All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 5.17 0000/1126] 5.17.2-rc1 review
@ 2022-04-05  7:12 Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0001/1126] Revert "swiotlb: rework "fix info leak with DMA_FROM_DEVICE"" Greg Kroah-Hartman
                   ` (989 more replies)
  0 siblings, 990 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, slade

This is the start of the stable review cycle for the 5.17.2 release.
There are 1126 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 07 Apr 2022 07:01:33 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.17.2-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.17.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.17.2-rc1

Eric W. Biederman <ebiederm@xmission.com>
    coredump: Use the vma snapshot in fill_files_note

Eric W. Biederman <ebiederm@xmission.com>
    coredump/elf: Pass coredump_params into fill_note_info

Eric W. Biederman <ebiederm@xmission.com>
    coredump: Remove the WARN_ON in dump_vma_snapshot

Eric W. Biederman <ebiederm@xmission.com>
    coredump: Snapshot the vmas in do_coredump

Ulf Hansson <ulf.hansson@linaro.org>
    mmc: rtsx: Fix build errors/warnings for unused variable

Kai-Heng Feng <kai.heng.feng@canonical.com>
    mmc: rtsx: Let MMC core handle runtime PM

Jens Axboe <axboe@kernel.dk>
    Revert "nbd: fix possible overflow on 'first_minor' in nbd_dev_add()"

Jackie Liu <liuyun01@kylinos.cn>
    n64cart: convert bi_disk to bi_bdev->bd_disk fix build

Paul E. McKenney <paulmck@kernel.org>
    torture: Make torture.sh help message match reality

Martin Varghese <martin.varghese@nokia.com>
    openvswitch: Fixed nd target mask field in the flow dump.

Eli Cohen <elic@nvidia.com>
    vdpa/mlx5: Avoid processing works if workqueue was destroyed

Maciej Fijalkowski <maciej.fijalkowski@intel.com>
    ice: xsk: Fix indexing in ice_tx_xsk_pool()

Magnus Karlsson <magnus.karlsson@intel.com>
    xsk: Do not write NULL in SW ring at allocation failure

Guilherme G. Piccoli <gpiccoli@igalia.com>
    docs: sysctl/kernel: add missing bit to panic_print

Anton Ivanov <anton.ivanov@cambridgegreys.com>
    um: Fix uml_mconsole stop/go

Kuldeep Singh <singh.kuldeep87k@gmail.com>
    arm64: dts: ls1046a: Update i2c node dma properties

Kuldeep Singh <singh.kuldeep87k@gmail.com>
    arm64: dts: ls1043a: Update i2c dma properties

Kuldeep Singh <singh.kuldeep87k@gmail.com>
    ARM: dts: spear13xx: Update SPI dma properties

Kuldeep Singh <singh.kuldeep87k@gmail.com>
    ARM: dts: spear1340: Update serial node properties

Leilk Liu <leilk.liu@mediatek.com>
    spi: mediatek: support tick_delay without enhance_timing

Guodong Liu <guodong.liu@mediatek.com>
    pinctrl: canonical rsel resistance selection property

Janusz Krzysztofik <jmkrzyszt@gmail.com>
    media: ov6650: Fix crop rectangle affected by set format

Janusz Krzysztofik <jmkrzyszt@gmail.com>
    media: ov6650: Add try support to selection API operations

Ian Rogers <irogers@google.com>
    perf vendor events: Update metrics for SkyLake Server

Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
    ASoC: topology: Allow TLV control to be either read or write

Zheng Bin <zhengbin13@huawei.com>
    ASoC: SOF: Intel: Fix build error without SND_SOC_SOF_PCI_DEV

Eric Dumazet <edumazet@google.com>
    net: preserve skb_end_offset() in skb_unclone_keeptruesize()

Zhihao Cheng <chengzhihao1@huawei.com>
    ubi: fastmap: Return error code if memory allocation fails in add_aeb()

Horatiu Vultur <horatiu.vultur@microchip.com>
    dt-bindings: pinctrl: pinctrl-microchip-sgpio: Fix example

Chen-Yu Tsai <wenst@chromium.org>
    dt-bindings: pinctrl: mt8195: fix bias-pull-{up,down} checks

Yong Wu <yong.wu@mediatek.com>
    dt-bindings: memory: mtk-smi: Correct minItems to 2 for the gals clocks

Yong Wu <yong.wu@mediatek.com>
    dt-bindings: memory: mtk-smi: No need mediatek,larb-id for mt8167

Yong Wu <yong.wu@mediatek.com>
    dt-bindings: memory: mtk-smi: Rename clock to clocks

Martin Kepplinger <martink@posteo.de>
    media: dt-bindings: media: hynix,hi846: add link-frequencies description

Martin Kepplinger <martink@posteo.de>
    media: dt-binding: media: hynix,hi846: use $defs/port-base port description

Miquel Raynal <miquel.raynal@bootlin.com>
    dt-bindings: spi: mxic: The interrupt property is not mandatory

Miquel Raynal <miquel.raynal@bootlin.com>
    dt-bindings: mtd: nand-controller: Fix a comment in the examples

Miquel Raynal <miquel.raynal@bootlin.com>
    dt-bindings: mtd: nand-controller: Fix the reg property description

Kai-Heng Feng <kai.heng.feng@canonical.com>
    mmc: rtsx: Use pm_runtime_{get,put}() to handle runtime PM

Zhang Wensheng <zhangwensheng5@huawei.com>
    nbd: fix possible overflow on 'first_minor' in nbd_dev_add()

Hengqi Chen <hengqi.chen@gmail.com>
    bpf: Fix comment for helper bpf_current_task_under_cgroup()

Namhyung Kim <namhyung@kernel.org>
    bpf: Adjust BPF stack helper functions to accommodate skip > 0

Toke Høiland-Jørgensen <toke@redhat.com>
    libbpf: Define BTF_KIND_* constants in btf.h to avoid compilation errors

Kuniyuki Iwashima <kuniyu@amazon.co.jp>
    af_unix: Support POLLPRI for OOB.

Randy Dunlap <rdunlap@infradead.org>
    mm/usercopy: return 1 from hardened_usercopy __setup() handler

Randy Dunlap <rdunlap@infradead.org>
    mm/memcontrol: return 1 from cgroup.memory __setup() handler

Randy Dunlap <rdunlap@infradead.org>
    ARM: 9187/1: JIVE: fix return value of __setup handler

Randy Dunlap <rdunlap@infradead.org>
    mm/mmap: return 1 from stack_guard_gap __setup() handler

Eric Dumazet <edumazet@google.com>
    net: add skb_set_end_offset() helper

Nemanja Rakovic <nemanja.rakovic@syrmia.com>
    mips: Enable KCSAN - take 2

Steven Rostedt (Google) <rostedt@goodmis.org>
    tracing: Have type enum modifications copy the strings

Linus Torvalds <torvalds@linux-foundation.org>
    Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE""

Duoming Zhou <duoming@zju.edu.cn>
    ax25: fix UAF bug in ax25_send_control()

Maxim Levitsky <mlevitsk@redhat.com>
    KVM: x86: SVM: fix avic spec based definitions again

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    ASoC: soc-compress: Change the check for codec_dai

Will Deacon <will@kernel.org>
    arm64: mm: Drop 'const' from conditional arm64_dma_phys_limit definition

Wan Jiabing <wanjiabing@vivo.com>
    docs: fix 'make htmldocs' warning in SCTP.rst

Arınç ÜNAL <arinc.unal@arinc9.com>
    staging: mt7621-dts: fix pinctrl-0 items to be size-1 items on ethernet

Saurav Kashyap <skashyap@marvell.com>
    scsi: qla2xxx: Add qla2x00_async_done() for async routines

Maxime Ripard <maxime@cerno.tech>
    drm/connector: Fix typo in documentation

Joerg Roedel <jroedel@suse.de>
    x86/sev: Unroll string mmio with CC_ATTR_GUEST_UNROLL_STRING_IO

Yang Zhong <yang.zhong@intel.com>
    x86/fpu/xstate: Fix the ARCH_REQ_XCOMP_PERM implementation

Lv Ruyi <lv.ruyi@zte.com.cn>
    proc: bootconfig: Add null pointer check

Oliver Hartkopp <socketcan@hartkopp.net>
    can: isotp: restore accidentally removed MSG_PEEK feature

Hans de Goede <hdegoede@redhat.com>
    platform/x86: asus-wmi: Fix regression when probing for fan curve control

Prashant Malani <pmalani@chromium.org>
    platform/chrome: cros_ec_typec: Check for EC device

Jon Hunter <jonathanh@nvidia.com>
    spi: Fix Tegra QSPI example

Anirudh Rayabharam <mail@anirudhrb.com>
    vhost: handle error while adding split ranges to iotlb

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    ACPI: CPPC: Avoid out of bounds access when parsing _CPC data

Fangrui Song <maskray@google.com>
    riscv module: remove (NOLOAD)

Pavel Begunkov <asml.silence@gmail.com>
    io_uring: fix memory leak of uid in files registration

Jens Axboe <axboe@kernel.dk>
    io_uring: bump poll refs to full 31-bits

Jens Axboe <axboe@kernel.dk>
    io_uring: remove poll entry from list when canceling all

Stefano Garzarella <sgarzare@redhat.com>
    virtio: use virtio_device_ready() in virtio_device_restore()

Jason Wang <jasowang@redhat.com>
    Revert "virtio_pci: harden MSI-X interrupts"

Jason Wang <jasowang@redhat.com>
    Revert "virtio-pci: harden INTX interrupts"

Jiri Slaby <jirislaby@kernel.org>
    block: restore the old set_task_ioprio() behaviour wrt PF_EXITING

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    block: Fix the maximum minor value is blk_alloc_ext_minor()

Arnd Bergmann <arnd@arndb.de>
    ARM: iop32x: offset IRQ numbers by 1

Baokun Li <libaokun1@huawei.com>
    ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl

Jiaxin Yu <jiaxin.yu@mediatek.com>
    ASoC: mediatek: mt6358: add missing EXPORT_SYMBOLs

Meng Tang <tangmeng@uniontech.com>
    ASoC: rockchip: i2s_tdm: Fixup config for SND_SOC_DAIFMT_DSP_A/B

Jonathan Neuschäfer <j.neuschaefer@gmx.net>
    pinctrl: nuvoton: npcm7xx: Use %zu printk format for ARRAY_SIZE()

Jonathan Neuschäfer <j.neuschaefer@gmx.net>
    pinctrl: nuvoton: npcm7xx: Rename DS() macro to DSTR()

Randy Dunlap <rdunlap@infradead.org>
    net: sparx5: uses, depends on BRIDGE or !BRIDGE

Miaoqian Lin <linmq006@gmail.com>
    watchdog: rti-wdt: Add missing pm_runtime_disable() in probe function

Chen-Yu Tsai <wenst@chromium.org>
    pinctrl: pinconf-generic: Print arguments for bias-pull-*

Eric Dumazet <edumazet@google.com>
    watch_queue: Free the page array when watch_queue is dismantled

Herbert Xu <herbert@gondor.apana.org.au>
    crypto: arm/aes-neonbs-cbc - Select generic cbc and aes

Peter Zijlstra <peterz@infradead.org>
    crypto: x86/poly1305 - Fixup SLS

Robin Gong <yibin.gong@nxp.com>
    mailbox: imx: fix wakeup failure from freeze mode

David Howells <dhowells@redhat.com>
    rxrpc: Fix call timer start racing with call destruction

Xiaolong Huang <butterflyhuangxx@gmail.com>
    rxrpc: fix some null-ptr-deref bugs in server_key.c

Guangbin Huang <huangguangbin2@huawei.com>
    net: hns3: fix software vlan talbe of vlan 0 inconsistent with hardware

Yufeng Mo <moyufeng@huawei.com>
    net: hns3: fix the concurrency between functions reading debugfs

Andrew Price <anprice@redhat.com>
    gfs2: Make sure FITRIM minlen is rounded up to fs block size

Andreas Gruenbacher <agruenba@redhat.com>
    gfs2: Fix gfs2_file_buffered_write endless loop workaround

Andreas Gruenbacher <agruenba@redhat.com>
    gfs2: gfs2_setattr_size error path fix

Carlos Llamas <cmllamas@google.com>
    loop: fix ioctl calls using compat_loop_info

Tom Rix <trix@redhat.com>
    rtc: check if __rtc_read_time was successful

Miaoqian Lin <linmq006@gmail.com>
    rtc: gamecube: Fix refcount leak in gamecube_rtc_read_offset_from_sram

Masahiro Yamada <masahiroy@kernel.org>
    modpost: restore the warning message for missing symbol versions

Matthew Wilcox (Oracle) <willy@infradead.org>
    XArray: Update the LRU list in xas_split()

Matthew Wilcox (Oracle) <willy@infradead.org>
    XArray: Include bitmap.h from xarray.h

Tom Rix <trix@redhat.com>
    can: mcp251xfd: mcp251xfd_register_get_dev_id(): fix return of error value

Pavel Skripkin <paskripkin@gmail.com>
    can: mcba_usb: properly check endpoint type

Hangyu Hua <hbh25y@gmail.com>
    can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path

Matthew Wilcox (Oracle) <willy@infradead.org>
    XArray: Fix xas_create_range() when multi-order entry present

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: socket: ignore v6 endpoints when ipv6 is disabled

Wang Hai <wanghai38@huawei.com>
    wireguard: socket: free skb in send6 when ipv6 is disabled

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: queueing: use CFI-safe ptr_ring cleanup function

Pankaj Raghav <p.raghav@samsung.com>
    nvme: fix the read-only state for zoned namespaces with unsupposed features

Sungup Moon <sungup.moon@samsung.com>
    nvme: allow duplicate NSIDs for private namespaces

Baokun Li <libaokun1@huawei.com>
    ubifs: rename_whiteout: correct old_dir size computing

Zhihao Cheng <chengzhihao1@huawei.com>
    ubifs: Fix to add refcount once page is set private

Zhihao Cheng <chengzhihao1@huawei.com>
    ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()

Zhihao Cheng <chengzhihao1@huawei.com>
    ubifs: setflags: Make dirtied_ino_d 8 bytes aligned

Zhihao Cheng <chengzhihao1@huawei.com>
    ubifs: Rectify space amount budget for mkdir/tmpfile operations

Zhihao Cheng <chengzhihao1@huawei.com>
    ubifs: Fix 'ui->dirty' race between do_tmpfile() and writeback work

Zhihao Cheng <chengzhihao1@huawei.com>
    ubifs: Rename whiteout atomically

Zhihao Cheng <chengzhihao1@huawei.com>
    ubifs: Add missing iput if do_tmpfile() failed in rename whiteout

Zhihao Cheng <chengzhihao1@huawei.com>
    ubifs: Fix deadlock in concurrent rename whiteout and inode writeback

Zhihao Cheng <chengzhihao1@huawei.com>
    ubifs: rename_whiteout: Fix double free for whiteout_ui->data

David Woodhouse <dwmw@amazon.co.uk>
    KVM: avoid double put_page with gfn-to-pfn cache

Yi Wang <wang.yi59@zte.com.cn>
    KVM: SVM: fix panic on out-of-bounds guest IRQ

Li RongQing <lirongqing@baidu.com>
    KVM: x86: fix sending PV IPI

David Matlack <dmatlack@google.com>
    KVM: Prevent module exit until all VMs are freed

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86/mmu: do compare-and-exchange of gPTE via the user address

Vitaly Kuznetsov <vkuznets@redhat.com>
    KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't activated

Vitaly Kuznetsov <vkuznets@redhat.com>
    KVM: x86: Avoid theoretical NULL pointer dereference in kvm_irq_delivery_to_apic_fast()

Vitaly Kuznetsov <vkuznets@redhat.com>
    KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq

Paul Cercueil <paul@crapouillou.net>
    MIPS: crypto: Fix CRC32 code

Gwendal Grignou <gwendal@chromium.org>
    platform: chrome: Split trace include file

Manish Rangankar <mrangankar@marvell.com>
    scsi: qla2xxx: Use correct feature type field during RFF_ID processing

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Reduce false trigger to login

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Fix stuck session of PRLI reject

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Fix N2N inconsistent PLOGI

Arun Easi <aeasi@marvell.com>
    scsi: qla2xxx: Fix crash during module load unload test

Arun Easi <aeasi@marvell.com>
    scsi: qla2xxx: Fix missed DMA unmap for NVMe ls requests

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Fix laggy FC remote port session recovery

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Fix hang due to session stuck

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Fix incorrect reporting of task management failure

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Fix disk failure to rediscover

Saurav Kashyap <skashyap@marvell.com>
    scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair()

Joe Carnuccio <joe.carnuccio@cavium.com>
    scsi: qla2xxx: Check for firmware dump already collected

Joe Carnuccio <joe.carnuccio@cavium.com>
    scsi: qla2xxx: Add devids and conditionals for 28xx

Joe Carnuccio <joe.carnuccio@cavium.com>
    scsi: qla2xxx: Fix T10 PI tag escape and IP guard options for 28XX adapters

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Fix clang warning

Arun Easi <aeasi@marvell.com>
    scsi: qla2xxx: Fix device reconnect in loop topology

Nilesh Javali <njavali@marvell.com>
    scsi: qla2xxx: Fix warning for missing error code

Bikash Hazarika <bhazarika@marvell.com>
    scsi: qla2xxx: Fix wrong FDMI data for 64G adapter

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Fix premature hw access after PCI error

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Fix scheduling while atomic

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Fix warning message due to adisc being flushed

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Fix stuck session in gpdb

Saurav Kashyap <skashyap@marvell.com>
    scsi: qla2xxx: Implement ref count for SRB

Daniel Wagner <dwagner@suse.de>
    scsi: qla2xxx: Refactor asynchronous command initialization

Ville Syrjälä <ville.syrjala@linux.intel.com>
    drm/i915: Reject unsupported TMDS rates on ICL+

Ville Syrjälä <ville.syrjala@linux.intel.com>
    drm/i915: Fix PSF GV point mask when SAGV is not possible

Ville Syrjälä <ville.syrjala@linux.intel.com>
    drm/i915: Treat SAGV block time 0 as SAGV disabled

Kees Cook <keescook@chromium.org>
    drm/dp: Fix off-by-one in register cache size

Anders Roxell <anders.roxell@linaro.org>
    powerpc: Fix build errors with newer binutils

Christophe Leroy <christophe.leroy@csgroup.eu>
    powerpc: Add set_memory_{p/np}() and remove set_memory_attr()

Anders Roxell <anders.roxell@linaro.org>
    powerpc/lib/sstep: Fix build errors with newer binutils

Anders Roxell <anders.roxell@linaro.org>
    powerpc/lib/sstep: Fix 'sthcx' instruction

Nicholas Piggin <npiggin@gmail.com>
    powerpc/tm: Fix more userspace r13 corruption

Chen Jingwen <chenjingwen6@huawei.com>
    powerpc/kasan: Fix early region not updated correctly

Vitaly Kuznetsov <vkuznets@redhat.com>
    KVM: x86: hyper-v: HVCALL_SEND_IPI_EX is an XMM fast hypercall

Vitaly Kuznetsov <vkuznets@redhat.com>
    KVM: x86: hyper-v: Fix the maximum number of sparse banks for XMM fast TLB flush hypercalls

Vitaly Kuznetsov <vkuznets@redhat.com>
    KVM: x86: hyper-v: Drop redundant 'ex' parameter from kvm_hv_flush_tlb()

Vitaly Kuznetsov <vkuznets@redhat.com>
    KVM: x86: hyper-v: Drop redundant 'ex' parameter from kvm_hv_send_ipi()

Sean Christopherson <seanjc@google.com>
    KVM: x86/mmu: Check for present SPTE when clearing dirty bit in TDP MMU

Sean Christopherson <seanjc@google.com>
    KVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU

Sean Christopherson <seanjc@google.com>
    KVM: x86/mmu: Move "invalid" check out of kvm_tdp_mmu_get_root()

Sean Christopherson <seanjc@google.com>
    KVM: x86/mmu: Use common TDP MMU zap helper for MMU notifier unmap hook

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: Reinitialize context if host userspace toggles EFER.LME

Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
    KVM: SVM: Allow AVIC support on system w/ physical APIC ID > 255

Matt Kramer <mccleetus@gmail.com>
    ALSA: hda/realtek: Add alc256-samsung-headphone fixup

Mauro Carvalho Chehab <mchehab@kernel.org>
    media: atomisp: fix bad usage at error handling logic

Miaoqian Lin <linmq006@gmail.com>
    ASoC: mediatek: Fix error handling in mt8183_da7219_max98357_dev_probe

Ulf Hansson <ulf.hansson@linaro.org>
    mmc: host: Return an error when ->enable_sdio_irq() ops is missing

Steven Rostedt (Google) <rostedt@goodmis.org>
    tracing: Have TRACE_DEFINE_ENUM affect trace event types as well

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ASoC: Intel: sof_es8336: log all quirks

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ASoC: Intel: sof_es8336: use NHLT information to set dmic and SSP

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ASoC: Intel: Revert "ASoC: Intel: sof_es8336: add quirk for Huawei D15 2021"

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ALSA: intel-dspconfig: add ES8336 support for CNL

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ASoC: Intel: soc-acpi: add more ACPI HIDs for ES83x6 devices

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ALSA: intel-dsp-config: add more ACPI HIDs for ES83x6 devices

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ALSA: intel-nhlt: add helper to detect SSP link mask

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ASoC: SOF: Intel: hda: retrieve DMIC number for I2S boards

Anthony I Gilea <i@cpp.in>
    ASoC: Intel: sof_sdw: fix quirks for 2022 HP Spectre x360 13"

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ASoC: SOF: debug: clarify operator precedence

Dongliang Mu <mudongliangabcd@gmail.com>
    media: hdpvr: initialize dev->worker at hdpvr_register_videodev

Pavel Skripkin <paskripkin@gmail.com>
    media: Revert "media: em28xx: add missing em28xx_close_extension"

Hans de Goede <hdegoede@redhat.com>
    media: i2c: ov5648: Fix lockdep error

Zheyu Ma <zheyuma97@gmail.com>
    video: fbdev: sm712fb: Fix crash in smtcfb_write()

Vijendar Mukunda <Vijendar.Mukunda@amd.com>
    ASoC: amd: vangogh: fix uninitialized symbol warning in machine driver

Vijendar Mukunda <Vijendar.Mukunda@amd.com>
    ASoC: amd: vg: fix for pm resume callback sequence

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    ARM: mmp: Fix failure to remove sram device

Richard Leitner <richard.leitner@skidata.com>
    ARM: tegra: tamonten: Fix I2C3 pad setting

Arnd Bergmann <arnd@arndb.de>
    lib/test_lockup: fix kernel pointer check for separate address spaces

Arnd Bergmann <arnd@arndb.de>
    uaccess: fix type mismatch warnings from access_ok()

Svyatoslav Ryhel <clamor95@gmail.com>
    ARM: tegra: transformer: Drop reg-shift for Tegra HS UART

Derek Fang <derek.fang@realtek.com>
    ASoC: rt5682s: Fix the wrong jack type detected

Daniel González Cabanelas <dgcbueu@gmail.com>
    media: cx88-mpeg: clear interrupt status register before streaming video

Ming Qian <ming.qian@nxp.com>
    media: imx-jpeg: fix a bug of accessing array out of bounds

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    ASoC: Intel: sof_es8336: add quirk for Huawei D15 2021

Shengjiu Wang <shengjiu.wang@nxp.com>
    ASoC: soc-core: skip zero num_dai component in searching dai name

Richard Schleich <rs@noreya.tech>
    ARM: dts: bcm2711: Add the missing L1/L2 cache information

Jing Yao <yao.jing2@zte.com.cn>
    video: fbdev: udlfb: replace snprintf in show functions with sysfs_emit

Jing Yao <yao.jing2@zte.com.cn>
    video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf()

Jing Yao <yao.jing2@zte.com.cn>
    video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf()

Marcel Ziswiler <marcel.ziswiler@toradex.com>
    arm64: defconfig: build imx-sdma as a module

Abel Vesa <abel.vesa@nxp.com>
    ARM: dts: imx7: Use audio_mclk_post_div instead audio_mclk_root_clk

Takashi Iwai <tiwai@suse.de>
    ALSA: hda: Fix driver index handling at re-binding

Ard Biesheuvel <ardb@kernel.org>
    ARM: ftrace: avoid redundant loads or clobbering IP

Tsuchiya Yuto <kitakar@gmail.com>
    media: atomisp: fix dummy_ptr check to avoid duplicate active_bo

Hans de Goede <hdegoede@redhat.com>
    media: atomisp_gmin_platform: Add DMI quirk to not turn AXP ELDO2 regulator off on some boards

Charles Keepax <ckeepax@opensource.cirrus.com>
    ASoC: madera: Add dependencies on MFD

Richard Schleich <rs@noreya.tech>
    ARM: dts: bcm2837: Add the missing L1/L2 cache information

David Heidelberg <david@ixit.cz>
    ARM: dts: qcom: fix gic_irq_domain_translate warnings for msm8960

Yang Guang <yang.guang5@zte.com.cn>
    video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit

George Kennedy <george.kennedy@oracle.com>
    video: fbdev: cirrusfb: check pixclock to avoid divide by zero

Evgeny Novikov <novikov@ispras.ru>
    video: fbdev: w100fb: Reset global state

Tim Gardner <tim.gardner@canonical.com>
    video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow

Yong Wu <yong.wu@mediatek.com>
    media: iommu/mediatek: Add device_link between the consumer and the larb devices

Yong Wu <yong.wu@mediatek.com>
    media: iommu/mediatek: Return ENODEV if the device is NULL

Yong Wu <yong.wu@mediatek.com>
    media: iommu/mediatek-v1: Free the existed fwspec if the master dev already has

Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
    ASoC: SOF: Intel: hda: Remove link assignment limitation

Mirela Rabulea <mirela.rabulea@oss.nxp.com>
    media: imx-jpeg: Prevent decoding NV12M jpegs into single-planar buffers

Bard Liao <yung-chuan.liao@linux.intel.com>
    ASoC: SOF: Intel: match sdw version on link_slaves_found

Richard Fitzgerald <rf@opensource.cirrus.com>
    ASoC: cs42l42: Report full jack status when plug is detected

Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
    ASoC: sh: rz-ssi: Make the data structures available before registering the handlers

Peiwei Hu <jlu.hpw@foxmail.com>
    media: ir_toy: free before error exiting

Eugen Hristev <eugen.hristev@microchip.com>
    media: atmel: atmel-isc-base: report frame sizes as full supported range

Hans Verkuil <hverkuil-cisco@xs4all.nl>
    media: staging: media: zoran: fix various V4L2 compliance errors

Corentin Labbe <clabbe@baylibre.com>
    media: staging: media: zoran: calculate the right buffer number for zoran_reap_stat_com

Corentin Labbe <clabbe@baylibre.com>
    media: staging: media: zoran: move videodev alloc

Dongliang Mu <mudongliangabcd@gmail.com>
    ntfs: add sanity check on allocation size

Rohith Surabattula <rohiths@microsoft.com>
    Adjust cifssb maximum read size

Chao Yu <chao@kernel.org>
    f2fs: compress: fix to print raw data size in error path of lz4 decompression

Jaegeuk Kim <jaegeuk@kernel.org>
    f2fs: use spin_lock to avoid hang

Josef Bacik <josef@toxicpanda.com>
    btrfs: do not clean up repair bio if submit fails

Josef Bacik <josef@toxicpanda.com>
    btrfs: do not double complete bio on errors during compressed reads

Josef Bacik <josef@toxicpanda.com>
    btrfs: handle csum lookup errors properly on reads

Josef Bacik <josef@toxicpanda.com>
    btrfs: make search_csum_tree return 0 if we get -EFBIG

Anand Jain <anand.jain@oracle.com>
    btrfs: harden identification of a stale device

Jaegeuk Kim <jaegeuk@kernel.org>
    f2fs: don't get FREEZE lock in f2fs_evict_inode in frozen fs

Chuck Lever <chuck.lever@oracle.com>
    NFSD: Fix nfsd_breaker_owns_lease() return values

Chao Yu <chao@kernel.org>
    f2fs: fix to do sanity check on curseg->alloc_type

Theodore Ts'o <tytso@mit.edu>
    ext4: don't BUG if someone dirty pages without asking ext4 first

Valentin Schneider <valentin.schneider@arm.com>
    sched/tracing: Report TASK_RTLOCK_WAIT tasks as TASK_UNINTERRUPTIBLE

Valentin Schneider <valentin.schneider@arm.com>
    sched/tracing: Don't re-read p->state when emitting sched_switch event

Ritesh Harjani <riteshh@linux.ibm.com>
    ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit

Ritesh Harjani <riteshh@linux.ibm.com>
    ext4: correct cluster len and clusters changed accounting in ext4_mb_mark_bb

Waiman Long <longman@redhat.com>
    locking/lockdep: Iterate lock_classes directly when reading lockdep files

Mark Rutland <mark.rutland@arm.com>
    atomics: Fix atomic64_{read_acquire,set_release} fallbacks

Eddie James <eajames@linux.ibm.com>
    spi: fsi: Implement a timeout for polling status

Minghao Chi <chi.minghao@zte.com.cn>
    spi: tegra20: Use of_device_get_match_data()

Chris Leech <cleech@redhat.com>
    nvme-tcp: lockdep: annotate in-kernel sockets

John David Anglin <dave.anglin@bell.net>
    parisc: Fix handling off probe non-access faults

John David Anglin <dave.anglin@bell.net>
    parisc: Fix non-access data TLB cache flush faults

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    PM: core: keep irq flags in device_pm_check_callbacks()

Darren Hart <darren@os.amperecomputing.com>
    ACPI/APEI: Limit printable size of BERT table data

Paolo Valente <paolo.valente@linaro.org>
    Revert "Revert "block, bfq: honor already-setup queue merges""

Paul Menzel <pmenzel@molgen.mpg.de>
    lib/raid6/test/Makefile: Use $(pound) instead of \# for Make 4.3

Hans de Goede <hdegoede@redhat.com>
    ACPI / x86: Add skip i2c clients quirk for Lenovo Yoga Tablet 1050F/L

Hans de Goede <hdegoede@redhat.com>
    ACPI / x86: Add skip i2c clients quirk for Nextbook Ares 8

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    ACPICA: Avoid walking the ACPI Namespace if it is not there

Zhang Wensheng <zhangwensheng5@huawei.com>
    bfq: fix use-after-free in bfq_dispatch_request

Wan Jiabing <wanjiabing@vivo.com>
    hwrng: cavium - fix NULL but dereferenced coccicheck error

Akira Kawata <akirakawata1@gmail.com>
    fs/binfmt_elf: Fix AT_PHDR for unusual ELF files

Souptick Joarder (HPE) <jrdr.linux@gmail.com>
    irqchip/nvic: Release nvic_base upon failure

Marc Zyngier <maz@kernel.org>
    irqchip/qcom-pdc: Fix broken locking

Casey Schaufler <casey@schaufler-ca.com>
    Fix incorrect type in assignment of ipv6 port for audit

Chaitanya Kulkarni <kch@nvidia.com>
    loop: use sysfs_emit() in the sysfs xxx show()

Richard Haines <richard_c_haines@btinternet.com>
    selinux: allow FIOCLEX and FIONCLEX with policy capability

Fangrui Song <maskray@google.com>
    arm64: module: remove (NOLOAD) from linker script

Daniel Lezcano <daniel.lezcano@linaro.org>
    powercap/dtpm_cpu: Reset per_cpu variable in the release function

Christian Göttsche <cgzones@googlemail.com>
    selinux: use correct type for context length

Yu Kuai <yukuai3@huawei.com>
    block, bfq: don't move oom_bfqq

Kai Ye <yekai13@huawei.com>
    crypto: hisilicon/sec - not need to enable sm4 extra mode at HW V3

Herbert Xu <herbert@gondor.apana.org.au>
    crypto: xts - Add softdep on ecb

Yahu Gao <gaoyahu19@gmail.com>
    block/bfq_wf2q: correct weight to ioprio

Christoph Hellwig <hch@lst.de>
    memstick/mspro_block: fix handling of read-only devices

Ming Lei <ming.lei@redhat.com>
    block: throttle split bio in case of iops limit

Paul E. McKenney <paulmck@kernel.org>
    rcu: Mark writes to the rcu_segcblist structure's ->flags field

Marc Zyngier <maz@kernel.org>
    pinctrl: npcm: Fix broken references to chip->parent_device

David Woodhouse <dwmw@amazon.co.uk>
    rcu: Kill rnp->ofl_seq and use only rcu_state.ofl_lock for exclusion

Kees Cook <keescook@chromium.org>
    gcc-plugins/stackleak: Exactly match strings instead of prefixes

Srujana Challa <schalla@marvell.com>
    crypto: octeontx2 - CN10K CPT to RNM workaround

Kai Ye <yekai13@huawei.com>
    crypto: hisilicon/qm - cleanup warning in qm_vf_read_qos

Dave Stevenson <dave.stevenson@raspberrypi.com>
    regulator: rpi-panel: Handle I2C errors/timing to the Atmel

Casey Schaufler <casey@schaufler-ca.com>
    LSM: general protection fault in legacy_parse_param

Linus Torvalds <torvalds@linux-foundation.org>
    fs: fix fd table size alignment properly

Dan Carpenter <dan.carpenter@oracle.com>
    lib/test: use after free in register_test_dev_kmod()

Linus Torvalds <torvalds@linux-foundation.org>
    fs: fd tables have to be multiples of BITS_PER_LONG

Xiaomeng Tong <xiam0nd.tong@gmail.com>
    net: dsa: bcm_sf2_cfp: fix an incorrect NULL check on list iterator

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFSv4/pNFS: Fix another issue with a list iterator pointing to the head

Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    net/sched: act_ct: fix ref leak when switching zones

Jakub Kicinski <kuba@kernel.org>
    selftests: tls: skip cmsg_to_pipe tests with TLS=n

Tom Rix <trix@redhat.com>
    octeontx2-af: initialize action variable

Zheng Yongjun <zhengyongjun3@huawei.com>
    net: sparx5: switchdev: fix possible NULL pointer dereference

Duoming Zhou <duoming@zju.edu.cn>
    net/x25: Fix null-ptr-deref caused by x25_disconnect

Tom Rix <trix@redhat.com>
    qlcnic: dcb: default to returning -EOPNOTSUPP

Randy Dunlap <rdunlap@infradead.org>
    net: sparx5: depends on PTP_1588_CLOCK_OPTIONAL

Guangbin Huang <huangguangbin2@huawei.com>
    net: hns3: fix phy can not link up when autoneg off and reset

Hao Chen <chenhao288@hisilicon.com>
    net: hns3: add NULL pointer check for hns3_set/get_ringparam()

Hao Chen <chenhao288@hisilicon.com>
    net: hns3: add netdev reset check for hns3_set_tunable()

Peng Li <lipeng321@huawei.com>
    net: hns3: clean residual vf config after disable sriov

Hao Chen <chenhao288@hisilicon.com>
    net: hns3: add max order judgement for tx spare buffer

Hao Chen <chenhao288@hisilicon.com>
    net: hns3: fix ethtool tx copybreak buf size indicating not aligned issue

Shunsuke Nakamura <nakamura.shun@fujitsu.com>
    libperf tests: Fix typo in perf_evlist__open() failure error messages

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFS: Don't loop forever in nfs_do_recoalesce()

Ido Schimmel <idosch@nvidia.com>
    selftests: test_vxlan_under_vrf: Fix broken test case

Florian Fainelli <f.fainelli@gmail.com>
    net: phy: broadcom: Fix brcm_fet_config_init()

Jian Shen <shenjian15@huawei.com>
    net: hns3: refine the process when PF set VF VLAN

Jian Shen <shenjian15@huawei.com>
    net: hns3: add vlan list lock to protect vlan list

Jian Shen <shenjian15@huawei.com>
    net: hns3: fix port base vlan add fail when concurrent with reset

Jian Shen <shenjian15@huawei.com>
    net: hns3: fix bug when PF set the duplicate MAC address for VFs

Vladimir Oltean <vladimir.oltean@nxp.com>
    net: enetc: report software timestamping via SO_TIMESTAMPING

Juergen Gross <jgross@suse.com>
    xen: fix is_xen_pmu()

Maxime Ripard <maxime@cerno.tech>
    clk: Initialize orphan req_rate

Stefano Garzarella <sgarzare@redhat.com>
    vsock/virtio: enable VQs early on probe

Stefano Garzarella <sgarzare@redhat.com>
    vsock/virtio: read the negotiated features before using VQs

Stefano Garzarella <sgarzare@redhat.com>
    vsock/virtio: initialize vdev->priv before using VQs

Konrad Dybcio <konrad.dybcio@somainline.org>
    clk: qcom: gcc-msm8994: Fix gpll4 width

Bjorn Andersson <bjorn.andersson@linaro.org>
    net: stmmac: dwmac-qcom-ethqos: Enable RGMII functional clock on resume

Thomas Richter <tmricht@linux.ibm.com>
    perf stat: Fix forked applications enablement of counters

Daniel Thompson <daniel.thompson@linaro.org>
    kdb: Fix the putarea helper function

Olga Kornievskaia <kolga@netapp.com>
    NFSv4.1: don't retry BIND_CONN_TO_SESSION on session error

Olga Kornievskaia <kolga@netapp.com>
    SUNRPC don't resend a task on an offlined transport

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options

Phil Sutter <phil@nwl.cc>
    netfilter: egress: Report interface as outgoing

Ian Rogers <irogers@google.com>
    perf parse-events: Move slots only with topdown

Trond Myklebust <trond.myklebust@hammerspace.com>
    SUNRPC: Don't call connect() more than once on a TCP socket

NeilBrown <neilb@suse.de>
    SUNRPC: improve 'swap' handling: scheduling and PF_MEMALLOC

NeilBrown <neilb@suse.de>
    SUNRPC/call_alloc: async tasks mustn't block waiting for memory

Pavel Skripkin <paskripkin@gmail.com>
    jfs: fix divide error in dbNextAG

German Gomez <german.gomez@arm.com>
    perf test arm64: Test unwinding using fame-pointer (fp) mode

Randy Dunlap <rdunlap@infradead.org>
    driver core: dd: fix return value of __setup handler

David Gow <davidgow@google.com>
    firmware: google: Properly state IOMEM dependency

Randy Dunlap <rdunlap@infradead.org>
    kgdbts: fix return value of __setup handler

Xiaolong Huang <butterflyhuangxx@gmail.com>
    virt: acrn: fix a memory leak in acrn_dev_ioctl()

Yonghua Huang <yonghua.huang@intel.com>
    virt: acrn: obtain pa from VMA with PFNMAP flag

Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    serial: 8250: fix XOFF/XON sending when DMA is used

Randy Dunlap <rdunlap@infradead.org>
    kgdboc: fix return value of __setup handler

Randy Dunlap <rdunlap@infradead.org>
    tty: hvc: fix return value of __setup handler

Dan Carpenter <dan.carpenter@oracle.com>
    clk: visconti: prevent array overflow in visconti_clk_register_gates()

Miaoqian Lin <linmq006@gmail.com>
    pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe

Miaoqian Lin <linmq006@gmail.com>
    pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe

Michael Walle <michael@walle.cc>
    pinctrl: microchip-sgpio: lock RMW access

Horatiu Vultur <horatiu.vultur@microchip.com>
    pinctrl: ocelot: Fix interrupt parsing

Chen-Yu Tsai <wenst@chromium.org>
    pinctrl: mediatek: paris: Skip custom extra pin config dump for virtual GPIOs

Chen-Yu Tsai <wenst@chromium.org>
    pinctrl: mediatek: paris: Fix pingroup pin config state readback

Chen-Yu Tsai <wenst@chromium.org>
    pinctrl: mediatek: paris: Fix "argument" argument type for mtk_pinconf_get()

Chen-Yu Tsai <wenst@chromium.org>
    pinctrl: mediatek: paris: Fix PIN_CONFIG_BIAS_* readback

Miaoqian Lin <linmq006@gmail.com>
    pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init

Michael Walle <michael@walle.cc>
    pinctrl: ocelot: fix duplicate debugfs entry

Michael Walle <michael@walle.cc>
    pinctrl: ocelot: fix confops resource index

Arınç ÜNAL <arinc.unal@arinc9.com>
    staging: mt7621-dts: fix GB-PC2 devicetree

Arınç ÜNAL <arinc.unal@arinc9.com>
    staging: mt7621-dts: fix pinctrl properties for ethernet

Arınç ÜNAL <arinc.unal@arinc9.com>
    staging: mt7621-dts: fix formatting

Arınç ÜNAL <arinc.unal@arinc9.com>
    staging: mt7621-dts: fix LEDs and pinctrl on GB-PC1 devicetree

Alexey Khoroshilov <khoroshilov@ispras.ru>
    NFS: remove unneeded check in decode_devicenotify_args()

Robin Gong <yibin.gong@nxp.com>
    mailbox: imx: fix crash in resume on i.mx8ulp

Miaoqian Lin <linmq006@gmail.com>
    clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver

Maxime Ripard <maxime@cerno.tech>
    clk: Fix clk_hw_get_clk() when dev is NULL

Jonathan Neuschäfer <j.neuschaefer@gmx.net>
    clk: clps711x: Terminate clk_div_table with sentinel element

Jonathan Neuschäfer <j.neuschaefer@gmx.net>
    clk: hisilicon: Terminate clk_div_table with sentinel element

Jonathan Neuschäfer <j.neuschaefer@gmx.net>
    clk: loongson1: Terminate clk_div_table with sentinel element

Jonathan Neuschäfer <j.neuschaefer@gmx.net>
    clk: actions: Terminate clk_div_table with sentinel element

Dan Williams <dan.j.williams@intel.com>
    nvdimm/region: Fix default alignment for small regions

Miaoqian Lin <linmq006@gmail.com>
    remoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region

Miaoqian Lin <linmq006@gmail.com>
    remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region

Miaoqian Lin <linmq006@gmail.com>
    remoteproc: qcom: Fix missing of_node_put in adsp_alloc_memory_region

Jie Hai <haijie1@huawei.com>
    dmaengine: hisi_dma: fix MSI allocate fail when reload hisi_dma

Emil Renner Berthing <kernel@esmil.dk>
    clk: starfive: jh7100: Handle audio_div clock properly

Emil Renner Berthing <kernel@esmil.dk>
    clk: starfive: jh7100: Don't round divisor up twice

Taniya Das <tdas@codeaurora.org>
    clk: qcom: clk-rcg2: Update the frac table for pixel clock

Taniya Das <tdas@codeaurora.org>
    clk: qcom: clk-rcg2: Update logic to calculate D value for RCG

Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
    clk: at91: sama7g5: fix parents of PDMCs' GCLK

Dan Carpenter <dan.carpenter@oracle.com>
    clk: imx: off by one in imx_lpcg_parse_clks_from_dt()

Abel Vesa <abel.vesa@nxp.com>
    clk: imx7d: Remove audio_mclk_root_clk

Randy Dunlap <rdunlap@infradead.org>
    dma-debug: fix return value of __setup handlers

Martin Kaiser <martin@kaiser.cx>
    staging: r8188eu: fix endless loop in recv_func

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFS: Return valid errors from nfs2/3_decode_dirent()

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    habanalabs: Add check for pci_enable_device

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    iio: adc: Add check for devm_request_threaded_irq

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    serial: 8250: Fix race condition in RTS-after-send handling

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFS: Use of mapping_set_error() results in spurious errors

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    serial: 8250_lpss: Balance reference count for PCI DMA device

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    serial: 8250_mid: Balance reference count for PCI DMA device

Rafał Miłecki <rafal@milecki.pl>
    phy: phy-brcm-usb: fixup BCM4908 support

Liu Ying <victor.liu@nxp.com>
    phy: dphy: Correct lpx parameter and its derivatives(ta_{get,go,sure})

Dirk Buchwalder <buchwalder@posteo.de>
    clk: qcom: ipq8074: Use floor ops for SDCC1 clock

Geert Uytterhoeven <geert+renesas@glider.be>
    pinctrl: renesas: checker: Fix miscalculation of number of states

Geert Uytterhoeven <geert+renesas@glider.be>
    pinctrl: renesas: r8a77470: Reduce size for narrow VIN1 channel

Geert Uytterhoeven <geert+renesas@glider.be>
    clk: renesas: r8a779f0: Fix RSW2 clock divider

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    staging:iio:adc:ad7280a: Fix handing of device address bit reversing.

Zev Weiss <zev@bewilderbeest.net>
    serial: 8250_aspeed_vuart: add PORT_ASPEED_VUART port type

Hangyu Hua <hbh25y@gmail.com>
    staging: qlge: add unregister_netdev in qlge_probe

Hans de Goede <hdegoede@redhat.com>
    iio: mma8452: Fix probe failing when an i2c_device_id is used

Dave Jiang <dave.jiang@intel.com>
    dmaengine: idxd: restore traffic class defaults after wq reset

Robert Marko <robimarko@gmail.com>
    clk: qcom: ipq8074: fix PCI-E clock oops

Libin Yang <libin.yang@intel.com>
    soundwire: intel: fix wrong register name in intel_shim_wake

Luca Weiss <luca@z3ntu.xyz>
    cpufreq: qcom-cpufreq-nvmem: fix reading of PVS Valid fuse

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    misc: alcor_pci: Fix an error handling path

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    fsi: Aspeed: Fix a potential double free

Robert Hancock <robert.hancock@calian.com>
    pps: clients: gpio: Propagate return value from pps_gpio_probe

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add()

Joel Stanley <joel@jms.id.au>
    fsi: scom: Remove retries in indirect scoms

Joel Stanley <joel@jms.id.au>
    fsi: scom: Fix error handling

Jiri Slaby <jirislaby@kernel.org>
    mxser: fix xmit_buf leak in activate when LSR == 0xff

Michael Straube <straube.linux@gmail.com>
    staging: r8188eu: release_firmware is not called if allocation fails

Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
    clk: renesas: r9a07g044: Update multiplier and divider values for PLL2/3

Miaohe Lin <linmiaohe@huawei.com>
    kernel/resource: fix kfree() of bootmem memory again

Sondhauß, Jan <Jan.Sondhauss@wago.com>
    drivers: ethernet: cpsw: fix panic when interrupt coaleceing is set via ethtool

Alexander Lobakin <alexandr.lobakin@intel.com>
    ice: don't allow to run ice_send_event_to_aux() in atomic ctx

Alexander Lobakin <alexandr.lobakin@intel.com>
    ice: fix 'scheduling while atomic' on aux critical err interrupt

Miaoqian Lin <linmq006@gmail.com>
    mfd: asic3: Add missing iounmap() on error asic3_mfd_probe

Hoang Le <hoang.h.le@dektech.com.au>
    tipc: fix the timer expires after interval 100ms

Yang Yingliang <yangyingliang@huawei.com>
    net: wwan: qcom_bam_dmux: fix wrong pointer passed to IS_ERR()

Vladimir Oltean <vladimir.oltean@nxp.com>
    net: dsa: fix panic on shutdown if multi-chip tree failed to probe

Aaron Conole <aconole@redhat.com>
    openvswitch: always update flow key after nat

Jakub Kicinski <kuba@kernel.org>
    tcp: ensure PMTU updates are processed during fastopen

Jeremy Linton <jeremy.linton@arm.com>
    net: bcmgenet: Use stronger register read/writes to assure ordering

Bjorn Helgaas <bhelgaas@google.com>
    PCI: Avoid broken MSI on SB600 USB devices

Yafang Shao <laoar.shao@gmail.com>
    bpftool: Fix print error when show bpf map

Hangbin Liu <liuhangbin@gmail.com>
    selftests/bpf/test_lirc_mode2.sh: Exit with proper code

Lucas De Marchi <lucas.demarchi@intel.com>
    drm/i915: Fix renamed struct field

Duoming Zhou <duoming@zju.edu.cn>
    ax25: Fix NULL pointer dereferences in ax25 timers

Duoming Zhou <duoming@zju.edu.cn>
    ax25: Fix refcount leaks caused by ax25_cb_del()

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/pseries: Fix use after free in remove_phb_dynamic()

Peter Rosin <peda@axentia.se>
    i2c: mux: demux-pinctrl: do not deactivate a master that is not active

Phil Sutter <phil@nwl.cc>
    netfilter: conntrack: Add and use nf_ct_set_auto_assign_helper_warned()

Lucas Tanure <tanure@linux.com>
    i2c: meson: Fix wrong speed use from probe

Petr Machata <petrm@nvidia.com>
    af_netlink: Fix shift out of bounds in group mask calculation

Yonglong Li <liyonglong@chinatelecom.cn>
    mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb

Guillaume Nault <gnault@redhat.com>
    ipv4: Fix route lookups when handling ICMP redirects and PMTU updates

Dan Carpenter <dan.carpenter@oracle.com>
    RDMA/nldev: Prevent underflow in nldev_stat_set_counter_dynamic_doit()

Yake Yang <yake.yang@mediatek.com>
    Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt

Niels Dossche <dossche.niels@gmail.com>
    Bluetooth: call hci_le_conn_failed with hdev lock in hci_le_conn_failed

Pavel Skripkin <paskripkin@gmail.com>
    Bluetooth: hci_uart: add missing NULL check in h5_enqueue

Jakub Sitnicki <jakub@cloudflare.com>
    selftests/bpf: Fix error reporting from sock_fields programs

Kuniyuki Iwashima <kuniyu@amazon.co.jp>
    af_unix: Fix some data-races around unix_sk(sk)->oob_skb.

Sukadev Bhattiprolu <sukadev@linux.ibm.com>
    ibmvnic: fix race between xmit and reset

Richard Zhu <hongxing.zhu@nxp.com>
    PCI: imx6: Assert i.MX8MM CLKREQ# even if no device present

Richard Zhu <hongxing.zhu@nxp.com>
    PCI: imx6: Invoke the PHY exit function after PHY power off

Hangbin Liu <liuhangbin@gmail.com>
    bareudp: use ipv6_mod_enabled to check if IPv6 enabled

Oliver Hartkopp <socketcan@hartkopp.net>
    can: isotp: support MSG_TRUNC flag when reading from socket

Oliver Hartkopp <socketcan@hartkopp.net>
    can: isotp: return -EADDRNOTAVAIL when reading from unbound socket

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7921: fix mt7921_queues_acq implementation

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: flowtable: Fix QinQ and pppoe support for inet table

José Roberto de Souza <jose.souza@intel.com>
    drm/i915/display: Do not re-enable PSR after it was marked as not reliable

José Roberto de Souza <jose.souza@intel.com>
    drm/i915/display: Fix HPD short pulse handling for eDP

Nicholas Piggin <npiggin@gmail.com>
    powerpc/time: Fix KVM host re-arming a timer beyond decrementer range

Randy Dunlap <rdunlap@infradead.org>
    powerpc/xive: fix return value of __setup handler

Bob Pearson <rpearsonhpe@gmail.com>
    RDMA/rxe: Fix ref error in rxe_av.c

Chengguang Xu <cgxu519@mykernel.net>
    RDMA/rxe: Change variable and function argument to proper type

Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
    drm/amd/display: Fix double free during GPU reset on DC streams

Dan Carpenter <dan.carpenter@oracle.com>
    USB: storage: ums-realtek: fix error code in rts51x_read_mem()

Niklas Söderlund <niklas.soderlund@corigine.com>
    samples/bpf, xdpsock: Fix race when running for fix duration of time

Wang Yufen <wangyufen@huawei.com>
    bpf, sockmap: Fix double uncharge the mem of sk_msg

Wang Yufen <wangyufen@huawei.com>
    bpf, sockmap: Fix more uncharged while msg has more_data

Wang Yufen <wangyufen@huawei.com>
    bpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full

Wang Yufen <wangyufen@huawei.com>
    bpf, sockmap: Fix memleak in sk_psock_queue_msg

Yongzhi Liu <lyz_cs@pku.edu.cn>
    RDMA/mlx5: Fix memory leak in error flow for subscribe event routine

Leon Romanovsky <leon@kernel.org>
    Revert "RDMA/core: Fix ib_qp_usecnt_dec() called when error"

Dan Carpenter <dan.carpenter@oracle.com>
    RDMA/irdma: Prevent some integer underflows

Linus Walleij <linus.walleij@linaro.org>
    power: ab8500_chargalg: Use CLOCK_MONOTONIC

Xin Xiong <xiongx18@fudan.edu.cn>
    mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init

Yaliang Wang <Yaliang.Wang@windriver.com>
    MIPS: pgalloc: fix memory leak caused by pgd_free()

Randy Dunlap <rdunlap@infradead.org>
    MIPS: RB532: fix return value of __setup handler

Miaoqian Lin <linmq006@gmail.com>
    mips: cdmm: Fix refcount leak in mips_cdmm_phys_base

Miaoqian Lin <linmq006@gmail.com>
    ath10k: Fix error handling in ath10k_setup_msa_resources

Oliver Hartkopp <socketcan@hartkopp.net>
    vxcan: enable local echo for sent CAN frames

Johannes Berg <johannes.berg@intel.com>
    iwlwifi: pcie: fix SW error MSI-X mapping

Max Filippov <jcmvbkbc@gmail.com>
    xtensa: add missing XCHAL_HAVE_WINDOWED check

Hangyu Hua <hbh25y@gmail.com>
    powerpc: 8xx: fix a return value error in mpc8xx_pic_init

Sreekanth Reddy <sreekanth.reddy@broadcom.com>
    scsi: mpt3sas: Fix incorrect 4GB boundary check

Jia-Ju Bai <baijiaju1990@gmail.com>
    platform/x86: huawei-wmi: check the return value of device_create_file()

Felix Maurer <fmaurer@redhat.com>
    selftests/bpf: Make test_lwt_ip_encap more stable and faster

lic121 <lic121@chinatelecom.cn>
    libbpf: Unmap rings when umem deleted

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    mfd: mc13xxx: Add check for mc13xxx_irq_request

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/64s: Don't use DSISR for SLB faults

Jakob Koschel <jakobkoschel@gmail.com>
    powerpc/sysdev: fix incorrect use to determine if list is empty

Maciej W. Rozycki <macro@orcam.me.uk>
    MIPS: Sanitise Cavium switch cases in TLB handler synthesizers

Randy Dunlap <rdunlap@infradead.org>
    mips: DEC: honor CONFIG_MIPS_FP_SUPPORT=n

Rob Clark <robdclark@chromium.org>
    drm/msm/a6xx: Fix missing ARRAY_SIZE() check

Robert Hancock <robert.hancock@calian.com>
    net: axienet: fix RX ring refill allocation failure handling

Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
    PCI: Reduce warnings on possible RW1C corruption

Yajun Deng <yajun.deng@linux.dev>
    RDMA/core: Fix ib_qp_usecnt_dec() called when error

Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
    IB/hfi1: Allow larger MTU without AIP

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    power: supply: wm8350-power: Add missing free in free_charger_irq

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    power: supply: wm8350-power: Handle error for wm8350_register_irq

Radoslaw Biernacki <rad@semihalf.com>
    Bluetooth: Fix skb allocation in mgmt_remote_name() & mgmt_device_connected()

Tom Rix <trix@redhat.com>
    Bluetooth: hci_sync: fix undefined return of hci_disconnect_all_sync()

Divya Koppera <Divya.Koppera@microchip.com>
    net: phy: micrel: Fix concurrent register access

Robert Hancock <robert.hancock@calian.com>
    i2c: xiic: Make bus names unique

Mark Brown <broonie@kernel.org>
    KVM: arm64: Enable Cortex-A510 erratum 2077057 by default

Anssi Hannula <anssi.hannula@bitwise.fi>
    hv_balloon: rate-limit "Unhandled message" warning

Sean Christopherson <seanjc@google.com>
    KVM: SVM: Exit to userspace on ENOMEM/EFAULT GHCB errors

Hou Wenlong <houwenlong.hwl@antgroup.com>
    KVM: x86/emulator: Defer not-present segment check in __load_segment_descriptor()

Zhenzhong Duan <zhenzhong.duan@intel.com>
    KVM: x86: Fix emulation in writing cr8

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/Makefile: Don't pass -mcpu=powerpc64 when building 32-bit

Daniel Henrique Barboza <danielhb413@gmail.com>
    powerpc/mm/numa: skip NUMA_NO_NODE onlining in parse_numa_properties()

Xu Kuohai <xukuohai@huawei.com>
    libbpf: Skip forward declaration when counting duplicated type names

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    gpu: host1x: Fix a memory leak in 'host1x_remove()'

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    gpu: host1x: Fix an error handling path in 'host1x_probe()'

Stijn Tintel <stijn@linux-ipv6.be>
    libbpf: Fix BPF_MAP_TYPE_PERF_EVENT_ARRAY auto-pinning

Mustafa Ismail <mustafa.ismail@intel.com>
    RDMA/irdma: Remove incorrect masking of PD

Mustafa Ismail <mustafa.ismail@intel.com>
    RDMA/irdma: Fix Passthrough mode in VM

Mustafa Ismail <mustafa.ismail@intel.com>
    RDMA/irdma: Fix netdev notifications for vlan's

Magnus Karlsson <magnus.karlsson@intel.com>
    xsk: Fix race at socket teardown

Hou Tao <houtao1@huawei.com>
    bpf, arm64: Feed byte-offset into bpf line info

Hou Tao <houtao1@huawei.com>
    bpf, arm64: Call build_prologue() first in first JIT pass

Nishanth Menon <nm@ti.com>
    drm/bridge: cdns-dsi: Make sure to to create proper aliases for dt

Xiang Chen <chenxiang66@hisilicon.com>
    scsi: hisi_sas: Change permission of parameter prot_mask

Hans de Goede <hdegoede@redhat.com>
    power: supply: bq24190_charger: Fix bq24190_vbus_is_enabled() wrong false return

Miaoqian Lin <linmq006@gmail.com>
    drm/tegra: Fix reference leak in tegra_dsi_ganged_probe

Zhang Yi <yi.zhang@huawei.com>
    ext2: correct max file size computing

Kees Cook <keescook@chromium.org>
    drm/dp: Fix OOB read when handling Post Cursor2 register

MeiChia Chiu <meichia.chiu@mediatek.com>
    mt76: mt7915: fix the muru tlv issue

Bo Jiao <Bo.Jiao@mediatek.com>
    mt76: mt7915: enlarge wcid size to 544

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    power: supply: sbs-charger: Don't cancel work that is not initialized

Randy Dunlap <rdunlap@infradead.org>
    TOMOYO: fix __setup handlers return values

Maíra Canal <maira.canal@usp.br>
    drm/amd/display: Remove vupdate_int_entry definition

Aharon Landau <aharonl@nvidia.com>
    RDMA/mlx5: Fix the flow of a miss in the allocation of a cache ODP MR

Luiz Angelo Daros de Luca <luizluca@gmail.com>
    net: dsa: realtek-smi: move to subdirectory

Luiz Angelo Daros de Luca <luizluca@gmail.com>
    net: dsa: realtek-smi: fix kdoc warnings

Deren Wu <deren.wu@mediatek.com>
    mt76: mt7921s: fix missing fc type/sub-type for 802.11 pkts

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: fix endianness errors in reverse_frag0_hdr_trans

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: do not always copy ethhdr in reverse_frag0_hdr_trans

Damien Le Moal <damien.lemoal@opensource.wdc.com>
    scsi: pm8001: Fix abort all task initialization

Damien Le Moal <damien.lemoal@opensource.wdc.com>
    scsi: pm8001: Fix NCQ NON DATA command completion handling

Damien Le Moal <damien.lemoal@opensource.wdc.com>
    scsi: pm8001: Fix NCQ NON DATA command task initialization

Damien Le Moal <damien.lemoal@opensource.wdc.com>
    scsi: pm8001: Fix le32 values handling in pm80xx_chip_sata_req()

Damien Le Moal <damien.lemoal@opensource.wdc.com>
    scsi: pm8001: Fix le32 values handling in pm80xx_chip_ssp_io_req()

Damien Le Moal <damien.lemoal@opensource.wdc.com>
    scsi: pm8001: Fix payload initialization in pm80xx_encrypt_update()

Damien Le Moal <damien.lemoal@opensource.wdc.com>
    scsi: pm8001: Fix le32 values handling in pm80xx_set_sas_protocol_timer_config()

Damien Le Moal <damien.lemoal@opensource.wdc.com>
    scsi: pm8001: Fix payload initialization in pm80xx_set_thermal_config()

Damien Le Moal <damien.lemoal@opensource.wdc.com>
    scsi: pm8001: Fix command initialization in pm8001_chip_ssp_tm_req()

Damien Le Moal <damien.lemoal@opensource.wdc.com>
    scsi: pm8001: Fix command initialization in pm80XX_send_read_log()

Bart Van Assche <bvanassche@acm.org>
    scsi: fnic: Fix a tracing statement

Abhishek Sahu <abhsahu@nvidia.com>
    vfio/pci: wake-up devices around reset functions

Abhishek Sahu <abhsahu@nvidia.com>
    vfio/pci: fix memory leak during D3hot to D0 transition

Aashish Sharma <shraash@google.com>
    dm crypt: fix get_key_size compiler warning if !CONFIG_KEYS

Nemanja Rakovic <nemanja.rakovic@syrmia.com>
    mips: Enable KCSAN

Rameshkumar Sundaram <quic_ramess@quicinc.com>
    ath11k: Invalidate cached reo ring entry before accessing it

Alexander Lobakin <alexandr.lobakin@intel.com>
    i40e: remove dead stores on XSK hotpath

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    drm/msm/dp: fix panel bridge attachment

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    drm/msm/dpu: remove msm_dp cached in dpu_encoder_virt

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    drm/msm/dpu: fix dp audio condition

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    drm/msm/dpu: add DSPP blocks teardown

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    drm/msm/dsi/phy: fix 7nm v4.0 settings for C-PHY mode

Marijn Suijten <marijn.suijten@somainline.org>
    drm/msm/dsi: Use "ref" fw clock instead of global name for VCO parent

Kuogee Hsieh <quic_khsieh@quicinc.com>
    drm/msm/dp: always add fail-safe mode into connector mode list

Kuogee Hsieh <quic_khsieh@quicinc.com>
    drm/msm/dp: stop link training after link training 2 failed

Kuogee Hsieh <quic_khsieh@quicinc.com>
    drm/msm/dp: populate connector of struct dp_panel

Kuogee Hsieh <quic_khsieh@quicinc.com>
    drm/msm/dp: do not initialize phy until plugin interrupt received

Amit Kumar Mahapatra <amit.kumar-mahapatra@xilinx.com>
    mtd: rawnand: pl353: Set the nand chip node as the flash node

Dan Carpenter <dan.carpenter@oracle.com>
    iwlwifi: mvm: Fix an error code in iwl_mvm_up()

Colin Ian King <colin.king@intel.com>
    iwlwifi: Fix -EIO error code that is never returned

Dan Carpenter <dan.carpenter@oracle.com>
    iwlwifi: mvm: fix off by one in iwl_mvm_stat_iterator_all_macs()

Mukesh Sisodiya <mukesh.sisodiya@intel.com>
    iwlwifi: yoyo: Avoid using dram data if allocation failed

Rotem Saado <rotem.saado@intel.com>
    iwlwifi: yoyo: remove DBGI_SRAM address reset writing

Johannes Berg <johannes.berg@intel.com>
    iwlwifi: mvm: align locking in D3 test debugfs

Luca Coelho <luciano.coelho@intel.com>
    iwlwifi: mvm: don't iterate unadded vifs when handling FW SMPS req

Takashi Iwai <tiwai@suse.de>
    iwlwifi: mvm: Don't call iwl_mvm_sta_from_mac80211() with NULL sta

Geliang Tang <geliang.tang@suse.com>
    selftests: mptcp: add csum mib check for mptcp_connect

Tong Zhang <ztong0001@gmail.com>
    dax: make sure inodes are flushed before destroy cache

Dan Williams <dan.j.williams@intel.com>
    cxl/port: Hold port reference until decoder release

Dan Williams <dan.j.williams@intel.com>
    cxl/core/port: Rename bus.c to port.c

Håkon Bugge <haakon.bugge@oracle.com>
    IB/cma: Allow XRC INI QPs to set their local ACK timeout

Andrii Nakryiko <andrii@kernel.org>
    libbpf: Fix memleak in libbpf_netlink_recv()

Jiri Olsa <jolsa@kernel.org>
    bpftool: Fix pretty print dump for maps without BTF loaded

Roman Li <Roman.Li@amd.com>
    drm/amd/display: Add affected crtcs to atomic state for dsc mst unplug

Yiqing Yao <yiqing.yao@amd.com>
    drm/amd/pm: enable pm sysfs write for one VF mode

Yinjun Zhang <yinjun.zhang@corigine.com>
    bpftool: Fix the error when lookup in no-btf maps

Martin Povišer <povik+lin@cutebit.org>
    i2c: pasemi: Drop I2C classes from platform driver variant

Wen Gong <quic_wgong@quicinc.com>
    ath11k: fix uninitialized rate_idx in ath11k_dp_tx_update_txcompl()

Pin-Yen Lin <treapking@chromium.org>
    drm/bridge: anx7625: Fix overflow issue on reading EDID

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    iommu/ipmmu-vmsa: Check for error num after setting mask

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports

Miaoqian Lin <linmq006@gmail.com>
    power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init

Toke Høiland-Jørgensen <toke@redhat.com>
    libbpf: Use dynamically allocated buffer when receiving netlink messages

Andrii Nakryiko <andrii@kernel.org>
    libbpf: Fix libbpf.map inheritance chain for LIBBPF_0.7.0

Linus Walleij <linus.walleij@linaro.org>
    power: supply: ab8500: Swap max and overvoltage

Neil Armstrong <narmstrong@baylibre.com>
    drm/bridge: dw-hdmi: use safe format when first in bridge chain

Dan Carpenter <dan.carpenter@oracle.com>
    rtw88: fix use after free in rtw_hw_scan_update_probe_req()

Andrii Nakryiko <andrii@kernel.org>
    libbpf: Fix compilation warning due to mismatched printf format

Po Liu <po.liu@nxp.com>
    net:enetc: allocate CBD ring data memory using DMA coherent methods

Tianyu Lan <Tianyu.Lan@microsoft.com>
    Netvsc: Call hv_unmap_memory() in the netvsc_device_remove()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    cxl/regs: Fix size of CXL Capability Header Register

Dan Williams <dan.j.williams@intel.com>
    tools/testing/cxl: Fix root port to host bridge assignment

Dan Williams <dan.j.williams@intel.com>
    cxl/core: Fix cxl_probe_component_regs() error message

Ilya Leoshkevich <iii@linux.ibm.com>
    libbpf: Fix riscv register names

Dan Carpenter <dan.carpenter@oracle.com>
    libbpf: Fix signedness bug in btf_dump_array_data()

Xiao Yang <yangx.jy@fujitsu.com>
    RDMA/rxe: Check the last packet by RXE_END_MASK

Pali Rohár <pali@kernel.org>
    PCI: aardvark: Fix reading PCI_EXP_RTSTA_PME bit on emulated bridge

Pali Rohár <pali@kernel.org>
    PCI: aardvark: Fix reading MSI interrupt number

Luben Tuikov <luben.tuikov@amd.com>
    drm/amdgpu: Don't offset by 2 in FRU EEPROM

Corinna Vinschen <vinschen@redhat.com>
    igb: refactor XDP registration

Corinna Vinschen <vinschen@redhat.com>
    igc: avoid kernel warning when changing RX ring parameters

Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    selftests/bpf: Use "__se_" prefix on architectures without syscall wrapper

Kenta Tada <Kenta.Tada@sony.com>
    selftests/bpf: Extract syscall wrapper

Mark Brown <broonie@kernel.org>
    mtd: mchp48l640: Add SPI ID table

Mark Brown <broonie@kernel.org>
    mtd: mchp23k256: Add SPI ID table

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    i2c: bcm2835: Fix the error handling in 'bcm2835_i2c_probe()'

Pavel Skripkin <paskripkin@gmail.com>
    net: asix: add proper error handling of usb read errors

Christophe Leroy <christophe.leroy@csgroup.eu>
    livepatch: Fix build failure on 32 bits processors

Thomas Bracht Laumann Jespersen <t@laumann.xyz>
    scripts/dtc: Call pkg-config POSIXly correct

Johannes Berg <johannes.berg@intel.com>
    mac80211: limit bandwidth in HE capabilities

Yonghong Song <yhs@fb.com>
    bpf: Fix a btf decl_tag bug when tagging a function

Tobias Waldekranz <tobias@waldekranz.com>
    net: dsa: mv88e6xxx: Enable port policy support on 6097

Miroslav Lichvar <mlichvar@redhat.com>
    ptp: unregister virtual clocks when unregistering physical clock.

MeiChia Chiu <meichia.chiu@mediatek.com>
    mt76: mt7915: fix the nss setting in bitrates

Peter Chiu <chui-hao.chiu@mediatek.com>
    mt76: mt7915: fix mcs_map in mt7915_mcu_set_sta_he_mcs()

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7921s: fix a possible memory leak in mt7921_load_patch

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7915: fix possible memory leak in mt7915_mcu_add_sta

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7615: check sta_rates pointer in mt7615_sta_rate_tbl_update

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7603: check sta_rates pointer in mt7603_sta_rate_tbl_update

Sean Wang <sean.wang@mediatek.com>
    mt76: mt7921e: fix possible probe failure after reboot

Leon Yen <leon.yen@mediatek.com>
    mt76: mt7921s: fix mt7921s_mcu_[fw|drv]_pmctrl

Peter Chiu <chui-hao.chiu@mediatek.com>
    mt76: mt7921: fix ht mcs in mt7921_mac_add_txs_skb()

Peter Chiu <chui-hao.chiu@mediatek.com>
    mt76: mt7915: fix ht mcs in mt7915_mac_add_txs_skb()

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7615: fix a leftover race in runtime-pm

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7921: fix a leftover race in runtime-pm

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7921: do not always disable fw runtime-pm

Sean Wang <sean.wang@mediatek.com>
    mt76: mt7921: set EDCA parameters with the MCU CE command

Sean Wang <sean.wang@mediatek.com>
    mt76: mt76_connac: fix MCU_CE_CMD_SET_ROC definition error

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7915: use proper aid value in mt7915_mcu_sta_basic_tlv

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7915: use proper aid value in mt7915_mcu_wtbl_generic_tlv in sta mode

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: connac: fix sta_rec_wtbl tag len

Athira Rajeev <atrajeev@linux.vnet.ibm.com>
    powerpc/perf: Don't use perf_hw_context for trace IMC PMU

Fabiano Rosas <farosas@linux.ibm.com>
    KVM: PPC: Book3S HV: Check return value of kvmppc_radix_init

Maxim Kiselev <bigunclemax@gmail.com>
    powerpc: dts: t1040rdb: fix ports names for Seville Ethernet switch

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    ray_cs: Check ioremap return value

Miaoqian Lin <linmq006@gmail.com>
    power: reset: gemini-poweroff: Fix IRQ check in gemini_poweroff_probe

Alexander Lobakin <alexandr.lobakin@intel.com>
    ixgbe: respect metadata on XSK Rx to skb

Alexander Lobakin <alexandr.lobakin@intel.com>
    ixgbe: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb

Alexander Lobakin <alexandr.lobakin@intel.com>
    ixgbe: pass bi->xdp to ixgbe_construct_skb_zc() directly

Alexander Lobakin <alexandr.lobakin@intel.com>
    igc: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb

Alexander Lobakin <alexandr.lobakin@intel.com>
    ice: respect metadata on XSK Rx to skb

Alexander Lobakin <alexandr.lobakin@intel.com>
    ice: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb

Alexander Lobakin <alexandr.lobakin@intel.com>
    i40e: respect metadata on XSK Rx to skb

Alexander Lobakin <alexandr.lobakin@intel.com>
    i40e: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    drm/bridge: lt9611: Fix an error handling path in lt9611_probe()

Po-Hao Huang <phhuang@realtek.com>
    rtw88: fix memory overrun and memory leak during hw_scan

Po-Hao Huang <phhuang@realtek.com>
    rtw88: fix idle mode flow for hw scan

Muhammad Usama Anjum <usama.anjum@collabora.com>
    rtw88: check for validity before using a pointer

Gerhard Engleder <gerhard@engleder-embedded.com>
    selftests/net: timestamping: Fix bind_phc check

Fabiano Rosas <farosas@linux.ibm.com>
    KVM: PPC: Fix vmx/vsx mixup in mmio emulation

Maor Gottlieb <maorg@nvidia.com>
    RDMA/core: Set MR type in ib_reg_user_mr

Wen Gong <quic_wgong@quicinc.com>
    ath11k: set WMI_PEER_40MHZ while peer assoc for 6 GHz

Pavel Skripkin <paskripkin@gmail.com>
    ath9k_htc: fix uninit value bugs

Hangbin Liu <liuhangbin@gmail.com>
    selftests/bpf/test_xdp_redirect_multi: use temp netns for testing

Robert Hancock <robert.hancock@calian.com>
    net: phy: at803x: move page selection fix to config_init

Tom Rix <trix@redhat.com>
    drm/amd/pm: return -ENOTSUPP if there is no get_dpm_ultimate_freq function

Zhou Qingyang <zhou1615@umn.edu>
    drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes()

Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
    drm/amd/display: Call dc_stream_release for remove link enc assignment

Zhou Qingyang <zhou1615@umn.edu>
    drm/nouveau/acr: Fix undefined behavior in nvkm_acr_hsfw_load_bl()

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: hci_event: Fix HCI_EV_VENDOR max_len

Tobias Waldekranz <tobias@waldekranz.com>
    net: dsa: Avoid cross-chip syncing of VLAN filtering

Tobias Waldekranz <tobias@waldekranz.com>
    net: dsa: Move VLAN filtering syncing out of dsa_switch_bridge_leave

Brett Creeley <brett@pensando.io>
    ionic: Correctly print AQ errors if completions aren't received

Shannon Nelson <snelson@pensando.io>
    ionic: fix up printing of timeout error

Brett Creeley <brett@pensando.io>
    ionic: Don't send reset commands if FW isn't running

Shannon Nelson <snelson@pensando.io>
    ionic: start watchdog after all is setup

Shannon Nelson <snelson@pensando.io>
    ionic: fix type complaint in ionic_dev_cmd_clean()

Maxime Ripard <maxime@cerno.tech>
    drm/edid: Split deep color modes between RGB and YUV444

Maxime Ripard <maxime@cerno.tech>
    drm/edid: Don't clear formats if using deep color

Magnus Karlsson <magnus.karlsson@intel.com>
    selftests, xsk: Fix rx_full stats test

Dario Binacchi <dario.binacchi@amarulasolutions.com>
    mtd: rawnand: gpmi: fix controller timings setting

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    mtd: onenand: Check for error irq

Sean Wang <sean.wang@mediatek.com>
    Bluetooth: btmtksdio: mask out interrupt status

Mark Chen <mark-yw.chen@mediatek.com>
    Bluetooth: mt7921s: fix btmtksdio_[drv|fw]_pmctrl()

Mark Chen <mark-yw.chen@mediatek.com>
    Bluetooth: btmtksdio: refactor btmtksdio_runtime_[suspend|resume]()

Mark Chen <mark-yw.chen@mediatek.com>
    Bluetooth: mt7921s: fix bus hang with wrong privilege

Mark Chen <mark-yw.chen@mediatek.com>
    Bluetooth: mt7921s: fix firmware coredump retrieve

Pavel Skripkin <paskripkin@gmail.com>
    Bluetooth: hci_serdev: call init_rwsem() before p->open()

Tedd Ho-Jeong An <tedd.an@intel.com>
    Bluetooth: btintel: Fix WBS setting for Intel legacy ROM products

Felix Maurer <fmaurer@redhat.com>
    selftests: bpf: Fix bind on used port

Jani Nikula <jani.nikula@intel.com>
    drm/locking: fix drm_modeset_acquire_ctx kernel-doc

José Expósito <jose.exposito89@gmail.com>
    drm/selftests/test-drm_dp_mst_helper: Fix memory leak in sideband_msg_req_encode_decode

Kumar Kartikeya Dwivedi <memxor@gmail.com>
    bpf: Fix UAF due to race between btf_try_get_module and load_module

Pavel Skripkin <paskripkin@gmail.com>
    udmabuf: validate ubuf->pagecount

Dan Carpenter <dan.carpenter@oracle.com>
    ath11k: fix error code in ath11k_qmi_assign_target_mem_chunk()

Wei Fu <fuweid89@gmail.com>
    bpftool: Only set obj->skeleton on complete success

Yafang Shao <laoar.shao@gmail.com>
    libbpf: Fix possible NULL pointer dereference when destroying skeleton

Mauricio Vásquez <mauricio@kinvolk.io>
    bpftool: Fix error check when calling hashmap__new()

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    drm/panfrost: Check for error num after setting mask

Wen Gong <quic_wgong@quicinc.com>
    ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855

Dan Carpenter <dan.carpenter@oracle.com>
    Bluetooth: hci_sync: unlock on error in hci_inquiry_result_with_rssi_evt()

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    drm/v3d/v3d_drv: Check for error num after setting mask

Wen Gong <quic_wgong@quicinc.com>
    ath10k: fix memory overwrite of the WoWLAN wakeup packet pattern

Yang Yingliang <yangyingliang@huawei.com>
    ath11k: add missing of_node_put() to avoid leak

Jagan Teki <jagan@amarulasolutions.com>
    drm: bridge: adv7511: Fix ADV7535 HPD enablement

Miaoqian Lin <linmq006@gmail.com>
    drm/bridge: nwl-dsi: Fix PM disable depth imbalance in nwl_dsi_probe

Miaoqian Lin <linmq006@gmail.com>
    drm/bridge: Add missing pm_runtime_disable() in __dw_mipi_dsi_probe

Miaoqian Lin <linmq006@gmail.com>
    drm/bridge: Fix free wrong object in sii8620_init_rcp_input_dev

Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    drm/meson: Fix error handling when afbcd.ops->init fails

Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    drm/meson: osd_afbcd: Add an exit callback to struct meson_afbcd_ops

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    drm/bridge: sn65dsi83: Fix an error handling path in sn65dsi83_probe()

Andre Przywara <andre.przywara@arm.com>
    ARM: configs: multi_v5_defconfig: re-enable DRM_PANEL and FB_xxx

Andre Przywara <andre.przywara@arm.com>
    ARM: configs: multi_v5_defconfig: re-enable CONFIG_V4L_PLATFORM_DRIVERS

Meng Tang <tangmeng@uniontech.com>
    ASoC: amd: Fix reference to PCM buffer address

Miaoqian Lin <linmq006@gmail.com>
    ASoC: codecs: wcd934x: Add missing of_node_put() in wcd934x_codec_parse_data

Miaoqian Lin <linmq006@gmail.com>
    ASoC: mediatek: mt8195: Fix error handling in mt8195_mt6359_rt1019_rt5682_dev_probe

Miaoqian Lin <linmq006@gmail.com>
    ASoC: msm8916-wcd-analog: Fix error handling in pm8916_wcd_analog_spmi_probe

Miaoqian Lin <linmq006@gmail.com>
    ASoC: atmel: Fix error handling in sam9x5_wm8731_driver_probe

zhangqilong <zhangqilong3@huawei.com>
    ASoC: rockchip: Fix PM usage reference of rockchip_i2s_tdm_resume

Daniel Bristot de Oliveira <bristot@kernel.org>
    rtla/osnoise: Fix osnoise hist stop tracing message

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    mmc: davinci_mmc: Handle error for clk_enable

Miaoqian Lin <linmq006@gmail.com>
    ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in msm8916_wcd_digital_probe

Kai Vehmanen <kai.vehmanen@linux.intel.com>
    ASoC: SOF: Intel: enable DMI L1 for playback streams

Wang Wensheng <wangwensheng4@huawei.com>
    ASoC: imx-es8328: Fix error return code in imx_es8328_probe()

Shengjiu Wang <shengjiu.wang@nxp.com>
    ASoC: fsl_spdif: Disable TX clock when stop

Miaoqian Lin <linmq006@gmail.com>
    ASoC: mxs: Fix error handling in mxs_sgtl5000_probe

Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
    ASoC: dmaengine: do not use a NULL prepare_slave_config() callback

Miaoqian Lin <linmq006@gmail.com>
    ASoC: rk817: Fix missing clk_disable_unprepare() in rk817_platform_probe

Miaoqian Lin <linmq006@gmail.com>
    ASoC: mediatek: mt8192-mt6359: Fix error handling in mt8192_mt6359_dev_probe

Miaoqian Lin <linmq006@gmail.com>
    ASoC: SOF: Add missing of_node_put() in imx8m_probe

Miaoqian Lin <linmq006@gmail.com>
    ASoC: rockchip: i2s: Fix missing clk_disable_unprepare() in rockchip_i2s_probe

Miaoqian Lin <linmq006@gmail.com>
    ASoC: atmel: Fix error handling in snd_proto_probe

Hans Verkuil <hverkuil-cisco@xs4all.nl>
    ivtv: fix incorrect device_caps for ivtvfb

Jakob Koschel <jakobkoschel@gmail.com>
    media: saa7134: fix incorrect use to determine if list is empty

Miaoqian Lin <linmq006@gmail.com>
    video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    ASoC: fsi: Add check for clk_enable

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    ASoC: wm8350: Handle error for wm8350_register_irq

Miaoqian Lin <linmq006@gmail.com>
    ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe

Lucas Tanure <tanureal@opensource.cirrus.com>
    ASoC: cs35l41: Fix max number of TX channels

David Rhodes <drhodes@opensource.cirrus.com>
    ASoC: cs35l41: Fix GPIO2 configuration

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    media: vidtv: Check for null return of vzalloc

Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
    media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED

Randy Dunlap <rdunlap@infradead.org>
    m68k: coldfire/device.c: only build for MCF_EDMA when h/w macros are defined

Rob Herring <robh@kernel.org>
    arm64: dts: rockchip: Fix SDIO regulator supply properties on rk3399-firefly

Takashi Sakamoto <o-takashi@sakamocchi.jp>
    ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction

Jia-Ju Bai <baijiaju1990@gmail.com>
    memory: emif: check the pointer temp in get_device_details()

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    memory: emif: Add check for setup_interrupts

Daniel Scally <djrscally@gmail.com>
    media: i2c: Fix pixel array positions in ov8865

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    ASoC: soc-compress: prevent the potentially use of null pointer

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    ASoC: dwc-i2s: Handle errors for clk_enable

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    ASoC: atmel_ssc_dai: Handle errors for clk_enable

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    ASoC: mxs-saif: Handle errors for clk_enable

Randy Dunlap <rdunlap@infradead.org>
    printk: fix return value of printk.devkmsg __setup handler

Frank Wunderlich <frank-w@public-files.de>
    arm64: dts: broadcom: Fix sata nodename

Kuldeep Singh <singh.kuldeep87k@gmail.com>
    arm64: dts: ns2: Fix spi-cpol and spi-cpha property

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    ALSA: spi: Add check for clk_enable()

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    ASoC: ti: davinci-i2s: Add check for clk_enable()

Aswath Govindraju <a-govindraju@ti.com>
    mmc: sdhci_am654: Fix the driver data of AM64 SoC

Chun-Jie Chen <chun-jie.chen@mediatek.com>
    soc: mediatek: pm-domains: Add wakeup capacity support in power domain

Jia-Ju Bai <baijiaju1990@gmail.com>
    ASoC: acp: check the return value of devm_kzalloc() in acp_legacy_dai_links_create()

Jia-Ju Bai <baijiaju1990@gmail.com>
    ASoC: rt5663: check the return value of devm_kzalloc() in rt5663_parse_dp()

Arnd Bergmann <arnd@arndb.de>
    uaccess: fix nios2 and microblaze get_user_8()

Christophe Leroy <christophe.leroy@csgroup.eu>
    vsprintf: Fix %pK with kptr_restrict == 0

Muhammad Usama Anjum <usama.anjum@collabora.com>
    selftests/lkdtm: Add UBSAN config

Muhammad Usama Anjum <usama.anjum@collabora.com>
    selftests: vm: remove dependecy from internal kernel macros

Mirela Rabulea <mirela.rabulea@nxp.com>
    media: ov5640: Fix set format, v4l2_mbus_pixelcode not updated

Jernej Skrabec <jernej.skrabec@gmail.com>
    media: hantro: sunxi: Fix VP9 steps

Nicolas Dufresne <nicolas.dufresne@collabora.com>
    media: v4l2-core: Initialize h264 scaling matrix

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    ASoC: codecs: wcd934x: fix return value of wcd934x_rx_hph_mode_put

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    ASoC: codecs: wcd934x: fix kcontrol max values

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    ASoC: codecs: wcd938x: fix kcontrol max values

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    ASoC: codecs: wc938x: fix accessing array out of bounds for enum type

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    ASoC: codecs: va-macro: fix accessing array out of bounds for enum type

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    ASoC: codecs: rx-macro: fix accessing array out of bounds for enum type

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    ASoC: codecs: rx-macro: fix accessing compander for aux

Keerthy <j-keerthy@ti.com>
    arm64: dts: ti: k3-j721s2-mcu-wakeup: Fix the interrupt-parent for wkup_gpioX instances

Jernej Skrabec <jernej.skrabec@gmail.com>
    media: cedrus: h264: Fix neighbour info buffer size

Jernej Skrabec <jernej.skrabec@gmail.com>
    media: cedrus: H265: Fix neighbour info buffer size

Dan Carpenter <dan.carpenter@oracle.com>
    media: usb: go7007: s2250-board: fix leak in probe()

Yunfei Dong <yunfei.dong@mediatek.com>
    media: uapi: Init VP9 stateless decode params

Dongliang Mu <mudongliangabcd@gmail.com>
    media: em28xx: initialize refcount before kref_get

Zhou Qingyang <zhou1615@umn.edu>
    media: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats()

Tom Rix <trix@redhat.com>
    media: video/hdmi: handle short reads of hdmi info frame.

Neil Armstrong <narmstrong@baylibre.com>
    media: mexon-ge2d: fixup frames size in registers

Marek Vasut <marex@denx.de>
    ARM: dts: imx: Add missing LVDS decoder on M53Menlo

Manivannan Sadhasivam <mani@kernel.org>
    ARM: dts: qcom: sdx55: Fix the address used for PCIe EP local addr space

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    vsprintf: Fix potential unaligned access

Ard Biesheuvel <ardb@kernel.org>
    ARM: ftrace: ensure that ADR takes the Thumb bit into account

Olivier Moysan <olivier.moysan@foss.st.com>
    ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15

Paul Kocialkowski <paul.kocialkowski@bootlin.com>
    ARM: dts: sun8i: v3s: Move the csi1 block to follow address order

Stephan Gerhold <stephan@gerhold.net>
    cpuidle: qcom-spm: Check if any CPU is managed by SPM

Miaoqian Lin <linmq006@gmail.com>
    soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    firmware: ti_sci: Fix compilation failure when CONFIG_TI_SCI_PROTOCOL is not defined

Baruch Siach <baruch@tkos.co.il>
    arm64: dts: qcom: ipq6018: fix usb reference period

Petr Vorel <petr.vorel@gmail.com>
    arm64: dts: qcom: msm8994: Provide missing "xo_board" and "sleep_clk" to GCC

Maulik Shah <quic_mkshah@quicinc.com>
    arm64: dts: qcom: sm8450: Update cpuidle states parameters

Maulik Shah <quic_mkshah@quicinc.com>
    arm64: dts: qcom: sm8350: Correct TCS configuration for apps rsc

Maulik Shah <quic_mkshah@quicinc.com>
    arm64: dts: qcom: sm8150: Correct TCS configuration for apps rsc

Rafał Miłecki <rafal@milecki.pl>
    arm64: dts: broadcom: bcm4908: use proper TWD binding

Petr Vorel <petr.vorel@gmail.com>
    arm64: dts: qcom: msm8916-j5: Fix typo

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    arm64: dts: qcom: sm8250: fix PCIe bindings to follow schema

David Heidelberg <david@ixit.cz>
    arm64: dts: qcom: sdm845: fix microphone bias properties and values

Daniel Thompson <daniel.thompson@linaro.org>
    soc: qcom: aoss: remove spurious IRQF_ONESHOT flags

Miaoqian Lin <linmq006@gmail.com>
    soc: qcom: aoss: Fix missing put_device call in qmp_get

Miaoqian Lin <linmq006@gmail.com>
    soc: qcom: ocmem: Fix missing put_device() call in of_get_ocmem

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    soc: qcom: rpmpd: Check for null return of devm_kcalloc

Pavel Kubelun <be.dissent@gmail.com>
    ARM: dts: qcom: ipq4019: fix sleep clock

Marijn Suijten <marijn.suijten@somainline.org>
    firmware: qcom: scm: Remove reassignment to desc following initializer

Douglas Anderson <dianders@chromium.org>
    arm64: dts: qcom: sc7280: Fix gmu unit address

Randy Dunlap <rdunlap@infradead.org>
    ASoC: max98927: add missing header file

Zev Weiss <zev@bewilderbeest.net>
    ARM: dts: Fix OpenBMC flash layout label addresses

Dan Carpenter <dan.carpenter@oracle.com>
    video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name()

Dan Carpenter <dan.carpenter@oracle.com>
    video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe()

Wang Hai <wanghai38@huawei.com>
    video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()

YueHaibing <yuehaibing@huawei.com>
    video: fbdev: controlfb: Fix COMPILE_TEST build

Z. Liu <liuzx@knownsec.com>
    video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen

Jammy Huang <jammy_huang@aspeedtech.com>
    media: aspeed: Correct value for h-total-pixels

Bingbu Cao <bingbu.cao@intel.com>
    media: ov2740: identify module after subdev initialisation

Sakari Ailus <sakari.ailus@linux.intel.com>
    media: ov5648: Don't pack controls struct

Sakari Ailus <sakari.ailus@linux.intel.com>
    media: v4l: Avoid unaligned access warnings when printing 4cc modifiers

Janusz Krzysztofik <jmkrzyszt@gmail.com>
    media: ov6650: Fix set format try processing path

Chen-Yu Tsai <wenst@chromium.org>
    media: hantro: Fix overfill bottom register field name

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    media: meson: vdec: potential dereference of null pointer

Miaoqian Lin <linmq006@gmail.com>
    media: coda: Fix missing put_device() call in coda_get_vdoa_data

Dmitry Osipenko <digetx@gmail.com>
    memory: tegra20-emc: Correct memory device mask

Robert Hancock <robert.hancock@calian.com>
    ASoC: simple-card-utils: Set sysclk on all components

Robert Hancock <robert.hancock@calian.com>
    ASoC: xilinx: xlnx_formatter_pcm: Handle sysclk setting

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    ASoC: codecs: Check for error pointer after calling devm_regmap_init_mmio

Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
    ASoC: sh: rz-ssi: Drop calling rz_ssi_pio_recv() recursively

Eugen Hristev <eugen.hristev@microchip.com>
    media: atmel: atmel-sama7g5-isc: fix ispck leftover

Ondrej Zary <linux@zary.sk>
    media: bttv: fix WARNING regression on tunerless devices

Martin Kepplinger <martink@posteo.de>
    media: imx: imx8mq-mipi_csi2: fix system resume

Martin Kepplinger <martink@posteo.de>
    media: imx: imx8mq-mipi-csi2: remove wrong irq config write operation

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    media: mtk-vcodec: potential dereference of null pointer

Chen-Yu Tsai <wenst@chromium.org>
    media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls

Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    media: staging: media: imx: imx7-mipi-csis: Make subdev name unique

Jonathan Marek <jonathan@marek.ca>
    media: camss: vfe-170: fix "VFE halt timeout" error

Jonathan Marek <jonathan@marek.ca>
    media: camss: csid-170: set the right HALT_CMD when disabled

Jonathan Marek <jonathan@marek.ca>
    media: camss: csid-170: don't enable unused irqs

Jonathan Marek <jonathan@marek.ca>
    media: camss: csid-170: fix non-10bit formats

Corentin Labbe <clabbe@baylibre.com>
    media: staging: media: zoran: fix usage of vb2_dma_contig_set_max_seg_size

Sam Protsenko <semen.protsenko@linaro.org>
    pinctrl: samsung: Remove EINT handler for Exynos850 ALIVE and CMGP gpios

Peng Liu <liupeng256@huawei.com>
    kunit: make kunit_test_timeout compatible with comment

David Hildenbrand <david@redhat.com>
    drivers/base/memory: add memory block to memory group after registration succeeded

Guillaume Tucker <guillaume.tucker@collabora.com>
    selftests, x86: fix how check_cc.sh is being invoked

Shyam Prasad N <sprasad@microsoft.com>
    cifs: use a different reconnect helper for non-cifsd threads

Fengnan Chang <changfengnan@vivo.com>
    f2fs: fix compressed file start atomic write may cause data corruption

Dongliang Mu <mudongliangabcd@gmail.com>
    fs: erofs: add sanity check for kobject in erofs_unregister_sysfs

Matthew Wilcox (Oracle) <willy@infradead.org>
    iomap: Fix iomap_invalidatepage tracepoint

Filipe Manana <fdmanana@suse.com>
    btrfs: fix unexpected error path when reflinking an inline extent

Chao Yu <chao@kernel.org>
    f2fs: fix to avoid potential deadlock

Valentin Schneider <valentin.schneider@arm.com>
    sched/rt: Plug rt_mutex_setprio() vs push_rt_task() race

Chengming Zhou <zhouchengming@bytedance.com>
    sched/cpuacct: Fix charge percpu cpuusage

Amir Goldstein <amir73il@gmail.com>
    nfsd: more robust allocation failure handling in nfsd_file_cache_init

Lukas Czerner <lczerner@redhat.com>
    ext4: fix remount with 'abort' option

Jaegeuk Kim <jaegeuk@kernel.org>
    f2fs: fix missing free nid in f2fs_handle_failed_inode

Mel Gorman <mgorman@techsingularity.net>
    sched/fair: Improve consistency of allowed NUMA balance calculations

Adrian Hunter <adrian.hunter@intel.com>
    perf/x86/intel/pt: Fix address filter config for 32-bit kernel

Adrian Hunter <adrian.hunter@intel.com>
    perf/core: Fix address filter parser for multiple filters

Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    rseq: Remove broken uapi field layout on 32-bit little endian

Qais Yousef <qais.yousef@arm.com>
    sched/uclamp: Fix iowait boost escaping uclamp restriction

Qais Yousef <qais.yousef@arm.com>
    sched/sugov: Ignore 'busy' filter when rq is capped by uclamp_max

Qais Yousef <qais.yousef@arm.com>
    sched/core: Export pelt_thermal_tp

Bharata B Rao <bharata@amd.com>
    sched/debug: Remove mpol_get/put and task_lock/unlock from sched_show_numa

Chao Yu <chao@kernel.org>
    f2fs: fix to enable ATGC correctly via gc_idle sysfs interface

David Howells <dhowells@redhat.com>
    watch_queue: Actually free the watch

David Howells <dhowells@redhat.com>
    watch_queue: Fix NULL dereference in error cleanup

Jens Axboe <axboe@kernel.dk>
    io_uring: terminate manual loop iterator loop correctly for non-vecs

Jens Axboe <axboe@kernel.dk>
    io_uring: don't check unrelated req->open.how in accept request

Randy Dunlap <rdunlap@infradead.org>
    clocksource: acpi_pm: fix return value of __setup handler

Brandon Wyman <bjwyman@gmail.com>
    hwmon: (pmbus) Add Vin unit off handling

Miaoqian Lin <linmq006@gmail.com>
    hwrng: nomadik - Change clk_disable to clk_disable_unprepare

Giovanni Cabiddu <giovanni.cabiddu@intel.com>
    crypto: qat - fix initialization of pfvf rts_map_msg structures

Giovanni Cabiddu <giovanni.cabiddu@intel.com>
    crypto: qat - fix initialization of pfvf cap_msg structures

Jianglei Nie <niejianglei2021@163.com>
    crypto: ccree - Fix use after free in cc_cipher_exit()

Dāvis Mosāns <davispuh@gmail.com>
    crypto: ccp - ccp_dmaengine_unregister release dma channels

Randy Dunlap <rdunlap@infradead.org>
    ACPI: APEI: fix return value of __setup handlers

Dave Kleikamp <dave.kleikamp@oracle.com>
    KEYS: trusted: Avoid calling null function trusted_key_exit

Andreas Rammhold <andreas@rammhold.de>
    KEYS: trusted: Fix trusted key backends when building as module

Robin Murphy <robin.murphy@arm.com>
    perf/arm-cmn: Update watchpoint format

Robin Murphy <robin.murphy@arm.com>
    perf/arm-cmn: Hide XP PUB events for CMN-600

Mark Rutland <mark.rutland@arm.com>
    arm64: prevent instrumentation of bp hardening callbacks

Guillaume Ranquet <granquet@baylibre.com>
    clocksource/drivers/timer-of: Check return value of of_iomap in timer_of_base_init()

Claudiu Beznea <claudiu.beznea@microchip.com>
    clocksource/drivers/timer-microchip-pit64b: Use notrace

Krzysztof Kozlowski <krzk@kernel.org>
    clocksource/drivers/exynos_mct: Handle DTS with higher number of interrupts

Drew Fustini <dfustini@baylibre.com>
    clocksource/drivers/timer-ti-dm: Fix regression from errata i940 fix

Petr Vorel <pvorel@suse.cz>
    crypto: vmx - add missing dependencies

Corentin Labbe <clabbe@baylibre.com>
    crypto: gemini - call finalize with bh disabled

Corentin Labbe <clabbe@baylibre.com>
    crypto: amlogic - call finalize with bh disabled

Corentin Labbe <clabbe@baylibre.com>
    crypto: sun8i-ce - call finalize with bh disabled

Corentin Labbe <clabbe@baylibre.com>
    crypto: sun8i-ss - call finalize with bh disabled

Claudiu Beznea <claudiu.beznea@microchip.com>
    hwrng: atmel - disable trng on failure path

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    spi: spi-zynqmp-gqspi: Handle error for dma_set_mask

Randy Dunlap <rdunlap@infradead.org>
    PM: suspend: fix return value of __setup handler

Randy Dunlap <rdunlap@infradead.org>
    PM: hibernate: fix __setup handler error handling

Eric Biggers <ebiggers@google.com>
    block: don't delete queue kobject before its children

Christoph Hellwig <hch@lst.de>
    nvme: fix the check for duplicate unique identifiers

Christoph Hellwig <hch@lst.de>
    nvme: cleanup __nvme_check_ids

Armin Wolf <W_Armin@gmx.de>
    hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING

Patrick Rudolph <patrick.rudolph@9elements.com>
    hwmon: (pmbus) Add mutex to regulator ops

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    spi: pxa2xx-pci: Balance reference count for PCI DMA device

Kai Ye <yekai13@huawei.com>
    crypto: hisilicon/sec - fix the aead software fallback for engine

Gilad Ben-Yossef <gilad@benyossef.com>
    crypto: ccree - don't attempt 0 len DMA mappings

Randy Dunlap <rdunlap@infradead.org>
    EVM: fix the evm= __setup handler return value

Richard Guy Briggs <rgb@redhat.com>
    audit: log AUDIT_TIME_* records only from rules

Zhang Wensheng <zhangwensheng5@huawei.com>
    block: update io_ticks when io hang

Corentin Labbe <clabbe@baylibre.com>
    crypto: rockchip - ECB does not need IV

Muhammad Usama Anjum <usama.anjum@collabora.com>
    selftests/sgx: Treat CC as one argument

Muhammad Usama Anjum <usama.anjum@collabora.com>
    selftests/x86: Add validity check and allow field splitting

Chengming Zhou <zhouchengming@bytedance.com>
    blk-cgroup: set blkg iostat after percpu stat aggregation

Ondrej Mosnacek <omosnace@redhat.com>
    security: implement sctp_assoc_established hook in selinux

Ondrej Mosnacek <omosnace@redhat.com>
    security: add sctp_assoc_established hook

Jianyong Wu <jianyong.wu@arm.com>
    arm64/mm: avoid fixmap race condition when create pud mapping

Marco Elver <elver@google.com>
    stack: Constrain and fix stack offset randomization with Clang builds

Reinette Chatre <reinette.chatre@intel.com>
    selftests/sgx: Ensure enclave data available during debug print

Reinette Chatre <reinette.chatre@intel.com>
    selftests/sgx: Do not attempt enclave build without valid enclave

Reinette Chatre <reinette.chatre@intel.com>
    selftests/sgx: Fix NULL-pointer-dereference upon early test failure

Geert Uytterhoeven <geert+renesas@glider.be>
    perf: MARVELL_CN10K_TAD_PMU should depend on ARCH_THUNDER

Miaoqian Lin <linmq006@gmail.com>
    spi: tegra210-quad: Fix missin IRQ check in tegra_qspi_probe

Miaoqian Lin <linmq006@gmail.com>
    spi: tegra114: Add missing IRQ check in tegra_spi_probe

Shijith Thotton <sthotton@marvell.com>
    crypto: octeontx2 - remove CONFIG_DM_CRYPT check

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    thermal: int340x: Check for NULL after calling kmemdup()

Scott Mayhew <smayhew@redhat.com>
    selinux: Fix selinux_sb_mnt_opts_compat()

Tomas Paukrt <tomaspaukrt@email.cz>
    crypto: mxs-dcp - Fix scatterlist processing

Shijith Thotton <sthotton@marvell.com>
    crypto: octeontx2 - select CONFIG_NET_DEVLINK

Herbert Xu <herbert@gondor.apana.org.au>
    crypto: authenc - Fix sleep in atomic context in decrypt_tail

Giovanni Cabiddu <giovanni.cabiddu@intel.com>
    crypto: qat - fix access to PFVF interrupt registers for GEN4

Herbert Xu <herbert@gondor.apana.org.au>
    crypto: kdf - Select hmac in addition to sha256

Corentin Labbe <clabbe@baylibre.com>
    crypto: sun8i-ss - really disable hash on A80

Geert Uytterhoeven <geert+renesas@glider.be>
    hwrng: cavium - HW_RANDOM_CAVIUM should depend on ARCH_THUNDER

Dan Carpenter <dan.carpenter@oracle.com>
    crypto: qat - fix a signedness bug in get_service_enabled()

Peter Gonda <pgonda@google.com>
    crypto: ccp - Ensure psp_ret is always init'd in __sev_platform_init_locked()

Christian Göttsche <cgzones@googlemail.com>
    selinux: check return value of sel_make_avc_files

GONG, Ruiqi <gongruiqi1@huawei.com>
    selinux: access superblock_security_struct in LSM blob way

kernel test robot <lkp@intel.com>
    regulator: qcom_smd: fix for_each_child.cocci warnings

Marc Zyngier <maz@kernel.org>
    PCI: xgene: Revert "PCI: xgene: Fix IB window setup"

Marc Zyngier <maz@kernel.org>
    PCI: xgene: Revert "PCI: xgene: Use inbound resources for setup"

Liguang Zhang <zhangliguang@linux.alibaba.com>
    PCI: pciehp: Clear cmd_busy bit in polling mode

Fabio Estevam <festevam@gmail.com>
    PCI: imx6: Allow to probe when dw_pcie_wait_for_link() fails

Mastan Katragadda <mastanx.katragadda@intel.com>
    drm/i915/gem: add missing boundary check in vm_access

Jani Nikula <jani.nikula@intel.com>
    drm/i915/opregion: check port number bounds for SWSCI display power state

Hector Martin <marcan@marcan.st>
    brcmfmac: pcie: Fix crashes due to early IRQs

Hector Martin <marcan@marcan.st>
    brcmfmac: pcie: Replace brcmf_pcie_copy_mem_todev with memcpy_toio

Hector Martin <marcan@marcan.st>
    brcmfmac: pcie: Declare missing firmware files in pcie.c

Hector Martin <marcan@marcan.st>
    brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path

Hector Martin <marcan@marcan.st>
    brcmfmac: firmware: Allocate space for default boardrev in nvram

Thomas Zimmermann <tzimmermann@suse.de>
    drm/fb-helper: Mark screen buffers in system memory with FBINFO_VIRTFB

Lyude Paul <lyude@redhat.com>
    drm/nouveau/backlight: Just set all backlight types as RAW

Lyude Paul <lyude@redhat.com>
    drm/nouveau/backlight: Fix LVDS backlight detection on some laptops

Christian König <christian.koenig@amd.com>
    drm/syncobj: flatten dma_fence_chains on transfer

Claudio Imbrenda <imbrenda@linux.ibm.com>
    KVM: s390x: fix SCK locking

Max Filippov <jcmvbkbc@gmail.com>
    xtensa: fix xtensa_wsr always writing 0

Max Filippov <jcmvbkbc@gmail.com>
    xtensa: fix stop_machine_cpuslocked call in patch_text

Max Filippov <jcmvbkbc@gmail.com>
    xtensa: define update_mmu_tlb function

Qu Wenruo <wqu@suse.com>
    btrfs: verify the tranisd of the to-be-written dirty extent buffer

Niels Dossche <dossche.niels@gmail.com>
    btrfs: extend locking to all space_info members accesses

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: zoned: mark relocation as writing

Paul Cercueil <paul@crapouillou.net>
    mips: Always permit to build u-boot images

Johan Hovold <johan@kernel.org>
    media: davinci: vpif: fix use-after-free on driver unbind

Johan Hovold <johan@kernel.org>
    media: davinci: vpif: fix unbalanced runtime PM enable

Johan Hovold <johan@kernel.org>
    media: davinci: vpif: fix unbalanced runtime PM get

Stanimir Varbanov <stanimir.varbanov@linaro.org>
    media: venus: venc: Fix h264 8x8 transform control

Stanimir Varbanov <stanimir.varbanov@linaro.org>
    media: venus: hfi_cmds: List HDR10 property as unsupported for v1 and v3

Ameer Hamza <amhamza.mgc@gmail.com>
    media: venus: vdec: fixed possible memory leak issue

Kees Cook <keescook@chromium.org>
    media: omap3isp: Use struct_group() for memcpy() region

Sean Young <sean@mess.org>
    media: gpio-ir-tx: fix transmit with long spaces on Orange Pi PC

Maciej W. Rozycki <macro@orcam.me.uk>
    DEC: Limit PMAX memory probing to R3k systems

Shawn Guo <shawn.guo@linaro.org>
    PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove()

Mingzhe Zou <mingzhe.zou@easystack.cn>
    bcache: fixup multiple threads crash

Eric Biggers <ebiggers@google.com>
    crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete()

Eric Biggers <ebiggers@google.com>
    crypto: rsa-pkcs1pad - restore signature length check

Eric Biggers <ebiggers@google.com>
    crypto: rsa-pkcs1pad - correctly get hash from source scatterlist

Eric Biggers <ebiggers@google.com>
    crypto: rsa-pkcs1pad - only allow with rsa

Kees Cook <keescook@chromium.org>
    exec: Force single empty string when argv is empty

Dirk Müller <dmueller@suse.de>
    lib/raid6/test: fix multiple definition linking error

Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
    thermal: int340x: Increase bitmap size

Jann Horn <jannh@google.com>
    pstore: Don't use semaphores in always-atomic-context code

Colin Ian King <colin.king@intel.com>
    carl9170: fix missing bit-wise or operator for tx_params

Jocelyn Falempe <jfalempe@redhat.com>
    mgag200 fix memmapsl configuration in GCTL6 register

Krzysztof Kozlowski <krzk@kernel.org>
    ARM: dts: exynos: add missing HDMI supplies on SMDK5420

Krzysztof Kozlowski <krzk@kernel.org>
    ARM: dts: exynos: add missing HDMI supplies on SMDK5250

Krzysztof Kozlowski <krzk@kernel.org>
    ARM: dts: exynos: fix UART3 pins configuration in Exynos5250

Tudor Ambarus <tudor.ambarus@microchip.com>
    ARM: dts: at91: sama5d2: Fix PMERRLOC resource size

Tudor Ambarus <tudor.ambarus@microchip.com>
    ARM: dts: at91: sama7g5: Remove unused properties in i2c nodes

Johannes Berg <johannes.berg@intel.com>
    rfkill: make new event layout opt-in

Michael Schmitz <schmitzmic@gmail.com>
    video: fbdev: atari: Atari 2 bpp (STe) palette bugfix

Helge Deller <deller@gmx.de>
    video: fbdev: sm712fb: Fix crash in smtcfb_read()

Thomas Zimmermann <tzimmermann@suse.de>
    fbdev: Hot-unplug firmware fb devices on forced removal

Cooper Chiou <cooper.chiou@intel.com>
    drm/edid: check basic audio support on CEA extension block

Tejun Heo <tj@kernel.org>
    block: don't merge across cgroup boundaries if blkcg is enabled

Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
    block: limit request dispatch loop duration

Tejun Heo <tj@kernel.org>
    block: fix rq-qos breakage from skipping rq_qos_done_bio()

Nikolay Borisov <nborisov@suse.com>
    btrfs: zoned: put block group after final usage

Pekka Pessi <ppessi@nvidia.com>
    mailbox: tegra-hsp: Flush whole channel

Christian Brauner <brauner@kernel.org>
    landlock: Use square brackets around "landlock-ruleset"

Tom Rix <trix@redhat.com>
    samples/landlock: Fix path_list memory leak

Ojaswin Mujoo <ojaswin@linux.ibm.com>
    ext4: make mb_optimize_scan performance mount option work with extents

Ojaswin Mujoo <ojaswin@linux.ibm.com>
    ext4: make mb_optimize_scan option work with set/unset mount cmd

Ye Bin <yebin10@huawei.com>
    ext4: fix fs corruption when tring to remove a non-empty directory with IO error

Ritesh Harjani <riteshh@linux.ibm.com>
    ext4: fix ext4_fc_stats trace point

Jann Horn <jannh@google.com>
    coredump: Also dump first pages of non-executable ELF libraries

Sakari Ailus <sakari.ailus@linux.intel.com>
    ACPI: properties: Consistently return -ENOENT if there are no more references

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Revert "ACPI: Pass the same capabilities to the _OSC regardless of the query flag"

Sergey Shtylyov <s.shtylyov@omp.ru>
    mmc: core: use sysfs_emit() instead of sprintf()

Ammar Faizi <ammarfaizi2@gnuweeb.org>
    ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM

Nishanth Menon <nm@ti.com>
    arm64: dts: ti: k3-j721s2: Fix gic-v3 compatible regs

Nishanth Menon <nm@ti.com>
    arm64: dts: ti: k3-am64: Fix gic-v3 compatible regs

Nishanth Menon <nm@ti.com>
    arm64: dts: ti: k3-j7200: Fix gic-v3 compatible regs

Nishanth Menon <nm@ti.com>
    arm64: dts: ti: k3-j721e: Fix gic-v3 compatible regs

Nishanth Menon <nm@ti.com>
    arm64: dts: ti: k3-am65: Fix gic-v3 compatible regs

Manivannan Sadhasivam <mani@kernel.org>
    arm64: dts: qcom: sm8250: Fix MSI IRQ for PCIe1 and PCIe2

Vijay Balakrishna <vijayb@linux.microsoft.com>
    arm64: Do not defer reserve_crashkernel() for platforms with no DMA memory zones

David Engraf <david.engraf@sysgo.com>
    arm64: signal: nofpsimd: Do not allocate fp/simd context when not available

Ben Dooks <ben.dooks@codethink.co.uk>
    PCI: fu740: Force 2.5GT/s for initial device probe

Oliver Hartkopp <socketcan@hartkopp.net>
    can: isotp: sanitize CAN ID checks in isotp_bind()

Lars Ellenberg <lars.ellenberg@linbit.com>
    drbd: fix potential silent data corruption

Steven Rostedt (Google) <rostedt@goodmis.org>
    tracing: Have trace event string test handle zero length strings

Mikulas Patocka <mpatocka@redhat.com>
    dm integrity: set journal entry unused when shrinking device

Mike Snitzer <snitzer@redhat.com>
    dm: fix double accounting of flush with data

Mike Snitzer <snitzer@redhat.com>
    dm: interlock pending dm_io and dm_wait_for_bios_completion

Kirill Tkhai <ktkhai@virtuozzo.com>
    dm: fix use-after-free in dm_cleanup_zoned_dev()

Mike Snitzer <snitzer@redhat.com>
    dm stats: fix too short end duration_ns when using precise_timestamps

Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
    mm/kmemleak: reset tag when compare object pointer

Oscar Salvador <osalvador@suse.de>
    mm: only re-generate demotion targets when a numa node changes its N_CPU state

Rik van Riel <riel@surriel.com>
    mm,hwpoison: unmap poisoned page before invalidation

Charan Teja Kalla <quic_charante@quicinc.com>
    Revert "mm: madvise: skip unmapped vma holes passed to process_madvise"

Charan Teja Kalla <quic_charante@quicinc.com>
    mm: madvise: return correct bytes advised with process_madvise

Charan Teja Kalla <quic_charante@quicinc.com>
    mm: madvise: skip unmapped vma holes passed to process_madvise

Hans de Goede <hdegoede@redhat.com>
    drm/simpledrm: Add "panel orientation" property on non-upright mounted LCD panels

Joseph Qi <joseph.qi@linux.alibaba.com>
    ocfs2: fix crash when mount with quota enabled

Jens Axboe <axboe@kernel.dk>
    io_uring: ensure that fsnotify is always called

Ali Pouladi <quic_apouladi@quicinc.com>
    rtc: pl031: fix rtc features null pointer dereference

Mateusz Jończyk <mat.jonczyk@o2.pl>
    rtc: mc146818-lib: fix locking in mc146818_set_time

Kai-Heng Feng <kai.heng.feng@canonical.com>
    ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020

Takashi Iwai <tiwai@suse.de>
    ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock

Mohan Kumar <mkumard@nvidia.com>
    ALSA: hda: Avoid unsol event during RPM suspending

Xiaomeng Tong <xiam0nd.tong@gmail.com>
    ALSA: cs4236: fix an incorrect NULL check on list iterator

Paulo Alcantara <pc@cjr.nz>
    cifs: fix NULL ptr dereference in smb2_ioctl_query_info()

Paulo Alcantara <pc@cjr.nz>
    cifs: prevent bad output lengths in smb2_ioctl_query_info()

Xiaomeng Tong <xiam0nd.tong@gmail.com>
    cifs: fix incorrect use of list iterator after the loop

Paulo Alcantara <pc@cjr.nz>
    cifs: do not skip link targets when an I/O fails

José Expósito <jose.exposito89@gmail.com>
    Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads"

Atish Patra <atishp@rivosinc.com>
    RISC-V: Declare per cpu boot data as static

Dmitry Vyukov <dvyukov@google.com>
    riscv: Increase stack size under KASAN

Nikita Shubin <n.shubin@yadro.com>
    riscv: Fix fill_callchain return value

Niklas Cassel <niklas.cassel@wdc.com>
    riscv: dts: canaan: Fix SPI3 bus width

Manish Chopra <manishc@marvell.com>
    qed: validate and restrict untrusted VFs vlan promisc mode

Manish Chopra <manishc@marvell.com>
    qed: display VF trust config

Damien Le Moal <damien.lemoal@opensource.wdc.com>
    scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands

James Smart <jsmart2021@gmail.com>
    scsi: scsi_transport_fc: Fix FPIN Link Integrity statistics counters

Adrian Hunter <adrian.hunter@intel.com>
    scsi: ufs: Fix runtime PM messages never-ending cycle

Adrian Hunter <adrian.hunter@intel.com>
    scsi: core: sd: Add silence_suspend flag to suppress some PM messages

Hugh Dickins <hughd@google.com>
    mempolicy: mbind_range() set_policy() after vma_merge()

Rik van Riel <riel@surriel.com>
    mm: invalidate hwpoison page cache page in fault path

Alistair Popple <apopple@nvidia.com>
    mm/pages_alloc.c: don't create ZONE_MOVABLE beyond the end of a node

Peter Xu <peterx@redhat.com>
    mm: don't skip swap entry even if zap_details specified

Minchan Kim <minchan@kernel.org>
    mm: fs: fix lru_cache_disabled race in bh_lru

Baokun Li <libaokun1@huawei.com>
    jffs2: fix memory leak in jffs2_scan_medium

Baokun Li <libaokun1@huawei.com>
    jffs2: fix memory leak in jffs2_do_mount_fs

Baokun Li <libaokun1@huawei.com>
    jffs2: fix use-after-free in jffs2_clear_xattr_subsystem

Hangyu Hua <hbh25y@gmail.com>
    can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path

Marc Kleine-Budde <mkl@pengutronix.de>
    can: m_can: m_can_tx_handler(): fix use after free of skb

Hangyu Hua <hbh25y@gmail.com>
    can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path

Sean Nyekjaer <sean@geanix.com>
    mtd: rawnand: protect access to rawnand devices while in suspend

Tudor Ambarus <tudor.ambarus@microchip.com>
    mtd: spi-nor: Skip erase logic when SPI_NOR_NO_ERASE is set

Miquel Raynal <miquel.raynal@bootlin.com>
    spi: mxic: Fix the transmit path

Damien Le Moal <damien.lemoal@opensource.wdc.com>
    net: bnxt_ptp: fix compilation error

Krzysztof Kozlowski <krzk@kernel.org>
    pinctrl: samsung: drop pin banks references on error paths

Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
    pinctrl: ingenic: Fix regmap on X series SoCs

Miaohe Lin <linmiaohe@huawei.com>
    mm/mlock: fix two bugs in user_shm_lock()

Alistair Delva <adelva@google.com>
    remoteproc: Fix count check in rproc_coredump_write()

Chao Yu <chao@kernel.org>
    f2fs: fix to do sanity check on .cp_pack_total_block_count

Juhyung Park <qkrwngud825@gmail.com>
    f2fs: quota: fix loop condition at f2fs_quota_sync()

Chao Yu <chao@kernel.org>
    f2fs: fix to unlock page correctly in error path of is_alive()

Dan Carpenter <dan.carpenter@oracle.com>
    NFSD: prevent integer overflow on 32 bit systems

Dan Carpenter <dan.carpenter@oracle.com>
    NFSD: prevent underflow in nfssvc_decode_writeargs()

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFS: NFSv2/v3 clients should never be setting NFS_CAP_XATTR

Trond Myklebust <trond.myklebust@hammerspace.com>
    SUNRPC: Do not dereference non-socket transports in sysfs

NeilBrown <neilb@suse.de>
    SUNRPC: avoid race between mod_timer() and del_timer_sync()

Gwendal Grignou <gwendal@chromium.org>
    HID: intel-ish-hid: Use dma_alloc_coherent for firmware update

Johan Hovold <johan@kernel.org>
    firmware: sysfb: fix platform-device leak in error path

Ang Tien Sung <tien.sung.ang@intel.com>
    firmware: stratix10-svc: add missing callback parameter on RSU

Bagas Sanjaya <bagasdotme@gmail.com>
    Documentation: update stable tree link

Bagas Sanjaya <bagasdotme@gmail.com>
    Documentation: add link to stable release candidate tree

Eric Biggers <ebiggers@google.com>
    KEYS: asymmetric: properly validate hash_algo and encoding

Eric Biggers <ebiggers@google.com>
    KEYS: asymmetric: enforce that sig algo matches key algo

Eric Biggers <ebiggers@google.com>
    KEYS: fix length validation in keyctl_pkey_params_get_2()

Ronnie Sahlberg <lsahlber@redhat.com>
    cifs: we do not need a spinlock around the tree access during umount

Ronnie Sahlberg <lsahlber@redhat.com>
    cifs: fix handlecache and multiuser

Ronnie Sahlberg <lsahlber@redhat.com>
    cifs: truncate the inode and mapping when we simulate fcollapse

Jann Horn <jannh@google.com>
    ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE

Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
    clk: uniphier: Fix fixed-rate initialization

Quentin Schulz <quentin.schulz@theobroma-systems.com>
    clk: rockchip: re-add rational best approximation algorithm to the fractional divider

Dan Carpenter <dan.carpenter@oracle.com>
    greybus: svc: fix an error handling bug in gb_svc_hello()

Liam Beguin <liambeguin@gmail.com>
    iio: inkern: make a best effort on offset calculation

Liam Beguin <liambeguin@gmail.com>
    iio: inkern: apply consumer scale when no channel scale is available

Liam Beguin <liambeguin@gmail.com>
    iio: inkern: apply consumer scale on IIO_VAL_INT cases

Robert Hancock <robert.hancock@calian.com>
    iio: adc: xilinx-ams: Fixed wrong sequencer register settings

Robert Hancock <robert.hancock@calian.com>
    iio: adc: xilinx-ams: Fixed missing PS channels

Liam Beguin <liambeguin@gmail.com>
    iio: afe: rescale: use s64 for temporary scale calculations

Haibo Chen <haibo.chen@nxp.com>
    iio: imu: st_lsm6dsx: use dev_to_iio_dev() to get iio_dev struct

Billy Tsai <billy_tsai@aspeedtech.com>
    iio: adc: aspeed: Add divider flag to fix incorrect voltage reading.

Haibo Chen <haibo.chen@nxp.com>
    iio: accel: mma8452: use the correct logic to get mma8452_data

Robert Hancock <robert.hancock@calian.com>
    iio: adc: xilinx-ams: Fix single channel switching sequence

Robert Hancock <robert.hancock@calian.com>
    dt-bindings: iio: adc: zynqmp_ams: Add clock entry

Miaoqian Lin <linmq006@gmail.com>
    coresight: syscfg: Fix memleak on registration failure in cscfg_create_device

James Clark <james.clark@arm.com>
    coresight: Fix TRCCONFIGR.QE sysfs interface

Akira Yokosawa <akiyks@gmail.com>
    docs: sphinx/requirements: Limit jinja2<3.1

Paul Davey <paul.davey@alliedtelesis.co.nz>
    bus: mhi: Fix MHI DMA structure endianness

Paul Davey <paul.davey@alliedtelesis.co.nz>
    bus: mhi: Fix pm_state conversion to string

Yonglin Tan <yonglin.tan@outlook.com>
    bus: mhi: pci_generic: Add mru_default for Quectel EM1xx series

Alexander Usyskin <alexander.usyskin@intel.com>
    mei: avoid iterator usage outside of list_for_each_entry

Alexander Usyskin <alexander.usyskin@intel.com>
    mei: me: add Alder Lake N device id.

Alexander Usyskin <alexander.usyskin@intel.com>
    mei: me: disable driver on the ign firmware

Anssi Hannula <anssi.hannula@bitwise.fi>
    xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx()

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: make xhci_handshake timeout for xhci_reset() adjustable

Henry Lin <henryl@nvidia.com>
    xhci: fix runtime PM imbalance in USB2 resume

Anssi Hannula <anssi.hannula@bitwise.fi>
    xhci: fix garbage USBSTS being logged in some cases

Alan Stern <stern@rowland.harvard.edu>
    USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c

Sven Peter <sven@svenpeter.dev>
    usb: typec: tipd: Forward plug orientation to typec subsystem

Jens Axboe <axboe@kernel.dk>
    block: ensure plug merging checks the correct queue at least once

Jens Axboe <axboe@kernel.dk>
    block: flush plug based on hardware and software queue order

Robin Murphy <robin.murphy@arm.com>
    iommu/iova: Improve 32-bit free space estimate

Alex Deucher <alexander.deucher@amd.com>
    drm/amdgpu: only check for _PR3 on dGPUs

Alex Deucher <alexander.deucher@amd.com>
    drm/amdgpu: move PX checking into amdgpu_device_ip_early_init

Waiman Long <longman@redhat.com>
    locking/lockdep: Avoid potential access of invalid memory in lock_class

Muchun Song <songmuchun@bytedance.com>
    mm: kfence: fix missing objcg housekeeping for SLAB

Johan Hovold <johan@kernel.org>
    USB: serial: simple: add Nokia phone driver

Johan Hovold <johan@kernel.org>
    USB: serial: pl2303: fix GS type detection

Krzysztof Kozlowski <krzk@kernel.org>
    dt-bindings: usb: hcd: correct usb-device path

Eddie James <eajames@linux.ibm.com>
    USB: serial: pl2303: add IBM device IDs

Linus Torvalds <torvalds@linux-foundation.org>
    Revert "swiotlb: rework "fix info leak with DMA_FROM_DEVICE""


-------------

Diffstat:

 Documentation/ABI/testing/sysfs-fs-f2fs            |   1 +
 Documentation/admin-guide/kernel-parameters.txt    |   3 +-
 Documentation/admin-guide/sysctl/kernel.rst        |   1 +
 .../bindings/iio/adc/xlnx,zynqmp-ams.yaml          |   8 +
 .../devicetree/bindings/media/i2c/hynix,hi846.yaml |   6 +-
 .../memory-controllers/mediatek,smi-common.yaml    |  28 +-
 .../memory-controllers/mediatek,smi-larb.yaml      |  16 +-
 .../devicetree/bindings/mtd/nand-controller.yaml   |   4 +-
 .../bindings/pinctrl/microchip,sparx5-sgpio.yaml   |   2 +-
 .../bindings/pinctrl/pinctrl-mt8195.yaml           |  30 +-
 .../bindings/spi/nvidia,tegra210-quad.yaml         |   2 +-
 Documentation/devicetree/bindings/spi/spi-mxic.txt |   4 +-
 Documentation/devicetree/bindings/usb/usb-hcd.yaml |   2 +-
 Documentation/driver-api/cxl/memory-devices.rst    |   4 +-
 Documentation/process/stable-kernel-rules.rst      |  11 +-
 Documentation/security/SCTP.rst                    |  26 +-
 Documentation/sound/hd-audio/models.rst            |   4 +
 Documentation/sphinx/requirements.txt              |   2 +
 MAINTAINERS                                        |   3 +-
 Makefile                                           |   4 +-
 arch/Kconfig                                       |   1 +
 arch/arc/kernel/process.c                          |   2 +-
 arch/arm/boot/dts/bcm2711.dtsi                     |  50 +++
 arch/arm/boot/dts/bcm2837.dtsi                     |  49 +++
 arch/arm/boot/dts/dra7-l4.dtsi                     |   5 +-
 arch/arm/boot/dts/dra7.dtsi                        |   8 +-
 arch/arm/boot/dts/exynos5250-pinctrl.dtsi          |   2 +-
 arch/arm/boot/dts/exynos5250-smdk5250.dts          |   3 +
 arch/arm/boot/dts/exynos5420-smdk5420.dts          |   3 +
 arch/arm/boot/dts/imx53-m53menlo.dts               |  29 +-
 arch/arm/boot/dts/imx7-colibri.dtsi                |   4 +-
 arch/arm/boot/dts/imx7-mba7.dtsi                   |   2 +-
 arch/arm/boot/dts/imx7d-nitrogen7.dts              |   2 +-
 arch/arm/boot/dts/imx7d-pico-hobbit.dts            |   4 +-
 arch/arm/boot/dts/imx7d-pico-pi.dts                |   4 +-
 arch/arm/boot/dts/imx7d-sdb.dts                    |   4 +-
 arch/arm/boot/dts/imx7s-warp.dts                   |   4 +-
 arch/arm/boot/dts/openbmc-flash-layout-64.dtsi     |   2 +-
 arch/arm/boot/dts/openbmc-flash-layout.dtsi        |   2 +-
 arch/arm/boot/dts/qcom-ipq4019.dtsi                |   3 +-
 arch/arm/boot/dts/qcom-msm8960.dtsi                |   8 +-
 arch/arm/boot/dts/qcom-sdx55.dtsi                  |   2 +-
 arch/arm/boot/dts/sama5d2.dtsi                     |   2 +-
 arch/arm/boot/dts/sama7g5.dtsi                     |   6 -
 arch/arm/boot/dts/spear1340.dtsi                   |   6 +-
 arch/arm/boot/dts/spear13xx.dtsi                   |   6 +-
 arch/arm/boot/dts/stm32mp15-pinctrl.dtsi           |   2 +-
 arch/arm/boot/dts/sun8i-v3s.dtsi                   |  22 +-
 arch/arm/boot/dts/tegra20-asus-tf101.dts           |   2 +
 arch/arm/boot/dts/tegra20-tamonten.dtsi            |   6 +-
 .../boot/dts/tegra30-asus-transformer-common.dtsi  |   2 +
 arch/arm/boot/dts/tegra30-pegatron-chagall.dts     |   2 +
 arch/arm/configs/multi_v5_defconfig                |   2 +
 arch/arm/crypto/Kconfig                            |   2 +
 arch/arm/kernel/entry-ftrace.S                     |  53 +--
 arch/arm/kernel/swp_emulate.c                      |   2 +-
 arch/arm/kernel/traps.c                            |   2 +-
 arch/arm/mach-iop32x/include/mach/entry-macro.S    |   2 +-
 arch/arm/mach-iop32x/include/mach/irqs.h           |   2 +-
 arch/arm/mach-iop32x/irq.c                         |   6 +-
 arch/arm/mach-iop32x/irqs.h                        |  60 +--
 arch/arm/mach-mmp/sram.c                           |  22 +-
 arch/arm/mach-s3c/mach-jive.c                      |   6 +-
 arch/arm64/Kconfig                                 |   1 +
 arch/arm64/boot/dts/broadcom/bcm4908/bcm4908.dtsi  |   8 +-
 .../arm64/boot/dts/broadcom/northstar2/ns2-svk.dts |   8 +-
 arch/arm64/boot/dts/broadcom/northstar2/ns2.dtsi   |   2 +-
 arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi     |   6 +-
 arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi     |   6 +-
 arch/arm64/boot/dts/qcom/ipq6018.dtsi              |   2 +-
 arch/arm64/boot/dts/qcom/msm8916-samsung-j5.dts    |   2 +-
 arch/arm64/boot/dts/qcom/msm8994.dtsi              |   3 +
 arch/arm64/boot/dts/qcom/sc7280.dtsi               |   2 +-
 arch/arm64/boot/dts/qcom/sdm845.dtsi               |   8 +-
 arch/arm64/boot/dts/qcom/sm8150.dtsi               |   6 +-
 arch/arm64/boot/dts/qcom/sm8250.dtsi               |  16 +-
 arch/arm64/boot/dts/qcom/sm8350.dtsi               |   2 +-
 arch/arm64/boot/dts/qcom/sm8450.dtsi               |  28 +-
 arch/arm64/boot/dts/rockchip/rk3399-firefly.dts    |   4 +-
 arch/arm64/boot/dts/ti/k3-am64-main.dtsi           |   5 +-
 arch/arm64/boot/dts/ti/k3-am64.dtsi                |   1 +
 arch/arm64/boot/dts/ti/k3-am65-main.dtsi           |   5 +-
 arch/arm64/boot/dts/ti/k3-am65.dtsi                |   1 +
 arch/arm64/boot/dts/ti/k3-j7200-main.dtsi          |   5 +-
 arch/arm64/boot/dts/ti/k3-j7200.dtsi               |   1 +
 arch/arm64/boot/dts/ti/k3-j721e-main.dtsi          |   5 +-
 arch/arm64/boot/dts/ti/k3-j721e.dtsi               |   1 +
 arch/arm64/boot/dts/ti/k3-j721s2-main.dtsi         |   5 +-
 arch/arm64/boot/dts/ti/k3-j721s2-mcu-wakeup.dtsi   |   4 +-
 arch/arm64/boot/dts/ti/k3-j721s2.dtsi              |   1 +
 arch/arm64/configs/defconfig                       |   2 +-
 arch/arm64/include/asm/module.lds.h                |   6 +-
 arch/arm64/include/asm/spectre.h                   |   3 +-
 arch/arm64/kernel/proton-pack.c                    |   9 +-
 arch/arm64/kernel/signal.c                         |  10 +-
 arch/arm64/mm/init.c                               |  36 +-
 arch/arm64/mm/mmu.c                                |  41 +-
 arch/arm64/net/bpf_jit_comp.c                      |  18 +-
 arch/csky/kernel/perf_callchain.c                  |   2 +-
 arch/csky/kernel/signal.c                          |   2 +-
 arch/m68k/coldfire/device.c                        |   6 +-
 arch/microblaze/include/asm/uaccess.h              |  18 +-
 arch/mips/Kconfig                                  |   1 +
 arch/mips/Makefile                                 |   4 -
 arch/mips/boot/compressed/Makefile                 |   1 +
 arch/mips/crypto/crc32-mips.c                      |  46 +-
 arch/mips/dec/int-handler.S                        |   6 +-
 arch/mips/dec/prom/Makefile                        |   2 +-
 arch/mips/dec/setup.c                              |   3 +-
 arch/mips/include/asm/dec/prom.h                   |  15 +-
 arch/mips/include/asm/pgalloc.h                    |   6 +
 arch/mips/mm/tlbex.c                               |  23 +-
 arch/mips/rb532/devices.c                          |   6 +-
 arch/mips/vdso/Makefile                            |   3 +
 arch/nios2/include/asm/uaccess.h                   |  26 +-
 arch/nios2/kernel/signal.c                         |  20 +-
 arch/parisc/include/asm/traps.h                    |   1 +
 arch/parisc/kernel/cache.c                         |  28 +-
 arch/parisc/kernel/traps.c                         |   2 +
 arch/parisc/mm/fault.c                             |  89 ++++
 arch/powerpc/Makefile                              |   2 +-
 arch/powerpc/boot/dts/fsl/t1040rdb-rev-a.dts       |  30 ++
 arch/powerpc/boot/dts/fsl/t1040rdb.dts             |   8 +-
 arch/powerpc/include/asm/io.h                      |  40 +-
 arch/powerpc/include/asm/set_memory.h              |  12 +-
 arch/powerpc/include/asm/uaccess.h                 |   3 +
 arch/powerpc/kernel/time.c                         |   5 +-
 arch/powerpc/kernel/tm.S                           |  25 +-
 arch/powerpc/kvm/book3s_hv.c                       |   5 +-
 arch/powerpc/kvm/powerpc.c                         |   4 +-
 arch/powerpc/lib/sstep.c                           |  12 +-
 arch/powerpc/mm/fault.c                            |  14 +-
 arch/powerpc/mm/kasan/kasan_init_32.c              |   3 +-
 arch/powerpc/mm/numa.c                             |   4 +-
 arch/powerpc/mm/pageattr.c                         |  39 +-
 arch/powerpc/mm/pgtable_32.c                       |  24 +-
 arch/powerpc/perf/imc-pmu.c                        |   6 +-
 arch/powerpc/platforms/8xx/pic.c                   |   1 +
 arch/powerpc/platforms/powernv/rng.c               |   6 +-
 arch/powerpc/platforms/pseries/pci_dlpar.c         |   4 +
 arch/powerpc/sysdev/fsl_gtm.c                      |   4 +-
 arch/powerpc/sysdev/xive/common.c                  |   6 +-
 arch/riscv/boot/dts/canaan/sipeed_maix_bit.dts     |   2 +
 arch/riscv/boot/dts/canaan/sipeed_maix_dock.dts    |   2 +
 arch/riscv/boot/dts/canaan/sipeed_maix_go.dts      |   2 +
 arch/riscv/boot/dts/canaan/sipeed_maixduino.dts    |   2 +
 arch/riscv/include/asm/module.lds.h                |   6 +-
 arch/riscv/include/asm/thread_info.h               |  10 +-
 arch/riscv/kernel/cpu_ops_sbi.c                    |   2 +-
 arch/riscv/kernel/perf_callchain.c                 |   6 +-
 arch/s390/kvm/kvm-s390.c                           |  19 +-
 arch/s390/kvm/kvm-s390.h                           |   4 +-
 arch/s390/kvm/priv.c                               |  15 +-
 arch/sparc/kernel/signal_32.c                      |   2 +-
 arch/um/drivers/mconsole_kern.c                    |   3 +-
 arch/x86/crypto/poly1305-x86_64-cryptogams.pl      |  38 +-
 arch/x86/events/intel/pt.c                         |   2 +-
 arch/x86/include/asm/svm.h                         |  10 +-
 arch/x86/kernel/fpu/xstate.c                       |   2 +-
 arch/x86/kernel/kvm.c                              |   2 +-
 arch/x86/kvm/emulate.c                             |  14 +-
 arch/x86/kvm/hyperv.c                              |  96 +++--
 arch/x86/kvm/lapic.c                               |   9 +-
 arch/x86/kvm/mmu.h                                 |   1 +
 arch/x86/kvm/mmu/paging_tmpl.h                     |  74 ++--
 arch/x86/kvm/mmu/tdp_mmu.c                         |  61 ++-
 arch/x86/kvm/mmu/tdp_mmu.h                         |   3 -
 arch/x86/kvm/svm/avic.c                            |  17 +-
 arch/x86/kvm/svm/sev.c                             |  36 +-
 arch/x86/kvm/x86.c                                 |   3 +-
 arch/x86/lib/iomem.c                               |  65 ++-
 arch/x86/xen/pmu.c                                 |  10 +-
 arch/x86/xen/pmu.h                                 |   3 +-
 arch/x86/xen/smp_pv.c                              |   2 +-
 arch/xtensa/include/asm/pgtable.h                  |   4 +
 arch/xtensa/include/asm/processor.h                |   4 +-
 arch/xtensa/kernel/jump_label.c                    |   2 +-
 arch/xtensa/kernel/mxhead.S                        |   2 +
 arch/xtensa/mm/tlb.c                               |   6 +
 block/bfq-cgroup.c                                 |   6 +
 block/bfq-iosched.c                                |  31 +-
 block/bfq-wf2q.c                                   |   2 +-
 block/bio.c                                        |   3 +-
 block/blk-cgroup.c                                 |  10 +-
 block/blk-ioc.c                                    |   3 +-
 block/blk-iolatency.c                              |   2 +-
 block/blk-merge.c                                  |  33 +-
 block/blk-mq-sched.c                               |   9 +-
 block/blk-mq.c                                     |  59 ++-
 block/blk-rq-qos.h                                 |  20 +-
 block/blk-sysfs.c                                  |   8 +-
 block/blk-throttle.c                               |  10 +-
 block/blk-throttle.h                               |   2 -
 block/genhd.c                                      |  16 +-
 crypto/Kconfig                                     |   1 +
 crypto/asymmetric_keys/pkcs7_verify.c              |   6 -
 crypto/asymmetric_keys/public_key.c                | 126 ++++--
 crypto/asymmetric_keys/x509_public_key.c           |   6 -
 crypto/authenc.c                                   |   2 +-
 crypto/rsa-pkcs1pad.c                              |  11 +-
 crypto/xts.c                                       |   1 +
 drivers/acpi/acpica/nswalk.c                       |   3 +
 drivers/acpi/apei/bert.c                           |  10 +-
 drivers/acpi/apei/erst.c                           |   2 +-
 drivers/acpi/apei/hest.c                           |   2 +-
 drivers/acpi/bus.c                                 |  27 +-
 drivers/acpi/cppc_acpi.c                           |   5 +
 drivers/acpi/property.c                            |   2 +-
 drivers/acpi/x86/utils.c                           |  21 +
 drivers/base/dd.c                                  |   2 +-
 drivers/base/memory.c                              |   8 +-
 drivers/base/power/domain.c                        |   2 +-
 drivers/base/power/main.c                          |   6 +-
 drivers/block/drbd/drbd_req.c                      |   3 +-
 drivers/block/loop.c                               |  11 +-
 drivers/block/n64cart.c                            |   2 +-
 drivers/bluetooth/btintel.c                        |  11 +-
 drivers/bluetooth/btintel.h                        |   1 +
 drivers/bluetooth/btmtksdio.c                      | 157 +++++--
 drivers/bluetooth/btusb.c                          |   6 +
 drivers/bluetooth/hci_h5.c                         |   8 +-
 drivers/bluetooth/hci_serdev.c                     |   3 +-
 drivers/bus/mhi/core/debugfs.c                     |  26 +-
 drivers/bus/mhi/core/init.c                        |  46 +-
 drivers/bus/mhi/core/internal.h                    | 121 +++---
 drivers/bus/mhi/core/main.c                        |  22 +-
 drivers/bus/mhi/core/pm.c                          |   4 +-
 drivers/bus/mhi/pci_generic.c                      |   1 +
 drivers/bus/mips_cdmm.c                            |   1 +
 drivers/char/hw_random/Kconfig                     |   2 +-
 drivers/char/hw_random/atmel-rng.c                 |   1 +
 drivers/char/hw_random/cavium-rng-vf.c             |   2 +-
 drivers/char/hw_random/nomadik-rng.c               |   4 +-
 drivers/clk/actions/owl-s700.c                     |   1 +
 drivers/clk/actions/owl-s900.c                     |   2 +-
 drivers/clk/at91/sama7g5.c                         |   8 +-
 drivers/clk/clk-clps711x.c                         |   2 +
 drivers/clk/clk.c                                  |  16 +-
 drivers/clk/hisilicon/clk-hi3559a.c                |   4 +-
 drivers/clk/imx/clk-imx7d.c                        |   1 -
 drivers/clk/imx/clk-imx8qxp-lpcg.c                 |   2 +-
 drivers/clk/loongson1/clk-loongson1c.c             |   1 +
 drivers/clk/qcom/clk-rcg2.c                        |  14 +-
 drivers/clk/qcom/gcc-ipq8074.c                     |  21 +-
 drivers/clk/qcom/gcc-msm8994.c                     |   1 +
 drivers/clk/renesas/r8a779f0-cpg-mssr.c            |   2 +-
 drivers/clk/renesas/r9a07g044-cpg.c                |   4 +-
 drivers/clk/rockchip/clk.c                         |   3 +
 drivers/clk/starfive/clk-starfive-jh7100.c         |  82 +++-
 drivers/clk/tegra/clk-tegra124-emc.c               |   1 +
 drivers/clk/uniphier/clk-uniphier-fixed-rate.c     |   1 +
 drivers/clk/visconti/clkc-tmpv770x.c               |   2 +-
 drivers/clk/visconti/clkc.c                        |   2 +-
 drivers/clk/visconti/clkc.h                        |   3 +
 drivers/clocksource/acpi_pm.c                      |   6 +-
 drivers/clocksource/exynos_mct.c                   |  10 +-
 drivers/clocksource/timer-microchip-pit64b.c       |   2 +-
 drivers/clocksource/timer-of.c                     |   6 +-
 drivers/clocksource/timer-ti-dm-systimer.c         |   4 +-
 drivers/cpufreq/qcom-cpufreq-nvmem.c               |   2 +-
 drivers/cpuidle/cpuidle-qcom-spm.c                 |  20 +
 .../crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c    |   3 +
 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c  |   3 +
 .../crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c    |   3 +
 drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c  |   2 +
 drivers/crypto/allwinner/sun8i-ss/sun8i-ss-hash.c  |   3 +
 drivers/crypto/amlogic/amlogic-gxl-cipher.c        |   2 +
 drivers/crypto/ccp/ccp-dmaengine.c                 |  16 +
 drivers/crypto/ccp/sev-dev.c                       |   2 +-
 drivers/crypto/ccree/cc_buffer_mgr.c               |   7 +
 drivers/crypto/ccree/cc_cipher.c                   |   2 +-
 drivers/crypto/gemini/sl3516-ce-cipher.c           |   2 +
 drivers/crypto/hisilicon/qm.c                      |   2 +-
 drivers/crypto/hisilicon/sec2/sec_crypto.c         |  16 +-
 drivers/crypto/hisilicon/sec2/sec_main.c           |   8 +-
 drivers/crypto/marvell/Kconfig                     |   1 +
 .../crypto/marvell/octeontx2/otx2_cptpf_ucode.c    |  43 +-
 drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c |  17 +-
 drivers/crypto/mxs-dcp.c                           |   2 +-
 drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c     |   2 +-
 drivers/crypto/qat/qat_common/adf_gen4_pfvf.c      |  42 +-
 drivers/crypto/qat/qat_common/adf_pfvf_vf_msg.c    |   4 +-
 drivers/crypto/rockchip/rk3288_crypto_skcipher.c   |   1 -
 drivers/crypto/vmx/Kconfig                         |   4 +
 drivers/cxl/core/Makefile                          |   2 +-
 drivers/cxl/core/{bus.c => port.c}                 |   4 +
 drivers/cxl/core/regs.c                            |   6 +-
 drivers/dax/super.c                                |   1 +
 drivers/dma-buf/udmabuf.c                          |   4 +
 drivers/dma/hisi_dma.c                             |   2 +-
 drivers/dma/idxd/device.c                          |   9 +-
 drivers/firmware/efi/efi-pstore.c                  |   2 +-
 drivers/firmware/google/Kconfig                    |   2 +-
 drivers/firmware/qcom_scm.c                        |   6 -
 drivers/firmware/stratix10-svc.c                   |   2 +-
 drivers/firmware/sysfb_simplefb.c                  |  23 +-
 drivers/fsi/fsi-master-aspeed.c                    |  17 +-
 drivers/fsi/fsi-scom.c                             |  45 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c     |   2 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c         |  15 +
 drivers/gpu/drm/amd/amdgpu/amdgpu_fru_eeprom.c     |  13 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c            |  11 -
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c  |  19 +-
 .../gpu/drm/amd/display/dc/core/dc_link_enc_cfg.c  |   8 +
 drivers/gpu/drm/amd/display/dc/inc/link_enc_cfg.h  |   5 +
 .../amd/display/dc/irq/dcn21/irq_service_dcn21.c   |  14 -
 drivers/gpu/drm/amd/pm/amdgpu_pm.c                 |   4 +-
 drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c          |   2 +-
 drivers/gpu/drm/bridge/adv7511/adv7511.h           |   1 +
 drivers/gpu/drm/bridge/adv7511/adv7511_drv.c       |  29 +-
 drivers/gpu/drm/bridge/analogix/anx7625.c          |   3 +-
 drivers/gpu/drm/bridge/cdns-dsi.c                  |   1 +
 drivers/gpu/drm/bridge/lontium-lt9611.c            |   6 +-
 drivers/gpu/drm/bridge/nwl-dsi.c                   |   1 +
 drivers/gpu/drm/bridge/sil-sii8620.c               |   2 +-
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c          |   5 +-
 drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c      |   1 +
 drivers/gpu/drm/bridge/ti-sn65dsi83.c              |  32 +-
 drivers/gpu/drm/drm_dp_helper.c                    |  10 -
 drivers/gpu/drm/drm_edid.c                         |  18 +-
 drivers/gpu/drm/drm_fb_helper.c                    |   9 +-
 drivers/gpu/drm/drm_syncobj.c                      |  61 ++-
 drivers/gpu/drm/i915/display/intel_bw.c            |   3 +-
 drivers/gpu/drm/i915/display/intel_dp.c            |   2 +-
 drivers/gpu/drm/i915/display/intel_hdmi.c          |  13 +-
 drivers/gpu/drm/i915/display/intel_opregion.c      |  15 +
 drivers/gpu/drm/i915/display/intel_pps.c           |   6 +-
 drivers/gpu/drm/i915/display/intel_pps.h           |   2 +-
 drivers/gpu/drm/i915/display/intel_psr.c           |   4 +
 drivers/gpu/drm/i915/gem/i915_gem_mman.c           |   2 +-
 drivers/gpu/drm/i915/i915_drv.h                    |   2 +-
 drivers/gpu/drm/i915/intel_pm.c                    |  10 +-
 drivers/gpu/drm/meson/meson_drv.c                  |  25 +-
 drivers/gpu/drm/meson/meson_osd_afbcd.c            |  41 +-
 drivers/gpu/drm/meson/meson_osd_afbcd.h            |   1 +
 drivers/gpu/drm/mgag200/mgag200_mode.c             |   5 +-
 drivers/gpu/drm/msm/adreno/a6xx_gpu.c              |  12 +-
 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c        |   7 +-
 drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c             |   8 +
 drivers/gpu/drm/msm/dp/dp_ctrl.c                   |  83 ++--
 drivers/gpu/drm/msm/dp/dp_ctrl.h                   |   8 +-
 drivers/gpu/drm/msm/dp/dp_display.c                | 116 +++---
 drivers/gpu/drm/msm/dp/dp_drm.c                    |  21 +-
 drivers/gpu/drm/msm/dp/dp_panel.c                  |   5 +
 drivers/gpu/drm/msm/dsi/phy/dsi_phy_10nm.c         |   4 +-
 drivers/gpu/drm/msm/dsi/phy/dsi_phy_14nm.c         |   4 +-
 drivers/gpu/drm/msm/dsi/phy/dsi_phy_28nm.c         |   4 +-
 drivers/gpu/drm/msm/dsi/phy/dsi_phy_28nm_8960.c    |   4 +-
 drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c          |  26 +-
 drivers/gpu/drm/nouveau/nouveau_backlight.c        |   6 +-
 drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c     |   9 +-
 drivers/gpu/drm/panfrost/panfrost_gpu.c            |   5 +-
 drivers/gpu/drm/radeon/radeon_connectors.c         |   2 +-
 drivers/gpu/drm/selftests/test-drm_dp_mst_helper.c |   4 +-
 drivers/gpu/drm/tegra/dp.c                         |  11 +-
 drivers/gpu/drm/tegra/dsi.c                        |   4 +-
 drivers/gpu/drm/tiny/simpledrm.c                   |   3 +
 drivers/gpu/drm/v3d/v3d_drv.c                      |   8 +-
 drivers/gpu/host1x/dev.c                           |   8 +-
 drivers/greybus/svc.c                              |   8 +-
 drivers/hid/i2c-hid/i2c-hid-core.c                 |  32 +-
 drivers/hid/intel-ish-hid/ishtp-fw-loader.c        |  29 +-
 drivers/hv/hv_balloon.c                            |   2 +-
 drivers/hwmon/pmbus/pmbus.h                        |   1 +
 drivers/hwmon/pmbus/pmbus_core.c                   |  18 +-
 drivers/hwmon/sch56xx-common.c                     |   2 +-
 .../hwtracing/coresight/coresight-etm4x-sysfs.c    |   8 +-
 drivers/hwtracing/coresight/coresight-syscfg.c     |   2 +-
 drivers/i2c/busses/i2c-bcm2835.c                   |  21 +-
 drivers/i2c/busses/i2c-meson.c                     |  12 +-
 drivers/i2c/busses/i2c-pasemi-core.c               |   1 -
 drivers/i2c/busses/i2c-pasemi-pci.c                |   1 +
 drivers/i2c/busses/i2c-xiic.c                      |   3 +-
 drivers/i2c/muxes/i2c-demux-pinctrl.c              |   5 +-
 drivers/iio/accel/mma8452.c                        |  33 +-
 drivers/iio/adc/aspeed_adc.c                       |   4 +-
 drivers/iio/adc/twl6030-gpadc.c                    |   2 +
 drivers/iio/adc/xilinx-ams.c                       |  15 +-
 drivers/iio/afe/iio-rescale.c                      |   8 +-
 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c       |   4 +-
 drivers/iio/inkern.c                               |  40 +-
 drivers/infiniband/core/cma.c                      |   2 +-
 drivers/infiniband/core/nldev.c                    |   3 +-
 drivers/infiniband/core/verbs.c                    |   1 +
 drivers/infiniband/hw/hfi1/verbs.c                 |   3 +-
 drivers/infiniband/hw/irdma/ctrl.c                 |  10 +-
 drivers/infiniband/hw/irdma/hw.c                   |   2 +-
 drivers/infiniband/hw/irdma/i40iw_if.c             |   1 +
 drivers/infiniband/hw/irdma/main.c                 |   1 +
 drivers/infiniband/hw/irdma/main.h                 |   1 +
 drivers/infiniband/hw/irdma/utils.c                |  48 ++-
 drivers/infiniband/hw/irdma/verbs.c                |   4 +-
 drivers/infiniband/hw/mlx5/devx.c                  |   4 +-
 drivers/infiniband/hw/mlx5/mr.c                    |   2 +
 drivers/infiniband/sw/rxe/rxe_av.c                 |  19 +-
 drivers/infiniband/sw/rxe/rxe_loc.h                |   5 +-
 drivers/infiniband/sw/rxe/rxe_net.c                |  17 +-
 drivers/infiniband/sw/rxe/rxe_req.c                |  63 +--
 drivers/infiniband/sw/rxe/rxe_resp.c               |  12 +-
 drivers/input/input.c                              |   6 -
 drivers/iommu/iova.c                               |   5 +-
 drivers/iommu/ipmmu-vmsa.c                         |   4 +-
 drivers/iommu/mtk_iommu.c                          |  32 +-
 drivers/iommu/mtk_iommu_v1.c                       |  40 +-
 drivers/irqchip/irq-nvic.c                         |   2 +
 drivers/irqchip/qcom-pdc.c                         |   5 +-
 drivers/mailbox/imx-mailbox.c                      |  11 +-
 drivers/mailbox/tegra-hsp.c                        |   5 +
 drivers/md/bcache/btree.c                          |   6 +-
 drivers/md/bcache/writeback.c                      |   6 +-
 drivers/md/dm-core.h                               |   2 +
 drivers/md/dm-crypt.c                              |   2 +-
 drivers/md/dm-integrity.c                          |   6 +-
 drivers/md/dm-stats.c                              |  34 +-
 drivers/md/dm-stats.h                              |  11 +-
 drivers/md/dm.c                                    |  86 ++--
 drivers/media/i2c/adv7511-v4l2.c                   |   2 +-
 drivers/media/i2c/adv7604.c                        |   2 +-
 drivers/media/i2c/adv7842.c                        |   2 +-
 drivers/media/i2c/ov2740.c                         |   8 +-
 drivers/media/i2c/ov5640.c                         |  14 +-
 drivers/media/i2c/ov5648.c                         |  12 +-
 drivers/media/i2c/ov6650.c                         | 115 +++--
 drivers/media/i2c/ov8865.c                         |   4 +-
 drivers/media/pci/bt8xx/bttv-driver.c              |   4 +-
 drivers/media/pci/cx88/cx88-mpeg.c                 |   3 +
 drivers/media/pci/ivtv/ivtv-driver.h               |   1 -
 drivers/media/pci/ivtv/ivtv-ioctl.c                |  10 +-
 drivers/media/pci/ivtv/ivtv-streams.c              |  11 +-
 drivers/media/pci/saa7134/saa7134-alsa.c           |   4 +-
 drivers/media/platform/aspeed-video.c              |   9 +-
 drivers/media/platform/atmel/atmel-isc-base.c      |  22 +-
 drivers/media/platform/atmel/atmel-sama7g5-isc.c   |   6 -
 drivers/media/platform/coda/coda-common.c          |   1 +
 drivers/media/platform/davinci/vpif.c              | 109 +++--
 drivers/media/platform/imx-jpeg/mxc-jpeg.c         |   7 +-
 drivers/media/platform/meson/ge2d/ge2d.c           |  24 +-
 .../media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c  |   2 +
 drivers/media/platform/omap3isp/ispstat.c          |   5 +-
 drivers/media/platform/qcom/camss/camss-csid-170.c |  19 +-
 drivers/media/platform/qcom/camss/camss-vfe-170.c  |  12 +-
 drivers/media/platform/qcom/venus/helpers.c        |   2 +-
 drivers/media/platform/qcom/venus/hfi_cmds.c       |   2 +
 drivers/media/platform/qcom/venus/venc.c           |   4 +-
 drivers/media/platform/qcom/venus/venc_ctrls.c     |   6 +-
 drivers/media/platform/ti-vpe/cal-video.c          |   3 +
 drivers/media/rc/gpio-ir-tx.c                      |  28 +-
 drivers/media/rc/ir_toy.c                          |   2 +-
 drivers/media/test-drivers/vidtv/vidtv_s302m.c     |  17 +-
 drivers/media/usb/em28xx/em28xx-cards.c            |  13 +-
 drivers/media/usb/go7007/s2250-board.c             |  10 +-
 drivers/media/usb/hdpvr/hdpvr-video.c              |   4 +-
 drivers/media/usb/stk1160/stk1160-core.c           |   2 +-
 drivers/media/usb/stk1160/stk1160-v4l.c            |  10 +-
 drivers/media/usb/stk1160/stk1160.h                |   2 +-
 drivers/media/v4l2-core/v4l2-ctrls-core.c          |  18 +
 drivers/media/v4l2-core/v4l2-ioctl.c               |  12 +-
 drivers/media/v4l2-core/v4l2-mem2mem.c             |  53 ++-
 drivers/memory/emif.c                              |   8 +-
 drivers/memory/tegra/tegra20-emc.c                 |   2 +-
 drivers/memstick/core/mspro_block.c                |  10 +-
 drivers/mfd/asic3.c                                |  10 +-
 drivers/mfd/mc13xxx-core.c                         |   4 +-
 drivers/misc/cardreader/alcor_pci.c                |   9 +-
 drivers/misc/habanalabs/common/debugfs.c           |   2 +
 drivers/misc/kgdbts.c                              |   4 +-
 drivers/misc/mei/hw-me-regs.h                      |   2 +
 drivers/misc/mei/hw-me.c                           |  23 +-
 drivers/misc/mei/interrupt.c                       |  35 +-
 drivers/misc/mei/pci-me.c                          |   1 +
 drivers/mmc/core/bus.c                             |   9 +-
 drivers/mmc/core/bus.h                             |   3 +-
 drivers/mmc/core/host.c                            |  15 +-
 drivers/mmc/core/mmc.c                             |  16 +-
 drivers/mmc/core/sd.c                              |  25 +-
 drivers/mmc/core/sdio.c                            |   5 +-
 drivers/mmc/core/sdio_bus.c                        |   7 +-
 drivers/mmc/host/davinci_mmc.c                     |   6 +-
 drivers/mmc/host/rtsx_pci_sdmmc.c                  |  20 +-
 drivers/mmc/host/sdhci_am654.c                     |  24 +-
 drivers/mtd/devices/mchp23k256.c                   |  14 +
 drivers/mtd/devices/mchp48l640.c                   |  10 +
 drivers/mtd/nand/onenand/generic.c                 |   7 +-
 drivers/mtd/nand/raw/atmel/nand-controller.c       |  14 +-
 drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c         |   3 +
 drivers/mtd/nand/raw/nand_base.c                   |  44 +-
 drivers/mtd/nand/raw/pl35x-nand-controller.c       |   2 +-
 drivers/mtd/spi-nor/core.c                         |   3 +-
 drivers/mtd/ubi/build.c                            |   9 +-
 drivers/mtd/ubi/fastmap.c                          |  28 +-
 drivers/mtd/ubi/vmt.c                              |   8 +-
 drivers/net/bareudp.c                              |  19 +-
 drivers/net/can/m_can/m_can.c                      |   5 +-
 drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c     |   2 +-
 drivers/net/can/usb/ems_usb.c                      |   1 -
 drivers/net/can/usb/mcba_usb.c                     |  27 +-
 drivers/net/can/usb/usb_8dev.c                     |  30 +-
 drivers/net/can/vxcan.c                            |   2 +-
 drivers/net/dsa/Kconfig                            |  12 +-
 drivers/net/dsa/Makefile                           |   3 +-
 drivers/net/dsa/bcm_sf2_cfp.c                      |   6 +-
 drivers/net/dsa/mv88e6xxx/chip.c                   |   1 +
 drivers/net/dsa/realtek/Kconfig                    |  20 +
 drivers/net/dsa/realtek/Makefile                   |   3 +
 drivers/net/dsa/{ => realtek}/realtek-smi-core.c   |   0
 drivers/net/dsa/{ => realtek}/realtek-smi-core.h   |   4 +-
 drivers/net/dsa/{ => realtek}/rtl8365mb.c          |   0
 drivers/net/dsa/{ => realtek}/rtl8366.c            |   0
 drivers/net/dsa/{ => realtek}/rtl8366rb.c          |   2 +
 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c      |   6 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h      |   2 +-
 drivers/net/ethernet/broadcom/genet/bcmgenet.c     |   4 +-
 .../net/ethernet/freescale/enetc/enetc_ethtool.c   |   5 +-
 drivers/net/ethernet/freescale/enetc/enetc_qos.c   | 128 +++---
 drivers/net/ethernet/hisilicon/hns3/hnae3.h        |   4 +
 drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c |  15 +-
 drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h |   1 -
 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c    |  44 +-
 drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c |  23 +-
 .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c    | 179 ++++++--
 .../ethernet/hisilicon/hns3/hns3pf/hclge_main.h    |   4 +
 .../ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c    |   4 +-
 .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c  |   5 +
 drivers/net/ethernet/ibm/ibmvnic.c                 |  63 ++-
 drivers/net/ethernet/ibm/ibmvnic.h                 |   7 +-
 drivers/net/ethernet/intel/i40e/i40e_xsk.c         |  19 +-
 drivers/net/ethernet/intel/ice/ice.h               |   4 +-
 drivers/net/ethernet/intel/ice/ice_idc.c           |   3 +
 drivers/net/ethernet/intel/ice/ice_main.c          |  25 +-
 drivers/net/ethernet/intel/ice/ice_xsk.c           |  16 +-
 drivers/net/ethernet/intel/igb/igb_ethtool.c       |   4 -
 drivers/net/ethernet/intel/igb/igb_main.c          |  19 +-
 drivers/net/ethernet/intel/igc/igc_main.c          |  16 +-
 drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c       |  27 +-
 .../net/ethernet/marvell/octeontx2/af/rvu_npc.c    |  15 +-
 drivers/net/ethernet/microchip/sparx5/Kconfig      |   2 +
 .../net/ethernet/microchip/sparx5/sparx5_fdma.c    |   2 +
 .../net/ethernet/pensando/ionic/ionic_bus_pci.c    |   4 +-
 drivers/net/ethernet/pensando/ionic/ionic_dev.c    |  20 +-
 drivers/net/ethernet/pensando/ionic/ionic_dev.h    |   1 +
 drivers/net/ethernet/pensando/ionic/ionic_main.c   |  34 +-
 drivers/net/ethernet/qlogic/qed/qed_sriov.c        |  29 +-
 drivers/net/ethernet/qlogic/qed/qed_sriov.h        |   1 +
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h    |  10 +-
 .../ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c    |   7 +
 drivers/net/ethernet/ti/cpsw_ethtool.c             |   6 +-
 drivers/net/ethernet/xilinx/xilinx_axienet_main.c  |  72 ++--
 drivers/net/hyperv/netvsc.c                        |  24 +-
 drivers/net/phy/at803x.c                           |  40 +-
 drivers/net/phy/broadcom.c                         |  21 +
 drivers/net/phy/micrel.c                           |  30 +-
 drivers/net/usb/asix.h                             |   4 +-
 drivers/net/usb/asix_common.c                      |  19 +-
 drivers/net/usb/asix_devices.c                     |  21 +-
 drivers/net/wireguard/queueing.c                   |   3 +-
 drivers/net/wireguard/socket.c                     |   5 +-
 drivers/net/wireless/ath/ath10k/snoc.c             |   2 +-
 drivers/net/wireless/ath/ath10k/wow.c              |   7 +-
 drivers/net/wireless/ath/ath11k/dp_rx.c            |   2 +-
 drivers/net/wireless/ath/ath11k/dp_tx.c            |   2 +-
 drivers/net/wireless/ath/ath11k/mac.c              |  34 +-
 drivers/net/wireless/ath/ath11k/mhi.c              |   1 +
 drivers/net/wireless/ath/ath11k/qmi.c              |   3 +-
 drivers/net/wireless/ath/ath9k/htc_hst.c           |   5 +
 drivers/net/wireless/ath/carl9170/main.c           |   2 +-
 .../broadcom/brcm80211/brcmfmac/firmware.c         |   2 +
 .../wireless/broadcom/brcm80211/brcmfmac/pcie.c    |  73 ++--
 .../wireless/broadcom/brcm80211/brcmfmac/sdio.c    |   1 -
 drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c  |   2 +-
 drivers/net/wireless/intel/iwlwifi/fw/dbg.c        |   2 -
 drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c   |  13 +-
 drivers/net/wireless/intel/iwlwifi/iwl-prph.h      |   2 -
 drivers/net/wireless/intel/iwlwifi/mvm/d3.c        |   4 +
 drivers/net/wireless/intel/iwlwifi/mvm/fw.c        |   4 +-
 drivers/net/wireless/intel/iwlwifi/mvm/ops.c       |   3 +-
 drivers/net/wireless/intel/iwlwifi/mvm/rx.c        |   2 +-
 drivers/net/wireless/intel/iwlwifi/mvm/tx.c        |   5 +-
 drivers/net/wireless/intel/iwlwifi/pcie/trans.c    |   2 +-
 drivers/net/wireless/mediatek/mt76/mt76.h          |   2 +-
 drivers/net/wireless/mediatek/mt76/mt7603/main.c   |   3 +
 drivers/net/wireless/mediatek/mt76/mt7615/mac.c    |  56 ++-
 drivers/net/wireless/mediatek/mt76/mt7615/main.c   |   3 +
 .../net/wireless/mediatek/mt76/mt76_connac_mcu.c   |   2 +-
 .../net/wireless/mediatek/mt76/mt76_connac_mcu.h   |   3 +-
 drivers/net/wireless/mediatek/mt76/mt7915/init.c   |   2 +-
 drivers/net/wireless/mediatek/mt76/mt7915/mac.c    |  50 ++-
 drivers/net/wireless/mediatek/mt76/mt7915/mcu.c    |  67 ++-
 drivers/net/wireless/mediatek/mt76/mt7915/mt7915.h |   8 +-
 .../net/wireless/mediatek/mt76/mt7921/debugfs.c    |  16 +-
 drivers/net/wireless/mediatek/mt76/mt7921/dma.c    | 119 ------
 drivers/net/wireless/mediatek/mt76/mt7921/mac.c    |  68 +--
 drivers/net/wireless/mediatek/mt76/mt7921/mac.h    |   3 +
 drivers/net/wireless/mediatek/mt76/mt7921/mcu.c    |  57 +--
 drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h |   1 +
 drivers/net/wireless/mediatek/mt76/mt7921/pci.c    | 124 ++++++
 .../net/wireless/mediatek/mt76/mt7921/pci_mcu.c    |  18 +-
 drivers/net/wireless/mediatek/mt76/mt7921/regs.h   |  11 +-
 .../net/wireless/mediatek/mt76/mt7921/sdio_mcu.c   |  38 ++
 drivers/net/wireless/mediatek/mt76/sdio.h          |   2 +
 drivers/net/wireless/ray_cs.c                      |   6 +
 drivers/net/wireless/realtek/rtw88/fw.c            |  42 +-
 drivers/net/wireless/realtek/rtw88/mac80211.c      |   5 +-
 drivers/net/wireless/realtek/rtw88/main.c          |  16 +-
 drivers/net/wireless/realtek/rtw88/main.h          |   4 +-
 drivers/net/wwan/qcom_bam_dmux.c                   |   2 +-
 drivers/nvdimm/region_devs.c                       |   3 +
 drivers/nvme/host/core.c                           |  48 ++-
 drivers/nvme/host/multipath.c                      |   7 +-
 drivers/nvme/host/nvme.h                           |  19 +
 drivers/nvme/host/tcp.c                            |  40 ++
 drivers/pci/access.c                               |   9 +-
 drivers/pci/controller/dwc/pci-imx6.c              |  15 +-
 drivers/pci/controller/dwc/pcie-fu740.c            |  51 ++-
 drivers/pci/controller/pci-aardvark.c              |  13 +-
 drivers/pci/controller/pci-xgene.c                 |  35 +-
 drivers/pci/hotplug/pciehp_hpc.c                   |   2 +
 drivers/pci/quirks.c                               |  12 +
 drivers/perf/Kconfig                               |   2 +-
 drivers/perf/arm-cmn.c                             |  21 +-
 drivers/phy/broadcom/phy-brcm-usb-init.c           |  36 ++
 drivers/phy/broadcom/phy-brcm-usb-init.h           |   1 +
 drivers/phy/broadcom/phy-brcm-usb.c                |  11 +-
 drivers/phy/phy-core-mipi-dphy.c                   |   4 +-
 drivers/pinctrl/mediatek/pinctrl-mtk-common.c      |   2 +
 drivers/pinctrl/mediatek/pinctrl-paris.c           |  32 +-
 drivers/pinctrl/nomadik/pinctrl-nomadik.c          |   4 +-
 drivers/pinctrl/nuvoton/pinctrl-npcm7xx.c          | 185 ++++-----
 drivers/pinctrl/pinconf-generic.c                  |   6 +-
 drivers/pinctrl/pinctrl-ingenic.c                  |  46 +-
 drivers/pinctrl/pinctrl-microchip-sgpio.c          |  15 +
 drivers/pinctrl/pinctrl-ocelot.c                   |   7 +-
 drivers/pinctrl/pinctrl-rockchip.c                 |   2 +
 drivers/pinctrl/renesas/core.c                     |   5 +-
 drivers/pinctrl/renesas/pfc-r8a77470.c             |   4 +-
 drivers/pinctrl/samsung/pinctrl-exynos-arm64.c     |   2 -
 drivers/pinctrl/samsung/pinctrl-samsung.c          |  30 +-
 drivers/platform/chrome/Makefile                   |   3 +-
 drivers/platform/chrome/cros_ec_sensorhub_ring.c   |   3 +-
 drivers/platform/chrome/cros_ec_sensorhub_trace.h  | 123 ++++++
 drivers/platform/chrome/cros_ec_trace.h            |  95 -----
 drivers/platform/chrome/cros_ec_typec.c            |   6 +
 drivers/platform/x86/asus-wmi.c                    |   2 +-
 drivers/platform/x86/huawei-wmi.c                  |  13 +-
 drivers/power/reset/gemini-poweroff.c              |   4 +-
 drivers/power/supply/ab8500_bmdata.c               |   8 +-
 drivers/power/supply/ab8500_chargalg.c             |   6 +-
 drivers/power/supply/ab8500_fg.c                   |  12 +-
 drivers/power/supply/bq24190_charger.c             |   7 +-
 drivers/power/supply/sbs-charger.c                 |  18 +-
 drivers/power/supply/wm8350_power.c                |  97 ++++-
 drivers/powercap/dtpm_cpu.c                        |   7 +
 drivers/pps/clients/pps-gpio.c                     |   2 +-
 drivers/ptp/ptp_clock.c                            |  11 +-
 drivers/pwm/pwm-lpc18xx-sct.c                      |  20 +-
 drivers/regulator/qcom_smd-regulator.c             |   4 +-
 drivers/regulator/rpi-panel-attiny-regulator.c     |  56 ++-
 drivers/remoteproc/qcom_q6v5_adsp.c                |   1 +
 drivers/remoteproc/qcom_q6v5_mss.c                 |  11 +-
 drivers/remoteproc/qcom_wcnss.c                    |   1 +
 drivers/remoteproc/remoteproc_debugfs.c            |   2 +-
 drivers/rtc/interface.c                            |   7 +-
 drivers/rtc/rtc-gamecube.c                         |   1 +
 drivers/rtc/rtc-mc146818-lib.c                     |   6 +-
 drivers/rtc/rtc-pl031.c                            |   6 +-
 drivers/scsi/fnic/fnic_scsi.c                      |   2 +-
 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c             |   2 +-
 drivers/scsi/libsas/sas_ata.c                      |   2 +-
 drivers/scsi/mpt3sas/mpt3sas_base.c                |  25 +-
 drivers/scsi/pm8001/pm8001_hwi.c                   |  23 +-
 drivers/scsi/pm8001/pm80xx_hwi.c                   | 209 +++++-----
 drivers/scsi/qla2xxx/qla_attr.c                    |   7 +-
 drivers/scsi/qla2xxx/qla_bsg.c                     |   6 +-
 drivers/scsi/qla2xxx/qla_def.h                     |  22 +-
 drivers/scsi/qla2xxx/qla_edif.c                    |  25 +-
 drivers/scsi/qla2xxx/qla_gbl.h                     |   4 +-
 drivers/scsi/qla2xxx/qla_gs.c                      | 160 +++----
 drivers/scsi/qla2xxx/qla_init.c                    | 233 ++++++-----
 drivers/scsi/qla2xxx/qla_inline.h                  |   2 +
 drivers/scsi/qla2xxx/qla_iocb.c                    |  93 +++--
 drivers/scsi/qla2xxx/qla_isr.c                     |   1 +
 drivers/scsi/qla2xxx/qla_mbx.c                     |  29 +-
 drivers/scsi/qla2xxx/qla_mid.c                     |   9 +-
 drivers/scsi/qla2xxx/qla_mr.c                      |  11 +-
 drivers/scsi/qla2xxx/qla_nvme.c                    |  22 +
 drivers/scsi/qla2xxx/qla_os.c                      |  54 ++-
 drivers/scsi/qla2xxx/qla_sup.c                     |   4 +-
 drivers/scsi/qla2xxx/qla_target.c                  |  14 +-
 drivers/scsi/qla2xxx/qla_tmpl.c                    |   9 +-
 drivers/scsi/scsi_error.c                          |   9 +-
 drivers/scsi/scsi_transport_fc.c                   |  39 +-
 drivers/scsi/sd.c                                  |   6 +-
 drivers/scsi/ufs/ufshcd.c                          |  21 +-
 drivers/soc/mediatek/mtk-pm-domains.c              |   3 +
 drivers/soc/qcom/ocmem.c                           |   1 +
 drivers/soc/qcom/qcom_aoss.c                       |   8 +-
 drivers/soc/qcom/rpmpd.c                           |   3 +
 drivers/soc/ti/wkup_m3_ipc.c                       |   4 +-
 drivers/soundwire/dmi-quirks.c                     |   2 +-
 drivers/soundwire/intel.c                          |   4 +-
 drivers/spi/spi-fsi.c                              |  10 +
 drivers/spi/spi-mt65xx.c                           |  15 +-
 drivers/spi/spi-mxic.c                             |  28 +-
 drivers/spi/spi-pxa2xx-pci.c                       |  17 +-
 drivers/spi/spi-tegra114.c                         |   4 +
 drivers/spi/spi-tegra20-slink.c                    |   8 +-
 drivers/spi/spi-tegra210-quad.c                    |   2 +
 drivers/spi/spi-zynqmp-gqspi.c                     |   5 +-
 drivers/staging/iio/adc/ad7280a.c                  |   4 +-
 drivers/staging/media/atomisp/pci/atomisp_acc.c    |  28 +-
 .../media/atomisp/pci/atomisp_gmin_platform.c      |  18 +
 drivers/staging/media/atomisp/pci/hmm/hmm.c        |   7 +-
 drivers/staging/media/hantro/hantro_h1_jpeg_enc.c  |   2 +-
 drivers/staging/media/hantro/hantro_h1_regs.h      |   2 +-
 drivers/staging/media/hantro/sunxi_vpu_hw.c        |   4 +-
 drivers/staging/media/imx/imx7-mipi-csis.c         |   6 +-
 drivers/staging/media/imx/imx8mq-mipi-csi2.c       |  74 ++--
 drivers/staging/media/meson/vdec/esparser.c        |   7 +-
 drivers/staging/media/meson/vdec/vdec_helpers.c    |   8 +-
 drivers/staging/media/meson/vdec/vdec_helpers.h    |   4 +-
 drivers/staging/media/sunxi/cedrus/cedrus_h264.c   |   2 +-
 drivers/staging/media/sunxi/cedrus/cedrus_h265.c   |   2 +-
 drivers/staging/media/zoran/zoran.h                |   2 +-
 drivers/staging/media/zoran/zoran_card.c           |  86 ++--
 drivers/staging/media/zoran/zoran_device.c         |   7 +-
 drivers/staging/media/zoran/zoran_driver.c         |  18 +-
 drivers/staging/mt7621-dts/gbpc1.dts               |  40 +-
 drivers/staging/mt7621-dts/gbpc2.dts               | 116 +++++-
 drivers/staging/mt7621-dts/mt7621.dtsi             |  26 +-
 drivers/staging/qlge/qlge_main.c                   |  11 +-
 drivers/staging/r8188eu/core/rtw_recv.c            |   3 +-
 drivers/staging/r8188eu/hal/rtl8188e_hal_init.c    |   2 +-
 .../intel/int340x_thermal/int3400_thermal.c        |   7 +-
 drivers/tty/hvc/hvc_iucv.c                         |   4 +-
 drivers/tty/mxser.c                                |  15 +-
 drivers/tty/serial/8250/8250_aspeed_vuart.c        |   2 +-
 drivers/tty/serial/8250/8250_dma.c                 |  11 +-
 drivers/tty/serial/8250/8250_lpss.c                |  28 +-
 drivers/tty/serial/8250/8250_mid.c                 |  19 +-
 drivers/tty/serial/8250/8250_port.c                |  24 +-
 drivers/tty/serial/kgdboc.c                        |   6 +-
 drivers/tty/serial/serial_core.c                   |  14 +
 drivers/usb/host/xhci-hub.c                        |   5 +-
 drivers/usb/host/xhci-mem.c                        |   2 +-
 drivers/usb/host/xhci.c                            |  20 +-
 drivers/usb/host/xhci.h                            |  14 +-
 drivers/usb/serial/Kconfig                         |   1 +
 drivers/usb/serial/pl2303.c                        |   2 +
 drivers/usb/serial/pl2303.h                        |   3 +
 drivers/usb/serial/usb-serial-simple.c             |   7 +
 drivers/usb/storage/ene_ub6250.c                   | 155 ++++---
 drivers/usb/storage/realtek_cr.c                   |   2 +-
 drivers/usb/typec/tipd/core.c                      |   5 +
 drivers/usb/typec/tipd/tps6598x.h                  |   1 +
 drivers/vdpa/mlx5/net/mlx5_vnet.c                  |   7 +-
 drivers/vfio/pci/vfio_pci_core.c                   |  61 +++
 drivers/vhost/iotlb.c                              |   6 +-
 drivers/video/fbdev/atafb.c                        |  12 +-
 drivers/video/fbdev/atmel_lcdfb.c                  |  11 +-
 drivers/video/fbdev/cirrusfb.c                     |  16 +-
 drivers/video/fbdev/controlfb.c                    |   2 +
 drivers/video/fbdev/core/fbcvt.c                   |  53 +--
 drivers/video/fbdev/core/fbmem.c                   |  29 +-
 drivers/video/fbdev/matrox/matroxfb_base.c         |   2 +-
 drivers/video/fbdev/nvidia/nv_i2c.c                |   2 +-
 .../fbdev/omap2/omapfb/displays/connector-dvi.c    |   1 +
 .../fbdev/omap2/omapfb/displays/panel-dsi-cm.c     |   8 +-
 .../omap2/omapfb/displays/panel-sony-acx565akm.c   |   2 +-
 .../omap2/omapfb/displays/panel-tpo-td043mtea1.c   |   4 +-
 drivers/video/fbdev/sm712fb.c                      |  46 +-
 drivers/video/fbdev/smscufx.c                      |   3 +-
 drivers/video/fbdev/udlfb.c                        |   8 +-
 drivers/video/fbdev/w100fb.c                       |  15 +-
 drivers/virt/acrn/hsm.c                            |  20 +-
 drivers/virt/acrn/mm.c                             |  24 ++
 drivers/virtio/virtio.c                            |   5 +-
 drivers/virtio/virtio_pci_common.c                 |  48 +--
 drivers/virtio/virtio_pci_common.h                 |   7 +-
 drivers/virtio/virtio_pci_legacy.c                 |   5 +-
 drivers/virtio/virtio_pci_modern.c                 |   6 +-
 drivers/watchdog/rti_wdt.c                         |   1 +
 fs/binfmt_elf.c                                    |  90 ++--
 fs/binfmt_elf_fdpic.c                              |  18 +-
 fs/btrfs/block-group.c                             |   8 +-
 fs/btrfs/compression.c                             |  20 +-
 fs/btrfs/disk-io.c                                 |  26 +-
 fs/btrfs/extent_io.c                               |  22 +-
 fs/btrfs/file-item.c                               |  38 +-
 fs/btrfs/inode.c                                   |   8 +-
 fs/btrfs/reflink.c                                 |   7 +-
 fs/btrfs/space-info.c                              |   3 +-
 fs/btrfs/volumes.c                                 |  48 ++-
 fs/buffer.c                                        |   8 +-
 fs/cifs/cifs_swn.c                                 |   6 +-
 fs/cifs/cifsfs.c                                   |  14 +-
 fs/cifs/cifsproto.h                                |   3 +
 fs/cifs/connect.c                                  |  56 ++-
 fs/cifs/dfs_cache.c                                |   2 +-
 fs/cifs/file.c                                     |  10 +
 fs/cifs/smb1ops.c                                  |   2 +-
 fs/cifs/smb2ops.c                                  | 148 ++++---
 fs/cifs/smb2pdu.c                                  |   6 +-
 fs/cifs/transport.c                                |   2 +-
 fs/coredump.c                                      |  86 +++-
 fs/erofs/sysfs.c                                   |   8 +-
 fs/exec.c                                          |  26 +-
 fs/ext2/super.c                                    |   6 +-
 fs/ext4/inline.c                                   |   9 +-
 fs/ext4/inode.c                                    |  25 ++
 fs/ext4/mballoc.c                                  | 128 +++---
 fs/ext4/namei.c                                    |  10 +-
 fs/ext4/super.c                                    |  53 ++-
 fs/f2fs/checkpoint.c                               |   8 +-
 fs/f2fs/compress.c                                 |   5 +-
 fs/f2fs/data.c                                     |   8 +-
 fs/f2fs/debug.c                                    |  18 +-
 fs/f2fs/f2fs.h                                     |   1 +
 fs/f2fs/file.c                                     |   5 +-
 fs/f2fs/gc.c                                       |   4 +-
 fs/f2fs/inode.c                                    |   7 +-
 fs/f2fs/node.c                                     |   6 +-
 fs/f2fs/segment.c                                  |   7 +
 fs/f2fs/super.c                                    |  10 +-
 fs/f2fs/sysfs.c                                    |   2 +-
 fs/file.c                                          |  31 +-
 fs/gfs2/bmap.c                                     |   2 +-
 fs/gfs2/file.c                                     |   3 +-
 fs/gfs2/inode.c                                    |   2 +-
 fs/gfs2/rgrp.c                                     |  10 +-
 fs/gfs2/rgrp.h                                     |   2 +-
 fs/gfs2/super.c                                    |   2 +-
 fs/io_uring.c                                      |  21 +-
 fs/iomap/buffered-io.c                             |   3 +-
 fs/jffs2/build.c                                   |   4 +-
 fs/jffs2/fs.c                                      |   2 +-
 fs/jffs2/scan.c                                    |   6 +-
 fs/jfs/jfs_dmap.c                                  |   7 +
 fs/nfs/callback_proc.c                             |  27 +-
 fs/nfs/callback_xdr.c                              |   4 -
 fs/nfs/nfs2xdr.c                                   |   2 +-
 fs/nfs/nfs3xdr.c                                   |  22 +-
 fs/nfs/nfs4proc.c                                  |   1 +
 fs/nfs/pagelist.c                                  |   1 +
 fs/nfs/pnfs.c                                      |  11 +
 fs/nfs/pnfs.h                                      |   2 +
 fs/nfs/proc.c                                      |   1 +
 fs/nfs/write.c                                     |   7 +-
 fs/nfsd/filecache.c                                |   6 +-
 fs/nfsd/nfs4state.c                                |  12 +-
 fs/nfsd/nfsproc.c                                  |   2 +-
 fs/nfsd/xdr.h                                      |   2 +-
 fs/ntfs/inode.c                                    |   4 +
 fs/ocfs2/quota_global.c                            |  23 +-
 fs/ocfs2/quota_local.c                             |   2 -
 fs/proc/bootconfig.c                               |   2 +
 fs/pstore/platform.c                               |  38 +-
 fs/ubifs/dir.c                                     | 238 ++++++-----
 fs/ubifs/file.c                                    |  14 +-
 fs/ubifs/io.c                                      |  34 +-
 fs/ubifs/ioctl.c                                   |   2 +-
 fs/ubifs/journal.c                                 |  52 ++-
 include/drm/drm_connector.h                        |  12 +-
 include/drm/drm_dp_helper.h                        |   4 +-
 include/drm/drm_modeset_lock.h                     |   1 +
 include/linux/atomic/atomic-arch-fallback.h        |  38 +-
 include/linux/binfmts.h                            |   3 +
 include/linux/blk-cgroup.h                         |  17 +
 include/linux/blk_types.h                          |   3 +-
 include/linux/coredump.h                           |   5 +-
 include/linux/fb.h                                 |   1 +
 include/linux/lsm_hook_defs.h                      |   2 +
 include/linux/lsm_hooks.h                          |   5 +
 include/linux/migrate.h                            |   8 +
 include/linux/mtd/rawnand.h                        |   2 +
 include/linux/netfilter_netdev.h                   |   2 +-
 include/linux/nvme.h                               |   1 +
 include/linux/pci.h                                |   1 +
 include/linux/pstore.h                             |   6 +-
 include/linux/randomize_kstack.h                   |  16 +-
 include/linux/sched.h                              |  19 +-
 include/linux/security.h                           |   8 +
 include/linux/serial_core.h                        |   2 +
 include/linux/skbuff.h                             |  28 +-
 include/linux/skmsg.h                              |  13 +-
 include/linux/soc/ti/ti_sci_protocol.h             |   2 +-
 include/linux/sunrpc/xdr.h                         |   2 +
 include/linux/sunrpc/xprt.h                        |   3 +
 include/linux/sunrpc/xprtsock.h                    |   2 +-
 include/linux/xarray.h                             |   1 +
 include/net/netfilter/nf_conntrack_helper.h        |   1 +
 include/net/netfilter/nf_flow_table.h              |  18 +
 include/scsi/scsi_device.h                         |   1 +
 include/sound/intel-nhlt.h                         |  22 +-
 include/sound/pcm.h                                |   1 +
 include/trace/events/ext4.h                        |  78 ++--
 include/trace/events/rxrpc.h                       |   8 +-
 include/trace/events/sched.h                       |  11 +-
 include/uapi/linux/bpf.h                           |  12 +-
 include/uapi/linux/loop.h                          |   4 +-
 include/uapi/linux/omap3isp.h                      |  21 +-
 include/uapi/linux/rfkill.h                        |  14 +-
 include/uapi/linux/rseq.h                          |  20 +-
 include/uapi/linux/serial_core.h                   |   3 +
 kernel/audit.h                                     |   4 +
 kernel/auditsc.c                                   |  87 +++-
 kernel/bpf/btf.c                                   |  55 ++-
 kernel/bpf/stackmap.c                              |  56 ++-
 kernel/debug/kdb/kdb_support.c                     |   2 +-
 kernel/dma/debug.c                                 |   4 +-
 kernel/dma/swiotlb.c                               |  11 +-
 kernel/events/core.c                               |   3 +
 kernel/livepatch/core.c                            |   4 +-
 kernel/locking/lockdep.c                           |  38 +-
 kernel/locking/lockdep_internals.h                 |   6 +-
 kernel/locking/lockdep_proc.c                      |  51 ++-
 kernel/power/hibernate.c                           |   2 +-
 kernel/power/suspend_test.c                        |   8 +-
 kernel/printk/printk.c                             |   6 +-
 kernel/ptrace.c                                    |  47 ++-
 kernel/rcu/rcu_segcblist.h                         |   4 +-
 kernel/rcu/tree.c                                  |  71 ++--
 kernel/rcu/tree.h                                  |   4 +-
 kernel/resource.c                                  |  41 +-
 kernel/rseq.c                                      |   8 +-
 kernel/sched/core.c                                |   5 +-
 kernel/sched/cpuacct.c                             |   3 +-
 kernel/sched/cpufreq_schedutil.c                   |  11 +-
 kernel/sched/deadline.c                            |  12 +-
 kernel/sched/debug.c                               |  10 -
 kernel/sched/fair.c                                |  18 +-
 kernel/sched/rt.c                                  |  32 +-
 kernel/sched/sched.h                               | 181 ++++----
 kernel/trace/fgraph.c                              |   4 +-
 kernel/trace/ftrace.c                              |   4 +-
 kernel/trace/trace.c                               |   9 +-
 kernel/trace/trace_events.c                        |  96 ++++-
 kernel/trace/trace_osnoise.c                       |   4 +-
 kernel/trace/trace_sched_switch.c                  |   1 +
 kernel/trace/trace_sched_wakeup.c                  |   1 +
 kernel/watch_queue.c                               |   4 +-
 lib/kunit/try-catch.c                              |   2 +-
 lib/raid6/test/Makefile                            |   4 +-
 lib/raid6/test/test.c                              |   1 -
 lib/test_kmod.c                                    |   1 +
 lib/test_lockup.c                                  |  11 +-
 lib/test_xarray.c                                  |  22 +
 lib/vsprintf.c                                     |  48 ++-
 lib/xarray.c                                       |   4 +
 mm/kmemleak.c                                      |   9 +-
 mm/madvise.c                                       |   3 +-
 mm/memcontrol.c                                    |   2 +-
 mm/memory.c                                        |  57 ++-
 mm/mempolicy.c                                     |   8 +-
 mm/migrate.c                                       |  47 +--
 mm/mlock.c                                         |   7 +-
 mm/mmap.c                                          |   2 +-
 mm/page_alloc.c                                    |   9 +-
 mm/slab.c                                          |   1 +
 mm/usercopy.c                                      |   5 +-
 mm/vmstat.c                                        |  13 +-
 net/ax25/af_ax25.c                                 |  18 +-
 net/ax25/ax25_subr.c                               |  20 +-
 net/bluetooth/eir.h                                |   5 +
 net/bluetooth/hci_conn.c                           |   2 +
 net/bluetooth/hci_event.c                          |  13 +-
 net/bluetooth/hci_sync.c                           |   2 +-
 net/bluetooth/mgmt.c                               |  18 +-
 net/can/isotp.c                                    |  69 +--
 net/core/skbuff.c                                  |  51 ++-
 net/core/skmsg.c                                   |  17 +-
 net/dsa/dsa2.c                                     |   5 +
 net/dsa/switch.c                                   |  40 +-
 net/ipv4/route.c                                   |  18 +-
 net/ipv4/tcp_bpf.c                                 |  14 +-
 net/ipv4/tcp_output.c                              |   5 +-
 net/mac80211/ieee80211_i.h                         |   2 +-
 net/mac80211/mesh.c                                |   2 +-
 net/mac80211/mlme.c                                |  11 +-
 net/mac80211/util.c                                |  27 +-
 net/mptcp/protocol.c                               |   1 +
 net/netfilter/nf_conntrack_helper.c                |   6 +
 net/netfilter/nf_conntrack_proto_tcp.c             |  17 +-
 net/netfilter/nf_flow_table_inet.c                 |  17 +
 net/netfilter/nf_flow_table_ip.c                   |  18 -
 net/netfilter/nft_ct.c                             |   3 +
 net/netlink/af_netlink.c                           |   2 +
 net/openvswitch/conntrack.c                        | 118 +++---
 net/openvswitch/flow_netlink.c                     |   4 +-
 net/rfkill/core.c                                  |  48 ++-
 net/rxrpc/ar-internal.h                            |  15 +-
 net/rxrpc/call_event.c                             |   2 +-
 net/rxrpc/call_object.c                            |  40 +-
 net/rxrpc/server_key.c                             |   7 +-
 net/sched/act_ct.c                                 |  15 +-
 net/sctp/sm_statefuns.c                            |   8 +-
 net/sunrpc/clnt.c                                  |   6 +-
 net/sunrpc/sched.c                                 |  22 +-
 net/sunrpc/sysfs.c                                 |  55 ++-
 net/sunrpc/xprt.c                                  |  10 +
 net/sunrpc/xprtrdma/transport.c                    |   8 +-
 net/sunrpc/xprtsock.c                              |  56 ++-
 net/tipc/socket.c                                  |   3 +-
 net/unix/af_unix.c                                 |  16 +-
 net/vmw_vsock/virtio_transport.c                   |  11 +-
 net/x25/af_x25.c                                   |  11 +-
 net/xdp/xsk.c                                      |  69 ++-
 net/xdp/xsk_buff_pool.c                            |   8 +-
 samples/bpf/xdpsock_user.c                         |   6 +-
 samples/landlock/sandboxer.c                       |   1 +
 scripts/atomic/fallbacks/read_acquire              |  11 +-
 scripts/atomic/fallbacks/set_release               |   7 +-
 scripts/dtc/Makefile                               |   2 +-
 scripts/gcc-plugins/stackleak_plugin.c             |  25 +-
 scripts/mod/modpost.c                              |   2 +-
 security/integrity/evm/evm_main.c                  |   2 +-
 security/keys/keyctl_pkey.c                        |  14 +-
 security/keys/trusted-keys/trusted_core.c          |   6 +-
 security/landlock/syscalls.c                       |   2 +-
 security/security.c                                |  24 +-
 security/selinux/hooks.c                           | 180 +++++---
 security/selinux/include/policycap.h               |   1 +
 security/selinux/include/policycap_names.h         |   3 +-
 security/selinux/include/security.h                |   7 +
 security/selinux/selinuxfs.c                       |   2 +
 security/selinux/xfrm.c                            |   2 +-
 security/smack/smack_lsm.c                         |   2 +-
 security/tomoyo/load_policy.c                      |   4 +-
 sound/core/pcm.c                                   |   1 +
 sound/core/pcm_lib.c                               |   9 +-
 sound/core/pcm_native.c                            |  39 +-
 sound/firewire/fcp.c                               |   4 +-
 sound/hda/intel-dsp-config.c                       |  36 +-
 sound/hda/intel-nhlt.c                             |  22 +
 sound/isa/cs423x/cs4236.c                          |   8 +-
 sound/pci/hda/hda_intel.c                          |  10 +-
 sound/pci/hda/patch_hdmi.c                         |   8 +-
 sound/pci/hda/patch_realtek.c                      |  15 +-
 sound/soc/amd/acp/acp-mach-common.c                |   2 +
 sound/soc/amd/vangogh/acp5x-mach.c                 |   1 +
 sound/soc/amd/vangogh/acp5x-pcm-dma.c              |  68 +--
 sound/soc/atmel/atmel_ssc_dai.c                    |   5 +-
 sound/soc/atmel/mikroe-proto.c                     |  20 +-
 sound/soc/atmel/sam9g20_wm8731.c                   |   1 +
 sound/soc/atmel/sam9x5_wm8731.c                    |  13 +-
 sound/soc/codecs/Kconfig                           |   5 +
 sound/soc/codecs/cs35l41.c                         |   6 +-
 sound/soc/codecs/cs42l42.c                         |  14 +-
 sound/soc/codecs/lpass-rx-macro.c                  |  14 +-
 sound/soc/codecs/lpass-tx-macro.c                  |   2 +
 sound/soc/codecs/lpass-va-macro.c                  |   4 +-
 sound/soc/codecs/lpass-wsa-macro.c                 |   2 +
 sound/soc/codecs/max98927.c                        |   1 +
 sound/soc/codecs/msm8916-wcd-analog.c              |  22 +-
 sound/soc/codecs/msm8916-wcd-digital.c             |   5 +-
 sound/soc/codecs/mt6358.c                          |   4 +
 sound/soc/codecs/rk817_codec.c                     |   6 +-
 sound/soc/codecs/rt5663.c                          |   2 +
 sound/soc/codecs/rt5682s.c                         |  26 +-
 sound/soc/codecs/rt5682s.h                         |   1 -
 sound/soc/codecs/wcd934x.c                         |  12 +-
 sound/soc/codecs/wcd938x.c                         |  10 +-
 sound/soc/codecs/wm8350.c                          |  28 +-
 sound/soc/dwc/dwc-i2s.c                            |  17 +-
 sound/soc/fsl/fsl_spdif.c                          |   2 +
 sound/soc/fsl/imx-es8328.c                         |   1 +
 sound/soc/generic/simple-card-utils.c              |  15 +
 sound/soc/intel/boards/sof_es8336.c                |  63 ++-
 sound/soc/intel/boards/sof_sdw.c                   |   2 +-
 sound/soc/intel/common/soc-acpi-intel-bxt-match.c  |   7 +-
 sound/soc/intel/common/soc-acpi-intel-cml-match.c  |   7 +-
 sound/soc/intel/common/soc-acpi-intel-glk-match.c  |   7 +-
 sound/soc/intel/common/soc-acpi-intel-jsl-match.c  |   7 +-
 sound/soc/intel/common/soc-acpi-intel-tgl-match.c  |   7 +-
 sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c |  23 +-
 .../mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c  |  18 +-
 .../mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c  |   4 +-
 sound/soc/mxs/mxs-saif.c                           |   5 +-
 sound/soc/mxs/mxs-sgtl5000.c                       |   3 +
 sound/soc/rockchip/rockchip_i2s.c                  |  15 +-
 sound/soc/rockchip/rockchip_i2s_tdm.c              |  12 +-
 sound/soc/sh/fsi.c                                 |  19 +-
 sound/soc/sh/rz-ssi.c                              |  73 ++--
 sound/soc/soc-compress.c                           |   5 +
 sound/soc/soc-core.c                               |   2 +-
 sound/soc/soc-generic-dmaengine-pcm.c              |   6 +-
 sound/soc/soc-topology.c                           |   3 +-
 sound/soc/sof/debug.c                              |   2 +-
 sound/soc/sof/imx/imx8m.c                          |   1 +
 sound/soc/sof/intel/Kconfig                        |   1 +
 sound/soc/sof/intel/hda-dai.c                      |  13 +
 sound/soc/sof/intel/hda-loader.c                   |  11 +-
 sound/soc/sof/intel/hda-pcm.c                      |   1 +
 sound/soc/sof/intel/hda.c                          |  61 +--
 sound/soc/ti/davinci-i2s.c                         |   5 +-
 sound/soc/xilinx/xlnx_formatter_pcm.c              |  25 ++
 sound/spi/at73c213.c                               |  27 +-
 tools/bpf/bpftool/btf.c                            |   2 +-
 tools/bpf/bpftool/gen.c                            |   2 +-
 tools/bpf/bpftool/link.c                           |   3 +-
 tools/bpf/bpftool/map.c                            |  42 +-
 tools/bpf/bpftool/pids.c                           |   3 +-
 tools/bpf/bpftool/prog.c                           |   2 +-
 tools/include/uapi/linux/bpf.h                     |   4 +-
 tools/lib/bpf/bpf_tracing.h                        |   4 +-
 tools/lib/bpf/btf.h                                |  22 +-
 tools/lib/bpf/btf_dump.c                           |  11 +-
 tools/lib/bpf/libbpf.c                             |  47 ++-
 tools/lib/bpf/libbpf.map                           |   2 +-
 tools/lib/bpf/netlink.c                            |  63 ++-
 tools/lib/bpf/xsk.c                                |  11 +
 tools/lib/perf/tests/test-evlist.c                 |   8 +-
 tools/perf/arch/x86/util/evlist.c                  |  18 +-
 tools/perf/builtin-stat.c                          |   2 +-
 tools/perf/pmu-events/arch/x86/skylakex/cache.json | 111 ++---
 .../arch/x86/skylakex/floating-point.json          |  24 +-
 .../pmu-events/arch/x86/skylakex/frontend.json     |  18 +-
 .../perf/pmu-events/arch/x86/skylakex/memory.json  |  96 ++---
 .../pmu-events/arch/x86/skylakex/pipeline.json     |  11 +
 .../pmu-events/arch/x86/skylakex/skx-metrics.json  | 461 ++++++++++++++++++---
 .../pmu-events/arch/x86/skylakex/uncore-other.json |  23 +
 tools/perf/tests/shell/test_arm_callgraph_fp.sh    |  68 +++
 tools/testing/cxl/Kbuild                           |   2 +-
 tools/testing/cxl/test/cxl.c                       |   2 +-
 tools/testing/selftests/bpf/prog_tests/bind_perm.c |  20 +-
 tools/testing/selftests/bpf/progs/bpf_misc.h       |  19 +
 .../testing/selftests/bpf/progs/test_probe_user.c  |  15 +-
 .../testing/selftests/bpf/progs/test_sock_fields.c |   2 +-
 tools/testing/selftests/bpf/test_lirc_mode2.sh     |   5 +-
 tools/testing/selftests/bpf/test_lwt_ip_encap.sh   |  10 +-
 .../selftests/bpf/test_xdp_redirect_multi.sh       |  60 +--
 tools/testing/selftests/bpf/xdpxceiver.c           |   5 +-
 tools/testing/selftests/lkdtm/config               |   1 +
 .../testing/selftests/net/af_unix/test_unix_oob.c  |   6 +-
 tools/testing/selftests/net/mptcp/mptcp_connect.sh |  19 +
 .../testing/selftests/net/test_vxlan_under_vrf.sh  |   8 +-
 tools/testing/selftests/net/timestamping.c         |   4 +-
 tools/testing/selftests/net/tls.c                  |   6 +
 tools/testing/selftests/rcutorture/bin/torture.sh  |   4 +-
 tools/testing/selftests/sgx/Makefile               |   2 +-
 tools/testing/selftests/sgx/load.c                 |   9 +-
 tools/testing/selftests/sgx/main.c                 |   5 +-
 tools/testing/selftests/vm/Makefile                |   6 +-
 tools/testing/selftests/vm/userfaultfd.c           |   3 +
 tools/testing/selftests/x86/Makefile               |   6 +-
 tools/testing/selftests/x86/check_cc.sh            |   2 +-
 tools/tracing/rtla/src/osnoise_hist.c              |   2 +-
 virt/kvm/kvm_main.c                                |  13 +
 virt/kvm/pfncache.c                                |   1 +
 1147 files changed, 11879 insertions(+), 6157 deletions(-)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0001/1126] Revert "swiotlb: rework "fix info leak with DMA_FROM_DEVICE""
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0002/1126] USB: serial: pl2303: add IBM device IDs Greg Kroah-Hartman
                   ` (988 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Olha Cherevyk, Halil Pasic,
	Christoph Hellwig, Kalle Valo, Robin Murphy,
	Toke Høiland-Jørgensen, Maxime Bizon, Johannes Berg,
	Linus Torvalds, Oleksandr Natalenko

From: Linus Torvalds <torvalds@linux-foundation.org>

commit bddac7c1e02ba47f0570e494c9289acea3062cc1 upstream.

This reverts commit aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13.

It turns out this breaks at least the ath9k wireless driver, and
possibly others.

What the ath9k driver does on packet receive is to set up the DMA
transfer with:

  int ath_rx_init(..)
  ..
                bf->bf_buf_addr = dma_map_single(sc->dev, skb->data,
                                                 common->rx_bufsize,
                                                 DMA_FROM_DEVICE);

and then the receive logic (through ath_rx_tasklet()) will fetch
incoming packets

  static bool ath_edma_get_buffers(..)
  ..
        dma_sync_single_for_cpu(sc->dev, bf->bf_buf_addr,
                                common->rx_bufsize, DMA_FROM_DEVICE);

        ret = ath9k_hw_process_rxdesc_edma(ah, rs, skb->data);
        if (ret == -EINPROGRESS) {
                /*let device gain the buffer again*/
                dma_sync_single_for_device(sc->dev, bf->bf_buf_addr,
                                common->rx_bufsize, DMA_FROM_DEVICE);
                return false;
        }

and it's worth noting how that first DMA sync:

    dma_sync_single_for_cpu(..DMA_FROM_DEVICE);

is there to make sure the CPU can read the DMA buffer (possibly by
copying it from the bounce buffer area, or by doing some cache flush).
The iommu correctly turns that into a "copy from bounce bufer" so that
the driver can look at the state of the packets.

In the meantime, the device may continue to write to the DMA buffer, but
we at least have a snapshot of the state due to that first DMA sync.

But that _second_ DMA sync:

    dma_sync_single_for_device(..DMA_FROM_DEVICE);

is telling the DMA mapping that the CPU wasn't interested in the area
because the packet wasn't there.  In the case of a DMA bounce buffer,
that is a no-op.

Note how it's not a sync for the CPU (the "for_device()" part), and it's
not a sync for data written by the CPU (the "DMA_FROM_DEVICE" part).

Or rather, it _should_ be a no-op.  That's what commit aa6f8dcbab47
broke: it made the code bounce the buffer unconditionally, and changed
the DMA_FROM_DEVICE to just unconditionally and illogically be
DMA_TO_DEVICE.

[ Side note: purely within the confines of the swiotlb driver it wasn't
  entirely illogical: The reason it did that odd DMA_FROM_DEVICE ->
  DMA_TO_DEVICE conversion thing is because inside the swiotlb driver,
  it uses just a swiotlb_bounce() helper that doesn't care about the
  whole distinction of who the sync is for - only which direction to
  bounce.

  So it took the "sync for device" to mean that the CPU must have been
  the one writing, and thought it meant DMA_TO_DEVICE. ]

Also note how the commentary in that commit was wrong, probably due to
that whole confusion, claiming that the commit makes the swiotlb code

                                  "bounce unconditionally (that is, also
    when dir == DMA_TO_DEVICE) in order do avoid synchronising back stale
    data from the swiotlb buffer"

which is nonsensical for two reasons:

 - that "also when dir == DMA_TO_DEVICE" is nonsensical, as that was
   exactly when it always did - and should do - the bounce.

 - since this is a sync for the device (not for the CPU), we're clearly
   fundamentally not coping back stale data from the bounce buffers at
   all, because we'd be copying *to* the bounce buffers.

So that commit was just very confused.  It confused the direction of the
synchronization (to the device, not the cpu) with the direction of the
DMA (from the device).

Reported-and-bisected-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Reported-by: Olha Cherevyk <olha.cherevyk@gmail.com>
Cc: Halil Pasic <pasic@linux.ibm.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Kalle Valo <kvalo@kernel.org>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: Toke Høiland-Jørgensen <toke@toke.dk>
Cc: Maxime Bizon <mbizon@freebox.fr>
Cc: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/core-api/dma-attributes.rst |    8 ++++++++
 include/linux/dma-mapping.h               |    8 ++++++++
 kernel/dma/swiotlb.c                      |   23 ++++++++---------------
 3 files changed, 24 insertions(+), 15 deletions(-)

--- a/Documentation/core-api/dma-attributes.rst
+++ b/Documentation/core-api/dma-attributes.rst
@@ -130,3 +130,11 @@ accesses to DMA buffers in both privileg
 subsystem that the buffer is fully accessible at the elevated privilege
 level (and ideally inaccessible or at least read-only at the
 lesser-privileged levels).
+
+DMA_ATTR_OVERWRITE
+------------------
+
+This is a hint to the DMA-mapping subsystem that the device is expected to
+overwrite the entire mapped size, thus the caller does not require any of the
+previous buffer contents to be preserved. This allows bounce-buffering
+implementations to optimise DMA_FROM_DEVICE transfers.
--- a/include/linux/dma-mapping.h
+++ b/include/linux/dma-mapping.h
@@ -62,6 +62,14 @@
 #define DMA_ATTR_PRIVILEGED		(1UL << 9)
 
 /*
+ * This is a hint to the DMA-mapping subsystem that the device is expected
+ * to overwrite the entire mapped size, thus the caller does not require any
+ * of the previous buffer contents to be preserved. This allows
+ * bounce-buffering implementations to optimise DMA_FROM_DEVICE transfers.
+ */
+#define DMA_ATTR_OVERWRITE		(1UL << 10)
+
+/*
  * A dma_addr_t can hold any valid DMA or bus address for the platform.  It can
  * be given to a device to use as a DMA source or target.  It is specific to a
  * given device and there may be a translation between the CPU physical address
--- a/kernel/dma/swiotlb.c
+++ b/kernel/dma/swiotlb.c
@@ -627,14 +627,10 @@ phys_addr_t swiotlb_tbl_map_single(struc
 	for (i = 0; i < nr_slots(alloc_size + offset); i++)
 		mem->slots[index + i].orig_addr = slot_addr(orig_addr, i);
 	tlb_addr = slot_addr(mem->start, index) + offset;
-	/*
-	 * When dir == DMA_FROM_DEVICE we could omit the copy from the orig
-	 * to the tlb buffer, if we knew for sure the device will
-	 * overwirte the entire current content. But we don't. Thus
-	 * unconditional bounce may prevent leaking swiotlb content (i.e.
-	 * kernel memory) to user-space.
-	 */
-	swiotlb_bounce(dev, tlb_addr, mapping_size, DMA_TO_DEVICE);
+	if (!(attrs & DMA_ATTR_SKIP_CPU_SYNC) &&
+	    (!(attrs & DMA_ATTR_OVERWRITE) || dir == DMA_TO_DEVICE ||
+	    dir == DMA_BIDIRECTIONAL))
+		swiotlb_bounce(dev, tlb_addr, mapping_size, DMA_TO_DEVICE);
 	return tlb_addr;
 }
 
@@ -701,13 +697,10 @@ void swiotlb_tbl_unmap_single(struct dev
 void swiotlb_sync_single_for_device(struct device *dev, phys_addr_t tlb_addr,
 		size_t size, enum dma_data_direction dir)
 {
-	/*
-	 * Unconditional bounce is necessary to avoid corruption on
-	 * sync_*_for_cpu or dma_ummap_* when the device didn't overwrite
-	 * the whole lengt of the bounce buffer.
-	 */
-	swiotlb_bounce(dev, tlb_addr, size, DMA_TO_DEVICE);
-	BUG_ON(!valid_dma_direction(dir));
+	if (dir == DMA_TO_DEVICE || dir == DMA_BIDIRECTIONAL)
+		swiotlb_bounce(dev, tlb_addr, size, DMA_TO_DEVICE);
+	else
+		BUG_ON(dir != DMA_FROM_DEVICE);
 }
 
 void swiotlb_sync_single_for_cpu(struct device *dev, phys_addr_t tlb_addr,



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0002/1126] USB: serial: pl2303: add IBM device IDs
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0001/1126] Revert "swiotlb: rework "fix info leak with DMA_FROM_DEVICE"" Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0003/1126] dt-bindings: usb: hcd: correct usb-device path Greg Kroah-Hartman
                   ` (987 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eddie James, Joel Stanley, Johan Hovold

From: Eddie James <eajames@linux.ibm.com>

commit e1d15646565b284e9ef2433234d6cfdaf66695f1 upstream.

IBM manufactures a PL2303 device for UPS communications. Add the vendor
and product IDs so that the PL2303 driver binds to the device.

Signed-off-by: Eddie James <eajames@linux.ibm.com>
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Eddie James <eajames@linux.ibm.com>
Link: https://lore.kernel.org/r/20220301224446.21236-1-eajames@linux.ibm.com
Cc: stable@vger.kernel.org
[ johan: amend the SoB chain ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/pl2303.c |    1 +
 drivers/usb/serial/pl2303.h |    3 +++
 2 files changed, 4 insertions(+)

--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -116,6 +116,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(ADLINK_VENDOR_ID, ADLINK_ND6530GC_PRODUCT_ID) },
 	{ USB_DEVICE(SMART_VENDOR_ID, SMART_PRODUCT_ID) },
 	{ USB_DEVICE(AT_VENDOR_ID, AT_VTKIT3_PRODUCT_ID) },
+	{ USB_DEVICE(IBM_VENDOR_ID, IBM_PRODUCT_ID) },
 	{ }					/* Terminating entry */
 };
 
--- a/drivers/usb/serial/pl2303.h
+++ b/drivers/usb/serial/pl2303.h
@@ -35,6 +35,9 @@
 #define ATEN_PRODUCT_UC232B	0x2022
 #define ATEN_PRODUCT_ID2	0x2118
 
+#define IBM_VENDOR_ID		0x04b3
+#define IBM_PRODUCT_ID		0x4016
+
 #define IODATA_VENDOR_ID	0x04bb
 #define IODATA_PRODUCT_ID	0x0a03
 #define IODATA_PRODUCT_ID_RSAQ5	0x0a0e



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0003/1126] dt-bindings: usb: hcd: correct usb-device path
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0001/1126] Revert "swiotlb: rework "fix info leak with DMA_FROM_DEVICE"" Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0002/1126] USB: serial: pl2303: add IBM device IDs Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0004/1126] USB: serial: pl2303: fix GS type detection Greg Kroah-Hartman
                   ` (986 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Rob Herring, Krzysztof Kozlowski

From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

commit 801109b1a37ad99784e6370cc7e462596f505ea3 upstream.

The usb-device.yaml reference is absolute so it should use /schemas part
in path.

Fixes: 23bf6fc7046c ("dt-bindings: usb: convert usb-device.txt to YAML schema")
Cc: <stable@vger.kernel.org>
Reported-by: Rob Herring <robh@kernel.org>
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Link: https://lore.kernel.org/r/20220314181830.245853-1-krzysztof.kozlowski@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/devicetree/bindings/usb/usb-hcd.yaml |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/Documentation/devicetree/bindings/usb/usb-hcd.yaml
+++ b/Documentation/devicetree/bindings/usb/usb-hcd.yaml
@@ -33,7 +33,7 @@ patternProperties:
   "^.*@[0-9a-f]{1,2}$":
     description: The hard wired USB devices
     type: object
-    $ref: /usb/usb-device.yaml
+    $ref: /schemas/usb/usb-device.yaml
 
 additionalProperties: true
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0004/1126] USB: serial: pl2303: fix GS type detection
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0003/1126] dt-bindings: usb: hcd: correct usb-device path Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0005/1126] USB: serial: simple: add Nokia phone driver Greg Kroah-Hartman
                   ` (985 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matyáš Kroupa, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 5b6ab28d06780c87320ceade61698bb6719c85db upstream.

At least some PL2303GS have a bcdDevice of 0x605 instead of 0x100 as the
datasheet claims. Add it to the list of known release numbers for the
HXN (G) type.

Fixes: 894758d0571d ("USB: serial: pl2303: tighten type HXN (G) detection")
Reported-by: Matyáš Kroupa <kroupa.matyas@gmail.com>
Link: https://lore.kernel.org/r/165de6a0-43e9-092c-2916-66b115c7fbf4@gmail.com
Cc: stable@vger.kernel.org	# 5.13
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/pl2303.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -436,6 +436,7 @@ static int pl2303_detect_type(struct usb
 		case 0x105:
 		case 0x305:
 		case 0x405:
+		case 0x605:
 			/*
 			 * Assume it's an HXN-type if the device doesn't
 			 * support the old read request value.



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0005/1126] USB: serial: simple: add Nokia phone driver
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0004/1126] USB: serial: pl2303: fix GS type detection Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0006/1126] mm: kfence: fix missing objcg housekeeping for SLAB Greg Kroah-Hartman
                   ` (984 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit c4b9c570965f75d0d55e639747f1e5ccdad2fae0 upstream.

Add a new "simple" driver for certain Nokia phones, including Nokia 130
(RM-1035) which exposes two serial ports in "charging only" mode:

Bus 001 Device 009: ID 0421:069a Nokia Mobile Phones 130 [RM-1035] (Charging only)
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0         8
  idVendor           0x0421 Nokia Mobile Phones
  idProduct          0x069a 130 [RM-1035] (Charging only)
  bcdDevice            1.00
  iManufacturer           1 Nokia
  iProduct                2 Nokia 130 (RM-1035)
  iSerial                 0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0037
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol    255 Vendor Specific Protocol
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol    255 Vendor Specific Protocol
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
Device Status:     0x0000
  (Bus Powered)

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220228084919.10656-1-johan@kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/Kconfig             |    1 +
 drivers/usb/serial/usb-serial-simple.c |    7 +++++++
 2 files changed, 8 insertions(+)

--- a/drivers/usb/serial/Kconfig
+++ b/drivers/usb/serial/Kconfig
@@ -66,6 +66,7 @@ config USB_SERIAL_SIMPLE
 		- Libtransistor USB console
 		- a number of Motorola phones
 		- Motorola Tetra devices
+		- Nokia mobile phones
 		- Novatel Wireless GPS receivers
 		- Siemens USB/MPI adapter.
 		- ViVOtech ViVOpay USB device.
--- a/drivers/usb/serial/usb-serial-simple.c
+++ b/drivers/usb/serial/usb-serial-simple.c
@@ -91,6 +91,11 @@ DEVICE(moto_modem, MOTO_IDS);
 	{ USB_DEVICE(0x0cad, 0x9016) }	/* TPG2200 */
 DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS);
 
+/* Nokia mobile phone driver */
+#define NOKIA_IDS()			\
+	{ USB_DEVICE(0x0421, 0x069a) }	/* Nokia 130 (RM-1035) */
+DEVICE(nokia, NOKIA_IDS);
+
 /* Novatel Wireless GPS driver */
 #define NOVATEL_IDS()			\
 	{ USB_DEVICE(0x09d7, 0x0100) }	/* NovAtel FlexPack GPS */
@@ -123,6 +128,7 @@ static struct usb_serial_driver * const
 	&vivopay_device,
 	&moto_modem_device,
 	&motorola_tetra_device,
+	&nokia_device,
 	&novatel_gps_device,
 	&hp4x_device,
 	&suunto_device,
@@ -140,6 +146,7 @@ static const struct usb_device_id id_tab
 	VIVOPAY_IDS(),
 	MOTO_IDS(),
 	MOTOROLA_TETRA_IDS(),
+	NOKIA_IDS(),
 	NOVATEL_IDS(),
 	HP4X_IDS(),
 	SUUNTO_IDS(),



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0006/1126] mm: kfence: fix missing objcg housekeeping for SLAB
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0005/1126] USB: serial: simple: add Nokia phone driver Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0007/1126] locking/lockdep: Avoid potential access of invalid memory in lock_class Greg Kroah-Hartman
                   ` (983 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+f8c45ccc7d5d45fc5965,
	Muchun Song, Dmitry Vyukov, Marco Elver, Andrew Morton,
	Linus Torvalds

From: Muchun Song <songmuchun@bytedance.com>

commit ae085d7f9365de7da27ab5c0d16b12d51ea7fca9 upstream.

The objcg is not cleared and put for kfence object when it is freed,
which could lead to memory leak for struct obj_cgroup and wrong
statistics of NR_SLAB_RECLAIMABLE_B or NR_SLAB_UNRECLAIMABLE_B.

Since the last freed object's objcg is not cleared,
mem_cgroup_from_obj() could return the wrong memcg when this kfence
object, which is not charged to any objcgs, is reallocated to other
users.

A real word issue [1] is caused by this bug.

Link: https://lore.kernel.org/all/000000000000cabcb505dae9e577@google.com/ [1]
Reported-by: syzbot+f8c45ccc7d5d45fc5965@syzkaller.appspotmail.com
Fixes: d3fb45f370d9 ("mm, kfence: insert KFENCE hooks for SLAB")
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Marco Elver <elver@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/slab.c |    1 +
 1 file changed, 1 insertion(+)

--- a/mm/slab.c
+++ b/mm/slab.c
@@ -3421,6 +3421,7 @@ static __always_inline void __cache_free
 
 	if (is_kfence_address(objp)) {
 		kmemleak_free_recursive(objp, cachep->flags);
+		memcg_slab_free_hook(cachep, &objp, 1);
 		__kfence_free(objp);
 		return;
 	}



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0007/1126] locking/lockdep: Avoid potential access of invalid memory in lock_class
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0006/1126] mm: kfence: fix missing objcg housekeeping for SLAB Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0008/1126] drm/amdgpu: move PX checking into amdgpu_device_ip_early_init Greg Kroah-Hartman
                   ` (982 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tetsuo Handa, Waiman Long,
	Peter Zijlstra (Intel),
	Bart Van Assche, Cheng-Jui Wang

From: Waiman Long <longman@redhat.com>

commit 61cc4534b6550997c97a03759ab46b29d44c0017 upstream.

It was found that reading /proc/lockdep after a lockdep splat may
potentially cause an access to freed memory if lockdep_unregister_key()
is called after the splat but before access to /proc/lockdep [1]. This
is due to the fact that graph_lock() call in lockdep_unregister_key()
fails after the clearing of debug_locks by the splat process.

After lockdep_unregister_key() is called, the lock_name may be freed
but the corresponding lock_class structure still have a reference to
it. That invalid memory pointer will then be accessed when /proc/lockdep
is read by a user and a use-after-free (UAF) error will be reported if
KASAN is enabled.

To fix this problem, lockdep_unregister_key() is now modified to always
search for a matching key irrespective of the debug_locks state and
zap the corresponding lock class if a matching one is found.

[1] https://lore.kernel.org/lkml/77f05c15-81b6-bddd-9650-80d5f23fe330@i-love.sakura.ne.jp/

Fixes: 8b39adbee805 ("locking/lockdep: Make lockdep_unregister_key() honor 'debug_locks' again")
Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Cc: Cheng-Jui Wang <cheng-jui.wang@mediatek.com>
Link: https://lkml.kernel.org/r/20220103023558.1377055-1-longman@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/locking/lockdep.c |   24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -6290,7 +6290,13 @@ void lockdep_reset_lock(struct lockdep_m
 		lockdep_reset_lock_reg(lock);
 }
 
-/* Unregister a dynamically allocated key. */
+/*
+ * Unregister a dynamically allocated key.
+ *
+ * Unlike lockdep_register_key(), a search is always done to find a matching
+ * key irrespective of debug_locks to avoid potential invalid access to freed
+ * memory in lock_class entry.
+ */
 void lockdep_unregister_key(struct lock_class_key *key)
 {
 	struct hlist_head *hash_head = keyhashentry(key);
@@ -6305,10 +6311,8 @@ void lockdep_unregister_key(struct lock_
 		return;
 
 	raw_local_irq_save(flags);
-	if (!graph_lock())
-		goto out_irq;
+	lockdep_lock();
 
-	pf = get_pending_free();
 	hlist_for_each_entry_rcu(k, hash_head, hash_entry) {
 		if (k == key) {
 			hlist_del_rcu(&k->hash_entry);
@@ -6316,11 +6320,13 @@ void lockdep_unregister_key(struct lock_
 			break;
 		}
 	}
-	WARN_ON_ONCE(!found);
-	__lockdep_free_key_range(pf, key, 1);
-	call_rcu_zapped(pf);
-	graph_unlock();
-out_irq:
+	WARN_ON_ONCE(!found && debug_locks);
+	if (found) {
+		pf = get_pending_free();
+		__lockdep_free_key_range(pf, key, 1);
+		call_rcu_zapped(pf);
+	}
+	lockdep_unlock();
 	raw_local_irq_restore(flags);
 
 	/* Wait until is_dynamic_key() has finished accessing k->hash_entry. */



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0008/1126] drm/amdgpu: move PX checking into amdgpu_device_ip_early_init
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0007/1126] locking/lockdep: Avoid potential access of invalid memory in lock_class Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0009/1126] drm/amdgpu: only check for _PR3 on dGPUs Greg Kroah-Hartman
                   ` (981 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Evan Quan, Alex Deucher, Mario Limonciello

From: Alex Deucher <alexander.deucher@amd.com>

commit 901e2be20dc55079997ea1885ea77fc72e6826e7 upstream.

We need to set the APU flag from IP discovery before
we evaluate this code.

Acked-by: Evan Quan <evan.quan@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: Mario Limonciello <Mario.Limonciello@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c |   13 +++++++++++++
 drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c    |   11 -----------
 2 files changed, 13 insertions(+), 11 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -31,6 +31,7 @@
 #include <linux/console.h>
 #include <linux/slab.h>
 #include <linux/iommu.h>
+#include <linux/pci.h>
 
 #include <drm/drm_atomic_helper.h>
 #include <drm/drm_probe_helper.h>
@@ -2073,6 +2074,8 @@ out:
  */
 static int amdgpu_device_ip_early_init(struct amdgpu_device *adev)
 {
+	struct drm_device *dev = adev_to_drm(adev);
+	struct pci_dev *parent;
 	int i, r;
 
 	amdgpu_device_enable_virtual_display(adev);
@@ -2137,6 +2140,16 @@ static int amdgpu_device_ip_early_init(s
 		break;
 	}
 
+	if (amdgpu_has_atpx() &&
+	    (amdgpu_is_atpx_hybrid() ||
+	     amdgpu_has_atpx_dgpu_power_cntl()) &&
+	    ((adev->flags & AMD_IS_APU) == 0) &&
+	    !pci_is_thunderbolt_attached(to_pci_dev(dev->dev)))
+		adev->flags |= AMD_IS_PX;
+
+	parent = pci_upstream_bridge(adev->pdev);
+	adev->has_pr3 = parent ? pci_pr3_present(parent) : false;
+
 	amdgpu_amdkfd_device_probe(adev);
 
 	adev->pm.pp_feature = amdgpu_pp_feature_mask;
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
@@ -152,21 +152,10 @@ static void amdgpu_get_audio_func(struct
 int amdgpu_driver_load_kms(struct amdgpu_device *adev, unsigned long flags)
 {
 	struct drm_device *dev;
-	struct pci_dev *parent;
 	int r, acpi_status;
 
 	dev = adev_to_drm(adev);
 
-	if (amdgpu_has_atpx() &&
-	    (amdgpu_is_atpx_hybrid() ||
-	     amdgpu_has_atpx_dgpu_power_cntl()) &&
-	    ((flags & AMD_IS_APU) == 0) &&
-	    !pci_is_thunderbolt_attached(to_pci_dev(dev->dev)))
-		flags |= AMD_IS_PX;
-
-	parent = pci_upstream_bridge(adev->pdev);
-	adev->has_pr3 = parent ? pci_pr3_present(parent) : false;
-
 	/* amdgpu_device_init should report only fatal error
 	 * like memory allocation failure or iomapping failure,
 	 * or memory manager initialization failure, it must



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0009/1126] drm/amdgpu: only check for _PR3 on dGPUs
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0008/1126] drm/amdgpu: move PX checking into amdgpu_device_ip_early_init Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0010/1126] iommu/iova: Improve 32-bit free space estimate Greg Kroah-Hartman
                   ` (980 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mario Limonciello, Alex Deucher

From: Alex Deucher <alexander.deucher@amd.com>

commit 85ac2021fe3ace59cc0afd6edf005abad35625b0 upstream.

We don't support runtime pm on APUs.  They support more
dynamic power savings using clock and powergating.

Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Tested-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -2147,8 +2147,10 @@ static int amdgpu_device_ip_early_init(s
 	    !pci_is_thunderbolt_attached(to_pci_dev(dev->dev)))
 		adev->flags |= AMD_IS_PX;
 
-	parent = pci_upstream_bridge(adev->pdev);
-	adev->has_pr3 = parent ? pci_pr3_present(parent) : false;
+	if (!(adev->flags & AMD_IS_APU)) {
+		parent = pci_upstream_bridge(adev->pdev);
+		adev->has_pr3 = parent ? pci_pr3_present(parent) : false;
+	}
 
 	amdgpu_amdkfd_device_probe(adev);
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0010/1126] iommu/iova: Improve 32-bit free space estimate
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0009/1126] drm/amdgpu: only check for _PR3 on dGPUs Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0011/1126] block: flush plug based on hardware and software queue order Greg Kroah-Hartman
                   ` (979 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yunfei Wang, Robin Murphy,
	Miles Chen, Joerg Roedel

From: Robin Murphy <robin.murphy@arm.com>

commit 5b61343b50590fb04a3f6be2cdc4868091757262 upstream.

For various reasons based on the allocator behaviour and typical
use-cases at the time, when the max32_alloc_size optimisation was
introduced it seemed reasonable to couple the reset of the tracked
size to the update of cached32_node upon freeing a relevant IOVA.
However, since subsequent optimisations focused on helping genuine
32-bit devices make best use of even more limited address spaces, it
is now a lot more likely for cached32_node to be anywhere in a "full"
32-bit address space, and as such more likely for space to become
available from IOVAs below that node being freed.

At this point, the short-cut in __cached_rbnode_delete_update() really
doesn't hold up any more, and we need to fix the logic to reliably
provide the expected behaviour. We still want cached32_node to only move
upwards, but we should reset the allocation size if *any* 32-bit space
has become available.

Reported-by: Yunfei Wang <yf.wang@mediatek.com>
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Miles Chen <miles.chen@mediatek.com>
Link: https://lore.kernel.org/r/033815732d83ca73b13c11485ac39336f15c3b40.1646318408.git.robin.murphy@arm.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Cc: Miles Chen <miles.chen@mediatek.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/iova.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/iommu/iova.c
+++ b/drivers/iommu/iova.c
@@ -95,10 +95,11 @@ __cached_rbnode_delete_update(struct iov
 	cached_iova = to_iova(iovad->cached32_node);
 	if (free == cached_iova ||
 	    (free->pfn_hi < iovad->dma_32bit_pfn &&
-	     free->pfn_lo >= cached_iova->pfn_lo)) {
+	     free->pfn_lo >= cached_iova->pfn_lo))
 		iovad->cached32_node = rb_next(&free->node);
+
+	if (free->pfn_lo < iovad->dma_32bit_pfn)
 		iovad->max32_alloc_size = iovad->dma_32bit_pfn;
-	}
 
 	cached_iova = to_iova(iovad->cached_node);
 	if (free->pfn_lo >= cached_iova->pfn_lo)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0011/1126] block: flush plug based on hardware and software queue order
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0010/1126] iommu/iova: Improve 32-bit free space estimate Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0012/1126] block: ensure plug merging checks the correct queue at least once Greg Kroah-Hartman
                   ` (978 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Song Liu, Jens Axboe, Song Liu

From: Jens Axboe <axboe@kernel.dk>

commit 26fed4ac4eab09c27fbae1859696cc38f0536407 upstream.

We used to sort the plug list if we had multiple queues before dispatching
requests to the IO scheduler. This usually isn't needed, but for certain
workloads that interleave requests to disks, it's a less efficient to
process the plug list one-by-one if everything is interleaved.

Don't sort the list, but skip through it and flush out entries that have
the same target at the same time.

Fixes: df87eb0fce8f ("block: get rid of plug list sorting")
Reported-and-tested-by: Song Liu <song@kernel.org>
Reviewed-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-mq.c |   59 +++++++++++++++++++++++++++------------------------------
 1 file changed, 28 insertions(+), 31 deletions(-)

--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -2561,13 +2561,36 @@ static void __blk_mq_flush_plug_list(str
 	q->mq_ops->queue_rqs(&plug->mq_list);
 }
 
+static void blk_mq_dispatch_plug_list(struct blk_plug *plug, bool from_sched)
+{
+	struct blk_mq_hw_ctx *this_hctx = NULL;
+	struct blk_mq_ctx *this_ctx = NULL;
+	struct request *requeue_list = NULL;
+	unsigned int depth = 0;
+	LIST_HEAD(list);
+
+	do {
+		struct request *rq = rq_list_pop(&plug->mq_list);
+
+		if (!this_hctx) {
+			this_hctx = rq->mq_hctx;
+			this_ctx = rq->mq_ctx;
+		} else if (this_hctx != rq->mq_hctx || this_ctx != rq->mq_ctx) {
+			rq_list_add(&requeue_list, rq);
+			continue;
+		}
+		list_add_tail(&rq->queuelist, &list);
+		depth++;
+	} while (!rq_list_empty(plug->mq_list));
+
+	plug->mq_list = requeue_list;
+	trace_block_unplug(this_hctx->queue, depth, !from_sched);
+	blk_mq_sched_insert_requests(this_hctx, this_ctx, &list, from_sched);
+}
+
 void blk_mq_flush_plug_list(struct blk_plug *plug, bool from_schedule)
 {
-	struct blk_mq_hw_ctx *this_hctx;
-	struct blk_mq_ctx *this_ctx;
 	struct request *rq;
-	unsigned int depth;
-	LIST_HEAD(list);
 
 	if (rq_list_empty(plug->mq_list))
 		return;
@@ -2603,35 +2626,9 @@ void blk_mq_flush_plug_list(struct blk_p
 			return;
 	}
 
-	this_hctx = NULL;
-	this_ctx = NULL;
-	depth = 0;
 	do {
-		rq = rq_list_pop(&plug->mq_list);
-
-		if (!this_hctx) {
-			this_hctx = rq->mq_hctx;
-			this_ctx = rq->mq_ctx;
-		} else if (this_hctx != rq->mq_hctx || this_ctx != rq->mq_ctx) {
-			trace_block_unplug(this_hctx->queue, depth,
-						!from_schedule);
-			blk_mq_sched_insert_requests(this_hctx, this_ctx,
-						&list, from_schedule);
-			depth = 0;
-			this_hctx = rq->mq_hctx;
-			this_ctx = rq->mq_ctx;
-
-		}
-
-		list_add(&rq->queuelist, &list);
-		depth++;
+		blk_mq_dispatch_plug_list(plug, from_schedule);
 	} while (!rq_list_empty(plug->mq_list));
-
-	if (!list_empty(&list)) {
-		trace_block_unplug(this_hctx->queue, depth, !from_schedule);
-		blk_mq_sched_insert_requests(this_hctx, this_ctx, &list,
-						from_schedule);
-	}
 }
 
 void blk_mq_try_issue_list_directly(struct blk_mq_hw_ctx *hctx,



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0012/1126] block: ensure plug merging checks the correct queue at least once
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0011/1126] block: flush plug based on hardware and software queue order Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0013/1126] usb: typec: tipd: Forward plug orientation to typec subsystem Greg Kroah-Hartman
                   ` (977 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Song Liu, Jens Axboe, Song Liu

From: Jens Axboe <axboe@kernel.dk>

commit 5b2050718d095cd3242d1f42aaaea3a2fec8e6f0 upstream.

Song reports that a RAID rebuild workload runs much slower recently,
and it is seeing a lot less merging than it did previously. The reason
is that a previous commit reduced the amount of work we do for plug
merging. RAID rebuild interleaves requests between disks, so a last-entry
check in plug merging always misses a merge opportunity since we always
find a different disk than what we are looking for.

Modify the logic such that it's still a one-hit cache, but ensure that
we check enough to find the right target before giving up.

Fixes: d38a9c04c0d5 ("block: only check previous entry for plug merge attempt")
Reported-and-tested-by: Song Liu <song@kernel.org>
Reviewed-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-merge.c |   20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

--- a/block/blk-merge.c
+++ b/block/blk-merge.c
@@ -1089,12 +1089,20 @@ bool blk_attempt_plug_merge(struct reque
 	if (!plug || rq_list_empty(plug->mq_list))
 		return false;
 
-	/* check the previously added entry for a quick merge attempt */
-	rq = rq_list_peek(&plug->mq_list);
-	if (rq->q == q) {
-		if (blk_attempt_bio_merge(q, rq, bio, nr_segs, false) ==
-				BIO_MERGE_OK)
-			return true;
+	rq_list_for_each(&plug->mq_list, rq) {
+		if (rq->q == q) {
+			if (blk_attempt_bio_merge(q, rq, bio, nr_segs, false) ==
+			    BIO_MERGE_OK)
+				return true;
+			break;
+		}
+
+		/*
+		 * Only keep iterating plug list for merges if we have multiple
+		 * queues
+		 */
+		if (!plug->multiple_queues)
+			break;
 	}
 	return false;
 }



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0013/1126] usb: typec: tipd: Forward plug orientation to typec subsystem
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0012/1126] block: ensure plug merging checks the correct queue at least once Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0014/1126] USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c Greg Kroah-Hartman
                   ` (976 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Heikki Krogerus, Sven Peter

From: Sven Peter <sven@svenpeter.dev>

commit 676748389f5db74e7d28f9d630eebd75cb8a11b4 upstream.

In order to bring up the USB3 PHY on the Apple M1 we need to know the
orientation of the Type-C cable. Extract it from the status register and
forward it to the typec subsystem.

Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Sven Peter <sven@svenpeter.dev>
Link: https://lore.kernel.org/r/20220226125912.59828-1-sven@svenpeter.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tipd/core.c     |    5 +++++
 drivers/usb/typec/tipd/tps6598x.h |    1 +
 2 files changed, 6 insertions(+)

--- a/drivers/usb/typec/tipd/core.c
+++ b/drivers/usb/typec/tipd/core.c
@@ -256,6 +256,10 @@ static int tps6598x_connect(struct tps65
 	typec_set_pwr_opmode(tps->port, mode);
 	typec_set_pwr_role(tps->port, TPS_STATUS_TO_TYPEC_PORTROLE(status));
 	typec_set_vconn_role(tps->port, TPS_STATUS_TO_TYPEC_VCONN(status));
+	if (TPS_STATUS_TO_UPSIDE_DOWN(status))
+		typec_set_orientation(tps->port, TYPEC_ORIENTATION_REVERSE);
+	else
+		typec_set_orientation(tps->port, TYPEC_ORIENTATION_NORMAL);
 	tps6598x_set_data_role(tps, TPS_STATUS_TO_TYPEC_DATAROLE(status), true);
 
 	tps->partner = typec_register_partner(tps->port, &desc);
@@ -278,6 +282,7 @@ static void tps6598x_disconnect(struct t
 	typec_set_pwr_opmode(tps->port, TYPEC_PWR_MODE_USB);
 	typec_set_pwr_role(tps->port, TPS_STATUS_TO_TYPEC_PORTROLE(status));
 	typec_set_vconn_role(tps->port, TPS_STATUS_TO_TYPEC_VCONN(status));
+	typec_set_orientation(tps->port, TYPEC_ORIENTATION_NONE);
 	tps6598x_set_data_role(tps, TPS_STATUS_TO_TYPEC_DATAROLE(status), false);
 
 	power_supply_changed(tps->psy);
--- a/drivers/usb/typec/tipd/tps6598x.h
+++ b/drivers/usb/typec/tipd/tps6598x.h
@@ -17,6 +17,7 @@
 /* TPS_REG_STATUS bits */
 #define TPS_STATUS_PLUG_PRESENT		BIT(0)
 #define TPS_STATUS_PLUG_UPSIDE_DOWN	BIT(4)
+#define TPS_STATUS_TO_UPSIDE_DOWN(s)	(!!((s) & TPS_STATUS_PLUG_UPSIDE_DOWN))
 #define TPS_STATUS_PORTROLE		BIT(5)
 #define TPS_STATUS_TO_TYPEC_PORTROLE(s) (!!((s) & TPS_STATUS_PORTROLE))
 #define TPS_STATUS_DATAROLE		BIT(6)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0014/1126] USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0013/1126] usb: typec: tipd: Forward plug orientation to typec subsystem Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0015/1126] xhci: fix garbage USBSTS being logged in some cases Greg Kroah-Hartman
                   ` (975 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern

From: Alan Stern <stern@rowland.harvard.edu>

commit 1892bf90677abcad7f06e897e308f5c3e3618dd4 upstream.

The kernel test robot found a problem with the ene_ub6250 subdriver in
usb-storage: It uses structures containing bitfields to represent
hardware bits in its SD_STATUS, MS_STATUS, and SM_STATUS bytes.  This
is not safe; it presumes a particular bit ordering and it assumes the
compiler will not insert padding, neither of which is guaranteed.

This patch fixes the problem by changing the structures to simple u8
values, with the bitfields replaced by bitmask constants.

CC: <stable@vger.kernel.org>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/YjOcbuU106UpJ/V8@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/storage/ene_ub6250.c |  153 +++++++++++++++++++--------------------
 1 file changed, 75 insertions(+), 78 deletions(-)

--- a/drivers/usb/storage/ene_ub6250.c
+++ b/drivers/usb/storage/ene_ub6250.c
@@ -237,36 +237,33 @@ static struct us_unusual_dev ene_ub6250_
 #define memstick_logaddr(logadr1, logadr0) ((((u16)(logadr1)) << 8) | (logadr0))
 
 
-struct SD_STATUS {
-	u8    Insert:1;
-	u8    Ready:1;
-	u8    MediaChange:1;
-	u8    IsMMC:1;
-	u8    HiCapacity:1;
-	u8    HiSpeed:1;
-	u8    WtP:1;
-	u8    Reserved:1;
-};
-
-struct MS_STATUS {
-	u8    Insert:1;
-	u8    Ready:1;
-	u8    MediaChange:1;
-	u8    IsMSPro:1;
-	u8    IsMSPHG:1;
-	u8    Reserved1:1;
-	u8    WtP:1;
-	u8    Reserved2:1;
-};
-
-struct SM_STATUS {
-	u8    Insert:1;
-	u8    Ready:1;
-	u8    MediaChange:1;
-	u8    Reserved:3;
-	u8    WtP:1;
-	u8    IsMS:1;
-};
+/* SD_STATUS bits */
+#define SD_Insert	BIT(0)
+#define SD_Ready	BIT(1)
+#define SD_MediaChange	BIT(2)
+#define SD_IsMMC	BIT(3)
+#define SD_HiCapacity	BIT(4)
+#define SD_HiSpeed	BIT(5)
+#define SD_WtP		BIT(6)
+			/* Bit 7 reserved */
+
+/* MS_STATUS bits */
+#define MS_Insert	BIT(0)
+#define MS_Ready	BIT(1)
+#define MS_MediaChange	BIT(2)
+#define MS_IsMSPro	BIT(3)
+#define MS_IsMSPHG	BIT(4)
+			/* Bit 5 reserved */
+#define MS_WtP		BIT(6)
+			/* Bit 7 reserved */
+
+/* SM_STATUS bits */
+#define SM_Insert	BIT(0)
+#define SM_Ready	BIT(1)
+#define SM_MediaChange	BIT(2)
+			/* Bits 3-5 reserved */
+#define SM_WtP		BIT(6)
+#define SM_IsMS		BIT(7)
 
 struct ms_bootblock_cis {
 	u8 bCistplDEVICE[6];    /* 0 */
@@ -437,9 +434,9 @@ struct ene_ub6250_info {
 	u8		*bbuf;
 
 	/* for 6250 code */
-	struct SD_STATUS	SD_Status;
-	struct MS_STATUS	MS_Status;
-	struct SM_STATUS	SM_Status;
+	u8		SD_Status;
+	u8		MS_Status;
+	u8		SM_Status;
 
 	/* ----- SD Control Data ---------------- */
 	/*SD_REGISTER SD_Regs; */
@@ -602,7 +599,7 @@ static int sd_scsi_test_unit_ready(struc
 {
 	struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
 
-	if (info->SD_Status.Insert && info->SD_Status.Ready)
+	if ((info->SD_Status & SD_Insert) && (info->SD_Status & SD_Ready))
 		return USB_STOR_TRANSPORT_GOOD;
 	else {
 		ene_sd_init(us);
@@ -622,7 +619,7 @@ static int sd_scsi_mode_sense(struct us_
 		0x0b, 0x00, 0x80, 0x08, 0x00, 0x00,
 		0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
 
-	if (info->SD_Status.WtP)
+	if (info->SD_Status & SD_WtP)
 		usb_stor_set_xfer_buf(mediaWP, 12, srb);
 	else
 		usb_stor_set_xfer_buf(mediaNoWP, 12, srb);
@@ -641,9 +638,9 @@ static int sd_scsi_read_capacity(struct
 	struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
 
 	usb_stor_dbg(us, "sd_scsi_read_capacity\n");
-	if (info->SD_Status.HiCapacity) {
+	if (info->SD_Status & SD_HiCapacity) {
 		bl_len = 0x200;
-		if (info->SD_Status.IsMMC)
+		if (info->SD_Status & SD_IsMMC)
 			bl_num = info->HC_C_SIZE-1;
 		else
 			bl_num = (info->HC_C_SIZE + 1) * 1024 - 1;
@@ -693,7 +690,7 @@ static int sd_scsi_read(struct us_data *
 		return USB_STOR_TRANSPORT_ERROR;
 	}
 
-	if (info->SD_Status.HiCapacity)
+	if (info->SD_Status & SD_HiCapacity)
 		bnByte = bn;
 
 	/* set up the command wrapper */
@@ -733,7 +730,7 @@ static int sd_scsi_write(struct us_data
 		return USB_STOR_TRANSPORT_ERROR;
 	}
 
-	if (info->SD_Status.HiCapacity)
+	if (info->SD_Status & SD_HiCapacity)
 		bnByte = bn;
 
 	/* set up the command wrapper */
@@ -1456,7 +1453,7 @@ static int ms_scsi_test_unit_ready(struc
 	struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra);
 
 	/* pr_info("MS_SCSI_Test_Unit_Ready\n"); */
-	if (info->MS_Status.Insert && info->MS_Status.Ready) {
+	if ((info->MS_Status & MS_Insert) && (info->MS_Status & MS_Ready)) {
 		return USB_STOR_TRANSPORT_GOOD;
 	} else {
 		ene_ms_init(us);
@@ -1476,7 +1473,7 @@ static int ms_scsi_mode_sense(struct us_
 		0x0b, 0x00, 0x80, 0x08, 0x00, 0x00,
 		0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
 
-	if (info->MS_Status.WtP)
+	if (info->MS_Status & MS_WtP)
 		usb_stor_set_xfer_buf(mediaWP, 12, srb);
 	else
 		usb_stor_set_xfer_buf(mediaNoWP, 12, srb);
@@ -1495,7 +1492,7 @@ static int ms_scsi_read_capacity(struct
 
 	usb_stor_dbg(us, "ms_scsi_read_capacity\n");
 	bl_len = 0x200;
-	if (info->MS_Status.IsMSPro)
+	if (info->MS_Status & MS_IsMSPro)
 		bl_num = info->MSP_TotalBlock - 1;
 	else
 		bl_num = info->MS_Lib.NumberOfLogBlock * info->MS_Lib.blockSize * 2 - 1;
@@ -1650,7 +1647,7 @@ static int ms_scsi_read(struct us_data *
 	if (bn > info->bl_num)
 		return USB_STOR_TRANSPORT_ERROR;
 
-	if (info->MS_Status.IsMSPro) {
+	if (info->MS_Status & MS_IsMSPro) {
 		result = ene_load_bincode(us, MSP_RW_PATTERN);
 		if (result != USB_STOR_XFER_GOOD) {
 			usb_stor_dbg(us, "Load MPS RW pattern Fail !!\n");
@@ -1751,7 +1748,7 @@ static int ms_scsi_write(struct us_data
 	if (bn > info->bl_num)
 		return USB_STOR_TRANSPORT_ERROR;
 
-	if (info->MS_Status.IsMSPro) {
+	if (info->MS_Status & MS_IsMSPro) {
 		result = ene_load_bincode(us, MSP_RW_PATTERN);
 		if (result != USB_STOR_XFER_GOOD) {
 			pr_info("Load MSP RW pattern Fail !!\n");
@@ -1859,12 +1856,12 @@ static int ene_get_card_status(struct us
 
 	tmpreg = (u16) reg4b;
 	reg4b = *(u32 *)(&buf[0x14]);
-	if (info->SD_Status.HiCapacity && !info->SD_Status.IsMMC)
+	if ((info->SD_Status & SD_HiCapacity) && !(info->SD_Status & SD_IsMMC))
 		info->HC_C_SIZE = (reg4b >> 8) & 0x3fffff;
 
 	info->SD_C_SIZE = ((tmpreg & 0x03) << 10) | (u16)(reg4b >> 22);
 	info->SD_C_SIZE_MULT = (u8)(reg4b >> 7)  & 0x07;
-	if (info->SD_Status.HiCapacity && info->SD_Status.IsMMC)
+	if ((info->SD_Status & SD_HiCapacity) && (info->SD_Status & SD_IsMMC))
 		info->HC_C_SIZE = *(u32 *)(&buf[0x100]);
 
 	if (info->SD_READ_BL_LEN > SD_BLOCK_LEN) {
@@ -2076,6 +2073,7 @@ static int ene_ms_init(struct us_data *u
 	u16 MSP_BlockSize, MSP_UserAreaBlocks;
 	struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
 	u8 *bbuf = info->bbuf;
+	unsigned int s;
 
 	printk(KERN_INFO "transport --- ENE_MSInit\n");
 
@@ -2100,15 +2098,16 @@ static int ene_ms_init(struct us_data *u
 		return USB_STOR_TRANSPORT_ERROR;
 	}
 	/* the same part to test ENE */
-	info->MS_Status = *(struct MS_STATUS *) bbuf;
+	info->MS_Status = bbuf[0];
 
-	if (info->MS_Status.Insert && info->MS_Status.Ready) {
-		printk(KERN_INFO "Insert     = %x\n", info->MS_Status.Insert);
-		printk(KERN_INFO "Ready      = %x\n", info->MS_Status.Ready);
-		printk(KERN_INFO "IsMSPro    = %x\n", info->MS_Status.IsMSPro);
-		printk(KERN_INFO "IsMSPHG    = %x\n", info->MS_Status.IsMSPHG);
-		printk(KERN_INFO "WtP= %x\n", info->MS_Status.WtP);
-		if (info->MS_Status.IsMSPro) {
+	s = info->MS_Status;
+	if ((s & MS_Insert) && (s & MS_Ready)) {
+		printk(KERN_INFO "Insert     = %x\n", !!(s & MS_Insert));
+		printk(KERN_INFO "Ready      = %x\n", !!(s & MS_Ready));
+		printk(KERN_INFO "IsMSPro    = %x\n", !!(s & MS_IsMSPro));
+		printk(KERN_INFO "IsMSPHG    = %x\n", !!(s & MS_IsMSPHG));
+		printk(KERN_INFO "WtP= %x\n", !!(s & MS_WtP));
+		if (s & MS_IsMSPro) {
 			MSP_BlockSize      = (bbuf[6] << 8) | bbuf[7];
 			MSP_UserAreaBlocks = (bbuf[10] << 8) | bbuf[11];
 			info->MSP_TotalBlock = MSP_BlockSize * MSP_UserAreaBlocks;
@@ -2169,17 +2168,17 @@ static int ene_sd_init(struct us_data *u
 		return USB_STOR_TRANSPORT_ERROR;
 	}
 
-	info->SD_Status =  *(struct SD_STATUS *) bbuf;
-	if (info->SD_Status.Insert && info->SD_Status.Ready) {
-		struct SD_STATUS *s = &info->SD_Status;
+	info->SD_Status = bbuf[0];
+	if ((info->SD_Status & SD_Insert) && (info->SD_Status & SD_Ready)) {
+		unsigned int s = info->SD_Status;
 
 		ene_get_card_status(us, bbuf);
-		usb_stor_dbg(us, "Insert     = %x\n", s->Insert);
-		usb_stor_dbg(us, "Ready      = %x\n", s->Ready);
-		usb_stor_dbg(us, "IsMMC      = %x\n", s->IsMMC);
-		usb_stor_dbg(us, "HiCapacity = %x\n", s->HiCapacity);
-		usb_stor_dbg(us, "HiSpeed    = %x\n", s->HiSpeed);
-		usb_stor_dbg(us, "WtP        = %x\n", s->WtP);
+		usb_stor_dbg(us, "Insert     = %x\n", !!(s & SD_Insert));
+		usb_stor_dbg(us, "Ready      = %x\n", !!(s & SD_Ready));
+		usb_stor_dbg(us, "IsMMC      = %x\n", !!(s & SD_IsMMC));
+		usb_stor_dbg(us, "HiCapacity = %x\n", !!(s & SD_HiCapacity));
+		usb_stor_dbg(us, "HiSpeed    = %x\n", !!(s & SD_HiSpeed));
+		usb_stor_dbg(us, "WtP        = %x\n", !!(s & SD_WtP));
 	} else {
 		usb_stor_dbg(us, "SD Card Not Ready --- %x\n", bbuf[0]);
 		return USB_STOR_TRANSPORT_ERROR;
@@ -2201,14 +2200,14 @@ static int ene_init(struct us_data *us)
 
 	misc_reg03 = bbuf[0];
 	if (misc_reg03 & 0x01) {
-		if (!info->SD_Status.Ready) {
+		if (!(info->SD_Status & SD_Ready)) {
 			result = ene_sd_init(us);
 			if (result != USB_STOR_XFER_GOOD)
 				return USB_STOR_TRANSPORT_ERROR;
 		}
 	}
 	if (misc_reg03 & 0x02) {
-		if (!info->MS_Status.Ready) {
+		if (!(info->MS_Status & MS_Ready)) {
 			result = ene_ms_init(us);
 			if (result != USB_STOR_XFER_GOOD)
 				return USB_STOR_TRANSPORT_ERROR;
@@ -2307,14 +2306,14 @@ static int ene_transport(struct scsi_cmn
 
 	/*US_DEBUG(usb_stor_show_command(us, srb)); */
 	scsi_set_resid(srb, 0);
-	if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready)))
+	if (unlikely(!(info->SD_Status & SD_Ready) || (info->MS_Status & MS_Ready)))
 		result = ene_init(us);
 	if (result == USB_STOR_XFER_GOOD) {
 		result = USB_STOR_TRANSPORT_ERROR;
-		if (info->SD_Status.Ready)
+		if (info->SD_Status & SD_Ready)
 			result = sd_scsi_irp(us, srb);
 
-		if (info->MS_Status.Ready)
+		if (info->MS_Status & MS_Ready)
 			result = ms_scsi_irp(us, srb);
 	}
 	return result;
@@ -2378,7 +2377,6 @@ static int ene_ub6250_probe(struct usb_i
 
 static int ene_ub6250_resume(struct usb_interface *iface)
 {
-	u8 tmp = 0;
 	struct us_data *us = usb_get_intfdata(iface);
 	struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra);
 
@@ -2390,17 +2388,16 @@ static int ene_ub6250_resume(struct usb_
 	mutex_unlock(&us->dev_mutex);
 
 	info->Power_IsResum = true;
-	/*info->SD_Status.Ready = 0; */
-	info->SD_Status = *(struct SD_STATUS *)&tmp;
-	info->MS_Status = *(struct MS_STATUS *)&tmp;
-	info->SM_Status = *(struct SM_STATUS *)&tmp;
+	/* info->SD_Status &= ~SD_Ready; */
+	info->SD_Status = 0;
+	info->MS_Status = 0;
+	info->SM_Status = 0;
 
 	return 0;
 }
 
 static int ene_ub6250_reset_resume(struct usb_interface *iface)
 {
-	u8 tmp = 0;
 	struct us_data *us = usb_get_intfdata(iface);
 	struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra);
 
@@ -2412,10 +2409,10 @@ static int ene_ub6250_reset_resume(struc
 	 * the device
 	 */
 	info->Power_IsResum = true;
-	/*info->SD_Status.Ready = 0; */
-	info->SD_Status = *(struct SD_STATUS *)&tmp;
-	info->MS_Status = *(struct MS_STATUS *)&tmp;
-	info->SM_Status = *(struct SM_STATUS *)&tmp;
+	/* info->SD_Status &= ~SD_Ready; */
+	info->SD_Status = 0;
+	info->MS_Status = 0;
+	info->SM_Status = 0;
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0015/1126] xhci: fix garbage USBSTS being logged in some cases
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0014/1126] USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0016/1126] xhci: fix runtime PM imbalance in USB2 resume Greg Kroah-Hartman
                   ` (974 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anssi Hannula, Mathias Nyman

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 3105bc977d7cbf2edc35e24cc7e009686f6e4a56 upstream.

xhci_decode_usbsts() is expected to return a zero-terminated string by
its only caller, xhci_stop_endpoint_command_watchdog(), which directly
logs the return value:

  xhci_warn(xhci, "USBSTS:%s\n", xhci_decode_usbsts(str, usbsts));

However, if no recognized bits are set in usbsts, the function will
return without having called any sprintf() and therefore return an
untouched non-zero-terminated caller-provided buffer, causing garbage
to be output to log.

Fix that by always including the raw value in the output.

Note that before commit 4843b4b5ec64 ("xhci: fix even more unsafe memory
usage in xhci tracing") the result effect in the failure case was different
as a static buffer was used here, but the code still worked incorrectly.

Fixes: 9c1aa36efdae ("xhci: Show host status when watchdog triggers and host is assumed dead.")
Cc: stable@vger.kernel.org
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20220303110903.1662404-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci.h |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -2624,8 +2624,11 @@ static inline const char *xhci_decode_us
 {
 	int ret = 0;
 
+	ret = sprintf(str, " 0x%08x", usbsts);
+
 	if (usbsts == ~(u32)0)
-		return " 0xffffffff";
+		return str;
+
 	if (usbsts & STS_HALT)
 		ret += sprintf(str + ret, " HCHalted");
 	if (usbsts & STS_FATAL)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0016/1126] xhci: fix runtime PM imbalance in USB2 resume
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0015/1126] xhci: fix garbage USBSTS being logged in some cases Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0017/1126] xhci: make xhci_handshake timeout for xhci_reset() adjustable Greg Kroah-Hartman
                   ` (973 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Henry Lin, Mathias Nyman

From: Henry Lin <henryl@nvidia.com>

commit 70c05e4cf63054cd755ca66c1819327b22cb085f upstream.

A race between system resume and device-initiated resume may result in
runtime PM imbalance on USB2 root hub. If a device-initiated resume
starts and system resume xhci_bus_resume() directs U0 before hub driver
sees the resuming device in RESUME state, device-initiated resume will
not be finished in xhci_handle_usb2_port_link_resume(). In this case,
usb_hcd_end_port_resume() call is missing.

This changes calls usb_hcd_end_port_resume() if resuming device reaches
U0 to keep runtime PM balance.

Fixes: a231ec41e6f6 ("xhci: refactor U0 link state handling in get_port_status")
Cc: stable@vger.kernel.org
Signed-off-by: Henry Lin <henryl@nvidia.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20220303110903.1662404-5-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci-hub.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1088,6 +1088,9 @@ static void xhci_get_usb2_port_status(st
 		if (link_state == XDEV_U2)
 			*status |= USB_PORT_STAT_L1;
 		if (link_state == XDEV_U0) {
+			if (bus_state->resume_done[portnum])
+				usb_hcd_end_port_resume(&port->rhub->hcd->self,
+							portnum);
 			bus_state->resume_done[portnum] = 0;
 			clear_bit(portnum, &bus_state->resuming_ports);
 			if (bus_state->suspended_ports & (1 << portnum)) {



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0017/1126] xhci: make xhci_handshake timeout for xhci_reset() adjustable
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0016/1126] xhci: fix runtime PM imbalance in USB2 resume Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0018/1126] xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx() Greg Kroah-Hartman
                   ` (972 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergey Shtylyov, Pavan Kondeti,
	Mathias Nyman

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 14073ce951b5919da450022c050772902f24f054 upstream.

xhci_reset() timeout was increased from 250ms to 10 seconds in order to
give Renesas 720201 xHC enough time to get ready in probe.

xhci_reset() is called with interrupts disabled in other places, and
waiting for 10 seconds there is not acceptable.

Add a timeout parameter to xhci_reset(), and adjust it back to 250ms
when called from xhci_stop() or xhci_shutdown() where interrupts are
disabled, and successful reset isn't that critical.
This solves issues when deactivating host mode on platforms like SM8450.

For now don't change the timeout if xHC is reset in xhci_resume().
No issues are reported for it, and we need the reset to succeed.
Locking around that reset needs to be revisited later.

Additionally change the signed integer timeout parameter in
xhci_handshake() to a u64 to match the timeout value we pass to
readl_poll_timeout_atomic()

Fixes: 22ceac191211 ("xhci: Increase reset timeout for Renesas 720201 host.")
Cc: stable@vger.kernel.org
Reported-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Reported-by: Pavan Kondeti <quic_pkondeti@quicinc.com>
Tested-by: Pavan Kondeti <quic_pkondeti@quicinc.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20220303110903.1662404-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci-hub.c |    2 +-
 drivers/usb/host/xhci-mem.c |    2 +-
 drivers/usb/host/xhci.c     |   20 +++++++++-----------
 drivers/usb/host/xhci.h     |    7 +++++--
 4 files changed, 16 insertions(+), 15 deletions(-)

--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -762,7 +762,7 @@ static int xhci_exit_test_mode(struct xh
 	}
 	pm_runtime_allow(xhci_to_hcd(xhci)->self.controller);
 	xhci->test_mode = 0;
-	return xhci_reset(xhci);
+	return xhci_reset(xhci, XHCI_RESET_SHORT_USEC);
 }
 
 void xhci_set_link_state(struct xhci_hcd *xhci, struct xhci_port *port,
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -2583,7 +2583,7 @@ int xhci_mem_init(struct xhci_hcd *xhci,
 
 fail:
 	xhci_halt(xhci);
-	xhci_reset(xhci);
+	xhci_reset(xhci, XHCI_RESET_SHORT_USEC);
 	xhci_mem_cleanup(xhci);
 	return -ENOMEM;
 }
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -65,7 +65,7 @@ static bool td_on_ring(struct xhci_td *t
  * handshake done).  There are two failure modes:  "usec" have passed (major
  * hardware flakeout), or the register reads as all-ones (hardware removed).
  */
-int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, int usec)
+int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, u64 timeout_us)
 {
 	u32	result;
 	int	ret;
@@ -73,7 +73,7 @@ int xhci_handshake(void __iomem *ptr, u3
 	ret = readl_poll_timeout_atomic(ptr, result,
 					(result & mask) == done ||
 					result == U32_MAX,
-					1, usec);
+					1, timeout_us);
 	if (result == U32_MAX)		/* card removed */
 		return -ENODEV;
 
@@ -162,7 +162,7 @@ int xhci_start(struct xhci_hcd *xhci)
  * Transactions will be terminated immediately, and operational registers
  * will be set to their defaults.
  */
-int xhci_reset(struct xhci_hcd *xhci)
+int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us)
 {
 	u32 command;
 	u32 state;
@@ -195,8 +195,7 @@ int xhci_reset(struct xhci_hcd *xhci)
 	if (xhci->quirks & XHCI_INTEL_HOST)
 		udelay(1000);
 
-	ret = xhci_handshake(&xhci->op_regs->command,
-			CMD_RESET, 0, 10 * 1000 * 1000);
+	ret = xhci_handshake(&xhci->op_regs->command, CMD_RESET, 0, timeout_us);
 	if (ret)
 		return ret;
 
@@ -209,8 +208,7 @@ int xhci_reset(struct xhci_hcd *xhci)
 	 * xHCI cannot write to any doorbells or operational registers other
 	 * than status until the "Controller Not Ready" flag is cleared.
 	 */
-	ret = xhci_handshake(&xhci->op_regs->status,
-			STS_CNR, 0, 10 * 1000 * 1000);
+	ret = xhci_handshake(&xhci->op_regs->status, STS_CNR, 0, timeout_us);
 
 	xhci->usb2_rhub.bus_state.port_c_suspend = 0;
 	xhci->usb2_rhub.bus_state.suspended_ports = 0;
@@ -731,7 +729,7 @@ static void xhci_stop(struct usb_hcd *hc
 	xhci->xhc_state |= XHCI_STATE_HALTED;
 	xhci->cmd_ring_state = CMD_RING_STATE_STOPPED;
 	xhci_halt(xhci);
-	xhci_reset(xhci);
+	xhci_reset(xhci, XHCI_RESET_SHORT_USEC);
 	spin_unlock_irq(&xhci->lock);
 
 	xhci_cleanup_msix(xhci);
@@ -784,7 +782,7 @@ void xhci_shutdown(struct usb_hcd *hcd)
 	xhci_halt(xhci);
 	/* Workaround for spurious wakeups at shutdown with HSW */
 	if (xhci->quirks & XHCI_SPURIOUS_WAKEUP)
-		xhci_reset(xhci);
+		xhci_reset(xhci, XHCI_RESET_SHORT_USEC);
 	spin_unlock_irq(&xhci->lock);
 
 	xhci_cleanup_msix(xhci);
@@ -1170,7 +1168,7 @@ int xhci_resume(struct xhci_hcd *xhci, b
 		xhci_dbg(xhci, "Stop HCD\n");
 		xhci_halt(xhci);
 		xhci_zero_64b_regs(xhci);
-		retval = xhci_reset(xhci);
+		retval = xhci_reset(xhci, XHCI_RESET_LONG_USEC);
 		spin_unlock_irq(&xhci->lock);
 		if (retval)
 			return retval;
@@ -5316,7 +5314,7 @@ int xhci_gen_setup(struct usb_hcd *hcd,
 
 	xhci_dbg(xhci, "Resetting HCD\n");
 	/* Reset the internal HC memory state and registers. */
-	retval = xhci_reset(xhci);
+	retval = xhci_reset(xhci, XHCI_RESET_LONG_USEC);
 	if (retval)
 		return retval;
 	xhci_dbg(xhci, "Reset complete\n");
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -229,6 +229,9 @@ struct xhci_op_regs {
 #define CMD_ETE		(1 << 14)
 /* bits 15:31 are reserved (and should be preserved on writes). */
 
+#define XHCI_RESET_LONG_USEC		(10 * 1000 * 1000)
+#define XHCI_RESET_SHORT_USEC		(250 * 1000)
+
 /* IMAN - Interrupt Management Register */
 #define IMAN_IE		(1 << 1)
 #define IMAN_IP		(1 << 0)
@@ -2083,11 +2086,11 @@ void xhci_free_container_ctx(struct xhci
 
 /* xHCI host controller glue */
 typedef void (*xhci_get_quirks_t)(struct device *, struct xhci_hcd *);
-int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, int usec);
+int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, u64 timeout_us);
 void xhci_quiesce(struct xhci_hcd *xhci);
 int xhci_halt(struct xhci_hcd *xhci);
 int xhci_start(struct xhci_hcd *xhci);
-int xhci_reset(struct xhci_hcd *xhci);
+int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us);
 int xhci_run(struct usb_hcd *hcd);
 int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks);
 void xhci_shutdown(struct usb_hcd *hcd);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0018/1126] xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0017/1126] xhci: make xhci_handshake timeout for xhci_reset() adjustable Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0019/1126] mei: me: disable driver on the ign firmware Greg Kroah-Hartman
                   ` (971 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anssi Hannula, Mathias Nyman

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 05519b8589a679edb8fa781259893d20bece04ad upstream.

xhci_decode_ctrl_ctx() returns the untouched buffer as-is if both "drop"
and "add" parameters are zero.

Fix the function to return an empty string in that case.

It was not immediately clear from the possible call chains whether this
issue is currently actually triggerable or not.

Note that before commit 4843b4b5ec64 ("xhci: fix even more unsafe memory
usage in xhci tracing") the result effect in the failure case was different
as a static buffer was used here, but the code still worked incorrectly.

Fixes: 90d6d5731da7 ("xhci: Add tracing for input control context")
Cc: stable@vger.kernel.org
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
commit 4843b4b5ec64 ("xhci: fix even more unsafe memory usage in xhci tracing")
Link: https://lore.kernel.org/r/20220303110903.1662404-4-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci.h |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -2470,6 +2470,8 @@ static inline const char *xhci_decode_ct
 	unsigned int	bit;
 	int		ret = 0;
 
+	str[0] = '\0';
+
 	if (drop) {
 		ret = sprintf(str, "Drop:");
 		for_each_set_bit(bit, &drop, 32)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0019/1126] mei: me: disable driver on the ign firmware
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0018/1126] xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx() Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0020/1126] mei: me: add Alder Lake N device id Greg Kroah-Hartman
                   ` (970 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Usyskin, Tomas Winkler

From: Alexander Usyskin <alexander.usyskin@intel.com>

commit ccdf6f806fbf559f7c29ed9302a7c1b4da7fd37f upstream.

Add a quirk to disable MEI interface on Intel PCH Ignition (IGN)
as the IGN firmware doesn't support the protocol.

Cc: <stable@vger.kernel.org>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Link: https://lore.kernel.org/r/20220215080438.264876-1-tomas.winkler@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/mei/hw-me-regs.h |    1 +
 drivers/misc/mei/hw-me.c      |   23 ++++++++++++-----------
 2 files changed, 13 insertions(+), 11 deletions(-)

--- a/drivers/misc/mei/hw-me-regs.h
+++ b/drivers/misc/mei/hw-me-regs.h
@@ -120,6 +120,7 @@
 #define PCI_CFG_HFS_2         0x48
 #define PCI_CFG_HFS_3         0x60
 #  define PCI_CFG_HFS_3_FW_SKU_MSK   0x00000070
+#  define PCI_CFG_HFS_3_FW_SKU_IGN   0x00000000
 #  define PCI_CFG_HFS_3_FW_SKU_SPS   0x00000060
 #define PCI_CFG_HFS_4         0x64
 #define PCI_CFG_HFS_5         0x68
--- a/drivers/misc/mei/hw-me.c
+++ b/drivers/misc/mei/hw-me.c
@@ -1405,16 +1405,16 @@ static bool mei_me_fw_type_sps_4(const s
 	.quirk_probe = mei_me_fw_type_sps_4
 
 /**
- * mei_me_fw_type_sps() - check for sps sku
+ * mei_me_fw_type_sps_ign() - check for sps or ign sku
  *
- * Read ME FW Status register to check for SPS Firmware.
- * The SPS FW is only signaled in pci function 0
+ * Read ME FW Status register to check for SPS or IGN Firmware.
+ * The SPS/IGN FW is only signaled in pci function 0
  *
  * @pdev: pci device
  *
- * Return: true in case of SPS firmware
+ * Return: true in case of SPS/IGN firmware
  */
-static bool mei_me_fw_type_sps(const struct pci_dev *pdev)
+static bool mei_me_fw_type_sps_ign(const struct pci_dev *pdev)
 {
 	u32 reg;
 	u32 fw_type;
@@ -1427,14 +1427,15 @@ static bool mei_me_fw_type_sps(const str
 
 	dev_dbg(&pdev->dev, "fw type is %d\n", fw_type);
 
-	return fw_type == PCI_CFG_HFS_3_FW_SKU_SPS;
+	return fw_type == PCI_CFG_HFS_3_FW_SKU_IGN ||
+	       fw_type == PCI_CFG_HFS_3_FW_SKU_SPS;
 }
 
 #define MEI_CFG_KIND_ITOUCH                     \
 	.kind = "itouch"
 
-#define MEI_CFG_FW_SPS                          \
-	.quirk_probe = mei_me_fw_type_sps
+#define MEI_CFG_FW_SPS_IGN                      \
+	.quirk_probe = mei_me_fw_type_sps_ign
 
 #define MEI_CFG_FW_VER_SUPP                     \
 	.fw_ver_supported = 1
@@ -1535,7 +1536,7 @@ static const struct mei_cfg mei_me_pch12
 	MEI_CFG_PCH8_HFS,
 	MEI_CFG_FW_VER_SUPP,
 	MEI_CFG_DMA_128,
-	MEI_CFG_FW_SPS,
+	MEI_CFG_FW_SPS_IGN,
 };
 
 /* Cannon Lake itouch with quirk for SPS 5.0 and newer Firmware exclusion
@@ -1545,7 +1546,7 @@ static const struct mei_cfg mei_me_pch12
 	MEI_CFG_KIND_ITOUCH,
 	MEI_CFG_PCH8_HFS,
 	MEI_CFG_FW_VER_SUPP,
-	MEI_CFG_FW_SPS,
+	MEI_CFG_FW_SPS_IGN,
 };
 
 /* Tiger Lake and newer devices */
@@ -1562,7 +1563,7 @@ static const struct mei_cfg mei_me_pch15
 	MEI_CFG_FW_VER_SUPP,
 	MEI_CFG_DMA_128,
 	MEI_CFG_TRC,
-	MEI_CFG_FW_SPS,
+	MEI_CFG_FW_SPS_IGN,
 };
 
 /*



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0020/1126] mei: me: add Alder Lake N device id.
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0019/1126] mei: me: disable driver on the ign firmware Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0021/1126] mei: avoid iterator usage outside of list_for_each_entry Greg Kroah-Hartman
                   ` (969 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Usyskin, Tomas Winkler

From: Alexander Usyskin <alexander.usyskin@intel.com>

commit 7bbbd0845818cffa9fa8ccfe52fa1cad58e7e4f2 upstream.

Add Alder Lake N device ID.

Cc: <stable@vger.kernel.org>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Link: https://lore.kernel.org/r/20220301071115.96145-1-tomas.winkler@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/mei/hw-me-regs.h |    1 +
 drivers/misc/mei/pci-me.c     |    1 +
 2 files changed, 2 insertions(+)

--- a/drivers/misc/mei/hw-me-regs.h
+++ b/drivers/misc/mei/hw-me-regs.h
@@ -107,6 +107,7 @@
 #define MEI_DEV_ID_ADP_S      0x7AE8  /* Alder Lake Point S */
 #define MEI_DEV_ID_ADP_LP     0x7A60  /* Alder Lake Point LP */
 #define MEI_DEV_ID_ADP_P      0x51E0  /* Alder Lake Point P */
+#define MEI_DEV_ID_ADP_N      0x54E0  /* Alder Lake Point N */
 
 /*
  * MEI HW Section
--- a/drivers/misc/mei/pci-me.c
+++ b/drivers/misc/mei/pci-me.c
@@ -113,6 +113,7 @@ static const struct pci_device_id mei_me
 	{MEI_PCI_DEVICE(MEI_DEV_ID_ADP_S, MEI_ME_PCH15_CFG)},
 	{MEI_PCI_DEVICE(MEI_DEV_ID_ADP_LP, MEI_ME_PCH15_CFG)},
 	{MEI_PCI_DEVICE(MEI_DEV_ID_ADP_P, MEI_ME_PCH15_CFG)},
+	{MEI_PCI_DEVICE(MEI_DEV_ID_ADP_N, MEI_ME_PCH15_CFG)},
 
 	/* required last entry */
 	{0, }



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0021/1126] mei: avoid iterator usage outside of list_for_each_entry
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0020/1126] mei: me: add Alder Lake N device id Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0022/1126] bus: mhi: pci_generic: Add mru_default for Quectel EM1xx series Greg Kroah-Hartman
                   ` (968 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Usyskin, Tomas Winkler

From: Alexander Usyskin <alexander.usyskin@intel.com>

commit c10187b1c5ebb8681ca467ab7b0ded5ea415d258 upstream.

Usage of the iterator outside of the list_for_each_entry
is considered harmful. https://lkml.org/lkml/2022/2/17/1032

Do not reference the loop variable outside of the loop,
by rearranging the orders of execution.
Instead of performing search loop and checking outside the loop
if the end of the list was hit and no matching element was found,
the execution is performed inside the loop upon a successful match
followed by a goto statement to the next step,
therefore no condition has to be performed after the loop has ended.

Cc: <stable@vger.kernel.org>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Link: https://lore.kernel.org/r/20220308095926.300412-1-tomas.winkler@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/mei/interrupt.c |   35 +++++++++++++++--------------------
 1 file changed, 15 insertions(+), 20 deletions(-)

--- a/drivers/misc/mei/interrupt.c
+++ b/drivers/misc/mei/interrupt.c
@@ -424,31 +424,26 @@ int mei_irq_read_handler(struct mei_devi
 	list_for_each_entry(cl, &dev->file_list, link) {
 		if (mei_cl_hbm_equal(cl, mei_hdr)) {
 			cl_dbg(dev, cl, "got a message\n");
-			break;
+			ret = mei_cl_irq_read_msg(cl, mei_hdr, meta_hdr, cmpl_list);
+			goto reset_slots;
 		}
 	}
 
 	/* if no recipient cl was found we assume corrupted header */
-	if (&cl->link == &dev->file_list) {
-		/* A message for not connected fixed address clients
-		 * should be silently discarded
-		 * On power down client may be force cleaned,
-		 * silently discard such messages
-		 */
-		if (hdr_is_fixed(mei_hdr) ||
-		    dev->dev_state == MEI_DEV_POWER_DOWN) {
-			mei_irq_discard_msg(dev, mei_hdr, mei_hdr->length);
-			ret = 0;
-			goto reset_slots;
-		}
-		dev_err(dev->dev, "no destination client found 0x%08X\n",
-				dev->rd_msg_hdr[0]);
-		ret = -EBADMSG;
-		goto end;
+	/* A message for not connected fixed address clients
+	 * should be silently discarded
+	 * On power down client may be force cleaned,
+	 * silently discard such messages
+	 */
+	if (hdr_is_fixed(mei_hdr) ||
+	    dev->dev_state == MEI_DEV_POWER_DOWN) {
+		mei_irq_discard_msg(dev, mei_hdr, mei_hdr->length);
+		ret = 0;
+		goto reset_slots;
 	}
-
-	ret = mei_cl_irq_read_msg(cl, mei_hdr, meta_hdr, cmpl_list);
-
+	dev_err(dev->dev, "no destination client found 0x%08X\n", dev->rd_msg_hdr[0]);
+	ret = -EBADMSG;
+	goto end;
 
 reset_slots:
 	/* reset the number of slots and header */



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0022/1126] bus: mhi: pci_generic: Add mru_default for Quectel EM1xx series
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0021/1126] mei: avoid iterator usage outside of list_for_each_entry Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0023/1126] bus: mhi: Fix pm_state conversion to string Greg Kroah-Hartman
                   ` (967 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Manivannan Sadhasivam, Yonglin Tan,
	Manivannan Sadhasivam

From: Yonglin Tan <yonglin.tan@outlook.com>

commit 2413ffbf19a95cfcd7adf63135c5a9343a66d0a2 upstream.

For default mechanism, the driver uses default MRU 3500 if mru_default
is not initialized. The Qualcomm configured the MRU size to 32768 in the
WWAN device FW. So, we align the driver setting with Qualcomm FW setting.

Link: https://lore.kernel.org/r/MEYP282MB2374EE345DADDB591AFDA6AFFD2E9@MEYP282MB2374.AUSP282.PROD.OUTLOOK.COM
Fixes: ac4bf60bbaa0 ("bus: mhi: pci_generic: Introduce quectel EM1XXGR-L support")
Cc: stable@vger.kernel.org
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Yonglin Tan <yonglin.tan@outlook.com>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20220301160308.107452-2-manivannan.sadhasivam@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bus/mhi/pci_generic.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/bus/mhi/pci_generic.c
+++ b/drivers/bus/mhi/pci_generic.c
@@ -327,6 +327,7 @@ static const struct mhi_pci_dev_info mhi
 	.config = &modem_quectel_em1xx_config,
 	.bar_num = MHI_PCI_DEFAULT_BAR_NUM,
 	.dma_data_width = 32,
+	.mru_default = 32768,
 	.sideband_wake = true,
 };
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0023/1126] bus: mhi: Fix pm_state conversion to string
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0022/1126] bus: mhi: pci_generic: Add mru_default for Quectel EM1xx series Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0024/1126] bus: mhi: Fix MHI DMA structure endianness Greg Kroah-Hartman
                   ` (966 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Manivannan Sadhasivam, Hemant Kumar,
	Alex Elder, Paul Davey, Manivannan Sadhasivam

From: Paul Davey <paul.davey@alliedtelesis.co.nz>

commit 64f93a9a27c1970fa8ee5ffc5a6ae2bda477ec5b upstream.

On big endian architectures the mhi debugfs files which report pm state
give "Invalid State" for all states.  This is caused by using
find_last_bit which takes an unsigned long* while the state is passed in
as an enum mhi_pm_state which will be of int size.

Fix by using __fls to pass the value of state instead of find_last_bit.

Also the current API expects "mhi_pm_state" enumerator as the function
argument but the function only works with bitmasks. So as Alex suggested,
let's change the argument to u32 to avoid confusion.

Fixes: a6e2e3522f29 ("bus: mhi: core: Add support for PM state transitions")
Cc: stable@vger.kernel.org
[mani: changed the function argument to u32]
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Hemant Kumar <hemantk@codeaurora.org>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Paul Davey <paul.davey@alliedtelesis.co.nz>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20220301160308.107452-3-manivannan.sadhasivam@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bus/mhi/core/init.c     |   10 ++++++----
 drivers/bus/mhi/core/internal.h |    2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

--- a/drivers/bus/mhi/core/init.c
+++ b/drivers/bus/mhi/core/init.c
@@ -77,12 +77,14 @@ static const char * const mhi_pm_state_s
 	[MHI_PM_STATE_LD_ERR_FATAL_DETECT] = "Linkdown or Error Fatal Detect",
 };
 
-const char *to_mhi_pm_state_str(enum mhi_pm_state state)
+const char *to_mhi_pm_state_str(u32 state)
 {
-	unsigned long pm_state = state;
-	int index = find_last_bit(&pm_state, 32);
+	int index;
 
-	if (index >= ARRAY_SIZE(mhi_pm_state_str))
+	if (state)
+		index = __fls(state);
+
+	if (!state || index >= ARRAY_SIZE(mhi_pm_state_str))
 		return "Invalid State";
 
 	return mhi_pm_state_str[index];
--- a/drivers/bus/mhi/core/internal.h
+++ b/drivers/bus/mhi/core/internal.h
@@ -622,7 +622,7 @@ void mhi_free_bhie_table(struct mhi_cont
 enum mhi_pm_state __must_check mhi_tryset_pm_state(
 					struct mhi_controller *mhi_cntrl,
 					enum mhi_pm_state state);
-const char *to_mhi_pm_state_str(enum mhi_pm_state state);
+const char *to_mhi_pm_state_str(u32 state);
 int mhi_queue_state_transition(struct mhi_controller *mhi_cntrl,
 			       enum dev_st_transition state);
 void mhi_pm_st_worker(struct work_struct *work);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0024/1126] bus: mhi: Fix MHI DMA structure endianness
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0023/1126] bus: mhi: Fix pm_state conversion to string Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0025/1126] docs: sphinx/requirements: Limit jinja2<3.1 Greg Kroah-Hartman
                   ` (965 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Manivannan Sadhasivam, Alex Elder,
	Paul Davey

From: Paul Davey <paul.davey@alliedtelesis.co.nz>

commit ed2d980503235829aa3e0c7ae3b82374c30a081c upstream.

The MHI driver does not work on big endian architectures.  The
controller never transitions into mission mode.  This appears to be due
to the modem device expecting the various contexts and transfer rings to
have fields in little endian order in memory, but the driver constructs
them in native endianness.

Fix MHI event, channel and command contexts and TRE handling macros to
use explicit conversion to little endian.  Mark fields in relevant
structures as little endian to document this requirement.

Fixes: a6e2e3522f29 ("bus: mhi: core: Add support for PM state transitions")
Fixes: 6cd330ae76ff ("bus: mhi: core: Add support for ringing channel/event ring doorbells")
Cc: stable@vger.kernel.org
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Paul Davey <paul.davey@alliedtelesis.co.nz>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20220301160308.107452-4-manivannan.sadhasivam@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bus/mhi/core/debugfs.c  |   26 ++++----
 drivers/bus/mhi/core/init.c     |   36 ++++++------
 drivers/bus/mhi/core/internal.h |  119 ++++++++++++++++++++--------------------
 drivers/bus/mhi/core/main.c     |   22 +++----
 drivers/bus/mhi/core/pm.c       |    4 -
 5 files changed, 104 insertions(+), 103 deletions(-)

--- a/drivers/bus/mhi/core/debugfs.c
+++ b/drivers/bus/mhi/core/debugfs.c
@@ -60,16 +60,16 @@ static int mhi_debugfs_events_show(struc
 		}
 
 		seq_printf(m, "Index: %d intmod count: %lu time: %lu",
-			   i, (er_ctxt->intmod & EV_CTX_INTMODC_MASK) >>
+			   i, (le32_to_cpu(er_ctxt->intmod) & EV_CTX_INTMODC_MASK) >>
 			   EV_CTX_INTMODC_SHIFT,
-			   (er_ctxt->intmod & EV_CTX_INTMODT_MASK) >>
+			   (le32_to_cpu(er_ctxt->intmod) & EV_CTX_INTMODT_MASK) >>
 			   EV_CTX_INTMODT_SHIFT);
 
-		seq_printf(m, " base: 0x%0llx len: 0x%llx", er_ctxt->rbase,
-			   er_ctxt->rlen);
+		seq_printf(m, " base: 0x%0llx len: 0x%llx", le64_to_cpu(er_ctxt->rbase),
+			   le64_to_cpu(er_ctxt->rlen));
 
-		seq_printf(m, " rp: 0x%llx wp: 0x%llx", er_ctxt->rp,
-			   er_ctxt->wp);
+		seq_printf(m, " rp: 0x%llx wp: 0x%llx", le64_to_cpu(er_ctxt->rp),
+			   le64_to_cpu(er_ctxt->wp));
 
 		seq_printf(m, " local rp: 0x%pK db: 0x%pad\n", ring->rp,
 			   &mhi_event->db_cfg.db_val);
@@ -106,18 +106,18 @@ static int mhi_debugfs_channels_show(str
 
 		seq_printf(m,
 			   "%s(%u) state: 0x%lx brstmode: 0x%lx pollcfg: 0x%lx",
-			   mhi_chan->name, mhi_chan->chan, (chan_ctxt->chcfg &
+			   mhi_chan->name, mhi_chan->chan, (le32_to_cpu(chan_ctxt->chcfg) &
 			   CHAN_CTX_CHSTATE_MASK) >> CHAN_CTX_CHSTATE_SHIFT,
-			   (chan_ctxt->chcfg & CHAN_CTX_BRSTMODE_MASK) >>
-			   CHAN_CTX_BRSTMODE_SHIFT, (chan_ctxt->chcfg &
+			   (le32_to_cpu(chan_ctxt->chcfg) & CHAN_CTX_BRSTMODE_MASK) >>
+			   CHAN_CTX_BRSTMODE_SHIFT, (le32_to_cpu(chan_ctxt->chcfg) &
 			   CHAN_CTX_POLLCFG_MASK) >> CHAN_CTX_POLLCFG_SHIFT);
 
-		seq_printf(m, " type: 0x%x event ring: %u", chan_ctxt->chtype,
-			   chan_ctxt->erindex);
+		seq_printf(m, " type: 0x%x event ring: %u", le32_to_cpu(chan_ctxt->chtype),
+			   le32_to_cpu(chan_ctxt->erindex));
 
 		seq_printf(m, " base: 0x%llx len: 0x%llx rp: 0x%llx wp: 0x%llx",
-			   chan_ctxt->rbase, chan_ctxt->rlen, chan_ctxt->rp,
-			   chan_ctxt->wp);
+			   le64_to_cpu(chan_ctxt->rbase), le64_to_cpu(chan_ctxt->rlen),
+			   le64_to_cpu(chan_ctxt->rp), le64_to_cpu(chan_ctxt->wp));
 
 		seq_printf(m, " local rp: 0x%pK local wp: 0x%pK db: 0x%pad\n",
 			   ring->rp, ring->wp,
--- a/drivers/bus/mhi/core/init.c
+++ b/drivers/bus/mhi/core/init.c
@@ -293,17 +293,17 @@ int mhi_init_dev_ctxt(struct mhi_control
 		if (mhi_chan->offload_ch)
 			continue;
 
-		tmp = chan_ctxt->chcfg;
+		tmp = le32_to_cpu(chan_ctxt->chcfg);
 		tmp &= ~CHAN_CTX_CHSTATE_MASK;
 		tmp |= (MHI_CH_STATE_DISABLED << CHAN_CTX_CHSTATE_SHIFT);
 		tmp &= ~CHAN_CTX_BRSTMODE_MASK;
 		tmp |= (mhi_chan->db_cfg.brstmode << CHAN_CTX_BRSTMODE_SHIFT);
 		tmp &= ~CHAN_CTX_POLLCFG_MASK;
 		tmp |= (mhi_chan->db_cfg.pollcfg << CHAN_CTX_POLLCFG_SHIFT);
-		chan_ctxt->chcfg = tmp;
+		chan_ctxt->chcfg = cpu_to_le32(tmp);
 
-		chan_ctxt->chtype = mhi_chan->type;
-		chan_ctxt->erindex = mhi_chan->er_index;
+		chan_ctxt->chtype = cpu_to_le32(mhi_chan->type);
+		chan_ctxt->erindex = cpu_to_le32(mhi_chan->er_index);
 
 		mhi_chan->ch_state = MHI_CH_STATE_DISABLED;
 		mhi_chan->tre_ring.db_addr = (void __iomem *)&chan_ctxt->wp;
@@ -328,14 +328,14 @@ int mhi_init_dev_ctxt(struct mhi_control
 		if (mhi_event->offload_ev)
 			continue;
 
-		tmp = er_ctxt->intmod;
+		tmp = le32_to_cpu(er_ctxt->intmod);
 		tmp &= ~EV_CTX_INTMODC_MASK;
 		tmp &= ~EV_CTX_INTMODT_MASK;
 		tmp |= (mhi_event->intmod << EV_CTX_INTMODT_SHIFT);
-		er_ctxt->intmod = tmp;
+		er_ctxt->intmod = cpu_to_le32(tmp);
 
-		er_ctxt->ertype = MHI_ER_TYPE_VALID;
-		er_ctxt->msivec = mhi_event->irq;
+		er_ctxt->ertype = cpu_to_le32(MHI_ER_TYPE_VALID);
+		er_ctxt->msivec = cpu_to_le32(mhi_event->irq);
 		mhi_event->db_cfg.db_mode = true;
 
 		ring->el_size = sizeof(struct mhi_tre);
@@ -349,9 +349,9 @@ int mhi_init_dev_ctxt(struct mhi_control
 		 * ring is empty
 		 */
 		ring->rp = ring->wp = ring->base;
-		er_ctxt->rbase = ring->iommu_base;
+		er_ctxt->rbase = cpu_to_le64(ring->iommu_base);
 		er_ctxt->rp = er_ctxt->wp = er_ctxt->rbase;
-		er_ctxt->rlen = ring->len;
+		er_ctxt->rlen = cpu_to_le64(ring->len);
 		ring->ctxt_wp = &er_ctxt->wp;
 	}
 
@@ -378,9 +378,9 @@ int mhi_init_dev_ctxt(struct mhi_control
 			goto error_alloc_cmd;
 
 		ring->rp = ring->wp = ring->base;
-		cmd_ctxt->rbase = ring->iommu_base;
+		cmd_ctxt->rbase = cpu_to_le64(ring->iommu_base);
 		cmd_ctxt->rp = cmd_ctxt->wp = cmd_ctxt->rbase;
-		cmd_ctxt->rlen = ring->len;
+		cmd_ctxt->rlen = cpu_to_le64(ring->len);
 		ring->ctxt_wp = &cmd_ctxt->wp;
 	}
 
@@ -581,10 +581,10 @@ void mhi_deinit_chan_ctxt(struct mhi_con
 	chan_ctxt->rp = 0;
 	chan_ctxt->wp = 0;
 
-	tmp = chan_ctxt->chcfg;
+	tmp = le32_to_cpu(chan_ctxt->chcfg);
 	tmp &= ~CHAN_CTX_CHSTATE_MASK;
 	tmp |= (MHI_CH_STATE_DISABLED << CHAN_CTX_CHSTATE_SHIFT);
-	chan_ctxt->chcfg = tmp;
+	chan_ctxt->chcfg = cpu_to_le32(tmp);
 
 	/* Update to all cores */
 	smp_wmb();
@@ -618,14 +618,14 @@ int mhi_init_chan_ctxt(struct mhi_contro
 		return -ENOMEM;
 	}
 
-	tmp = chan_ctxt->chcfg;
+	tmp = le32_to_cpu(chan_ctxt->chcfg);
 	tmp &= ~CHAN_CTX_CHSTATE_MASK;
 	tmp |= (MHI_CH_STATE_ENABLED << CHAN_CTX_CHSTATE_SHIFT);
-	chan_ctxt->chcfg = tmp;
+	chan_ctxt->chcfg = cpu_to_le32(tmp);
 
-	chan_ctxt->rbase = tre_ring->iommu_base;
+	chan_ctxt->rbase = cpu_to_le64(tre_ring->iommu_base);
 	chan_ctxt->rp = chan_ctxt->wp = chan_ctxt->rbase;
-	chan_ctxt->rlen = tre_ring->len;
+	chan_ctxt->rlen = cpu_to_le64(tre_ring->len);
 	tre_ring->ctxt_wp = &chan_ctxt->wp;
 
 	tre_ring->rp = tre_ring->wp = tre_ring->base;
--- a/drivers/bus/mhi/core/internal.h
+++ b/drivers/bus/mhi/core/internal.h
@@ -209,14 +209,14 @@ extern struct bus_type mhi_bus_type;
 #define EV_CTX_INTMODT_MASK GENMASK(31, 16)
 #define EV_CTX_INTMODT_SHIFT 16
 struct mhi_event_ctxt {
-	__u32 intmod;
-	__u32 ertype;
-	__u32 msivec;
-
-	__u64 rbase __packed __aligned(4);
-	__u64 rlen __packed __aligned(4);
-	__u64 rp __packed __aligned(4);
-	__u64 wp __packed __aligned(4);
+	__le32 intmod;
+	__le32 ertype;
+	__le32 msivec;
+
+	__le64 rbase __packed __aligned(4);
+	__le64 rlen __packed __aligned(4);
+	__le64 rp __packed __aligned(4);
+	__le64 wp __packed __aligned(4);
 };
 
 #define CHAN_CTX_CHSTATE_MASK GENMASK(7, 0)
@@ -227,25 +227,25 @@ struct mhi_event_ctxt {
 #define CHAN_CTX_POLLCFG_SHIFT 10
 #define CHAN_CTX_RESERVED_MASK GENMASK(31, 16)
 struct mhi_chan_ctxt {
-	__u32 chcfg;
-	__u32 chtype;
-	__u32 erindex;
-
-	__u64 rbase __packed __aligned(4);
-	__u64 rlen __packed __aligned(4);
-	__u64 rp __packed __aligned(4);
-	__u64 wp __packed __aligned(4);
+	__le32 chcfg;
+	__le32 chtype;
+	__le32 erindex;
+
+	__le64 rbase __packed __aligned(4);
+	__le64 rlen __packed __aligned(4);
+	__le64 rp __packed __aligned(4);
+	__le64 wp __packed __aligned(4);
 };
 
 struct mhi_cmd_ctxt {
-	__u32 reserved0;
-	__u32 reserved1;
-	__u32 reserved2;
-
-	__u64 rbase __packed __aligned(4);
-	__u64 rlen __packed __aligned(4);
-	__u64 rp __packed __aligned(4);
-	__u64 wp __packed __aligned(4);
+	__le32 reserved0;
+	__le32 reserved1;
+	__le32 reserved2;
+
+	__le64 rbase __packed __aligned(4);
+	__le64 rlen __packed __aligned(4);
+	__le64 rp __packed __aligned(4);
+	__le64 wp __packed __aligned(4);
 };
 
 struct mhi_ctxt {
@@ -258,8 +258,8 @@ struct mhi_ctxt {
 };
 
 struct mhi_tre {
-	u64 ptr;
-	u32 dword[2];
+	__le64 ptr;
+	__le32 dword[2];
 };
 
 struct bhi_vec_entry {
@@ -277,57 +277,58 @@ enum mhi_cmd_type {
 /* No operation command */
 #define MHI_TRE_CMD_NOOP_PTR (0)
 #define MHI_TRE_CMD_NOOP_DWORD0 (0)
-#define MHI_TRE_CMD_NOOP_DWORD1 (MHI_CMD_NOP << 16)
+#define MHI_TRE_CMD_NOOP_DWORD1 (cpu_to_le32(MHI_CMD_NOP << 16))
 
 /* Channel reset command */
 #define MHI_TRE_CMD_RESET_PTR (0)
 #define MHI_TRE_CMD_RESET_DWORD0 (0)
-#define MHI_TRE_CMD_RESET_DWORD1(chid) ((chid << 24) | \
-					(MHI_CMD_RESET_CHAN << 16))
+#define MHI_TRE_CMD_RESET_DWORD1(chid) (cpu_to_le32((chid << 24) | \
+					(MHI_CMD_RESET_CHAN << 16)))
 
 /* Channel stop command */
 #define MHI_TRE_CMD_STOP_PTR (0)
 #define MHI_TRE_CMD_STOP_DWORD0 (0)
-#define MHI_TRE_CMD_STOP_DWORD1(chid) ((chid << 24) | \
-				       (MHI_CMD_STOP_CHAN << 16))
+#define MHI_TRE_CMD_STOP_DWORD1(chid) (cpu_to_le32((chid << 24) | \
+				       (MHI_CMD_STOP_CHAN << 16)))
 
 /* Channel start command */
 #define MHI_TRE_CMD_START_PTR (0)
 #define MHI_TRE_CMD_START_DWORD0 (0)
-#define MHI_TRE_CMD_START_DWORD1(chid) ((chid << 24) | \
-					(MHI_CMD_START_CHAN << 16))
+#define MHI_TRE_CMD_START_DWORD1(chid) (cpu_to_le32((chid << 24) | \
+					(MHI_CMD_START_CHAN << 16)))
 
-#define MHI_TRE_GET_CMD_CHID(tre) (((tre)->dword[1] >> 24) & 0xFF)
-#define MHI_TRE_GET_CMD_TYPE(tre) (((tre)->dword[1] >> 16) & 0xFF)
+#define MHI_TRE_GET_DWORD(tre, word) (le32_to_cpu((tre)->dword[(word)]))
+#define MHI_TRE_GET_CMD_CHID(tre) ((MHI_TRE_GET_DWORD(tre, 1) >> 24) & 0xFF)
+#define MHI_TRE_GET_CMD_TYPE(tre) ((MHI_TRE_GET_DWORD(tre, 1) >> 16) & 0xFF)
 
 /* Event descriptor macros */
-#define MHI_TRE_EV_PTR(ptr) (ptr)
-#define MHI_TRE_EV_DWORD0(code, len) ((code << 24) | len)
-#define MHI_TRE_EV_DWORD1(chid, type) ((chid << 24) | (type << 16))
-#define MHI_TRE_GET_EV_PTR(tre) ((tre)->ptr)
-#define MHI_TRE_GET_EV_CODE(tre) (((tre)->dword[0] >> 24) & 0xFF)
-#define MHI_TRE_GET_EV_LEN(tre) ((tre)->dword[0] & 0xFFFF)
-#define MHI_TRE_GET_EV_CHID(tre) (((tre)->dword[1] >> 24) & 0xFF)
-#define MHI_TRE_GET_EV_TYPE(tre) (((tre)->dword[1] >> 16) & 0xFF)
-#define MHI_TRE_GET_EV_STATE(tre) (((tre)->dword[0] >> 24) & 0xFF)
-#define MHI_TRE_GET_EV_EXECENV(tre) (((tre)->dword[0] >> 24) & 0xFF)
-#define MHI_TRE_GET_EV_SEQ(tre) ((tre)->dword[0])
-#define MHI_TRE_GET_EV_TIME(tre) ((tre)->ptr)
-#define MHI_TRE_GET_EV_COOKIE(tre) lower_32_bits((tre)->ptr)
-#define MHI_TRE_GET_EV_VEID(tre) (((tre)->dword[0] >> 16) & 0xFF)
-#define MHI_TRE_GET_EV_LINKSPEED(tre) (((tre)->dword[1] >> 24) & 0xFF)
-#define MHI_TRE_GET_EV_LINKWIDTH(tre) ((tre)->dword[0] & 0xFF)
+#define MHI_TRE_EV_PTR(ptr) (cpu_to_le64(ptr))
+#define MHI_TRE_EV_DWORD0(code, len) (cpu_to_le32((code << 24) | len))
+#define MHI_TRE_EV_DWORD1(chid, type) (cpu_to_le32((chid << 24) | (type << 16)))
+#define MHI_TRE_GET_EV_PTR(tre) (le64_to_cpu((tre)->ptr))
+#define MHI_TRE_GET_EV_CODE(tre) ((MHI_TRE_GET_DWORD(tre, 0) >> 24) & 0xFF)
+#define MHI_TRE_GET_EV_LEN(tre) (MHI_TRE_GET_DWORD(tre, 0) & 0xFFFF)
+#define MHI_TRE_GET_EV_CHID(tre) ((MHI_TRE_GET_DWORD(tre, 1) >> 24) & 0xFF)
+#define MHI_TRE_GET_EV_TYPE(tre) ((MHI_TRE_GET_DWORD(tre, 1) >> 16) & 0xFF)
+#define MHI_TRE_GET_EV_STATE(tre) ((MHI_TRE_GET_DWORD(tre, 0) >> 24) & 0xFF)
+#define MHI_TRE_GET_EV_EXECENV(tre) ((MHI_TRE_GET_DWORD(tre, 0) >> 24) & 0xFF)
+#define MHI_TRE_GET_EV_SEQ(tre) MHI_TRE_GET_DWORD(tre, 0)
+#define MHI_TRE_GET_EV_TIME(tre) (MHI_TRE_GET_EV_PTR(tre))
+#define MHI_TRE_GET_EV_COOKIE(tre) lower_32_bits(MHI_TRE_GET_EV_PTR(tre))
+#define MHI_TRE_GET_EV_VEID(tre) ((MHI_TRE_GET_DWORD(tre, 0) >> 16) & 0xFF)
+#define MHI_TRE_GET_EV_LINKSPEED(tre) ((MHI_TRE_GET_DWORD(tre, 1) >> 24) & 0xFF)
+#define MHI_TRE_GET_EV_LINKWIDTH(tre) (MHI_TRE_GET_DWORD(tre, 0) & 0xFF)
 
 /* Transfer descriptor macros */
-#define MHI_TRE_DATA_PTR(ptr) (ptr)
-#define MHI_TRE_DATA_DWORD0(len) (len & MHI_MAX_MTU)
-#define MHI_TRE_DATA_DWORD1(bei, ieot, ieob, chain) ((2 << 16) | (bei << 10) \
-	| (ieot << 9) | (ieob << 8) | chain)
+#define MHI_TRE_DATA_PTR(ptr) (cpu_to_le64(ptr))
+#define MHI_TRE_DATA_DWORD0(len) (cpu_to_le32(len & MHI_MAX_MTU))
+#define MHI_TRE_DATA_DWORD1(bei, ieot, ieob, chain) (cpu_to_le32((2 << 16) | (bei << 10) \
+	| (ieot << 9) | (ieob << 8) | chain))
 
 /* RSC transfer descriptor macros */
-#define MHI_RSCTRE_DATA_PTR(ptr, len) (((u64)len << 48) | ptr)
-#define MHI_RSCTRE_DATA_DWORD0(cookie) (cookie)
-#define MHI_RSCTRE_DATA_DWORD1 (MHI_PKT_TYPE_COALESCING << 16)
+#define MHI_RSCTRE_DATA_PTR(ptr, len) (cpu_to_le64(((u64)len << 48) | ptr))
+#define MHI_RSCTRE_DATA_DWORD0(cookie) (cpu_to_le32(cookie))
+#define MHI_RSCTRE_DATA_DWORD1 (cpu_to_le32(MHI_PKT_TYPE_COALESCING << 16))
 
 enum mhi_pkt_type {
 	MHI_PKT_TYPE_INVALID = 0x0,
@@ -500,7 +501,7 @@ struct state_transition {
 struct mhi_ring {
 	dma_addr_t dma_handle;
 	dma_addr_t iommu_base;
-	u64 *ctxt_wp; /* point to ctxt wp */
+	__le64 *ctxt_wp; /* point to ctxt wp */
 	void *pre_aligned;
 	void *base;
 	void *rp;
--- a/drivers/bus/mhi/core/main.c
+++ b/drivers/bus/mhi/core/main.c
@@ -114,7 +114,7 @@ void mhi_ring_er_db(struct mhi_event *mh
 	struct mhi_ring *ring = &mhi_event->ring;
 
 	mhi_event->db_cfg.process_db(mhi_event->mhi_cntrl, &mhi_event->db_cfg,
-				     ring->db_addr, *ring->ctxt_wp);
+				     ring->db_addr, le64_to_cpu(*ring->ctxt_wp));
 }
 
 void mhi_ring_cmd_db(struct mhi_controller *mhi_cntrl, struct mhi_cmd *mhi_cmd)
@@ -123,7 +123,7 @@ void mhi_ring_cmd_db(struct mhi_controll
 	struct mhi_ring *ring = &mhi_cmd->ring;
 
 	db = ring->iommu_base + (ring->wp - ring->base);
-	*ring->ctxt_wp = db;
+	*ring->ctxt_wp = cpu_to_le64(db);
 	mhi_write_db(mhi_cntrl, ring->db_addr, db);
 }
 
@@ -140,7 +140,7 @@ void mhi_ring_chan_db(struct mhi_control
 	 * before letting h/w know there is new element to fetch.
 	 */
 	dma_wmb();
-	*ring->ctxt_wp = db;
+	*ring->ctxt_wp = cpu_to_le64(db);
 
 	mhi_chan->db_cfg.process_db(mhi_cntrl, &mhi_chan->db_cfg,
 				    ring->db_addr, db);
@@ -432,7 +432,7 @@ irqreturn_t mhi_irq_handler(int irq_numb
 	struct mhi_event_ctxt *er_ctxt =
 		&mhi_cntrl->mhi_ctxt->er_ctxt[mhi_event->er_index];
 	struct mhi_ring *ev_ring = &mhi_event->ring;
-	dma_addr_t ptr = er_ctxt->rp;
+	dma_addr_t ptr = le64_to_cpu(er_ctxt->rp);
 	void *dev_rp;
 
 	if (!is_valid_ring_ptr(ev_ring, ptr)) {
@@ -537,14 +537,14 @@ static void mhi_recycle_ev_ring_element(
 
 	/* Update the WP */
 	ring->wp += ring->el_size;
-	ctxt_wp = *ring->ctxt_wp + ring->el_size;
+	ctxt_wp = le64_to_cpu(*ring->ctxt_wp) + ring->el_size;
 
 	if (ring->wp >= (ring->base + ring->len)) {
 		ring->wp = ring->base;
 		ctxt_wp = ring->iommu_base;
 	}
 
-	*ring->ctxt_wp = ctxt_wp;
+	*ring->ctxt_wp = cpu_to_le64(ctxt_wp);
 
 	/* Update the RP */
 	ring->rp += ring->el_size;
@@ -801,7 +801,7 @@ int mhi_process_ctrl_ev_ring(struct mhi_
 	struct device *dev = &mhi_cntrl->mhi_dev->dev;
 	u32 chan;
 	int count = 0;
-	dma_addr_t ptr = er_ctxt->rp;
+	dma_addr_t ptr = le64_to_cpu(er_ctxt->rp);
 
 	/*
 	 * This is a quick check to avoid unnecessary event processing
@@ -940,7 +940,7 @@ int mhi_process_ctrl_ev_ring(struct mhi_
 		mhi_recycle_ev_ring_element(mhi_cntrl, ev_ring);
 		local_rp = ev_ring->rp;
 
-		ptr = er_ctxt->rp;
+		ptr = le64_to_cpu(er_ctxt->rp);
 		if (!is_valid_ring_ptr(ev_ring, ptr)) {
 			dev_err(&mhi_cntrl->mhi_dev->dev,
 				"Event ring rp points outside of the event ring\n");
@@ -970,7 +970,7 @@ int mhi_process_data_event_ring(struct m
 	int count = 0;
 	u32 chan;
 	struct mhi_chan *mhi_chan;
-	dma_addr_t ptr = er_ctxt->rp;
+	dma_addr_t ptr = le64_to_cpu(er_ctxt->rp);
 
 	if (unlikely(MHI_EVENT_ACCESS_INVALID(mhi_cntrl->pm_state)))
 		return -EIO;
@@ -1011,7 +1011,7 @@ int mhi_process_data_event_ring(struct m
 		mhi_recycle_ev_ring_element(mhi_cntrl, ev_ring);
 		local_rp = ev_ring->rp;
 
-		ptr = er_ctxt->rp;
+		ptr = le64_to_cpu(er_ctxt->rp);
 		if (!is_valid_ring_ptr(ev_ring, ptr)) {
 			dev_err(&mhi_cntrl->mhi_dev->dev,
 				"Event ring rp points outside of the event ring\n");
@@ -1533,7 +1533,7 @@ static void mhi_mark_stale_events(struct
 	/* mark all stale events related to channel as STALE event */
 	spin_lock_irqsave(&mhi_event->lock, flags);
 
-	ptr = er_ctxt->rp;
+	ptr = le64_to_cpu(er_ctxt->rp);
 	if (!is_valid_ring_ptr(ev_ring, ptr)) {
 		dev_err(&mhi_cntrl->mhi_dev->dev,
 			"Event ring rp points outside of the event ring\n");
--- a/drivers/bus/mhi/core/pm.c
+++ b/drivers/bus/mhi/core/pm.c
@@ -218,7 +218,7 @@ int mhi_ready_state_transition(struct mh
 			continue;
 
 		ring->wp = ring->base + ring->len - ring->el_size;
-		*ring->ctxt_wp = ring->iommu_base + ring->len - ring->el_size;
+		*ring->ctxt_wp = cpu_to_le64(ring->iommu_base + ring->len - ring->el_size);
 		/* Update all cores */
 		smp_wmb();
 
@@ -420,7 +420,7 @@ static int mhi_pm_mission_mode_transitio
 			continue;
 
 		ring->wp = ring->base + ring->len - ring->el_size;
-		*ring->ctxt_wp = ring->iommu_base + ring->len - ring->el_size;
+		*ring->ctxt_wp = cpu_to_le64(ring->iommu_base + ring->len - ring->el_size);
 		/* Update to all cores */
 		smp_wmb();
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0025/1126] docs: sphinx/requirements: Limit jinja2<3.1
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0024/1126] bus: mhi: Fix MHI DMA structure endianness Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0026/1126] coresight: Fix TRCCONFIGR.QE sysfs interface Greg Kroah-Hartman
                   ` (964 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Akira Yokosawa,
	Mauro Carvalho Chehab, Jonathan Corbet

From: Akira Yokosawa <akiyks@gmail.com>

commit be78837ca3c88eebd405103a7a2ce891c466b0db upstream.

jinja2 release 3.1.0 (March 24, 2022) broke Sphinx<4.0.
This looks like the result of deprecating Python 3.6.
It has been tested against Sphinx 4.3.0 and later.

Setting an upper limit of <3.1 to junja2 can unbreak Sphinx<4.0
including Sphinx 2.4.4.

Signed-off-by: Akira Yokosawa <akiyks@gmail.com>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: stable@vger.kernel.org # v5.15+
Link: https://lore.kernel.org/r/7dbff8a0-f4ff-34a0-71c7-1987baf471f9@gmail.com
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/sphinx/requirements.txt |    2 ++
 1 file changed, 2 insertions(+)

--- a/Documentation/sphinx/requirements.txt
+++ b/Documentation/sphinx/requirements.txt
@@ -1,2 +1,4 @@
+# jinja2>=3.1 is not compatible with Sphinx<4.0
+jinja2<3.1
 sphinx_rtd_theme
 Sphinx==2.4.4



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0026/1126] coresight: Fix TRCCONFIGR.QE sysfs interface
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0025/1126] docs: sphinx/requirements: Limit jinja2<3.1 Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0027/1126] coresight: syscfg: Fix memleak on registration failure in cscfg_create_device Greg Kroah-Hartman
                   ` (963 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James Clark, Mike Leach,
	Mathieu Poirier, Suzuki K Poulose

From: James Clark <james.clark@arm.com>

commit ea75a342aed5ed72c87f38fbe0df2f5df7eae374 upstream.

It's impossible to program a valid value for TRCCONFIGR.QE
when TRCIDR0.QSUPP==0b10. In that case the following is true:

  Q element support is implemented, and only supports Q elements without
  instruction counts. TRCCONFIGR.QE can only take the values 0b00 or 0b11.

Currently the low bit of QSUPP is checked to see if the low bit of QE can
be written to, but as you can see when QSUPP==0b10 the low bit is cleared
making it impossible to ever write the only valid value of 0b11 to QE.
0b10 would be written instead, which is a reserved QE value even for all
values of QSUPP.

The fix is to allow writing the low bit of QE for any non zero value of
QSUPP.

This change also ensures that the low bit is always set, even when the
user attempts to only set the high bit.

Signed-off-by: James Clark <james.clark@arm.com>
Reviewed-by: Mike Leach <mike.leach@linaro.org>
Fixes: d8c66962084f ("coresight-etm4x: Controls pertaining to the reset, mode, pe and events")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220120113047.2839622-2-james.clark@arm.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwtracing/coresight/coresight-etm4x-sysfs.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
+++ b/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
@@ -367,8 +367,12 @@ static ssize_t mode_store(struct device
 	mode = ETM_MODE_QELEM(config->mode);
 	/* start by clearing QE bits */
 	config->cfg &= ~(BIT(13) | BIT(14));
-	/* if supported, Q elements with instruction counts are enabled */
-	if ((mode & BIT(0)) && (drvdata->q_support & BIT(0)))
+	/*
+	 * if supported, Q elements with instruction counts are enabled.
+	 * Always set the low bit for any requested mode. Valid combos are
+	 * 0b00, 0b01 and 0b11.
+	 */
+	if (mode && drvdata->q_support)
 		config->cfg |= BIT(13);
 	/*
 	 * if supported, Q elements with and without instruction



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0027/1126] coresight: syscfg: Fix memleak on registration failure in cscfg_create_device
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0026/1126] coresight: Fix TRCCONFIGR.QE sysfs interface Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0028/1126] dt-bindings: iio: adc: zynqmp_ams: Add clock entry Greg Kroah-Hartman
                   ` (962 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaoqian Lin, Mathieu Poirier,
	Suzuki K Poulose

From: Miaoqian Lin <linmq006@gmail.com>

commit cfa5dbcdd7aece76f3415284569f2f384aff0253 upstream.

device_register() calls device_initialize(),
according to doc of device_initialize:

    Use put_device() to give up your reference instead of freeing
    * @dev directly once you have called this function.

To prevent potential memleak, use put_device() for error handling.

Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Fixes: 85e2414c518a ("coresight: syscfg: Initial coresight system configuration")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220124124121.8888-1-linmq006@gmail.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwtracing/coresight/coresight-syscfg.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hwtracing/coresight/coresight-syscfg.c
+++ b/drivers/hwtracing/coresight/coresight-syscfg.c
@@ -1049,7 +1049,7 @@ static int cscfg_create_device(void)
 
 	err = device_register(dev);
 	if (err)
-		cscfg_dev_release(dev);
+		put_device(dev);
 
 create_dev_exit_unlock:
 	mutex_unlock(&cscfg_mutex);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0028/1126] dt-bindings: iio: adc: zynqmp_ams: Add clock entry
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0027/1126] coresight: syscfg: Fix memleak on registration failure in cscfg_create_device Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0029/1126] iio: adc: xilinx-ams: Fix single channel switching sequence Greg Kroah-Hartman
                   ` (961 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Robert Hancock, Rob Herring,
	Michal Simek, Stable, Jonathan Cameron

From: Robert Hancock <robert.hancock@calian.com>

commit 5165102efa41c2aedc77441612f4506a8a8671db upstream.

The AMS driver DT binding was missing the clock entry, which is actually
mandatory according to the driver implementation. Add this in.

Fixes: 39dd2d1e251d ("dt-bindings: iio: adc: Add Xilinx AMS binding documentation")
Signed-off-by: Robert Hancock <robert.hancock@calian.com>
Reviewed-by: Rob Herring <robh@kernel.org>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Link: https://lore.kernel.org/r/20220127173450.3684318-2-robert.hancock@calian.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/devicetree/bindings/iio/adc/xlnx,zynqmp-ams.yaml |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/Documentation/devicetree/bindings/iio/adc/xlnx,zynqmp-ams.yaml
+++ b/Documentation/devicetree/bindings/iio/adc/xlnx,zynqmp-ams.yaml
@@ -92,6 +92,10 @@ properties:
     description: AMS Controller register space
     maxItems: 1
 
+  clocks:
+    items:
+      - description: AMS reference clock
+
   ranges:
     description:
       Maps the child address space for PS and/or PL.
@@ -181,12 +185,15 @@ properties:
 required:
   - compatible
   - reg
+  - clocks
   - ranges
 
 additionalProperties: false
 
 examples:
   - |
+    #include <dt-bindings/clock/xlnx-zynqmp-clk.h>
+
     bus {
         #address-cells = <2>;
         #size-cells = <2>;
@@ -196,6 +203,7 @@ examples:
             interrupt-parent = <&gic>;
             interrupts = <0 56 4>;
             reg = <0x0 0xffa50000 0x0 0x800>;
+            clocks = <&zynqmp_clk AMS_REF>;
             #address-cells = <1>;
             #size-cells = <1>;
             #io-channel-cells = <1>;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0029/1126] iio: adc: xilinx-ams: Fix single channel switching sequence
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0028/1126] dt-bindings: iio: adc: zynqmp_ams: Add clock entry Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0030/1126] iio: accel: mma8452: use the correct logic to get mma8452_data Greg Kroah-Hartman
                   ` (960 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Robert Hancock, Michal Simek, Stable,
	Jonathan Cameron

From: Robert Hancock <robert.hancock@calian.com>

commit 0bf126163c3e7e6d722622073046aed567a5551e upstream.

Some of the AMS channels need to be read by switching into single-channel
mode from the normal polling sequence. There was a logic issue in this
switching code that could cause the first read of these channels to read
back as zero.

It appears that the sequencer should be set back to default mode before
changing the channel selection, and the channel should be set before
switching the sequencer back into single-channel mode.

Also, write 1 to the EOC bit in the status register to clear it before
waiting for it to become set, so that we actually wait for a new
conversion to complete, and don't proceed based on a previous conversion
completing.

Fixes: d5c70627a794 ("iio: adc: Add Xilinx AMS driver")
Signed-off-by: Robert Hancock <robert.hancock@calian.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Link: https://lore.kernel.org/r/20220127173450.3684318-5-robert.hancock@calian.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/xilinx-ams.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/iio/adc/xilinx-ams.c
+++ b/drivers/iio/adc/xilinx-ams.c
@@ -530,14 +530,18 @@ static int ams_enable_single_channel(str
 		return -EINVAL;
 	}
 
-	/* set single channel, sequencer off mode */
+	/* put sysmon in a soft reset to change the sequence */
 	ams_ps_update_reg(ams, AMS_REG_CONFIG1, AMS_CONF1_SEQ_MASK,
-			  AMS_CONF1_SEQ_SINGLE_CHANNEL);
+			  AMS_CONF1_SEQ_DEFAULT);
 
 	/* write the channel number */
 	ams_ps_update_reg(ams, AMS_REG_CONFIG0, AMS_CONF0_CHANNEL_NUM_MASK,
 			  channel_num);
 
+	/* set single channel, sequencer off mode */
+	ams_ps_update_reg(ams, AMS_REG_CONFIG1, AMS_CONF1_SEQ_MASK,
+			  AMS_CONF1_SEQ_SINGLE_CHANNEL);
+
 	return 0;
 }
 
@@ -551,6 +555,8 @@ static int ams_read_vcc_reg(struct ams *
 	if (ret)
 		return ret;
 
+	/* clear end-of-conversion flag, wait for next conversion to complete */
+	writel(expect, ams->base + AMS_ISR_1);
 	ret = readl_poll_timeout(ams->base + AMS_ISR_1, reg, (reg & expect),
 				 AMS_INIT_POLL_TIME_US, AMS_INIT_TIMEOUT_US);
 	if (ret)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0030/1126] iio: accel: mma8452: use the correct logic to get mma8452_data
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0029/1126] iio: adc: xilinx-ams: Fix single channel switching sequence Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0031/1126] iio: adc: aspeed: Add divider flag to fix incorrect voltage reading Greg Kroah-Hartman
                   ` (959 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Haibo Chen, Martin Kepplinger,
	Stable, Jonathan Cameron

From: Haibo Chen <haibo.chen@nxp.com>

commit c87b7b12f48db86ac9909894f4dc0107d7df6375 upstream.

The original logic to get mma8452_data is wrong, the *dev point to
the device belong to iio_dev. we can't use this dev to find the
correct i2c_client. The original logic happen to work because it
finally use dev->driver_data to get iio_dev. Here use the API
to_i2c_client() is wrong and make reader confuse. To correct the
logic, it should be like this

  struct mma8452_data *data = iio_priv(dev_get_drvdata(dev));

But after commit 8b7651f25962 ("iio: iio_device_alloc(): Remove
unnecessary self drvdata"), the upper logic also can't work.
When try to show the avialable scale in userspace, will meet kernel
dump, kernel handle NULL pointer dereference.

So use dev_to_iio_dev() to correct the logic.

Dual fixes tags as the second reflects when the bug was exposed, whilst
the first reflects when the original bug was introduced.

Fixes: c3cdd6e48e35 ("iio: mma8452: refactor for seperating chip specific data")
Fixes: 8b7651f25962 ("iio: iio_device_alloc(): Remove unnecessary self drvdata")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Reviewed-by: Martin Kepplinger <martink@posteo.de>
Cc: <Stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1645497741-5402-1-git-send-email-haibo.chen@nxp.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/accel/mma8452.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/accel/mma8452.c
+++ b/drivers/iio/accel/mma8452.c
@@ -379,8 +379,8 @@ static ssize_t mma8452_show_scale_avail(
 					struct device_attribute *attr,
 					char *buf)
 {
-	struct mma8452_data *data = iio_priv(i2c_get_clientdata(
-					     to_i2c_client(dev)));
+	struct iio_dev *indio_dev = dev_to_iio_dev(dev);
+	struct mma8452_data *data = iio_priv(indio_dev);
 
 	return mma8452_show_int_plus_micros(buf, data->chip_info->mma_scales,
 		ARRAY_SIZE(data->chip_info->mma_scales));



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0031/1126] iio: adc: aspeed: Add divider flag to fix incorrect voltage reading.
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0030/1126] iio: accel: mma8452: use the correct logic to get mma8452_data Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0032/1126] iio: imu: st_lsm6dsx: use dev_to_iio_dev() to get iio_dev struct Greg Kroah-Hartman
                   ` (958 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Konstantin Klubnichkin, Billy Tsai,
	Joel Stanley, Stable, Jonathan Cameron

From: Billy Tsai <billy_tsai@aspeedtech.com>

commit 571426631acf46e2999c7ecd1e9d048172969a43 upstream.

The formula for the ADC sampling period in ast2400/ast2500 is:
ADC clock period = PCLK * 2 * (ADC0C[31:17] + 1) * (ADC0C[9:0])
When ADC0C[9:0] is set to 0 the sampling voltage will be lower than
expected, because the hardware may not have enough time to
charge/discharge to a stable voltage. This patch use the flag
CLK_DIVIDER_ONE_BASED which will use the raw value read from the
register, with the value of zero considered invalid to conform to the
corrected formula.

Fixes: 573803234e72 ("iio: Aspeed ADC")
Reported-by: Konstantin Klubnichkin <kitsok@yandex-team.ru>
Signed-off-by: Billy Tsai <billy_tsai@aspeedtech.com>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Link: https://lore.kernel.org/r/20220221012705.22008-1-billy_tsai@aspeedtech.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/aspeed_adc.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/iio/adc/aspeed_adc.c
+++ b/drivers/iio/adc/aspeed_adc.c
@@ -539,7 +539,9 @@ static int aspeed_adc_probe(struct platf
 	data->clk_scaler = devm_clk_hw_register_divider(
 		&pdev->dev, clk_name, clk_parent_name, scaler_flags,
 		data->base + ASPEED_REG_CLOCK_CONTROL, 0,
-		data->model_data->scaler_bit_width, 0, &data->clk_lock);
+		data->model_data->scaler_bit_width,
+		data->model_data->need_prescaler ? CLK_DIVIDER_ONE_BASED : 0,
+		&data->clk_lock);
 	if (IS_ERR(data->clk_scaler))
 		return PTR_ERR(data->clk_scaler);
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0032/1126] iio: imu: st_lsm6dsx: use dev_to_iio_dev() to get iio_dev struct
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0031/1126] iio: adc: aspeed: Add divider flag to fix incorrect voltage reading Greg Kroah-Hartman
@ 2022-04-05  7:12 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0033/1126] iio: afe: rescale: use s64 for temporary scale calculations Greg Kroah-Hartman
                   ` (957 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Haibo Chen, Stable, Jonathan Cameron

From: Haibo Chen <haibo.chen@nxp.com>

commit 6270bf1f0197739a9cddaf0a40699a99b7357cb5 upstream.

dev_get_drvdata() on iio_dev->dev no longer returns the iio_dev.
Use dev_to_iio_dev() to get iio_dev struct.

Fixes: 8b7651f25962 ("iio: iio_device_alloc(): Remove unnecessary self drvdata")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Link: https://lore.kernel.org/r/1645702191-9400-1-git-send-email-haibo.chen@nxp.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
@@ -1633,7 +1633,7 @@ st_lsm6dsx_sysfs_sampling_frequency_avai
 					  struct device_attribute *attr,
 					  char *buf)
 {
-	struct st_lsm6dsx_sensor *sensor = iio_priv(dev_get_drvdata(dev));
+	struct st_lsm6dsx_sensor *sensor = iio_priv(dev_to_iio_dev(dev));
 	const struct st_lsm6dsx_odr_table_entry *odr_table;
 	int i, len = 0;
 
@@ -1651,7 +1651,7 @@ static ssize_t st_lsm6dsx_sysfs_scale_av
 					    struct device_attribute *attr,
 					    char *buf)
 {
-	struct st_lsm6dsx_sensor *sensor = iio_priv(dev_get_drvdata(dev));
+	struct st_lsm6dsx_sensor *sensor = iio_priv(dev_to_iio_dev(dev));
 	const struct st_lsm6dsx_fs_table_entry *fs_table;
 	struct st_lsm6dsx_hw *hw = sensor->hw;
 	int i, len = 0;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0033/1126] iio: afe: rescale: use s64 for temporary scale calculations
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2022-04-05  7:12 ` [PATCH 5.17 0032/1126] iio: imu: st_lsm6dsx: use dev_to_iio_dev() to get iio_dev struct Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0034/1126] iio: adc: xilinx-ams: Fixed missing PS channels Greg Kroah-Hartman
                   ` (956 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Liam Beguin, Peter Rosin,
	Andy Shevchenko, Stable, Jonathan Cameron

From: Liam Beguin <liambeguin@gmail.com>

commit 51593106b608ae4247cc8da928813347da16d025 upstream.

All four scaling coefficients can take signed values.
Make tmp a signed 64-bit integer and switch to div_s64() to preserve
signs during 64-bit divisions.

Fixes: 8b74816b5a9a ("iio: afe: rescale: new driver")
Signed-off-by: Liam Beguin <liambeguin@gmail.com>
Reviewed-by: Peter Rosin <peda@axentia.se>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20220108205319.2046348-5-liambeguin@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/afe/iio-rescale.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/iio/afe/iio-rescale.c
+++ b/drivers/iio/afe/iio-rescale.c
@@ -39,7 +39,7 @@ static int rescale_read_raw(struct iio_d
 			    int *val, int *val2, long mask)
 {
 	struct rescale *rescale = iio_priv(indio_dev);
-	unsigned long long tmp;
+	s64 tmp;
 	int ret;
 
 	switch (mask) {
@@ -77,10 +77,10 @@ static int rescale_read_raw(struct iio_d
 			*val2 = rescale->denominator;
 			return IIO_VAL_FRACTIONAL;
 		case IIO_VAL_FRACTIONAL_LOG2:
-			tmp = *val * 1000000000LL;
-			do_div(tmp, rescale->denominator);
+			tmp = (s64)*val * 1000000000LL;
+			tmp = div_s64(tmp, rescale->denominator);
 			tmp *= rescale->numerator;
-			do_div(tmp, 1000000000LL);
+			tmp = div_s64(tmp, 1000000000LL);
 			*val = tmp;
 			return ret;
 		default:



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0034/1126] iio: adc: xilinx-ams: Fixed missing PS channels
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0033/1126] iio: afe: rescale: use s64 for temporary scale calculations Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0035/1126] iio: adc: xilinx-ams: Fixed wrong sequencer register settings Greg Kroah-Hartman
                   ` (955 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Robert Hancock, Michael Tretter,
	Michal Simek, Stable, Jonathan Cameron

From: Robert Hancock <robert.hancock@calian.com>

commit 1f21a41578062d439cc485bce2d8b664f9a6170e upstream.

The code forgot to increment num_channels for the PS channel inputs,
resulting in them not being enabled as they should.

Fixes: d5c70627a794 ("iio: adc: Add Xilinx AMS driver")
Signed-off-by: Robert Hancock <robert.hancock@calian.com>
Reviewed-by: Michael Tretter <m.tretter@pengutronix.de>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Link: https://lore.kernel.org/r/20220127173450.3684318-3-robert.hancock@calian.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/xilinx-ams.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/adc/xilinx-ams.c
+++ b/drivers/iio/adc/xilinx-ams.c
@@ -1230,6 +1230,7 @@ static int ams_init_module(struct iio_de
 
 		/* add PS channels to iio device channels */
 		memcpy(channels, ams_ps_channels, sizeof(ams_ps_channels));
+		num_channels = ARRAY_SIZE(ams_ps_channels);
 	} else if (fwnode_property_match_string(fwnode, "compatible",
 						"xlnx,zynqmp-ams-pl") == 0) {
 		ams->pl_base = fwnode_iomap(fwnode, 0);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0035/1126] iio: adc: xilinx-ams: Fixed wrong sequencer register settings
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0034/1126] iio: adc: xilinx-ams: Fixed missing PS channels Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0036/1126] iio: inkern: apply consumer scale on IIO_VAL_INT cases Greg Kroah-Hartman
                   ` (954 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Robert Hancock, Michael Tretter,
	Michal Simek, Stable, Jonathan Cameron

From: Robert Hancock <robert.hancock@calian.com>

commit d5d786fb531697be74c567b3844c6897ddf1ffdd upstream.

Register settings used for the sequencer configuration register
were incorrect, causing some inputs to not be read properly.

Fixes: d5c70627a794 ("iio: adc: Add Xilinx AMS driver")
Signed-off-by: Robert Hancock <robert.hancock@calian.com>
Reviewed-by: Michael Tretter <m.tretter@pengutronix.de>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Link: https://lore.kernel.org/r/20220127173450.3684318-4-robert.hancock@calian.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/xilinx-ams.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/adc/xilinx-ams.c
+++ b/drivers/iio/adc/xilinx-ams.c
@@ -91,8 +91,8 @@
 
 #define AMS_CONF1_SEQ_MASK		GENMASK(15, 12)
 #define AMS_CONF1_SEQ_DEFAULT		FIELD_PREP(AMS_CONF1_SEQ_MASK, 0)
-#define AMS_CONF1_SEQ_CONTINUOUS	FIELD_PREP(AMS_CONF1_SEQ_MASK, 1)
-#define AMS_CONF1_SEQ_SINGLE_CHANNEL	FIELD_PREP(AMS_CONF1_SEQ_MASK, 2)
+#define AMS_CONF1_SEQ_CONTINUOUS	FIELD_PREP(AMS_CONF1_SEQ_MASK, 2)
+#define AMS_CONF1_SEQ_SINGLE_CHANNEL	FIELD_PREP(AMS_CONF1_SEQ_MASK, 3)
 
 #define AMS_REG_SEQ0_MASK		GENMASK(15, 0)
 #define AMS_REG_SEQ2_MASK		GENMASK(21, 16)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0036/1126] iio: inkern: apply consumer scale on IIO_VAL_INT cases
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0035/1126] iio: adc: xilinx-ams: Fixed wrong sequencer register settings Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0037/1126] iio: inkern: apply consumer scale when no channel scale is available Greg Kroah-Hartman
                   ` (953 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Liam Beguin, Peter Rosin,
	Andy Shevchenko, Stable, Jonathan Cameron

From: Liam Beguin <liambeguin@gmail.com>

commit 1bca97ff95c732a516ebb68da72814194980e0a5 upstream.

When a consumer calls iio_read_channel_processed() and the channel has
an integer scale, the scale channel scale is applied and the processed
value is returned as expected.

On the other hand, if the consumer calls iio_convert_raw_to_processed()
the scaling factor requested by the consumer is not applied.

This for example causes the consumer to process mV when expecting uV.
Make sure to always apply the scaling factor requested by the consumer.

Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value")
Signed-off-by: Liam Beguin <liambeguin@gmail.com>
Reviewed-by: Peter Rosin <peda@axentia.se>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20220108205319.2046348-2-liambeguin@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/inkern.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/inkern.c
+++ b/drivers/iio/inkern.c
@@ -616,7 +616,7 @@ static int iio_convert_raw_to_processed_
 
 	switch (scale_type) {
 	case IIO_VAL_INT:
-		*processed = raw64 * scale_val;
+		*processed = raw64 * scale_val * scale;
 		break;
 	case IIO_VAL_INT_PLUS_MICRO:
 		if (scale_val2 < 0)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0037/1126] iio: inkern: apply consumer scale when no channel scale is available
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0036/1126] iio: inkern: apply consumer scale on IIO_VAL_INT cases Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0038/1126] iio: inkern: make a best effort on offset calculation Greg Kroah-Hartman
                   ` (952 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Liam Beguin, Peter Rosin,
	Andy Shevchenko, Stable, Jonathan Cameron

From: Liam Beguin <liambeguin@gmail.com>

commit 14b457fdde38de594a4bc4bd9075019319d978da upstream.

When a consumer calls iio_read_channel_processed() and no channel scale
is available, it's assumed that the scale is one and the raw value is
returned as expected.

On the other hand, if the consumer calls iio_convert_raw_to_processed()
the scaling factor requested by the consumer is not applied.

This for example causes the consumer to process mV when expecting uV.
Make sure to always apply the scaling factor requested by the consumer.

Fixes: adc8ec5ff183 ("iio: inkern: pass through raw values if no scaling")
Signed-off-by: Liam Beguin <liambeguin@gmail.com>
Reviewed-by: Peter Rosin <peda@axentia.se>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20220108205319.2046348-3-liambeguin@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/inkern.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/iio/inkern.c
+++ b/drivers/iio/inkern.c
@@ -607,10 +607,10 @@ static int iio_convert_raw_to_processed_
 					IIO_CHAN_INFO_SCALE);
 	if (scale_type < 0) {
 		/*
-		 * Just pass raw values as processed if no scaling is
-		 * available.
+		 * If no channel scaling is available apply consumer scale to
+		 * raw value and return.
 		 */
-		*processed = raw;
+		*processed = raw * scale;
 		return 0;
 	}
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0038/1126] iio: inkern: make a best effort on offset calculation
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0037/1126] iio: inkern: apply consumer scale when no channel scale is available Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0039/1126] greybus: svc: fix an error handling bug in gb_svc_hello() Greg Kroah-Hartman
                   ` (951 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Liam Beguin, Peter Rosin,
	Andy Shevchenko, Stable, Jonathan Cameron

From: Liam Beguin <liambeguin@gmail.com>

commit ca85123354e1a65a22170286387b4791997fe864 upstream.

iio_convert_raw_to_processed_unlocked() assumes the offset is an
integer. Make a best effort to get a valid offset value for fractional
cases without breaking implicit truncations.

Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value")
Signed-off-by: Liam Beguin <liambeguin@gmail.com>
Reviewed-by: Peter Rosin <peda@axentia.se>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20220108205319.2046348-4-liambeguin@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/inkern.c |   32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)

--- a/drivers/iio/inkern.c
+++ b/drivers/iio/inkern.c
@@ -595,13 +595,35 @@ EXPORT_SYMBOL_GPL(iio_read_channel_avera
 static int iio_convert_raw_to_processed_unlocked(struct iio_channel *chan,
 	int raw, int *processed, unsigned int scale)
 {
-	int scale_type, scale_val, scale_val2, offset;
+	int scale_type, scale_val, scale_val2;
+	int offset_type, offset_val, offset_val2;
 	s64 raw64 = raw;
-	int ret;
 
-	ret = iio_channel_read(chan, &offset, NULL, IIO_CHAN_INFO_OFFSET);
-	if (ret >= 0)
-		raw64 += offset;
+	offset_type = iio_channel_read(chan, &offset_val, &offset_val2,
+				       IIO_CHAN_INFO_OFFSET);
+	if (offset_type >= 0) {
+		switch (offset_type) {
+		case IIO_VAL_INT:
+			break;
+		case IIO_VAL_INT_PLUS_MICRO:
+		case IIO_VAL_INT_PLUS_NANO:
+			/*
+			 * Both IIO_VAL_INT_PLUS_MICRO and IIO_VAL_INT_PLUS_NANO
+			 * implicitely truncate the offset to it's integer form.
+			 */
+			break;
+		case IIO_VAL_FRACTIONAL:
+			offset_val /= offset_val2;
+			break;
+		case IIO_VAL_FRACTIONAL_LOG2:
+			offset_val >>= offset_val2;
+			break;
+		default:
+			return -EINVAL;
+		}
+
+		raw64 += offset_val;
+	}
 
 	scale_type = iio_channel_read(chan, &scale_val, &scale_val2,
 					IIO_CHAN_INFO_SCALE);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0039/1126] greybus: svc: fix an error handling bug in gb_svc_hello()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0038/1126] iio: inkern: make a best effort on offset calculation Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0040/1126] clk: rockchip: re-add rational best approximation algorithm to the fractional divider Greg Kroah-Hartman
                   ` (950 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Johan Hovold

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 5f8583a3b7552092582a92e7bbd2153319929ad7 upstream.

Cleanup if gb_svc_queue_deferred_request() fails.

Link: https://lore.kernel.org/r/20220202072016.GA6748@kili
Fixes: ee2f2074fdb2 ("greybus: svc: reconfig APBridgeA-Switch link to handle required load")
Cc: stable@vger.kernel.org      # 4.9
[johan: fix commit summary prefix and rename label ]
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20220202113347.1288-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/greybus/svc.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/greybus/svc.c
+++ b/drivers/greybus/svc.c
@@ -866,8 +866,14 @@ static int gb_svc_hello(struct gb_operat
 
 	gb_svc_debugfs_init(svc);
 
-	return gb_svc_queue_deferred_request(op);
+	ret = gb_svc_queue_deferred_request(op);
+	if (ret)
+		goto err_remove_debugfs;
 
+	return 0;
+
+err_remove_debugfs:
+	gb_svc_debugfs_exit(svc);
 err_unregister_device:
 	gb_svc_watchdog_destroy(svc);
 	device_del(&svc->dev);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0040/1126] clk: rockchip: re-add rational best approximation algorithm to the fractional divider
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0039/1126] greybus: svc: fix an error handling bug in gb_svc_hello() Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0041/1126] clk: uniphier: Fix fixed-rate initialization Greg Kroah-Hartman
                   ` (949 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Quentin Schulz, Quentin Schulz,
	Heiko Stuebner

From: Quentin Schulz <quentin.schulz@theobroma-systems.com>

commit 10b74af310735860510a533433b1d3ab2e05a138 upstream.

In commit 4e7cf74fa3b2 ("clk: fractional-divider: Export approximation
algorithm to the CCF users"), the code handling the rational best
approximation algorithm was replaced by a call to the core
clk_fractional_divider_general_approximation function which did the same
thing back then.

However, in commit 82f53f9ee577 ("clk: fractional-divider: Introduce
POWER_OF_TWO_PS flag"), this common code was made conditional on
CLK_FRAC_DIVIDER_POWER_OF_TWO_PS flag which was not added back to the
rockchip clock driver.

This broke the ltk050h3146w-a2 MIPI DSI display present on a PX30-based
downstream board.

Let's add the flag to the fractional divider flags so that the original
and intended behavior is brought back to the rockchip clock drivers.

Fixes: 82f53f9ee577 ("clk: fractional-divider: Introduce POWER_OF_TWO_PS flag")
Cc: stable@vger.kernel.org
Cc: Quentin Schulz <foss+kernel@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Link: https://lore.kernel.org/r/20220131163224.708002-1-quentin.schulz@theobroma-systems.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clk/rockchip/clk.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/clk/rockchip/clk.c
+++ b/drivers/clk/rockchip/clk.c
@@ -180,6 +180,7 @@ static void rockchip_fractional_approxim
 		unsigned long rate, unsigned long *parent_rate,
 		unsigned long *m, unsigned long *n)
 {
+	struct clk_fractional_divider *fd = to_clk_fd(hw);
 	unsigned long p_rate, p_parent_rate;
 	struct clk_hw *p_parent;
 
@@ -190,6 +191,8 @@ static void rockchip_fractional_approxim
 		*parent_rate = p_parent_rate;
 	}
 
+	fd->flags |= CLK_FRAC_DIVIDER_POWER_OF_TWO_PS;
+
 	clk_fractional_divider_general_approximation(hw, rate, parent_rate, m, n);
 }
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0041/1126] clk: uniphier: Fix fixed-rate initialization
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0040/1126] clk: rockchip: re-add rational best approximation algorithm to the fractional divider Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0042/1126] ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE Greg Kroah-Hartman
                   ` (948 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kunihiko Hayashi, Stephen Boyd

From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>

commit ca85a66710a8a1f6b0719397225c3e9ee0abb692 upstream.

Fixed-rate clocks in UniPhier don't have any parent clocks, however,
initial data "init.flags" isn't initialized, so it might be determined
that there is a parent clock for fixed-rate clock.

This sets init.flags to zero as initialization.

Cc: <stable@vger.kernel.org>
Fixes: 734d82f4a678 ("clk: uniphier: add core support code for UniPhier clock driver")
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Link: https://lore.kernel.org/r/1646808918-30899-1-git-send-email-hayashi.kunihiko@socionext.com
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clk/uniphier/clk-uniphier-fixed-rate.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/clk/uniphier/clk-uniphier-fixed-rate.c
+++ b/drivers/clk/uniphier/clk-uniphier-fixed-rate.c
@@ -24,6 +24,7 @@ struct clk_hw *uniphier_clk_register_fix
 
 	init.name = name;
 	init.ops = &clk_fixed_rate_ops;
+	init.flags = 0;
 	init.parent_names = NULL;
 	init.num_parents = 0;
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0042/1126] ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0041/1126] clk: uniphier: Fix fixed-rate initialization Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0043/1126] cifs: truncate the inode and mapping when we simulate fcollapse Greg Kroah-Hartman
                   ` (947 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, Jann Horn, Eric W. Biederman

From: Jann Horn <jannh@google.com>

commit ee1fee900537b5d9560e9f937402de5ddc8412f3 upstream.

Setting PTRACE_O_SUSPEND_SECCOMP is supposed to be a highly privileged
operation because it allows the tracee to completely bypass all seccomp
filters on kernels with CONFIG_CHECKPOINT_RESTORE=y. It is only supposed to
be settable by a process with global CAP_SYS_ADMIN, and only if that
process is not subject to any seccomp filters at all.

However, while these permission checks were done on the PTRACE_SETOPTIONS
path, they were missing on the PTRACE_SEIZE path, which also sets
user-specified ptrace flags.

Move the permissions checks out into a helper function and let both
ptrace_attach() and ptrace_setoptions() call it.

Cc: stable@kernel.org
Fixes: 13c4a90119d2 ("seccomp: add ptrace options for suspend/resume")
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://lkml.kernel.org/r/20220319010838.1386861-1-jannh@google.com
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/ptrace.c |   47 ++++++++++++++++++++++++++++++++---------------
 1 file changed, 32 insertions(+), 15 deletions(-)

--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -371,6 +371,26 @@ bool ptrace_may_access(struct task_struc
 	return !err;
 }
 
+static int check_ptrace_options(unsigned long data)
+{
+	if (data & ~(unsigned long)PTRACE_O_MASK)
+		return -EINVAL;
+
+	if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) {
+		if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) ||
+		    !IS_ENABLED(CONFIG_SECCOMP))
+			return -EINVAL;
+
+		if (!capable(CAP_SYS_ADMIN))
+			return -EPERM;
+
+		if (seccomp_mode(&current->seccomp) != SECCOMP_MODE_DISABLED ||
+		    current->ptrace & PT_SUSPEND_SECCOMP)
+			return -EPERM;
+	}
+	return 0;
+}
+
 static int ptrace_attach(struct task_struct *task, long request,
 			 unsigned long addr,
 			 unsigned long flags)
@@ -382,8 +402,16 @@ static int ptrace_attach(struct task_str
 	if (seize) {
 		if (addr != 0)
 			goto out;
+		/*
+		 * This duplicates the check in check_ptrace_options() because
+		 * ptrace_attach() and ptrace_setoptions() have historically
+		 * used different error codes for unknown ptrace options.
+		 */
 		if (flags & ~(unsigned long)PTRACE_O_MASK)
 			goto out;
+		retval = check_ptrace_options(flags);
+		if (retval)
+			return retval;
 		flags = PT_PTRACED | PT_SEIZED | (flags << PT_OPT_FLAG_SHIFT);
 	} else {
 		flags = PT_PTRACED;
@@ -654,22 +682,11 @@ int ptrace_writedata(struct task_struct
 static int ptrace_setoptions(struct task_struct *child, unsigned long data)
 {
 	unsigned flags;
+	int ret;
 
-	if (data & ~(unsigned long)PTRACE_O_MASK)
-		return -EINVAL;
-
-	if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) {
-		if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) ||
-		    !IS_ENABLED(CONFIG_SECCOMP))
-			return -EINVAL;
-
-		if (!capable(CAP_SYS_ADMIN))
-			return -EPERM;
-
-		if (seccomp_mode(&current->seccomp) != SECCOMP_MODE_DISABLED ||
-		    current->ptrace & PT_SUSPEND_SECCOMP)
-			return -EPERM;
-	}
+	ret = check_ptrace_options(data);
+	if (ret)
+		return ret;
 
 	/* Avoid intermediate state when all opts are cleared */
 	flags = child->ptrace;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0043/1126] cifs: truncate the inode and mapping when we simulate fcollapse
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0042/1126] ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0044/1126] cifs: fix handlecache and multiuser Greg Kroah-Hartman
                   ` (946 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiaoli Feng, kernel test robot,
	Ronnie Sahlberg, Steve French

From: Ronnie Sahlberg <lsahlber@redhat.com>

commit 84330d41efb12bc227899e54dbdbe7d9590cb2b7 upstream.

RHBZ:1997367

When we collapse a range in smb3_collapse_range() we must make sure
we update the inode size and pagecache accordingly.

If not, both inode size and pagecahce may be stale until it is refreshed.

This can be demonstrated for the inode size by running :

xfs_io -i -f -c "truncate 320k" -c "fcollapse 64k 128k" -c "fiemap -v"  \
/mnt/testfile

where we can see the result of stale data in the fiemap output.
The third line of the output is wrong, all this data should be truncated.

 EXT: FILE-OFFSET      BLOCK-RANGE      TOTAL FLAGS
   0: [0..127]:        hole               128
   1: [128..383]:      128..383           256   0x1
   2: [384..639]:      hole               256

And the correct output, when the inode size has been updated correctly should
look like this:

 EXT: FILE-OFFSET      BLOCK-RANGE      TOTAL FLAGS
   0: [0..127]:        hole               128
   1: [128..383]:      128..383           256   0x1

Reported-by: Xiaoli Feng <xifeng@redhat.com>
Reported-by: kernel test robot <lkp@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cifs/smb2ops.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -25,6 +25,7 @@
 #include "smb2glob.h"
 #include "cifs_ioctl.h"
 #include "smbdirect.h"
+#include "fscache.h"
 #include "fs_context.h"
 
 /* Change credits for different ops and return the total number of credits */
@@ -3887,29 +3888,38 @@ static long smb3_collapse_range(struct f
 {
 	int rc;
 	unsigned int xid;
+	struct inode *inode;
 	struct cifsFileInfo *cfile = file->private_data;
+	struct cifsInodeInfo *cifsi;
 	__le64 eof;
 
 	xid = get_xid();
 
-	if (off >= i_size_read(file->f_inode) ||
-	    off + len >= i_size_read(file->f_inode)) {
+	inode = d_inode(cfile->dentry);
+	cifsi = CIFS_I(inode);
+
+	if (off >= i_size_read(inode) ||
+	    off + len >= i_size_read(inode)) {
 		rc = -EINVAL;
 		goto out;
 	}
 
 	rc = smb2_copychunk_range(xid, cfile, cfile, off + len,
-				  i_size_read(file->f_inode) - off - len, off);
+				  i_size_read(inode) - off - len, off);
 	if (rc < 0)
 		goto out;
 
-	eof = cpu_to_le64(i_size_read(file->f_inode) - len);
+	eof = cpu_to_le64(i_size_read(inode) - len);
 	rc = SMB2_set_eof(xid, tcon, cfile->fid.persistent_fid,
 			  cfile->fid.volatile_fid, cfile->pid, &eof);
 	if (rc < 0)
 		goto out;
 
 	rc = 0;
+
+	cifsi->server_eof = i_size_read(inode) - len;
+	truncate_setsize(inode, cifsi->server_eof);
+	fscache_resize_cookie(cifs_inode_cookie(inode), cifsi->server_eof);
  out:
 	free_xid(xid);
 	return rc;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0044/1126] cifs: fix handlecache and multiuser
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0043/1126] cifs: truncate the inode and mapping when we simulate fcollapse Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0045/1126] cifs: we do not need a spinlock around the tree access during umount Greg Kroah-Hartman
                   ` (945 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ronnie Sahlberg,
	Paulo Alcantara (SUSE),
	Steve French

From: Ronnie Sahlberg <lsahlber@redhat.com>

commit 47178c7722ac528ea08aa82c3ef9ffa178962d7a upstream.

In multiuser each individual user has their own tcon structure for the
share and thus their own handle for a cached directory.
When we umount such a share we much make sure to release the pinned down dentry
for each such tcon and not just the master tcon.

Otherwise we will get nasty warnings on umount that dentries are still in use:
[ 3459.590047] BUG: Dentry 00000000115c6f41{i=12000000019d95,n=/}  still in use\
 (2) [unmount of cifs cifs]
...
[ 3459.590492] Call Trace:
[ 3459.590500]  d_walk+0x61/0x2a0
[ 3459.590518]  ? shrink_lock_dentry.part.0+0xe0/0xe0
[ 3459.590526]  shrink_dcache_for_umount+0x49/0x110
[ 3459.590535]  generic_shutdown_super+0x1a/0x110
[ 3459.590542]  kill_anon_super+0x14/0x30
[ 3459.590549]  cifs_kill_sb+0xf5/0x104 [cifs]
[ 3459.590773]  deactivate_locked_super+0x36/0xa0
[ 3459.590782]  cleanup_mnt+0x131/0x190
[ 3459.590789]  task_work_run+0x5c/0x90
[ 3459.590798]  exit_to_user_mode_loop+0x151/0x160
[ 3459.590809]  exit_to_user_mode_prepare+0x83/0xd0
[ 3459.590818]  syscall_exit_to_user_mode+0x12/0x30
[ 3459.590828]  do_syscall_64+0x48/0x90
[ 3459.590833]  entry_SYSCALL_64_after_hwframe+0x44/0xae

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Acked-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cifs/cifsfs.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -254,6 +254,9 @@ static void cifs_kill_sb(struct super_bl
 	struct cifs_sb_info *cifs_sb = CIFS_SB(sb);
 	struct cifs_tcon *tcon;
 	struct cached_fid *cfid;
+	struct rb_root *root = &cifs_sb->tlink_tree;
+	struct rb_node *node;
+	struct tcon_link *tlink;
 
 	/*
 	 * We ned to release all dentries for the cached directories
@@ -263,17 +266,21 @@ static void cifs_kill_sb(struct super_bl
 		dput(cifs_sb->root);
 		cifs_sb->root = NULL;
 	}
-	tcon = cifs_sb_master_tcon(cifs_sb);
-	if (tcon) {
+	spin_lock(&cifs_sb->tlink_tree_lock);
+	node = rb_first(root);
+	while (node != NULL) {
+		tlink = rb_entry(node, struct tcon_link, tl_rbnode);
+		tcon = tlink_tcon(tlink);
 		cfid = &tcon->crfid;
 		mutex_lock(&cfid->fid_mutex);
 		if (cfid->dentry) {
-
 			dput(cfid->dentry);
 			cfid->dentry = NULL;
 		}
 		mutex_unlock(&cfid->fid_mutex);
+		node = rb_next(node);
 	}
+	spin_unlock(&cifs_sb->tlink_tree_lock);
 
 	kill_anon_super(sb);
 	cifs_umount(cifs_sb);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0045/1126] cifs: we do not need a spinlock around the tree access during umount
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0044/1126] cifs: fix handlecache and multiuser Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0046/1126] KEYS: fix length validation in keyctl_pkey_params_get_2() Greg Kroah-Hartman
                   ` (944 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Ronnie Sahlberg,
	Steve French

From: Ronnie Sahlberg <lsahlber@redhat.com>

commit 9a14b65d590105d393b63f5320e1594edda7c672 upstream.

Remove the spinlock around the tree traversal as we are calling possibly
sleeping functions.
We do not need a spinlock here as there will be no modifications to this
tree at this point.

This prevents warnings like this to occur in dmesg:
[  653.774996] BUG: sleeping function called from invalid context at kernel/loc\
king/mutex.c:280
[  653.775088] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1827, nam\
e: umount
[  653.775152] preempt_count: 1, expected: 0
[  653.775191] CPU: 0 PID: 1827 Comm: umount Tainted: G        W  OE     5.17.0\
-rc7-00006-g4eb628dd74df #135
[  653.775195] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-\
1.fc33 04/01/2014
[  653.775197] Call Trace:
[  653.775199]  <TASK>
[  653.775202]  dump_stack_lvl+0x34/0x44
[  653.775209]  __might_resched.cold+0x13f/0x172
[  653.775213]  mutex_lock+0x75/0xf0
[  653.775217]  ? __mutex_lock_slowpath+0x10/0x10
[  653.775220]  ? _raw_write_lock_irq+0xd0/0xd0
[  653.775224]  ? dput+0x6b/0x360
[  653.775228]  cifs_kill_sb+0xff/0x1d0 [cifs]
[  653.775285]  deactivate_locked_super+0x85/0x130
[  653.775289]  cleanup_mnt+0x32c/0x4d0
[  653.775292]  ? path_umount+0x228/0x380
[  653.775296]  task_work_run+0xd8/0x180
[  653.775301]  exit_to_user_mode_loop+0x152/0x160
[  653.775306]  exit_to_user_mode_prepare+0x89/0xd0
[  653.775315]  syscall_exit_to_user_mode+0x12/0x30
[  653.775322]  do_syscall_64+0x48/0x90
[  653.775326]  entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 187af6e98b44e5d8f25e1d41a92db138eb54416f ("cifs: fix handlecache and multiuser")
Reported-by: kernel test robot <oliver.sang@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cifs/cifsfs.c |    2 --
 1 file changed, 2 deletions(-)

--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -266,7 +266,6 @@ static void cifs_kill_sb(struct super_bl
 		dput(cifs_sb->root);
 		cifs_sb->root = NULL;
 	}
-	spin_lock(&cifs_sb->tlink_tree_lock);
 	node = rb_first(root);
 	while (node != NULL) {
 		tlink = rb_entry(node, struct tcon_link, tl_rbnode);
@@ -280,7 +279,6 @@ static void cifs_kill_sb(struct super_bl
 		mutex_unlock(&cfid->fid_mutex);
 		node = rb_next(node);
 	}
-	spin_unlock(&cifs_sb->tlink_tree_lock);
 
 	kill_anon_super(sb);
 	cifs_umount(cifs_sb);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0046/1126] KEYS: fix length validation in keyctl_pkey_params_get_2()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0045/1126] cifs: we do not need a spinlock around the tree access during umount Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0047/1126] KEYS: asymmetric: enforce that sig algo matches key algo Greg Kroah-Hartman
                   ` (943 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, Jarkko Sakkinen

From: Eric Biggers <ebiggers@google.com>

commit c51abd96837f600d8fd940b6ab8e2da578575504 upstream.

In many cases, keyctl_pkey_params_get_2() is validating the user buffer
lengths against the wrong algorithm properties.  Fix it to check against
the correct properties.

Probably this wasn't noticed before because for all asymmetric keys of
the "public_key" subtype, max_data_size == max_sig_size == max_enc_size
== max_dec_size.  However, this isn't necessarily true for the
"asym_tpm" subtype (it should be, but it's not strictly validated).  Of
course, future key types could have different values as well.

Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
Cc: <stable@vger.kernel.org> # v4.20+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/keys/keyctl_pkey.c |   14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/security/keys/keyctl_pkey.c
+++ b/security/keys/keyctl_pkey.c
@@ -135,15 +135,23 @@ static int keyctl_pkey_params_get_2(cons
 
 	switch (op) {
 	case KEYCTL_PKEY_ENCRYPT:
+		if (uparams.in_len  > info.max_dec_size ||
+		    uparams.out_len > info.max_enc_size)
+			return -EINVAL;
+		break;
 	case KEYCTL_PKEY_DECRYPT:
 		if (uparams.in_len  > info.max_enc_size ||
 		    uparams.out_len > info.max_dec_size)
 			return -EINVAL;
 		break;
 	case KEYCTL_PKEY_SIGN:
+		if (uparams.in_len  > info.max_data_size ||
+		    uparams.out_len > info.max_sig_size)
+			return -EINVAL;
+		break;
 	case KEYCTL_PKEY_VERIFY:
-		if (uparams.in_len  > info.max_sig_size ||
-		    uparams.out_len > info.max_data_size)
+		if (uparams.in_len  > info.max_data_size ||
+		    uparams.in2_len > info.max_sig_size)
 			return -EINVAL;
 		break;
 	default:
@@ -151,7 +159,7 @@ static int keyctl_pkey_params_get_2(cons
 	}
 
 	params->in_len  = uparams.in_len;
-	params->out_len = uparams.out_len;
+	params->out_len = uparams.out_len; /* Note: same as in2_len */
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0047/1126] KEYS: asymmetric: enforce that sig algo matches key algo
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0046/1126] KEYS: fix length validation in keyctl_pkey_params_get_2() Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0048/1126] KEYS: asymmetric: properly validate hash_algo and encoding Greg Kroah-Hartman
                   ` (942 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Berger, Tianjia Zhang,
	Eric Biggers, Vitaly Chikunov, Jarkko Sakkinen

From: Eric Biggers <ebiggers@google.com>

commit 2abc9c246e0548e52985b10440c9ea3e9f65f793 upstream.

Most callers of public_key_verify_signature(), including most indirect
callers via verify_signature() as well as pkcs7_verify_sig_chain(),
don't check that public_key_signature::pkey_algo matches
public_key::pkey_algo.  These should always match.  However, a malicious
signature could intentionally declare an unintended algorithm.  It is
essential that such signatures be rejected outright, or that the
algorithm of the *key* be used -- not the algorithm of the signature as
that would allow attackers to choose the algorithm used.

Currently, public_key_verify_signature() correctly uses the key's
algorithm when deciding which akcipher to allocate.  That's good.
However, it uses the signature's algorithm when deciding whether to do
the first step of SM2, which is incorrect.  Also, v4.19 and older
kernels used the signature's algorithm for the entire process.

Prevent such errors by making public_key_verify_signature() enforce that
the signature's algorithm (if given) matches the key's algorithm.

Also remove two checks of this done by callers, which are now redundant.

Cc: stable@vger.kernel.org
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 crypto/asymmetric_keys/pkcs7_verify.c    |    6 ------
 crypto/asymmetric_keys/public_key.c      |   15 +++++++++++++++
 crypto/asymmetric_keys/x509_public_key.c |    6 ------
 3 files changed, 15 insertions(+), 12 deletions(-)

--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -174,12 +174,6 @@ static int pkcs7_find_key(struct pkcs7_m
 		pr_devel("Sig %u: Found cert serial match X.509[%u]\n",
 			 sinfo->index, certix);
 
-		if (strcmp(x509->pub->pkey_algo, sinfo->sig->pkey_algo) != 0) {
-			pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n",
-				sinfo->index);
-			continue;
-		}
-
 		sinfo->signer = x509;
 		return 0;
 	}
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -325,6 +325,21 @@ int public_key_verify_signature(const st
 	BUG_ON(!sig);
 	BUG_ON(!sig->s);
 
+	/*
+	 * If the signature specifies a public key algorithm, it *must* match
+	 * the key's actual public key algorithm.
+	 *
+	 * Small exception: ECDSA signatures don't specify the curve, but ECDSA
+	 * keys do.  So the strings can mismatch slightly in that case:
+	 * "ecdsa-nist-*" for the key, but "ecdsa" for the signature.
+	 */
+	if (sig->pkey_algo) {
+		if (strcmp(pkey->pkey_algo, sig->pkey_algo) != 0 &&
+		    (strncmp(pkey->pkey_algo, "ecdsa-", 6) != 0 ||
+		     strcmp(sig->pkey_algo, "ecdsa") != 0))
+			return -EKEYREJECTED;
+	}
+
 	ret = software_key_determine_akcipher(sig->encoding,
 					      sig->hash_algo,
 					      pkey, alg_name);
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -128,12 +128,6 @@ int x509_check_for_self_signed(struct x5
 			goto out;
 	}
 
-	ret = -EKEYREJECTED;
-	if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0 &&
-	    (strncmp(cert->pub->pkey_algo, "ecdsa-", 6) != 0 ||
-	     strcmp(cert->sig->pkey_algo, "ecdsa") != 0))
-		goto out;
-
 	ret = public_key_verify_signature(cert->pub, cert->sig);
 	if (ret < 0) {
 		if (ret == -ENOPKG) {



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0048/1126] KEYS: asymmetric: properly validate hash_algo and encoding
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0047/1126] KEYS: asymmetric: enforce that sig algo matches key algo Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0049/1126] Documentation: add link to stable release candidate tree Greg Kroah-Hartman
                   ` (941 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Berger, Tianjia Zhang,
	Eric Biggers, Vitaly Chikunov, Jarkko Sakkinen

From: Eric Biggers <ebiggers@google.com>

commit 590bfb57b2328951d5833979e7ca1d5fde2e609a upstream.

It is insecure to allow arbitrary hash algorithms and signature
encodings to be used with arbitrary signature algorithms.  Notably,
ECDSA, ECRDSA, and SM2 all sign/verify raw hash values and don't
disambiguate between different hash algorithms like RSA PKCS#1 v1.5
padding does.  Therefore, they need to be restricted to certain sets of
hash algorithms (ideally just one, but in practice small sets are used).
Additionally, the encoding is an integral part of modern signature
algorithms, and is not supposed to vary.

Therefore, tighten the checks of hash_algo and encoding done by
software_key_determine_akcipher().

Also rearrange the parameters to software_key_determine_akcipher() to
put the public_key first, as this is the most important parameter and it
often determines everything else.

Fixes: 299f561a6693 ("x509: Add support for parsing x509 certs with ECDSA keys")
Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification")
Fixes: 0d7a78643f69 ("crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm")
Cc: stable@vger.kernel.org
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 crypto/asymmetric_keys/public_key.c |  111 ++++++++++++++++++++++++------------
 1 file changed, 76 insertions(+), 35 deletions(-)

--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -60,39 +60,83 @@ static void public_key_destroy(void *pay
 }
 
 /*
- * Determine the crypto algorithm name.
+ * Given a public_key, and an encoding and hash_algo to be used for signing
+ * and/or verification with that key, determine the name of the corresponding
+ * akcipher algorithm.  Also check that encoding and hash_algo are allowed.
  */
-static
-int software_key_determine_akcipher(const char *encoding,
-				    const char *hash_algo,
-				    const struct public_key *pkey,
-				    char alg_name[CRYPTO_MAX_ALG_NAME])
+static int
+software_key_determine_akcipher(const struct public_key *pkey,
+				const char *encoding, const char *hash_algo,
+				char alg_name[CRYPTO_MAX_ALG_NAME])
 {
 	int n;
 
-	if (strcmp(encoding, "pkcs1") == 0) {
-		/* The data wangled by the RSA algorithm is typically padded
-		 * and encoded in some manner, such as EMSA-PKCS1-1_5 [RFC3447
-		 * sec 8.2].
+	if (!encoding)
+		return -EINVAL;
+
+	if (strcmp(pkey->pkey_algo, "rsa") == 0) {
+		/*
+		 * RSA signatures usually use EMSA-PKCS1-1_5 [RFC3447 sec 8.2].
+		 */
+		if (strcmp(encoding, "pkcs1") == 0) {
+			if (!hash_algo)
+				n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME,
+					     "pkcs1pad(%s)",
+					     pkey->pkey_algo);
+			else
+				n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME,
+					     "pkcs1pad(%s,%s)",
+					     pkey->pkey_algo, hash_algo);
+			return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0;
+		}
+		if (strcmp(encoding, "raw") != 0)
+			return -EINVAL;
+		/*
+		 * Raw RSA cannot differentiate between different hash
+		 * algorithms.
+		 */
+		if (hash_algo)
+			return -EINVAL;
+	} else if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) {
+		if (strcmp(encoding, "x962") != 0)
+			return -EINVAL;
+		/*
+		 * ECDSA signatures are taken over a raw hash, so they don't
+		 * differentiate between different hash algorithms.  That means
+		 * that the verifier should hard-code a specific hash algorithm.
+		 * Unfortunately, in practice ECDSA is used with multiple SHAs,
+		 * so we have to allow all of them and not just one.
 		 */
 		if (!hash_algo)
-			n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME,
-				     "pkcs1pad(%s)",
-				     pkey->pkey_algo);
-		else
-			n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME,
-				     "pkcs1pad(%s,%s)",
-				     pkey->pkey_algo, hash_algo);
-		return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0;
-	}
-
-	if (strcmp(encoding, "raw") == 0 ||
-	    strcmp(encoding, "x962") == 0) {
-		strcpy(alg_name, pkey->pkey_algo);
-		return 0;
+			return -EINVAL;
+		if (strcmp(hash_algo, "sha1") != 0 &&
+		    strcmp(hash_algo, "sha224") != 0 &&
+		    strcmp(hash_algo, "sha256") != 0 &&
+		    strcmp(hash_algo, "sha384") != 0 &&
+		    strcmp(hash_algo, "sha512") != 0)
+			return -EINVAL;
+	} else if (strcmp(pkey->pkey_algo, "sm2") == 0) {
+		if (strcmp(encoding, "raw") != 0)
+			return -EINVAL;
+		if (!hash_algo)
+			return -EINVAL;
+		if (strcmp(hash_algo, "sm3") != 0)
+			return -EINVAL;
+	} else if (strcmp(pkey->pkey_algo, "ecrdsa") == 0) {
+		if (strcmp(encoding, "raw") != 0)
+			return -EINVAL;
+		if (!hash_algo)
+			return -EINVAL;
+		if (strcmp(hash_algo, "streebog256") != 0 &&
+		    strcmp(hash_algo, "streebog512") != 0)
+			return -EINVAL;
+	} else {
+		/* Unknown public key algorithm */
+		return -ENOPKG;
 	}
-
-	return -ENOPKG;
+	if (strscpy(alg_name, pkey->pkey_algo, CRYPTO_MAX_ALG_NAME) < 0)
+		return -EINVAL;
+	return 0;
 }
 
 static u8 *pkey_pack_u32(u8 *dst, u32 val)
@@ -113,9 +157,8 @@ static int software_key_query(const stru
 	u8 *key, *ptr;
 	int ret, len;
 
-	ret = software_key_determine_akcipher(params->encoding,
-					      params->hash_algo,
-					      pkey, alg_name);
+	ret = software_key_determine_akcipher(pkey, params->encoding,
+					      params->hash_algo, alg_name);
 	if (ret < 0)
 		return ret;
 
@@ -179,9 +222,8 @@ static int software_key_eds_op(struct ke
 
 	pr_devel("==>%s()\n", __func__);
 
-	ret = software_key_determine_akcipher(params->encoding,
-					      params->hash_algo,
-					      pkey, alg_name);
+	ret = software_key_determine_akcipher(pkey, params->encoding,
+					      params->hash_algo, alg_name);
 	if (ret < 0)
 		return ret;
 
@@ -340,9 +382,8 @@ int public_key_verify_signature(const st
 			return -EKEYREJECTED;
 	}
 
-	ret = software_key_determine_akcipher(sig->encoding,
-					      sig->hash_algo,
-					      pkey, alg_name);
+	ret = software_key_determine_akcipher(pkey, sig->encoding,
+					      sig->hash_algo, alg_name);
 	if (ret < 0)
 		return ret;
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0049/1126] Documentation: add link to stable release candidate tree
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0048/1126] KEYS: asymmetric: properly validate hash_algo and encoding Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0050/1126] Documentation: update stable tree link Greg Kroah-Hartman
                   ` (940 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sasha Levin, Jonathan Corbet, Bagas Sanjaya

From: Bagas Sanjaya <bagasdotme@gmail.com>

commit 587d39b260c4d090166314d64be70b1f6a26b0b5 upstream.

There is also stable release candidate tree. Mention it, however with a
warning that the tree is for testing purposes.

Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Link: https://lore.kernel.org/r/20220314113329.485372-5-bagasdotme@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/process/stable-kernel-rules.rst |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/Documentation/process/stable-kernel-rules.rst
+++ b/Documentation/process/stable-kernel-rules.rst
@@ -170,6 +170,15 @@ Trees
 
 	https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
 
+ - The release candidate of all stable kernel versions can be found at:
+
+        https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/
+
+   .. warning::
+      The -stable-rc tree is a snapshot in time of the stable-queue tree and
+      will change frequently, hence will be rebased often. It should only be
+      used for testing purposes (e.g. to be consumed by CI systems).
+
 
 Review committee
 ----------------



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0050/1126] Documentation: update stable tree link
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0049/1126] Documentation: add link to stable release candidate tree Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0051/1126] firmware: stratix10-svc: add missing callback parameter on RSU Greg Kroah-Hartman
                   ` (939 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sasha Levin, Jonathan Corbet, Bagas Sanjaya

From: Bagas Sanjaya <bagasdotme@gmail.com>

commit 555d44932c67e617d89bc13c81c7efac5b51fcfa upstream.

The link to stable tree is redirected to
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git. Update
accordingly.

Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Link: https://lore.kernel.org/r/20220314113329.485372-6-bagasdotme@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/process/stable-kernel-rules.rst |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/Documentation/process/stable-kernel-rules.rst
+++ b/Documentation/process/stable-kernel-rules.rst
@@ -168,7 +168,7 @@ Trees
  - The finalized and tagged releases of all stable kernels can be found
    in separate branches per version at:
 
-	https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
+	https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
 
  - The release candidate of all stable kernel versions can be found at:
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0051/1126] firmware: stratix10-svc: add missing callback parameter on RSU
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0050/1126] Documentation: update stable tree link Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0052/1126] firmware: sysfb: fix platform-device leak in error path Greg Kroah-Hartman
                   ` (938 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ang Tien Sung, Dinh Nguyen

From: Ang Tien Sung <tien.sung.ang@intel.com>

commit b850b7a8b369322adf699ef48ceff4d902525c8c upstream.

Fix a bug whereby, the return response of parameter a1 from an
SMC call is not properly set to the callback data during an
INTEL_SIP_SMC_RSU_ERROR command.

Link: https://lore.kernel.org/lkml/20220216081513.28319-1-tien.sung.ang@intel.com
Fixes: 6b50d882d38d ("firmware: add remote status update client support")
Cc: stable@vger.kernel.org
Signed-off-by: Ang Tien Sung <tien.sung.ang@intel.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Link: https://lore.kernel.org/r/20220223144146.399263-1-dinguyen@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/stratix10-svc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/firmware/stratix10-svc.c
+++ b/drivers/firmware/stratix10-svc.c
@@ -477,7 +477,7 @@ static int svc_normal_to_secure_thread(v
 		case INTEL_SIP_SMC_RSU_ERROR:
 			pr_err("%s: STATUS_ERROR\n", __func__);
 			cbdata->status = BIT(SVC_STATUS_ERROR);
-			cbdata->kaddr1 = NULL;
+			cbdata->kaddr1 = &res.a1;
 			cbdata->kaddr2 = NULL;
 			cbdata->kaddr3 = NULL;
 			pdata->chan->scl->receive_cb(pdata->chan->scl, cbdata);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0052/1126] firmware: sysfb: fix platform-device leak in error path
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0051/1126] firmware: stratix10-svc: add missing callback parameter on RSU Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0053/1126] HID: intel-ish-hid: Use dma_alloc_coherent for firmware update Greg Kroah-Hartman
                   ` (937 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaoqian Lin,
	Javier Martinez Canillas, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 202c08914ba50dd324e42d5ad99535a89f242560 upstream.

Make sure to free the platform device also in the unlikely event that
registration fails.

Fixes: 0589e8889dce ("drivers/firmware: Add missing platform_device_put() in sysfb_create_simplefb")
Fixes: 8633ef82f101 ("drivers/firmware: consolidate EFI framebuffer setup for all arches")
Cc: stable@vger.kernel.org      # 5.14
Cc: Miaoqian Lin <linmq006@gmail.com>
Cc: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20220303180519.3117-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/sysfb_simplefb.c |   23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

--- a/drivers/firmware/sysfb_simplefb.c
+++ b/drivers/firmware/sysfb_simplefb.c
@@ -113,16 +113,21 @@ __init int sysfb_create_simplefb(const s
 	sysfb_apply_efi_quirks(pd);
 
 	ret = platform_device_add_resources(pd, &res, 1);
-	if (ret) {
-		platform_device_put(pd);
-		return ret;
-	}
+	if (ret)
+		goto err_put_device;
 
 	ret = platform_device_add_data(pd, mode, sizeof(*mode));
-	if (ret) {
-		platform_device_put(pd);
-		return ret;
-	}
+	if (ret)
+		goto err_put_device;
 
-	return platform_device_add(pd);
+	ret = platform_device_add(pd);
+	if (ret)
+		goto err_put_device;
+
+	return 0;
+
+err_put_device:
+	platform_device_put(pd);
+
+	return ret;
 }



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0053/1126] HID: intel-ish-hid: Use dma_alloc_coherent for firmware update
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0052/1126] firmware: sysfb: fix platform-device leak in error path Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0054/1126] SUNRPC: avoid race between mod_timer() and del_timer_sync() Greg Kroah-Hartman
                   ` (936 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gwendal Grignou, Srinivas Pandruvada,
	Jiri Kosina

From: Gwendal Grignou <gwendal@chromium.org>

commit f97ec5d75e9261a5da78dc28a8955b7cc0c4468b upstream.

Allocating memory with kmalloc and GPF_DMA32 is not allowed, the
allocator will ignore the attribute.

Instead, use dma_alloc_coherent() API as we allocate a small amount of
memory to transfer firmware fragment to the ISH.

On Arcada chromebook, after the patch the warning:
"Unexpected gfp: 0x4 (GFP_DMA32). Fixing up to gfp: 0xcc0 (GFP_KERNEL).  Fix your code!"
is gone. The ISH firmware is loaded properly and we can interact with
the ISH:
> ectool  --name cros_ish version
...
Build info:    arcada_ish_v2.0.3661+3c1a1c1ae0 2022-02-08 05:37:47 @localhost
Tool version:  v2.0.12300-900b03ec7f 2022-02-08 10:01:48 @localhost

Fixes: commit 91b228107da3 ("HID: intel-ish-hid: ISH firmware loader client driver")
Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/intel-ish-hid/ishtp-fw-loader.c |   29 ++--------------------------
 1 file changed, 3 insertions(+), 26 deletions(-)

--- a/drivers/hid/intel-ish-hid/ishtp-fw-loader.c
+++ b/drivers/hid/intel-ish-hid/ishtp-fw-loader.c
@@ -661,21 +661,12 @@ static int ish_fw_xfer_direct_dma(struct
 	 */
 	payload_max_size &= ~(L1_CACHE_BYTES - 1);
 
-	dma_buf = kmalloc(payload_max_size, GFP_KERNEL | GFP_DMA32);
+	dma_buf = dma_alloc_coherent(devc, payload_max_size, &dma_buf_phy, GFP_KERNEL);
 	if (!dma_buf) {
 		client_data->flag_retry = true;
 		return -ENOMEM;
 	}
 
-	dma_buf_phy = dma_map_single(devc, dma_buf, payload_max_size,
-				     DMA_TO_DEVICE);
-	if (dma_mapping_error(devc, dma_buf_phy)) {
-		dev_err(cl_data_to_dev(client_data), "DMA map failed\n");
-		client_data->flag_retry = true;
-		rv = -ENOMEM;
-		goto end_err_dma_buf_release;
-	}
-
 	ldr_xfer_dma_frag.fragment.hdr.command = LOADER_CMD_XFER_FRAGMENT;
 	ldr_xfer_dma_frag.fragment.xfer_mode = LOADER_XFER_MODE_DIRECT_DMA;
 	ldr_xfer_dma_frag.ddr_phys_addr = (u64)dma_buf_phy;
@@ -695,14 +686,7 @@ static int ish_fw_xfer_direct_dma(struct
 		ldr_xfer_dma_frag.fragment.size = fragment_size;
 		memcpy(dma_buf, &fw->data[fragment_offset], fragment_size);
 
-		dma_sync_single_for_device(devc, dma_buf_phy,
-					   payload_max_size,
-					   DMA_TO_DEVICE);
-
-		/*
-		 * Flush cache here because the dma_sync_single_for_device()
-		 * does not do for x86.
-		 */
+		/* Flush cache to be sure the data is in main memory. */
 		clflush_cache_range(dma_buf, payload_max_size);
 
 		dev_dbg(cl_data_to_dev(client_data),
@@ -725,15 +709,8 @@ static int ish_fw_xfer_direct_dma(struct
 		fragment_offset += fragment_size;
 	}
 
-	dma_unmap_single(devc, dma_buf_phy, payload_max_size, DMA_TO_DEVICE);
-	kfree(dma_buf);
-	return 0;
-
 end_err_resp_buf_release:
-	/* Free ISH buffer if not done already, in error case */
-	dma_unmap_single(devc, dma_buf_phy, payload_max_size, DMA_TO_DEVICE);
-end_err_dma_buf_release:
-	kfree(dma_buf);
+	dma_free_coherent(devc, payload_max_size, dma_buf, dma_buf_phy);
 	return rv;
 }
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0054/1126] SUNRPC: avoid race between mod_timer() and del_timer_sync()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0053/1126] HID: intel-ish-hid: Use dma_alloc_coherent for firmware update Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0055/1126] SUNRPC: Do not dereference non-socket transports in sysfs Greg Kroah-Hartman
                   ` (935 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, NeilBrown, Trond Myklebust

From: NeilBrown <neilb@suse.de>

commit 3848e96edf4788f772d83990022fa7023a233d83 upstream.

xprt_destory() claims XPRT_LOCKED and then calls del_timer_sync().
Both xprt_unlock_connect() and xprt_release() call
 ->release_xprt()
which drops XPRT_LOCKED and *then* xprt_schedule_autodisconnect()
which calls mod_timer().

This may result in mod_timer() being called *after* del_timer_sync().
When this happens, the timer may fire long after the xprt has been freed,
and run_timer_softirq() will probably crash.

The pairing of ->release_xprt() and xprt_schedule_autodisconnect() is
always called under ->transport_lock.  So if we take ->transport_lock to
call del_timer_sync(), we can be sure that mod_timer() will run first
(if it runs at all).

Cc: stable@vger.kernel.org
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sunrpc/xprt.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -2112,7 +2112,14 @@ static void xprt_destroy(struct rpc_xprt
 	 */
 	wait_on_bit_lock(&xprt->state, XPRT_LOCKED, TASK_UNINTERRUPTIBLE);
 
+	/*
+	 * xprt_schedule_autodisconnect() can run after XPRT_LOCKED
+	 * is cleared.  We use ->transport_lock to ensure the mod_timer()
+	 * can only run *before* del_time_sync(), never after.
+	 */
+	spin_lock(&xprt->transport_lock);
 	del_timer_sync(&xprt->timer);
+	spin_unlock(&xprt->transport_lock);
 
 	/*
 	 * Destroy sockets etc from the system workqueue so they can



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0055/1126] SUNRPC: Do not dereference non-socket transports in sysfs
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0054/1126] SUNRPC: avoid race between mod_timer() and del_timer_sync() Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0056/1126] NFS: NFSv2/v3 clients should never be setting NFS_CAP_XATTR Greg Kroah-Hartman
                   ` (934 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit 421ab1be43bd015ffe744f4ea25df4f19d1ce6fe upstream.

Do not cast the struct xprt to a sock_xprt unless we know it is a UDP or
TCP transport. Otherwise the call to lock the mutex will scribble over
whatever structure is actually there. This has been seen to cause hard
system lockups when the underlying transport was RDMA.

Fixes: b49ea673e119 ("SUNRPC: lock against ->sock changing during sysfs read")
Cc: stable@vger.kernel.org
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/sunrpc/xprt.h     |    3 ++
 include/linux/sunrpc/xprtsock.h |    1 
 net/sunrpc/sysfs.c              |   55 +++++++++++++++++++---------------------
 net/sunrpc/xprtsock.c           |   26 +++++++++++++++++-
 4 files changed, 54 insertions(+), 31 deletions(-)

--- a/include/linux/sunrpc/xprt.h
+++ b/include/linux/sunrpc/xprt.h
@@ -139,6 +139,9 @@ struct rpc_xprt_ops {
 	void		(*rpcbind)(struct rpc_task *task);
 	void		(*set_port)(struct rpc_xprt *xprt, unsigned short port);
 	void		(*connect)(struct rpc_xprt *xprt, struct rpc_task *task);
+	int		(*get_srcaddr)(struct rpc_xprt *xprt, char *buf,
+				       size_t buflen);
+	unsigned short	(*get_srcport)(struct rpc_xprt *xprt);
 	int		(*buf_alloc)(struct rpc_task *task);
 	void		(*buf_free)(struct rpc_task *task);
 	void		(*prepare_request)(struct rpc_rqst *req);
--- a/include/linux/sunrpc/xprtsock.h
+++ b/include/linux/sunrpc/xprtsock.h
@@ -10,7 +10,6 @@
 
 int		init_socket_xprt(void);
 void		cleanup_socket_xprt(void);
-unsigned short	get_srcport(struct rpc_xprt *);
 
 #define RPC_MIN_RESVPORT	(1U)
 #define RPC_MAX_RESVPORT	(65535U)
--- a/net/sunrpc/sysfs.c
+++ b/net/sunrpc/sysfs.c
@@ -97,7 +97,7 @@ static ssize_t rpc_sysfs_xprt_dstaddr_sh
 		return 0;
 	ret = sprintf(buf, "%s\n", xprt->address_strings[RPC_DISPLAY_ADDR]);
 	xprt_put(xprt);
-	return ret + 1;
+	return ret;
 }
 
 static ssize_t rpc_sysfs_xprt_srcaddr_show(struct kobject *kobj,
@@ -105,33 +105,31 @@ static ssize_t rpc_sysfs_xprt_srcaddr_sh
 					   char *buf)
 {
 	struct rpc_xprt *xprt = rpc_sysfs_xprt_kobj_get_xprt(kobj);
-	struct sockaddr_storage saddr;
-	struct sock_xprt *sock;
-	ssize_t ret = -1;
+	size_t buflen = PAGE_SIZE;
+	ssize_t ret = -ENOTSOCK;
 
 	if (!xprt || !xprt_connected(xprt)) {
-		xprt_put(xprt);
-		return -ENOTCONN;
+		ret = -ENOTCONN;
+	} else if (xprt->ops->get_srcaddr) {
+		ret = xprt->ops->get_srcaddr(xprt, buf, buflen);
+		if (ret > 0) {
+			if (ret < buflen - 1) {
+				buf[ret] = '\n';
+				ret++;
+				buf[ret] = '\0';
+			}
+		}
 	}
-
-	sock = container_of(xprt, struct sock_xprt, xprt);
-	mutex_lock(&sock->recv_mutex);
-	if (sock->sock == NULL ||
-	    kernel_getsockname(sock->sock, (struct sockaddr *)&saddr) < 0)
-		goto out;
-
-	ret = sprintf(buf, "%pISc\n", &saddr);
-out:
-	mutex_unlock(&sock->recv_mutex);
 	xprt_put(xprt);
-	return ret + 1;
+	return ret;
 }
 
 static ssize_t rpc_sysfs_xprt_info_show(struct kobject *kobj,
-					struct kobj_attribute *attr,
-					char *buf)
+					struct kobj_attribute *attr, char *buf)
 {
 	struct rpc_xprt *xprt = rpc_sysfs_xprt_kobj_get_xprt(kobj);
+	unsigned short srcport = 0;
+	size_t buflen = PAGE_SIZE;
 	ssize_t ret;
 
 	if (!xprt || !xprt_connected(xprt)) {
@@ -139,7 +137,11 @@ static ssize_t rpc_sysfs_xprt_info_show(
 		return -ENOTCONN;
 	}
 
-	ret = sprintf(buf, "last_used=%lu\ncur_cong=%lu\ncong_win=%lu\n"
+	if (xprt->ops->get_srcport)
+		srcport = xprt->ops->get_srcport(xprt);
+
+	ret = snprintf(buf, buflen,
+		       "last_used=%lu\ncur_cong=%lu\ncong_win=%lu\n"
 		       "max_num_slots=%u\nmin_num_slots=%u\nnum_reqs=%u\n"
 		       "binding_q_len=%u\nsending_q_len=%u\npending_q_len=%u\n"
 		       "backlog_q_len=%u\nmain_xprt=%d\nsrc_port=%u\n"
@@ -147,14 +149,11 @@ static ssize_t rpc_sysfs_xprt_info_show(
 		       xprt->last_used, xprt->cong, xprt->cwnd, xprt->max_reqs,
 		       xprt->min_reqs, xprt->num_reqs, xprt->binding.qlen,
 		       xprt->sending.qlen, xprt->pending.qlen,
-		       xprt->backlog.qlen, xprt->main,
-		       (xprt->xprt_class->ident == XPRT_TRANSPORT_TCP) ?
-		       get_srcport(xprt) : 0,
+		       xprt->backlog.qlen, xprt->main, srcport,
 		       atomic_long_read(&xprt->queuelen),
-		       (xprt->xprt_class->ident == XPRT_TRANSPORT_TCP) ?
-				xprt->address_strings[RPC_DISPLAY_PORT] : "0");
+		       xprt->address_strings[RPC_DISPLAY_PORT]);
 	xprt_put(xprt);
-	return ret + 1;
+	return ret;
 }
 
 static ssize_t rpc_sysfs_xprt_state_show(struct kobject *kobj,
@@ -201,7 +200,7 @@ static ssize_t rpc_sysfs_xprt_state_show
 	}
 
 	xprt_put(xprt);
-	return ret + 1;
+	return ret;
 }
 
 static ssize_t rpc_sysfs_xprt_switch_info_show(struct kobject *kobj,
@@ -220,7 +219,7 @@ static ssize_t rpc_sysfs_xprt_switch_inf
 		      xprt_switch->xps_nunique_destaddr_xprts,
 		      atomic_long_read(&xprt_switch->xps_queuelen));
 	xprt_switch_put(xprt_switch);
-	return ret + 1;
+	return ret;
 }
 
 static ssize_t rpc_sysfs_xprt_dstaddr_store(struct kobject *kobj,
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -1638,7 +1638,7 @@ static int xs_get_srcport(struct sock_xp
 	return port;
 }
 
-unsigned short get_srcport(struct rpc_xprt *xprt)
+static unsigned short xs_sock_srcport(struct rpc_xprt *xprt)
 {
 	struct sock_xprt *sock = container_of(xprt, struct sock_xprt, xprt);
 	unsigned short ret = 0;
@@ -1648,7 +1648,25 @@ unsigned short get_srcport(struct rpc_xp
 	mutex_unlock(&sock->recv_mutex);
 	return ret;
 }
-EXPORT_SYMBOL(get_srcport);
+
+static int xs_sock_srcaddr(struct rpc_xprt *xprt, char *buf, size_t buflen)
+{
+	struct sock_xprt *sock = container_of(xprt, struct sock_xprt, xprt);
+	union {
+		struct sockaddr sa;
+		struct sockaddr_storage st;
+	} saddr;
+	int ret = -ENOTCONN;
+
+	mutex_lock(&sock->recv_mutex);
+	if (sock->sock) {
+		ret = kernel_getsockname(sock->sock, &saddr.sa);
+		if (ret >= 0)
+			ret = snprintf(buf, buflen, "%pISc", &saddr.sa);
+	}
+	mutex_unlock(&sock->recv_mutex);
+	return ret;
+}
 
 static unsigned short xs_next_srcport(struct sock_xprt *transport, unsigned short port)
 {
@@ -2621,6 +2639,8 @@ static const struct rpc_xprt_ops xs_udp_
 	.rpcbind		= rpcb_getport_async,
 	.set_port		= xs_set_port,
 	.connect		= xs_connect,
+	.get_srcaddr		= xs_sock_srcaddr,
+	.get_srcport		= xs_sock_srcport,
 	.buf_alloc		= rpc_malloc,
 	.buf_free		= rpc_free,
 	.send_request		= xs_udp_send_request,
@@ -2643,6 +2663,8 @@ static const struct rpc_xprt_ops xs_tcp_
 	.rpcbind		= rpcb_getport_async,
 	.set_port		= xs_set_port,
 	.connect		= xs_connect,
+	.get_srcaddr		= xs_sock_srcaddr,
+	.get_srcport		= xs_sock_srcport,
 	.buf_alloc		= rpc_malloc,
 	.buf_free		= rpc_free,
 	.prepare_request	= xs_stream_prepare_request,



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0056/1126] NFS: NFSv2/v3 clients should never be setting NFS_CAP_XATTR
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0055/1126] SUNRPC: Do not dereference non-socket transports in sysfs Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0057/1126] NFSD: prevent underflow in nfssvc_decode_writeargs() Greg Kroah-Hartman
                   ` (933 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Olga Kornievskaia, Trond Myklebust

From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit b622ffe1d9ecbac71f0cddb52ff0831efdf8fb83 upstream.

Ensure that we always initialise the 'xattr_support' field in struct
nfs_fsinfo, so that nfs_server_set_fsinfo() doesn't declare our NFSv2/v3
client to be capable of supporting the NFSv4.2 xattr protocol by setting
the NFS_CAP_XATTR capability.

This configuration can cause nfs_do_access() to set access mode bits
that are unsupported by the NFSv3 ACCESS call, which may confuse
spec-compliant servers.

Reported-by: Olga Kornievskaia <kolga@netapp.com>
Fixes: b78ef845c35d ("NFSv4.2: query the server for extended attribute support")
Cc: stable@vger.kernel.org
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfs/nfs3xdr.c |    1 +
 fs/nfs/proc.c    |    1 +
 2 files changed, 2 insertions(+)

--- a/fs/nfs/nfs3xdr.c
+++ b/fs/nfs/nfs3xdr.c
@@ -2228,6 +2228,7 @@ static int decode_fsinfo3resok(struct xd
 	/* ignore properties */
 	result->lease_time = 0;
 	result->change_attr_type = NFS4_CHANGE_TYPE_IS_UNDEFINED;
+	result->xattr_support = 0;
 	return 0;
 }
 
--- a/fs/nfs/proc.c
+++ b/fs/nfs/proc.c
@@ -92,6 +92,7 @@ nfs_proc_get_root(struct nfs_server *ser
 	info->maxfilesize = 0x7FFFFFFF;
 	info->lease_time = 0;
 	info->change_attr_type = NFS4_CHANGE_TYPE_IS_UNDEFINED;
+	info->xattr_support = 0;
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0057/1126] NFSD: prevent underflow in nfssvc_decode_writeargs()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0056/1126] NFS: NFSv2/v3 clients should never be setting NFS_CAP_XATTR Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0058/1126] NFSD: prevent integer overflow on 32 bit systems Greg Kroah-Hartman
                   ` (932 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Chuck Lever

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 184416d4b98509fb4c3d8fc3d6dc1437896cc159 upstream.

Smatch complains:

	fs/nfsd/nfsxdr.c:341 nfssvc_decode_writeargs()
	warn: no lower bound on 'args->len'

Change the type to unsigned to prevent this issue.

Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfsd/nfsproc.c |    2 +-
 fs/nfsd/xdr.h     |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/fs/nfsd/nfsproc.c
+++ b/fs/nfsd/nfsproc.c
@@ -230,7 +230,7 @@ nfsd_proc_write(struct svc_rqst *rqstp)
 	unsigned long cnt = argp->len;
 	unsigned int nvecs;
 
-	dprintk("nfsd: WRITE    %s %d bytes at %d\n",
+	dprintk("nfsd: WRITE    %s %u bytes at %d\n",
 		SVCFH_fmt(&argp->fh),
 		argp->len, argp->offset);
 
--- a/fs/nfsd/xdr.h
+++ b/fs/nfsd/xdr.h
@@ -32,7 +32,7 @@ struct nfsd_readargs {
 struct nfsd_writeargs {
 	svc_fh			fh;
 	__u32			offset;
-	int			len;
+	__u32			len;
 	struct xdr_buf		payload;
 };
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0058/1126] NFSD: prevent integer overflow on 32 bit systems
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0057/1126] NFSD: prevent underflow in nfssvc_decode_writeargs() Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0059/1126] f2fs: fix to unlock page correctly in error path of is_alive() Greg Kroah-Hartman
                   ` (931 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Chuck Lever

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 23a9dbbe0faf124fc4c139615633b9d12a3a89ef upstream.

On a 32 bit system, the "len * sizeof(*p)" operation can have an
integer overflow.

Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/sunrpc/xdr.h |    2 ++
 1 file changed, 2 insertions(+)

--- a/include/linux/sunrpc/xdr.h
+++ b/include/linux/sunrpc/xdr.h
@@ -731,6 +731,8 @@ xdr_stream_decode_uint32_array(struct xd
 
 	if (unlikely(xdr_stream_decode_u32(xdr, &len) < 0))
 		return -EBADMSG;
+	if (len > SIZE_MAX / sizeof(*p))
+		return -EBADMSG;
 	p = xdr_inline_decode(xdr, len * sizeof(*p));
 	if (unlikely(!p))
 		return -EBADMSG;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0059/1126] f2fs: fix to unlock page correctly in error path of is_alive()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0058/1126] NFSD: prevent integer overflow on 32 bit systems Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0060/1126] f2fs: quota: fix loop condition at f2fs_quota_sync() Greg Kroah-Hartman
                   ` (930 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Machek, Chao Yu, Jaegeuk Kim

From: Chao Yu <chao@kernel.org>

commit 6d18762ed5cd549fde74fd0e05d4d87bac5a3beb upstream.

As Pavel Machek reported in below link [1]:

After commit 77900c45ee5c ("f2fs: fix to do sanity check in is_alive()"),
node page should be unlock via calling f2fs_put_page() in the error path
of is_alive(), otherwise, f2fs may hang when it tries to lock the node
page, fix it.

[1] https://lore.kernel.org/stable/20220124203637.GA19321@duo.ucw.cz/

Fixes: 77900c45ee5c ("f2fs: fix to do sanity check in is_alive()")
Cc: <stable@vger.kernel.org>
Reported-by: Pavel Machek <pavel@denx.de>
Signed-off-by: Pavel Machek <pavel@denx.de>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/gc.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -1038,8 +1038,10 @@ static bool is_alive(struct f2fs_sb_info
 		set_sbi_flag(sbi, SBI_NEED_FSCK);
 	}
 
-	if (f2fs_check_nid_range(sbi, dni->ino))
+	if (f2fs_check_nid_range(sbi, dni->ino)) {
+		f2fs_put_page(node_page, 1);
 		return false;
+	}
 
 	*nofs = ofs_of_node(node_page);
 	source_blkaddr = data_blkaddr(NULL, node_page, ofs_in_node);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0060/1126] f2fs: quota: fix loop condition at f2fs_quota_sync()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0059/1126] f2fs: fix to unlock page correctly in error path of is_alive() Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0061/1126] f2fs: fix to do sanity check on .cp_pack_total_block_count Greg Kroah-Hartman
                   ` (929 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Juhyung Park, Chao Yu, Jaegeuk Kim

From: Juhyung Park <qkrwngud825@gmail.com>

commit 680af5b824a52faa819167628665804a14f0e0df upstream.

cnt should be passed to sb_has_quota_active() instead of type to check
active quota properly.

Moreover, when the type is -1, the compiler with enough inline knowledge
can discard sb_has_quota_active() check altogether, causing a NULL pointer
dereference at the following inode_lock(dqopt->files[cnt]):

[    2.796010] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0
[    2.796024] Mem abort info:
[    2.796025]   ESR = 0x96000005
[    2.796028]   EC = 0x25: DABT (current EL), IL = 32 bits
[    2.796029]   SET = 0, FnV = 0
[    2.796031]   EA = 0, S1PTW = 0
[    2.796032] Data abort info:
[    2.796034]   ISV = 0, ISS = 0x00000005
[    2.796035]   CM = 0, WnR = 0
[    2.796046] user pgtable: 4k pages, 39-bit VAs, pgdp=00000003370d1000
[    2.796048] [00000000000000a0] pgd=0000000000000000, pud=0000000000000000
[    2.796051] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[    2.796056] CPU: 7 PID: 640 Comm: f2fs_ckpt-259:7 Tainted: G S                5.4.179-arter97-r8-64666-g2f16e087f9d8 #1
[    2.796057] Hardware name: Qualcomm Technologies, Inc. Lahaina MTP lemonadep (DT)
[    2.796059] pstate: 80c00005 (Nzcv daif +PAN +UAO)
[    2.796065] pc : down_write+0x28/0x70
[    2.796070] lr : f2fs_quota_sync+0x100/0x294
[    2.796071] sp : ffffffa3f48ffc30
[    2.796073] x29: ffffffa3f48ffc30 x28: 0000000000000000
[    2.796075] x27: ffffffa3f6d718b8 x26: ffffffa415fe9d80
[    2.796077] x25: ffffffa3f7290048 x24: 0000000000000001
[    2.796078] x23: 0000000000000000 x22: ffffffa3f7290000
[    2.796080] x21: ffffffa3f72904a0 x20: ffffffa3f7290110
[    2.796081] x19: ffffffa3f77a9800 x18: ffffffc020aae038
[    2.796083] x17: ffffffa40e38e040 x16: ffffffa40e38e6d0
[    2.796085] x15: ffffffa40e38e6cc x14: ffffffa40e38e6d0
[    2.796086] x13: 00000000000004f6 x12: 00162c44ff493000
[    2.796088] x11: 0000000000000400 x10: ffffffa40e38c948
[    2.796090] x9 : 0000000000000000 x8 : 00000000000000a0
[    2.796091] x7 : 0000000000000000 x6 : 0000d1060f00002a
[    2.796093] x5 : ffffffa3f48ff718 x4 : 000000000000000d
[    2.796094] x3 : 00000000060c0000 x2 : 0000000000000001
[    2.796096] x1 : 0000000000000000 x0 : 00000000000000a0
[    2.796098] Call trace:
[    2.796100]  down_write+0x28/0x70
[    2.796102]  f2fs_quota_sync+0x100/0x294
[    2.796104]  block_operations+0x120/0x204
[    2.796106]  f2fs_write_checkpoint+0x11c/0x520
[    2.796107]  __checkpoint_and_complete_reqs+0x7c/0xd34
[    2.796109]  issue_checkpoint_thread+0x6c/0xb8
[    2.796112]  kthread+0x138/0x414
[    2.796114]  ret_from_fork+0x10/0x18
[    2.796117] Code: aa0803e0 aa1f03e1 52800022 aa0103e9 (c8e97d02)
[    2.796120] ---[ end trace 96e942e8eb6a0b53 ]---
[    2.800116] Kernel panic - not syncing: Fatal exception
[    2.800120] SMP: stopping secondary CPUs

Fixes: 9de71ede81e6 ("f2fs: quota: fix potential deadlock")
Cc: <stable@vger.kernel.org> # v5.15+
Signed-off-by: Juhyung Park <qkrwngud825@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/super.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2688,7 +2688,7 @@ int f2fs_quota_sync(struct super_block *
 	struct f2fs_sb_info *sbi = F2FS_SB(sb);
 	struct quota_info *dqopt = sb_dqopt(sb);
 	int cnt;
-	int ret;
+	int ret = 0;
 
 	/*
 	 * Now when everything is written we can discard the pagecache so
@@ -2699,8 +2699,8 @@ int f2fs_quota_sync(struct super_block *
 		if (type != -1 && cnt != type)
 			continue;
 
-		if (!sb_has_quota_active(sb, type))
-			return 0;
+		if (!sb_has_quota_active(sb, cnt))
+			continue;
 
 		inode_lock(dqopt->files[cnt]);
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0061/1126] f2fs: fix to do sanity check on .cp_pack_total_block_count
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0060/1126] f2fs: quota: fix loop condition at f2fs_quota_sync() Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0062/1126] remoteproc: Fix count check in rproc_coredump_write() Greg Kroah-Hartman
                   ` (928 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chao Yu, Jaegeuk Kim

From: Chao Yu <chao@kernel.org>

commit 5b5b4f85b01604389f7a0f11ef180a725bf0e2d4 upstream.

As bughunter reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=215709

f2fs may hang when mounting a fuzzed image, the dmesg shows as below:

__filemap_get_folio+0x3a9/0x590
pagecache_get_page+0x18/0x60
__get_meta_page+0x95/0x460 [f2fs]
get_checkpoint_version+0x2a/0x1e0 [f2fs]
validate_checkpoint+0x8e/0x2a0 [f2fs]
f2fs_get_valid_checkpoint+0xd0/0x620 [f2fs]
f2fs_fill_super+0xc01/0x1d40 [f2fs]
mount_bdev+0x18a/0x1c0
f2fs_mount+0x15/0x20 [f2fs]
legacy_get_tree+0x28/0x50
vfs_get_tree+0x27/0xc0
path_mount+0x480/0xaa0
do_mount+0x7c/0xa0
__x64_sys_mount+0x8b/0xe0
do_syscall_64+0x38/0xc0
entry_SYSCALL_64_after_hwframe+0x44/0xae

The root cause is cp_pack_total_block_count field in checkpoint was fuzzed
to one, as calcuated, two cp pack block locates in the same block address,
so then read latter cp pack block, it will block on the page lock due to
the lock has already held when reading previous cp pack block, fix it by
adding sanity check for cp_pack_total_block_count.

Cc: stable@vger.kernel.org
Signed-off-by: Chao Yu <chao.yu@oppo.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/checkpoint.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/fs/f2fs/checkpoint.c
+++ b/fs/f2fs/checkpoint.c
@@ -864,6 +864,7 @@ static struct page *validate_checkpoint(
 	struct page *cp_page_1 = NULL, *cp_page_2 = NULL;
 	struct f2fs_checkpoint *cp_block = NULL;
 	unsigned long long cur_version = 0, pre_version = 0;
+	unsigned int cp_blocks;
 	int err;
 
 	err = get_checkpoint_version(sbi, cp_addr, &cp_block,
@@ -871,15 +872,16 @@ static struct page *validate_checkpoint(
 	if (err)
 		return NULL;
 
-	if (le32_to_cpu(cp_block->cp_pack_total_block_count) >
-					sbi->blocks_per_seg) {
+	cp_blocks = le32_to_cpu(cp_block->cp_pack_total_block_count);
+
+	if (cp_blocks > sbi->blocks_per_seg || cp_blocks <= F2FS_CP_PACKS) {
 		f2fs_warn(sbi, "invalid cp_pack_total_block_count:%u",
 			  le32_to_cpu(cp_block->cp_pack_total_block_count));
 		goto invalid_cp;
 	}
 	pre_version = *version;
 
-	cp_addr += le32_to_cpu(cp_block->cp_pack_total_block_count) - 1;
+	cp_addr += cp_blocks - 1;
 	err = get_checkpoint_version(sbi, cp_addr, &cp_block,
 					&cp_page_2, version);
 	if (err)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0062/1126] remoteproc: Fix count check in rproc_coredump_write()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0061/1126] f2fs: fix to do sanity check on .cp_pack_total_block_count Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0063/1126] mm/mlock: fix two bugs in user_shm_lock() Greg Kroah-Hartman
                   ` (927 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alistair Delva, Rishabh Bhatnagar,
	Ohad Ben-Cohen, Bjorn Andersson, Mathieu Poirier, Sibi Sankar,
	linux-remoteproc, kernel-team

From: Alistair Delva <adelva@google.com>

commit f89672cc3681952f2d06314981a6b45f8b0045d1 upstream.

Check count for 0, to avoid a potential underflow. Make the check the
same as the one in rproc_recovery_write().

Fixes: 3afdc59e4390 ("remoteproc: Add coredump debugfs entry")
Signed-off-by: Alistair Delva <adelva@google.com>
Cc: Rishabh Bhatnagar <rishabhb@codeaurora.org>
Cc: stable@vger.kernel.org
Cc: Ohad Ben-Cohen <ohad@wizery.com>
Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: Sibi Sankar <sibis@codeaurora.org>
Cc: linux-remoteproc@vger.kernel.org
Cc: kernel-team@android.com
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20220119232139.1125908-1-adelva@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/remoteproc/remoteproc_debugfs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/remoteproc/remoteproc_debugfs.c
+++ b/drivers/remoteproc/remoteproc_debugfs.c
@@ -76,7 +76,7 @@ static ssize_t rproc_coredump_write(stru
 	int ret, err = 0;
 	char buf[20];
 
-	if (count > sizeof(buf))
+	if (count < 1 || count > sizeof(buf))
 		return -EINVAL;
 
 	ret = copy_from_user(buf, user_buf, count);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0063/1126] mm/mlock: fix two bugs in user_shm_lock()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0062/1126] remoteproc: Fix count check in rproc_coredump_write() Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0064/1126] pinctrl: ingenic: Fix regmap on X series SoCs Greg Kroah-Hartman
                   ` (926 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miaohe Lin, Eric W. Biederman

From: Miaohe Lin <linmiaohe@huawei.com>

commit e97824ff663ce3509fe040431c713182c2f058b1 upstream.

user_shm_lock forgets to set allowed to 0 when get_ucounts fails. So the
later user_shm_unlock might do the extra dec_rlimit_ucounts. Also in the
RLIM_INFINITY case, user_shm_lock will success regardless of the value of
memlock where memblock == LONG_MAX && !capable(CAP_IPC_LOCK) should fail.
Fix all of these by changing the code to leave lock_limit at ULONG_MAX aka
RLIM_INFINITY, leave "allowed" initialized to 0 and remove the special case
of RLIM_INFINITY as nothing can be greater than ULONG_MAX.

Credit goes to Eric W. Biederman for proposing simplifying the code and
thus catching the later bug.

Fixes: d7c9e99aee48 ("Reimplement RLIMIT_MEMLOCK on top of ucounts")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Cc: stable@vger.kernel.org
v1: https://lkml.kernel.org/r/20220310132417.41189-1-linmiaohe@huawei.com
v2: https://lkml.kernel.org/r/20220314064039.62972-1-linmiaohe@huawei.com
Link: https://lkml.kernel.org/r/20220322080918.59861-1-linmiaohe@huawei.com
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/mlock.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -827,13 +827,12 @@ int user_shm_lock(size_t size, struct uc
 
 	locked = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
 	lock_limit = rlimit(RLIMIT_MEMLOCK);
-	if (lock_limit == RLIM_INFINITY)
-		allowed = 1;
-	lock_limit >>= PAGE_SHIFT;
+	if (lock_limit != RLIM_INFINITY)
+		lock_limit >>= PAGE_SHIFT;
 	spin_lock(&shmlock_user_lock);
 	memlock = inc_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked);
 
-	if (!allowed && (memlock == LONG_MAX || memlock > lock_limit) && !capable(CAP_IPC_LOCK)) {
+	if ((memlock == LONG_MAX || memlock > lock_limit) && !capable(CAP_IPC_LOCK)) {
 		dec_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked);
 		goto out;
 	}



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0064/1126] pinctrl: ingenic: Fix regmap on X series SoCs
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0063/1126] mm/mlock: fix two bugs in user_shm_lock() Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0065/1126] pinctrl: samsung: drop pin banks references on error paths Greg Kroah-Hartman
                   ` (925 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aidan MacDonald, Paul Cercueil,
	Linus Walleij

From: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>

commit 9279c00fa40250e5cb23a8423dce7dbc6516a0ea upstream.

The X series Ingenic SoCs have a shadow GPIO group which is at a higher
offset than the other groups, and is used for all GPIO configuration.
The regmap did not take this offset into account and set max_register
too low, so the regmap API blocked writes to the shadow group, which
made the pinctrl driver unable to configure any pins.

Fix this by adding regmap access tables to the chip info. The way that
max_register was computed was also off by one, since max_register is an
inclusive bound, not an exclusive bound; this has been fixed.

Cc: stable@vger.kernel.org
Signed-off-by: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
Fixes: 6626a76ef857 ("pinctrl: ingenic: Add .max_register in  regmap_config")
Reviewed-by: Paul Cercueil <paul@crapouillou.net>
Link: https://lore.kernel.org/r/20220317000740.1045204-1-aidanmacdonald.0x0@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pinctrl/pinctrl-ingenic.c |   46 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)

--- a/drivers/pinctrl/pinctrl-ingenic.c
+++ b/drivers/pinctrl/pinctrl-ingenic.c
@@ -119,6 +119,8 @@ struct ingenic_chip_info {
 	unsigned int num_functions;
 
 	const u32 *pull_ups, *pull_downs;
+
+	const struct regmap_access_table *access_table;
 };
 
 struct ingenic_pinctrl {
@@ -2179,6 +2181,17 @@ static const struct function_desc x1000_
 	{ "mac", x1000_mac_groups, ARRAY_SIZE(x1000_mac_groups), },
 };
 
+static const struct regmap_range x1000_access_ranges[] = {
+	regmap_reg_range(0x000, 0x400 - 4),
+	regmap_reg_range(0x700, 0x800 - 4),
+};
+
+/* shared with X1500 */
+static const struct regmap_access_table x1000_access_table = {
+	.yes_ranges = x1000_access_ranges,
+	.n_yes_ranges = ARRAY_SIZE(x1000_access_ranges),
+};
+
 static const struct ingenic_chip_info x1000_chip_info = {
 	.num_chips = 4,
 	.reg_offset = 0x100,
@@ -2189,6 +2202,7 @@ static const struct ingenic_chip_info x1
 	.num_functions = ARRAY_SIZE(x1000_functions),
 	.pull_ups = x1000_pull_ups,
 	.pull_downs = x1000_pull_downs,
+	.access_table = &x1000_access_table,
 };
 
 static int x1500_uart0_data_pins[] = { 0x4a, 0x4b, };
@@ -2300,6 +2314,7 @@ static const struct ingenic_chip_info x1
 	.num_functions = ARRAY_SIZE(x1500_functions),
 	.pull_ups = x1000_pull_ups,
 	.pull_downs = x1000_pull_downs,
+	.access_table = &x1000_access_table,
 };
 
 static const u32 x1830_pull_ups[4] = {
@@ -2506,6 +2521,16 @@ static const struct function_desc x1830_
 	{ "mac", x1830_mac_groups, ARRAY_SIZE(x1830_mac_groups), },
 };
 
+static const struct regmap_range x1830_access_ranges[] = {
+	regmap_reg_range(0x0000, 0x4000 - 4),
+	regmap_reg_range(0x7000, 0x8000 - 4),
+};
+
+static const struct regmap_access_table x1830_access_table = {
+	.yes_ranges = x1830_access_ranges,
+	.n_yes_ranges = ARRAY_SIZE(x1830_access_ranges),
+};
+
 static const struct ingenic_chip_info x1830_chip_info = {
 	.num_chips = 4,
 	.reg_offset = 0x1000,
@@ -2516,6 +2541,7 @@ static const struct ingenic_chip_info x1
 	.num_functions = ARRAY_SIZE(x1830_functions),
 	.pull_ups = x1830_pull_ups,
 	.pull_downs = x1830_pull_downs,
+	.access_table = &x1830_access_table,
 };
 
 static const u32 x2000_pull_ups[5] = {
@@ -2969,6 +2995,17 @@ static const struct function_desc x2000_
 	{ "otg", x2000_otg_groups, ARRAY_SIZE(x2000_otg_groups), },
 };
 
+static const struct regmap_range x2000_access_ranges[] = {
+	regmap_reg_range(0x000, 0x500 - 4),
+	regmap_reg_range(0x700, 0x800 - 4),
+};
+
+/* shared with X2100 */
+static const struct regmap_access_table x2000_access_table = {
+	.yes_ranges = x2000_access_ranges,
+	.n_yes_ranges = ARRAY_SIZE(x2000_access_ranges),
+};
+
 static const struct ingenic_chip_info x2000_chip_info = {
 	.num_chips = 5,
 	.reg_offset = 0x100,
@@ -2979,6 +3016,7 @@ static const struct ingenic_chip_info x2
 	.num_functions = ARRAY_SIZE(x2000_functions),
 	.pull_ups = x2000_pull_ups,
 	.pull_downs = x2000_pull_downs,
+	.access_table = &x2000_access_table,
 };
 
 static const u32 x2100_pull_ups[5] = {
@@ -3189,6 +3227,7 @@ static const struct ingenic_chip_info x2
 	.num_functions = ARRAY_SIZE(x2100_functions),
 	.pull_ups = x2100_pull_ups,
 	.pull_downs = x2100_pull_downs,
+	.access_table = &x2000_access_table,
 };
 
 static u32 ingenic_gpio_read_reg(struct ingenic_gpio_chip *jzgc, u8 reg)
@@ -4168,7 +4207,12 @@ static int __init ingenic_pinctrl_probe(
 		return PTR_ERR(base);
 
 	regmap_config = ingenic_pinctrl_regmap_config;
-	regmap_config.max_register = chip_info->num_chips * chip_info->reg_offset;
+	if (chip_info->access_table) {
+		regmap_config.rd_table = chip_info->access_table;
+		regmap_config.wr_table = chip_info->access_table;
+	} else {
+		regmap_config.max_register = chip_info->num_chips * chip_info->reg_offset - 4;
+	}
 
 	jzpc->map = devm_regmap_init_mmio(dev, base, &regmap_config);
 	if (IS_ERR(jzpc->map)) {



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0065/1126] pinctrl: samsung: drop pin banks references on error paths
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0064/1126] pinctrl: ingenic: Fix regmap on X series SoCs Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0066/1126] net: bnxt_ptp: fix compilation error Greg Kroah-Hartman
                   ` (924 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Sam Protsenko,
	Chanho Park

From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

commit 50ebd19e3585b9792e994cfa8cbee8947fe06371 upstream.

The driver iterates over its devicetree children with
for_each_child_of_node() and stores for later found node pointer.  This
has to be put in error paths to avoid leak during re-probing.

Fixes: ab663789d697 ("pinctrl: samsung: Match pin banks with their device nodes")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
Reviewed-by: Chanho Park <chanho61.park@samsung.com>
Link: https://lore.kernel.org/r/20220111201426.326777-2-krzysztof.kozlowski@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pinctrl/samsung/pinctrl-samsung.c |   30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

--- a/drivers/pinctrl/samsung/pinctrl-samsung.c
+++ b/drivers/pinctrl/samsung/pinctrl-samsung.c
@@ -1002,6 +1002,16 @@ samsung_pinctrl_get_soc_data_for_of_alia
 	return &(of_data->ctrl[id]);
 }
 
+static void samsung_banks_of_node_put(struct samsung_pinctrl_drv_data *d)
+{
+	struct samsung_pin_bank *bank;
+	unsigned int i;
+
+	bank = d->pin_banks;
+	for (i = 0; i < d->nr_banks; ++i, ++bank)
+		of_node_put(bank->of_node);
+}
+
 /* retrieve the soc specific data */
 static const struct samsung_pin_ctrl *
 samsung_pinctrl_get_soc_data(struct samsung_pinctrl_drv_data *d,
@@ -1117,19 +1127,19 @@ static int samsung_pinctrl_probe(struct
 	if (ctrl->retention_data) {
 		drvdata->retention_ctrl = ctrl->retention_data->init(drvdata,
 							  ctrl->retention_data);
-		if (IS_ERR(drvdata->retention_ctrl))
-			return PTR_ERR(drvdata->retention_ctrl);
+		if (IS_ERR(drvdata->retention_ctrl)) {
+			ret = PTR_ERR(drvdata->retention_ctrl);
+			goto err_put_banks;
+		}
 	}
 
 	ret = samsung_pinctrl_register(pdev, drvdata);
 	if (ret)
-		return ret;
+		goto err_put_banks;
 
 	ret = samsung_gpiolib_register(pdev, drvdata);
-	if (ret) {
-		samsung_pinctrl_unregister(pdev, drvdata);
-		return ret;
-	}
+	if (ret)
+		goto err_unregister;
 
 	if (ctrl->eint_gpio_init)
 		ctrl->eint_gpio_init(drvdata);
@@ -1139,6 +1149,12 @@ static int samsung_pinctrl_probe(struct
 	platform_set_drvdata(pdev, drvdata);
 
 	return 0;
+
+err_unregister:
+	samsung_pinctrl_unregister(pdev, drvdata);
+err_put_banks:
+	samsung_banks_of_node_put(drvdata);
+	return ret;
 }
 
 /*



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0066/1126] net: bnxt_ptp: fix compilation error
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0065/1126] pinctrl: samsung: drop pin banks references on error paths Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0067/1126] spi: mxic: Fix the transmit path Greg Kroah-Hartman
                   ` (923 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Damien Le Moal, Michael Chan, Jakub Kicinski

From: Damien Le Moal <damien.lemoal@opensource.wdc.com>

commit dcf500065fabe27676dfe7b4ba521a4f1e0fc8ac upstream.

The Broadcom bnxt_ptp driver does not compile with GCC 11.2.2 when
CONFIG_WERROR is enabled. The following error is generated:

drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c: In function ‘bnxt_ptp_enable’:
drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:400:43: error: array
subscript 255 is above array bounds of ‘struct pps_pin[4]’
[-Werror=array-bounds]
  400 |  ptp->pps_info.pins[pin_id].event = BNXT_PPS_EVENT_EXTERNAL;
      |  ~~~~~~~~~~~~~~~~~~^~~~~~~~
In file included from drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:20:
drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h:75:24: note: while
referencing ‘pins’
   75 |         struct pps_pin pins[BNXT_MAX_TSIO_PINS];
      |                        ^~~~
cc1: all warnings being treated as errors

This is due to the function ptp_find_pin() returning a pin ID of -1 when
a valid pin is not found and this error never being checked.
Change the TSIO_PIN_VALID() function to also check that a pin ID is not
negative and use this macro in bnxt_ptp_enable() to check the result of
the calls to ptp_find_pin() to return an error early for invalid pins.
This fixes the compilation error.

Cc: <stable@vger.kernel.org>
Fixes: 9e518f25802c ("bnxt_en: 1PPS functions to configure TSIO pins")
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Reviewed-by: Michael Chan <michael.chan@broadcom.com>
Link: https://lore.kernel.org/r/20220328062708.207079-1-damien.lemoal@opensource.wdc.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c |    6 +++++-
 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h |    2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c
@@ -329,7 +329,7 @@ static int bnxt_ptp_enable(struct ptp_cl
 	struct bnxt_ptp_cfg *ptp = container_of(ptp_info, struct bnxt_ptp_cfg,
 						ptp_info);
 	struct bnxt *bp = ptp->bp;
-	u8 pin_id;
+	int pin_id;
 	int rc;
 
 	switch (rq->type) {
@@ -337,6 +337,8 @@ static int bnxt_ptp_enable(struct ptp_cl
 		/* Configure an External PPS IN */
 		pin_id = ptp_find_pin(ptp->ptp_clock, PTP_PF_EXTTS,
 				      rq->extts.index);
+		if (!TSIO_PIN_VALID(pin_id))
+			return -EOPNOTSUPP;
 		if (!on)
 			break;
 		rc = bnxt_ptp_cfg_pin(bp, pin_id, BNXT_PPS_PIN_PPS_IN);
@@ -350,6 +352,8 @@ static int bnxt_ptp_enable(struct ptp_cl
 		/* Configure a Periodic PPS OUT */
 		pin_id = ptp_find_pin(ptp->ptp_clock, PTP_PF_PEROUT,
 				      rq->perout.index);
+		if (!TSIO_PIN_VALID(pin_id))
+			return -EOPNOTSUPP;
 		if (!on)
 			break;
 
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h
@@ -31,7 +31,7 @@ struct pps_pin {
 	u8 state;
 };
 
-#define TSIO_PIN_VALID(pin) ((pin) < (BNXT_MAX_TSIO_PINS))
+#define TSIO_PIN_VALID(pin) ((pin) >= 0 && (pin) < (BNXT_MAX_TSIO_PINS))
 
 #define EVENT_DATA2_PPS_EVENT_TYPE(data2)				\
 	((data2) & ASYNC_EVENT_CMPL_PPS_TIMESTAMP_EVENT_DATA2_EVENT_TYPE)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0067/1126] spi: mxic: Fix the transmit path
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0066/1126] net: bnxt_ptp: fix compilation error Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0068/1126] mtd: spi-nor: Skip erase logic when SPI_NOR_NO_ERASE is set Greg Kroah-Hartman
                   ` (922 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mason Yang, Miquel Raynal,
	Zhengxun Li, Mark Brown

From: Miquel Raynal <miquel.raynal@bootlin.com>

commit 5fd6739e0df7e320bcac103dfb95fe75941fea17 upstream.

By working with external hardware ECC engines, we figured out that
Under certain circumstances, it is needed for the SPI controller to
check INT_TX_EMPTY and INT_RX_NOT_EMPTY in both receive and transmit
path (not only in the receive path). The delay penalty being
negligible, move this code in the common path.

Fixes: b942d80b0a39 ("spi: Add MXIC controller driver")
Cc: stable@vger.kernel.org
Suggested-by: Mason Yang <masonccyang@mxic.com.tw>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Zhengxun Li <zhengxunli@mxic.com.tw>
Reviewed-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/linux-mtd/20220127091808.1043392-10-miquel.raynal@bootlin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-mxic.c |   26 +++++++++++---------------
 1 file changed, 11 insertions(+), 15 deletions(-)

--- a/drivers/spi/spi-mxic.c
+++ b/drivers/spi/spi-mxic.c
@@ -304,25 +304,21 @@ static int mxic_spi_data_xfer(struct mxi
 
 		writel(data, mxic->regs + TXD(nbytes % 4));
 
-		if (rxbuf) {
-			ret = readl_poll_timeout(mxic->regs + INT_STS, sts,
-						 sts & INT_TX_EMPTY, 0,
-						 USEC_PER_SEC);
-			if (ret)
-				return ret;
+		ret = readl_poll_timeout(mxic->regs + INT_STS, sts,
+					 sts & INT_TX_EMPTY, 0, USEC_PER_SEC);
+		if (ret)
+			return ret;
 
-			ret = readl_poll_timeout(mxic->regs + INT_STS, sts,
-						 sts & INT_RX_NOT_EMPTY, 0,
-						 USEC_PER_SEC);
-			if (ret)
-				return ret;
+		ret = readl_poll_timeout(mxic->regs + INT_STS, sts,
+					 sts & INT_RX_NOT_EMPTY, 0,
+					 USEC_PER_SEC);
+		if (ret)
+			return ret;
 
-			data = readl(mxic->regs + RXD);
+		data = readl(mxic->regs + RXD);
+		if (rxbuf) {
 			data >>= (8 * (4 - nbytes));
 			memcpy(rxbuf + pos, &data, nbytes);
-			WARN_ON(readl(mxic->regs + INT_STS) & INT_RX_NOT_EMPTY);
-		} else {
-			readl(mxic->regs + RXD);
 		}
 		WARN_ON(readl(mxic->regs + INT_STS) & INT_RX_NOT_EMPTY);
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0068/1126] mtd: spi-nor: Skip erase logic when SPI_NOR_NO_ERASE is set
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0067/1126] spi: mxic: Fix the transmit path Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0069/1126] mtd: rawnand: protect access to rawnand devices while in suspend Greg Kroah-Hartman
                   ` (921 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tudor Ambarus, Michael Walle

From: Tudor Ambarus <tudor.ambarus@microchip.com>

commit 151c6b49d679872d6fc0b50e0ad96303091694a2 upstream.

Even if SPI_NOR_NO_ERASE was set, one could still send erase opcodes
to the flash. It is not recommended to send unsupported opcodes to
flashes. Fix the logic and do not set mtd->_erase when SPI_NOR_NO_ERASE
is specified. With this users will not be able to issue erase opcodes to
flashes and instead they will recive an -ENOTSUPP error.

Fixes: b199489d37b2 ("mtd: spi-nor: add the framework for SPI NOR")
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Reviewed-by: Michael Walle <michael@walle.cc>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220228163334.277730-1-tudor.ambarus@microchip.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/spi-nor/core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/mtd/spi-nor/core.c
+++ b/drivers/mtd/spi-nor/core.c
@@ -3181,10 +3181,11 @@ static void spi_nor_set_mtd_info(struct
 	mtd->flags = MTD_CAP_NORFLASH;
 	if (nor->info->flags & SPI_NOR_NO_ERASE)
 		mtd->flags |= MTD_NO_ERASE;
+	else
+		mtd->_erase = spi_nor_erase;
 	mtd->writesize = nor->params->writesize;
 	mtd->writebufsize = nor->params->page_size;
 	mtd->size = nor->params->size;
-	mtd->_erase = spi_nor_erase;
 	mtd->_read = spi_nor_read;
 	/* Might be already set by some SST flashes. */
 	if (!mtd->_write)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0069/1126] mtd: rawnand: protect access to rawnand devices while in suspend
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0068/1126] mtd: spi-nor: Skip erase logic when SPI_NOR_NO_ERASE is set Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0070/1126] can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path Greg Kroah-Hartman
                   ` (920 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Nyekjaer, Boris Brezillon,
	Miquel Raynal

From: Sean Nyekjaer <sean@geanix.com>

commit 8cba323437a49a45756d661f500b324fc2d486fe upstream.

Prevent rawnand access while in a suspended state.

Commit 013e6292aaf5 ("mtd: rawnand: Simplify the locking") allows the
rawnand layer to return errors rather than waiting in a blocking wait.

Tested on a iMX6ULL.

Fixes: 013e6292aaf5 ("mtd: rawnand: Simplify the locking")
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20220208085213.1838273-1-sean@geanix.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/nand/raw/nand_base.c |   44 +++++++++++++++++----------------------
 include/linux/mtd/rawnand.h      |    2 +
 2 files changed, 22 insertions(+), 24 deletions(-)

--- a/drivers/mtd/nand/raw/nand_base.c
+++ b/drivers/mtd/nand/raw/nand_base.c
@@ -338,16 +338,19 @@ static int nand_isbad_bbm(struct nand_ch
  *
  * Return: -EBUSY if the chip has been suspended, 0 otherwise
  */
-static int nand_get_device(struct nand_chip *chip)
+static void nand_get_device(struct nand_chip *chip)
 {
-	mutex_lock(&chip->lock);
-	if (chip->suspended) {
+	/* Wait until the device is resumed. */
+	while (1) {
+		mutex_lock(&chip->lock);
+		if (!chip->suspended) {
+			mutex_lock(&chip->controller->lock);
+			return;
+		}
 		mutex_unlock(&chip->lock);
-		return -EBUSY;
-	}
-	mutex_lock(&chip->controller->lock);
 
-	return 0;
+		wait_event(chip->resume_wq, !chip->suspended);
+	}
 }
 
 /**
@@ -576,9 +579,7 @@ static int nand_block_markbad_lowlevel(s
 		nand_erase_nand(chip, &einfo, 0);
 
 		/* Write bad block marker to OOB */
-		ret = nand_get_device(chip);
-		if (ret)
-			return ret;
+		nand_get_device(chip);
 
 		ret = nand_markbad_bbm(chip, ofs);
 		nand_release_device(chip);
@@ -3826,9 +3827,7 @@ static int nand_read_oob(struct mtd_info
 	    ops->mode != MTD_OPS_RAW)
 		return -ENOTSUPP;
 
-	ret = nand_get_device(chip);
-	if (ret)
-		return ret;
+	nand_get_device(chip);
 
 	if (!ops->datbuf)
 		ret = nand_do_read_oob(chip, from, ops);
@@ -4415,13 +4414,11 @@ static int nand_write_oob(struct mtd_inf
 			  struct mtd_oob_ops *ops)
 {
 	struct nand_chip *chip = mtd_to_nand(mtd);
-	int ret;
+	int ret = 0;
 
 	ops->retlen = 0;
 
-	ret = nand_get_device(chip);
-	if (ret)
-		return ret;
+	nand_get_device(chip);
 
 	switch (ops->mode) {
 	case MTD_OPS_PLACE_OOB:
@@ -4481,9 +4478,7 @@ int nand_erase_nand(struct nand_chip *ch
 		return -EIO;
 
 	/* Grab the lock and see if the device is available */
-	ret = nand_get_device(chip);
-	if (ret)
-		return ret;
+	nand_get_device(chip);
 
 	/* Shift to get first page */
 	page = (int)(instr->addr >> chip->page_shift);
@@ -4570,7 +4565,7 @@ static void nand_sync(struct mtd_info *m
 	pr_debug("%s: called\n", __func__);
 
 	/* Grab the lock and see if the device is available */
-	WARN_ON(nand_get_device(chip));
+	nand_get_device(chip);
 	/* Release it and go back */
 	nand_release_device(chip);
 }
@@ -4587,9 +4582,7 @@ static int nand_block_isbad(struct mtd_i
 	int ret;
 
 	/* Select the NAND device */
-	ret = nand_get_device(chip);
-	if (ret)
-		return ret;
+	nand_get_device(chip);
 
 	nand_select_target(chip, chipnr);
 
@@ -4660,6 +4653,8 @@ static void nand_resume(struct mtd_info
 			__func__);
 	}
 	mutex_unlock(&chip->lock);
+
+	wake_up_all(&chip->resume_wq);
 }
 
 /**
@@ -5437,6 +5432,7 @@ static int nand_scan_ident(struct nand_c
 	chip->cur_cs = -1;
 
 	mutex_init(&chip->lock);
+	init_waitqueue_head(&chip->resume_wq);
 
 	/* Enforce the right timings for reset/detection */
 	chip->current_interface_config = nand_get_reset_interface_config();
--- a/include/linux/mtd/rawnand.h
+++ b/include/linux/mtd/rawnand.h
@@ -1240,6 +1240,7 @@ struct nand_secure_region {
  * @lock: Lock protecting the suspended field. Also used to serialize accesses
  *        to the NAND device
  * @suspended: Set to 1 when the device is suspended, 0 when it's not
+ * @resume_wq: wait queue to sleep if rawnand is in suspended state.
  * @cur_cs: Currently selected target. -1 means no target selected, otherwise we
  *          should always have cur_cs >= 0 && cur_cs < nanddev_ntargets().
  *          NAND Controller drivers should not modify this value, but they're
@@ -1294,6 +1295,7 @@ struct nand_chip {
 	/* Internals */
 	struct mutex lock;
 	unsigned int suspended : 1;
+	wait_queue_head_t resume_wq;
 	int cur_cs;
 	int read_retries;
 	struct nand_secure_region *secure_regions;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0070/1126] can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0069/1126] mtd: rawnand: protect access to rawnand devices while in suspend Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0071/1126] can: m_can: m_can_tx_handler(): fix use after free of skb Greg Kroah-Hartman
                   ` (919 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sebastian Haas, Hangyu Hua,
	Marc Kleine-Budde

From: Hangyu Hua <hbh25y@gmail.com>

commit c70222752228a62135cee3409dccefd494a24646 upstream.

There is no need to call dev_kfree_skb() when usb_submit_urb() fails
beacause can_put_echo_skb() deletes the original skb and
can_free_echo_skb() deletes the cloned skb.

Link: https://lore.kernel.org/all/20220228083639.38183-1-hbh25y@gmail.com
Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
Cc: stable@vger.kernel.org
Cc: Sebastian Haas <haas@ems-wuensche.com>
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/usb/ems_usb.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -819,7 +819,6 @@ static netdev_tx_t ems_usb_start_xmit(st
 
 		usb_unanchor_urb(urb);
 		usb_free_coherent(dev->udev, size, buf, urb->transfer_dma);
-		dev_kfree_skb(skb);
 
 		atomic_dec(&dev->active_tx_urbs);
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0071/1126] can: m_can: m_can_tx_handler(): fix use after free of skb
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0070/1126] can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0072/1126] can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path Greg Kroah-Hartman
                   ` (918 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hangyu Hua, Marc Kleine-Budde

From: Marc Kleine-Budde <mkl@pengutronix.de>

commit 2e8e79c416aae1de224c0f1860f2e3350fa171f8 upstream.

can_put_echo_skb() will clone skb then free the skb. Move the
can_put_echo_skb() for the m_can version 3.0.x directly before the
start of the xmit in hardware, similar to the 3.1.x branch.

Fixes: 80646733f11c ("can: m_can: update to support CAN FD features")
Link: https://lore.kernel.org/all/20220317081305.739554-1-mkl@pengutronix.de
Cc: stable@vger.kernel.org
Reported-by: Hangyu Hua <hbh25y@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/m_can/m_can.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/net/can/m_can/m_can.c
+++ b/drivers/net/can/m_can/m_can.c
@@ -1637,8 +1637,6 @@ static netdev_tx_t m_can_tx_handler(stru
 		if (err)
 			goto out_fail;
 
-		can_put_echo_skb(skb, dev, 0, 0);
-
 		if (cdev->can.ctrlmode & CAN_CTRLMODE_FD) {
 			cccr = m_can_read(cdev, M_CAN_CCCR);
 			cccr &= ~CCCR_CMR_MASK;
@@ -1655,6 +1653,9 @@ static netdev_tx_t m_can_tx_handler(stru
 			m_can_write(cdev, M_CAN_CCCR, cccr);
 		}
 		m_can_write(cdev, M_CAN_TXBTIE, 0x1);
+
+		can_put_echo_skb(skb, dev, 0, 0);
+
 		m_can_write(cdev, M_CAN_TXBAR, 0x1);
 		/* End of xmit function for version 3.0.x */
 	} else {



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0072/1126] can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0071/1126] can: m_can: m_can_tx_handler(): fix use after free of skb Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0073/1126] jffs2: fix use-after-free in jffs2_clear_xattr_subsystem Greg Kroah-Hartman
                   ` (917 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hangyu Hua, Marc Kleine-Budde

From: Hangyu Hua <hbh25y@gmail.com>

commit 3d3925ff6433f98992685a9679613a2cc97f3ce2 upstream.

There is no need to call dev_kfree_skb() when usb_submit_urb() fails
because can_put_echo_skb() deletes original skb and
can_free_echo_skb() deletes the cloned skb.

Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices")
Link: https://lore.kernel.org/all/20220311080614.45229-1-hbh25y@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/usb/usb_8dev.c |   30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)

--- a/drivers/net/can/usb/usb_8dev.c
+++ b/drivers/net/can/usb/usb_8dev.c
@@ -663,9 +663,20 @@ static netdev_tx_t usb_8dev_start_xmit(s
 	atomic_inc(&priv->active_tx_urbs);
 
 	err = usb_submit_urb(urb, GFP_ATOMIC);
-	if (unlikely(err))
-		goto failed;
-	else if (atomic_read(&priv->active_tx_urbs) >= MAX_TX_URBS)
+	if (unlikely(err)) {
+		can_free_echo_skb(netdev, context->echo_index, NULL);
+
+		usb_unanchor_urb(urb);
+		usb_free_coherent(priv->udev, size, buf, urb->transfer_dma);
+
+		atomic_dec(&priv->active_tx_urbs);
+
+		if (err == -ENODEV)
+			netif_device_detach(netdev);
+		else
+			netdev_warn(netdev, "failed tx_urb %d\n", err);
+		stats->tx_dropped++;
+	} else if (atomic_read(&priv->active_tx_urbs) >= MAX_TX_URBS)
 		/* Slow down tx path */
 		netif_stop_queue(netdev);
 
@@ -684,19 +695,6 @@ nofreecontext:
 
 	return NETDEV_TX_BUSY;
 
-failed:
-	can_free_echo_skb(netdev, context->echo_index, NULL);
-
-	usb_unanchor_urb(urb);
-	usb_free_coherent(priv->udev, size, buf, urb->transfer_dma);
-
-	atomic_dec(&priv->active_tx_urbs);
-
-	if (err == -ENODEV)
-		netif_device_detach(netdev);
-	else
-		netdev_warn(netdev, "failed tx_urb %d\n", err);
-
 nomembuf:
 	usb_free_urb(urb);
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0073/1126] jffs2: fix use-after-free in jffs2_clear_xattr_subsystem
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0072/1126] can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0074/1126] jffs2: fix memory leak in jffs2_do_mount_fs Greg Kroah-Hartman
                   ` (916 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Baokun Li, Richard Weinberger

From: Baokun Li <libaokun1@huawei.com>

commit 4c7c44ee1650677fbe89d86edbad9497b7679b5c upstream.

When we mount a jffs2 image, assume that the first few blocks of
the image are normal and contain at least one xattr-related inode,
but the next block is abnormal. As a result, an error is returned
in jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then
called in jffs2_build_filesystem() and then again in
jffs2_do_fill_super().

Finally we can observe the following report:
 ==================================================================
 BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac
 Read of size 8 at addr ffff8881243384e0 by task mount/719

 Call Trace:
  dump_stack+0x115/0x16b
  jffs2_clear_xattr_subsystem+0x95/0x6ac
  jffs2_do_fill_super+0x84f/0xc30
  jffs2_fill_super+0x2ea/0x4c0
  mtd_get_sb+0x254/0x400
  mtd_get_sb_by_nr+0x4f/0xd0
  get_tree_mtd+0x498/0x840
  jffs2_get_tree+0x25/0x30
  vfs_get_tree+0x8d/0x2e0
  path_mount+0x50f/0x1e50
  do_mount+0x107/0x130
  __se_sys_mount+0x1c5/0x2f0
  __x64_sys_mount+0xc7/0x160
  do_syscall_64+0x45/0x70
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

 Allocated by task 719:
  kasan_save_stack+0x23/0x60
  __kasan_kmalloc.constprop.0+0x10b/0x120
  kasan_slab_alloc+0x12/0x20
  kmem_cache_alloc+0x1c0/0x870
  jffs2_alloc_xattr_ref+0x2f/0xa0
  jffs2_scan_medium.cold+0x3713/0x4794
  jffs2_do_mount_fs.cold+0xa7/0x2253
  jffs2_do_fill_super+0x383/0xc30
  jffs2_fill_super+0x2ea/0x4c0
 [...]

 Freed by task 719:
  kmem_cache_free+0xcc/0x7b0
  jffs2_free_xattr_ref+0x78/0x98
  jffs2_clear_xattr_subsystem+0xa1/0x6ac
  jffs2_do_mount_fs.cold+0x5e6/0x2253
  jffs2_do_fill_super+0x383/0xc30
  jffs2_fill_super+0x2ea/0x4c0
 [...]

 The buggy address belongs to the object at ffff8881243384b8
  which belongs to the cache jffs2_xattr_ref of size 48
 The buggy address is located 40 bytes inside of
  48-byte region [ffff8881243384b8, ffff8881243384e8)
 [...]
 ==================================================================

The triggering of the BUG is shown in the following stack:
-----------------------------------------------------------
jffs2_fill_super
  jffs2_do_fill_super
    jffs2_do_mount_fs
      jffs2_build_filesystem
        jffs2_scan_medium
          jffs2_scan_eraseblock        <--- ERROR
        jffs2_clear_xattr_subsystem    <--- free
    jffs2_clear_xattr_subsystem        <--- free again
-----------------------------------------------------------

An error is returned in jffs2_do_mount_fs(). If the error is returned
by jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to
be executed. If the error is returned by jffs2_build_filesystem(), the
jffs2_clear_xattr_subsystem() also does not need to be executed again.
So move jffs2_clear_xattr_subsystem() from 'out_inohash' to 'out_root'
to fix this UAF problem.

Fixes: aa98d7cf59b5 ("[JFFS2][XATTR] XATTR support on JFFS2 (version. 5)")
Cc: stable@vger.kernel.org
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/jffs2/fs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/jffs2/fs.c
+++ b/fs/jffs2/fs.c
@@ -603,8 +603,8 @@ out_root:
 	jffs2_free_ino_caches(c);
 	jffs2_free_raw_node_refs(c);
 	kvfree(c->blocks);
- out_inohash:
 	jffs2_clear_xattr_subsystem(c);
+ out_inohash:
 	kfree(c->inocache_list);
  out_wbuf:
 	jffs2_flash_cleanup(c);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0074/1126] jffs2: fix memory leak in jffs2_do_mount_fs
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0073/1126] jffs2: fix use-after-free in jffs2_clear_xattr_subsystem Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0075/1126] jffs2: fix memory leak in jffs2_scan_medium Greg Kroah-Hartman
                   ` (915 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Baokun Li, Richard Weinberger

From: Baokun Li <libaokun1@huawei.com>

commit d051cef784de4d54835f6b6836d98a8f6935772c upstream.

If jffs2_build_filesystem() in jffs2_do_mount_fs() returns an error,
we can observe the following kmemleak report:

--------------------------------------------
unreferenced object 0xffff88811b25a640 (size 64):
  comm "mount", pid 691, jiffies 4294957728 (age 71.952s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffffa493be24>] kmem_cache_alloc_trace+0x584/0x880
    [<ffffffffa5423a06>] jffs2_sum_init+0x86/0x130
    [<ffffffffa5400e58>] jffs2_do_mount_fs+0x798/0xac0
    [<ffffffffa540acf3>] jffs2_do_fill_super+0x383/0xc30
    [<ffffffffa540c00a>] jffs2_fill_super+0x2ea/0x4c0
    [...]
unreferenced object 0xffff88812c760000 (size 65536):
  comm "mount", pid 691, jiffies 4294957728 (age 71.952s)
  hex dump (first 32 bytes):
    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
  backtrace:
    [<ffffffffa493a449>] __kmalloc+0x6b9/0x910
    [<ffffffffa5423a57>] jffs2_sum_init+0xd7/0x130
    [<ffffffffa5400e58>] jffs2_do_mount_fs+0x798/0xac0
    [<ffffffffa540acf3>] jffs2_do_fill_super+0x383/0xc30
    [<ffffffffa540c00a>] jffs2_fill_super+0x2ea/0x4c0
    [...]
--------------------------------------------

This is because the resources allocated in jffs2_sum_init() are not
released. Call jffs2_sum_exit() to release these resources to solve
the problem.

Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
Cc: stable@vger.kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/jffs2/build.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/jffs2/build.c
+++ b/fs/jffs2/build.c
@@ -415,13 +415,15 @@ int jffs2_do_mount_fs(struct jffs2_sb_in
 		jffs2_free_ino_caches(c);
 		jffs2_free_raw_node_refs(c);
 		ret = -EIO;
-		goto out_free;
+		goto out_sum_exit;
 	}
 
 	jffs2_calc_trigger_levels(c);
 
 	return 0;
 
+ out_sum_exit:
+	jffs2_sum_exit(c);
  out_free:
 	kvfree(c->blocks);
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0075/1126] jffs2: fix memory leak in jffs2_scan_medium
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0074/1126] jffs2: fix memory leak in jffs2_do_mount_fs Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0076/1126] mm: fs: fix lru_cache_disabled race in bh_lru Greg Kroah-Hartman
                   ` (914 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Baokun Li, Richard Weinberger

From: Baokun Li <libaokun1@huawei.com>

commit 9cdd3128874f5fe759e2c4e1360ab7fb96a8d1df upstream.

If an error is returned in jffs2_scan_eraseblock() and some memory
has been added to the jffs2_summary *s, we can observe the following
kmemleak report:

--------------------------------------------
unreferenced object 0xffff88812b889c40 (size 64):
  comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
  hex dump (first 32 bytes):
    40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00  @H........1...P.
    00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08  ................
  backtrace:
    [<ffffffffae93a3a3>] __kmalloc+0x613/0x910
    [<ffffffffaf423b9c>] jffs2_sum_add_dirent_mem+0x5c/0xa0
    [<ffffffffb0f3afa8>] jffs2_scan_medium.cold+0x36e5/0x4794
    [<ffffffffb0f3dbe1>] jffs2_do_mount_fs.cold+0xa7/0x2267
    [<ffffffffaf40acf3>] jffs2_do_fill_super+0x383/0xc30
    [<ffffffffaf40c00a>] jffs2_fill_super+0x2ea/0x4c0
    [<ffffffffb0315d64>] mtd_get_sb+0x254/0x400
    [<ffffffffb0315f5f>] mtd_get_sb_by_nr+0x4f/0xd0
    [<ffffffffb0316478>] get_tree_mtd+0x498/0x840
    [<ffffffffaf40bd15>] jffs2_get_tree+0x25/0x30
    [<ffffffffae9f358d>] vfs_get_tree+0x8d/0x2e0
    [<ffffffffaea7a98f>] path_mount+0x50f/0x1e50
    [<ffffffffaea7c3d7>] do_mount+0x107/0x130
    [<ffffffffaea7c5c5>] __se_sys_mount+0x1c5/0x2f0
    [<ffffffffaea7c917>] __x64_sys_mount+0xc7/0x160
    [<ffffffffb10142f5>] do_syscall_64+0x45/0x70
unreferenced object 0xffff888114b54840 (size 32):
  comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
  hex dump (first 32 bytes):
    c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00  .u..............
    00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5  ......D...kkkkk.
  backtrace:
    [<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880
    [<ffffffffaf423b04>] jffs2_sum_add_inode_mem+0x54/0x90
    [<ffffffffb0f3bd44>] jffs2_scan_medium.cold+0x4481/0x4794
    [...]
unreferenced object 0xffff888114b57280 (size 32):
  comm "mount", pid 692, jiffies 4294838393 (age 34.357s)
  hex dump (first 32 bytes):
    10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00  ..l.............
    00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5  ..8...(...kkkkk.
  backtrace:
    [<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880
    [<ffffffffaf423c34>] jffs2_sum_add_xattr_mem+0x54/0x90
    [<ffffffffb0f3a24f>] jffs2_scan_medium.cold+0x298c/0x4794
    [...]
unreferenced object 0xffff8881116cd510 (size 16):
  comm "mount", pid 692, jiffies 4294838395 (age 34.355s)
  hex dump (first 16 bytes):
    00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5  ..........`...k.
  backtrace:
    [<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880
    [<ffffffffaf423cc4>] jffs2_sum_add_xref_mem+0x54/0x90
    [<ffffffffb0f3b2e3>] jffs2_scan_medium.cold+0x3a20/0x4794
    [...]
--------------------------------------------

Therefore, we should call jffs2_sum_reset_collected(s) on exit to
release the memory added in s. In addition, a new tag "out_buf" is
added to prevent the NULL pointer reference caused by s being NULL.
(thanks to Zhang Yi for this analysis)

Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
Cc: stable@vger.kernel.org
Co-developed-with: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/jffs2/scan.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/jffs2/scan.c
+++ b/fs/jffs2/scan.c
@@ -136,7 +136,7 @@ int jffs2_scan_medium(struct jffs2_sb_in
 		if (!s) {
 			JFFS2_WARNING("Can't allocate memory for summary\n");
 			ret = -ENOMEM;
-			goto out;
+			goto out_buf;
 		}
 	}
 
@@ -275,13 +275,15 @@ int jffs2_scan_medium(struct jffs2_sb_in
 	}
 	ret = 0;
  out:
+	jffs2_sum_reset_collected(s);
+	kfree(s);
+ out_buf:
 	if (buf_size)
 		kfree(flashbuf);
 #ifndef __ECOS
 	else
 		mtd_unpoint(c->mtd, 0, c->mtd->size);
 #endif
-	kfree(s);
 	return ret;
 }
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0076/1126] mm: fs: fix lru_cache_disabled race in bh_lru
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0075/1126] jffs2: fix memory leak in jffs2_scan_medium Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0077/1126] mm: dont skip swap entry even if zap_details specified Greg Kroah-Hartman
                   ` (913 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Minchan Kim, Chris Goldsworthy,
	Marcelo Tosatti, John Dias, Andrew Morton, Linus Torvalds

From: Minchan Kim <minchan@kernel.org>

commit c0226eb8bde854e016a594a16f5c0d98aca426fa upstream.

Check lru_cache_disabled under bh_lru_lock.  Otherwise, it could introduce
race below and it fails to migrate pages containing buffer_head.

   CPU 0					CPU 1

bh_lru_install
                                       lru_cache_disable
  lru_cache_disabled = false
                                       atomic_inc(&lru_disable_count);
				       invalidate_bh_lrus_cpu of CPU 0
				       bh_lru_lock
				       __invalidate_bh_lrus
				       bh_lru_unlock
  bh_lru_lock
  install the bh
  bh_lru_unlock

WHen this race happens a CMA allocation fails, which is critical for
the workload which depends on CMA.

Link: https://lkml.kernel.org/r/20220308180709.2017638-1-minchan@kernel.org
Fixes: 8cc621d2f45d ("mm: fs: invalidate BH LRU during page migration")
Signed-off-by: Minchan Kim <minchan@kernel.org>
Cc: Chris Goldsworthy <cgoldswo@codeaurora.org>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: John Dias <joaodias@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/buffer.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -1235,16 +1235,18 @@ static void bh_lru_install(struct buffer
 	int i;
 
 	check_irqs_on();
+	bh_lru_lock();
+
 	/*
 	 * the refcount of buffer_head in bh_lru prevents dropping the
 	 * attached page(i.e., try_to_free_buffers) so it could cause
 	 * failing page migration.
 	 * Skip putting upcoming bh into bh_lru until migration is done.
 	 */
-	if (lru_cache_disabled())
+	if (lru_cache_disabled()) {
+		bh_lru_unlock();
 		return;
-
-	bh_lru_lock();
+	}
 
 	b = this_cpu_ptr(&bh_lrus);
 	for (i = 0; i < BH_LRU_SIZE; i++) {



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0077/1126] mm: dont skip swap entry even if zap_details specified
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0076/1126] mm: fs: fix lru_cache_disabled race in bh_lru Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0078/1126] mm/pages_alloc.c: dont create ZONE_MOVABLE beyond the end of a node Greg Kroah-Hartman
                   ` (912 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Xu, John Hubbard,
	David Hildenbrand, Hugh Dickins, Alistair Popple,
	Andrea Arcangeli, Kirill A . Shutemov, Matthew Wilcox,
	Vlastimil Babka, Yang Shi, Andrew Morton, Linus Torvalds

From: Peter Xu <peterx@redhat.com>

commit 5abfd71d936a8aefd9f9ccd299dea7a164a5d455 upstream.

Patch series "mm: Rework zap ptes on swap entries", v5.

Patch 1 should fix a long standing bug for zap_pte_range() on
zap_details usage.  The risk is we could have some swap entries skipped
while we should have zapped them.

Migration entries are not the major concern because file backed memory
always zap in the pattern that "first time without page lock, then
re-zap with page lock" hence the 2nd zap will always make sure all
migration entries are already recovered.

However there can be issues with real swap entries got skipped
errornoously.  There's a reproducer provided in commit message of patch
1 for that.

Patch 2-4 are cleanups that are based on patch 1.  After the whole
patchset applied, we should have a very clean view of zap_pte_range().

Only patch 1 needs to be backported to stable if necessary.

This patch (of 4):

The "details" pointer shouldn't be the token to decide whether we should
skip swap entries.

For example, when the callers specified details->zap_mapping==NULL, it
means the user wants to zap all the pages (including COWed pages), then
we need to look into swap entries because there can be private COWed
pages that was swapped out.

Skipping some swap entries when details is non-NULL may lead to wrongly
leaving some of the swap entries while we should have zapped them.

A reproducer of the problem:

===8<===
        #define _GNU_SOURCE         /* See feature_test_macros(7) */
        #include <stdio.h>
        #include <assert.h>
        #include <unistd.h>
        #include <sys/mman.h>
        #include <sys/types.h>

        int page_size;
        int shmem_fd;
        char *buffer;

        void main(void)
        {
                int ret;
                char val;

                page_size = getpagesize();
                shmem_fd = memfd_create("test", 0);
                assert(shmem_fd >= 0);

                ret = ftruncate(shmem_fd, page_size * 2);
                assert(ret == 0);

                buffer = mmap(NULL, page_size * 2, PROT_READ | PROT_WRITE,
                                MAP_PRIVATE, shmem_fd, 0);
                assert(buffer != MAP_FAILED);

                /* Write private page, swap it out */
                buffer[page_size] = 1;
                madvise(buffer, page_size * 2, MADV_PAGEOUT);

                /* This should drop private buffer[page_size] already */
                ret = ftruncate(shmem_fd, page_size);
                assert(ret == 0);
                /* Recover the size */
                ret = ftruncate(shmem_fd, page_size * 2);
                assert(ret == 0);

                /* Re-read the data, it should be all zero */
                val = buffer[page_size];
                if (val == 0)
                        printf("Good\n");
                else
                        printf("BUG\n");
        }
===8<===

We don't need to touch up the pmd path, because pmd never had a issue with
swap entries.  For example, shmem pmd migration will always be split into
pte level, and same to swapping on anonymous.

Add another helper should_zap_cows() so that we can also check whether we
should zap private mappings when there's no page pointer specified.

This patch drops that trick, so we handle swap ptes coherently.  Meanwhile
we should do the same check upon migration entry, hwpoison entry and
genuine swap entries too.

To be explicit, we should still remember to keep the private entries if
even_cows==false, and always zap them when even_cows==true.

The issue seems to exist starting from the initial commit of git.

[peterx@redhat.com: comment tweaks]
  Link: https://lkml.kernel.org/r/20220217060746.71256-2-peterx@redhat.com

Link: https://lkml.kernel.org/r/20220217060746.71256-1-peterx@redhat.com
Link: https://lkml.kernel.org/r/20220216094810.60572-1-peterx@redhat.com
Link: https://lkml.kernel.org/r/20220216094810.60572-2-peterx@redhat.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Peter Xu <peterx@redhat.com>
Reviewed-by: John Hubbard <jhubbard@nvidia.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: "Kirill A . Shutemov" <kirill@shutemov.name>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Yang Shi <shy828301@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/memory.c |   40 +++++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 9 deletions(-)

--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1313,6 +1313,17 @@ struct zap_details {
 	struct folio *single_folio;	/* Locked folio to be unmapped */
 };
 
+/* Whether we should zap all COWed (private) pages too */
+static inline bool should_zap_cows(struct zap_details *details)
+{
+	/* By default, zap all pages */
+	if (!details)
+		return true;
+
+	/* Or, we zap COWed pages only if the caller wants to */
+	return !details->zap_mapping;
+}
+
 /*
  * We set details->zap_mapping when we want to unmap shared but keep private
  * pages. Return true if skip zapping this page, false otherwise.
@@ -1320,11 +1331,15 @@ struct zap_details {
 static inline bool
 zap_skip_check_mapping(struct zap_details *details, struct page *page)
 {
-	if (!details || !page)
+	/* If we can make a decision without *page.. */
+	if (should_zap_cows(details))
+		return false;
+
+	/* E.g. the caller passes NULL for the case of a zero page */
+	if (!page)
 		return false;
 
-	return details->zap_mapping &&
-		(details->zap_mapping != page_rmapping(page));
+	return details->zap_mapping != page_rmapping(page);
 }
 
 static unsigned long zap_pte_range(struct mmu_gather *tlb,
@@ -1405,17 +1420,24 @@ again:
 			continue;
 		}
 
-		/* If details->check_mapping, we leave swap entries. */
-		if (unlikely(details))
-			continue;
-
-		if (!non_swap_entry(entry))
+		if (!non_swap_entry(entry)) {
+			/* Genuine swap entry, hence a private anon page */
+			if (!should_zap_cows(details))
+				continue;
 			rss[MM_SWAPENTS]--;
-		else if (is_migration_entry(entry)) {
+		} else if (is_migration_entry(entry)) {
 			struct page *page;
 
 			page = pfn_swap_entry_to_page(entry);
+			if (zap_skip_check_mapping(details, page))
+				continue;
 			rss[mm_counter(page)]--;
+		} else if (is_hwpoison_entry(entry)) {
+			if (!should_zap_cows(details))
+				continue;
+		} else {
+			/* We should have covered all the swap entry types */
+			WARN_ON_ONCE(1);
 		}
 		if (unlikely(!free_swap_and_cache(entry)))
 			print_bad_pte(vma, addr, ptent, NULL);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0078/1126] mm/pages_alloc.c: dont create ZONE_MOVABLE beyond the end of a node
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0077/1126] mm: dont skip swap entry even if zap_details specified Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0079/1126] mm: invalidate hwpoison page cache page in fault path Greg Kroah-Hartman
                   ` (911 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alistair Popple, David Hildenbrand,
	Mel Gorman, John Hubbard, Zi Yan, Anshuman Khandual,
	Oscar Salvador, Andrew Morton, Linus Torvalds

From: Alistair Popple <apopple@nvidia.com>

commit ddbc84f3f595cf1fc8234a191193b5d20ad43938 upstream.

ZONE_MOVABLE uses the remaining memory in each node.  Its starting pfn
is also aligned to MAX_ORDER_NR_PAGES.  It is possible for the remaining
memory in a node to be less than MAX_ORDER_NR_PAGES, meaning there is
not enough room for ZONE_MOVABLE on that node.

Unfortunately this condition is not checked for.  This leads to
zone_movable_pfn[] getting set to a pfn greater than the last pfn in a
node.

calculate_node_totalpages() then sets zone->present_pages to be greater
than zone->spanned_pages which is invalid, as spanned_pages represents
the maximum number of pages in a zone assuming no holes.

Subsequently it is possible free_area_init_core() will observe a zone of
size zero with present pages.  In this case it will skip setting up the
zone, including the initialisation of free_lists[].

However populated_zone() checks zone->present_pages to see if a zone has
memory available.  This is used by iterators such as
walk_zones_in_node().  pagetypeinfo_showfree() uses this to walk the
free_list of each zone in each node, which are assumed to be initialised
due to the zone not being empty.

As free_area_init_core() never initialised the free_lists[] this results
in the following kernel crash when trying to read /proc/pagetypeinfo:

  BUG: kernel NULL pointer dereference, address: 0000000000000000
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI
  CPU: 0 PID: 456 Comm: cat Not tainted 5.16.0 #461
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
  RIP: 0010:pagetypeinfo_show+0x163/0x460
  Code: 9e 82 e8 80 57 0e 00 49 8b 06 b9 01 00 00 00 4c 39 f0 75 16 e9 65 02 00 00 48 83 c1 01 48 81 f9 a0 86 01 00 0f 84 48 02 00 00 <48> 8b 00 4c 39 f0 75 e7 48 c7 c2 80 a2 e2 82 48 c7 c6 79 ef e3 82
  RSP: 0018:ffffc90001c4bd10 EFLAGS: 00010003
  RAX: 0000000000000000 RBX: ffff88801105f638 RCX: 0000000000000001
  RDX: 0000000000000001 RSI: 000000000000068b RDI: ffff8880163dc68b
  RBP: ffffc90001c4bd90 R08: 0000000000000001 R09: ffff8880163dc67e
  R10: 656c6261766f6d6e R11: 6c6261766f6d6e55 R12: ffff88807ffb4a00
  R13: ffff88807ffb49f8 R14: ffff88807ffb4580 R15: ffff88807ffb3000
  FS:  00007f9c83eff5c0(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000000 CR3: 0000000013c8e000 CR4: 0000000000350ef0
  Call Trace:
   seq_read_iter+0x128/0x460
   proc_reg_read_iter+0x51/0x80
   new_sync_read+0x113/0x1a0
   vfs_read+0x136/0x1d0
   ksys_read+0x70/0xf0
   __x64_sys_read+0x1a/0x20
   do_syscall_64+0x3b/0xc0
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Fix this by checking that the aligned zone_movable_pfn[] does not exceed
the end of the node, and if it does skip creating a movable zone on this
node.

Link: https://lkml.kernel.org/r/20220215025831.2113067-1-apopple@nvidia.com
Fixes: 2a1e274acf0b ("Create the ZONE_MOVABLE zone")
Signed-off-by: Alistair Popple <apopple@nvidia.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Mel Gorman <mgorman@techsingularity.net>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/page_alloc.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -7972,10 +7972,17 @@ restart:
 
 out2:
 	/* Align start of ZONE_MOVABLE on all nids to MAX_ORDER_NR_PAGES */
-	for (nid = 0; nid < MAX_NUMNODES; nid++)
+	for (nid = 0; nid < MAX_NUMNODES; nid++) {
+		unsigned long start_pfn, end_pfn;
+
 		zone_movable_pfn[nid] =
 			roundup(zone_movable_pfn[nid], MAX_ORDER_NR_PAGES);
 
+		get_pfn_range_for_nid(nid, &start_pfn, &end_pfn);
+		if (zone_movable_pfn[nid] >= end_pfn)
+			zone_movable_pfn[nid] = 0;
+	}
+
 out:
 	/* restore the node_state */
 	node_states[N_MEMORY] = saved_node_state;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0079/1126] mm: invalidate hwpoison page cache page in fault path
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0078/1126] mm/pages_alloc.c: dont create ZONE_MOVABLE beyond the end of a node Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0080/1126] mempolicy: mbind_range() set_policy() after vma_merge() Greg Kroah-Hartman
                   ` (910 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rik van Riel, Miaohe Lin,
	Naoya Horiguchi, Oscar Salvador, John Hubbard, Mel Gorman,
	Johannes Weiner, Matthew Wilcox, Andrew Morton, Linus Torvalds

From: Rik van Riel <riel@surriel.com>

commit e53ac7374e64dede04d745ff0e70ff5048378d1f upstream.

Sometimes the page offlining code can leave behind a hwpoisoned clean
page cache page.  This can lead to programs being killed over and over
and over again as they fault in the hwpoisoned page, get killed, and
then get re-spawned by whatever wanted to run them.

This is particularly embarrassing when the page was offlined due to
having too many corrected memory errors.  Now we are killing tasks due
to them trying to access memory that probably isn't even corrupted.

This problem can be avoided by invalidating the page from the page fault
handler, which already has a branch for dealing with these kinds of
pages.  With this patch we simply pretend the page fault was successful
if the page was invalidated, return to userspace, incur another page
fault, read in the file from disk (to a new memory page), and then
everything works again.

Link: https://lkml.kernel.org/r/20220212213740.423efcea@imladris.surriel.com
Signed-off-by: Rik van Riel <riel@surriel.com>
Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/memory.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3893,11 +3893,16 @@ static vm_fault_t __do_fault(struct vm_f
 		return ret;
 
 	if (unlikely(PageHWPoison(vmf->page))) {
-		if (ret & VM_FAULT_LOCKED)
+		vm_fault_t poisonret = VM_FAULT_HWPOISON;
+		if (ret & VM_FAULT_LOCKED) {
+			/* Retry if a clean page was removed from the cache. */
+			if (invalidate_inode_page(vmf->page))
+				poisonret = 0;
 			unlock_page(vmf->page);
+		}
 		put_page(vmf->page);
 		vmf->page = NULL;
-		return VM_FAULT_HWPOISON;
+		return poisonret;
 	}
 
 	if (unlikely(!(ret & VM_FAULT_LOCKED)))



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0080/1126] mempolicy: mbind_range() set_policy() after vma_merge()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0079/1126] mm: invalidate hwpoison page cache page in fault path Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0081/1126] scsi: core: sd: Add silence_suspend flag to suppress some PM messages Greg Kroah-Hartman
                   ` (909 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hugh Dickins, Oleg Nesterov,
	Liam R. Howlett, Vlastimil Babka, Andrew Morton, Linus Torvalds

From: Hugh Dickins <hughd@google.com>

commit 4e0906008cdb56381638aa17d9c32734eae6d37a upstream.

v2.6.34 commit 9d8cebd4bcd7 ("mm: fix mbind vma merge problem") introduced
vma_merge() to mbind_range(); but unlike madvise, mlock and mprotect, it
put a "continue" to next vma where its precedents go to update flags on
current vma before advancing: that left vma with the wrong setting in the
infamous vma_merge() case 8.

v3.10 commit 1444f92c8498 ("mm: merging memory blocks resets mempolicy")
tried to fix that in vma_adjust(), without fully understanding the issue.

v3.11 commit 3964acd0dbec ("mm: mempolicy: fix mbind_range() &&
vma_adjust() interaction") reverted that, and went about the fix in the
right way, but chose to optimize out an unnecessary mpol_dup() with a
prior mpol_equal() test.  But on tmpfs, that also pessimized out the vital
call to its ->set_policy(), leaving the new mbind unenforced.

The user visible effect was that the pages got allocated on the local
node (happened to be 0), after the mbind() caller had specifically
asked for them to be allocated on node 1.  There was not any page
migration involved in the case reported: the pages simply got allocated
on the wrong node.

Just delete that optimization now (though it could be made conditional on
vma not having a set_policy).  Also remove the "next" variable: it turned
out to be blameless, but also pointless.

Link: https://lkml.kernel.org/r/319e4db9-64ae-4bca-92f0-ade85d342ff@google.com
Fixes: 3964acd0dbec ("mm: mempolicy: fix mbind_range() && vma_adjust() interaction")
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/mempolicy.c |    8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -786,7 +786,6 @@ static int vma_replace_policy(struct vm_
 static int mbind_range(struct mm_struct *mm, unsigned long start,
 		       unsigned long end, struct mempolicy *new_pol)
 {
-	struct vm_area_struct *next;
 	struct vm_area_struct *prev;
 	struct vm_area_struct *vma;
 	int err = 0;
@@ -801,8 +800,7 @@ static int mbind_range(struct mm_struct
 	if (start > vma->vm_start)
 		prev = vma;
 
-	for (; vma && vma->vm_start < end; prev = vma, vma = next) {
-		next = vma->vm_next;
+	for (; vma && vma->vm_start < end; prev = vma, vma = vma->vm_next) {
 		vmstart = max(start, vma->vm_start);
 		vmend   = min(end, vma->vm_end);
 
@@ -817,10 +815,6 @@ static int mbind_range(struct mm_struct
 				 anon_vma_name(vma));
 		if (prev) {
 			vma = prev;
-			next = vma->vm_next;
-			if (mpol_equal(vma_policy(vma), new_pol))
-				continue;
-			/* vma_merge() joined vma && vma->next, case 8 */
 			goto replace;
 		}
 		if (vma->vm_start != vmstart) {



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0081/1126] scsi: core: sd: Add silence_suspend flag to suppress some PM messages
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0080/1126] mempolicy: mbind_range() set_policy() after vma_merge() Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0082/1126] scsi: ufs: Fix runtime PM messages never-ending cycle Greg Kroah-Hartman
                   ` (908 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Martin K. Petersen

From: Adrian Hunter <adrian.hunter@intel.com>

commit af4edb1d50c6d1044cb34bc43621411b7ba2cffe upstream.

Kernel messages produced during runtime PM can cause a never-ending cycle
because user space utilities (e.g. journald or rsyslog) write the messages
back to storage, causing runtime resume, more messages, and so on.

Messages that tell of things that are expected to happen are arguably
unnecessary, so add a flag to suppress them. This flag is used by the UFS
driver.

Link: https://lore.kernel.org/r/20220228113652.970857-2-adrian.hunter@intel.com
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/scsi_error.c  |    9 +++++++--
 drivers/scsi/sd.c          |    6 ++++--
 include/scsi/scsi_device.h |    1 +
 3 files changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -484,8 +484,13 @@ static void scsi_report_sense(struct scs
 
 		if (sshdr->asc == 0x29) {
 			evt_type = SDEV_EVT_POWER_ON_RESET_OCCURRED;
-			sdev_printk(KERN_WARNING, sdev,
-				    "Power-on or device reset occurred\n");
+			/*
+			 * Do not print message if it is an expected side-effect
+			 * of runtime PM.
+			 */
+			if (!sdev->silence_suspend)
+				sdev_printk(KERN_WARNING, sdev,
+					    "Power-on or device reset occurred\n");
 		}
 
 		if (sshdr->asc == 0x2a && sshdr->ascq == 0x01) {
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3752,7 +3752,8 @@ static int sd_suspend_common(struct devi
 		return 0;
 
 	if (sdkp->WCE && sdkp->media_present) {
-		sd_printk(KERN_NOTICE, sdkp, "Synchronizing SCSI cache\n");
+		if (!sdkp->device->silence_suspend)
+			sd_printk(KERN_NOTICE, sdkp, "Synchronizing SCSI cache\n");
 		ret = sd_sync_cache(sdkp, &sshdr);
 
 		if (ret) {
@@ -3774,7 +3775,8 @@ static int sd_suspend_common(struct devi
 	}
 
 	if (sdkp->device->manage_start_stop) {
-		sd_printk(KERN_NOTICE, sdkp, "Stopping disk\n");
+		if (!sdkp->device->silence_suspend)
+			sd_printk(KERN_NOTICE, sdkp, "Stopping disk\n");
 		/* an error is not worth aborting a system sleep */
 		ret = sd_start_stop_device(sdkp, 0);
 		if (ignore_stop_errors)
--- a/include/scsi/scsi_device.h
+++ b/include/scsi/scsi_device.h
@@ -206,6 +206,7 @@ struct scsi_device {
 	unsigned rpm_autosuspend:1;	/* Enable runtime autosuspend at device
 					 * creation time */
 	unsigned ignore_media_change:1; /* Ignore MEDIA CHANGE on resume */
+	unsigned silence_suspend:1;	/* Do not print runtime PM related messages */
 
 	unsigned int queue_stopped;	/* request queue is quiesced */
 	bool offline_already;		/* Device offline message logged */



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0082/1126] scsi: ufs: Fix runtime PM messages never-ending cycle
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0081/1126] scsi: core: sd: Add silence_suspend flag to suppress some PM messages Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0083/1126] scsi: scsi_transport_fc: Fix FPIN Link Integrity statistics counters Greg Kroah-Hartman
                   ` (907 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Martin K. Petersen

From: Adrian Hunter <adrian.hunter@intel.com>

commit 71bb9ab6e3511b7bb98678a19eb8cf1ccbf3ca2f upstream.

Kernel messages produced during runtime PM can cause a never-ending cycle
because user space utilities (e.g. journald or rsyslog) write the messages
back to storage, causing runtime resume, more messages, and so on.

Messages that tell of things that are expected to happen, are arguably
unnecessary, so suppress them.

UFS driver messages are changes to from dev_err() to dev_dbg() which means
they will not display unless activated by dynamic debug of building with
-DDEBUG.

sdev->silence_suspend is set to skip messages from sd_suspend_common()
"Synchronizing SCSI cache", "Stopping disk" and scsi_report_sense()
"Power-on or device reset occurred" message (Note, that message appears
when the LUN is accessed after runtime PM, not during runtime PM)

 Example messages from Ubuntu 21.10:

 $ dmesg | tail
 [ 1620.380071] ufshcd 0000:00:12.5: ufshcd_print_pwr_info:[RX, TX]: gear=[1, 1], lane[1, 1], pwr[SLOWAUTO_MODE, SLOWAUTO_MODE], rate = 0
 [ 1620.408825] ufshcd 0000:00:12.5: ufshcd_print_pwr_info:[RX, TX]: gear=[4, 4], lane[2, 2], pwr[FAST MODE, FAST MODE], rate = 2
 [ 1620.409020] ufshcd 0000:00:12.5: ufshcd_find_max_sup_active_icc_level: Regulator capability was not set, actvIccLevel=0
 [ 1620.409524] sd 0:0:0:0: Power-on or device reset occurred
 [ 1622.938794] sd 0:0:0:0: [sda] Synchronizing SCSI cache
 [ 1622.939184] ufs_device_wlun 0:0:0:49488: Power-on or device reset occurred
 [ 1625.183175] ufshcd 0000:00:12.5: ufshcd_print_pwr_info:[RX, TX]: gear=[1, 1], lane[1, 1], pwr[SLOWAUTO_MODE, SLOWAUTO_MODE], rate = 0
 [ 1625.208041] ufshcd 0000:00:12.5: ufshcd_print_pwr_info:[RX, TX]: gear=[4, 4], lane[2, 2], pwr[FAST MODE, FAST MODE], rate = 2
 [ 1625.208311] ufshcd 0000:00:12.5: ufshcd_find_max_sup_active_icc_level: Regulator capability was not set, actvIccLevel=0
 [ 1625.209035] sd 0:0:0:0: Power-on or device reset occurred

Note for stable: depends on patch "scsi: core: sd: Add silence_suspend flag
to suppress some PM messages".

Link: https://lore.kernel.org/r/20220228113652.970857-3-adrian.hunter@intel.com
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/ufs/ufshcd.c |   21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -585,7 +585,12 @@ static void ufshcd_print_pwr_info(struct
 		"INVALID MODE",
 	};
 
-	dev_err(hba->dev, "%s:[RX, TX]: gear=[%d, %d], lane[%d, %d], pwr[%s, %s], rate = %d\n",
+	/*
+	 * Using dev_dbg to avoid messages during runtime PM to avoid
+	 * never-ending cycles of messages written back to storage by user space
+	 * causing runtime resume, causing more messages and so on.
+	 */
+	dev_dbg(hba->dev, "%s:[RX, TX]: gear=[%d, %d], lane[%d, %d], pwr[%s, %s], rate = %d\n",
 		 __func__,
 		 hba->pwr_info.gear_rx, hba->pwr_info.gear_tx,
 		 hba->pwr_info.lane_rx, hba->pwr_info.lane_tx,
@@ -5024,6 +5029,12 @@ static int ufshcd_slave_configure(struct
 		pm_runtime_get_noresume(&sdev->sdev_gendev);
 	else if (ufshcd_is_rpm_autosuspend_allowed(hba))
 		sdev->rpm_autosuspend = 1;
+	/*
+	 * Do not print messages during runtime PM to avoid never-ending cycles
+	 * of messages written back to storage by user space causing runtime
+	 * resume, causing more messages and so on.
+	 */
+	sdev->silence_suspend = 1;
 
 	ufshcd_crypto_register(hba, q);
 
@@ -7339,7 +7350,13 @@ static u32 ufshcd_find_max_sup_active_ic
 
 	if (!hba->vreg_info.vcc || !hba->vreg_info.vccq ||
 						!hba->vreg_info.vccq2) {
-		dev_err(hba->dev,
+		/*
+		 * Using dev_dbg to avoid messages during runtime PM to avoid
+		 * never-ending cycles of messages written back to storage by
+		 * user space causing runtime resume, causing more messages and
+		 * so on.
+		 */
+		dev_dbg(hba->dev,
 			"%s: Regulator capability was not set, actvIccLevel=%d",
 							__func__, icc_level);
 		goto out;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0083/1126] scsi: scsi_transport_fc: Fix FPIN Link Integrity statistics counters
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0082/1126] scsi: ufs: Fix runtime PM messages never-ending cycle Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0084/1126] scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands Greg Kroah-Hartman
                   ` (906 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shyam Sundar, Nilesh Javali,
	Himanshu Madhani, James Smart, Martin K. Petersen

From: James Smart <jsmart2021@gmail.com>

commit 07e0984b96ec1ba8c6de1c092b986b00ea0c114c upstream.

In the original FPIN commit, stats were incremented by the event_count.
Event_count is the minimum # of events that must occur before an FPIN is
sent. Thus, its not the actual number of events, and could be significantly
off (too low) as it doesn't reflect anything not reported.  Rather than
attempt to count events, have the statistic count how many FPINS cross the
threshold and were reported.

Link: https://lore.kernel.org/r/20220301175536.60250-1-jsmart2021@gmail.com
Fixes: 3dcfe0de5a97 ("scsi: fc: Parse FPIN packets and update statistics")
Cc: <stable@vger.kernel.org> # v5.11+
Cc: Shyam Sundar <ssundar@marvell.com>
Cc: Nilesh Javali <njavali@marvell.com>
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/scsi_transport_fc.c |   39 ++++++++++++++++-----------------------
 1 file changed, 16 insertions(+), 23 deletions(-)

--- a/drivers/scsi/scsi_transport_fc.c
+++ b/drivers/scsi/scsi_transport_fc.c
@@ -34,7 +34,7 @@ static int fc_bsg_hostadd(struct Scsi_Ho
 static int fc_bsg_rportadd(struct Scsi_Host *, struct fc_rport *);
 static void fc_bsg_remove(struct request_queue *);
 static void fc_bsg_goose_queue(struct fc_rport *);
-static void fc_li_stats_update(struct fc_fn_li_desc *li_desc,
+static void fc_li_stats_update(u16 event_type,
 			       struct fc_fpin_stats *stats);
 static void fc_delivery_stats_update(u32 reason_code,
 				     struct fc_fpin_stats *stats);
@@ -670,42 +670,34 @@ fc_find_rport_by_wwpn(struct Scsi_Host *
 EXPORT_SYMBOL(fc_find_rport_by_wwpn);
 
 static void
-fc_li_stats_update(struct fc_fn_li_desc *li_desc,
+fc_li_stats_update(u16 event_type,
 		   struct fc_fpin_stats *stats)
 {
-	stats->li += be32_to_cpu(li_desc->event_count);
-	switch (be16_to_cpu(li_desc->event_type)) {
+	stats->li++;
+	switch (event_type) {
 	case FPIN_LI_UNKNOWN:
-		stats->li_failure_unknown +=
-		    be32_to_cpu(li_desc->event_count);
+		stats->li_failure_unknown++;
 		break;
 	case FPIN_LI_LINK_FAILURE:
-		stats->li_link_failure_count +=
-		    be32_to_cpu(li_desc->event_count);
+		stats->li_link_failure_count++;
 		break;
 	case FPIN_LI_LOSS_OF_SYNC:
-		stats->li_loss_of_sync_count +=
-		    be32_to_cpu(li_desc->event_count);
+		stats->li_loss_of_sync_count++;
 		break;
 	case FPIN_LI_LOSS_OF_SIG:
-		stats->li_loss_of_signals_count +=
-		    be32_to_cpu(li_desc->event_count);
+		stats->li_loss_of_signals_count++;
 		break;
 	case FPIN_LI_PRIM_SEQ_ERR:
-		stats->li_prim_seq_err_count +=
-		    be32_to_cpu(li_desc->event_count);
+		stats->li_prim_seq_err_count++;
 		break;
 	case FPIN_LI_INVALID_TX_WD:
-		stats->li_invalid_tx_word_count +=
-		    be32_to_cpu(li_desc->event_count);
+		stats->li_invalid_tx_word_count++;
 		break;
 	case FPIN_LI_INVALID_CRC:
-		stats->li_invalid_crc_count +=
-		    be32_to_cpu(li_desc->event_count);
+		stats->li_invalid_crc_count++;
 		break;
 	case FPIN_LI_DEVICE_SPEC:
-		stats->li_device_specific +=
-		    be32_to_cpu(li_desc->event_count);
+		stats->li_device_specific++;
 		break;
 	}
 }
@@ -767,6 +759,7 @@ fc_fpin_li_stats_update(struct Scsi_Host
 	struct fc_rport *attach_rport = NULL;
 	struct fc_host_attrs *fc_host = shost_to_fc_host(shost);
 	struct fc_fn_li_desc *li_desc = (struct fc_fn_li_desc *)tlv;
+	u16 event_type = be16_to_cpu(li_desc->event_type);
 	u64 wwpn;
 
 	rport = fc_find_rport_by_wwpn(shost,
@@ -775,7 +768,7 @@ fc_fpin_li_stats_update(struct Scsi_Host
 	    (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
 	     rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
 		attach_rport = rport;
-		fc_li_stats_update(li_desc, &attach_rport->fpin_stats);
+		fc_li_stats_update(event_type, &attach_rport->fpin_stats);
 	}
 
 	if (be32_to_cpu(li_desc->pname_count) > 0) {
@@ -789,14 +782,14 @@ fc_fpin_li_stats_update(struct Scsi_Host
 			    rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
 				if (rport == attach_rport)
 					continue;
-				fc_li_stats_update(li_desc,
+				fc_li_stats_update(event_type,
 						   &rport->fpin_stats);
 			}
 		}
 	}
 
 	if (fc_host->port_name == be64_to_cpu(li_desc->attached_wwpn))
-		fc_li_stats_update(li_desc, &fc_host->fpin_stats);
+		fc_li_stats_update(event_type, &fc_host->fpin_stats);
 }
 
 /*



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0084/1126] scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0083/1126] scsi: scsi_transport_fc: Fix FPIN Link Integrity statistics counters Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0085/1126] qed: display VF trust config Greg Kroah-Hartman
                   ` (905 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Garry, Jack Wang,
	Damien Le Moal, Martin K. Petersen

From: Damien Le Moal <damien.lemoal@opensource.wdc.com>

commit 8454563e4c2aafbfb81a383ab423ea8b9b430a25 upstream.

To detect for the DMA_NONE (no data transfer) DMA direction,
sas_ata_qc_issue() tests if the command protocol is ATA_PROT_NODATA.  This
test does not include the ATA_CMD_NCQ_NON_DATA command as this command
protocol is defined as ATA_PROT_NCQ_NODATA (equal to ATA_PROT_FLAG_NCQ) and
not as ATA_PROT_NODATA.

To include both NCQ and non-NCQ commands when testing for the DMA_NONE DMA
direction, use "!ata_is_data()".

Link: https://lore.kernel.org/r/20220220031810.738362-2-damien.lemoal@opensource.wdc.com
Fixes: 176ddd89171d ("scsi: libsas: Reset num_scatter if libata marks qc as NODATA")
Cc: stable@vger.kernel.org
Reviewed-by: John Garry <john.garry@huawei.com>
Reviewed-by: Jack Wang <jinpu.wang@ionos.com>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/libsas/sas_ata.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/libsas/sas_ata.c
+++ b/drivers/scsi/libsas/sas_ata.c
@@ -197,7 +197,7 @@ static unsigned int sas_ata_qc_issue(str
 		task->total_xfer_len = qc->nbytes;
 		task->num_scatter = qc->n_elem;
 		task->data_dir = qc->dma_dir;
-	} else if (qc->tf.protocol == ATA_PROT_NODATA) {
+	} else if (!ata_is_data(qc->tf.protocol)) {
 		task->data_dir = DMA_NONE;
 	} else {
 		for_each_sg(qc->sg, sg, qc->n_elem, si)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0085/1126] qed: display VF trust config
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0084/1126] scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0086/1126] qed: validate and restrict untrusted VFs vlan promisc mode Greg Kroah-Hartman
                   ` (904 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Manish Chopra, Ariel Elior, David S. Miller

From: Manish Chopra <manishc@marvell.com>

commit 4e6e6bec7440b9b76f312f28b1f4e944eebb3abc upstream.

Driver does support SR-IOV VFs trust configuration but
it does not display it when queried via ip link utility.

Cc: stable@vger.kernel.org
Fixes: f990c82c385b ("qed*: Add support for ndo_set_vf_trust")
Signed-off-by: Manish Chopra <manishc@marvell.com>
Signed-off-by: Ariel Elior <aelior@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/qlogic/qed/qed_sriov.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
@@ -4719,6 +4719,7 @@ static int qed_get_vf_config(struct qed_
 	tx_rate = vf_info->tx_rate;
 	ivi->max_tx_rate = tx_rate ? tx_rate : link.speed;
 	ivi->min_tx_rate = qed_iov_get_vf_min_rate(hwfn, vf_id);
+	ivi->trusted = vf_info->is_trusted_request;
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0086/1126] qed: validate and restrict untrusted VFs vlan promisc mode
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0085/1126] qed: display VF trust config Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0087/1126] riscv: dts: canaan: Fix SPI3 bus width Greg Kroah-Hartman
                   ` (903 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Manish Chopra, Ariel Elior, David S. Miller

From: Manish Chopra <manishc@marvell.com>

commit cbcc44db2cf7b836896733acc0e5ea966136ed22 upstream.

Today when VFs are put in promiscuous mode, they can request PF
to configure device for them to receive all VLANs traffic regardless
of what vlan is configured by the PF (via ip link) and PF allows this
config request regardless of whether VF is trusted or not.

>From security POV, when VLAN is configured for VF through PF (via ip link),
honour such config requests from VF only when they are configured to be
trusted, otherwise restrict such VFs vlan promisc mode config.

Cc: stable@vger.kernel.org
Fixes: f990c82c385b ("qed*: Add support for ndo_set_vf_trust")
Signed-off-by: Manish Chopra <manishc@marvell.com>
Signed-off-by: Ariel Elior <aelior@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/qlogic/qed/qed_sriov.c |   28 ++++++++++++++++++++++++++--
 drivers/net/ethernet/qlogic/qed/qed_sriov.h |    1 +
 2 files changed, 27 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
@@ -2984,12 +2984,16 @@ static int qed_iov_pre_update_vport(stru
 	u8 mask = QED_ACCEPT_UCAST_UNMATCHED | QED_ACCEPT_MCAST_UNMATCHED;
 	struct qed_filter_accept_flags *flags = &params->accept_flags;
 	struct qed_public_vf_info *vf_info;
+	u16 tlv_mask;
+
+	tlv_mask = BIT(QED_IOV_VP_UPDATE_ACCEPT_PARAM) |
+		   BIT(QED_IOV_VP_UPDATE_ACCEPT_ANY_VLAN);
 
 	/* Untrusted VFs can't even be trusted to know that fact.
 	 * Simply indicate everything is configured fine, and trace
 	 * configuration 'behind their back'.
 	 */
-	if (!(*tlvs & BIT(QED_IOV_VP_UPDATE_ACCEPT_PARAM)))
+	if (!(*tlvs & tlv_mask))
 		return 0;
 
 	vf_info = qed_iov_get_public_vf_info(hwfn, vfid, true);
@@ -3006,6 +3010,13 @@ static int qed_iov_pre_update_vport(stru
 			flags->tx_accept_filter &= ~mask;
 	}
 
+	if (params->update_accept_any_vlan_flg) {
+		vf_info->accept_any_vlan = params->accept_any_vlan;
+
+		if (vf_info->forced_vlan && !vf_info->is_trusted_configured)
+			params->accept_any_vlan = false;
+	}
+
 	return 0;
 }
 
@@ -5150,6 +5161,12 @@ static void qed_iov_handle_trust_change(
 
 		params.update_ctl_frame_check = 1;
 		params.mac_chk_en = !vf_info->is_trusted_configured;
+		params.update_accept_any_vlan_flg = 0;
+
+		if (vf_info->accept_any_vlan && vf_info->forced_vlan) {
+			params.update_accept_any_vlan_flg = 1;
+			params.accept_any_vlan = vf_info->accept_any_vlan;
+		}
 
 		if (vf_info->rx_accept_mode & mask) {
 			flags->update_rx_mode_config = 1;
@@ -5165,13 +5182,20 @@ static void qed_iov_handle_trust_change(
 		if (!vf_info->is_trusted_configured) {
 			flags->rx_accept_filter &= ~mask;
 			flags->tx_accept_filter &= ~mask;
+			params.accept_any_vlan = false;
 		}
 
 		if (flags->update_rx_mode_config ||
 		    flags->update_tx_mode_config ||
-		    params.update_ctl_frame_check)
+		    params.update_ctl_frame_check ||
+		    params.update_accept_any_vlan_flg) {
+			DP_VERBOSE(hwfn, QED_MSG_IOV,
+				   "vport update config for %s VF[abs 0x%x rel 0x%x]\n",
+				   vf_info->is_trusted_configured ? "trusted" : "untrusted",
+				   vf->abs_vf_id, vf->relative_vf_id);
 			qed_sp_vport_update(hwfn, &params,
 					    QED_SPQ_MODE_EBLOCK, NULL);
+		}
 	}
 }
 
--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.h
+++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.h
@@ -62,6 +62,7 @@ struct qed_public_vf_info {
 	bool is_trusted_request;
 	u8 rx_accept_mode;
 	u8 tx_accept_mode;
+	bool accept_any_vlan;
 };
 
 struct qed_iov_vf_init_params {



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0087/1126] riscv: dts: canaan: Fix SPI3 bus width
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0086/1126] qed: validate and restrict untrusted VFs vlan promisc mode Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0088/1126] riscv: Fix fill_callchain return value Greg Kroah-Hartman
                   ` (902 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Niklas Cassel, Damien Le Moal,
	Palmer Dabbelt

From: Niklas Cassel <niklas.cassel@wdc.com>

commit 6846d656106add3aeefcd6eda0dc885787deaa6e upstream.

According to the K210 Standalone SDK Programming guide:
https://canaan-creative.com/wp-content/uploads/2020/03/kendryte_standalone_programming_guide_20190311144158_en.pdf

Section 15.4.3.3:
SPI0 and SPI1 supports: standard, dual, quad and octal transfers.
SPI3 supports: standard, dual and quad transfers (octal is not supported).

In order to support quad transfers (Quad SPI), SPI3 must have four IO wires
connected to the SPI flash.

Update the device tree to specify the correct bus width.

Tested on maix bit, maix dock and maixduino, which all have the same
SPI flash (gd25lq128d) connected to SPI3. maix go is untested, but it
would not make sense for this k210 board to be designed differently.

Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Fixes: 8f5b0e79f3e5 ("riscv: Add SiPeed MAIXDUINO board device tree")
Fixes: 8194f08bda18 ("riscv: Add SiPeed MAIX GO board device tree")
Fixes: a40f920964c4 ("riscv: Add SiPeed MAIX DOCK board device tree")
Fixes: 97c279bcf813 ("riscv: Add SiPeed MAIX BiT board device tree")
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/boot/dts/canaan/sipeed_maix_bit.dts  |    2 ++
 arch/riscv/boot/dts/canaan/sipeed_maix_dock.dts |    2 ++
 arch/riscv/boot/dts/canaan/sipeed_maix_go.dts   |    2 ++
 arch/riscv/boot/dts/canaan/sipeed_maixduino.dts |    2 ++
 4 files changed, 8 insertions(+)

--- a/arch/riscv/boot/dts/canaan/sipeed_maix_bit.dts
+++ b/arch/riscv/boot/dts/canaan/sipeed_maix_bit.dts
@@ -203,6 +203,8 @@
 		compatible = "jedec,spi-nor";
 		reg = <0>;
 		spi-max-frequency = <50000000>;
+		spi-tx-bus-width = <4>;
+		spi-rx-bus-width = <4>;
 		m25p,fast-read;
 		broken-flash-reset;
 	};
--- a/arch/riscv/boot/dts/canaan/sipeed_maix_dock.dts
+++ b/arch/riscv/boot/dts/canaan/sipeed_maix_dock.dts
@@ -205,6 +205,8 @@
 		compatible = "jedec,spi-nor";
 		reg = <0>;
 		spi-max-frequency = <50000000>;
+		spi-tx-bus-width = <4>;
+		spi-rx-bus-width = <4>;
 		m25p,fast-read;
 		broken-flash-reset;
 	};
--- a/arch/riscv/boot/dts/canaan/sipeed_maix_go.dts
+++ b/arch/riscv/boot/dts/canaan/sipeed_maix_go.dts
@@ -213,6 +213,8 @@
 		compatible = "jedec,spi-nor";
 		reg = <0>;
 		spi-max-frequency = <50000000>;
+		spi-tx-bus-width = <4>;
+		spi-rx-bus-width = <4>;
 		m25p,fast-read;
 		broken-flash-reset;
 	};
--- a/arch/riscv/boot/dts/canaan/sipeed_maixduino.dts
+++ b/arch/riscv/boot/dts/canaan/sipeed_maixduino.dts
@@ -178,6 +178,8 @@
 		compatible = "jedec,spi-nor";
 		reg = <0>;
 		spi-max-frequency = <50000000>;
+		spi-tx-bus-width = <4>;
+		spi-rx-bus-width = <4>;
 		m25p,fast-read;
 		broken-flash-reset;
 	};



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0088/1126] riscv: Fix fill_callchain return value
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0087/1126] riscv: dts: canaan: Fix SPI3 bus width Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0089/1126] riscv: Increase stack size under KASAN Greg Kroah-Hartman
                   ` (901 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nikita Shubin, Palmer Dabbelt

From: Nikita Shubin <n.shubin@yadro.com>

commit 2b2b574ac587ec5bd7716a356492a85ab8b0ce9f upstream.

perf_callchain_store return 0 on success, -1 otherwise,
fix fill_callchain to return correct bool value.

Fixes: dbeb90b0c1eb ("riscv: Add perf callchain support")
Signed-off-by: Nikita Shubin <n.shubin@yadro.com>
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/kernel/perf_callchain.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/riscv/kernel/perf_callchain.c
+++ b/arch/riscv/kernel/perf_callchain.c
@@ -68,7 +68,7 @@ void perf_callchain_user(struct perf_cal
 
 static bool fill_callchain(void *entry, unsigned long pc)
 {
-	return perf_callchain_store(entry, pc);
+	return perf_callchain_store(entry, pc) == 0;
 }
 
 void perf_callchain_kernel(struct perf_callchain_entry_ctx *entry,



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0089/1126] riscv: Increase stack size under KASAN
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0088/1126] riscv: Fix fill_callchain return value Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0090/1126] RISC-V: Declare per cpu boot data as static Greg Kroah-Hartman
                   ` (900 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Vyukov,
	syzbot+0600986d88e2d4d7ebb8, Palmer Dabbelt

From: Dmitry Vyukov <dvyukov@google.com>

commit b81d591386c3a50b96dddcf663628ea0df0bf2b3 upstream.

KASAN requires more stack space because of compiler instrumentation.
Increase stack size as other arches do.

Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: syzbot+0600986d88e2d4d7ebb8@syzkaller.appspotmail.com
Fixes: 8ad8b72721d0 ("riscv: Add KASAN support")
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/include/asm/thread_info.h |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/arch/riscv/include/asm/thread_info.h
+++ b/arch/riscv/include/asm/thread_info.h
@@ -11,11 +11,17 @@
 #include <asm/page.h>
 #include <linux/const.h>
 
+#ifdef CONFIG_KASAN
+#define KASAN_STACK_ORDER 1
+#else
+#define KASAN_STACK_ORDER 0
+#endif
+
 /* thread information allocation */
 #ifdef CONFIG_64BIT
-#define THREAD_SIZE_ORDER	(2)
+#define THREAD_SIZE_ORDER	(2 + KASAN_STACK_ORDER)
 #else
-#define THREAD_SIZE_ORDER	(1)
+#define THREAD_SIZE_ORDER	(1 + KASAN_STACK_ORDER)
 #endif
 #define THREAD_SIZE		(PAGE_SIZE << THREAD_SIZE_ORDER)
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0090/1126] RISC-V: Declare per cpu boot data as static
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0089/1126] riscv: Increase stack size under KASAN Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0091/1126] Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads" Greg Kroah-Hartman
                   ` (899 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Atish Patra,
	Palmer Dabbelt

From: Atish Patra <atishp@rivosinc.com>

commit f1de125766d6f377a4b5d5821bc12928f929a4eb upstream.

The per cpu boot data is only used within the cpu_ops_sbi.c. It can
be delcared as static.

Fixes: 9a2451f18663 ("RISC-V: Avoid using per cpu array for ordered booting")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Atish Patra <atishp@rivosinc.com>
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/kernel/cpu_ops_sbi.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/riscv/kernel/cpu_ops_sbi.c
+++ b/arch/riscv/kernel/cpu_ops_sbi.c
@@ -21,7 +21,7 @@ const struct cpu_operations cpu_ops_sbi;
  * be invoked from multiple threads in parallel. Define a per cpu data
  * to handle that.
  */
-DEFINE_PER_CPU(struct sbi_hart_boot_data, boot_data);
+static DEFINE_PER_CPU(struct sbi_hart_boot_data, boot_data);
 
 static int sbi_hsm_hart_start(unsigned long hartid, unsigned long saddr,
 			      unsigned long priv)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0091/1126] Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads"
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0090/1126] RISC-V: Declare per cpu boot data as static Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:13 ` [PATCH 5.17 0092/1126] cifs: do not skip link targets when an I/O fails Greg Kroah-Hartman
                   ` (898 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, José Expósito,
	Hans de Goede, Peter Hutterer, Benjamin Tissoires,
	Dmitry Torokhov

From: José Expósito <jose.exposito89@gmail.com>

commit 8b188fba75195745026e11d408e4a7e94e01d701 upstream.

This reverts commit 37ef4c19b4c659926ce65a7ac709ceaefb211c40.

The touchpad present in the Dell Precision 7550 and 7750 laptops
reports a HID_DG_BUTTONTYPE of type MT_BUTTONTYPE_CLICKPAD. However,
the device is not a clickpad, it is a touchpad with physical buttons.

In order to fix this issue, a quirk for the device was introduced in
libinput [1] [2] to disable the INPUT_PROP_BUTTONPAD property:

	[Precision 7x50 Touchpad]
	MatchBus=i2c
	MatchUdevType=touchpad
	MatchDMIModalias=dmi:*svnDellInc.:pnPrecision7?50*
	AttrInputPropDisable=INPUT_PROP_BUTTONPAD

However, because of the change introduced in 37ef4c19b4 ("Input: clear
BTN_RIGHT/MIDDLE on buttonpads") the BTN_RIGHT key bit is not mapped
anymore breaking the device right click button and making impossible to
workaround it in user space.

In order to avoid breakage on other present or future devices, revert
the patch causing the issue.

Signed-off-by: José Expósito <jose.exposito89@gmail.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220321184404.20025-1-jose.exposito89@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/input.c |    6 ------
 1 file changed, 6 deletions(-)

--- a/drivers/input/input.c
+++ b/drivers/input/input.c
@@ -2285,12 +2285,6 @@ int input_register_device(struct input_d
 	/* KEY_RESERVED is not supposed to be transmitted to userspace. */
 	__clear_bit(KEY_RESERVED, dev->keybit);
 
-	/* Buttonpads should not map BTN_RIGHT and/or BTN_MIDDLE. */
-	if (test_bit(INPUT_PROP_BUTTONPAD, dev->propbit)) {
-		__clear_bit(BTN_RIGHT, dev->keybit);
-		__clear_bit(BTN_MIDDLE, dev->keybit);
-	}
-
 	/* Make sure that bitmasks not mentioned in dev->evbit are clean. */
 	input_cleanse_bitmasks(dev);
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0092/1126] cifs: do not skip link targets when an I/O fails
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0091/1126] Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads" Greg Kroah-Hartman
@ 2022-04-05  7:13 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0093/1126] cifs: fix incorrect use of list iterator after the loop Greg Kroah-Hartman
                   ` (897 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paulo Alcantara (SUSE), Steve French

From: Paulo Alcantara <pc@cjr.nz>

commit 5d7e282541fc91b831a5c4477c5d72881c623df9 upstream.

When I/O fails in one of the currently connected DFS targets, retry it
from other targets as specified in MS-DFSC "3.1.5.2 I/O Operation to
+Target Fails with an Error Other Than STATUS_PATH_NOT_COVERED."

Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cifs/connect.c |   14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3473,6 +3473,9 @@ static int connect_dfs_target(struct mou
 	struct cifs_sb_info *cifs_sb = mnt_ctx->cifs_sb;
 	char *oldmnt = cifs_sb->ctx->mount_options;
 
+	cifs_dbg(FYI, "%s: full_path=%s ref_path=%s target=%s\n", __func__, full_path, ref_path,
+		 dfs_cache_get_tgt_name(tit));
+
 	rc = dfs_cache_get_tgt_referral(ref_path, tit, &ref);
 	if (rc)
 		goto out;
@@ -3571,13 +3574,18 @@ static int __follow_dfs_link(struct moun
 	if (rc)
 		goto out;
 
-	/* Try all dfs link targets */
+	/* Try all dfs link targets.  If an I/O fails from currently connected DFS target with an
+	 * error other than STATUS_PATH_NOT_COVERED (-EREMOTE), then retry it from other targets as
+	 * specified in MS-DFSC "3.1.5.2 I/O Operation to Target Fails with an Error Other Than
+	 * STATUS_PATH_NOT_COVERED."
+	 */
 	for (rc = -ENOENT, tit = dfs_cache_get_tgt_iterator(&tl);
 	     tit; tit = dfs_cache_get_next_tgt(&tl, tit)) {
 		rc = connect_dfs_target(mnt_ctx, full_path, mnt_ctx->leaf_fullpath + 1, tit);
 		if (!rc) {
 			rc = is_path_remote(mnt_ctx);
-			break;
+			if (!rc || rc == -EREMOTE)
+				break;
 		}
 	}
 
@@ -3651,7 +3659,7 @@ int cifs_mount(struct cifs_sb_info *cifs
 		goto error;
 
 	rc = is_path_remote(&mnt_ctx);
-	if (rc == -EREMOTE)
+	if (rc)
 		rc = follow_dfs_link(&mnt_ctx);
 	if (rc)
 		goto error;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0093/1126] cifs: fix incorrect use of list iterator after the loop
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2022-04-05  7:13 ` [PATCH 5.17 0092/1126] cifs: do not skip link targets when an I/O fails Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0094/1126] cifs: prevent bad output lengths in smb2_ioctl_query_info() Greg Kroah-Hartman
                   ` (896 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiaomeng Tong, Shyam Prasad N, Steve French

From: Xiaomeng Tong <xiam0nd.tong@gmail.com>

commit a96c94481f5993eac2271f9fb4d009b7dc076c24 upstream.

The bug is here:
if (!tcon) {
	resched = true;
	list_del_init(&ses->rlist);
	cifs_put_smb_ses(ses);

Because the list_for_each_entry() never exits early (without any
break/goto/return inside the loop), the iterator 'ses' after the
loop will always be an pointer to a invalid struct containing the
HEAD (&pserver->smb_ses_list). As a result, the uses of 'ses' above
will lead to a invalid memory access.

The original intention should have been to walk each entry 'ses' in
'&tmp_ses_list', delete '&ses->rlist' and put 'ses'. So fix it with
a list_for_each_entry_safe().

Cc: stable@vger.kernel.org # 5.17
Fixes: 3663c9045f51a ("cifs: check reconnects for channels of active tcons too")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cifs/smb2pdu.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -3858,8 +3858,10 @@ void smb2_reconnect_server(struct work_s
 	tcon = kzalloc(sizeof(struct cifs_tcon), GFP_KERNEL);
 	if (!tcon) {
 		resched = true;
-		list_del_init(&ses->rlist);
-		cifs_put_smb_ses(ses);
+		list_for_each_entry_safe(ses, ses2, &tmp_ses_list, rlist) {
+			list_del_init(&ses->rlist);
+			cifs_put_smb_ses(ses);
+		}
 		goto done;
 	}
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0094/1126] cifs: prevent bad output lengths in smb2_ioctl_query_info()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0093/1126] cifs: fix incorrect use of list iterator after the loop Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0095/1126] cifs: fix NULL ptr dereference " Greg Kroah-Hartman
                   ` (895 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paulo Alcantara (SUSE), Steve French

From: Paulo Alcantara <pc@cjr.nz>

commit b92e358757b91c2827af112cae9af513f26a3f34 upstream.

When calling smb2_ioctl_query_info() with
smb_query_info::flags=PASSTHRU_FSCTL and
smb_query_info::output_buffer_length=0, the following would return
0x10

	buffer = memdup_user(arg + sizeof(struct smb_query_info),
			     qi.output_buffer_length);
	if (IS_ERR(buffer)) {
		kfree(vars);
		return PTR_ERR(buffer);
	}

rather than a valid pointer thus making IS_ERR() check fail.  This
would then cause a NULL ptr deference in @buffer when accessing it
later in smb2_ioctl_query_ioctl().  While at it, prevent having a
@buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO
FileEndOfFileInformation requests when
smb_query_info::flags=PASSTHRU_SET_INFO.

Here is a small C reproducer which triggers a NULL ptr in @buffer when
passing an invalid smb_query_info::flags

	#include <stdio.h>
	#include <stdlib.h>
	#include <stdint.h>
	#include <unistd.h>
	#include <fcntl.h>
	#include <sys/ioctl.h>

	#define die(s) perror(s), exit(1)
	#define QUERY_INFO 0xc018cf07

	int main(int argc, char *argv[])
	{
		int fd;

		if (argc < 2)
			exit(1);
		fd = open(argv[1], O_RDONLY);
		if (fd == -1)
			die("open");
		if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
			die("ioctl");
		close(fd);
		return 0;
	}

	mount.cifs //srv/share /mnt -o ...
	gcc repro.c && ./a.out /mnt/f0

	[  114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
	[  114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
	[  114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1
	[  114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
	[  114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
	[  114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
	[  114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
	[  114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
	[  114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
	[  114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
	[  114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
	[  114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000
	[  114.144852] FS:  00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000
	[  114.145338] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[  114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0
	[  114.146131] Call Trace:
	[  114.146291]  <TASK>
	[  114.146432]  ? smb2_query_reparse_tag+0x890/0x890 [cifs]
	[  114.146800]  ? cifs_mapchar+0x460/0x460 [cifs]
	[  114.147121]  ? rcu_read_lock_sched_held+0x3f/0x70
	[  114.147412]  ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
	[  114.147775]  ? dentry_path_raw+0xa6/0xf0
	[  114.148024]  ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
	[  114.148413]  ? smb2_check_message+0x1080/0x1080 [cifs]
	[  114.148766]  ? rcu_read_lock_sched_held+0x3f/0x70
	[  114.149065]  cifs_ioctl+0x1577/0x3320 [cifs]
	[  114.149371]  ? lock_downgrade+0x6f0/0x6f0
	[  114.149631]  ? cifs_readdir+0x2e60/0x2e60 [cifs]
	[  114.149956]  ? rcu_read_lock_sched_held+0x3f/0x70
	[  114.150250]  ? __rseq_handle_notify_resume+0x80b/0xbe0
	[  114.150562]  ? __up_read+0x192/0x710
	[  114.150791]  ? __ia32_sys_rseq+0xf0/0xf0
	[  114.151025]  ? __x64_sys_openat+0x11f/0x1d0
	[  114.151296]  __x64_sys_ioctl+0x127/0x190
	[  114.151549]  do_syscall_64+0x3b/0x90
	[  114.151768]  entry_SYSCALL_64_after_hwframe+0x44/0xae
	[  114.152079] RIP: 0033:0x7f7aead043df
	[  114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
	[  114.153431] RSP: 002b:00007ffc2e0c1f80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
	[  114.153890] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7aead043df
	[  114.154315] RDX: 00007ffc2e0c1ff0 RSI: 00000000c018cf07 RDI: 0000000000000003
	[  114.154747] RBP: 00007ffc2e0c2010 R08: 00007f7aeae03db0 R09: 00007f7aeae24c4e
	[  114.155192] R10: 00007f7aeabf7d40 R11: 0000000000000246 R12: 00007ffc2e0c2128
	[  114.155642] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007f7aeae57000
	[  114.156071]  </TASK>
	[  114.156218] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload
	[  114.156608] ---[ end trace 0000000000000000 ]---
	[  114.156898] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
	[  114.157792] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
	[  114.159293] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
	[  114.159641] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
	[  114.160093] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
	[  114.160699] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
	[  114.161196] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
	[  114.155642] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007f7aeae57000
	[  114.156071]  </TASK>
	[  114.156218] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload
	[  114.156608] ---[ end trace 0000000000000000 ]---
	[  114.156898] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
	[  114.157792] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
	[  114.159293] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
	[  114.159641] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
	[  114.160093] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
	[  114.160699] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
	[  114.161196] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
	[  114.161823] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000
	[  114.162274] FS:  00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000
	[  114.162853] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[  114.163218] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0
	[  114.163691] Kernel panic - not syncing: Fatal exception
	[  114.164087] Kernel Offset: disabled
	[  114.164316] ---[ end Kernel panic - not syncing: Fatal exception ]---

Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cifs/smb2ops.c |   16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1668,11 +1668,12 @@ smb2_ioctl_query_info(const unsigned int
 	if (smb3_encryption_required(tcon))
 		flags |= CIFS_TRANSFORM_REQ;
 
-	buffer = memdup_user(arg + sizeof(struct smb_query_info),
-			     qi.output_buffer_length);
-	if (IS_ERR(buffer)) {
-		kfree(vars);
-		return PTR_ERR(buffer);
+	if (qi.output_buffer_length) {
+		buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length);
+		if (IS_ERR(buffer)) {
+			kfree(vars);
+			return PTR_ERR(buffer);
+		}
 	}
 
 	/* Open */
@@ -1735,10 +1736,13 @@ smb2_ioctl_query_info(const unsigned int
 		/* Can eventually relax perm check since server enforces too */
 		if (!capable(CAP_SYS_ADMIN))
 			rc = -EPERM;
-		else  {
+		else if (qi.output_buffer_length < 8)
+			rc = -EINVAL;
+		else {
 			rqst[1].rq_iov = &vars->si_iov[0];
 			rqst[1].rq_nvec = 1;
 
+			/* MS-FSCC 2.4.13 FileEndOfFileInformation */
 			size[0] = 8;
 			data[0] = buffer;
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0095/1126] cifs: fix NULL ptr dereference in smb2_ioctl_query_info()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0094/1126] cifs: prevent bad output lengths in smb2_ioctl_query_info() Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0096/1126] ALSA: cs4236: fix an incorrect NULL check on list iterator Greg Kroah-Hartman
                   ` (894 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paulo Alcantara (SUSE), Steve French

From: Paulo Alcantara <pc@cjr.nz>

commit d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 upstream.

When calling smb2_ioctl_query_info() with invalid
smb_query_info::flags, a NULL ptr dereference is triggered when trying
to kfree() uninitialised rqst[n].rq_iov array.

This also fixes leaked paths that are created in SMB2_open_init()
which required SMB2_open_free() to properly free them.

Here is a small C reproducer that triggers it

	#include <stdio.h>
	#include <stdlib.h>
	#include <stdint.h>
	#include <unistd.h>
	#include <fcntl.h>
	#include <sys/ioctl.h>

	#define die(s) perror(s), exit(1)
	#define QUERY_INFO 0xc018cf07

	int main(int argc, char *argv[])
	{
		int fd;

		if (argc < 2)
			exit(1);
		fd = open(argv[1], O_RDONLY);
		if (fd == -1)
			die("open");
		if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
			die("ioctl");
		close(fd);
		return 0;
	}

	mount.cifs //srv/share /mnt -o ...
	gcc repro.c && ./a.out /mnt/f0

	[ 1832.124468] CIFS: VFS: \\w22-dc.zelda.test\test Invalid passthru query flags: 0x4
	[ 1832.125043] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
	[ 1832.125764] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
	[ 1832.126241] CPU: 3 PID: 1133 Comm: a.out Not tainted 5.17.0-rc8 #2
	[ 1832.126630] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
	[ 1832.127322] RIP: 0010:smb2_ioctl_query_info+0x7a3/0xe30 [cifs]
	[ 1832.127749] Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 6c 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 74 24 28 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 cb 04 00 00 49 8b 3e e8 bb fc fa ff 48 89 da 48
	[ 1832.128911] RSP: 0018:ffffc90000957b08 EFLAGS: 00010256
	[ 1832.129243] RAX: dffffc0000000000 RBX: ffff888117e9b850 RCX: ffffffffa020580d
	[ 1832.129691] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a2c0
	[ 1832.130137] RBP: ffff888117e9b878 R08: 0000000000000001 R09: 0000000000000003
	[ 1832.130585] R10: fffffbfff4087458 R11: 0000000000000001 R12: ffff888117e9b800
	[ 1832.131037] R13: 00000000ffffffea R14: 0000000000000000 R15: ffff888117e9b8a8
	[ 1832.131485] FS:  00007fcee9900740(0000) GS:ffff888151a00000(0000) knlGS:0000000000000000
	[ 1832.131993] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 1832.132354] CR2: 00007fcee9a1ef5e CR3: 0000000114cd2000 CR4: 0000000000350ee0
	[ 1832.132801] Call Trace:
	[ 1832.132962]  <TASK>
	[ 1832.133104]  ? smb2_query_reparse_tag+0x890/0x890 [cifs]
	[ 1832.133489]  ? cifs_mapchar+0x460/0x460 [cifs]
	[ 1832.133822]  ? rcu_read_lock_sched_held+0x3f/0x70
	[ 1832.134125]  ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
	[ 1832.134502]  ? lock_downgrade+0x6f0/0x6f0
	[ 1832.134760]  ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
	[ 1832.135170]  ? smb2_check_message+0x1080/0x1080 [cifs]
	[ 1832.135545]  cifs_ioctl+0x1577/0x3320 [cifs]
	[ 1832.135864]  ? lock_downgrade+0x6f0/0x6f0
	[ 1832.136125]  ? cifs_readdir+0x2e60/0x2e60 [cifs]
	[ 1832.136468]  ? rcu_read_lock_sched_held+0x3f/0x70
	[ 1832.136769]  ? __rseq_handle_notify_resume+0x80b/0xbe0
	[ 1832.137096]  ? __up_read+0x192/0x710
	[ 1832.137327]  ? __ia32_sys_rseq+0xf0/0xf0
	[ 1832.137578]  ? __x64_sys_openat+0x11f/0x1d0
	[ 1832.137850]  __x64_sys_ioctl+0x127/0x190
	[ 1832.138103]  do_syscall_64+0x3b/0x90
	[ 1832.138378]  entry_SYSCALL_64_after_hwframe+0x44/0xae
	[ 1832.138702] RIP: 0033:0x7fcee9a253df
	[ 1832.138937] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
	[ 1832.140107] RSP: 002b:00007ffeba94a8a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
	[ 1832.140606] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcee9a253df
	[ 1832.141058] RDX: 00007ffeba94a910 RSI: 00000000c018cf07 RDI: 0000000000000003
	[ 1832.141503] RBP: 00007ffeba94a930 R08: 00007fcee9b24db0 R09: 00007fcee9b45c4e
	[ 1832.141948] R10: 00007fcee9918d40 R11: 0000000000000246 R12: 00007ffeba94aa48
	[ 1832.142396] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007fcee9b78000
	[ 1832.142851]  </TASK>
	[ 1832.142994] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload [last unloaded: cifs]

Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cifs/smb2ops.c |  124 ++++++++++++++++++++++++++++--------------------------
 1 file changed, 65 insertions(+), 59 deletions(-)

--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1643,6 +1643,7 @@ smb2_ioctl_query_info(const unsigned int
 	unsigned int size[2];
 	void *data[2];
 	int create_options = is_dir ? CREATE_NOT_FILE : CREATE_NOT_DIR;
+	void (*free_req1_func)(struct smb_rqst *r);
 
 	vars = kzalloc(sizeof(*vars), GFP_ATOMIC);
 	if (vars == NULL)
@@ -1652,17 +1653,18 @@ smb2_ioctl_query_info(const unsigned int
 
 	resp_buftype[0] = resp_buftype[1] = resp_buftype[2] = CIFS_NO_BUFFER;
 
-	if (copy_from_user(&qi, arg, sizeof(struct smb_query_info)))
-		goto e_fault;
-
+	if (copy_from_user(&qi, arg, sizeof(struct smb_query_info))) {
+		rc = -EFAULT;
+		goto free_vars;
+	}
 	if (qi.output_buffer_length > 1024) {
-		kfree(vars);
-		return -EINVAL;
+		rc = -EINVAL;
+		goto free_vars;
 	}
 
 	if (!ses || !server) {
-		kfree(vars);
-		return -EIO;
+		rc = -EIO;
+		goto free_vars;
 	}
 
 	if (smb3_encryption_required(tcon))
@@ -1671,8 +1673,8 @@ smb2_ioctl_query_info(const unsigned int
 	if (qi.output_buffer_length) {
 		buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length);
 		if (IS_ERR(buffer)) {
-			kfree(vars);
-			return PTR_ERR(buffer);
+			rc = PTR_ERR(buffer);
+			goto free_vars;
 		}
 	}
 
@@ -1711,48 +1713,45 @@ smb2_ioctl_query_info(const unsigned int
 	rc = SMB2_open_init(tcon, server,
 			    &rqst[0], &oplock, &oparms, path);
 	if (rc)
-		goto iqinf_exit;
+		goto free_output_buffer;
 	smb2_set_next_command(tcon, &rqst[0]);
 
 	/* Query */
 	if (qi.flags & PASSTHRU_FSCTL) {
 		/* Can eventually relax perm check since server enforces too */
-		if (!capable(CAP_SYS_ADMIN))
+		if (!capable(CAP_SYS_ADMIN)) {
 			rc = -EPERM;
-		else  {
-			rqst[1].rq_iov = &vars->io_iov[0];
-			rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE;
-
-			rc = SMB2_ioctl_init(tcon, server,
-					     &rqst[1],
-					     COMPOUND_FID, COMPOUND_FID,
-					     qi.info_type, true, buffer,
-					     qi.output_buffer_length,
-					     CIFSMaxBufSize -
-					     MAX_SMB2_CREATE_RESPONSE_SIZE -
-					     MAX_SMB2_CLOSE_RESPONSE_SIZE);
+			goto free_open_req;
 		}
+		rqst[1].rq_iov = &vars->io_iov[0];
+		rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE;
+
+		rc = SMB2_ioctl_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID,
+				     qi.info_type, true, buffer, qi.output_buffer_length,
+				     CIFSMaxBufSize - MAX_SMB2_CREATE_RESPONSE_SIZE -
+				     MAX_SMB2_CLOSE_RESPONSE_SIZE);
+		free_req1_func = SMB2_ioctl_free;
 	} else if (qi.flags == PASSTHRU_SET_INFO) {
 		/* Can eventually relax perm check since server enforces too */
-		if (!capable(CAP_SYS_ADMIN))
+		if (!capable(CAP_SYS_ADMIN)) {
 			rc = -EPERM;
-		else if (qi.output_buffer_length < 8)
+			goto free_open_req;
+		}
+		if (qi.output_buffer_length < 8) {
 			rc = -EINVAL;
-		else {
-			rqst[1].rq_iov = &vars->si_iov[0];
-			rqst[1].rq_nvec = 1;
-
-			/* MS-FSCC 2.4.13 FileEndOfFileInformation */
-			size[0] = 8;
-			data[0] = buffer;
-
-			rc = SMB2_set_info_init(tcon, server,
-					&rqst[1],
-					COMPOUND_FID, COMPOUND_FID,
-					current->tgid,
-					FILE_END_OF_FILE_INFORMATION,
-					SMB2_O_INFO_FILE, 0, data, size);
+			goto free_open_req;
 		}
+		rqst[1].rq_iov = &vars->si_iov[0];
+		rqst[1].rq_nvec = 1;
+
+		/* MS-FSCC 2.4.13 FileEndOfFileInformation */
+		size[0] = 8;
+		data[0] = buffer;
+
+		rc = SMB2_set_info_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID,
+					current->tgid, FILE_END_OF_FILE_INFORMATION,
+					SMB2_O_INFO_FILE, 0, data, size);
+		free_req1_func = SMB2_set_info_free;
 	} else if (qi.flags == PASSTHRU_QUERY_INFO) {
 		rqst[1].rq_iov = &vars->qi_iov[0];
 		rqst[1].rq_nvec = 1;
@@ -1763,6 +1762,7 @@ smb2_ioctl_query_info(const unsigned int
 				  qi.info_type, qi.additional_information,
 				  qi.input_buffer_length,
 				  qi.output_buffer_length, buffer);
+		free_req1_func = SMB2_query_info_free;
 	} else { /* unknown flags */
 		cifs_tcon_dbg(VFS, "Invalid passthru query flags: 0x%x\n",
 			      qi.flags);
@@ -1770,7 +1770,7 @@ smb2_ioctl_query_info(const unsigned int
 	}
 
 	if (rc)
-		goto iqinf_exit;
+		goto free_open_req;
 	smb2_set_next_command(tcon, &rqst[1]);
 	smb2_set_related(&rqst[1]);
 
@@ -1781,14 +1781,14 @@ smb2_ioctl_query_info(const unsigned int
 	rc = SMB2_close_init(tcon, server,
 			     &rqst[2], COMPOUND_FID, COMPOUND_FID, false);
 	if (rc)
-		goto iqinf_exit;
+		goto free_req_1;
 	smb2_set_related(&rqst[2]);
 
 	rc = compound_send_recv(xid, ses, server,
 				flags, 3, rqst,
 				resp_buftype, rsp_iov);
 	if (rc)
-		goto iqinf_exit;
+		goto out;
 
 	/* No need to bump num_remote_opens since handle immediately closed */
 	if (qi.flags & PASSTHRU_FSCTL) {
@@ -1798,18 +1798,22 @@ smb2_ioctl_query_info(const unsigned int
 			qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount);
 		if (qi.input_buffer_length > 0 &&
 		    le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length
-		    > rsp_iov[1].iov_len)
-			goto e_fault;
+		    > rsp_iov[1].iov_len) {
+			rc = -EFAULT;
+			goto out;
+		}
 
 		if (copy_to_user(&pqi->input_buffer_length,
 				 &qi.input_buffer_length,
-				 sizeof(qi.input_buffer_length)))
-			goto e_fault;
+				 sizeof(qi.input_buffer_length))) {
+			rc = -EFAULT;
+			goto out;
+		}
 
 		if (copy_to_user((void __user *)pqi + sizeof(struct smb_query_info),
 				 (const void *)io_rsp + le32_to_cpu(io_rsp->OutputOffset),
 				 qi.input_buffer_length))
-			goto e_fault;
+			rc = -EFAULT;
 	} else {
 		pqi = (struct smb_query_info __user *)arg;
 		qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base;
@@ -1817,28 +1821,30 @@ smb2_ioctl_query_info(const unsigned int
 			qi.input_buffer_length = le32_to_cpu(qi_rsp->OutputBufferLength);
 		if (copy_to_user(&pqi->input_buffer_length,
 				 &qi.input_buffer_length,
-				 sizeof(qi.input_buffer_length)))
-			goto e_fault;
+				 sizeof(qi.input_buffer_length))) {
+			rc = -EFAULT;
+			goto out;
+		}
 
 		if (copy_to_user(pqi + 1, qi_rsp->Buffer,
 				 qi.input_buffer_length))
-			goto e_fault;
+			rc = -EFAULT;
 	}
 
- iqinf_exit:
-	cifs_small_buf_release(rqst[0].rq_iov[0].iov_base);
-	cifs_small_buf_release(rqst[1].rq_iov[0].iov_base);
-	cifs_small_buf_release(rqst[2].rq_iov[0].iov_base);
+out:
 	free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base);
 	free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base);
 	free_rsp_buf(resp_buftype[2], rsp_iov[2].iov_base);
-	kfree(vars);
+	SMB2_close_free(&rqst[2]);
+free_req_1:
+	free_req1_func(&rqst[1]);
+free_open_req:
+	SMB2_open_free(&rqst[0]);
+free_output_buffer:
 	kfree(buffer);
+free_vars:
+	kfree(vars);
 	return rc;
-
-e_fault:
-	rc = -EFAULT;
-	goto iqinf_exit;
 }
 
 static ssize_t



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0096/1126] ALSA: cs4236: fix an incorrect NULL check on list iterator
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0095/1126] cifs: fix NULL ptr dereference " Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0097/1126] ALSA: hda: Avoid unsol event during RPM suspending Greg Kroah-Hartman
                   ` (893 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xiaomeng Tong, Takashi Iwai

From: Xiaomeng Tong <xiam0nd.tong@gmail.com>

commit 0112f822f8a6d8039c94e0bc9b264d7ffc5d4704 upstream.

The bug is here:
	err = snd_card_cs423x_pnp(dev, card->private_data, pdev, cdev);

The list iterator value 'cdev' will *always* be set and non-NULL
by list_for_each_entry(), so it is incorrect to assume that the
iterator value will be NULL if the list is empty or no element
is found.

To fix the bug, use a new variable 'iter' as the list iterator,
while use the original variable 'cdev' as a dedicated pointer
to point to the found element. And snd_card_cs423x_pnp() itself
has NULL check for cdev.

Cc: stable@vger.kernel.org
Fixes: c2b73d1458014 ("ALSA: cs4236: cs4232 and cs4236 driver merge to solve PnP BIOS detection")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Link: https://lore.kernel.org/r/20220327060822.4735-1-xiam0nd.tong@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/isa/cs423x/cs4236.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/sound/isa/cs423x/cs4236.c
+++ b/sound/isa/cs423x/cs4236.c
@@ -494,7 +494,7 @@ static int snd_cs423x_pnpbios_detect(str
 	static int dev;
 	int err;
 	struct snd_card *card;
-	struct pnp_dev *cdev;
+	struct pnp_dev *cdev, *iter;
 	char cid[PNP_ID_LEN];
 
 	if (pnp_device_is_isapnp(pdev))
@@ -510,9 +510,11 @@ static int snd_cs423x_pnpbios_detect(str
 	strcpy(cid, pdev->id[0].id);
 	cid[5] = '1';
 	cdev = NULL;
-	list_for_each_entry(cdev, &(pdev->protocol->devices), protocol_list) {
-		if (!strcmp(cdev->id[0].id, cid))
+	list_for_each_entry(iter, &(pdev->protocol->devices), protocol_list) {
+		if (!strcmp(iter->id[0].id, cid)) {
+			cdev = iter;
 			break;
+		}
 	}
 	err = snd_cs423x_card_new(&pdev->dev, dev, &card);
 	if (err < 0)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0097/1126] ALSA: hda: Avoid unsol event during RPM suspending
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0096/1126] ALSA: cs4236: fix an incorrect NULL check on list iterator Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0098/1126] ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock Greg Kroah-Hartman
                   ` (892 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mohan Kumar, Takashi Iwai

From: Mohan Kumar <mkumard@nvidia.com>

commit 6ddc2f749621d5d45ca03edc9f0616bcda136d29 upstream.

There is a corner case with unsol event handling during codec runtime
suspending state. When the codec runtime suspend call initiated, the
codec->in_pm atomic variable would be 0, currently the codec runtime
suspend function calls snd_hdac_enter_pm() which will just increments
the codec->in_pm atomic variable. Consider unsol event happened just
after this step and before snd_hdac_leave_pm() in the codec runtime
suspend function. The snd_hdac_power_up_pm() in the unsol event
flow in hdmi_present_sense_via_verbs() function would just increment
the codec->in_pm atomic variable without calling pm_runtime_get_sync
function.

As codec runtime suspend flow is already in progress and in parallel
unsol event is also accessing the codec verbs, as soon as codec
suspend flow completes and clocks are  switched off before completing
the unsol event handling as both functions doesn't wait for each other.
This will result in below errors

[  589.428020] tegra-hda 3510000.hda: azx_get_response timeout, switching
to polling mode: last cmd=0x505f2f57
[  589.428344] tegra-hda 3510000.hda: spurious response 0x80000074:0x5,
last cmd=0x505f2f57
[  589.428547] tegra-hda 3510000.hda: spurious response 0x80000065:0x5,
last cmd=0x505f2f57

To avoid this, the unsol event flow should not perform any codec verb
related operations during RPM_SUSPENDING state.

Signed-off-by: Mohan Kumar <mkumard@nvidia.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220329155940.26331-1-mkumard@nvidia.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_hdmi.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -1617,6 +1617,7 @@ static void hdmi_present_sense_via_verbs
 	struct hda_codec *codec = per_pin->codec;
 	struct hdmi_spec *spec = codec->spec;
 	struct hdmi_eld *eld = &spec->temp_eld;
+	struct device *dev = hda_codec_dev(codec);
 	hda_nid_t pin_nid = per_pin->pin_nid;
 	int dev_id = per_pin->dev_id;
 	/*
@@ -1630,8 +1631,13 @@ static void hdmi_present_sense_via_verbs
 	int present;
 	int ret;
 
+#ifdef	CONFIG_PM
+	if (dev->power.runtime_status == RPM_SUSPENDING)
+		return;
+#endif
+
 	ret = snd_hda_power_up_pm(codec);
-	if (ret < 0 && pm_runtime_suspended(hda_codec_dev(codec)))
+	if (ret < 0 && pm_runtime_suspended(dev))
 		goto out;
 
 	present = snd_hda_jack_pin_sense(codec, pin_nid, dev_id);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0098/1126] ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0097/1126] ALSA: hda: Avoid unsol event during RPM suspending Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0099/1126] ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020 Greg Kroah-Hartman
                   ` (891 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+6e5c88838328e99c7e1c, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit bc55cfd5718c7c23e5524582e9fa70b4d10f2433 upstream.

syzbot caught a potential deadlock between the PCM
runtime->buffer_mutex and the mm->mmap_lock.  It was brought by the
recent fix to cover the racy read/write and other ioctls, and in that
commit, I overlooked a (hopefully only) corner case that may take the
revert lock, namely, the OSS mmap.  The OSS mmap operation
exceptionally allows to re-configure the parameters inside the OSS
mmap syscall, where mm->mmap_mutex is already held.  Meanwhile, the
copy_from/to_user calls at read/write operations also take the
mm->mmap_lock internally, hence it may lead to a AB/BA deadlock.

A similar problem was already seen in the past and we fixed it with a
refcount (in commit b248371628aa).  The former fix covered only the
call paths with OSS read/write and OSS ioctls, while we need to cover
the concurrent access via both ALSA and OSS APIs now.

This patch addresses the problem above by replacing the buffer_mutex
lock in the read/write operations with a refcount similar as we've
used for OSS.  The new field, runtime->buffer_accessing, keeps the
number of concurrent read/write operations.  Unlike the former
buffer_mutex protection, this protects only around the
copy_from/to_user() calls; the other codes are basically protected by
the PCM stream lock.  The refcount can be a negative, meaning blocked
by the ioctls.  If a negative value is seen, the read/write aborts
with -EBUSY.  In the ioctl side, OTOH, they check this refcount, too,
and set to a negative value for blocking unless it's already being
accessed.

Reported-by: syzbot+6e5c88838328e99c7e1c@syzkaller.appspotmail.com
Fixes: dca947d4d26d ("ALSA: pcm: Fix races among concurrent read/write and buffer changes")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/000000000000381a0d05db622a81@google.com
Link: https://lore.kernel.org/r/20220330120903.4738-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/sound/pcm.h     |    1 +
 sound/core/pcm.c        |    1 +
 sound/core/pcm_lib.c    |    9 +++++----
 sound/core/pcm_native.c |   39 ++++++++++++++++++++++++++++++++-------
 4 files changed, 39 insertions(+), 11 deletions(-)

--- a/include/sound/pcm.h
+++ b/include/sound/pcm.h
@@ -402,6 +402,7 @@ struct snd_pcm_runtime {
 	struct fasync_struct *fasync;
 	bool stop_operating;		/* sync_stop will be called */
 	struct mutex buffer_mutex;	/* protect for buffer changes */
+	atomic_t buffer_accessing;	/* >0: in r/w operation, <0: blocked */
 
 	/* -- private section -- */
 	void *private_data;
--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -970,6 +970,7 @@ int snd_pcm_attach_substream(struct snd_
 
 	runtime->status->state = SNDRV_PCM_STATE_OPEN;
 	mutex_init(&runtime->buffer_mutex);
+	atomic_set(&runtime->buffer_accessing, 0);
 
 	substream->runtime = runtime;
 	substream->private_data = pcm->private_data;
--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -1906,11 +1906,9 @@ static int wait_for_avail(struct snd_pcm
 		if (avail >= runtime->twake)
 			break;
 		snd_pcm_stream_unlock_irq(substream);
-		mutex_unlock(&runtime->buffer_mutex);
 
 		tout = schedule_timeout(wait_time);
 
-		mutex_lock(&runtime->buffer_mutex);
 		snd_pcm_stream_lock_irq(substream);
 		set_current_state(TASK_INTERRUPTIBLE);
 		switch (runtime->status->state) {
@@ -2221,7 +2219,6 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str
 
 	nonblock = !!(substream->f_flags & O_NONBLOCK);
 
-	mutex_lock(&runtime->buffer_mutex);
 	snd_pcm_stream_lock_irq(substream);
 	err = pcm_accessible_state(runtime);
 	if (err < 0)
@@ -2276,6 +2273,10 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str
 			err = -EINVAL;
 			goto _end_unlock;
 		}
+		if (!atomic_inc_unless_negative(&runtime->buffer_accessing)) {
+			err = -EBUSY;
+			goto _end_unlock;
+		}
 		snd_pcm_stream_unlock_irq(substream);
 		if (!is_playback)
 			snd_pcm_dma_buffer_sync(substream, SNDRV_DMA_SYNC_CPU);
@@ -2284,6 +2285,7 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str
 		if (is_playback)
 			snd_pcm_dma_buffer_sync(substream, SNDRV_DMA_SYNC_DEVICE);
 		snd_pcm_stream_lock_irq(substream);
+		atomic_dec(&runtime->buffer_accessing);
 		if (err < 0)
 			goto _end_unlock;
 		err = pcm_accessible_state(runtime);
@@ -2313,7 +2315,6 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str
 	if (xfer > 0 && err >= 0)
 		snd_pcm_update_state(substream, runtime);
 	snd_pcm_stream_unlock_irq(substream);
-	mutex_unlock(&runtime->buffer_mutex);
 	return xfer > 0 ? (snd_pcm_sframes_t)xfer : err;
 }
 EXPORT_SYMBOL(__snd_pcm_lib_xfer);
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -685,6 +685,24 @@ static int snd_pcm_hw_params_choose(stru
 	return 0;
 }
 
+/* acquire buffer_mutex; if it's in r/w operation, return -EBUSY, otherwise
+ * block the further r/w operations
+ */
+static int snd_pcm_buffer_access_lock(struct snd_pcm_runtime *runtime)
+{
+	if (!atomic_dec_unless_positive(&runtime->buffer_accessing))
+		return -EBUSY;
+	mutex_lock(&runtime->buffer_mutex);
+	return 0; /* keep buffer_mutex, unlocked by below */
+}
+
+/* release buffer_mutex and clear r/w access flag */
+static void snd_pcm_buffer_access_unlock(struct snd_pcm_runtime *runtime)
+{
+	mutex_unlock(&runtime->buffer_mutex);
+	atomic_inc(&runtime->buffer_accessing);
+}
+
 #if IS_ENABLED(CONFIG_SND_PCM_OSS)
 #define is_oss_stream(substream)	((substream)->oss.oss)
 #else
@@ -695,14 +713,16 @@ static int snd_pcm_hw_params(struct snd_
 			     struct snd_pcm_hw_params *params)
 {
 	struct snd_pcm_runtime *runtime;
-	int err = 0, usecs;
+	int err, usecs;
 	unsigned int bits;
 	snd_pcm_uframes_t frames;
 
 	if (PCM_RUNTIME_CHECK(substream))
 		return -ENXIO;
 	runtime = substream->runtime;
-	mutex_lock(&runtime->buffer_mutex);
+	err = snd_pcm_buffer_access_lock(runtime);
+	if (err < 0)
+		return err;
 	snd_pcm_stream_lock_irq(substream);
 	switch (runtime->status->state) {
 	case SNDRV_PCM_STATE_OPEN:
@@ -820,7 +840,7 @@ static int snd_pcm_hw_params(struct snd_
 			snd_pcm_lib_free_pages(substream);
 	}
  unlock:
-	mutex_unlock(&runtime->buffer_mutex);
+	snd_pcm_buffer_access_unlock(runtime);
 	return err;
 }
 
@@ -865,7 +885,9 @@ static int snd_pcm_hw_free(struct snd_pc
 	if (PCM_RUNTIME_CHECK(substream))
 		return -ENXIO;
 	runtime = substream->runtime;
-	mutex_lock(&runtime->buffer_mutex);
+	result = snd_pcm_buffer_access_lock(runtime);
+	if (result < 0)
+		return result;
 	snd_pcm_stream_lock_irq(substream);
 	switch (runtime->status->state) {
 	case SNDRV_PCM_STATE_SETUP:
@@ -884,7 +906,7 @@ static int snd_pcm_hw_free(struct snd_pc
 	snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN);
 	cpu_latency_qos_remove_request(&substream->latency_pm_qos_req);
  unlock:
-	mutex_unlock(&runtime->buffer_mutex);
+	snd_pcm_buffer_access_unlock(runtime);
 	return result;
 }
 
@@ -1369,12 +1391,15 @@ static int snd_pcm_action_nonatomic(cons
 
 	/* Guarantee the group members won't change during non-atomic action */
 	down_read(&snd_pcm_link_rwsem);
-	mutex_lock(&substream->runtime->buffer_mutex);
+	res = snd_pcm_buffer_access_lock(substream->runtime);
+	if (res < 0)
+		goto unlock;
 	if (snd_pcm_stream_linked(substream))
 		res = snd_pcm_action_group(ops, substream, state, false);
 	else
 		res = snd_pcm_action_single(ops, substream, state);
-	mutex_unlock(&substream->runtime->buffer_mutex);
+	snd_pcm_buffer_access_unlock(substream->runtime);
+ unlock:
 	up_read(&snd_pcm_link_rwsem);
 	return res;
 }



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0099/1126] ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0098/1126] ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0100/1126] rtc: mc146818-lib: fix locking in mc146818_set_time Greg Kroah-Hartman
                   ` (890 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Dan Carpenter,
	Kai-Heng Feng, Takashi Iwai

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit f30741cded62f87bb4b1cc58bc627f076abcaba8 upstream.

Commit 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording
issue") is to solve recording issue met on AL236, by matching codec
variant ALC269_TYPE_ALC257 and ALC269_TYPE_ALC256.

This match can be too broad and Mi Notebook Pro 2020 is broken by the
patch.

Instead, use codec ID to be narrow down the scope, in order to make
ALC256 unaffected.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215484
Fixes: 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording issue")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Link: https://lore.kernel.org/r/20220330061335.1015533-1-kai.heng.feng@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -3617,8 +3617,8 @@ static void alc256_shutup(struct hda_cod
 	/* If disable 3k pulldown control for alc257, the Mic detection will not work correctly
 	 * when booting with headset plugged. So skip setting it for the codec alc257
 	 */
-	if (spec->codec_variant != ALC269_TYPE_ALC257 &&
-	    spec->codec_variant != ALC269_TYPE_ALC256)
+	if (codec->core.vendor_id != 0x10ec0236 &&
+	    codec->core.vendor_id != 0x10ec0257)
 		alc_update_coef_idx(codec, 0x46, 0, 3 << 12);
 
 	if (!spec->no_shutup_pins)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0100/1126] rtc: mc146818-lib: fix locking in mc146818_set_time
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0099/1126] ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020 Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0101/1126] rtc: pl031: fix rtc features null pointer dereference Greg Kroah-Hartman
                   ` (889 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mateusz Jończyk,
	Alessandro Zummo, Alexandre Belloni, Thomas Gleixner

From: Mateusz Jończyk <mat.jonczyk@o2.pl>

commit 811f5559270f25c34c338d6eaa2ece2544c3d3bd upstream.

In mc146818_set_time(), CMOS_READ(RTC_CONTROL) was performed without the
rtc_lock taken, which is required for CMOS accesses. Fix this.

Nothing in kernel modifies RTC_DM_BINARY, so a separate critical section
is allowed here.

Fixes: dcf257e92622 ("rtc: mc146818: Reduce spinlock section in mc146818_set_time()")
Signed-off-by: Mateusz Jończyk <mat.jonczyk@o2.pl>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/20220220090403.153928-1-mat.jonczyk@o2.pl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/rtc/rtc-mc146818-lib.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/rtc/rtc-mc146818-lib.c
+++ b/drivers/rtc/rtc-mc146818-lib.c
@@ -232,8 +232,10 @@ int mc146818_set_time(struct rtc_time *t
 	if (yrs >= 100)
 		yrs -= 100;
 
-	if (!(CMOS_READ(RTC_CONTROL) & RTC_DM_BINARY)
-	    || RTC_ALWAYS_BCD) {
+	spin_lock_irqsave(&rtc_lock, flags);
+	save_control = CMOS_READ(RTC_CONTROL);
+	spin_unlock_irqrestore(&rtc_lock, flags);
+	if (!(save_control & RTC_DM_BINARY) || RTC_ALWAYS_BCD) {
 		sec = bin2bcd(sec);
 		min = bin2bcd(min);
 		hrs = bin2bcd(hrs);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0101/1126] rtc: pl031: fix rtc features null pointer dereference
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0100/1126] rtc: mc146818-lib: fix locking in mc146818_set_time Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0102/1126] io_uring: ensure that fsnotify is always called Greg Kroah-Hartman
                   ` (888 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ali Pouladi, Elliot Berman,
	Alexandre Belloni

From: Ali Pouladi <quic_apouladi@quicinc.com>

commit ea6af39f3da50c86367a71eb3cc674ade3ed244c upstream.

When there is no interrupt line, rtc alarm feature is disabled.

The clearing of the alarm feature bit was being done prior to allocations
of ldata->rtc device, resulting in a null pointer dereference.

Clear RTC_FEATURE_ALARM after the rtc device is allocated.

Fixes: d9b0dd54a194 ("rtc: pl031: use RTC_FEATURE_ALARM")
Cc: stable@vger.kernel.org
Signed-off-by: Ali Pouladi <quic_apouladi@quicinc.com>
Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/20220225161924.274141-1-quic_eberman@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/rtc/rtc-pl031.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/rtc/rtc-pl031.c
+++ b/drivers/rtc/rtc-pl031.c
@@ -350,9 +350,6 @@ static int pl031_probe(struct amba_devic
 		}
 	}
 
-	if (!adev->irq[0])
-		clear_bit(RTC_FEATURE_ALARM, ldata->rtc->features);
-
 	device_init_wakeup(&adev->dev, true);
 	ldata->rtc = devm_rtc_allocate_device(&adev->dev);
 	if (IS_ERR(ldata->rtc)) {
@@ -360,6 +357,9 @@ static int pl031_probe(struct amba_devic
 		goto out;
 	}
 
+	if (!adev->irq[0])
+		clear_bit(RTC_FEATURE_ALARM, ldata->rtc->features);
+
 	ldata->rtc->ops = ops;
 	ldata->rtc->range_min = vendor->range_min;
 	ldata->rtc->range_max = vendor->range_max;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0102/1126] io_uring: ensure that fsnotify is always called
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0101/1126] rtc: pl031: fix rtc features null pointer dereference Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0103/1126] ocfs2: fix crash when mount with quota enabled Greg Kroah-Hartman
                   ` (887 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jens Axboe

From: Jens Axboe <axboe@kernel.dk>

commit f63cf5192fe3418ad5ae1a4412eba5694b145f79 upstream.

Ensure that we call fsnotify_modify() if we write a file, and that we
do fsnotify_access() if we read it. This enables anyone using inotify
on the file to get notified.

Ditto for fallocate, ensure that fsnotify_modify() is called.

Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/io_uring.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2813,8 +2813,12 @@ static bool io_rw_should_reissue(struct
 
 static bool __io_complete_rw_common(struct io_kiocb *req, long res)
 {
-	if (req->rw.kiocb.ki_flags & IOCB_WRITE)
+	if (req->rw.kiocb.ki_flags & IOCB_WRITE) {
 		kiocb_end_write(req);
+		fsnotify_modify(req->file);
+	} else {
+		fsnotify_access(req->file);
+	}
 	if (unlikely(res != req->result)) {
 		if ((res == -EAGAIN || res == -EOPNOTSUPP) &&
 		    io_rw_should_reissue(req)) {
@@ -4301,6 +4305,8 @@ static int io_fallocate(struct io_kiocb
 				req->sync.len);
 	if (ret < 0)
 		req_set_fail(req);
+	else
+		fsnotify_modify(req->file);
 	io_req_complete(req, ret);
 	return 0;
 }



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0103/1126] ocfs2: fix crash when mount with quota enabled
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0102/1126] io_uring: ensure that fsnotify is always called Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0104/1126] drm/simpledrm: Add "panel orientation" property on non-upright mounted LCD panels Greg Kroah-Hartman
                   ` (886 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joseph Qi, Dayvison, Valentin Vidic,
	Andrew Morton, Linus Torvalds

From: Joseph Qi <joseph.qi@linux.alibaba.com>

commit de19433423c7bedabbd4f9a25f7dbc62c5e78921 upstream.

There is a reported crash when mounting ocfs2 with quota enabled.

  RIP: 0010:ocfs2_qinfo_lock_res_init+0x44/0x50 [ocfs2]
  Call Trace:
    ocfs2_local_read_info+0xb9/0x6f0 [ocfs2]
    dquot_load_quota_sb+0x216/0x470
    dquot_load_quota_inode+0x85/0x100
    ocfs2_enable_quotas+0xa0/0x1c0 [ocfs2]
    ocfs2_fill_super.cold+0xc8/0x1bf [ocfs2]
    mount_bdev+0x185/0x1b0
    legacy_get_tree+0x27/0x40
    vfs_get_tree+0x25/0xb0
    path_mount+0x465/0xac0
    __x64_sys_mount+0x103/0x140

It is caused by when initializing dqi_gqlock, the corresponding dqi_type
and dqi_sb are not properly initialized.

This issue is introduced by commit 6c85c2c72819, which wants to avoid
accessing uninitialized variables in error cases.  So make global quota
info properly initialized.

Link: https://lkml.kernel.org/r/20220323023644.40084-1-joseph.qi@linux.alibaba.com
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007141
Fixes: 6c85c2c72819 ("ocfs2: quota_local: fix possible uninitialized-variable access in ocfs2_local_read_info()")
Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reported-by: Dayvison <sathlerds@gmail.com>
Tested-by: Valentin Vidic <vvidic@valentin-vidic.from.hr>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ocfs2/quota_global.c |   23 ++++++++++++-----------
 fs/ocfs2/quota_local.c  |    2 --
 2 files changed, 12 insertions(+), 13 deletions(-)

--- a/fs/ocfs2/quota_global.c
+++ b/fs/ocfs2/quota_global.c
@@ -337,7 +337,6 @@ void ocfs2_unlock_global_qf(struct ocfs2
 /* Read information header from global quota file */
 int ocfs2_global_read_info(struct super_block *sb, int type)
 {
-	struct inode *gqinode = NULL;
 	unsigned int ino[OCFS2_MAXQUOTAS] = { USER_QUOTA_SYSTEM_INODE,
 					      GROUP_QUOTA_SYSTEM_INODE };
 	struct ocfs2_global_disk_dqinfo dinfo;
@@ -346,29 +345,31 @@ int ocfs2_global_read_info(struct super_
 	u64 pcount;
 	int status;
 
+	oinfo->dqi_gi.dqi_sb = sb;
+	oinfo->dqi_gi.dqi_type = type;
+	ocfs2_qinfo_lock_res_init(&oinfo->dqi_gqlock, oinfo);
+	oinfo->dqi_gi.dqi_entry_size = sizeof(struct ocfs2_global_disk_dqblk);
+	oinfo->dqi_gi.dqi_ops = &ocfs2_global_ops;
+	oinfo->dqi_gqi_bh = NULL;
+	oinfo->dqi_gqi_count = 0;
+
 	/* Read global header */
-	gqinode = ocfs2_get_system_file_inode(OCFS2_SB(sb), ino[type],
+	oinfo->dqi_gqinode = ocfs2_get_system_file_inode(OCFS2_SB(sb), ino[type],
 			OCFS2_INVALID_SLOT);
-	if (!gqinode) {
+	if (!oinfo->dqi_gqinode) {
 		mlog(ML_ERROR, "failed to get global quota inode (type=%d)\n",
 			type);
 		status = -EINVAL;
 		goto out_err;
 	}
-	oinfo->dqi_gi.dqi_sb = sb;
-	oinfo->dqi_gi.dqi_type = type;
-	oinfo->dqi_gi.dqi_entry_size = sizeof(struct ocfs2_global_disk_dqblk);
-	oinfo->dqi_gi.dqi_ops = &ocfs2_global_ops;
-	oinfo->dqi_gqi_bh = NULL;
-	oinfo->dqi_gqi_count = 0;
-	oinfo->dqi_gqinode = gqinode;
+
 	status = ocfs2_lock_global_qf(oinfo, 0);
 	if (status < 0) {
 		mlog_errno(status);
 		goto out_err;
 	}
 
-	status = ocfs2_extent_map_get_blocks(gqinode, 0, &oinfo->dqi_giblk,
+	status = ocfs2_extent_map_get_blocks(oinfo->dqi_gqinode, 0, &oinfo->dqi_giblk,
 					     &pcount, NULL);
 	if (status < 0)
 		goto out_unlock;
--- a/fs/ocfs2/quota_local.c
+++ b/fs/ocfs2/quota_local.c
@@ -702,8 +702,6 @@ static int ocfs2_local_read_info(struct
 	info->dqi_priv = oinfo;
 	oinfo->dqi_type = type;
 	INIT_LIST_HEAD(&oinfo->dqi_chunk);
-	oinfo->dqi_gqinode = NULL;
-	ocfs2_qinfo_lock_res_init(&oinfo->dqi_gqlock, oinfo);
 	oinfo->dqi_rec = NULL;
 	oinfo->dqi_lqi_bh = NULL;
 	oinfo->dqi_libh = NULL;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0104/1126] drm/simpledrm: Add "panel orientation" property on non-upright mounted LCD panels
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0103/1126] ocfs2: fix crash when mount with quota enabled Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0105/1126] mm: madvise: skip unmapped vma holes passed to process_madvise Greg Kroah-Hartman
                   ` (885 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Javier Martinez Canillas,
	Hans de Goede, Thomas Zimmermann

From: Hans de Goede <hdegoede@redhat.com>

commit 94fa115f7b28a3f02611499175e134f0a823b686 upstream.

Some devices use e.g. a portrait panel in a standard laptop casing made
for landscape panels. efifb calls drm_get_panel_orientation_quirk() and
sets fb_info.fbcon_rotate_hint to make fbcon rotate the console so that
it shows up-right instead of on its side.

When switching to simpledrm the fbcon renders on its side. Call the
drm_connector_set_panel_orientation_with_quirk() helper to add
a "panel orientation" property on devices listed in the quirk table,
to make the fbcon (and aware userspace apps) rotate the image to
display properly.

Cc: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20220221220045.11958-1-hdegoede@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/tiny/simpledrm.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/tiny/simpledrm.c
+++ b/drivers/gpu/drm/tiny/simpledrm.c
@@ -798,6 +798,9 @@ static int simpledrm_device_init_modeset
 	if (ret)
 		return ret;
 	drm_connector_helper_add(connector, &simpledrm_connector_helper_funcs);
+	drm_connector_set_panel_orientation_with_quirk(connector,
+						       DRM_MODE_PANEL_ORIENTATION_UNKNOWN,
+						       mode->hdisplay, mode->vdisplay);
 
 	formats = simpledrm_device_formats(sdev, &nformats);
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0105/1126] mm: madvise: skip unmapped vma holes passed to process_madvise
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0104/1126] drm/simpledrm: Add "panel orientation" property on non-upright mounted LCD panels Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0106/1126] mm: madvise: return correct bytes advised with process_madvise Greg Kroah-Hartman
                   ` (884 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Charan Teja Kalla, David Rientjes,
	Michal Hocko, Minchan Kim, Nadav Amit, Stephen Rothwell,
	Suren Baghdasaryan, Vlastimil Babka, Andrew Morton,
	Linus Torvalds

From: Charan Teja Kalla <quic_charante@quicinc.com>

commit 08095d6310a7ce43256b4251577bc66a25c6e1a6 upstream.

The process_madvise() system call is expected to skip holes in vma passed
through 'struct iovec' vector list.  But do_madvise, which
process_madvise() calls for each vma, returns ENOMEM in case of unmapped
holes, despite the VMA is processed.

Thus process_madvise() should treat ENOMEM as expected and consider the
VMA passed to as processed and continue processing other vma's in the
vector list.  Returning -ENOMEM to user, despite the VMA is processed,
will be unable to figure out where to start the next madvise.

Link: https://lkml.kernel.org/r/4f091776142f2ebf7b94018146de72318474e686.1647008754.git.quic_charante@quicinc.com
Fixes: ecb8ac8b1f14("mm/madvise: introduce process_madvise() syscall: an external memory hinting API")
Signed-off-by: Charan Teja Kalla <quic_charante@quicinc.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Nadav Amit <nadav.amit@gmail.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/madvise.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -1426,9 +1426,16 @@ SYSCALL_DEFINE5(process_madvise, int, pi
 
 	while (iov_iter_count(&iter)) {
 		iovec = iov_iter_iovec(&iter);
+		/*
+		 * do_madvise returns ENOMEM if unmapped holes are present
+		 * in the passed VMA. process_madvise() is expected to skip
+		 * unmapped holes passed to it in the 'struct iovec' list
+		 * and not fail because of them. Thus treat -ENOMEM return
+		 * from do_madvise as valid and continue processing.
+		 */
 		ret = do_madvise(mm, (unsigned long)iovec.iov_base,
 					iovec.iov_len, behavior);
-		if (ret < 0)
+		if (ret < 0 && ret != -ENOMEM)
 			break;
 		iov_iter_advance(&iter, iovec.iov_len);
 	}



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0106/1126] mm: madvise: return correct bytes advised with process_madvise
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0105/1126] mm: madvise: skip unmapped vma holes passed to process_madvise Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0107/1126] Revert "mm: madvise: skip unmapped vma holes passed to process_madvise" Greg Kroah-Hartman
                   ` (883 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Charan Teja Kalla,
	Suren Baghdasaryan, Vlastimil Babka, David Rientjes,
	Stephen Rothwell, Minchan Kim, Nadav Amit, Michal Hocko,
	Andrew Morton, Linus Torvalds

From: Charan Teja Kalla <quic_charante@quicinc.com>

commit 5bd009c7c9a9e888077c07535dc0c70aeab242c3 upstream.

Patch series "mm: madvise: return correct bytes processed with
process_madvise", v2.  With the process_madvise(), always choose to return
non zero processed bytes over an error.  This can help the user to know on
which VMA, passed in the 'struct iovec' vector list, is failed to advise
thus can take the decission of retrying/skipping on that VMA.

This patch (of 2):

The process_madvise() system call returns error even after processing some
VMA's passed in the 'struct iovec' vector list which leaves the user
confused to know where to restart the advise next.  It is also against
this syscall man page[1] documentation where it mentions that "return
value may be less than the total number of requested bytes, if an error
occurred after some iovec elements were already processed.".

Consider a user passed 10 VMA's in the 'struct iovec' vector list of which
9 are processed but one.  Then it just returns the error caused on that
failed VMA despite the first 9 VMA's processed, leaving the user confused
about on which VMA it is failed.  Returning the number of bytes processed
here can help the user to know which VMA it is failed on and thus can
retry/skip the advise on that VMA.

[1]https://man7.org/linux/man-pages/man2/process_madvise.2.html.

Link: https://lkml.kernel.org/r/cover.1647008754.git.quic_charante@quicinc.com
Link: https://lkml.kernel.org/r/125b61a0edcee5c2db8658aed9d06a43a19ccafc.1647008754.git.quic_charante@quicinc.com
Fixes: ecb8ac8b1f14("mm/madvise: introduce process_madvise() syscall: an external memory hinting API")
Signed-off-by: Charan Teja Kalla <quic_charante@quicinc.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: David Rientjes <rientjes@google.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Nadav Amit <nadav.amit@gmail.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/madvise.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -1440,8 +1440,7 @@ SYSCALL_DEFINE5(process_madvise, int, pi
 		iov_iter_advance(&iter, iovec.iov_len);
 	}
 
-	if (ret == 0)
-		ret = total_len - iov_iter_count(&iter);
+	ret = (total_len - iov_iter_count(&iter)) ? : ret;
 
 release_mm:
 	mmput(mm);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0107/1126] Revert "mm: madvise: skip unmapped vma holes passed to process_madvise"
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0106/1126] mm: madvise: return correct bytes advised with process_madvise Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0108/1126] mm,hwpoison: unmap poisoned page before invalidation Greg Kroah-Hartman
                   ` (882 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Charan Teja Kalla, Michal Hocko,
	Suren Baghdasaryan, Vlastimil Babka, David Rientjes, Nadav Amit,
	Andrew Morton, Linus Torvalds

From: Charan Teja Kalla <quic_charante@quicinc.com>

commit e6b0a7b357659c332231621e4315658d062c23ee upstream.

This reverts commit 08095d6310a7 ("mm: madvise: skip unmapped vma holes
passed to process_madvise") as process_madvise() fails to return the
exact processed bytes in other cases too.

As an example: if process_madvise() hits mlocked pages after processing
some initial bytes passed in [start, end), it just returns EINVAL
although some bytes are processed.  Thus making an exception only for
ENOMEM is partially fixing the problem of returning the proper advised
bytes.

Thus revert this patch and return proper bytes advised.

Link: https://lkml.kernel.org/r/e73da1304a88b6a8a11907045117cccf4c2b8374.1648046642.git.quic_charante@quicinc.com
Fixes: 08095d6310a7ce ("mm: madvise: skip unmapped vma holes passed to process_madvise")
Signed-off-by: Charan Teja Kalla <quic_charante@quicinc.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: David Rientjes <rientjes@google.com>
Cc: Nadav Amit <nadav.amit@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/madvise.c |    9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -1426,16 +1426,9 @@ SYSCALL_DEFINE5(process_madvise, int, pi
 
 	while (iov_iter_count(&iter)) {
 		iovec = iov_iter_iovec(&iter);
-		/*
-		 * do_madvise returns ENOMEM if unmapped holes are present
-		 * in the passed VMA. process_madvise() is expected to skip
-		 * unmapped holes passed to it in the 'struct iovec' list
-		 * and not fail because of them. Thus treat -ENOMEM return
-		 * from do_madvise as valid and continue processing.
-		 */
 		ret = do_madvise(mm, (unsigned long)iovec.iov_base,
 					iovec.iov_len, behavior);
-		if (ret < 0 && ret != -ENOMEM)
+		if (ret < 0)
 			break;
 		iov_iter_advance(&iter, iovec.iov_len);
 	}



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0108/1126] mm,hwpoison: unmap poisoned page before invalidation
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0107/1126] Revert "mm: madvise: skip unmapped vma holes passed to process_madvise" Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0109/1126] mm: only re-generate demotion targets when a numa node changes its N_CPU state Greg Kroah-Hartman
                   ` (881 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rik van Riel, Miaohe Lin,
	Naoya Horiguchi, Oscar Salvador, Mel Gorman, Johannes Weiner,
	Andrew Morton, Linus Torvalds

From: Rik van Riel <riel@surriel.com>

commit 3149c79f3cb0e2e3bafb7cfadacec090cbd250d3 upstream.

In some cases it appears the invalidation of a hwpoisoned page fails
because the page is still mapped in another process.  This can cause a
program to be continuously restarted and die when it page faults on the
page that was not invalidated.  Avoid that problem by unmapping the
hwpoisoned page when we find it.

Another issue is that sometimes we end up oopsing in finish_fault, if
the code tries to do something with the now-NULL vmf->page.  I did not
hit this error when submitting the previous patch because there are
several opportunities for alloc_set_pte to bail out before accessing
vmf->page, and that apparently happened on those systems, and most of
the time on other systems, too.

However, across several million systems that error does occur a handful
of times a day.  It can be avoided by returning VM_FAULT_NOPAGE which
will cause do_read_fault to return before calling finish_fault.

Link: https://lkml.kernel.org/r/20220325161428.5068d97e@imladris.surriel.com
Fixes: e53ac7374e64 ("mm: invalidate hwpoison page cache page in fault path")
Signed-off-by: Rik van Riel <riel@surriel.com>
Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
Tested-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/memory.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3893,14 +3893,18 @@ static vm_fault_t __do_fault(struct vm_f
 		return ret;
 
 	if (unlikely(PageHWPoison(vmf->page))) {
+		struct page *page = vmf->page;
 		vm_fault_t poisonret = VM_FAULT_HWPOISON;
 		if (ret & VM_FAULT_LOCKED) {
+			if (page_mapped(page))
+				unmap_mapping_pages(page_mapping(page),
+						    page->index, 1, false);
 			/* Retry if a clean page was removed from the cache. */
-			if (invalidate_inode_page(vmf->page))
-				poisonret = 0;
-			unlock_page(vmf->page);
+			if (invalidate_inode_page(page))
+				poisonret = VM_FAULT_NOPAGE;
+			unlock_page(page);
 		}
-		put_page(vmf->page);
+		put_page(page);
 		vmf->page = NULL;
 		return poisonret;
 	}



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0109/1126] mm: only re-generate demotion targets when a numa node changes its N_CPU state
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0108/1126] mm,hwpoison: unmap poisoned page before invalidation Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0110/1126] mm/kmemleak: reset tag when compare object pointer Greg Kroah-Hartman
                   ` (880 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oscar Salvador, Baolin Wang,
	Abhishek Goel, Dave Hansen, Huang, Ying, Andrew Morton,
	Linus Torvalds

From: Oscar Salvador <osalvador@suse.de>

commit 734c15700cdf9062ae98d8b131c6fe873dfad26d upstream.

Abhishek reported that after patch [1], hotplug operations are taking
roughly double the expected time.  [2]

The reason behind is that the CPU callbacks that
migrate_on_reclaim_init() sets always call set_migration_target_nodes()
whenever a CPU is brought up/down.

But we only care about numa nodes going from having cpus to become
cpuless, and vice versa, as that influences the demotion_target order.

We do already have two CPU callbacks (vmstat_cpu_online() and
vmstat_cpu_dead()) that check exactly that, so get rid of the CPU
callbacks in migrate_on_reclaim_init() and only call
set_migration_target_nodes() from vmstat_cpu_{dead,online}() whenever a
numa node change its N_CPU state.

[1] https://lore.kernel.org/linux-mm/20210721063926.3024591-2-ying.huang@intel.com/
[2] https://lore.kernel.org/linux-mm/eb438ddd-2919-73d4-bd9f-b7eecdd9577a@linux.vnet.ibm.com/

[osalvador@suse.de: add feedback from Huang Ying]
  Link: https://lkml.kernel.org/r/20220314150945.12694-1-osalvador@suse.de

Link: https://lkml.kernel.org/r/20220310120749.23077-1-osalvador@suse.de
Fixes: 884a6e5d1f93b ("mm/migrate: update node demotion order on hotplug events")
Signed-off-by: Oscar Salvador <osalvador@suse.de>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Tested-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Reported-by: Abhishek Goel <huntbag@linux.vnet.ibm.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: "Huang, Ying" <ying.huang@intel.com>
Cc: Abhishek Goel <huntbag@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/migrate.h |    8 ++++++++
 mm/migrate.c            |   47 ++++++++++-------------------------------------
 mm/vmstat.c             |   13 ++++++++++++-
 3 files changed, 30 insertions(+), 38 deletions(-)

--- a/include/linux/migrate.h
+++ b/include/linux/migrate.h
@@ -48,7 +48,15 @@ int folio_migrate_mapping(struct address
 		struct folio *newfolio, struct folio *folio, int extra_count);
 
 extern bool numa_demotion_enabled;
+extern void migrate_on_reclaim_init(void);
+#ifdef CONFIG_HOTPLUG_CPU
+extern void set_migration_target_nodes(void);
 #else
+static inline void set_migration_target_nodes(void) {}
+#endif
+#else
+
+static inline void set_migration_target_nodes(void) {}
 
 static inline void putback_movable_pages(struct list_head *l) {}
 static inline int migrate_pages(struct list_head *l, new_page_t new,
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -3190,7 +3190,7 @@ again:
 /*
  * For callers that do not hold get_online_mems() already.
  */
-static void set_migration_target_nodes(void)
+void set_migration_target_nodes(void)
 {
 	get_online_mems();
 	__set_migration_target_nodes();
@@ -3254,51 +3254,24 @@ static int __meminit migrate_on_reclaim_
 	return notifier_from_errno(0);
 }
 
-/*
- * React to hotplug events that might affect the migration targets
- * like events that online or offline NUMA nodes.
- *
- * The ordering is also currently dependent on which nodes have
- * CPUs.  That means we need CPU on/offline notification too.
- */
-static int migration_online_cpu(unsigned int cpu)
-{
-	set_migration_target_nodes();
-	return 0;
-}
-
-static int migration_offline_cpu(unsigned int cpu)
-{
-	set_migration_target_nodes();
-	return 0;
-}
-
-static int __init migrate_on_reclaim_init(void)
+void __init migrate_on_reclaim_init(void)
 {
-	int ret;
-
 	node_demotion = kmalloc_array(nr_node_ids,
 				      sizeof(struct demotion_nodes),
 				      GFP_KERNEL);
 	WARN_ON(!node_demotion);
 
-	ret = cpuhp_setup_state_nocalls(CPUHP_MM_DEMOTION_DEAD, "mm/demotion:offline",
-					NULL, migration_offline_cpu);
+	hotplug_memory_notifier(migrate_on_reclaim_callback, 100);
 	/*
-	 * In the unlikely case that this fails, the automatic
-	 * migration targets may become suboptimal for nodes
-	 * where N_CPU changes.  With such a small impact in a
-	 * rare case, do not bother trying to do anything special.
+	 * At this point, all numa nodes with memory/CPus have their state
+	 * properly set, so we can build the demotion order now.
+	 * Let us hold the cpu_hotplug lock just, as we could possibily have
+	 * CPU hotplug events during boot.
 	 */
-	WARN_ON(ret < 0);
-	ret = cpuhp_setup_state(CPUHP_AP_MM_DEMOTION_ONLINE, "mm/demotion:online",
-				migration_online_cpu, NULL);
-	WARN_ON(ret < 0);
-
-	hotplug_memory_notifier(migrate_on_reclaim_callback, 100);
-	return 0;
+	cpus_read_lock();
+	set_migration_target_nodes();
+	cpus_read_unlock();
 }
-late_initcall(migrate_on_reclaim_init);
 #endif /* CONFIG_HOTPLUG_CPU */
 
 bool numa_demotion_enabled = false;
--- a/mm/vmstat.c
+++ b/mm/vmstat.c
@@ -28,6 +28,7 @@
 #include <linux/mm_inline.h>
 #include <linux/page_ext.h>
 #include <linux/page_owner.h>
+#include <linux/migrate.h>
 
 #include "internal.h"
 
@@ -2043,7 +2044,12 @@ static void __init init_cpu_node_state(v
 static int vmstat_cpu_online(unsigned int cpu)
 {
 	refresh_zone_stat_thresholds();
-	node_set_state(cpu_to_node(cpu), N_CPU);
+
+	if (!node_state(cpu_to_node(cpu), N_CPU)) {
+		node_set_state(cpu_to_node(cpu), N_CPU);
+		set_migration_target_nodes();
+	}
+
 	return 0;
 }
 
@@ -2066,6 +2072,8 @@ static int vmstat_cpu_dead(unsigned int
 		return 0;
 
 	node_clear_state(node, N_CPU);
+	set_migration_target_nodes();
+
 	return 0;
 }
 
@@ -2097,6 +2105,9 @@ void __init init_mm_internals(void)
 
 	start_shepherd_timer();
 #endif
+#if defined(CONFIG_MIGRATION) && defined(CONFIG_HOTPLUG_CPU)
+	migrate_on_reclaim_init();
+#endif
 #ifdef CONFIG_PROC_FS
 	proc_create_seq("buddyinfo", 0444, NULL, &fragmentation_op);
 	proc_create_seq("pagetypeinfo", 0400, NULL, &pagetypeinfo_op);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0110/1126] mm/kmemleak: reset tag when compare object pointer
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0109/1126] mm: only re-generate demotion targets when a numa node changes its N_CPU state Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0111/1126] dm stats: fix too short end duration_ns when using precise_timestamps Greg Kroah-Hartman
                   ` (879 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kuan-Ying Lee, Catalin Marinas,
	Matthias Brugger, Chinwen Chang, Nicholas Tang, Yee Lee,
	Andrew Morton, Linus Torvalds

From: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>

commit bfc8089f00fa526dea983844c880fa8106c33ac4 upstream.

When we use HW-tag based kasan and enable vmalloc support, we hit the
following bug.  It is due to comparison between tagged object and
non-tagged pointer.

We need to reset the kasan tag when we need to compare tagged object and
non-tagged pointer.

  kmemleak: [name:kmemleak&]Scan area larger than object 0xffffffe77076f440
  CPU: 4 PID: 1 Comm: init Tainted: G S      W         5.15.25-android13-0-g5cacf919c2bc #1
  Hardware name: MT6983(ENG) (DT)
  Call trace:
   add_scan_area+0xc4/0x244
   kmemleak_scan_area+0x40/0x9c
   layout_and_allocate+0x1e8/0x288
   load_module+0x2c8/0xf00
   __se_sys_finit_module+0x190/0x1d0
   __arm64_sys_finit_module+0x20/0x30
   invoke_syscall+0x60/0x170
   el0_svc_common+0xc8/0x114
   do_el0_svc+0x28/0xa0
   el0_svc+0x60/0xf8
   el0t_64_sync_handler+0x88/0xec
   el0t_64_sync+0x1b4/0x1b8
  kmemleak: [name:kmemleak&]Object 0xf5ffffe77076b000 (size 32768):
  kmemleak: [name:kmemleak&]  comm "init", pid 1, jiffies 4294894197
  kmemleak: [name:kmemleak&]  min_count = 0
  kmemleak: [name:kmemleak&]  count = 0
  kmemleak: [name:kmemleak&]  flags = 0x1
  kmemleak: [name:kmemleak&]  checksum = 0
  kmemleak: [name:kmemleak&]  backtrace:
       module_alloc+0x9c/0x120
       move_module+0x34/0x19c
       layout_and_allocate+0x1c4/0x288
       load_module+0x2c8/0xf00
       __se_sys_finit_module+0x190/0x1d0
       __arm64_sys_finit_module+0x20/0x30
       invoke_syscall+0x60/0x170
       el0_svc_common+0xc8/0x114
       do_el0_svc+0x28/0xa0
       el0_svc+0x60/0xf8
       el0t_64_sync_handler+0x88/0xec
       el0t_64_sync+0x1b4/0x1b8

Link: https://lkml.kernel.org/r/20220318034051.30687-1-Kuan-Ying.Lee@mediatek.com
Signed-off-by: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Matthias Brugger <matthias.bgg@gmail.com>
Cc: Chinwen Chang <chinwen.chang@mediatek.com>
Cc: Nicholas Tang <nicholas.tang@mediatek.com>
Cc: Yee Lee <yee.lee@mediatek.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/kmemleak.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -796,6 +796,8 @@ static void add_scan_area(unsigned long
 	unsigned long flags;
 	struct kmemleak_object *object;
 	struct kmemleak_scan_area *area = NULL;
+	unsigned long untagged_ptr;
+	unsigned long untagged_objp;
 
 	object = find_and_get_object(ptr, 1);
 	if (!object) {
@@ -804,6 +806,9 @@ static void add_scan_area(unsigned long
 		return;
 	}
 
+	untagged_ptr = (unsigned long)kasan_reset_tag((void *)ptr);
+	untagged_objp = (unsigned long)kasan_reset_tag((void *)object->pointer);
+
 	if (scan_area_cache)
 		area = kmem_cache_alloc(scan_area_cache, gfp_kmemleak_mask(gfp));
 
@@ -815,8 +820,8 @@ static void add_scan_area(unsigned long
 		goto out_unlock;
 	}
 	if (size == SIZE_MAX) {
-		size = object->pointer + object->size - ptr;
-	} else if (ptr + size > object->pointer + object->size) {
+		size = untagged_objp + object->size - untagged_ptr;
+	} else if (untagged_ptr + size > untagged_objp + object->size) {
 		kmemleak_warn("Scan area larger than object 0x%08lx\n", ptr);
 		dump_object_info(object);
 		kmem_cache_free(scan_area_cache, area);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0111/1126] dm stats: fix too short end duration_ns when using precise_timestamps
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0110/1126] mm/kmemleak: reset tag when compare object pointer Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0112/1126] dm: fix use-after-free in dm_cleanup_zoned_dev() Greg Kroah-Hartman
                   ` (878 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer

From: Mike Snitzer <snitzer@redhat.com>

commit 0cdb90f0f306384ecbc60dfd6dc48cdbc1f2d0d8 upstream.

dm_stats_account_io()'s STAT_PRECISE_TIMESTAMPS support doesn't handle
the fact that with commit b879f915bc48 ("dm: properly fix redundant
bio-based IO accounting") io->start_time _may_ be in the past (meaning
the start_io_acct() was deferred until later).

Add a new dm_stats_recalc_precise_timestamps() helper that will
set/clear a new 'precise_timestamps' flag in the dm_stats struct based
on whether any configured stats enable STAT_PRECISE_TIMESTAMPS.
And update DM core's alloc_io() to use dm_stats_record_start() to set
stats_aux.duration_ns if stats->precise_timestamps is true.

Also, remove unused 'last_sector' and 'last_rw' members from the
dm_stats struct.

Fixes: b879f915bc48 ("dm: properly fix redundant bio-based IO accounting")
Cc: stable@vger.kernel.org
Co-developed-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-stats.c |   28 +++++++++++++++++++++++++---
 drivers/md/dm-stats.h |    9 +++++++--
 drivers/md/dm.c       |    2 ++
 3 files changed, 34 insertions(+), 5 deletions(-)

--- a/drivers/md/dm-stats.c
+++ b/drivers/md/dm-stats.c
@@ -195,6 +195,7 @@ void dm_stats_init(struct dm_stats *stat
 
 	mutex_init(&stats->mutex);
 	INIT_LIST_HEAD(&stats->list);
+	stats->precise_timestamps = false;
 	stats->last = alloc_percpu(struct dm_stats_last_position);
 	for_each_possible_cpu(cpu) {
 		last = per_cpu_ptr(stats->last, cpu);
@@ -231,6 +232,22 @@ void dm_stats_cleanup(struct dm_stats *s
 	mutex_destroy(&stats->mutex);
 }
 
+static void dm_stats_recalc_precise_timestamps(struct dm_stats *stats)
+{
+	struct list_head *l;
+	struct dm_stat *tmp_s;
+	bool precise_timestamps = false;
+
+	list_for_each(l, &stats->list) {
+		tmp_s = container_of(l, struct dm_stat, list_entry);
+		if (tmp_s->stat_flags & STAT_PRECISE_TIMESTAMPS) {
+			precise_timestamps = true;
+			break;
+		}
+	}
+	stats->precise_timestamps = precise_timestamps;
+}
+
 static int dm_stats_create(struct dm_stats *stats, sector_t start, sector_t end,
 			   sector_t step, unsigned stat_flags,
 			   unsigned n_histogram_entries,
@@ -376,6 +393,9 @@ static int dm_stats_create(struct dm_sta
 	}
 	ret_id = s->id;
 	list_add_tail_rcu(&s->list_entry, l);
+
+	dm_stats_recalc_precise_timestamps(stats);
+
 	mutex_unlock(&stats->mutex);
 
 	resume_callback(md);
@@ -418,6 +438,9 @@ static int dm_stats_delete(struct dm_sta
 	}
 
 	list_del_rcu(&s->list_entry);
+
+	dm_stats_recalc_precise_timestamps(stats);
+
 	mutex_unlock(&stats->mutex);
 
 	/*
@@ -654,9 +677,8 @@ void dm_stats_account_io(struct dm_stats
 	got_precise_time = false;
 	list_for_each_entry_rcu(s, &stats->list, list_entry) {
 		if (s->stat_flags & STAT_PRECISE_TIMESTAMPS && !got_precise_time) {
-			if (!end)
-				stats_aux->duration_ns = ktime_to_ns(ktime_get());
-			else
+			/* start (!end) duration_ns is set by DM core's alloc_io() */
+			if (end)
 				stats_aux->duration_ns = ktime_to_ns(ktime_get()) - stats_aux->duration_ns;
 			got_precise_time = true;
 		}
--- a/drivers/md/dm-stats.h
+++ b/drivers/md/dm-stats.h
@@ -13,8 +13,7 @@ struct dm_stats {
 	struct mutex mutex;
 	struct list_head list;	/* list of struct dm_stat */
 	struct dm_stats_last_position __percpu *last;
-	sector_t last_sector;
-	unsigned last_rw;
+	bool precise_timestamps;
 };
 
 struct dm_stats_aux {
@@ -40,4 +39,10 @@ static inline bool dm_stats_used(struct
 	return !list_empty(&st->list);
 }
 
+static inline void dm_stats_record_start(struct dm_stats *stats, struct dm_stats_aux *aux)
+{
+	if (unlikely(stats->precise_timestamps))
+		aux->duration_ns = ktime_to_ns(ktime_get());
+}
+
 #endif
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -537,6 +537,8 @@ static struct dm_io *alloc_io(struct map
 
 	io->start_time = jiffies;
 
+	dm_stats_record_start(&md->stats, &io->stats_aux);
+
 	return io;
 }
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0112/1126] dm: fix use-after-free in dm_cleanup_zoned_dev()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0111/1126] dm stats: fix too short end duration_ns when using precise_timestamps Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0113/1126] dm: interlock pending dm_io and dm_wait_for_bios_completion Greg Kroah-Hartman
                   ` (877 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kirill Tkhai, Damien Le Moal, Mike Snitzer

From: Kirill Tkhai <ktkhai@virtuozzo.com>

commit 588b7f5df0cb64f281290c7672470c006abe7160 upstream.

dm_cleanup_zoned_dev() uses queue, so it must be called
before blk_cleanup_disk() starts its killing:

blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->
->...RCU...->blk_free_queue_rcu()->kmem_cache_free()

Otherwise, RCU callback may be executed first and
dm_cleanup_zoned_dev() will touch free'd memory:

 BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0
 Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681

 CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
 Call Trace:
  <TASK>
  dump_stack_lvl+0x57/0x7d
  print_address_description.constprop.0+0x1f/0x150
  ? dm_cleanup_zoned_dev+0x33/0xd0
  kasan_report.cold+0x7f/0x11b
  ? dm_cleanup_zoned_dev+0x33/0xd0
  dm_cleanup_zoned_dev+0x33/0xd0
  __dm_destroy+0x26a/0x400
  ? dm_blk_ioctl+0x230/0x230
  ? up_write+0xd8/0x270
  dev_remove+0x156/0x1d0
  ctl_ioctl+0x269/0x530
  ? table_clear+0x140/0x140
  ? lock_release+0xb2/0x750
  ? remove_all+0x40/0x40
  ? rcu_read_lock_sched_held+0x12/0x70
  ? lock_downgrade+0x3c0/0x3c0
  ? rcu_read_lock_sched_held+0x12/0x70
  dm_ctl_ioctl+0xa/0x10
  __x64_sys_ioctl+0xb9/0xf0
  do_syscall_64+0x3b/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7fb6dfa95c27

Fixes: bb37d77239af ("dm: introduce zone append emulation")
Cc: stable@vger.kernel.org
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -1609,6 +1609,7 @@ static void cleanup_mapped_device(struct
 		md->dax_dev = NULL;
 	}
 
+	dm_cleanup_zoned_dev(md);
 	if (md->disk) {
 		spin_lock(&_minor_lock);
 		md->disk->private_data = NULL;
@@ -1629,7 +1630,6 @@ static void cleanup_mapped_device(struct
 	mutex_destroy(&md->swap_bios_lock);
 
 	dm_mq_cleanup_mapped_device(md);
-	dm_cleanup_zoned_dev(md);
 }
 
 /*



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0113/1126] dm: interlock pending dm_io and dm_wait_for_bios_completion
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0112/1126] dm: fix use-after-free in dm_cleanup_zoned_dev() Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0114/1126] dm: fix double accounting of flush with data Greg Kroah-Hartman
                   ` (876 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer

From: Mike Snitzer <snitzer@redhat.com>

commit 9f6dc633761006f974701d4c88da71ab68670749 upstream.

Commit d208b89401e0 ("dm: fix mempool NULL pointer race when
completing IO") didn't go far enough.

When bio_end_io_acct ends the count of in-flight I/Os may reach zero
and the DM device may be suspended. There is a possibility that the
suspend races with dm_stats_account_io.

Fix this by adding percpu "pending_io" counters to track outstanding
dm_io. Move kicking of suspend queue to dm_io_dec_pending(). Also,
rename md_in_flight_bios() to dm_in_flight_bios() and update it to
iterate all pending_io counters.

Fixes: d208b89401e0 ("dm: fix mempool NULL pointer race when completing IO")
Cc: stable@vger.kernel.org
Co-developed-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-core.h |    2 ++
 drivers/md/dm.c      |   35 +++++++++++++++++++++++------------
 2 files changed, 25 insertions(+), 12 deletions(-)

--- a/drivers/md/dm-core.h
+++ b/drivers/md/dm-core.h
@@ -65,6 +65,8 @@ struct mapped_device {
 	struct gendisk *disk;
 	struct dax_device *dax_dev;
 
+	unsigned long __percpu *pending_io;
+
 	/*
 	 * A list of ios that arrived while we were suspended.
 	 */
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -507,10 +507,6 @@ static void end_io_acct(struct mapped_de
 		dm_stats_account_io(&md->stats, bio_data_dir(bio),
 				    bio->bi_iter.bi_sector, bio_sectors(bio),
 				    true, duration, stats_aux);
-
-	/* nudge anyone waiting on suspend queue */
-	if (unlikely(wq_has_sleeper(&md->wait)))
-		wake_up(&md->wait);
 }
 
 static struct dm_io *alloc_io(struct mapped_device *md, struct bio *bio)
@@ -531,6 +527,7 @@ static struct dm_io *alloc_io(struct map
 	io->magic = DM_IO_MAGIC;
 	io->status = 0;
 	atomic_set(&io->io_count, 1);
+	this_cpu_inc(*md->pending_io);
 	io->orig_bio = bio;
 	io->md = md;
 	spin_lock_init(&io->endio_lock);
@@ -828,6 +825,12 @@ void dm_io_dec_pending(struct dm_io *io,
 		stats_aux = io->stats_aux;
 		free_io(md, io);
 		end_io_acct(md, bio, start_time, &stats_aux);
+		smp_wmb();
+		this_cpu_dec(*md->pending_io);
+
+		/* nudge anyone waiting on suspend queue */
+		if (unlikely(wq_has_sleeper(&md->wait)))
+			wake_up(&md->wait);
 
 		if (io_error == BLK_STS_DM_REQUEUE)
 			return;
@@ -1622,6 +1625,11 @@ static void cleanup_mapped_device(struct
 		blk_cleanup_disk(md->disk);
 	}
 
+	if (md->pending_io) {
+		free_percpu(md->pending_io);
+		md->pending_io = NULL;
+	}
+
 	cleanup_srcu_struct(&md->io_barrier);
 
 	mutex_destroy(&md->suspend_lock);
@@ -1723,6 +1731,10 @@ static struct mapped_device *alloc_dev(i
 	if (!md->wq)
 		goto bad;
 
+	md->pending_io = alloc_percpu(unsigned long);
+	if (!md->pending_io)
+		goto bad;
+
 	dm_stats_init(&md->stats);
 
 	/* Populate the mapping, nobody knows we exist yet */
@@ -2130,16 +2142,13 @@ void dm_put(struct mapped_device *md)
 }
 EXPORT_SYMBOL_GPL(dm_put);
 
-static bool md_in_flight_bios(struct mapped_device *md)
+static bool dm_in_flight_bios(struct mapped_device *md)
 {
 	int cpu;
-	struct block_device *part = dm_disk(md)->part0;
-	long sum = 0;
+	unsigned long sum = 0;
 
-	for_each_possible_cpu(cpu) {
-		sum += part_stat_local_read_cpu(part, in_flight[0], cpu);
-		sum += part_stat_local_read_cpu(part, in_flight[1], cpu);
-	}
+	for_each_possible_cpu(cpu)
+		sum += *per_cpu_ptr(md->pending_io, cpu);
 
 	return sum != 0;
 }
@@ -2152,7 +2161,7 @@ static int dm_wait_for_bios_completion(s
 	while (true) {
 		prepare_to_wait(&md->wait, &wait, task_state);
 
-		if (!md_in_flight_bios(md))
+		if (!dm_in_flight_bios(md))
 			break;
 
 		if (signal_pending_state(task_state, current)) {
@@ -2164,6 +2173,8 @@ static int dm_wait_for_bios_completion(s
 	}
 	finish_wait(&md->wait, &wait);
 
+	smp_rmb();
+
 	return r;
 }
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0114/1126] dm: fix double accounting of flush with data
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0113/1126] dm: interlock pending dm_io and dm_wait_for_bios_completion Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0115/1126] dm integrity: set journal entry unused when shrinking device Greg Kroah-Hartman
                   ` (875 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mike Snitzer

From: Mike Snitzer <snitzer@redhat.com>

commit 8d394bc4adf588ca4a0650745167cb83f86c18c9 upstream.

DM handles a flush with data by first issuing an empty flush and then
once it completes the REQ_PREFLUSH flag is removed and the payload is
issued.  The problem fixed by this commit is that both the empty flush
bio and the data payload will account the full extent of the data
payload.

Fix this by factoring out dm_io_acct() and having it wrap all IO
accounting to set the size of  bio with REQ_PREFLUSH to 0, account the
IO, and then restore the original size.

Cc: stable@vger.kernel.org
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-stats.c |    6 ++++--
 drivers/md/dm-stats.h |    2 +-
 drivers/md/dm.c       |   47 +++++++++++++++++++++++++++++++++--------------
 3 files changed, 38 insertions(+), 17 deletions(-)

--- a/drivers/md/dm-stats.c
+++ b/drivers/md/dm-stats.c
@@ -644,13 +644,14 @@ static void __dm_stat_bio(struct dm_stat
 
 void dm_stats_account_io(struct dm_stats *stats, unsigned long bi_rw,
 			 sector_t bi_sector, unsigned bi_sectors, bool end,
-			 unsigned long duration_jiffies,
+			 unsigned long start_time,
 			 struct dm_stats_aux *stats_aux)
 {
 	struct dm_stat *s;
 	sector_t end_sector;
 	struct dm_stats_last_position *last;
 	bool got_precise_time;
+	unsigned long duration_jiffies = 0;
 
 	if (unlikely(!bi_sectors))
 		return;
@@ -670,7 +671,8 @@ void dm_stats_account_io(struct dm_stats
 				       ));
 		WRITE_ONCE(last->last_sector, end_sector);
 		WRITE_ONCE(last->last_rw, bi_rw);
-	}
+	} else
+		duration_jiffies = jiffies - start_time;
 
 	rcu_read_lock();
 
--- a/drivers/md/dm-stats.h
+++ b/drivers/md/dm-stats.h
@@ -31,7 +31,7 @@ int dm_stats_message(struct mapped_devic
 
 void dm_stats_account_io(struct dm_stats *stats, unsigned long bi_rw,
 			 sector_t bi_sector, unsigned bi_sectors, bool end,
-			 unsigned long duration_jiffies,
+			 unsigned long start_time,
 			 struct dm_stats_aux *aux);
 
 static inline bool dm_stats_used(struct dm_stats *st)
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -484,29 +484,48 @@ u64 dm_start_time_ns_from_clone(struct b
 }
 EXPORT_SYMBOL_GPL(dm_start_time_ns_from_clone);
 
-static void start_io_acct(struct dm_io *io)
+static bool bio_is_flush_with_data(struct bio *bio)
 {
-	struct mapped_device *md = io->md;
-	struct bio *bio = io->orig_bio;
+	return ((bio->bi_opf & REQ_PREFLUSH) && bio->bi_iter.bi_size);
+}
+
+static void dm_io_acct(bool end, struct mapped_device *md, struct bio *bio,
+		       unsigned long start_time, struct dm_stats_aux *stats_aux)
+{
+	bool is_flush_with_data;
+	unsigned int bi_size;
+
+	/* If REQ_PREFLUSH set save any payload but do not account it */
+	is_flush_with_data = bio_is_flush_with_data(bio);
+	if (is_flush_with_data) {
+		bi_size = bio->bi_iter.bi_size;
+		bio->bi_iter.bi_size = 0;
+	}
+
+	if (!end)
+		bio_start_io_acct_time(bio, start_time);
+	else
+		bio_end_io_acct(bio, start_time);
 
-	bio_start_io_acct_time(bio, io->start_time);
 	if (unlikely(dm_stats_used(&md->stats)))
 		dm_stats_account_io(&md->stats, bio_data_dir(bio),
 				    bio->bi_iter.bi_sector, bio_sectors(bio),
-				    false, 0, &io->stats_aux);
+				    end, start_time, stats_aux);
+
+	/* Restore bio's payload so it does get accounted upon requeue */
+	if (is_flush_with_data)
+		bio->bi_iter.bi_size = bi_size;
+}
+
+static void start_io_acct(struct dm_io *io)
+{
+	dm_io_acct(false, io->md, io->orig_bio, io->start_time, &io->stats_aux);
 }
 
 static void end_io_acct(struct mapped_device *md, struct bio *bio,
 			unsigned long start_time, struct dm_stats_aux *stats_aux)
 {
-	unsigned long duration = jiffies - start_time;
-
-	bio_end_io_acct(bio, start_time);
-
-	if (unlikely(dm_stats_used(&md->stats)))
-		dm_stats_account_io(&md->stats, bio_data_dir(bio),
-				    bio->bi_iter.bi_sector, bio_sectors(bio),
-				    true, duration, stats_aux);
+	dm_io_acct(true, md, bio, start_time, stats_aux);
 }
 
 static struct dm_io *alloc_io(struct mapped_device *md, struct bio *bio)
@@ -835,7 +854,7 @@ void dm_io_dec_pending(struct dm_io *io,
 		if (io_error == BLK_STS_DM_REQUEUE)
 			return;
 
-		if ((bio->bi_opf & REQ_PREFLUSH) && bio->bi_iter.bi_size) {
+		if (bio_is_flush_with_data(bio)) {
 			/*
 			 * Preflush done for flush with data, reissue
 			 * without REQ_PREFLUSH.



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0115/1126] dm integrity: set journal entry unused when shrinking device
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0114/1126] dm: fix double accounting of flush with data Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0116/1126] tracing: Have trace event string test handle zero length strings Greg Kroah-Hartman
                   ` (874 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Milan Broz, Mike Snitzer

From: Mikulas Patocka <mpatocka@redhat.com>

commit cc09e8a9dec4f0e8299e80a7a2a8e6f54164a10b upstream.

Commit f6f72f32c22c ("dm integrity: don't replay journal data past the
end of the device") skips journal replay if the target sector points
beyond the end of the device. Unfortunatelly, it doesn't set the
journal entry unused, which resulted in this BUG being triggered:
BUG_ON(!journal_entry_is_unused(je))

Fix this by calling journal_entry_set_unused() for this case.

Fixes: f6f72f32c22c ("dm integrity: don't replay journal data past the end of the device")
Cc: stable@vger.kernel.org # v5.7+
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Tested-by: Milan Broz <gmazyland@gmail.com>
[snitzer: revised header]
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-integrity.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -2473,9 +2473,11 @@ static void do_journal_write(struct dm_i
 					dm_integrity_io_error(ic, "invalid sector in journal", -EIO);
 					sec &= ~(sector_t)(ic->sectors_per_block - 1);
 				}
+				if (unlikely(sec >= ic->provided_data_sectors)) {
+					journal_entry_set_unused(je);
+					continue;
+				}
 			}
-			if (unlikely(sec >= ic->provided_data_sectors))
-				continue;
 			get_area_and_offset(ic, sec, &area, &offset);
 			restore_last_bytes(ic, access_journal_data(ic, i, j), je);
 			for (k = j + 1; k < ic->journal_section_entries; k++) {



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0116/1126] tracing: Have trace event string test handle zero length strings
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0115/1126] dm integrity: set journal entry unused when shrinking device Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0117/1126] drbd: fix potential silent data corruption Greg Kroah-Hartman
                   ` (873 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian Foster, Steven Rostedt (Google)

From: Steven Rostedt (Google) <rostedt@goodmis.org>

commit eca344a7362e0f34f179298fd8366bcd556eede1 upstream.

If a trace event has in its TP_printk():

 "%*.s", len, len ? __get_str(string) : NULL

It is perfectly valid if len is zero and passing in the NULL.
Unfortunately, the runtime string check at time of reading the trace sees
the NULL and flags it as a bad string and produces a WARN_ON().

Handle this case by passing into the test function if the format has an
asterisk (star) and if so, if the length is zero, then mark it as safe.

Link: https://lore.kernel.org/all/YjsWzuw5FbWPrdqq@bfoster/

Cc: stable@vger.kernel.org
Reported-by: Brian Foster <bfoster@redhat.com>
Tested-by: Brian Foster <bfoster@redhat.com>
Fixes: 9a6944fee68e2 ("tracing: Add a verifier to check string pointers for trace events")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/trace.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3663,12 +3663,17 @@ static char *trace_iter_expand_format(st
 }
 
 /* Returns true if the string is safe to dereference from an event */
-static bool trace_safe_str(struct trace_iterator *iter, const char *str)
+static bool trace_safe_str(struct trace_iterator *iter, const char *str,
+			   bool star, int len)
 {
 	unsigned long addr = (unsigned long)str;
 	struct trace_event *trace_event;
 	struct trace_event_call *event;
 
+	/* Ignore strings with no length */
+	if (star && !len)
+		return true;
+
 	/* OK if part of the event data */
 	if ((addr >= (unsigned long)iter->ent) &&
 	    (addr < (unsigned long)iter->ent + iter->ent_size))
@@ -3854,7 +3859,7 @@ void trace_check_vprintf(struct trace_it
 		 * instead. See samples/trace_events/trace-events-sample.h
 		 * for reference.
 		 */
-		if (WARN_ONCE(!trace_safe_str(iter, str),
+		if (WARN_ONCE(!trace_safe_str(iter, str, star, len),
 			      "fmt: '%s' current_buffer: '%s'",
 			      fmt, show_buffer(&iter->seq))) {
 			int ret;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0117/1126] drbd: fix potential silent data corruption
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0116/1126] tracing: Have trace event string test handle zero length strings Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0118/1126] can: isotp: sanitize CAN ID checks in isotp_bind() Greg Kroah-Hartman
                   ` (872 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars Ellenberg,
	Christoph Böhmwalder, Jens Axboe

From: Lars Ellenberg <lars.ellenberg@linbit.com>

commit f4329d1f848ac35757d9cc5487669d19dfc5979c upstream.

Scenario:
---------

bio chain generated by blk_queue_split().
Some split bio fails and propagates its error status to the "parent" bio.
But then the (last part of the) parent bio itself completes without error.

We would clobber the already recorded error status with BLK_STS_OK,
causing silent data corruption.

Reproducer:
-----------

How to trigger this in the real world within seconds:

DRBD on top of degraded parity raid,
small stripe_cache_size, large read_ahead setting.
Drop page cache (sysctl vm.drop_caches=1, fadvise "DONTNEED",
umount and mount again, "reboot").

Cause significant read ahead.

Large read ahead request is split by blk_queue_split().
Parts of the read ahead that are already in the stripe cache,
or find an available stripe cache to use, can be serviced.
Parts of the read ahead that would need "too much work",
would need to wait for a "stripe_head" to become available,
are rejected immediately.

For larger read ahead requests that are split in many pieces, it is very
likely that some "splits" will be serviced, but then the stripe cache is
exhausted/busy, and the remaining ones will be rejected.

Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
Cc: <stable@vger.kernel.org> # 4.13.x
Link: https://lore.kernel.org/r/20220330185551.3553196-1-christoph.boehmwalder@linbit.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/block/drbd/drbd_req.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/block/drbd/drbd_req.c
+++ b/drivers/block/drbd/drbd_req.c
@@ -180,7 +180,8 @@ void start_new_tl_epoch(struct drbd_conn
 void complete_master_bio(struct drbd_device *device,
 		struct bio_and_error *m)
 {
-	m->bio->bi_status = errno_to_blk_status(m->error);
+	if (unlikely(m->error))
+		m->bio->bi_status = errno_to_blk_status(m->error);
 	bio_endio(m->bio);
 	dec_ap_bio(device);
 }



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0118/1126] can: isotp: sanitize CAN ID checks in isotp_bind()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0117/1126] drbd: fix potential silent data corruption Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0119/1126] PCI: fu740: Force 2.5GT/s for initial device probe Greg Kroah-Hartman
                   ` (871 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+2339c27f5c66c652843e,
	Oliver Hartkopp, Marc Kleine-Budde

From: Oliver Hartkopp <socketcan@hartkopp.net>

commit 3ea566422cbde9610c2734980d1286ab681bb40e upstream.

Syzbot created an environment that lead to a state machine status that
can not be reached with a compliant CAN ID address configuration.
The provided address information consisted of CAN ID 0x6000001 and 0xC28001
which both boil down to 11 bit CAN IDs 0x001 in sending and receiving.

Sanitize the SFF/EFF CAN ID values before performing the address checks.

Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol")
Link: https://lore.kernel.org/all/20220316164258.54155-1-socketcan@hartkopp.net
Reported-by: syzbot+2339c27f5c66c652843e@syzkaller.appspotmail.com
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/can/isotp.c |   38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)

--- a/net/can/isotp.c
+++ b/net/can/isotp.c
@@ -1104,6 +1104,7 @@ static int isotp_bind(struct socket *soc
 	struct net *net = sock_net(sk);
 	int ifindex;
 	struct net_device *dev;
+	canid_t tx_id, rx_id;
 	int err = 0;
 	int notify_enetdown = 0;
 	int do_rx_reg = 1;
@@ -1111,8 +1112,18 @@ static int isotp_bind(struct socket *soc
 	if (len < ISOTP_MIN_NAMELEN)
 		return -EINVAL;
 
-	if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
-		return -EADDRNOTAVAIL;
+	/* sanitize tx/rx CAN identifiers */
+	tx_id = addr->can_addr.tp.tx_id;
+	if (tx_id & CAN_EFF_FLAG)
+		tx_id &= (CAN_EFF_FLAG | CAN_EFF_MASK);
+	else
+		tx_id &= CAN_SFF_MASK;
+
+	rx_id = addr->can_addr.tp.rx_id;
+	if (rx_id & CAN_EFF_FLAG)
+		rx_id &= (CAN_EFF_FLAG | CAN_EFF_MASK);
+	else
+		rx_id &= CAN_SFF_MASK;
 
 	if (!addr->can_ifindex)
 		return -ENODEV;
@@ -1124,21 +1135,13 @@ static int isotp_bind(struct socket *soc
 		do_rx_reg = 0;
 
 	/* do not validate rx address for functional addressing */
-	if (do_rx_reg) {
-		if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id) {
-			err = -EADDRNOTAVAIL;
-			goto out;
-		}
-
-		if (addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)) {
-			err = -EADDRNOTAVAIL;
-			goto out;
-		}
+	if (do_rx_reg && rx_id == tx_id) {
+		err = -EADDRNOTAVAIL;
+		goto out;
 	}
 
 	if (so->bound && addr->can_ifindex == so->ifindex &&
-	    addr->can_addr.tp.rx_id == so->rxid &&
-	    addr->can_addr.tp.tx_id == so->txid)
+	    rx_id == so->rxid && tx_id == so->txid)
 		goto out;
 
 	dev = dev_get_by_index(net, addr->can_ifindex);
@@ -1162,8 +1165,7 @@ static int isotp_bind(struct socket *soc
 	ifindex = dev->ifindex;
 
 	if (do_rx_reg)
-		can_rx_register(net, dev, addr->can_addr.tp.rx_id,
-				SINGLE_MASK(addr->can_addr.tp.rx_id),
+		can_rx_register(net, dev, rx_id, SINGLE_MASK(rx_id),
 				isotp_rcv, sk, "isotp", sk);
 
 	dev_put(dev);
@@ -1183,8 +1185,8 @@ static int isotp_bind(struct socket *soc
 
 	/* switch to new settings */
 	so->ifindex = ifindex;
-	so->rxid = addr->can_addr.tp.rx_id;
-	so->txid = addr->can_addr.tp.tx_id;
+	so->rxid = rx_id;
+	so->txid = tx_id;
 	so->bound = 1;
 
 out:



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0119/1126] PCI: fu740: Force 2.5GT/s for initial device probe
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0118/1126] can: isotp: sanitize CAN ID checks in isotp_bind() Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0120/1126] arm64: signal: nofpsimd: Do not allocate fp/simd context when not available Greg Kroah-Hartman
                   ` (870 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Dooks, Bjorn Helgaas,
	Palmer Dabbelt, Dimitri John Ledkov

From: Ben Dooks <ben.dooks@codethink.co.uk>

commit a382c757ec5ef83137a86125f43a4c43dc2ab50b upstream.

The fu740 PCIe core does not probe any devices on the SiFive Unmatched
board without this fix (or having U-Boot explicitly start the PCIe via
either boot-script or user command). The fix is to start the link at
2.5GT/s speeds and once the link is up then change the maximum speed back
to the default.

The U-Boot driver claims to set the link-speed to 2.5GT/s to get the probe
to work (and U-Boot does print link up at 2.5GT/s) in the following code:
https://source.denx.de/u-boot/u-boot/-/blob/master/drivers/pci/pcie_dw_sifive.c?id=v2022.01#L271

Link: https://lore.kernel.org/r/20220318152430.526320-1-ben.dooks@codethink.co.uk
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/controller/dwc/pcie-fu740.c |   51 +++++++++++++++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)

--- a/drivers/pci/controller/dwc/pcie-fu740.c
+++ b/drivers/pci/controller/dwc/pcie-fu740.c
@@ -181,10 +181,59 @@ static int fu740_pcie_start_link(struct
 {
 	struct device *dev = pci->dev;
 	struct fu740_pcie *afp = dev_get_drvdata(dev);
+	u8 cap_exp = dw_pcie_find_capability(pci, PCI_CAP_ID_EXP);
+	int ret;
+	u32 orig, tmp;
+
+	/*
+	 * Force 2.5GT/s when starting the link, due to some devices not
+	 * probing at higher speeds. This happens with the PCIe switch
+	 * on the Unmatched board when U-Boot has not initialised the PCIe.
+	 * The fix in U-Boot is to force 2.5GT/s, which then gets cleared
+	 * by the soft reset done by this driver.
+	 */
+	dev_dbg(dev, "cap_exp at %x\n", cap_exp);
+	dw_pcie_dbi_ro_wr_en(pci);
+
+	tmp = dw_pcie_readl_dbi(pci, cap_exp + PCI_EXP_LNKCAP);
+	orig = tmp & PCI_EXP_LNKCAP_SLS;
+	tmp &= ~PCI_EXP_LNKCAP_SLS;
+	tmp |= PCI_EXP_LNKCAP_SLS_2_5GB;
+	dw_pcie_writel_dbi(pci, cap_exp + PCI_EXP_LNKCAP, tmp);
 
 	/* Enable LTSSM */
 	writel_relaxed(0x1, afp->mgmt_base + PCIEX8MGMT_APP_LTSSM_ENABLE);
-	return 0;
+
+	ret = dw_pcie_wait_for_link(pci);
+	if (ret) {
+		dev_err(dev, "error: link did not start\n");
+		goto err;
+	}
+
+	tmp = dw_pcie_readl_dbi(pci, cap_exp + PCI_EXP_LNKCAP);
+	if ((tmp & PCI_EXP_LNKCAP_SLS) != orig) {
+		dev_dbg(dev, "changing speed back to original\n");
+
+		tmp &= ~PCI_EXP_LNKCAP_SLS;
+		tmp |= orig;
+		dw_pcie_writel_dbi(pci, cap_exp + PCI_EXP_LNKCAP, tmp);
+
+		tmp = dw_pcie_readl_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL);
+		tmp |= PORT_LOGIC_SPEED_CHANGE;
+		dw_pcie_writel_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL, tmp);
+
+		ret = dw_pcie_wait_for_link(pci);
+		if (ret) {
+			dev_err(dev, "error: link did not start at new speed\n");
+			goto err;
+		}
+	}
+
+	ret = 0;
+err:
+	WARN_ON(ret);	/* we assume that errors will be very rare */
+	dw_pcie_dbi_ro_wr_dis(pci);
+	return ret;
 }
 
 static int fu740_pcie_host_init(struct pcie_port *pp)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0120/1126] arm64: signal: nofpsimd: Do not allocate fp/simd context when not available
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0119/1126] PCI: fu740: Force 2.5GT/s for initial device probe Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0121/1126] arm64: Do not defer reserve_crashkernel() for platforms with no DMA memory zones Greg Kroah-Hartman
                   ` (869 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Engraf, Catalin Marinas,
	Will Deacon, Mark Brown

From: David Engraf <david.engraf@sysgo.com>

commit 0a32c88ddb9af30e8a16d41d7b9b824c27d29459 upstream.

Commit 6d502b6ba1b2 ("arm64: signal: nofpsimd: Handle fp/simd context for
signal frames") introduced saving the fp/simd context for signal handling
only when support is available. But setup_sigframe_layout() always
reserves memory for fp/simd context. The additional memory is not touched
because preserve_fpsimd_context() is not called and thus the magic is
invalid.

This may lead to an error when parse_user_sigframe() checks the fp/simd
area and does not find a valid magic number.

Signed-off-by: David Engraf <david.engraf@sysgo.com>
Reviwed-by: Mark Brown <broonie@kernel.org>
Fixes: 6d502b6ba1b267b3 ("arm64: signal: nofpsimd: Handle fp/simd context for signal frames")
Cc: <stable@vger.kernel.org> # 5.6.x
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Link: https://lore.kernel.org/r/20220225104008.820289-1-david.engraf@sysgo.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/signal.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -577,10 +577,12 @@ static int setup_sigframe_layout(struct
 {
 	int err;
 
-	err = sigframe_alloc(user, &user->fpsimd_offset,
-			     sizeof(struct fpsimd_context));
-	if (err)
-		return err;
+	if (system_supports_fpsimd()) {
+		err = sigframe_alloc(user, &user->fpsimd_offset,
+				     sizeof(struct fpsimd_context));
+		if (err)
+			return err;
+	}
 
 	/* fault information, if valid */
 	if (add_all || current->thread.fault_code) {



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0121/1126] arm64: Do not defer reserve_crashkernel() for platforms with no DMA memory zones
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0120/1126] arm64: signal: nofpsimd: Do not allocate fp/simd context when not available Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0122/1126] arm64: dts: qcom: sm8250: Fix MSI IRQ for PCIe1 and PCIe2 Greg Kroah-Hartman
                   ` (868 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vijay Balakrishna, Pasha Tatashin,
	Will Deacon

From: Vijay Balakrishna <vijayb@linux.microsoft.com>

commit 031495635b4668f94e964e037ca93d0d38bfde58 upstream.

The following patches resulted in deferring crash kernel reservation to
mem_init(), mainly aimed at platforms with DMA memory zones (no IOMMU),
in particular Raspberry Pi 4.

commit 1a8e1cef7603 ("arm64: use both ZONE_DMA and ZONE_DMA32")
commit 8424ecdde7df ("arm64: mm: Set ZONE_DMA size based on devicetree's dma-ranges")
commit 0a30c53573b0 ("arm64: mm: Move reserve_crashkernel() into mem_init()")
commit 2687275a5843 ("arm64: Force NO_BLOCK_MAPPINGS if crashkernel reservation is required")

Above changes introduced boot slowdown due to linear map creation for
all the memory banks with NO_BLOCK_MAPPINGS, see discussion[1].  The proposed
changes restore crash kernel reservation to earlier behavior thus avoids
slow boot, particularly for platforms with IOMMU (no DMA memory zones).

Tested changes to confirm no ~150ms boot slowdown on our SoC with IOMMU
and 8GB memory.  Also tested with ZONE_DMA and/or ZONE_DMA32 configs to confirm
no regression to deferring scheme of crash kernel memory reservation.
In both cases successfully collected kernel crash dump.

[1] https://lore.kernel.org/all/9436d033-579b-55fa-9b00-6f4b661c2dd7@linux.microsoft.com/

Signed-off-by: Vijay Balakrishna <vijayb@linux.microsoft.com>
Cc: stable@vger.kernel.org
Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Link: https://lore.kernel.org/r/1646242689-20744-1-git-send-email-vijayb@linux.microsoft.com
[will: Add #ifdef CONFIG_KEXEC_CORE guards to fix 'crashk_res' references in allnoconfig build]
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/mm/init.c |   36 ++++++++++++++++++++++++++++++++----
 arch/arm64/mm/mmu.c  |   32 +++++++++++++++++++++++++++++++-
 2 files changed, 63 insertions(+), 5 deletions(-)

--- a/arch/arm64/mm/init.c
+++ b/arch/arm64/mm/init.c
@@ -61,8 +61,34 @@ EXPORT_SYMBOL(memstart_addr);
  * unless restricted on specific platforms (e.g. 30-bit on Raspberry Pi 4).
  * In such case, ZONE_DMA32 covers the rest of the 32-bit addressable memory,
  * otherwise it is empty.
+ *
+ * Memory reservation for crash kernel either done early or deferred
+ * depending on DMA memory zones configs (ZONE_DMA) --
+ *
+ * In absence of ZONE_DMA configs arm64_dma_phys_limit initialized
+ * here instead of max_zone_phys().  This lets early reservation of
+ * crash kernel memory which has a dependency on arm64_dma_phys_limit.
+ * Reserving memory early for crash kernel allows linear creation of block
+ * mappings (greater than page-granularity) for all the memory bank rangs.
+ * In this scheme a comparatively quicker boot is observed.
+ *
+ * If ZONE_DMA configs are defined, crash kernel memory reservation
+ * is delayed until DMA zone memory range size initilazation performed in
+ * zone_sizes_init().  The defer is necessary to steer clear of DMA zone
+ * memory range to avoid overlap allocation.  So crash kernel memory boundaries
+ * are not known when mapping all bank memory ranges, which otherwise means
+ * not possible to exclude crash kernel range from creating block mappings
+ * so page-granularity mappings are created for the entire memory range.
+ * Hence a slightly slower boot is observed.
+ *
+ * Note: Page-granularity mapppings are necessary for crash kernel memory
+ * range for shrinking its size via /sys/kernel/kexec_crash_size interface.
  */
-phys_addr_t arm64_dma_phys_limit __ro_after_init;
+#if IS_ENABLED(CONFIG_ZONE_DMA) || IS_ENABLED(CONFIG_ZONE_DMA32)
+phys_addr_t __ro_after_init arm64_dma_phys_limit;
+#else
+const phys_addr_t arm64_dma_phys_limit = PHYS_MASK + 1;
+#endif
 
 #ifdef CONFIG_KEXEC_CORE
 /*
@@ -153,8 +179,6 @@ static void __init zone_sizes_init(unsig
 	if (!arm64_dma_phys_limit)
 		arm64_dma_phys_limit = dma32_phys_limit;
 #endif
-	if (!arm64_dma_phys_limit)
-		arm64_dma_phys_limit = PHYS_MASK + 1;
 	max_zone_pfns[ZONE_NORMAL] = max;
 
 	free_area_init(max_zone_pfns);
@@ -315,6 +339,9 @@ void __init arm64_memblock_init(void)
 
 	early_init_fdt_scan_reserved_mem();
 
+	if (!IS_ENABLED(CONFIG_ZONE_DMA) && !IS_ENABLED(CONFIG_ZONE_DMA32))
+		reserve_crashkernel();
+
 	high_memory = __va(memblock_end_of_DRAM() - 1) + 1;
 }
 
@@ -361,7 +388,8 @@ void __init bootmem_init(void)
 	 * request_standard_resources() depends on crashkernel's memory being
 	 * reserved, so do it here.
 	 */
-	reserve_crashkernel();
+	if (IS_ENABLED(CONFIG_ZONE_DMA) || IS_ENABLED(CONFIG_ZONE_DMA32))
+		reserve_crashkernel();
 
 	memblock_dump_all();
 }
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -517,7 +517,7 @@ static void __init map_mem(pgd_t *pgdp)
 	 */
 	BUILD_BUG_ON(pgd_index(direct_map_end - 1) == pgd_index(direct_map_end));
 
-	if (can_set_direct_map() || crash_mem_map || IS_ENABLED(CONFIG_KFENCE))
+	if (can_set_direct_map() || IS_ENABLED(CONFIG_KFENCE))
 		flags |= NO_BLOCK_MAPPINGS | NO_CONT_MAPPINGS;
 
 	/*
@@ -528,6 +528,17 @@ static void __init map_mem(pgd_t *pgdp)
 	 */
 	memblock_mark_nomap(kernel_start, kernel_end - kernel_start);
 
+#ifdef CONFIG_KEXEC_CORE
+	if (crash_mem_map) {
+		if (IS_ENABLED(CONFIG_ZONE_DMA) ||
+		    IS_ENABLED(CONFIG_ZONE_DMA32))
+			flags |= NO_BLOCK_MAPPINGS | NO_CONT_MAPPINGS;
+		else if (crashk_res.end)
+			memblock_mark_nomap(crashk_res.start,
+			    resource_size(&crashk_res));
+	}
+#endif
+
 	/* map all the memory banks */
 	for_each_mem_range(i, &start, &end) {
 		if (start >= end)
@@ -554,6 +565,25 @@ static void __init map_mem(pgd_t *pgdp)
 	__map_memblock(pgdp, kernel_start, kernel_end,
 		       PAGE_KERNEL, NO_CONT_MAPPINGS);
 	memblock_clear_nomap(kernel_start, kernel_end - kernel_start);
+
+	/*
+	 * Use page-level mappings here so that we can shrink the region
+	 * in page granularity and put back unused memory to buddy system
+	 * through /sys/kernel/kexec_crash_size interface.
+	 */
+#ifdef CONFIG_KEXEC_CORE
+	if (crash_mem_map &&
+	    !IS_ENABLED(CONFIG_ZONE_DMA) && !IS_ENABLED(CONFIG_ZONE_DMA32)) {
+		if (crashk_res.end) {
+			__map_memblock(pgdp, crashk_res.start,
+				       crashk_res.end + 1,
+				       PAGE_KERNEL,
+				       NO_BLOCK_MAPPINGS | NO_CONT_MAPPINGS);
+			memblock_clear_nomap(crashk_res.start,
+					     resource_size(&crashk_res));
+		}
+	}
+#endif
 }
 
 void mark_rodata_ro(void)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0122/1126] arm64: dts: qcom: sm8250: Fix MSI IRQ for PCIe1 and PCIe2
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0121/1126] arm64: Do not defer reserve_crashkernel() for platforms with no DMA memory zones Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0123/1126] arm64: dts: ti: k3-am65: Fix gic-v3 compatible regs Greg Kroah-Hartman
                   ` (867 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jordan Crouse, Manivannan Sadhasivam,
	Dmitry Baryshkov, Bjorn Andersson

From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>

commit 1b7101e8124b450f2d6a35591e9cbb478c143ace upstream.

Fix the MSI IRQ used for PCIe instances 1 and 2.

Cc: stable@vger.kernel.org
Fixes: e53bdfc00977 ("arm64: dts: qcom: sm8250: Add PCIe support")
Reported-by: Jordan Crouse <jordan@cosmicpenguin.net>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20220112035556.5108-1-manivannan.sadhasivam@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/qcom/sm8250.dtsi |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi
@@ -1801,7 +1801,7 @@
 			ranges = <0x01000000 0x0 0x40200000 0x0 0x40200000 0x0 0x100000>,
 				 <0x02000000 0x0 0x40300000 0x0 0x40300000 0x0 0x1fd00000>;
 
-			interrupts = <GIC_SPI 306 IRQ_TYPE_EDGE_RISING>;
+			interrupts = <GIC_SPI 307 IRQ_TYPE_LEVEL_HIGH>;
 			interrupt-names = "msi";
 			#interrupt-cells = <1>;
 			interrupt-map-mask = <0 0 0 0x7>;
@@ -1907,7 +1907,7 @@
 			ranges = <0x01000000 0x0 0x64200000 0x0 0x64200000 0x0 0x100000>,
 				 <0x02000000 0x0 0x64300000 0x0 0x64300000 0x0 0x3d00000>;
 
-			interrupts = <GIC_SPI 236 IRQ_TYPE_EDGE_RISING>;
+			interrupts = <GIC_SPI 243 IRQ_TYPE_LEVEL_HIGH>;
 			interrupt-names = "msi";
 			#interrupt-cells = <1>;
 			interrupt-map-mask = <0 0 0 0x7>;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0123/1126] arm64: dts: ti: k3-am65: Fix gic-v3 compatible regs
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0122/1126] arm64: dts: qcom: sm8250: Fix MSI IRQ for PCIe1 and PCIe2 Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0124/1126] arm64: dts: ti: k3-j721e: " Greg Kroah-Hartman
                   ` (866 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Nishanth Menon

From: Nishanth Menon <nm@ti.com>

commit 8cae268b70f387ff9e697ccd62fb2384079124e7 upstream.

Though GIC ARE option is disabled for no GIC-v2 compatibility,
Cortex-A53 is free to implement the CPU interface as long as it
communicates with the GIC using the stream protocol. This requires
that the SoC integration mark out the PERIPHBASE[1] as reserved area
within the SoC. See longer discussion in [2] for further information.

Update the GIC register map to indicate offsets from PERIPHBASE based
on [3]. Without doing this, systems like kvm will not function with
gic-v2 emulation.

[1] https://developer.arm.com/documentation/ddi0500/e/system-control/aarch64-register-descriptions/configuration-base-address-register--el1
[2] https://lore.kernel.org/all/87k0e0tirw.wl-maz@kernel.org/
[3] https://developer.arm.com/documentation/ddi0500/e/generic-interrupt-controller-cpu-interface/gic-programmers-model/memory-map

Cc: stable@vger.kernel.org # 5.10+
Fixes: ea47eed33a3f ("arm64: dts: ti: Add Support for AM654 SoC")
Reported-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Nishanth Menon <nm@ti.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20220215201008.15235-2-nm@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/ti/k3-am65-main.dtsi |    5 ++++-
 arch/arm64/boot/dts/ti/k3-am65.dtsi      |    1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
@@ -35,7 +35,10 @@
 		#interrupt-cells = <3>;
 		interrupt-controller;
 		reg = <0x00 0x01800000 0x00 0x10000>,	/* GICD */
-		      <0x00 0x01880000 0x00 0x90000>;	/* GICR */
+		      <0x00 0x01880000 0x00 0x90000>,	/* GICR */
+		      <0x00 0x6f000000 0x00 0x2000>,	/* GICC */
+		      <0x00 0x6f010000 0x00 0x1000>,	/* GICH */
+		      <0x00 0x6f020000 0x00 0x2000>;	/* GICV */
 		/*
 		 * vcpumntirq:
 		 * virtual CPU interface maintenance interrupt
--- a/arch/arm64/boot/dts/ti/k3-am65.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am65.dtsi
@@ -86,6 +86,7 @@
 			 <0x00 0x46000000 0x00 0x46000000 0x00 0x00200000>,
 			 <0x00 0x47000000 0x00 0x47000000 0x00 0x00068400>,
 			 <0x00 0x50000000 0x00 0x50000000 0x00 0x8000000>,
+			 <0x00 0x6f000000 0x00 0x6f000000 0x00 0x00310000>, /* A53 PERIPHBASE */
 			 <0x00 0x70000000 0x00 0x70000000 0x00 0x200000>,
 			 <0x05 0x00000000 0x05 0x00000000 0x01 0x0000000>,
 			 <0x07 0x00000000 0x07 0x00000000 0x01 0x0000000>;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0124/1126] arm64: dts: ti: k3-j721e: Fix gic-v3 compatible regs
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0123/1126] arm64: dts: ti: k3-am65: Fix gic-v3 compatible regs Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0125/1126] arm64: dts: ti: k3-j7200: " Greg Kroah-Hartman
                   ` (865 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Nishanth Menon

From: Nishanth Menon <nm@ti.com>

commit a06ed27f3bc63ab9e10007dc0118d910908eb045 upstream.

Though GIC ARE option is disabled for no GIC-v2 compatibility,
Cortex-A72 is free to implement the CPU interface as long as it
communicates with the GIC using the stream protocol. This requires
that the SoC integration mark out the PERIPHBASE[1] as reserved area
within the SoC. See longer discussion in [2] for further information.

Update the GIC register map to indicate offsets from PERIPHBASE based
on [3]. Without doing this, systems like kvm will not function with
gic-v2 emulation.

[1] https://developer.arm.com/documentation/100095/0002/system-control/aarch64-register-descriptions/configuration-base-address-register--el1
[2] https://lore.kernel.org/all/87k0e0tirw.wl-maz@kernel.org/
[3] https://developer.arm.com/documentation/100095/0002/way1382452674438

Cc: stable@vger.kernel.org # 5.10+
Fixes: 2d87061e70de ("arm64: dts: ti: Add Support for J721E SoC")
Reported-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Nishanth Menon <nm@ti.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20220215201008.15235-3-nm@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/ti/k3-j721e-main.dtsi |    5 ++++-
 arch/arm64/boot/dts/ti/k3-j721e.dtsi      |    1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
@@ -76,7 +76,10 @@
 		#interrupt-cells = <3>;
 		interrupt-controller;
 		reg = <0x00 0x01800000 0x00 0x10000>,	/* GICD */
-		      <0x00 0x01900000 0x00 0x100000>;	/* GICR */
+		      <0x00 0x01900000 0x00 0x100000>,	/* GICR */
+		      <0x00 0x6f000000 0x00 0x2000>,	/* GICC */
+		      <0x00 0x6f010000 0x00 0x1000>,	/* GICH */
+		      <0x00 0x6f020000 0x00 0x2000>;	/* GICV */
 
 		/* vcpumntirq: virtual CPU interface maintenance interrupt */
 		interrupts = <GIC_PPI 9 IRQ_TYPE_LEVEL_HIGH>;
--- a/arch/arm64/boot/dts/ti/k3-j721e.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-j721e.dtsi
@@ -139,6 +139,7 @@
 			 <0x00 0x0e000000 0x00 0x0e000000 0x00 0x01800000>, /* PCIe Core*/
 			 <0x00 0x10000000 0x00 0x10000000 0x00 0x10000000>, /* PCIe DAT */
 			 <0x00 0x64800000 0x00 0x64800000 0x00 0x00800000>, /* C71 */
+			 <0x00 0x6f000000 0x00 0x6f000000 0x00 0x00310000>, /* A72 PERIPHBASE */
 			 <0x44 0x00000000 0x44 0x00000000 0x00 0x08000000>, /* PCIe2 DAT */
 			 <0x44 0x10000000 0x44 0x10000000 0x00 0x08000000>, /* PCIe3 DAT */
 			 <0x4d 0x80800000 0x4d 0x80800000 0x00 0x00800000>, /* C66_0 */



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0125/1126] arm64: dts: ti: k3-j7200: Fix gic-v3 compatible regs
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0124/1126] arm64: dts: ti: k3-j721e: " Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0126/1126] arm64: dts: ti: k3-am64: " Greg Kroah-Hartman
                   ` (864 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Nishanth Menon

From: Nishanth Menon <nm@ti.com>

commit 1a307cc299430dd7139d351a3b8941f493dfa885 upstream.

Though GIC ARE option is disabled for no GIC-v2 compatibility,
Cortex-A72 is free to implement the CPU interface as long as it
communicates with the GIC using the stream protocol. This requires
that the SoC integration mark out the PERIPHBASE[1] as reserved area
within the SoC. See longer discussion in [2] for further information.

Update the GIC register map to indicate offsets from PERIPHBASE based
on [3]. Without doing this, systems like kvm will not function with
gic-v2 emulation.

[1] https://developer.arm.com/documentation/100095/0002/system-control/aarch64-register-descriptions/configuration-base-address-register--el1
[2] https://lore.kernel.org/all/87k0e0tirw.wl-maz@kernel.org/
[3] https://developer.arm.com/documentation/100095/0002/way1382452674438

Cc: stable@vger.kernel.org
Fixes: d361ed88455f ("arm64: dts: ti: Add support for J7200 SoC")
Reported-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Nishanth Menon <nm@ti.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20220215201008.15235-4-nm@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/ti/k3-j7200-main.dtsi |    5 ++++-
 arch/arm64/boot/dts/ti/k3-j7200.dtsi      |    1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi
@@ -54,7 +54,10 @@
 		#interrupt-cells = <3>;
 		interrupt-controller;
 		reg = <0x00 0x01800000 0x00 0x10000>,	/* GICD */
-		      <0x00 0x01900000 0x00 0x100000>;	/* GICR */
+		      <0x00 0x01900000 0x00 0x100000>,	/* GICR */
+		      <0x00 0x6f000000 0x00 0x2000>,	/* GICC */
+		      <0x00 0x6f010000 0x00 0x1000>,	/* GICH */
+		      <0x00 0x6f020000 0x00 0x2000>;	/* GICV */
 
 		/* vcpumntirq: virtual CPU interface maintenance interrupt */
 		interrupts = <GIC_PPI 9 IRQ_TYPE_LEVEL_HIGH>;
--- a/arch/arm64/boot/dts/ti/k3-j7200.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-j7200.dtsi
@@ -129,6 +129,7 @@
 			 <0x00 0x00a40000 0x00 0x00a40000 0x00 0x00000800>, /* timesync router */
 			 <0x00 0x01000000 0x00 0x01000000 0x00 0x0d000000>, /* Most peripherals */
 			 <0x00 0x30000000 0x00 0x30000000 0x00 0x0c400000>, /* MAIN NAVSS */
+			 <0x00 0x6f000000 0x00 0x6f000000 0x00 0x00310000>, /* A72 PERIPHBASE */
 			 <0x00 0x70000000 0x00 0x70000000 0x00 0x00800000>, /* MSMC RAM */
 			 <0x00 0x18000000 0x00 0x18000000 0x00 0x08000000>, /* PCIe1 DAT0 */
 			 <0x41 0x00000000 0x41 0x00000000 0x01 0x00000000>, /* PCIe1 DAT1 */



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0126/1126] arm64: dts: ti: k3-am64: Fix gic-v3 compatible regs
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0125/1126] arm64: dts: ti: k3-j7200: " Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0127/1126] arm64: dts: ti: k3-j721s2: " Greg Kroah-Hartman
                   ` (863 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Nishanth Menon

From: Nishanth Menon <nm@ti.com>

commit de60edf1be3d42d4a1b303b41c7c53b2f865726e upstream.

Though GIC ARE option is disabled for no GIC-v2 compatibility,
Cortex-A53 is free to implement the CPU interface as long as it
communicates with the GIC using the stream protocol. This requires
that the SoC integration mark out the PERIPHBASE[1] as reserved area
within the SoC. See longer discussion in [2] for further information.

Update the GIC register map to indicate offsets from PERIPHBASE based
on [3]. Without doing this, systems like kvm will not function with
gic-v2 emulation.

[1] https://developer.arm.com/documentation/ddi0500/e/system-control/aarch64-register-descriptions/configuration-base-address-register--el1
[2] https://lore.kernel.org/all/87k0e0tirw.wl-maz@kernel.org/
[3] https://developer.arm.com/documentation/ddi0500/e/generic-interrupt-controller-cpu-interface/gic-programmers-model/memory-map

Cc: stable@vger.kernel.org
Fixes: 8abae9389bdb ("arm64: dts: ti: Add support for AM642 SoC")
Reported-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Nishanth Menon <nm@ti.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20220215201008.15235-5-nm@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/ti/k3-am64-main.dtsi |    5 ++++-
 arch/arm64/boot/dts/ti/k3-am64.dtsi      |    1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/ti/k3-am64-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am64-main.dtsi
@@ -59,7 +59,10 @@
 		#interrupt-cells = <3>;
 		interrupt-controller;
 		reg = <0x00 0x01800000 0x00 0x10000>,	/* GICD */
-		      <0x00 0x01840000 0x00 0xC0000>;	/* GICR */
+		      <0x00 0x01840000 0x00 0xC0000>,	/* GICR */
+		      <0x01 0x00000000 0x00 0x2000>,	/* GICC */
+		      <0x01 0x00010000 0x00 0x1000>,	/* GICH */
+		      <0x01 0x00020000 0x00 0x2000>;	/* GICV */
 		/*
 		 * vcpumntirq:
 		 * virtual CPU interface maintenance interrupt
--- a/arch/arm64/boot/dts/ti/k3-am64.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am64.dtsi
@@ -87,6 +87,7 @@
 			 <0x00 0x68000000 0x00 0x68000000 0x00 0x08000000>, /* PCIe DAT0 */
 			 <0x00 0x70000000 0x00 0x70000000 0x00 0x00200000>, /* OC SRAM */
 			 <0x00 0x78000000 0x00 0x78000000 0x00 0x00800000>, /* Main R5FSS */
+			 <0x01 0x00000000 0x01 0x00000000 0x00 0x00310000>, /* A53 PERIPHBASE */
 			 <0x06 0x00000000 0x06 0x00000000 0x01 0x00000000>, /* PCIe DAT1 */
 			 <0x05 0x00000000 0x05 0x00000000 0x01 0x00000000>, /* FSS0 DAT3 */
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0127/1126] arm64: dts: ti: k3-j721s2: Fix gic-v3 compatible regs
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0126/1126] arm64: dts: ti: k3-am64: " Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14   ` Greg Kroah-Hartman
                   ` (862 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Nishanth Menon

From: Nishanth Menon <nm@ti.com>

commit a966803781fc5e1875511db9392b0d16174c5dd2 upstream.

Though GIC ARE option is disabled for no GIC-v2 compatibility,
Cortex-A72 is free to implement the CPU interface as long as it
communicates with the GIC using the stream protocol. This requires
that the SoC integration mark out the PERIPHBASE[1] as reserved area
within the SoC. See longer discussion in [2] for further information.

Update the GIC register map to indicate offsets from PERIPHBASE based
on [3]. Without doing this, systems like kvm will not function with
gic-v2 emulation.

[1] https://developer.arm.com/documentation/100095/0002/system-control/aarch64-register-descriptions/configuration-base-address-register--el1
[2] https://lore.kernel.org/all/87k0e0tirw.wl-maz@kernel.org/
[3] https://developer.arm.com/documentation/100095/0002/way1382452674438

Cc: stable@vger.kernel.org
Fixes: b8545f9d3a54 ("arm64: dts: ti: Add initial support for J721S2 SoC")
Reported-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Nishanth Menon <nm@ti.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20220215201008.15235-6-nm@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/ti/k3-j721s2-main.dtsi |    5 ++++-
 arch/arm64/boot/dts/ti/k3-j721s2.dtsi      |    1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/ti/k3-j721s2-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-j721s2-main.dtsi
@@ -34,7 +34,10 @@
 		#interrupt-cells = <3>;
 		interrupt-controller;
 		reg = <0x00 0x01800000 0x00 0x200000>, /* GICD */
-		      <0x00 0x01900000 0x00 0x100000>; /* GICR */
+		      <0x00 0x01900000 0x00 0x100000>, /* GICR */
+		      <0x00 0x6f000000 0x00 0x2000>,   /* GICC */
+		      <0x00 0x6f010000 0x00 0x1000>,   /* GICH */
+		      <0x00 0x6f020000 0x00 0x2000>;   /* GICV */
 
 		/* vcpumntirq: virtual CPU interface maintenance interrupt */
 		interrupts = <GIC_PPI 9 IRQ_TYPE_LEVEL_HIGH>;
--- a/arch/arm64/boot/dts/ti/k3-j721s2.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-j721s2.dtsi
@@ -119,6 +119,7 @@
 			 <0x00 0x18000000 0x00 0x18000000 0x00 0x08000000>, /* PCIe1 DAT0 */
 			 <0x00 0x64800000 0x00 0x64800000 0x00 0x0070c000>, /* C71_1 */
 			 <0x00 0x65800000 0x00 0x65800000 0x00 0x0070c000>, /* C71_2 */
+			 <0x00 0x6f000000 0x00 0x6f000000 0x00 0x00310000>, /* A72 PERIPHBASE */
 			 <0x00 0x70000000 0x00 0x70000000 0x00 0x00400000>, /* MSMC RAM */
 			 <0x00 0x30000000 0x00 0x30000000 0x00 0x0c400000>, /* MAIN NAVSS */
 			 <0x41 0x00000000 0x41 0x00000000 0x01 0x00000000>, /* PCIe1 DAT1 */



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0128/1126] ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
@ 2022-04-05  7:14   ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0002/1126] USB: serial: pl2303: add IBM device IDs Greg Kroah-Hartman
                     ` (988 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Pierre-Louis Bossart, alsa-devel, Kai Vehmanen, Ammar Faizi,
	Greg Kroah-Hartman, Takashi Iwai, Keyon Jie, Liam Girdwood,
	stable, Mark Brown, Ranjani Sridharan, Peter Ujfalusi,
	Rander Wang, Daniel Baluta, sound-open-firmware

From: Ammar Faizi <ammarfaizi2@gnuweeb.org>

commit b7fb0ae09009d076964afe4c1a2bde1ee2bd88a9 upstream.

Do not call snd_dma_free_pages() when snd_dma_alloc_pages() returns
-ENOMEM because it leads to a NULL pointer dereference bug.

The dmesg says:

  [ T1387] sof-audio-pci-intel-tgl 0000:00:1f.3: error: memory alloc failed: -12
  [ T1387] BUG: kernel NULL pointer dereference, address: 0000000000000000
  [ T1387] #PF: supervisor read access in kernel mode
  [ T1387] #PF: error_code(0x0000) - not-present page
  [ T1387] PGD 0 P4D 0
  [ T1387] Oops: 0000 [#1] PREEMPT SMP NOPTI
  [ T1387] CPU: 6 PID: 1387 Comm: alsa-sink-HDA A Tainted: G        W         5.17.0-rc4-superb-owl-00055-g80d47f5de5e3
  [ T1387] Hardware name: HP HP Laptop 14s-dq2xxx/87FD, BIOS F.15 09/15/2021
  [ T1387] RIP: 0010:dma_free_noncontiguous+0x37/0x80
  [ T1387] Code: [... snip ...]
  [ T1387] RSP: 0000:ffffc90002b87770 EFLAGS: 00010246
  [ T1387] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
  [ T1387] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888101db30d0
  [ T1387] RBP: 00000000fffffff4 R08: 0000000000000000 R09: 0000000000000000
  [ T1387] R10: 0000000000000000 R11: ffffc90002b874d0 R12: 0000000000000001
  [ T1387] R13: 0000000000058000 R14: ffff888105260c68 R15: ffff888105260828
  [ T1387] FS:  00007f42e2ffd640(0000) GS:ffff888466b80000(0000) knlGS:0000000000000000
  [ T1387] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [ T1387] CR2: 0000000000000000 CR3: 000000014acf0003 CR4: 0000000000770ee0
  [ T1387] PKRU: 55555554
  [ T1387] Call Trace:
  [ T1387]  <TASK>
  [ T1387]  cl_stream_prepare+0x10a/0x120 [snd_sof_intel_hda_common 146addf995b9279ae7f509621078cccbe4f875e1]
  [... snip ...]
  [ T1387]  </TASK>

Cc: Daniel Baluta <daniel.baluta@nxp.com>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Cc: Keyon Jie <yang.jie@linux.intel.com>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Rander Wang <rander.wang@intel.com>
Cc: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: sound-open-firmware@alsa-project.org
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org # v5.2+
Fixes: d16046ffa6de040bf580a64d5f4d0aa18258a854 ("ASoC: SOF: Intel: Add Intel specific HDA firmware loader")
Link: https://lore.kernel.org/lkml/20220224145124.15985-1-ammarfaizi2@gnuweeb.org/ # v1
Link: https://lore.kernel.org/lkml/20220224180850.34592-1-ammarfaizi2@gnuweeb.org/ # v2
Link: https://lore.kernel.org/lkml/20220224182818.40301-1-ammarfaizi2@gnuweeb.org/ # v3
Reviewed-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
Link: https://lore.kernel.org/r/20220224185836.44907-1-ammarfaizi2@gnuweeb.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/sof/intel/hda-loader.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/sound/soc/sof/intel/hda-loader.c
+++ b/sound/soc/sof/intel/hda-loader.c
@@ -47,7 +47,7 @@ static struct hdac_ext_stream *cl_stream
 	ret = snd_dma_alloc_pages(SNDRV_DMA_TYPE_DEV_SG, &pci->dev, size, dmab);
 	if (ret < 0) {
 		dev_err(sdev->dev, "error: memory alloc failed: %d\n", ret);
-		goto error;
+		goto out_put;
 	}
 
 	hstream->period_bytes = 0;/* initialize period_bytes */
@@ -58,22 +58,23 @@ static struct hdac_ext_stream *cl_stream
 		ret = hda_dsp_iccmax_stream_hw_params(sdev, dsp_stream, dmab, NULL);
 		if (ret < 0) {
 			dev_err(sdev->dev, "error: iccmax stream prepare failed: %d\n", ret);
-			goto error;
+			goto out_free;
 		}
 	} else {
 		ret = hda_dsp_stream_hw_params(sdev, dsp_stream, dmab, NULL);
 		if (ret < 0) {
 			dev_err(sdev->dev, "error: hdac prepare failed: %d\n", ret);
-			goto error;
+			goto out_free;
 		}
 		hda_dsp_stream_spib_config(sdev, dsp_stream, HDA_DSP_SPIB_ENABLE, size);
 	}
 
 	return dsp_stream;
 
-error:
-	hda_dsp_stream_put(sdev, direction, hstream->stream_tag);
+out_free:
 	snd_dma_free_pages(dmab);
+out_put:
+	hda_dsp_stream_put(sdev, direction, hstream->stream_tag);
 	return ERR_PTR(ret);
 }
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0128/1126] ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM
@ 2022-04-05  7:14   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Baluta, Jaroslav Kysela,
	Kai Vehmanen, Keyon Jie, Liam Girdwood, Mark Brown, Rander Wang,
	Ranjani Sridharan, Takashi Iwai, sound-open-firmware, alsa-devel,
	Peter Ujfalusi, Pierre-Louis Bossart, Ammar Faizi

From: Ammar Faizi <ammarfaizi2@gnuweeb.org>

commit b7fb0ae09009d076964afe4c1a2bde1ee2bd88a9 upstream.

Do not call snd_dma_free_pages() when snd_dma_alloc_pages() returns
-ENOMEM because it leads to a NULL pointer dereference bug.

The dmesg says:

  [ T1387] sof-audio-pci-intel-tgl 0000:00:1f.3: error: memory alloc failed: -12
  [ T1387] BUG: kernel NULL pointer dereference, address: 0000000000000000
  [ T1387] #PF: supervisor read access in kernel mode
  [ T1387] #PF: error_code(0x0000) - not-present page
  [ T1387] PGD 0 P4D 0
  [ T1387] Oops: 0000 [#1] PREEMPT SMP NOPTI
  [ T1387] CPU: 6 PID: 1387 Comm: alsa-sink-HDA A Tainted: G        W         5.17.0-rc4-superb-owl-00055-g80d47f5de5e3
  [ T1387] Hardware name: HP HP Laptop 14s-dq2xxx/87FD, BIOS F.15 09/15/2021
  [ T1387] RIP: 0010:dma_free_noncontiguous+0x37/0x80
  [ T1387] Code: [... snip ...]
  [ T1387] RSP: 0000:ffffc90002b87770 EFLAGS: 00010246
  [ T1387] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
  [ T1387] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888101db30d0
  [ T1387] RBP: 00000000fffffff4 R08: 0000000000000000 R09: 0000000000000000
  [ T1387] R10: 0000000000000000 R11: ffffc90002b874d0 R12: 0000000000000001
  [ T1387] R13: 0000000000058000 R14: ffff888105260c68 R15: ffff888105260828
  [ T1387] FS:  00007f42e2ffd640(0000) GS:ffff888466b80000(0000) knlGS:0000000000000000
  [ T1387] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [ T1387] CR2: 0000000000000000 CR3: 000000014acf0003 CR4: 0000000000770ee0
  [ T1387] PKRU: 55555554
  [ T1387] Call Trace:
  [ T1387]  <TASK>
  [ T1387]  cl_stream_prepare+0x10a/0x120 [snd_sof_intel_hda_common 146addf995b9279ae7f509621078cccbe4f875e1]
  [... snip ...]
  [ T1387]  </TASK>

Cc: Daniel Baluta <daniel.baluta@nxp.com>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Cc: Keyon Jie <yang.jie@linux.intel.com>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Rander Wang <rander.wang@intel.com>
Cc: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: sound-open-firmware@alsa-project.org
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org # v5.2+
Fixes: d16046ffa6de040bf580a64d5f4d0aa18258a854 ("ASoC: SOF: Intel: Add Intel specific HDA firmware loader")
Link: https://lore.kernel.org/lkml/20220224145124.15985-1-ammarfaizi2@gnuweeb.org/ # v1
Link: https://lore.kernel.org/lkml/20220224180850.34592-1-ammarfaizi2@gnuweeb.org/ # v2
Link: https://lore.kernel.org/lkml/20220224182818.40301-1-ammarfaizi2@gnuweeb.org/ # v3
Reviewed-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
Link: https://lore.kernel.org/r/20220224185836.44907-1-ammarfaizi2@gnuweeb.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/sof/intel/hda-loader.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/sound/soc/sof/intel/hda-loader.c
+++ b/sound/soc/sof/intel/hda-loader.c
@@ -47,7 +47,7 @@ static struct hdac_ext_stream *cl_stream
 	ret = snd_dma_alloc_pages(SNDRV_DMA_TYPE_DEV_SG, &pci->dev, size, dmab);
 	if (ret < 0) {
 		dev_err(sdev->dev, "error: memory alloc failed: %d\n", ret);
-		goto error;
+		goto out_put;
 	}
 
 	hstream->period_bytes = 0;/* initialize period_bytes */
@@ -58,22 +58,23 @@ static struct hdac_ext_stream *cl_stream
 		ret = hda_dsp_iccmax_stream_hw_params(sdev, dsp_stream, dmab, NULL);
 		if (ret < 0) {
 			dev_err(sdev->dev, "error: iccmax stream prepare failed: %d\n", ret);
-			goto error;
+			goto out_free;
 		}
 	} else {
 		ret = hda_dsp_stream_hw_params(sdev, dsp_stream, dmab, NULL);
 		if (ret < 0) {
 			dev_err(sdev->dev, "error: hdac prepare failed: %d\n", ret);
-			goto error;
+			goto out_free;
 		}
 		hda_dsp_stream_spib_config(sdev, dsp_stream, HDA_DSP_SPIB_ENABLE, size);
 	}
 
 	return dsp_stream;
 
-error:
-	hda_dsp_stream_put(sdev, direction, hstream->stream_tag);
+out_free:
 	snd_dma_free_pages(dmab);
+out_put:
+	hda_dsp_stream_put(sdev, direction, hstream->stream_tag);
 	return ERR_PTR(ret);
 }
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0129/1126] mmc: core: use sysfs_emit() instead of sprintf()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2022-04-05  7:14   ` Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0130/1126] Revert "ACPI: Pass the same capabilities to the _OSC regardless of the query flag" Greg Kroah-Hartman
                   ` (860 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sergey Shtylyov, Ulf Hansson

From: Sergey Shtylyov <s.shtylyov@omp.ru>

commit f5d8a5fe77ce933f53eb8f2e22bb7a1a2019ea11 upstream.

sprintf() (still used in the MMC core for the sysfs output) is vulnerable
to the buffer overflow.  Use the new-fangled sysfs_emit() instead.

Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.

Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/717729b2-d65b-c72e-9fac-471d28d00b5a@omp.ru
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/core/bus.c      |    9 +++++----
 drivers/mmc/core/bus.h      |    3 ++-
 drivers/mmc/core/mmc.c      |   16 ++++++++--------
 drivers/mmc/core/sd.c       |   27 +++++++++++++--------------
 drivers/mmc/core/sdio.c     |    5 +++--
 drivers/mmc/core/sdio_bus.c |    7 ++++---
 6 files changed, 35 insertions(+), 32 deletions(-)

--- a/drivers/mmc/core/bus.c
+++ b/drivers/mmc/core/bus.c
@@ -15,6 +15,7 @@
 #include <linux/stat.h>
 #include <linux/of.h>
 #include <linux/pm_runtime.h>
+#include <linux/sysfs.h>
 
 #include <linux/mmc/card.h>
 #include <linux/mmc/host.h>
@@ -34,13 +35,13 @@ static ssize_t type_show(struct device *
 
 	switch (card->type) {
 	case MMC_TYPE_MMC:
-		return sprintf(buf, "MMC\n");
+		return sysfs_emit(buf, "MMC\n");
 	case MMC_TYPE_SD:
-		return sprintf(buf, "SD\n");
+		return sysfs_emit(buf, "SD\n");
 	case MMC_TYPE_SDIO:
-		return sprintf(buf, "SDIO\n");
+		return sysfs_emit(buf, "SDIO\n");
 	case MMC_TYPE_SD_COMBO:
-		return sprintf(buf, "SDcombo\n");
+		return sysfs_emit(buf, "SDcombo\n");
 	default:
 		return -EFAULT;
 	}
--- a/drivers/mmc/core/bus.h
+++ b/drivers/mmc/core/bus.h
@@ -9,6 +9,7 @@
 #define _MMC_CORE_BUS_H
 
 #include <linux/device.h>
+#include <linux/sysfs.h>
 
 struct mmc_host;
 struct mmc_card;
@@ -17,7 +18,7 @@ struct mmc_card;
 static ssize_t mmc_##name##_show (struct device *dev, struct device_attribute *attr, char *buf)	\
 {										\
 	struct mmc_card *card = mmc_dev_to_card(dev);				\
-	return sprintf(buf, fmt, args);						\
+	return sysfs_emit(buf, fmt, args);					\
 }										\
 static DEVICE_ATTR(name, S_IRUGO, mmc_##name##_show, NULL)
 
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -12,6 +12,7 @@
 #include <linux/slab.h>
 #include <linux/stat.h>
 #include <linux/pm_runtime.h>
+#include <linux/sysfs.h>
 
 #include <linux/mmc/host.h>
 #include <linux/mmc/card.h>
@@ -812,12 +813,11 @@ static ssize_t mmc_fwrev_show(struct dev
 {
 	struct mmc_card *card = mmc_dev_to_card(dev);
 
-	if (card->ext_csd.rev < 7) {
-		return sprintf(buf, "0x%x\n", card->cid.fwrev);
-	} else {
-		return sprintf(buf, "0x%*phN\n", MMC_FIRMWARE_LEN,
-			       card->ext_csd.fwrev);
-	}
+	if (card->ext_csd.rev < 7)
+		return sysfs_emit(buf, "0x%x\n", card->cid.fwrev);
+	else
+		return sysfs_emit(buf, "0x%*phN\n", MMC_FIRMWARE_LEN,
+				  card->ext_csd.fwrev);
 }
 
 static DEVICE_ATTR(fwrev, S_IRUGO, mmc_fwrev_show, NULL);
@@ -830,10 +830,10 @@ static ssize_t mmc_dsr_show(struct devic
 	struct mmc_host *host = card->host;
 
 	if (card->csd.dsr_imp && host->dsr_req)
-		return sprintf(buf, "0x%x\n", host->dsr);
+		return sysfs_emit(buf, "0x%x\n", host->dsr);
 	else
 		/* return default DSR value */
-		return sprintf(buf, "0x%x\n", 0x404);
+		return sysfs_emit(buf, "0x%x\n", 0x404);
 }
 
 static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL);
--- a/drivers/mmc/core/sd.c
+++ b/drivers/mmc/core/sd.c
@@ -13,6 +13,7 @@
 #include <linux/stat.h>
 #include <linux/pm_runtime.h>
 #include <linux/scatterlist.h>
+#include <linux/sysfs.h>
 
 #include <linux/mmc/host.h>
 #include <linux/mmc/card.h>
@@ -708,18 +709,16 @@ MMC_DEV_ATTR(ocr, "0x%08x\n", card->ocr)
 MMC_DEV_ATTR(rca, "0x%04x\n", card->rca);
 
 
-static ssize_t mmc_dsr_show(struct device *dev,
-                           struct device_attribute *attr,
-                           char *buf)
-{
-       struct mmc_card *card = mmc_dev_to_card(dev);
-       struct mmc_host *host = card->host;
-
-       if (card->csd.dsr_imp && host->dsr_req)
-               return sprintf(buf, "0x%x\n", host->dsr);
-       else
-               /* return default DSR value */
-               return sprintf(buf, "0x%x\n", 0x404);
+static ssize_t mmc_dsr_show(struct device *dev, struct device_attribute *attr,
+			    char *buf)
+{
+	struct mmc_card *card = mmc_dev_to_card(dev);
+	struct mmc_host *host = card->host;
+
+	if (card->csd.dsr_imp && host->dsr_req)
+		return sysfs_emit(buf, "0x%x\n", host->dsr);
+	/* return default DSR value */
+	return sysfs_emit(buf, "0x%x\n", 0x404);
 }
 
 static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL);
@@ -735,9 +734,9 @@ static ssize_t info##num##_show(struct d
 												\
 	if (num > card->num_info)								\
 		return -ENODATA;								\
-	if (!card->info[num-1][0])								\
+	if (!card->info[num - 1][0])								\
 		return 0;									\
-	return sprintf(buf, "%s\n", card->info[num-1]);						\
+	return sysfs_emit(buf, "%s\n", card->info[num - 1]);					\
 }												\
 static DEVICE_ATTR_RO(info##num)
 
--- a/drivers/mmc/core/sdio.c
+++ b/drivers/mmc/core/sdio.c
@@ -7,6 +7,7 @@
 
 #include <linux/err.h>
 #include <linux/pm_runtime.h>
+#include <linux/sysfs.h>
 
 #include <linux/mmc/host.h>
 #include <linux/mmc/card.h>
@@ -40,9 +41,9 @@ static ssize_t info##num##_show(struct d
 												\
 	if (num > card->num_info)								\
 		return -ENODATA;								\
-	if (!card->info[num-1][0])								\
+	if (!card->info[num - 1][0])								\
 		return 0;									\
-	return sprintf(buf, "%s\n", card->info[num-1]);						\
+	return sysfs_emit(buf, "%s\n", card->info[num - 1]);					\
 }												\
 static DEVICE_ATTR_RO(info##num)
 
--- a/drivers/mmc/core/sdio_bus.c
+++ b/drivers/mmc/core/sdio_bus.c
@@ -14,6 +14,7 @@
 #include <linux/pm_runtime.h>
 #include <linux/pm_domain.h>
 #include <linux/acpi.h>
+#include <linux/sysfs.h>
 
 #include <linux/mmc/card.h>
 #include <linux/mmc/host.h>
@@ -35,7 +36,7 @@ field##_show(struct device *dev, struct
 	struct sdio_func *func;						\
 									\
 	func = dev_to_sdio_func (dev);					\
-	return sprintf(buf, format_string, args);			\
+	return sysfs_emit(buf, format_string, args);			\
 }									\
 static DEVICE_ATTR_RO(field)
 
@@ -52,9 +53,9 @@ static ssize_t info##num##_show(struct d
 												\
 	if (num > func->num_info)								\
 		return -ENODATA;								\
-	if (!func->info[num-1][0])								\
+	if (!func->info[num - 1][0])								\
 		return 0;									\
-	return sprintf(buf, "%s\n", func->info[num-1]);						\
+	return sysfs_emit(buf, "%s\n", func->info[num - 1]);					\
 }												\
 static DEVICE_ATTR_RO(info##num)
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0130/1126] Revert "ACPI: Pass the same capabilities to the _OSC regardless of the query flag"
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0129/1126] mmc: core: use sysfs_emit() instead of sprintf() Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0131/1126] ACPI: properties: Consistently return -ENOENT if there are no more references Greg Kroah-Hartman
                   ` (859 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mario Limonciello, Rafael J. Wysocki,
	Mario Limonciello, Huang Rui, Mika Westerberg

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

commit 2ca8e6285250c07a2e5a22ecbfd59b5a4ef73484 upstream.

Revert commit 159d8c274fd9 ("ACPI: Pass the same capabilities to the
_OSC regardless of the query flag") which caused legitimate usage
scenarios (when the platform firmware does not want the OS to control
certain platform features controlled by the system bus scope _OSC) to
break and was misguided by some misleading language in the _OSC
definition in the ACPI specification (in particular, Section 6.2.11.1.3
"Sequence of _OSC Calls" that contradicts other perts of the _OSC
definition).

Link: https://lore.kernel.org/linux-acpi/CAJZ5v0iStA0JmO0H3z+VgQsVuQONVjKPpw0F5HKfiq=Gb6B5yw@mail.gmail.com
Reported-by: Mario Limonciello <Mario.Limonciello@amd.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Tested-by: Mario Limonciello <mario.limonciello@amd.com>
Acked-by: Huang Rui <ray.huang@amd.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/bus.c |   27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

--- a/drivers/acpi/bus.c
+++ b/drivers/acpi/bus.c
@@ -332,21 +332,32 @@ static void acpi_bus_osc_negotiate_platf
 	if (ACPI_FAILURE(acpi_run_osc(handle, &context)))
 		return;
 
-	kfree(context.ret.pointer);
+	capbuf_ret = context.ret.pointer;
+	if (context.ret.length <= OSC_SUPPORT_DWORD) {
+		kfree(context.ret.pointer);
+		return;
+	}
 
-	/* Now run _OSC again with query flag clear */
+	/*
+	 * Now run _OSC again with query flag clear and with the caps
+	 * supported by both the OS and the platform.
+	 */
 	capbuf[OSC_QUERY_DWORD] = 0;
+	capbuf[OSC_SUPPORT_DWORD] = capbuf_ret[OSC_SUPPORT_DWORD];
+	kfree(context.ret.pointer);
 
 	if (ACPI_FAILURE(acpi_run_osc(handle, &context)))
 		return;
 
 	capbuf_ret = context.ret.pointer;
-	osc_sb_apei_support_acked =
-		capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_APEI_SUPPORT;
-	osc_pc_lpi_support_confirmed =
-		capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_PCLPI_SUPPORT;
-	osc_sb_native_usb4_support_confirmed =
-		capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_NATIVE_USB4_SUPPORT;
+	if (context.ret.length > OSC_SUPPORT_DWORD) {
+		osc_sb_apei_support_acked =
+			capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_APEI_SUPPORT;
+		osc_pc_lpi_support_confirmed =
+			capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_PCLPI_SUPPORT;
+		osc_sb_native_usb4_support_confirmed =
+			capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_NATIVE_USB4_SUPPORT;
+	}
 
 	kfree(context.ret.pointer);
 }



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0131/1126] ACPI: properties: Consistently return -ENOENT if there are no more references
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0130/1126] Revert "ACPI: Pass the same capabilities to the _OSC regardless of the query flag" Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0132/1126] coredump: Also dump first pages of non-executable ELF libraries Greg Kroah-Hartman
                   ` (858 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sakari Ailus, Rafael J. Wysocki

From: Sakari Ailus <sakari.ailus@linux.intel.com>

commit babc92da5928f81af951663fc436997352e02d3a upstream.

__acpi_node_get_property_reference() is documented to return -ENOENT if
the caller requests a property reference at an index that does not exist,
not -EINVAL which it actually does.

Fix this by returning -ENOENT consistenly, independently of whether the
property value is a plain reference or a package.

Fixes: c343bc2ce2c6 ("ACPI: properties: Align return codes of __acpi_node_get_property_reference()")
Cc: 4.14+ <stable@vger.kernel.org> # 4.14+
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/property.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/acpi/property.c
+++ b/drivers/acpi/property.c
@@ -685,7 +685,7 @@ int __acpi_node_get_property_reference(c
 	 */
 	if (obj->type == ACPI_TYPE_LOCAL_REFERENCE) {
 		if (index)
-			return -EINVAL;
+			return -ENOENT;
 
 		device = acpi_fetch_acpi_dev(obj->reference.handle);
 		if (!device)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0132/1126] coredump: Also dump first pages of non-executable ELF libraries
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0131/1126] ACPI: properties: Consistently return -ENOENT if there are no more references Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0133/1126] ext4: fix ext4_fc_stats trace point Greg Kroah-Hartman
                   ` (857 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bill Messmer, Jann Horn, Kees Cook

From: Jann Horn <jannh@google.com>

commit 84158b7f6a0624b81800b4e7c90f7fb7fdecf66c upstream.

When I rewrote the VMA dumping logic for coredumps, I changed it to
recognize ELF library mappings based on the file being executable instead
of the mapping having an ELF header. But turns out, distros ship many ELF
libraries as non-executable, so the heuristic goes wrong...

Restore the old behavior where FILTER(ELF_HEADERS) dumps the first page of
any offset-0 readable mapping that starts with the ELF magic.

This fix is technically layer-breaking a bit, because it checks for
something ELF-specific in fs/coredump.c; but since we probably want to
share this between standard ELF and FDPIC ELF anyway, I guess it's fine?
And this also keeps the change small for backporting.

Cc: stable@vger.kernel.org
Fixes: 429a22e776a2 ("coredump: rework elf/elf_fdpic vma_dump_size() into common helper")
Reported-by: Bill Messmer <wmessmer@microsoft.com>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220126025739.2014888-1-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/coredump.c |   39 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 34 insertions(+), 5 deletions(-)

--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -42,6 +42,7 @@
 #include <linux/path.h>
 #include <linux/timekeeping.h>
 #include <linux/sysctl.h>
+#include <linux/elf.h>
 
 #include <linux/uaccess.h>
 #include <asm/mmu_context.h>
@@ -980,6 +981,8 @@ static bool always_dump_vma(struct vm_ar
 	return false;
 }
 
+#define DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER 1
+
 /*
  * Decide how much of @vma's contents should be included in a core dump.
  */
@@ -1039,9 +1042,20 @@ static unsigned long vma_dump_size(struc
 	 * dump the first page to aid in determining what was mapped here.
 	 */
 	if (FILTER(ELF_HEADERS) &&
-	    vma->vm_pgoff == 0 && (vma->vm_flags & VM_READ) &&
-	    (READ_ONCE(file_inode(vma->vm_file)->i_mode) & 0111) != 0)
-		return PAGE_SIZE;
+	    vma->vm_pgoff == 0 && (vma->vm_flags & VM_READ)) {
+		if ((READ_ONCE(file_inode(vma->vm_file)->i_mode) & 0111) != 0)
+			return PAGE_SIZE;
+
+		/*
+		 * ELF libraries aren't always executable.
+		 * We'll want to check whether the mapping starts with the ELF
+		 * magic, but not now - we're holding the mmap lock,
+		 * so copy_from_user() doesn't work here.
+		 * Use a placeholder instead, and fix it up later in
+		 * dump_vma_snapshot().
+		 */
+		return DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER;
+	}
 
 #undef	FILTER
 
@@ -1116,8 +1130,6 @@ int dump_vma_snapshot(struct coredump_pa
 		m->end = vma->vm_end;
 		m->flags = vma->vm_flags;
 		m->dump_size = vma_dump_size(vma, cprm->mm_flags);
-
-		vma_data_size += m->dump_size;
 	}
 
 	mmap_write_unlock(mm);
@@ -1127,6 +1139,23 @@ int dump_vma_snapshot(struct coredump_pa
 		return -EFAULT;
 	}
 
+	for (i = 0; i < *vma_count; i++) {
+		struct core_vma_metadata *m = (*vma_meta) + i;
+
+		if (m->dump_size == DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER) {
+			char elfmag[SELFMAG];
+
+			if (copy_from_user(elfmag, (void __user *)m->start, SELFMAG) ||
+					memcmp(elfmag, ELFMAG, SELFMAG) != 0) {
+				m->dump_size = 0;
+			} else {
+				m->dump_size = PAGE_SIZE;
+			}
+		}
+
+		vma_data_size += m->dump_size;
+	}
+
 	*vma_data_size_ptr = vma_data_size;
 	return 0;
 }



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0133/1126] ext4: fix ext4_fc_stats trace point
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0132/1126] coredump: Also dump first pages of non-executable ELF libraries Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0134/1126] ext4: fix fs corruption when tring to remove a non-empty directory with IO error Greg Kroah-Hartman
                   ` (856 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, Steven Rostedt,
	Ritesh Harjani, Jan Kara, Harshad Shirwadkar, Theodore Tso

From: Ritesh Harjani <riteshh@linux.ibm.com>

commit 7af1974af0a9ba8a8ed2e3e947d87dd4d9a78d27 upstream.

ftrace's __print_symbolic() requires that any enum values used in the
symbol to string translation table be wrapped in a TRACE_DEFINE_ENUM
so that the enum value can be decoded from the ftrace ring buffer by
user space tooling.

This patch also fixes few other problems found in this trace point.
e.g. dereferencing structures in TP_printk which should not be done
at any cost.

Also to avoid checkpatch warnings, this patch removes those
whitespaces/tab stops issues.

Cc: stable@kernel.org
Fixes: aa75f4d3daae ("ext4: main fast-commit commit path")
Reported-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Reviewed-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Link: https://lore.kernel.org/r/b4b9691414c35c62e570b723e661c80674169f9a.1647057583.git.riteshh@linux.ibm.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/trace/events/ext4.h |   80 +++++++++++++++++++++++++++-----------------
 1 file changed, 50 insertions(+), 30 deletions(-)

--- a/include/trace/events/ext4.h
+++ b/include/trace/events/ext4.h
@@ -95,6 +95,17 @@ TRACE_DEFINE_ENUM(ES_REFERENCED_B);
 	{ FALLOC_FL_COLLAPSE_RANGE,	"COLLAPSE_RANGE"},	\
 	{ FALLOC_FL_ZERO_RANGE,		"ZERO_RANGE"})
 
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_XATTR);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_CROSS_RENAME);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_JOURNAL_FLAG_CHANGE);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_NOMEM);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_SWAP_BOOT);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_RESIZE);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_RENAME_DIR);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_FALLOC_RANGE);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_INODE_JOURNAL_DATA);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_MAX);
+
 #define show_fc_reason(reason)						\
 	__print_symbolic(reason,					\
 		{ EXT4_FC_REASON_XATTR,		"XATTR"},		\
@@ -2723,41 +2734,50 @@ TRACE_EVENT(ext4_fc_commit_stop,
 
 #define FC_REASON_NAME_STAT(reason)					\
 	show_fc_reason(reason),						\
-	__entry->sbi->s_fc_stats.fc_ineligible_reason_count[reason]
+	__entry->fc_ineligible_rc[reason]
 
 TRACE_EVENT(ext4_fc_stats,
-	    TP_PROTO(struct super_block *sb),
+	TP_PROTO(struct super_block *sb),
+
+	TP_ARGS(sb),
+
+	TP_STRUCT__entry(
+		__field(dev_t, dev)
+		__array(unsigned int, fc_ineligible_rc, EXT4_FC_REASON_MAX)
+		__field(unsigned long, fc_commits)
+		__field(unsigned long, fc_ineligible_commits)
+		__field(unsigned long, fc_numblks)
+	),
 
-	    TP_ARGS(sb),
+	TP_fast_assign(
+		int i;
 
-	    TP_STRUCT__entry(
-		    __field(dev_t, dev)
-		    __field(struct ext4_sb_info *, sbi)
-		    __field(int, count)
-		    ),
-
-	    TP_fast_assign(
-		    __entry->dev = sb->s_dev;
-		    __entry->sbi = EXT4_SB(sb);
-		    ),
-
-	    TP_printk("dev %d:%d fc ineligible reasons:\n"
-		      "%s:%d, %s:%d, %s:%d, %s:%d, %s:%d, %s:%d, %s:%d, %s:%d, %s:%d; "
-		      "num_commits:%ld, ineligible: %ld, numblks: %ld",
-		      MAJOR(__entry->dev), MINOR(__entry->dev),
-		      FC_REASON_NAME_STAT(EXT4_FC_REASON_XATTR),
-		      FC_REASON_NAME_STAT(EXT4_FC_REASON_CROSS_RENAME),
-		      FC_REASON_NAME_STAT(EXT4_FC_REASON_JOURNAL_FLAG_CHANGE),
-		      FC_REASON_NAME_STAT(EXT4_FC_REASON_NOMEM),
-		      FC_REASON_NAME_STAT(EXT4_FC_REASON_SWAP_BOOT),
-		      FC_REASON_NAME_STAT(EXT4_FC_REASON_RESIZE),
-		      FC_REASON_NAME_STAT(EXT4_FC_REASON_RENAME_DIR),
-		      FC_REASON_NAME_STAT(EXT4_FC_REASON_FALLOC_RANGE),
-		      FC_REASON_NAME_STAT(EXT4_FC_REASON_INODE_JOURNAL_DATA),
-		      __entry->sbi->s_fc_stats.fc_num_commits,
-		      __entry->sbi->s_fc_stats.fc_ineligible_commits,
-		      __entry->sbi->s_fc_stats.fc_numblks)
+		__entry->dev = sb->s_dev;
+		for (i = 0; i < EXT4_FC_REASON_MAX; i++) {
+			__entry->fc_ineligible_rc[i] =
+				EXT4_SB(sb)->s_fc_stats.fc_ineligible_reason_count[i];
+		}
+		__entry->fc_commits = EXT4_SB(sb)->s_fc_stats.fc_num_commits;
+		__entry->fc_ineligible_commits =
+			EXT4_SB(sb)->s_fc_stats.fc_ineligible_commits;
+		__entry->fc_numblks = EXT4_SB(sb)->s_fc_stats.fc_numblks;
+	),
 
+	TP_printk("dev %d,%d fc ineligible reasons:\n"
+		  "%s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u "
+		  "num_commits:%lu, ineligible: %lu, numblks: %lu",
+		  MAJOR(__entry->dev), MINOR(__entry->dev),
+		  FC_REASON_NAME_STAT(EXT4_FC_REASON_XATTR),
+		  FC_REASON_NAME_STAT(EXT4_FC_REASON_CROSS_RENAME),
+		  FC_REASON_NAME_STAT(EXT4_FC_REASON_JOURNAL_FLAG_CHANGE),
+		  FC_REASON_NAME_STAT(EXT4_FC_REASON_NOMEM),
+		  FC_REASON_NAME_STAT(EXT4_FC_REASON_SWAP_BOOT),
+		  FC_REASON_NAME_STAT(EXT4_FC_REASON_RESIZE),
+		  FC_REASON_NAME_STAT(EXT4_FC_REASON_RENAME_DIR),
+		  FC_REASON_NAME_STAT(EXT4_FC_REASON_FALLOC_RANGE),
+		  FC_REASON_NAME_STAT(EXT4_FC_REASON_INODE_JOURNAL_DATA),
+		  __entry->fc_commits, __entry->fc_ineligible_commits,
+		  __entry->fc_numblks)
 );
 
 #define DEFINE_TRACE_DENTRY_EVENT(__type)				\



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0134/1126] ext4: fix fs corruption when tring to remove a non-empty directory with IO error
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0133/1126] ext4: fix ext4_fc_stats trace point Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0135/1126] ext4: make mb_optimize_scan option work with set/unset mount cmd Greg Kroah-Hartman
                   ` (855 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ye Bin, stable, Theodore Tso

From: Ye Bin <yebin10@huawei.com>

commit 7aab5c84a0f6ec2290e2ba4a6b245178b1bf949a upstream.

We inject IO error when rmdir non empty direcory, then got issue as follows:
step1: mkfs.ext4 -F /dev/sda
step2: mount /dev/sda  test
step3: cd test
step4: mkdir -p 1/2
step5: rmdir 1
	[  110.920551] ext4_empty_dir: inject fault
	[  110.921926] EXT4-fs warning (device sda): ext4_rmdir:3113: inode #12:
	comm rmdir: empty directory '1' has too many links (3)
step6: cd ..
step7: umount test
step8: fsck.ext4 -f /dev/sda
	e2fsck 1.42.9 (28-Dec-2013)
	Pass 1: Checking inodes, blocks, and sizes
	Pass 2: Checking directory structure
	Entry '..' in .../??? (13) has deleted/unused inode 12.  Clear<y>? yes
	Pass 3: Checking directory connectivity
	Unconnected directory inode 13 (...)
	Connect to /lost+found<y>? yes
	Pass 4: Checking reference counts
	Inode 13 ref count is 3, should be 2.  Fix<y>? yes
	Pass 5: Checking group summary information

	/dev/sda: ***** FILE SYSTEM WAS MODIFIED *****
	/dev/sda: 12/131072 files (0.0% non-contiguous), 26157/524288 blocks

ext4_rmdir
	if (!ext4_empty_dir(inode))
		goto end_rmdir;
ext4_empty_dir
	bh = ext4_read_dirblock(inode, 0, DIRENT_HTREE);
	if (IS_ERR(bh))
		return true;
Now if read directory block failed, 'ext4_empty_dir' will return true, assume
directory is empty. Obviously, it will lead to above issue.
To solve this issue, if read directory block failed 'ext4_empty_dir' just
return false. To avoid making things worse when file system is already
corrupted, 'ext4_empty_dir' also return false.

Signed-off-by: Ye Bin <yebin10@huawei.com>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20220228024815.3952506-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/inline.c |    9 ++++-----
 fs/ext4/namei.c  |   10 +++++-----
 2 files changed, 9 insertions(+), 10 deletions(-)

--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1783,19 +1783,20 @@ bool empty_inline_dir(struct inode *dir,
 	void *inline_pos;
 	unsigned int offset;
 	struct ext4_dir_entry_2 *de;
-	bool ret = true;
+	bool ret = false;
 
 	err = ext4_get_inode_loc(dir, &iloc);
 	if (err) {
 		EXT4_ERROR_INODE_ERR(dir, -err,
 				     "error %d getting inode %lu block",
 				     err, dir->i_ino);
-		return true;
+		return false;
 	}
 
 	down_read(&EXT4_I(dir)->xattr_sem);
 	if (!ext4_has_inline_data(dir)) {
 		*has_inline_data = 0;
+		ret = true;
 		goto out;
 	}
 
@@ -1804,7 +1805,6 @@ bool empty_inline_dir(struct inode *dir,
 		ext4_warning(dir->i_sb,
 			     "bad inline directory (dir #%lu) - no `..'",
 			     dir->i_ino);
-		ret = true;
 		goto out;
 	}
 
@@ -1823,16 +1823,15 @@ bool empty_inline_dir(struct inode *dir,
 				     dir->i_ino, le32_to_cpu(de->inode),
 				     le16_to_cpu(de->rec_len), de->name_len,
 				     inline_size);
-			ret = true;
 			goto out;
 		}
 		if (le32_to_cpu(de->inode)) {
-			ret = false;
 			goto out;
 		}
 		offset += ext4_rec_len_from_disk(de->rec_len, inline_size);
 	}
 
+	ret = true;
 out:
 	up_read(&EXT4_I(dir)->xattr_sem);
 	brelse(iloc.bh);
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2997,14 +2997,14 @@ bool ext4_empty_dir(struct inode *inode)
 	if (inode->i_size < ext4_dir_rec_len(1, NULL) +
 					ext4_dir_rec_len(2, NULL)) {
 		EXT4_ERROR_INODE(inode, "invalid size");
-		return true;
+		return false;
 	}
 	/* The first directory block must not be a hole,
 	 * so treat it as DIRENT_HTREE
 	 */
 	bh = ext4_read_dirblock(inode, 0, DIRENT_HTREE);
 	if (IS_ERR(bh))
-		return true;
+		return false;
 
 	de = (struct ext4_dir_entry_2 *) bh->b_data;
 	if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size,
@@ -3012,7 +3012,7 @@ bool ext4_empty_dir(struct inode *inode)
 	    le32_to_cpu(de->inode) != inode->i_ino || strcmp(".", de->name)) {
 		ext4_warning_inode(inode, "directory missing '.'");
 		brelse(bh);
-		return true;
+		return false;
 	}
 	offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);
 	de = ext4_next_entry(de, sb->s_blocksize);
@@ -3021,7 +3021,7 @@ bool ext4_empty_dir(struct inode *inode)
 	    le32_to_cpu(de->inode) == 0 || strcmp("..", de->name)) {
 		ext4_warning_inode(inode, "directory missing '..'");
 		brelse(bh);
-		return true;
+		return false;
 	}
 	offset += ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);
 	while (offset < inode->i_size) {
@@ -3035,7 +3035,7 @@ bool ext4_empty_dir(struct inode *inode)
 				continue;
 			}
 			if (IS_ERR(bh))
-				return true;
+				return false;
 		}
 		de = (struct ext4_dir_entry_2 *) (bh->b_data +
 					(offset & (sb->s_blocksize - 1)));



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0135/1126] ext4: make mb_optimize_scan option work with set/unset mount cmd
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0134/1126] ext4: fix fs corruption when tring to remove a non-empty directory with IO error Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0136/1126] ext4: make mb_optimize_scan performance mount option work with extents Greg Kroah-Hartman
                   ` (854 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, Ritesh Harjani,
	Ojaswin Mujoo, Theodore Tso

From: Ojaswin Mujoo <ojaswin@linux.ibm.com>

commit 27b38686a3bb601db48901dbc4e2fc5d77ffa2c1 upstream.

After moving to the new mount API, mb_optimize_scan mount option
handling was not working as expected due to the parsed value always
being overwritten by default. Refactor and fix this to the expected
behavior described below:

*  mb_optimize_scan=1 - On
*  mb_optimize_scan=0 - Off
*  mb_optimize_scan not passed - On if no. of BGs > threshold else off
*  Remounts retain previous value unless we explicitly pass the option
   with a new value

Fixes: cebe85d570cf ("ext4: switch to the new mount api")
Cc: stable@kernel.org
Reported-by: Ritesh Harjani <riteshh@linux.ibm.com>
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Ritesh Harjani <riteshh@linux.ibm.com>
Link: https://lore.kernel.org/r/c98970fe99f26718586d02e942f293300fb48ef3.1646732698.git.ojaswin@linux.ibm.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/super.c |   24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2021,12 +2021,12 @@ static int ext4_set_test_dummy_encryptio
 #define EXT4_SPEC_s_commit_interval		(1 << 16)
 #define EXT4_SPEC_s_fc_debug_max_replay		(1 << 17)
 #define EXT4_SPEC_s_sb_block			(1 << 18)
+#define EXT4_SPEC_mb_optimize_scan		(1 << 19)
 
 struct ext4_fs_context {
 	char		*s_qf_names[EXT4_MAXQUOTAS];
 	char		*test_dummy_enc_arg;
 	int		s_jquota_fmt;	/* Format of quota to use */
-	int		mb_optimize_scan;
 #ifdef CONFIG_EXT4_DEBUG
 	int s_fc_debug_max_replay;
 #endif
@@ -2451,12 +2451,17 @@ static int ext4_parse_param(struct fs_co
 			ctx_clear_mount_opt(ctx, m->mount_opt);
 		return 0;
 	case Opt_mb_optimize_scan:
-		if (result.int_32 != 0 && result.int_32 != 1) {
+		if (result.int_32 == 1) {
+			ctx_set_mount_opt2(ctx, EXT4_MOUNT2_MB_OPTIMIZE_SCAN);
+			ctx->spec |= EXT4_SPEC_mb_optimize_scan;
+		} else if (result.int_32 == 0) {
+			ctx_clear_mount_opt2(ctx, EXT4_MOUNT2_MB_OPTIMIZE_SCAN);
+			ctx->spec |= EXT4_SPEC_mb_optimize_scan;
+		} else {
 			ext4_msg(NULL, KERN_WARNING,
 				 "mb_optimize_scan should be set to 0 or 1.");
 			return -EINVAL;
 		}
-		ctx->mb_optimize_scan = result.int_32;
 		return 0;
 	}
 
@@ -4369,7 +4374,6 @@ static int __ext4_fill_super(struct fs_c
 
 	/* Set defaults for the variables that will be set during parsing */
 	ctx->journal_ioprio = DEFAULT_JOURNAL_IOPRIO;
-	ctx->mb_optimize_scan = DEFAULT_MB_OPTIMIZE_SCAN;
 
 	sbi->s_inode_readahead_blks = EXT4_DEF_INODE_READAHEAD_BLKS;
 	sbi->s_sectors_written_start =
@@ -5320,12 +5324,12 @@ no_journal:
 	 * turned off by passing "mb_optimize_scan=0". This can also be
 	 * turned on forcefully by passing "mb_optimize_scan=1".
 	 */
-	if (ctx->mb_optimize_scan == 1)
-		set_opt2(sb, MB_OPTIMIZE_SCAN);
-	else if (ctx->mb_optimize_scan == 0)
-		clear_opt2(sb, MB_OPTIMIZE_SCAN);
-	else if (sbi->s_groups_count >= MB_DEFAULT_LINEAR_SCAN_THRESHOLD)
-		set_opt2(sb, MB_OPTIMIZE_SCAN);
+	if (!(ctx->spec & EXT4_SPEC_mb_optimize_scan)) {
+		if (sbi->s_groups_count >= MB_DEFAULT_LINEAR_SCAN_THRESHOLD)
+			set_opt2(sb, MB_OPTIMIZE_SCAN);
+		else
+			clear_opt2(sb, MB_OPTIMIZE_SCAN);
+	}
 
 	err = ext4_mb_init(sb);
 	if (err) {



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0136/1126] ext4: make mb_optimize_scan performance mount option work with extents
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0135/1126] ext4: make mb_optimize_scan option work with set/unset mount cmd Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0137/1126] samples/landlock: Fix path_list memory leak Greg Kroah-Hartman
                   ` (853 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, Geetika Moolchandani,
	Nageswara R Sastry, Ritesh Harjani, Ojaswin Mujoo, Theodore Tso

From: Ojaswin Mujoo <ojaswin@linux.ibm.com>

commit 077d0c2c78df6f7260cdd015a991327efa44d8ad upstream.

Currently mb_optimize_scan scan feature which improves filesystem
performance heavily (when FS is fragmented), seems to be not working
with files with extents (ext4 by default has files with extents).

This patch fixes that and makes mb_optimize_scan feature work
for files with extents.

Below are some performance numbers obtained when allocating a 10M and 100M
file with and w/o this patch on a filesytem with no 1M contiguous block.

<perf numbers>
===============
Workload: dd if=/dev/urandom of=test conv=fsync bs=1M count=10/100

Time taken
=====================================================
no.     Size   without-patch     with-patch    Diff(%)
1       10M      0m8.401s         0m5.623s     33.06%
2       100M     1m40.465s        1m14.737s    25.6%

<debug stats>
=============
w/o patch:
  mballoc:
    reqs: 17056
    success: 11407
    groups_scanned: 13643
    cr0_stats:
            hits: 37
            groups_considered: 9472
            useless_loops: 36
            bad_suggestions: 0
    cr1_stats:
            hits: 11418
            groups_considered: 908560
            useless_loops: 1894
            bad_suggestions: 0
    cr2_stats:
            hits: 1873
            groups_considered: 6913
            useless_loops: 21
    cr3_stats:
            hits: 21
            groups_considered: 5040
            useless_loops: 21
    extents_scanned: 417364
            goal_hits: 3707
            2^n_hits: 37
            breaks: 1873
            lost: 0
    buddies_generated: 239/240
    buddies_time_used: 651080
    preallocated: 705
    discarded: 478

with patch:
  mballoc:
    reqs: 12768
    success: 11305
    groups_scanned: 12768
    cr0_stats:
            hits: 1
            groups_considered: 18
            useless_loops: 0
            bad_suggestions: 0
    cr1_stats:
            hits: 5829
            groups_considered: 50626
            useless_loops: 0
            bad_suggestions: 0
    cr2_stats:
            hits: 6938
            groups_considered: 580363
            useless_loops: 0
    cr3_stats:
            hits: 0
            groups_considered: 0
            useless_loops: 0
    extents_scanned: 309059
            goal_hits: 0
            2^n_hits: 1
            breaks: 1463
            lost: 0
    buddies_generated: 239/240
    buddies_time_used: 791392
    preallocated: 673
    discarded: 446

Fixes: 196e402 (ext4: improve cr 0 / cr 1 group scanning)
Cc: stable@kernel.org
Reported-by: Geetika Moolchandani <Geetika.Moolchandani1@ibm.com>
Reported-by: Nageswara R Sastry <rnsastry@linux.ibm.com>
Suggested-by: Ritesh Harjani <riteshh@linux.ibm.com>
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://lore.kernel.org/r/fc9a48f7f8dcfc83891a8b21f6dd8cdf056ed810.1646732698.git.ojaswin@linux.ibm.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/mballoc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1000,7 +1000,7 @@ static inline int should_optimize_scan(s
 		return 0;
 	if (ac->ac_criteria >= 2)
 		return 0;
-	if (ext4_test_inode_flag(ac->ac_inode, EXT4_INODE_EXTENTS))
+	if (!ext4_test_inode_flag(ac->ac_inode, EXT4_INODE_EXTENTS))
 		return 0;
 	return 1;
 }



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0137/1126] samples/landlock: Fix path_list memory leak
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0136/1126] ext4: make mb_optimize_scan performance mount option work with extents Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0138/1126] landlock: Use square brackets around "landlock-ruleset" Greg Kroah-Hartman
                   ` (852 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tom Rix, Mickaël Salaün

From: Tom Rix <trix@redhat.com>

commit 66b513b7c64a7290c1fbb88e657f7cece992e131 upstream.

Clang static analysis reports this error

sandboxer.c:134:8: warning: Potential leak of memory
  pointed to by 'path_list'
        ret = 0;
              ^
path_list is allocated in parse_path() but never freed.

Signed-off-by: Tom Rix <trix@redhat.com>
Link: https://lore.kernel.org/r/20210428213852.2874324-1-trix@redhat.com
Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 samples/landlock/sandboxer.c |    1 +
 1 file changed, 1 insertion(+)

--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -134,6 +134,7 @@ static int populate_ruleset(
 	ret = 0;
 
 out_free_name:
+	free(path_list);
 	free(env_path_name);
 	return ret;
 }



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0138/1126] landlock: Use square brackets around "landlock-ruleset"
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0137/1126] samples/landlock: Fix path_list memory leak Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0139/1126] mailbox: tegra-hsp: Flush whole channel Greg Kroah-Hartman
                   ` (851 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, linux-security-module,
	Christian Brauner, Mickaël Salaün

From: Christian Brauner <christian.brauner@ubuntu.com>

commit aea0b9f2486da8497f35c7114b764bf55e17c7ea upstream.

Make the name of the anon inode fd "[landlock-ruleset]" instead of
"landlock-ruleset". This is minor but most anon inode fds already
carry square brackets around their name:

    [eventfd]
    [eventpoll]
    [fanotify]
    [fscontext]
    [io_uring]
    [pidfd]
    [signalfd]
    [timerfd]
    [userfaultfd]

For the sake of consistency lets do the same for the landlock-ruleset anon
inode fd that comes with landlock. We did the same in
1cdc415f1083 ("uapi, fsopen: use square brackets around "fscontext" [ver #2]")
for the new mount api.

Cc: linux-security-module@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20211011133704.1704369-1-brauner@kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/landlock/syscalls.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -192,7 +192,7 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
 		return PTR_ERR(ruleset);
 
 	/* Creates anonymous FD referring to the ruleset. */
-	ruleset_fd = anon_inode_getfd("landlock-ruleset", &ruleset_fops,
+	ruleset_fd = anon_inode_getfd("[landlock-ruleset]", &ruleset_fops,
 			ruleset, O_RDWR | O_CLOEXEC);
 	if (ruleset_fd < 0)
 		landlock_put_ruleset(ruleset);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0139/1126] mailbox: tegra-hsp: Flush whole channel
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0138/1126] landlock: Use square brackets around "landlock-ruleset" Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0140/1126] btrfs: zoned: put block group after final usage Greg Kroah-Hartman
                   ` (850 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pekka Pessi, Jon Hunter,
	Thierry Reding, Jassi Brar

From: Pekka Pessi <ppessi@nvidia.com>

commit 60de2d2dc284e0dd1c2c897d08625bde24ef3454 upstream.

The txdone can re-fill the mailbox. Keep polling the mailbox during the
flush until all the messages have been delivered.

This fixes an issue with the Tegra Combined UART (TCU) where output can
get truncated under high traffic load.

Signed-off-by: Pekka Pessi <ppessi@nvidia.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Fixes: 91b1b1c3da8a ("mailbox: tegra-hsp: Add support for shared mailboxes")
Cc: stable@vger.kernel.org
Signed-off-by: Thierry Reding <treding@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mailbox/tegra-hsp.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/mailbox/tegra-hsp.c
+++ b/drivers/mailbox/tegra-hsp.c
@@ -412,6 +412,11 @@ static int tegra_hsp_mailbox_flush(struc
 		value = tegra_hsp_channel_readl(ch, HSP_SM_SHRD_MBOX);
 		if ((value & HSP_SM_SHRD_MBOX_FULL) == 0) {
 			mbox_chan_txdone(chan, 0);
+
+			/* Wait until channel is empty */
+			if (chan->active_req != NULL)
+				continue;
+
 			return 0;
 		}
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0140/1126] btrfs: zoned: put block group after final usage
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0139/1126] mailbox: tegra-hsp: Flush whole channel Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0141/1126] block: fix rq-qos breakage from skipping rq_qos_done_bio() Greg Kroah-Hartman
                   ` (849 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Thumshirn, Nikolay Borisov,
	David Sterba

From: Nikolay Borisov <nborisov@suse.com>

commit d3e29967079c522ce1c5cab0e9fab2c280b977eb upstream.

It's counter-intuitive (and wrong) to put the block group _before_ the
final usage in submit_eb_page. Fix it by re-ordering the call to
btrfs_put_block_group after its final reference. Also fix a minor typo
in 'implies'

Fixes: be1a1d7a5d24 ("btrfs: zoned: finish fully written block group")
CC: stable@vger.kernel.org # 5.16+
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/extent_io.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -4780,11 +4780,12 @@ static int submit_eb_page(struct page *p
 		return ret;
 	}
 	if (cache) {
-		/* Impiles write in zoned mode */
-		btrfs_put_block_group(cache);
-		/* Mark the last eb in a block group */
+		/*
+		 * Implies write in zoned mode. Mark the last eb in a block group.
+		 */
 		if (cache->seq_zone && eb->start + eb->len == cache->zone_capacity)
 			set_bit(EXTENT_BUFFER_ZONE_FINISH, &eb->bflags);
+		btrfs_put_block_group(cache);
 	}
 	ret = write_one_eb(eb, wbc, epd);
 	free_extent_buffer(eb);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0141/1126] block: fix rq-qos breakage from skipping rq_qos_done_bio()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0140/1126] btrfs: zoned: put block group after final usage Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0142/1126] block: limit request dispatch loop duration Greg Kroah-Hartman
                   ` (848 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tejun Heo, Ming Lei, Yu Kuai, Jens Axboe

From: Tejun Heo <tj@kernel.org>

commit aa1b46dcdc7baaf5fec0be25782ef24b26aa209e upstream.

a647a524a467 ("block: don't call rq_qos_ops->done_bio if the bio isn't
tracked") made bio_endio() skip rq_qos_done_bio() if BIO_TRACKED is not set.
While this fixed a potential oops, it also broke blk-iocost by skipping the
done_bio callback for merged bios.

Before, whether a bio goes through rq_qos_throttle() or rq_qos_merge(),
rq_qos_done_bio() would be called on the bio on completion with BIO_TRACKED
distinguishing the former from the latter. rq_qos_done_bio() is not called
for bios which wenth through rq_qos_merge(). This royally confuses
blk-iocost as the merged bios never finish and are considered perpetually
in-flight.

One reliably reproducible failure mode is an intermediate cgroup geting
stuck active preventing its children from being activated due to the
leaf-only rule, leading to loss of control. The following is from
resctl-bench protection scenario which emulates isolating a web server like
workload from a memory bomb run on an iocost configuration which should
yield a reasonable level of protection.

  # cat /sys/block/nvme2n1/device/model
  Samsung SSD 970 PRO 512GB
  # cat /sys/fs/cgroup/io.cost.model
  259:0 ctrl=user model=linear rbps=834913556 rseqiops=93622 rrandiops=102913 wbps=618985353 wseqiops=72325 wrandiops=71025
  # cat /sys/fs/cgroup/io.cost.qos
  259:0 enable=1 ctrl=user rpct=95.00 rlat=18776 wpct=95.00 wlat=8897 min=60.00 max=100.00
  # resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1
  ...
  Memory Hog Summary
  ==================

  IO Latency: R p50=242u:336u/2.5m p90=794u:1.4m/7.5m p99=2.7m:8.0m/62.5m max=8.0m:36.4m/350m
              W p50=221u:323u/1.5m p90=709u:1.2m/5.5m p99=1.5m:2.5m/9.5m max=6.9m:35.9m/350m

  Isolation and Request Latency Impact Distributions:

                min   p01   p05   p10   p25   p50   p75   p90   p95   p99   max  mean stdev
  isol%       15.90 15.90 15.90 40.05 57.24 59.07 60.01 74.63 74.63 90.35 90.35 58.12 15.82
  lat-imp%        0     0     0     0     0  4.55 14.68 15.54 233.5 548.1 548.1 53.88 143.6

  Result: isol=58.12:15.82% lat_imp=53.88%:143.6 work_csv=100.0% missing=3.96%

The isolation result of 58.12% is close to what this device would show
without any IO control.

Fix it by introducing a new flag BIO_QOS_MERGED to mark merged bios and
calling rq_qos_done_bio() on them too. For consistency and clarity, rename
BIO_TRACKED to BIO_QOS_THROTTLED. The flag checks are moved into
rq_qos_done_bio() so that it's next to the code paths that set the flags.

With the patch applied, the above same benchmark shows:

  # resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1
  ...
  Memory Hog Summary
  ==================

  IO Latency: R p50=123u:84.4u/985u p90=322u:256u/2.5m p99=1.6m:1.4m/9.5m max=11.1m:36.0m/350m
              W p50=429u:274u/995u p90=1.7m:1.3m/4.5m p99=3.4m:2.7m/11.5m max=7.9m:5.9m/26.5m

  Isolation and Request Latency Impact Distributions:

                min   p01   p05   p10   p25   p50   p75   p90   p95   p99   max  mean stdev
  isol%       84.91 84.91 89.51 90.73 92.31 94.49 96.36 98.04 98.71 100.0 100.0 94.42  2.81
  lat-imp%        0     0     0     0     0  2.81  5.73 11.11 13.92 17.53 22.61  4.10  4.68

  Result: isol=94.42:2.81% lat_imp=4.10%:4.68 work_csv=58.34% missing=0%

Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: a647a524a467 ("block: don't call rq_qos_ops->done_bio if the bio isn't tracked")
Cc: stable@vger.kernel.org # v5.15+
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/Yi7rdrzQEHjJLGKB@slm.duckdns.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/bio.c               |    3 +--
 block/blk-iolatency.c     |    2 +-
 block/blk-rq-qos.h        |   20 +++++++++++---------
 include/linux/blk_types.h |    3 ++-
 4 files changed, 15 insertions(+), 13 deletions(-)

--- a/block/bio.c
+++ b/block/bio.c
@@ -1486,8 +1486,7 @@ again:
 	if (!bio_integrity_endio(bio))
 		return;
 
-	if (bio->bi_bdev && bio_flagged(bio, BIO_TRACKED))
-		rq_qos_done_bio(bdev_get_queue(bio->bi_bdev), bio);
+	rq_qos_done_bio(bio);
 
 	if (bio->bi_bdev && bio_flagged(bio, BIO_TRACE_COMPLETION)) {
 		trace_block_bio_complete(bdev_get_queue(bio->bi_bdev), bio);
--- a/block/blk-iolatency.c
+++ b/block/blk-iolatency.c
@@ -598,7 +598,7 @@ static void blkcg_iolatency_done_bio(str
 	int inflight = 0;
 
 	blkg = bio->bi_blkg;
-	if (!blkg || !bio_flagged(bio, BIO_TRACKED))
+	if (!blkg || !bio_flagged(bio, BIO_QOS_THROTTLED))
 		return;
 
 	iolat = blkg_to_lat(bio->bi_blkg);
--- a/block/blk-rq-qos.h
+++ b/block/blk-rq-qos.h
@@ -177,20 +177,20 @@ static inline void rq_qos_requeue(struct
 		__rq_qos_requeue(q->rq_qos, rq);
 }
 
-static inline void rq_qos_done_bio(struct request_queue *q, struct bio *bio)
+static inline void rq_qos_done_bio(struct bio *bio)
 {
-	if (q->rq_qos)
-		__rq_qos_done_bio(q->rq_qos, bio);
+	if (bio->bi_bdev && (bio_flagged(bio, BIO_QOS_THROTTLED) ||
+			     bio_flagged(bio, BIO_QOS_MERGED))) {
+		struct request_queue *q = bdev_get_queue(bio->bi_bdev);
+		if (q->rq_qos)
+			__rq_qos_done_bio(q->rq_qos, bio);
+	}
 }
 
 static inline void rq_qos_throttle(struct request_queue *q, struct bio *bio)
 {
-	/*
-	 * BIO_TRACKED lets controllers know that a bio went through the
-	 * normal rq_qos path.
-	 */
 	if (q->rq_qos) {
-		bio_set_flag(bio, BIO_TRACKED);
+		bio_set_flag(bio, BIO_QOS_THROTTLED);
 		__rq_qos_throttle(q->rq_qos, bio);
 	}
 }
@@ -205,8 +205,10 @@ static inline void rq_qos_track(struct r
 static inline void rq_qos_merge(struct request_queue *q, struct request *rq,
 				struct bio *bio)
 {
-	if (q->rq_qos)
+	if (q->rq_qos) {
+		bio_set_flag(bio, BIO_QOS_MERGED);
 		__rq_qos_merge(q->rq_qos, rq, bio);
+	}
 }
 
 static inline void rq_qos_queue_depth_changed(struct request_queue *q)
--- a/include/linux/blk_types.h
+++ b/include/linux/blk_types.h
@@ -317,7 +317,8 @@ enum {
 	BIO_TRACE_COMPLETION,	/* bio_endio() should trace the final completion
 				 * of this bio. */
 	BIO_CGROUP_ACCT,	/* has been accounted to a cgroup */
-	BIO_TRACKED,		/* set if bio goes through the rq_qos path */
+	BIO_QOS_THROTTLED,	/* bio went through rq_qos throttle path */
+	BIO_QOS_MERGED,		/* but went through rq_qos merge path */
 	BIO_REMAPPED,
 	BIO_ZONE_WRITE_LOCKED,	/* Owns a zoned device zone write lock */
 	BIO_PERCPU_CACHE,	/* can participate in per-cpu alloc cache */



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0142/1126] block: limit request dispatch loop duration
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0141/1126] block: fix rq-qos breakage from skipping rq_qos_done_bio() Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0143/1126] block: dont merge across cgroup boundaries if blkcg is enabled Greg Kroah-Hartman
                   ` (847 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Shinichiro Kawasaki, Jens Axboe

From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>

commit 572299f03afd676dd4e20669cdaf5ed0fe1379d4 upstream.

When IO requests are made continuously and the target block device
handles requests faster than request arrival, the request dispatch loop
keeps on repeating to dispatch the arriving requests very long time,
more than a minute. Since the loop runs as a workqueue worker task, the
very long loop duration triggers workqueue watchdog timeout and BUG [1].

To avoid the very long loop duration, break the loop periodically. When
opportunity to dispatch requests still exists, check need_resched(). If
need_resched() returns true, the dispatch loop already consumed its time
slice, then reschedule the dispatch work and break the loop. With heavy
IO load, need_resched() does not return true for 20~30 seconds. To cover
such case, check time spent in the dispatch loop with jiffies. If more
than 1 second is spent, reschedule the dispatch work and break the loop.

[1]

[  609.691437] BUG: workqueue lockup - pool cpus=10 node=1 flags=0x0 nice=-20 stuck for 35s!
[  609.701820] Showing busy workqueues and worker pools:
[  609.707915] workqueue events: flags=0x0
[  609.712615]   pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 refcnt=2
[  609.712626]     pending: drm_fb_helper_damage_work [drm_kms_helper]
[  609.712687] workqueue events_freezable: flags=0x4
[  609.732943]   pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 refcnt=2
[  609.732952]     pending: pci_pme_list_scan
[  609.732968] workqueue events_power_efficient: flags=0x80
[  609.751947]   pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 refcnt=2
[  609.751955]     pending: neigh_managed_work
[  609.752018] workqueue kblockd: flags=0x18
[  609.769480]   pwq 21: cpus=10 node=1 flags=0x0 nice=-20 active=3/256 refcnt=4
[  609.769488]     in-flight: 1020:blk_mq_run_work_fn
[  609.769498]     pending: blk_mq_timeout_work, blk_mq_run_work_fn
[  609.769744] pool 21: cpus=10 node=1 flags=0x0 nice=-20 hung=35s workers=2 idle: 67
[  639.899730] BUG: workqueue lockup - pool cpus=10 node=1 flags=0x0 nice=-20 stuck for 66s!
[  639.909513] Showing busy workqueues and worker pools:
[  639.915404] workqueue events: flags=0x0
[  639.920197]   pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 refcnt=2
[  639.920215]     pending: drm_fb_helper_damage_work [drm_kms_helper]
[  639.920365] workqueue kblockd: flags=0x18
[  639.939932]   pwq 21: cpus=10 node=1 flags=0x0 nice=-20 active=3/256 refcnt=4
[  639.939942]     in-flight: 1020:blk_mq_run_work_fn
[  639.939955]     pending: blk_mq_timeout_work, blk_mq_run_work_fn
[  639.940212] pool 21: cpus=10 node=1 flags=0x0 nice=-20 hung=66s workers=2 idle: 67

Fixes: 6e6fcbc27e778 ("blk-mq: support batching dispatch in case of io")
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Cc: stable@vger.kernel.org # v5.10+
Link: https://lore.kernel.org/linux-block/20220310091649.zypaem5lkyfadymg@shindev/
Link: https://lore.kernel.org/r/20220318022641.133484-1-shinichiro.kawasaki@wdc.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-mq-sched.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/block/blk-mq-sched.c
+++ b/block/blk-mq-sched.c
@@ -180,11 +180,18 @@ static int __blk_mq_do_dispatch_sched(st
 
 static int blk_mq_do_dispatch_sched(struct blk_mq_hw_ctx *hctx)
 {
+	unsigned long end = jiffies + HZ;
 	int ret;
 
 	do {
 		ret = __blk_mq_do_dispatch_sched(hctx);
-	} while (ret == 1);
+		if (ret != 1)
+			break;
+		if (need_resched() || time_is_before_jiffies(end)) {
+			blk_mq_delay_run_hw_queue(hctx, 0);
+			break;
+		}
+	} while (1);
 
 	return ret;
 }



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0143/1126] block: dont merge across cgroup boundaries if blkcg is enabled
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0142/1126] block: limit request dispatch loop duration Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14   ` Greg Kroah-Hartman
                   ` (846 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tejun Heo, Josef Bacik, Jens Axboe

From: Tejun Heo <tj@kernel.org>

commit 6b2b04590b51aa4cf395fcd185ce439cab5961dc upstream.

blk-iocost and iolatency are cgroup aware rq-qos policies but they didn't
disable merges across different cgroups. This obviously can lead to
accounting and control errors but more importantly to priority inversions -
e.g. an IO which belongs to a higher priority cgroup or IO class may end up
getting throttled incorrectly because it gets merged to an IO issued from a
low priority cgroup.

Fix it by adding blk_cgroup_mergeable() which is called from merge paths and
rejects cross-cgroup and cross-issue_as_root merges.

Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: d70675121546 ("block: introduce blk-iolatency io controller")
Cc: stable@vger.kernel.org # v4.19+
Cc: Josef Bacik <jbacik@fb.com>
Link: https://lore.kernel.org/r/Yi/eE/6zFNyWJ+qd@slm.duckdns.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-merge.c          |   11 +++++++++++
 include/linux/blk-cgroup.h |   17 +++++++++++++++++
 2 files changed, 28 insertions(+)

--- a/block/blk-merge.c
+++ b/block/blk-merge.c
@@ -9,6 +9,7 @@
 #include <linux/blk-integrity.h>
 #include <linux/scatterlist.h>
 #include <linux/part_stat.h>
+#include <linux/blk-cgroup.h>
 
 #include <trace/events/block.h>
 
@@ -600,6 +601,9 @@ static inline unsigned int blk_rq_get_ma
 static inline int ll_new_hw_segment(struct request *req, struct bio *bio,
 		unsigned int nr_phys_segs)
 {
+	if (!blk_cgroup_mergeable(req, bio))
+		goto no_merge;
+
 	if (blk_integrity_merge_bio(req->q, req, bio) == false)
 		goto no_merge;
 
@@ -696,6 +700,9 @@ static int ll_merge_requests_fn(struct r
 	if (total_phys_segments > blk_rq_get_max_segments(req))
 		return 0;
 
+	if (!blk_cgroup_mergeable(req, next->bio))
+		return 0;
+
 	if (blk_integrity_merge_rq(q, req, next) == false)
 		return 0;
 
@@ -904,6 +911,10 @@ bool blk_rq_merge_ok(struct request *rq,
 	if (bio_data_dir(bio) != rq_data_dir(rq))
 		return false;
 
+	/* don't merge across cgroup boundaries */
+	if (!blk_cgroup_mergeable(rq, bio))
+		return false;
+
 	/* only merge integrity protected bio into ditto rq */
 	if (blk_integrity_merge_bio(rq->q, rq, bio) == false)
 		return false;
--- a/include/linux/blk-cgroup.h
+++ b/include/linux/blk-cgroup.h
@@ -24,6 +24,7 @@
 #include <linux/atomic.h>
 #include <linux/kthread.h>
 #include <linux/fs.h>
+#include <linux/blk-mq.h>
 
 /* percpu_counter batch for blkg_[rw]stats, per-cpu drift doesn't matter */
 #define BLKG_STAT_CPU_BATCH	(INT_MAX / 2)
@@ -604,6 +605,21 @@ static inline void blkcg_clear_delay(str
 		atomic_dec(&blkg->blkcg->css.cgroup->congestion_count);
 }
 
+/**
+ * blk_cgroup_mergeable - Determine whether to allow or disallow merges
+ * @rq: request to merge into
+ * @bio: bio to merge
+ *
+ * @bio and @rq should belong to the same cgroup and their issue_as_root should
+ * match. The latter is necessary as we don't want to throttle e.g. a metadata
+ * update because it happens to be next to a regular IO.
+ */
+static inline bool blk_cgroup_mergeable(struct request *rq, struct bio *bio)
+{
+	return rq->bio->bi_blkg == bio->bi_blkg &&
+		bio_issue_as_root_blkg(rq->bio) == bio_issue_as_root_blkg(bio);
+}
+
 void blk_cgroup_bio_start(struct bio *bio);
 void blkcg_add_delay(struct blkcg_gq *blkg, u64 now, u64 delta);
 void blkcg_schedule_throttle(struct request_queue *q, bool use_memdelay);
@@ -659,6 +675,7 @@ static inline void blkg_put(struct blkcg
 static inline bool blkcg_punt_bio_submit(struct bio *bio) { return false; }
 static inline void blkcg_bio_issue_init(struct bio *bio) { }
 static inline void blk_cgroup_bio_start(struct bio *bio) { }
+static inline bool blk_cgroup_mergeable(struct request *rq, struct bio *bio) { return true; }
 
 #define blk_queue_for_each_rl(rl, q)	\
 	for ((rl) = &(q)->root_rl; (rl); (rl) = NULL)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [Intel-gfx] [PATCH 5.17 0144/1126] drm/edid: check basic audio support on CEA extension block
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
@ 2022-04-05  7:14   ` Greg Kroah-Hartman
  2022-04-05  7:12 ` [PATCH 5.17 0002/1126] USB: serial: pl2303: add IBM device IDs Greg Kroah-Hartman
                     ` (988 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Cooper Chiou, Jani Nikula, Greg Kroah-Hartman, intel-gfx, stable

From: Cooper Chiou <cooper.chiou@intel.com>

commit 5662abf6e21338be6d085d6375d3732ac6147fd2 upstream.

Tag code stored in bit7:5 for CTA block byte[3] is not the same as
CEA extension block definition. Only check CEA block has
basic audio support.

v3: update commit message.

Cc: stable@vger.kernel.org
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Shawn C Lee <shawn.c.lee@intel.com>
Cc: intel-gfx <intel-gfx@lists.freedesktop.org>
Signed-off-by: Cooper Chiou <cooper.chiou@intel.com>
Signed-off-by: Lee Shawn C <shawn.c.lee@intel.com>
Fixes: e28ad544f462 ("drm/edid: parse CEA blocks embedded in DisplayID")
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220324061218.32739-1-shawn.c.lee@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/drm_edid.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -4848,7 +4848,8 @@ bool drm_detect_monitor_audio(struct edi
 	if (!edid_ext)
 		goto end;
 
-	has_audio = ((edid_ext[3] & EDID_BASIC_AUDIO) != 0);
+	has_audio = (edid_ext[0] == CEA_EXT &&
+		    (edid_ext[3] & EDID_BASIC_AUDIO) != 0);
 
 	if (has_audio) {
 		DRM_DEBUG_KMS("Monitor has basic audio support\n");



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0144/1126] drm/edid: check basic audio support on CEA extension block
@ 2022-04-05  7:14   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jani Nikula, Shawn C Lee, intel-gfx,
	Cooper Chiou

From: Cooper Chiou <cooper.chiou@intel.com>

commit 5662abf6e21338be6d085d6375d3732ac6147fd2 upstream.

Tag code stored in bit7:5 for CTA block byte[3] is not the same as
CEA extension block definition. Only check CEA block has
basic audio support.

v3: update commit message.

Cc: stable@vger.kernel.org
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Shawn C Lee <shawn.c.lee@intel.com>
Cc: intel-gfx <intel-gfx@lists.freedesktop.org>
Signed-off-by: Cooper Chiou <cooper.chiou@intel.com>
Signed-off-by: Lee Shawn C <shawn.c.lee@intel.com>
Fixes: e28ad544f462 ("drm/edid: parse CEA blocks embedded in DisplayID")
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220324061218.32739-1-shawn.c.lee@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/drm_edid.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -4848,7 +4848,8 @@ bool drm_detect_monitor_audio(struct edi
 	if (!edid_ext)
 		goto end;
 
-	has_audio = ((edid_ext[3] & EDID_BASIC_AUDIO) != 0);
+	has_audio = (edid_ext[0] == CEA_EXT &&
+		    (edid_ext[3] & EDID_BASIC_AUDIO) != 0);
 
 	if (has_audio) {
 		DRM_DEBUG_KMS("Monitor has basic audio support\n");



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0145/1126] fbdev: Hot-unplug firmware fb devices on forced removal
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2022-04-05  7:14   ` Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0146/1126] video: fbdev: sm712fb: Fix crash in smtcfb_read() Greg Kroah-Hartman
                   ` (844 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Zimmermann, Zack Rusin,
	Javier Martinez Canillas, Hans de Goede

From: Thomas Zimmermann <tzimmermann@suse.de>

commit 27599aacbaefcbf2af7b06b0029459bbf682000d upstream.

Hot-unplug all firmware-framebuffer devices as part of removing
them via remove_conflicting_framebuffers() et al. Releases all
memory regions to be acquired by native drivers.

Firmware, such as EFI, install a framebuffer while posting the
computer. After removing the firmware-framebuffer device from fbdev,
a native driver takes over the hardware and the firmware framebuffer
becomes invalid.

Firmware-framebuffer drivers, specifically simplefb, don't release
their device from Linux' device hierarchy. It still owns the firmware
framebuffer and blocks the native drivers from loading. This has been
observed in the vmwgfx driver. [1]

Initiating a device removal (i.e., hot unplug) as part of
remove_conflicting_framebuffers() removes the underlying device and
returns the memory range to the system.

[1] https://lore.kernel.org/dri-devel/20220117180359.18114-1-zack@kde.org/

v2:
	* rename variable 'dev' to 'device' (Javier)

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Reported-by: Zack Rusin <zackr@vmware.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Zack Rusin <zackr@vmware.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
CC: stable@vger.kernel.org # v5.11+
Link: https://patchwork.freedesktop.org/patch/msgid/20220125091222.21457-2-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/core/fbmem.c |   29 ++++++++++++++++++++++++++---
 include/linux/fb.h               |    1 +
 2 files changed, 27 insertions(+), 3 deletions(-)

--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -25,6 +25,7 @@
 #include <linux/init.h>
 #include <linux/linux_logo.h>
 #include <linux/proc_fs.h>
+#include <linux/platform_device.h>
 #include <linux/seq_file.h>
 #include <linux/console.h>
 #include <linux/kmod.h>
@@ -1559,18 +1560,36 @@ static void do_remove_conflicting_frameb
 	/* check all firmware fbs and kick off if the base addr overlaps */
 	for_each_registered_fb(i) {
 		struct apertures_struct *gen_aper;
+		struct device *device;
 
 		if (!(registered_fb[i]->flags & FBINFO_MISC_FIRMWARE))
 			continue;
 
 		gen_aper = registered_fb[i]->apertures;
+		device = registered_fb[i]->device;
 		if (fb_do_apertures_overlap(gen_aper, a) ||
 			(primary && gen_aper && gen_aper->count &&
 			 gen_aper->ranges[0].base == VGA_FB_PHYS)) {
 
 			printk(KERN_INFO "fb%d: switching to %s from %s\n",
 			       i, name, registered_fb[i]->fix.id);
-			do_unregister_framebuffer(registered_fb[i]);
+
+			/*
+			 * If we kick-out a firmware driver, we also want to remove
+			 * the underlying platform device, such as simple-framebuffer,
+			 * VESA, EFI, etc. A native driver will then be able to
+			 * allocate the memory range.
+			 *
+			 * If it's not a platform device, at least print a warning. A
+			 * fix would add code to remove the device from the system.
+			 */
+			if (dev_is_platform(device)) {
+				registered_fb[i]->forced_out = true;
+				platform_device_unregister(to_platform_device(device));
+			} else {
+				pr_warn("fb%d: cannot remove device\n", i);
+				do_unregister_framebuffer(registered_fb[i]);
+			}
 		}
 	}
 }
@@ -1900,9 +1919,13 @@ EXPORT_SYMBOL(register_framebuffer);
 void
 unregister_framebuffer(struct fb_info *fb_info)
 {
-	mutex_lock(&registration_lock);
+	bool forced_out = fb_info->forced_out;
+
+	if (!forced_out)
+		mutex_lock(&registration_lock);
 	do_unregister_framebuffer(fb_info);
-	mutex_unlock(&registration_lock);
+	if (!forced_out)
+		mutex_unlock(&registration_lock);
 }
 EXPORT_SYMBOL(unregister_framebuffer);
 
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -502,6 +502,7 @@ struct fb_info {
 	} *apertures;
 
 	bool skip_vt_switch; /* no VT switch on suspend/resume required */
+	bool forced_out; /* set when being removed by another driver */
 };
 
 static inline struct apertures_struct *alloc_apertures(unsigned int max_num) {



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0146/1126] video: fbdev: sm712fb: Fix crash in smtcfb_read()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0145/1126] fbdev: Hot-unplug firmware fb devices on forced removal Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0147/1126] video: fbdev: atari: Atari 2 bpp (STe) palette bugfix Greg Kroah-Hartman
                   ` (843 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zheyu Ma, Helge Deller

From: Helge Deller <deller@gmx.de>

commit bd771cf5c4254511cc4abb88f3dab3bd58bdf8e8 upstream.

Zheyu Ma reported this crash in the sm712fb driver when reading
three bytes from the framebuffer:

 BUG: unable to handle page fault for address: ffffc90001ffffff
 RIP: 0010:smtcfb_read+0x230/0x3e0
 Call Trace:
  vfs_read+0x198/0xa00
  ? do_sys_openat2+0x27d/0x350
  ? __fget_light+0x54/0x340
  ksys_read+0xce/0x190
  do_syscall_64+0x43/0x90

Fix it by removing the open-coded endianess fixup-code and
by moving the pointer post decrement out the fb_readl() function.

Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Tested-by: Zheyu Ma <zheyuma97@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/sm712fb.c |   25 +++++++------------------
 1 file changed, 7 insertions(+), 18 deletions(-)

--- a/drivers/video/fbdev/sm712fb.c
+++ b/drivers/video/fbdev/sm712fb.c
@@ -1047,7 +1047,7 @@ static ssize_t smtcfb_read(struct fb_inf
 	if (count + p > total_size)
 		count = total_size - p;
 
-	buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, GFP_KERNEL);
+	buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!buffer)
 		return -ENOMEM;
 
@@ -1059,25 +1059,14 @@ static ssize_t smtcfb_read(struct fb_inf
 	while (count) {
 		c = (count > PAGE_SIZE) ? PAGE_SIZE : count;
 		dst = buffer;
-		for (i = c >> 2; i--;) {
-			*dst = fb_readl(src++);
-			*dst = big_swap(*dst);
+		for (i = (c + 3) >> 2; i--;) {
+			u32 val;
+
+			val = fb_readl(src);
+			*dst = big_swap(val);
+			src++;
 			dst++;
 		}
-		if (c & 3) {
-			u8 *dst8 = (u8 *)dst;
-			u8 __iomem *src8 = (u8 __iomem *)src;
-
-			for (i = c & 3; i--;) {
-				if (i & 1) {
-					*dst8++ = fb_readb(++src8);
-				} else {
-					*dst8++ = fb_readb(--src8);
-					src8 += 2;
-				}
-			}
-			src = (u32 __iomem *)src8;
-		}
 
 		if (copy_to_user(buf, buffer, c)) {
 			err = -EFAULT;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0147/1126] video: fbdev: atari: Atari 2 bpp (STe) palette bugfix
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0146/1126] video: fbdev: sm712fb: Fix crash in smtcfb_read() Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0148/1126] rfkill: make new event layout opt-in Greg Kroah-Hartman
                   ` (842 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Michael Schmitz,
	Helge Deller

From: Michael Schmitz <schmitzmic@gmail.com>

commit c8be5edbd36ceed2ff3d6b8f8e40643c3f396ea3 upstream.

The code to set the shifter STe palette registers has a long
standing operator precedence bug, manifesting as colors set
on a 2 bits per pixel frame buffer coming up with a distinctive
blue tint.

Add parentheses around the calculation of the per-color palette
data before shifting those into their respective bit field position.

This bug goes back a long way (2.4 days at the very least) so there
won't be a Fixes: tag.

Tested on ARAnyM as well on Falcon030 hardware.

Cc: stable@vger.kernel.org
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://lore.kernel.org/all/CAMuHMdU3ievhXxKR_xi_v3aumnYW7UNUO6qMdhgfyWTyVSsCkQ@mail.gmail.com
Tested-by: Michael Schmitz <schmitzmic@gmail.com>
Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/atafb.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/video/fbdev/atafb.c
+++ b/drivers/video/fbdev/atafb.c
@@ -1683,9 +1683,9 @@ static int falcon_setcolreg(unsigned int
 			   ((blue & 0xfc00) >> 8));
 	if (regno < 16) {
 		shifter_tt.color_reg[regno] =
-			(((red & 0xe000) >> 13) | ((red & 0x1000) >> 12) << 8) |
-			(((green & 0xe000) >> 13) | ((green & 0x1000) >> 12) << 4) |
-			((blue & 0xe000) >> 13) | ((blue & 0x1000) >> 12);
+			((((red & 0xe000) >> 13)   | ((red & 0x1000) >> 12)) << 8)   |
+			((((green & 0xe000) >> 13) | ((green & 0x1000) >> 12)) << 4) |
+			   ((blue & 0xe000) >> 13) | ((blue & 0x1000) >> 12);
 		((u32 *)info->pseudo_palette)[regno] = ((red & 0xf800) |
 						       ((green & 0xfc00) >> 5) |
 						       ((blue & 0xf800) >> 11));
@@ -1971,9 +1971,9 @@ static int stste_setcolreg(unsigned int
 	green >>= 12;
 	if (ATARIHW_PRESENT(EXTD_SHIFTER))
 		shifter_tt.color_reg[regno] =
-			(((red & 0xe) >> 1) | ((red & 1) << 3) << 8) |
-			(((green & 0xe) >> 1) | ((green & 1) << 3) << 4) |
-			((blue & 0xe) >> 1) | ((blue & 1) << 3);
+			((((red & 0xe)   >> 1) | ((red & 1)   << 3)) << 8) |
+			((((green & 0xe) >> 1) | ((green & 1) << 3)) << 4) |
+			  ((blue & 0xe)  >> 1) | ((blue & 1)  << 3);
 	else
 		shifter_tt.color_reg[regno] =
 			((red & 0xe) << 7) |



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0148/1126] rfkill: make new event layout opt-in
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0147/1126] video: fbdev: atari: Atari 2 bpp (STe) palette bugfix Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0149/1126] ARM: dts: at91: sama7g5: Remove unused properties in i2c nodes Greg Kroah-Hartman
                   ` (841 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johannes Berg, Kalle Valo

From: Johannes Berg <johannes.berg@intel.com>

commit 54f586a9153201c6cff55e1f561990c78bd99aa7 upstream.

Again new complaints surfaced that we had broken the ABI here,
although previously all the userspace tools had agreed that it
was their mistake and fixed it. Yet now there are cases (e.g.
RHEL) that want to run old userspace with newer kernels, and
thus are broken.

Since this is a bit of a whack-a-mole thing, change the whole
extensibility scheme of rfkill to no longer just rely on the
message lengths, but instead require userspace to opt in via a
new ioctl to a given maximum event size that it is willing to
understand.

By default, set that to RFKILL_EVENT_SIZE_V1 (8), so that the
behaviour for userspace not calling the ioctl will look as if
it's just running on an older kernel.

Fixes: 14486c82612a ("rfkill: add a reason to the HW rfkill state")
Cc: stable@vger.kernel.org # 5.11+
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220316212749.16491491b270.Ifcb1950998330a596f29a2a162e00b7546a1d6d0@changeid
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/uapi/linux/rfkill.h |   14 +++++++++++-
 net/rfkill/core.c           |   48 +++++++++++++++++++++++++++++++-------------
 2 files changed, 46 insertions(+), 16 deletions(-)

--- a/include/uapi/linux/rfkill.h
+++ b/include/uapi/linux/rfkill.h
@@ -159,8 +159,16 @@ struct rfkill_event_ext {
  * old behaviour for all userspace, unless it explicitly opts in to the
  * rules outlined here by using the new &struct rfkill_event_ext.
  *
- * Userspace using &struct rfkill_event_ext must adhere to the following
- * rules
+ * Additionally, some other userspace (bluez, g-s-d) was reading with a
+ * large size but as streaming reads rather than message-based, or with
+ * too strict checks for the returned size. So eventually, we completely
+ * reverted this, and extended messages need to be opted in to by using
+ * an ioctl:
+ *
+ *  ioctl(fd, RFKILL_IOCTL_MAX_SIZE, sizeof(struct rfkill_event_ext));
+ *
+ * Userspace using &struct rfkill_event_ext and the ioctl must adhere to
+ * the following rules:
  *
  * 1. accept short writes, optionally using them to detect that it's
  *    running on an older kernel;
@@ -175,6 +183,8 @@ struct rfkill_event_ext {
 #define RFKILL_IOC_MAGIC	'R'
 #define RFKILL_IOC_NOINPUT	1
 #define RFKILL_IOCTL_NOINPUT	_IO(RFKILL_IOC_MAGIC, RFKILL_IOC_NOINPUT)
+#define RFKILL_IOC_MAX_SIZE	2
+#define RFKILL_IOCTL_MAX_SIZE	_IOW(RFKILL_IOC_MAGIC, RFKILL_IOC_EXT_SIZE, __u32)
 
 /* and that's all userspace gets */
 
--- a/net/rfkill/core.c
+++ b/net/rfkill/core.c
@@ -78,6 +78,7 @@ struct rfkill_data {
 	struct mutex		mtx;
 	wait_queue_head_t	read_wait;
 	bool			input_handler;
+	u8			max_size;
 };
 
 
@@ -1153,6 +1154,8 @@ static int rfkill_fop_open(struct inode
 	if (!data)
 		return -ENOMEM;
 
+	data->max_size = RFKILL_EVENT_SIZE_V1;
+
 	INIT_LIST_HEAD(&data->events);
 	mutex_init(&data->mtx);
 	init_waitqueue_head(&data->read_wait);
@@ -1235,6 +1238,7 @@ static ssize_t rfkill_fop_read(struct fi
 				list);
 
 	sz = min_t(unsigned long, sizeof(ev->ev), count);
+	sz = min_t(unsigned long, sz, data->max_size);
 	ret = sz;
 	if (copy_to_user(buf, &ev->ev, sz))
 		ret = -EFAULT;
@@ -1249,6 +1253,7 @@ static ssize_t rfkill_fop_read(struct fi
 static ssize_t rfkill_fop_write(struct file *file, const char __user *buf,
 				size_t count, loff_t *pos)
 {
+	struct rfkill_data *data = file->private_data;
 	struct rfkill *rfkill;
 	struct rfkill_event_ext ev;
 	int ret;
@@ -1263,6 +1268,7 @@ static ssize_t rfkill_fop_write(struct f
 	 * our API version even in a write() call, if it cares.
 	 */
 	count = min(count, sizeof(ev));
+	count = min_t(size_t, count, data->max_size);
 	if (copy_from_user(&ev, buf, count))
 		return -EFAULT;
 
@@ -1322,31 +1328,47 @@ static int rfkill_fop_release(struct ino
 	return 0;
 }
 
-#ifdef CONFIG_RFKILL_INPUT
 static long rfkill_fop_ioctl(struct file *file, unsigned int cmd,
 			     unsigned long arg)
 {
 	struct rfkill_data *data = file->private_data;
+	int ret = -ENOSYS;
+	u32 size;
 
 	if (_IOC_TYPE(cmd) != RFKILL_IOC_MAGIC)
 		return -ENOSYS;
 
-	if (_IOC_NR(cmd) != RFKILL_IOC_NOINPUT)
-		return -ENOSYS;
-
 	mutex_lock(&data->mtx);
-
-	if (!data->input_handler) {
-		if (atomic_inc_return(&rfkill_input_disabled) == 1)
-			printk(KERN_DEBUG "rfkill: input handler disabled\n");
-		data->input_handler = true;
+	switch (_IOC_NR(cmd)) {
+#ifdef CONFIG_RFKILL_INPUT
+	case RFKILL_IOC_NOINPUT:
+		if (!data->input_handler) {
+			if (atomic_inc_return(&rfkill_input_disabled) == 1)
+				printk(KERN_DEBUG "rfkill: input handler disabled\n");
+			data->input_handler = true;
+		}
+		ret = 0;
+		break;
+#endif
+	case RFKILL_IOC_MAX_SIZE:
+		if (get_user(size, (__u32 __user *)arg)) {
+			ret = -EFAULT;
+			break;
+		}
+		if (size < RFKILL_EVENT_SIZE_V1 || size > U8_MAX) {
+			ret = -EINVAL;
+			break;
+		}
+		data->max_size = size;
+		ret = 0;
+		break;
+	default:
+		break;
 	}
-
 	mutex_unlock(&data->mtx);
 
-	return 0;
+	return ret;
 }
-#endif
 
 static const struct file_operations rfkill_fops = {
 	.owner		= THIS_MODULE,
@@ -1355,10 +1377,8 @@ static const struct file_operations rfki
 	.write		= rfkill_fop_write,
 	.poll		= rfkill_fop_poll,
 	.release	= rfkill_fop_release,
-#ifdef CONFIG_RFKILL_INPUT
 	.unlocked_ioctl	= rfkill_fop_ioctl,
 	.compat_ioctl	= compat_ptr_ioctl,
-#endif
 	.llseek		= no_llseek,
 };
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0149/1126] ARM: dts: at91: sama7g5: Remove unused properties in i2c nodes
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0148/1126] rfkill: make new event layout opt-in Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0150/1126] ARM: dts: at91: sama5d2: Fix PMERRLOC resource size Greg Kroah-Hartman
                   ` (840 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tudor Ambarus, Eugen Hristev, Nicolas Ferre

From: Tudor Ambarus <tudor.ambarus@microchip.com>

commit cbb92a7717d2e1c512b7e81c6b22c7298b58a881 upstream.

The "atmel,use-dma-rx", "atmel,use-dma-rx" dt properties are not used by
the i2c-at91 driver, nor they are defined in the bindings file, thus remove
them.

Cc: stable@vger.kernel.org
Fixes: 7540629e2fc7 ("ARM: dts: at91: add sama7g5 SoC DT and sama7g5-ek")
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Reviewed-by: Eugen Hristev <eugen.hristev@microchip.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Link: https://lore.kernel.org/r/20220302161854.32177-1-tudor.ambarus@microchip.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/boot/dts/sama7g5.dtsi |    6 ------
 1 file changed, 6 deletions(-)

--- a/arch/arm/boot/dts/sama7g5.dtsi
+++ b/arch/arm/boot/dts/sama7g5.dtsi
@@ -382,8 +382,6 @@
 				dmas = <&dma0 AT91_XDMAC_DT_PERID(7)>,
 					<&dma0 AT91_XDMAC_DT_PERID(8)>;
 				dma-names = "rx", "tx";
-				atmel,use-dma-rx;
-				atmel,use-dma-tx;
 				status = "disabled";
 			};
 		};
@@ -558,8 +556,6 @@
 				dmas = <&dma0 AT91_XDMAC_DT_PERID(21)>,
 					<&dma0 AT91_XDMAC_DT_PERID(22)>;
 				dma-names = "rx", "tx";
-				atmel,use-dma-rx;
-				atmel,use-dma-tx;
 				status = "disabled";
 			};
 		};
@@ -584,8 +580,6 @@
 				dmas = <&dma0 AT91_XDMAC_DT_PERID(23)>,
 					<&dma0 AT91_XDMAC_DT_PERID(24)>;
 				dma-names = "rx", "tx";
-				atmel,use-dma-rx;
-				atmel,use-dma-tx;
 				status = "disabled";
 			};
 		};



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0150/1126] ARM: dts: at91: sama5d2: Fix PMERRLOC resource size
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0149/1126] ARM: dts: at91: sama7g5: Remove unused properties in i2c nodes Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0151/1126] ARM: dts: exynos: fix UART3 pins configuration in Exynos5250 Greg Kroah-Hartman
                   ` (839 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tudor Ambarus, Alexander Dahl, Nicolas Ferre

From: Tudor Ambarus <tudor.ambarus@microchip.com>

commit 0fb578a529ac7aca326a9fa475b4a6f58a756fda upstream.

PMERRLOC resource size was set to 0x100, which resulted in HSMC_ERRLOCx
register being truncated to offset x = 21, causing error correction to
fail if more than 22 bit errors and if 24 or 32 bit error correction
was supported.

Fixes: d9c41bf30cf8 ("ARM: dts: at91: Declare EBI/NAND controllers")
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Cc: <stable@vger.kernel.org> # 4.13.x
Acked-by: Alexander Dahl <ada@thorsis.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Link: https://lore.kernel.org/r/20220111132301.906712-1-tudor.ambarus@microchip.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/boot/dts/sama5d2.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/sama5d2.dtsi
+++ b/arch/arm/boot/dts/sama5d2.dtsi
@@ -415,7 +415,7 @@
 				pmecc: ecc-engine@f8014070 {
 					compatible = "atmel,sama5d2-pmecc";
 					reg = <0xf8014070 0x490>,
-					      <0xf8014500 0x100>;
+					      <0xf8014500 0x200>;
 				};
 			};
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0151/1126] ARM: dts: exynos: fix UART3 pins configuration in Exynos5250
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0150/1126] ARM: dts: at91: sama5d2: Fix PMERRLOC resource size Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:14 ` [PATCH 5.17 0152/1126] ARM: dts: exynos: add missing HDMI supplies on SMDK5250 Greg Kroah-Hartman
                   ` (838 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski,
	Marek Szyprowski, Alim Akhtar

From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

commit 372d7027fed43c8570018e124cf78b89523a1f8e upstream.

The gpa1-4 pin was put twice in UART3 pin configuration of Exynos5250,
instead of proper pin gpa1-5.

Fixes: f8bfe2b050f3 ("ARM: dts: add pin state information in client nodes for Exynos5 platforms")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
Link: https://lore.kernel.org/r/20211230195325.328220-1-krzysztof.kozlowski@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/boot/dts/exynos5250-pinctrl.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/exynos5250-pinctrl.dtsi
+++ b/arch/arm/boot/dts/exynos5250-pinctrl.dtsi
@@ -260,7 +260,7 @@
 	};
 
 	uart3_data: uart3-data {
-		samsung,pins = "gpa1-4", "gpa1-4";
+		samsung,pins = "gpa1-4", "gpa1-5";
 		samsung,pin-function = <EXYNOS_PIN_FUNC_2>;
 		samsung,pin-pud = <EXYNOS_PIN_PULL_NONE>;
 		samsung,pin-drv = <EXYNOS4_PIN_DRV_LV1>;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0152/1126] ARM: dts: exynos: add missing HDMI supplies on SMDK5250
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0151/1126] ARM: dts: exynos: fix UART3 pins configuration in Exynos5250 Greg Kroah-Hartman
@ 2022-04-05  7:14 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0153/1126] ARM: dts: exynos: add missing HDMI supplies on SMDK5420 Greg Kroah-Hartman
                   ` (837 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Alim Akhtar

From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

commit 60a9914cb2061ba612a3f14f6ad329912b486360 upstream.

Add required VDD supplies to HDMI block on SMDK5250.  Without them, the
HDMI driver won't probe.  Because of lack of schematics, use same
supplies as on Arndale 5250 board (voltage matches).

Cc: <stable@vger.kernel.org> # v3.15+
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
Link: https://lore.kernel.org/r/20220208171823.226211-2-krzysztof.kozlowski@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/boot/dts/exynos5250-smdk5250.dts |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/arm/boot/dts/exynos5250-smdk5250.dts
+++ b/arch/arm/boot/dts/exynos5250-smdk5250.dts
@@ -118,6 +118,9 @@
 	status = "okay";
 	ddc = <&i2c_2>;
 	hpd-gpios = <&gpx3 7 GPIO_ACTIVE_HIGH>;
+	vdd-supply = <&ldo8_reg>;
+	vdd_osc-supply = <&ldo10_reg>;
+	vdd_pll-supply = <&ldo8_reg>;
 };
 
 &i2c_0 {



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0153/1126] ARM: dts: exynos: add missing HDMI supplies on SMDK5420
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2022-04-05  7:14 ` [PATCH 5.17 0152/1126] ARM: dts: exynos: add missing HDMI supplies on SMDK5250 Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0154/1126] mgag200 fix memmapsl configuration in GCTL6 register Greg Kroah-Hartman
                   ` (836 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Alim Akhtar

From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

commit 453a24ded415f7fce0499c6b0a2c7b28f84911f2 upstream.

Add required VDD supplies to HDMI block on SMDK5420.  Without them, the
HDMI driver won't probe.  Because of lack of schematics, use same
supplies as on Arndale Octa and Odroid XU3 boards (voltage matches).

Cc: <stable@vger.kernel.org> # v3.15+
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
Link: https://lore.kernel.org/r/20220208171823.226211-3-krzysztof.kozlowski@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/boot/dts/exynos5420-smdk5420.dts |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/arm/boot/dts/exynos5420-smdk5420.dts
+++ b/arch/arm/boot/dts/exynos5420-smdk5420.dts
@@ -124,6 +124,9 @@
 	hpd-gpios = <&gpx3 7 GPIO_ACTIVE_HIGH>;
 	pinctrl-names = "default";
 	pinctrl-0 = <&hdmi_hpd_irq>;
+	vdd-supply = <&ldo6_reg>;
+	vdd_osc-supply = <&ldo7_reg>;
+	vdd_pll-supply = <&ldo6_reg>;
 };
 
 &hsi2c_4 {



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0154/1126] mgag200 fix memmapsl configuration in GCTL6 register
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0153/1126] ARM: dts: exynos: add missing HDMI supplies on SMDK5420 Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0155/1126] carl9170: fix missing bit-wise or operator for tx_params Greg Kroah-Hartman
                   ` (835 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jocelyn Falempe,
	Javier Martinez Canillas, Lyude Paul, Thomas Zimmermann

From: Jocelyn Falempe <jfalempe@redhat.com>

commit 028a73e10705af1ffd51f2537460f616dc58680e upstream.

On some servers with MGA G200_SE_A (rev 42), booting with Legacy BIOS,
the hardware hangs when using kdump and kexec into the kdump kernel.
This happens when the uncompress code tries to write "Decompressing Linux"
to the VGA Console.

It can be reproduced by writing to the VGA console (0xB8000) after
booting to graphic mode, it generates the following error:

kernel:NMI: PCI system error (SERR) for reason a0 on CPU 0.
kernel:Dazed and confused, but trying to continue

The root cause is the configuration of the MGA GCTL6 register

According to the GCTL6 register documentation:

bit 0 is gcgrmode:
    0: Enables alpha mode, and the character generator addressing system is
     activated.
    1: Enables graphics mode, and the character addressing system is not
     used.

bit 1 is chainodd even:
    0: The A0 signal of the memory address bus is used during system memory
     addressing.
    1: Allows A0 to be replaced by either the A16 signal of the system
     address (ifmemmapsl is ‘00’), or by the hpgoddev (MISC<5>, odd/even
     page select) field, described on page 3-294).

bit 3-2 are memmapsl:
    Memory map select bits 1 and 0. VGA.
    These bits select where the video memory is mapped, as shown below:
        00 => A0000h - BFFFFh
        01 => A0000h - AFFFFh
        10 => B0000h - B7FFFh
        11 => B8000h - BFFFFh

bit 7-4 are reserved.

Current code set it to 0x05 => memmapsl to b01 => 0xa0000 (graphic mode)
But on x86, the VGA console is at 0xb8000 (text mode)
In arch/x86/boot/compressed/misc.c debug strings are written to 0xb8000
As the driver doesn't use this mapping at 0xa0000, it is safe to set it to
0xb8000 instead, to avoid kernel hang on G200_SE_A rev42, with kexec/kdump.

Thus changing the value 0x05 to 0x0d

Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Acked-by: Lyude Paul <lyude@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20220119102905.1194787-1-jfalempe@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/mgag200/mgag200_mode.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/mgag200/mgag200_mode.c
+++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
@@ -529,7 +529,10 @@ static void mgag200_set_format_regs(stru
 	WREG_GFX(3, 0x00);
 	WREG_GFX(4, 0x00);
 	WREG_GFX(5, 0x40);
-	WREG_GFX(6, 0x05);
+	/* GCTL6 should be 0x05, but we configure memmapsl to 0xb8000 (text mode),
+	 * so that it doesn't hang when running kexec/kdump on G200_SE rev42.
+	 */
+	WREG_GFX(6, 0x0d);
 	WREG_GFX(7, 0x0f);
 	WREG_GFX(8, 0x0f);
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0155/1126] carl9170: fix missing bit-wise or operator for tx_params
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0154/1126] mgag200 fix memmapsl configuration in GCTL6 register Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0156/1126] pstore: Dont use semaphores in always-atomic-context code Greg Kroah-Hartman
                   ` (834 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, Stable,
	Christian Lamparter, Kalle Valo

From: Colin Ian King <colin.i.king@gmail.com>

commit 02a95374b5eebdbd3b6413fd7ddec151d2ea75a1 upstream.

Currently tx_params is being re-assigned with a new value and the
previous setting IEEE80211_HT_MCS_TX_RX_DIFF is being overwritten.
The assignment operator is incorrect, the original intent was to
bit-wise or the value in. Fix this by replacing the = operator
with |= instead.

Kudos to Christian Lamparter for suggesting the correct fix.

Fixes: fe8ee9ad80b2 ("carl9170: mac80211 glue and command interface")
Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Cc: <Stable@vger.kernel.org>
Acked-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20220125004406.344422-1-colin.i.king@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/ath/carl9170/main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/carl9170/main.c
+++ b/drivers/net/wireless/ath/carl9170/main.c
@@ -1914,7 +1914,7 @@ static int carl9170_parse_eeprom(struct
 		WARN_ON(!(tx_streams >= 1 && tx_streams <=
 			IEEE80211_HT_MCS_TX_MAX_STREAMS));
 
-		tx_params = (tx_streams - 1) <<
+		tx_params |= (tx_streams - 1) <<
 			    IEEE80211_HT_MCS_TX_MAX_STREAMS_SHIFT;
 
 		carl9170_band_2GHz.ht_cap.mcs.tx_params |= tx_params;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0156/1126] pstore: Dont use semaphores in always-atomic-context code
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0155/1126] carl9170: fix missing bit-wise or operator for tx_params Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0157/1126] thermal: int340x: Increase bitmap size Greg Kroah-Hartman
                   ` (833 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sebastian Andrzej Siewior, Jann Horn,
	Kees Cook

From: Jann Horn <jannh@google.com>

commit 8126b1c73108bc691f5643df19071a59a69d0bc6 upstream.

pstore_dump() is *always* invoked in atomic context (nowadays in an RCU
read-side critical section, before that under a spinlock).
It doesn't make sense to try to use semaphores here.

This is mostly a revert of commit ea84b580b955 ("pstore: Convert buf_lock
to semaphore"), except that two parts aren't restored back exactly as they
were:

 - keep the lock initialization in pstore_register
 - in efi_pstore_write(), always set the "block" flag to false
 - omit "is_locked", that was unnecessary since
   commit 959217c84c27 ("pstore: Actually give up during locking failure")
 - fix the bailout message

The actual problem that the buggy commit was trying to address may have
been that the use of preemptible() in efi_pstore_write() was wrong - it
only looks at preempt_count() and the state of IRQs, but __rcu_read_lock()
doesn't touch either of those under CONFIG_PREEMPT_RCU.
(Sidenote: CONFIG_PREEMPT_RCU means that the scheduler can preempt tasks in
RCU read-side critical sections, but you're not allowed to actively
block/reschedule.)

Lockdep probably never caught the problem because it's very rare that you
actually hit the contended case, so lockdep always just sees the
down_trylock(), not the down_interruptible(), and so it can't tell that
there's a problem.

Fixes: ea84b580b955 ("pstore: Convert buf_lock to semaphore")
Cc: stable@vger.kernel.org
Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220314185953.2068993-1-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/efi/efi-pstore.c |    2 +-
 fs/pstore/platform.c              |   38 ++++++++++++++++++--------------------
 include/linux/pstore.h            |    6 +++---
 3 files changed, 22 insertions(+), 24 deletions(-)

--- a/drivers/firmware/efi/efi-pstore.c
+++ b/drivers/firmware/efi/efi-pstore.c
@@ -266,7 +266,7 @@ static int efi_pstore_write(struct pstor
 		efi_name[i] = name[i];
 
 	ret = efivar_entry_set_safe(efi_name, vendor, PSTORE_EFI_ATTRIBUTES,
-			      preemptible(), record->size, record->psi->buf);
+			      false, record->size, record->psi->buf);
 
 	if (record->reason == KMSG_DUMP_OOPS && try_module_get(THIS_MODULE))
 		if (!schedule_work(&efivar_work))
--- a/fs/pstore/platform.c
+++ b/fs/pstore/platform.c
@@ -143,21 +143,22 @@ static void pstore_timer_kick(void)
 	mod_timer(&pstore_timer, jiffies + msecs_to_jiffies(pstore_update_ms));
 }
 
-/*
- * Should pstore_dump() wait for a concurrent pstore_dump()? If
- * not, the current pstore_dump() will report a failure to dump
- * and return.
- */
-static bool pstore_cannot_wait(enum kmsg_dump_reason reason)
+static bool pstore_cannot_block_path(enum kmsg_dump_reason reason)
 {
-	/* In NMI path, pstore shouldn't block regardless of reason. */
+	/*
+	 * In case of NMI path, pstore shouldn't be blocked
+	 * regardless of reason.
+	 */
 	if (in_nmi())
 		return true;
 
 	switch (reason) {
 	/* In panic case, other cpus are stopped by smp_send_stop(). */
 	case KMSG_DUMP_PANIC:
-	/* Emergency restart shouldn't be blocked. */
+	/*
+	 * Emergency restart shouldn't be blocked by spinning on
+	 * pstore_info::buf_lock.
+	 */
 	case KMSG_DUMP_EMERG:
 		return true;
 	default:
@@ -389,21 +390,19 @@ static void pstore_dump(struct kmsg_dump
 	unsigned long	total = 0;
 	const char	*why;
 	unsigned int	part = 1;
+	unsigned long	flags = 0;
 	int		ret;
 
 	why = kmsg_dump_reason_str(reason);
 
-	if (down_trylock(&psinfo->buf_lock)) {
-		/* Failed to acquire lock: give up if we cannot wait. */
-		if (pstore_cannot_wait(reason)) {
-			pr_err("dump skipped in %s path: may corrupt error record\n",
-				in_nmi() ? "NMI" : why);
-			return;
-		}
-		if (down_interruptible(&psinfo->buf_lock)) {
-			pr_err("could not grab semaphore?!\n");
+	if (pstore_cannot_block_path(reason)) {
+		if (!spin_trylock_irqsave(&psinfo->buf_lock, flags)) {
+			pr_err("dump skipped in %s path because of concurrent dump\n",
+					in_nmi() ? "NMI" : why);
 			return;
 		}
+	} else {
+		spin_lock_irqsave(&psinfo->buf_lock, flags);
 	}
 
 	kmsg_dump_rewind(&iter);
@@ -467,8 +466,7 @@ static void pstore_dump(struct kmsg_dump
 		total += record.size;
 		part++;
 	}
-
-	up(&psinfo->buf_lock);
+	spin_unlock_irqrestore(&psinfo->buf_lock, flags);
 }
 
 static struct kmsg_dumper pstore_dumper = {
@@ -594,7 +592,7 @@ int pstore_register(struct pstore_info *
 		psi->write_user = pstore_write_user_compat;
 	psinfo = psi;
 	mutex_init(&psinfo->read_mutex);
-	sema_init(&psinfo->buf_lock, 1);
+	spin_lock_init(&psinfo->buf_lock);
 
 	if (psi->flags & PSTORE_FLAGS_DMESG)
 		allocate_buf_for_compression();
--- a/include/linux/pstore.h
+++ b/include/linux/pstore.h
@@ -14,7 +14,7 @@
 #include <linux/errno.h>
 #include <linux/kmsg_dump.h>
 #include <linux/mutex.h>
-#include <linux/semaphore.h>
+#include <linux/spinlock.h>
 #include <linux/time.h>
 #include <linux/types.h>
 
@@ -87,7 +87,7 @@ struct pstore_record {
  * @owner:	module which is responsible for this backend driver
  * @name:	name of the backend driver
  *
- * @buf_lock:	semaphore to serialize access to @buf
+ * @buf_lock:	spinlock to serialize access to @buf
  * @buf:	preallocated crash dump buffer
  * @bufsize:	size of @buf available for crash dump bytes (must match
  *		smallest number of bytes available for writing to a
@@ -178,7 +178,7 @@ struct pstore_info {
 	struct module	*owner;
 	const char	*name;
 
-	struct semaphore buf_lock;
+	spinlock_t	buf_lock;
 	char		*buf;
 	size_t		bufsize;
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0157/1126] thermal: int340x: Increase bitmap size
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0156/1126] pstore: Dont use semaphores in always-atomic-context code Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0158/1126] lib/raid6/test: fix multiple definition linking error Greg Kroah-Hartman
                   ` (832 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Srinivas Pandruvada, Rafael J. Wysocki

From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>

commit 668f69a5f863b877bc3ae129efe9a80b6f055141 upstream.

The number of policies are 10, so can't be supported by the bitmap size
of u8.

Even though there are no platfoms with these many policies, but
for correctness increase to u32.

Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Fixes: 16fc8eca1975 ("thermal/int340x_thermal: Add additional UUIDs")
Cc: 5.1+ <stable@vger.kernel.org> # 5.1+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thermal/intel/int340x_thermal/int3400_thermal.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
+++ b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
@@ -53,7 +53,7 @@ struct int3400_thermal_priv {
 	struct art *arts;
 	int trt_count;
 	struct trt *trts;
-	u8 uuid_bitmap;
+	u32 uuid_bitmap;
 	int rel_misc_dev_res;
 	int current_uuid_index;
 	char *data_vault;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0158/1126] lib/raid6/test: fix multiple definition linking error
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0157/1126] thermal: int340x: Increase bitmap size Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0159/1126] exec: Force single empty string when argv is empty Greg Kroah-Hartman
                   ` (831 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dirk Müller, Paul Menzel, Song Liu

From: Dirk Müller <dmueller@suse.de>

commit a5359ddd052860bacf957e65fe819c63e974b3a6 upstream.

GCC 10+ defaults to -fno-common, which enforces proper declaration of
external references using "extern". without this change a link would
fail with:

  lib/raid6/test/algos.c:28: multiple definition of `raid6_call';
  lib/raid6/test/test.c:22: first defined here

the pq.h header that is included already includes an extern declaration
so we can just remove the redundant one here.

Cc: <stable@vger.kernel.org>
Signed-off-by: Dirk Müller <dmueller@suse.de>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/raid6/test/test.c |    1 -
 1 file changed, 1 deletion(-)

--- a/lib/raid6/test/test.c
+++ b/lib/raid6/test/test.c
@@ -19,7 +19,6 @@
 #define NDISKS		16	/* Including P and Q */
 
 const char raid6_empty_zero_page[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
-struct raid6_calls raid6_call;
 
 char *dataptrs[NDISKS];
 char data[NDISKS][PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0159/1126] exec: Force single empty string when argv is empty
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0158/1126] lib/raid6/test: fix multiple definition linking error Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0160/1126] crypto: rsa-pkcs1pad - only allow with rsa Greg Kroah-Hartman
                   ` (830 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ariadne Conill, Michael Kerrisk,
	Matthew Wilcox, Christian Brauner, Rich Felker, Eric Biederman,
	Alexander Viro, linux-fsdevel, Kees Cook, Andy Lutomirski

From: Kees Cook <keescook@chromium.org>

commit dcd46d897adb70d63e025f175a00a89797d31a43 upstream.

Quoting[1] Ariadne Conill:

"In several other operating systems, it is a hard requirement that the
second argument to execve(2) be the name of a program, thus prohibiting
a scenario where argc < 1. POSIX 2017 also recommends this behaviour,
but it is not an explicit requirement[2]:

    The argument arg0 should point to a filename string that is
    associated with the process being started by one of the exec
    functions.
...
Interestingly, Michael Kerrisk opened an issue about this in 2008[3],
but there was no consensus to support fixing this issue then.
Hopefully now that CVE-2021-4034 shows practical exploitative use[4]
of this bug in a shellcode, we can reconsider.

This issue is being tracked in the KSPP issue tracker[5]."

While the initial code searches[6][7] turned up what appeared to be
mostly corner case tests, trying to that just reject argv == NULL
(or an immediately terminated pointer list) quickly started tripping[8]
existing userspace programs.

The next best approach is forcing a single empty string into argv and
adjusting argc to match. The number of programs depending on argc == 0
seems a smaller set than those calling execve with a NULL argv.

Account for the additional stack space in bprm_stack_limits(). Inject an
empty string when argc == 0 (and set argc = 1). Warn about the case so
userspace has some notice about the change:

    process './argc0' launched './argc0' with NULL argv: empty string added

Additionally WARN() and reject NULL argv usage for kernel threads.

[1] https://lore.kernel.org/lkml/20220127000724.15106-1-ariadne@dereferenced.org/
[2] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
[3] https://bugzilla.kernel.org/show_bug.cgi?id=8408
[4] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
[5] https://github.com/KSPP/linux/issues/176
[6] https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL&literal=0
[7] https://codesearch.debian.net/search?q=execlp%3F%5Cs*%5C%28%5B%5E%2C%5D%2B%2C%5Cs*NULL&literal=0
[8] https://lore.kernel.org/lkml/20220131144352.GE16385@xsang-OptiPlex-9020/

Reported-by: Ariadne Conill <ariadne@dereferenced.org>
Reported-by: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Rich Felker <dalias@libc.org>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Christian Brauner <brauner@kernel.org>
Acked-by: Ariadne Conill <ariadne@dereferenced.org>
Acked-by: Andy Lutomirski <luto@kernel.org>
Link: https://lore.kernel.org/r/20220201000947.2453721-1-keescook@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/exec.c |   26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

--- a/fs/exec.c
+++ b/fs/exec.c
@@ -495,8 +495,14 @@ static int bprm_stack_limits(struct linu
 	 * the stack. They aren't stored until much later when we can't
 	 * signal to the parent that the child has run out of stack space.
 	 * Instead, calculate it here so it's possible to fail gracefully.
+	 *
+	 * In the case of argc = 0, make sure there is space for adding a
+	 * empty string (which will bump argc to 1), to ensure confused
+	 * userspace programs don't start processing from argv[1], thinking
+	 * argc can never be 0, to keep them from walking envp by accident.
+	 * See do_execveat_common().
 	 */
-	ptr_size = (bprm->argc + bprm->envc) * sizeof(void *);
+	ptr_size = (max(bprm->argc, 1) + bprm->envc) * sizeof(void *);
 	if (limit <= ptr_size)
 		return -E2BIG;
 	limit -= ptr_size;
@@ -1897,6 +1903,9 @@ static int do_execveat_common(int fd, st
 	}
 
 	retval = count(argv, MAX_ARG_STRINGS);
+	if (retval == 0)
+		pr_warn_once("process '%s' launched '%s' with NULL argv: empty string added\n",
+			     current->comm, bprm->filename);
 	if (retval < 0)
 		goto out_free;
 	bprm->argc = retval;
@@ -1923,6 +1932,19 @@ static int do_execveat_common(int fd, st
 	if (retval < 0)
 		goto out_free;
 
+	/*
+	 * When argv is empty, add an empty string ("") as argv[0] to
+	 * ensure confused userspace programs that start processing
+	 * from argv[1] won't end up walking envp. See also
+	 * bprm_stack_limits().
+	 */
+	if (bprm->argc == 0) {
+		retval = copy_string_kernel("", bprm);
+		if (retval < 0)
+			goto out_free;
+		bprm->argc = 1;
+	}
+
 	retval = bprm_execve(bprm, fd, filename, flags);
 out_free:
 	free_bprm(bprm);
@@ -1951,6 +1973,8 @@ int kernel_execve(const char *kernel_fil
 	}
 
 	retval = count_strings_kernel(argv);
+	if (WARN_ON_ONCE(retval == 0))
+		retval = -EINVAL;
 	if (retval < 0)
 		goto out_free;
 	bprm->argc = retval;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0160/1126] crypto: rsa-pkcs1pad - only allow with rsa
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0159/1126] exec: Force single empty string when argv is empty Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0161/1126] crypto: rsa-pkcs1pad - correctly get hash from source scatterlist Greg Kroah-Hartman
                   ` (829 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, Herbert Xu

From: Eric Biggers <ebiggers@google.com>

commit 9b30430ea356f237945e52f8a3a42158877bd5a9 upstream.

The pkcs1pad template can be instantiated with an arbitrary akcipher
algorithm, which doesn't make sense; it is specifically an RSA padding
scheme.  Make it check that the underlying algorithm really is RSA.

Fixes: 3d5b1ecdea6f ("crypto: rsa - RSA padding algorithm")
Cc: <stable@vger.kernel.org> # v4.5+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 crypto/rsa-pkcs1pad.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -621,6 +621,11 @@ static int pkcs1pad_create(struct crypto
 
 	rsa_alg = crypto_spawn_akcipher_alg(&ctx->spawn);
 
+	if (strcmp(rsa_alg->base.cra_name, "rsa") != 0) {
+		err = -EINVAL;
+		goto err_free_inst;
+	}
+
 	err = -ENAMETOOLONG;
 	hash_name = crypto_attr_alg_name(tb[2]);
 	if (IS_ERR(hash_name)) {



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0161/1126] crypto: rsa-pkcs1pad - correctly get hash from source scatterlist
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0160/1126] crypto: rsa-pkcs1pad - only allow with rsa Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0162/1126] crypto: rsa-pkcs1pad - restore signature length check Greg Kroah-Hartman
                   ` (828 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vitaly Chikunov, Eric Biggers, Herbert Xu

From: Eric Biggers <ebiggers@google.com>

commit e316f7179be22912281ce6331d96d7c121fb2b17 upstream.

Commit c7381b012872 ("crypto: akcipher - new verify API for public key
algorithms") changed akcipher_alg::verify to take in both the signature
and the actual hash and do the signature verification, rather than just
return the hash expected by the signature as was the case before.  To do
this, it implemented a hack where the signature and hash are
concatenated with each other in one scatterlist.

Obviously, for this to work correctly, akcipher_alg::verify needs to
correctly extract the two items from the scatterlist it is given.
Unfortunately, it doesn't correctly extract the hash in the case where
the signature is longer than the RSA key size, as it assumes that the
signature's length is equal to the RSA key size.  This causes a prefix
of the hash, or even the entire hash, to be taken from the *signature*.

(Note, the case of a signature longer than the RSA key size should not
be allowed in the first place; a separate patch will fix that.)

It is unclear whether the resulting scheme has any useful security
properties.

Fix this by correctly extracting the hash from the scatterlist.

Fixes: c7381b012872 ("crypto: akcipher - new verify API for public key algorithms")
Cc: <stable@vger.kernel.org> # v5.2+
Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 crypto/rsa-pkcs1pad.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -495,7 +495,7 @@ static int pkcs1pad_verify_complete(stru
 			   sg_nents_for_len(req->src,
 					    req->src_len + req->dst_len),
 			   req_ctx->out_buf + ctx->key_size,
-			   req->dst_len, ctx->key_size);
+			   req->dst_len, req->src_len);
 	/* Do the actual verification step. */
 	if (memcmp(req_ctx->out_buf + ctx->key_size, out_buf + pos,
 		   req->dst_len) != 0)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0162/1126] crypto: rsa-pkcs1pad - restore signature length check
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0161/1126] crypto: rsa-pkcs1pad - correctly get hash from source scatterlist Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0163/1126] crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete() Greg Kroah-Hartman
                   ` (827 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tadeusz Struk, Vitaly Chikunov,
	Eric Biggers, Herbert Xu

From: Eric Biggers <ebiggers@google.com>

commit d3481accd974541e6a5d6a1fb588924a3519c36e upstream.

RSA PKCS#1 v1.5 signatures are required to be the same length as the RSA
key size.  RFC8017 specifically requires the verifier to check this
(https://datatracker.ietf.org/doc/html/rfc8017#section-8.2.2).

Commit a49de377e051 ("crypto: Add hash param to pkcs1pad") changed the
kernel to allow longer signatures, but didn't explain this part of the
change; it seems to be unrelated to the rest of the commit.

Revert this change, since it doesn't appear to be correct.

We can be pretty sure that no one is relying on overly-long signatures
(which would have to be front-padded with zeroes) being supported, given
that they would have been broken since commit c7381b012872
("crypto: akcipher - new verify API for public key algorithms").

Fixes: a49de377e051 ("crypto: Add hash param to pkcs1pad")
Cc: <stable@vger.kernel.org> # v4.6+
Cc: Tadeusz Struk <tadeusz.struk@linaro.org>
Suggested-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 crypto/rsa-pkcs1pad.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -538,7 +538,7 @@ static int pkcs1pad_verify(struct akciph
 
 	if (WARN_ON(req->dst) ||
 	    WARN_ON(!req->dst_len) ||
-	    !ctx->key_size || req->src_len < ctx->key_size)
+	    !ctx->key_size || req->src_len != ctx->key_size)
 		return -EINVAL;
 
 	req_ctx->out_buf = kmalloc(ctx->key_size + req->dst_len, GFP_KERNEL);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0163/1126] crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0162/1126] crypto: rsa-pkcs1pad - restore signature length check Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0164/1126] bcache: fixup multiple threads crash Greg Kroah-Hartman
                   ` (826 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tadeusz Struk, Eric Biggers, Herbert Xu

From: Eric Biggers <ebiggers@google.com>

commit a24611ea356c7f3f0ec926da11b9482ac1f414fd upstream.

Before checking whether the expected digest_info is present, we need to
check that there are enough bytes remaining.

Fixes: a49de377e051 ("crypto: Add hash param to pkcs1pad")
Cc: <stable@vger.kernel.org> # v4.6+
Cc: Tadeusz Struk <tadeusz.struk@linaro.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 crypto/rsa-pkcs1pad.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -476,6 +476,8 @@ static int pkcs1pad_verify_complete(stru
 	pos++;
 
 	if (digest_info) {
+		if (digest_info->size > dst_len - pos)
+			goto done;
 		if (crypto_memneq(out_buf + pos, digest_info->data,
 				  digest_info->size))
 			goto done;



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0164/1126] bcache: fixup multiple threads crash
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0163/1126] crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete() Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0165/1126] PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove() Greg Kroah-Hartman
                   ` (825 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mingzhe Zou, Coly Li

From: Mingzhe Zou <mingzhe.zou@easystack.cn>

commit 887554ab96588de2917b6c8c73e552da082e5368 upstream.

When multiple threads to check btree nodes in parallel, the main
thread wait for all threads to stop or CACHE_SET_IO_DISABLE flag:

wait_event_interruptible(check_state->wait,
                         atomic_read(&check_state->started) == 0 ||
                         test_bit(CACHE_SET_IO_DISABLE, &c->flags));

However, the bch_btree_node_read and bch_btree_node_read_done
maybe call bch_cache_set_error, then the CACHE_SET_IO_DISABLE
will be set. If the flag already set, the main thread return
error. At the same time, maybe some threads still running and
read NULL pointer, the kernel will crash.

This patch change the event wait condition, the main thread must
wait for all threads to stop.

Fixes: 8e7102273f597 ("bcache: make bch_btree_check() to be multithreaded")
Signed-off-by: Mingzhe Zou <mingzhe.zou@easystack.cn>
Cc: stable@vger.kernel.org # v5.7+
Signed-off-by: Coly Li <colyli@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/bcache/btree.c     |    6 ++++--
 drivers/md/bcache/writeback.c |    6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/md/bcache/btree.c
+++ b/drivers/md/bcache/btree.c
@@ -2060,9 +2060,11 @@ int bch_btree_check(struct cache_set *c)
 		}
 	}
 
+	/*
+	 * Must wait for all threads to stop.
+	 */
 	wait_event_interruptible(check_state->wait,
-				 atomic_read(&check_state->started) == 0 ||
-				  test_bit(CACHE_SET_IO_DISABLE, &c->flags));
+				 atomic_read(&check_state->started) == 0);
 
 	for (i = 0; i < check_state->total_threads; i++) {
 		if (check_state->infos[i].result) {
--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -998,9 +998,11 @@ void bch_sectors_dirty_init(struct bcach
 		}
 	}
 
+	/*
+	 * Must wait for all threads to stop.
+	 */
 	wait_event_interruptible(state->wait,
-		 atomic_read(&state->started) == 0 ||
-		 test_bit(CACHE_SET_IO_DISABLE, &c->flags));
+		 atomic_read(&state->started) == 0);
 
 out:
 	kfree(state);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0165/1126] PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove()
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0164/1126] bcache: fixup multiple threads crash Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0166/1126] DEC: Limit PMAX memory probing to R3k systems Greg Kroah-Hartman
                   ` (824 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shawn Guo, Ulf Hansson, Rafael J. Wysocki

From: Shawn Guo <shawn.guo@linaro.org>

commit f6bfe8b5b2c2a5ac8bd2fc7bca3706e6c3fc26d8 upstream.

When a genpd with GENPD_FLAG_IRQ_SAFE gets removed, the following
sleep-in-atomic bug will be seen, as genpd_debug_remove() will be called
with a spinlock being held.

[    0.029183] BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1460
[    0.029204] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 1, name: swapper/0
[    0.029219] preempt_count: 1, expected: 0
[    0.029230] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.17.0-rc4+ #489
[    0.029245] Hardware name: Thundercomm TurboX CM2290 (DT)
[    0.029256] Call trace:
[    0.029265]  dump_backtrace.part.0+0xbc/0xd0
[    0.029285]  show_stack+0x3c/0xa0
[    0.029298]  dump_stack_lvl+0x7c/0xa0
[    0.029311]  dump_stack+0x18/0x34
[    0.029323]  __might_resched+0x10c/0x13c
[    0.029338]  __might_sleep+0x4c/0x80
[    0.029351]  down_read+0x24/0xd0
[    0.029363]  lookup_one_len_unlocked+0x9c/0xcc
[    0.029379]  lookup_positive_unlocked+0x10/0x50
[    0.029392]  debugfs_lookup+0x68/0xac
[    0.029406]  genpd_remove.part.0+0x12c/0x1b4
[    0.029419]  of_genpd_remove_last+0xa8/0xd4
[    0.029434]  psci_cpuidle_domain_probe+0x174/0x53c
[    0.029449]  platform_probe+0x68/0xe0
[    0.029462]  really_probe+0x190/0x430
[    0.029473]  __driver_probe_device+0x90/0x18c
[    0.029485]  driver_probe_device+0x40/0xe0
[    0.029497]  __driver_attach+0xf4/0x1d0
[    0.029508]  bus_for_each_dev+0x70/0xd0
[    0.029523]  driver_attach+0x24/0x30
[    0.029534]  bus_add_driver+0x164/0x22c
[    0.029545]  driver_register+0x78/0x130
[    0.029556]  __platform_driver_register+0x28/0x34
[    0.029569]  psci_idle_init_domains+0x1c/0x28
[    0.029583]  do_one_initcall+0x50/0x1b0
[    0.029595]  kernel_init_freeable+0x214/0x280
[    0.029609]  kernel_init+0x2c/0x13c
[    0.029622]  ret_from_fork+0x10/0x20

It doesn't seem necessary to call genpd_debug_remove() with the lock, so
move it out from locking to fix the problem.

Fixes: 718072ceb211 ("PM: domains: create debugfs nodes when adding power domains")
Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Cc: 5.11+ <stable@vger.kernel.org> # 5.11+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/base/power/domain.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/base/power/domain.c
+++ b/drivers/base/power/domain.c
@@ -2058,9 +2058,9 @@ static int genpd_remove(struct generic_p
 		kfree(link);
 	}
 
-	genpd_debug_remove(genpd);
 	list_del(&genpd->gpd_list_node);
 	genpd_unlock(genpd);
+	genpd_debug_remove(genpd);
 	cancel_work_sync(&genpd->power_off_work);
 	if (genpd_is_cpu_domain(genpd))
 		free_cpumask_var(genpd->cpus);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0166/1126] DEC: Limit PMAX memory probing to R3k systems
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0165/1126] PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove() Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0167/1126] media: gpio-ir-tx: fix transmit with long spaces on Orange Pi PC Greg Kroah-Hartman
                   ` (823 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan-Benedict Glaw, Sudip Mukherjee,
	Maciej W. Rozycki, Thomas Bogendoerfer

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 244eae91a94c6dab82b3232967d10eeb9dfa21c6 upstream.

Recent tightening of the opcode table in binutils so as to consistently
disallow the assembly or disassembly of CP0 instructions not supported
by the processor architecture chosen has caused a regression like below:

arch/mips/dec/prom/locore.S: Assembler messages:
arch/mips/dec/prom/locore.S:29: Error: opcode not supported on this processor: r4600 (mips3) `rfe'

in a piece of code used to probe for memory with PMAX DECstation models,
which have non-REX firmware.  Those computers always have an R2000 CPU
and consequently the exception handler used in memory probing uses the
RFE instruction, which those processors use.

While adding 64-bit support this code was correctly excluded for 64-bit
configurations, however it should have also been excluded for irrelevant
32-bit configurations.  Do this now then, and only enable PMAX memory
probing for R3k systems.

Reported-by: Jan-Benedict Glaw <jbglaw@lug-owl.de>
Reported-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org # v2.6.12+
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/mips/dec/prom/Makefile      |    2 +-
 arch/mips/include/asm/dec/prom.h |   15 +++++----------
 2 files changed, 6 insertions(+), 11 deletions(-)

--- a/arch/mips/dec/prom/Makefile
+++ b/arch/mips/dec/prom/Makefile
@@ -6,4 +6,4 @@
 
 lib-y			+= init.o memory.o cmdline.o identify.o console.o
 
-lib-$(CONFIG_32BIT)	+= locore.o
+lib-$(CONFIG_CPU_R3000)	+= locore.o
--- a/arch/mips/include/asm/dec/prom.h
+++ b/arch/mips/include/asm/dec/prom.h
@@ -43,16 +43,11 @@
  */
 #define REX_PROM_MAGIC		0x30464354
 
-#ifdef CONFIG_64BIT
-
-#define prom_is_rex(magic)	1	/* KN04 and KN05 are REX PROMs.  */
-
-#else /* !CONFIG_64BIT */
-
-#define prom_is_rex(magic)	((magic) == REX_PROM_MAGIC)
-
-#endif /* !CONFIG_64BIT */
-
+/* KN04 and KN05 are REX PROMs, so only do the check for R3k systems.  */
+static inline bool prom_is_rex(u32 magic)
+{
+	return !IS_ENABLED(CONFIG_CPU_R3000) || magic == REX_PROM_MAGIC;
+}
 
 /*
  * 3MIN/MAXINE PROM entry points for DS5000/1xx's, DS5000/xx's and



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0167/1126] media: gpio-ir-tx: fix transmit with long spaces on Orange Pi PC
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0166/1126] DEC: Limit PMAX memory probing to R3k systems Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0168/1126] media: omap3isp: Use struct_group() for memcpy() region Greg Kroah-Hartman
                   ` (822 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable,
	Михаил,
	Sean Young, Mauro Carvalho Chehab

From: Sean Young <sean@mess.org>

commit 5ad05ecad4326ddaa26a83ba2233a67be24c1aaa upstream.

Calling udelay for than 1000us does not always yield the correct
results.

Cc: stable@vger.kernel.org
Reported-by: Михаил <vrserver1@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/gpio-ir-tx.c |   28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

--- a/drivers/media/rc/gpio-ir-tx.c
+++ b/drivers/media/rc/gpio-ir-tx.c
@@ -48,11 +48,29 @@ static int gpio_ir_tx_set_carrier(struct
 	return 0;
 }
 
+static void delay_until(ktime_t until)
+{
+	/*
+	 * delta should never exceed 0.5 seconds (IR_MAX_DURATION) and on
+	 * m68k ndelay(s64) does not compile; so use s32 rather than s64.
+	 */
+	s32 delta;
+
+	while (true) {
+		delta = ktime_us_delta(until, ktime_get());
+		if (delta <= 0)
+			return;
+
+		/* udelay more than 1ms may not work */
+		delta = min(delta, 1000);
+		udelay(delta);
+	}
+}
+
 static void gpio_ir_tx_unmodulated(struct gpio_ir *gpio_ir, uint *txbuf,
 				   uint count)
 {
 	ktime_t edge;
-	s32 delta;
 	int i;
 
 	local_irq_disable();
@@ -63,9 +81,7 @@ static void gpio_ir_tx_unmodulated(struc
 		gpiod_set_value(gpio_ir->gpio, !(i % 2));
 
 		edge = ktime_add_us(edge, txbuf[i]);
-		delta = ktime_us_delta(edge, ktime_get());
-		if (delta > 0)
-			udelay(delta);
+		delay_until(edge);
 	}
 
 	gpiod_set_value(gpio_ir->gpio, 0);
@@ -97,9 +113,7 @@ static void gpio_ir_tx_modulated(struct
 		if (i % 2) {
 			// space
 			edge = ktime_add_us(edge, txbuf[i]);
-			delta = ktime_us_delta(edge, ktime_get());
-			if (delta > 0)
-				udelay(delta);
+			delay_until(edge);
 		} else {
 			// pulse
 			ktime_t last = ktime_add_us(edge, txbuf[i]);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0168/1126] media: omap3isp: Use struct_group() for memcpy() region
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0167/1126] media: gpio-ir-tx: fix transmit with long spaces on Orange Pi PC Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0169/1126] media: venus: vdec: fixed possible memory leak issue Greg Kroah-Hartman
                   ` (821 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Gustavo A. R. Silva,
	Kees Cook, Laurent Pinchart, Sakari Ailus, Mauro Carvalho Chehab

From: Kees Cook <keescook@chromium.org>

commit d4568fc8525897e683983806f813be1ae9eedaed upstream.

In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring fields. Wrap the target region
in struct_group(). This additionally fixes a theoretical misalignment
of the copy (since the size of "buf" changes between 64-bit and 32-bit,
but this is likely never built for 64-bit).

FWIW, I think this code is totally broken on 64-bit (which appears to
not be a "real" build configuration): it would either always fail (with
an uninitialized data->buf_size) or would cause corruption in userspace
due to the copy_to_user() in the call path against an uninitialized
data->buf value:

omap3isp_stat_request_statistics_time32(...)
    struct omap3isp_stat_data data64;
    ...
    omap3isp_stat_request_statistics(stat, &data64);

int omap3isp_stat_request_statistics(struct ispstat *stat,
                                     struct omap3isp_stat_data *data)
    ...
    buf = isp_stat_buf_get(stat, data);

static struct ispstat_buffer *isp_stat_buf_get(struct ispstat *stat,
                                               struct omap3isp_stat_data *data)
...
    if (buf->buf_size > data->buf_size) {
            ...
            return ERR_PTR(-EINVAL);
    }
    ...
    rval = copy_to_user(data->buf,
                        buf->virt_addr,
                        buf->buf_size);

Regardless, additionally initialize data64 to be zero-filled to avoid
undefined behavior.

Link: https://lore.kernel.org/lkml/20211215220505.GB21862@embeddedor

Cc: Arnd Bergmann <arnd@arndb.de>
Fixes: 378e3f81cb56 ("media: omap3isp: support 64-bit version of omap3isp_stat_data")
Cc: stable@vger.kernel.org
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/platform/omap3isp/ispstat.c |    5 +++--
 include/uapi/linux/omap3isp.h             |   21 +++++++++++++--------
 2 files changed, 16 insertions(+), 10 deletions(-)

--- a/drivers/media/platform/omap3isp/ispstat.c
+++ b/drivers/media/platform/omap3isp/ispstat.c
@@ -512,7 +512,7 @@ int omap3isp_stat_request_statistics(str
 int omap3isp_stat_request_statistics_time32(struct ispstat *stat,
 					struct omap3isp_stat_data_time32 *data)
 {
-	struct omap3isp_stat_data data64;
+	struct omap3isp_stat_data data64 = { };
 	int ret;
 
 	ret = omap3isp_stat_request_statistics(stat, &data64);
@@ -521,7 +521,8 @@ int omap3isp_stat_request_statistics_tim
 
 	data->ts.tv_sec = data64.ts.tv_sec;
 	data->ts.tv_usec = data64.ts.tv_usec;
-	memcpy(&data->buf, &data64.buf, sizeof(*data) - sizeof(data->ts));
+	data->buf = (uintptr_t)data64.buf;
+	memcpy(&data->frame, &data64.frame, sizeof(data->frame));
 
 	return 0;
 }
--- a/include/uapi/linux/omap3isp.h
+++ b/include/uapi/linux/omap3isp.h
@@ -162,6 +162,7 @@ struct omap3isp_h3a_aewb_config {
  * struct omap3isp_stat_data - Statistic data sent to or received from user
  * @ts: Timestamp of returned framestats.
  * @buf: Pointer to pass to user.
+ * @buf_size: Size of buffer.
  * @frame_number: Frame number of requested stats.
  * @cur_frame: Current frame number being processed.
  * @config_counter: Number of the configuration associated with the data.
@@ -176,10 +177,12 @@ struct omap3isp_stat_data {
 	struct timeval ts;
 #endif
 	void __user *buf;
-	__u32 buf_size;
-	__u16 frame_number;
-	__u16 cur_frame;
-	__u16 config_counter;
+	__struct_group(/* no tag */, frame, /* no attrs */,
+		__u32 buf_size;
+		__u16 frame_number;
+		__u16 cur_frame;
+		__u16 config_counter;
+	);
 };
 
 #ifdef __KERNEL__
@@ -189,10 +192,12 @@ struct omap3isp_stat_data_time32 {
 		__s32	tv_usec;
 	} ts;
 	__u32 buf;
-	__u32 buf_size;
-	__u16 frame_number;
-	__u16 cur_frame;
-	__u16 config_counter;
+	__struct_group(/* no tag */, frame, /* no attrs */,
+		__u32 buf_size;
+		__u16 frame_number;
+		__u16 cur_frame;
+		__u16 config_counter;
+	);
 };
 #endif
 



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0169/1126] media: venus: vdec: fixed possible memory leak issue
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0168/1126] media: omap3isp: Use struct_group() for memcpy() region Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0170/1126] media: venus: hfi_cmds: List HDR10 property as unsupported for v1 and v3 Greg Kroah-Hartman
                   ` (820 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ameer Hamza, Kieran Bingham,
	Stanimir Varbanov, Mauro Carvalho Chehab

From: Ameer Hamza <amhamza.mgc@gmail.com>

commit 8403fdd775858a7bf04868d43daea0acbe49ddfc upstream.

The venus_helper_alloc_dpb_bufs() implementation allows an early return
on an error path when checking the id from ida_alloc_min() which would
not release the earlier buffer allocation.

Move the direct kfree() from the error checking of dma_alloc_attrs() to
the common fail path to ensure that allocations are released on all
error paths in this function.

Addresses-Coverity: 1494120 ("Resource leak")

cc: stable@vger.kernel.org # 5.16+
Fixes: 40d87aafee29 ("media: venus: vdec: decoded picture buffer handling during reconfig sequence")
Signed-off-by: Ameer Hamza <amhamza.mgc@gmail.com>
Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/platform/qcom/venus/helpers.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/platform/qcom/venus/helpers.c
+++ b/drivers/media/platform/qcom/venus/helpers.c
@@ -189,7 +189,6 @@ int venus_helper_alloc_dpb_bufs(struct v
 		buf->va = dma_alloc_attrs(dev, buf->size, &buf->da, GFP_KERNEL,
 					  buf->attrs);
 		if (!buf->va) {
-			kfree(buf);
 			ret = -ENOMEM;
 			goto fail;
 		}
@@ -209,6 +208,7 @@ int venus_helper_alloc_dpb_bufs(struct v
 	return 0;
 
 fail:
+	kfree(buf);
 	venus_helper_free_dpb_bufs(inst);
 	return ret;
 }



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0170/1126] media: venus: hfi_cmds: List HDR10 property as unsupported for v1 and v3
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0169/1126] media: venus: vdec: fixed possible memory leak issue Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0171/1126] media: venus: venc: Fix h264 8x8 transform control Greg Kroah-Hartman
                   ` (819 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanimir Varbanov, Mauro Carvalho Chehab

From: Stanimir Varbanov <stanimir.varbanov@linaro.org>

commit 22beb839f48d841ec75974872863dc253d37c21c upstream.

The HFI_PROPERTY_PARAM_VENC_HDR10_PQ_SEI HFI property is not supported
on Venus v1 and v3.

cc: stable@vger.kernel.org # 5.13+
Fixes: 9172652d72f8 ("media: venus: venc: Add support for CLL and Mastering display controls")
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/platform/qcom/venus/hfi_cmds.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/media/platform/qcom/venus/hfi_cmds.c
+++ b/drivers/media/platform/qcom/venus/hfi_cmds.c
@@ -1054,6 +1054,8 @@ static int pkt_session_set_property_1x(s
 		pkt->shdr.hdr.size += sizeof(u32) + sizeof(*info);
 		break;
 	}
+	case HFI_PROPERTY_PARAM_VENC_HDR10_PQ_SEI:
+		return -ENOTSUPP;
 
 	/* FOLLOWING PROPERTIES ARE NOT IMPLEMENTED IN CORE YET */
 	case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS:



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0171/1126] media: venus: venc: Fix h264 8x8 transform control
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0170/1126] media: venus: hfi_cmds: List HDR10 property as unsupported for v1 and v3 Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0172/1126] media: davinci: vpif: fix unbalanced runtime PM get Greg Kroah-Hartman
                   ` (818 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanimir Varbanov, Mauro Carvalho Chehab

From: Stanimir Varbanov <stanimir.varbanov@linaro.org>

commit 61b3317dd424a3488b6754d7ff8301944d9d17d7 upstream.

During encoder driver open controls are initialized via a call
to v4l2_ctrl_handler_setup which returns EINVAL error for
V4L2_CID_MPEG_VIDEO_H264_8X8_TRANSFORM v4l2 control. The control
default value is disabled and because of firmware limitations
8x8 transform cannot be disabled for the supported HIGH and
CONSTRAINED_HIGH profiles.

To fix the issue change the control default value to enabled
(this is fine because the firmware enables 8x8 transform for
high and constrained_high profiles by default). Also, correct
the checking of profile ids in s_ctrl from hfi to v4l2 ids.

cc: stable@vger.kernel.org # 5.15+
Fixes: bfee75f73c37 ("media: venus: venc: add support for V4L2_CID_MPEG_VIDEO_H264_8X8_TRANSFORM control")
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/platform/qcom/venus/venc.c       |    4 ++--
 drivers/media/platform/qcom/venus/venc_ctrls.c |    6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/media/platform/qcom/venus/venc.c
+++ b/drivers/media/platform/qcom/venus/venc.c
@@ -662,8 +662,8 @@ static int venc_set_properties(struct ve
 
 		ptype = HFI_PROPERTY_PARAM_VENC_H264_TRANSFORM_8X8;
 		h264_transform.enable_type = 0;
-		if (ctr->profile.h264 == HFI_H264_PROFILE_HIGH ||
-		    ctr->profile.h264 == HFI_H264_PROFILE_CONSTRAINED_HIGH)
+		if (ctr->profile.h264 == V4L2_MPEG_VIDEO_H264_PROFILE_HIGH ||
+		    ctr->profile.h264 == V4L2_MPEG_VIDEO_H264_PROFILE_CONSTRAINED_HIGH)
 			h264_transform.enable_type = ctr->h264_8x8_transform;
 
 		ret = hfi_session_set_property(inst, ptype, &h264_transform);
--- a/drivers/media/platform/qcom/venus/venc_ctrls.c
+++ b/drivers/media/platform/qcom/venus/venc_ctrls.c
@@ -320,8 +320,8 @@ static int venc_op_s_ctrl(struct v4l2_ct
 		ctr->intra_refresh_period = ctrl->val;
 		break;
 	case V4L2_CID_MPEG_VIDEO_H264_8X8_TRANSFORM:
-		if (ctr->profile.h264 != HFI_H264_PROFILE_HIGH &&
-		    ctr->profile.h264 != HFI_H264_PROFILE_CONSTRAINED_HIGH)
+		if (ctr->profile.h264 != V4L2_MPEG_VIDEO_H264_PROFILE_HIGH &&
+		    ctr->profile.h264 != V4L2_MPEG_VIDEO_H264_PROFILE_CONSTRAINED_HIGH)
 			return -EINVAL;
 
 		/*
@@ -457,7 +457,7 @@ int venc_ctrl_init(struct venus_inst *in
 			  V4L2_CID_MPEG_VIDEO_H264_I_FRAME_MIN_QP, 1, 51, 1, 1);
 
 	v4l2_ctrl_new_std(&inst->ctrl_handler, &venc_ctrl_ops,
-			  V4L2_CID_MPEG_VIDEO_H264_8X8_TRANSFORM, 0, 1, 1, 0);
+			  V4L2_CID_MPEG_VIDEO_H264_8X8_TRANSFORM, 0, 1, 1, 1);
 
 	v4l2_ctrl_new_std(&inst->ctrl_handler, &venc_ctrl_ops,
 			  V4L2_CID_MPEG_VIDEO_H264_P_FRAME_MIN_QP, 1, 51, 1, 1);



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0172/1126] media: davinci: vpif: fix unbalanced runtime PM get
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0171/1126] media: venus: venc: Fix h264 8x8 transform control Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0173/1126] media: davinci: vpif: fix unbalanced runtime PM enable Greg Kroah-Hartman
                   ` (817 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lad, Prabhakar, Johan Hovold,
	Hans Verkuil, Mauro Carvalho Chehab, Lad

From: Johan Hovold <johan@kernel.org>

commit 4a321de239213300a714fa0353a5f1272d381a44 upstream.

Make sure to balance the runtime PM usage counter on driver unbind.

Fixes: 407ccc65bfd2 ("[media] davinci: vpif: add pm_runtime support")
Cc: stable@vger.kernel.org      # 3.9
Cc: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Lad Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/platform/davinci/vpif.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/media/platform/davinci/vpif.c
+++ b/drivers/media/platform/davinci/vpif.c
@@ -495,6 +495,7 @@ static int vpif_probe(struct platform_de
 
 static int vpif_remove(struct platform_device *pdev)
 {
+	pm_runtime_put(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	return 0;
 }



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0173/1126] media: davinci: vpif: fix unbalanced runtime PM enable
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0172/1126] media: davinci: vpif: fix unbalanced runtime PM get Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0174/1126] media: davinci: vpif: fix use-after-free on driver unbind Greg Kroah-Hartman
                   ` (816 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kevin Hilman, Johan Hovold,
	Hans Verkuil, Mauro Carvalho Chehab

From: Johan Hovold <johan@kernel.org>

commit d42b3ad105b5d3481f6a56bc789aa2b27aa09325 upstream.

Make sure to disable runtime PM before returning on probe errors.

Fixes: 479f7a118105 ("[media] davinci: vpif: adaptions for DT support")
Cc: stable@vger.kernel.org
Cc: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/platform/davinci/vpif.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/media/platform/davinci/vpif.c
+++ b/drivers/media/platform/davinci/vpif.c
@@ -428,6 +428,7 @@ static int vpif_probe(struct platform_de
 	static struct resource *res_irq;
 	struct platform_device *pdev_capture, *pdev_display;
 	struct device_node *endpoint = NULL;
+	int ret;
 
 	vpif_base = devm_platform_ioremap_resource(pdev, 0);
 	if (IS_ERR(vpif_base))
@@ -456,8 +457,8 @@ static int vpif_probe(struct platform_de
 	res_irq = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
 	if (!res_irq) {
 		dev_warn(&pdev->dev, "Missing IRQ resource.\n");
-		pm_runtime_put(&pdev->dev);
-		return -EINVAL;
+		ret = -EINVAL;
+		goto err_put_rpm;
 	}
 
 	pdev_capture = devm_kzalloc(&pdev->dev, sizeof(*pdev_capture),
@@ -491,6 +492,12 @@ static int vpif_probe(struct platform_de
 	}
 
 	return 0;
+
+err_put_rpm:
+	pm_runtime_put(&pdev->dev);
+	pm_runtime_disable(&pdev->dev);
+
+	return ret;
 }
 
 static int vpif_remove(struct platform_device *pdev)



^ permalink raw reply	[flat|nested] 1159+ messages in thread

* [PATCH 5.17 0174/1126] media: davinci: vpif: fix use-after-free on driver unbind
  2022-04-05  7:12 [PATCH 5.17 0000/1126] 5.17.2-rc1 review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2022-04-05  7:15 ` [PATCH 5.17 0173/1126] media: davinci: vpif: fix unbalanced runtime PM enable Greg Kroah-Hartman
@ 2022-04-05  7:15 ` Greg Kroah-Hartman
  2022-04-05  7:15 ` [PATCH 5.17 0175/1126] mips: Always permit to build u-boot images Greg Kroah-Hartman
                   ` (815 subsequent siblings)
  989 siblings, 0 replies; 1159+ messages in thread
From: Greg Kroah-Hartman @ 2022-04-05  7:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kevin Hilman, Johan Hovold,
	Lad Prabhakar, Hans Verkuil, Mauro Carvalho Chehab

From: Johan Hovold <johan@kernel.org>

commit 43acb728bbc40169d2e2425e84a80068270974be upstream.

The driver allocates and registers two platform device structures during
probe, but the devices were never deregistered on driver unbind.

This results in a use-after-free on driver unbind as the device
structures were allocated using devres and would be freed by driver
core when remove() returns.

Fix this by adding the missing deregistration calls to the remove()
callback and failing probe on registration errors.

Note that the platform device structures must be freed using a proper
release callback to avoid leaking associated resources like device
names.

Fixes: 479f7a118105 ("[media] davinci: vpif: adaptions for DT support")
Cc: stable@vger.kernel.org      # 4.12
Cc: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Lad Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/platform/davinci/vpif.c |   97 ++++++++++++++++++++++++----------
 1 file changed, 71 insertions(+), 26 de