.142396] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007fcee9b78000
[ 1832.142851] </TASK>
[ 1832.142994] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload [last unloaded: cifs]
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/smb2ops.c | 124 ++++++++++++++++++++++++++++--------------------------
1 file changed, 65 insertions(+), 59 deletions(-)
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1526,6 +1526,7 @@ smb2_ioctl_query_info(const unsigned int
unsigned int size[2];
void *data[2];
int create_options = is_dir ? CREATE_NOT_FILE : CREATE_NOT_DIR;
+ void (*free_req1_func)(struct smb_rqst *r);
vars = kzalloc(sizeof(*vars), GFP_ATOMIC);
if (vars == NULL)
@@ -1535,17 +1536,18 @@ smb2_ioctl_query_info(const unsigned int
resp_buftype[0] = resp_buftype[1] = resp_buftype[2] = CIFS_NO_BUFFER;
- if (copy_from_user(&qi, arg, sizeof(struct smb_query_info)))
- goto e_fault;
-
+ if (copy_from_user(&qi, arg, sizeof(struct smb_query_info))) {
+ rc = -EFAULT;
+ goto free_vars;
+ }
if (qi.output_buffer_length > 1024) {
- kfree(vars);
- return -EINVAL;
+ rc = -EINVAL;
+ goto free_vars;
}
if (!ses || !server) {
- kfree(vars);
- return -EIO;
+ rc = -EIO;
+ goto free_vars;
}
if (smb3_encryption_required(tcon))
@@ -1554,8 +1556,8 @@ smb2_ioctl_query_info(const unsigned int
if (qi.output_buffer_length) {
buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length);
if (IS_ERR(buffer)) {
- kfree(vars);
- return PTR_ERR(buffer);
+ rc = PTR_ERR(buffer);
+ goto free_vars;
}
}
@@ -1594,48 +1596,45 @@ smb2_ioctl_query_info(const unsigned int
rc = SMB2_open_init(tcon, server,
&rqst[0], &oplock, &oparms, path);
if (rc)
- goto iqinf_exit;
+ goto free_output_buffer;
smb2_set_next_command(tcon, &rqst[0]);
/* Query */
if (qi.flags & PASSTHRU_FSCTL) {
/* Can eventually relax perm check since server enforces too */
- if (!capable(CAP_SYS_ADMIN))
+ if (!capable(CAP_SYS_ADMIN)) {
rc = -EPERM;
- else {
- rqst[1].rq_iov = &vars->io_iov[0];
- rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE;
-
- rc = SMB2_ioctl_init(tcon, server,
- &rqst[1],
- COMPOUND_FID, COMPOUND_FID,
- qi.info_type, true, buffer,
- qi.output_buffer_length,
- CIFSMaxBufSize -
- MAX_SMB2_CREATE_RESPONSE_SIZE -
- MAX_SMB2_CLOSE_RESPONSE_SIZE);
+ goto free_open_req;
}
+ rqst[1].rq_iov = &vars->io_iov[0];
+ rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE;
+
+ rc = SMB2_ioctl_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID,
+ qi.info_type, true, buffer, qi.output_buffer_length,
+ CIFSMaxBufSize - MAX_SMB2_CREATE_RESPONSE_SIZE -
+ MAX_SMB2_CLOSE_RESPONSE_SIZE);
+ free_req1_func = SMB2_ioctl_free;
} else if (qi.flags == PASSTHRU_SET_INFO) {
/* Can eventually relax perm check since server enforces too */
- if (!capable(CAP_SYS_ADMIN))
+ if (!capable(CAP_SYS_ADMIN)) {
rc = -EPERM;
- else if (qi.output_buffer_length < 8)
+ goto free_open_req;
+ }
+ if (qi.output_buffer_length < 8) {
rc = -EINVAL;
- else {
- rqst[1].rq_iov = &vars->si_iov[0];
- rqst[1].rq_nvec = 1;
-
- /* MS-FSCC 2.4.13 FileEndOfFileInformation */
- size[0] = 8;
- data[0] = buffer;
-
- rc = SMB2_set_info_init(tcon, server,
- &rqst[1],
- COMPOUND_FID, COMPOUND_FID,
- current->tgid,
- FILE_END_OF_FILE_INFORMATION,
- SMB2_O_INFO_FILE, 0, data, size);
+ goto free_open_req;
}
+ rqst[1].rq_iov = &vars->si_iov[0];
+ rqst[1].rq_nvec = 1;
+
+ /* MS-FSCC 2.4.13 FileEndOfFileInformation */
+ size[0] = 8;
+ data[0] = buffer;
+
+ rc = SMB2_set_info_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID,
+ current->tgid, FILE_END_OF_FILE_INFORMATION,
+ SMB2_O_INFO_FILE, 0, data, size);
+ free_req1_func = SMB2_set_info_free;
} else if (qi.flags == PASSTHRU_QUERY_INFO) {
rqst[1].rq_iov = &vars->qi_iov[0];
rqst[1].rq_nvec = 1;
@@ -1646,6 +1645,7 @@ smb2_ioctl_query_info(const unsigned int
qi.info_type, qi.additional_information,
qi.input_buffer_length,
qi.output_buffer_length, buffer);
+ free_req1_func = SMB2_query_info_free;
} else { /* unknown flags */
cifs_tcon_dbg(VFS, "Invalid passthru query flags: 0x%x\n",
qi.flags);
@@ -1653,7 +1653,7 @@ smb2_ioctl_query_info(const unsigned int
}
if (rc)
- goto iqinf_exit;
+ goto free_open_req;
smb2_set_next_command(tcon, &rqst[1]);
smb2_set_related(&rqst[1]);
@@ -1664,14 +1664,14 @@ smb2_ioctl_query_info(const unsigned int
rc = SMB2_close_init(tcon, server,
&rqst[2], COMPOUND_FID, COMPOUND_FID, false);
if (rc)
- goto iqinf_exit;
+ goto free_req_1;
smb2_set_related(&rqst[2]);
rc = compound_send_recv(xid, ses, server,
flags, 3, rqst,
resp_buftype, rsp_iov);
if (rc)
- goto iqinf_exit;
+ goto out;
/* No need to bump num_remote_opens since handle immediately closed */
if (qi.flags & PASSTHRU_FSCTL) {
@@ -1681,18 +1681,22 @@ smb2_ioctl_query_info(const unsigned int
qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount);
if (qi.input_buffer_length > 0 &&
le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length
- > rsp_iov[1].iov_len)
- goto e_fault;
+ > rsp_iov[1].iov_len) {
+ rc = -EFAULT;
+ goto out;
+ }
if (copy_to_user(&pqi->input_buffer_length,
&qi.input_buffer_length,
- sizeof(qi.input_buffer_length)))
- goto e_fault;
+ sizeof(qi.input_buffer_length))) {
+ rc = -EFAULT;
+ goto out;
+ }
if (copy_to_user((void __user *)pqi + sizeof(struct smb_query_info),
(const void *)io_rsp + le32_to_cpu(io_rsp->OutputOffset),
qi.input_buffer_length))
- goto e_fault;
+ rc = -EFAULT;
} else {
pqi = (struct smb_query_info __user *)arg;
qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base;
@@ -1700,28 +1704,30 @@ smb2_ioctl_query_info(const unsigned int
qi.input_buffer_length = le32_to_cpu(qi_rsp->OutputBufferLength);
if (copy_to_user(&pqi->input_buffer_length,
&qi.input_buffer_length,
- sizeof(qi.input_buffer_length)))
- goto e_fault;
+ sizeof(qi.input_buffer_length))) {
+ rc = -EFAULT;
+ goto out;
+ }
if (copy_to_user(pqi + 1, qi_rsp->Buffer,
qi.input_buffer_length))
- goto e_fault;
+ rc = -EFAULT;
}
- iqinf_exit:
- cifs_small_buf_release(rqst[0].rq_iov[0].iov_base);
- cifs_small_buf_release(rqst[1].rq_iov[0].iov_base);
- cifs_small_buf_release(rqst[2].rq_iov[0].iov_base);
+out:
free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base);
free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base);
free_rsp_buf(resp_buftype[2], rsp_iov[2].iov_base);
- kfree(vars);
+ SMB2_close_free(&rqst[2]);
+free_req_1:
+ free_req1_func(&rqst[1]);
+free_open_req:
+ SMB2_open_free(&rqst[0]);
+free_output_buffer:
kfree(buffer);
+free_vars:
+ kfree(vars);
return rc;
-
-e_fault:
- rc = -EFAULT;
- goto iqinf_exit;
}
static ssize_t
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 070/599] ALSA: cs4236: fix an incorrect NULL check on list iterator
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 069/599] cifs: fix NULL ptr dereference " Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 071/599] ALSA: hda: Avoid unsol event during RPM suspending Greg Kroah-Hartman
` (541 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xiaomeng Tong, Takashi Iwai
From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
commit 0112f822f8a6d8039c94e0bc9b264d7ffc5d4704 upstream.
The bug is here:
err = snd_card_cs423x_pnp(dev, card->private_data, pdev, cdev);
The list iterator value 'cdev' will *always* be set and non-NULL
by list_for_each_entry(), so it is incorrect to assume that the
iterator value will be NULL if the list is empty or no element
is found.
To fix the bug, use a new variable 'iter' as the list iterator,
while use the original variable 'cdev' as a dedicated pointer
to point to the found element. And snd_card_cs423x_pnp() itself
has NULL check for cdev.
Cc: stable@vger.kernel.org
Fixes: c2b73d1458014 ("ALSA: cs4236: cs4232 and cs4236 driver merge to solve PnP BIOS detection")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Link: https://lore.kernel.org/r/20220327060822.4735-1-xiam0nd.tong@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/isa/cs423x/cs4236.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/sound/isa/cs423x/cs4236.c
+++ b/sound/isa/cs423x/cs4236.c
@@ -544,7 +544,7 @@ static int snd_cs423x_pnpbios_detect(str
static int dev;
int err;
struct snd_card *card;
- struct pnp_dev *cdev;
+ struct pnp_dev *cdev, *iter;
char cid[PNP_ID_LEN];
if (pnp_device_is_isapnp(pdev))
@@ -560,9 +560,11 @@ static int snd_cs423x_pnpbios_detect(str
strcpy(cid, pdev->id[0].id);
cid[5] = '1';
cdev = NULL;
- list_for_each_entry(cdev, &(pdev->protocol->devices), protocol_list) {
- if (!strcmp(cdev->id[0].id, cid))
+ list_for_each_entry(iter, &(pdev->protocol->devices), protocol_list) {
+ if (!strcmp(iter->id[0].id, cid)) {
+ cdev = iter;
break;
+ }
}
err = snd_cs423x_card_new(&pdev->dev, dev, &card);
if (err < 0)
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 071/599] ALSA: hda: Avoid unsol event during RPM suspending
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 070/599] ALSA: cs4236: fix an incorrect NULL check on list iterator Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 072/599] ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock Greg Kroah-Hartman
` (540 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mohan Kumar, Takashi Iwai
From: Mohan Kumar <mkumard@nvidia.com>
commit 6ddc2f749621d5d45ca03edc9f0616bcda136d29 upstream.
There is a corner case with unsol event handling during codec runtime
suspending state. When the codec runtime suspend call initiated, the
codec->in_pm atomic variable would be 0, currently the codec runtime
suspend function calls snd_hdac_enter_pm() which will just increments
the codec->in_pm atomic variable. Consider unsol event happened just
after this step and before snd_hdac_leave_pm() in the codec runtime
suspend function. The snd_hdac_power_up_pm() in the unsol event
flow in hdmi_present_sense_via_verbs() function would just increment
the codec->in_pm atomic variable without calling pm_runtime_get_sync
function.
As codec runtime suspend flow is already in progress and in parallel
unsol event is also accessing the codec verbs, as soon as codec
suspend flow completes and clocks are switched off before completing
the unsol event handling as both functions doesn't wait for each other.
This will result in below errors
[ 589.428020] tegra-hda 3510000.hda: azx_get_response timeout, switching
to polling mode: last cmd=0x505f2f57
[ 589.428344] tegra-hda 3510000.hda: spurious response 0x80000074:0x5,
last cmd=0x505f2f57
[ 589.428547] tegra-hda 3510000.hda: spurious response 0x80000065:0x5,
last cmd=0x505f2f57
To avoid this, the unsol event flow should not perform any codec verb
related operations during RPM_SUSPENDING state.
Signed-off-by: Mohan Kumar <mkumard@nvidia.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220329155940.26331-1-mkumard@nvidia.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_hdmi.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -1608,6 +1608,7 @@ static void hdmi_present_sense_via_verbs
struct hda_codec *codec = per_pin->codec;
struct hdmi_spec *spec = codec->spec;
struct hdmi_eld *eld = &spec->temp_eld;
+ struct device *dev = hda_codec_dev(codec);
hda_nid_t pin_nid = per_pin->pin_nid;
int dev_id = per_pin->dev_id;
/*
@@ -1621,8 +1622,13 @@ static void hdmi_present_sense_via_verbs
int present;
int ret;
+#ifdef CONFIG_PM
+ if (dev->power.runtime_status == RPM_SUSPENDING)
+ return;
+#endif
+
ret = snd_hda_power_up_pm(codec);
- if (ret < 0 && pm_runtime_suspended(hda_codec_dev(codec)))
+ if (ret < 0 && pm_runtime_suspended(dev))
goto out;
present = snd_hda_jack_pin_sense(codec, pin_nid, dev_id);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 072/599] ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 071/599] ALSA: hda: Avoid unsol event during RPM suspending Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 073/599] ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020 Greg Kroah-Hartman
` (539 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, syzbot+6e5c88838328e99c7e1c, Takashi Iwai
From: Takashi Iwai <tiwai@suse.de>
commit bc55cfd5718c7c23e5524582e9fa70b4d10f2433 upstream.
syzbot caught a potential deadlock between the PCM
runtime->buffer_mutex and the mm->mmap_lock. It was brought by the
recent fix to cover the racy read/write and other ioctls, and in that
commit, I overlooked a (hopefully only) corner case that may take the
revert lock, namely, the OSS mmap. The OSS mmap operation
exceptionally allows to re-configure the parameters inside the OSS
mmap syscall, where mm->mmap_mutex is already held. Meanwhile, the
copy_from/to_user calls at read/write operations also take the
mm->mmap_lock internally, hence it may lead to a AB/BA deadlock.
A similar problem was already seen in the past and we fixed it with a
refcount (in commit b248371628aa). The former fix covered only the
call paths with OSS read/write and OSS ioctls, while we need to cover
the concurrent access via both ALSA and OSS APIs now.
This patch addresses the problem above by replacing the buffer_mutex
lock in the read/write operations with a refcount similar as we've
used for OSS. The new field, runtime->buffer_accessing, keeps the
number of concurrent read/write operations. Unlike the former
buffer_mutex protection, this protects only around the
copy_from/to_user() calls; the other codes are basically protected by
the PCM stream lock. The refcount can be a negative, meaning blocked
by the ioctls. If a negative value is seen, the read/write aborts
with -EBUSY. In the ioctl side, OTOH, they check this refcount, too,
and set to a negative value for blocking unless it's already being
accessed.
Reported-by: syzbot+6e5c88838328e99c7e1c@syzkaller.appspotmail.com
Fixes: dca947d4d26d ("ALSA: pcm: Fix races among concurrent read/write and buffer changes")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/000000000000381a0d05db622a81@google.com
Link: https://lore.kernel.org/r/20220330120903.4738-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/sound/pcm.h | 1 +
sound/core/pcm.c | 1 +
sound/core/pcm_lib.c | 9 +++++----
sound/core/pcm_native.c | 39 ++++++++++++++++++++++++++++++++-------
4 files changed, 39 insertions(+), 11 deletions(-)
--- a/include/sound/pcm.h
+++ b/include/sound/pcm.h
@@ -399,6 +399,7 @@ struct snd_pcm_runtime {
struct fasync_struct *fasync;
bool stop_operating; /* sync_stop will be called */
struct mutex buffer_mutex; /* protect for buffer changes */
+ atomic_t buffer_accessing; /* >0: in r/w operation, <0: blocked */
/* -- private section -- */
void *private_data;
--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -970,6 +970,7 @@ int snd_pcm_attach_substream(struct snd_
runtime->status->state = SNDRV_PCM_STATE_OPEN;
mutex_init(&runtime->buffer_mutex);
+ atomic_set(&runtime->buffer_accessing, 0);
substream->runtime = runtime;
substream->private_data = pcm->private_data;
--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -1871,11 +1871,9 @@ static int wait_for_avail(struct snd_pcm
if (avail >= runtime->twake)
break;
snd_pcm_stream_unlock_irq(substream);
- mutex_unlock(&runtime->buffer_mutex);
tout = schedule_timeout(wait_time);
- mutex_lock(&runtime->buffer_mutex);
snd_pcm_stream_lock_irq(substream);
set_current_state(TASK_INTERRUPTIBLE);
switch (runtime->status->state) {
@@ -2169,7 +2167,6 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str
nonblock = !!(substream->f_flags & O_NONBLOCK);
- mutex_lock(&runtime->buffer_mutex);
snd_pcm_stream_lock_irq(substream);
err = pcm_accessible_state(runtime);
if (err < 0)
@@ -2224,10 +2221,15 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str
err = -EINVAL;
goto _end_unlock;
}
+ if (!atomic_inc_unless_negative(&runtime->buffer_accessing)) {
+ err = -EBUSY;
+ goto _end_unlock;
+ }
snd_pcm_stream_unlock_irq(substream);
err = writer(substream, appl_ofs, data, offset, frames,
transfer);
snd_pcm_stream_lock_irq(substream);
+ atomic_dec(&runtime->buffer_accessing);
if (err < 0)
goto _end_unlock;
err = pcm_accessible_state(runtime);
@@ -2257,7 +2259,6 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str
if (xfer > 0 && err >= 0)
snd_pcm_update_state(substream, runtime);
snd_pcm_stream_unlock_irq(substream);
- mutex_unlock(&runtime->buffer_mutex);
return xfer > 0 ? (snd_pcm_sframes_t)xfer : err;
}
EXPORT_SYMBOL(__snd_pcm_lib_xfer);
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -667,6 +667,24 @@ static int snd_pcm_hw_params_choose(stru
return 0;
}
+/* acquire buffer_mutex; if it's in r/w operation, return -EBUSY, otherwise
+ * block the further r/w operations
+ */
+static int snd_pcm_buffer_access_lock(struct snd_pcm_runtime *runtime)
+{
+ if (!atomic_dec_unless_positive(&runtime->buffer_accessing))
+ return -EBUSY;
+ mutex_lock(&runtime->buffer_mutex);
+ return 0; /* keep buffer_mutex, unlocked by below */
+}
+
+/* release buffer_mutex and clear r/w access flag */
+static void snd_pcm_buffer_access_unlock(struct snd_pcm_runtime *runtime)
+{
+ mutex_unlock(&runtime->buffer_mutex);
+ atomic_inc(&runtime->buffer_accessing);
+}
+
#if IS_ENABLED(CONFIG_SND_PCM_OSS)
#define is_oss_stream(substream) ((substream)->oss.oss)
#else
@@ -677,14 +695,16 @@ static int snd_pcm_hw_params(struct snd_
struct snd_pcm_hw_params *params)
{
struct snd_pcm_runtime *runtime;
- int err = 0, usecs;
+ int err, usecs;
unsigned int bits;
snd_pcm_uframes_t frames;
if (PCM_RUNTIME_CHECK(substream))
return -ENXIO;
runtime = substream->runtime;
- mutex_lock(&runtime->buffer_mutex);
+ err = snd_pcm_buffer_access_lock(runtime);
+ if (err < 0)
+ return err;
snd_pcm_stream_lock_irq(substream);
switch (runtime->status->state) {
case SNDRV_PCM_STATE_OPEN:
@@ -801,7 +821,7 @@ static int snd_pcm_hw_params(struct snd_
snd_pcm_lib_free_pages(substream);
}
unlock:
- mutex_unlock(&runtime->buffer_mutex);
+ snd_pcm_buffer_access_unlock(runtime);
return err;
}
@@ -846,7 +866,9 @@ static int snd_pcm_hw_free(struct snd_pc
if (PCM_RUNTIME_CHECK(substream))
return -ENXIO;
runtime = substream->runtime;
- mutex_lock(&runtime->buffer_mutex);
+ result = snd_pcm_buffer_access_lock(runtime);
+ if (result < 0)
+ return result;
snd_pcm_stream_lock_irq(substream);
switch (runtime->status->state) {
case SNDRV_PCM_STATE_SETUP:
@@ -865,7 +887,7 @@ static int snd_pcm_hw_free(struct snd_pc
snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN);
cpu_latency_qos_remove_request(&substream->latency_pm_qos_req);
unlock:
- mutex_unlock(&runtime->buffer_mutex);
+ snd_pcm_buffer_access_unlock(runtime);
return result;
}
@@ -1350,12 +1372,15 @@ static int snd_pcm_action_nonatomic(cons
/* Guarantee the group members won't change during non-atomic action */
down_read(&snd_pcm_link_rwsem);
- mutex_lock(&substream->runtime->buffer_mutex);
+ res = snd_pcm_buffer_access_lock(substream->runtime);
+ if (res < 0)
+ goto unlock;
if (snd_pcm_stream_linked(substream))
res = snd_pcm_action_group(ops, substream, state, false);
else
res = snd_pcm_action_single(ops, substream, state);
- mutex_unlock(&substream->runtime->buffer_mutex);
+ snd_pcm_buffer_access_unlock(substream->runtime);
+ unlock:
up_read(&snd_pcm_link_rwsem);
return res;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 073/599] ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 072/599] ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 074/599] mm: madvise: skip unmapped vma holes passed to process_madvise Greg Kroah-Hartman
` (538 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, kernel test robot, Dan Carpenter,
Kai-Heng Feng, Takashi Iwai
From: Kai-Heng Feng <kai.heng.feng@canonical.com>
commit f30741cded62f87bb4b1cc58bc627f076abcaba8 upstream.
Commit 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording
issue") is to solve recording issue met on AL236, by matching codec
variant ALC269_TYPE_ALC257 and ALC269_TYPE_ALC256.
This match can be too broad and Mi Notebook Pro 2020 is broken by the
patch.
Instead, use codec ID to be narrow down the scope, in order to make
ALC256 unaffected.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215484
Fixes: 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording issue")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Link: https://lore.kernel.org/r/20220330061335.1015533-1-kai.heng.feng@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -3615,8 +3615,8 @@ static void alc256_shutup(struct hda_cod
/* If disable 3k pulldown control for alc257, the Mic detection will not work correctly
* when booting with headset plugged. So skip setting it for the codec alc257
*/
- if (spec->codec_variant != ALC269_TYPE_ALC257 &&
- spec->codec_variant != ALC269_TYPE_ALC256)
+ if (codec->core.vendor_id != 0x10ec0236 &&
+ codec->core.vendor_id != 0x10ec0257)
alc_update_coef_idx(codec, 0x46, 0, 3 << 12);
if (!spec->no_shutup_pins)
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 074/599] mm: madvise: skip unmapped vma holes passed to process_madvise
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 073/599] ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020 Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 075/599] mm: madvise: return correct bytes advised with process_madvise Greg Kroah-Hartman
` (537 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Charan Teja Kalla, David Rientjes,
Michal Hocko, Minchan Kim, Nadav Amit, Stephen Rothwell,
Suren Baghdasaryan, Vlastimil Babka, Andrew Morton,
Linus Torvalds
From: Charan Teja Kalla <quic_charante@quicinc.com>
commit 08095d6310a7ce43256b4251577bc66a25c6e1a6 upstream.
The process_madvise() system call is expected to skip holes in vma passed
through 'struct iovec' vector list. But do_madvise, which
process_madvise() calls for each vma, returns ENOMEM in case of unmapped
holes, despite the VMA is processed.
Thus process_madvise() should treat ENOMEM as expected and consider the
VMA passed to as processed and continue processing other vma's in the
vector list. Returning -ENOMEM to user, despite the VMA is processed,
will be unable to figure out where to start the next madvise.
Link: https://lkml.kernel.org/r/4f091776142f2ebf7b94018146de72318474e686.1647008754.git.quic_charante@quicinc.com
Fixes: ecb8ac8b1f14("mm/madvise: introduce process_madvise() syscall: an external memory hinting API")
Signed-off-by: Charan Teja Kalla <quic_charante@quicinc.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Nadav Amit <nadav.amit@gmail.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/madvise.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -1222,9 +1222,16 @@ SYSCALL_DEFINE5(process_madvise, int, pi
while (iov_iter_count(&iter)) {
iovec = iov_iter_iovec(&iter);
+ /*
+ * do_madvise returns ENOMEM if unmapped holes are present
+ * in the passed VMA. process_madvise() is expected to skip
+ * unmapped holes passed to it in the 'struct iovec' list
+ * and not fail because of them. Thus treat -ENOMEM return
+ * from do_madvise as valid and continue processing.
+ */
ret = do_madvise(mm, (unsigned long)iovec.iov_base,
iovec.iov_len, behavior);
- if (ret < 0)
+ if (ret < 0 && ret != -ENOMEM)
break;
iov_iter_advance(&iter, iovec.iov_len);
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 075/599] mm: madvise: return correct bytes advised with process_madvise
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 074/599] mm: madvise: skip unmapped vma holes passed to process_madvise Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 076/599] Revert "mm: madvise: skip unmapped vma holes passed to process_madvise" Greg Kroah-Hartman
` (536 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Charan Teja Kalla,
Suren Baghdasaryan, Vlastimil Babka, David Rientjes,
Stephen Rothwell, Minchan Kim, Nadav Amit, Michal Hocko,
Andrew Morton, Linus Torvalds
From: Charan Teja Kalla <quic_charante@quicinc.com>
commit 5bd009c7c9a9e888077c07535dc0c70aeab242c3 upstream.
Patch series "mm: madvise: return correct bytes processed with
process_madvise", v2. With the process_madvise(), always choose to return
non zero processed bytes over an error. This can help the user to know on
which VMA, passed in the 'struct iovec' vector list, is failed to advise
thus can take the decission of retrying/skipping on that VMA.
This patch (of 2):
The process_madvise() system call returns error even after processing some
VMA's passed in the 'struct iovec' vector list which leaves the user
confused to know where to restart the advise next. It is also against
this syscall man page[1] documentation where it mentions that "return
value may be less than the total number of requested bytes, if an error
occurred after some iovec elements were already processed.".
Consider a user passed 10 VMA's in the 'struct iovec' vector list of which
9 are processed but one. Then it just returns the error caused on that
failed VMA despite the first 9 VMA's processed, leaving the user confused
about on which VMA it is failed. Returning the number of bytes processed
here can help the user to know which VMA it is failed on and thus can
retry/skip the advise on that VMA.
[1]https://man7.org/linux/man-pages/man2/process_madvise.2.html.
Link: https://lkml.kernel.org/r/cover.1647008754.git.quic_charante@quicinc.com
Link: https://lkml.kernel.org/r/125b61a0edcee5c2db8658aed9d06a43a19ccafc.1647008754.git.quic_charante@quicinc.com
Fixes: ecb8ac8b1f14("mm/madvise: introduce process_madvise() syscall: an external memory hinting API")
Signed-off-by: Charan Teja Kalla <quic_charante@quicinc.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: David Rientjes <rientjes@google.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Nadav Amit <nadav.amit@gmail.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/madvise.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -1236,8 +1236,7 @@ SYSCALL_DEFINE5(process_madvise, int, pi
iov_iter_advance(&iter, iovec.iov_len);
}
- if (ret == 0)
- ret = total_len - iov_iter_count(&iter);
+ ret = (total_len - iov_iter_count(&iter)) ? : ret;
release_mm:
mmput(mm);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 076/599] Revert "mm: madvise: skip unmapped vma holes passed to process_madvise"
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 075/599] mm: madvise: return correct bytes advised with process_madvise Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 077/599] mm,hwpoison: unmap poisoned page before invalidation Greg Kroah-Hartman
` (535 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Charan Teja Kalla, Michal Hocko,
Suren Baghdasaryan, Vlastimil Babka, David Rientjes, Nadav Amit,
Andrew Morton, Linus Torvalds
From: Charan Teja Kalla <quic_charante@quicinc.com>
commit e6b0a7b357659c332231621e4315658d062c23ee upstream.
This reverts commit 08095d6310a7 ("mm: madvise: skip unmapped vma holes
passed to process_madvise") as process_madvise() fails to return the
exact processed bytes in other cases too.
As an example: if process_madvise() hits mlocked pages after processing
some initial bytes passed in [start, end), it just returns EINVAL
although some bytes are processed. Thus making an exception only for
ENOMEM is partially fixing the problem of returning the proper advised
bytes.
Thus revert this patch and return proper bytes advised.
Link: https://lkml.kernel.org/r/e73da1304a88b6a8a11907045117cccf4c2b8374.1648046642.git.quic_charante@quicinc.com
Fixes: 08095d6310a7ce ("mm: madvise: skip unmapped vma holes passed to process_madvise")
Signed-off-by: Charan Teja Kalla <quic_charante@quicinc.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: David Rientjes <rientjes@google.com>
Cc: Nadav Amit <nadav.amit@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/madvise.c | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -1222,16 +1222,9 @@ SYSCALL_DEFINE5(process_madvise, int, pi
while (iov_iter_count(&iter)) {
iovec = iov_iter_iovec(&iter);
- /*
- * do_madvise returns ENOMEM if unmapped holes are present
- * in the passed VMA. process_madvise() is expected to skip
- * unmapped holes passed to it in the 'struct iovec' list
- * and not fail because of them. Thus treat -ENOMEM return
- * from do_madvise as valid and continue processing.
- */
ret = do_madvise(mm, (unsigned long)iovec.iov_base,
iovec.iov_len, behavior);
- if (ret < 0 && ret != -ENOMEM)
+ if (ret < 0)
break;
iov_iter_advance(&iter, iovec.iov_len);
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 077/599] mm,hwpoison: unmap poisoned page before invalidation
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 076/599] Revert "mm: madvise: skip unmapped vma holes passed to process_madvise" Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 078/599] mm/kmemleak: reset tag when compare object pointer Greg Kroah-Hartman
` (534 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Rik van Riel, Miaohe Lin,
Naoya Horiguchi, Oscar Salvador, Mel Gorman, Johannes Weiner,
Andrew Morton, Linus Torvalds
From: Rik van Riel <riel@surriel.com>
commit 3149c79f3cb0e2e3bafb7cfadacec090cbd250d3 upstream.
In some cases it appears the invalidation of a hwpoisoned page fails
because the page is still mapped in another process. This can cause a
program to be continuously restarted and die when it page faults on the
page that was not invalidated. Avoid that problem by unmapping the
hwpoisoned page when we find it.
Another issue is that sometimes we end up oopsing in finish_fault, if
the code tries to do something with the now-NULL vmf->page. I did not
hit this error when submitting the previous patch because there are
several opportunities for alloc_set_pte to bail out before accessing
vmf->page, and that apparently happened on those systems, and most of
the time on other systems, too.
However, across several million systems that error does occur a handful
of times a day. It can be avoided by returning VM_FAULT_NOPAGE which
will cause do_read_fault to return before calling finish_fault.
Link: https://lkml.kernel.org/r/20220325161428.5068d97e@imladris.surriel.com
Fixes: e53ac7374e64 ("mm: invalidate hwpoison page cache page in fault path")
Signed-off-by: Rik van Riel <riel@surriel.com>
Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
Tested-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3676,14 +3676,18 @@ static vm_fault_t __do_fault(struct vm_f
return ret;
if (unlikely(PageHWPoison(vmf->page))) {
+ struct page *page = vmf->page;
vm_fault_t poisonret = VM_FAULT_HWPOISON;
if (ret & VM_FAULT_LOCKED) {
+ if (page_mapped(page))
+ unmap_mapping_pages(page_mapping(page),
+ page->index, 1, false);
/* Retry if a clean page was removed from the cache. */
- if (invalidate_inode_page(vmf->page))
- poisonret = 0;
- unlock_page(vmf->page);
+ if (invalidate_inode_page(page))
+ poisonret = VM_FAULT_NOPAGE;
+ unlock_page(page);
}
- put_page(vmf->page);
+ put_page(page);
vmf->page = NULL;
return poisonret;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 078/599] mm/kmemleak: reset tag when compare object pointer
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 077/599] mm,hwpoison: unmap poisoned page before invalidation Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 079/599] dm integrity: set journal entry unused when shrinking device Greg Kroah-Hartman
` (533 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Kuan-Ying Lee, Catalin Marinas,
Matthias Brugger, Chinwen Chang, Nicholas Tang, Yee Lee,
Andrew Morton, Linus Torvalds
From: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
commit bfc8089f00fa526dea983844c880fa8106c33ac4 upstream.
When we use HW-tag based kasan and enable vmalloc support, we hit the
following bug. It is due to comparison between tagged object and
non-tagged pointer.
We need to reset the kasan tag when we need to compare tagged object and
non-tagged pointer.
kmemleak: [name:kmemleak&]Scan area larger than object 0xffffffe77076f440
CPU: 4 PID: 1 Comm: init Tainted: G S W 5.15.25-android13-0-g5cacf919c2bc #1
Hardware name: MT6983(ENG) (DT)
Call trace:
add_scan_area+0xc4/0x244
kmemleak_scan_area+0x40/0x9c
layout_and_allocate+0x1e8/0x288
load_module+0x2c8/0xf00
__se_sys_finit_module+0x190/0x1d0
__arm64_sys_finit_module+0x20/0x30
invoke_syscall+0x60/0x170
el0_svc_common+0xc8/0x114
do_el0_svc+0x28/0xa0
el0_svc+0x60/0xf8
el0t_64_sync_handler+0x88/0xec
el0t_64_sync+0x1b4/0x1b8
kmemleak: [name:kmemleak&]Object 0xf5ffffe77076b000 (size 32768):
kmemleak: [name:kmemleak&] comm "init", pid 1, jiffies 4294894197
kmemleak: [name:kmemleak&] min_count = 0
kmemleak: [name:kmemleak&] count = 0
kmemleak: [name:kmemleak&] flags = 0x1
kmemleak: [name:kmemleak&] checksum = 0
kmemleak: [name:kmemleak&] backtrace:
module_alloc+0x9c/0x120
move_module+0x34/0x19c
layout_and_allocate+0x1c4/0x288
load_module+0x2c8/0xf00
__se_sys_finit_module+0x190/0x1d0
__arm64_sys_finit_module+0x20/0x30
invoke_syscall+0x60/0x170
el0_svc_common+0xc8/0x114
do_el0_svc+0x28/0xa0
el0_svc+0x60/0xf8
el0t_64_sync_handler+0x88/0xec
el0t_64_sync+0x1b4/0x1b8
Link: https://lkml.kernel.org/r/20220318034051.30687-1-Kuan-Ying.Lee@mediatek.com
Signed-off-by: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Matthias Brugger <matthias.bgg@gmail.com>
Cc: Chinwen Chang <chinwen.chang@mediatek.com>
Cc: Nicholas Tang <nicholas.tang@mediatek.com>
Cc: Yee Lee <yee.lee@mediatek.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/kmemleak.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -787,6 +787,8 @@ static void add_scan_area(unsigned long
unsigned long flags;
struct kmemleak_object *object;
struct kmemleak_scan_area *area = NULL;
+ unsigned long untagged_ptr;
+ unsigned long untagged_objp;
object = find_and_get_object(ptr, 1);
if (!object) {
@@ -795,6 +797,9 @@ static void add_scan_area(unsigned long
return;
}
+ untagged_ptr = (unsigned long)kasan_reset_tag((void *)ptr);
+ untagged_objp = (unsigned long)kasan_reset_tag((void *)object->pointer);
+
if (scan_area_cache)
area = kmem_cache_alloc(scan_area_cache, gfp_kmemleak_mask(gfp));
@@ -806,8 +811,8 @@ static void add_scan_area(unsigned long
goto out_unlock;
}
if (size == SIZE_MAX) {
- size = object->pointer + object->size - ptr;
- } else if (ptr + size > object->pointer + object->size) {
+ size = untagged_objp + object->size - untagged_ptr;
+ } else if (untagged_ptr + size > untagged_objp + object->size) {
kmemleak_warn("Scan area larger than object 0x%08lx\n", ptr);
dump_object_info(object);
kmem_cache_free(scan_area_cache, area);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 079/599] dm integrity: set journal entry unused when shrinking device
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 078/599] mm/kmemleak: reset tag when compare object pointer Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 080/599] drbd: fix potential silent data corruption Greg Kroah-Hartman
` (532 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Milan Broz, Mike Snitzer
From: Mikulas Patocka <mpatocka@redhat.com>
commit cc09e8a9dec4f0e8299e80a7a2a8e6f54164a10b upstream.
Commit f6f72f32c22c ("dm integrity: don't replay journal data past the
end of the device") skips journal replay if the target sector points
beyond the end of the device. Unfortunatelly, it doesn't set the
journal entry unused, which resulted in this BUG being triggered:
BUG_ON(!journal_entry_is_unused(je))
Fix this by calling journal_entry_set_unused() for this case.
Fixes: f6f72f32c22c ("dm integrity: don't replay journal data past the end of the device")
Cc: stable@vger.kernel.org # v5.7+
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Tested-by: Milan Broz <gmazyland@gmail.com>
[snitzer: revised header]
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-integrity.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -2354,9 +2354,11 @@ static void do_journal_write(struct dm_i
dm_integrity_io_error(ic, "invalid sector in journal", -EIO);
sec &= ~(sector_t)(ic->sectors_per_block - 1);
}
+ if (unlikely(sec >= ic->provided_data_sectors)) {
+ journal_entry_set_unused(je);
+ continue;
+ }
}
- if (unlikely(sec >= ic->provided_data_sectors))
- continue;
get_area_and_offset(ic, sec, &area, &offset);
restore_last_bytes(ic, access_journal_data(ic, i, j), je);
for (k = j + 1; k < ic->journal_section_entries; k++) {
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 080/599] drbd: fix potential silent data corruption
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 079/599] dm integrity: set journal entry unused when shrinking device Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 081/599] can: isotp: sanitize CAN ID checks in isotp_bind() Greg Kroah-Hartman
` (531 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Lars Ellenberg,
Christoph Böhmwalder, Jens Axboe
From: Lars Ellenberg <lars.ellenberg@linbit.com>
commit f4329d1f848ac35757d9cc5487669d19dfc5979c upstream.
Scenario:
---------
bio chain generated by blk_queue_split().
Some split bio fails and propagates its error status to the "parent" bio.
But then the (last part of the) parent bio itself completes without error.
We would clobber the already recorded error status with BLK_STS_OK,
causing silent data corruption.
Reproducer:
-----------
How to trigger this in the real world within seconds:
DRBD on top of degraded parity raid,
small stripe_cache_size, large read_ahead setting.
Drop page cache (sysctl vm.drop_caches=1, fadvise "DONTNEED",
umount and mount again, "reboot").
Cause significant read ahead.
Large read ahead request is split by blk_queue_split().
Parts of the read ahead that are already in the stripe cache,
or find an available stripe cache to use, can be serviced.
Parts of the read ahead that would need "too much work",
would need to wait for a "stripe_head" to become available,
are rejected immediately.
For larger read ahead requests that are split in many pieces, it is very
likely that some "splits" will be serviced, but then the stripe cache is
exhausted/busy, and the remaining ones will be rejected.
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
Cc: <stable@vger.kernel.org> # 4.13.x
Link: https://lore.kernel.org/r/20220330185551.3553196-1-christoph.boehmwalder@linbit.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/drbd/drbd_req.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/block/drbd/drbd_req.c
+++ b/drivers/block/drbd/drbd_req.c
@@ -177,7 +177,8 @@ void start_new_tl_epoch(struct drbd_conn
void complete_master_bio(struct drbd_device *device,
struct bio_and_error *m)
{
- m->bio->bi_status = errno_to_blk_status(m->error);
+ if (unlikely(m->error))
+ m->bio->bi_status = errno_to_blk_status(m->error);
bio_endio(m->bio);
dec_ap_bio(device);
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 081/599] can: isotp: sanitize CAN ID checks in isotp_bind()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 080/599] drbd: fix potential silent data corruption Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 082/599] powerpc/kvm: Fix kvm_use_magic_page Greg Kroah-Hartman
` (530 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, syzbot+2339c27f5c66c652843e,
Oliver Hartkopp, Marc Kleine-Budde
From: Oliver Hartkopp <socketcan@hartkopp.net>
commit 3ea566422cbde9610c2734980d1286ab681bb40e upstream.
Syzbot created an environment that lead to a state machine status that
can not be reached with a compliant CAN ID address configuration.
The provided address information consisted of CAN ID 0x6000001 and 0xC28001
which both boil down to 11 bit CAN IDs 0x001 in sending and receiving.
Sanitize the SFF/EFF CAN ID values before performing the address checks.
Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol")
Link: https://lore.kernel.org/all/20220316164258.54155-1-socketcan@hartkopp.net
Reported-by: syzbot+2339c27f5c66c652843e@syzkaller.appspotmail.com
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/isotp.c | 38 ++++++++++++++++++++------------------
1 file changed, 20 insertions(+), 18 deletions(-)
--- a/net/can/isotp.c
+++ b/net/can/isotp.c
@@ -1102,6 +1102,7 @@ static int isotp_bind(struct socket *soc
struct net *net = sock_net(sk);
int ifindex;
struct net_device *dev;
+ canid_t tx_id, rx_id;
int err = 0;
int notify_enetdown = 0;
int do_rx_reg = 1;
@@ -1109,8 +1110,18 @@ static int isotp_bind(struct socket *soc
if (len < ISOTP_MIN_NAMELEN)
return -EINVAL;
- if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
- return -EADDRNOTAVAIL;
+ /* sanitize tx/rx CAN identifiers */
+ tx_id = addr->can_addr.tp.tx_id;
+ if (tx_id & CAN_EFF_FLAG)
+ tx_id &= (CAN_EFF_FLAG | CAN_EFF_MASK);
+ else
+ tx_id &= CAN_SFF_MASK;
+
+ rx_id = addr->can_addr.tp.rx_id;
+ if (rx_id & CAN_EFF_FLAG)
+ rx_id &= (CAN_EFF_FLAG | CAN_EFF_MASK);
+ else
+ rx_id &= CAN_SFF_MASK;
if (!addr->can_ifindex)
return -ENODEV;
@@ -1122,21 +1133,13 @@ static int isotp_bind(struct socket *soc
do_rx_reg = 0;
/* do not validate rx address for functional addressing */
- if (do_rx_reg) {
- if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id) {
- err = -EADDRNOTAVAIL;
- goto out;
- }
-
- if (addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)) {
- err = -EADDRNOTAVAIL;
- goto out;
- }
+ if (do_rx_reg && rx_id == tx_id) {
+ err = -EADDRNOTAVAIL;
+ goto out;
}
if (so->bound && addr->can_ifindex == so->ifindex &&
- addr->can_addr.tp.rx_id == so->rxid &&
- addr->can_addr.tp.tx_id == so->txid)
+ rx_id == so->rxid && tx_id == so->txid)
goto out;
dev = dev_get_by_index(net, addr->can_ifindex);
@@ -1160,8 +1163,7 @@ static int isotp_bind(struct socket *soc
ifindex = dev->ifindex;
if (do_rx_reg)
- can_rx_register(net, dev, addr->can_addr.tp.rx_id,
- SINGLE_MASK(addr->can_addr.tp.rx_id),
+ can_rx_register(net, dev, rx_id, SINGLE_MASK(rx_id),
isotp_rcv, sk, "isotp", sk);
dev_put(dev);
@@ -1181,8 +1183,8 @@ static int isotp_bind(struct socket *soc
/* switch to new settings */
so->ifindex = ifindex;
- so->rxid = addr->can_addr.tp.rx_id;
- so->txid = addr->can_addr.tp.tx_id;
+ so->rxid = rx_id;
+ so->txid = tx_id;
so->bound = 1;
out:
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 082/599] powerpc/kvm: Fix kvm_use_magic_page
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 081/599] can: isotp: sanitize CAN ID checks in isotp_bind() Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 083/599] udp: call udp_encap_enable for v6 sockets when enabling encap Greg Kroah-Hartman
` (529 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andreas Gruenbacher, Anand Jain
From: Andreas Gruenbacher <agruenba@redhat.com>
commit 0c8eb2884a42d992c7726539328b7d3568f22143 upstream.
When switching from __get_user to fault_in_pages_readable, commit
9f9eae5ce717 broke kvm_use_magic_page: like __get_user,
fault_in_pages_readable returns 0 on success.
Fixes: 9f9eae5ce717 ("powerpc/kvm: Prefer fault_in_pages_readable function")
Cc: stable@vger.kernel.org # v4.18+
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kernel/kvm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/kernel/kvm.c
+++ b/arch/powerpc/kernel/kvm.c
@@ -669,7 +669,7 @@ static void __init kvm_use_magic_page(vo
on_each_cpu(kvm_map_magic_page, &features, 1);
/* Quick self-test to see if the mapping works */
- if (!fault_in_pages_readable((const char *)KVM_MAGIC_PAGE, sizeof(u32))) {
+ if (fault_in_pages_readable((const char *)KVM_MAGIC_PAGE, sizeof(u32))) {
kvm_patching_worked = false;
return;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 083/599] udp: call udp_encap_enable for v6 sockets when enabling encap
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 082/599] powerpc/kvm: Fix kvm_use_magic_page Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 084/599] arm64: signal: nofpsimd: Do not allocate fp/simd context when not available Greg Kroah-Hartman
` (528 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Willem de Bruijn, Xin Long,
Jakub Kicinski, Antonio Quartulli
From: Xin Long <lucien.xin@gmail.com>
commit a4a600dd301ccde6ea239804ec1f19364a39d643 upstream.
When enabling encap for a ipv6 socket without udp_encap_needed_key
increased, UDP GRO won't work for v4 mapped v6 address packets as
sk will be NULL in udp4_gro_receive().
This patch is to enable it by increasing udp_encap_needed_key for
v6 sockets in udp_tunnel_encap_enable(), and correspondingly
decrease udp_encap_needed_key in udpv6_destroy_sock().
v1->v2:
- add udp_encap_disable() and export it.
v2->v3:
- add the change for rxrpc and bareudp into one patch, as Alex
suggested.
v3->v4:
- move rxrpc part to another patch.
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Tested-by: Antonio Quartulli <antonio@openvpn.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/bareudp.c | 6 ------
include/net/udp.h | 1 +
include/net/udp_tunnel.h | 3 +--
net/ipv4/udp.c | 6 ++++++
net/ipv6/udp.c | 4 +++-
5 files changed, 11 insertions(+), 9 deletions(-)
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -246,12 +246,6 @@ static int bareudp_socket_create(struct
tunnel_cfg.encap_destroy = NULL;
setup_udp_tunnel_sock(bareudp->net, sock, &tunnel_cfg);
- /* As the setup_udp_tunnel_sock does not call udp_encap_enable if the
- * socket type is v6 an explicit call to udp_encap_enable is needed.
- */
- if (sock->sk->sk_family == AF_INET6)
- udp_encap_enable();
-
rcu_assign_pointer(bareudp->sock, sock);
return 0;
}
--- a/include/net/udp.h
+++ b/include/net/udp.h
@@ -467,6 +467,7 @@ void udp_init(void);
DECLARE_STATIC_KEY_FALSE(udp_encap_needed_key);
void udp_encap_enable(void);
+void udp_encap_disable(void);
#if IS_ENABLED(CONFIG_IPV6)
DECLARE_STATIC_KEY_FALSE(udpv6_encap_needed_key);
void udpv6_encap_enable(void);
--- a/include/net/udp_tunnel.h
+++ b/include/net/udp_tunnel.h
@@ -177,9 +177,8 @@ static inline void udp_tunnel_encap_enab
#if IS_ENABLED(CONFIG_IPV6)
if (sock->sk->sk_family == PF_INET6)
ipv6_stub->udpv6_encap_enable();
- else
#endif
- udp_encap_enable();
+ udp_encap_enable();
}
#define UDP_TUNNEL_NIC_MAX_TABLES 4
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -598,6 +598,12 @@ void udp_encap_enable(void)
}
EXPORT_SYMBOL(udp_encap_enable);
+void udp_encap_disable(void)
+{
+ static_branch_dec(&udp_encap_needed_key);
+}
+EXPORT_SYMBOL(udp_encap_disable);
+
/* Handler for tunnels with arbitrary destination ports: no socket lookup, go
* through error handlers in encapsulations looking for a match.
*/
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1610,8 +1610,10 @@ void udpv6_destroy_sock(struct sock *sk)
if (encap_destroy)
encap_destroy(sk);
}
- if (up->encap_enabled)
+ if (up->encap_enabled) {
static_branch_dec(&udpv6_encap_needed_key);
+ udp_encap_disable();
+ }
}
inet6_destroy_sock(sk);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 084/599] arm64: signal: nofpsimd: Do not allocate fp/simd context when not available
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 083/599] udp: call udp_encap_enable for v6 sockets when enabling encap Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 085/599] arm64: dts: ti: k3-am65: Fix gic-v3 compatible regs Greg Kroah-Hartman
` (527 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, David Engraf, Catalin Marinas,
Will Deacon, Mark Brown
From: David Engraf <david.engraf@sysgo.com>
commit 0a32c88ddb9af30e8a16d41d7b9b824c27d29459 upstream.
Commit 6d502b6ba1b2 ("arm64: signal: nofpsimd: Handle fp/simd context for
signal frames") introduced saving the fp/simd context for signal handling
only when support is available. But setup_sigframe_layout() always
reserves memory for fp/simd context. The additional memory is not touched
because preserve_fpsimd_context() is not called and thus the magic is
invalid.
This may lead to an error when parse_user_sigframe() checks the fp/simd
area and does not find a valid magic number.
Signed-off-by: David Engraf <david.engraf@sysgo.com>
Reviwed-by: Mark Brown <broonie@kernel.org>
Fixes: 6d502b6ba1b267b3 ("arm64: signal: nofpsimd: Handle fp/simd context for signal frames")
Cc: <stable@vger.kernel.org> # 5.6.x
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Link: https://lore.kernel.org/r/20220225104008.820289-1-david.engraf@sysgo.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/signal.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -572,10 +572,12 @@ static int setup_sigframe_layout(struct
{
int err;
- err = sigframe_alloc(user, &user->fpsimd_offset,
- sizeof(struct fpsimd_context));
- if (err)
- return err;
+ if (system_supports_fpsimd()) {
+ err = sigframe_alloc(user, &user->fpsimd_offset,
+ sizeof(struct fpsimd_context));
+ if (err)
+ return err;
+ }
/* fault information, if valid */
if (add_all || current->thread.fault_code) {
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 085/599] arm64: dts: ti: k3-am65: Fix gic-v3 compatible regs
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 084/599] arm64: signal: nofpsimd: Do not allocate fp/simd context when not available Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 086/599] arm64: dts: ti: k3-j721e: " Greg Kroah-Hartman
` (526 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Nishanth Menon
From: Nishanth Menon <nm@ti.com>
commit 8cae268b70f387ff9e697ccd62fb2384079124e7 upstream.
Though GIC ARE option is disabled for no GIC-v2 compatibility,
Cortex-A53 is free to implement the CPU interface as long as it
communicates with the GIC using the stream protocol. This requires
that the SoC integration mark out the PERIPHBASE[1] as reserved area
within the SoC. See longer discussion in [2] for further information.
Update the GIC register map to indicate offsets from PERIPHBASE based
on [3]. Without doing this, systems like kvm will not function with
gic-v2 emulation.
[1] https://developer.arm.com/documentation/ddi0500/e/system-control/aarch64-register-descriptions/configuration-base-address-register--el1
[2] https://lore.kernel.org/all/87k0e0tirw.wl-maz@kernel.org/
[3] https://developer.arm.com/documentation/ddi0500/e/generic-interrupt-controller-cpu-interface/gic-programmers-model/memory-map
Cc: stable@vger.kernel.org # 5.10+
Fixes: ea47eed33a3f ("arm64: dts: ti: Add Support for AM654 SoC")
Reported-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Nishanth Menon <nm@ti.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20220215201008.15235-2-nm@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 5 ++++-
arch/arm64/boot/dts/ti/k3-am65.dtsi | 1 +
2 files changed, 5 insertions(+), 1 deletion(-)
--- a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
@@ -35,7 +35,10 @@
#interrupt-cells = <3>;
interrupt-controller;
reg = <0x00 0x01800000 0x00 0x10000>, /* GICD */
- <0x00 0x01880000 0x00 0x90000>; /* GICR */
+ <0x00 0x01880000 0x00 0x90000>, /* GICR */
+ <0x00 0x6f000000 0x00 0x2000>, /* GICC */
+ <0x00 0x6f010000 0x00 0x1000>, /* GICH */
+ <0x00 0x6f020000 0x00 0x2000>; /* GICV */
/*
* vcpumntirq:
* virtual CPU interface maintenance interrupt
--- a/arch/arm64/boot/dts/ti/k3-am65.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am65.dtsi
@@ -84,6 +84,7 @@
<0x00 0x46000000 0x00 0x46000000 0x00 0x00200000>,
<0x00 0x47000000 0x00 0x47000000 0x00 0x00068400>,
<0x00 0x50000000 0x00 0x50000000 0x00 0x8000000>,
+ <0x00 0x6f000000 0x00 0x6f000000 0x00 0x00310000>, /* A53 PERIPHBASE */
<0x00 0x70000000 0x00 0x70000000 0x00 0x200000>,
<0x05 0x00000000 0x05 0x00000000 0x01 0x0000000>,
<0x07 0x00000000 0x07 0x00000000 0x01 0x0000000>;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 086/599] arm64: dts: ti: k3-j721e: Fix gic-v3 compatible regs
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 085/599] arm64: dts: ti: k3-am65: Fix gic-v3 compatible regs Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 087/599] arm64: dts: ti: k3-j7200: " Greg Kroah-Hartman
` (525 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Nishanth Menon
From: Nishanth Menon <nm@ti.com>
commit a06ed27f3bc63ab9e10007dc0118d910908eb045 upstream.
Though GIC ARE option is disabled for no GIC-v2 compatibility,
Cortex-A72 is free to implement the CPU interface as long as it
communicates with the GIC using the stream protocol. This requires
that the SoC integration mark out the PERIPHBASE[1] as reserved area
within the SoC. See longer discussion in [2] for further information.
Update the GIC register map to indicate offsets from PERIPHBASE based
on [3]. Without doing this, systems like kvm will not function with
gic-v2 emulation.
[1] https://developer.arm.com/documentation/100095/0002/system-control/aarch64-register-descriptions/configuration-base-address-register--el1
[2] https://lore.kernel.org/all/87k0e0tirw.wl-maz@kernel.org/
[3] https://developer.arm.com/documentation/100095/0002/way1382452674438
Cc: stable@vger.kernel.org # 5.10+
Fixes: 2d87061e70de ("arm64: dts: ti: Add Support for J721E SoC")
Reported-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Nishanth Menon <nm@ti.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20220215201008.15235-3-nm@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/ti/k3-j721e-main.dtsi | 5 ++++-
arch/arm64/boot/dts/ti/k3-j721e.dtsi | 1 +
2 files changed, 5 insertions(+), 1 deletion(-)
--- a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
@@ -108,7 +108,10 @@
#interrupt-cells = <3>;
interrupt-controller;
reg = <0x00 0x01800000 0x00 0x10000>, /* GICD */
- <0x00 0x01900000 0x00 0x100000>; /* GICR */
+ <0x00 0x01900000 0x00 0x100000>, /* GICR */
+ <0x00 0x6f000000 0x00 0x2000>, /* GICC */
+ <0x00 0x6f010000 0x00 0x1000>, /* GICH */
+ <0x00 0x6f020000 0x00 0x2000>; /* GICV */
/* vcpumntirq: virtual CPU interface maintenance interrupt */
interrupts = <GIC_PPI 9 IRQ_TYPE_LEVEL_HIGH>;
--- a/arch/arm64/boot/dts/ti/k3-j721e.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-j721e.dtsi
@@ -136,6 +136,7 @@
<0x00 0x0e000000 0x00 0x0e000000 0x00 0x01800000>, /* PCIe Core*/
<0x00 0x10000000 0x00 0x10000000 0x00 0x10000000>, /* PCIe DAT */
<0x00 0x64800000 0x00 0x64800000 0x00 0x00800000>, /* C71 */
+ <0x00 0x6f000000 0x00 0x6f000000 0x00 0x00310000>, /* A72 PERIPHBASE */
<0x44 0x00000000 0x44 0x00000000 0x00 0x08000000>, /* PCIe2 DAT */
<0x44 0x10000000 0x44 0x10000000 0x00 0x08000000>, /* PCIe3 DAT */
<0x4d 0x80800000 0x4d 0x80800000 0x00 0x00800000>, /* C66_0 */
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 087/599] arm64: dts: ti: k3-j7200: Fix gic-v3 compatible regs
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 086/599] arm64: dts: ti: k3-j721e: " Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 088/599] ACPI: properties: Consistently return -ENOENT if there are no more references Greg Kroah-Hartman
` (524 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Nishanth Menon
From: Nishanth Menon <nm@ti.com>
commit 1a307cc299430dd7139d351a3b8941f493dfa885 upstream.
Though GIC ARE option is disabled for no GIC-v2 compatibility,
Cortex-A72 is free to implement the CPU interface as long as it
communicates with the GIC using the stream protocol. This requires
that the SoC integration mark out the PERIPHBASE[1] as reserved area
within the SoC. See longer discussion in [2] for further information.
Update the GIC register map to indicate offsets from PERIPHBASE based
on [3]. Without doing this, systems like kvm will not function with
gic-v2 emulation.
[1] https://developer.arm.com/documentation/100095/0002/system-control/aarch64-register-descriptions/configuration-base-address-register--el1
[2] https://lore.kernel.org/all/87k0e0tirw.wl-maz@kernel.org/
[3] https://developer.arm.com/documentation/100095/0002/way1382452674438
Cc: stable@vger.kernel.org
Fixes: d361ed88455f ("arm64: dts: ti: Add support for J7200 SoC")
Reported-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Nishanth Menon <nm@ti.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20220215201008.15235-4-nm@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/ti/k3-j7200-main.dtsi | 5 ++++-
arch/arm64/boot/dts/ti/k3-j7200.dtsi | 1 +
2 files changed, 5 insertions(+), 1 deletion(-)
--- a/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi
@@ -47,7 +47,10 @@
#interrupt-cells = <3>;
interrupt-controller;
reg = <0x00 0x01800000 0x00 0x10000>, /* GICD */
- <0x00 0x01900000 0x00 0x100000>; /* GICR */
+ <0x00 0x01900000 0x00 0x100000>, /* GICR */
+ <0x00 0x6f000000 0x00 0x2000>, /* GICC */
+ <0x00 0x6f010000 0x00 0x1000>, /* GICH */
+ <0x00 0x6f020000 0x00 0x2000>; /* GICV */
/* vcpumntirq: virtual CPU interface maintenance interrupt */
interrupts = <GIC_PPI 9 IRQ_TYPE_LEVEL_HIGH>;
--- a/arch/arm64/boot/dts/ti/k3-j7200.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-j7200.dtsi
@@ -127,6 +127,7 @@
<0x00 0x00a40000 0x00 0x00a40000 0x00 0x00000800>, /* timesync router */
<0x00 0x01000000 0x00 0x01000000 0x00 0x0d000000>, /* Most peripherals */
<0x00 0x30000000 0x00 0x30000000 0x00 0x0c400000>, /* MAIN NAVSS */
+ <0x00 0x6f000000 0x00 0x6f000000 0x00 0x00310000>, /* A72 PERIPHBASE */
<0x00 0x70000000 0x00 0x70000000 0x00 0x00800000>, /* MSMC RAM */
<0x00 0x18000000 0x00 0x18000000 0x00 0x08000000>, /* PCIe1 DAT0 */
<0x41 0x00000000 0x41 0x00000000 0x01 0x00000000>, /* PCIe1 DAT1 */
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 088/599] ACPI: properties: Consistently return -ENOENT if there are no more references
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 087/599] arm64: dts: ti: k3-j7200: " Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 089/599] coredump: Also dump first pages of non-executable ELF libraries Greg Kroah-Hartman
` (523 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sakari Ailus, Rafael J. Wysocki
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit babc92da5928f81af951663fc436997352e02d3a upstream.
__acpi_node_get_property_reference() is documented to return -ENOENT if
the caller requests a property reference at an index that does not exist,
not -EINVAL which it actually does.
Fix this by returning -ENOENT consistenly, independently of whether the
property value is a plain reference or a package.
Fixes: c343bc2ce2c6 ("ACPI: properties: Align return codes of __acpi_node_get_property_reference()")
Cc: 4.14+ <stable@vger.kernel.org> # 4.14+
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/property.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/acpi/property.c
+++ b/drivers/acpi/property.c
@@ -685,7 +685,7 @@ int __acpi_node_get_property_reference(c
*/
if (obj->type == ACPI_TYPE_LOCAL_REFERENCE) {
if (index)
- return -EINVAL;
+ return -ENOENT;
ret = acpi_bus_get_device(obj->reference.handle, &device);
if (ret)
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 089/599] coredump: Also dump first pages of non-executable ELF libraries
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 088/599] ACPI: properties: Consistently return -ENOENT if there are no more references Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 090/599] ext4: fix ext4_fc_stats trace point Greg Kroah-Hartman
` (522 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Bill Messmer, Jann Horn, Kees Cook
From: Jann Horn <jannh@google.com>
commit 84158b7f6a0624b81800b4e7c90f7fb7fdecf66c upstream.
When I rewrote the VMA dumping logic for coredumps, I changed it to
recognize ELF library mappings based on the file being executable instead
of the mapping having an ELF header. But turns out, distros ship many ELF
libraries as non-executable, so the heuristic goes wrong...
Restore the old behavior where FILTER(ELF_HEADERS) dumps the first page of
any offset-0 readable mapping that starts with the ELF magic.
This fix is technically layer-breaking a bit, because it checks for
something ELF-specific in fs/coredump.c; but since we probably want to
share this between standard ELF and FDPIC ELF anyway, I guess it's fine?
And this also keeps the change small for backporting.
Cc: stable@vger.kernel.org
Fixes: 429a22e776a2 ("coredump: rework elf/elf_fdpic vma_dump_size() into common helper")
Reported-by: Bill Messmer <wmessmer@microsoft.com>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220126025739.2014888-1-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/coredump.c | 39 ++++++++++++++++++++++++++++++++++-----
1 file changed, 34 insertions(+), 5 deletions(-)
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -41,6 +41,7 @@
#include <linux/fs.h>
#include <linux/path.h>
#include <linux/timekeeping.h>
+#include <linux/elf.h>
#include <linux/uaccess.h>
#include <asm/mmu_context.h>
@@ -969,6 +970,8 @@ static bool always_dump_vma(struct vm_ar
return false;
}
+#define DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER 1
+
/*
* Decide how much of @vma's contents should be included in a core dump.
*/
@@ -1028,9 +1031,20 @@ static unsigned long vma_dump_size(struc
* dump the first page to aid in determining what was mapped here.
*/
if (FILTER(ELF_HEADERS) &&
- vma->vm_pgoff == 0 && (vma->vm_flags & VM_READ) &&
- (READ_ONCE(file_inode(vma->vm_file)->i_mode) & 0111) != 0)
- return PAGE_SIZE;
+ vma->vm_pgoff == 0 && (vma->vm_flags & VM_READ)) {
+ if ((READ_ONCE(file_inode(vma->vm_file)->i_mode) & 0111) != 0)
+ return PAGE_SIZE;
+
+ /*
+ * ELF libraries aren't always executable.
+ * We'll want to check whether the mapping starts with the ELF
+ * magic, but not now - we're holding the mmap lock,
+ * so copy_from_user() doesn't work here.
+ * Use a placeholder instead, and fix it up later in
+ * dump_vma_snapshot().
+ */
+ return DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER;
+ }
#undef FILTER
@@ -1105,8 +1119,6 @@ int dump_vma_snapshot(struct coredump_pa
m->end = vma->vm_end;
m->flags = vma->vm_flags;
m->dump_size = vma_dump_size(vma, cprm->mm_flags);
-
- vma_data_size += m->dump_size;
}
mmap_write_unlock(mm);
@@ -1116,6 +1128,23 @@ int dump_vma_snapshot(struct coredump_pa
return -EFAULT;
}
+ for (i = 0; i < *vma_count; i++) {
+ struct core_vma_metadata *m = (*vma_meta) + i;
+
+ if (m->dump_size == DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER) {
+ char elfmag[SELFMAG];
+
+ if (copy_from_user(elfmag, (void __user *)m->start, SELFMAG) ||
+ memcmp(elfmag, ELFMAG, SELFMAG) != 0) {
+ m->dump_size = 0;
+ } else {
+ m->dump_size = PAGE_SIZE;
+ }
+ }
+
+ vma_data_size += m->dump_size;
+ }
+
*vma_data_size_ptr = vma_data_size;
return 0;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 090/599] ext4: fix ext4_fc_stats trace point
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 089/599] coredump: Also dump first pages of non-executable ELF libraries Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 091/599] ext4: fix fs corruption when tring to remove a non-empty directory with IO error Greg Kroah-Hartman
` (521 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Steven Rostedt,
Ritesh Harjani, Jan Kara, Harshad Shirwadkar, Theodore Tso
From: Ritesh Harjani <riteshh@linux.ibm.com>
commit 7af1974af0a9ba8a8ed2e3e947d87dd4d9a78d27 upstream.
ftrace's __print_symbolic() requires that any enum values used in the
symbol to string translation table be wrapped in a TRACE_DEFINE_ENUM
so that the enum value can be decoded from the ftrace ring buffer by
user space tooling.
This patch also fixes few other problems found in this trace point.
e.g. dereferencing structures in TP_printk which should not be done
at any cost.
Also to avoid checkpatch warnings, this patch removes those
whitespaces/tab stops issues.
Cc: stable@kernel.org
Fixes: aa75f4d3daae ("ext4: main fast-commit commit path")
Reported-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Reviewed-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Link: https://lore.kernel.org/r/b4b9691414c35c62e570b723e661c80674169f9a.1647057583.git.riteshh@linux.ibm.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/trace/events/ext4.h | 80 +++++++++++++++++++++++++++-----------------
1 file changed, 50 insertions(+), 30 deletions(-)
--- a/include/trace/events/ext4.h
+++ b/include/trace/events/ext4.h
@@ -95,6 +95,17 @@ TRACE_DEFINE_ENUM(ES_REFERENCED_B);
{ FALLOC_FL_COLLAPSE_RANGE, "COLLAPSE_RANGE"}, \
{ FALLOC_FL_ZERO_RANGE, "ZERO_RANGE"})
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_XATTR);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_CROSS_RENAME);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_JOURNAL_FLAG_CHANGE);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_NOMEM);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_SWAP_BOOT);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_RESIZE);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_RENAME_DIR);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_FALLOC_RANGE);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_INODE_JOURNAL_DATA);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_MAX);
+
#define show_fc_reason(reason) \
__print_symbolic(reason, \
{ EXT4_FC_REASON_XATTR, "XATTR"}, \
@@ -2899,41 +2910,50 @@ TRACE_EVENT(ext4_fc_commit_stop,
#define FC_REASON_NAME_STAT(reason) \
show_fc_reason(reason), \
- __entry->sbi->s_fc_stats.fc_ineligible_reason_count[reason]
+ __entry->fc_ineligible_rc[reason]
TRACE_EVENT(ext4_fc_stats,
- TP_PROTO(struct super_block *sb),
+ TP_PROTO(struct super_block *sb),
+
+ TP_ARGS(sb),
+
+ TP_STRUCT__entry(
+ __field(dev_t, dev)
+ __array(unsigned int, fc_ineligible_rc, EXT4_FC_REASON_MAX)
+ __field(unsigned long, fc_commits)
+ __field(unsigned long, fc_ineligible_commits)
+ __field(unsigned long, fc_numblks)
+ ),
- TP_ARGS(sb),
+ TP_fast_assign(
+ int i;
- TP_STRUCT__entry(
- __field(dev_t, dev)
- __field(struct ext4_sb_info *, sbi)
- __field(int, count)
- ),
-
- TP_fast_assign(
- __entry->dev = sb->s_dev;
- __entry->sbi = EXT4_SB(sb);
- ),
-
- TP_printk("dev %d:%d fc ineligible reasons:\n"
- "%s:%d, %s:%d, %s:%d, %s:%d, %s:%d, %s:%d, %s:%d, %s:%d, %s:%d; "
- "num_commits:%ld, ineligible: %ld, numblks: %ld",
- MAJOR(__entry->dev), MINOR(__entry->dev),
- FC_REASON_NAME_STAT(EXT4_FC_REASON_XATTR),
- FC_REASON_NAME_STAT(EXT4_FC_REASON_CROSS_RENAME),
- FC_REASON_NAME_STAT(EXT4_FC_REASON_JOURNAL_FLAG_CHANGE),
- FC_REASON_NAME_STAT(EXT4_FC_REASON_NOMEM),
- FC_REASON_NAME_STAT(EXT4_FC_REASON_SWAP_BOOT),
- FC_REASON_NAME_STAT(EXT4_FC_REASON_RESIZE),
- FC_REASON_NAME_STAT(EXT4_FC_REASON_RENAME_DIR),
- FC_REASON_NAME_STAT(EXT4_FC_REASON_FALLOC_RANGE),
- FC_REASON_NAME_STAT(EXT4_FC_REASON_INODE_JOURNAL_DATA),
- __entry->sbi->s_fc_stats.fc_num_commits,
- __entry->sbi->s_fc_stats.fc_ineligible_commits,
- __entry->sbi->s_fc_stats.fc_numblks)
+ __entry->dev = sb->s_dev;
+ for (i = 0; i < EXT4_FC_REASON_MAX; i++) {
+ __entry->fc_ineligible_rc[i] =
+ EXT4_SB(sb)->s_fc_stats.fc_ineligible_reason_count[i];
+ }
+ __entry->fc_commits = EXT4_SB(sb)->s_fc_stats.fc_num_commits;
+ __entry->fc_ineligible_commits =
+ EXT4_SB(sb)->s_fc_stats.fc_ineligible_commits;
+ __entry->fc_numblks = EXT4_SB(sb)->s_fc_stats.fc_numblks;
+ ),
+ TP_printk("dev %d,%d fc ineligible reasons:\n"
+ "%s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u "
+ "num_commits:%lu, ineligible: %lu, numblks: %lu",
+ MAJOR(__entry->dev), MINOR(__entry->dev),
+ FC_REASON_NAME_STAT(EXT4_FC_REASON_XATTR),
+ FC_REASON_NAME_STAT(EXT4_FC_REASON_CROSS_RENAME),
+ FC_REASON_NAME_STAT(EXT4_FC_REASON_JOURNAL_FLAG_CHANGE),
+ FC_REASON_NAME_STAT(EXT4_FC_REASON_NOMEM),
+ FC_REASON_NAME_STAT(EXT4_FC_REASON_SWAP_BOOT),
+ FC_REASON_NAME_STAT(EXT4_FC_REASON_RESIZE),
+ FC_REASON_NAME_STAT(EXT4_FC_REASON_RENAME_DIR),
+ FC_REASON_NAME_STAT(EXT4_FC_REASON_FALLOC_RANGE),
+ FC_REASON_NAME_STAT(EXT4_FC_REASON_INODE_JOURNAL_DATA),
+ __entry->fc_commits, __entry->fc_ineligible_commits,
+ __entry->fc_numblks)
);
#define DEFINE_TRACE_DENTRY_EVENT(__type) \
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 091/599] ext4: fix fs corruption when tring to remove a non-empty directory with IO error
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 090/599] ext4: fix ext4_fc_stats trace point Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 092/599] drivers: hamradio: 6pack: fix UAF bug caused by mod_timer() Greg Kroah-Hartman
` (520 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ye Bin, stable, Theodore Tso
From: Ye Bin <yebin10@huawei.com>
commit 7aab5c84a0f6ec2290e2ba4a6b245178b1bf949a upstream.
We inject IO error when rmdir non empty direcory, then got issue as follows:
step1: mkfs.ext4 -F /dev/sda
step2: mount /dev/sda test
step3: cd test
step4: mkdir -p 1/2
step5: rmdir 1
[ 110.920551] ext4_empty_dir: inject fault
[ 110.921926] EXT4-fs warning (device sda): ext4_rmdir:3113: inode #12:
comm rmdir: empty directory '1' has too many links (3)
step6: cd ..
step7: umount test
step8: fsck.ext4 -f /dev/sda
e2fsck 1.42.9 (28-Dec-2013)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Entry '..' in .../??? (13) has deleted/unused inode 12. Clear<y>? yes
Pass 3: Checking directory connectivity
Unconnected directory inode 13 (...)
Connect to /lost+found<y>? yes
Pass 4: Checking reference counts
Inode 13 ref count is 3, should be 2. Fix<y>? yes
Pass 5: Checking group summary information
/dev/sda: ***** FILE SYSTEM WAS MODIFIED *****
/dev/sda: 12/131072 files (0.0% non-contiguous), 26157/524288 blocks
ext4_rmdir
if (!ext4_empty_dir(inode))
goto end_rmdir;
ext4_empty_dir
bh = ext4_read_dirblock(inode, 0, DIRENT_HTREE);
if (IS_ERR(bh))
return true;
Now if read directory block failed, 'ext4_empty_dir' will return true, assume
directory is empty. Obviously, it will lead to above issue.
To solve this issue, if read directory block failed 'ext4_empty_dir' just
return false. To avoid making things worse when file system is already
corrupted, 'ext4_empty_dir' also return false.
Signed-off-by: Ye Bin <yebin10@huawei.com>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20220228024815.3952506-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inline.c | 9 ++++-----
fs/ext4/namei.c | 10 +++++-----
2 files changed, 9 insertions(+), 10 deletions(-)
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1768,19 +1768,20 @@ bool empty_inline_dir(struct inode *dir,
void *inline_pos;
unsigned int offset;
struct ext4_dir_entry_2 *de;
- bool ret = true;
+ bool ret = false;
err = ext4_get_inode_loc(dir, &iloc);
if (err) {
EXT4_ERROR_INODE_ERR(dir, -err,
"error %d getting inode %lu block",
err, dir->i_ino);
- return true;
+ return false;
}
down_read(&EXT4_I(dir)->xattr_sem);
if (!ext4_has_inline_data(dir)) {
*has_inline_data = 0;
+ ret = true;
goto out;
}
@@ -1789,7 +1790,6 @@ bool empty_inline_dir(struct inode *dir,
ext4_warning(dir->i_sb,
"bad inline directory (dir #%lu) - no `..'",
dir->i_ino);
- ret = true;
goto out;
}
@@ -1808,16 +1808,15 @@ bool empty_inline_dir(struct inode *dir,
dir->i_ino, le32_to_cpu(de->inode),
le16_to_cpu(de->rec_len), de->name_len,
inline_size);
- ret = true;
goto out;
}
if (le32_to_cpu(de->inode)) {
- ret = false;
goto out;
}
offset += ext4_rec_len_from_disk(de->rec_len, inline_size);
}
+ ret = true;
out:
up_read(&EXT4_I(dir)->xattr_sem);
brelse(iloc.bh);
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2868,14 +2868,14 @@ bool ext4_empty_dir(struct inode *inode)
sb = inode->i_sb;
if (inode->i_size < EXT4_DIR_REC_LEN(1) + EXT4_DIR_REC_LEN(2)) {
EXT4_ERROR_INODE(inode, "invalid size");
- return true;
+ return false;
}
/* The first directory block must not be a hole,
* so treat it as DIRENT_HTREE
*/
bh = ext4_read_dirblock(inode, 0, DIRENT_HTREE);
if (IS_ERR(bh))
- return true;
+ return false;
de = (struct ext4_dir_entry_2 *) bh->b_data;
if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size,
@@ -2883,7 +2883,7 @@ bool ext4_empty_dir(struct inode *inode)
le32_to_cpu(de->inode) != inode->i_ino || strcmp(".", de->name)) {
ext4_warning_inode(inode, "directory missing '.'");
brelse(bh);
- return true;
+ return false;
}
offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);
de = ext4_next_entry(de, sb->s_blocksize);
@@ -2892,7 +2892,7 @@ bool ext4_empty_dir(struct inode *inode)
le32_to_cpu(de->inode) == 0 || strcmp("..", de->name)) {
ext4_warning_inode(inode, "directory missing '..'");
brelse(bh);
- return true;
+ return false;
}
offset += ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);
while (offset < inode->i_size) {
@@ -2906,7 +2906,7 @@ bool ext4_empty_dir(struct inode *inode)
continue;
}
if (IS_ERR(bh))
- return true;
+ return false;
}
de = (struct ext4_dir_entry_2 *) (bh->b_data +
(offset & (sb->s_blocksize - 1)));
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 092/599] drivers: hamradio: 6pack: fix UAF bug caused by mod_timer()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 091/599] ext4: fix fs corruption when tring to remove a non-empty directory with IO error Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-12 6:24 ` xujia (Q)
2022-04-05 7:26 ` [PATCH 5.10 093/599] mailbox: tegra-hsp: Flush whole channel Greg Kroah-Hartman
` (519 subsequent siblings)
611 siblings, 1 reply; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Duoming Zhou, Lin Ma, David S. Miller
From: Duoming Zhou <duoming@zju.edu.cn>
commit efe4186e6a1b54bf38b9e05450d43b0da1fd7739 upstream.
When a 6pack device is detaching, the sixpack_close() will act to cleanup
necessary resources. Although del_timer_sync() in sixpack_close()
won't return if there is an active timer, one could use mod_timer() in
sp_xmit_on_air() to wake up timer again by calling userspace syscall such
as ax25_sendmsg(), ax25_connect() and ax25_ioctl().
This unexpected waked handler, sp_xmit_on_air(), realizes nothing about
the undergoing cleanup and may still call pty_write() to use driver layer
resources that have already been released.
One of the possible race conditions is shown below:
(USE) | (FREE)
ax25_sendmsg() |
ax25_queue_xmit() |
... |
sp_xmit() |
sp_encaps() | sixpack_close()
sp_xmit_on_air() | del_timer_sync(&sp->tx_t)
mod_timer(&sp->tx_t,...) | ...
| unregister_netdev()
| ...
(wait a while) | tty_release()
| tty_release_struct()
| release_tty()
sp_xmit_on_air() | tty_kref_put(tty_struct) //FREE
pty_write(tty_struct) //USE | ...
The corresponding fail log is shown below:
===============================================================
BUG: KASAN: use-after-free in __run_timers.part.0+0x170/0x470
Write of size 8 at addr ffff88800a652ab8 by task swapper/2/0
...
Call Trace:
...
queue_work_on+0x3f/0x50
pty_write+0xcd/0xe0pty_write+0xcd/0xe0
sp_xmit_on_air+0xb2/0x1f0
call_timer_fn+0x28/0x150
__run_timers.part.0+0x3c2/0x470
run_timer_softirq+0x3b/0x80
__do_softirq+0xf1/0x380
...
This patch reorders the del_timer_sync() after the unregister_netdev()
to avoid UAF bugs. Because the unregister_netdev() is well synchronized,
it flushs out any pending queues, waits the refcount of net_device
decreases to zero and removes net_device from kernel. There is not any
running routines after executing unregister_netdev(). Therefore, we could
not arouse timer from userspace again.
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Reviewed-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/hamradio/6pack.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -674,14 +674,14 @@ static void sixpack_close(struct tty_str
*/
netif_stop_queue(sp->dev);
+ unregister_netdev(sp->dev);
+
del_timer_sync(&sp->tx_t);
del_timer_sync(&sp->resync_t);
/* Free all 6pack frame buffers. */
kfree(sp->rbuff);
kfree(sp->xbuff);
-
- unregister_netdev(sp->dev);
}
/* Perform I/O control on an active 6pack channel. */
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 093/599] mailbox: tegra-hsp: Flush whole channel
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 092/599] drivers: hamradio: 6pack: fix UAF bug caused by mod_timer() Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 094/599] block: limit request dispatch loop duration Greg Kroah-Hartman
` (518 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pekka Pessi, Jon Hunter,
Thierry Reding, Jassi Brar
From: Pekka Pessi <ppessi@nvidia.com>
commit 60de2d2dc284e0dd1c2c897d08625bde24ef3454 upstream.
The txdone can re-fill the mailbox. Keep polling the mailbox during the
flush until all the messages have been delivered.
This fixes an issue with the Tegra Combined UART (TCU) where output can
get truncated under high traffic load.
Signed-off-by: Pekka Pessi <ppessi@nvidia.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Fixes: 91b1b1c3da8a ("mailbox: tegra-hsp: Add support for shared mailboxes")
Cc: stable@vger.kernel.org
Signed-off-by: Thierry Reding <treding@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mailbox/tegra-hsp.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/mailbox/tegra-hsp.c
+++ b/drivers/mailbox/tegra-hsp.c
@@ -410,6 +410,11 @@ static int tegra_hsp_mailbox_flush(struc
value = tegra_hsp_channel_readl(ch, HSP_SM_SHRD_MBOX);
if ((value & HSP_SM_SHRD_MBOX_FULL) == 0) {
mbox_chan_txdone(chan, 0);
+
+ /* Wait until channel is empty */
+ if (chan->active_req != NULL)
+ continue;
+
return 0;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 094/599] block: limit request dispatch loop duration
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 093/599] mailbox: tegra-hsp: Flush whole channel Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 095/599] block: dont merge across cgroup boundaries if blkcg is enabled Greg Kroah-Hartman
` (517 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Shinichiro Kawasaki, Jens Axboe
From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
commit 572299f03afd676dd4e20669cdaf5ed0fe1379d4 upstream.
When IO requests are made continuously and the target block device
handles requests faster than request arrival, the request dispatch loop
keeps on repeating to dispatch the arriving requests very long time,
more than a minute. Since the loop runs as a workqueue worker task, the
very long loop duration triggers workqueue watchdog timeout and BUG [1].
To avoid the very long loop duration, break the loop periodically. When
opportunity to dispatch requests still exists, check need_resched(). If
need_resched() returns true, the dispatch loop already consumed its time
slice, then reschedule the dispatch work and break the loop. With heavy
IO load, need_resched() does not return true for 20~30 seconds. To cover
such case, check time spent in the dispatch loop with jiffies. If more
than 1 second is spent, reschedule the dispatch work and break the loop.
[1]
[ 609.691437] BUG: workqueue lockup - pool cpus=10 node=1 flags=0x0 nice=-20 stuck for 35s!
[ 609.701820] Showing busy workqueues and worker pools:
[ 609.707915] workqueue events: flags=0x0
[ 609.712615] pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 refcnt=2
[ 609.712626] pending: drm_fb_helper_damage_work [drm_kms_helper]
[ 609.712687] workqueue events_freezable: flags=0x4
[ 609.732943] pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 refcnt=2
[ 609.732952] pending: pci_pme_list_scan
[ 609.732968] workqueue events_power_efficient: flags=0x80
[ 609.751947] pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 refcnt=2
[ 609.751955] pending: neigh_managed_work
[ 609.752018] workqueue kblockd: flags=0x18
[ 609.769480] pwq 21: cpus=10 node=1 flags=0x0 nice=-20 active=3/256 refcnt=4
[ 609.769488] in-flight: 1020:blk_mq_run_work_fn
[ 609.769498] pending: blk_mq_timeout_work, blk_mq_run_work_fn
[ 609.769744] pool 21: cpus=10 node=1 flags=0x0 nice=-20 hung=35s workers=2 idle: 67
[ 639.899730] BUG: workqueue lockup - pool cpus=10 node=1 flags=0x0 nice=-20 stuck for 66s!
[ 639.909513] Showing busy workqueues and worker pools:
[ 639.915404] workqueue events: flags=0x0
[ 639.920197] pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 refcnt=2
[ 639.920215] pending: drm_fb_helper_damage_work [drm_kms_helper]
[ 639.920365] workqueue kblockd: flags=0x18
[ 639.939932] pwq 21: cpus=10 node=1 flags=0x0 nice=-20 active=3/256 refcnt=4
[ 639.939942] in-flight: 1020:blk_mq_run_work_fn
[ 639.939955] pending: blk_mq_timeout_work, blk_mq_run_work_fn
[ 639.940212] pool 21: cpus=10 node=1 flags=0x0 nice=-20 hung=66s workers=2 idle: 67
Fixes: 6e6fcbc27e778 ("blk-mq: support batching dispatch in case of io")
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Cc: stable@vger.kernel.org # v5.10+
Link: https://lore.kernel.org/linux-block/20220310091649.zypaem5lkyfadymg@shindev/
Link: https://lore.kernel.org/r/20220318022641.133484-1-shinichiro.kawasaki@wdc.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-mq-sched.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/block/blk-mq-sched.c
+++ b/block/blk-mq-sched.c
@@ -194,11 +194,18 @@ static int __blk_mq_do_dispatch_sched(st
static int blk_mq_do_dispatch_sched(struct blk_mq_hw_ctx *hctx)
{
+ unsigned long end = jiffies + HZ;
int ret;
do {
ret = __blk_mq_do_dispatch_sched(hctx);
- } while (ret == 1);
+ if (ret != 1)
+ break;
+ if (need_resched() || time_is_before_jiffies(end)) {
+ blk_mq_delay_run_hw_queue(hctx, 0);
+ break;
+ }
+ } while (1);
return ret;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 095/599] block: dont merge across cgroup boundaries if blkcg is enabled
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 094/599] block: limit request dispatch loop duration Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` Greg Kroah-Hartman
` (516 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tejun Heo, Josef Bacik, Jens Axboe
From: Tejun Heo <tj@kernel.org>
commit 6b2b04590b51aa4cf395fcd185ce439cab5961dc upstream.
blk-iocost and iolatency are cgroup aware rq-qos policies but they didn't
disable merges across different cgroups. This obviously can lead to
accounting and control errors but more importantly to priority inversions -
e.g. an IO which belongs to a higher priority cgroup or IO class may end up
getting throttled incorrectly because it gets merged to an IO issued from a
low priority cgroup.
Fix it by adding blk_cgroup_mergeable() which is called from merge paths and
rejects cross-cgroup and cross-issue_as_root merges.
Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: d70675121546 ("block: introduce blk-iolatency io controller")
Cc: stable@vger.kernel.org # v4.19+
Cc: Josef Bacik <jbacik@fb.com>
Link: https://lore.kernel.org/r/Yi/eE/6zFNyWJ+qd@slm.duckdns.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-merge.c | 11 +++++++++++
include/linux/blk-cgroup.h | 17 +++++++++++++++++
2 files changed, 28 insertions(+)
--- a/block/blk-merge.c
+++ b/block/blk-merge.c
@@ -7,6 +7,7 @@
#include <linux/bio.h>
#include <linux/blkdev.h>
#include <linux/scatterlist.h>
+#include <linux/blk-cgroup.h>
#include <trace/events/block.h>
@@ -554,6 +555,9 @@ static inline unsigned int blk_rq_get_ma
static inline int ll_new_hw_segment(struct request *req, struct bio *bio,
unsigned int nr_phys_segs)
{
+ if (!blk_cgroup_mergeable(req, bio))
+ goto no_merge;
+
if (blk_integrity_merge_bio(req->q, req, bio) == false)
goto no_merge;
@@ -650,6 +654,9 @@ static int ll_merge_requests_fn(struct r
if (total_phys_segments > blk_rq_get_max_segments(req))
return 0;
+ if (!blk_cgroup_mergeable(req, next->bio))
+ return 0;
+
if (blk_integrity_merge_rq(q, req, next) == false)
return 0;
@@ -861,6 +868,10 @@ bool blk_rq_merge_ok(struct request *rq,
if (rq->rq_disk != bio->bi_disk)
return false;
+ /* don't merge across cgroup boundaries */
+ if (!blk_cgroup_mergeable(rq, bio))
+ return false;
+
/* only merge integrity protected bio into ditto rq */
if (blk_integrity_merge_bio(rq->q, rq, bio) == false)
return false;
--- a/include/linux/blk-cgroup.h
+++ b/include/linux/blk-cgroup.h
@@ -24,6 +24,7 @@
#include <linux/atomic.h>
#include <linux/kthread.h>
#include <linux/fs.h>
+#include <linux/blk-mq.h>
/* percpu_counter batch for blkg_[rw]stats, per-cpu drift doesn't matter */
#define BLKG_STAT_CPU_BATCH (INT_MAX / 2)
@@ -599,6 +600,21 @@ static inline void blkcg_clear_delay(str
atomic_dec(&blkg->blkcg->css.cgroup->congestion_count);
}
+/**
+ * blk_cgroup_mergeable - Determine whether to allow or disallow merges
+ * @rq: request to merge into
+ * @bio: bio to merge
+ *
+ * @bio and @rq should belong to the same cgroup and their issue_as_root should
+ * match. The latter is necessary as we don't want to throttle e.g. a metadata
+ * update because it happens to be next to a regular IO.
+ */
+static inline bool blk_cgroup_mergeable(struct request *rq, struct bio *bio)
+{
+ return rq->bio->bi_blkg == bio->bi_blkg &&
+ bio_issue_as_root_blkg(rq->bio) == bio_issue_as_root_blkg(bio);
+}
+
void blk_cgroup_bio_start(struct bio *bio);
void blkcg_add_delay(struct blkcg_gq *blkg, u64 now, u64 delta);
void blkcg_schedule_throttle(struct request_queue *q, bool use_memdelay);
@@ -654,6 +670,7 @@ static inline void blkg_put(struct blkcg
static inline bool blkcg_punt_bio_submit(struct bio *bio) { return false; }
static inline void blkcg_bio_issue_init(struct bio *bio) { }
static inline void blk_cgroup_bio_start(struct bio *bio) { }
+static inline bool blk_cgroup_mergeable(struct request *rq, struct bio *bio) { return true; }
#define blk_queue_for_each_rl(rl, q) \
for ((rl) = &(q)->root_rl; (rl); (rl) = NULL)
^ permalink raw reply [flat|nested] 636+ messages in thread
* [Intel-gfx] [PATCH 5.10 096/599] drm/edid: check basic audio support on CEA extension block
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:24 ` [PATCH 5.10 002/599] USB: serial: pl2303: add IBM device IDs Greg Kroah-Hartman
` (610 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Cooper Chiou, Jani Nikula, Greg Kroah-Hartman, intel-gfx, stable
From: Cooper Chiou <cooper.chiou@intel.com>
commit 5662abf6e21338be6d085d6375d3732ac6147fd2 upstream.
Tag code stored in bit7:5 for CTA block byte[3] is not the same as
CEA extension block definition. Only check CEA block has
basic audio support.
v3: update commit message.
Cc: stable@vger.kernel.org
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Shawn C Lee <shawn.c.lee@intel.com>
Cc: intel-gfx <intel-gfx@lists.freedesktop.org>
Signed-off-by: Cooper Chiou <cooper.chiou@intel.com>
Signed-off-by: Lee Shawn C <shawn.c.lee@intel.com>
Fixes: e28ad544f462 ("drm/edid: parse CEA blocks embedded in DisplayID")
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220324061218.32739-1-shawn.c.lee@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_edid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -4806,7 +4806,8 @@ bool drm_detect_monitor_audio(struct edi
if (!edid_ext)
goto end;
- has_audio = ((edid_ext[3] & EDID_BASIC_AUDIO) != 0);
+ has_audio = (edid_ext[0] == CEA_EXT &&
+ (edid_ext[3] & EDID_BASIC_AUDIO) != 0);
if (has_audio) {
DRM_DEBUG_KMS("Monitor has basic audio support\n");
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 096/599] drm/edid: check basic audio support on CEA extension block
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
0 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jani Nikula, Shawn C Lee, intel-gfx,
Cooper Chiou
From: Cooper Chiou <cooper.chiou@intel.com>
commit 5662abf6e21338be6d085d6375d3732ac6147fd2 upstream.
Tag code stored in bit7:5 for CTA block byte[3] is not the same as
CEA extension block definition. Only check CEA block has
basic audio support.
v3: update commit message.
Cc: stable@vger.kernel.org
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Shawn C Lee <shawn.c.lee@intel.com>
Cc: intel-gfx <intel-gfx@lists.freedesktop.org>
Signed-off-by: Cooper Chiou <cooper.chiou@intel.com>
Signed-off-by: Lee Shawn C <shawn.c.lee@intel.com>
Fixes: e28ad544f462 ("drm/edid: parse CEA blocks embedded in DisplayID")
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220324061218.32739-1-shawn.c.lee@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_edid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -4806,7 +4806,8 @@ bool drm_detect_monitor_audio(struct edi
if (!edid_ext)
goto end;
- has_audio = ((edid_ext[3] & EDID_BASIC_AUDIO) != 0);
+ has_audio = (edid_ext[0] == CEA_EXT &&
+ (edid_ext[3] & EDID_BASIC_AUDIO) != 0);
if (has_audio) {
DRM_DEBUG_KMS("Monitor has basic audio support\n");
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 097/599] video: fbdev: sm712fb: Fix crash in smtcfb_read()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2022-04-05 7:26 ` Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 098/599] video: fbdev: atari: Atari 2 bpp (STe) palette bugfix Greg Kroah-Hartman
` (514 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zheyu Ma, Helge Deller
From: Helge Deller <deller@gmx.de>
commit bd771cf5c4254511cc4abb88f3dab3bd58bdf8e8 upstream.
Zheyu Ma reported this crash in the sm712fb driver when reading
three bytes from the framebuffer:
BUG: unable to handle page fault for address: ffffc90001ffffff
RIP: 0010:smtcfb_read+0x230/0x3e0
Call Trace:
vfs_read+0x198/0xa00
? do_sys_openat2+0x27d/0x350
? __fget_light+0x54/0x340
ksys_read+0xce/0x190
do_syscall_64+0x43/0x90
Fix it by removing the open-coded endianess fixup-code and
by moving the pointer post decrement out the fb_readl() function.
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Tested-by: Zheyu Ma <zheyuma97@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/sm712fb.c | 25 +++++++------------------
1 file changed, 7 insertions(+), 18 deletions(-)
--- a/drivers/video/fbdev/sm712fb.c
+++ b/drivers/video/fbdev/sm712fb.c
@@ -1047,7 +1047,7 @@ static ssize_t smtcfb_read(struct fb_inf
if (count + p > total_size)
count = total_size - p;
- buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, GFP_KERNEL);
+ buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
if (!buffer)
return -ENOMEM;
@@ -1059,25 +1059,14 @@ static ssize_t smtcfb_read(struct fb_inf
while (count) {
c = (count > PAGE_SIZE) ? PAGE_SIZE : count;
dst = buffer;
- for (i = c >> 2; i--;) {
- *dst = fb_readl(src++);
- *dst = big_swap(*dst);
+ for (i = (c + 3) >> 2; i--;) {
+ u32 val;
+
+ val = fb_readl(src);
+ *dst = big_swap(val);
+ src++;
dst++;
}
- if (c & 3) {
- u8 *dst8 = (u8 *)dst;
- u8 __iomem *src8 = (u8 __iomem *)src;
-
- for (i = c & 3; i--;) {
- if (i & 1) {
- *dst8++ = fb_readb(++src8);
- } else {
- *dst8++ = fb_readb(--src8);
- src8 += 2;
- }
- }
- src = (u32 __iomem *)src8;
- }
if (copy_to_user(buf, buffer, c)) {
err = -EFAULT;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 098/599] video: fbdev: atari: Atari 2 bpp (STe) palette bugfix
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 097/599] video: fbdev: sm712fb: Fix crash in smtcfb_read() Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 099/599] ARM: dts: at91: sama5d2: Fix PMERRLOC resource size Greg Kroah-Hartman
` (513 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Michael Schmitz,
Helge Deller
From: Michael Schmitz <schmitzmic@gmail.com>
commit c8be5edbd36ceed2ff3d6b8f8e40643c3f396ea3 upstream.
The code to set the shifter STe palette registers has a long
standing operator precedence bug, manifesting as colors set
on a 2 bits per pixel frame buffer coming up with a distinctive
blue tint.
Add parentheses around the calculation of the per-color palette
data before shifting those into their respective bit field position.
This bug goes back a long way (2.4 days at the very least) so there
won't be a Fixes: tag.
Tested on ARAnyM as well on Falcon030 hardware.
Cc: stable@vger.kernel.org
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://lore.kernel.org/all/CAMuHMdU3ievhXxKR_xi_v3aumnYW7UNUO6qMdhgfyWTyVSsCkQ@mail.gmail.com
Tested-by: Michael Schmitz <schmitzmic@gmail.com>
Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/atafb.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/video/fbdev/atafb.c
+++ b/drivers/video/fbdev/atafb.c
@@ -1691,9 +1691,9 @@ static int falcon_setcolreg(unsigned int
((blue & 0xfc00) >> 8));
if (regno < 16) {
shifter_tt.color_reg[regno] =
- (((red & 0xe000) >> 13) | ((red & 0x1000) >> 12) << 8) |
- (((green & 0xe000) >> 13) | ((green & 0x1000) >> 12) << 4) |
- ((blue & 0xe000) >> 13) | ((blue & 0x1000) >> 12);
+ ((((red & 0xe000) >> 13) | ((red & 0x1000) >> 12)) << 8) |
+ ((((green & 0xe000) >> 13) | ((green & 0x1000) >> 12)) << 4) |
+ ((blue & 0xe000) >> 13) | ((blue & 0x1000) >> 12);
((u32 *)info->pseudo_palette)[regno] = ((red & 0xf800) |
((green & 0xfc00) >> 5) |
((blue & 0xf800) >> 11));
@@ -1979,9 +1979,9 @@ static int stste_setcolreg(unsigned int
green >>= 12;
if (ATARIHW_PRESENT(EXTD_SHIFTER))
shifter_tt.color_reg[regno] =
- (((red & 0xe) >> 1) | ((red & 1) << 3) << 8) |
- (((green & 0xe) >> 1) | ((green & 1) << 3) << 4) |
- ((blue & 0xe) >> 1) | ((blue & 1) << 3);
+ ((((red & 0xe) >> 1) | ((red & 1) << 3)) << 8) |
+ ((((green & 0xe) >> 1) | ((green & 1) << 3)) << 4) |
+ ((blue & 0xe) >> 1) | ((blue & 1) << 3);
else
shifter_tt.color_reg[regno] =
((red & 0xe) << 7) |
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 099/599] ARM: dts: at91: sama5d2: Fix PMERRLOC resource size
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 098/599] video: fbdev: atari: Atari 2 bpp (STe) palette bugfix Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 100/599] ARM: dts: exynos: fix UART3 pins configuration in Exynos5250 Greg Kroah-Hartman
` (512 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tudor Ambarus, Alexander Dahl, Nicolas Ferre
From: Tudor Ambarus <tudor.ambarus@microchip.com>
commit 0fb578a529ac7aca326a9fa475b4a6f58a756fda upstream.
PMERRLOC resource size was set to 0x100, which resulted in HSMC_ERRLOCx
register being truncated to offset x = 21, causing error correction to
fail if more than 22 bit errors and if 24 or 32 bit error correction
was supported.
Fixes: d9c41bf30cf8 ("ARM: dts: at91: Declare EBI/NAND controllers")
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Cc: <stable@vger.kernel.org> # 4.13.x
Acked-by: Alexander Dahl <ada@thorsis.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Link: https://lore.kernel.org/r/20220111132301.906712-1-tudor.ambarus@microchip.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/sama5d2.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm/boot/dts/sama5d2.dtsi
+++ b/arch/arm/boot/dts/sama5d2.dtsi
@@ -413,7 +413,7 @@
pmecc: ecc-engine@f8014070 {
compatible = "atmel,sama5d2-pmecc";
reg = <0xf8014070 0x490>,
- <0xf8014500 0x100>;
+ <0xf8014500 0x200>;
};
};
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 100/599] ARM: dts: exynos: fix UART3 pins configuration in Exynos5250
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 099/599] ARM: dts: at91: sama5d2: Fix PMERRLOC resource size Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 101/599] ARM: dts: exynos: add missing HDMI supplies on SMDK5250 Greg Kroah-Hartman
` (511 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski,
Marek Szyprowski, Alim Akhtar
From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
commit 372d7027fed43c8570018e124cf78b89523a1f8e upstream.
The gpa1-4 pin was put twice in UART3 pin configuration of Exynos5250,
instead of proper pin gpa1-5.
Fixes: f8bfe2b050f3 ("ARM: dts: add pin state information in client nodes for Exynos5 platforms")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
Link: https://lore.kernel.org/r/20211230195325.328220-1-krzysztof.kozlowski@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/exynos5250-pinctrl.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm/boot/dts/exynos5250-pinctrl.dtsi
+++ b/arch/arm/boot/dts/exynos5250-pinctrl.dtsi
@@ -260,7 +260,7 @@
};
uart3_data: uart3-data {
- samsung,pins = "gpa1-4", "gpa1-4";
+ samsung,pins = "gpa1-4", "gpa1-5";
samsung,pin-function = <EXYNOS_PIN_FUNC_2>;
samsung,pin-pud = <EXYNOS_PIN_PULL_NONE>;
samsung,pin-drv = <EXYNOS4_PIN_DRV_LV1>;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 101/599] ARM: dts: exynos: add missing HDMI supplies on SMDK5250
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 100/599] ARM: dts: exynos: fix UART3 pins configuration in Exynos5250 Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 102/599] ARM: dts: exynos: add missing HDMI supplies on SMDK5420 Greg Kroah-Hartman
` (510 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Alim Akhtar
From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
commit 60a9914cb2061ba612a3f14f6ad329912b486360 upstream.
Add required VDD supplies to HDMI block on SMDK5250. Without them, the
HDMI driver won't probe. Because of lack of schematics, use same
supplies as on Arndale 5250 board (voltage matches).
Cc: <stable@vger.kernel.org> # v3.15+
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
Link: https://lore.kernel.org/r/20220208171823.226211-2-krzysztof.kozlowski@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/exynos5250-smdk5250.dts | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/arm/boot/dts/exynos5250-smdk5250.dts
+++ b/arch/arm/boot/dts/exynos5250-smdk5250.dts
@@ -118,6 +118,9 @@
status = "okay";
ddc = <&i2c_2>;
hpd-gpios = <&gpx3 7 GPIO_ACTIVE_HIGH>;
+ vdd-supply = <&ldo8_reg>;
+ vdd_osc-supply = <&ldo10_reg>;
+ vdd_pll-supply = <&ldo8_reg>;
};
&i2c_0 {
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 102/599] ARM: dts: exynos: add missing HDMI supplies on SMDK5420
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 101/599] ARM: dts: exynos: add missing HDMI supplies on SMDK5250 Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 103/599] mgag200 fix memmapsl configuration in GCTL6 register Greg Kroah-Hartman
` (509 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Alim Akhtar
From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
commit 453a24ded415f7fce0499c6b0a2c7b28f84911f2 upstream.
Add required VDD supplies to HDMI block on SMDK5420. Without them, the
HDMI driver won't probe. Because of lack of schematics, use same
supplies as on Arndale Octa and Odroid XU3 boards (voltage matches).
Cc: <stable@vger.kernel.org> # v3.15+
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
Link: https://lore.kernel.org/r/20220208171823.226211-3-krzysztof.kozlowski@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/exynos5420-smdk5420.dts | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/arm/boot/dts/exynos5420-smdk5420.dts
+++ b/arch/arm/boot/dts/exynos5420-smdk5420.dts
@@ -124,6 +124,9 @@
hpd-gpios = <&gpx3 7 GPIO_ACTIVE_HIGH>;
pinctrl-names = "default";
pinctrl-0 = <&hdmi_hpd_irq>;
+ vdd-supply = <&ldo6_reg>;
+ vdd_osc-supply = <&ldo7_reg>;
+ vdd_pll-supply = <&ldo6_reg>;
};
&hsi2c_4 {
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 103/599] mgag200 fix memmapsl configuration in GCTL6 register
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 102/599] ARM: dts: exynos: add missing HDMI supplies on SMDK5420 Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 104/599] carl9170: fix missing bit-wise or operator for tx_params Greg Kroah-Hartman
` (508 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jocelyn Falempe,
Javier Martinez Canillas, Lyude Paul, Thomas Zimmermann
From: Jocelyn Falempe <jfalempe@redhat.com>
commit 028a73e10705af1ffd51f2537460f616dc58680e upstream.
On some servers with MGA G200_SE_A (rev 42), booting with Legacy BIOS,
the hardware hangs when using kdump and kexec into the kdump kernel.
This happens when the uncompress code tries to write "Decompressing Linux"
to the VGA Console.
It can be reproduced by writing to the VGA console (0xB8000) after
booting to graphic mode, it generates the following error:
kernel:NMI: PCI system error (SERR) for reason a0 on CPU 0.
kernel:Dazed and confused, but trying to continue
The root cause is the configuration of the MGA GCTL6 register
According to the GCTL6 register documentation:
bit 0 is gcgrmode:
0: Enables alpha mode, and the character generator addressing system is
activated.
1: Enables graphics mode, and the character addressing system is not
used.
bit 1 is chainodd even:
0: The A0 signal of the memory address bus is used during system memory
addressing.
1: Allows A0 to be replaced by either the A16 signal of the system
address (ifmemmapsl is ‘00’), or by the hpgoddev (MISC<5>, odd/even
page select) field, described on page 3-294).
bit 3-2 are memmapsl:
Memory map select bits 1 and 0. VGA.
These bits select where the video memory is mapped, as shown below:
00 => A0000h - BFFFFh
01 => A0000h - AFFFFh
10 => B0000h - B7FFFh
11 => B8000h - BFFFFh
bit 7-4 are reserved.
Current code set it to 0x05 => memmapsl to b01 => 0xa0000 (graphic mode)
But on x86, the VGA console is at 0xb8000 (text mode)
In arch/x86/boot/compressed/misc.c debug strings are written to 0xb8000
As the driver doesn't use this mapping at 0xa0000, it is safe to set it to
0xb8000 instead, to avoid kernel hang on G200_SE_A rev42, with kexec/kdump.
Thus changing the value 0x05 to 0x0d
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Acked-by: Lyude Paul <lyude@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20220119102905.1194787-1-jfalempe@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/mgag200/mgag200_mode.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/mgag200/mgag200_mode.c
+++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
@@ -1243,7 +1243,10 @@ static void mgag200_set_format_regs(stru
WREG_GFX(3, 0x00);
WREG_GFX(4, 0x00);
WREG_GFX(5, 0x40);
- WREG_GFX(6, 0x05);
+ /* GCTL6 should be 0x05, but we configure memmapsl to 0xb8000 (text mode),
+ * so that it doesn't hang when running kexec/kdump on G200_SE rev42.
+ */
+ WREG_GFX(6, 0x0d);
WREG_GFX(7, 0x0f);
WREG_GFX(8, 0x0f);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 104/599] carl9170: fix missing bit-wise or operator for tx_params
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 103/599] mgag200 fix memmapsl configuration in GCTL6 register Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 105/599] pstore: Dont use semaphores in always-atomic-context code Greg Kroah-Hartman
` (507 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Colin Ian King, Stable,
Christian Lamparter, Kalle Valo
From: Colin Ian King <colin.i.king@gmail.com>
commit 02a95374b5eebdbd3b6413fd7ddec151d2ea75a1 upstream.
Currently tx_params is being re-assigned with a new value and the
previous setting IEEE80211_HT_MCS_TX_RX_DIFF is being overwritten.
The assignment operator is incorrect, the original intent was to
bit-wise or the value in. Fix this by replacing the = operator
with |= instead.
Kudos to Christian Lamparter for suggesting the correct fix.
Fixes: fe8ee9ad80b2 ("carl9170: mac80211 glue and command interface")
Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Cc: <Stable@vger.kernel.org>
Acked-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20220125004406.344422-1-colin.i.king@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/carl9170/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/ath/carl9170/main.c
+++ b/drivers/net/wireless/ath/carl9170/main.c
@@ -1916,7 +1916,7 @@ static int carl9170_parse_eeprom(struct
WARN_ON(!(tx_streams >= 1 && tx_streams <=
IEEE80211_HT_MCS_TX_MAX_STREAMS));
- tx_params = (tx_streams - 1) <<
+ tx_params |= (tx_streams - 1) <<
IEEE80211_HT_MCS_TX_MAX_STREAMS_SHIFT;
carl9170_band_2GHz.ht_cap.mcs.tx_params |= tx_params;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 105/599] pstore: Dont use semaphores in always-atomic-context code
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 104/599] carl9170: fix missing bit-wise or operator for tx_params Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 106/599] thermal: int340x: Increase bitmap size Greg Kroah-Hartman
` (506 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sebastian Andrzej Siewior, Jann Horn,
Kees Cook
From: Jann Horn <jannh@google.com>
commit 8126b1c73108bc691f5643df19071a59a69d0bc6 upstream.
pstore_dump() is *always* invoked in atomic context (nowadays in an RCU
read-side critical section, before that under a spinlock).
It doesn't make sense to try to use semaphores here.
This is mostly a revert of commit ea84b580b955 ("pstore: Convert buf_lock
to semaphore"), except that two parts aren't restored back exactly as they
were:
- keep the lock initialization in pstore_register
- in efi_pstore_write(), always set the "block" flag to false
- omit "is_locked", that was unnecessary since
commit 959217c84c27 ("pstore: Actually give up during locking failure")
- fix the bailout message
The actual problem that the buggy commit was trying to address may have
been that the use of preemptible() in efi_pstore_write() was wrong - it
only looks at preempt_count() and the state of IRQs, but __rcu_read_lock()
doesn't touch either of those under CONFIG_PREEMPT_RCU.
(Sidenote: CONFIG_PREEMPT_RCU means that the scheduler can preempt tasks in
RCU read-side critical sections, but you're not allowed to actively
block/reschedule.)
Lockdep probably never caught the problem because it's very rare that you
actually hit the contended case, so lockdep always just sees the
down_trylock(), not the down_interruptible(), and so it can't tell that
there's a problem.
Fixes: ea84b580b955 ("pstore: Convert buf_lock to semaphore")
Cc: stable@vger.kernel.org
Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220314185953.2068993-1-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/efi/efi-pstore.c | 2 +-
fs/pstore/platform.c | 38 ++++++++++++++++++--------------------
include/linux/pstore.h | 6 +++---
3 files changed, 22 insertions(+), 24 deletions(-)
--- a/drivers/firmware/efi/efi-pstore.c
+++ b/drivers/firmware/efi/efi-pstore.c
@@ -266,7 +266,7 @@ static int efi_pstore_write(struct pstor
efi_name[i] = name[i];
ret = efivar_entry_set_safe(efi_name, vendor, PSTORE_EFI_ATTRIBUTES,
- preemptible(), record->size, record->psi->buf);
+ false, record->size, record->psi->buf);
if (record->reason == KMSG_DUMP_OOPS && try_module_get(THIS_MODULE))
if (!schedule_work(&efivar_work))
--- a/fs/pstore/platform.c
+++ b/fs/pstore/platform.c
@@ -143,21 +143,22 @@ static void pstore_timer_kick(void)
mod_timer(&pstore_timer, jiffies + msecs_to_jiffies(pstore_update_ms));
}
-/*
- * Should pstore_dump() wait for a concurrent pstore_dump()? If
- * not, the current pstore_dump() will report a failure to dump
- * and return.
- */
-static bool pstore_cannot_wait(enum kmsg_dump_reason reason)
+static bool pstore_cannot_block_path(enum kmsg_dump_reason reason)
{
- /* In NMI path, pstore shouldn't block regardless of reason. */
+ /*
+ * In case of NMI path, pstore shouldn't be blocked
+ * regardless of reason.
+ */
if (in_nmi())
return true;
switch (reason) {
/* In panic case, other cpus are stopped by smp_send_stop(). */
case KMSG_DUMP_PANIC:
- /* Emergency restart shouldn't be blocked. */
+ /*
+ * Emergency restart shouldn't be blocked by spinning on
+ * pstore_info::buf_lock.
+ */
case KMSG_DUMP_EMERG:
return true;
default:
@@ -388,21 +389,19 @@ static void pstore_dump(struct kmsg_dump
unsigned long total = 0;
const char *why;
unsigned int part = 1;
+ unsigned long flags = 0;
int ret;
why = kmsg_dump_reason_str(reason);
- if (down_trylock(&psinfo->buf_lock)) {
- /* Failed to acquire lock: give up if we cannot wait. */
- if (pstore_cannot_wait(reason)) {
- pr_err("dump skipped in %s path: may corrupt error record\n",
- in_nmi() ? "NMI" : why);
- return;
- }
- if (down_interruptible(&psinfo->buf_lock)) {
- pr_err("could not grab semaphore?!\n");
+ if (pstore_cannot_block_path(reason)) {
+ if (!spin_trylock_irqsave(&psinfo->buf_lock, flags)) {
+ pr_err("dump skipped in %s path because of concurrent dump\n",
+ in_nmi() ? "NMI" : why);
return;
}
+ } else {
+ spin_lock_irqsave(&psinfo->buf_lock, flags);
}
oopscount++;
@@ -464,8 +463,7 @@ static void pstore_dump(struct kmsg_dump
total += record.size;
part++;
}
-
- up(&psinfo->buf_lock);
+ spin_unlock_irqrestore(&psinfo->buf_lock, flags);
}
static struct kmsg_dumper pstore_dumper = {
@@ -591,7 +589,7 @@ int pstore_register(struct pstore_info *
psi->write_user = pstore_write_user_compat;
psinfo = psi;
mutex_init(&psinfo->read_mutex);
- sema_init(&psinfo->buf_lock, 1);
+ spin_lock_init(&psinfo->buf_lock);
if (psi->flags & PSTORE_FLAGS_DMESG)
allocate_buf_for_compression();
--- a/include/linux/pstore.h
+++ b/include/linux/pstore.h
@@ -14,7 +14,7 @@
#include <linux/errno.h>
#include <linux/kmsg_dump.h>
#include <linux/mutex.h>
-#include <linux/semaphore.h>
+#include <linux/spinlock.h>
#include <linux/time.h>
#include <linux/types.h>
@@ -87,7 +87,7 @@ struct pstore_record {
* @owner: module which is responsible for this backend driver
* @name: name of the backend driver
*
- * @buf_lock: semaphore to serialize access to @buf
+ * @buf_lock: spinlock to serialize access to @buf
* @buf: preallocated crash dump buffer
* @bufsize: size of @buf available for crash dump bytes (must match
* smallest number of bytes available for writing to a
@@ -178,7 +178,7 @@ struct pstore_info {
struct module *owner;
const char *name;
- struct semaphore buf_lock;
+ spinlock_t buf_lock;
char *buf;
size_t bufsize;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 106/599] thermal: int340x: Increase bitmap size
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 105/599] pstore: Dont use semaphores in always-atomic-context code Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 107/599] lib/raid6/test: fix multiple definition linking error Greg Kroah-Hartman
` (505 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Srinivas Pandruvada, Rafael J. Wysocki
From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
commit 668f69a5f863b877bc3ae129efe9a80b6f055141 upstream.
The number of policies are 10, so can't be supported by the bitmap size
of u8.
Even though there are no platfoms with these many policies, but
for correctness increase to u32.
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Fixes: 16fc8eca1975 ("thermal/int340x_thermal: Add additional UUIDs")
Cc: 5.1+ <stable@vger.kernel.org> # 5.1+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thermal/intel/int340x_thermal/int3400_thermal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
+++ b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
@@ -53,7 +53,7 @@ struct int3400_thermal_priv {
struct art *arts;
int trt_count;
struct trt *trts;
- u8 uuid_bitmap;
+ u32 uuid_bitmap;
int rel_misc_dev_res;
int current_uuid_index;
char *data_vault;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 107/599] lib/raid6/test: fix multiple definition linking error
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 106/599] thermal: int340x: Increase bitmap size Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 108/599] exec: Force single empty string when argv is empty Greg Kroah-Hartman
` (504 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dirk Müller, Paul Menzel, Song Liu
From: Dirk Müller <dmueller@suse.de>
commit a5359ddd052860bacf957e65fe819c63e974b3a6 upstream.
GCC 10+ defaults to -fno-common, which enforces proper declaration of
external references using "extern". without this change a link would
fail with:
lib/raid6/test/algos.c:28: multiple definition of `raid6_call';
lib/raid6/test/test.c:22: first defined here
the pq.h header that is included already includes an extern declaration
so we can just remove the redundant one here.
Cc: <stable@vger.kernel.org>
Signed-off-by: Dirk Müller <dmueller@suse.de>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/raid6/test/test.c | 1 -
1 file changed, 1 deletion(-)
--- a/lib/raid6/test/test.c
+++ b/lib/raid6/test/test.c
@@ -19,7 +19,6 @@
#define NDISKS 16 /* Including P and Q */
const char raid6_empty_zero_page[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
-struct raid6_calls raid6_call;
char *dataptrs[NDISKS];
char data[NDISKS][PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 108/599] exec: Force single empty string when argv is empty
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 107/599] lib/raid6/test: fix multiple definition linking error Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 109/599] crypto: rsa-pkcs1pad - only allow with rsa Greg Kroah-Hartman
` (503 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ariadne Conill, Michael Kerrisk,
Matthew Wilcox, Christian Brauner, Rich Felker, Eric Biederman,
Alexander Viro, linux-fsdevel, Kees Cook, Andy Lutomirski
From: Kees Cook <keescook@chromium.org>
commit dcd46d897adb70d63e025f175a00a89797d31a43 upstream.
Quoting[1] Ariadne Conill:
"In several other operating systems, it is a hard requirement that the
second argument to execve(2) be the name of a program, thus prohibiting
a scenario where argc < 1. POSIX 2017 also recommends this behaviour,
but it is not an explicit requirement[2]:
The argument arg0 should point to a filename string that is
associated with the process being started by one of the exec
functions.
...
Interestingly, Michael Kerrisk opened an issue about this in 2008[3],
but there was no consensus to support fixing this issue then.
Hopefully now that CVE-2021-4034 shows practical exploitative use[4]
of this bug in a shellcode, we can reconsider.
This issue is being tracked in the KSPP issue tracker[5]."
While the initial code searches[6][7] turned up what appeared to be
mostly corner case tests, trying to that just reject argv == NULL
(or an immediately terminated pointer list) quickly started tripping[8]
existing userspace programs.
The next best approach is forcing a single empty string into argv and
adjusting argc to match. The number of programs depending on argc == 0
seems a smaller set than those calling execve with a NULL argv.
Account for the additional stack space in bprm_stack_limits(). Inject an
empty string when argc == 0 (and set argc = 1). Warn about the case so
userspace has some notice about the change:
process './argc0' launched './argc0' with NULL argv: empty string added
Additionally WARN() and reject NULL argv usage for kernel threads.
[1] https://lore.kernel.org/lkml/20220127000724.15106-1-ariadne@dereferenced.org/
[2] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
[3] https://bugzilla.kernel.org/show_bug.cgi?id=8408
[4] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
[5] https://github.com/KSPP/linux/issues/176
[6] https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL&literal=0
[7] https://codesearch.debian.net/search?q=execlp%3F%5Cs*%5C%28%5B%5E%2C%5D%2B%2C%5Cs*NULL&literal=0
[8] https://lore.kernel.org/lkml/20220131144352.GE16385@xsang-OptiPlex-9020/
Reported-by: Ariadne Conill <ariadne@dereferenced.org>
Reported-by: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Rich Felker <dalias@libc.org>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Christian Brauner <brauner@kernel.org>
Acked-by: Ariadne Conill <ariadne@dereferenced.org>
Acked-by: Andy Lutomirski <luto@kernel.org>
Link: https://lore.kernel.org/r/20220201000947.2453721-1-keescook@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/exec.c | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -494,8 +494,14 @@ static int bprm_stack_limits(struct linu
* the stack. They aren't stored until much later when we can't
* signal to the parent that the child has run out of stack space.
* Instead, calculate it here so it's possible to fail gracefully.
+ *
+ * In the case of argc = 0, make sure there is space for adding a
+ * empty string (which will bump argc to 1), to ensure confused
+ * userspace programs don't start processing from argv[1], thinking
+ * argc can never be 0, to keep them from walking envp by accident.
+ * See do_execveat_common().
*/
- ptr_size = (bprm->argc + bprm->envc) * sizeof(void *);
+ ptr_size = (max(bprm->argc, 1) + bprm->envc) * sizeof(void *);
if (limit <= ptr_size)
return -E2BIG;
limit -= ptr_size;
@@ -1886,6 +1892,9 @@ static int do_execveat_common(int fd, st
}
retval = count(argv, MAX_ARG_STRINGS);
+ if (retval == 0)
+ pr_warn_once("process '%s' launched '%s' with NULL argv: empty string added\n",
+ current->comm, bprm->filename);
if (retval < 0)
goto out_free;
bprm->argc = retval;
@@ -1912,6 +1921,19 @@ static int do_execveat_common(int fd, st
if (retval < 0)
goto out_free;
+ /*
+ * When argv is empty, add an empty string ("") as argv[0] to
+ * ensure confused userspace programs that start processing
+ * from argv[1] won't end up walking envp. See also
+ * bprm_stack_limits().
+ */
+ if (bprm->argc == 0) {
+ retval = copy_string_kernel("", bprm);
+ if (retval < 0)
+ goto out_free;
+ bprm->argc = 1;
+ }
+
retval = bprm_execve(bprm, fd, filename, flags);
out_free:
free_bprm(bprm);
@@ -1940,6 +1962,8 @@ int kernel_execve(const char *kernel_fil
}
retval = count_strings_kernel(argv);
+ if (WARN_ON_ONCE(retval == 0))
+ retval = -EINVAL;
if (retval < 0)
goto out_free;
bprm->argc = retval;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 109/599] crypto: rsa-pkcs1pad - only allow with rsa
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 108/599] exec: Force single empty string when argv is empty Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 110/599] crypto: rsa-pkcs1pad - correctly get hash from source scatterlist Greg Kroah-Hartman
` (502 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, Herbert Xu
From: Eric Biggers <ebiggers@google.com>
commit 9b30430ea356f237945e52f8a3a42158877bd5a9 upstream.
The pkcs1pad template can be instantiated with an arbitrary akcipher
algorithm, which doesn't make sense; it is specifically an RSA padding
scheme. Make it check that the underlying algorithm really is RSA.
Fixes: 3d5b1ecdea6f ("crypto: rsa - RSA padding algorithm")
Cc: <stable@vger.kernel.org> # v4.5+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/rsa-pkcs1pad.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -621,6 +621,11 @@ static int pkcs1pad_create(struct crypto
rsa_alg = crypto_spawn_akcipher_alg(&ctx->spawn);
+ if (strcmp(rsa_alg->base.cra_name, "rsa") != 0) {
+ err = -EINVAL;
+ goto err_free_inst;
+ }
+
err = -ENAMETOOLONG;
hash_name = crypto_attr_alg_name(tb[2]);
if (IS_ERR(hash_name)) {
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 110/599] crypto: rsa-pkcs1pad - correctly get hash from source scatterlist
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 109/599] crypto: rsa-pkcs1pad - only allow with rsa Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 111/599] crypto: rsa-pkcs1pad - restore signature length check Greg Kroah-Hartman
` (501 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Vitaly Chikunov, Eric Biggers, Herbert Xu
From: Eric Biggers <ebiggers@google.com>
commit e316f7179be22912281ce6331d96d7c121fb2b17 upstream.
Commit c7381b012872 ("crypto: akcipher - new verify API for public key
algorithms") changed akcipher_alg::verify to take in both the signature
and the actual hash and do the signature verification, rather than just
return the hash expected by the signature as was the case before. To do
this, it implemented a hack where the signature and hash are
concatenated with each other in one scatterlist.
Obviously, for this to work correctly, akcipher_alg::verify needs to
correctly extract the two items from the scatterlist it is given.
Unfortunately, it doesn't correctly extract the hash in the case where
the signature is longer than the RSA key size, as it assumes that the
signature's length is equal to the RSA key size. This causes a prefix
of the hash, or even the entire hash, to be taken from the *signature*.
(Note, the case of a signature longer than the RSA key size should not
be allowed in the first place; a separate patch will fix that.)
It is unclear whether the resulting scheme has any useful security
properties.
Fix this by correctly extracting the hash from the scatterlist.
Fixes: c7381b012872 ("crypto: akcipher - new verify API for public key algorithms")
Cc: <stable@vger.kernel.org> # v5.2+
Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/rsa-pkcs1pad.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -495,7 +495,7 @@ static int pkcs1pad_verify_complete(stru
sg_nents_for_len(req->src,
req->src_len + req->dst_len),
req_ctx->out_buf + ctx->key_size,
- req->dst_len, ctx->key_size);
+ req->dst_len, req->src_len);
/* Do the actual verification step. */
if (memcmp(req_ctx->out_buf + ctx->key_size, out_buf + pos,
req->dst_len) != 0)
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 111/599] crypto: rsa-pkcs1pad - restore signature length check
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 110/599] crypto: rsa-pkcs1pad - correctly get hash from source scatterlist Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 112/599] crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete() Greg Kroah-Hartman
` (500 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tadeusz Struk, Vitaly Chikunov,
Eric Biggers, Herbert Xu
From: Eric Biggers <ebiggers@google.com>
commit d3481accd974541e6a5d6a1fb588924a3519c36e upstream.
RSA PKCS#1 v1.5 signatures are required to be the same length as the RSA
key size. RFC8017 specifically requires the verifier to check this
(https://datatracker.ietf.org/doc/html/rfc8017#section-8.2.2).
Commit a49de377e051 ("crypto: Add hash param to pkcs1pad") changed the
kernel to allow longer signatures, but didn't explain this part of the
change; it seems to be unrelated to the rest of the commit.
Revert this change, since it doesn't appear to be correct.
We can be pretty sure that no one is relying on overly-long signatures
(which would have to be front-padded with zeroes) being supported, given
that they would have been broken since commit c7381b012872
("crypto: akcipher - new verify API for public key algorithms").
Fixes: a49de377e051 ("crypto: Add hash param to pkcs1pad")
Cc: <stable@vger.kernel.org> # v4.6+
Cc: Tadeusz Struk <tadeusz.struk@linaro.org>
Suggested-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/rsa-pkcs1pad.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -538,7 +538,7 @@ static int pkcs1pad_verify(struct akciph
if (WARN_ON(req->dst) ||
WARN_ON(!req->dst_len) ||
- !ctx->key_size || req->src_len < ctx->key_size)
+ !ctx->key_size || req->src_len != ctx->key_size)
return -EINVAL;
req_ctx->out_buf = kmalloc(ctx->key_size + req->dst_len, GFP_KERNEL);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 112/599] crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 111/599] crypto: rsa-pkcs1pad - restore signature length check Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 113/599] bcache: fixup multiple threads crash Greg Kroah-Hartman
` (499 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tadeusz Struk, Eric Biggers, Herbert Xu
From: Eric Biggers <ebiggers@google.com>
commit a24611ea356c7f3f0ec926da11b9482ac1f414fd upstream.
Before checking whether the expected digest_info is present, we need to
check that there are enough bytes remaining.
Fixes: a49de377e051 ("crypto: Add hash param to pkcs1pad")
Cc: <stable@vger.kernel.org> # v4.6+
Cc: Tadeusz Struk <tadeusz.struk@linaro.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/rsa-pkcs1pad.c | 2 ++
1 file changed, 2 insertions(+)
--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -476,6 +476,8 @@ static int pkcs1pad_verify_complete(stru
pos++;
if (digest_info) {
+ if (digest_info->size > dst_len - pos)
+ goto done;
if (crypto_memneq(out_buf + pos, digest_info->data,
digest_info->size))
goto done;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 113/599] bcache: fixup multiple threads crash
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 112/599] crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete() Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 114/599] DEC: Limit PMAX memory probing to R3k systems Greg Kroah-Hartman
` (498 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mingzhe Zou, Coly Li
From: Mingzhe Zou <mingzhe.zou@easystack.cn>
commit 887554ab96588de2917b6c8c73e552da082e5368 upstream.
When multiple threads to check btree nodes in parallel, the main
thread wait for all threads to stop or CACHE_SET_IO_DISABLE flag:
wait_event_interruptible(check_state->wait,
atomic_read(&check_state->started) == 0 ||
test_bit(CACHE_SET_IO_DISABLE, &c->flags));
However, the bch_btree_node_read and bch_btree_node_read_done
maybe call bch_cache_set_error, then the CACHE_SET_IO_DISABLE
will be set. If the flag already set, the main thread return
error. At the same time, maybe some threads still running and
read NULL pointer, the kernel will crash.
This patch change the event wait condition, the main thread must
wait for all threads to stop.
Fixes: 8e7102273f597 ("bcache: make bch_btree_check() to be multithreaded")
Signed-off-by: Mingzhe Zou <mingzhe.zou@easystack.cn>
Cc: stable@vger.kernel.org # v5.7+
Signed-off-by: Coly Li <colyli@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/bcache/btree.c | 6 ++++--
drivers/md/bcache/writeback.c | 6 ++++--
2 files changed, 8 insertions(+), 4 deletions(-)
--- a/drivers/md/bcache/btree.c
+++ b/drivers/md/bcache/btree.c
@@ -2060,9 +2060,11 @@ int bch_btree_check(struct cache_set *c)
}
}
+ /*
+ * Must wait for all threads to stop.
+ */
wait_event_interruptible(check_state->wait,
- atomic_read(&check_state->started) == 0 ||
- test_bit(CACHE_SET_IO_DISABLE, &c->flags));
+ atomic_read(&check_state->started) == 0);
for (i = 0; i < check_state->total_threads; i++) {
if (check_state->infos[i].result) {
--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -952,9 +952,11 @@ void bch_sectors_dirty_init(struct bcach
}
}
+ /*
+ * Must wait for all threads to stop.
+ */
wait_event_interruptible(state->wait,
- atomic_read(&state->started) == 0 ||
- test_bit(CACHE_SET_IO_DISABLE, &c->flags));
+ atomic_read(&state->started) == 0);
out:
kfree(state);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 114/599] DEC: Limit PMAX memory probing to R3k systems
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 113/599] bcache: fixup multiple threads crash Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 115/599] media: gpio-ir-tx: fix transmit with long spaces on Orange Pi PC Greg Kroah-Hartman
` (497 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jan-Benedict Glaw, Sudip Mukherjee,
Maciej W. Rozycki, Thomas Bogendoerfer
From: Maciej W. Rozycki <macro@orcam.me.uk>
commit 244eae91a94c6dab82b3232967d10eeb9dfa21c6 upstream.
Recent tightening of the opcode table in binutils so as to consistently
disallow the assembly or disassembly of CP0 instructions not supported
by the processor architecture chosen has caused a regression like below:
arch/mips/dec/prom/locore.S: Assembler messages:
arch/mips/dec/prom/locore.S:29: Error: opcode not supported on this processor: r4600 (mips3) `rfe'
in a piece of code used to probe for memory with PMAX DECstation models,
which have non-REX firmware. Those computers always have an R2000 CPU
and consequently the exception handler used in memory probing uses the
RFE instruction, which those processors use.
While adding 64-bit support this code was correctly excluded for 64-bit
configurations, however it should have also been excluded for irrelevant
32-bit configurations. Do this now then, and only enable PMAX memory
probing for R3k systems.
Reported-by: Jan-Benedict Glaw <jbglaw@lug-owl.de>
Reported-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org # v2.6.12+
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/dec/prom/Makefile | 2 +-
arch/mips/include/asm/dec/prom.h | 15 +++++----------
2 files changed, 6 insertions(+), 11 deletions(-)
--- a/arch/mips/dec/prom/Makefile
+++ b/arch/mips/dec/prom/Makefile
@@ -6,4 +6,4 @@
lib-y += init.o memory.o cmdline.o identify.o console.o
-lib-$(CONFIG_32BIT) += locore.o
+lib-$(CONFIG_CPU_R3000) += locore.o
--- a/arch/mips/include/asm/dec/prom.h
+++ b/arch/mips/include/asm/dec/prom.h
@@ -43,16 +43,11 @@
*/
#define REX_PROM_MAGIC 0x30464354
-#ifdef CONFIG_64BIT
-
-#define prom_is_rex(magic) 1 /* KN04 and KN05 are REX PROMs. */
-
-#else /* !CONFIG_64BIT */
-
-#define prom_is_rex(magic) ((magic) == REX_PROM_MAGIC)
-
-#endif /* !CONFIG_64BIT */
-
+/* KN04 and KN05 are REX PROMs, so only do the check for R3k systems. */
+static inline bool prom_is_rex(u32 magic)
+{
+ return !IS_ENABLED(CONFIG_CPU_R3000) || magic == REX_PROM_MAGIC;
+}
/*
* 3MIN/MAXINE PROM entry points for DS5000/1xx's, DS5000/xx's and
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 115/599] media: gpio-ir-tx: fix transmit with long spaces on Orange Pi PC
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 114/599] DEC: Limit PMAX memory probing to R3k systems Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 116/599] media: davinci: vpif: fix unbalanced runtime PM get Greg Kroah-Hartman
` (496 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable,
Михаил,
Sean Young, Mauro Carvalho Chehab
From: Sean Young <sean@mess.org>
commit 5ad05ecad4326ddaa26a83ba2233a67be24c1aaa upstream.
Calling udelay for than 1000us does not always yield the correct
results.
Cc: stable@vger.kernel.org
Reported-by: Михаил <vrserver1@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/rc/gpio-ir-tx.c | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
--- a/drivers/media/rc/gpio-ir-tx.c
+++ b/drivers/media/rc/gpio-ir-tx.c
@@ -48,11 +48,29 @@ static int gpio_ir_tx_set_carrier(struct
return 0;
}
+static void delay_until(ktime_t until)
+{
+ /*
+ * delta should never exceed 0.5 seconds (IR_MAX_DURATION) and on
+ * m68k ndelay(s64) does not compile; so use s32 rather than s64.
+ */
+ s32 delta;
+
+ while (true) {
+ delta = ktime_us_delta(until, ktime_get());
+ if (delta <= 0)
+ return;
+
+ /* udelay more than 1ms may not work */
+ delta = min(delta, 1000);
+ udelay(delta);
+ }
+}
+
static void gpio_ir_tx_unmodulated(struct gpio_ir *gpio_ir, uint *txbuf,
uint count)
{
ktime_t edge;
- s32 delta;
int i;
local_irq_disable();
@@ -63,9 +81,7 @@ static void gpio_ir_tx_unmodulated(struc
gpiod_set_value(gpio_ir->gpio, !(i % 2));
edge = ktime_add_us(edge, txbuf[i]);
- delta = ktime_us_delta(edge, ktime_get());
- if (delta > 0)
- udelay(delta);
+ delay_until(edge);
}
gpiod_set_value(gpio_ir->gpio, 0);
@@ -97,9 +113,7 @@ static void gpio_ir_tx_modulated(struct
if (i % 2) {
// space
edge = ktime_add_us(edge, txbuf[i]);
- delta = ktime_us_delta(edge, ktime_get());
- if (delta > 0)
- udelay(delta);
+ delay_until(edge);
} else {
// pulse
ktime_t last = ktime_add_us(edge, txbuf[i]);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 116/599] media: davinci: vpif: fix unbalanced runtime PM get
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 115/599] media: gpio-ir-tx: fix transmit with long spaces on Orange Pi PC Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 117/599] media: davinci: vpif: fix unbalanced runtime PM enable Greg Kroah-Hartman
` (495 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Lad, Prabhakar, Johan Hovold,
Hans Verkuil, Mauro Carvalho Chehab, Lad
From: Johan Hovold <johan@kernel.org>
commit 4a321de239213300a714fa0353a5f1272d381a44 upstream.
Make sure to balance the runtime PM usage counter on driver unbind.
Fixes: 407ccc65bfd2 ("[media] davinci: vpif: add pm_runtime support")
Cc: stable@vger.kernel.org # 3.9
Cc: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Lad Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/davinci/vpif.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/platform/davinci/vpif.c
+++ b/drivers/media/platform/davinci/vpif.c
@@ -497,6 +497,7 @@ static int vpif_probe(struct platform_de
static int vpif_remove(struct platform_device *pdev)
{
+ pm_runtime_put(&pdev->dev);
pm_runtime_disable(&pdev->dev);
return 0;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 117/599] media: davinci: vpif: fix unbalanced runtime PM enable
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 116/599] media: davinci: vpif: fix unbalanced runtime PM get Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 118/599] xtensa: fix stop_machine_cpuslocked call in patch_text Greg Kroah-Hartman
` (494 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Kevin Hilman, Johan Hovold,
Hans Verkuil, Mauro Carvalho Chehab
From: Johan Hovold <johan@kernel.org>
commit d42b3ad105b5d3481f6a56bc789aa2b27aa09325 upstream.
Make sure to disable runtime PM before returning on probe errors.
Fixes: 479f7a118105 ("[media] davinci: vpif: adaptions for DT support")
Cc: stable@vger.kernel.org
Cc: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/davinci/vpif.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/drivers/media/platform/davinci/vpif.c
+++ b/drivers/media/platform/davinci/vpif.c
@@ -428,6 +428,7 @@ static int vpif_probe(struct platform_de
static struct resource *res, *res_irq;
struct platform_device *pdev_capture, *pdev_display;
struct device_node *endpoint = NULL;
+ int ret;
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
vpif_base = devm_ioremap_resource(&pdev->dev, res);
@@ -458,8 +459,8 @@ static int vpif_probe(struct platform_de
res_irq = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
if (!res_irq) {
dev_warn(&pdev->dev, "Missing IRQ resource.\n");
- pm_runtime_put(&pdev->dev);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_put_rpm;
}
pdev_capture = devm_kzalloc(&pdev->dev, sizeof(*pdev_capture),
@@ -493,6 +494,12 @@ static int vpif_probe(struct platform_de
}
return 0;
+
+err_put_rpm:
+ pm_runtime_put(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+
+ return ret;
}
static int vpif_remove(struct platform_device *pdev)
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 118/599] xtensa: fix stop_machine_cpuslocked call in patch_text
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 117/599] media: davinci: vpif: fix unbalanced runtime PM enable Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 119/599] xtensa: fix xtensa_wsr always writing 0 Greg Kroah-Hartman
` (493 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Max Filippov
From: Max Filippov <jcmvbkbc@gmail.com>
commit f406f2d03e07afc199dd8cf501f361dde6be8a69 upstream.
patch_text must invoke patch_text_stop_machine on all online CPUs, but
it calls stop_machine_cpuslocked with NULL cpumask. As a result only one
CPU runs patch_text_stop_machine potentially leaving stale icache
entries on other CPUs. Fix that by calling stop_machine_cpuslocked with
cpu_online_mask as the last argument.
Cc: stable@vger.kernel.org
Fixes: 64711f9a47d4 ("xtensa: implement jump_label support")
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/xtensa/kernel/jump_label.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/xtensa/kernel/jump_label.c
+++ b/arch/xtensa/kernel/jump_label.c
@@ -61,7 +61,7 @@ static void patch_text(unsigned long add
.data = data,
};
stop_machine_cpuslocked(patch_text_stop_machine,
- &patch, NULL);
+ &patch, cpu_online_mask);
} else {
unsigned long flags;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 119/599] xtensa: fix xtensa_wsr always writing 0
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 118/599] xtensa: fix stop_machine_cpuslocked call in patch_text Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 120/599] brcmfmac: firmware: Allocate space for default boardrev in nvram Greg Kroah-Hartman
` (492 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Max Filippov
From: Max Filippov <jcmvbkbc@gmail.com>
commit a3d0245c58f962ee99d4440ea0eaf45fb7f5a5cc upstream.
The commit cad6fade6e78 ("xtensa: clean up WSR*/RSR*/get_sr/set_sr")
replaced 'WSR' macro in the function xtensa_wsr with 'xtensa_set_sr',
but variable 'v' in the xtensa_set_sr body shadowed the argument 'v'
passed to it, resulting in wrong value written to debug registers.
Fix that by removing intermediate variable from the xtensa_set_sr
macro body.
Cc: stable@vger.kernel.org
Fixes: cad6fade6e78 ("xtensa: clean up WSR*/RSR*/get_sr/set_sr")
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/xtensa/include/asm/processor.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/xtensa/include/asm/processor.h
+++ b/arch/xtensa/include/asm/processor.h
@@ -226,8 +226,8 @@ extern unsigned long get_wchan(struct ta
#define xtensa_set_sr(x, sr) \
({ \
- unsigned int v = (unsigned int)(x); \
- __asm__ __volatile__ ("wsr %0, "__stringify(sr) :: "a"(v)); \
+ __asm__ __volatile__ ("wsr %0, "__stringify(sr) :: \
+ "a"((unsigned int)(x))); \
})
#define xtensa_get_sr(sr) \
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 120/599] brcmfmac: firmware: Allocate space for default boardrev in nvram
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 119/599] xtensa: fix xtensa_wsr always writing 0 Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 121/599] brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path Greg Kroah-Hartman
` (491 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Arend van Spriel, Hector Martin,
Andy Shevchenko, Kalle Valo
From: Hector Martin <marcan@marcan.st>
commit d19d8e3ba256f81ea4a27209dbbd1f0a00ef1903 upstream.
If boardrev is missing from the NVRAM we add a default one, but this
might need more space in the output buffer than was allocated. Ensure
we have enough padding for this in the buffer.
Fixes: 46f2b38a91b0 ("brcmfmac: insert default boardrev in nvram data if missing")
Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Cc: stable@vger.kernel.org
Signed-off-by: Hector Martin <marcan@marcan.st>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220131160713.245637-3-marcan@marcan.st
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
@@ -207,6 +207,8 @@ static int brcmf_init_nvram_parser(struc
size = BRCMF_FW_MAX_NVRAM_SIZE;
else
size = data_len;
+ /* Add space for properties we may add */
+ size += strlen(BRCMF_FW_DEFAULT_BOARDREV) + 1;
/* Alloc for extra 0 byte + roundup by 4 + length field */
size += 1 + 3 + sizeof(u32);
nvp->nvram = kzalloc(size, GFP_KERNEL);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 121/599] brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 120/599] brcmfmac: firmware: Allocate space for default boardrev in nvram Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 122/599] brcmfmac: pcie: Replace brcmf_pcie_copy_mem_todev with memcpy_toio Greg Kroah-Hartman
` (490 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Linus Walleij, Arend van Spriel,
Hector Martin, Andy Shevchenko, Kalle Valo
From: Hector Martin <marcan@marcan.st>
commit 5e90f0f3ead014867dade7a22f93958119f5efab upstream.
This avoids leaking memory if brcmf_chip_get_raminfo fails. Note that
the CLM blob is released in the device remove path.
Fixes: 82f93cf46d60 ("brcmfmac: get chip's default RAM info during PCIe setup")
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Cc: stable@vger.kernel.org
Signed-off-by: Hector Martin <marcan@marcan.st>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220131160713.245637-2-marcan@marcan.st
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
@@ -1775,6 +1775,8 @@ static void brcmf_pcie_setup(struct devi
ret = brcmf_chip_get_raminfo(devinfo->ci);
if (ret) {
brcmf_err(bus, "Failed to get RAM info\n");
+ release_firmware(fw);
+ brcmf_fw_nvram_free(nvram);
goto fail;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 122/599] brcmfmac: pcie: Replace brcmf_pcie_copy_mem_todev with memcpy_toio
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 121/599] brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 123/599] brcmfmac: pcie: Fix crashes due to early IRQs Greg Kroah-Hartman
` (489 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Linus Walleij, Arend van Spriel,
Andy Shevchenko, Hector Martin, Kalle Valo
From: Hector Martin <marcan@marcan.st>
commit 9466987f246758eb7e9071ae58005253f631271e upstream.
The alignment check was wrong (e.g. & 4 instead of & 3), and the logic
was also inefficient if the length was not a multiple of 4, since it
would needlessly fall back to copying the entire buffer bytewise.
We already have a perfectly good memcpy_toio function, so just call that
instead of rolling our own copy logic here. brcmf_pcie_init_ringbuffers
was already using it anyway.
Fixes: 9e37f045d5e7 ("brcmfmac: Adding PCIe bus layer support.")
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220131160713.245637-6-marcan@marcan.st
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 48 +---------------
1 file changed, 4 insertions(+), 44 deletions(-)
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
@@ -12,6 +12,7 @@
#include <linux/interrupt.h>
#include <linux/bcma/bcma.h>
#include <linux/sched.h>
+#include <linux/io.h>
#include <asm/unaligned.h>
#include <soc.h>
@@ -447,47 +448,6 @@ brcmf_pcie_write_ram32(struct brcmf_pcie
static void
-brcmf_pcie_copy_mem_todev(struct brcmf_pciedev_info *devinfo, u32 mem_offset,
- void *srcaddr, u32 len)
-{
- void __iomem *address = devinfo->tcm + mem_offset;
- __le32 *src32;
- __le16 *src16;
- u8 *src8;
-
- if (((ulong)address & 4) || ((ulong)srcaddr & 4) || (len & 4)) {
- if (((ulong)address & 2) || ((ulong)srcaddr & 2) || (len & 2)) {
- src8 = (u8 *)srcaddr;
- while (len) {
- iowrite8(*src8, address);
- address++;
- src8++;
- len--;
- }
- } else {
- len = len / 2;
- src16 = (__le16 *)srcaddr;
- while (len) {
- iowrite16(le16_to_cpu(*src16), address);
- address += 2;
- src16++;
- len--;
- }
- }
- } else {
- len = len / 4;
- src32 = (__le32 *)srcaddr;
- while (len) {
- iowrite32(le32_to_cpu(*src32), address);
- address += 4;
- src32++;
- len--;
- }
- }
-}
-
-
-static void
brcmf_pcie_copy_dev_tomem(struct brcmf_pciedev_info *devinfo, u32 mem_offset,
void *dstaddr, u32 len)
{
@@ -1561,8 +1521,8 @@ static int brcmf_pcie_download_fw_nvram(
return err;
brcmf_dbg(PCIE, "Download FW %s\n", devinfo->fw_name);
- brcmf_pcie_copy_mem_todev(devinfo, devinfo->ci->rambase,
- (void *)fw->data, fw->size);
+ memcpy_toio(devinfo->tcm + devinfo->ci->rambase,
+ (void *)fw->data, fw->size);
resetintr = get_unaligned_le32(fw->data);
release_firmware(fw);
@@ -1576,7 +1536,7 @@ static int brcmf_pcie_download_fw_nvram(
brcmf_dbg(PCIE, "Download NVRAM %s\n", devinfo->nvram_name);
address = devinfo->ci->rambase + devinfo->ci->ramsize -
nvram_len;
- brcmf_pcie_copy_mem_todev(devinfo, address, nvram, nvram_len);
+ memcpy_toio(devinfo->tcm + address, nvram, nvram_len);
brcmf_fw_nvram_free(nvram);
} else {
brcmf_dbg(PCIE, "No matching NVRAM file found %s\n",
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 123/599] brcmfmac: pcie: Fix crashes due to early IRQs
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 122/599] brcmfmac: pcie: Replace brcmf_pcie_copy_mem_todev with memcpy_toio Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 124/599] drm/i915/opregion: check port number bounds for SWSCI display power state Greg Kroah-Hartman
` (488 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Linus Walleij, Arend van Spriel,
Hector Martin, Andy Shevchenko, Kalle Valo
From: Hector Martin <marcan@marcan.st>
commit b50255c83b914defd61a57fbc81d452334b63f4c upstream.
The driver was enabling IRQs before the message processing was
initialized. This could cause IRQs to come in too early and crash the
driver. Instead, move the IRQ enable and hostready to a bus preinit
function, at which point everything is properly initialized.
Fixes: 9e37f045d5e7 ("brcmfmac: Adding PCIe bus layer support.")
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Cc: stable@vger.kernel.org
Signed-off-by: Hector Martin <marcan@marcan.st>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220131160713.245637-7-marcan@marcan.st
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
@@ -1306,6 +1306,18 @@ static void brcmf_pcie_down(struct devic
{
}
+static int brcmf_pcie_preinit(struct device *dev)
+{
+ struct brcmf_bus *bus_if = dev_get_drvdata(dev);
+ struct brcmf_pciedev *buspub = bus_if->bus_priv.pcie;
+
+ brcmf_dbg(PCIE, "Enter\n");
+
+ brcmf_pcie_intr_enable(buspub->devinfo);
+ brcmf_pcie_hostready(buspub->devinfo);
+
+ return 0;
+}
static int brcmf_pcie_tx(struct device *dev, struct sk_buff *skb)
{
@@ -1414,6 +1426,7 @@ static int brcmf_pcie_reset(struct devic
}
static const struct brcmf_bus_ops brcmf_pcie_bus_ops = {
+ .preinit = brcmf_pcie_preinit,
.txdata = brcmf_pcie_tx,
.stop = brcmf_pcie_down,
.txctl = brcmf_pcie_tx_ctlpkt,
@@ -1786,9 +1799,6 @@ static void brcmf_pcie_setup(struct devi
init_waitqueue_head(&devinfo->mbdata_resp_wait);
- brcmf_pcie_intr_enable(devinfo);
- brcmf_pcie_hostready(devinfo);
-
ret = brcmf_attach(&devinfo->pdev->dev);
if (ret)
goto fail;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 124/599] drm/i915/opregion: check port number bounds for SWSCI display power state
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 123/599] brcmfmac: pcie: Fix crashes due to early IRQs Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:26 ` [PATCH 5.10 125/599] drm/i915/gem: add missing boundary check in vm_access Greg Kroah-Hartman
` (487 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ville Syrjälä,
Lucas De Marchi, Jani Nikula
From: Jani Nikula <jani.nikula@intel.com>
commit 24a644ebbfd3b13cda702f98907f9dd123e34bf9 upstream.
The mapping from enum port to whatever port numbering scheme is used by
the SWSCI Display Power State Notification is odd, and the memory of it
has faded. In any case, the parameter only has space for ports numbered
[0..4], and UBSAN reports bit shift beyond it when the platform has port
F or more.
Since the SWSCI functionality is supposed to be obsolete for new
platforms (i.e. ones that might have port F or more), just bail out
early if the mapped and mangled port number is beyond what the Display
Power State Notification can support.
Fixes: 9c4b0a683193 ("drm/i915: add opregion function to notify bios of encoder enable/disable")
Cc: <stable@vger.kernel.org> # v3.13+
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Lucas De Marchi <lucas.demarchi@intel.com>
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/4800
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/cc363f42d6b5a5932b6d218fefcc8bdfb15dbbe5.1644489329.git.jani.nikula@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/display/intel_opregion.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/drivers/gpu/drm/i915/display/intel_opregion.c
+++ b/drivers/gpu/drm/i915/display/intel_opregion.c
@@ -376,6 +376,21 @@ int intel_opregion_notify_encoder(struct
return -EINVAL;
}
+ /*
+ * The port numbering and mapping here is bizarre. The now-obsolete
+ * swsci spec supports ports numbered [0..4]. Port E is handled as a
+ * special case, but port F and beyond are not. The functionality is
+ * supposed to be obsolete for new platforms. Just bail out if the port
+ * number is out of bounds after mapping.
+ */
+ if (port > 4) {
+ drm_dbg_kms(&dev_priv->drm,
+ "[ENCODER:%d:%s] port %c (index %u) out of bounds for display power state notification\n",
+ intel_encoder->base.base.id, intel_encoder->base.name,
+ port_name(intel_encoder->port), port);
+ return -EINVAL;
+ }
+
if (!enable)
parm |= 4 << 8;
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 125/599] drm/i915/gem: add missing boundary check in vm_access
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 124/599] drm/i915/opregion: check port number bounds for SWSCI display power state Greg Kroah-Hartman
@ 2022-04-05 7:26 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 126/599] PCI: pciehp: Clear cmd_busy bit in polling mode Greg Kroah-Hartman
` (486 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Mastan Katragadda, Adam Zabrocki,
Jackson Cody, Chris Wilson, Jon Bloomfield, Sudeep Dutt,
Matthew Auld, Joonas Lahtinen
From: Mastan Katragadda <mastanx.katragadda@intel.com>
commit 3886a86e7e6cc6ce2ce93c440fecd8f42aed0ce7 upstream.
A missing bounds check in vm_access() can lead to an out-of-bounds read
or write in the adjacent memory area, since the len attribute is not
validated before the memcpy later in the function, potentially hitting:
[ 183.637831] BUG: unable to handle page fault for address: ffffc90000c86000
[ 183.637934] #PF: supervisor read access in kernel mode
[ 183.637997] #PF: error_code(0x0000) - not-present page
[ 183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0
[ 183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI
[ 183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G D 5.17.0-rc6-ci-drm-11296+ #1
[ 183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019
[ 183.638430] RIP: 0010:memcpy_erms+0x6/0x10
[ 183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246
[ 183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc
[ 183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004
[ 183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000
[ 183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000
[ 183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000
[ 183.645653] FS: 00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000
[ 183.646570] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0
[ 183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 183.650142] Call Trace:
[ 183.650988] <TASK>
[ 183.651793] vm_access+0x1f0/0x2a0 [i915]
[ 183.652726] __access_remote_vm+0x224/0x380
[ 183.653561] mem_rw.isra.0+0xf9/0x190
[ 183.654402] vfs_read+0x9d/0x1b0
[ 183.655238] ksys_read+0x63/0xe0
[ 183.656065] do_syscall_64+0x38/0xc0
[ 183.656882] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 183.657663] RIP: 0033:0x7fe5ef725142
[ 183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142
[ 183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005
[ 183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046
[ 183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0
[ 183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000
Changes since v1:
- Updated if condition with range_overflows_t [Chris Wilson]
Fixes: 9f909e215fea ("drm/i915: Implement vm_ops->access for gdb access into mmaps")
Signed-off-by: Mastan Katragadda <mastanx.katragadda@intel.com>
Suggested-by: Adam Zabrocki <adamza@microsoft.com>
Reported-by: Jackson Cody <cody.jackson@intel.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: Sudeep Dutt <sudeep.dutt@intel.com>
Cc: <stable@vger.kernel.org> # v5.8+
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
[mauld: tidy up the commit message and add Cc: stable]
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220303060428.1668844-1-mastanx.katragadda@intel.com
(cherry picked from commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gem/i915_gem_mman.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
@@ -423,7 +423,7 @@ vm_access(struct vm_area_struct *area, u
return -EACCES;
addr -= area->vm_start;
- if (addr >= obj->base.size)
+ if (range_overflows_t(u64, addr, len, obj->base.size))
return -EINVAL;
/* As this is primarily for debugging, let's focus on simplicity */
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 126/599] PCI: pciehp: Clear cmd_busy bit in polling mode
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2022-04-05 7:26 ` [PATCH 5.10 125/599] drm/i915/gem: add missing boundary check in vm_access Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-09 8:13 ` Pavel Machek
2022-04-05 7:27 ` [PATCH 5.10 127/599] PCI: xgene: Revert "PCI: xgene: Fix IB window setup" Greg Kroah-Hartman
` (485 subsequent siblings)
611 siblings, 1 reply; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Liguang Zhang, Bjorn Helgaas, Lukas Wunner
From: Liguang Zhang <zhangliguang@linux.alibaba.com>
commit 92912b175178c7e895f5e5e9f1e30ac30319162b upstream.
Writes to a Downstream Port's Slot Control register are PCIe hotplug
"commands." If the Port supports Command Completed events, software must
wait for a command to complete before writing to Slot Control again.
pcie_do_write_cmd() sets ctrl->cmd_busy when it writes to Slot Control. If
software notification is enabled, i.e., PCI_EXP_SLTCTL_HPIE and
PCI_EXP_SLTCTL_CCIE are set, ctrl->cmd_busy is cleared by pciehp_isr().
But when software notification is disabled, as it is when pcie_init()
powers off an empty slot, pcie_wait_cmd() uses pcie_poll_cmd() to poll for
command completion, and it neglects to clear ctrl->cmd_busy, which leads to
spurious timeouts:
pcieport 0000:00:03.0: pciehp: Timeout on hotplug command 0x01c0 (issued 2264 msec ago)
pcieport 0000:00:03.0: pciehp: Timeout on hotplug command 0x05c0 (issued 2288 msec ago)
Clear ctrl->cmd_busy in pcie_poll_cmd() when it detects a Command Completed
event (PCI_EXP_SLTSTA_CC).
[bhelgaas: commit log]
Fixes: a5dd4b4b0570 ("PCI: pciehp: Wait for hotplug command completion where necessary")
Link: https://lore.kernel.org/r/20211111054258.7309-1-zhangliguang@linux.alibaba.com
Link: https://bugzilla.kernel.org/show_bug.cgi?id=215143
Link: https://lore.kernel.org/r/20211126173309.GA12255@wunner.de
Signed-off-by: Liguang Zhang <zhangliguang@linux.alibaba.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v4.19+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/hotplug/pciehp_hpc.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/pci/hotplug/pciehp_hpc.c
+++ b/drivers/pci/hotplug/pciehp_hpc.c
@@ -98,6 +98,8 @@ static int pcie_poll_cmd(struct controll
if (slot_status & PCI_EXP_SLTSTA_CC) {
pcie_capability_write_word(pdev, PCI_EXP_SLTSTA,
PCI_EXP_SLTSTA_CC);
+ ctrl->cmd_busy = 0;
+ smp_mb();
return 1;
}
msleep(10);
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 127/599] PCI: xgene: Revert "PCI: xgene: Fix IB window setup"
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 126/599] PCI: pciehp: Clear cmd_busy bit in polling mode Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 128/599] regulator: qcom_smd: fix for_each_child.cocci warnings Greg Kroah-Hartman
` (484 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Lorenzo Pieralisi,
Rob Herring, Toan Le, Krzysztof Wilczyński, Bjorn Helgaas,
Stéphane Graber, dann frazier
From: Marc Zyngier <maz@kernel.org>
commit 825da4e9cec68713fbb02dc6f71fe1bf65fe8050 upstream.
Commit c7a75d07827a ("PCI: xgene: Fix IB window setup") tried to
fix the damages that 6dce5aa59e0b ("PCI: xgene: Use inbound resources
for setup") caused, but actually didn't improve anything for some
plarforms (at least Mustang and m400 are still broken).
Given that 6dce5aa59e0b has been reverted, revert this patch as well,
restoring the PCIe support on XGene to its pre-5.5, working state.
Link: https://lore.kernel.org/r/YjN8pT5e6/8cRohQ@xps13.dannf
Link: https://lore.kernel.org/r/20220321104843.949645-3-maz@kernel.org
Fixes: c7a75d07827a ("PCI: xgene: Fix IB window setup")
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: stable@vger.kernel.org
Cc: Rob Herring <robh@kernel.org>
Cc: Toan Le <toan@os.amperecomputing.com>
Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: Krzysztof Wilczyński <kw@linux.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Stéphane Graber <stgraber@ubuntu.com>
Cc: dann frazier <dann.frazier@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pci-xgene.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pci/controller/pci-xgene.c
+++ b/drivers/pci/controller/pci-xgene.c
@@ -467,7 +467,7 @@ static int xgene_pcie_select_ib_reg(u8 *
return 1;
}
- if ((size > SZ_1K) && (size < SZ_4G) && !(*ib_reg_mask & (1 << 0))) {
+ if ((size > SZ_1K) && (size < SZ_1T) && !(*ib_reg_mask & (1 << 0))) {
*ib_reg_mask |= (1 << 0);
return 0;
}
^ permalink raw reply [flat|nested] 636+ messages in thread
* [PATCH 5.10 128/599] regulator: qcom_smd: fix for_each_child.cocci warnings
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 127/599] PCI: xgene: Revert "PCI: xgene: Fix IB window setup" Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 129/599] selinux: check return value of sel_make_avc_files Greg Kroah-Hartman
` (483 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Konrad Dybcio, kernel test robot,
Julia Lawall, Mark Brown, Sasha Levin
From: kernel test robot <lkp@intel.com>
[ Upstream commit 6390d42c21efff0b4c10956a38e341f4e84ecd3d ]
drivers/regulator/qcom_smd-regulator.c:1318:1-33: WARNING: Function "for_each_available_child_of_node" should have of_node_put() before return around line 1321.
Semantic patch information:
False positives can be due to function calls within the for_each
loop that may encapsulate an of_node_put.
Generated by: scripts/coccinelle/iterators/for_each_child.cocci
Fixes: 14e2976fbabd ("regulator: qcom_smd: Align probe function with rpmh-regulator")
CC: Konrad Dybcio <konrad.dybcio@somainline.org>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: kernel test robot <lkp@intel.com>
Signed-off-by: Julia Lawall <julia.lawall@inria.fr>
Link: https://lore.kernel.org/r/alpine.DEB.2.22.394.2201151210170.3051@hadrien
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/qcom_smd-regulator.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/regulator/qcom_smd-regulator.c b/drivers/regulator/qcom_smd-regulator.c
index 03e146e98abd..8d784a2a09d8 100644
--- a/drivers/regulator/qcom_smd-regulator.c
+++ b/drivers/regulator/qcom_smd-regulator.c
@@ -1185,8 +1185,10 @@ static int rpm_reg_probe(struct platform_device *pdev)
for_each_available_child_of_node(dev->of_node, node) {
vreg = devm_kzalloc(&pdev->dev, sizeof(*vreg), GFP_KERNEL);
- if (!vreg)
+ if (!vreg) {
+ of_node_put(node);
return -ENOMEM;
+ }
ret = rpm_regulator_init_vreg(vreg, dev, node, rpm, vreg_data);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 129/599] selinux: check return value of sel_make_avc_files
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 128/599] regulator: qcom_smd: fix for_each_child.cocci warnings Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 130/599] hwrng: cavium - Check health status while reading random data Greg Kroah-Hartman
` (482 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Christian Göttsche,
Nick Desaulniers, Paul Moore, Sasha Levin
From: Christian Göttsche <cgzones@googlemail.com>
[ Upstream commit bcb62828e3e8c813b6613db6eb7fd9657db248fc ]
sel_make_avc_files() might fail and return a negative errno value on
memory allocation failures. Re-add the check of the return value,
dropped in 66f8e2f03c02 ("selinux: sidtab reverse lookup hash table").
Reported by clang-analyzer:
security/selinux/selinuxfs.c:2129:2: warning: Value stored to
'ret' is never read [deadcode.DeadStores]
ret = sel_make_avc_files(dentry);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 66f8e2f03c02 ("selinux: sidtab reverse lookup hash table")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
[PM: description line wrapping, added proper commit ref]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/selinux/selinuxfs.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 2b745ae8cb98..d893c2280f59 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -2124,6 +2124,8 @@ static int sel_fill_super(struct super_block *sb, struct fs_context *fc)
}
ret = sel_make_avc_files(dentry);
+ if (ret)
+ goto err;
dentry = sel_make_dir(sb->s_root, "ss", &fsi->last_ino);
if (IS_ERR(dentry)) {
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 130/599] hwrng: cavium - Check health status while reading random data
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 129/599] selinux: check return value of sel_make_avc_files Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 131/599] hwrng: cavium - HW_RANDOM_CAVIUM should depend on ARCH_THUNDER Greg Kroah-Hartman
` (481 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sunil Goutham, Herbert Xu, Sasha Levin
From: Sunil Goutham <sgoutham@marvell.com>
[ Upstream commit 680efb33546be8960ccbb2f4e0e43034d9c93b30 ]
This RNG device is present on Marvell OcteonTx2 silicons as well and
also provides entropy health status.
HW continuously checks health condition of entropy and reports
faults. Fault is in terms of co-processor cycles since last fault
detected. This doesn't get cleared and only updated when new fault
is detected. Also there are chances of detecting false positives.
So to detect a entropy failure SW has to check if failures are
persistent ie cycles elapsed is frequently updated by HW.
This patch adds support to detect health failures using below algo.
1. Consider any fault detected before 10ms as a false positive and ignore.
10ms is chosen randomly, no significance.
2. Upon first failure detection make a note of cycles elapsed and when this
error happened in realtime (cntvct).
3. Upon subsequent failure, check if this is new or a old one by comparing
current cycles with the ones since last failure. cycles or time since
last failure is calculated using cycles and time info captured at (2).
HEALTH_CHECK status register is not available to VF, hence had to map
PF registers. Also since cycles are in terms of co-processor cycles,
had to retrieve co-processor clock rate from RST device.
Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/hw_random/Kconfig | 2 +-
drivers/char/hw_random/cavium-rng-vf.c | 194 +++++++++++++++++++++++--
drivers/char/hw_random/cavium-rng.c | 11 +-
3 files changed, 190 insertions(+), 17 deletions(-)
diff --git a/drivers/char/hw_random/Kconfig b/drivers/char/hw_random/Kconfig
index 5952210526aa..31d367949fad 100644
--- a/drivers/char/hw_random/Kconfig
+++ b/drivers/char/hw_random/Kconfig
@@ -427,7 +427,7 @@ config HW_RANDOM_MESON
config HW_RANDOM_CAVIUM
tristate "Cavium ThunderX Random Number Generator support"
- depends on HW_RANDOM && PCI && (ARM64 || (COMPILE_TEST && 64BIT))
+ depends on HW_RANDOM && PCI && ARM64
default HW_RANDOM
help
This driver provides kernel-side support for the Random Number
diff --git a/drivers/char/hw_random/cavium-rng-vf.c b/drivers/char/hw_random/cavium-rng-vf.c
index 3de4a6a443ef..6f66919652bf 100644
--- a/drivers/char/hw_random/cavium-rng-vf.c
+++ b/drivers/char/hw_random/cavium-rng-vf.c
@@ -1,10 +1,7 @@
+// SPDX-License-Identifier: GPL-2.0
/*
- * Hardware Random Number Generator support for Cavium, Inc.
- * Thunder processor family.
- *
- * This file is subject to the terms and conditions of the GNU General Public
- * License. See the file "COPYING" in the main directory of this archive
- * for more details.
+ * Hardware Random Number Generator support.
+ * Cavium Thunder, Marvell OcteonTx/Tx2 processor families.
*
* Copyright (C) 2016 Cavium, Inc.
*/
@@ -15,16 +12,146 @@
#include <linux/pci.h>
#include <linux/pci_ids.h>
+#include <asm/arch_timer.h>
+
+/* PCI device IDs */
+#define PCI_DEVID_CAVIUM_RNG_PF 0xA018
+#define PCI_DEVID_CAVIUM_RNG_VF 0xA033
+
+#define HEALTH_STATUS_REG 0x38
+
+/* RST device info */
+#define PCI_DEVICE_ID_RST_OTX2 0xA085
+#define RST_BOOT_REG 0x1600ULL
+#define CLOCK_BASE_RATE 50000000ULL
+#define MSEC_TO_NSEC(x) (x * 1000000)
+
struct cavium_rng {
struct hwrng ops;
void __iomem *result;
+ void __iomem *pf_regbase;
+ struct pci_dev *pdev;
+ u64 clock_rate;
+ u64 prev_error;
+ u64 prev_time;
};
+static inline bool is_octeontx(struct pci_dev *pdev)
+{
+ if (midr_is_cpu_model_range(read_cpuid_id(), MIDR_THUNDERX_83XX,
+ MIDR_CPU_VAR_REV(0, 0),
+ MIDR_CPU_VAR_REV(3, 0)) ||
+ midr_is_cpu_model_range(read_cpuid_id(), MIDR_THUNDERX_81XX,
+ MIDR_CPU_VAR_REV(0, 0),
+ MIDR_CPU_VAR_REV(3, 0)) ||
+ midr_is_cpu_model_range(read_cpuid_id(), MIDR_THUNDERX,
+ MIDR_CPU_VAR_REV(0, 0),
+ MIDR_CPU_VAR_REV(3, 0)))
+ return true;
+
+ return false;
+}
+
+static u64 rng_get_coprocessor_clkrate(void)
+{
+ u64 ret = CLOCK_BASE_RATE * 16; /* Assume 800Mhz as default */
+ struct pci_dev *pdev;
+ void __iomem *base;
+
+ pdev = pci_get_device(PCI_VENDOR_ID_CAVIUM,
+ PCI_DEVICE_ID_RST_OTX2, NULL);
+ if (!pdev)
+ goto error;
+
+ base = pci_ioremap_bar(pdev, 0);
+ if (!base)
+ goto error_put_pdev;
+
+ /* RST: PNR_MUL * 50Mhz gives clockrate */
+ ret = CLOCK_BASE_RATE * ((readq(base + RST_BOOT_REG) >> 33) & 0x3F);
+
+ iounmap(base);
+
+error_put_pdev:
+ pci_dev_put(pdev);
+
+error:
+ return ret;
+}
+
+static int check_rng_health(struct cavium_rng *rng)
+{
+ u64 cur_err, cur_time;
+ u64 status, cycles;
+ u64 time_elapsed;
+
+
+ /* Skip checking health for OcteonTx */
+ if (!rng->pf_regbase)
+ return 0;
+
+ status = readq(rng->pf_regbase + HEALTH_STATUS_REG);
+ if (status & BIT_ULL(0)) {
+ dev_err(&rng->pdev->dev, "HWRNG: Startup health test failed\n");
+ return -EIO;
+ }
+
+ cycles = status >> 1;
+ if (!cycles)
+ return 0;
+
+ cur_time = arch_timer_read_counter();
+
+ /* RNM_HEALTH_STATUS[CYCLES_SINCE_HEALTH_FAILURE]
+ * Number of coprocessor cycles times 2 since the last failure.
+ * This field doesn't get cleared/updated until another failure.
+ */
+ cycles = cycles / 2;
+ cur_err = (cycles * 1000000000) / rng->clock_rate; /* In nanosec */
+
+ /* Ignore errors that happenned a long time ago, these
+ * are most likely false positive errors.
+ */
+ if (cur_err > MSEC_TO_NSEC(10)) {
+ rng->prev_error = 0;
+ rng->prev_time = 0;
+ return 0;
+ }
+
+ if (rng->prev_error) {
+ /* Calculate time elapsed since last error
+ * '1' tick of CNTVCT is 10ns, since it runs at 100Mhz.
+ */
+ time_elapsed = (cur_time - rng->prev_time) * 10;
+ time_elapsed += rng->prev_error;
+
+ /* Check if current error is a new one or the old one itself.
+ * If error is a new one then consider there is a persistent
+ * issue with entropy, declare hardware failure.
+ */
+ if (cur_err < time_elapsed) {
+ dev_err(&rng->pdev->dev, "HWRNG failure detected\n");
+ rng->prev_error = cur_err;
+ rng->prev_time = cur_time;
+ return -EIO;
+ }
+ }
+
+ rng->prev_error = cur_err;
+ rng->prev_time = cur_time;
+ return 0;
+}
+
/* Read data from the RNG unit */
static int cavium_rng_read(struct hwrng *rng, void *dat, size_t max, bool wait)
{
struct cavium_rng *p = container_of(rng, struct cavium_rng, ops);
unsigned int size = max;
+ int err = 0;
+
+ err = check_rng_health(p);
+ if (err)
+ return err;
while (size >= 8) {
*((u64 *)dat) = readq(p->result);
@@ -39,6 +166,39 @@ static int cavium_rng_read(struct hwrng *rng, void *dat, size_t max, bool wait)
return max;
}
+static int cavium_map_pf_regs(struct cavium_rng *rng)
+{
+ struct pci_dev *pdev;
+
+ /* Health status is not supported on 83xx, skip mapping PF CSRs */
+ if (is_octeontx(rng->pdev)) {
+ rng->pf_regbase = NULL;
+ return 0;
+ }
+
+ pdev = pci_get_device(PCI_VENDOR_ID_CAVIUM,
+ PCI_DEVID_CAVIUM_RNG_PF, NULL);
+ if (!pdev) {
+ dev_err(&pdev->dev, "Cannot find RNG PF device\n");
+ return -EIO;
+ }
+
+ rng->pf_regbase = ioremap(pci_resource_start(pdev, 0),
+ pci_resource_len(pdev, 0));
+ if (!rng->pf_regbase) {
+ dev_err(&pdev->dev, "Failed to map PF CSR region\n");
+ pci_dev_put(pdev);
+ return -ENOMEM;
+ }
+
+ pci_dev_put(pdev);
+
+ /* Get co-processor clock rate */
+ rng->clock_rate = rng_get_coprocessor_clkrate();
+
+ return 0;
+}
+
/* Map Cavium RNG to an HWRNG object */
static int cavium_rng_probe_vf(struct pci_dev *pdev,
const struct pci_device_id *id)
@@ -50,6 +210,8 @@ static int cavium_rng_probe_vf(struct pci_dev *pdev,
if (!rng)
return -ENOMEM;
+ rng->pdev = pdev;
+
/* Map the RNG result */
rng->result = pcim_iomap(pdev, 0, 0);
if (!rng->result) {
@@ -67,6 +229,11 @@ static int cavium_rng_probe_vf(struct pci_dev *pdev,
pci_set_drvdata(pdev, rng);
+ /* Health status is available only at PF, hence map PF registers. */
+ ret = cavium_map_pf_regs(rng);
+ if (ret)
+ return ret;
+
ret = devm_hwrng_register(&pdev->dev, &rng->ops);
if (ret) {
dev_err(&pdev->dev, "Error registering device as HWRNG.\n");
@@ -76,10 +243,18 @@ static int cavium_rng_probe_vf(struct pci_dev *pdev,
return 0;
}
+/* Remove the VF */
+static void cavium_rng_remove_vf(struct pci_dev *pdev)
+{
+ struct cavium_rng *rng;
+
+ rng = pci_get_drvdata(pdev);
+ iounmap(rng->pf_regbase);
+}
static const struct pci_device_id cavium_rng_vf_id_table[] = {
- { PCI_DEVICE(PCI_VENDOR_ID_CAVIUM, 0xa033), 0, 0, 0},
- {0,},
+ { PCI_DEVICE(PCI_VENDOR_ID_CAVIUM, PCI_DEVID_CAVIUM_RNG_VF) },
+ { 0, }
};
MODULE_DEVICE_TABLE(pci, cavium_rng_vf_id_table);
@@ -87,8 +262,9 @@ static struct pci_driver cavium_rng_vf_driver = {
.name = "cavium_rng_vf",
.id_table = cavium_rng_vf_id_table,
.probe = cavium_rng_probe_vf,
+ .remove = cavium_rng_remove_vf,
};
module_pci_driver(cavium_rng_vf_driver);
MODULE_AUTHOR("Omer Khaliq <okhaliq@caviumnetworks.com>");
-MODULE_LICENSE("GPL");
+MODULE_LICENSE("GPL v2");
diff --git a/drivers/char/hw_random/cavium-rng.c b/drivers/char/hw_random/cavium-rng.c
index 63d6e68c24d2..b96579222408 100644
--- a/drivers/char/hw_random/cavium-rng.c
+++ b/drivers/char/hw_random/cavium-rng.c
@@ -1,10 +1,7 @@
+// SPDX-License-Identifier: GPL-2.0
/*
- * Hardware Random Number Generator support for Cavium Inc.
- * Thunder processor family.
- *
- * This file is subject to the terms and conditions of the GNU General Public
- * License. See the file "COPYING" in the main directory of this archive
- * for more details.
+ * Hardware Random Number Generator support.
+ * Cavium Thunder, Marvell OcteonTx/Tx2 processor families.
*
* Copyright (C) 2016 Cavium, Inc.
*/
@@ -91,4 +88,4 @@ static struct pci_driver cavium_rng_pf_driver = {
module_pci_driver(cavium_rng_pf_driver);
MODULE_AUTHOR("Omer Khaliq <okhaliq@caviumnetworks.com>");
-MODULE_LICENSE("GPL");
+MODULE_LICENSE("GPL v2");
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 131/599] hwrng: cavium - HW_RANDOM_CAVIUM should depend on ARCH_THUNDER
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 130/599] hwrng: cavium - Check health status while reading random data Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 132/599] crypto: sun8i-ss - really disable hash on A80 Greg Kroah-Hartman
` (480 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Herbert Xu, Sasha Levin
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit ab7d88549e2f7ae116afd303f32e1950cb790a1d ]
The Cavium ThunderX Random Number Generator is only present on Cavium
ThunderX SoCs, and not available as an independent PCIe endpoint. Hence
add a dependency on ARCH_THUNDER, to prevent asking the user about this
driver when configuring a kernel without Cavium Thunder SoC support.
Fixes: cc2f1908c6b8f625 ("hwrng: cavium - Add Cavium HWRNG driver for ThunderX SoC.")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/hw_random/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/char/hw_random/Kconfig b/drivers/char/hw_random/Kconfig
index 31d367949fad..a7d9e4600d40 100644
--- a/drivers/char/hw_random/Kconfig
+++ b/drivers/char/hw_random/Kconfig
@@ -427,7 +427,7 @@ config HW_RANDOM_MESON
config HW_RANDOM_CAVIUM
tristate "Cavium ThunderX Random Number Generator support"
- depends on HW_RANDOM && PCI && ARM64
+ depends on HW_RANDOM && PCI && ARCH_THUNDER
default HW_RANDOM
help
This driver provides kernel-side support for the Random Number
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 132/599] crypto: sun8i-ss - really disable hash on A80
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 131/599] hwrng: cavium - HW_RANDOM_CAVIUM should depend on ARCH_THUNDER Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 133/599] crypto: authenc - Fix sleep in atomic context in decrypt_tail Greg Kroah-Hartman
` (479 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Corentin Labbe, Herbert Xu, Sasha Levin
From: Corentin Labbe <clabbe@baylibre.com>
[ Upstream commit 881fc7fba6c3e7d77d608b9a50b01a89d5e0c61b ]
When adding hashes support to sun8i-ss, I have added them only on A83T.
But I forgot that 0 is a valid algorithm ID, so hashes are enabled on A80 but
with an incorrect ID.
Anyway, even with correct IDs, hashes do not work on A80 and I cannot
find why.
So let's disable all of them on A80.
Fixes: d9b45418a917 ("crypto: sun8i-ss - support hash algorithms")
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c
index 80e89066dbd1..319fe3279a71 100644
--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c
+++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c
@@ -30,6 +30,8 @@
static const struct ss_variant ss_a80_variant = {
.alg_cipher = { SS_ALG_AES, SS_ALG_DES, SS_ALG_3DES,
},
+ .alg_hash = { SS_ID_NOTSUPP, SS_ID_NOTSUPP, SS_ID_NOTSUPP, SS_ID_NOTSUPP,
+ },
.op_mode = { SS_OP_ECB, SS_OP_CBC,
},
.ss_clks = {
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 133/599] crypto: authenc - Fix sleep in atomic context in decrypt_tail
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 132/599] crypto: sun8i-ss - really disable hash on A80 Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 134/599] crypto: mxs-dcp - Fix scatterlist processing Greg Kroah-Hartman
` (478 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Corentin Labbe, Herbert Xu, Sasha Levin
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 66eae850333d639fc278d6f915c6fc01499ea893 ]
The function crypto_authenc_decrypt_tail discards its flags
argument and always relies on the flags from the original request
when starting its sub-request.
This is clearly wrong as it may cause the SLEEPABLE flag to be
set when it shouldn't.
Fixes: 92d95ba91772 ("crypto: authenc - Convert to new AEAD interface")
Reported-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/authenc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/authenc.c b/crypto/authenc.c
index 670bf1a01d00..17f674a7cdff 100644
--- a/crypto/authenc.c
+++ b/crypto/authenc.c
@@ -253,7 +253,7 @@ static int crypto_authenc_decrypt_tail(struct aead_request *req,
dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);
skcipher_request_set_tfm(skreq, ctx->enc);
- skcipher_request_set_callback(skreq, aead_request_flags(req),
+ skcipher_request_set_callback(skreq, flags,
req->base.complete, req->base.data);
skcipher_request_set_crypt(skreq, src, dst,
req->cryptlen - authsize, req->iv);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 134/599] crypto: mxs-dcp - Fix scatterlist processing
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 133/599] crypto: authenc - Fix sleep in atomic context in decrypt_tail Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 135/599] thermal: int340x: Check for NULL after calling kmemdup() Greg Kroah-Hartman
` (477 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tomas Paukrt, Herbert Xu, Sasha Levin
From: Tomas Paukrt <tomaspaukrt@email.cz>
[ Upstream commit 28e9b6d8199a3f124682b143800c2dacdc3d70dd ]
This patch fixes a bug in scatterlist processing that may cause incorrect AES block encryption/decryption.
Fixes: 2e6d793e1bf0 ("crypto: mxs-dcp - Use sg_mapping_iter to copy data")
Signed-off-by: Tomas Paukrt <tomaspaukrt@email.cz>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/mxs-dcp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c
index 5edc91cdb4e6..a9d3e675f7ff 100644
--- a/drivers/crypto/mxs-dcp.c
+++ b/drivers/crypto/mxs-dcp.c
@@ -330,7 +330,7 @@ static int mxs_dcp_aes_block_crypt(struct crypto_async_request *arq)
memset(key + AES_KEYSIZE_128, 0, AES_KEYSIZE_128);
}
- for_each_sg(req->src, src, sg_nents(src), i) {
+ for_each_sg(req->src, src, sg_nents(req->src), i) {
src_buf = sg_virt(src);
len = sg_dma_len(src);
tlen += len;
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 135/599] thermal: int340x: Check for NULL after calling kmemdup()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 134/599] crypto: mxs-dcp - Fix scatterlist processing Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 136/599] spi: tegra114: Add missing IRQ check in tegra_spi_probe Greg Kroah-Hartman
` (476 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jiasheng Jiang, Rafael J. Wysocki,
Sasha Levin
From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
[ Upstream commit 38b16d6cfe54c820848bcfc999bc5e8a7da1cefb ]
As the potential failure of the allocation, kmemdup() may return NULL.
Then, 'bin_attr_data_vault.private' will be NULL, but
'bin_attr_data_vault.size' is not 0, which is not consistent.
Therefore, it is better to check the return value of kmemdup() to
avoid the confusion.
Fixes: 0ba13c763aac ("thermal/int340x_thermal: Export GDDV")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
[ rjw: Subject and changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thermal/intel/int340x_thermal/int3400_thermal.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
index 793d7b58fc65..55f5bc7cd20b 100644
--- a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
+++ b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
@@ -466,6 +466,11 @@ static void int3400_setup_gddv(struct int3400_thermal_priv *priv)
priv->data_vault = kmemdup(obj->package.elements[0].buffer.pointer,
obj->package.elements[0].buffer.length,
GFP_KERNEL);
+ if (!priv->data_vault) {
+ kfree(buffer.pointer);
+ return;
+ }
+
bin_attr_data_vault.private = priv->data_vault;
bin_attr_data_vault.size = obj->package.elements[0].buffer.length;
kfree(buffer.pointer);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 136/599] spi: tegra114: Add missing IRQ check in tegra_spi_probe
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 135/599] thermal: int340x: Check for NULL after calling kmemdup() Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 137/599] arm64/mm: avoid fixmap race condition when create pud mapping Greg Kroah-Hartman
` (475 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Miaoqian Lin, Mark Brown, Sasha Levin
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit 4f92724d4b92c024e721063f520d66e11ca4b54b ]
This func misses checking for platform_get_irq()'s call and may passes the
negative error codes to request_threaded_irq(), which takes unsigned IRQ #,
causing it to fail with -EINVAL, overriding an original error code.
Stop calling request_threaded_irq() with invalid IRQ #s.
Fixes: f333a331adfa ("spi/tegra114: add spi driver")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20220128165238.25615-1-linmq006@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-tegra114.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c
index a2e5907276e7..ed42665b1224 100644
--- a/drivers/spi/spi-tegra114.c
+++ b/drivers/spi/spi-tegra114.c
@@ -1353,6 +1353,10 @@ static int tegra_spi_probe(struct platform_device *pdev)
tspi->phys = r->start;
spi_irq = platform_get_irq(pdev, 0);
+ if (spi_irq < 0) {
+ ret = spi_irq;
+ goto exit_free_master;
+ }
tspi->irq = spi_irq;
tspi->clk = devm_clk_get(&pdev->dev, "spi");
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 137/599] arm64/mm: avoid fixmap race condition when create pud mapping
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 136/599] spi: tegra114: Add missing IRQ check in tegra_spi_probe Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 138/599] selftests/x86: Add validity check and allow field splitting Greg Kroah-Hartman
` (474 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jianyong Wu, Catalin Marinas,
Will Deacon, Sasha Levin
From: Jianyong Wu <jianyong.wu@arm.com>
[ Upstream commit ee017ee353506fcec58e481673e4331ff198a80e ]
The 'fixmap' is a global resource and is used recursively by
create pud mapping(), leading to a potential race condition in the
presence of a concurrent call to alloc_init_pud():
kernel_init thread virtio-mem workqueue thread
================== ===========================
alloc_init_pud(...) alloc_init_pud(...)
pudp = pud_set_fixmap_offset(...) pudp = pud_set_fixmap_offset(...)
READ_ONCE(*pudp)
pud_clear_fixmap(...)
READ_ONCE(*pudp) // CRASH!
As kernel may sleep during creating pud mapping, introduce a mutex lock to
serialise use of the fixmap entries by alloc_init_pud(). However, there is
no need for locking in early boot stage and it doesn't work well with
KASLR enabled when early boot. So, enable lock when system_state doesn't
equal to "SYSTEM_BOOTING".
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Fixes: f4710445458c ("arm64: mm: use fixmap when creating page tables")
Link: https://lore.kernel.org/r/20220201114400.56885-1-jianyong.wu@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/mm/mmu.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
index 991e599f7057..a9ec8c739d37 100644
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -61,6 +61,7 @@ static pmd_t bm_pmd[PTRS_PER_PMD] __page_aligned_bss __maybe_unused;
static pud_t bm_pud[PTRS_PER_PUD] __page_aligned_bss __maybe_unused;
static DEFINE_SPINLOCK(swapper_pgdir_lock);
+static DEFINE_MUTEX(fixmap_lock);
void set_swapper_pgd(pgd_t *pgdp, pgd_t pgd)
{
@@ -314,6 +315,12 @@ static void alloc_init_pud(pgd_t *pgdp, unsigned long addr, unsigned long end,
}
BUG_ON(p4d_bad(p4d));
+ /*
+ * No need for locking during early boot. And it doesn't work as
+ * expected with KASLR enabled.
+ */
+ if (system_state != SYSTEM_BOOTING)
+ mutex_lock(&fixmap_lock);
pudp = pud_set_fixmap_offset(p4dp, addr);
do {
pud_t old_pud = READ_ONCE(*pudp);
@@ -344,6 +351,8 @@ static void alloc_init_pud(pgd_t *pgdp, unsigned long addr, unsigned long end,
} while (pudp++, addr = next, addr != end);
pud_clear_fixmap();
+ if (system_state != SYSTEM_BOOTING)
+ mutex_unlock(&fixmap_lock);
}
static void __create_pgd_mapping(pgd_t *pgdir, phys_addr_t phys,
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 138/599] selftests/x86: Add validity check and allow field splitting
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 137/599] arm64/mm: avoid fixmap race condition when create pud mapping Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 139/599] crypto: rockchip - ECB does not need IV Greg Kroah-Hartman
` (473 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, kernelci.org bot,
Muhammad Usama Anjum, Dave Hansen, Sasha Levin
From: Muhammad Usama Anjum <usama.anjum@collabora.com>
[ Upstream commit b06e15ebd5bfb670f93c7f11a29b8299c1178bc6 ]
Add check to test if CC has a string. CC can have multiple sub-strings
like "ccache gcc". Erorr pops up if it is treated as single string and
double quotes are used around it. This can be fixed by removing the
quotes and not treating CC as a single string.
Fixes: e9886ace222e ("selftests, x86: Rework x86 target architecture detection")
Reported-by: "kernelci.org bot" <bot@kernelci.org>
Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Link: https://lkml.kernel.org/r/20220214184109.3739179-2-usama.anjum@collabora.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/x86/check_cc.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/x86/check_cc.sh b/tools/testing/selftests/x86/check_cc.sh
index 3e2089c8cf54..8c669c0d662e 100755
--- a/tools/testing/selftests/x86/check_cc.sh
+++ b/tools/testing/selftests/x86/check_cc.sh
@@ -7,7 +7,7 @@ CC="$1"
TESTPROG="$2"
shift 2
-if "$CC" -o /dev/null "$TESTPROG" -O0 "$@" 2>/dev/null; then
+if [ -n "$CC" ] && $CC -o /dev/null "$TESTPROG" -O0 "$@" 2>/dev/null; then
echo 1
else
echo 0
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 139/599] crypto: rockchip - ECB does not need IV
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 138/599] selftests/x86: Add validity check and allow field splitting Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 140/599] audit: log AUDIT_TIME_* records only from rules Greg Kroah-Hartman
` (472 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Corentin Labbe, Herbert Xu, Sasha Levin
From: Corentin Labbe <clabbe@baylibre.com>
[ Upstream commit 973d74e93820d99d8ea203882631c76edab699c9 ]
When loading rockchip crypto module, testmgr complains that ivsize of ecb-des3-ede-rk
is not the same than generic implementation.
In fact ECB does not use an IV.
Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API")
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/rockchip/rk3288_crypto_skcipher.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
index 1cece1a7d3f0..5bbf0d2722e1 100644
--- a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+++ b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
@@ -506,7 +506,6 @@ struct rk_crypto_tmp rk_ecb_des3_ede_alg = {
.exit = rk_ablk_exit_tfm,
.min_keysize = DES3_EDE_KEY_SIZE,
.max_keysize = DES3_EDE_KEY_SIZE,
- .ivsize = DES_BLOCK_SIZE,
.setkey = rk_tdes_setkey,
.encrypt = rk_des3_ede_ecb_encrypt,
.decrypt = rk_des3_ede_ecb_decrypt,
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 140/599] audit: log AUDIT_TIME_* records only from rules
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 139/599] crypto: rockchip - ECB does not need IV Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 141/599] EVM: fix the evm= __setup handler return value Greg Kroah-Hartman
` (471 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Richard Guy Briggs, Paul Moore, Sasha Levin
From: Richard Guy Briggs <rgb@redhat.com>
[ Upstream commit 272ceeaea355214b301530e262a0df8600bfca95 ]
AUDIT_TIME_* events are generated when there are syscall rules present
that are not related to time keeping. This will produce noisy log
entries that could flood the logs and hide events we really care about.
Rather than immediately produce the AUDIT_TIME_* records, store the data
in the context and log it at syscall exit time respecting the filter
rules.
Note: This eats the audit_buffer, unlike any others in show_special().
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919
Fixes: 7e8eda734d30 ("ntp: Audit NTP parameters adjustment")
Fixes: 2d87a0674bd6 ("timekeeping: Audit clock adjustments")
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: fixed style/whitespace issues]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/audit.h | 4 +++
kernel/auditsc.c | 87 +++++++++++++++++++++++++++++++++++++-----------
2 files changed, 71 insertions(+), 20 deletions(-)
diff --git a/kernel/audit.h b/kernel/audit.h
index 3b9c0945225a..1918019e6aaf 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -191,6 +191,10 @@ struct audit_context {
struct {
char *name;
} module;
+ struct {
+ struct audit_ntp_data ntp_data;
+ struct timespec64 tk_injoffset;
+ } time;
};
int fds[2];
struct audit_proctitle proctitle;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 638f424859ed..07e2788bbbf1 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1214,6 +1214,53 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
from_kuid(&init_user_ns, name->fcap.rootid));
}
+static void audit_log_time(struct audit_context *context, struct audit_buffer **ab)
+{
+ const struct audit_ntp_data *ntp = &context->time.ntp_data;
+ const struct timespec64 *tk = &context->time.tk_injoffset;
+ static const char * const ntp_name[] = {
+ "offset",
+ "freq",
+ "status",
+ "tai",
+ "tick",
+ "adjust",
+ };
+ int type;
+
+ if (context->type == AUDIT_TIME_ADJNTPVAL) {
+ for (type = 0; type < AUDIT_NTP_NVALS; type++) {
+ if (ntp->vals[type].newval != ntp->vals[type].oldval) {
+ if (!*ab) {
+ *ab = audit_log_start(context,
+ GFP_KERNEL,
+ AUDIT_TIME_ADJNTPVAL);
+ if (!*ab)
+ return;
+ }
+ audit_log_format(*ab, "op=%s old=%lli new=%lli",
+ ntp_name[type],
+ ntp->vals[type].oldval,
+ ntp->vals[type].newval);
+ audit_log_end(*ab);
+ *ab = NULL;
+ }
+ }
+ }
+ if (tk->tv_sec != 0 || tk->tv_nsec != 0) {
+ if (!*ab) {
+ *ab = audit_log_start(context, GFP_KERNEL,
+ AUDIT_TIME_INJOFFSET);
+ if (!*ab)
+ return;
+ }
+ audit_log_format(*ab, "sec=%lli nsec=%li",
+ (long long)tk->tv_sec, tk->tv_nsec);
+ audit_log_end(*ab);
+ *ab = NULL;
+ }
+}
+
static void show_special(struct audit_context *context, int *call_panic)
{
struct audit_buffer *ab;
@@ -1319,6 +1366,11 @@ static void show_special(struct audit_context *context, int *call_panic)
audit_log_format(ab, "(null)");
break;
+ case AUDIT_TIME_ADJNTPVAL:
+ case AUDIT_TIME_INJOFFSET:
+ /* this call deviates from the rest, eating the buffer */
+ audit_log_time(context, &ab);
+ break;
}
audit_log_end(ab);
}
@@ -2560,31 +2612,26 @@ void __audit_fanotify(unsigned int response)
void __audit_tk_injoffset(struct timespec64 offset)
{
- audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_INJOFFSET,
- "sec=%lli nsec=%li",
- (long long)offset.tv_sec, offset.tv_nsec);
-}
-
-static void audit_log_ntp_val(const struct audit_ntp_data *ad,
- const char *op, enum audit_ntp_type type)
-{
- const struct audit_ntp_val *val = &ad->vals[type];
-
- if (val->newval == val->oldval)
- return;
+ struct audit_context *context = audit_context();
- audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_ADJNTPVAL,
- "op=%s old=%lli new=%lli", op, val->oldval, val->newval);
+ /* only set type if not already set by NTP */
+ if (!context->type)
+ context->type = AUDIT_TIME_INJOFFSET;
+ memcpy(&context->time.tk_injoffset, &offset, sizeof(offset));
}
void __audit_ntp_log(const struct audit_ntp_data *ad)
{
- audit_log_ntp_val(ad, "offset", AUDIT_NTP_OFFSET);
- audit_log_ntp_val(ad, "freq", AUDIT_NTP_FREQ);
- audit_log_ntp_val(ad, "status", AUDIT_NTP_STATUS);
- audit_log_ntp_val(ad, "tai", AUDIT_NTP_TAI);
- audit_log_ntp_val(ad, "tick", AUDIT_NTP_TICK);
- audit_log_ntp_val(ad, "adjust", AUDIT_NTP_ADJUST);
+ struct audit_context *context = audit_context();
+ int type;
+
+ for (type = 0; type < AUDIT_NTP_NVALS; type++)
+ if (ad->vals[type].newval != ad->vals[type].oldval) {
+ /* unconditionally set type, overwriting TK */
+ context->type = AUDIT_TIME_ADJNTPVAL;
+ memcpy(&context->time.ntp_data, ad, sizeof(*ad));
+ break;
+ }
}
void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 141/599] EVM: fix the evm= __setup handler return value
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 140/599] audit: log AUDIT_TIME_* records only from rules Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 142/599] crypto: ccree - dont attempt 0 len DMA mappings Greg Kroah-Hartman
` (470 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Igor Zhbanov,
Mimi Zohar, Sasha Levin
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit f2544f5e6c691679d56bb38637d2f347075b36fa ]
__setup() handlers should return 1 if the parameter is handled.
Returning 0 causes the entire string to be added to init's
environment strings (limited to 32 strings), unnecessarily polluting it.
Using the documented string "evm=fix" causes an Unknown parameter message:
Unknown kernel command line parameters
"BOOT_IMAGE=/boot/bzImage-517rc5 evm=fix", will be passed to user space.
and that string is added to init's environment string space:
Run /sbin/init as init process
with arguments:
/sbin/init
with environment:
HOME=/
TERM=linux
BOOT_IMAGE=/boot/bzImage-517rc5
evm=fix
With this change, using "evm=fix" acts as expected and an invalid
option ("evm=evm") causes a warning to be printed:
evm: invalid "evm" mode
but init's environment is not polluted with this string, as expected.
Fixes: 7102ebcd65c1 ("evm: permit only valid security.evm xattrs to be updated")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/integrity/evm/evm_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index b929c683aba1..0033364ac404 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -62,7 +62,7 @@ static int __init evm_set_fixmode(char *str)
else
pr_err("invalid \"%s\" mode", str);
- return 0;
+ return 1;
}
__setup("evm=", evm_set_fixmode);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 142/599] crypto: ccree - dont attempt 0 len DMA mappings
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 141/599] EVM: fix the evm= __setup handler return value Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 143/599] spi: pxa2xx-pci: Balance reference count for PCI DMA device Greg Kroah-Hartman
` (469 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Gilad Ben-Yossef, Corentin Labbe,
Herbert Xu, Sasha Levin
From: Gilad Ben-Yossef <gilad@benyossef.com>
[ Upstream commit 1fb37b5692c915edcc2448a6b37255738c7c77e0 ]
Refuse to try mapping zero bytes as this may cause a fault
on some configurations / platforms and it seems the prev.
attempt is not enough and we need to be more explicit.
Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Reported-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Fixes: ce0fc6db38de ("crypto: ccree - protect against empty or NULL
scatterlists")
Tested-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/ccree/cc_buffer_mgr.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/crypto/ccree/cc_buffer_mgr.c b/drivers/crypto/ccree/cc_buffer_mgr.c
index a5e041d9d2cf..11e0278c8631 100644
--- a/drivers/crypto/ccree/cc_buffer_mgr.c
+++ b/drivers/crypto/ccree/cc_buffer_mgr.c
@@ -258,6 +258,13 @@ static int cc_map_sg(struct device *dev, struct scatterlist *sg,
{
int ret = 0;
+ if (!nbytes) {
+ *mapped_nents = 0;
+ *lbytes = 0;
+ *nents = 0;
+ return 0;
+ }
+
*nents = cc_get_sgl_nents(dev, sg, nbytes, lbytes);
if (*nents > max_sg_nents) {
*nents = 0;
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 143/599] spi: pxa2xx-pci: Balance reference count for PCI DMA device
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 142/599] crypto: ccree - dont attempt 0 len DMA mappings Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 144/599] hwmon: (pmbus) Add mutex to regulator ops Greg Kroah-Hartman
` (468 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Wang Qing, Andy Shevchenko,
Mark Brown, Sasha Levin
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 609d7ffdc42199a0ec949db057e3b4be6745d6c5 ]
The pci_get_slot() increases its reference count, the caller
must decrement the reference count by calling pci_dev_put().
Fixes: 743485ea3bee ("spi: pxa2xx-pci: Do a specific setup in a separate function")
Fixes: 25014521603f ("spi: pxa2xx-pci: Enable DMA for Intel Merrifield")
Reported-by: Wang Qing <wangqing@vivo.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20220223191637.31147-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-pxa2xx-pci.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-pxa2xx-pci.c b/drivers/spi/spi-pxa2xx-pci.c
index aafac128bb5f..4eb979a096c7 100644
--- a/drivers/spi/spi-pxa2xx-pci.c
+++ b/drivers/spi/spi-pxa2xx-pci.c
@@ -74,14 +74,23 @@ static bool lpss_dma_filter(struct dma_chan *chan, void *param)
return true;
}
+static void lpss_dma_put_device(void *dma_dev)
+{
+ pci_dev_put(dma_dev);
+}
+
static int lpss_spi_setup(struct pci_dev *dev, struct pxa_spi_info *c)
{
struct pci_dev *dma_dev;
+ int ret;
c->num_chipselect = 1;
c->max_clk_rate = 50000000;
dma_dev = pci_get_slot(dev->bus, PCI_DEVFN(PCI_SLOT(dev->devfn), 0));
+ ret = devm_add_action_or_reset(&dev->dev, lpss_dma_put_device, dma_dev);
+ if (ret)
+ return ret;
if (c->tx_param) {
struct dw_dma_slave *slave = c->tx_param;
@@ -105,8 +114,9 @@ static int lpss_spi_setup(struct pci_dev *dev, struct pxa_spi_info *c)
static int mrfld_spi_setup(struct pci_dev *dev, struct pxa_spi_info *c)
{
- struct pci_dev *dma_dev = pci_get_slot(dev->bus, PCI_DEVFN(21, 0));
struct dw_dma_slave *tx, *rx;
+ struct pci_dev *dma_dev;
+ int ret;
switch (PCI_FUNC(dev->devfn)) {
case 0:
@@ -131,6 +141,11 @@ static int mrfld_spi_setup(struct pci_dev *dev, struct pxa_spi_info *c)
return -ENODEV;
}
+ dma_dev = pci_get_slot(dev->bus, PCI_DEVFN(21, 0));
+ ret = devm_add_action_or_reset(&dev->dev, lpss_dma_put_device, dma_dev);
+ if (ret)
+ return ret;
+
tx = c->tx_param;
tx->dma_dev = &dma_dev->dev;
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 144/599] hwmon: (pmbus) Add mutex to regulator ops
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 143/599] spi: pxa2xx-pci: Balance reference count for PCI DMA device Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 145/599] hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING Greg Kroah-Hartman
` (467 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Patrick Rudolph,
Marcello Sylvester Bauer, Alan Tull, Guenter Roeck, Sasha Levin
From: Patrick Rudolph <patrick.rudolph@9elements.com>
[ Upstream commit 686d303ee6301261b422ea51e64833d7909a2c36 ]
On PMBUS devices with multiple pages, the regulator ops need to be
protected with the update mutex. This prevents accidentally changing
the page in a separate thread while operating on the PMBUS_OPERATION
register.
Tested on Infineon xdpe11280 while a separate thread polls for sensor
data.
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Marcello Sylvester Bauer <sylv@sylv.io>
Link: https://lore.kernel.org/r/b991506bcbf665f7af185945f70bf9d5cf04637c.1645804976.git.sylv@sylv.io
Fixes: ddbb4db4ced1b ("hwmon: (pmbus) Add regulator support")
Cc: Alan Tull <atull@opensource.altera.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/pmbus/pmbus_core.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
index 71798fde2ef0..7a13057007d9 100644
--- a/drivers/hwmon/pmbus/pmbus_core.c
+++ b/drivers/hwmon/pmbus/pmbus_core.c
@@ -2255,10 +2255,14 @@ static int pmbus_regulator_is_enabled(struct regulator_dev *rdev)
{
struct device *dev = rdev_get_dev(rdev);
struct i2c_client *client = to_i2c_client(dev->parent);
+ struct pmbus_data *data = i2c_get_clientdata(client);
u8 page = rdev_get_id(rdev);
int ret;
+ mutex_lock(&data->update_lock);
ret = pmbus_read_byte_data(client, page, PMBUS_OPERATION);
+ mutex_unlock(&data->update_lock);
+
if (ret < 0)
return ret;
@@ -2269,11 +2273,17 @@ static int _pmbus_regulator_on_off(struct regulator_dev *rdev, bool enable)
{
struct device *dev = rdev_get_dev(rdev);
struct i2c_client *client = to_i2c_client(dev->parent);
+ struct pmbus_data *data = i2c_get_clientdata(client);
u8 page = rdev_get_id(rdev);
+ int ret;
- return pmbus_update_byte_data(client, page, PMBUS_OPERATION,
- PB_OPERATION_CONTROL_ON,
- enable ? PB_OPERATION_CONTROL_ON : 0);
+ mutex_lock(&data->update_lock);
+ ret = pmbus_update_byte_data(client, page, PMBUS_OPERATION,
+ PB_OPERATION_CONTROL_ON,
+ enable ? PB_OPERATION_CONTROL_ON : 0);
+ mutex_unlock(&data->update_lock);
+
+ return ret;
}
static int pmbus_regulator_enable(struct regulator_dev *rdev)
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 145/599] hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 144/599] hwmon: (pmbus) Add mutex to regulator ops Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 146/599] nvme: cleanup __nvme_check_ids Greg Kroah-Hartman
` (466 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Armin Wolf,
Hans de Goede, Sasha Levin
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit 647d6f09bea7dacf4cdb6d4ea7e3051883955297 ]
If the watchdog was already enabled by the BIOS after booting, the
watchdog infrastructure needs to regularly send keepalives to
prevent a unexpected reset.
WDOG_ACTIVE only serves as an status indicator for userspace,
we want to use WDOG_HW_RUNNING instead.
Since my Fujitsu Esprimo P720 does not support the watchdog,
this change is compile-tested only.
Suggested-by: Guenter Roeck <linux@roeck-us.net>
Fixes: fb551405c0f8 (watchdog: sch56xx: Use watchdog core)
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://lore.kernel.org/r/20220131211935.3656-5-W_Armin@gmx.de
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/sch56xx-common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hwmon/sch56xx-common.c b/drivers/hwmon/sch56xx-common.c
index 6c84780e358e..066b12990fbf 100644
--- a/drivers/hwmon/sch56xx-common.c
+++ b/drivers/hwmon/sch56xx-common.c
@@ -424,7 +424,7 @@ struct sch56xx_watchdog_data *sch56xx_watchdog_register(struct device *parent,
if (nowayout)
set_bit(WDOG_NO_WAY_OUT, &data->wddev.status);
if (output_enable & SCH56XX_WDOG_OUTPUT_ENABLE)
- set_bit(WDOG_ACTIVE, &data->wddev.status);
+ set_bit(WDOG_HW_RUNNING, &data->wddev.status);
/* Since the watchdog uses a downcounter there is no register to read
the BIOS set timeout from (if any was set at all) ->
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 146/599] nvme: cleanup __nvme_check_ids
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 145/599] hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 147/599] block: dont delete queue kobject before its children Greg Kroah-Hartman
` (465 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Keith Busch,
Chaitanya Kulkarni, Sasha Levin
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit fd8099e7918cd2df39ef306dd1d1af7178a15b81 ]
Pass the actual nvme_ns_ids used for the comparison instead of the
ns_head that isn't needed and use a more descriptive function name.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/core.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 71c85c99e86c..853b9a24f744 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -3681,16 +3681,15 @@ static struct nvme_ns_head *nvme_find_ns_head(struct nvme_subsystem *subsys,
return NULL;
}
-static int __nvme_check_ids(struct nvme_subsystem *subsys,
- struct nvme_ns_head *new)
+static int nvme_subsys_check_duplicate_ids(struct nvme_subsystem *subsys,
+ struct nvme_ns_ids *ids)
{
struct nvme_ns_head *h;
lockdep_assert_held(&subsys->lock);
list_for_each_entry(h, &subsys->nsheads, entry) {
- if (nvme_ns_ids_valid(&new->ids) &&
- nvme_ns_ids_equal(&new->ids, &h->ids))
+ if (nvme_ns_ids_valid(ids) && nvme_ns_ids_equal(ids, &h->ids))
return -EINVAL;
}
@@ -3724,7 +3723,7 @@ static struct nvme_ns_head *nvme_alloc_ns_head(struct nvme_ctrl *ctrl,
head->ids = *ids;
kref_init(&head->ref);
- ret = __nvme_check_ids(ctrl->subsys, head);
+ ret = nvme_subsys_check_duplicate_ids(ctrl->subsys, &head->ids);
if (ret) {
dev_err(ctrl->device,
"duplicate IDs for nsid %d\n", nsid);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 147/599] block: dont delete queue kobject before its children
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 146/599] nvme: cleanup __nvme_check_ids Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 148/599] PM: hibernate: fix __setup handler error handling Greg Kroah-Hartman
` (464 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hannes Reinecke, Bart Van Assche,
Eric Biggers, Christoph Hellwig, Jens Axboe, Sasha Levin
From: Eric Biggers <ebiggers@google.com>
[ Upstream commit 0f69288253e9fc7c495047720e523b9f1aba5712 ]
kobjects aren't supposed to be deleted before their child kobjects are
deleted. Apparently this is usually benign; however, a WARN will be
triggered if one of the child kobjects has a named attribute group:
sysfs group 'modes' not found for kobject 'crypto'
WARNING: CPU: 0 PID: 1 at fs/sysfs/group.c:278 sysfs_remove_group+0x72/0x80
...
Call Trace:
sysfs_remove_groups+0x29/0x40 fs/sysfs/group.c:312
__kobject_del+0x20/0x80 lib/kobject.c:611
kobject_cleanup+0xa4/0x140 lib/kobject.c:696
kobject_release lib/kobject.c:736 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x53/0x70 lib/kobject.c:753
blk_crypto_sysfs_unregister+0x10/0x20 block/blk-crypto-sysfs.c:159
blk_unregister_queue+0xb0/0x110 block/blk-sysfs.c:962
del_gendisk+0x117/0x250 block/genhd.c:610
Fix this by moving the kobject_del() and the corresponding
kobject_uevent() to the correct place.
Fixes: 2c2086afc2b8 ("block: Protect less code with sysfs_lock in blk_{un,}register_queue()")
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20220124215938.2769-3-ebiggers@kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-sysfs.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
index b513f1683af0..8c5816364dd1 100644
--- a/block/blk-sysfs.c
+++ b/block/blk-sysfs.c
@@ -958,15 +958,17 @@ void blk_unregister_queue(struct gendisk *disk)
*/
if (queue_is_mq(q))
blk_mq_unregister_dev(disk_to_dev(disk), q);
-
- kobject_uevent(&q->kobj, KOBJ_REMOVE);
- kobject_del(&q->kobj);
blk_trace_remove_sysfs(disk_to_dev(disk));
mutex_lock(&q->sysfs_lock);
if (q->elevator)
elv_unregister_queue(q);
mutex_unlock(&q->sysfs_lock);
+
+ /* Now that we've deleted all child objects, we can delete the queue. */
+ kobject_uevent(&q->kobj, KOBJ_REMOVE);
+ kobject_del(&q->kobj);
+
mutex_unlock(&q->sysfs_dir_lock);
kobject_put(&disk_to_dev(disk)->kobj);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 148/599] PM: hibernate: fix __setup handler error handling
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 147/599] block: dont delete queue kobject before its children Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 149/599] PM: suspend: fix return value of __setup handler Greg Kroah-Hartman
` (463 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Igor Zhbanov,
Rafael J. Wysocki, Sasha Levin
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit ba7ffcd4c4da374b0f64666354eeeda7d3827131 ]
If an invalid value is used in "resumedelay=<seconds>", it is
silently ignored. Add a warning message and then let the __setup
handler return 1 to indicate that the kernel command line option
has been handled.
Fixes: 317cf7e5e85e3 ("PM / hibernate: convert simple_strtoul to kstrtoul")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/power/hibernate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index bf640fd6142a..522cb1387462 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -1323,7 +1323,7 @@ static int __init resumedelay_setup(char *str)
int rc = kstrtouint(str, 0, &resume_delay);
if (rc)
- return rc;
+ pr_warn("resumedelay: bad option string '%s'\n", str);
return 1;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 149/599] PM: suspend: fix return value of __setup handler
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 148/599] PM: hibernate: fix __setup handler error handling Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 150/599] spi: spi-zynqmp-gqspi: Handle error for dma_set_mask Greg Kroah-Hartman
` (462 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Igor Zhbanov,
Rafael J. Wysocki, Sasha Levin
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit 7a64ca17e4dd50d5f910769167f3553902777844 ]
If an invalid option is given for "test_suspend=<option>", the entire
string is added to init's environment, so return 1 instead of 0 from
the __setup handler.
Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc5
test_suspend=invalid"
and
Run /sbin/init as init process
with arguments:
/sbin/init
with environment:
HOME=/
TERM=linux
BOOT_IMAGE=/boot/bzImage-517rc5
test_suspend=invalid
Fixes: 2ce986892faf ("PM / sleep: Enhance test_suspend option with repeat capability")
Fixes: 27ddcc6596e5 ("PM / sleep: Add state field to pm_states[] entries")
Fixes: a9d7052363a6 ("PM: Separate suspend to RAM functionality from core")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/power/suspend_test.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/kernel/power/suspend_test.c b/kernel/power/suspend_test.c
index e1ed58adb69e..be480ae5cb2a 100644
--- a/kernel/power/suspend_test.c
+++ b/kernel/power/suspend_test.c
@@ -157,22 +157,22 @@ static int __init setup_test_suspend(char *value)
value++;
suspend_type = strsep(&value, ",");
if (!suspend_type)
- return 0;
+ return 1;
repeat = strsep(&value, ",");
if (repeat) {
if (kstrtou32(repeat, 0, &test_repeat_count_max))
- return 0;
+ return 1;
}
for (i = PM_SUSPEND_MIN; i < PM_SUSPEND_MAX; i++)
if (!strcmp(pm_labels[i], suspend_type)) {
test_state_label = pm_labels[i];
- return 0;
+ return 1;
}
printk(warn_bad_state, suspend_type);
- return 0;
+ return 1;
}
__setup("test_suspend", setup_test_suspend);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 150/599] spi: spi-zynqmp-gqspi: Handle error for dma_set_mask
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 149/599] PM: suspend: fix return value of __setup handler Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 151/599] hwrng: atmel - disable trng on failure path Greg Kroah-Hartman
` (461 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jiasheng Jiang, Mark Brown, Sasha Levin
From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
[ Upstream commit 13262fc26c1837c51a5131dbbdd67a2387f8bfc7 ]
As the potential failure of the dma_set_mask(),
it should be better to check it and return error
if fails.
Fixes: 126bdb606fd2 ("spi: spi-zynqmp-gqspi: return -ENOMEM if dma_map_single fails")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Link: https://lore.kernel.org/r/20220302092051.121343-1-jiasheng@iscas.ac.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-zynqmp-gqspi.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-zynqmp-gqspi.c b/drivers/spi/spi-zynqmp-gqspi.c
index 1dd2af9cc237..3d3ac48243eb 100644
--- a/drivers/spi/spi-zynqmp-gqspi.c
+++ b/drivers/spi/spi-zynqmp-gqspi.c
@@ -1165,7 +1165,10 @@ static int zynqmp_qspi_probe(struct platform_device *pdev)
goto clk_dis_all;
}
- dma_set_mask(&pdev->dev, DMA_BIT_MASK(44));
+ ret = dma_set_mask(&pdev->dev, DMA_BIT_MASK(44));
+ if (ret)
+ goto clk_dis_all;
+
ctlr->bits_per_word_mask = SPI_BPW_MASK(8);
ctlr->num_chipselect = GQSPI_DEFAULT_NUM_CS;
ctlr->mem_ops = &zynqmp_qspi_mem_ops;
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 151/599] hwrng: atmel - disable trng on failure path
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 150/599] spi: spi-zynqmp-gqspi: Handle error for dma_set_mask Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 152/599] crypto: sun8i-ss - call finalize with bh disabled Greg Kroah-Hartman
` (460 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Claudiu Beznea, Herbert Xu, Sasha Levin
From: Claudiu Beznea <claudiu.beznea@microchip.com>
[ Upstream commit a223ea9f89ab960eb254ba78429efd42eaf845eb ]
Call atmel_trng_disable() on failure path of probe.
Fixes: a1fa98d8116f ("hwrng: atmel - disable TRNG during suspend")
Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/hw_random/atmel-rng.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/char/hw_random/atmel-rng.c b/drivers/char/hw_random/atmel-rng.c
index ecb71c4317a5..8cf0ef501341 100644
--- a/drivers/char/hw_random/atmel-rng.c
+++ b/drivers/char/hw_random/atmel-rng.c
@@ -114,6 +114,7 @@ static int atmel_trng_probe(struct platform_device *pdev)
err_register:
clk_disable_unprepare(trng->clk);
+ atmel_trng_disable(trng);
return ret;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 152/599] crypto: sun8i-ss - call finalize with bh disabled
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 151/599] hwrng: atmel - disable trng on failure path Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 153/599] crypto: sun8i-ce " Greg Kroah-Hartman
` (459 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Corentin Labbe, Herbert Xu, Sasha Levin
From: Corentin Labbe <clabbe@baylibre.com>
[ Upstream commit b169b3766242b6f3336e24a6c8ee1522978b57a7 ]
Doing ipsec produces a spinlock recursion warning.
This is due to not disabling BH during crypto completion function.
Fixes: f08fcced6d00 ("crypto: allwinner - Add sun8i-ss cryptographic offloader")
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 3 +++
drivers/crypto/allwinner/sun8i-ss/sun8i-ss-hash.c | 3 +++
2 files changed, 6 insertions(+)
diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
index 7c355bc2fb06..f783748462f9 100644
--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
+++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
@@ -11,6 +11,7 @@
* You could find a link for the datasheet in Documentation/arm/sunxi.rst
*/
+#include <linux/bottom_half.h>
#include <linux/crypto.h>
#include <linux/dma-mapping.h>
#include <linux/io.h>
@@ -271,7 +272,9 @@ static int sun8i_ss_handle_cipher_request(struct crypto_engine *engine, void *ar
struct skcipher_request *breq = container_of(areq, struct skcipher_request, base);
err = sun8i_ss_cipher(breq);
+ local_bh_disable();
crypto_finalize_skcipher_request(engine, breq, err);
+ local_bh_enable();
return 0;
}
diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-hash.c b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-hash.c
index 756d5a783548..c9edecd43ef9 100644
--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-hash.c
+++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-hash.c
@@ -9,6 +9,7 @@
*
* You could find the datasheet in Documentation/arm/sunxi.rst
*/
+#include <linux/bottom_half.h>
#include <linux/dma-mapping.h>
#include <linux/pm_runtime.h>
#include <linux/scatterlist.h>
@@ -440,6 +441,8 @@ int sun8i_ss_hash_run(struct crypto_engine *engine, void *breq)
theend:
kfree(pad);
kfree(result);
+ local_bh_disable();
crypto_finalize_hash_request(engine, breq, err);
+ local_bh_enable();
return 0;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 153/599] crypto: sun8i-ce - call finalize with bh disabled
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 152/599] crypto: sun8i-ss - call finalize with bh disabled Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 154/599] crypto: amlogic " Greg Kroah-Hartman
` (458 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Corentin Labbe, Herbert Xu, Sasha Levin
From: Corentin Labbe <clabbe@baylibre.com>
[ Upstream commit f75a749b6d78aeae2ce90e14fcc4b7b3ba46126d ]
Doing ipsec produces a spinlock recursion warning.
This is due to not disabling BH during crypto completion function.
Fixes: 06f751b61329 ("crypto: allwinner - Add sun8i-ce Crypto Engine")
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 3 +++
drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 3 +++
2 files changed, 6 insertions(+)
diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
index 33707a2e55ff..64133d4da3d5 100644
--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
+++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
@@ -11,6 +11,7 @@
* You could find a link for the datasheet in Documentation/arm/sunxi.rst
*/
+#include <linux/bottom_half.h>
#include <linux/crypto.h>
#include <linux/dma-mapping.h>
#include <linux/io.h>
@@ -280,7 +281,9 @@ static int sun8i_ce_cipher_run(struct crypto_engine *engine, void *areq)
flow = rctx->flow;
err = sun8i_ce_run_task(ce, flow, crypto_tfm_alg_name(breq->base.tfm));
+ local_bh_disable();
crypto_finalize_skcipher_request(engine, breq, err);
+ local_bh_enable();
return 0;
}
diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c
index 4c5a2c11d714..62c07a724d40 100644
--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c
+++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c
@@ -9,6 +9,7 @@
*
* You could find the datasheet in Documentation/arm/sunxi.rst
*/
+#include <linux/bottom_half.h>
#include <linux/dma-mapping.h>
#include <linux/pm_runtime.h>
#include <linux/scatterlist.h>
@@ -412,6 +413,8 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
theend:
kfree(buf);
kfree(result);
+ local_bh_disable();
crypto_finalize_hash_request(engine, breq, err);
+ local_bh_enable();
return 0;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 154/599] crypto: amlogic - call finalize with bh disabled
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 153/599] crypto: sun8i-ce " Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 155/599] crypto: vmx - add missing dependencies Greg Kroah-Hartman
` (457 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Corentin Labbe, Herbert Xu, Sasha Levin
From: Corentin Labbe <clabbe@baylibre.com>
[ Upstream commit dba633342994ce47d347bcf5522ba28301247b79 ]
Doing ipsec produces a spinlock recursion warning.
This is due to not disabling BH during crypto completion function.
Fixes: 48fe583fe541 ("crypto: amlogic - Add crypto accelerator for amlogic GXL")
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/amlogic/amlogic-gxl-cipher.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/crypto/amlogic/amlogic-gxl-cipher.c b/drivers/crypto/amlogic/amlogic-gxl-cipher.c
index 8b5e07316352..652e72d030bb 100644
--- a/drivers/crypto/amlogic/amlogic-gxl-cipher.c
+++ b/drivers/crypto/amlogic/amlogic-gxl-cipher.c
@@ -265,7 +265,9 @@ static int meson_handle_cipher_request(struct crypto_engine *engine,
struct skcipher_request *breq = container_of(areq, struct skcipher_request, base);
err = meson_cipher(breq);
+ local_bh_disable();
crypto_finalize_skcipher_request(engine, breq, err);
+ local_bh_enable();
return 0;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 155/599] crypto: vmx - add missing dependencies
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 154/599] crypto: amlogic " Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 156/599] clocksource/drivers/timer-ti-dm: Fix regression from errata i940 fix Greg Kroah-Hartman
` (456 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Nicolai Stange, Petr Vorel,
Herbert Xu, Sasha Levin
From: Petr Vorel <pvorel@suse.cz>
[ Upstream commit 647d41d3952d726d4ae49e853a9eff68ebad3b3f ]
vmx-crypto module depends on CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or
CRYPTO_XTS, thus add them.
These dependencies are likely to be enabled, but if
CRYPTO_DEV_VMX=y && !CRYPTO_MANAGER_DISABLE_TESTS
and either of CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or CRYPTO_XTS is built
as module or disabled, alg_test() from crypto/testmgr.c complains during
boot about failing to allocate the generic fallback implementations
(2 == ENOENT):
[ 0.540953] Failed to allocate xts(aes) fallback: -2
[ 0.541014] alg: skcipher: failed to allocate transform for p8_aes_xts: -2
[ 0.541120] alg: self-tests for p8_aes_xts (xts(aes)) failed (rc=-2)
[ 0.544440] Failed to allocate ctr(aes) fallback: -2
[ 0.544497] alg: skcipher: failed to allocate transform for p8_aes_ctr: -2
[ 0.544603] alg: self-tests for p8_aes_ctr (ctr(aes)) failed (rc=-2)
[ 0.547992] Failed to allocate cbc(aes) fallback: -2
[ 0.548052] alg: skcipher: failed to allocate transform for p8_aes_cbc: -2
[ 0.548156] alg: self-tests for p8_aes_cbc (cbc(aes)) failed (rc=-2)
[ 0.550745] Failed to allocate transformation for 'aes': -2
[ 0.550801] alg: cipher: Failed to load transform for p8_aes: -2
[ 0.550892] alg: self-tests for p8_aes (aes) failed (rc=-2)
Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS")
Fixes: d2e3ae6f3aba ("crypto: vmx - Enabling VMX module for PPC64")
Suggested-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/vmx/Kconfig | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/crypto/vmx/Kconfig b/drivers/crypto/vmx/Kconfig
index c85fab7ef0bd..b2c28b87f14b 100644
--- a/drivers/crypto/vmx/Kconfig
+++ b/drivers/crypto/vmx/Kconfig
@@ -2,7 +2,11 @@
config CRYPTO_DEV_VMX_ENCRYPT
tristate "Encryption acceleration support on P8 CPU"
depends on CRYPTO_DEV_VMX
+ select CRYPTO_AES
+ select CRYPTO_CBC
+ select CRYPTO_CTR
select CRYPTO_GHASH
+ select CRYPTO_XTS
default m
help
Support for VMX cryptographic acceleration instructions on Power8 CPU.
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 156/599] clocksource/drivers/timer-ti-dm: Fix regression from errata i940 fix
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 155/599] crypto: vmx - add missing dependencies Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 157/599] clocksource/drivers/exynos_mct: Refactor resources allocation Greg Kroah-Hartman
` (455 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Suman Anna, Tony Lindgren,
Drew Fustini, Daniel Lezcano, Sasha Levin
From: Drew Fustini <dfustini@baylibre.com>
[ Upstream commit bceaae3bac0ce27c549bb050336d8d08abc2ee54 ]
The existing fix for errata i940 causes a conflict for IPU2 which is
using timer 3 and 4. From arch/arm/boot/dts/dra7-ipu-dsp-common.dtsi:
&ipu2 {
mboxes = <&mailbox6 &mbox_ipu2_ipc3x>;
ti,timers = <&timer3>;
ti,watchdog-timers = <&timer4>, <&timer9>;
};
The conflict was noticed when booting mainline on the BeagleBoard X15
which has a TI AM5728 SoC:
remoteproc remoteproc1: 55020000.ipu is available
remoteproc remoteproc1: powering up 55020000.ipu
remoteproc remoteproc1: Booting fw image dra7-ipu2-fw.xem4
omap-rproc 55020000.ipu: could not get timer platform device
omap-rproc 55020000.ipu: omap_rproc_enable_timers failed: -19
remoteproc remoteproc1: can't start rproc 55020000.ipu: -19
This change modifies the errata fix to instead use timer 15 and 16 which
resolves the timer conflict.
It does not appear to introduce any latency regression. Results from
cyclictest with original errata fix using dmtimer 3 and 4:
# cyclictest --mlockall --smp --priority=80 --interval=200 --distance=0
policy: fifo: loadavg: 0.02 0.03 0.05
T: 0 ( 1449) P:80 I:200 C: 800368 Min: 0 Act: 32 Avg: 22 Max: 128
T: 1 ( 1450) P:80 I:200 C: 800301 Min: 0 Act: 12 Avg: 23 Max: 70
The results after the change to dmtimer 15 and 16:
# cyclictest --mlockall --smp --priority=80 --interval=200 --distance=0
policy: fifo: loadavg: 0.36 0.19 0.07
T: 0 ( 1711) P:80 I:200 C: 759599 Min: 0 Act: 6 Avg: 22 Max: 108
T: 1 ( 1712) P:80 I:200 C: 759539 Min: 0 Act: 19 Avg: 23 Max: 79
Fixes: 25de4ce5ed02 ("clocksource/drivers/timer-ti-dm: Handle dra7 timer wrap errata i940")
Link: https://lore.kernel.org/linux-omap/YfWsG0p6to3IJuvE@x1/
Suggested-by: Suman Anna <s-anna@ti.com>
Reviewed-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Drew Fustini <dfustini@baylibre.com>
Link: https://lore.kernel.org/r/20220204053503.1409162-1-dfustini@baylibre.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/dra7-l4.dtsi | 5 ++---
arch/arm/boot/dts/dra7.dtsi | 8 ++++----
drivers/clocksource/timer-ti-dm-systimer.c | 4 ++--
3 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/arch/arm/boot/dts/dra7-l4.dtsi b/arch/arm/boot/dts/dra7-l4.dtsi
index 30b72f431850..f8c0eee7a62b 100644
--- a/arch/arm/boot/dts/dra7-l4.dtsi
+++ b/arch/arm/boot/dts/dra7-l4.dtsi
@@ -3448,8 +3448,7 @@
ti,timer-pwm;
};
};
-
- target-module@2c000 { /* 0x4882c000, ap 17 02.0 */
+ timer15_target: target-module@2c000 { /* 0x4882c000, ap 17 02.0 */
compatible = "ti,sysc-omap4-timer", "ti,sysc";
reg = <0x2c000 0x4>,
<0x2c010 0x4>;
@@ -3477,7 +3476,7 @@
};
};
- target-module@2e000 { /* 0x4882e000, ap 19 14.0 */
+ timer16_target: target-module@2e000 { /* 0x4882e000, ap 19 14.0 */
compatible = "ti,sysc-omap4-timer", "ti,sysc";
reg = <0x2e000 0x4>,
<0x2e010 0x4>;
diff --git a/arch/arm/boot/dts/dra7.dtsi b/arch/arm/boot/dts/dra7.dtsi
index 7ecf8f86ac74..998932136656 100644
--- a/arch/arm/boot/dts/dra7.dtsi
+++ b/arch/arm/boot/dts/dra7.dtsi
@@ -1093,20 +1093,20 @@
};
/* Local timers, see ARM architected timer wrap erratum i940 */
-&timer3_target {
+&timer15_target {
ti,no-reset-on-init;
ti,no-idle;
timer@0 {
- assigned-clocks = <&l4per_clkctrl DRA7_L4PER_TIMER3_CLKCTRL 24>;
+ assigned-clocks = <&l4per3_clkctrl DRA7_L4PER3_TIMER15_CLKCTRL 24>;
assigned-clock-parents = <&timer_sys_clk_div>;
};
};
-&timer4_target {
+&timer16_target {
ti,no-reset-on-init;
ti,no-idle;
timer@0 {
- assigned-clocks = <&l4per_clkctrl DRA7_L4PER_TIMER4_CLKCTRL 24>;
+ assigned-clocks = <&l4per3_clkctrl DRA7_L4PER3_TIMER16_CLKCTRL 24>;
assigned-clock-parents = <&timer_sys_clk_div>;
};
};
diff --git a/drivers/clocksource/timer-ti-dm-systimer.c b/drivers/clocksource/timer-ti-dm-systimer.c
index 1fccb457fcc5..2737407ff069 100644
--- a/drivers/clocksource/timer-ti-dm-systimer.c
+++ b/drivers/clocksource/timer-ti-dm-systimer.c
@@ -694,9 +694,9 @@ static int __init dmtimer_percpu_quirk_init(struct device_node *np, u32 pa)
return 0;
}
- if (pa == 0x48034000) /* dra7 dmtimer3 */
+ if (pa == 0x4882c000) /* dra7 dmtimer15 */
return dmtimer_percpu_timer_init(np, 0);
- else if (pa == 0x48036000) /* dra7 dmtimer4 */
+ else if (pa == 0x4882e000) /* dra7 dmtimer16 */
return dmtimer_percpu_timer_init(np, 1);
return 0;
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 157/599] clocksource/drivers/exynos_mct: Refactor resources allocation
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 156/599] clocksource/drivers/timer-ti-dm: Fix regression from errata i940 fix Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 158/599] clocksource/drivers/exynos_mct: Handle DTS with higher number of interrupts Greg Kroah-Hartman
` (454 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Marek Szyprowski, Chanwoo Choi,
Krzysztof Kozlowski, Sam Protsenko, Daniel Lezcano, Sasha Levin
From: Marek Szyprowski <m.szyprowski@samsung.com>
[ Upstream commit 7cd925a8823d16de5614d3f0aabea9948747accd ]
Move interrupts allocation from exynos4_timer_resources() into separate
function together with the interrupt number parsing code from
mct_init_dt(), so the code for managing interrupts is kept together.
While touching exynos4_timer_resources() function, move of_iomap() to it.
No functional changes.
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
Tested-by: Chanwoo Choi <cw00.choi@samsung.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
Link: https://lore.kernel.org/r/20211101193531.15078-2-semen.protsenko@linaro.org
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clocksource/exynos_mct.c | 50 +++++++++++++++++++-------------
1 file changed, 30 insertions(+), 20 deletions(-)
diff --git a/drivers/clocksource/exynos_mct.c b/drivers/clocksource/exynos_mct.c
index fabad79baafc..5533c9afc088 100644
--- a/drivers/clocksource/exynos_mct.c
+++ b/drivers/clocksource/exynos_mct.c
@@ -494,11 +494,14 @@ static int exynos4_mct_dying_cpu(unsigned int cpu)
return 0;
}
-static int __init exynos4_timer_resources(struct device_node *np, void __iomem *base)
+static int __init exynos4_timer_resources(struct device_node *np)
{
- int err, cpu;
struct clk *mct_clk, *tick_clk;
+ reg_base = of_iomap(np, 0);
+ if (!reg_base)
+ panic("%s: unable to ioremap mct address space\n", __func__);
+
tick_clk = of_clk_get_by_name(np, "fin_pll");
if (IS_ERR(tick_clk))
panic("%s: unable to determine tick clock rate\n", __func__);
@@ -509,9 +512,27 @@ static int __init exynos4_timer_resources(struct device_node *np, void __iomem *
panic("%s: unable to retrieve mct clock instance\n", __func__);
clk_prepare_enable(mct_clk);
- reg_base = base;
- if (!reg_base)
- panic("%s: unable to ioremap mct address space\n", __func__);
+ return 0;
+}
+
+static int __init exynos4_timer_interrupts(struct device_node *np,
+ unsigned int int_type)
+{
+ int nr_irqs, i, err, cpu;
+
+ mct_int_type = int_type;
+
+ /* This driver uses only one global timer interrupt */
+ mct_irqs[MCT_G0_IRQ] = irq_of_parse_and_map(np, MCT_G0_IRQ);
+
+ /*
+ * Find out the number of local irqs specified. The local
+ * timer irqs are specified after the four global timer
+ * irqs are specified.
+ */
+ nr_irqs = of_irq_count(np);
+ for (i = MCT_L0_IRQ; i < nr_irqs; i++)
+ mct_irqs[i] = irq_of_parse_and_map(np, i);
if (mct_int_type == MCT_INT_PPI) {
@@ -571,24 +592,13 @@ static int __init exynos4_timer_resources(struct device_node *np, void __iomem *
static int __init mct_init_dt(struct device_node *np, unsigned int int_type)
{
- u32 nr_irqs, i;
int ret;
- mct_int_type = int_type;
-
- /* This driver uses only one global timer interrupt */
- mct_irqs[MCT_G0_IRQ] = irq_of_parse_and_map(np, MCT_G0_IRQ);
-
- /*
- * Find out the number of local irqs specified. The local
- * timer irqs are specified after the four global timer
- * irqs are specified.
- */
- nr_irqs = of_irq_count(np);
- for (i = MCT_L0_IRQ; i < nr_irqs; i++)
- mct_irqs[i] = irq_of_parse_and_map(np, i);
+ ret = exynos4_timer_resources(np);
+ if (ret)
+ return ret;
- ret = exynos4_timer_resources(np, of_iomap(np, 0));
+ ret = exynos4_timer_interrupts(np, int_type);
if (ret)
return ret;
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 158/599] clocksource/drivers/exynos_mct: Handle DTS with higher number of interrupts
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 157/599] clocksource/drivers/exynos_mct: Refactor resources allocation Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 159/599] clocksource/drivers/timer-microchip-pit64b: Use notrace Greg Kroah-Hartman
` (453 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Alim Akhtar,
Daniel Lezcano, Sasha Levin
From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
[ Upstream commit ab8da93dc06d82f464c47ab30e6c75190702f369 ]
The driver statically defines maximum number of interrupts it can
handle, however it does not respect that limit when configuring them.
When provided with a DTS with more interrupts than assumed, the driver
will overwrite static array mct_irqs leading to silent memory
corruption.
Validate the interrupts coming from DTS to avoid this. This does not
change the fact that such DTS might not boot at all, because it is
simply incompatible, however at least some warning will be printed.
Fixes: 36ba5d527e95 ("ARM: EXYNOS: add device tree support for MCT controller driver")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
Link: https://lore.kernel.org/r/20220220103815.135380-1-krzysztof.kozlowski@canonical.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clocksource/exynos_mct.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/clocksource/exynos_mct.c b/drivers/clocksource/exynos_mct.c
index 5533c9afc088..df194b05e944 100644
--- a/drivers/clocksource/exynos_mct.c
+++ b/drivers/clocksource/exynos_mct.c
@@ -531,6 +531,11 @@ static int __init exynos4_timer_interrupts(struct device_node *np,
* irqs are specified.
*/
nr_irqs = of_irq_count(np);
+ if (nr_irqs > ARRAY_SIZE(mct_irqs)) {
+ pr_err("exynos-mct: too many (%d) interrupts configured in DT\n",
+ nr_irqs);
+ nr_irqs = ARRAY_SIZE(mct_irqs);
+ }
for (i = MCT_L0_IRQ; i < nr_irqs; i++)
mct_irqs[i] = irq_of_parse_and_map(np, i);
@@ -543,11 +548,14 @@ static int __init exynos4_timer_interrupts(struct device_node *np,
mct_irqs[MCT_L0_IRQ], err);
} else {
for_each_possible_cpu(cpu) {
- int mct_irq = mct_irqs[MCT_L0_IRQ + cpu];
+ int mct_irq;
struct mct_clock_event_device *pcpu_mevt =
per_cpu_ptr(&percpu_mct_tick, cpu);
pcpu_mevt->evt.irq = -1;
+ if (MCT_L0_IRQ + cpu >= ARRAY_SIZE(mct_irqs))
+ break;
+ mct_irq = mct_irqs[MCT_L0_IRQ + cpu];
irq_set_status_flags(mct_irq, IRQ_NOAUTOEN);
if (request_irq(mct_irq,
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 159/599] clocksource/drivers/timer-microchip-pit64b: Use notrace
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 158/599] clocksource/drivers/exynos_mct: Handle DTS with higher number of interrupts Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 160/599] clocksource/drivers/timer-of: Check return value of of_iomap in timer_of_base_init() Greg Kroah-Hartman
` (452 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Claudiu Beznea, Daniel Lezcano, Sasha Levin
From: Claudiu Beznea <claudiu.beznea@microchip.com>
[ Upstream commit ff10ee97cb203262e88d9c8bc87369cbd4004a0c ]
Use notrace for mchp_pit64b_sched_read_clk() to avoid recursive call of
prepare_ftrace_return() when issuing:
echo function_graph > /sys/kernel/debug/tracing/current_tracer
Fixes: 625022a5f160 ("clocksource/drivers/timer-microchip-pit64b: Add Microchip PIT64B support")
Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
Link: https://lore.kernel.org/r/20220304133601.2404086-3-claudiu.beznea@microchip.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clocksource/timer-microchip-pit64b.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clocksource/timer-microchip-pit64b.c b/drivers/clocksource/timer-microchip-pit64b.c
index 59e11ca8ee73..5c9485cb4e05 100644
--- a/drivers/clocksource/timer-microchip-pit64b.c
+++ b/drivers/clocksource/timer-microchip-pit64b.c
@@ -121,7 +121,7 @@ static u64 mchp_pit64b_clksrc_read(struct clocksource *cs)
return mchp_pit64b_cnt_read(mchp_pit64b_cs_base);
}
-static u64 mchp_pit64b_sched_read_clk(void)
+static u64 notrace mchp_pit64b_sched_read_clk(void)
{
return mchp_pit64b_cnt_read(mchp_pit64b_cs_base);
}
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 160/599] clocksource/drivers/timer-of: Check return value of of_iomap in timer_of_base_init()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 159/599] clocksource/drivers/timer-microchip-pit64b: Use notrace Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 161/599] ACPI: APEI: fix return value of __setup handlers Greg Kroah-Hartman
` (451 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Guillaume Ranquet, Daniel Lezcano,
Sasha Levin
From: Guillaume Ranquet <granquet@baylibre.com>
[ Upstream commit 4467b8bad2401794fb89a0268c8c8257180bf60f ]
of_base->base can either be iomapped using of_io_request_and_map() or
of_iomap() depending whether or not an of_base->name has been set.
Thus check of_base->base against NULL as of_iomap() does not return a
PTR_ERR() in case of error.
Fixes: 9aea417afa6b ("clocksource/drivers/timer-of: Don't request the resource by name")
Signed-off-by: Guillaume Ranquet <granquet@baylibre.com>
Link: https://lore.kernel.org/r/20220307172656.4836-1-granquet@baylibre.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clocksource/timer-of.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/clocksource/timer-of.c b/drivers/clocksource/timer-of.c
index 572da477c6d3..b965f20174e3 100644
--- a/drivers/clocksource/timer-of.c
+++ b/drivers/clocksource/timer-of.c
@@ -157,9 +157,9 @@ static __init int timer_of_base_init(struct device_node *np,
of_base->base = of_base->name ?
of_io_request_and_map(np, of_base->index, of_base->name) :
of_iomap(np, of_base->index);
- if (IS_ERR(of_base->base)) {
- pr_err("Failed to iomap (%s)\n", of_base->name);
- return PTR_ERR(of_base->base);
+ if (IS_ERR_OR_NULL(of_base->base)) {
+ pr_err("Failed to iomap (%s:%s)\n", np->name, of_base->name);
+ return of_base->base ? PTR_ERR(of_base->base) : -ENOMEM;
}
return 0;
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 161/599] ACPI: APEI: fix return value of __setup handlers
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 160/599] clocksource/drivers/timer-of: Check return value of of_iomap in timer_of_base_init() Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 162/599] crypto: ccp - ccp_dmaengine_unregister release dma channels Greg Kroah-Hartman
` (450 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Igor Zhbanov, Huang,
Ying, Rafael J. Wysocki, Sasha Levin
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit f3303ff649dbf7dcdc6a6e1a922235b12b3028f4 ]
__setup() handlers should return 1 to indicate that the boot option
has been handled. Returning 0 causes a boot option to be listed in
the Unknown kernel command line parameters and also added to init's
arg list (if no '=' sign) or environment list (if of the form 'a=b').
Unknown kernel command line parameters "erst_disable
bert_disable hest_disable BOOT_IMAGE=/boot/bzImage-517rc6", will be
passed to user space.
Run /sbin/init as init process
with arguments:
/sbin/init
erst_disable
bert_disable
hest_disable
with environment:
HOME=/
TERM=linux
BOOT_IMAGE=/boot/bzImage-517rc6
Fixes: a3e2acc5e37b ("ACPI / APEI: Add Boot Error Record Table (BERT) support")
Fixes: a08f82d08053 ("ACPI, APEI, Error Record Serialization Table (ERST) support")
Fixes: 9dc966641677 ("ACPI, APEI, HEST table parsing")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
Reviewed-by: "Huang, Ying" <ying.huang@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/apei/bert.c | 2 +-
drivers/acpi/apei/erst.c | 2 +-
drivers/acpi/apei/hest.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/acpi/apei/bert.c b/drivers/acpi/apei/bert.c
index 19e50fcbf4d6..86211422f4ee 100644
--- a/drivers/acpi/apei/bert.c
+++ b/drivers/acpi/apei/bert.c
@@ -77,7 +77,7 @@ static int __init setup_bert_disable(char *str)
{
bert_disable = 1;
- return 0;
+ return 1;
}
__setup("bert_disable", setup_bert_disable);
diff --git a/drivers/acpi/apei/erst.c b/drivers/acpi/apei/erst.c
index 2e0b0fcad960..83efb52a3f31 100644
--- a/drivers/acpi/apei/erst.c
+++ b/drivers/acpi/apei/erst.c
@@ -891,7 +891,7 @@ EXPORT_SYMBOL_GPL(erst_clear);
static int __init setup_erst_disable(char *str)
{
erst_disable = 1;
- return 0;
+ return 1;
}
__setup("erst_disable", setup_erst_disable);
diff --git a/drivers/acpi/apei/hest.c b/drivers/acpi/apei/hest.c
index 6e980fe16772..7bf48c2776fb 100644
--- a/drivers/acpi/apei/hest.c
+++ b/drivers/acpi/apei/hest.c
@@ -219,7 +219,7 @@ static int __init hest_ghes_dev_register(unsigned int ghes_count)
static int __init setup_hest_disable(char *str)
{
hest_disable = HEST_DISABLED;
- return 0;
+ return 1;
}
__setup("hest_disable", setup_hest_disable);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 162/599] crypto: ccp - ccp_dmaengine_unregister release dma channels
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 161/599] ACPI: APEI: fix return value of __setup handlers Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 163/599] crypto: ccree - Fix use after free in cc_cipher_exit() Greg Kroah-Hartman
` (449 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dāvis Mosāns, John Allen,
Herbert Xu, Sasha Levin
From: Dāvis Mosāns <davispuh@gmail.com>
[ Upstream commit 54cce8ecb9254f971b40a72911c6da403720a2d2 ]
ccp_dmaengine_register adds dma_chan->device_node to dma_dev->channels list
but ccp_dmaengine_unregister didn't remove them.
That can cause crashes in various dmaengine methods that tries to use dma_dev->channels
Fixes: 58ea8abf4904 ("crypto: ccp - Register the CCP as a DMA...")
Signed-off-by: Dāvis Mosāns <davispuh@gmail.com>
Acked-by: John Allen <john.allen@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/ccp/ccp-dmaengine.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/drivers/crypto/ccp/ccp-dmaengine.c b/drivers/crypto/ccp/ccp-dmaengine.c
index 0770a83bf1a5..b3eea329f840 100644
--- a/drivers/crypto/ccp/ccp-dmaengine.c
+++ b/drivers/crypto/ccp/ccp-dmaengine.c
@@ -633,6 +633,20 @@ static int ccp_terminate_all(struct dma_chan *dma_chan)
return 0;
}
+static void ccp_dma_release(struct ccp_device *ccp)
+{
+ struct ccp_dma_chan *chan;
+ struct dma_chan *dma_chan;
+ unsigned int i;
+
+ for (i = 0; i < ccp->cmd_q_count; i++) {
+ chan = ccp->ccp_dma_chan + i;
+ dma_chan = &chan->dma_chan;
+ tasklet_kill(&chan->cleanup_tasklet);
+ list_del_rcu(&dma_chan->device_node);
+ }
+}
+
int ccp_dmaengine_register(struct ccp_device *ccp)
{
struct ccp_dma_chan *chan;
@@ -737,6 +751,7 @@ int ccp_dmaengine_register(struct ccp_device *ccp)
return 0;
err_reg:
+ ccp_dma_release(ccp);
kmem_cache_destroy(ccp->dma_desc_cache);
err_cache:
@@ -753,6 +768,7 @@ void ccp_dmaengine_unregister(struct ccp_device *ccp)
return;
dma_async_device_unregister(dma_dev);
+ ccp_dma_release(ccp);
kmem_cache_destroy(ccp->dma_desc_cache);
kmem_cache_destroy(ccp->dma_cmd_cache);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 163/599] crypto: ccree - Fix use after free in cc_cipher_exit()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 162/599] crypto: ccp - ccp_dmaengine_unregister release dma channels Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 164/599] vfio: platform: simplify device removal Greg Kroah-Hartman
` (448 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jianglei Nie, Herbert Xu, Sasha Levin
From: Jianglei Nie <niejianglei2021@163.com>
[ Upstream commit 3d950c34074ed74d2713c3856ba01264523289e6 ]
kfree_sensitive(ctx_p->user.key) will free the ctx_p->user.key. But
ctx_p->user.key is still used in the next line, which will lead to a
use after free.
We can call kfree_sensitive() after dev_dbg() to avoid the uaf.
Fixes: 63ee04c8b491 ("crypto: ccree - add skcipher support")
Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/ccree/cc_cipher.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/ccree/cc_cipher.c b/drivers/crypto/ccree/cc_cipher.c
index dafa6577a845..c289e4d5cbdc 100644
--- a/drivers/crypto/ccree/cc_cipher.c
+++ b/drivers/crypto/ccree/cc_cipher.c
@@ -254,8 +254,8 @@ static void cc_cipher_exit(struct crypto_tfm *tfm)
&ctx_p->user.key_dma_addr);
/* Free key buffer in context */
- kfree_sensitive(ctx_p->user.key);
dev_dbg(dev, "Free key buffer in context. key=@%p\n", ctx_p->user.key);
+ kfree_sensitive(ctx_p->user.key);
}
struct tdes_keys {
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 164/599] vfio: platform: simplify device removal
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 163/599] crypto: ccree - Fix use after free in cc_cipher_exit() Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 165/599] amba: Make the remove callback return void Greg Kroah-Hartman
` (447 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Eric Auger, Uwe Kleine-König,
Sasha Levin, Arnd Bergmann
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 5b495ac8fe03b9e0d2e775f9064c3e2a340ff440 ]
vfio_platform_remove_common() cannot return non-NULL in
vfio_amba_remove() as the latter is only called if vfio_amba_probe()
returned success.
Diagnosed-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Eric Auger <eric.auger@redhat.com>
Link: https://lore.kernel.org/r/20210126165835.687514-4-u.kleine-koenig@pengutronix.de
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/platform/vfio_amba.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/drivers/vfio/platform/vfio_amba.c b/drivers/vfio/platform/vfio_amba.c
index 9636a2afaecd..7b3ebf1558e1 100644
--- a/drivers/vfio/platform/vfio_amba.c
+++ b/drivers/vfio/platform/vfio_amba.c
@@ -73,16 +73,12 @@ static int vfio_amba_probe(struct amba_device *adev, const struct amba_id *id)
static int vfio_amba_remove(struct amba_device *adev)
{
- struct vfio_platform_device *vdev;
-
- vdev = vfio_platform_remove_common(&adev->dev);
- if (vdev) {
- kfree(vdev->name);
- kfree(vdev);
- return 0;
- }
+ struct vfio_platform_device *vdev =
+ vfio_platform_remove_common(&adev->dev);
- return -EINVAL;
+ kfree(vdev->name);
+ kfree(vdev);
+ return 0;
}
static const struct amba_id pl330_ids[] = {
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 165/599] amba: Make the remove callback return void
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 164/599] vfio: platform: simplify device removal Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 166/599] hwrng: nomadik - Change clk_disable to clk_disable_unprepare Greg Kroah-Hartman
` (446 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ulf Hansson, Arnd Bergmann,
Alexandre Belloni, Dmitry Torokhov, Mark Brown, Linus Walleij,
Uwe Kleine-König, Sasha Levin, Krzysztof Kozlowski,
Suzuki K Poulose, Vinod Koul, Guenter Roeck, Wolfram Sang,
Takashi Iwai, Vladimir Zapolskiy
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 3fd269e74f2feec973f45ee11d822faeda4fe284 ]
All amba drivers return 0 in their remove callback. Together with the
driver core ignoring the return value anyhow, it doesn't make sense to
return a value here.
Change the remove prototype to return void, which makes it explicit that
returning an error value doesn't work as expected. This simplifies changing
the core remove callback to return void, too.
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Acked-by: Krzysztof Kozlowski <krzk@kernel.org> # for drivers/memory
Acked-by: Mark Brown <broonie@kernel.org>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Acked-by: Suzuki K Poulose <suzuki.poulose@arm.com> # for hwtracing/coresight
Acked-By: Vinod Koul <vkoul@kernel.org> # for dmaengine
Acked-by: Guenter Roeck <linux@roeck-us.net> # for watchdog
Acked-by: Wolfram Sang <wsa@kernel.org> # for I2C
Acked-by: Takashi Iwai <tiwai@suse.de> # for sound
Acked-by: Vladimir Zapolskiy <vz@mleia.com> # for memory/pl172
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20210126165835.687514-5-u.kleine-koenig@pengutronix.de
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/amba/bus.c | 5 ++---
drivers/char/hw_random/nomadik-rng.c | 3 +--
drivers/dma/pl330.c | 3 +--
drivers/gpu/drm/pl111/pl111_drv.c | 4 +---
drivers/hwtracing/coresight/coresight-catu.c | 3 +--
drivers/hwtracing/coresight/coresight-cpu-debug.c | 4 +---
drivers/hwtracing/coresight/coresight-cti-core.c | 4 +---
drivers/hwtracing/coresight/coresight-etb10.c | 4 +---
drivers/hwtracing/coresight/coresight-etm3x-core.c | 4 +---
drivers/hwtracing/coresight/coresight-etm4x-core.c | 4 +---
drivers/hwtracing/coresight/coresight-funnel.c | 4 ++--
drivers/hwtracing/coresight/coresight-replicator.c | 4 ++--
drivers/hwtracing/coresight/coresight-stm.c | 4 +---
drivers/hwtracing/coresight/coresight-tmc-core.c | 4 +---
drivers/hwtracing/coresight/coresight-tpiu.c | 4 +---
drivers/i2c/busses/i2c-nomadik.c | 4 +---
drivers/input/serio/ambakmi.c | 3 +--
drivers/memory/pl172.c | 4 +---
drivers/memory/pl353-smc.c | 4 +---
drivers/mmc/host/mmci.c | 4 +---
drivers/rtc/rtc-pl030.c | 4 +---
drivers/rtc/rtc-pl031.c | 4 +---
drivers/spi/spi-pl022.c | 5 ++---
drivers/tty/serial/amba-pl010.c | 4 +---
drivers/tty/serial/amba-pl011.c | 3 +--
drivers/vfio/platform/vfio_amba.c | 3 +--
drivers/video/fbdev/amba-clcd.c | 4 +---
drivers/watchdog/sp805_wdt.c | 4 +---
include/linux/amba/bus.h | 2 +-
sound/arm/aaci.c | 4 +---
30 files changed, 34 insertions(+), 80 deletions(-)
diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c
index 8f4ae6e967e3..47c72447ccd5 100644
--- a/drivers/amba/bus.c
+++ b/drivers/amba/bus.c
@@ -299,11 +299,10 @@ static int amba_remove(struct device *dev)
{
struct amba_device *pcdev = to_amba_device(dev);
struct amba_driver *drv = to_amba_driver(dev->driver);
- int ret = 0;
pm_runtime_get_sync(dev);
if (drv->remove)
- ret = drv->remove(pcdev);
+ drv->remove(pcdev);
pm_runtime_put_noidle(dev);
/* Undo the runtime PM settings in amba_probe() */
@@ -314,7 +313,7 @@ static int amba_remove(struct device *dev)
amba_put_disable_pclk(pcdev);
dev_pm_domain_detach(dev, true);
- return ret;
+ return 0;
}
static void amba_shutdown(struct device *dev)
diff --git a/drivers/char/hw_random/nomadik-rng.c b/drivers/char/hw_random/nomadik-rng.c
index b0ded41eb865..67947a19aa22 100644
--- a/drivers/char/hw_random/nomadik-rng.c
+++ b/drivers/char/hw_random/nomadik-rng.c
@@ -69,11 +69,10 @@ static int nmk_rng_probe(struct amba_device *dev, const struct amba_id *id)
return ret;
}
-static int nmk_rng_remove(struct amba_device *dev)
+static void nmk_rng_remove(struct amba_device *dev)
{
amba_release_regions(dev);
clk_disable(rng_clk);
- return 0;
}
static const struct amba_id nmk_rng_ids[] = {
diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
index dfbf514188f3..6dca548f4dab 100644
--- a/drivers/dma/pl330.c
+++ b/drivers/dma/pl330.c
@@ -3199,7 +3199,7 @@ pl330_probe(struct amba_device *adev, const struct amba_id *id)
return ret;
}
-static int pl330_remove(struct amba_device *adev)
+static void pl330_remove(struct amba_device *adev)
{
struct pl330_dmac *pl330 = amba_get_drvdata(adev);
struct dma_pl330_chan *pch, *_p;
@@ -3239,7 +3239,6 @@ static int pl330_remove(struct amba_device *adev)
if (pl330->rstc)
reset_control_assert(pl330->rstc);
- return 0;
}
static const struct amba_id pl330_ids[] = {
diff --git a/drivers/gpu/drm/pl111/pl111_drv.c b/drivers/gpu/drm/pl111/pl111_drv.c
index 46b0d1c4a16c..d5e8e3a8bff3 100644
--- a/drivers/gpu/drm/pl111/pl111_drv.c
+++ b/drivers/gpu/drm/pl111/pl111_drv.c
@@ -324,7 +324,7 @@ static int pl111_amba_probe(struct amba_device *amba_dev,
return ret;
}
-static int pl111_amba_remove(struct amba_device *amba_dev)
+static void pl111_amba_remove(struct amba_device *amba_dev)
{
struct device *dev = &amba_dev->dev;
struct drm_device *drm = amba_get_drvdata(amba_dev);
@@ -335,8 +335,6 @@ static int pl111_amba_remove(struct amba_device *amba_dev)
drm_panel_bridge_remove(priv->bridge);
drm_dev_put(drm);
of_reserved_mem_device_release(dev);
-
- return 0;
}
/*
diff --git a/drivers/hwtracing/coresight/coresight-catu.c b/drivers/hwtracing/coresight/coresight-catu.c
index a61313f320bd..8e19e8cdcce5 100644
--- a/drivers/hwtracing/coresight/coresight-catu.c
+++ b/drivers/hwtracing/coresight/coresight-catu.c
@@ -567,12 +567,11 @@ static int catu_probe(struct amba_device *adev, const struct amba_id *id)
return ret;
}
-static int catu_remove(struct amba_device *adev)
+static void catu_remove(struct amba_device *adev)
{
struct catu_drvdata *drvdata = dev_get_drvdata(&adev->dev);
coresight_unregister(drvdata->csdev);
- return 0;
}
static struct amba_id catu_ids[] = {
diff --git a/drivers/hwtracing/coresight/coresight-cpu-debug.c b/drivers/hwtracing/coresight/coresight-cpu-debug.c
index e1d232411d8d..2dcf13de751f 100644
--- a/drivers/hwtracing/coresight/coresight-cpu-debug.c
+++ b/drivers/hwtracing/coresight/coresight-cpu-debug.c
@@ -627,7 +627,7 @@ static int debug_probe(struct amba_device *adev, const struct amba_id *id)
return ret;
}
-static int debug_remove(struct amba_device *adev)
+static void debug_remove(struct amba_device *adev)
{
struct device *dev = &adev->dev;
struct debug_drvdata *drvdata = amba_get_drvdata(adev);
@@ -642,8 +642,6 @@ static int debug_remove(struct amba_device *adev)
if (!--debug_count)
debug_func_exit();
-
- return 0;
}
static const struct amba_cs_uci_id uci_id_debug[] = {
diff --git a/drivers/hwtracing/coresight/coresight-cti-core.c b/drivers/hwtracing/coresight/coresight-cti-core.c
index 7ea93598f0ee..0276700c246d 100644
--- a/drivers/hwtracing/coresight/coresight-cti-core.c
+++ b/drivers/hwtracing/coresight/coresight-cti-core.c
@@ -836,7 +836,7 @@ static void cti_device_release(struct device *dev)
if (drvdata->csdev_release)
drvdata->csdev_release(dev);
}
-static int cti_remove(struct amba_device *adev)
+static void cti_remove(struct amba_device *adev)
{
struct cti_drvdata *drvdata = dev_get_drvdata(&adev->dev);
@@ -845,8 +845,6 @@ static int cti_remove(struct amba_device *adev)
mutex_unlock(&ect_mutex);
coresight_unregister(drvdata->csdev);
-
- return 0;
}
static int cti_probe(struct amba_device *adev, const struct amba_id *id)
diff --git a/drivers/hwtracing/coresight/coresight-etb10.c b/drivers/hwtracing/coresight/coresight-etb10.c
index 0cf6f0b947b6..51c801c05e5c 100644
--- a/drivers/hwtracing/coresight/coresight-etb10.c
+++ b/drivers/hwtracing/coresight/coresight-etb10.c
@@ -803,7 +803,7 @@ static int etb_probe(struct amba_device *adev, const struct amba_id *id)
return ret;
}
-static int etb_remove(struct amba_device *adev)
+static void etb_remove(struct amba_device *adev)
{
struct etb_drvdata *drvdata = dev_get_drvdata(&adev->dev);
@@ -814,8 +814,6 @@ static int etb_remove(struct amba_device *adev)
*/
misc_deregister(&drvdata->miscdev);
coresight_unregister(drvdata->csdev);
-
- return 0;
}
#ifdef CONFIG_PM
diff --git a/drivers/hwtracing/coresight/coresight-etm3x-core.c b/drivers/hwtracing/coresight/coresight-etm3x-core.c
index 5bf5a5a4ce6d..683a69e88efd 100644
--- a/drivers/hwtracing/coresight/coresight-etm3x-core.c
+++ b/drivers/hwtracing/coresight/coresight-etm3x-core.c
@@ -909,7 +909,7 @@ static void clear_etmdrvdata(void *info)
etmdrvdata[cpu] = NULL;
}
-static int etm_remove(struct amba_device *adev)
+static void etm_remove(struct amba_device *adev)
{
struct etm_drvdata *drvdata = dev_get_drvdata(&adev->dev);
@@ -932,8 +932,6 @@ static int etm_remove(struct amba_device *adev)
cpus_read_unlock();
coresight_unregister(drvdata->csdev);
-
- return 0;
}
#ifdef CONFIG_PM
diff --git a/drivers/hwtracing/coresight/coresight-etm4x-core.c b/drivers/hwtracing/coresight/coresight-etm4x-core.c
index 74d3e2fe43d4..99df453575f5 100644
--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c
+++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c
@@ -1582,7 +1582,7 @@ static void clear_etmdrvdata(void *info)
etmdrvdata[cpu] = NULL;
}
-static int etm4_remove(struct amba_device *adev)
+static void etm4_remove(struct amba_device *adev)
{
struct etmv4_drvdata *drvdata = dev_get_drvdata(&adev->dev);
@@ -1605,8 +1605,6 @@ static int etm4_remove(struct amba_device *adev)
cpus_read_unlock();
coresight_unregister(drvdata->csdev);
-
- return 0;
}
static const struct amba_id etm4_ids[] = {
diff --git a/drivers/hwtracing/coresight/coresight-funnel.c b/drivers/hwtracing/coresight/coresight-funnel.c
index 3fc6c678b51d..b2fb853776d7 100644
--- a/drivers/hwtracing/coresight/coresight-funnel.c
+++ b/drivers/hwtracing/coresight/coresight-funnel.c
@@ -370,9 +370,9 @@ static int dynamic_funnel_probe(struct amba_device *adev,
return funnel_probe(&adev->dev, &adev->res);
}
-static int dynamic_funnel_remove(struct amba_device *adev)
+static void dynamic_funnel_remove(struct amba_device *adev)
{
- return funnel_remove(&adev->dev);
+ funnel_remove(&adev->dev);
}
static const struct amba_id dynamic_funnel_ids[] = {
diff --git a/drivers/hwtracing/coresight/coresight-replicator.c b/drivers/hwtracing/coresight/coresight-replicator.c
index 38008aca2c0f..da2bfeeabc1b 100644
--- a/drivers/hwtracing/coresight/coresight-replicator.c
+++ b/drivers/hwtracing/coresight/coresight-replicator.c
@@ -388,9 +388,9 @@ static int dynamic_replicator_probe(struct amba_device *adev,
return replicator_probe(&adev->dev, &adev->res);
}
-static int dynamic_replicator_remove(struct amba_device *adev)
+static void dynamic_replicator_remove(struct amba_device *adev)
{
- return replicator_remove(&adev->dev);
+ replicator_remove(&adev->dev);
}
static const struct amba_id dynamic_replicator_ids[] = {
diff --git a/drivers/hwtracing/coresight/coresight-stm.c b/drivers/hwtracing/coresight/coresight-stm.c
index 587c1d7f2520..0ecca9f93f3a 100644
--- a/drivers/hwtracing/coresight/coresight-stm.c
+++ b/drivers/hwtracing/coresight/coresight-stm.c
@@ -951,15 +951,13 @@ static int stm_probe(struct amba_device *adev, const struct amba_id *id)
return ret;
}
-static int stm_remove(struct amba_device *adev)
+static void stm_remove(struct amba_device *adev)
{
struct stm_drvdata *drvdata = dev_get_drvdata(&adev->dev);
coresight_unregister(drvdata->csdev);
stm_unregister_device(&drvdata->stm);
-
- return 0;
}
#ifdef CONFIG_PM
diff --git a/drivers/hwtracing/coresight/coresight-tmc-core.c b/drivers/hwtracing/coresight/coresight-tmc-core.c
index 8169dff5a9f6..e29b3914fc0f 100644
--- a/drivers/hwtracing/coresight/coresight-tmc-core.c
+++ b/drivers/hwtracing/coresight/coresight-tmc-core.c
@@ -559,7 +559,7 @@ static void tmc_shutdown(struct amba_device *adev)
spin_unlock_irqrestore(&drvdata->spinlock, flags);
}
-static int tmc_remove(struct amba_device *adev)
+static void tmc_remove(struct amba_device *adev)
{
struct tmc_drvdata *drvdata = dev_get_drvdata(&adev->dev);
@@ -570,8 +570,6 @@ static int tmc_remove(struct amba_device *adev)
*/
misc_deregister(&drvdata->miscdev);
coresight_unregister(drvdata->csdev);
-
- return 0;
}
static const struct amba_id tmc_ids[] = {
diff --git a/drivers/hwtracing/coresight/coresight-tpiu.c b/drivers/hwtracing/coresight/coresight-tpiu.c
index 5b35029461a0..0ca39d905d0b 100644
--- a/drivers/hwtracing/coresight/coresight-tpiu.c
+++ b/drivers/hwtracing/coresight/coresight-tpiu.c
@@ -173,13 +173,11 @@ static int tpiu_probe(struct amba_device *adev, const struct amba_id *id)
return PTR_ERR(drvdata->csdev);
}
-static int tpiu_remove(struct amba_device *adev)
+static void tpiu_remove(struct amba_device *adev)
{
struct tpiu_drvdata *drvdata = dev_get_drvdata(&adev->dev);
coresight_unregister(drvdata->csdev);
-
- return 0;
}
#ifdef CONFIG_PM
diff --git a/drivers/i2c/busses/i2c-nomadik.c b/drivers/i2c/busses/i2c-nomadik.c
index d4b1b0865f67..a3363b20f168 100644
--- a/drivers/i2c/busses/i2c-nomadik.c
+++ b/drivers/i2c/busses/i2c-nomadik.c
@@ -1055,7 +1055,7 @@ static int nmk_i2c_probe(struct amba_device *adev, const struct amba_id *id)
return ret;
}
-static int nmk_i2c_remove(struct amba_device *adev)
+static void nmk_i2c_remove(struct amba_device *adev)
{
struct resource *res = &adev->res;
struct nmk_i2c_dev *dev = amba_get_drvdata(adev);
@@ -1068,8 +1068,6 @@ static int nmk_i2c_remove(struct amba_device *adev)
i2c_clr_bit(dev->virtbase + I2C_CR, I2C_CR_PE);
clk_disable_unprepare(dev->clk);
release_mem_region(res->start, resource_size(res));
-
- return 0;
}
static struct i2c_vendor_data vendor_stn8815 = {
diff --git a/drivers/input/serio/ambakmi.c b/drivers/input/serio/ambakmi.c
index ecdeca147ed7..4408245b61d2 100644
--- a/drivers/input/serio/ambakmi.c
+++ b/drivers/input/serio/ambakmi.c
@@ -159,7 +159,7 @@ static int amba_kmi_probe(struct amba_device *dev,
return ret;
}
-static int amba_kmi_remove(struct amba_device *dev)
+static void amba_kmi_remove(struct amba_device *dev)
{
struct amba_kmi_port *kmi = amba_get_drvdata(dev);
@@ -168,7 +168,6 @@ static int amba_kmi_remove(struct amba_device *dev)
iounmap(kmi->base);
kfree(kmi);
amba_release_regions(dev);
- return 0;
}
static int __maybe_unused amba_kmi_resume(struct device *dev)
diff --git a/drivers/memory/pl172.c b/drivers/memory/pl172.c
index 575fadbffa30..9eb8cc7de494 100644
--- a/drivers/memory/pl172.c
+++ b/drivers/memory/pl172.c
@@ -273,14 +273,12 @@ static int pl172_probe(struct amba_device *adev, const struct amba_id *id)
return ret;
}
-static int pl172_remove(struct amba_device *adev)
+static void pl172_remove(struct amba_device *adev)
{
struct pl172_data *pl172 = amba_get_drvdata(adev);
clk_disable_unprepare(pl172->clk);
amba_release_regions(adev);
-
- return 0;
}
static const struct amba_id pl172_ids[] = {
diff --git a/drivers/memory/pl353-smc.c b/drivers/memory/pl353-smc.c
index cc01979780d8..b0b251bb207f 100644
--- a/drivers/memory/pl353-smc.c
+++ b/drivers/memory/pl353-smc.c
@@ -427,14 +427,12 @@ static int pl353_smc_probe(struct amba_device *adev, const struct amba_id *id)
return err;
}
-static int pl353_smc_remove(struct amba_device *adev)
+static void pl353_smc_remove(struct amba_device *adev)
{
struct pl353_smc_data *pl353_smc = amba_get_drvdata(adev);
clk_disable_unprepare(pl353_smc->memclk);
clk_disable_unprepare(pl353_smc->aclk);
-
- return 0;
}
static const struct amba_id pl353_ids[] = {
diff --git a/drivers/mmc/host/mmci.c b/drivers/mmc/host/mmci.c
index 9bde0def114b..b5684e5d79e6 100644
--- a/drivers/mmc/host/mmci.c
+++ b/drivers/mmc/host/mmci.c
@@ -2203,7 +2203,7 @@ static int mmci_probe(struct amba_device *dev,
return ret;
}
-static int mmci_remove(struct amba_device *dev)
+static void mmci_remove(struct amba_device *dev)
{
struct mmc_host *mmc = amba_get_drvdata(dev);
@@ -2231,8 +2231,6 @@ static int mmci_remove(struct amba_device *dev)
clk_disable_unprepare(host->clk);
mmc_free_host(mmc);
}
-
- return 0;
}
#ifdef CONFIG_PM
diff --git a/drivers/rtc/rtc-pl030.c b/drivers/rtc/rtc-pl030.c
index ebe03eba8f5f..87c93843d62a 100644
--- a/drivers/rtc/rtc-pl030.c
+++ b/drivers/rtc/rtc-pl030.c
@@ -137,7 +137,7 @@ static int pl030_probe(struct amba_device *dev, const struct amba_id *id)
return ret;
}
-static int pl030_remove(struct amba_device *dev)
+static void pl030_remove(struct amba_device *dev)
{
struct pl030_rtc *rtc = amba_get_drvdata(dev);
@@ -146,8 +146,6 @@ static int pl030_remove(struct amba_device *dev)
free_irq(dev->irq[0], rtc);
iounmap(rtc->base);
amba_release_regions(dev);
-
- return 0;
}
static struct amba_id pl030_ids[] = {
diff --git a/drivers/rtc/rtc-pl031.c b/drivers/rtc/rtc-pl031.c
index d4b2ab786126..2f5581ea26fe 100644
--- a/drivers/rtc/rtc-pl031.c
+++ b/drivers/rtc/rtc-pl031.c
@@ -280,7 +280,7 @@ static int pl031_set_alarm(struct device *dev, struct rtc_wkalrm *alarm)
return 0;
}
-static int pl031_remove(struct amba_device *adev)
+static void pl031_remove(struct amba_device *adev)
{
struct pl031_local *ldata = dev_get_drvdata(&adev->dev);
@@ -289,8 +289,6 @@ static int pl031_remove(struct amba_device *adev)
if (adev->irq[0])
free_irq(adev->irq[0], ldata);
amba_release_regions(adev);
-
- return 0;
}
static int pl031_probe(struct amba_device *adev, const struct amba_id *id)
diff --git a/drivers/spi/spi-pl022.c b/drivers/spi/spi-pl022.c
index e4ee8b084799..f7603c209e9d 100644
--- a/drivers/spi/spi-pl022.c
+++ b/drivers/spi/spi-pl022.c
@@ -2315,13 +2315,13 @@ static int pl022_probe(struct amba_device *adev, const struct amba_id *id)
return status;
}
-static int
+static void
pl022_remove(struct amba_device *adev)
{
struct pl022 *pl022 = amba_get_drvdata(adev);
if (!pl022)
- return 0;
+ return;
/*
* undo pm_runtime_put() in probe. I assume that we're not
@@ -2336,7 +2336,6 @@ pl022_remove(struct amba_device *adev)
clk_disable_unprepare(pl022->clk);
amba_release_regions(adev);
tasklet_disable(&pl022->pump_transfers);
- return 0;
}
#ifdef CONFIG_PM_SLEEP
diff --git a/drivers/tty/serial/amba-pl010.c b/drivers/tty/serial/amba-pl010.c
index 75d61e038a77..e538d6d75155 100644
--- a/drivers/tty/serial/amba-pl010.c
+++ b/drivers/tty/serial/amba-pl010.c
@@ -751,7 +751,7 @@ static int pl010_probe(struct amba_device *dev, const struct amba_id *id)
return ret;
}
-static int pl010_remove(struct amba_device *dev)
+static void pl010_remove(struct amba_device *dev)
{
struct uart_amba_port *uap = amba_get_drvdata(dev);
int i;
@@ -767,8 +767,6 @@ static int pl010_remove(struct amba_device *dev)
if (!busy)
uart_unregister_driver(&amba_reg);
-
- return 0;
}
#ifdef CONFIG_PM_SLEEP
diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c
index 61183e7ff009..07b19e97f850 100644
--- a/drivers/tty/serial/amba-pl011.c
+++ b/drivers/tty/serial/amba-pl011.c
@@ -2658,13 +2658,12 @@ static int pl011_probe(struct amba_device *dev, const struct amba_id *id)
return pl011_register_port(uap);
}
-static int pl011_remove(struct amba_device *dev)
+static void pl011_remove(struct amba_device *dev)
{
struct uart_amba_port *uap = amba_get_drvdata(dev);
uart_remove_one_port(&amba_reg, &uap->port);
pl011_unregister_port(uap);
- return 0;
}
#ifdef CONFIG_PM_SLEEP
diff --git a/drivers/vfio/platform/vfio_amba.c b/drivers/vfio/platform/vfio_amba.c
index 7b3ebf1558e1..3626c2150101 100644
--- a/drivers/vfio/platform/vfio_amba.c
+++ b/drivers/vfio/platform/vfio_amba.c
@@ -71,14 +71,13 @@ static int vfio_amba_probe(struct amba_device *adev, const struct amba_id *id)
return ret;
}
-static int vfio_amba_remove(struct amba_device *adev)
+static void vfio_amba_remove(struct amba_device *adev)
{
struct vfio_platform_device *vdev =
vfio_platform_remove_common(&adev->dev);
kfree(vdev->name);
kfree(vdev);
- return 0;
}
static const struct amba_id pl330_ids[] = {
diff --git a/drivers/video/fbdev/amba-clcd.c b/drivers/video/fbdev/amba-clcd.c
index b7682de412d8..33595cc4778e 100644
--- a/drivers/video/fbdev/amba-clcd.c
+++ b/drivers/video/fbdev/amba-clcd.c
@@ -925,7 +925,7 @@ static int clcdfb_probe(struct amba_device *dev, const struct amba_id *id)
return ret;
}
-static int clcdfb_remove(struct amba_device *dev)
+static void clcdfb_remove(struct amba_device *dev)
{
struct clcd_fb *fb = amba_get_drvdata(dev);
@@ -942,8 +942,6 @@ static int clcdfb_remove(struct amba_device *dev)
kfree(fb);
amba_release_regions(dev);
-
- return 0;
}
static const struct amba_id clcdfb_id_table[] = {
diff --git a/drivers/watchdog/sp805_wdt.c b/drivers/watchdog/sp805_wdt.c
index 190d26e2e75f..2815f78d22bb 100644
--- a/drivers/watchdog/sp805_wdt.c
+++ b/drivers/watchdog/sp805_wdt.c
@@ -304,14 +304,12 @@ sp805_wdt_probe(struct amba_device *adev, const struct amba_id *id)
return ret;
}
-static int sp805_wdt_remove(struct amba_device *adev)
+static void sp805_wdt_remove(struct amba_device *adev)
{
struct sp805_wdt *wdt = amba_get_drvdata(adev);
watchdog_unregister_device(&wdt->wdd);
watchdog_set_drvdata(&wdt->wdd, NULL);
-
- return 0;
}
static int __maybe_unused sp805_wdt_suspend(struct device *dev)
diff --git a/include/linux/amba/bus.h b/include/linux/amba/bus.h
index 0bbfd647f5c6..6cc93ab5b809 100644
--- a/include/linux/amba/bus.h
+++ b/include/linux/amba/bus.h
@@ -76,7 +76,7 @@ struct amba_device {
struct amba_driver {
struct device_driver drv;
int (*probe)(struct amba_device *, const struct amba_id *);
- int (*remove)(struct amba_device *);
+ void (*remove)(struct amba_device *);
void (*shutdown)(struct amba_device *);
const struct amba_id *id_table;
};
diff --git a/sound/arm/aaci.c b/sound/arm/aaci.c
index a0996c47e58f..b326a5f5f0d5 100644
--- a/sound/arm/aaci.c
+++ b/sound/arm/aaci.c
@@ -1055,7 +1055,7 @@ static int aaci_probe(struct amba_device *dev,
return ret;
}
-static int aaci_remove(struct amba_device *dev)
+static void aaci_remove(struct amba_device *dev)
{
struct snd_card *card = amba_get_drvdata(dev);
@@ -1066,8 +1066,6 @@ static int aaci_remove(struct amba_device *dev)
snd_card_free(card);
amba_release_regions(dev);
}
-
- return 0;
}
static struct amba_id aaci_ids[] = {
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 166/599] hwrng: nomadik - Change clk_disable to clk_disable_unprepare
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 165/599] amba: Make the remove callback return void Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 167/599] hwmon: (pmbus) Add Vin unit off handling Greg Kroah-Hartman
` (445 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Miaoqian Lin, Linus Walleij,
Herbert Xu, Sasha Levin
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit 7f0f1f3ef62ed7a40e30aff28115bd94c4211d1d ]
The corresponding API for clk_prepare_enable is clk_disable_unprepare,
other than clk_disable_unprepare.
Fix this by changing clk_disable to clk_disable_unprepare.
Fixes: beca35d05cc2 ("hwrng: nomadik - use clk_prepare_enable()")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/hw_random/nomadik-rng.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/char/hw_random/nomadik-rng.c b/drivers/char/hw_random/nomadik-rng.c
index 67947a19aa22..e8f9621e7954 100644
--- a/drivers/char/hw_random/nomadik-rng.c
+++ b/drivers/char/hw_random/nomadik-rng.c
@@ -65,14 +65,14 @@ static int nmk_rng_probe(struct amba_device *dev, const struct amba_id *id)
out_release:
amba_release_regions(dev);
out_clk:
- clk_disable(rng_clk);
+ clk_disable_unprepare(rng_clk);
return ret;
}
static void nmk_rng_remove(struct amba_device *dev)
{
amba_release_regions(dev);
- clk_disable(rng_clk);
+ clk_disable_unprepare(rng_clk);
}
static const struct amba_id nmk_rng_ids[] = {
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 167/599] hwmon: (pmbus) Add Vin unit off handling
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 166/599] hwrng: nomadik - Change clk_disable to clk_disable_unprepare Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 168/599] clocksource: acpi_pm: fix return value of __setup handler Greg Kroah-Hartman
` (444 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Brandon Wyman, Guenter Roeck, Sasha Levin
From: Brandon Wyman <bjwyman@gmail.com>
[ Upstream commit a5436af598779219b375c1977555c82def1c35d0 ]
If there is an input undervoltage fault, reported in STATUS_INPUT
command response, there is quite likely a "Unit Off For Insufficient
Input Voltage" condition as well.
Add a constant for bit 3 of STATUS_INPUT. Update the Vin limit
attributes to include both bits in the mask for clearing faults.
If an input undervoltage fault occurs, causing a unit off for
insufficient input voltage, but the unit is off bit is not cleared, the
STATUS_WORD will not be updated to clear the input fault condition.
Including the unit is off bit (bit 3) allows for the input fault
condition to completely clear.
Signed-off-by: Brandon Wyman <bjwyman@gmail.com>
Link: https://lore.kernel.org/r/20220317232123.2103592-1-bjwyman@gmail.com
Fixes: b4ce237b7f7d3 ("hwmon: (pmbus) Introduce infrastructure to detect sensors and limit registers")
[groeck: Dropped unnecessary ()]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/pmbus/pmbus.h | 1 +
drivers/hwmon/pmbus/pmbus_core.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hwmon/pmbus/pmbus.h b/drivers/hwmon/pmbus/pmbus.h
index 88a5df2633fb..de27837e8527 100644
--- a/drivers/hwmon/pmbus/pmbus.h
+++ b/drivers/hwmon/pmbus/pmbus.h
@@ -319,6 +319,7 @@ enum pmbus_fan_mode { percent = 0, rpm };
/*
* STATUS_VOUT, STATUS_INPUT
*/
+#define PB_VOLTAGE_VIN_OFF BIT(3)
#define PB_VOLTAGE_UV_FAULT BIT(4)
#define PB_VOLTAGE_UV_WARNING BIT(5)
#define PB_VOLTAGE_OV_WARNING BIT(6)
diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
index 7a13057007d9..117e3ce9c76a 100644
--- a/drivers/hwmon/pmbus/pmbus_core.c
+++ b/drivers/hwmon/pmbus/pmbus_core.c
@@ -1360,7 +1360,7 @@ static const struct pmbus_limit_attr vin_limit_attrs[] = {
.reg = PMBUS_VIN_UV_FAULT_LIMIT,
.attr = "lcrit",
.alarm = "lcrit_alarm",
- .sbit = PB_VOLTAGE_UV_FAULT,
+ .sbit = PB_VOLTAGE_UV_FAULT | PB_VOLTAGE_VIN_OFF,
}, {
.reg = PMBUS_VIN_OV_WARN_LIMIT,
.attr = "max",
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 168/599] clocksource: acpi_pm: fix return value of __setup handler
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 167/599] hwmon: (pmbus) Add Vin unit off handling Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 169/599] io_uring: terminate manual loop iterator loop correctly for non-vecs Greg Kroah-Hartman
` (443 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Igor Zhbanov,
Rafael J. Wysocki, Sasha Levin
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit 6a861abceecb68497dd82a324fee45a5332dcece ]
__setup() handlers should return 1 to obsolete_checksetup() in
init/main.c to indicate that the boot option has been handled.
A return of 0 causes the boot option/value to be listed as an Unknown
kernel parameter and added to init's (limited) environment strings.
The __setup() handler interface isn't meant to handle negative return
values -- they are non-zero, so they mean "handled" (like a return
value of 1 does), but that's just a quirk. So return 1 from
parse_pmtmr(). Also print a warning message if kstrtouint() returns
an error.
Fixes: 6b148507d3d0 ("pmtmr: allow command line override of ioport")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clocksource/acpi_pm.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/clocksource/acpi_pm.c b/drivers/clocksource/acpi_pm.c
index eb596ff9e7bb..279ddff81ab4 100644
--- a/drivers/clocksource/acpi_pm.c
+++ b/drivers/clocksource/acpi_pm.c
@@ -229,8 +229,10 @@ static int __init parse_pmtmr(char *arg)
int ret;
ret = kstrtouint(arg, 16, &base);
- if (ret)
- return ret;
+ if (ret) {
+ pr_warn("PMTMR: invalid 'pmtmr=' value: '%s'\n", arg);
+ return 1;
+ }
pr_info("PMTMR IOPort override: 0x%04x -> 0x%04x\n", pmtmr_ioport,
base);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 169/599] io_uring: terminate manual loop iterator loop correctly for non-vecs
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 168/599] clocksource: acpi_pm: fix return value of __setup handler Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 170/599] watch_queue: Fix NULL dereference in error cleanup Greg Kroah-Hartman
` (442 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Joel Jaeschke, Jens Axboe, Sasha Levin
From: Jens Axboe <axboe@kernel.dk>
[ Upstream commit 5e929367468c8f97cd1ffb0417316cecfebef94b ]
The fix for not advancing the iterator if we're using fixed buffers is
broken in that it can hit a condition where we don't terminate the loop.
This results in io-wq looping forever, asking to read (or write) 0 bytes
for every subsequent loop.
Reported-by: Joel Jaeschke <joel.jaeschke@gmail.com>
Link: https://github.com/axboe/liburing/issues/549
Fixes: 16c8d2df7ec0 ("io_uring: ensure symmetry in handling iter types in loop_rw_iter()")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/io_uring.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index fd188b972151..82f1311dab8e 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -3220,13 +3220,15 @@ static ssize_t loop_rw_iter(int rw, struct io_kiocb *req, struct iov_iter *iter)
ret = nr;
break;
}
+ ret += nr;
if (!iov_iter_is_bvec(iter)) {
iov_iter_advance(iter, nr);
} else {
- req->rw.len -= nr;
req->rw.addr += nr;
+ req->rw.len -= nr;
+ if (!req->rw.len)
+ break;
}
- ret += nr;
if (nr != iovec.iov_len)
break;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 170/599] watch_queue: Fix NULL dereference in error cleanup
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 169/599] io_uring: terminate manual loop iterator loop correctly for non-vecs Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 171/599] watch_queue: Actually free the watch Greg Kroah-Hartman
` (441 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, David Howells, Fabio M. De Francesco,
Sasha Levin, syzbot+d55757faa9b80590767b
From: David Howells <dhowells@redhat.com>
[ Upstream commit a635415a064e77bcfbf43da413fd9dfe0bbed9cb ]
In watch_queue_set_size(), the error cleanup code doesn't take account of
the fact that __free_page() can't handle a NULL pointer when trying to free
up buffer pages that did get allocated.
Fix this by only calling __free_page() on the pages actually allocated.
Without the fix, this can lead to something like the following:
BUG: KASAN: null-ptr-deref in __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473
Read of size 4 at addr 0000000000000034 by task syz-executor168/3599
...
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:446 [inline]
kasan_report.cold+0x66/0xdf mm/kasan/report.c:459
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:71 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
page_ref_count include/linux/page_ref.h:67 [inline]
put_page_testzero include/linux/mm.h:717 [inline]
__free_pages+0x1f/0x1b0 mm/page_alloc.c:5473
watch_queue_set_size+0x499/0x630 kernel/watch_queue.c:275
pipe_ioctl+0xac/0x2b0 fs/pipe.c:632
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Fixes: c73be61cede5 ("pipe: Add general notification queue support")
Reported-and-tested-by: syzbot+d55757faa9b80590767b@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Fabio M. De Francesco <fmdefrancesco@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/watch_queue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
index e3f144d96026..45a8eb90e5fc 100644
--- a/kernel/watch_queue.c
+++ b/kernel/watch_queue.c
@@ -274,7 +274,7 @@ long watch_queue_set_size(struct pipe_inode_info *pipe, unsigned int nr_notes)
return 0;
error_p:
- for (i = 0; i < nr_pages; i++)
+ while (--i >= 0)
__free_page(pages[i]);
kfree(pages);
error:
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 171/599] watch_queue: Actually free the watch
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 170/599] watch_queue: Fix NULL dereference in error cleanup Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 172/599] f2fs: fix to enable ATGC correctly via gc_idle sysfs interface Greg Kroah-Hartman
` (440 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, David Howells, Sasha Levin,
syzbot+6e2de48f06cdb2884bfc
From: David Howells <dhowells@redhat.com>
[ Upstream commit 3d8dcf278b1ee1eff1e90be848fa2237db4c07a7 ]
free_watch() does everything barring actually freeing the watch object. Fix
this by adding the missing kfree.
kmemleak produces a report something like the following. Note that as an
address can be seen in the first word, the watch would appear to have gone
through call_rcu().
BUG: memory leak
unreferenced object 0xffff88810ce4a200 (size 96):
comm "syz-executor352", pid 3605, jiffies 4294947473 (age 13.720s)
hex dump (first 32 bytes):
e0 82 48 0d 81 88 ff ff 00 00 00 00 00 00 00 00 ..H.............
80 a2 e4 0c 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8214e6cc>] kmalloc include/linux/slab.h:581 [inline]
[<ffffffff8214e6cc>] kzalloc include/linux/slab.h:714 [inline]
[<ffffffff8214e6cc>] keyctl_watch_key+0xec/0x2e0 security/keys/keyctl.c:1800
[<ffffffff8214ec84>] __do_sys_keyctl+0x3c4/0x490 security/keys/keyctl.c:2016
[<ffffffff84493a25>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84493a25>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
Fixes: c73be61cede5 ("pipe: Add general notification queue support")
Reported-and-tested-by: syzbot+6e2de48f06cdb2884bfc@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/watch_queue.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
index 45a8eb90e5fc..a662abccf52c 100644
--- a/kernel/watch_queue.c
+++ b/kernel/watch_queue.c
@@ -398,6 +398,7 @@ static void free_watch(struct rcu_head *rcu)
put_watch_queue(rcu_access_pointer(watch->queue));
atomic_dec(&watch->cred->user->nr_watches);
put_cred(watch->cred);
+ kfree(watch);
}
static void __put_watch(struct kref *kref)
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 172/599] f2fs: fix to enable ATGC correctly via gc_idle sysfs interface
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 171/599] watch_queue: Actually free the watch Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 173/599] sched/debug: Remove mpol_get/put and task_lock/unlock from sched_show_numa Greg Kroah-Hartman
` (439 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Zhipeng Tan, Jicheng Shao, Chao Yu,
Jaegeuk Kim, Sasha Levin
From: Chao Yu <chao@kernel.org>
[ Upstream commit 7d19e3dab0002e527052b0aaf986e8c32e5537bf ]
It needs to assign sbi->gc_mode with GC_IDLE_AT rather than GC_AT when
user tries to enable ATGC via gc_idle sysfs interface, fix it.
Fixes: 093749e296e2 ("f2fs: support age threshold based garbage collection")
Cc: Zhipeng Tan <tanzhipeng@hust.edu.cn>
Signed-off-by: Jicheng Shao <shaojicheng@hust.edu.cn>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/sysfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
index 7ffd4bb398b0..a7e7d68256e0 100644
--- a/fs/f2fs/sysfs.c
+++ b/fs/f2fs/sysfs.c
@@ -386,7 +386,7 @@ static ssize_t __sbi_store(struct f2fs_attr *a,
} else if (t == GC_IDLE_AT) {
if (!sbi->am.atgc_enabled)
return -EINVAL;
- sbi->gc_mode = GC_AT;
+ sbi->gc_mode = GC_IDLE_AT;
} else {
sbi->gc_mode = GC_NORMAL;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 173/599] sched/debug: Remove mpol_get/put and task_lock/unlock from sched_show_numa
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 172/599] f2fs: fix to enable ATGC correctly via gc_idle sysfs interface Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 174/599] sched/core: Export pelt_thermal_tp Greg Kroah-Hartman
` (438 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Bharata B Rao, Peter Zijlstra (Intel),
Srikar Dronamraju, Mel Gorman, Sasha Levin
From: Bharata B Rao <bharata@amd.com>
[ Upstream commit 28c988c3ec29db74a1dda631b18785958d57df4f ]
The older format of /proc/pid/sched printed home node info which
required the mempolicy and task lock around mpol_get(). However
the format has changed since then and there is no need for
sched_show_numa() any more to have mempolicy argument,
asssociated mpol_get/put and task_lock/unlock. Remove them.
Fixes: 397f2378f1361 ("sched/numa: Fix numa balancing stats in /proc/pid/sched")
Signed-off-by: Bharata B Rao <bharata@amd.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Acked-by: Mel Gorman <mgorman@suse.de>
Link: https://lore.kernel.org/r/20220118050515.2973-1-bharata@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/debug.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/kernel/sched/debug.c b/kernel/sched/debug.c
index 70a578272436..e7df4f293587 100644
--- a/kernel/sched/debug.c
+++ b/kernel/sched/debug.c
@@ -908,25 +908,15 @@ void print_numa_stats(struct seq_file *m, int node, unsigned long tsf,
static void sched_show_numa(struct task_struct *p, struct seq_file *m)
{
#ifdef CONFIG_NUMA_BALANCING
- struct mempolicy *pol;
-
if (p->mm)
P(mm->numa_scan_seq);
- task_lock(p);
- pol = p->mempolicy;
- if (pol && !(pol->flags & MPOL_F_MORON))
- pol = NULL;
- mpol_get(pol);
- task_unlock(p);
-
P(numa_pages_migrated);
P(numa_preferred_nid);
P(total_numa_faults);
SEQ_printf(m, "current_node=%d, numa_group_id=%d\n",
task_node(p), task_numa_group_id(p));
show_numa_stats(p, m);
- mpol_put(pol);
#endif
}
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 174/599] sched/core: Export pelt_thermal_tp
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 173/599] sched/debug: Remove mpol_get/put and task_lock/unlock from sched_show_numa Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 175/599] rseq: Optimise rseq_get_rseq_cs() and clear_rseq_cs() Greg Kroah-Hartman
` (437 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Qais Yousef, Peter Zijlstra (Intel),
Sasha Levin
From: Qais Yousef <qais.yousef@arm.com>
[ Upstream commit 77cf151b7bbdfa3577b3c3f3a5e267a6c60a263b ]
We can't use this tracepoint in modules without having the symbol
exported first, fix that.
Fixes: 765047932f15 ("sched/pelt: Add support to track thermal pressure")
Signed-off-by: Qais Yousef <qais.yousef@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20211028115005.873539-1-qais.yousef@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 0a5f9fad45e4..e437d946b27b 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -36,6 +36,7 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(pelt_rt_tp);
EXPORT_TRACEPOINT_SYMBOL_GPL(pelt_dl_tp);
EXPORT_TRACEPOINT_SYMBOL_GPL(pelt_irq_tp);
EXPORT_TRACEPOINT_SYMBOL_GPL(pelt_se_tp);
+EXPORT_TRACEPOINT_SYMBOL_GPL(pelt_thermal_tp);
EXPORT_TRACEPOINT_SYMBOL_GPL(sched_cpu_capacity_tp);
EXPORT_TRACEPOINT_SYMBOL_GPL(sched_overutilized_tp);
EXPORT_TRACEPOINT_SYMBOL_GPL(sched_util_est_cfs_tp);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 175/599] rseq: Optimise rseq_get_rseq_cs() and clear_rseq_cs()
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 174/599] sched/core: Export pelt_thermal_tp Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 176/599] rseq: Remove broken uapi field layout on 32-bit little endian Greg Kroah-Hartman
` (436 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Peter Zijlstra (Intel),
Mathieu Desnoyers, Sasha Levin
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 5e0ccd4a3b01c5a71732a13186ca110a138516ea ]
Commit ec9c82e03a74 ("rseq: uapi: Declare rseq_cs field as union,
update includes") added regressions for our servers.
Using copy_from_user() and clear_user() for 64bit values
is suboptimal.
We can use faster put_user() and get_user() on 64bit arches.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://lkml.kernel.org/r/20210413203352.71350-4-eric.dumazet@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rseq.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/kernel/rseq.c b/kernel/rseq.c
index 0077713bf240..1b4547e0d841 100644
--- a/kernel/rseq.c
+++ b/kernel/rseq.c
@@ -120,8 +120,13 @@ static int rseq_get_rseq_cs(struct task_struct *t, struct rseq_cs *rseq_cs)
u32 sig;
int ret;
+#ifdef CONFIG_64BIT
+ if (get_user(ptr, &t->rseq->rseq_cs.ptr64))
+ return -EFAULT;
+#else
if (copy_from_user(&ptr, &t->rseq->rseq_cs.ptr64, sizeof(ptr)))
return -EFAULT;
+#endif
if (!ptr) {
memset(rseq_cs, 0, sizeof(*rseq_cs));
return 0;
@@ -204,9 +209,13 @@ static int clear_rseq_cs(struct task_struct *t)
*
* Set rseq_cs to NULL.
*/
+#ifdef CONFIG_64BIT
+ return put_user(0UL, &t->rseq->rseq_cs.ptr64);
+#else
if (clear_user(&t->rseq->rseq_cs.ptr64, sizeof(t->rseq->rseq_cs.ptr64)))
return -EFAULT;
return 0;
+#endif
}
/*
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 176/599] rseq: Remove broken uapi field layout on 32-bit little endian
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 175/599] rseq: Optimise rseq_get_rseq_cs() and clear_rseq_cs() Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 177/599] perf/core: Fix address filter parser for multiple filters Greg Kroah-Hartman
` (435 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Mathieu Desnoyers,
Peter Zijlstra (Intel),
Sasha Levin
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
[ Upstream commit bfdf4e6208051ed7165b2e92035b4bf11f43eb63 ]
The rseq rseq_cs.ptr.{ptr32,padding} uapi endianness handling is
entirely wrong on 32-bit little endian: a preprocessor logic mistake
wrongly uses the big endian field layout on 32-bit little endian
architectures.
Fortunately, those ptr32 accessors were never used within the kernel,
and only meant as a convenience for user-space.
Remove those and replace the whole rseq_cs union by a __u64 type, as
this is the only thing really needed to express the ABI. Document how
32-bit architectures are meant to interact with this field.
Fixes: ec9c82e03a74 ("rseq: uapi: Declare rseq_cs field as union, update includes")
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20220127152720.25898-1-mathieu.desnoyers@efficios.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/rseq.h | 20 ++++----------------
kernel/rseq.c | 8 ++++----
2 files changed, 8 insertions(+), 20 deletions(-)
diff --git a/include/uapi/linux/rseq.h b/include/uapi/linux/rseq.h
index 9a402fdb60e9..77ee207623a9 100644
--- a/include/uapi/linux/rseq.h
+++ b/include/uapi/linux/rseq.h
@@ -105,23 +105,11 @@ struct rseq {
* Read and set by the kernel. Set by user-space with single-copy
* atomicity semantics. This field should only be updated by the
* thread which registered this data structure. Aligned on 64-bit.
+ *
+ * 32-bit architectures should update the low order bits of the
+ * rseq_cs field, leaving the high order bits initialized to 0.
*/
- union {
- __u64 ptr64;
-#ifdef __LP64__
- __u64 ptr;
-#else
- struct {
-#if (defined(__BYTE_ORDER) && (__BYTE_ORDER == __BIG_ENDIAN)) || defined(__BIG_ENDIAN)
- __u32 padding; /* Initialized to zero. */
- __u32 ptr32;
-#else /* LITTLE */
- __u32 ptr32;
- __u32 padding; /* Initialized to zero. */
-#endif /* ENDIAN */
- } ptr;
-#endif
- } rseq_cs;
+ __u64 rseq_cs;
/*
* Restartable sequences flags field.
diff --git a/kernel/rseq.c b/kernel/rseq.c
index 1b4547e0d841..6ca29dddceab 100644
--- a/kernel/rseq.c
+++ b/kernel/rseq.c
@@ -121,10 +121,10 @@ static int rseq_get_rseq_cs(struct task_struct *t, struct rseq_cs *rseq_cs)
int ret;
#ifdef CONFIG_64BIT
- if (get_user(ptr, &t->rseq->rseq_cs.ptr64))
+ if (get_user(ptr, &t->rseq->rseq_cs))
return -EFAULT;
#else
- if (copy_from_user(&ptr, &t->rseq->rseq_cs.ptr64, sizeof(ptr)))
+ if (copy_from_user(&ptr, &t->rseq->rseq_cs, sizeof(ptr)))
return -EFAULT;
#endif
if (!ptr) {
@@ -210,9 +210,9 @@ static int clear_rseq_cs(struct task_struct *t)
* Set rseq_cs to NULL.
*/
#ifdef CONFIG_64BIT
- return put_user(0UL, &t->rseq->rseq_cs.ptr64);
+ return put_user(0UL, &t->rseq->rseq_cs);
#else
- if (clear_user(&t->rseq->rseq_cs.ptr64, sizeof(t->rseq->rseq_cs.ptr64)))
+ if (clear_user(&t->rseq->rseq_cs, sizeof(t->rseq->rseq_cs)))
return -EFAULT;
return 0;
#endif
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 177/599] perf/core: Fix address filter parser for multiple filters
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 176/599] rseq: Remove broken uapi field layout on 32-bit little endian Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 178/599] perf/x86/intel/pt: Fix address filter config for 32-bit kernel Greg Kroah-Hartman
` (434 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Peter Zijlstra (Intel),
Sasha Levin
From: Adrian Hunter <adrian.hunter@intel.com>
[ Upstream commit d680ff24e9e14444c63945b43a37ede7cd6958f9 ]
Reset appropriate variables in the parser loop between parsing separate
filters, so that they do not interfere with parsing the next filter.
Fixes: 375637bc524952 ("perf/core: Introduce address range filtering")
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/r/20220131072453.2839535-4-adrian.hunter@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index c8b3f94f0dbb..79d8b27cf2fc 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -10265,8 +10265,11 @@ perf_event_parse_addr_filter(struct perf_event *event, char *fstr,
}
/* ready to consume more filters */
+ kfree(filename);
+ filename = NULL;
state = IF_STATE_ACTION;
filter = NULL;
+ kernel = 0;
}
}
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 178/599] perf/x86/intel/pt: Fix address filter config for 32-bit kernel
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 177/599] perf/core: Fix address filter parser for multiple filters Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 179/599] f2fs: fix missing free nid in f2fs_handle_failed_inode Greg Kroah-Hartman
` (433 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Peter Zijlstra (Intel),
Sasha Levin
From: Adrian Hunter <adrian.hunter@intel.com>
[ Upstream commit e5524bf1047eb3b3f3f33b5f59897ba67b3ade87 ]
Change from shifting 'unsigned long' to 'u64' to prevent the config bits
being lost on a 32-bit kernel.
Fixes: eadf48cab4b6b0 ("perf/x86/intel/pt: Add support for address range filtering in PT")
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/r/20220131072453.2839535-5-adrian.hunter@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/events/intel/pt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c
index c084899e9582..cc3b79c06685 100644
--- a/arch/x86/events/intel/pt.c
+++ b/arch/x86/events/intel/pt.c
@@ -472,7 +472,7 @@ static u64 pt_config_filters(struct perf_event *event)
pt->filters.filter[range].msr_b = filter->msr_b;
}
- rtit_ctl |= filter->config << pt_address_ranges[range].reg_off;
+ rtit_ctl |= (u64)filter->config << pt_address_ranges[range].reg_off;
}
return rtit_ctl;
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 179/599] f2fs: fix missing free nid in f2fs_handle_failed_inode
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 178/599] perf/x86/intel/pt: Fix address filter config for 32-bit kernel Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 180/599] nfsd: more robust allocation failure handling in nfsd_file_cache_init Greg Kroah-Hartman
` (432 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Chao Yu, Jaegeuk Kim, Sasha Levin
From: Jaegeuk Kim <jaegeuk@kernel.org>
[ Upstream commit 2fef99b8372c1ae3d8445ab570e888b5a358dbe9 ]
This patch fixes xfstests/generic/475 failure.
[ 293.680694] F2FS-fs (dm-1): May loss orphan inode, run fsck to fix.
[ 293.685358] Buffer I/O error on dev dm-1, logical block 8388592, async page read
[ 293.691527] Buffer I/O error on dev dm-1, logical block 8388592, async page read
[ 293.691764] sh (7615): drop_caches: 3
[ 293.691819] sh (7616): drop_caches: 3
[ 293.694017] Buffer I/O error on dev dm-1, logical block 1, async page read
[ 293.695659] sh (7618): drop_caches: 3
[ 293.696979] sh (7617): drop_caches: 3
[ 293.700290] sh (7623): drop_caches: 3
[ 293.708621] sh (7626): drop_caches: 3
[ 293.711386] sh (7628): drop_caches: 3
[ 293.711825] sh (7627): drop_caches: 3
[ 293.716738] sh (7630): drop_caches: 3
[ 293.719613] sh (7632): drop_caches: 3
[ 293.720971] sh (7633): drop_caches: 3
[ 293.727741] sh (7634): drop_caches: 3
[ 293.730783] sh (7636): drop_caches: 3
[ 293.732681] sh (7635): drop_caches: 3
[ 293.732988] sh (7637): drop_caches: 3
[ 293.738836] sh (7639): drop_caches: 3
[ 293.740568] sh (7641): drop_caches: 3
[ 293.743053] sh (7640): drop_caches: 3
[ 293.821889] ------------[ cut here ]------------
[ 293.824654] kernel BUG at fs/f2fs/node.c:3334!
[ 293.826226] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[ 293.828713] CPU: 0 PID: 7653 Comm: umount Tainted: G OE 5.17.0-rc1-custom #1
[ 293.830946] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 293.832526] RIP: 0010:f2fs_destroy_node_manager+0x33f/0x350 [f2fs]
[ 293.833905] Code: e8 d6 3d f9 f9 48 8b 45 d0 65 48 2b 04 25 28 00 00 00 75 1a 48 81 c4 28 03 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b
[ 293.837783] RSP: 0018:ffffb04ec31e7a20 EFLAGS: 00010202
[ 293.839062] RAX: 0000000000000001 RBX: ffff9df947db2eb8 RCX: 0000000080aa0072
[ 293.840666] RDX: 0000000000000000 RSI: ffffe86c0432a140 RDI: ffffffffc0b72a21
[ 293.842261] RBP: ffffb04ec31e7d70 R08: ffff9df94ca85780 R09: 0000000080aa0072
[ 293.843909] R10: ffff9df94ca85700 R11: ffff9df94e1ccf58 R12: ffff9df947db2e00
[ 293.845594] R13: ffff9df947db2ed0 R14: ffff9df947db2eb8 R15: ffff9df947db2eb8
[ 293.847855] FS: 00007f5a97379800(0000) GS:ffff9dfa77c00000(0000) knlGS:0000000000000000
[ 293.850647] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 293.852940] CR2: 00007f5a97528730 CR3: 000000010bc76005 CR4: 0000000000370ef0
[ 293.854680] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 293.856423] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 293.858380] Call Trace:
[ 293.859302] <TASK>
[ 293.860311] ? ttwu_do_wakeup+0x1c/0x170
[ 293.861800] ? ttwu_do_activate+0x6d/0xb0
[ 293.863057] ? _raw_spin_unlock_irqrestore+0x29/0x40
[ 293.864411] ? try_to_wake_up+0x9d/0x5e0
[ 293.865618] ? debug_smp_processor_id+0x17/0x20
[ 293.866934] ? debug_smp_processor_id+0x17/0x20
[ 293.868223] ? free_unref_page+0xbf/0x120
[ 293.869470] ? __free_slab+0xcb/0x1c0
[ 293.870614] ? preempt_count_add+0x7a/0xc0
[ 293.871811] ? __slab_free+0xa0/0x2d0
[ 293.872918] ? __wake_up_common_lock+0x8a/0xc0
[ 293.874186] ? __slab_free+0xa0/0x2d0
[ 293.875305] ? free_inode_nonrcu+0x20/0x20
[ 293.876466] ? free_inode_nonrcu+0x20/0x20
[ 293.877650] ? debug_smp_processor_id+0x17/0x20
[ 293.878949] ? call_rcu+0x11a/0x240
[ 293.880060] ? f2fs_destroy_stats+0x59/0x60 [f2fs]
[ 293.881437] ? kfree+0x1fe/0x230
[ 293.882674] f2fs_put_super+0x160/0x390 [f2fs]
[ 293.883978] generic_shutdown_super+0x7a/0x120
[ 293.885274] kill_block_super+0x27/0x50
[ 293.886496] kill_f2fs_super+0x7f/0x100 [f2fs]
[ 293.887806] deactivate_locked_super+0x35/0xa0
[ 293.889271] deactivate_super+0x40/0x50
[ 293.890513] cleanup_mnt+0x139/0x190
[ 293.891689] __cleanup_mnt+0x12/0x20
[ 293.892850] task_work_run+0x64/0xa0
[ 293.894035] exit_to_user_mode_prepare+0x1b7/0x1c0
[ 293.895409] syscall_exit_to_user_mode+0x27/0x50
[ 293.896872] do_syscall_64+0x48/0xc0
[ 293.898090] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 293.899517] RIP: 0033:0x7f5a975cd25b
Fixes: 7735730d39d7 ("f2fs: fix to propagate error from __get_meta_page()")
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/inode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index a35fcf43ad5a..98483f50e5e9 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -848,6 +848,7 @@ void f2fs_handle_failed_inode(struct inode *inode)
err = f2fs_get_node_info(sbi, inode->i_ino, &ni);
if (err) {
set_sbi_flag(sbi, SBI_NEED_FSCK);
+ set_inode_flag(inode, FI_FREE_NID);
f2fs_warn(sbi, "May loss orphan inode, run fsck to fix.");
goto out;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 180/599] nfsd: more robust allocation failure handling in nfsd_file_cache_init
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 179/599] f2fs: fix missing free nid in f2fs_handle_failed_inode Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 181/599] f2fs: fix to avoid potential deadlock Greg Kroah-Hartman
` (431 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jeff Layton, Amir Goldstein,
Chuck Lever, Sasha Levin
From: Amir Goldstein <amir73il@gmail.com>
[ Upstream commit 4d2eeafecd6c83b4444db3dc0ada201c89b1aa44 ]
The nfsd file cache table can be pretty large and its allocation
may require as many as 80 contigious pages.
Employ the same fix that was employed for similar issue that was
reported for the reply cache hash table allocation several years ago
by commit 8f97514b423a ("nfsd: more robust allocation failure handling
in nfsd_reply_cache_init").
Fixes: 65294c1f2c5e ("nfsd: add a new struct file caching facility to nfsd")
Link: https://lore.kernel.org/linux-nfs/e3cdaeec85a6cfec980e87fc294327c0381c1778.camel@kernel.org/
Suggested-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Tested-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/filecache.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c
index e5aad1c10ea3..acd0898e3866 100644
--- a/fs/nfsd/filecache.c
+++ b/fs/nfsd/filecache.c
@@ -641,7 +641,7 @@ nfsd_file_cache_init(void)
if (!nfsd_filecache_wq)
goto out;
- nfsd_file_hashtbl = kcalloc(NFSD_FILE_HASH_SIZE,
+ nfsd_file_hashtbl = kvcalloc(NFSD_FILE_HASH_SIZE,
sizeof(*nfsd_file_hashtbl), GFP_KERNEL);
if (!nfsd_file_hashtbl) {
pr_err("nfsd: unable to allocate nfsd_file_hashtbl\n");
@@ -708,7 +708,7 @@ nfsd_file_cache_init(void)
nfsd_file_slab = NULL;
kmem_cache_destroy(nfsd_file_mark_slab);
nfsd_file_mark_slab = NULL;
- kfree(nfsd_file_hashtbl);
+ kvfree(nfsd_file_hashtbl);
nfsd_file_hashtbl = NULL;
destroy_workqueue(nfsd_filecache_wq);
nfsd_filecache_wq = NULL;
@@ -854,7 +854,7 @@ nfsd_file_cache_shutdown(void)
fsnotify_wait_marks_destroyed();
kmem_cache_destroy(nfsd_file_mark_slab);
nfsd_file_mark_slab = NULL;
- kfree(nfsd_file_hashtbl);
+ kvfree(nfsd_file_hashtbl);
nfsd_file_hashtbl = NULL;
destroy_workqueue(nfsd_filecache_wq);
nfsd_filecache_wq = NULL;
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 181/599] f2fs: fix to avoid potential deadlock
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 180/599] nfsd: more robust allocation failure handling in nfsd_file_cache_init Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 182/599] btrfs: fix unexpected error path when reflinking an inline extent Greg Kroah-Hartman
` (430 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Zhiguo Niu, Jing Xia, Chao Yu,
Jaegeuk Kim, Sasha Levin
From: Chao Yu <chao@kernel.org>
[ Upstream commit 344150999b7fc88502a65bbb147a47503eca2033 ]
Quoted from Jing Xia's report, there is a potential deadlock may happen
between kworker and checkpoint as below:
[T:writeback] [T:checkpoint]
- wb_writeback
- blk_start_plug
bio contains NodeA was plugged in writeback threads
- do_writepages -- sync write inodeB, inc wb_sync_req[DATA]
- f2fs_write_data_pages
- f2fs_write_single_data_page -- write last dirty page
- f2fs_do_write_data_page
- set_page_writeback -- clear page dirty flag and
PAGECACHE_TAG_DIRTY tag in radix tree
- f2fs_outplace_write_data
- f2fs_update_data_blkaddr
- f2fs_wait_on_page_writeback -- wait NodeA to writeback here
- inode_dec_dirty_pages
- writeback_sb_inodes
- writeback_single_inode
- do_writepages
- f2fs_write_data_pages -- skip writepages due to wb_sync_req[DATA]
- wbc->pages_skipped += get_dirty_pages() -- PAGECACHE_TAG_DIRTY is not set but get_dirty_pages() returns one
- requeue_inode -- requeue inode to wb->b_dirty queue due to non-zero.pages_skipped
- blk_finish_plug
Let's try to avoid deadlock condition by forcing unplugging previous bio via
blk_finish_plug(current->plug) once we'v skipped writeback in writepages()
due to valid sbi->wb_sync_req[DATA/NODE].
Fixes: 687de7f1010c ("f2fs: avoid IO split due to mixed WB_SYNC_ALL and WB_SYNC_NONE")
Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Signed-off-by: Jing Xia <jing.xia@unisoc.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/data.c | 6 +++++-
fs/f2fs/node.c | 6 +++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index 1b11a42847c4..d27a92a54447 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -3264,8 +3264,12 @@ static int __f2fs_write_data_pages(struct address_space *mapping,
/* to avoid spliting IOs due to mixed WB_SYNC_ALL and WB_SYNC_NONE */
if (wbc->sync_mode == WB_SYNC_ALL)
atomic_inc(&sbi->wb_sync_req[DATA]);
- else if (atomic_read(&sbi->wb_sync_req[DATA]))
+ else if (atomic_read(&sbi->wb_sync_req[DATA])) {
+ /* to avoid potential deadlock */
+ if (current->plug)
+ blk_finish_plug(current->plug);
goto skip_write;
+ }
if (__should_serialize_io(inode, wbc)) {
mutex_lock(&sbi->writepages);
diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index 7e625806bd4a..5fa10d0b0068 100644
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -2055,8 +2055,12 @@ static int f2fs_write_node_pages(struct address_space *mapping,
if (wbc->sync_mode == WB_SYNC_ALL)
atomic_inc(&sbi->wb_sync_req[NODE]);
- else if (atomic_read(&sbi->wb_sync_req[NODE]))
+ else if (atomic_read(&sbi->wb_sync_req[NODE])) {
+ /* to avoid potential deadlock */
+ if (current->plug)
+ blk_finish_plug(current->plug);
goto skip_write;
+ }
trace_f2fs_writepages(mapping->host, wbc, NODE);
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 182/599] btrfs: fix unexpected error path when reflinking an inline extent
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 181/599] f2fs: fix to avoid potential deadlock Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 183/599] f2fs: compress: remove unneeded read when rewrite whole cluster Greg Kroah-Hartman
` (429 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Filipe Manana, David Sterba, Sasha Levin
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 1f4613cdbe7739ce291554b316bff8e551383389 ]
When reflinking an inline extent, we assert that its file offset is 0 and
that its uncompressed length is not greater than the sector size. We then
return an error if one of those conditions is not satisfied. However we
use a return statement, which results in returning from btrfs_clone()
without freeing the path and buffer that were allocated before, as well as
not clearing the flag BTRFS_INODE_NO_DELALLOC_FLUSH for the destination
inode.
Fix that by jumping to the 'out' label instead, and also add a WARN_ON()
for each condition so that in case assertions are disabled, we get to
known which of the unexpected conditions triggered the error.
Fixes: a61e1e0df9f321 ("Btrfs: simplify inline extent handling when doing reflinks")
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/reflink.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/btrfs/reflink.c b/fs/btrfs/reflink.c
index 3a3102bc15a0..4b3ae0faf548 100644
--- a/fs/btrfs/reflink.c
+++ b/fs/btrfs/reflink.c
@@ -503,8 +503,11 @@ static int btrfs_clone(struct inode *src, struct inode *inode,
*/
ASSERT(key.offset == 0);
ASSERT(datal <= fs_info->sectorsize);
- if (key.offset != 0 || datal > fs_info->sectorsize)
- return -EUCLEAN;
+ if (WARN_ON(key.offset != 0) ||
+ WARN_ON(datal > fs_info->sectorsize)) {
+ ret = -EUCLEAN;
+ goto out;
+ }
ret = clone_copy_inline_extent(inode, path, &new_key,
drop_start, datal, size,
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 183/599] f2fs: compress: remove unneeded read when rewrite whole cluster
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 182/599] btrfs: fix unexpected error path when reflinking an inline extent Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 184/599] f2fs: fix compressed file start atomic write may cause data corruption Greg Kroah-Hartman
` (428 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Fengnan Chang, Chao Yu, Jaegeuk Kim,
Sasha Levin
From: Fengnan Chang <changfengnan@vivo.com>
[ Upstream commit 7eab7a6968278c735b1ca6387056a408f7960265 ]
when we overwrite the whole page in cluster, we don't need read original
data before write, because after write_end(), writepages() can help to
load left data in that cluster.
Signed-off-by: Fengnan Chang <changfengnan@vivo.com>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Acked-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/data.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index d27a92a54447..04e980c58319 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -3461,6 +3461,9 @@ static int f2fs_write_begin(struct file *file, struct address_space *mapping,
*fsdata = NULL;
+ if (len == PAGE_SIZE)
+ goto repeat;
+
ret = f2fs_prepare_compress_overwrite(inode, pagep,
index, fsdata);
if (ret < 0) {
--
2.34.1
^ permalink raw reply related [flat|nested] 636+ messages in thread
* [PATCH 5.10 184/599] f2fs: fix compressed file start atomic write may cause data corruption
2022-04-05 7:24 [PATCH 5.10 000/599] 5.10.110-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2022-04-05 7:27 ` [PATCH 5.10 183/599] f2fs: compress: remove unneeded read when rewrite whole cluster Greg Kroah-Hartman
@ 2022-04-05 7:27 ` Greg Kroah-Hartman
2022-04-05 7:27 ` [PATCH 5.10 185/599] selftests, x86: fix how check_cc.sh is being invoked Greg Kroah-Hartman
` (427 subsequent siblings)
611 siblings, 0 replies; 636+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05 7:27 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, kernel test robot, Dan Carpenter,
Fengnan Chang, Chao Yu, Jaegeuk Kim, Sasha Levin
From: Fengnan Chang <changfengnan@vivo.com>
[ Upstream commit 9b56adcf525522e9ffa52471260298d91fc1d395 ]
When compressed file has blocks, f2fs_ioc_start_atomic_write will succeed,
but compressed flag will be remained in inode. If write partial compreseed
cluster and commit atomic write will cause data corruption.
This is the reproduction process:
Step 1:
create a compressed file ,write 64K data , call fsync(), then the blocks
are write as compressed cluster.
Step2:
iotcl(F2FS_IOC_START_ATOMIC_WRITE) --- this should be fail, but not.
write page 0 and page 3.
iotcl(F2FS_IOC_COMMIT_ATOMIC_WRITE) -- page 0 and 3 write as normal file,
Step3:
drop cache.
read page 0-4 -- Since page 0 has a valid block address, read as
non-compressed cluster, page 1 and 2 will be filled with compressed data
or zero.
The root cause is, after commit 7eab7a696827 ("f2fs: compress: remove
unneeded read when rewrite whole cluster"), in step 2, f2fs_write_begin()
only set target page dirty, and in f2fs_commit_inmem_pages(), we will write
partial raw pages into compressed cluster, result in corrupting compressed
cluster layout.
Fixes: 4c8ff7095bef ("f2fs: support data compression")
Fixes: 7eab7a696827 ("f2fs: compress: remove unneeded read when rewrite whole cluster")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Fengnan Chang <changfengnan@vivo.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/data.c | 2 +-
fs/f2fs/file.c | 5 ++++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git