All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 4.9 000/167] 4.9.318-rc1 review
@ 2022-06-13 10:07 Greg Kroah-Hartman
  2022-06-13 10:07 ` [PATCH 4.9 001/167] USB: new quirk for Dell Gen 2 devices Greg Kroah-Hartman
                   ` (171 more replies)
  0 siblings, 172 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, slade

This is the start of the stable review cycle for the 4.9.318 release.
There are 167 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 15 Jun 2022 09:47:08 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.318-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.9.318-rc1

Johan Hovold <johan+linaro@kernel.org>
    PCI: qcom: Fix unbalanced PHY init on probe errors

Tokunori Ikegami <ikegami.t@gmail.com>
    mtd: cfi_cmdset_0002: Use chip_ready() for write on S29GL064N

Tokunori Ikegami <ikegami.t@gmail.com>
    mtd: cfi_cmdset_0002: Move and rename chip_check/chip_ready/chip_good_for_write

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/32: Fix overread/overwrite of thread_struct via ptrace

Mathias Nyman <mathias.nyman@linux.intel.com>
    Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag

Martin Faltesek <mfaltesek@google.com>
    nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling

Martin Faltesek <mfaltesek@google.com>
    nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION

Sergey Shtylyov <s.shtylyov@omp.ru>
    ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files

Shyam Prasad N <sprasad@microsoft.com>
    cifs: return errors during session setup during reconnects

huangwenhui <huangwenhuia@uniontech.com>
    ALSA: hda/conexant - Fix loopback issue with CX20632

Xie Yongji <xieyongji@bytedance.com>
    vringh: Fix loop descriptors check in the indirect cases

Kees Cook <keescook@chromium.org>
    nodemask: Fix return values to be unsigned

Masahiro Yamada <masahiroy@kernel.org>
    modpost: fix undefined behavior of is_arm_mapping_symbol()

Gong Yuanjun <ruc_gongyuanjun@163.com>
    drm/radeon: fix a possible null pointer dereference

Michal Kubecek <mkubecek@suse.cz>
    Revert "net: af_key: add check for pfkey_broadcast in function pfkey_process"

Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
    md: protect md_unregister_thread from reentrancy

John Ogness <john.ogness@linutronix.de>
    serial: msm_serial: disable interrupts in __msm_console_write()

Wang Cheng <wanngchenng@gmail.com>
    staging: rtl8712: fix uninit-value in r871xu_drv_init()

Andre Przywara <andre.przywara@arm.com>
    clocksource/drivers/sp804: Avoid error on multiple instances

Shuah Khan <skhan@linuxfoundation.org>
    misc: rtsx: set NULL intfdata when probe fails

Marek Szyprowski <m.szyprowski@samsung.com>
    usb: dwc2: gadget: don't reset gadget's driver->bus

Evan Green <evgreen@chromium.org>
    USB: hcd-pci: Fully suspend across freeze/thaw cycle

Duoming Zhou <duoming@zju.edu.cn>
    drivers: usb: host: Fix deadlock in oxu_bus_suspend()

Duoming Zhou <duoming@zju.edu.cn>
    drivers: tty: serial: Fix deadlock in sa1100_set_termios()

Zhen Ni <nizhen@uniontech.com>
    USB: host: isp116x: check return value after calling platform_get_resource()

Duoming Zhou <duoming@zju.edu.cn>
    drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop()

Huang Guobin <huangguobin4@huawei.com>
    tty: Fix a possible resource leak in icom_probe

Zheyu Ma <zheyuma97@gmail.com>
    tty: synclink_gt: Fix null-pointer-dereference in slgt_clean()

Kees Cook <keescook@chromium.org>
    lkdtm/usercopy: Expand size of "out of frame" object

Xiaoke Wang <xkernel.wang@foxmail.com>
    iio: dummy: iio_simple_dummy: check the return value of kstrdup()

Miaoqian Lin <linmq006@gmail.com>
    net: altera: Fix refcount leak in altera_tse_mdio_create

Masahiro Yamada <masahiroy@kernel.org>
    net: xfrm: unexport __init-annotated xfrm4_protocol_init()

Chuck Lever <chuck.lever@oracle.com>
    SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer()

Gal Pressman <gal@nvidia.com>
    net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure

Miaoqian Lin <linmq006@gmail.com>
    ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe

Maciej Żenczykowski <maze@google.com>
    net: fix nla_strcmp to handle more then one trailing null character

Yang Yingliang <yangyingliang@huawei.com>
    video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove()

Greg Ungerer <gerg@linux-m68k.org>
    m68knommu: fix undefined reference to `_init_sp'

Greg Ungerer <gerg@linux-m68k.org>
    m68knommu: set ZERO_PAGE() to the allocated zeroed page

Lucas Tanure <tanureal@opensource.cirrus.com>
    i2c: cadence: Increase timeout per message if necessary

Mark-PK Tsai <mark-pk.tsai@mediatek.com>
    tracing: Avoid adding tracer option before update_tracer_options

Eric Dumazet <edumazet@google.com>
    tcp: tcp_rtx_synack() can be called from process context

Baokun Li <libaokun1@huawei.com>
    jffs2: fix memory leak in jffs2_do_fill_super

Alexander Lobakin <alexandr.lobakin@intel.com>
    modpost: fix removing numeric suffixes

Dan Carpenter <dan.carpenter@oracle.com>
    net: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry()

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return value

Miaoqian Lin <linmq006@gmail.com>
    firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle

Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    serial: st-asc: Sanitize CSIZE and correct PARENB for CS7

Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    serial: sh-sci: Don't allow CS5-6

Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    serial: txx9: Don't allow CS5-6

Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    serial: digicolor-usart: Don't allow CS5-6

John Ogness <john.ogness@linutronix.de>
    serial: meson: acquire port->lock in startup()

Yang Yingliang <yangyingliang@huawei.com>
    rtc: mt6397: check return value after calling platform_get_resource()

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    pwm: lp3943: Fix duty calculation in case period was clamped

Lin Ma <linma@zju.edu.cn>
    USB: storage: karma: fix rio_karma_init return

Niels Dossche <dossche.niels@gmail.com>
    usb: usbip: add missing device lock on tweak configuration cmd

Hangyu Hua <hbh25y@gmail.com>
    usb: usbip: fix a refcount leak in stub_probe()

Jakob Koschel <jakobkoschel@gmail.com>
    staging: greybus: codecs: fix type confusion of list iterator variable

Randy Dunlap <rdunlap@infradead.org>
    pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nf_tables: disallow non-stateful expression in sets earlier

Maciej W. Rozycki <macro@orcam.me.uk>
    MIPS: IP27: Remove incorrect `cpu_has_fpu' override

Xiao Yang <yangx.jy@fujitsu.com>
    RDMA/rxe: Generate a completion for unsupported/invalid opcode

Dinh Nguyen <dinguyen@kernel.org>
    dt-bindings: gpio: altera: correct interrupt-cells

Akira Yokosawa <akiyks@gmail.com>
    docs/conf.py: Cope with removal of language=None in Sphinx 5.0.0

Xiaomeng Tong <xiam0nd.tong@gmail.com>
    gma500: fix an incorrect NULL check on list iterator

Xiaomeng Tong <xiam0nd.tong@gmail.com>
    carl9170: tx: fix an incorrect use of list iterator

Mark Brown <broonie@kernel.org>
    ASoC: rt5514: Fix event generation for "DSP Voice Wake Up" control

Alexander Wetzel <alexander@wetzel-home.de>
    rtl818x: Prevent using not initialized queues

Mike Kravetz <mike.kravetz@oracle.com>
    hugetlb: fix huge_pmd_unshare address update

Christophe de Dinechin <dinechin@redhat.com>
    nodemask.h: fix compilation error with GCC12

Xiaomeng Tong <xiam0nd.tong@gmail.com>
    iommu/msm: Fix an incorrect NULL check on list iterator

Vincent Whitchurch <vincent.whitchurch@axis.com>
    um: Fix out-of-bounds read in LDT setup

Johannes Berg <johannes.berg@intel.com>
    um: chan_user: Fix winch_tramp() return value

Felix Fietkau <nbd@nbd.name>
    mac80211: upgrade passive scan to active scan on DFS channels after beacon rx

Max Filippov <jcmvbkbc@gmail.com>
    irqchip: irq-xtensa-mx: fix initial IRQ affinity

Pali Rohár <pali@kernel.org>
    irqchip/armada-370-xp: Do not touch Performance Counter Overflow on A375, A38x, A39x

Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
    RDMA/hfi1: Fix potential integer multiplication overflow errors

Xiaomeng Tong <xiam0nd.tong@gmail.com>
    md: fix an incorrect NULL check in md_reload_sb

Xiaomeng Tong <xiam0nd.tong@gmail.com>
    md: fix an incorrect NULL check in does_sb_need_changing

Brian Norris <briannorris@chromium.org>
    drm/bridge: analogix_dp: Grab runtime PM reference for DP-AUX

Dave Airlie <airlied@redhat.com>
    drm/amdgpu/cs: make commands with 0 chunks illegal behaviour.

Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
    scsi: ufs: qcom: Add a readl() to make sure ref_clk gets enabled

Xiaomeng Tong <xiam0nd.tong@gmail.com>
    scsi: dc395x: Fix a missing check on list iterator

Junxiao Bi via Ocfs2-devel <ocfs2-devel@oss.oracle.com>
    ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock

Alexander Aring <aahringo@redhat.com>
    dlm: fix missing lkb refcount handling

Alexander Aring <aahringo@redhat.com>
    dlm: fix plock invalid read

Jan Kara <jack@suse.cz>
    ext4: verify dir block before splitting it

Ye Bin <yebin10@huawei.com>
    ext4: fix bug_on in ext4_writepages

Ye Bin <yebin10@huawei.com>
    ext4: fix use-after-free in ext4_rename_dir_prepare

Zhihao Cheng <chengzhihao1@huawei.com>
    fs-writeback: writeback_sb_inodes:Recalculate 'wrote' according skipped pages

Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    iwlwifi: mvm: fix assert 1F04 upon reconfig

Johannes Berg <johannes.berg@intel.com>
    wifi: mac80211: fix use-after-free in chanctx code

Joerg Roedel <jroedel@suse.de>
    iommu/amd: Increase timeout waiting for GA log enablement

Miaoqian Lin <linmq006@gmail.com>
    video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup

Miaoqian Lin <linmq006@gmail.com>
    Input: sparcspkr - fix refcount leak in bbc_beep_probe

Qi Zheng <zhengqi.arch@bytedance.com>
    tty: fix deadlock caused by calling printk() under tty_port->lock

Randy Dunlap <rdunlap@infradead.org>
    powerpc/4xx/cpm: Fix return value of __setup() handler

Randy Dunlap <rdunlap@infradead.org>
    powerpc/idle: Fix return value of __setup() handler

Randy Dunlap <rdunlap@infradead.org>
    powerpc/8xx: export 'cpm_setbrg' for modules

Miaohe Lin <linmiaohe@huawei.com>
    drivers/base/node.c: fix compaction sysfs file leak

Gustavo A. R. Silva <gustavoars@kernel.org>
    scsi: fcoe: Fix Wstringop-overflow warnings in fcoe_wwn_from_mac()

Lv Ruyi <lv.ruyi@zte.com.cn>
    mfd: ipaq-micro: Fix error check return value of platform_get_irq()

Miaoqian Lin <linmq006@gmail.com>
    soc: qcom: smsm: Fix missing of_node_put() in smsm_parse_ipc

Miaoqian Lin <linmq006@gmail.com>
    soc: qcom: smp2p: Fix missing of_node_put() in smp2p_parse_ipc

David Howells <dhowells@redhat.com>
    rxrpc: Don't try to resend the request if we're receiving the reply

David Howells <dhowells@redhat.com>
    rxrpc: Fix listen() setting the bar too high for the prealloc rings

Yang Yingliang <yangyingliang@huawei.com>
    ASoC: wm2000: fix missing clk_disable_unprepare() on error in wm2000_anc_transition()

Eric Dumazet <edumazet@google.com>
    sctp: read sk->sk_bound_dev_if once in sctp_rcv()

Geert Uytterhoeven <geert@linux-m68k.org>
    m68k: math-emu: Fix dependencies of math emulation support

Ying Hsu <yinghsu@chromium.org>
    Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout

Pavel Skripkin <paskripkin@gmail.com>
    media: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init

Miaoqian Lin <linmq006@gmail.com>
    media: exynos4-is: Change clk_disable to clk_disable_unprepare

Miaoqian Lin <linmq006@gmail.com>
    regulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt

Miaoqian Lin <linmq006@gmail.com>
    ASoC: mxs-saif: Fix refcount leak in mxs_saif_probe

Xiaomeng Tong <xiam0nd.tong@gmail.com>
    media: uvcvideo: Fix missing check to determine if element is found in list

Dan Carpenter <dan.carpenter@oracle.com>
    drm/msm: return an error pointer in msm_gem_prime_get_sg_table()

Randy Dunlap <rdunlap@infradead.org>
    x86/mm: Cleanup the control_va_addr_alignment() __setup handler

Yang Yingliang <yangyingliang@huawei.com>
    drm/rockchip: vop: fix possible null-ptr-deref in vop_bind()

Yang Yingliang <yangyingliang@huawei.com>
    drm/msm/hdmi: check return value after calling platform_get_resource_byname()

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    drm/msm/dsi: fix error checks and return values for DSI xmit functions

Matthieu Baerts <matthieu.baerts@tessares.net>
    x86/pm: Fix false positive kmemleak report in msr_build_context()

Amir Goldstein <amir73il@gmail.com>
    inotify: show inotify mask flags in proc fdinfo

Dan Carpenter <dan.carpenter@oracle.com>
    ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix

Zheng Yongjun <zhengyongjun3@huawei.com>
    spi: img-spfi: Fix pm_runtime_get_sync() error checking

Jonathan Teh <jonathan.teh@outlook.com>
    HID: hid-led: fix maximum brightness for Dream Cheeky

Lin Ma <linma@zju.edu.cn>
    NFC: NULL out the dev->rfkill to prevent UAF

Miaoqian Lin <linmq006@gmail.com>
    spi: spi-ti-qspi: Fix return value handling of wait_for_completion_timeout

Miles Chen <miles.chen@mediatek.com>
    drm/mediatek: Fix mtk_cec_mask()

Ammar Faizi <ammarfaizi2@gnuweeb.org>
    x86/delay: Fix the wrong asm constraint in delay_loop()

Miaoqian Lin <linmq006@gmail.com>
    ASoC: mediatek: Fix error handling in mt8173_max98090_dev_probe

Linus Torvalds <torvalds@linux-foundation.org>
    drm: fix EDID struct for old ARM OABI format

Finn Thain <fthain@linux-m68k.org>
    macintosh/via-pmu: Fix build failure when CONFIG_INPUT is disabled

Lv Ruyi <lv.ruyi@zte.com.cn>
    powerpc/xics: fix refcount leak in icp_opal_init()

Yicong Yang <yangyicong@hisilicon.com>
    PCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store()

Peng Wu <wupeng58@huawei.com>
    ARM: hisi: Add missing of_node_put after of_find_compatible_node

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    ARM: dts: exynos: add atmel,24c128 fallback to Samsung EEPROM

Peng Wu <wupeng58@huawei.com>
    ARM: versatile: Add missing of_node_put in dcscb_init

OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    fat: add ratelimit to fat*_ent_bread()

Janusz Krzysztofik <jmkrzyszt@gmail.com>
    ARM: OMAP1: clock: Fix UART rate reporting algorithm

Zixuan Fu <r33s3n6@gmail.com>
    fs: jfs: fix possible NULL pointer dereference in dbFree()

Jakub Kicinski <kuba@kernel.org>
    eth: tg3: silence the GCC 12 array-bounds warning

David Howells <dhowells@redhat.com>
    rxrpc: Return an error to sendmsg if call failed

Kwanghoon Son <k.son@samsung.com>
    media: exynos4-is: Fix compile warning

Lin Ma <linma@zju.edu.cn>
    ASoC: rt5645: Fix errorenous cleanup order

Smith, Kyle Miller (Nimble Kernel) <kyles@hpe.com>
    nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags

Jason A. Donenfeld <Jason@zx2c4.com>
    openrisc: start CPU timer early in boot

Corey Minyard <cminyard@mvista.com>
    ipmi:ssif: Check for NULL msg when handling events and messages

Mikulas Patocka <mpatocka@redhat.com>
    dma-debug: change allocation mode from GFP_NOWAIT to GFP_ATIOMIC

Mark Brown <broonie@kernel.org>
    ASoC: dapm: Don't fold register value changes into notifications

jianghaoran <jianghaoran@kylinos.cn>
    ipv6: Don't send rs packets to the interface of ARPHRD_TUNNEL

Evan Quan <evan.quan@amd.com>
    drm/amd/pm: fix the compile warning

Lv Ruyi <lv.ruyi@zte.com.cn>
    scsi: megaraid: Fix error check return value of register_chrdev()

Zheyu Ma <zheyuma97@gmail.com>
    media: cx25821: Fix the warning when removing the module

Thibaut VARÈNE <hacks+kernel@slashdirt.org>
    ath9k: fix QCA9561 PA bias level

Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
    drm/amd/pm: fix double free in si_parse_power_table()

Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
    ALSA: jack: Access input_dev under mutex

Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    ACPICA: Avoid cache flush inside virtual machines

Haowen Bai <baihaowen@meizu.com>
    ipw2x00: Fix potential NULL dereference in libipw_xmit()

Haowen Bai <baihaowen@meizu.com>
    b43: Fix assigning negative value to unsigned variable

Haowen Bai <baihaowen@meizu.com>
    b43legacy: Fix assigning negative value to unsigned variable

Niels Dossche <dossche.niels@gmail.com>
    mwifiex: add mutex lock for call in mwifiex_dfs_chan_sw_work_queue

Liu Zixian <liuzixian4@huawei.com>
    drm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes

Qu Wenruo <wqu@suse.com>
    btrfs: add "0x" prefix for unsupported optional features

Eric W. Biederman <ebiederm@xmission.com>
    ptrace: Reimplement PTRACE_KILL by always sending SIGKILL

Eric W. Biederman <ebiederm@xmission.com>
    ptrace/xtensa: Replace PT_SINGLESTEP with TIF_SINGLESTEP

Monish Kumar R <monish.kumar.r@intel.com>
    USB: new quirk for Dell Gen 2 devices


-------------

Diffstat:

 Documentation/ABI/testing/sysfs-ata                |  5 +-
 Documentation/conf.py                              |  2 +-
 .../devicetree/bindings/gpio/gpio-altera.txt       |  5 +-
 Makefile                                           |  4 +-
 arch/arm/boot/dts/exynos5250-smdk5250.dts          |  4 +-
 arch/arm/mach-hisi/platsmp.c                       |  4 +
 arch/arm/mach-omap1/clock.c                        |  2 +-
 arch/arm/mach-vexpress/dcscb.c                     |  1 +
 arch/m68k/Kconfig.cpu                              |  2 +-
 arch/m68k/Kconfig.machine                          |  1 +
 arch/m68k/include/asm/pgtable_no.h                 |  3 +-
 .../include/asm/mach-ip27/cpu-feature-overrides.h  |  1 -
 arch/openrisc/include/asm/timex.h                  |  1 +
 arch/openrisc/kernel/head.S                        |  9 +++
 arch/powerpc/kernel/idle.c                         |  2 +-
 arch/powerpc/kernel/ptrace.c                       | 18 ++++-
 arch/powerpc/sysdev/cpm1.c                         |  1 +
 arch/powerpc/sysdev/ppc4xx_cpm.c                   |  2 +-
 arch/powerpc/sysdev/xics/icp-opal.c                |  1 +
 arch/um/drivers/chan_user.c                        |  9 ++-
 arch/x86/include/asm/acenv.h                       | 14 +++-
 arch/x86/include/asm/suspend_32.h                  |  2 +-
 arch/x86/include/asm/suspend_64.h                  | 12 ++-
 arch/x86/kernel/step.c                             |  3 +-
 arch/x86/kernel/sys_x86_64.c                       |  7 +-
 arch/x86/lib/delay.c                               |  4 +-
 arch/x86/um/ldt.c                                  |  6 +-
 arch/xtensa/kernel/ptrace.c                        |  4 +-
 arch/xtensa/kernel/signal.c                        |  4 +-
 drivers/ata/libata-transport.c                     |  2 +-
 drivers/ata/pata_octeon_cf.c                       |  3 +
 drivers/base/node.c                                |  1 +
 drivers/char/ipmi/ipmi_ssif.c                      | 23 ++++++
 drivers/clocksource/timer-oxnas-rps.c              |  2 +-
 drivers/clocksource/timer-sp804.c                  | 10 +--
 drivers/firmware/dmi-sysfs.c                       |  2 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c             |  2 +-
 drivers/gpu/drm/amd/amdgpu/kv_dpm.c                | 14 +---
 drivers/gpu/drm/amd/amdgpu/si_dpm.c                |  8 +-
 drivers/gpu/drm/bridge/analogix/analogix_dp_core.c | 13 ++-
 drivers/gpu/drm/gma500/psb_intel_display.c         |  7 +-
 drivers/gpu/drm/mediatek/mtk_cec.c                 |  2 +-
 drivers/gpu/drm/msm/dsi/dsi_host.c                 | 21 +++--
 drivers/gpu/drm/msm/hdmi/hdmi.c                    |  4 +
 drivers/gpu/drm/msm/msm_gem_prime.c                |  2 +-
 drivers/gpu/drm/radeon/radeon_connectors.c         |  4 +
 drivers/gpu/drm/rockchip/rockchip_drm_vop.c        |  2 +-
 drivers/gpu/drm/virtio/virtgpu_display.c           |  2 +
 drivers/hid/hid-led.c                              |  2 +-
 drivers/i2c/busses/i2c-cadence.c                   | 12 ++-
 drivers/iio/dummy/iio_simple_dummy.c               | 20 +++--
 drivers/infiniband/hw/hfi1/init.c                  |  2 +-
 drivers/infiniband/sw/rxe/rxe_req.c                |  2 +-
 drivers/input/misc/sparcspkr.c                     |  1 +
 drivers/input/mouse/bcm5974.c                      |  7 +-
 drivers/iommu/amd_iommu_init.c                     |  2 +-
 drivers/iommu/msm_iommu.c                          | 11 ++-
 drivers/irqchip/irq-armada-370-xp.c                | 11 ++-
 drivers/irqchip/irq-xtensa-mx.c                    | 18 ++++-
 drivers/macintosh/Kconfig                          |  4 +
 drivers/macintosh/Makefile                         |  3 +-
 drivers/macintosh/via-pmu.c                        |  2 +-
 drivers/md/md.c                                    | 33 +++++---
 drivers/media/pci/cx25821/cx25821-core.c           |  2 +-
 drivers/media/platform/exynos4-is/fimc-is.c        |  2 +-
 drivers/media/platform/exynos4-is/fimc-isp-video.h |  2 +-
 drivers/media/usb/pvrusb2/pvrusb2-hdw.c            |  7 +-
 drivers/media/usb/uvc/uvc_v4l2.c                   | 20 ++---
 drivers/mfd/ipaq-micro.c                           |  2 +-
 drivers/mfd/rtsx_usb.c                             |  1 +
 drivers/misc/lkdtm_usercopy.c                      | 17 +++-
 drivers/mtd/chips/cfi_cmdset_0002.c                | 93 ++++++++++++----------
 drivers/net/ethernet/altera/altera_tse_main.c      |  6 +-
 drivers/net/ethernet/broadcom/Makefile             |  5 ++
 drivers/net/ethernet/mediatek/mtk_eth_soc.c        |  3 +
 drivers/net/ethernet/mellanox/mlx4/en_ethtool.c    |  2 +-
 drivers/net/wireless/ath/ath9k/ar9003_phy.h        |  2 +-
 drivers/net/wireless/ath/ath9k/htc_drv_txrx.c      |  8 ++
 drivers/net/wireless/ath/carl9170/tx.c             |  3 +
 drivers/net/wireless/broadcom/b43/phy_n.c          |  2 +-
 drivers/net/wireless/broadcom/b43legacy/phy.c      |  2 +-
 drivers/net/wireless/intel/ipw2x00/libipw_tx.c     |  2 +-
 drivers/net/wireless/intel/iwlwifi/mvm/power.c     |  3 +
 drivers/net/wireless/marvell/mwifiex/11h.c         |  2 +
 drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c |  8 +-
 drivers/nfc/st21nfca/se.c                          | 15 +++-
 drivers/nvme/host/pci.c                            |  1 +
 drivers/pci/host/pcie-qcom.c                       |  7 +-
 drivers/pci/pci.c                                  | 10 +--
 drivers/pcmcia/Kconfig                             |  2 +-
 drivers/pwm/pwm-lp3943.c                           |  1 +
 drivers/regulator/pfuze100-regulator.c             |  2 +
 drivers/rpmsg/qcom_smd.c                           |  2 +-
 drivers/rtc/rtc-mt6397.c                           |  2 +
 drivers/scsi/dc395x.c                              | 15 +++-
 drivers/scsi/fcoe/fcoe_ctlr.c                      |  2 +-
 drivers/scsi/megaraid.c                            |  2 +-
 drivers/scsi/ufs/ufs-qcom.c                        |  7 +-
 drivers/soc/qcom/smp2p.c                           |  1 +
 drivers/soc/qcom/smsm.c                            |  1 +
 drivers/spi/spi-img-spfi.c                         |  2 +-
 drivers/spi/spi-ti-qspi.c                          |  5 +-
 drivers/staging/greybus/audio_codec.c              |  4 +-
 drivers/staging/rtl8192e/rtllib_softmac.c          |  2 +-
 drivers/staging/rtl8712/usb_intf.c                 |  6 +-
 drivers/tty/serial/digicolor-usart.c               |  2 +
 drivers/tty/serial/icom.c                          |  2 +-
 drivers/tty/serial/meson_uart.c                    | 13 +++
 drivers/tty/serial/msm_serial.c                    |  5 ++
 drivers/tty/serial/sa1100.c                        |  4 +-
 drivers/tty/serial/serial_txx9.c                   |  2 +
 drivers/tty/serial/sh-sci.c                        |  6 +-
 drivers/tty/serial/st-asc.c                        |  4 +
 drivers/tty/synclink_gt.c                          |  2 +
 drivers/tty/tty_buffer.c                           |  3 +-
 drivers/usb/core/hcd-pci.c                         |  4 +-
 drivers/usb/core/quirks.c                          |  3 +
 drivers/usb/dwc2/gadget.c                          |  1 -
 drivers/usb/host/isp116x-hcd.c                     |  6 +-
 drivers/usb/host/oxu210hp-hcd.c                    |  2 +
 drivers/usb/storage/karma.c                        | 15 ++--
 drivers/usb/usbip/stub_dev.c                       |  2 +-
 drivers/usb/usbip/stub_rx.c                        |  2 +
 drivers/vhost/vringh.c                             | 10 ++-
 drivers/video/fbdev/amba-clcd.c                    |  5 +-
 drivers/video/fbdev/pxa3xx-gcu.c                   | 12 +--
 fs/btrfs/disk-io.c                                 |  4 +-
 fs/cifs/smb2pdu.c                                  |  3 +
 fs/dlm/lock.c                                      | 11 ++-
 fs/dlm/plock.c                                     | 12 ++-
 fs/ext4/inline.c                                   | 12 +++
 fs/ext4/namei.c                                    | 62 +++++++++++----
 fs/fat/fatent.c                                    |  7 +-
 fs/fs-writeback.c                                  | 13 +--
 fs/jffs2/fs.c                                      |  1 +
 fs/jfs/jfs_dmap.c                                  |  3 +-
 fs/notify/fdinfo.c                                 | 11 +--
 fs/notify/inotify/inotify.h                        | 12 +++
 fs/notify/inotify/inotify_user.c                   |  2 +-
 fs/ocfs2/dlmfs/userdlm.c                           | 16 +++-
 include/drm/drm_edid.h                             |  6 +-
 include/linux/mtd/cfi.h                            |  1 +
 include/linux/nodemask.h                           | 51 ++++++------
 include/linux/ptrace.h                             |  6 --
 include/scsi/libfcoe.h                             |  3 +-
 include/sound/jack.h                               |  1 +
 kernel/ptrace.c                                    |  5 +-
 kernel/trace/trace.c                               |  7 ++
 lib/dma-debug.c                                    |  2 +-
 lib/nlattr.c                                       |  2 +-
 lib/nodemask.c                                     |  4 +-
 mm/hugetlb.c                                       |  9 ++-
 net/bluetooth/sco.c                                | 21 +++--
 net/ipv4/tcp_output.c                              |  4 +-
 net/ipv4/xfrm4_protocol.c                          |  1 -
 net/ipv6/addrconf.c                                |  3 +-
 net/key/af_key.c                                   | 10 ++-
 net/mac80211/chan.c                                |  7 +-
 net/mac80211/ieee80211_i.h                         |  5 ++
 net/mac80211/scan.c                                | 20 +++++
 net/netfilter/nf_tables_api.c                      | 16 ++--
 net/netfilter/nft_dynset.c                         |  3 -
 net/nfc/core.c                                     |  1 +
 net/rxrpc/call_event.c                             |  3 +-
 net/rxrpc/sendmsg.c                                |  6 ++
 net/rxrpc/sysctl.c                                 |  4 +-
 net/sctp/input.c                                   |  4 +-
 net/sunrpc/xdr.c                                   |  6 +-
 scripts/mod/modpost.c                              |  5 +-
 sound/core/jack.c                                  | 34 ++++++--
 sound/pci/hda/patch_conexant.c                     |  7 ++
 sound/soc/codecs/rt5514.c                          |  2 +-
 sound/soc/codecs/rt5645.c                          |  6 ++
 sound/soc/codecs/wm2000.c                          |  6 +-
 sound/soc/mediatek/mt8173/mt8173-max98090.c        |  5 +-
 sound/soc/mxs/mxs-saif.c                           |  1 +
 sound/soc/soc-dapm.c                               |  2 -
 177 files changed, 840 insertions(+), 383 deletions(-)



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 001/167] USB: new quirk for Dell Gen 2 devices
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
@ 2022-06-13 10:07 ` Greg Kroah-Hartman
  2022-06-13 10:07 ` [PATCH 4.9 002/167] ptrace/xtensa: Replace PT_SINGLESTEP with TIF_SINGLESTEP Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Monish Kumar R

From: Monish Kumar R <monish.kumar.r@intel.com>

commit 97fa5887cf283bb75ffff5f6b2c0e71794c02400 upstream.

Add USB_QUIRK_NO_LPM and USB_QUIRK_RESET_RESUME quirks for Dell usb gen
2 device to not fail during enumeration.

Found this bug on own testing

Signed-off-by: Monish Kumar R <monish.kumar.r@intel.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220520130044.17303-1-monish.kumar.r@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/quirks.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -328,6 +328,9 @@ static const struct usb_device_id usb_qu
 	/* DJI CineSSD */
 	{ USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM },
 
+	/* DELL USB GEN2 */
+	{ USB_DEVICE(0x413c, 0xb062), .driver_info = USB_QUIRK_NO_LPM | USB_QUIRK_RESET_RESUME },
+
 	/* VCOM device */
 	{ USB_DEVICE(0x4296, 0x7570), .driver_info = USB_QUIRK_CONFIG_INTF_STRINGS },
 



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 002/167] ptrace/xtensa: Replace PT_SINGLESTEP with TIF_SINGLESTEP
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
  2022-06-13 10:07 ` [PATCH 4.9 001/167] USB: new quirk for Dell Gen 2 devices Greg Kroah-Hartman
@ 2022-06-13 10:07 ` Greg Kroah-Hartman
  2022-06-13 10:07 ` [PATCH 4.9 003/167] ptrace: Reimplement PTRACE_KILL by always sending SIGKILL Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Max Filippov, Kees Cook,
	Oleg Nesterov, Eric W. Biederman

From: Eric W. Biederman <ebiederm@xmission.com>

commit 4a3d2717d140401df7501a95e454180831a0c5af upstream.

xtensa is the last user of the PT_SINGLESTEP flag.  Changing tsk->ptrace in
user_enable_single_step and user_disable_single_step without locking could
potentiallly cause problems.

So use a thread info flag instead of a flag in tsk->ptrace.  Use TIF_SINGLESTEP
that xtensa already had defined but unused.

Remove the definitions of PT_SINGLESTEP and PT_BLOCKSTEP as they have no more users.

Cc: stable@vger.kernel.org
Acked-by: Max Filippov <jcmvbkbc@gmail.com>
Tested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Link: https://lkml.kernel.org/r/20220505182645.497868-4-ebiederm@xmission.com
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/xtensa/kernel/ptrace.c |    4 ++--
 arch/xtensa/kernel/signal.c |    4 ++--
 include/linux/ptrace.h      |    6 ------
 3 files changed, 4 insertions(+), 10 deletions(-)

--- a/arch/xtensa/kernel/ptrace.c
+++ b/arch/xtensa/kernel/ptrace.c
@@ -34,12 +34,12 @@
 
 void user_enable_single_step(struct task_struct *child)
 {
-	child->ptrace |= PT_SINGLESTEP;
+	set_tsk_thread_flag(child, TIF_SINGLESTEP);
 }
 
 void user_disable_single_step(struct task_struct *child)
 {
-	child->ptrace &= ~PT_SINGLESTEP;
+	clear_tsk_thread_flag(child, TIF_SINGLESTEP);
 }
 
 /*
--- a/arch/xtensa/kernel/signal.c
+++ b/arch/xtensa/kernel/signal.c
@@ -458,7 +458,7 @@ static void do_signal(struct pt_regs *re
 		/* Set up the stack frame */
 		ret = setup_frame(&ksig, sigmask_to_save(), regs);
 		signal_setup_done(ret, &ksig, 0);
-		if (current->ptrace & PT_SINGLESTEP)
+		if (test_thread_flag(TIF_SINGLESTEP))
 			task_pt_regs(current)->icountlevel = 1;
 
 		return;
@@ -484,7 +484,7 @@ static void do_signal(struct pt_regs *re
 	/* If there's no signal to deliver, we just restore the saved mask.  */
 	restore_saved_sigmask();
 
-	if (current->ptrace & PT_SINGLESTEP)
+	if (test_thread_flag(TIF_SINGLESTEP))
 		task_pt_regs(current)->icountlevel = 1;
 	return;
 }
--- a/include/linux/ptrace.h
+++ b/include/linux/ptrace.h
@@ -38,12 +38,6 @@ extern int ptrace_access_vm(struct task_
 #define PT_EXITKILL		(PTRACE_O_EXITKILL << PT_OPT_FLAG_SHIFT)
 #define PT_SUSPEND_SECCOMP	(PTRACE_O_SUSPEND_SECCOMP << PT_OPT_FLAG_SHIFT)
 
-/* single stepping state bits (used on ARM and PA-RISC) */
-#define PT_SINGLESTEP_BIT	31
-#define PT_SINGLESTEP		(1<<PT_SINGLESTEP_BIT)
-#define PT_BLOCKSTEP_BIT	30
-#define PT_BLOCKSTEP		(1<<PT_BLOCKSTEP_BIT)
-
 extern long arch_ptrace(struct task_struct *child, long request,
 			unsigned long addr, unsigned long data);
 extern int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst, int len);



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 003/167] ptrace: Reimplement PTRACE_KILL by always sending SIGKILL
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
  2022-06-13 10:07 ` [PATCH 4.9 001/167] USB: new quirk for Dell Gen 2 devices Greg Kroah-Hartman
  2022-06-13 10:07 ` [PATCH 4.9 002/167] ptrace/xtensa: Replace PT_SINGLESTEP with TIF_SINGLESTEP Greg Kroah-Hartman
@ 2022-06-13 10:07 ` Greg Kroah-Hartman
  2022-06-13 10:07 ` [PATCH 4.9 004/167] btrfs: add "0x" prefix for unsupported optional features Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Al Viro, Kees Cook, Oleg Nesterov,
	Eric W. Biederman

From: Eric W. Biederman <ebiederm@xmission.com>

commit 6a2d90ba027adba528509ffa27097cffd3879257 upstream.

The current implementation of PTRACE_KILL is buggy and has been for
many years as it assumes it's target has stopped in ptrace_stop.  At a
quick skim it looks like this assumption has existed since ptrace
support was added in linux v1.0.

While PTRACE_KILL has been deprecated we can not remove it as
a quick search with google code search reveals many existing
programs calling it.

When the ptracee is not stopped at ptrace_stop some fields would be
set that are ignored except in ptrace_stop.  Making the userspace
visible behavior of PTRACE_KILL a noop in those case.

As the usual rules are not obeyed it is not clear what the
consequences are of calling PTRACE_KILL on a running process.
Presumably userspace does not do this as it achieves nothing.

Replace the implementation of PTRACE_KILL with a simple
send_sig_info(SIGKILL) followed by a return 0.  This changes the
observable user space behavior only in that PTRACE_KILL on a process
not stopped in ptrace_stop will also kill it.  As that has always
been the intent of the code this seems like a reasonable change.

Cc: stable@vger.kernel.org
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Link: https://lkml.kernel.org/r/20220505182645.497868-7-ebiederm@xmission.com
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/step.c |    3 +--
 kernel/ptrace.c        |    5 ++---
 2 files changed, 3 insertions(+), 5 deletions(-)

--- a/arch/x86/kernel/step.c
+++ b/arch/x86/kernel/step.c
@@ -173,8 +173,7 @@ void set_task_blockstep(struct task_stru
 	 *
 	 * NOTE: this means that set/clear TIF_BLOCKSTEP is only safe if
 	 * task is current or it can't be running, otherwise we can race
-	 * with __switch_to_xtra(). We rely on ptrace_freeze_traced() but
-	 * PTRACE_KILL is not safe.
+	 * with __switch_to_xtra(). We rely on ptrace_freeze_traced().
 	 */
 	local_irq_disable();
 	debugctl = get_debugctlmsr();
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -1120,9 +1120,8 @@ int ptrace_request(struct task_struct *c
 		return ptrace_resume(child, request, data);
 
 	case PTRACE_KILL:
-		if (child->exit_state)	/* already dead */
-			return 0;
-		return ptrace_resume(child, request, SIGKILL);
+		send_sig_info(SIGKILL, SEND_SIG_NOINFO, child);
+		return 0;
 
 #ifdef CONFIG_HAVE_ARCH_TRACEHOOK
 	case PTRACE_GETREGSET:



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 004/167] btrfs: add "0x" prefix for unsupported optional features
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2022-06-13 10:07 ` [PATCH 4.9 003/167] ptrace: Reimplement PTRACE_KILL by always sending SIGKILL Greg Kroah-Hartman
@ 2022-06-13 10:07 ` Greg Kroah-Hartman
  2022-06-13 10:07 ` [PATCH 4.9 005/167] drm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nikolay Borisov, Qu Wenruo, David Sterba

From: Qu Wenruo <wqu@suse.com>

commit d5321a0fa8bc49f11bea0b470800962c17d92d8f upstream.

The following error message lack the "0x" obviously:

  cannot mount because of unsupported optional features (4000)

Add the prefix to make it less confusing. This can happen on older
kernels that try to mount a filesystem with newer features so it makes
sense to backport to older trees.

CC: stable@vger.kernel.org # 4.14+
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/disk-io.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -2716,7 +2716,7 @@ int open_ctree(struct super_block *sb,
 		~BTRFS_FEATURE_INCOMPAT_SUPP;
 	if (features) {
 		btrfs_err(fs_info,
-		    "cannot mount because of unsupported optional features (%llx)",
+		    "cannot mount because of unsupported optional features (0x%llx)",
 		    features);
 		err = -EINVAL;
 		goto fail_alloc;
@@ -2769,7 +2769,7 @@ int open_ctree(struct super_block *sb,
 		~BTRFS_FEATURE_COMPAT_RO_SUPP;
 	if (!(sb->s_flags & MS_RDONLY) && features) {
 		btrfs_err(fs_info,
-	"cannot mount read-write because of unsupported optional features (%llx)",
+	"cannot mount read-write because of unsupported optional features (0x%llx)",
 		       features);
 		err = -EINVAL;
 		goto fail_alloc;



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 005/167] drm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2022-06-13 10:07 ` [PATCH 4.9 004/167] btrfs: add "0x" prefix for unsupported optional features Greg Kroah-Hartman
@ 2022-06-13 10:07 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 006/167] mwifiex: add mutex lock for call in mwifiex_dfs_chan_sw_work_queue Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Liu Zixian, Gerd Hoffmann, Sasha Levin

From: Liu Zixian <liuzixian4@huawei.com>

[ Upstream commit 194d250cdc4a40ccbd179afd522a9e9846957402 ]

drm_cvt_mode may return NULL and we should check it.

This bug is found by syzkaller:

FAULT_INJECTION stacktrace:
[  168.567394] FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
[  168.567403] CPU: 1 PID: 6425 Comm: syz Kdump: loaded Not tainted 4.19.90-vhulk2201.1.0.h1035.kasan.eulerosv2r10.aarch64 #1
[  168.567406] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
[  168.567408] Call trace:
[  168.567414]  dump_backtrace+0x0/0x310
[  168.567418]  show_stack+0x28/0x38
[  168.567423]  dump_stack+0xec/0x15c
[  168.567427]  should_fail+0x3ac/0x3d0
[  168.567437]  __should_failslab+0xb8/0x120
[  168.567441]  should_failslab+0x28/0xc0
[  168.567445]  kmem_cache_alloc_trace+0x50/0x640
[  168.567454]  drm_mode_create+0x40/0x90
[  168.567458]  drm_cvt_mode+0x48/0xc78
[  168.567477]  virtio_gpu_conn_get_modes+0xa8/0x140 [virtio_gpu]
[  168.567485]  drm_helper_probe_single_connector_modes+0x3a4/0xd80
[  168.567492]  drm_mode_getconnector+0x2e0/0xa70
[  168.567496]  drm_ioctl_kernel+0x11c/0x1d8
[  168.567514]  drm_ioctl+0x558/0x6d0
[  168.567522]  do_vfs_ioctl+0x160/0xf30
[  168.567525]  ksys_ioctl+0x98/0xd8
[  168.567530]  __arm64_sys_ioctl+0x50/0xc8
[  168.567536]  el0_svc_common+0xc8/0x320
[  168.567540]  el0_svc_handler+0xf8/0x160
[  168.567544]  el0_svc+0x10/0x218

KASAN stacktrace:
[  168.567561] BUG: KASAN: null-ptr-deref in virtio_gpu_conn_get_modes+0xb4/0x140 [virtio_gpu]
[  168.567565] Read of size 4 at addr 0000000000000054 by task syz/6425
[  168.567566]
[  168.567571] CPU: 1 PID: 6425 Comm: syz Kdump: loaded Not tainted 4.19.90-vhulk2201.1.0.h1035.kasan.eulerosv2r10.aarch64 #1
[  168.567573] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
[  168.567575] Call trace:
[  168.567578]  dump_backtrace+0x0/0x310
[  168.567582]  show_stack+0x28/0x38
[  168.567586]  dump_stack+0xec/0x15c
[  168.567591]  kasan_report+0x244/0x2f0
[  168.567594]  __asan_load4+0x58/0xb0
[  168.567607]  virtio_gpu_conn_get_modes+0xb4/0x140 [virtio_gpu]
[  168.567612]  drm_helper_probe_single_connector_modes+0x3a4/0xd80
[  168.567617]  drm_mode_getconnector+0x2e0/0xa70
[  168.567621]  drm_ioctl_kernel+0x11c/0x1d8
[  168.567624]  drm_ioctl+0x558/0x6d0
[  168.567628]  do_vfs_ioctl+0x160/0xf30
[  168.567632]  ksys_ioctl+0x98/0xd8
[  168.567636]  __arm64_sys_ioctl+0x50/0xc8
[  168.567641]  el0_svc_common+0xc8/0x320
[  168.567645]  el0_svc_handler+0xf8/0x160
[  168.567649]  el0_svc+0x10/0x218

Signed-off-by: Liu Zixian <liuzixian4@huawei.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20220322091730.1653-1-liuzixian4@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/virtio/virtgpu_display.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/virtio/virtgpu_display.c b/drivers/gpu/drm/virtio/virtgpu_display.c
index 58048709c34e..1e528f13959d 100644
--- a/drivers/gpu/drm/virtio/virtgpu_display.c
+++ b/drivers/gpu/drm/virtio/virtgpu_display.c
@@ -184,6 +184,8 @@ static int virtio_gpu_conn_get_modes(struct drm_connector *connector)
 		DRM_DEBUG("add mode: %dx%d\n", width, height);
 		mode = drm_cvt_mode(connector->dev, width, height, 60,
 				    false, false, false);
+		if (!mode)
+			return count;
 		mode->type |= DRM_MODE_TYPE_PREFERRED;
 		drm_mode_probed_add(connector, mode);
 		count++;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 006/167] mwifiex: add mutex lock for call in mwifiex_dfs_chan_sw_work_queue
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2022-06-13 10:07 ` [PATCH 4.9 005/167] drm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 007/167] b43legacy: Fix assigning negative value to unsigned variable Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian Norris, Niels Dossche,
	Kalle Valo, Sasha Levin

From: Niels Dossche <dossche.niels@gmail.com>

[ Upstream commit 3e12968f6d12a34b540c39cbd696a760cc4616f0 ]

cfg80211_ch_switch_notify uses ASSERT_WDEV_LOCK to assert that
net_device->ieee80211_ptr->mtx (which is the same as priv->wdev.mtx)
is held during the function's execution.
mwifiex_dfs_chan_sw_work_queue is one of its callers, which does not
hold that lock, therefore violating the assertion.
Add a lock around the call.

Disclaimer:
I am currently working on a static analyser to detect missing locks.
This was a reported case. I manually verified the report by looking
at the code, so that I do not send wrong information or patches.
After concluding that this seems to be a true positive, I created
this patch.
However, as I do not in fact have this particular hardware,
I was unable to test it.

Reviewed-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Niels Dossche <dossche.niels@gmail.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220321225515.32113-1-dossche.niels@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/marvell/mwifiex/11h.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/11h.c b/drivers/net/wireless/marvell/mwifiex/11h.c
index 43dccd5b0291..3024a83c0f33 100644
--- a/drivers/net/wireless/marvell/mwifiex/11h.c
+++ b/drivers/net/wireless/marvell/mwifiex/11h.c
@@ -308,5 +308,7 @@ void mwifiex_dfs_chan_sw_work_queue(struct work_struct *work)
 
 	mwifiex_dbg(priv->adapter, MSG,
 		    "indicating channel switch completion to kernel\n");
+	mutex_lock(&priv->wdev.mtx);
 	cfg80211_ch_switch_notify(priv->netdev, &priv->dfs_chandef);
+	mutex_unlock(&priv->wdev.mtx);
 }
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 007/167] b43legacy: Fix assigning negative value to unsigned variable
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 006/167] mwifiex: add mutex lock for call in mwifiex_dfs_chan_sw_work_queue Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 008/167] b43: " Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Haowen Bai, Kalle Valo, Sasha Levin

From: Haowen Bai <baihaowen@meizu.com>

[ Upstream commit 3f6b867559b3d43a7ce1b4799b755e812fc0d503 ]

fix warning reported by smatch:
drivers/net/wireless/broadcom/b43legacy/phy.c:1181 b43legacy_phy_lo_b_measure()
warn: assigning (-772) to unsigned variable 'fval'

Signed-off-by: Haowen Bai <baihaowen@meizu.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/1648203433-8736-1-git-send-email-baihaowen@meizu.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/broadcom/b43legacy/phy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/broadcom/b43legacy/phy.c b/drivers/net/wireless/broadcom/b43legacy/phy.c
index 995c7d0c212a..11ee5ee48976 100644
--- a/drivers/net/wireless/broadcom/b43legacy/phy.c
+++ b/drivers/net/wireless/broadcom/b43legacy/phy.c
@@ -1148,7 +1148,7 @@ void b43legacy_phy_lo_b_measure(struct b43legacy_wldev *dev)
 	struct b43legacy_phy *phy = &dev->phy;
 	u16 regstack[12] = { 0 };
 	u16 mls;
-	u16 fval;
+	s16 fval;
 	int i;
 	int j;
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 008/167] b43: Fix assigning negative value to unsigned variable
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 007/167] b43legacy: Fix assigning negative value to unsigned variable Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 009/167] ipw2x00: Fix potential NULL dereference in libipw_xmit() Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Haowen Bai, Kalle Valo, Sasha Levin

From: Haowen Bai <baihaowen@meizu.com>

[ Upstream commit 11800d893b38e0e12d636c170c1abc19c43c730c ]

fix warning reported by smatch:
drivers/net/wireless/broadcom/b43/phy_n.c:585 b43_nphy_adjust_lna_gain_table()
warn: assigning (-2) to unsigned variable '*(lna_gain[0])'

Signed-off-by: Haowen Bai <baihaowen@meizu.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/1648203315-28093-1-git-send-email-baihaowen@meizu.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/broadcom/b43/phy_n.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/broadcom/b43/phy_n.c b/drivers/net/wireless/broadcom/b43/phy_n.c
index d1afa74aa144..9cbc17c2751c 100644
--- a/drivers/net/wireless/broadcom/b43/phy_n.c
+++ b/drivers/net/wireless/broadcom/b43/phy_n.c
@@ -594,7 +594,7 @@ static void b43_nphy_adjust_lna_gain_table(struct b43_wldev *dev)
 	u16 data[4];
 	s16 gain[2];
 	u16 minmax[2];
-	static const u16 lna_gain[4] = { -2, 10, 19, 25 };
+	static const s16 lna_gain[4] = { -2, 10, 19, 25 };
 
 	if (nphy->hang_avoid)
 		b43_nphy_stay_in_carrier_search(dev, 1);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 009/167] ipw2x00: Fix potential NULL dereference in libipw_xmit()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 008/167] b43: " Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 010/167] ACPICA: Avoid cache flush inside virtual machines Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Haowen Bai, Kalle Valo, Sasha Levin

From: Haowen Bai <baihaowen@meizu.com>

[ Upstream commit e8366bbabe1d207cf7c5b11ae50e223ae6fc278b ]

crypt and crypt->ops could be null, so we need to checking null
before dereference

Signed-off-by: Haowen Bai <baihaowen@meizu.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/1648797055-25730-1-git-send-email-baihaowen@meizu.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/ipw2x00/libipw_tx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
index e8c039879b05..cb30b3b63635 100644
--- a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
+++ b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
@@ -397,7 +397,7 @@ netdev_tx_t libipw_xmit(struct sk_buff *skb, struct net_device *dev)
 
 		/* Each fragment may need to have room for encryption
 		 * pre/postfix */
-		if (host_encrypt)
+		if (host_encrypt && crypt && crypt->ops)
 			bytes_per_frag -= crypt->ops->extra_mpdu_prefix_len +
 			    crypt->ops->extra_mpdu_postfix_len;
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 010/167] ACPICA: Avoid cache flush inside virtual machines
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 009/167] ipw2x00: Fix potential NULL dereference in libipw_xmit() Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 011/167] ALSA: jack: Access input_dev under mutex Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kirill A. Shutemov, Dave Hansen,
	Dan Williams, Thomas Gleixner, Sasha Levin

From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>

[ Upstream commit e2efb6359e620521d1e13f69b2257de8ceaa9475 ]

While running inside virtual machine, the kernel can bypass cache
flushing. Changing sleep state in a virtual machine doesn't affect the
host system sleep state and cannot lead to data loss.

Before entering sleep states, the ACPI code flushes caches to prevent
data loss using the WBINVD instruction.  This mechanism is required on
bare metal.

But, any use WBINVD inside of a guest is worthless.  Changing sleep
state in a virtual machine doesn't affect the host system sleep state
and cannot lead to data loss, so most hypervisors simply ignore it.
Despite this, the ACPI code calls WBINVD unconditionally anyway.
It's useless, but also normally harmless.

In TDX guests, though, WBINVD stops being harmless; it triggers a
virtualization exception (#VE).  If the ACPI cache-flushing WBINVD
were left in place, TDX guests would need handling to recover from
the exception.

Avoid using WBINVD whenever running under a hypervisor.  This both
removes the useless WBINVDs and saves TDX from implementing WBINVD
handling.

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20220405232939.73860-30-kirill.shutemov@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/include/asm/acenv.h | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/acenv.h b/arch/x86/include/asm/acenv.h
index 1b010a859b8b..6de59a4f723c 100644
--- a/arch/x86/include/asm/acenv.h
+++ b/arch/x86/include/asm/acenv.h
@@ -16,7 +16,19 @@
 
 /* Asm macros */
 
-#define ACPI_FLUSH_CPU_CACHE()	wbinvd()
+/*
+ * ACPI_FLUSH_CPU_CACHE() flushes caches on entering sleep states.
+ * It is required to prevent data loss.
+ *
+ * While running inside virtual machine, the kernel can bypass cache flushing.
+ * Changing sleep state in a virtual machine doesn't affect the host system
+ * sleep state and cannot lead to data loss.
+ */
+#define ACPI_FLUSH_CPU_CACHE()					\
+do {								\
+	if (!cpu_feature_enabled(X86_FEATURE_HYPERVISOR))	\
+		wbinvd();					\
+} while (0)
 
 int __acpi_acquire_global_lock(unsigned int *lock);
 int __acpi_release_global_lock(unsigned int *lock);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 011/167] ALSA: jack: Access input_dev under mutex
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 010/167] ACPICA: Avoid cache flush inside virtual machines Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 012/167] drm/amd/pm: fix double free in si_parse_power_table() Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Amadeusz Sławiński,
	Cezary Rojewski, Takashi Iwai, Sasha Levin

From: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>

[ Upstream commit 1b6a6fc5280e97559287b61eade2d4b363e836f2 ]

It is possible when using ASoC that input_dev is unregistered while
calling snd_jack_report, which causes NULL pointer dereference.
In order to prevent this serialize access to input_dev using mutex lock.

Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://lore.kernel.org/r/20220412091628.3056922-1-amadeuszx.slawinski@linux.intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/sound/jack.h |  1 +
 sound/core/jack.c    | 34 +++++++++++++++++++++++++++-------
 2 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/include/sound/jack.h b/include/sound/jack.h
index 1e84bfb553cf..4742f842b457 100644
--- a/include/sound/jack.h
+++ b/include/sound/jack.h
@@ -77,6 +77,7 @@ struct snd_jack {
 	const char *id;
 #ifdef CONFIG_SND_JACK_INPUT_DEV
 	struct input_dev *input_dev;
+	struct mutex input_dev_lock;
 	int registered;
 	int type;
 	char name[100];
diff --git a/sound/core/jack.c b/sound/core/jack.c
index 36cfe1c54109..d2f9a92453f2 100644
--- a/sound/core/jack.c
+++ b/sound/core/jack.c
@@ -48,8 +48,11 @@ static int snd_jack_dev_disconnect(struct snd_device *device)
 #ifdef CONFIG_SND_JACK_INPUT_DEV
 	struct snd_jack *jack = device->device_data;
 
-	if (!jack->input_dev)
+	mutex_lock(&jack->input_dev_lock);
+	if (!jack->input_dev) {
+		mutex_unlock(&jack->input_dev_lock);
 		return 0;
+	}
 
 	/* If the input device is registered with the input subsystem
 	 * then we need to use a different deallocator. */
@@ -58,6 +61,7 @@ static int snd_jack_dev_disconnect(struct snd_device *device)
 	else
 		input_free_device(jack->input_dev);
 	jack->input_dev = NULL;
+	mutex_unlock(&jack->input_dev_lock);
 #endif /* CONFIG_SND_JACK_INPUT_DEV */
 	return 0;
 }
@@ -96,8 +100,11 @@ static int snd_jack_dev_register(struct snd_device *device)
 	snprintf(jack->name, sizeof(jack->name), "%s %s",
 		 card->shortname, jack->id);
 
-	if (!jack->input_dev)
+	mutex_lock(&jack->input_dev_lock);
+	if (!jack->input_dev) {
+		mutex_unlock(&jack->input_dev_lock);
 		return 0;
+	}
 
 	jack->input_dev->name = jack->name;
 
@@ -122,6 +129,7 @@ static int snd_jack_dev_register(struct snd_device *device)
 	if (err == 0)
 		jack->registered = 1;
 
+	mutex_unlock(&jack->input_dev_lock);
 	return err;
 }
 #endif /* CONFIG_SND_JACK_INPUT_DEV */
@@ -242,9 +250,11 @@ int snd_jack_new(struct snd_card *card, const char *id, int type,
 		return -ENOMEM;
 	}
 
-	/* don't creat input device for phantom jack */
-	if (!phantom_jack) {
 #ifdef CONFIG_SND_JACK_INPUT_DEV
+	mutex_init(&jack->input_dev_lock);
+
+	/* don't create input device for phantom jack */
+	if (!phantom_jack) {
 		int i;
 
 		jack->input_dev = input_allocate_device();
@@ -262,8 +272,8 @@ int snd_jack_new(struct snd_card *card, const char *id, int type,
 				input_set_capability(jack->input_dev, EV_SW,
 						     jack_switch_types[i]);
 
-#endif /* CONFIG_SND_JACK_INPUT_DEV */
 	}
+#endif /* CONFIG_SND_JACK_INPUT_DEV */
 
 	err = snd_device_new(card, SNDRV_DEV_JACK, jack, &ops);
 	if (err < 0)
@@ -303,10 +313,14 @@ EXPORT_SYMBOL(snd_jack_new);
 void snd_jack_set_parent(struct snd_jack *jack, struct device *parent)
 {
 	WARN_ON(jack->registered);
-	if (!jack->input_dev)
+	mutex_lock(&jack->input_dev_lock);
+	if (!jack->input_dev) {
+		mutex_unlock(&jack->input_dev_lock);
 		return;
+	}
 
 	jack->input_dev->dev.parent = parent;
+	mutex_unlock(&jack->input_dev_lock);
 }
 EXPORT_SYMBOL(snd_jack_set_parent);
 
@@ -354,6 +368,8 @@ EXPORT_SYMBOL(snd_jack_set_key);
 
 /**
  * snd_jack_report - Report the current status of a jack
+ * Note: This function uses mutexes and should be called from a
+ * context which can sleep (such as a workqueue).
  *
  * @jack:   The jack to report status for
  * @status: The current status of the jack
@@ -373,8 +389,11 @@ void snd_jack_report(struct snd_jack *jack, int status)
 					    status & jack_kctl->mask_bits);
 
 #ifdef CONFIG_SND_JACK_INPUT_DEV
-	if (!jack->input_dev)
+	mutex_lock(&jack->input_dev_lock);
+	if (!jack->input_dev) {
+		mutex_unlock(&jack->input_dev_lock);
 		return;
+	}
 
 	for (i = 0; i < ARRAY_SIZE(jack->key); i++) {
 		int testbit = SND_JACK_BTN_0 >> i;
@@ -393,6 +412,7 @@ void snd_jack_report(struct snd_jack *jack, int status)
 	}
 
 	input_sync(jack->input_dev);
+	mutex_unlock(&jack->input_dev_lock);
 #endif /* CONFIG_SND_JACK_INPUT_DEV */
 }
 EXPORT_SYMBOL(snd_jack_report);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 012/167] drm/amd/pm: fix double free in si_parse_power_table()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 011/167] ALSA: jack: Access input_dev under mutex Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 013/167] ath9k: fix QCA9561 PA bias level Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keita Suzuki, Alex Deucher, Sasha Levin

From: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>

[ Upstream commit f3fa2becf2fc25b6ac7cf8d8b1a2e4a86b3b72bd ]

In function si_parse_power_table(), array adev->pm.dpm.ps and its member
is allocated. If the allocation of each member fails, the array itself
is freed and returned with an error code. However, the array is later
freed again in si_dpm_fini() function which is called when the function
returns an error.

This leads to potential double free of the array adev->pm.dpm.ps, as
well as leak of its array members, since the members are not freed in
the allocation function and the array is not nulled when freed.
In addition adev->pm.dpm.num_ps, which keeps track of the allocated
array member, is not updated until the member allocation is
successfully finished, this could also lead to either use after free,
or uninitialized variable access in si_dpm_fini().

Fix this by postponing the free of the array until si_dpm_fini() and
increment adev->pm.dpm.num_ps everytime the array member is allocated.

Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/amdgpu/si_dpm.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/si_dpm.c b/drivers/gpu/drm/amd/amdgpu/si_dpm.c
index 4826befc1bc3..fe6fda42fde8 100644
--- a/drivers/gpu/drm/amd/amdgpu/si_dpm.c
+++ b/drivers/gpu/drm/amd/amdgpu/si_dpm.c
@@ -7313,17 +7313,15 @@ static int si_parse_power_table(struct amdgpu_device *adev)
 	if (!adev->pm.dpm.ps)
 		return -ENOMEM;
 	power_state_offset = (u8 *)state_array->states;
-	for (i = 0; i < state_array->ucNumEntries; i++) {
+	for (adev->pm.dpm.num_ps = 0, i = 0; i < state_array->ucNumEntries; i++) {
 		u8 *idx;
 		power_state = (union pplib_power_state *)power_state_offset;
 		non_clock_array_index = power_state->v2.nonClockInfoIndex;
 		non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *)
 			&non_clock_info_array->nonClockInfo[non_clock_array_index];
 		ps = kzalloc(sizeof(struct  si_ps), GFP_KERNEL);
-		if (ps == NULL) {
-			kfree(adev->pm.dpm.ps);
+		if (ps == NULL)
 			return -ENOMEM;
-		}
 		adev->pm.dpm.ps[i].ps_priv = ps;
 		si_parse_pplib_non_clock_info(adev, &adev->pm.dpm.ps[i],
 					      non_clock_info,
@@ -7345,8 +7343,8 @@ static int si_parse_power_table(struct amdgpu_device *adev)
 			k++;
 		}
 		power_state_offset += 2 + power_state->v2.ucNumDPMLevels;
+		adev->pm.dpm.num_ps++;
 	}
-	adev->pm.dpm.num_ps = state_array->ucNumEntries;
 
 	/* fill in the vce power states */
 	for (i = 0; i < AMDGPU_MAX_VCE_LEVELS; i++) {
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 013/167] ath9k: fix QCA9561 PA bias level
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 012/167] drm/amd/pm: fix double free in si_parse_power_table() Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 014/167] media: cx25821: Fix the warning when removing the module Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thibaut VARÈNE, Felix Fietkau,
	Toke Høiland-Jørgensen, Kalle Valo, Sasha Levin

From: Thibaut VARÈNE <hacks+kernel@slashdirt.org>

[ Upstream commit e999a5da28a0e0f7de242d841ef7d5e48f4646ae ]

This patch fixes an invalid TX PA DC bias level on QCA9561, which
results in a very low output power and very low throughput as devices
are further away from the AP (compared to other 2.4GHz APs).

This patch was suggested by Felix Fietkau, who noted[1]:
"The value written to that register is wrong, because while the mask
definition AR_CH0_TOP2_XPABIASLVL uses a different value for 9561, the
shift definition AR_CH0_TOP2_XPABIASLVL_S is hardcoded to 12, which is
wrong for 9561."

In real life testing, without this patch the 2.4GHz throughput on
Yuncore XD3200 is around 10Mbps sitting next to the AP, and closer to
practical maximum with the patch applied.

[1] https://lore.kernel.org/all/91c58969-c60e-2f41-00ac-737786d435ae@nbd.name

Signed-off-by: Thibaut VARÈNE <hacks+kernel@slashdirt.org>
Acked-by: Felix Fietkau <nbd@nbd.name>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20220417145145.1847-1-hacks+kernel@slashdirt.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath9k/ar9003_phy.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath9k/ar9003_phy.h b/drivers/net/wireless/ath/ath9k/ar9003_phy.h
index a171dbb29fbb..ad949eb02f3d 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_phy.h
+++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.h
@@ -720,7 +720,7 @@
 #define AR_CH0_TOP2		(AR_SREV_9300(ah) ? 0x1628c : \
 					(AR_SREV_9462(ah) ? 0x16290 : 0x16284))
 #define AR_CH0_TOP2_XPABIASLVL		(AR_SREV_9561(ah) ? 0x1e00 : 0xf000)
-#define AR_CH0_TOP2_XPABIASLVL_S	12
+#define AR_CH0_TOP2_XPABIASLVL_S	(AR_SREV_9561(ah) ? 9 : 12)
 
 #define AR_CH0_XTAL		(AR_SREV_9300(ah) ? 0x16294 : \
 				 ((AR_SREV_9462(ah) || AR_SREV_9565(ah)) ? 0x16298 : \
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 014/167] media: cx25821: Fix the warning when removing the module
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 013/167] ath9k: fix QCA9561 PA bias level Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 015/167] scsi: megaraid: Fix error check return value of register_chrdev() Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zheyu Ma, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

From: Zheyu Ma <zheyuma97@gmail.com>

[ Upstream commit 2203436a4d24302871617373a7eb21bc17e38762 ]

When removing the module, we will get the following warning:

[   14.746697] remove_proc_entry: removing non-empty directory 'irq/21', leaking at least 'cx25821[1]'
[   14.747449] WARNING: CPU: 4 PID: 368 at fs/proc/generic.c:717 remove_proc_entry+0x389/0x3f0
[   14.751611] RIP: 0010:remove_proc_entry+0x389/0x3f0
[   14.759589] Call Trace:
[   14.759792]  <TASK>
[   14.759975]  unregister_irq_proc+0x14c/0x170
[   14.760340]  irq_free_descs+0x94/0xe0
[   14.760640]  mp_unmap_irq+0xb6/0x100
[   14.760937]  acpi_unregister_gsi_ioapic+0x27/0x40
[   14.761334]  acpi_pci_irq_disable+0x1d3/0x320
[   14.761688]  pci_disable_device+0x1ad/0x380
[   14.762027]  ? _raw_spin_unlock_irqrestore+0x2d/0x60
[   14.762442]  ? cx25821_shutdown+0x20/0x9f0 [cx25821]
[   14.762848]  cx25821_finidev+0x48/0xc0 [cx25821]
[   14.763242]  pci_device_remove+0x92/0x240

Fix this by freeing the irq before call pci_disable_device().

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/cx25821/cx25821-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/pci/cx25821/cx25821-core.c b/drivers/media/pci/cx25821/cx25821-core.c
index d58c58e61bde..acd896ca1339 100644
--- a/drivers/media/pci/cx25821/cx25821-core.c
+++ b/drivers/media/pci/cx25821/cx25821-core.c
@@ -1354,11 +1354,11 @@ static void cx25821_finidev(struct pci_dev *pci_dev)
 	struct cx25821_dev *dev = get_cx25821(v4l2_dev);
 
 	cx25821_shutdown(dev);
-	pci_disable_device(pci_dev);
 
 	/* unregister stuff */
 	if (pci_dev->irq)
 		free_irq(pci_dev->irq, dev);
+	pci_disable_device(pci_dev);
 
 	cx25821_dev_unregister(dev);
 	v4l2_device_unregister(v4l2_dev);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 015/167] scsi: megaraid: Fix error check return value of register_chrdev()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 014/167] media: cx25821: Fix the warning when removing the module Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 016/167] drm/amd/pm: fix the compile warning Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zeal Robot, Lv Ruyi,
	Martin K. Petersen, Sasha Levin

From: Lv Ruyi <lv.ruyi@zte.com.cn>

[ Upstream commit c5acd61dbb32b6bda0f3a354108f2b8dcb788985 ]

If major equals 0, register_chrdev() returns an error code when it fails.
This function dynamically allocates a major and returns its number on
success, so we should use "< 0" to check it instead of "!".

Link: https://lore.kernel.org/r/20220418105755.2558828-1-lv.ruyi@zte.com.cn
Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: Lv Ruyi <lv.ruyi@zte.com.cn>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/megaraid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
index 2cbfec6a7466..2f7132edcd3f 100644
--- a/drivers/scsi/megaraid.c
+++ b/drivers/scsi/megaraid.c
@@ -4705,7 +4705,7 @@ static int __init megaraid_init(void)
 	 * major number allocation.
 	 */
 	major = register_chrdev(0, "megadev_legacy", &megadev_fops);
-	if (!major) {
+	if (major < 0) {
 		printk(KERN_WARNING
 				"megaraid: failed to register char device\n");
 	}
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 016/167] drm/amd/pm: fix the compile warning
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 015/167] scsi: megaraid: Fix error check return value of register_chrdev() Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 017/167] ipv6: Dont send rs packets to the interface of ARPHRD_TUNNEL Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Alex Deucher,
	Evan Quan, Sasha Levin

From: Evan Quan <evan.quan@amd.com>

[ Upstream commit 555238d92ac32dbad2d77ad2bafc48d17391990c ]

Fix the compile warning below:
drivers/gpu/drm/amd/amdgpu/../pm/legacy-dpm/kv_dpm.c:1641
kv_get_acp_boot_level() warn: always true condition '(table->entries[i]->clk >= 0) => (0-u32max >= 0)'

Reported-by: kernel test robot <lkp@intel.com>
CC: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Evan Quan <evan.quan@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/amdgpu/kv_dpm.c | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c
index f61c489e5f6d..81f1591a9be9 100644
--- a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c
+++ b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c
@@ -1617,19 +1617,7 @@ static int kv_update_samu_dpm(struct amdgpu_device *adev, bool gate)
 
 static u8 kv_get_acp_boot_level(struct amdgpu_device *adev)
 {
-	u8 i;
-	struct amdgpu_clock_voltage_dependency_table *table =
-		&adev->pm.dpm.dyn_state.acp_clock_voltage_dependency_table;
-
-	for (i = 0; i < table->count; i++) {
-		if (table->entries[i].clk >= 0) /* XXX */
-			break;
-	}
-
-	if (i >= table->count)
-		i = table->count - 1;
-
-	return i;
+	return 0;
 }
 
 static void kv_update_acp_boot_level(struct amdgpu_device *adev)
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 017/167] ipv6: Dont send rs packets to the interface of ARPHRD_TUNNEL
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 016/167] drm/amd/pm: fix the compile warning Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 018/167] ASoC: dapm: Dont fold register value changes into notifications Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, jianghaoran, Jakub Kicinski, Sasha Levin

From: jianghaoran <jianghaoran@kylinos.cn>

[ Upstream commit b52e1cce31ca721e937d517411179f9196ee6135 ]

ARPHRD_TUNNEL interface can't process rs packets
and will generate TX errors

ex:
ip tunnel add ethn mode ipip local 192.168.1.1 remote 192.168.1.2
ifconfig ethn x.x.x.x

ethn: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1480
	inet x.x.x.x  netmask 255.255.255.255  destination x.x.x.x
	inet6 fe80::5efe:ac1e:3cdb  prefixlen 64  scopeid 0x20<link>
	tunnel   txqueuelen 1000  (IPIP Tunnel)
	RX packets 0  bytes 0 (0.0 B)
	RX errors 0  dropped 0  overruns 0  frame 0
	TX packets 0  bytes 0 (0.0 B)
	TX errors 3  dropped 0 overruns 0  carrier 0  collisions 0

Signed-off-by: jianghaoran <jianghaoran@kylinos.cn>
Link: https://lore.kernel.org/r/20220429053802.246681-1-jianghaoran@kylinos.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/addrconf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 30ca73c78125..02f62253a835 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3993,7 +3993,8 @@ static void addrconf_dad_completed(struct inet6_ifaddr *ifp, bool bump_id)
 	send_rs = send_mld &&
 		  ipv6_accept_ra(ifp->idev) &&
 		  ifp->idev->cnf.rtr_solicits != 0 &&
-		  (dev->flags&IFF_LOOPBACK) == 0;
+		  (dev->flags & IFF_LOOPBACK) == 0 &&
+		  (dev->type != ARPHRD_TUNNEL);
 	read_unlock_bh(&ifp->idev->lock);
 
 	/* While dad is in progress mld report's source address is in6_addrany.
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 018/167] ASoC: dapm: Dont fold register value changes into notifications
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 017/167] ipv6: Dont send rs packets to the interface of ARPHRD_TUNNEL Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 019/167] dma-debug: change allocation mode from GFP_NOWAIT to GFP_ATIOMIC Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mark Brown, Sasha Levin

From: Mark Brown <broonie@kernel.org>

[ Upstream commit ad685980469b9f9b99d4d6ea05f4cb8f57cb2234 ]

DAPM tracks and reports the value presented to the user from DAPM controls
separately to the register value, these may diverge during initialisation
or when an autodisable control is in use.

When writing DAPM controls we currently report that a change has occurred
if either the DAPM value or the value stored in the register has changed,
meaning that if the two are out of sync we may appear to report a spurious
event to userspace. Since we use this folded in value for nothing other
than the value reported to userspace simply drop the folding in of the
register change.

Signed-off-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20220428161833.3690050-1-broonie@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/soc-dapm.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index 878a4fc97f04..40bf50cd87bc 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -3165,7 +3165,6 @@ int snd_soc_dapm_put_volsw(struct snd_kcontrol *kcontrol,
 			update.val = val;
 			card->update = &update;
 		}
-		change |= reg_change;
 
 		ret = soc_dapm_mixer_update_power(card, kcontrol, connect);
 
@@ -3270,7 +3269,6 @@ int snd_soc_dapm_put_enum_double(struct snd_kcontrol *kcontrol,
 			update.val = val;
 			card->update = &update;
 		}
-		change |= reg_change;
 
 		ret = soc_dapm_mux_update_power(card, kcontrol, item[0], e);
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 019/167] dma-debug: change allocation mode from GFP_NOWAIT to GFP_ATIOMIC
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 018/167] ASoC: dapm: Dont fold register value changes into notifications Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 020/167] ipmi:ssif: Check for NULL msg when handling events and messages Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Christoph Hellwig,
	Sasha Levin

From: Mikulas Patocka <mpatocka@redhat.com>

[ Upstream commit 84bc4f1dbbbb5f8aa68706a96711dccb28b518e5 ]

We observed the error "cacheline tracking ENOMEM, dma-debug disabled"
during a light system load (copying some files). The reason for this error
is that the dma_active_cacheline radix tree uses GFP_NOWAIT allocation -
so it can't access the emergency memory reserves and it fails as soon as
anybody reaches the watermark.

This patch changes GFP_NOWAIT to GFP_ATOMIC, so that it can access the
emergency memory reserves.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 lib/dma-debug.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/dma-debug.c b/lib/dma-debug.c
index 4435bec55fb5..baafebabe3ac 100644
--- a/lib/dma-debug.c
+++ b/lib/dma-debug.c
@@ -463,7 +463,7 @@ EXPORT_SYMBOL(debug_dma_dump_mappings);
  * At any time debug_dma_assert_idle() can be called to trigger a
  * warning if any cachelines in the given page are in the active set.
  */
-static RADIX_TREE(dma_active_cacheline, GFP_NOWAIT);
+static RADIX_TREE(dma_active_cacheline, GFP_ATOMIC);
 static DEFINE_SPINLOCK(radix_lock);
 #define ACTIVE_CACHELINE_MAX_OVERLAP ((1 << RADIX_TREE_MAX_TAGS) - 1)
 #define CACHELINE_PER_PAGE_SHIFT (PAGE_SHIFT - L1_CACHE_SHIFT)
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 020/167] ipmi:ssif: Check for NULL msg when handling events and messages
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 019/167] dma-debug: change allocation mode from GFP_NOWAIT to GFP_ATIOMIC Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 021/167] openrisc: start CPU timer early in boot Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Haowen Bai, Corey Minyard, Sasha Levin

From: Corey Minyard <cminyard@mvista.com>

[ Upstream commit 7602b957e2404e5f98d9a40b68f1fd27f0028712 ]

Even though it's not possible to get into the SSIF_GETTING_MESSAGES and
SSIF_GETTING_EVENTS states without a valid message in the msg field,
it's probably best to be defensive here and check and print a log, since
that means something else went wrong.

Also add a default clause to that switch statement to release the lock
and print a log, in case the state variable gets messed up somehow.

Reported-by: Haowen Bai <baihaowen@meizu.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/ipmi/ipmi_ssif.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
index a4ef9a6bd367..45117728e735 100644
--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -812,6 +812,14 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result,
 		break;
 
 	case SSIF_GETTING_EVENTS:
+		if (!msg) {
+			/* Should never happen, but just in case. */
+			dev_warn(&ssif_info->client->dev,
+				 "No message set while getting events\n");
+			ipmi_ssif_unlock_cond(ssif_info, flags);
+			break;
+		}
+
 		if ((result < 0) || (len < 3) || (msg->rsp[2] != 0)) {
 			/* Error getting event, probably done. */
 			msg->done(msg);
@@ -835,6 +843,14 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result,
 		break;
 
 	case SSIF_GETTING_MESSAGES:
+		if (!msg) {
+			/* Should never happen, but just in case. */
+			dev_warn(&ssif_info->client->dev,
+				 "No message set while getting messages\n");
+			ipmi_ssif_unlock_cond(ssif_info, flags);
+			break;
+		}
+
 		if ((result < 0) || (len < 3) || (msg->rsp[2] != 0)) {
 			/* Error getting event, probably done. */
 			msg->done(msg);
@@ -857,6 +873,13 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result,
 			deliver_recv_msg(ssif_info, msg);
 		}
 		break;
+
+	default:
+		/* Should never happen, but just in case. */
+		dev_warn(&ssif_info->client->dev,
+			 "Invalid state in message done handling: %d\n",
+			 ssif_info->ssif_state);
+		ipmi_ssif_unlock_cond(ssif_info, flags);
 	}
 
 	flags = ipmi_ssif_lock_cond(ssif_info, &oflags);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 021/167] openrisc: start CPU timer early in boot
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 020/167] ipmi:ssif: Check for NULL msg when handling events and messages Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 022/167] nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Gleixner, Arnd Bergmann,
	Jonas Bonn, Stefan Kristiansson, Stafford Horne, Guenter Roeck,
	Jason A. Donenfeld, Sasha Levin

From: Jason A. Donenfeld <Jason@zx2c4.com>

[ Upstream commit 516dd4aacd67a0f27da94f3fe63fe0f4dbab6e2b ]

In order to measure the boot process, the timer should be switched on as
early in boot as possible. As well, the commit defines the get_cycles
macro, like the previous patches in this series, so that generic code is
aware that it's implemented by the platform, as is done on other archs.

Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Jonas Bonn <jonas@southpole.se>
Cc: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
Acked-by: Stafford Horne <shorne@gmail.com>
Reported-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/openrisc/include/asm/timex.h | 1 +
 arch/openrisc/kernel/head.S       | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/arch/openrisc/include/asm/timex.h b/arch/openrisc/include/asm/timex.h
index 9935cad1b9b9..34d015bf0462 100644
--- a/arch/openrisc/include/asm/timex.h
+++ b/arch/openrisc/include/asm/timex.h
@@ -27,6 +27,7 @@ static inline cycles_t get_cycles(void)
 {
 	return mfspr(SPR_TTCR);
 }
+#define get_cycles get_cycles
 
 /* This isn't really used any more */
 #define CLOCK_TICK_RATE 1000
diff --git a/arch/openrisc/kernel/head.S b/arch/openrisc/kernel/head.S
index 98dd6860bc0b..0b6be5b3522b 100644
--- a/arch/openrisc/kernel/head.S
+++ b/arch/openrisc/kernel/head.S
@@ -452,6 +452,15 @@ _start:
 	l.ori	r3,r0,0x1
 	l.mtspr	r0,r3,SPR_SR
 
+	/*
+	 * Start the TTCR as early as possible, so that the RNG can make use of
+	 * measurements of boot time from the earliest opportunity. Especially
+	 * important is that the TTCR does not return zero by the time we reach
+	 * rand_initialize().
+	 */
+	l.movhi r3,hi(SPR_TTMR_CR)
+	l.mtspr r0,r3,SPR_TTMR
+
 	CLEAR_GPR(r1)
 	CLEAR_GPR(r2)
 	CLEAR_GPR(r3)
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 022/167] nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 021/167] openrisc: start CPU timer early in boot Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 023/167] ASoC: rt5645: Fix errorenous cleanup order Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kyle Smith, Chaitanya Kulkarni,
	Hannes Reinecke, Christoph Hellwig, Sasha Levin

From: Smith, Kyle Miller (Nimble Kernel) <kyles@hpe.com>

[ Upstream commit da42761181627e9bdc37d18368b827948a583929 ]

In nvme_alloc_admin_tags, the admin_q can be set to an error (typically
-ENOMEM) if the blk_mq_init_queue call fails to set up the queue, which
is checked immediately after the call. However, when we return the error
message up the stack, to nvme_reset_work the error takes us to
nvme_remove_dead_ctrl()
  nvme_dev_disable()
   nvme_suspend_queue(&dev->queues[0]).

Here, we only check that the admin_q is non-NULL, rather than not
an error or NULL, and begin quiescing a queue that never existed, leading
to bad / NULL pointer dereference.

Signed-off-by: Kyle Smith <kyles@hpe.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/host/pci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index c87f27d3ee31..e7b872592f36 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1203,6 +1203,7 @@ static int nvme_alloc_admin_tags(struct nvme_dev *dev)
 		dev->ctrl.admin_q = blk_mq_init_queue(&dev->admin_tagset);
 		if (IS_ERR(dev->ctrl.admin_q)) {
 			blk_mq_free_tag_set(&dev->admin_tagset);
+			dev->ctrl.admin_q = NULL;
 			return -ENOMEM;
 		}
 		if (!blk_get_queue(dev->ctrl.admin_q)) {
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 023/167] ASoC: rt5645: Fix errorenous cleanup order
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 022/167] nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 024/167] media: exynos4-is: Fix compile warning Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lin Ma, Mark Brown, Sasha Levin

From: Lin Ma <linma@zju.edu.cn>

[ Upstream commit 2def44d3aec59e38d2701c568d65540783f90f2f ]

There is a logic error when removing rt5645 device as the function
rt5645_i2c_remove() first cancel the &rt5645->jack_detect_work and
delete the &rt5645->btn_check_timer latter. However, since the timer
handler rt5645_btn_check_callback() will re-queue the jack_detect_work,
this cleanup order is buggy.

That is, once the del_timer_sync in rt5645_i2c_remove is concurrently
run with the rt5645_btn_check_callback, the canceled jack_detect_work
will be rescheduled again, leading to possible use-after-free.

This patch fix the issue by placing the del_timer_sync function before
the cancel_delayed_work_sync.

Signed-off-by: Lin Ma <linma@zju.edu.cn>
Link: https://lore.kernel.org/r/20220516092035.28283-1-linma@zju.edu.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/rt5645.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sound/soc/codecs/rt5645.c b/sound/soc/codecs/rt5645.c
index 1ac96ef9ee20..703b26ec4e15 100644
--- a/sound/soc/codecs/rt5645.c
+++ b/sound/soc/codecs/rt5645.c
@@ -3878,6 +3878,12 @@ static int rt5645_i2c_remove(struct i2c_client *i2c)
 	if (i2c->irq)
 		free_irq(i2c->irq, rt5645);
 
+	/*
+	 * Since the rt5645_btn_check_callback() can queue jack_detect_work,
+	 * the timer need to be delted first
+	 */
+	del_timer_sync(&rt5645->btn_check_timer);
+
 	cancel_delayed_work_sync(&rt5645->jack_detect_work);
 	cancel_delayed_work_sync(&rt5645->rcclock_work);
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 024/167] media: exynos4-is: Fix compile warning
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 023/167] ASoC: rt5645: Fix errorenous cleanup order Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 025/167] rxrpc: Return an error to sendmsg if call failed Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Kwanghoon Son,
	Sakari Ailus, Mauro Carvalho Chehab, Sasha Levin

From: Kwanghoon Son <k.son@samsung.com>

[ Upstream commit e080f5c1f2b6d02c02ee5d674e0e392ccf63bbaf ]

Declare static on function 'fimc_isp_video_device_unregister'.

When VIDEO_EXYNOS4_ISP_DMA_CAPTURE=n, compiler warns about
warning: no previous prototype for function [-Wmissing-prototypes]

Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Kwanghoon Son <k.son@samsung.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/exynos4-is/fimc-isp-video.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/exynos4-is/fimc-isp-video.h b/drivers/media/platform/exynos4-is/fimc-isp-video.h
index f79a1b348aa6..67ef85249912 100644
--- a/drivers/media/platform/exynos4-is/fimc-isp-video.h
+++ b/drivers/media/platform/exynos4-is/fimc-isp-video.h
@@ -35,7 +35,7 @@ static inline int fimc_isp_video_device_register(struct fimc_isp *isp,
 	return 0;
 }
 
-void fimc_isp_video_device_unregister(struct fimc_isp *isp,
+static inline void fimc_isp_video_device_unregister(struct fimc_isp *isp,
 				enum v4l2_buf_type type)
 {
 }
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 025/167] rxrpc: Return an error to sendmsg if call failed
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 024/167] media: exynos4-is: Fix compile warning Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 026/167] eth: tg3: silence the GCC 12 array-bounds warning Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marc Dionne, David Howells,
	linux-afs, David S. Miller, Sasha Levin

From: David Howells <dhowells@redhat.com>

[ Upstream commit 4ba68c5192554876bd8c3afd904e3064d2915341 ]

If at the end of rxrpc sendmsg() or rxrpc_kernel_send_data() the call that
was being given data was aborted remotely or otherwise failed, return an
error rather than returning the amount of data buffered for transmission.

The call (presumably) did not complete, so there's not much point
continuing with it.  AF_RXRPC considers it "complete" and so will be
unwilling to do anything else with it - and won't send a notification for
it, deeming the return from sendmsg sufficient.

Not returning an error causes afs to incorrectly handle a StoreData
operation that gets interrupted by a change of address due to NAT
reconfiguration.

This doesn't normally affect most operations since their request parameters
tend to fit into a single UDP packet and afs_make_call() returns before the
server responds; StoreData is different as it involves transmission of a
lot of data.

This can be triggered on a client by doing something like:

	dd if=/dev/zero of=/afs/example.com/foo bs=1M count=512

at one prompt, and then changing the network address at another prompt,
e.g.:

	ifconfig enp6s0 inet 192.168.6.2 && route add 192.168.6.1 dev enp6s0

Tracing packets on an Auristor fileserver looks something like:

192.168.6.1 -> 192.168.6.3  RX 107 ACK Idle  Seq: 0  Call: 4  Source Port: 7000  Destination Port: 7001
192.168.6.3 -> 192.168.6.1  AFS (RX) 1482 FS Request: Unknown(64538) (64538)
192.168.6.3 -> 192.168.6.1  AFS (RX) 1482 FS Request: Unknown(64538) (64538)
192.168.6.1 -> 192.168.6.3  RX 107 ACK Idle  Seq: 0  Call: 4  Source Port: 7000  Destination Port: 7001
<ARP exchange for 192.168.6.2>
192.168.6.2 -> 192.168.6.1  AFS (RX) 1482 FS Request: Unknown(0) (0)
192.168.6.2 -> 192.168.6.1  AFS (RX) 1482 FS Request: Unknown(0) (0)
192.168.6.1 -> 192.168.6.2  RX 107 ACK Exceeds Window  Seq: 0  Call: 4  Source Port: 7000  Destination Port: 7001
192.168.6.1 -> 192.168.6.2  RX 74 ABORT  Seq: 0  Call: 4  Source Port: 7000  Destination Port: 7001
192.168.6.1 -> 192.168.6.2  RX 74 ABORT  Seq: 29321  Call: 4  Source Port: 7000  Destination Port: 7001

The Auristor fileserver logs code -453 (RXGEN_SS_UNMARSHAL), but the abort
code received by kafs is -5 (RX_PROTOCOL_ERROR) as the rx layer sees the
condition and generates an abort first and the unmarshal error is a
consequence of that at the application layer.

Reported-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: linux-afs@lists.infradead.org
Link: http://lists.infradead.org/pipermail/linux-afs/2021-December/004810.html # v1
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rxrpc/sendmsg.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index 2ec1c29eeba4..b8e87804296c 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -336,6 +336,12 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
 
 success:
 	ret = copied;
+	if (READ_ONCE(call->state) == RXRPC_CALL_COMPLETE) {
+		read_lock_bh(&call->state_lock);
+		if (call->error < 0)
+			ret = call->error;
+		read_unlock_bh(&call->state_lock);
+	}
 out:
 	call->tx_pending = skb;
 	_leave(" = %d", ret);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 026/167] eth: tg3: silence the GCC 12 array-bounds warning
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 025/167] rxrpc: Return an error to sendmsg if call failed Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 027/167] fs: jfs: fix possible NULL pointer dereference in dbFree() Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jakub Kicinski, David S. Miller, Sasha Levin

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 9dec850fd7c210a04b4707df8e6c95bfafdd6a4b ]

GCC 12 currently generates a rather inconsistent warning:

drivers/net/ethernet/broadcom/tg3.c:17795:51: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ [-Warray-bounds]
17795 |                 struct tg3_napi *tnapi = &tp->napi[i];
      |                                           ~~~~~~~~^~~

i is guaranteed < tp->irq_max which in turn is either 1 or 5.
There are more loops like this one in the driver, but strangely
GCC 12 dislikes only this single one.

Silence this silliness for now.

Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/broadcom/Makefile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/ethernet/broadcom/Makefile b/drivers/net/ethernet/broadcom/Makefile
index 79f2372c66ec..4211c6cd6b35 100644
--- a/drivers/net/ethernet/broadcom/Makefile
+++ b/drivers/net/ethernet/broadcom/Makefile
@@ -15,3 +15,8 @@ obj-$(CONFIG_BGMAC_BCMA) += bgmac-bcma.o bgmac-bcma-mdio.o
 obj-$(CONFIG_BGMAC_PLATFORM) += bgmac-platform.o
 obj-$(CONFIG_SYSTEMPORT) += bcmsysport.o
 obj-$(CONFIG_BNXT) += bnxt/
+
+# FIXME: temporarily silence -Warray-bounds on non W=1+ builds
+ifndef KBUILD_EXTRA_WARN
+CFLAGS_tg3.o += -Wno-array-bounds
+endif
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 027/167] fs: jfs: fix possible NULL pointer dereference in dbFree()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 026/167] eth: tg3: silence the GCC 12 array-bounds warning Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 028/167] ARM: OMAP1: clock: Fix UART rate reporting algorithm Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, TOTE Robot, Zixuan Fu, Dave Kleikamp,
	Sasha Levin

From: Zixuan Fu <r33s3n6@gmail.com>

[ Upstream commit 0d4837fdb796f99369cf7691d33de1b856bcaf1f ]

In our fault-injection testing, the variable "nblocks" in dbFree() can be
zero when kmalloc_array() fails in dtSearch(). In this case, the variable
 "mp" in dbFree() would be NULL and then it is dereferenced in
"write_metapage(mp)".

The failure log is listed as follows:

[   13.824137] BUG: kernel NULL pointer dereference, address: 0000000000000020
...
[   13.827416] RIP: 0010:dbFree+0x5f7/0x910 [jfs]
[   13.834341] Call Trace:
[   13.834540]  <TASK>
[   13.834713]  txFreeMap+0x7b4/0xb10 [jfs]
[   13.835038]  txUpdateMap+0x311/0x650 [jfs]
[   13.835375]  jfs_lazycommit+0x5f2/0xc70 [jfs]
[   13.835726]  ? sched_dynamic_update+0x1b0/0x1b0
[   13.836092]  kthread+0x3c2/0x4a0
[   13.836355]  ? txLockFree+0x160/0x160 [jfs]
[   13.836763]  ? kthread_unuse_mm+0x160/0x160
[   13.837106]  ret_from_fork+0x1f/0x30
[   13.837402]  </TASK>
...

This patch adds a NULL check of "mp" before "write_metapage(mp)" is called.

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Zixuan Fu <r33s3n6@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/jfs/jfs_dmap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 6dac48e29d28..a07fbb60ac3c 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -398,7 +398,8 @@ int dbFree(struct inode *ip, s64 blkno, s64 nblocks)
 	}
 
 	/* write the last buffer. */
-	write_metapage(mp);
+	if (mp)
+		write_metapage(mp);
 
 	IREAD_UNLOCK(ipbmap);
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 028/167] ARM: OMAP1: clock: Fix UART rate reporting algorithm
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 027/167] fs: jfs: fix possible NULL pointer dereference in dbFree() Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 029/167] fat: add ratelimit to fat*_ent_bread() Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Janusz Krzysztofik, Tony Lindgren,
	Arnd Bergmann, Sasha Levin

From: Janusz Krzysztofik <jmkrzyszt@gmail.com>

[ Upstream commit 338d5d476cde853dfd97378d20496baabc2ce3c0 ]

Since its introduction to the mainline kernel, omap1_uart_recalc() helper
makes incorrect use of clk->enable_bit as a ready to use bitmap mask while
it only provides the bit number.  Fix it.

Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
Acked-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-omap1/clock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/mach-omap1/clock.c b/arch/arm/mach-omap1/clock.c
index 034b89499bd7..a3599696e7cc 100644
--- a/arch/arm/mach-omap1/clock.c
+++ b/arch/arm/mach-omap1/clock.c
@@ -44,7 +44,7 @@ static DEFINE_SPINLOCK(clockfw_lock);
 unsigned long omap1_uart_recalc(struct clk *clk)
 {
 	unsigned int val = __raw_readl(clk->enable_reg);
-	return val & clk->enable_bit ? 48000000 : 12000000;
+	return val & 1 << clk->enable_bit ? 48000000 : 12000000;
 }
 
 unsigned long omap1_sossi_recalc(struct clk *clk)
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 029/167] fat: add ratelimit to fat*_ent_bread()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 028/167] ARM: OMAP1: clock: Fix UART rate reporting algorithm Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 030/167] ARM: versatile: Add missing of_node_put in dcscb_init Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, OGAWA Hirofumi, qianfan,
	Andrew Morton, Sasha Levin

From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

[ Upstream commit 183c3237c928109d2008c0456dff508baf692b20 ]

fat*_ent_bread() can be the cause of too many report on I/O error path.
So use fat_msg_ratelimit() instead.

Link: https://lkml.kernel.org/r/87bkxogfeq.fsf@mail.parknet.co.jp
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Reported-by: qianfan <qianfanguijin@163.com>
Tested-by: qianfan <qianfanguijin@163.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/fat/fatent.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/fat/fatent.c b/fs/fat/fatent.c
index 0129d4d07a54..b0b1a71c07b7 100644
--- a/fs/fat/fatent.c
+++ b/fs/fat/fatent.c
@@ -92,7 +92,8 @@ static int fat12_ent_bread(struct super_block *sb, struct fat_entry *fatent,
 err_brelse:
 	brelse(bhs[0]);
 err:
-	fat_msg(sb, KERN_ERR, "FAT read failed (blocknr %llu)", (llu)blocknr);
+	fat_msg_ratelimit(sb, KERN_ERR, "FAT read failed (blocknr %llu)",
+			  (llu)blocknr);
 	return -EIO;
 }
 
@@ -105,8 +106,8 @@ static int fat_ent_bread(struct super_block *sb, struct fat_entry *fatent,
 	fatent->fat_inode = MSDOS_SB(sb)->fat_inode;
 	fatent->bhs[0] = sb_bread(sb, blocknr);
 	if (!fatent->bhs[0]) {
-		fat_msg(sb, KERN_ERR, "FAT read failed (blocknr %llu)",
-		       (llu)blocknr);
+		fat_msg_ratelimit(sb, KERN_ERR, "FAT read failed (blocknr %llu)",
+				  (llu)blocknr);
 		return -EIO;
 	}
 	fatent->nr_bhs = 1;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 030/167] ARM: versatile: Add missing of_node_put in dcscb_init
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 029/167] fat: add ratelimit to fat*_ent_bread() Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 031/167] ARM: dts: exynos: add atmel,24c128 fallback to Samsung EEPROM Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peng Wu, Linus Walleij,
	Arnd Bergmann, Sasha Levin

From: Peng Wu <wupeng58@huawei.com>

[ Upstream commit 23b44f9c649bbef10b45fa33080cd8b4166800ae ]

The device_node pointer is returned by of_find_compatible_node
with refcount incremented. We should use of_node_put() to avoid
the refcount leak.

Signed-off-by: Peng Wu <wupeng58@huawei.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20220428230356.69418-1-linus.walleij@linaro.org'
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-vexpress/dcscb.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm/mach-vexpress/dcscb.c b/arch/arm/mach-vexpress/dcscb.c
index 5cedcf572104..3e86cff1d4d3 100644
--- a/arch/arm/mach-vexpress/dcscb.c
+++ b/arch/arm/mach-vexpress/dcscb.c
@@ -146,6 +146,7 @@ static int __init dcscb_init(void)
 	if (!node)
 		return -ENODEV;
 	dcscb_base = of_iomap(node, 0);
+	of_node_put(node);
 	if (!dcscb_base)
 		return -EADDRNOTAVAIL;
 	cfg = readl_relaxed(dcscb_base + DCS_CFG_R);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 031/167] ARM: dts: exynos: add atmel,24c128 fallback to Samsung EEPROM
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 030/167] ARM: versatile: Add missing of_node_put in dcscb_init Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 032/167] ARM: hisi: Add missing of_node_put after of_find_compatible_node Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rob Herring, Krzysztof Kozlowski,
	Sasha Levin

From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

[ Upstream commit f038e8186fbc5723d7d38c6fa1d342945107347e ]

The Samsung s524ad0xd1 EEPROM should use atmel,24c128 fallback,
according to the AT24 EEPROM bindings.

Reported-by: Rob Herring <robh@kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20220426183443.243113-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/exynos5250-smdk5250.dts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm/boot/dts/exynos5250-smdk5250.dts b/arch/arm/boot/dts/exynos5250-smdk5250.dts
index 54e79f6887ff..3dda0569f86a 100644
--- a/arch/arm/boot/dts/exynos5250-smdk5250.dts
+++ b/arch/arm/boot/dts/exynos5250-smdk5250.dts
@@ -129,7 +129,7 @@
 	samsung,i2c-max-bus-freq = <20000>;
 
 	eeprom@50 {
-		compatible = "samsung,s524ad0xd1";
+		compatible = "samsung,s524ad0xd1", "atmel,24c128";
 		reg = <0x50>;
 	};
 
@@ -288,7 +288,7 @@
 	samsung,i2c-max-bus-freq = <20000>;
 
 	eeprom@51 {
-		compatible = "samsung,s524ad0xd1";
+		compatible = "samsung,s524ad0xd1", "atmel,24c128";
 		reg = <0x51>;
 	};
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 032/167] ARM: hisi: Add missing of_node_put after of_find_compatible_node
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 031/167] ARM: dts: exynos: add atmel,24c128 fallback to Samsung EEPROM Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 033/167] PCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store() Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peng Wu, Wei Xu, Sasha Levin

From: Peng Wu <wupeng58@huawei.com>

[ Upstream commit 9bc72e47d4630d58a840a66a869c56b29554cfe4 ]

of_find_compatible_node  will increment the refcount of the returned
device_node. Calling of_node_put() to avoid the refcount leak

Signed-off-by: Peng Wu <wupeng58@huawei.com>
Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-hisi/platsmp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm/mach-hisi/platsmp.c b/arch/arm/mach-hisi/platsmp.c
index e1d67648d5d0..fccceab33325 100644
--- a/arch/arm/mach-hisi/platsmp.c
+++ b/arch/arm/mach-hisi/platsmp.c
@@ -70,14 +70,17 @@ static void __init hi3xxx_smp_prepare_cpus(unsigned int max_cpus)
 		}
 		ctrl_base = of_iomap(np, 0);
 		if (!ctrl_base) {
+			of_node_put(np);
 			pr_err("failed to map address\n");
 			return;
 		}
 		if (of_property_read_u32(np, "smp-offset", &offset) < 0) {
+			of_node_put(np);
 			pr_err("failed to find smp-offset property\n");
 			return;
 		}
 		ctrl_base += offset;
+		of_node_put(np);
 	}
 }
 
@@ -163,6 +166,7 @@ static int hip01_boot_secondary(unsigned int cpu, struct task_struct *idle)
 	if (WARN_ON(!node))
 		return -1;
 	ctrl_base = of_iomap(node, 0);
+	of_node_put(node);
 
 	/* set the secondary core boot from DDR */
 	remap_reg_value = readl_relaxed(ctrl_base + REG_SC_CTRL);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 033/167] PCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 032/167] ARM: hisi: Add missing of_node_put after of_find_compatible_node Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 034/167] powerpc/xics: fix refcount leak in icp_opal_init() Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yicong Yang, Bjorn Helgaas,
	Sasha Levin, Jay Zhou

From: Yicong Yang <yangyicong@hisilicon.com>

[ Upstream commit a91ee0e9fca9d7501286cfbced9b30a33e52740a ]

The sysfs sriov_numvfs_store() path acquires the device lock before the
config space access lock:

  sriov_numvfs_store
    device_lock                 # A (1) acquire device lock
    sriov_configure
      vfio_pci_sriov_configure  # (for example)
        vfio_pci_core_sriov_configure
          pci_disable_sriov
            sriov_disable
              pci_cfg_access_lock
                pci_wait_cfg    # B (4) wait for dev->block_cfg_access == 0

Previously, pci_dev_lock() acquired the config space access lock before the
device lock:

  pci_dev_lock
    pci_cfg_access_lock
      dev->block_cfg_access = 1 # B (2) set dev->block_cfg_access = 1
    device_lock                 # A (3) wait for device lock

Any path that uses pci_dev_lock(), e.g., pci_reset_function(), may
deadlock with sriov_numvfs_store() if the operations occur in the sequence
(1) (2) (3) (4).

Avoid the deadlock by reversing the order in pci_dev_lock() so it acquires
the device lock before the config space access lock, the same as the
sriov_numvfs_store() path.

[bhelgaas: combined and adapted commit log from Jay Zhou's independent
subsequent posting:
https://lore.kernel.org/r/20220404062539.1710-1-jianjay.zhou@huawei.com]
Link: https://lore.kernel.org/linux-pci/1583489997-17156-1-git-send-email-yangyicong@hisilicon.com/
Also-posted-by: Jay Zhou <jianjay.zhou@huawei.com>
Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pci/pci.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 2cf13578fe75..e6e0012269cd 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -4079,18 +4079,18 @@ static int __pci_dev_reset(struct pci_dev *dev, int probe)
 
 static void pci_dev_lock(struct pci_dev *dev)
 {
-	pci_cfg_access_lock(dev);
 	/* block PM suspend, driver probe, etc. */
 	device_lock(&dev->dev);
+	pci_cfg_access_lock(dev);
 }
 
 /* Return 1 on successful lock, 0 on contention */
 static int pci_dev_trylock(struct pci_dev *dev)
 {
-	if (pci_cfg_access_trylock(dev)) {
-		if (device_trylock(&dev->dev))
+	if (device_trylock(&dev->dev)) {
+		if (pci_cfg_access_trylock(dev))
 			return 1;
-		pci_cfg_access_unlock(dev);
+		device_unlock(&dev->dev);
 	}
 
 	return 0;
@@ -4098,8 +4098,8 @@ static int pci_dev_trylock(struct pci_dev *dev)
 
 static void pci_dev_unlock(struct pci_dev *dev)
 {
-	device_unlock(&dev->dev);
 	pci_cfg_access_unlock(dev);
+	device_unlock(&dev->dev);
 }
 
 /**
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 034/167] powerpc/xics: fix refcount leak in icp_opal_init()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 033/167] PCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store() Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 035/167] macintosh/via-pmu: Fix build failure when CONFIG_INPUT is disabled Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zeal Robot, Lv Ruyi,
	Michael Ellerman, Sasha Levin

From: Lv Ruyi <lv.ruyi@zte.com.cn>

[ Upstream commit 5dd9e27ea4a39f7edd4bf81e9e70208e7ac0b7c9 ]

The of_find_compatible_node() function returns a node pointer with
refcount incremented, use of_node_put() on it when done.

Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: Lv Ruyi <lv.ruyi@zte.com.cn>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220402013419.2410298-1-lv.ruyi@zte.com.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/sysdev/xics/icp-opal.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/powerpc/sysdev/xics/icp-opal.c b/arch/powerpc/sysdev/xics/icp-opal.c
index b53f80f0b4d8..80a4fa6dcc55 100644
--- a/arch/powerpc/sysdev/xics/icp-opal.c
+++ b/arch/powerpc/sysdev/xics/icp-opal.c
@@ -199,6 +199,7 @@ int icp_opal_init(void)
 
 	printk("XICS: Using OPAL ICP fallbacks\n");
 
+	of_node_put(np);
 	return 0;
 }
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 035/167] macintosh/via-pmu: Fix build failure when CONFIG_INPUT is disabled
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 034/167] powerpc/xics: fix refcount leak in icp_opal_init() Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 036/167] drm: fix EDID struct for old ARM OABI format Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Finn Thain,
	Randy Dunlap, Christophe Leroy, Michael Ellerman, Sasha Levin

From: Finn Thain <fthain@linux-m68k.org>

[ Upstream commit 86ce436e30d86327c9f5260f718104ae7b21f506 ]

drivers/macintosh/via-pmu-event.o: In function `via_pmu_event':
via-pmu-event.c:(.text+0x44): undefined reference to `input_event'
via-pmu-event.c:(.text+0x68): undefined reference to `input_event'
via-pmu-event.c:(.text+0x94): undefined reference to `input_event'
via-pmu-event.c:(.text+0xb8): undefined reference to `input_event'
drivers/macintosh/via-pmu-event.o: In function `via_pmu_event_init':
via-pmu-event.c:(.init.text+0x20): undefined reference to `input_allocate_device'
via-pmu-event.c:(.init.text+0xc4): undefined reference to `input_register_device'
via-pmu-event.c:(.init.text+0xd4): undefined reference to `input_free_device'
make[1]: *** [Makefile:1155: vmlinux] Error 1
make: *** [Makefile:350: __build_one_by_one] Error 2

Don't call into the input subsystem unless CONFIG_INPUT is built-in.

Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Finn Thain <fthain@linux-m68k.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/5edbe76ce68227f71e09af4614cc4c1bd61c7ec8.1649326292.git.fthain@linux-m68k.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/macintosh/Kconfig   | 4 ++++
 drivers/macintosh/Makefile  | 3 ++-
 drivers/macintosh/via-pmu.c | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/macintosh/Kconfig b/drivers/macintosh/Kconfig
index d28690f6e262..9e226e143473 100644
--- a/drivers/macintosh/Kconfig
+++ b/drivers/macintosh/Kconfig
@@ -87,6 +87,10 @@ config ADB_PMU
 	  this device; you should do so if your machine is one of those
 	  mentioned above.
 
+config ADB_PMU_EVENT
+	def_bool y
+	depends on ADB_PMU && INPUT=y
+
 config ADB_PMU_LED
 	bool "Support for the Power/iBook front LED"
 	depends on ADB_PMU
diff --git a/drivers/macintosh/Makefile b/drivers/macintosh/Makefile
index 383ba920085b..8513c8aa2faf 100644
--- a/drivers/macintosh/Makefile
+++ b/drivers/macintosh/Makefile
@@ -11,7 +11,8 @@ obj-$(CONFIG_MAC_EMUMOUSEBTN)	+= mac_hid.o
 obj-$(CONFIG_INPUT_ADBHID)	+= adbhid.o
 obj-$(CONFIG_ANSLCD)		+= ans-lcd.o
 
-obj-$(CONFIG_ADB_PMU)		+= via-pmu.o via-pmu-event.o
+obj-$(CONFIG_ADB_PMU)		+= via-pmu.o
+obj-$(CONFIG_ADB_PMU_EVENT)	+= via-pmu-event.o
 obj-$(CONFIG_ADB_PMU_LED)	+= via-pmu-led.o
 obj-$(CONFIG_PMAC_BACKLIGHT)	+= via-pmu-backlight.o
 obj-$(CONFIG_ADB_CUDA)		+= via-cuda.o
diff --git a/drivers/macintosh/via-pmu.c b/drivers/macintosh/via-pmu.c
index 32c696799300..9bdb7d2055b1 100644
--- a/drivers/macintosh/via-pmu.c
+++ b/drivers/macintosh/via-pmu.c
@@ -1439,7 +1439,7 @@ pmu_handle_data(unsigned char *data, int len)
 		pmu_pass_intr(data, len);
 		/* len == 6 is probably a bad check. But how do I
 		 * know what PMU versions send what events here? */
-		if (len == 6) {
+		if (IS_ENABLED(CONFIG_ADB_PMU_EVENT) && len == 6) {
 			via_pmu_event(PMU_EVT_POWER, !!(data[1]&8));
 			via_pmu_event(PMU_EVT_LID, data[1]&1);
 		}
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 036/167] drm: fix EDID struct for old ARM OABI format
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 035/167] macintosh/via-pmu: Fix build failure when CONFIG_INPUT is disabled Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 037/167] ASoC: mediatek: Fix error handling in mt8173_max98090_dev_probe Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sudip Mukherjee, Arnd Bergmann,
	Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann,
	David Airlie, Daniel Vetter, Linus Torvalds, Sasha Levin

From: Linus Torvalds <torvalds@linux-foundation.org>

[ Upstream commit 47f15561b69e226bfc034e94ff6dbec51a4662af ]

When building the kernel for arm with the "-mabi=apcs-gnu" option, gcc
will force alignment of all structures and unions to a word boundary
(see also STRUCTURE_SIZE_BOUNDARY and the "-mstructure-size-boundary=XX"
option if you're a gcc person), even when the members of said structures
do not want or need said alignment.

This completely messes up the structure alignment of 'struct edid' on
those targets, because even though all the embedded structures are
marked with "__attribute__((packed))", the unions that contain them are
not.

This was exposed by commit f1e4c916f97f ("drm/edid: add EDID block count
and size helpers"), but the bug is pre-existing.  That commit just made
the structure layout problem cause a build failure due to the addition
of the

        BUILD_BUG_ON(sizeof(*edid) != EDID_LENGTH);

sanity check in drivers/gpu/drm/drm_edid.c:edid_block_data().

This legacy union alignment should probably not be used in the first
place, but we can fix the layout by adding the packed attribute to the
union entries even when each member is already packed and it shouldn't
matter in a sane build environment.

You can see this issue with a trivial test program:

  union {
	struct {
		char c[5];
	};
	struct {
		char d;
		unsigned e;
	} __attribute__((packed));
  } a = { "1234" };

where building this with a normal "gcc -S" will result in the expected
5-byte size of said union:

	.type	a, @object
	.size	a, 5

but with an ARM compiler and the old ABI:

    arm-linux-gnu-gcc -mabi=apcs-gnu -mfloat-abi=soft -S t.c

you get

	.type	a, %object
	.size	a, 8

instead, because even though each member of the union is packed, the
union itself still gets aligned.

This was reported by Sudip for the spear3xx_defconfig target.

Link: https://lore.kernel.org/lkml/YpCUzStDnSgQLNFN@debian/
Reported-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel@ffwll.ch>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/drm/drm_edid.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/drm/drm_edid.h b/include/drm/drm_edid.h
index c3a7d440bc11..514a02095983 100644
--- a/include/drm/drm_edid.h
+++ b/include/drm/drm_edid.h
@@ -114,7 +114,7 @@ struct detailed_data_monitor_range {
 			u8 supported_scalings;
 			u8 preferred_refresh;
 		} __attribute__((packed)) cvt;
-	} formula;
+	} __attribute__((packed)) formula;
 } __attribute__((packed));
 
 struct detailed_data_wpindex {
@@ -147,7 +147,7 @@ struct detailed_non_pixel {
 		struct detailed_data_wpindex color;
 		struct std_timing timings[6];
 		struct cvt_timing cvt[4];
-	} data;
+	} __attribute__((packed)) data;
 } __attribute__((packed));
 
 #define EDID_DETAIL_EST_TIMINGS 0xf7
@@ -165,7 +165,7 @@ struct detailed_timing {
 	union {
 		struct detailed_pixel_timing pixel_data;
 		struct detailed_non_pixel other_data;
-	} data;
+	} __attribute__((packed)) data;
 } __attribute__((packed));
 
 #define DRM_EDID_INPUT_SERRATION_VSYNC (1 << 0)
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 037/167] ASoC: mediatek: Fix error handling in mt8173_max98090_dev_probe
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 036/167] drm: fix EDID struct for old ARM OABI format Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 038/167] x86/delay: Fix the wrong asm constraint in delay_loop() Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaoqian Lin,
	AngeloGioacchino Del Regno, Mark Brown, Sasha Levin

From: Miaoqian Lin <linmq006@gmail.com>

[ Upstream commit 4f4e0454e226de3bf4efd7e7924d1edc571c52d5 ]

Call of_node_put(platform_node) to avoid refcount leak in
the error path.

Fixes: 94319ba10eca ("ASoC: mediatek: Use platform_of_node for machine drivers")
Fixes: 493433785df0 ("ASoC: mediatek: mt8173: fix device_node leak")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20220404092903.26725-1-linmq006@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/mediatek/mt8173/mt8173-max98090.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sound/soc/mediatek/mt8173/mt8173-max98090.c b/sound/soc/mediatek/mt8173/mt8173-max98090.c
index cab30cb48366..85bf9eafda49 100644
--- a/sound/soc/mediatek/mt8173/mt8173-max98090.c
+++ b/sound/soc/mediatek/mt8173/mt8173-max98090.c
@@ -170,7 +170,8 @@ static int mt8173_max98090_dev_probe(struct platform_device *pdev)
 	if (!codec_node) {
 		dev_err(&pdev->dev,
 			"Property 'audio-codec' missing or invalid\n");
-		return -EINVAL;
+		ret = -EINVAL;
+		goto put_platform_node;
 	}
 	for (i = 0; i < card->num_links; i++) {
 		if (mt8173_max98090_dais[i].codec_name)
@@ -185,6 +186,8 @@ static int mt8173_max98090_dev_probe(struct platform_device *pdev)
 			__func__, ret);
 
 	of_node_put(codec_node);
+
+put_platform_node:
 	of_node_put(platform_node);
 	return ret;
 }
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 038/167] x86/delay: Fix the wrong asm constraint in delay_loop()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 037/167] ASoC: mediatek: Fix error handling in mt8173_max98090_dev_probe Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 039/167] drm/mediatek: Fix mtk_cec_mask() Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ammar Faizi, Borislav Petkov, Sasha Levin

From: Ammar Faizi <ammarfaizi2@gnuweeb.org>

[ Upstream commit b86eb74098a92afd789da02699b4b0dd3f73b889 ]

The asm constraint does not reflect the fact that the asm statement can
modify the value of the local variable loops. Which it does.

Specifying the wrong constraint may lead to undefined behavior, it may
clobber random stuff (e.g. local variable, important temporary value in
regs, etc.). This is especially dangerous when the compiler decides to
inline the function and since it doesn't know that the value gets
modified, it might decide to use it from a register directly without
reloading it.

Change the constraint to "+a" to denote that the first argument is an
input and an output argument.

  [ bp: Fix typo, massage commit message. ]

Fixes: e01b70ef3eb3 ("x86: fix bug in arch/i386/lib/delay.c file, delay_loop function")
Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Link: https://lore.kernel.org/r/20220329104705.65256-2-ammarfaizi2@gnuweeb.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/lib/delay.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/lib/delay.c b/arch/x86/lib/delay.c
index 71a3759a2d4e..60cc4f222cbf 100644
--- a/arch/x86/lib/delay.c
+++ b/arch/x86/lib/delay.c
@@ -42,8 +42,8 @@ static void delay_loop(unsigned long loops)
 		"	jnz 2b		\n"
 		"3:	dec %0		\n"
 
-		: /* we don't need output */
-		:"a" (loops)
+		: "+a" (loops)
+		:
 	);
 }
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 039/167] drm/mediatek: Fix mtk_cec_mask()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 038/167] x86/delay: Fix the wrong asm constraint in delay_loop() Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 040/167] spi: spi-ti-qspi: Fix return value handling of wait_for_completion_timeout Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miles Chen,
	AngeloGioacchino Del Regno, Matthias Brugger, Zhiqiang Lin,
	CK Hu, Chun-Kuang Hu, Sasha Levin

From: Miles Chen <miles.chen@mediatek.com>

[ Upstream commit 2c5d69b0a141e1e98febe3111e6f4fd8420493a5 ]

In current implementation, mtk_cec_mask() writes val into target register
and ignores the mask. After talking to our hdmi experts, mtk_cec_mask()
should read a register, clean only mask bits, and update (val | mask) bits
to the register.

Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20220315232301.2434-1-miles.chen@mediatek.com/
Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support")
Signed-off-by: Miles Chen <miles.chen@mediatek.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
Cc: Zhiqiang Lin <zhiqiang.lin@mediatek.com>
Cc: CK Hu <ck.hu@mediatek.com>
Cc: Matthias Brugger <matthias.bgg@gmail.com>
Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/mediatek/mtk_cec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_cec.c b/drivers/gpu/drm/mediatek/mtk_cec.c
index 7a3eb8c17ef9..4e5482986dc2 100644
--- a/drivers/gpu/drm/mediatek/mtk_cec.c
+++ b/drivers/gpu/drm/mediatek/mtk_cec.c
@@ -91,7 +91,7 @@ static void mtk_cec_mask(struct mtk_cec *cec, unsigned int offset,
 	u32 tmp = readl(cec->regs + offset) & ~mask;
 
 	tmp |= val & mask;
-	writel(val, cec->regs + offset);
+	writel(tmp, cec->regs + offset);
 }
 
 void mtk_cec_set_hpd_event(struct device *dev,
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 040/167] spi: spi-ti-qspi: Fix return value handling of wait_for_completion_timeout
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 039/167] drm/mediatek: Fix mtk_cec_mask() Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 041/167] NFC: NULL out the dev->rfkill to prevent UAF Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaoqian Lin, Mark Brown, Sasha Levin

From: Miaoqian Lin <linmq006@gmail.com>

[ Upstream commit 8b1ea69a63eb62f97cef63e6d816b64ed84e8760 ]

wait_for_completion_timeout() returns unsigned long not int.
It returns 0 if timed out, and positive if completed.
The check for <= 0 is ambiguous and should be == 0 here
indicating timeout which is the only error case.

Fixes: 5720ec0a6d26 ("spi: spi-ti-qspi: Add DMA support for QSPI mmap read")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20220411111034.24447-1-linmq006@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-ti-qspi.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/spi/spi-ti-qspi.c b/drivers/spi/spi-ti-qspi.c
index b0a5486936c0..0b0f69551da0 100644
--- a/drivers/spi/spi-ti-qspi.c
+++ b/drivers/spi/spi-ti-qspi.c
@@ -401,6 +401,7 @@ static int ti_qspi_dma_xfer(struct ti_qspi *qspi, dma_addr_t dma_dst,
 	enum dma_ctrl_flags flags = DMA_CTRL_ACK | DMA_PREP_INTERRUPT;
 	struct dma_async_tx_descriptor *tx;
 	int ret;
+	unsigned long time_left;
 
 	tx = dma_dev->device_prep_dma_memcpy(chan, dma_dst, dma_src,
 					     len, flags);
@@ -420,9 +421,9 @@ static int ti_qspi_dma_xfer(struct ti_qspi *qspi, dma_addr_t dma_dst,
 	}
 
 	dma_async_issue_pending(chan);
-	ret = wait_for_completion_timeout(&qspi->transfer_complete,
+	time_left = wait_for_completion_timeout(&qspi->transfer_complete,
 					  msecs_to_jiffies(len));
-	if (ret <= 0) {
+	if (time_left == 0) {
 		dmaengine_terminate_sync(chan);
 		dev_err(qspi->dev, "DMA wait_for_completion_timeout\n");
 		return -ETIMEDOUT;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 041/167] NFC: NULL out the dev->rfkill to prevent UAF
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 040/167] spi: spi-ti-qspi: Fix return value handling of wait_for_completion_timeout Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 042/167] HID: hid-led: fix maximum brightness for Dream Cheeky Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lin Ma, Krzysztof Kozlowski,
	David S. Miller, Sasha Levin

From: Lin Ma <linma@zju.edu.cn>

[ Upstream commit 1b0e81416a24d6e9b8c2341e22e8bf48f8b8bfc9 ]

Commit 3e3b5dfcd16a ("NFC: reorder the logic in nfc_{un,}register_device")
assumes the device_is_registered() in function nfc_dev_up() will help
to check when the rfkill is unregistered. However, this check only
take effect when device_del(&dev->dev) is done in nfc_unregister_device().
Hence, the rfkill object is still possible be dereferenced.

The crash trace in latest kernel (5.18-rc2):

[   68.760105] ==================================================================
[   68.760330] BUG: KASAN: use-after-free in __lock_acquire+0x3ec1/0x6750
[   68.760756] Read of size 8 at addr ffff888009c93018 by task fuzz/313
[   68.760756]
[   68.760756] CPU: 0 PID: 313 Comm: fuzz Not tainted 5.18.0-rc2 #4
[   68.760756] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[   68.760756] Call Trace:
[   68.760756]  <TASK>
[   68.760756]  dump_stack_lvl+0x57/0x7d
[   68.760756]  print_report.cold+0x5e/0x5db
[   68.760756]  ? __lock_acquire+0x3ec1/0x6750
[   68.760756]  kasan_report+0xbe/0x1c0
[   68.760756]  ? __lock_acquire+0x3ec1/0x6750
[   68.760756]  __lock_acquire+0x3ec1/0x6750
[   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410
[   68.760756]  ? register_lock_class+0x18d0/0x18d0
[   68.760756]  lock_acquire+0x1ac/0x4f0
[   68.760756]  ? rfkill_blocked+0xe/0x60
[   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410
[   68.760756]  ? mutex_lock_io_nested+0x12c0/0x12c0
[   68.760756]  ? nla_get_range_signed+0x540/0x540
[   68.760756]  ? _raw_spin_lock_irqsave+0x4e/0x50
[   68.760756]  _raw_spin_lock_irqsave+0x39/0x50
[   68.760756]  ? rfkill_blocked+0xe/0x60
[   68.760756]  rfkill_blocked+0xe/0x60
[   68.760756]  nfc_dev_up+0x84/0x260
[   68.760756]  nfc_genl_dev_up+0x90/0xe0
[   68.760756]  genl_family_rcv_msg_doit+0x1f4/0x2f0
[   68.760756]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x230/0x230
[   68.760756]  ? security_capable+0x51/0x90
[   68.760756]  genl_rcv_msg+0x280/0x500
[   68.760756]  ? genl_get_cmd+0x3c0/0x3c0
[   68.760756]  ? lock_acquire+0x1ac/0x4f0
[   68.760756]  ? nfc_genl_dev_down+0xe0/0xe0
[   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410
[   68.760756]  netlink_rcv_skb+0x11b/0x340
[   68.760756]  ? genl_get_cmd+0x3c0/0x3c0
[   68.760756]  ? netlink_ack+0x9c0/0x9c0
[   68.760756]  ? netlink_deliver_tap+0x136/0xb00
[   68.760756]  genl_rcv+0x1f/0x30
[   68.760756]  netlink_unicast+0x430/0x710
[   68.760756]  ? memset+0x20/0x40
[   68.760756]  ? netlink_attachskb+0x740/0x740
[   68.760756]  ? __build_skb_around+0x1f4/0x2a0
[   68.760756]  netlink_sendmsg+0x75d/0xc00
[   68.760756]  ? netlink_unicast+0x710/0x710
[   68.760756]  ? netlink_unicast+0x710/0x710
[   68.760756]  sock_sendmsg+0xdf/0x110
[   68.760756]  __sys_sendto+0x19e/0x270
[   68.760756]  ? __ia32_sys_getpeername+0xa0/0xa0
[   68.760756]  ? fd_install+0x178/0x4c0
[   68.760756]  ? fd_install+0x195/0x4c0
[   68.760756]  ? kernel_fpu_begin_mask+0x1c0/0x1c0
[   68.760756]  __x64_sys_sendto+0xd8/0x1b0
[   68.760756]  ? lockdep_hardirqs_on+0xbf/0x130
[   68.760756]  ? syscall_enter_from_user_mode+0x1d/0x50
[   68.760756]  do_syscall_64+0x3b/0x90
[   68.760756]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   68.760756] RIP: 0033:0x7f67fb50e6b3
...
[   68.760756] RSP: 002b:00007f67fa91fe90 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
[   68.760756] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f67fb50e6b3
[   68.760756] RDX: 000000000000001c RSI: 0000559354603090 RDI: 0000000000000003
[   68.760756] RBP: 00007f67fa91ff00 R08: 00007f67fa91fedc R09: 000000000000000c
[   68.760756] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe824d496e
[   68.760756] R13: 00007ffe824d496f R14: 00007f67fa120000 R15: 0000000000000003

[   68.760756]  </TASK>
[   68.760756]
[   68.760756] Allocated by task 279:
[   68.760756]  kasan_save_stack+0x1e/0x40
[   68.760756]  __kasan_kmalloc+0x81/0xa0
[   68.760756]  rfkill_alloc+0x7f/0x280
[   68.760756]  nfc_register_device+0xa3/0x1a0
[   68.760756]  nci_register_device+0x77a/0xad0
[   68.760756]  nfcmrvl_nci_register_dev+0x20b/0x2c0
[   68.760756]  nfcmrvl_nci_uart_open+0xf2/0x1dd
[   68.760756]  nci_uart_tty_ioctl+0x2c3/0x4a0
[   68.760756]  tty_ioctl+0x764/0x1310
[   68.760756]  __x64_sys_ioctl+0x122/0x190
[   68.760756]  do_syscall_64+0x3b/0x90
[   68.760756]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   68.760756]
[   68.760756] Freed by task 314:
[   68.760756]  kasan_save_stack+0x1e/0x40
[   68.760756]  kasan_set_track+0x21/0x30
[   68.760756]  kasan_set_free_info+0x20/0x30
[   68.760756]  __kasan_slab_free+0x108/0x170
[   68.760756]  kfree+0xb0/0x330
[   68.760756]  device_release+0x96/0x200
[   68.760756]  kobject_put+0xf9/0x1d0
[   68.760756]  nfc_unregister_device+0x77/0x190
[   68.760756]  nfcmrvl_nci_unregister_dev+0x88/0xd0
[   68.760756]  nci_uart_tty_close+0xdf/0x180
[   68.760756]  tty_ldisc_kill+0x73/0x110
[   68.760756]  tty_ldisc_hangup+0x281/0x5b0
[   68.760756]  __tty_hangup.part.0+0x431/0x890
[   68.760756]  tty_release+0x3a8/0xc80
[   68.760756]  __fput+0x1f0/0x8c0
[   68.760756]  task_work_run+0xc9/0x170
[   68.760756]  exit_to_user_mode_prepare+0x194/0x1a0
[   68.760756]  syscall_exit_to_user_mode+0x19/0x50
[   68.760756]  do_syscall_64+0x48/0x90
[   68.760756]  entry_SYSCALL_64_after_hwframe+0x44/0xae

This patch just add the null out of dev->rfkill to make sure such
dereference cannot happen. This is safe since the device_lock() already
protect the check/write from data race.

Fixes: 3e3b5dfcd16a ("NFC: reorder the logic in nfc_{un,}register_device")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/nfc/core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/nfc/core.c b/net/nfc/core.c
index 8c38a21fb0c6..120259c2b6a7 100644
--- a/net/nfc/core.c
+++ b/net/nfc/core.c
@@ -1174,6 +1174,7 @@ void nfc_unregister_device(struct nfc_dev *dev)
 	if (dev->rfkill) {
 		rfkill_unregister(dev->rfkill);
 		rfkill_destroy(dev->rfkill);
+		dev->rfkill = NULL;
 	}
 	dev->shutting_down = true;
 	device_unlock(&dev->dev);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 042/167] HID: hid-led: fix maximum brightness for Dream Cheeky
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 041/167] NFC: NULL out the dev->rfkill to prevent UAF Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 043/167] spi: img-spfi: Fix pm_runtime_get_sync() error checking Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Teh, Jiri Kosina, Sasha Levin

From: Jonathan Teh <jonathan.teh@outlook.com>

[ Upstream commit 116c3f4a78ebe478d5ad5a038baf931e93e7d748 ]

Increase maximum brightness for Dream Cheeky to 63. Emperically
determined based on testing in kernel 4.4 on this device:

Bus 003 Device 002: ID 1d34:0004 Dream Cheeky Webmail Notifier

Fixes: 6c7ad07e9e05 ("HID: migrate USB LED driver from usb misc to hid")
Signed-off-by: Jonathan Teh <jonathan.teh@outlook.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-led.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hid/hid-led.c b/drivers/hid/hid-led.c
index d3e1ab162f7c..7fc5982a0ca4 100644
--- a/drivers/hid/hid-led.c
+++ b/drivers/hid/hid-led.c
@@ -369,7 +369,7 @@ static const struct hidled_config hidled_configs[] = {
 		.type = DREAM_CHEEKY,
 		.name = "Dream Cheeky Webmail Notifier",
 		.short_name = "dream_cheeky",
-		.max_brightness = 31,
+		.max_brightness = 63,
 		.num_leds = 1,
 		.report_size = 9,
 		.report_type = RAW_REQUEST,
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 043/167] spi: img-spfi: Fix pm_runtime_get_sync() error checking
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 042/167] HID: hid-led: fix maximum brightness for Dream Cheeky Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 044/167] ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zheng Yongjun, Mark Brown, Sasha Levin

From: Zheng Yongjun <zhengyongjun3@huawei.com>

[ Upstream commit cc470d55343056d6b2a5c32e10e0aad06f324078 ]

If the device is already in a runtime PM enabled state
pm_runtime_get_sync() will return 1, so a test for negative
value should be used to check for errors.

Fixes: deba25800a12b ("spi: Add driver for IMG SPFI controller")
Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
Link: https://lore.kernel.org/r/20220422062641.10486-1-zhengyongjun3@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-img-spfi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/spi/spi-img-spfi.c b/drivers/spi/spi-img-spfi.c
index 2a340234c85c..82ab1bc2196a 100644
--- a/drivers/spi/spi-img-spfi.c
+++ b/drivers/spi/spi-img-spfi.c
@@ -771,7 +771,7 @@ static int img_spfi_resume(struct device *dev)
 	int ret;
 
 	ret = pm_runtime_get_sync(dev);
-	if (ret) {
+	if (ret < 0) {
 		pm_runtime_put_noidle(dev);
 		return ret;
 	}
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 044/167] ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 043/167] spi: img-spfi: Fix pm_runtime_get_sync() error checking Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 045/167] inotify: show inotify mask flags in proc fdinfo Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter,
	Toke Høiland-Jørgensen, Kalle Valo, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 2dc509305cf956381532792cb8dceef2b1504765 ]

The "rxstatus->rs_keyix" eventually gets passed to test_bit() so we need to
ensure that it is within the bitmap.

drivers/net/wireless/ath/ath9k/common.c:46 ath9k_cmn_rx_accept()
error: passing untrusted data 'rx_stats->rs_keyix' to 'test_bit()'

Fixes: 4ed1a8d4a257 ("ath9k_htc: use ath9k_cmn_rx_accept")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20220409061225.GA5447@kili
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
index 6a9c9b4ef2c9..fe4491eff8ca 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
@@ -1004,6 +1004,14 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv,
 		goto rx_next;
 	}
 
+	if (rxstatus->rs_keyix >= ATH_KEYMAX &&
+	    rxstatus->rs_keyix != ATH9K_RXKEYIX_INVALID) {
+		ath_dbg(common, ANY,
+			"Invalid keyix, dropping (keyix: %d)\n",
+			rxstatus->rs_keyix);
+		goto rx_next;
+	}
+
 	/* Get the RX status information */
 
 	memset(rx_status, 0, sizeof(struct ieee80211_rx_status));
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 045/167] inotify: show inotify mask flags in proc fdinfo
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 044/167] ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 046/167] x86/pm: Fix false positive kmemleak report in msr_build_context() Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Amir Goldstein, Jan Kara, Sasha Levin

From: Amir Goldstein <amir73il@gmail.com>

[ Upstream commit a32e697cda27679a0327ae2cafdad8c7170f548f ]

The inotify mask flags IN_ONESHOT and IN_EXCL_UNLINK are not "internal
to kernel" and should be exposed in procfs fdinfo so CRIU can restore
them.

Fixes: 6933599697c9 ("inotify: hide internal kernel bits from fdinfo")
Link: https://lore.kernel.org/r/20220422120327.3459282-2-amir73il@gmail.com
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/notify/fdinfo.c               | 11 ++---------
 fs/notify/inotify/inotify.h      | 12 ++++++++++++
 fs/notify/inotify/inotify_user.c |  2 +-
 3 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/fs/notify/fdinfo.c b/fs/notify/fdinfo.c
index fd98e5100cab..317b7e7eb2e7 100644
--- a/fs/notify/fdinfo.c
+++ b/fs/notify/fdinfo.c
@@ -83,16 +83,9 @@ static void inotify_fdinfo(struct seq_file *m, struct fsnotify_mark *mark)
 	inode_mark = container_of(mark, struct inotify_inode_mark, fsn_mark);
 	inode = igrab(mark->inode);
 	if (inode) {
-		/*
-		 * IN_ALL_EVENTS represents all of the mask bits
-		 * that we expose to userspace.  There is at
-		 * least one bit (FS_EVENT_ON_CHILD) which is
-		 * used only internally to the kernel.
-		 */
-		u32 mask = mark->mask & IN_ALL_EVENTS;
-		seq_printf(m, "inotify wd:%x ino:%lx sdev:%x mask:%x ignored_mask:%x ",
+		seq_printf(m, "inotify wd:%x ino:%lx sdev:%x mask:%x ignored_mask:0 ",
 			   inode_mark->wd, inode->i_ino, inode->i_sb->s_dev,
-			   mask, mark->ignored_mask);
+			   inotify_mark_user_mask(mark));
 		show_mark_fhandle(m, inode);
 		seq_putc(m, '\n');
 		iput(inode);
diff --git a/fs/notify/inotify/inotify.h b/fs/notify/inotify/inotify.h
index ed855ef6f077..b0440287d7dd 100644
--- a/fs/notify/inotify/inotify.h
+++ b/fs/notify/inotify/inotify.h
@@ -20,6 +20,18 @@ static inline struct inotify_event_info *INOTIFY_E(struct fsnotify_event *fse)
 	return container_of(fse, struct inotify_event_info, fse);
 }
 
+/*
+ * INOTIFY_USER_FLAGS represents all of the mask bits that we expose to
+ * userspace.  There is at least one bit (FS_EVENT_ON_CHILD) which is
+ * used only internally to the kernel.
+ */
+#define INOTIFY_USER_MASK (IN_ALL_EVENTS | IN_ONESHOT | IN_EXCL_UNLINK)
+
+static inline __u32 inotify_mark_user_mask(struct fsnotify_mark *fsn_mark)
+{
+	return fsn_mark->mask & INOTIFY_USER_MASK;
+}
+
 extern void inotify_ignored_and_remove_idr(struct fsnotify_mark *fsn_mark,
 					   struct fsnotify_group *group);
 extern int inotify_handle_event(struct fsnotify_group *group,
diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
index 69d1ea3d292a..bb60bf1527e4 100644
--- a/fs/notify/inotify/inotify_user.c
+++ b/fs/notify/inotify/inotify_user.c
@@ -97,7 +97,7 @@ static inline __u32 inotify_arg_to_mask(u32 arg)
 	mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD | FS_UNMOUNT);
 
 	/* mask off the flags used to open the fd */
-	mask |= (arg & (IN_ALL_EVENTS | IN_ONESHOT | IN_EXCL_UNLINK));
+	mask |= (arg & INOTIFY_USER_MASK);
 
 	return mask;
 }
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 046/167] x86/pm: Fix false positive kmemleak report in msr_build_context()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 045/167] inotify: show inotify mask flags in proc fdinfo Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 047/167] drm/msm/dsi: fix error checks and return values for DSI xmit functions Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mat Martineau, Matthieu Baerts,
	Borislav Petkov, Rafael J. Wysocki, Sasha Levin

From: Matthieu Baerts <matthieu.baerts@tessares.net>

[ Upstream commit b0b592cf08367719e1d1ef07c9f136e8c17f7ec3 ]

Since

  e2a1256b17b1 ("x86/speculation: Restore speculation related MSRs during S3 resume")

kmemleak reports this issue:

  unreferenced object 0xffff888009cedc00 (size 256):
    comm "swapper/0", pid 1, jiffies 4294693823 (age 73.764s)
    hex dump (first 32 bytes):
      00 00 00 00 00 00 00 00 48 00 00 00 00 00 00 00  ........H.......
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    backtrace:
      msr_build_context (include/linux/slab.h:621)
      pm_check_save_msr (arch/x86/power/cpu.c:520)
      do_one_initcall (init/main.c:1298)
      kernel_init_freeable (init/main.c:1370)
      kernel_init (init/main.c:1504)
      ret_from_fork (arch/x86/entry/entry_64.S:304)

Reproducer:

  - boot the VM with a debug kernel config (see
    https://github.com/multipath-tcp/mptcp_net-next/issues/268)
  - wait ~1 minute
  - start a kmemleak scan

The root cause here is alignment within the packed struct saved_context
(from suspend_64.h). Kmemleak only searches for pointers that are
aligned (see how pointers are scanned in kmemleak.c), but pahole shows
that the saved_msrs struct member and all members after it in the
structure are unaligned:

  struct saved_context {
    struct pt_regs             regs;                 /*     0   168 */
    /* --- cacheline 2 boundary (128 bytes) was 40 bytes ago --- */
    u16                        ds;                   /*   168     2 */

    ...

    u64                        misc_enable;          /*   232     8 */
    bool                       misc_enable_saved;    /*   240     1 */

   /* Note below odd offset values for the remainder of this struct */

    struct saved_msrs          saved_msrs;           /*   241    16 */
    /* --- cacheline 4 boundary (256 bytes) was 1 bytes ago --- */
    long unsigned int          efer;                 /*   257     8 */
    u16                        gdt_pad;              /*   265     2 */
    struct desc_ptr            gdt_desc;             /*   267    10 */
    u16                        idt_pad;              /*   277     2 */
    struct desc_ptr            idt;                  /*   279    10 */
    u16                        ldt;                  /*   289     2 */
    u16                        tss;                  /*   291     2 */
    long unsigned int          tr;                   /*   293     8 */
    long unsigned int          safety;               /*   301     8 */
    long unsigned int          return_address;       /*   309     8 */

    /* size: 317, cachelines: 5, members: 25 */
    /* last cacheline: 61 bytes */
  } __attribute__((__packed__));

Move misc_enable_saved to the end of the struct declaration so that
saved_msrs fits in before the cacheline 4 boundary.

The comment above the saved_context declaration says to fix wakeup_64.S
file and __save/__restore_processor_state() if the struct is modified:
it looks like all the accesses in wakeup_64.S are done through offsets
which are computed at build-time. Update that comment accordingly.

At the end, the false positive kmemleak report is due to a limitation
from kmemleak but it is always good to avoid unaligned members for
optimisation purposes.

Please note that it looks like this issue is not new, e.g.

  https://lore.kernel.org/all/9f1bb619-c4ee-21c4-a251-870bd4db04fa@lwfinger.net/
  https://lore.kernel.org/all/94e48fcd-1dbd-ebd2-4c91-f39941735909@molgen.mpg.de/

  [ bp: Massage + cleanup commit message. ]

Fixes: 7a9c2dd08ead ("x86/pm: Introduce quirk framework to save/restore extra MSR registers around suspend/resume")
Suggested-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://lore.kernel.org/r/20220426202138.498310-1-matthieu.baerts@tessares.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/include/asm/suspend_32.h |  2 +-
 arch/x86/include/asm/suspend_64.h | 12 ++++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/arch/x86/include/asm/suspend_32.h b/arch/x86/include/asm/suspend_32.h
index 5cc2ce4ab8a3..4cb2a435dc85 100644
--- a/arch/x86/include/asm/suspend_32.h
+++ b/arch/x86/include/asm/suspend_32.h
@@ -20,7 +20,6 @@ struct saved_context {
 #endif
 	unsigned long cr0, cr2, cr3, cr4;
 	u64 misc_enable;
-	bool misc_enable_saved;
 	struct saved_msrs saved_msrs;
 	struct desc_ptr gdt_desc;
 	struct desc_ptr idt;
@@ -29,6 +28,7 @@ struct saved_context {
 	unsigned long tr;
 	unsigned long safety;
 	unsigned long return_address;
+	bool misc_enable_saved;
 } __attribute__((packed));
 
 #endif /* _ASM_X86_SUSPEND_32_H */
diff --git a/arch/x86/include/asm/suspend_64.h b/arch/x86/include/asm/suspend_64.h
index 701751918921..a235dd7983f0 100644
--- a/arch/x86/include/asm/suspend_64.h
+++ b/arch/x86/include/asm/suspend_64.h
@@ -13,9 +13,13 @@
  * Image of the saved processor state, used by the low level ACPI suspend to
  * RAM code and by the low level hibernation code.
  *
- * If you modify it, fix arch/x86/kernel/acpi/wakeup_64.S and make sure that
- * __save/__restore_processor_state(), defined in arch/x86/kernel/suspend_64.c,
- * still work as required.
+ * If you modify it, check how it is used in arch/x86/kernel/acpi/wakeup_64.S
+ * and make sure that __save/__restore_processor_state(), defined in
+ * arch/x86/power/cpu.c, still work as required.
+ *
+ * Because the structure is packed, make sure to avoid unaligned members. For
+ * optimisation purposes but also because tools like kmemleak only search for
+ * pointers that are aligned.
  */
 struct saved_context {
 	struct pt_regs regs;
@@ -35,7 +39,6 @@ struct saved_context {
 
 	unsigned long cr0, cr2, cr3, cr4, cr8;
 	u64 misc_enable;
-	bool misc_enable_saved;
 	struct saved_msrs saved_msrs;
 	unsigned long efer;
 	u16 gdt_pad; /* Unused */
@@ -47,6 +50,7 @@ struct saved_context {
 	unsigned long tr;
 	unsigned long safety;
 	unsigned long return_address;
+	bool misc_enable_saved;
 } __attribute__((packed));
 
 #define loaddebug(thread,register) \
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 047/167] drm/msm/dsi: fix error checks and return values for DSI xmit functions
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 046/167] x86/pm: Fix false positive kmemleak report in msr_build_context() Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 048/167] drm/msm/hdmi: check return value after calling platform_get_resource_byname() Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Dmitry Baryshkov,
	Abhinav Kumar, Marijn Suijten, Sasha Levin

From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>

[ Upstream commit f0e7e9ed379c012c4d6b09a09b868accc426223c ]

As noticed by Dan ([1] an the followup thread) there are multiple issues
with the return values for MSM DSI command transmission callback. In
the error case it can easily return a positive value when it should
have returned a proper error code.

This commits attempts to fix these issues both in TX and in RX paths.

[1]: https://lore.kernel.org/linux-arm-msm/20211001123617.GH2283@kili/

Fixes: a689554ba6ed ("drm/msm: Initial add DSI connector support")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Tested-by: Marijn Suijten <marijn.suijten@somainline.org>
Patchwork: https://patchwork.freedesktop.org/patch/480501/
Link: https://lore.kernel.org/r/20220401231104.967193-1-dmitry.baryshkov@linaro.org
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/msm/dsi/dsi_host.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
index 246336a9f47d..bea4969900ab 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
@@ -1240,10 +1240,10 @@ static int dsi_cmds2buf_tx(struct msm_dsi_host *msm_host,
 			dsi_get_bpp(msm_host->format) / 8;
 
 	len = dsi_cmd_dma_add(msm_host, msg);
-	if (!len) {
+	if (len < 0) {
 		pr_err("%s: failed to add cmd type = 0x%x\n",
 			__func__,  msg->type);
-		return -EINVAL;
+		return len;
 	}
 
 	/* for video mode, do not send cmds more than
@@ -1262,10 +1262,14 @@ static int dsi_cmds2buf_tx(struct msm_dsi_host *msm_host,
 	}
 
 	ret = dsi_cmd_dma_tx(msm_host, len);
-	if (ret < len) {
-		pr_err("%s: cmd dma tx failed, type=0x%x, data0=0x%x, len=%d\n",
-			__func__, msg->type, (*(u8 *)(msg->tx_buf)), len);
-		return -ECOMM;
+	if (ret < 0) {
+		pr_err("%s: cmd dma tx failed, type=0x%x, data0=0x%x, len=%d, ret=%d\n",
+			__func__, msg->type, (*(u8 *)(msg->tx_buf)), len, ret);
+		return ret;
+	} else if (ret < len) {
+		pr_err("%s: cmd dma tx failed, type=0x%x, data0=0x%x, ret=%d len=%d\n",
+			__func__, msg->type, (*(u8 *)(msg->tx_buf)), ret, len);
+		return -EIO;
 	}
 
 	return len;
@@ -1979,9 +1983,12 @@ int msm_dsi_host_cmd_rx(struct mipi_dsi_host *host,
 		}
 
 		ret = dsi_cmds2buf_tx(msm_host, msg);
-		if (ret < msg->tx_len) {
+		if (ret < 0) {
 			pr_err("%s: Read cmd Tx failed, %d\n", __func__, ret);
 			return ret;
+		} else if (ret < msg->tx_len) {
+			pr_err("%s: Read cmd Tx failed, too short: %d\n", __func__, ret);
+			return -ECOMM;
 		}
 
 		/*
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 048/167] drm/msm/hdmi: check return value after calling platform_get_resource_byname()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 047/167] drm/msm/dsi: fix error checks and return values for DSI xmit functions Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 049/167] drm/rockchip: vop: fix possible null-ptr-deref in vop_bind() Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Yingliang, Dmitry Baryshkov,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit a36e506711548df923ceb7ec9f6001375be799a5 ]

It will cause null-ptr-deref if platform_get_resource_byname() returns NULL,
we need check the return value.

Fixes: c6a57a50ad56 ("drm/msm/hdmi: add hdmi hdcp support (V3)")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/482992/
Link: https://lore.kernel.org/r/20220422032227.2991553-1-yangyingliang@huawei.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/msm/hdmi/hdmi.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.c b/drivers/gpu/drm/msm/hdmi/hdmi.c
index a968cad509c2..48ab46726707 100644
--- a/drivers/gpu/drm/msm/hdmi/hdmi.c
+++ b/drivers/gpu/drm/msm/hdmi/hdmi.c
@@ -148,6 +148,10 @@ static struct hdmi *msm_hdmi_init(struct platform_device *pdev)
 	/* HDCP needs physical address of hdmi register */
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM,
 		config->mmio_name);
+	if (!res) {
+		ret = -EINVAL;
+		goto fail;
+	}
 	hdmi->mmio_phy_addr = res->start;
 
 	hdmi->qfprom_mmio = msm_ioremap(pdev,
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 049/167] drm/rockchip: vop: fix possible null-ptr-deref in vop_bind()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 048/167] drm/msm/hdmi: check return value after calling platform_get_resource_byname() Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 050/167] x86/mm: Cleanup the control_va_addr_alignment() __setup handler Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Yingliang, Heiko Stuebner, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit f8c242908ad15bbd604d3bcb54961b7d454c43f8 ]

It will cause null-ptr-deref in resource_size(), if platform_get_resource()
returns NULL, move calling resource_size() after devm_ioremap_resource() that
will check 'res' to avoid null-ptr-deref.

Fixes: 2048e3286f34 ("drm: rockchip: Add basic drm driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20220422032854.2995175-1-yangyingliang@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
index 5bed63eee5f0..050f9a59ed54 100644
--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
@@ -1524,10 +1524,10 @@ static int vop_bind(struct device *dev, struct device *master, void *data)
 	vop_win_init(vop);
 
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
-	vop->len = resource_size(res);
 	vop->regs = devm_ioremap_resource(dev, res);
 	if (IS_ERR(vop->regs))
 		return PTR_ERR(vop->regs);
+	vop->len = resource_size(res);
 
 	vop->regsbak = devm_kzalloc(dev, vop->len, GFP_KERNEL);
 	if (!vop->regsbak)
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 050/167] x86/mm: Cleanup the control_va_addr_alignment() __setup handler
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 049/167] drm/rockchip: vop: fix possible null-ptr-deref in vop_bind() Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 051/167] drm/msm: return an error pointer in msm_gem_prime_get_sg_table() Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Igor Zhbanov, Randy Dunlap,
	Borislav Petkov, Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit 1ef64b1e89e6d4018da46e08ffc32779a31160c7 ]

Clean up control_va_addr_alignment():

a. Make '=' required instead of optional (as documented).
b. Print a warning if an invalid option value is used.
c. Return 1 from the __setup handler when an invalid option value is
   used. This prevents the kernel from polluting init's (limited)
   environment space with the entire string.

Fixes: dfb09f9b7ab0 ("x86, amd: Avoid cache aliasing penalties on AMD family 15h")
Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Link: https://lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
Link: https://lore.kernel.org/r/20220315001045.7680-1-rdunlap@infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/sys_x86_64.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
index 1d4e7fd3e66d..1078705292fc 100644
--- a/arch/x86/kernel/sys_x86_64.c
+++ b/arch/x86/kernel/sys_x86_64.c
@@ -66,9 +66,6 @@ static int __init control_va_addr_alignment(char *str)
 	if (*str == 0)
 		return 1;
 
-	if (*str == '=')
-		str++;
-
 	if (!strcmp(str, "32"))
 		va_align.flags = ALIGN_VA_32;
 	else if (!strcmp(str, "64"))
@@ -78,11 +75,11 @@ static int __init control_va_addr_alignment(char *str)
 	else if (!strcmp(str, "on"))
 		va_align.flags = ALIGN_VA_32 | ALIGN_VA_64;
 	else
-		return 0;
+		pr_warn("invalid option value: 'align_va_addr=%s'\n", str);
 
 	return 1;
 }
-__setup("align_va_addr", control_va_addr_alignment);
+__setup("align_va_addr=", control_va_addr_alignment);
 
 SYSCALL_DEFINE6(mmap, unsigned long, addr, unsigned long, len,
 		unsigned long, prot, unsigned long, flags,
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 051/167] drm/msm: return an error pointer in msm_gem_prime_get_sg_table()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 050/167] x86/mm: Cleanup the control_va_addr_alignment() __setup handler Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 052/167] media: uvcvideo: Fix missing check to determine if element is found in list Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Dmitry Baryshkov, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit cf575e31611eb6dccf08fad02e57e35b2187704d ]

The msm_gem_prime_get_sg_table() needs to return error pointers on
error.  This is called from drm_gem_map_dma_buf() and returning a
NULL will lead to a crash in that function.

Fixes: ac45146733b0 ("drm/msm: fix msm_gem_prime_get_sg_table()")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/485023/
Link: https://lore.kernel.org/r/YnOmtS5tfENywR9m@kili
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/msm/msm_gem_prime.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/msm/msm_gem_prime.c b/drivers/gpu/drm/msm/msm_gem_prime.c
index 13403c6da6c7..7e4664968106 100644
--- a/drivers/gpu/drm/msm/msm_gem_prime.c
+++ b/drivers/gpu/drm/msm/msm_gem_prime.c
@@ -26,7 +26,7 @@ struct sg_table *msm_gem_prime_get_sg_table(struct drm_gem_object *obj)
 	int npages = obj->size >> PAGE_SHIFT;
 
 	if (WARN_ON(!msm_obj->pages))  /* should have already pinned! */
-		return NULL;
+		return ERR_PTR(-ENOMEM);
 
 	return drm_prime_pages_to_sg(msm_obj->pages, npages);
 }
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 052/167] media: uvcvideo: Fix missing check to determine if element is found in list
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 051/167] drm/msm: return an error pointer in msm_gem_prime_get_sg_table() Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 053/167] ASoC: mxs-saif: Fix refcount leak in mxs_saif_probe Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiaomeng Tong, Laurent Pinchart,
	Mauro Carvalho Chehab, Sasha Levin

From: Xiaomeng Tong <xiam0nd.tong@gmail.com>

[ Upstream commit 261f33388c29f6f3c12a724e6d89172b7f6d5996 ]

The list iterator will point to a bogus position containing HEAD if
the list is empty or the element is not found in list. This case
should be checked before any use of the iterator, otherwise it will
lead to a invalid memory access. The missing check here is before
"pin = iterm->id;", just add check here to fix the security bug.

In addition, the list iterator value will *always* be set and non-NULL
by list_for_each_entry(), so it is incorrect to assume that the iterator
value will be NULL if the element is not found in list, considering
the (mis)use here: "if (iterm == NULL".

Use a new value 'it' as the list iterator, while use the old value
'iterm' as a dedicated pointer to point to the found element, which
1. can fix this bug, due to 'iterm' is NULL only if it's not found.
2. do not need to change all the uses of 'iterm' after the loop.
3. can also limit the scope of the list iterator 'it' *only inside*
   the traversal loop by simply declaring 'it' inside the loop in the
   future, as usage of the iterator outside of the list_for_each_entry
   is considered harmful. https://lkml.org/lkml/2022/2/17/1032

Fixes: d5e90b7a6cd1c ("[media] uvcvideo: Move to video_ioctl2")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/uvc/uvc_v4l2.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
index 2b1e06e825f0..53d81ef9a4be 100644
--- a/drivers/media/usb/uvc/uvc_v4l2.c
+++ b/drivers/media/usb/uvc/uvc_v4l2.c
@@ -846,29 +846,31 @@ static int uvc_ioctl_enum_input(struct file *file, void *fh,
 	struct uvc_video_chain *chain = handle->chain;
 	const struct uvc_entity *selector = chain->selector;
 	struct uvc_entity *iterm = NULL;
+	struct uvc_entity *it;
 	u32 index = input->index;
-	int pin = 0;
 
 	if (selector == NULL ||
 	    (chain->dev->quirks & UVC_QUIRK_IGNORE_SELECTOR_UNIT)) {
 		if (index != 0)
 			return -EINVAL;
-		list_for_each_entry(iterm, &chain->entities, chain) {
-			if (UVC_ENTITY_IS_ITERM(iterm))
+		list_for_each_entry(it, &chain->entities, chain) {
+			if (UVC_ENTITY_IS_ITERM(it)) {
+				iterm = it;
 				break;
+			}
 		}
-		pin = iterm->id;
 	} else if (index < selector->bNrInPins) {
-		pin = selector->baSourceID[index];
-		list_for_each_entry(iterm, &chain->entities, chain) {
-			if (!UVC_ENTITY_IS_ITERM(iterm))
+		list_for_each_entry(it, &chain->entities, chain) {
+			if (!UVC_ENTITY_IS_ITERM(it))
 				continue;
-			if (iterm->id == pin)
+			if (it->id == selector->baSourceID[index]) {
+				iterm = it;
 				break;
+			}
 		}
 	}
 
-	if (iterm == NULL || iterm->id != pin)
+	if (iterm == NULL)
 		return -EINVAL;
 
 	memset(input, 0, sizeof(*input));
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 053/167] ASoC: mxs-saif: Fix refcount leak in mxs_saif_probe
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 052/167] media: uvcvideo: Fix missing check to determine if element is found in list Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 054/167] regulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaoqian Lin, Mark Brown, Sasha Levin

From: Miaoqian Lin <linmq006@gmail.com>

[ Upstream commit 2be84f73785fa9ed6443e3c5b158730266f1c2ee ]

of_parse_phandle() returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.

Fixes: 08641c7c74dd ("ASoC: mxs: add device tree support for mxs-saif")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20220511133725.39039-1-linmq006@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/mxs/mxs-saif.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/soc/mxs/mxs-saif.c b/sound/soc/mxs/mxs-saif.c
index 5977a2011d9e..76e1059e7f15 100644
--- a/sound/soc/mxs/mxs-saif.c
+++ b/sound/soc/mxs/mxs-saif.c
@@ -748,6 +748,7 @@ static int mxs_saif_probe(struct platform_device *pdev)
 		saif->master_id = saif->id;
 	} else {
 		ret = of_alias_get_id(master, "saif");
+		of_node_put(master);
 		if (ret < 0)
 			return ret;
 		else
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 054/167] regulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 053/167] ASoC: mxs-saif: Fix refcount leak in mxs_saif_probe Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 055/167] media: exynos4-is: Change clk_disable to clk_disable_unprepare Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaoqian Lin, Mark Brown, Sasha Levin

From: Miaoqian Lin <linmq006@gmail.com>

[ Upstream commit afaa7b933ef00a2d3262f4d1252087613fb5c06d ]

of_node_get() returns a node with refcount incremented.
Calling of_node_put() to drop the reference when not needed anymore.

Fixes: 3784b6d64dc5 ("regulator: pfuze100: add pfuze100 regulator driver")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20220511113506.45185-1-linmq006@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/regulator/pfuze100-regulator.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/regulator/pfuze100-regulator.c b/drivers/regulator/pfuze100-regulator.c
index ffb1f61d2c75..998c7c972e60 100644
--- a/drivers/regulator/pfuze100-regulator.c
+++ b/drivers/regulator/pfuze100-regulator.c
@@ -407,6 +407,7 @@ static int pfuze_parse_regulators_dt(struct pfuze_chip *chip)
 	parent = of_get_child_by_name(np, "regulators");
 	if (!parent) {
 		dev_err(dev, "regulators node not found\n");
+		of_node_put(np);
 		return -EINVAL;
 	}
 
@@ -431,6 +432,7 @@ static int pfuze_parse_regulators_dt(struct pfuze_chip *chip)
 	}
 
 	of_node_put(parent);
+	of_node_put(np);
 	if (ret < 0) {
 		dev_err(dev, "Error parsing regulator init data: %d\n",
 			ret);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 055/167] media: exynos4-is: Change clk_disable to clk_disable_unprepare
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 054/167] regulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 056/167] media: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaoqian Lin, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

From: Miaoqian Lin <linmq006@gmail.com>

[ Upstream commit 9fadab72a6916c7507d7fedcd644859eef995078 ]

The corresponding API for clk_prepare_enable is clk_disable_unprepare,
other than clk_disable.

Fix this by changing clk_disable to clk_disable_unprepare.

Fixes: b4155d7d5b2c ("[media] exynos4-is: Ensure fimc-is clocks are not enabled until properly configured")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/exynos4-is/fimc-is.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/exynos4-is/fimc-is.c b/drivers/media/platform/exynos4-is/fimc-is.c
index f9456f26ff4f..590ec04de827 100644
--- a/drivers/media/platform/exynos4-is/fimc-is.c
+++ b/drivers/media/platform/exynos4-is/fimc-is.c
@@ -144,7 +144,7 @@ static int fimc_is_enable_clocks(struct fimc_is *is)
 			dev_err(&is->pdev->dev, "clock %s enable failed\n",
 				fimc_is_clocks[i]);
 			for (--i; i >= 0; i--)
-				clk_disable(is->clocks[i]);
+				clk_disable_unprepare(is->clocks[i]);
 			return ret;
 		}
 		pr_debug("enabled clock: %s\n", fimc_is_clocks[i]);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 056/167] media: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 055/167] media: exynos4-is: Change clk_disable to clk_disable_unprepare Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 057/167] Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Skripkin, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin, syzbot+1a247e36149ffd709a9b

From: Pavel Skripkin <paskripkin@gmail.com>

[ Upstream commit 471bec68457aaf981add77b4f590d65dd7da1059 ]

Syzbot reported that -1 is used as array index. The problem was in
missing validation check.

hdw->unit_number is initialized with -1 and then if init table walk fails
this value remains unchanged. Since code blindly uses this member for
array indexing adding sanity check is the easiest fix for that.

hdw->workpoll initialization moved upper to prevent warning in
__flush_work.

Reported-and-tested-by: syzbot+1a247e36149ffd709a9b@syzkaller.appspotmail.com

Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
index 40535db585a0..b868a77a048c 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
@@ -2615,6 +2615,11 @@ struct pvr2_hdw *pvr2_hdw_create(struct usb_interface *intf,
 	} while (0);
 	mutex_unlock(&pvr2_unit_mtx);
 
+	INIT_WORK(&hdw->workpoll, pvr2_hdw_worker_poll);
+
+	if (hdw->unit_number == -1)
+		goto fail;
+
 	cnt1 = 0;
 	cnt2 = scnprintf(hdw->name+cnt1,sizeof(hdw->name)-cnt1,"pvrusb2");
 	cnt1 += cnt2;
@@ -2626,8 +2631,6 @@ struct pvr2_hdw *pvr2_hdw_create(struct usb_interface *intf,
 	if (cnt1 >= sizeof(hdw->name)) cnt1 = sizeof(hdw->name)-1;
 	hdw->name[cnt1] = 0;
 
-	INIT_WORK(&hdw->workpoll,pvr2_hdw_worker_poll);
-
 	pvr2_trace(PVR2_TRACE_INIT,"Driver unit number is %d, name is %s",
 		   hdw->unit_number,hdw->name);
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 057/167] Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 056/167] media: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 058/167] m68k: math-emu: Fix dependencies of math emulation support Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+2bef95d3ab4daa10155b,
	Ying Hsu, Joseph Hwang, Marcel Holtmann, Sasha Levin

From: Ying Hsu <yinghsu@chromium.org>

[ Upstream commit 7aa1e7d15f8a5b65f67bacb100d8fc033b21efa2 ]

Connecting the same socket twice consecutively in sco_sock_connect()
could lead to a race condition where two sco_conn objects are created
but only one is associated with the socket. If the socket is closed
before the SCO connection is established, the timer associated with the
dangling sco_conn object won't be canceled. As the sock object is being
freed, the use-after-free problem happens when the timer callback
function sco_sock_timeout() accesses the socket. Here's the call trace:

dump_stack+0x107/0x163
? refcount_inc+0x1c/
print_address_description.constprop.0+0x1c/0x47e
? refcount_inc+0x1c/0x7b
kasan_report+0x13a/0x173
? refcount_inc+0x1c/0x7b
check_memory_region+0x132/0x139
refcount_inc+0x1c/0x7b
sco_sock_timeout+0xb2/0x1ba
process_one_work+0x739/0xbd1
? cancel_delayed_work+0x13f/0x13f
? __raw_spin_lock_init+0xf0/0xf0
? to_kthread+0x59/0x85
worker_thread+0x593/0x70e
kthread+0x346/0x35a
? drain_workqueue+0x31a/0x31a
? kthread_bind+0x4b/0x4b
ret_from_fork+0x1f/0x30

Link: https://syzkaller.appspot.com/bug?extid=2bef95d3ab4daa10155b
Reported-by: syzbot+2bef95d3ab4daa10155b@syzkaller.appspotmail.com
Fixes: e1dee2c1de2b ("Bluetooth: fix repeated calls to sco_sock_kill")
Signed-off-by: Ying Hsu <yinghsu@chromium.org>
Reviewed-by: Joseph Hwang <josephsih@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/sco.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index b3b4ffaa394f..9892ce82cbdf 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -542,19 +542,24 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen
 	    addr->sa_family != AF_BLUETOOTH)
 		return -EINVAL;
 
-	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
-		return -EBADFD;
+	lock_sock(sk);
+	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
+		err = -EBADFD;
+		goto done;
+	}
 
-	if (sk->sk_type != SOCK_SEQPACKET)
-		return -EINVAL;
+	if (sk->sk_type != SOCK_SEQPACKET) {
+		err = -EINVAL;
+		goto done;
+	}
 
 	hdev = hci_get_route(&sa->sco_bdaddr, &sco_pi(sk)->src, BDADDR_BREDR);
-	if (!hdev)
-		return -EHOSTUNREACH;
+	if (!hdev) {
+		err = -EHOSTUNREACH;
+		goto done;
+	}
 	hci_dev_lock(hdev);
 
-	lock_sock(sk);
-
 	/* Set destination address and psm */
 	bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr);
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 058/167] m68k: math-emu: Fix dependencies of math emulation support
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 057/167] Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 059/167] sctp: read sk->sk_bound_dev_if once in sctp_rcv() Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot,
	Geert Uytterhoeven, Greg Ungerer, Sasha Levin

From: Geert Uytterhoeven <geert@linux-m68k.org>

[ Upstream commit ed6bc6bf0a7d75e80eb1df883c09975ebb74e590 ]

If CONFIG_M54xx=y, CONFIG_MMU=y, and CONFIG_M68KFPU_EMU=y:

    {standard input}:272: Error: invalid instruction for this architecture; needs 68000 or higher (68000 [68ec000, 68hc000, 68hc001, 68008, 68302, 68306, 68307, 68322, 68356], 68010, 68020 [68k, 68ec020], 68030 [68ec030], 68040 [68ec040], 68060 [68ec060], cpu32 [68330, 68331, 68332, 68333, 68334, 68336, 68340, 68341, 68349, 68360], fidoa [fido]) -- statement `sub.b %d1,%d3' ignored
    {standard input}:609: Error: invalid instruction for this architecture; needs 68020 or higher (68020 [68k, 68ec020], 68030 [68ec030], 68040 [68ec040], 68060 [68ec060]) -- statement `bfextu 4(%a1){%d0,#8},%d0' ignored
    {standard input}:752: Error: operands mismatch -- statement `mulu.l 4(%a0),%d3:%d0' ignored
    {standard input}:1155: Error: operands mismatch -- statement `divu.l %d0,%d3:%d7' ignored

The math emulation support code is intended for 68020 and higher, and
uses several instructions or instruction modes not available on coldfire
or 68000.

Originally, the dependency of M68KFPU_EMU on MMU was fine, as MMU
support was only available on 68020 or higher.  But this assumption
was broken by the introduction of MMU support for M547x and M548x.

Drop the dependency on MMU, as the code should work fine on 68020 and up
without MMU (which are not yet supported by Linux, though).
Add dependencies on M68KCLASSIC (to rule out Coldfire) and FPU (kernel
has some type of floating-point support --- be it hardware or software
emulated, to rule out anything below 68020).

Fixes: 1f7034b9616e6f14 ("m68k: allow ColdFire 547x and 548x CPUs to be built with MMU enabled")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Reviewed-by: Greg Ungerer <gerg@linux-m68k.org>
Link: https://lore.kernel.org/r/18c34695b7c95107f60ccca82a4ff252f3edf477.1652446117.git.geert@linux-m68k.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/m68k/Kconfig.cpu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/m68k/Kconfig.cpu b/arch/m68k/Kconfig.cpu
index d2219f30b78f..2268d19cc915 100644
--- a/arch/m68k/Kconfig.cpu
+++ b/arch/m68k/Kconfig.cpu
@@ -307,7 +307,7 @@ comment "Processor Specific Options"
 
 config M68KFPU_EMU
 	bool "Math emulation support"
-	depends on MMU
+	depends on M68KCLASSIC && FPU
 	help
 	  At some point in the future, this will cause floating-point math
 	  instructions to be emulated by the kernel on machines that lack a
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 059/167] sctp: read sk->sk_bound_dev_if once in sctp_rcv()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 058/167] m68k: math-emu: Fix dependencies of math emulation support Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 060/167] ASoC: wm2000: fix missing clk_disable_unprepare() on error in wm2000_anc_transition() Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Neil Horman,
	Vlad Yasevich, Marcelo Ricardo Leitner, David S. Miller,
	Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit a20ea298071f46effa3aaf965bf9bb34c901db3f ]

sctp_rcv() reads sk->sk_bound_dev_if twice while the socket
is not locked. Another cpu could change this field under us.

Fixes: 0fd9a65a76e8 ("[SCTP] Support SO_BINDTODEVICE socket option on incoming packets.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/input.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/sctp/input.c b/net/sctp/input.c
index 9c1670b4a687..ed3a8a66a00b 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -103,6 +103,7 @@ int sctp_rcv(struct sk_buff *skb)
 	struct sctp_chunk *chunk;
 	union sctp_addr src;
 	union sctp_addr dest;
+	int bound_dev_if;
 	int family;
 	struct sctp_af *af;
 	struct net *net = dev_net(skb->dev);
@@ -180,7 +181,8 @@ int sctp_rcv(struct sk_buff *skb)
 	 * If a frame arrives on an interface and the receiving socket is
 	 * bound to another interface, via SO_BINDTODEVICE, treat it as OOTB
 	 */
-	if (sk->sk_bound_dev_if && (sk->sk_bound_dev_if != af->skb_iif(skb))) {
+	bound_dev_if = READ_ONCE(sk->sk_bound_dev_if);
+	if (bound_dev_if && (bound_dev_if != af->skb_iif(skb))) {
 		if (transport) {
 			sctp_transport_put(transport);
 			asoc = NULL;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 060/167] ASoC: wm2000: fix missing clk_disable_unprepare() on error in wm2000_anc_transition()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 059/167] sctp: read sk->sk_bound_dev_if once in sctp_rcv() Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 061/167] rxrpc: Fix listen() setting the bar too high for the prealloc rings Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Yingliang, Charles Keepax,
	Mark Brown, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit be2af740e2a9c7134f2d8ab4f104006e110b13de ]

Fix the missing clk_disable_unprepare() before return
from wm2000_anc_transition() in the error handling case.

Fixes: 514cfd6dd725 ("ASoC: wm2000: Integrate with clock API")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://lore.kernel.org/r/20220514091053.686416-1-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/wm2000.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sound/soc/codecs/wm2000.c b/sound/soc/codecs/wm2000.c
index 23cde3a0dc11..73cda3c2a861 100644
--- a/sound/soc/codecs/wm2000.c
+++ b/sound/soc/codecs/wm2000.c
@@ -545,7 +545,7 @@ static int wm2000_anc_transition(struct wm2000_priv *wm2000,
 {
 	struct i2c_client *i2c = wm2000->i2c;
 	int i, j;
-	int ret;
+	int ret = 0;
 
 	if (wm2000->anc_mode == mode)
 		return 0;
@@ -575,13 +575,13 @@ static int wm2000_anc_transition(struct wm2000_priv *wm2000,
 		ret = anc_transitions[i].step[j](i2c,
 						 anc_transitions[i].analogue);
 		if (ret != 0)
-			return ret;
+			break;
 	}
 
 	if (anc_transitions[i].dest == ANC_OFF)
 		clk_disable_unprepare(wm2000->mclk);
 
-	return 0;
+	return ret;
 }
 
 static int wm2000_anc_set_mode(struct wm2000_priv *wm2000)
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 061/167] rxrpc: Fix listen() setting the bar too high for the prealloc rings
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 060/167] ASoC: wm2000: fix missing clk_disable_unprepare() on error in wm2000_anc_transition() Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 062/167] rxrpc: Dont try to resend the request if were receiving the reply Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marc Dionne, David Howells,
	linux-afs, David S. Miller, Sasha Levin

From: David Howells <dhowells@redhat.com>

[ Upstream commit 88e22159750b0d55793302eeed8ee603f5c1a95c ]

AF_RXRPC's listen() handler lets you set the backlog up to 32 (if you bump
up the sysctl), but whilst the preallocation circular buffers have 32 slots
in them, one of them has to be a dead slot because we're using CIRC_CNT().

This means that listen(rxrpc_sock, 32) will cause an oops when the socket
is closed because rxrpc_service_prealloc_one() allocated one too many calls
and rxrpc_discard_prealloc() won't then be able to get rid of them because
it'll think the ring is empty.  rxrpc_release_calls_on_socket() then tries
to abort them, but oopses because call->peer isn't yet set.

Fix this by setting the maximum backlog to RXRPC_BACKLOG_MAX - 1 to match
the ring capacity.

 BUG: kernel NULL pointer dereference, address: 0000000000000086
 ...
 RIP: 0010:rxrpc_send_abort_packet+0x73/0x240 [rxrpc]
 Call Trace:
  <TASK>
  ? __wake_up_common_lock+0x7a/0x90
  ? rxrpc_notify_socket+0x8e/0x140 [rxrpc]
  ? rxrpc_abort_call+0x4c/0x60 [rxrpc]
  rxrpc_release_calls_on_socket+0x107/0x1a0 [rxrpc]
  rxrpc_release+0xc9/0x1c0 [rxrpc]
  __sock_release+0x37/0xa0
  sock_close+0x11/0x20
  __fput+0x89/0x240
  task_work_run+0x59/0x90
  do_exit+0x319/0xaa0

Fixes: 00e907127e6f ("rxrpc: Preallocate peers, conns and calls for incoming service requests")
Reported-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: linux-afs@lists.infradead.org
Link: https://lists.infradead.org/pipermail/linux-afs/2022-March/005079.html
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rxrpc/sysctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/rxrpc/sysctl.c b/net/rxrpc/sysctl.c
index 34c706d2f79c..f9afc21b7e2c 100644
--- a/net/rxrpc/sysctl.c
+++ b/net/rxrpc/sysctl.c
@@ -18,7 +18,7 @@ static struct ctl_table_header *rxrpc_sysctl_reg_table;
 static const unsigned int zero = 0;
 static const unsigned int one = 1;
 static const unsigned int four = 4;
-static const unsigned int thirtytwo = 32;
+static const unsigned int max_backlog = RXRPC_BACKLOG_MAX - 1;
 static const unsigned int n_65535 = 65535;
 static const unsigned int n_max_acks = RXRPC_RXTX_BUFF_SIZE - 1;
 
@@ -114,7 +114,7 @@ static struct ctl_table rxrpc_sysctl_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_minmax,
 		.extra1		= (void *)&four,
-		.extra2		= (void *)&thirtytwo,
+		.extra2		= (void *)&max_backlog,
 	},
 	{
 		.procname	= "rx_window_size",
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 062/167] rxrpc: Dont try to resend the request if were receiving the reply
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 061/167] rxrpc: Fix listen() setting the bar too high for the prealloc rings Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 063/167] soc: qcom: smp2p: Fix missing of_node_put() in smp2p_parse_ipc Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Howells, linux-afs,
	David S. Miller, Sasha Levin

From: David Howells <dhowells@redhat.com>

[ Upstream commit 114af61f88fbe34d641b13922d098ffec4c1be1b ]

rxrpc has a timer to trigger resending of unacked data packets in a call.
This is not cancelled when a client call switches to the receive phase on
the basis that most calls don't last long enough for it to ever expire.
However, if it *does* expire after we've started to receive the reply, we
shouldn't then go into trying to retransmit or pinging the server to find
out if an ack got lost.

Fix this by skipping the resend code if we're into receiving the reply to a
client call.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: linux-afs@lists.infradead.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rxrpc/call_event.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
index 97a17ada4431..4aae0904ae1b 100644
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -403,7 +403,8 @@ void rxrpc_process_call(struct work_struct *work)
 		goto recheck_state;
 	}
 
-	if (test_and_clear_bit(RXRPC_CALL_EV_RESEND, &call->events)) {
+	if (test_and_clear_bit(RXRPC_CALL_EV_RESEND, &call->events) &&
+	    call->state != RXRPC_CALL_CLIENT_RECV_REPLY) {
 		rxrpc_resend(call, now);
 		goto recheck_state;
 	}
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 063/167] soc: qcom: smp2p: Fix missing of_node_put() in smp2p_parse_ipc
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 062/167] rxrpc: Dont try to resend the request if were receiving the reply Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 064/167] soc: qcom: smsm: Fix missing of_node_put() in smsm_parse_ipc Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaoqian Lin, Bjorn Andersson, Sasha Levin

From: Miaoqian Lin <linmq006@gmail.com>

[ Upstream commit 8fd3f18ea31a398ecce4a6d3804433658678b0a3 ]

The device_node pointer is returned by of_parse_phandle()  with refcount
incremented. We should use of_node_put() on it when done.

Fixes: 50e99641413e ("soc: qcom: smp2p: Qualcomm Shared Memory Point to Point")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20220308071942.22942-1-linmq006@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/soc/qcom/smp2p.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/soc/qcom/smp2p.c b/drivers/soc/qcom/smp2p.c
index 4c5767c73b7a..a0562dec9604 100644
--- a/drivers/soc/qcom/smp2p.c
+++ b/drivers/soc/qcom/smp2p.c
@@ -416,6 +416,7 @@ static int smp2p_parse_ipc(struct qcom_smp2p *smp2p)
 	}
 
 	smp2p->ipc_regmap = syscon_node_to_regmap(syscon);
+	of_node_put(syscon);
 	if (IS_ERR(smp2p->ipc_regmap))
 		return PTR_ERR(smp2p->ipc_regmap);
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 064/167] soc: qcom: smsm: Fix missing of_node_put() in smsm_parse_ipc
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 063/167] soc: qcom: smp2p: Fix missing of_node_put() in smp2p_parse_ipc Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:08 ` [PATCH 4.9 065/167] mfd: ipaq-micro: Fix error check return value of platform_get_irq() Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaoqian Lin, Bjorn Andersson, Sasha Levin

From: Miaoqian Lin <linmq006@gmail.com>

[ Upstream commit aad66a3c78da668f4506356c2fdb70b7a19ecc76 ]

The device_node pointer is returned by of_parse_phandle()  with refcount
incremented. We should use of_node_put() on it when done.

Fixes: c97c4090ff72 ("soc: qcom: smsm: Add driver for Qualcomm SMSM")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20220308073648.24634-1-linmq006@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/soc/qcom/smsm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/soc/qcom/smsm.c b/drivers/soc/qcom/smsm.c
index 783cb3364599..01bc8528f24d 100644
--- a/drivers/soc/qcom/smsm.c
+++ b/drivers/soc/qcom/smsm.c
@@ -367,6 +367,7 @@ static int smsm_parse_ipc(struct qcom_smsm *smsm, unsigned host_id)
 		return 0;
 
 	host->ipc_regmap = syscon_node_to_regmap(syscon);
+	of_node_put(syscon);
 	if (IS_ERR(host->ipc_regmap))
 		return PTR_ERR(host->ipc_regmap);
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 065/167] mfd: ipaq-micro: Fix error check return value of platform_get_irq()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 064/167] soc: qcom: smsm: Fix missing of_node_put() in smsm_parse_ipc Greg Kroah-Hartman
@ 2022-06-13 10:08 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 066/167] scsi: fcoe: Fix Wstringop-overflow warnings in fcoe_wwn_from_mac() Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zeal Robot, Lv Ruyi, Linus Walleij,
	Lee Jones, Sasha Levin

From: Lv Ruyi <lv.ruyi@zte.com.cn>

[ Upstream commit 3b49ae380ce1a3054e0c505dd9a356b82a5b48e8 ]

platform_get_irq() return negative value on failure, so null check of
irq is incorrect. Fix it by comparing whether it is less than zero.

Fixes: dcc21cc09e3c ("mfd: Add driver for Atmel Microcontroller on iPaq h3xxx")
Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: Lv Ruyi <lv.ruyi@zte.com.cn>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Link: https://lore.kernel.org/r/20220412085305.2533030-1-lv.ruyi@zte.com.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mfd/ipaq-micro.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mfd/ipaq-micro.c b/drivers/mfd/ipaq-micro.c
index df16fd1df68b..b03489268252 100644
--- a/drivers/mfd/ipaq-micro.c
+++ b/drivers/mfd/ipaq-micro.c
@@ -418,7 +418,7 @@ static int __init micro_probe(struct platform_device *pdev)
 	micro_reset_comm(micro);
 
 	irq = platform_get_irq(pdev, 0);
-	if (!irq)
+	if (irq < 0)
 		return -EINVAL;
 	ret = devm_request_irq(&pdev->dev, irq, micro_serial_isr,
 			       IRQF_SHARED, "ipaq-micro",
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 066/167] scsi: fcoe: Fix Wstringop-overflow warnings in fcoe_wwn_from_mac()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2022-06-13 10:08 ` [PATCH 4.9 065/167] mfd: ipaq-micro: Fix error check return value of platform_get_irq() Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 067/167] drivers/base/node.c: fix compaction sysfs file leak Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, Sasha Levin

From: Gustavo A. R. Silva <gustavoars@kernel.org>

[ Upstream commit 54db804d5d7d36709d1ce70bde3b9a6c61b290b6 ]

Fix the following Wstringop-overflow warnings when building with GCC-11:

drivers/scsi/fcoe/fcoe.c: In function ‘fcoe_netdev_config’:
drivers/scsi/fcoe/fcoe.c:744:32: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=]
  744 |                         wwnn = fcoe_wwn_from_mac(ctlr->ctl_src_addr, 1, 0);
      |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/fcoe/fcoe.c:744:32: note: referencing argument 1 of type ‘unsigned char *’
In file included from drivers/scsi/fcoe/fcoe.c:36:
./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’
  252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int);
      |     ^~~~~~~~~~~~~~~~~
drivers/scsi/fcoe/fcoe.c:747:32: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=]
  747 |                         wwpn = fcoe_wwn_from_mac(ctlr->ctl_src_addr,
      |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  748 |                                                  2, 0);
      |                                                  ~~~~~
drivers/scsi/fcoe/fcoe.c:747:32: note: referencing argument 1 of type ‘unsigned char *’
In file included from drivers/scsi/fcoe/fcoe.c:36:
./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’
  252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int);
      |     ^~~~~~~~~~~~~~~~~
  CC      drivers/scsi/bnx2fc/bnx2fc_io.o
In function ‘bnx2fc_net_config’,
    inlined from ‘bnx2fc_if_create’ at drivers/scsi/bnx2fc/bnx2fc_fcoe.c:1543:7:
drivers/scsi/bnx2fc/bnx2fc_fcoe.c:833:32: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=]
  833 |                         wwnn = fcoe_wwn_from_mac(ctlr->ctl_src_addr,
      |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  834 |                                                  1, 0);
      |                                                  ~~~~~
drivers/scsi/bnx2fc/bnx2fc_fcoe.c: In function ‘bnx2fc_if_create’:
drivers/scsi/bnx2fc/bnx2fc_fcoe.c:833:32: note: referencing argument 1 of type ‘unsigned char *’
In file included from drivers/scsi/bnx2fc/bnx2fc.h:53,
                 from drivers/scsi/bnx2fc/bnx2fc_fcoe.c:17:
./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’
  252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int);
      |     ^~~~~~~~~~~~~~~~~
In function ‘bnx2fc_net_config’,
    inlined from ‘bnx2fc_if_create’ at drivers/scsi/bnx2fc/bnx2fc_fcoe.c:1543:7:
drivers/scsi/bnx2fc/bnx2fc_fcoe.c:839:32: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=]
  839 |                         wwpn = fcoe_wwn_from_mac(ctlr->ctl_src_addr,
      |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  840 |                                                  2, 0);
      |                                                  ~~~~~
drivers/scsi/bnx2fc/bnx2fc_fcoe.c: In function ‘bnx2fc_if_create’:
drivers/scsi/bnx2fc/bnx2fc_fcoe.c:839:32: note: referencing argument 1 of type ‘unsigned char *’
In file included from drivers/scsi/bnx2fc/bnx2fc.h:53,
                 from drivers/scsi/bnx2fc/bnx2fc_fcoe.c:17:
./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’
  252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int);
      |     ^~~~~~~~~~~~~~~~~
drivers/scsi/qedf/qedf_main.c: In function ‘__qedf_probe’:
drivers/scsi/qedf/qedf_main.c:3520:30: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=]
 3520 |                 qedf->wwnn = fcoe_wwn_from_mac(qedf->mac, 1, 0);
      |                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/qedf/qedf_main.c:3520:30: note: referencing argument 1 of type ‘unsigned char *’
In file included from drivers/scsi/qedf/qedf.h:9,
                 from drivers/scsi/qedf/qedf_main.c:23:
./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’
  252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int);
      |     ^~~~~~~~~~~~~~~~~
drivers/scsi/qedf/qedf_main.c:3521:30: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=]
 3521 |                 qedf->wwpn = fcoe_wwn_from_mac(qedf->mac, 2, 0);
      |                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/qedf/qedf_main.c:3521:30: note: referencing argument 1 of type ‘unsigned char *’
In file included from drivers/scsi/qedf/qedf.h:9,
                 from drivers/scsi/qedf/qedf_main.c:23:
./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’
  252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int);
      |     ^~~~~~~~~~~~~~~~~

by changing the array size to the correct value of ETH_ALEN in the
argument declaration.

Also, fix a couple of checkpatch warnings:
WARNING: function definition argument 'unsigned int' should also have an identifier name

This helps with the ongoing efforts to globally enable
-Wstringop-overflow.

Link: https://github.com/KSPP/linux/issues/181
Fixes: 85b4aa4926a5 ("[SCSI] fcoe: Fibre Channel over Ethernet")
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/fcoe/fcoe_ctlr.c | 2 +-
 include/scsi/libfcoe.h        | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c
index f5f3a8113bc5..5bb85b424eba 100644
--- a/drivers/scsi/fcoe/fcoe_ctlr.c
+++ b/drivers/scsi/fcoe/fcoe_ctlr.c
@@ -1945,7 +1945,7 @@ EXPORT_SYMBOL(fcoe_ctlr_recv_flogi);
  *
  * Returns: u64 fc world wide name
  */
-u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN],
+u64 fcoe_wwn_from_mac(unsigned char mac[ETH_ALEN],
 		      unsigned int scheme, unsigned int port)
 {
 	u64 wwn;
diff --git a/include/scsi/libfcoe.h b/include/scsi/libfcoe.h
index a911f993219d..ac14f3798e84 100644
--- a/include/scsi/libfcoe.h
+++ b/include/scsi/libfcoe.h
@@ -261,7 +261,8 @@ int fcoe_ctlr_recv_flogi(struct fcoe_ctlr *, struct fc_lport *,
 			 struct fc_frame *);
 
 /* libfcoe funcs */
-u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int);
+u64 fcoe_wwn_from_mac(unsigned char mac[ETH_ALEN], unsigned int scheme,
+		      unsigned int port);
 int fcoe_libfc_config(struct fc_lport *, struct fcoe_ctlr *,
 		      const struct libfc_function_template *, int init_fcp);
 u32 fcoe_fc_crc(struct fc_frame *fp);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 067/167] drivers/base/node.c: fix compaction sysfs file leak
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 066/167] scsi: fcoe: Fix Wstringop-overflow warnings in fcoe_wwn_from_mac() Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 068/167] powerpc/8xx: export cpm_setbrg for modules Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaohe Lin, Rafael J. Wysocki,
	Mel Gorman, Minchan Kim, KAMEZAWA Hiroyuki, KOSAKI Motohiro,
	Andrew Morton, Sasha Levin

From: Miaohe Lin <linmiaohe@huawei.com>

[ Upstream commit da63dc84befaa9e6079a0bc363ff0eaa975f9073 ]

Compaction sysfs file is created via compaction_register_node in
register_node.  But we forgot to remove it in unregister_node.  Thus
compaction sysfs file is leaked.  Using compaction_unregister_node to fix
this issue.

Link: https://lkml.kernel.org/r/20220401070905.43679-1-linmiaohe@huawei.com
Fixes: ed4a6d7f0676 ("mm: compaction: add /sys trigger for per-node memory compaction")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Rafael J. Wysocki <rafael@kernel.org>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Minchan Kim <minchan.kim@gmail.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/node.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/base/node.c b/drivers/base/node.c
index 5548f9686016..7f9126633080 100644
--- a/drivers/base/node.c
+++ b/drivers/base/node.c
@@ -315,6 +315,7 @@ static int register_node(struct node *node, int num, struct node *parent)
  */
 void unregister_node(struct node *node)
 {
+	compaction_unregister_node(node);
 	hugetlb_unregister_node(node);		/* no-op, if memoryless node */
 
 	device_unregister(&node->dev);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 068/167] powerpc/8xx: export cpm_setbrg for modules
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 067/167] drivers/base/node.c: fix compaction sysfs file leak Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 069/167] powerpc/idle: Fix return value of __setup() handler Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, kernel test robot,
	Christophe Leroy, Michael Ellerman, Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit 22f8e625ebabd7ed3185b82b44b4f12fc0402113 ]

Fix missing export for a loadable module build:

ERROR: modpost: "cpm_setbrg" [drivers/tty/serial/cpm_uart/cpm_uart.ko] undefined!

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: kernel test robot <lkp@intel.com>
[chleroy: Changed Fixes: tag]
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20210122010819.30986-1-rdunlap@infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/sysdev/cpm1.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/powerpc/sysdev/cpm1.c b/arch/powerpc/sysdev/cpm1.c
index 986cd111d4df..8f2dc4ea9376 100644
--- a/arch/powerpc/sysdev/cpm1.c
+++ b/arch/powerpc/sysdev/cpm1.c
@@ -290,6 +290,7 @@ cpm_setbrg(uint brg, uint rate)
 		out_be32(bp, (((BRG_UART_CLK_DIV16 / rate) - 1) << 1) |
 			      CPM_BRG_EN | CPM_BRG_DIV16);
 }
+EXPORT_SYMBOL(cpm_setbrg);
 
 struct cpm_ioport16 {
 	__be16 dir, par, odr_sor, dat, intr;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 069/167] powerpc/idle: Fix return value of __setup() handler
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 068/167] powerpc/8xx: export cpm_setbrg for modules Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 070/167] powerpc/4xx/cpm: " Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Igor Zhbanov, Randy Dunlap,
	Michael Ellerman, Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit b793a01000122d2bd133ba451a76cc135b5e162c ]

__setup() handlers should return 1 to obsolete_checksetup() in
init/main.c to indicate that the boot option has been handled.

A return of 0 causes the boot option/value to be listed as an Unknown
kernel parameter and added to init's (limited) argument or environment
strings.

Also, error return codes don't mean anything to obsolete_checksetup() --
only non-zero (usually 1) or zero. So return 1 from powersave_off().

Fixes: 302eca184fb8 ("[POWERPC] cell: use ppc_md->power_save instead of cbe_idle_loop")
Reported-by: Igor Zhbanov <izh1979@gmail.com>
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220502192925.19954-1-rdunlap@infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/kernel/idle.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/idle.c b/arch/powerpc/kernel/idle.c
index d7216c9abda1..ca79aacfeda2 100644
--- a/arch/powerpc/kernel/idle.c
+++ b/arch/powerpc/kernel/idle.c
@@ -41,7 +41,7 @@ static int __init powersave_off(char *arg)
 {
 	ppc_md.power_save = NULL;
 	cpuidle_disable = IDLE_POWERSAVE_OFF;
-	return 0;
+	return 1;
 }
 __setup("powersave=off", powersave_off);
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 070/167] powerpc/4xx/cpm: Fix return value of __setup() handler
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 069/167] powerpc/idle: Fix return value of __setup() handler Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 071/167] tty: fix deadlock caused by calling printk() under tty_port->lock Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Igor Zhbanov, Randy Dunlap,
	Michael Ellerman, Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit 5bb99fd4090fe1acfdb90a97993fcda7f8f5a3d6 ]

__setup() handlers should return 1 to obsolete_checksetup() in
init/main.c to indicate that the boot option has been handled.

A return of 0 causes the boot option/value to be listed as an Unknown
kernel parameter and added to init's (limited) argument or environment
strings.

Also, error return codes don't mean anything to obsolete_checksetup() --
only non-zero (usually 1) or zero. So return 1 from cpm_powersave_off().

Fixes: d164f6d4f910 ("powerpc/4xx: Add suspend and idle support")
Reported-by: Igor Zhbanov <izh1979@gmail.com>
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220502192941.20955-1-rdunlap@infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/sysdev/ppc4xx_cpm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/sysdev/ppc4xx_cpm.c b/arch/powerpc/sysdev/ppc4xx_cpm.c
index ba95adf81d8d..05047cf32dbb 100644
--- a/arch/powerpc/sysdev/ppc4xx_cpm.c
+++ b/arch/powerpc/sysdev/ppc4xx_cpm.c
@@ -341,6 +341,6 @@ late_initcall(cpm_init);
 static int __init cpm_powersave_off(char *arg)
 {
 	cpm.powersave_off = 1;
-	return 0;
+	return 1;
 }
 __setup("powersave=off", cpm_powersave_off);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 071/167] tty: fix deadlock caused by calling printk() under tty_port->lock
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 070/167] powerpc/4xx/cpm: " Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 072/167] Input: sparcspkr - fix refcount leak in bbc_beep_probe Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qi Zheng, Jiri Slaby, Akinobu Mita,
	Vlastimil Babka, Steven Rostedt (Google),
	Andrew Morton, Sasha Levin

From: Qi Zheng <zhengqi.arch@bytedance.com>

[ Upstream commit 6b9dbedbe3499fef862c4dff5217cf91f34e43b3 ]

pty_write() invokes kmalloc() which may invoke a normal printk() to print
failure message.  This can cause a deadlock in the scenario reported by
syz-bot below:

       CPU0              CPU1                    CPU2
       ----              ----                    ----
                         lock(console_owner);
                                                 lock(&port_lock_key);
  lock(&port->lock);
                         lock(&port_lock_key);
                                                 lock(&port->lock);
  lock(console_owner);

As commit dbdda842fe96 ("printk: Add console owner and waiter logic to
load balance console writes") said, such deadlock can be prevented by
using printk_deferred() in kmalloc() (which is invoked in the section
guarded by the port->lock).  But there are too many printk() on the
kmalloc() path, and kmalloc() can be called from anywhere, so changing
printk() to printk_deferred() is too complicated and inelegant.

Therefore, this patch chooses to specify __GFP_NOWARN to kmalloc(), so
that printk() will not be called, and this deadlock problem can be
avoided.

Syzbot reported the following lockdep error:

======================================================
WARNING: possible circular locking dependency detected
5.4.143-00237-g08ccc19a-dirty #10 Not tainted
------------------------------------------------------
syz-executor.4/29420 is trying to acquire lock:
ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1752 [inline]
ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: vprintk_emit+0x2ca/0x470 kernel/printk/printk.c:2023

but task is already holding lock:
ffff8880119c9158 (&port->lock){-.-.}-{2:2}, at: pty_write+0xf4/0x1f0 drivers/tty/pty.c:120

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&port->lock){-.-.}-{2:2}:
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
       tty_port_tty_get drivers/tty/tty_port.c:288 [inline]          		<-- lock(&port->lock);
       tty_port_default_wakeup+0x1d/0xb0 drivers/tty/tty_port.c:47
       serial8250_tx_chars+0x530/0xa80 drivers/tty/serial/8250/8250_port.c:1767
       serial8250_handle_irq.part.0+0x31f/0x3d0 drivers/tty/serial/8250/8250_port.c:1854
       serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1827 [inline] 	<-- lock(&port_lock_key);
       serial8250_default_handle_irq+0xb2/0x220 drivers/tty/serial/8250/8250_port.c:1870
       serial8250_interrupt+0xfd/0x200 drivers/tty/serial/8250/8250_core.c:126
       __handle_irq_event_percpu+0x109/0xa50 kernel/irq/handle.c:156
       [...]

-> #1 (&port_lock_key){-.-.}-{2:2}:
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
       serial8250_console_write+0x184/0xa40 drivers/tty/serial/8250/8250_port.c:3198
										<-- lock(&port_lock_key);
       call_console_drivers kernel/printk/printk.c:1819 [inline]
       console_unlock+0x8cb/0xd00 kernel/printk/printk.c:2504
       vprintk_emit+0x1b5/0x470 kernel/printk/printk.c:2024			<-- lock(console_owner);
       vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394
       printk+0xba/0xed kernel/printk/printk.c:2084
       register_console+0x8b3/0xc10 kernel/printk/printk.c:2829
       univ8250_console_init+0x3a/0x46 drivers/tty/serial/8250/8250_core.c:681
       console_init+0x49d/0x6d3 kernel/printk/printk.c:2915
       start_kernel+0x5e9/0x879 init/main.c:713
       secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241

-> #0 (console_owner){....}-{0:0}:
       [...]
       lock_acquire+0x127/0x340 kernel/locking/lockdep.c:4734
       console_trylock_spinning kernel/printk/printk.c:1773 [inline]		<-- lock(console_owner);
       vprintk_emit+0x307/0x470 kernel/printk/printk.c:2023
       vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394
       printk+0xba/0xed kernel/printk/printk.c:2084
       fail_dump lib/fault-inject.c:45 [inline]
       should_fail+0x67b/0x7c0 lib/fault-inject.c:144
       __should_failslab+0x152/0x1c0 mm/failslab.c:33
       should_failslab+0x5/0x10 mm/slab_common.c:1224
       slab_pre_alloc_hook mm/slab.h:468 [inline]
       slab_alloc_node mm/slub.c:2723 [inline]
       slab_alloc mm/slub.c:2807 [inline]
       __kmalloc+0x72/0x300 mm/slub.c:3871
       kmalloc include/linux/slab.h:582 [inline]
       tty_buffer_alloc+0x23f/0x2a0 drivers/tty/tty_buffer.c:175
       __tty_buffer_request_room+0x156/0x2a0 drivers/tty/tty_buffer.c:273
       tty_insert_flip_string_fixed_flag+0x93/0x250 drivers/tty/tty_buffer.c:318
       tty_insert_flip_string include/linux/tty_flip.h:37 [inline]
       pty_write+0x126/0x1f0 drivers/tty/pty.c:122				<-- lock(&port->lock);
       n_tty_write+0xa7a/0xfc0 drivers/tty/n_tty.c:2356
       do_tty_write drivers/tty/tty_io.c:961 [inline]
       tty_write+0x512/0x930 drivers/tty/tty_io.c:1045
       __vfs_write+0x76/0x100 fs/read_write.c:494
       [...]

other info that might help us debug this:

Chain exists of:
  console_owner --> &port_lock_key --> &port->lock

Link: https://lkml.kernel.org/r/20220511061951.1114-2-zhengqi.arch@bytedance.com
Link: https://lkml.kernel.org/r/20220510113809.80626-2-zhengqi.arch@bytedance.com
Fixes: b6da31b2c07c ("tty: Fix data race in tty_insert_flip_string_fixed_flag")
Signed-off-by: Qi Zheng <zhengqi.arch@bytedance.com>
Acked-by: Jiri Slaby <jirislaby@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Akinobu Mita <akinobu.mita@gmail.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/tty_buffer.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
index dfccc102c1dd..e65faa98146e 100644
--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -166,7 +166,8 @@ static struct tty_buffer *tty_buffer_alloc(struct tty_port *port, size_t size)
 	   have queued and recycle that ? */
 	if (atomic_read(&port->buf.mem_used) > port->buf.mem_limit)
 		return NULL;
-	p = kmalloc(sizeof(struct tty_buffer) + 2 * size, GFP_ATOMIC);
+	p = kmalloc(sizeof(struct tty_buffer) + 2 * size,
+		    GFP_ATOMIC | __GFP_NOWARN);
 	if (p == NULL)
 		return NULL;
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 072/167] Input: sparcspkr - fix refcount leak in bbc_beep_probe
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 071/167] tty: fix deadlock caused by calling printk() under tty_port->lock Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 073/167] video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaoqian Lin, Dmitry Torokhov, Sasha Levin

From: Miaoqian Lin <linmq006@gmail.com>

[ Upstream commit c8994b30d71d64d5dcc9bc0edbfdf367171aa96f ]

of_find_node_by_path() calls of_find_node_opts_by_path(),
which returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
Add missing of_node_put() to avoid refcount leak.

Fixes: 9c1a5077fdca ("input: Rewrite sparcspkr device probing.")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20220516081018.42728-1-linmq006@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/input/misc/sparcspkr.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/input/misc/sparcspkr.c b/drivers/input/misc/sparcspkr.c
index 4a5afc7fe96e..f6e1f38267d9 100644
--- a/drivers/input/misc/sparcspkr.c
+++ b/drivers/input/misc/sparcspkr.c
@@ -204,6 +204,7 @@ static int bbc_beep_probe(struct platform_device *op)
 
 	info = &state->u.bbc;
 	info->clock_freq = of_getintprop_default(dp, "clock-frequency", 0);
+	of_node_put(dp);
 	if (!info->clock_freq)
 		goto out_free;
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 073/167] video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 072/167] Input: sparcspkr - fix refcount leak in bbc_beep_probe Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 074/167] iommu/amd: Increase timeout waiting for GA log enablement Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaoqian Lin, Helge Deller, Sasha Levin

From: Miaoqian Lin <linmq006@gmail.com>

[ Upstream commit b23789a59fa6f00e98a319291819f91fbba0deb8 ]

of_parse_phandle() returns a node pointer with refcount incremented, we should
use of_node_put() on it when not need anymore.  Add missing of_node_put() to
avoid refcount leak.

Fixes: d10715be03bd ("video: ARM CLCD: Add DT support")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/amba-clcd.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/amba-clcd.c b/drivers/video/fbdev/amba-clcd.c
index 89880b70cc28..ca3707e59633 100644
--- a/drivers/video/fbdev/amba-clcd.c
+++ b/drivers/video/fbdev/amba-clcd.c
@@ -849,12 +849,15 @@ static int clcdfb_of_vram_setup(struct clcd_fb *fb)
 		return -ENODEV;
 
 	fb->fb.screen_base = of_iomap(memory, 0);
-	if (!fb->fb.screen_base)
+	if (!fb->fb.screen_base) {
+		of_node_put(memory);
 		return -ENOMEM;
+	}
 
 	fb->fb.fix.smem_start = of_translate_address(memory,
 			of_get_address(memory, 0, &size, NULL));
 	fb->fb.fix.smem_len = size;
+	of_node_put(memory);
 
 	return 0;
 }
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 074/167] iommu/amd: Increase timeout waiting for GA log enablement
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 073/167] video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 075/167] wifi: mac80211: fix use-after-free in chanctx code Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, D. Ziegfeld, Jörg-Volker Peetz,
	Joerg Roedel, Sasha Levin

From: Joerg Roedel <jroedel@suse.de>

[ Upstream commit 42bb5aa043382f09bef2cc33b8431be867c70f8e ]

On some systems it can take a long time for the hardware to enable the
GA log of the AMD IOMMU. The current wait time is only 0.1ms, but
testing showed that it can take up to 14ms for the GA log to enter
running state after it has been enabled.

Sometimes the long delay happens when booting the system, sometimes
only on resume. Adjust the timeout accordingly to not print a warning
when hardware takes a longer than usual.

There has already been an attempt to fix this with commit

	9b45a7738eec ("iommu/amd: Fix loop timeout issue in iommu_ga_log_enable()")

But that commit was based on some wrong math and did not fix the issue
in all cases.

Cc: "D. Ziegfeld" <dzigg@posteo.de>
Cc: Jörg-Volker Peetz <jvpeetz@web.de>
Fixes: 8bda0cfbdc1a ("iommu/amd: Detect and initialize guest vAPIC log")
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Link: https://lore.kernel.org/r/20220520102214.12563-1-joro@8bytes.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/amd_iommu_init.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iommu/amd_iommu_init.c
+++ b/drivers/iommu/amd_iommu_init.c
@@ -86,7 +86,7 @@
 #define ACPI_DEVFLAG_LINT1              0x80
 #define ACPI_DEVFLAG_ATSDIS             0x10000000
 
-#define LOOP_TIMEOUT	100000
+#define LOOP_TIMEOUT	2000000
 /*
  * ACPI table definitions
  *



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 075/167] wifi: mac80211: fix use-after-free in chanctx code
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 074/167] iommu/amd: Increase timeout waiting for GA log enablement Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 076/167] iwlwifi: mvm: fix assert 1F04 upon reconfig Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johannes Berg, Kalle Valo

From: Johannes Berg <johannes.berg@intel.com>

commit 2965c4cdf7ad9ce0796fac5e57debb9519ea721e upstream.

In ieee80211_vif_use_reserved_context(), when we have an
old context and the new context's replace_state is set to
IEEE80211_CHANCTX_REPLACE_NONE, we free the old context
in ieee80211_vif_use_reserved_reassign(). Therefore, we
cannot check the old_ctx anymore, so we should set it to
NULL after this point.

However, since the new_ctx replace state is clearly not
IEEE80211_CHANCTX_REPLACES_OTHER, we're not going to do
anything else in this function and can just return to
avoid accessing the freed old_ctx.

Cc: stable@vger.kernel.org
Fixes: 5bcae31d9cb1 ("mac80211: implement multi-vif in-place reservations")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220601091926.df419d91b165.I17a9b3894ff0b8323ce2afdb153b101124c821e5@changeid
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/chan.c |    7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -1640,12 +1640,9 @@ int ieee80211_vif_use_reserved_context(s
 
 	if (new_ctx->replace_state == IEEE80211_CHANCTX_REPLACE_NONE) {
 		if (old_ctx)
-			err = ieee80211_vif_use_reserved_reassign(sdata);
-		else
-			err = ieee80211_vif_use_reserved_assign(sdata);
+			return ieee80211_vif_use_reserved_reassign(sdata);
 
-		if (err)
-			return err;
+		return ieee80211_vif_use_reserved_assign(sdata);
 	}
 
 	/*



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 076/167] iwlwifi: mvm: fix assert 1F04 upon reconfig
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 075/167] wifi: mac80211: fix use-after-free in chanctx code Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 077/167] fs-writeback: writeback_sb_inodes:Recalculate wrote according skipped pages Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Emmanuel Grumbach, Gregory Greenman,
	Johannes Berg

From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

commit 9d096e3d3061dbf4ee10e2b59fc2c06e05bdb997 upstream.

When we reconfig we must not send the MAC_POWER command that relates to
a MAC that was not yet added to the firmware.

Ignore those in the iterator.

Cc: stable@vger.kernel.org
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20220517120044.ed2ffc8ce732.If786e19512d0da4334a6382ea6148703422c7d7b@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/intel/iwlwifi/mvm/power.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/wireless/intel/iwlwifi/mvm/power.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/power.c
@@ -612,6 +612,9 @@ static void iwl_mvm_power_get_vifs_itera
 	struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
 	struct iwl_power_vifs *power_iterator = _data;
 
+	if (!mvmvif->uploaded)
+		return;
+
 	switch (ieee80211_vif_type_p2p(vif)) {
 	case NL80211_IFTYPE_P2P_DEVICE:
 		break;



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 077/167] fs-writeback: writeback_sb_inodes:Recalculate wrote according skipped pages
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 076/167] iwlwifi: mvm: fix assert 1F04 upon reconfig Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 078/167] ext4: fix use-after-free in ext4_rename_dir_prepare Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhihao Cheng, Jan Kara,
	Christoph Hellwig, Jens Axboe

From: Zhihao Cheng <chengzhihao1@huawei.com>

commit 68f4c6eba70df70a720188bce95c85570ddfcc87 upstream.

Commit 505a666ee3fc ("writeback: plug writeback in wb_writeback() and
writeback_inodes_wb()") has us holding a plug during wb_writeback, which
may cause a potential ABBA dead lock:

    wb_writeback		fat_file_fsync
blk_start_plug(&plug)
for (;;) {
  iter i-1: some reqs have been added into plug->mq_list  // LOCK A
  iter i:
    progress = __writeback_inodes_wb(wb, work)
    . writeback_sb_inodes // fat's bdev
    .   __writeback_single_inode
    .   . generic_writepages
    .   .   __block_write_full_page
    .   .   . . 	    __generic_file_fsync
    .   .   . . 	      sync_inode_metadata
    .   .   . . 	        writeback_single_inode
    .   .   . . 		  __writeback_single_inode
    .   .   . . 		    fat_write_inode
    .   .   . . 		      __fat_write_inode
    .   .   . . 		        sync_dirty_buffer	// fat's bdev
    .   .   . . 			  lock_buffer(bh)	// LOCK B
    .   .   . . 			    submit_bh
    .   .   . . 			      blk_mq_get_tag	// LOCK A
    .   .   . trylock_buffer(bh)  // LOCK B
    .   .   .   redirty_page_for_writepage
    .   .   .     wbc->pages_skipped++
    .   .   --wbc->nr_to_write
    .   wrote += write_chunk - wbc.nr_to_write  // wrote > 0
    .   requeue_inode
    .     redirty_tail_locked
    if (progress)    // progress > 0
      continue;
  iter i+1:
      queue_io
      // similar process with iter i, infinite for-loop !
}
blk_finish_plug(&plug)   // flush plug won't be called

Above process triggers a hungtask like:
[  399.044861] INFO: task bb:2607 blocked for more than 30 seconds.
[  399.046824]       Not tainted 5.18.0-rc1-00005-gefae4d9eb6a2-dirty
[  399.051539] task:bb              state:D stack:    0 pid: 2607 ppid:
2426 flags:0x00004000
[  399.051556] Call Trace:
[  399.051570]  __schedule+0x480/0x1050
[  399.051592]  schedule+0x92/0x1a0
[  399.051602]  io_schedule+0x22/0x50
[  399.051613]  blk_mq_get_tag+0x1d3/0x3c0
[  399.051640]  __blk_mq_alloc_requests+0x21d/0x3f0
[  399.051657]  blk_mq_submit_bio+0x68d/0xca0
[  399.051674]  __submit_bio+0x1b5/0x2d0
[  399.051708]  submit_bio_noacct+0x34e/0x720
[  399.051718]  submit_bio+0x3b/0x150
[  399.051725]  submit_bh_wbc+0x161/0x230
[  399.051734]  __sync_dirty_buffer+0xd1/0x420
[  399.051744]  sync_dirty_buffer+0x17/0x20
[  399.051750]  __fat_write_inode+0x289/0x310
[  399.051766]  fat_write_inode+0x2a/0xa0
[  399.051783]  __writeback_single_inode+0x53c/0x6f0
[  399.051795]  writeback_single_inode+0x145/0x200
[  399.051803]  sync_inode_metadata+0x45/0x70
[  399.051856]  __generic_file_fsync+0xa3/0x150
[  399.051880]  fat_file_fsync+0x1d/0x80
[  399.051895]  vfs_fsync_range+0x40/0xb0
[  399.051929]  __x64_sys_fsync+0x18/0x30

In my test, 'need_resched()' (which is imported by 590dca3a71 "fs-writeback:
unplug before cond_resched in writeback_sb_inodes") in function
'writeback_sb_inodes()' seldom comes true, unless cond_resched() is deleted
from write_cache_pages().

Fix it by correcting wrote number according number of skipped pages
in writeback_sb_inodes().

Goto Link to find a reproducer.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=215837
Cc: stable@vger.kernel.org # v4.3
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20220510133805.1988292-1-chengzhihao1@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fs-writeback.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -1569,11 +1569,12 @@ static long writeback_sb_inodes(struct s
 	};
 	unsigned long start_time = jiffies;
 	long write_chunk;
-	long wrote = 0;  /* count both pages and inodes */
+	long total_wrote = 0;  /* count both pages and inodes */
 
 	while (!list_empty(&wb->b_io)) {
 		struct inode *inode = wb_inode(wb->b_io.prev);
 		struct bdi_writeback *tmp_wb;
+		long wrote;
 
 		if (inode->i_sb != sb) {
 			if (work->sb) {
@@ -1649,7 +1650,9 @@ static long writeback_sb_inodes(struct s
 
 		wbc_detach_inode(&wbc);
 		work->nr_pages -= write_chunk - wbc.nr_to_write;
-		wrote += write_chunk - wbc.nr_to_write;
+		wrote = write_chunk - wbc.nr_to_write - wbc.pages_skipped;
+		wrote = wrote < 0 ? 0 : wrote;
+		total_wrote += wrote;
 
 		if (need_resched()) {
 			/*
@@ -1671,7 +1674,7 @@ static long writeback_sb_inodes(struct s
 		tmp_wb = inode_to_wb_and_lock_list(inode);
 		spin_lock(&inode->i_lock);
 		if (!(inode->i_state & I_DIRTY_ALL))
-			wrote++;
+			total_wrote++;
 		requeue_inode(inode, tmp_wb, &wbc);
 		inode_sync_complete(inode);
 		spin_unlock(&inode->i_lock);
@@ -1685,14 +1688,14 @@ static long writeback_sb_inodes(struct s
 		 * bail out to wb_writeback() often enough to check
 		 * background threshold and other termination conditions.
 		 */
-		if (wrote) {
+		if (total_wrote) {
 			if (time_is_before_jiffies(start_time + HZ / 10UL))
 				break;
 			if (work->nr_pages <= 0)
 				break;
 		}
 	}
-	return wrote;
+	return total_wrote;
 }
 
 static long __writeback_inodes_wb(struct bdi_writeback *wb,



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 078/167] ext4: fix use-after-free in ext4_rename_dir_prepare
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 077/167] fs-writeback: writeback_sb_inodes:Recalculate wrote according skipped pages Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 079/167] ext4: fix bug_on in ext4_writepages Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ye Bin, Jan Kara, Theodore Tso, stable

From: Ye Bin <yebin10@huawei.com>

commit 0be698ecbe4471fcad80e81ec6a05001421041b3 upstream.

We got issue as follows:
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
ext4_get_first_dir_block: bh->b_data=0xffff88810bee6000 len=34478
ext4_get_first_dir_block: *parent_de=0xffff88810beee6ae bh->b_data=0xffff88810bee6000
ext4_rename_dir_prepare: [1] parent_de=0xffff88810beee6ae
==================================================================
BUG: KASAN: use-after-free in ext4_rename_dir_prepare+0x152/0x220
Read of size 4 at addr ffff88810beee6ae by task rep/1895

CPU: 13 PID: 1895 Comm: rep Not tainted 5.10.0+ #241
Call Trace:
 dump_stack+0xbe/0xf9
 print_address_description.constprop.0+0x1e/0x220
 kasan_report.cold+0x37/0x7f
 ext4_rename_dir_prepare+0x152/0x220
 ext4_rename+0xf44/0x1ad0
 ext4_rename2+0x11c/0x170
 vfs_rename+0xa84/0x1440
 do_renameat2+0x683/0x8f0
 __x64_sys_renameat+0x53/0x60
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f45a6fc41c9
RSP: 002b:00007ffc5a470218 EFLAGS: 00000246 ORIG_RAX: 0000000000000108
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f45a6fc41c9
RDX: 0000000000000005 RSI: 0000000020000180 RDI: 0000000000000005
RBP: 00007ffc5a470240 R08: 00007ffc5a470160 R09: 0000000020000080
R10: 00000000200001c0 R11: 0000000000000246 R12: 0000000000400bb0
R13: 00007ffc5a470320 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:00000000440015ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x10beee
flags: 0x200000000000000()
raw: 0200000000000000 ffffea00043ff4c8 ffffea0004325608 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88810beee580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88810beee600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88810beee680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                  ^
 ffff88810beee700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88810beee780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Disabling lock debugging due to kernel taint
ext4_rename_dir_prepare: [2] parent_de->inode=3537895424
ext4_rename_dir_prepare: [3] dir=0xffff888124170140
ext4_rename_dir_prepare: [4] ino=2
ext4_rename_dir_prepare: ent->dir->i_ino=2 parent=-757071872

Reason is first directory entry which 'rec_len' is 34478, then will get illegal
parent entry. Now, we do not check directory entry after read directory block
in 'ext4_get_first_dir_block'.
To solve this issue, check directory entry in 'ext4_get_first_dir_block'.

[ Trigger an ext4_error() instead of just warning if the directory is
  missing a '.' or '..' entry.   Also make sure we return an error code
  if the file system is corrupted.  -TYT ]

Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220414025223.4113128-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/namei.c |   30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -3318,6 +3318,9 @@ static struct buffer_head *ext4_get_firs
 	struct buffer_head *bh;
 
 	if (!ext4_has_inline_data(inode)) {
+		struct ext4_dir_entry_2 *de;
+		unsigned int offset;
+
 		/* The first directory block must not be a hole, so
 		 * treat it as DIRENT_HTREE
 		 */
@@ -3326,9 +3329,30 @@ static struct buffer_head *ext4_get_firs
 			*retval = PTR_ERR(bh);
 			return NULL;
 		}
-		*parent_de = ext4_next_entry(
-					(struct ext4_dir_entry_2 *)bh->b_data,
-					inode->i_sb->s_blocksize);
+
+		de = (struct ext4_dir_entry_2 *) bh->b_data;
+		if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data,
+					 bh->b_size, 0) ||
+		    le32_to_cpu(de->inode) != inode->i_ino ||
+		    strcmp(".", de->name)) {
+			EXT4_ERROR_INODE(inode, "directory missing '.'");
+			brelse(bh);
+			*retval = -EFSCORRUPTED;
+			return NULL;
+		}
+		offset = ext4_rec_len_from_disk(de->rec_len,
+						inode->i_sb->s_blocksize);
+		de = ext4_next_entry(de, inode->i_sb->s_blocksize);
+		if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data,
+					 bh->b_size, offset) ||
+		    le32_to_cpu(de->inode) == 0 || strcmp("..", de->name)) {
+			EXT4_ERROR_INODE(inode, "directory missing '..'");
+			brelse(bh);
+			*retval = -EFSCORRUPTED;
+			return NULL;
+		}
+		*parent_de = de;
+
 		return bh;
 	}
 



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 079/167] ext4: fix bug_on in ext4_writepages
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 078/167] ext4: fix use-after-free in ext4_rename_dir_prepare Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 080/167] ext4: verify dir block before splitting it Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, Ye Bin, Jan Kara, Theodore Tso

From: Ye Bin <yebin10@huawei.com>

commit ef09ed5d37b84d18562b30cf7253e57062d0db05 upstream.

we got issue as follows:
EXT4-fs error (device loop0): ext4_mb_generate_buddy:1141: group 0, block bitmap and bg descriptor inconsistent: 25 vs 31513 free cls
------------[ cut here ]------------
kernel BUG at fs/ext4/inode.c:2708!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 2 PID: 2147 Comm: rep Not tainted 5.18.0-rc2-next-20220413+ #155
RIP: 0010:ext4_writepages+0x1977/0x1c10
RSP: 0018:ffff88811d3e7880 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88811c098000
RDX: 0000000000000000 RSI: ffff88811c098000 RDI: 0000000000000002
RBP: ffff888128140f50 R08: ffffffffb1ff6387 R09: 0000000000000000
R10: 0000000000000007 R11: ffffed10250281ea R12: 0000000000000001
R13: 00000000000000a4 R14: ffff88811d3e7bb8 R15: ffff888128141028
FS:  00007f443aed9740(0000) GS:ffff8883aef00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020007200 CR3: 000000011c2a4000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 do_writepages+0x130/0x3a0
 filemap_fdatawrite_wbc+0x83/0xa0
 filemap_flush+0xab/0xe0
 ext4_alloc_da_blocks+0x51/0x120
 __ext4_ioctl+0x1534/0x3210
 __x64_sys_ioctl+0x12c/0x170
 do_syscall_64+0x3b/0x90

It may happen as follows:
1. write inline_data inode
vfs_write
  new_sync_write
    ext4_file_write_iter
      ext4_buffered_write_iter
        generic_perform_write
          ext4_da_write_begin
            ext4_da_write_inline_data_begin -> If inline data size too
            small will allocate block to write, then mapping will has
            dirty page
                ext4_da_convert_inline_data_to_extent ->clear EXT4_STATE_MAY_INLINE_DATA
2. fallocate
do_vfs_ioctl
  ioctl_preallocate
    vfs_fallocate
      ext4_fallocate
        ext4_convert_inline_data
          ext4_convert_inline_data_nolock
            ext4_map_blocks -> fail will goto restore data
            ext4_restore_inline_data
              ext4_create_inline_data
              ext4_write_inline_data
              ext4_set_inode_state -> set inode EXT4_STATE_MAY_INLINE_DATA
3. writepages
__ext4_ioctl
  ext4_alloc_da_blocks
    filemap_flush
      filemap_fdatawrite_wbc
        do_writepages
          ext4_writepages
            if (ext4_has_inline_data(inode))
              BUG_ON(ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))

The root cause of this issue is we destory inline data until call
ext4_writepages under delay allocation mode.  But there maybe already
convert from inline to extent.  To solve this issue, we call
filemap_flush first..

Cc: stable@kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220516122634.1690462-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/inline.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1984,6 +1984,18 @@ int ext4_convert_inline_data(struct inod
 	if (!ext4_has_inline_data(inode)) {
 		ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
 		return 0;
+	} else if (!ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)) {
+		/*
+		 * Inode has inline data but EXT4_STATE_MAY_INLINE_DATA is
+		 * cleared. This means we are in the middle of moving of
+		 * inline data to delay allocated block. Just force writeout
+		 * here to finish conversion.
+		 */
+		error = filemap_flush(inode->i_mapping);
+		if (error)
+			return error;
+		if (!ext4_has_inline_data(inode))
+			return 0;
 	}
 
 	needed_blocks = ext4_writepage_trans_blocks(inode);



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 080/167] ext4: verify dir block before splitting it
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 079/167] ext4: fix bug_on in ext4_writepages Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 081/167] dlm: fix plock invalid read Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jan Kara, Theodore Tso

From: Jan Kara <jack@suse.cz>

commit 46c116b920ebec58031f0a78c5ea9599b0d2a371 upstream.

Before splitting a directory block verify its directory entries are sane
so that the splitting code does not access memory it should not.

Cc: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220518093332.13986-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/namei.c |   32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -270,9 +270,9 @@ static struct dx_frame *dx_probe(struct
 				 struct dx_hash_info *hinfo,
 				 struct dx_frame *frame);
 static void dx_release(struct dx_frame *frames);
-static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de,
-		       unsigned blocksize, struct dx_hash_info *hinfo,
-		       struct dx_map_entry map[]);
+static int dx_make_map(struct inode *dir, struct buffer_head *bh,
+		       struct dx_hash_info *hinfo,
+		       struct dx_map_entry *map_tail);
 static void dx_sort_map(struct dx_map_entry *map, unsigned count);
 static struct ext4_dir_entry_2 *dx_move_dirents(char *from, char *to,
 		struct dx_map_entry *offsets, int count, unsigned blocksize);
@@ -1185,15 +1185,23 @@ static inline int search_dirblock(struct
  * Create map of hash values, offsets, and sizes, stored at end of block.
  * Returns number of entries mapped.
  */
-static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de,
-		       unsigned blocksize, struct dx_hash_info *hinfo,
+static int dx_make_map(struct inode *dir, struct buffer_head *bh,
+		       struct dx_hash_info *hinfo,
 		       struct dx_map_entry *map_tail)
 {
 	int count = 0;
-	char *base = (char *) de;
+	struct ext4_dir_entry_2 *de = (struct ext4_dir_entry_2 *)bh->b_data;
+	unsigned int buflen = bh->b_size;
+	char *base = bh->b_data;
 	struct dx_hash_info h = *hinfo;
 
-	while ((char *) de < base + blocksize) {
+	if (ext4_has_metadata_csum(dir->i_sb))
+		buflen -= sizeof(struct ext4_dir_entry_tail);
+
+	while ((char *) de < base + buflen) {
+		if (ext4_check_dir_entry(dir, NULL, de, bh, base, buflen,
+					 ((char *)de) - base))
+			return -EFSCORRUPTED;
 		if (de->name_len && de->inode) {
 			ext4fs_dirhash(de->name, de->name_len, &h);
 			map_tail--;
@@ -1203,8 +1211,7 @@ static int dx_make_map(struct inode *dir
 			count++;
 			cond_resched();
 		}
-		/* XXX: do we need to check rec_len == 0 case? -Chris */
-		de = ext4_next_entry(de, blocksize);
+		de = ext4_next_entry(de, dir->i_sb->s_blocksize);
 	}
 	return count;
 }
@@ -1755,8 +1762,11 @@ static struct ext4_dir_entry_2 *do_split
 
 	/* create map in the end of data2 block */
 	map = (struct dx_map_entry *) (data2 + blocksize);
-	count = dx_make_map(dir, (struct ext4_dir_entry_2 *) data1,
-			     blocksize, hinfo, map);
+	count = dx_make_map(dir, *bh, hinfo, map);
+	if (count < 0) {
+		err = count;
+		goto journal_error;
+	}
 	map -= count;
 	dx_sort_map(map, count);
 	/* Ensure that neither split block is over half full */



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 081/167] dlm: fix plock invalid read
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 080/167] ext4: verify dir block before splitting it Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 082/167] dlm: fix missing lkb refcount handling Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andreas Gruenbacher, Alexander Aring,
	David Teigland

From: Alexander Aring <aahringo@redhat.com>

commit 42252d0d2aa9b94d168241710a761588b3959019 upstream.

This patch fixes an invalid read showed by KASAN. A unlock will allocate a
"struct plock_op" and a followed send_op() will append it to a global
send_list data structure. In some cases a followed dev_read() moves it
to recv_list and dev_write() will cast it to "struct plock_xop" and access
fields which are only available in those structures. At this point an
invalid read happens by accessing those fields.

To fix this issue the "callback" field is moved to "struct plock_op" to
indicate that a cast to "plock_xop" is allowed and does the additional
"plock_xop" handling if set.

Example of the KASAN output which showed the invalid read:

[ 2064.296453] ==================================================================
[ 2064.304852] BUG: KASAN: slab-out-of-bounds in dev_write+0x52b/0x5a0 [dlm]
[ 2064.306491] Read of size 8 at addr ffff88800ef227d8 by task dlm_controld/7484
[ 2064.308168]
[ 2064.308575] CPU: 0 PID: 7484 Comm: dlm_controld Kdump: loaded Not tainted 5.14.0+ #9
[ 2064.310292] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 2064.311618] Call Trace:
[ 2064.312218]  dump_stack_lvl+0x56/0x7b
[ 2064.313150]  print_address_description.constprop.8+0x21/0x150
[ 2064.314578]  ? dev_write+0x52b/0x5a0 [dlm]
[ 2064.315610]  ? dev_write+0x52b/0x5a0 [dlm]
[ 2064.316595]  kasan_report.cold.14+0x7f/0x11b
[ 2064.317674]  ? dev_write+0x52b/0x5a0 [dlm]
[ 2064.318687]  dev_write+0x52b/0x5a0 [dlm]
[ 2064.319629]  ? dev_read+0x4a0/0x4a0 [dlm]
[ 2064.320713]  ? bpf_lsm_kernfs_init_security+0x10/0x10
[ 2064.321926]  vfs_write+0x17e/0x930
[ 2064.322769]  ? __fget_light+0x1aa/0x220
[ 2064.323753]  ksys_write+0xf1/0x1c0
[ 2064.324548]  ? __ia32_sys_read+0xb0/0xb0
[ 2064.325464]  do_syscall_64+0x3a/0x80
[ 2064.326387]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 2064.327606] RIP: 0033:0x7f807e4ba96f
[ 2064.328470] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 39 87 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 7c 87 f8 ff 48
[ 2064.332902] RSP: 002b:00007ffd50cfe6e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[ 2064.334658] RAX: ffffffffffffffda RBX: 000055cc3886eb30 RCX: 00007f807e4ba96f
[ 2064.336275] RDX: 0000000000000040 RSI: 00007ffd50cfe7e0 RDI: 0000000000000010
[ 2064.337980] RBP: 00007ffd50cfe7e0 R08: 0000000000000000 R09: 0000000000000001
[ 2064.339560] R10: 000055cc3886eb30 R11: 0000000000000293 R12: 000055cc3886eb80
[ 2064.341237] R13: 000055cc3886eb00 R14: 000055cc3886f590 R15: 0000000000000001
[ 2064.342857]
[ 2064.343226] Allocated by task 12438:
[ 2064.344057]  kasan_save_stack+0x1c/0x40
[ 2064.345079]  __kasan_kmalloc+0x84/0xa0
[ 2064.345933]  kmem_cache_alloc_trace+0x13b/0x220
[ 2064.346953]  dlm_posix_unlock+0xec/0x720 [dlm]
[ 2064.348811]  do_lock_file_wait.part.32+0xca/0x1d0
[ 2064.351070]  fcntl_setlk+0x281/0xbc0
[ 2064.352879]  do_fcntl+0x5e4/0xfe0
[ 2064.354657]  __x64_sys_fcntl+0x11f/0x170
[ 2064.356550]  do_syscall_64+0x3a/0x80
[ 2064.358259]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 2064.360745]
[ 2064.361511] Last potentially related work creation:
[ 2064.363957]  kasan_save_stack+0x1c/0x40
[ 2064.365811]  __kasan_record_aux_stack+0xaf/0xc0
[ 2064.368100]  call_rcu+0x11b/0xf70
[ 2064.369785]  dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]
[ 2064.372404]  receive_from_sock+0x290/0x770 [dlm]
[ 2064.374607]  process_recv_sockets+0x32/0x40 [dlm]
[ 2064.377290]  process_one_work+0x9a8/0x16e0
[ 2064.379357]  worker_thread+0x87/0xbf0
[ 2064.381188]  kthread+0x3ac/0x490
[ 2064.383460]  ret_from_fork+0x22/0x30
[ 2064.385588]
[ 2064.386518] Second to last potentially related work creation:
[ 2064.389219]  kasan_save_stack+0x1c/0x40
[ 2064.391043]  __kasan_record_aux_stack+0xaf/0xc0
[ 2064.393303]  call_rcu+0x11b/0xf70
[ 2064.394885]  dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]
[ 2064.397694]  receive_from_sock+0x290/0x770 [dlm]
[ 2064.399932]  process_recv_sockets+0x32/0x40 [dlm]
[ 2064.402180]  process_one_work+0x9a8/0x16e0
[ 2064.404388]  worker_thread+0x87/0xbf0
[ 2064.406124]  kthread+0x3ac/0x490
[ 2064.408021]  ret_from_fork+0x22/0x30
[ 2064.409834]
[ 2064.410599] The buggy address belongs to the object at ffff88800ef22780
[ 2064.410599]  which belongs to the cache kmalloc-96 of size 96
[ 2064.416495] The buggy address is located 88 bytes inside of
[ 2064.416495]  96-byte region [ffff88800ef22780, ffff88800ef227e0)
[ 2064.422045] The buggy address belongs to the page:
[ 2064.424635] page:00000000b6bef8bc refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xef22
[ 2064.428970] flags: 0xfffffc0000200(slab|node=0|zone=1|lastcpupid=0x1fffff)
[ 2064.432515] raw: 000fffffc0000200 ffffea0000d68b80 0000001400000014 ffff888001041780
[ 2064.436110] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 2064.439813] page dumped because: kasan: bad access detected
[ 2064.442548]
[ 2064.443310] Memory state around the buggy address:
[ 2064.445988]  ffff88800ef22680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 2064.449444]  ffff88800ef22700: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 2064.452941] >ffff88800ef22780: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[ 2064.456383]                                                     ^
[ 2064.459386]  ffff88800ef22800: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[ 2064.462788]  ffff88800ef22880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 2064.466239] ==================================================================

reproducer in python:

import argparse
import struct
import fcntl
import os

parser = argparse.ArgumentParser()

parser.add_argument('-f', '--file',
		    help='file to use fcntl, must be on dlm lock filesystem e.g. gfs2')

args = parser.parse_args()

f = open(args.file, 'wb+')

lockdata = struct.pack('hhllhh', fcntl.F_WRLCK,0,0,0,0,0)
fcntl.fcntl(f, fcntl.F_SETLK, lockdata)
lockdata = struct.pack('hhllhh', fcntl.F_UNLCK,0,0,0,0,0)
fcntl.fcntl(f, fcntl.F_SETLK, lockdata)

Fixes: 586759f03e2e ("gfs2: nfs lock support for gfs2")
Cc: stable@vger.kernel.org
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/dlm/plock.c |   12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

--- a/fs/dlm/plock.c
+++ b/fs/dlm/plock.c
@@ -26,11 +26,11 @@ struct plock_op {
 	struct list_head list;
 	int done;
 	struct dlm_plock_info info;
+	int (*callback)(struct file_lock *fl, int result);
 };
 
 struct plock_xop {
 	struct plock_op xop;
-	int (*callback)(struct file_lock *fl, int result);
 	void *fl;
 	void *file;
 	struct file_lock flc;
@@ -132,19 +132,18 @@ int dlm_posix_lock(dlm_lockspace_t *lock
 		/* fl_owner is lockd which doesn't distinguish
 		   processes on the nfs client */
 		op->info.owner	= (__u64) fl->fl_pid;
-		xop->callback	= fl->fl_lmops->lm_grant;
+		op->callback	= fl->fl_lmops->lm_grant;
 		locks_init_lock(&xop->flc);
 		locks_copy_lock(&xop->flc, fl);
 		xop->fl		= fl;
 		xop->file	= file;
 	} else {
 		op->info.owner	= (__u64)(long) fl->fl_owner;
-		xop->callback	= NULL;
 	}
 
 	send_op(op);
 
-	if (xop->callback == NULL) {
+	if (!op->callback) {
 		rv = wait_event_interruptible(recv_wq, (op->done != 0));
 		if (rv == -ERESTARTSYS) {
 			log_debug(ls, "dlm_posix_lock: wait killed %llx",
@@ -206,7 +205,7 @@ static int dlm_plock_callback(struct plo
 	file = xop->file;
 	flc = &xop->flc;
 	fl = xop->fl;
-	notify = xop->callback;
+	notify = op->callback;
 
 	if (op->info.rv) {
 		notify(fl, op->info.rv);
@@ -439,10 +438,9 @@ static ssize_t dev_write(struct file *fi
 		if (op->info.fsid == info.fsid &&
 		    op->info.number == info.number &&
 		    op->info.owner == info.owner) {
-			struct plock_xop *xop = (struct plock_xop *)op;
 			list_del_init(&op->list);
 			memcpy(&op->info, &info, sizeof(info));
-			if (xop->callback)
+			if (op->callback)
 				do_callback = 1;
 			else
 				op->done = 1;



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 082/167] dlm: fix missing lkb refcount handling
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 081/167] dlm: fix plock invalid read Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 083/167] ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Aring, David Teigland

From: Alexander Aring <aahringo@redhat.com>

commit 1689c169134f4b5a39156122d799b7dca76d8ddb upstream.

We always call hold_lkb(lkb) if we increment lkb->lkb_wait_count.
So, we always need to call unhold_lkb(lkb) if we decrement
lkb->lkb_wait_count. This patch will add missing unhold_lkb(lkb) if we
decrement lkb->lkb_wait_count. In case of setting lkb->lkb_wait_count to
zero we need to countdown until reaching zero and call unhold_lkb(lkb).
The waiters list unhold_lkb(lkb) can be removed because it's done for
the last lkb_wait_count decrement iteration as it's done in
_remove_from_waiters().

This issue was discovered by a dlm gfs2 test case which use excessively
dlm_unlock(LKF_CANCEL) feature. Probably the lkb->lkb_wait_count value
never reached above 1 if this feature isn't used and so it was not
discovered before.

The testcase ended in a rsb on the rsb keep data structure with a
refcount of 1 but no lkb was associated with it, which is itself
an invalid behaviour. A side effect of that was a condition in which
the dlm was sending remove messages in a looping behaviour. With this
patch that has not been reproduced.

Cc: stable@vger.kernel.org
Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/dlm/lock.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/fs/dlm/lock.c
+++ b/fs/dlm/lock.c
@@ -1555,6 +1555,7 @@ static int _remove_from_waiters(struct d
 		lkb->lkb_wait_type = 0;
 		lkb->lkb_flags &= ~DLM_IFL_OVERLAP_CANCEL;
 		lkb->lkb_wait_count--;
+		unhold_lkb(lkb);
 		goto out_del;
 	}
 
@@ -1581,6 +1582,7 @@ static int _remove_from_waiters(struct d
 		log_error(ls, "remwait error %x reply %d wait_type %d overlap",
 			  lkb->lkb_id, mstype, lkb->lkb_wait_type);
 		lkb->lkb_wait_count--;
+		unhold_lkb(lkb);
 		lkb->lkb_wait_type = 0;
 	}
 
@@ -5314,11 +5316,16 @@ int dlm_recover_waiters_post(struct dlm_
 		lkb->lkb_flags &= ~DLM_IFL_OVERLAP_UNLOCK;
 		lkb->lkb_flags &= ~DLM_IFL_OVERLAP_CANCEL;
 		lkb->lkb_wait_type = 0;
-		lkb->lkb_wait_count = 0;
+		/* drop all wait_count references we still
+		 * hold a reference for this iteration.
+		 */
+		while (lkb->lkb_wait_count) {
+			lkb->lkb_wait_count--;
+			unhold_lkb(lkb);
+		}
 		mutex_lock(&ls->ls_waiters_mutex);
 		list_del_init(&lkb->lkb_wait_reply);
 		mutex_unlock(&ls->ls_waiters_mutex);
-		unhold_lkb(lkb); /* for waiters list */
 
 		if (oc || ou) {
 			/* do an unlock or cancel instead of resending */



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 083/167] ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 082/167] dlm: fix missing lkb refcount handling Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 084/167] scsi: dc395x: Fix a missing check on list iterator Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Junxiao Bi, Joseph Qi, Mark Fasheh,
	Joel Becker, Joseph Qi, Changwei Ge, Gang He, Jun Piao,
	Andrew Morton

From: Junxiao Bi via Ocfs2-devel <ocfs2-devel@oss.oracle.com>

commit 863e0d81b6683c4cbc588ad831f560c90e494bef upstream.

When user_dlm_destroy_lock failed, it didn't clean up the flags it set
before exit.  For USER_LOCK_IN_TEARDOWN, if this function fails because of
lock is still in used, next time when unlink invokes this function, it
will return succeed, and then unlink will remove inode and dentry if lock
is not in used(file closed), but the dlm lock is still linked in dlm lock
resource, then when bast come in, it will trigger a panic due to
user-after-free.  See the following panic call trace.  To fix this,
USER_LOCK_IN_TEARDOWN should be reverted if fail.  And also error should
be returned if USER_LOCK_IN_TEARDOWN is set to let user know that unlink
fail.

For the case of ocfs2_dlm_unlock failure, besides USER_LOCK_IN_TEARDOWN,
USER_LOCK_BUSY is also required to be cleared.  Even though spin lock is
released in between, but USER_LOCK_IN_TEARDOWN is still set, for
USER_LOCK_BUSY, if before every place that waits on this flag,
USER_LOCK_IN_TEARDOWN is checked to bail out, that will make sure no flow
waits on the busy flag set by user_dlm_destroy_lock(), then we can
simplely revert USER_LOCK_BUSY when ocfs2_dlm_unlock fails.  Fix
user_dlm_cluster_lock() which is the only function not following this.

[  941.336392] (python,26174,16):dlmfs_unlink:562 ERROR: unlink
004fb0000060000b5a90b8c847b72e1, error -16 from destroy
[  989.757536] ------------[ cut here ]------------
[  989.757709] kernel BUG at fs/ocfs2/dlmfs/userdlm.c:173!
[  989.757876] invalid opcode: 0000 [#1] SMP
[  989.758027] Modules linked in: ksplice_2zhuk2jr_ib_ipoib_new(O)
ksplice_2zhuk2jr(O) mptctl mptbase xen_netback xen_blkback xen_gntalloc
xen_gntdev xen_evtchn cdc_ether usbnet mii ocfs2 jbd2 rpcsec_gss_krb5
auth_rpcgss nfsv4 nfsv3 nfs_acl nfs fscache lockd grace ocfs2_dlmfs
ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc
fcoe libfcoe libfc scsi_transport_fc sunrpc ipmi_devintf bridge stp llc
rds_rdma rds bonding ib_sdp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad
rdma_cm ib_cm iw_cm falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE)
mlx4_vnic falcon_kal(E) falcon_lsm_pinned_13402(E) mlx4_ib ib_sa ib_mad
ib_core ib_addr xenfs xen_privcmd dm_multipath iTCO_wdt iTCO_vendor_support
pcspkr sb_edac edac_core i2c_i801 lpc_ich mfd_core ipmi_ssif i2c_core ipmi_si
ipmi_msghandler
[  989.760686]  ioatdma sg ext3 jbd mbcache sd_mod ahci libahci ixgbe dca ptp
pps_core vxlan udp_tunnel ip6_udp_tunnel megaraid_sas mlx4_core crc32c_intel
be2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio
libiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi wmi
dm_mirror dm_region_hash dm_log dm_mod [last unloaded:
ksplice_2zhuk2jr_ib_ipoib_old]
[  989.761987] CPU: 10 PID: 19102 Comm: dlm_thread Tainted: P           OE
4.1.12-124.57.1.el6uek.x86_64 #2
[  989.762290] Hardware name: Oracle Corporation ORACLE SERVER
X5-2/ASM,MOTHERBOARD,1U, BIOS 30350100 06/17/2021
[  989.762599] task: ffff880178af6200 ti: ffff88017f7c8000 task.ti:
ffff88017f7c8000
[  989.762848] RIP: e030:[<ffffffffc07d4316>]  [<ffffffffc07d4316>]
__user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs]
[  989.763185] RSP: e02b:ffff88017f7cbcb8  EFLAGS: 00010246
[  989.763353] RAX: 0000000000000000 RBX: ffff880174d48008 RCX:
0000000000000003
[  989.763565] RDX: 0000000000120012 RSI: 0000000000000003 RDI:
ffff880174d48170
[  989.763778] RBP: ffff88017f7cbcc8 R08: ffff88021f4293b0 R09:
0000000000000000
[  989.763991] R10: ffff880179c8c000 R11: 0000000000000003 R12:
ffff880174d48008
[  989.764204] R13: 0000000000000003 R14: ffff880179c8c000 R15:
ffff88021db7a000
[  989.764422] FS:  0000000000000000(0000) GS:ffff880247480000(0000)
knlGS:ffff880247480000
[  989.764685] CS:  e033 DS: 0000 ES: 0000 CR0: 0000000080050033
[  989.764865] CR2: ffff8000007f6800 CR3: 0000000001ae0000 CR4:
0000000000042660
[  989.765081] Stack:
[  989.765167]  0000000000000003 ffff880174d48040 ffff88017f7cbd18
ffffffffc07d455f
[  989.765442]  ffff88017f7cbd88 ffffffff816fb639 ffff88017f7cbd38
ffff8800361b5600
[  989.765717]  ffff88021db7a000 ffff88021f429380 0000000000000003
ffffffffc0453020
[  989.765991] Call Trace:
[  989.766093]  [<ffffffffc07d455f>] user_bast+0x5f/0xf0 [ocfs2_dlmfs]
[  989.766287]  [<ffffffff816fb639>] ? schedule_timeout+0x169/0x2d0
[  989.766475]  [<ffffffffc0453020>] ? o2dlm_lock_ast_wrapper+0x20/0x20
[ocfs2_stack_o2cb]
[  989.766738]  [<ffffffffc045303a>] o2dlm_blocking_ast_wrapper+0x1a/0x20
[ocfs2_stack_o2cb]
[  989.767010]  [<ffffffffc0864ec6>] dlm_do_local_bast+0x46/0xe0 [ocfs2_dlm]
[  989.767217]  [<ffffffffc084f5cc>] ? dlm_lockres_calc_usage+0x4c/0x60
[ocfs2_dlm]
[  989.767466]  [<ffffffffc08501f1>] dlm_thread+0xa31/0x1140 [ocfs2_dlm]
[  989.767662]  [<ffffffff816f78da>] ? __schedule+0x24a/0x810
[  989.767834]  [<ffffffff816f78ce>] ? __schedule+0x23e/0x810
[  989.768006]  [<ffffffff816f78da>] ? __schedule+0x24a/0x810
[  989.768178]  [<ffffffff816f78ce>] ? __schedule+0x23e/0x810
[  989.768349]  [<ffffffff816f78da>] ? __schedule+0x24a/0x810
[  989.768521]  [<ffffffff816f78ce>] ? __schedule+0x23e/0x810
[  989.768693]  [<ffffffff816f78da>] ? __schedule+0x24a/0x810
[  989.768893]  [<ffffffff816f78ce>] ? __schedule+0x23e/0x810
[  989.769067]  [<ffffffff816f78da>] ? __schedule+0x24a/0x810
[  989.769241]  [<ffffffff810ce4d0>] ? wait_woken+0x90/0x90
[  989.769411]  [<ffffffffc084f7c0>] ? dlm_kick_thread+0x80/0x80 [ocfs2_dlm]
[  989.769617]  [<ffffffff810a8bbb>] kthread+0xcb/0xf0
[  989.769774]  [<ffffffff816f78da>] ? __schedule+0x24a/0x810
[  989.769945]  [<ffffffff816f78da>] ? __schedule+0x24a/0x810
[  989.770117]  [<ffffffff810a8af0>] ? kthread_create_on_node+0x180/0x180
[  989.770321]  [<ffffffff816fdaa1>] ret_from_fork+0x61/0x90
[  989.770492]  [<ffffffff810a8af0>] ? kthread_create_on_node+0x180/0x180
[  989.770689] Code: d0 00 00 00 f0 45 7d c0 bf 00 20 00 00 48 89 83 c0 00 00
00 48 89 83 c8 00 00 00 e8 55 c1 8c c0 83 4b 04 10 48 83 c4 08 5b 5d c3 <0f>
0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 55 41 54 53 48 83
[  989.771892] RIP  [<ffffffffc07d4316>]
__user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs]
[  989.772174]  RSP <ffff88017f7cbcb8>
[  989.772704] ---[ end trace ebd1e38cebcc93a8 ]---
[  989.772907] Kernel panic - not syncing: Fatal exception
[  989.773173] Kernel Offset: disabled

Link: https://lkml.kernel.org/r/20220518235224.87100-2-junxiao.bi@oracle.com
Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Joseph Qi <jiangqi903@gmail.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ocfs2/dlmfs/userdlm.c |   16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

--- a/fs/ocfs2/dlmfs/userdlm.c
+++ b/fs/ocfs2/dlmfs/userdlm.c
@@ -448,6 +448,11 @@ again:
 	}
 
 	spin_lock(&lockres->l_lock);
+	if (lockres->l_flags & USER_LOCK_IN_TEARDOWN) {
+		spin_unlock(&lockres->l_lock);
+		status = -EAGAIN;
+		goto bail;
+	}
 
 	/* We only compare against the currently granted level
 	 * here. If the lock is blocked waiting on a downconvert,
@@ -614,7 +619,7 @@ int user_dlm_destroy_lock(struct user_lo
 	spin_lock(&lockres->l_lock);
 	if (lockres->l_flags & USER_LOCK_IN_TEARDOWN) {
 		spin_unlock(&lockres->l_lock);
-		return 0;
+		goto bail;
 	}
 
 	lockres->l_flags |= USER_LOCK_IN_TEARDOWN;
@@ -628,12 +633,17 @@ int user_dlm_destroy_lock(struct user_lo
 	}
 
 	if (lockres->l_ro_holders || lockres->l_ex_holders) {
+		lockres->l_flags &= ~USER_LOCK_IN_TEARDOWN;
 		spin_unlock(&lockres->l_lock);
 		goto bail;
 	}
 
 	status = 0;
 	if (!(lockres->l_flags & USER_LOCK_ATTACHED)) {
+		/*
+		 * lock is never requested, leave USER_LOCK_IN_TEARDOWN set
+		 * to avoid new lock request coming in.
+		 */
 		spin_unlock(&lockres->l_lock);
 		goto bail;
 	}
@@ -644,6 +654,10 @@ int user_dlm_destroy_lock(struct user_lo
 
 	status = ocfs2_dlm_unlock(conn, &lockres->l_lksb, DLM_LKF_VALBLK);
 	if (status) {
+		spin_lock(&lockres->l_lock);
+		lockres->l_flags &= ~USER_LOCK_IN_TEARDOWN;
+		lockres->l_flags &= ~USER_LOCK_BUSY;
+		spin_unlock(&lockres->l_lock);
 		user_log_dlm_error("ocfs2_dlm_unlock", status, lockres);
 		goto bail;
 	}



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 084/167] scsi: dc395x: Fix a missing check on list iterator
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 083/167] ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 085/167] scsi: ufs: qcom: Add a readl() to make sure ref_clk gets enabled Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiaomeng Tong, Martin K. Petersen

From: Xiaomeng Tong <xiam0nd.tong@gmail.com>

commit 036a45aa587a10fa2abbd50fbd0f6c4cfc44f69f upstream.

The bug is here:

	p->target_id, p->target_lun);

The list iterator 'p' will point to a bogus position containing HEAD if the
list is empty or no element is found. This case must be checked before any
use of the iterator, otherwise it will lead to an invalid memory access.

To fix this bug, add a check. Use a new variable 'iter' as the list
iterator, and use the original variable 'p' as a dedicated pointer to point
to the found element.

Link: https://lore.kernel.org/r/20220414040231.2662-1-xiam0nd.tong@gmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/dc395x.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/scsi/dc395x.c
+++ b/drivers/scsi/dc395x.c
@@ -3775,10 +3775,19 @@ static struct DeviceCtlBlk *device_alloc
 #endif
 	if (dcb->target_lun != 0) {
 		/* Copy settings */
-		struct DeviceCtlBlk *p;
-		list_for_each_entry(p, &acb->dcb_list, list)
-			if (p->target_id == dcb->target_id)
+		struct DeviceCtlBlk *p = NULL, *iter;
+
+		list_for_each_entry(iter, &acb->dcb_list, list)
+			if (iter->target_id == dcb->target_id) {
+				p = iter;
 				break;
+			}
+
+		if (!p) {
+			kfree(dcb);
+			return NULL;
+		}
+
 		dprintkdbg(DBG_1, 
 		       "device_alloc: <%02i-%i> copy from <%02i-%i>\n",
 		       dcb->target_id, dcb->target_lun,



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 085/167] scsi: ufs: qcom: Add a readl() to make sure ref_clk gets enabled
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 084/167] scsi: dc395x: Fix a missing check on list iterator Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 086/167] drm/amdgpu/cs: make commands with 0 chunks illegal behaviour Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bjorn Andersson,
	Manivannan Sadhasivam, Martin K. Petersen

From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>

commit 8eecddfca30e1651dc1c74531ed5eef21dcce7e3 upstream.

In ufs_qcom_dev_ref_clk_ctrl(), it was noted that the ref_clk needs to be
stable for at least 1us. Even though there is wmb() to make sure the write
gets "completed", there is no guarantee that the write actually reached the
UFS device. There is a good chance that the write could be stored in a
Write Buffer (WB). In that case, even though the CPU waits for 1us, the
ref_clk might not be stable for that period.

So lets do a readl() to make sure that the previous write has reached the
UFS device before udelay().

Also, the wmb() after writel_relaxed() is not really needed. Both writel()
and readl() are ordered on all architectures and the CPU won't speculate
instructions after readl() due to the in-built control dependency with read
value on weakly ordered architectures. So it can be safely removed.

Link: https://lore.kernel.org/r/20220504084212.11605-4-manivannan.sadhasivam@linaro.org
Fixes: f06fcc7155dc ("scsi: ufs-qcom: add QUniPro hardware support and power optimizations")
Cc: stable@vger.kernel.org
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/ufs/ufs-qcom.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/scsi/ufs/ufs-qcom.c
+++ b/drivers/scsi/ufs/ufs-qcom.c
@@ -915,8 +915,11 @@ static void ufs_qcom_dev_ref_clk_ctrl(st
 
 		writel_relaxed(temp, host->dev_ref_clk_ctrl_mmio);
 
-		/* ensure that ref_clk is enabled/disabled before we return */
-		wmb();
+		/*
+		 * Make sure the write to ref_clk reaches the destination and
+		 * not stored in a Write Buffer (WB).
+		 */
+		readl(host->dev_ref_clk_ctrl_mmio);
 
 		/*
 		 * If we call hibern8 exit after this, we need to make sure that



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 086/167] drm/amdgpu/cs: make commands with 0 chunks illegal behaviour.
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 085/167] scsi: ufs: qcom: Add a readl() to make sure ref_clk gets enabled Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 087/167] drm/bridge: analogix_dp: Grab runtime PM reference for DP-AUX Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dave Airlie, Alex Deucher

From: Dave Airlie <airlied@redhat.com>

commit 31ab27b14daaa75541a415c6794d6f3567fea44a upstream.

Submitting a cs with 0 chunks, causes an oops later, found trying
to execute the wrong userspace driver.

MESA_LOADER_DRIVER_OVERRIDE=v3d glxinfo

[172536.665184] BUG: kernel NULL pointer dereference, address: 00000000000001d8
[172536.665188] #PF: supervisor read access in kernel mode
[172536.665189] #PF: error_code(0x0000) - not-present page
[172536.665191] PGD 6712a0067 P4D 6712a0067 PUD 5af9ff067 PMD 0
[172536.665195] Oops: 0000 [#1] SMP NOPTI
[172536.665197] CPU: 7 PID: 2769838 Comm: glxinfo Tainted: P           O      5.10.81 #1-NixOS
[172536.665199] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CROSSHAIR V FORMULA-Z, BIOS 2201 03/23/2015
[172536.665272] RIP: 0010:amdgpu_cs_ioctl+0x96/0x1ce0 [amdgpu]
[172536.665274] Code: 75 18 00 00 4c 8b b2 88 00 00 00 8b 46 08 48 89 54 24 68 49 89 f7 4c 89 5c 24 60 31 d2 4c 89 74 24 30 85 c0 0f 85 c0 01 00 00 <48> 83 ba d8 01 00 00 00 48 8b b4 24 90 00 00 00 74 16 48 8b 46 10
[172536.665276] RSP: 0018:ffffb47c0e81bbe0 EFLAGS: 00010246
[172536.665277] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[172536.665278] RDX: 0000000000000000 RSI: ffffb47c0e81be28 RDI: ffffb47c0e81bd68
[172536.665279] RBP: ffff936524080010 R08: 0000000000000000 R09: ffffb47c0e81be38
[172536.665281] R10: ffff936524080010 R11: ffff936524080000 R12: ffffb47c0e81bc40
[172536.665282] R13: ffffb47c0e81be28 R14: ffff9367bc410000 R15: ffffb47c0e81be28
[172536.665283] FS:  00007fe35e05d740(0000) GS:ffff936c1edc0000(0000) knlGS:0000000000000000
[172536.665284] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[172536.665286] CR2: 00000000000001d8 CR3: 0000000532e46000 CR4: 00000000000406e0
[172536.665287] Call Trace:
[172536.665322]  ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]
[172536.665332]  drm_ioctl_kernel+0xaa/0xf0 [drm]
[172536.665338]  drm_ioctl+0x201/0x3b0 [drm]
[172536.665369]  ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]
[172536.665372]  ? selinux_file_ioctl+0x135/0x230
[172536.665399]  amdgpu_drm_ioctl+0x49/0x80 [amdgpu]
[172536.665403]  __x64_sys_ioctl+0x83/0xb0
[172536.665406]  do_syscall_64+0x33/0x40
[172536.665409]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2018
Signed-off-by: Dave Airlie <airlied@redhat.com>
Cc: stable@vger.kernel.org
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
@@ -139,7 +139,7 @@ int amdgpu_cs_parser_init(struct amdgpu_
 	int ret;
 
 	if (cs->in.num_chunks == 0)
-		return 0;
+		return -EINVAL;
 
 	chunk_array = kmalloc_array(cs->in.num_chunks, sizeof(uint64_t), GFP_KERNEL);
 	if (!chunk_array)



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 087/167] drm/bridge: analogix_dp: Grab runtime PM reference for DP-AUX
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 086/167] drm/amdgpu/cs: make commands with 0 chunks illegal behaviour Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 088/167] md: fix an incorrect NULL check in does_sb_need_changing Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tomeu Vizoso, Brian Norris, Douglas Anderson

From: Brian Norris <briannorris@chromium.org>

commit 8fb6c44fe8468f92ac7b8bbfcca4404a4e88645f upstream.

If the display is not enable()d, then we aren't holding a runtime PM
reference here. Thus, it's easy to accidentally cause a hang, if user
space is poking around at /dev/drm_dp_aux0 at the "wrong" time.

Let's get a runtime PM reference, and check that we "see" the panel.
Don't force any panel power-up, etc., because that can be intrusive, and
that's not what other drivers do (see
drivers/gpu/drm/bridge/ti-sn65dsi86.c and
drivers/gpu/drm/bridge/parade-ps8640.c.)

Fixes: 0d97ad03f422 ("drm/bridge: analogix_dp: Remove duplicated code")
Cc: <stable@vger.kernel.org>
Cc: Tomeu Vizoso <tomeu.vizoso@collabora.com>
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20220301181107.v4.1.I773a08785666ebb236917b0c8e6c05e3de471e75@changeid
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/bridge/analogix/analogix_dp_core.c |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
+++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
@@ -1275,8 +1275,19 @@ static ssize_t analogix_dpaux_transfer(s
 				       struct drm_dp_aux_msg *msg)
 {
 	struct analogix_dp_device *dp = to_dp(aux);
+	int ret;
 
-	return analogix_dp_transfer(dp, msg);
+	pm_runtime_get_sync(dp->dev);
+
+	ret = analogix_dp_detect_hpd(dp);
+	if (ret)
+		goto out;
+
+	ret = analogix_dp_transfer(dp, msg);
+out:
+	pm_runtime_put(dp->dev);
+
+	return ret;
 }
 
 int analogix_dp_bind(struct device *dev, struct drm_device *drm_dev,



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 088/167] md: fix an incorrect NULL check in does_sb_need_changing
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 087/167] drm/bridge: analogix_dp: Grab runtime PM reference for DP-AUX Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 089/167] md: fix an incorrect NULL check in md_reload_sb Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guoqing Jiang, Xiaomeng Tong,
	Goldwyn Rodrigues, Song Liu

From: Xiaomeng Tong <xiam0nd.tong@gmail.com>

commit fc8738343eefc4ea8afb6122826dea48eacde514 upstream.

The bug is here:
	if (!rdev)

The list iterator value 'rdev' will *always* be set and non-NULL
by rdev_for_each(), so it is incorrect to assume that the iterator
value will be NULL if the list is empty or no element found.
Otherwise it will bypass the NULL check and lead to invalid memory
access passing the check.

To fix the bug, use a new variable 'iter' as the list iterator,
while using the original variable 'rdev' as a dedicated pointer to
point to the found element.

Cc: stable@vger.kernel.org
Fixes: 2aa82191ac36 ("md-cluster: Perform a lazy update")
Acked-by: Guoqing Jiang <guoqing.jiang@linux.dev>
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/md.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -2254,14 +2254,16 @@ static void sync_sbs(struct mddev *mddev
 
 static bool does_sb_need_changing(struct mddev *mddev)
 {
-	struct md_rdev *rdev;
+	struct md_rdev *rdev = NULL, *iter;
 	struct mdp_superblock_1 *sb;
 	int role;
 
 	/* Find a good rdev */
-	rdev_for_each(rdev, mddev)
-		if ((rdev->raid_disk >= 0) && !test_bit(Faulty, &rdev->flags))
+	rdev_for_each(iter, mddev)
+		if ((iter->raid_disk >= 0) && !test_bit(Faulty, &iter->flags)) {
+			rdev = iter;
 			break;
+		}
 
 	/* No good device found. */
 	if (!rdev)



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 089/167] md: fix an incorrect NULL check in md_reload_sb
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 088/167] md: fix an incorrect NULL check in does_sb_need_changing Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 090/167] RDMA/hfi1: Fix potential integer multiplication overflow errors Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xiaomeng Tong, Song Liu

From: Xiaomeng Tong <xiam0nd.tong@gmail.com>

commit 64c54d9244a4efe9bc6e9c98e13c4bbb8bb39083 upstream.

The bug is here:
	if (!rdev || rdev->desc_nr != nr) {

The list iterator value 'rdev' will *always* be set and non-NULL
by rdev_for_each_rcu(), so it is incorrect to assume that the
iterator value will be NULL if the list is empty or no element
found (In fact, it will be a bogus pointer to an invalid struct
object containing the HEAD). Otherwise it will bypass the check
and lead to invalid memory access passing the check.

To fix the bug, use a new variable 'iter' as the list iterator,
while using the original variable 'pdev' as a dedicated pointer to
point to the found element.

Cc: stable@vger.kernel.org
Fixes: 70bcecdb1534 ("md-cluster: Improve md_reload_sb to be less error prone")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/md.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -8882,16 +8882,18 @@ static int read_rdev(struct mddev *mddev
 
 void md_reload_sb(struct mddev *mddev, int nr)
 {
-	struct md_rdev *rdev;
+	struct md_rdev *rdev = NULL, *iter;
 	int err;
 
 	/* Find the rdev */
-	rdev_for_each_rcu(rdev, mddev) {
-		if (rdev->desc_nr == nr)
+	rdev_for_each_rcu(iter, mddev) {
+		if (iter->desc_nr == nr) {
+			rdev = iter;
 			break;
+		}
 	}
 
-	if (!rdev || rdev->desc_nr != nr) {
+	if (!rdev) {
 		pr_warn("%s: %d Could not find rdev with nr %d\n", __func__, __LINE__, nr);
 		return;
 	}



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 090/167] RDMA/hfi1: Fix potential integer multiplication overflow errors
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 089/167] md: fix an incorrect NULL check in md_reload_sb Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 091/167] irqchip/armada-370-xp: Do not touch Performance Counter Overflow on A375, A38x, A39x Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Marciniszyn, Dennis Dalessandro,
	Jason Gunthorpe

From: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>

commit f93e91a0372c922c20d5bee260b0f43b4b8a1bee upstream.

When multiplying of different types, an overflow is possible even when
storing the result in a larger type. This is because the conversion is
done after the multiplication. So arithmetic overflow and thus in
incorrect value is possible.

Correct an instance of this in the inter packet delay calculation.  Fix by
ensuring one of the operands is u64 which will promote the other to u64 as
well ensuring no overflow.

Cc: stable@vger.kernel.org
Fixes: 7724105686e7 ("IB/hfi1: add driver files")
Link: https://lore.kernel.org/r/20220520183712.48973.29855.stgit@awfm-01.cornelisnetworks.com
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/hfi1/init.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/hfi1/init.c
+++ b/drivers/infiniband/hw/hfi1/init.c
@@ -371,7 +371,7 @@ void set_link_ipg(struct hfi1_pportdata
 	u16 shift, mult;
 	u64 src;
 	u32 current_egress_rate; /* Mbits /sec */
-	u32 max_pkt_time;
+	u64 max_pkt_time;
 	/*
 	 * max_pkt_time is the maximum packet egress time in units
 	 * of the fabric clock period 1/(805 MHz).



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 091/167] irqchip/armada-370-xp: Do not touch Performance Counter Overflow on A375, A38x, A39x
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 090/167] RDMA/hfi1: Fix potential integer multiplication overflow errors Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 092/167] irqchip: irq-xtensa-mx: fix initial IRQ affinity Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pali Rohár, Andrew Lunn, Marc Zyngier

From: Pali Rohár <pali@kernel.org>

commit a3d66a76348daf559873f19afc912a2a7c2ccdaf upstream.

Register ARMADA_370_XP_INT_FABRIC_MASK_OFFS is Armada 370 and XP specific
and on new Armada platforms it has different meaning. It does not configure
Performance Counter Overflow interrupt masking. So do not touch this
register on non-A370/XP platforms (A375, A38x and A39x).

Signed-off-by: Pali Rohár <pali@kernel.org>
Cc: stable@vger.kernel.org
Fixes: 28da06dfd9e4 ("irqchip: armada-370-xp: Enable the PMU interrupts")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20220425113706.29310-1-pali@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/irqchip/irq-armada-370-xp.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/irqchip/irq-armada-370-xp.c
+++ b/drivers/irqchip/irq-armada-370-xp.c
@@ -312,7 +312,16 @@ static void armada_xp_mpic_smp_cpu_init(
 
 static void armada_xp_mpic_perf_init(void)
 {
-	unsigned long cpuid = cpu_logical_map(smp_processor_id());
+	unsigned long cpuid;
+
+	/*
+	 * This Performance Counter Overflow interrupt is specific for
+	 * Armada 370 and XP. It is not available on Armada 375, 38x and 39x.
+	 */
+	if (!of_machine_is_compatible("marvell,armada-370-xp"))
+		return;
+
+	cpuid = cpu_logical_map(smp_processor_id());
 
 	/* Enable Performance Counter Overflow interrupts */
 	writel(ARMADA_370_XP_INT_CAUSE_PERF(cpuid),



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 092/167] irqchip: irq-xtensa-mx: fix initial IRQ affinity
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 091/167] irqchip/armada-370-xp: Do not touch Performance Counter Overflow on A375, A38x, A39x Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 093/167] mac80211: upgrade passive scan to active scan on DFS channels after beacon rx Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Max Filippov

From: Max Filippov <jcmvbkbc@gmail.com>

commit a255ee29252066d621df5d6b420bf534c6ba5bc0 upstream.

When irq-xtensa-mx chip is used in non-SMP configuration its
irq_set_affinity callback is not called leaving IRQ affinity set empty.
As a result IRQ delivery does not work in that configuration.
Initialize IRQ affinity of the xtensa MX interrupt distributor to CPU 0
for all external IRQ lines.

Cc: stable@vger.kernel.org
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/irqchip/irq-xtensa-mx.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

--- a/drivers/irqchip/irq-xtensa-mx.c
+++ b/drivers/irqchip/irq-xtensa-mx.c
@@ -139,14 +139,25 @@ static struct irq_chip xtensa_mx_irq_chi
 	.irq_set_affinity = xtensa_mx_irq_set_affinity,
 };
 
+static void __init xtensa_mx_init_common(struct irq_domain *root_domain)
+{
+	unsigned int i;
+
+	irq_set_default_host(root_domain);
+	secondary_init_irq();
+
+	/* Initialize default IRQ routing to CPU 0 */
+	for (i = 0; i < XCHAL_NUM_EXTINTERRUPTS; ++i)
+		set_er(1, MIROUT(i));
+}
+
 int __init xtensa_mx_init_legacy(struct device_node *interrupt_parent)
 {
 	struct irq_domain *root_domain =
 		irq_domain_add_legacy(NULL, NR_IRQS - 1, 1, 0,
 				&xtensa_mx_irq_domain_ops,
 				&xtensa_mx_irq_chip);
-	irq_set_default_host(root_domain);
-	secondary_init_irq();
+	xtensa_mx_init_common(root_domain);
 	return 0;
 }
 
@@ -156,8 +167,7 @@ static int __init xtensa_mx_init(struct
 	struct irq_domain *root_domain =
 		irq_domain_add_linear(np, NR_IRQS, &xtensa_mx_irq_domain_ops,
 				&xtensa_mx_irq_chip);
-	irq_set_default_host(root_domain);
-	secondary_init_irq();
+	xtensa_mx_init_common(root_domain);
 	return 0;
 }
 IRQCHIP_DECLARE(xtensa_mx_irq_chip, "cdns,xtensa-mx", xtensa_mx_init);



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 093/167] mac80211: upgrade passive scan to active scan on DFS channels after beacon rx
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 092/167] irqchip: irq-xtensa-mx: fix initial IRQ affinity Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 094/167] um: chan_user: Fix winch_tramp() return value Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Catrinel Catrinescu, Felix Fietkau,
	Johannes Berg

From: Felix Fietkau <nbd@nbd.name>

commit b041b7b9de6e1d4362de855ab90f9d03ef323edd upstream.

In client mode, we can't connect to hidden SSID APs or SSIDs not advertised
in beacons on DFS channels, since we're forced to passive scan. Fix this by
sending out a probe request immediately after the first beacon, if active
scan was requested by the user.

Cc: stable@vger.kernel.org
Reported-by: Catrinel Catrinescu <cc@80211.de>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://lore.kernel.org/r/20220420104907.36275-1-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/ieee80211_i.h |    5 +++++
 net/mac80211/scan.c        |   20 ++++++++++++++++++++
 2 files changed, 25 insertions(+)

--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1066,6 +1066,9 @@ struct tpt_led_trigger {
  *	a scan complete for an aborted scan.
  * @SCAN_HW_CANCELLED: Set for our scan work function when the scan is being
  *	cancelled.
+ * @SCAN_BEACON_WAIT: Set whenever we're passive scanning because of radar/no-IR
+ *	and could send a probe request after receiving a beacon.
+ * @SCAN_BEACON_DONE: Beacon received, we can now send a probe request
  */
 enum {
 	SCAN_SW_SCANNING,
@@ -1074,6 +1077,8 @@ enum {
 	SCAN_COMPLETED,
 	SCAN_ABORTED,
 	SCAN_HW_CANCELLED,
+	SCAN_BEACON_WAIT,
+	SCAN_BEACON_DONE,
 };
 
 /**
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -205,6 +205,16 @@ void ieee80211_scan_rx(struct ieee80211_
 	if (likely(!sdata1 && !sdata2))
 		return;
 
+	if (test_and_clear_bit(SCAN_BEACON_WAIT, &local->scanning)) {
+		/*
+		 * we were passive scanning because of radar/no-IR, but
+		 * the beacon/proberesp rx gives us an opportunity to upgrade
+		 * to active scan
+		 */
+		 set_bit(SCAN_BEACON_DONE, &local->scanning);
+		 ieee80211_queue_delayed_work(&local->hw, &local->scan_work, 0);
+	}
+
 	if (ieee80211_is_probe_resp(mgmt->frame_control)) {
 		struct cfg80211_scan_request *scan_req;
 		struct cfg80211_sched_scan_request *sched_scan_req;
@@ -646,6 +656,8 @@ static int __ieee80211_start_scan(struct
 						IEEE80211_CHAN_RADAR)) ||
 		    !req->n_ssids) {
 			next_delay = IEEE80211_PASSIVE_CHANNEL_TIME;
+			if (req->n_ssids)
+				set_bit(SCAN_BEACON_WAIT, &local->scanning);
 		} else {
 			ieee80211_scan_state_send_probe(local, &next_delay);
 			next_delay = IEEE80211_CHANNEL_TIME;
@@ -826,6 +838,8 @@ static void ieee80211_scan_state_set_cha
 	    !scan_req->n_ssids) {
 		*next_delay = IEEE80211_PASSIVE_CHANNEL_TIME;
 		local->next_scan_state = SCAN_DECISION;
+		if (scan_req->n_ssids)
+			set_bit(SCAN_BEACON_WAIT, &local->scanning);
 		return;
 	}
 
@@ -918,6 +932,8 @@ void ieee80211_scan_work(struct work_str
 			goto out;
 	}
 
+	clear_bit(SCAN_BEACON_WAIT, &local->scanning);
+
 	/*
 	 * as long as no delay is required advance immediately
 	 * without scheduling a new work
@@ -928,6 +944,10 @@ void ieee80211_scan_work(struct work_str
 			goto out_complete;
 		}
 
+		if (test_and_clear_bit(SCAN_BEACON_DONE, &local->scanning) &&
+		    local->next_scan_state == SCAN_DECISION)
+			local->next_scan_state = SCAN_SEND_PROBE;
+
 		switch (local->next_scan_state) {
 		case SCAN_DECISION:
 			/* if no more bands/channels left, complete scan */



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 094/167] um: chan_user: Fix winch_tramp() return value
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 093/167] mac80211: upgrade passive scan to active scan on DFS channels after beacon rx Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 095/167] um: Fix out-of-bounds read in LDT setup Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Berg, Richard Weinberger,
	Nathan Chancellor

From: Johannes Berg <johannes.berg@intel.com>

commit 57ae0b67b747031bc41fb44643aa5344ab58607e upstream.

The previous fix here was only partially correct, it did
result in returning a proper error value in case of error,
but it also clobbered the pid that we need to return from
this function (not just zero for success).

As a result, it returned 0 here, but later this is treated
as a pid and used to kill the process, but since it's now
0 we kill(0, SIGKILL), which makes UML kill itself rather
than just the helper thread.

Fix that and make it more obvious by using a separate
variable for the pid.

Fixes: ccf1236ecac4 ("um: fix error return code in winch_tramp()")
Reported-and-tested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/um/drivers/chan_user.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/arch/um/drivers/chan_user.c
+++ b/arch/um/drivers/chan_user.c
@@ -220,7 +220,7 @@ static int winch_tramp(int fd, struct tt
 		       unsigned long *stack_out)
 {
 	struct winch_data data;
-	int fds[2], n, err;
+	int fds[2], n, err, pid;
 	char c;
 
 	err = os_pipe(fds, 1, 1);
@@ -238,8 +238,9 @@ static int winch_tramp(int fd, struct tt
 	 * problem with /dev/net/tun, which if held open by this
 	 * thread, prevents the TUN/TAP device from being reused.
 	 */
-	err = run_helper_thread(winch_thread, &data, CLONE_FILES, stack_out);
-	if (err < 0) {
+	pid = run_helper_thread(winch_thread, &data, CLONE_FILES, stack_out);
+	if (pid < 0) {
+		err = pid;
 		printk(UM_KERN_ERR "fork of winch_thread failed - errno = %d\n",
 		       -err);
 		goto out_close;
@@ -263,7 +264,7 @@ static int winch_tramp(int fd, struct tt
 		goto out_close;
 	}
 
-	return err;
+	return pid;
 
  out_close:
 	close(fds[1]);



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 095/167] um: Fix out-of-bounds read in LDT setup
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 094/167] um: chan_user: Fix winch_tramp() return value Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 096/167] iommu/msm: Fix an incorrect NULL check on list iterator Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vincent Whitchurch, Richard Weinberger

From: Vincent Whitchurch <vincent.whitchurch@axis.com>

commit 2a4a62a14be1947fa945c5c11ebf67326381a568 upstream.

syscall_stub_data() expects the data_count parameter to be the number of
longs, not bytes.

 ==================================================================
 BUG: KASAN: stack-out-of-bounds in syscall_stub_data+0x70/0xe0
 Read of size 128 at addr 000000006411f6f0 by task swapper/1

 CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0+ #18
 Call Trace:
  show_stack.cold+0x166/0x2a7
  __dump_stack+0x3a/0x43
  dump_stack_lvl+0x1f/0x27
  print_report.cold+0xdb/0xf81
  kasan_report+0x119/0x1f0
  kasan_check_range+0x3a3/0x440
  memcpy+0x52/0x140
  syscall_stub_data+0x70/0xe0
  write_ldt_entry+0xac/0x190
  init_new_ldt+0x515/0x960
  init_new_context+0x2c4/0x4d0
  mm_init.constprop.0+0x5ed/0x760
  mm_alloc+0x118/0x170
  0x60033f48
  do_one_initcall+0x1d7/0x860
  0x60003e7b
  kernel_init+0x6e/0x3d4
  new_thread_handler+0x1e7/0x2c0

 The buggy address belongs to stack of task swapper/1
  and is located at offset 64 in frame:
  init_new_ldt+0x0/0x960

 This frame has 2 objects:
  [32, 40) 'addr'
  [64, 80) 'desc'
 ==================================================================

Fixes: 858259cf7d1c443c83 ("uml: maintain own LDT entries")
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Cc: stable@vger.kernel.org
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/um/ldt.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/x86/um/ldt.c
+++ b/arch/x86/um/ldt.c
@@ -23,9 +23,11 @@ static long write_ldt_entry(struct mm_id
 {
 	long res;
 	void *stub_addr;
+
+	BUILD_BUG_ON(sizeof(*desc) % sizeof(long));
+
 	res = syscall_stub_data(mm_idp, (unsigned long *)desc,
-				(sizeof(*desc) + sizeof(long) - 1) &
-				    ~(sizeof(long) - 1),
+				sizeof(*desc) / sizeof(long),
 				addr, &stub_addr);
 	if (!res) {
 		unsigned long args[] = { func,



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 096/167] iommu/msm: Fix an incorrect NULL check on list iterator
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 095/167] um: Fix out-of-bounds read in LDT setup Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 097/167] nodemask.h: fix compilation error with GCC12 Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xiaomeng Tong, Joerg Roedel

From: Xiaomeng Tong <xiam0nd.tong@gmail.com>

commit 8b9ad480bd1dd25f4ff4854af5685fa334a2f57a upstream.

The bug is here:
	if (!iommu || iommu->dev->of_node != spec->np) {

The list iterator value 'iommu' will *always* be set and non-NULL by
list_for_each_entry(), so it is incorrect to assume that the iterator
value will be NULL if the list is empty or no element is found (in fact,
it will point to a invalid structure object containing HEAD).

To fix the bug, use a new value 'iter' as the list iterator, while use
the old value 'iommu' as a dedicated variable to point to the found one,
and remove the unneeded check for 'iommu->dev->of_node != spec->np'
outside the loop.

Cc: stable@vger.kernel.org
Fixes: f78ebca8ff3d6 ("iommu/msm: Add support for generic master bindings")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Link: https://lore.kernel.org/r/20220501132823.12714-1-xiam0nd.tong@gmail.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/msm_iommu.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/iommu/msm_iommu.c
+++ b/drivers/iommu/msm_iommu.c
@@ -580,16 +580,19 @@ static void insert_iommu_master(struct d
 static int qcom_iommu_of_xlate(struct device *dev,
 			       struct of_phandle_args *spec)
 {
-	struct msm_iommu_dev *iommu;
+	struct msm_iommu_dev *iommu = NULL, *iter;
 	unsigned long flags;
 	int ret = 0;
 
 	spin_lock_irqsave(&msm_iommu_lock, flags);
-	list_for_each_entry(iommu, &qcom_iommu_devices, dev_node)
-		if (iommu->dev->of_node == spec->np)
+	list_for_each_entry(iter, &qcom_iommu_devices, dev_node) {
+		if (iter->dev->of_node == spec->np) {
+			iommu = iter;
 			break;
+		}
+	}
 
-	if (!iommu || iommu->dev->of_node != spec->np) {
+	if (!iommu) {
 		ret = -ENODEV;
 		goto fail;
 	}



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 097/167] nodemask.h: fix compilation error with GCC12
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 096/167] iommu/msm: Fix an incorrect NULL check on list iterator Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 098/167] hugetlb: fix huge_pmd_unshare address update Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe de Dinechin,
	Christophe de Dinechin, Andrew Morton, Ben Segall,
	Michael S. Tsirkin, Steven Rostedt, Ingo Molnar, Mel Gorman,
	Dietmar Eggemann, Vincent Guittot, Paolo Bonzini,
	Daniel Bristot de Oliveira, Jason Wang, Zhen Lei, Juri Lelli,
	Peter Zijlstra

From: Christophe de Dinechin <dinechin@redhat.com>

commit 37462a920392cb86541650a6f4121155f11f1199 upstream.

With gcc version 12.0.1 20220401 (Red Hat 12.0.1-0), building with
defconfig results in the following compilation error:

|   CC      mm/swapfile.o
| mm/swapfile.c: In function `setup_swap_info':
| mm/swapfile.c:2291:47: error: array subscript -1 is below array bounds
|  of `struct plist_node[]' [-Werror=array-bounds]
|  2291 |                                 p->avail_lists[i].prio = 1;
|       |                                 ~~~~~~~~~~~~~~^~~
| In file included from mm/swapfile.c:16:
| ./include/linux/swap.h:292:27: note: while referencing `avail_lists'
|   292 |         struct plist_node avail_lists[]; /*
|       |                           ^~~~~~~~~~~

This is due to the compiler detecting that the mask in
node_states[__state] could theoretically be zero, which would lead to
first_node() returning -1 through find_first_bit.

I believe that the warning/error is legitimate.  I first tried adding a
test to check that the node mask is not emtpy, since a similar test exists
in the case where MAX_NUMNODES == 1.

However, adding the if statement causes other warnings to appear in
for_each_cpu_node_but, because it introduces a dangling else ambiguity.
And unfortunately, GCC is not smart enough to detect that the added test
makes the case where (node) == -1 impossible, so it still complains with
the same message.

This is why I settled on replacing that with a harmless, but relatively
useless (node) >= 0 test.  Based on the warning for the dangling else, I
also decided to fix the case where MAX_NUMNODES == 1 by moving the
condition inside the for loop.  It will still only be tested once.  This
ensures that the meaning of an else following for_each_node_mask or
derivatives would not silently have a different meaning depending on the
configuration.

Link: https://lkml.kernel.org/r/20220414150855.2407137-3-dinechin@redhat.com
Signed-off-by: Christophe de Dinechin <christophe@dinechin.org>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Ben Segall <bsegall@google.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
Cc: Vincent Guittot <vincent.guittot@linaro.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Daniel Bristot de Oliveira <bristot@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Zhen Lei <thunder.leizhen@huawei.com>
Cc: Juri Lelli <juri.lelli@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/nodemask.h |   13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

--- a/include/linux/nodemask.h
+++ b/include/linux/nodemask.h
@@ -365,14 +365,13 @@ static inline void __nodes_fold(nodemask
 }
 
 #if MAX_NUMNODES > 1
-#define for_each_node_mask(node, mask)			\
-	for ((node) = first_node(mask);			\
-		(node) < MAX_NUMNODES;			\
-		(node) = next_node((node), (mask)))
+#define for_each_node_mask(node, mask)				    \
+	for ((node) = first_node(mask);				    \
+	     (node >= 0) && (node) < MAX_NUMNODES;		    \
+	     (node) = next_node((node), (mask)))
 #else /* MAX_NUMNODES == 1 */
-#define for_each_node_mask(node, mask)			\
-	if (!nodes_empty(mask))				\
-		for ((node) = 0; (node) < 1; (node)++)
+#define for_each_node_mask(node, mask)                                  \
+	for ((node) = 0; (node) < 1 && !nodes_empty(mask); (node)++)
 #endif /* MAX_NUMNODES */
 
 /*



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 098/167] hugetlb: fix huge_pmd_unshare address update
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 097/167] nodemask.h: fix compilation error with GCC12 Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 099/167] rtl818x: Prevent using not initialized queues Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Kravetz, Muchun Song, Andrew Morton

From: Mike Kravetz <mike.kravetz@oracle.com>

commit 48381273f8734d28ef56a5bdf1966dd8530111bc upstream.

The routine huge_pmd_unshare() is passed a pointer to an address
associated with an area which may be unshared.  If unshare is successful
this address is updated to 'optimize' callers iterating over huge page
addresses.  For the optimization to work correctly, address should be
updated to the last huge page in the unmapped/unshared area.  However, in
the common case where the passed address is PUD_SIZE aligned, the address
is incorrectly updated to the address of the preceding huge page.  That
wastes CPU cycles as the unmapped/unshared range is scanned twice.

Link: https://lkml.kernel.org/r/20220524205003.126184-1-mike.kravetz@oracle.com
Fixes: 39dde65c9940 ("shared page table for hugetlb page")
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Acked-by: Muchun Song <songmuchun@bytedance.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/hugetlb.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -4593,7 +4593,14 @@ int huge_pmd_unshare(struct mm_struct *m
 	pud_clear(pud);
 	put_page(virt_to_page(ptep));
 	mm_dec_nr_pmds(mm);
-	*addr = ALIGN(*addr, HPAGE_SIZE * PTRS_PER_PTE) - HPAGE_SIZE;
+	/*
+	 * This update of passed address optimizes loops sequentially
+	 * processing addresses in increments of huge page size (PMD_SIZE
+	 * in this case).  By clearing the pud, a PUD_SIZE area is unmapped.
+	 * Update address to the 'last page' in the cleared area so that
+	 * calling loop can move to first page past this area.
+	 */
+	*addr |= PUD_SIZE - PMD_SIZE;
 	return 1;
 }
 #define want_pmd_share()	(1)



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 099/167] rtl818x: Prevent using not initialized queues
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 098/167] hugetlb: fix huge_pmd_unshare address update Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 100/167] ASoC: rt5514: Fix event generation for "DSP Voice Wake Up" control Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, pa, Alexander Wetzel, Kalle Valo

From: Alexander Wetzel <alexander@wetzel-home.de>

commit 746285cf81dc19502ab238249d75f5990bd2d231 upstream.

Using not existing queues can panic the kernel with rtl8180/rtl8185 cards.
Ignore the skb priority for those cards, they only have one tx queue. Pierre
Asselin (pa@panix.com) reported the kernel crash in the Gentoo forum:

https://forums.gentoo.org/viewtopic-t-1147832-postdays-0-postorder-asc-start-25.html

He also confirmed that this patch fixes the issue. In summary this happened:

After updating wpa_supplicant from 2.9 to 2.10 the kernel crashed with a
"divide error: 0000" when connecting to an AP. Control port tx now tries to
use IEEE80211_AC_VO for the priority, which wpa_supplicants starts to use in
2.10.

Since only the rtl8187se part of the driver supports QoS, the priority
of the skb is set to IEEE80211_AC_BE (2) by mac80211 for rtl8180/rtl8185
cards.

rtl8180 is then unconditionally reading out the priority and finally crashes on
drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c line 544 without this
patch:
	idx = (ring->idx + skb_queue_len(&ring->queue)) % ring->entries

"ring->entries" is zero for rtl8180/rtl8185 cards, tx_ring[2] never got
initialized.

Cc: stable@vger.kernel.org
Reported-by: pa@panix.com
Tested-by: pa@panix.com
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220422145228.7567-1-alexander@wetzel-home.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c
+++ b/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c
@@ -460,8 +460,10 @@ static void rtl8180_tx(struct ieee80211_
 	struct rtl8180_priv *priv = dev->priv;
 	struct rtl8180_tx_ring *ring;
 	struct rtl8180_tx_desc *entry;
+	unsigned int prio = 0;
 	unsigned long flags;
-	unsigned int idx, prio, hw_prio;
+	unsigned int idx, hw_prio;
+
 	dma_addr_t mapping;
 	u32 tx_flags;
 	u8 rc_flags;
@@ -470,7 +472,9 @@ static void rtl8180_tx(struct ieee80211_
 	/* do arithmetic and then convert to le16 */
 	u16 frame_duration = 0;
 
-	prio = skb_get_queue_mapping(skb);
+	/* rtl8180/rtl8185 only has one useable tx queue */
+	if (dev->queues > IEEE80211_AC_BK)
+		prio = skb_get_queue_mapping(skb);
 	ring = &priv->tx_ring[prio];
 
 	mapping = pci_map_single(priv->pdev, skb->data,



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 100/167] ASoC: rt5514: Fix event generation for "DSP Voice Wake Up" control
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 099/167] rtl818x: Prevent using not initialized queues Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 101/167] carl9170: tx: fix an incorrect use of list iterator Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mark Brown

From: Mark Brown <broonie@kernel.org>

commit 4213ff556740bb45e2d9ff0f50d056c4e7dd0921 upstream.

The driver has a custom put function for "DSP Voice Wake Up" which does
not generate event notifications on change, instead returning 0. Since we
already exit early in the case that there is no change this can be fixed
by unconditionally returning 1 at the end of the function.

Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220428162444.3883147-1-broonie@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/codecs/rt5514.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/soc/codecs/rt5514.c
+++ b/sound/soc/codecs/rt5514.c
@@ -345,7 +345,7 @@ static int rt5514_dsp_voice_wake_up_put(
 		}
 	}
 
-	return 0;
+	return 1;
 }
 
 static const struct snd_kcontrol_new rt5514_snd_controls[] = {



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 101/167] carl9170: tx: fix an incorrect use of list iterator
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 100/167] ASoC: rt5514: Fix event generation for "DSP Voice Wake Up" control Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 102/167] gma500: fix an incorrect NULL check on " Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiaomeng Tong, Christian Lamparter,
	Kalle Valo

From: Xiaomeng Tong <xiam0nd.tong@gmail.com>

commit 54a6f29522da3c914da30e50721dedf51046449a upstream.

If the previous list_for_each_entry_continue_rcu() don't exit early
(no goto hit inside the loop), the iterator 'cvif' after the loop
will be a bogus pointer to an invalid structure object containing
the HEAD (&ar->vif_list). As a result, the use of 'cvif' after that
will lead to a invalid memory access (i.e., 'cvif->id': the invalid
pointer dereference when return back to/after the callsite in the
carl9170_update_beacon()).

The original intention should have been to return the valid 'cvif'
when found in list, NULL otherwise. So just return NULL when no
entry found, to fix this bug.

Cc: stable@vger.kernel.org
Fixes: 1f1d9654e183c ("carl9170: refactor carl9170_update_beacon")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Acked-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20220328122820.1004-1-xiam0nd.tong@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/ath/carl9170/tx.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/wireless/ath/carl9170/tx.c
+++ b/drivers/net/wireless/ath/carl9170/tx.c
@@ -1554,6 +1554,9 @@ static struct carl9170_vif_info *carl917
 					goto out;
 			}
 		} while (ar->beacon_enabled && i--);
+
+		/* no entry found in list */
+		return NULL;
 	}
 
 out:



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 102/167] gma500: fix an incorrect NULL check on list iterator
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 101/167] carl9170: tx: fix an incorrect use of list iterator Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 103/167] docs/conf.py: Cope with removal of language=None in Sphinx 5.0.0 Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xiaomeng Tong, Patrik Jakobsson

From: Xiaomeng Tong <xiam0nd.tong@gmail.com>

commit bdef417d84536715145f6dc9cc3275c46f26295a upstream.

The bug is here:
	return crtc;

The list iterator value 'crtc' will *always* be set and non-NULL by
list_for_each_entry(), so it is incorrect to assume that the iterator
value will be NULL if the list is empty or no element is found.

To fix the bug, return 'crtc' when found, otherwise return NULL.

Cc: stable@vger.kernel.org
fixes: 89c78134cc54d ("gma500: Add Poulsbo support")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220327052028.2013-1-xiam0nd.tong@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/gma500/psb_intel_display.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/gma500/psb_intel_display.c
+++ b/drivers/gpu/drm/gma500/psb_intel_display.c
@@ -548,14 +548,15 @@ void psb_intel_crtc_init(struct drm_devi
 
 struct drm_crtc *psb_intel_get_crtc_from_pipe(struct drm_device *dev, int pipe)
 {
-	struct drm_crtc *crtc = NULL;
+	struct drm_crtc *crtc;
 
 	list_for_each_entry(crtc, &dev->mode_config.crtc_list, head) {
 		struct gma_crtc *gma_crtc = to_gma_crtc(crtc);
+
 		if (gma_crtc->pipe == pipe)
-			break;
+			return crtc;
 	}
-	return crtc;
+	return NULL;
 }
 
 int gma_connector_clones(struct drm_device *dev, int type_mask)



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 103/167] docs/conf.py: Cope with removal of language=None in Sphinx 5.0.0
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 102/167] gma500: fix an incorrect NULL check on " Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 104/167] dt-bindings: gpio: altera: correct interrupt-cells Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Akira Yokosawa, Jonathan Corbet

From: Akira Yokosawa <akiyks@gmail.com>

commit 627f01eab93d8671d4e4afee9b148f9998d20e7c upstream.

One of the changes in Sphinx 5.0.0 [1] says [sic]:

    5.0.0 final

     - #10474: language does not accept None as it value.
       The default value of language becomes to 'en' now.

[1]: https://www.sphinx-doc.org/en/master/changes.html#release-5-0-0-released-may-30-2022

It results in a new warning from Sphinx 5.0.0 [sic]:

    WARNING: Invalid configuration value found: 'language = None'.
    Update your configuration to a valid langauge code. Falling
    back to 'en' (English).

Silence the warning by using 'en'.
It works with all the Sphinx versions required for building
kernel documentation (1.7.9 or later).

Signed-off-by: Akira Yokosawa <akiyks@gmail.com>
Link: https://lore.kernel.org/r/bd0c2ddc-2401-03cb-4526-79ca664e1cbe@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/conf.py |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/Documentation/conf.py
+++ b/Documentation/conf.py
@@ -96,7 +96,7 @@ finally:
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'
 
 # There are two options for replacing |today|: either, you set today to some
 # non-false value, then it is used:



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 104/167] dt-bindings: gpio: altera: correct interrupt-cells
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 103/167] docs/conf.py: Cope with removal of language=None in Sphinx 5.0.0 Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 105/167] RDMA/rxe: Generate a completion for unsupported/invalid opcode Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dinh Nguyen

From: Dinh Nguyen <dinguyen@kernel.org>

commit 3a21c3ac93aff7b4522b152399df8f6a041df56d upstream.

update documentation to correctly state the interrupt-cells to be 2.

Cc: stable@vger.kernel.org
Fixes: 4fd9bbc6e071 ("drivers/gpio: Altera soft IP GPIO driver devicetree binding")
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/devicetree/bindings/gpio/gpio-altera.txt |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/Documentation/devicetree/bindings/gpio/gpio-altera.txt
+++ b/Documentation/devicetree/bindings/gpio/gpio-altera.txt
@@ -9,8 +9,9 @@ Required properties:
   - The second cell is reserved and is currently unused.
 - gpio-controller : Marks the device node as a GPIO controller.
 - interrupt-controller: Mark the device node as an interrupt controller
-- #interrupt-cells : Should be 1. The interrupt type is fixed in the hardware.
+- #interrupt-cells : Should be 2. The interrupt type is fixed in the hardware.
   - The first cell is the GPIO offset number within the GPIO controller.
+  - The second cell is the interrupt trigger type and level flags.
 - interrupts: Specify the interrupt.
 - altr,interrupt-type: Specifies the interrupt trigger type the GPIO
   hardware is synthesized. This field is required if the Altera GPIO controller
@@ -38,6 +39,6 @@ gpio_altr: gpio@0xff200000 {
 	altr,interrupt-type = <IRQ_TYPE_EDGE_RISING>;
 	#gpio-cells = <2>;
 	gpio-controller;
-	#interrupt-cells = <1>;
+	#interrupt-cells = <2>;
 	interrupt-controller;
 };



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 105/167] RDMA/rxe: Generate a completion for unsupported/invalid opcode
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 104/167] dt-bindings: gpio: altera: correct interrupt-cells Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 106/167] MIPS: IP27: Remove incorrect `cpu_has_fpu override Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xiao Yang, Jason Gunthorpe

From: Xiao Yang <yangx.jy@fujitsu.com>

commit 2f917af777011c88e977b9b9a5d00b280d3a59ce upstream.

Current rxe_requester() doesn't generate a completion when processing an
unsupported/invalid opcode. If rxe driver doesn't support a new opcode
(e.g. RDMA Atomic Write) and RDMA library supports it, an application
using the new opcode can reproduce this issue. Fix the issue by calling
"goto err;".

Fixes: 8700e3e7c485 ("Soft RoCE driver")
Link: https://lore.kernel.org/r/20220410113513.27537-1-yangx.jy@fujitsu.com
Signed-off-by: Xiao Yang <yangx.jy@fujitsu.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/sw/rxe/rxe_req.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/sw/rxe/rxe_req.c
+++ b/drivers/infiniband/sw/rxe/rxe_req.c
@@ -677,7 +677,7 @@ next_wqe:
 	opcode = next_opcode(qp, wqe, wqe->wr.opcode);
 	if (unlikely(opcode < 0)) {
 		wqe->status = IB_WC_LOC_QP_OP_ERR;
-		goto exit;
+		goto err;
 	}
 
 	mask = rxe_opcode[opcode].mask;



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 106/167] MIPS: IP27: Remove incorrect `cpu_has_fpu override
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 105/167] RDMA/rxe: Generate a completion for unsupported/invalid opcode Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 107/167] netfilter: nf_tables: disallow non-stateful expression in sets earlier Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maciej W. Rozycki, Stephen Zhang,
	Thomas Bogendoerfer

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 424c3781dd1cb401857585331eaaa425a13f2429 upstream.

Remove unsupported forcing of `cpu_has_fpu' to 1, which makes the `nofpu'
kernel parameter non-functional, and also causes a link error:

ld: arch/mips/kernel/traps.o: in function `trap_init':
./arch/mips/include/asm/msa.h:(.init.text+0x348): undefined reference to `handle_fpe'
ld: ./arch/mips/include/asm/msa.h:(.init.text+0x354): undefined reference to `handle_fpe'
ld: ./arch/mips/include/asm/msa.h:(.init.text+0x360): undefined reference to `handle_fpe'

where the CONFIG_MIPS_FP_SUPPORT configuration option has been disabled.

Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Reported-by: Stephen Zhang <starzhangzsd@gmail.com>
Fixes: 0ebb2f4159af ("MIPS: IP27: Update/restructure CPU overrides")
Cc: stable@vger.kernel.org # v4.2+
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/mips/include/asm/mach-ip27/cpu-feature-overrides.h |    1 -
 1 file changed, 1 deletion(-)

--- a/arch/mips/include/asm/mach-ip27/cpu-feature-overrides.h
+++ b/arch/mips/include/asm/mach-ip27/cpu-feature-overrides.h
@@ -28,7 +28,6 @@
 #define cpu_has_6k_cache		0
 #define cpu_has_8k_cache		0
 #define cpu_has_tx39_cache		0
-#define cpu_has_fpu			1
 #define cpu_has_nofpuex			0
 #define cpu_has_32fpr			1
 #define cpu_has_counter			1



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 107/167] netfilter: nf_tables: disallow non-stateful expression in sets earlier
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 106/167] MIPS: IP27: Remove incorrect `cpu_has_fpu override Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 108/167] pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pablo Neira Ayuso, Ajay Kaher, Aaron Adams

From: Pablo Neira Ayuso <pablo@netfilter.org>

commit 520778042ccca019f3ffa136dd0ca565c486cedd upstream.

Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression
instantiation"), it is possible to attach stateful expressions to set
elements.

cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate
and destroy phase") introduces conditional destruction on the object to
accomodate transaction semantics.

nft_expr_init() calls expr->ops->init() first, then check for
NFT_STATEFUL_EXPR, this stills allows to initialize a non-stateful
lookup expressions which points to a set, which might lead to UAF since
the set is not properly detached from the set->binding for this case.
Anyway, this combination is non-sense from nf_tables perspective.

This patch fixes this problem by checking for NFT_STATEFUL_EXPR before
expr->ops->init() is called.

The reporter provides a KASAN splat and a poc reproducer (similar to
those autogenerated by syzbot to report use-after-free errors). It is
unknown to me if they are using syzbot or if they use similar automated
tool to locate the bug that they are reporting.

For the record, this is the KASAN splat.

[   85.431824] ==================================================================
[   85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
[   85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
[   85.434756]
[   85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G        W         5.18.0+ #2
[   85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014

Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")
Reported-and-tested-by: Aaron Adams <edg-e@nccgroup.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[Ajay: Regenerated the patch for v4.9.y]
Signed-off-by: Ajay Kaher <akaher@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/nf_tables_api.c |   16 ++++++++++------
 net/netfilter/nft_dynset.c    |    3 ---
 2 files changed, 10 insertions(+), 9 deletions(-)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1756,23 +1756,27 @@ struct nft_expr *nft_expr_init(const str
 
 	err = nf_tables_expr_parse(ctx, nla, &info);
 	if (err < 0)
-		goto err1;
+		goto err_expr_parse;
+
+	err = -EOPNOTSUPP;
+	if (!(info.ops->type->flags & NFT_EXPR_STATEFUL))
+		goto err_expr_stateful;
 
 	err = -ENOMEM;
 	expr = kzalloc(info.ops->size, GFP_KERNEL);
 	if (expr == NULL)
-		goto err2;
+		goto err_expr_stateful;
 
 	err = nf_tables_newexpr(ctx, &info, expr);
 	if (err < 0)
-		goto err3;
+		goto err_expr_new;
 
 	return expr;
-err3:
+err_expr_new:
 	kfree(expr);
-err2:
+err_expr_stateful:
 	module_put(info.ops->type->owner);
-err1:
+err_expr_parse:
 	return ERR_PTR(err);
 }
 
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -196,9 +196,6 @@ static int nft_dynset_init(const struct
 		if (IS_ERR(priv->expr))
 			return PTR_ERR(priv->expr);
 
-		err = -EOPNOTSUPP;
-		if (!(priv->expr->ops->type->flags & NFT_EXPR_STATEFUL))
-			goto err1;
 	} else if (set->flags & NFT_SET_EVAL)
 		return -EINVAL;
 



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 108/167] pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 107/167] netfilter: nf_tables: disallow non-stateful expression in sets earlier Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 109/167] staging: greybus: codecs: fix type confusion of list iterator variable Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, kernel test robot,
	Arnd Bergmann, Daniel Vetter, Kees Cook, Thomas Bogendoerfer,
	linux-mips, Manuel Lauss, Dominik Brodowski, Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit 3928cf08334ed895a31458cbebd8d4ec6d84c080 ]

When the MIPS_ALCHEMY board selection is MIPS_XXS1500 instead of
MIPS_DB1XXX, the PCMCIA driver 'db1xxx_ss' has build errors due
to missing DB1XXX symbols. The PCMCIA driver should be restricted
to MIPS_DB1XXX instead of MIPS_ALCHEMY to fix this build error.

ERROR: modpost: "bcsr_read" [drivers/pcmcia/db1xxx_ss.ko] undefined!
ERROR: modpost: "bcsr_mod" [drivers/pcmcia/db1xxx_ss.ko] undefined!

Fixes: 42a4f17dc356 ("MIPS: Alchemy: remove SOC_AU1X00 in favor of MIPS_ALCHEMY")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: kernel test robot <lkp@intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Cc: linux-mips@vger.kernel.org
Acked-by: Manuel Lauss <manuel.lauss@gmail.com>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pcmcia/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pcmcia/Kconfig b/drivers/pcmcia/Kconfig
index d3c378b4db6c..20d85d564b80 100644
--- a/drivers/pcmcia/Kconfig
+++ b/drivers/pcmcia/Kconfig
@@ -146,7 +146,7 @@ config TCIC
 
 config PCMCIA_ALCHEMY_DEVBOARD
 	tristate "Alchemy Db/Pb1xxx PCMCIA socket services"
-	depends on MIPS_ALCHEMY && PCMCIA
+	depends on MIPS_DB1XXX && PCMCIA
 	help
 	  Enable this driver of you want PCMCIA support on your Alchemy
 	  Db1000, Db/Pb1100, Db/Pb1500, Db/Pb1550, Db/Pb1200, DB1300
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 109/167] staging: greybus: codecs: fix type confusion of list iterator variable
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 108/167] pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 110/167] usb: usbip: fix a refcount leak in stub_probe() Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Vaibhav Agarwal,
	Mark Greer, Jakob Koschel, Sasha Levin

From: Jakob Koschel <jakobkoschel@gmail.com>

[ Upstream commit 84ef256550196bc06e6849a34224c998b45bd557 ]

If the list does not exit early then data == NULL and 'module' does not
point to a valid list element.
Using 'module' in such a case is not valid and was therefore removed.

Fixes: 6dd67645f22c ("greybus: audio: Use single codec driver registration")
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Vaibhav Agarwal <vaibhav.sr@gmail.com>
Reviewed-by: Mark Greer <mgreer@animalcreek.com>
Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
Link: https://lore.kernel.org/r/20220321123626.3068639-1-jakobkoschel@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/greybus/audio_codec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/greybus/audio_codec.c b/drivers/staging/greybus/audio_codec.c
index 4c2d6c2d4fb4..90bc23408a9c 100644
--- a/drivers/staging/greybus/audio_codec.c
+++ b/drivers/staging/greybus/audio_codec.c
@@ -618,8 +618,8 @@ static int gbcodec_mute_stream(struct snd_soc_dai *dai, int mute, int stream)
 			break;
 	}
 	if (!data) {
-		dev_err(dai->dev, "%s:%s DATA connection missing\n",
-			dai->name, module->name);
+		dev_err(dai->dev, "%s DATA connection missing\n",
+			dai->name);
 		mutex_unlock(&codec->lock);
 		return -ENODEV;
 	}
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 110/167] usb: usbip: fix a refcount leak in stub_probe()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 109/167] staging: greybus: codecs: fix type confusion of list iterator variable Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 111/167] usb: usbip: add missing device lock on tweak configuration cmd Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shuah Khan, Hangyu Hua, Sasha Levin

From: Hangyu Hua <hbh25y@gmail.com>

[ Upstream commit 9ec4cbf1cc55d126759051acfe328d489c5d6e60 ]

usb_get_dev() is called in stub_device_alloc(). When stub_probe() fails
after that, usb_put_dev() needs to be called to release the reference.

Fix this by moving usb_put_dev() to sdev_free error path handling.

Find this by code review.

Fixes: 3ff67445750a ("usbip: fix error handling in stub_probe()")
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Link: https://lore.kernel.org/r/20220412020257.9767-1-hbh25y@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/usbip/stub_dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c
index cec5805feb25..ca76ee4058c9 100644
--- a/drivers/usb/usbip/stub_dev.c
+++ b/drivers/usb/usbip/stub_dev.c
@@ -441,7 +441,6 @@ static int stub_probe(struct usb_device *udev)
 			     (struct usb_dev_state *) udev);
 err_port:
 	dev_set_drvdata(&udev->dev, NULL);
-	usb_put_dev(udev);
 
 	/* we already have busid_priv, just lock busid_lock */
 	spin_lock(&busid_priv->busid_lock);
@@ -456,6 +455,7 @@ static int stub_probe(struct usb_device *udev)
 	put_busid_priv(busid_priv);
 
 sdev_free:
+	usb_put_dev(udev);
 	stub_device_free(sdev);
 
 	return rc;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 111/167] usb: usbip: add missing device lock on tweak configuration cmd
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 110/167] usb: usbip: fix a refcount leak in stub_probe() Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 112/167] USB: storage: karma: fix rio_karma_init return Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shuah Khan, Niels Dossche, Sasha Levin

From: Niels Dossche <dossche.niels@gmail.com>

[ Upstream commit d088fabace2ca337b275d1d4b36db4fe7771e44f ]

The function documentation of usb_set_configuration says that its
callers should hold the device lock. This lock is held for all
callsites except tweak_set_configuration_cmd. The code path can be
executed for example when attaching a remote USB device.
The solution is to surround the call by the device lock.

This bug was found using my experimental own-developed static analysis
tool, which reported the missing lock on v5.17.2. I manually verified
this bug report by doing code review as well. I runtime checked that
the required lock is not held. I compiled and runtime tested this on
x86_64 with a USB mouse. After applying this patch, my analyser no
longer reports this potential bug.

Fixes: 2c8c98158946 ("staging: usbip: let client choose device configuration")
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Niels Dossche <dossche.niels@gmail.com>
Link: https://lore.kernel.org/r/20220412165055.257113-1-dossche.niels@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/usbip/stub_rx.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c
index d47176f9c310..dd6228a51d0d 100644
--- a/drivers/usb/usbip/stub_rx.c
+++ b/drivers/usb/usbip/stub_rx.c
@@ -151,7 +151,9 @@ static int tweak_set_configuration_cmd(struct urb *urb)
 	req = (struct usb_ctrlrequest *) urb->setup_packet;
 	config = le16_to_cpu(req->wValue);
 
+	usb_lock_device(sdev->udev);
 	err = usb_set_configuration(sdev->udev, config);
+	usb_unlock_device(sdev->udev);
 	if (err && err != -ENODEV)
 		dev_err(&sdev->udev->dev, "can't set config #%d, error %d\n",
 			config, err);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 112/167] USB: storage: karma: fix rio_karma_init return
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 111/167] usb: usbip: add missing device lock on tweak configuration cmd Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 113/167] pwm: lp3943: Fix duty calculation in case period was clamped Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern, Lin Ma, Sasha Levin

From: Lin Ma <linma@zju.edu.cn>

[ Upstream commit b92ffb1eddd9a66a90defc556dcbf65a43c196c7 ]

The function rio_karam_init() should return -ENOMEM instead of
value 0 (USB_STOR_TRANSPORT_GOOD) when allocation fails.

Similarly, it should return -EIO when rio_karma_send_command() fails.

Fixes: dfe0d3ba20e8 ("USB Storage: add rio karma eject support")
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Link: https://lore.kernel.org/r/20220412144359.28447-1-linma@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/storage/karma.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/drivers/usb/storage/karma.c b/drivers/usb/storage/karma.c
index f9d407f0b508..13d77421a915 100644
--- a/drivers/usb/storage/karma.c
+++ b/drivers/usb/storage/karma.c
@@ -185,23 +185,24 @@ static void rio_karma_destructor(void *extra)
 
 static int rio_karma_init(struct us_data *us)
 {
-	int ret = 0;
 	struct karma_data *data = kzalloc(sizeof(struct karma_data), GFP_NOIO);
 	if (!data)
-		goto out;
+		return -ENOMEM;
 
 	data->recv = kmalloc(RIO_RECV_LEN, GFP_NOIO);
 	if (!data->recv) {
 		kfree(data);
-		goto out;
+		return -ENOMEM;
 	}
 
 	us->extra = data;
 	us->extra_destructor = rio_karma_destructor;
-	ret = rio_karma_send_command(RIO_ENTER_STORAGE, us);
-	data->in_storage = (ret == 0);
-out:
-	return ret;
+	if (rio_karma_send_command(RIO_ENTER_STORAGE, us))
+		return -EIO;
+
+	data->in_storage = 1;
+
+	return 0;
 }
 
 static struct scsi_host_template karma_host_template;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 113/167] pwm: lp3943: Fix duty calculation in case period was clamped
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 112/167] USB: storage: karma: fix rio_karma_init return Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 114/167] rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Uwe Kleine-König,
	Thierry Reding, Sasha Levin

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

[ Upstream commit 5e3b07ca5cc78cd4a987e78446849e41288d87cb ]

The hardware only supports periods <= 1.6 ms and if a bigger period is
requested it is clamped to 1.6 ms. In this case duty_cycle might be bigger
than 1.6 ms and then the duty cycle register is written with a value
bigger than LP3943_MAX_DUTY. So clamp duty_cycle accordingly.

Fixes: af66b3c0934e ("pwm: Add LP3943 PWM driver")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pwm/pwm-lp3943.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/pwm/pwm-lp3943.c b/drivers/pwm/pwm-lp3943.c
index 872ea76a4f19..4612315687cd 100644
--- a/drivers/pwm/pwm-lp3943.c
+++ b/drivers/pwm/pwm-lp3943.c
@@ -128,6 +128,7 @@ static int lp3943_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
 	if (err)
 		return err;
 
+	duty_ns = min(duty_ns, period_ns);
 	val = (u8)(duty_ns * LP3943_MAX_DUTY / period_ns);
 
 	return lp3943_write_byte(lp3943, reg_duty, val);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 114/167] rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 113/167] pwm: lp3943: Fix duty calculation in case period was clamped Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 115/167] rtc: mt6397: check return value after calling platform_get_resource() Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Bjorn Andersson,
	Sasha Levin

From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

[ Upstream commit 1a358d35066487d228a68303d808bc4721c6b1b9 ]

The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.

Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20220422105326.78713-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rpmsg/qcom_smd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
index 312cb7fec5b0..5e67e42e6461 100644
--- a/drivers/rpmsg/qcom_smd.c
+++ b/drivers/rpmsg/qcom_smd.c
@@ -1258,7 +1258,7 @@ static int qcom_smd_parse_edge(struct device *dev,
 	}
 
 	irq = irq_of_parse_and_map(node, 0);
-	if (irq < 0) {
+	if (!irq) {
 		dev_err(dev, "required smd interrupt missing\n");
 		return -EINVAL;
 	}
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 115/167] rtc: mt6397: check return value after calling platform_get_resource()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 114/167] rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 116/167] serial: meson: acquire port->lock in startup() Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Yingliang,
	AngeloGioacchino Del Regno, Alexandre Belloni, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit d3b43eb505bffb8e4cdf6800c15660c001553fe6 ]

It will cause null-ptr-deref if platform_get_resource() returns NULL,
we need check the return value.

Fixes: fc2979118f3f ("rtc: mediatek: Add MT6397 RTC driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/20220505125043.1594771-1-yangyingliang@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rtc/rtc-mt6397.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/rtc/rtc-mt6397.c b/drivers/rtc/rtc-mt6397.c
index 494a7fbd512b..7e37ec7c8e02 100644
--- a/drivers/rtc/rtc-mt6397.c
+++ b/drivers/rtc/rtc-mt6397.c
@@ -339,6 +339,8 @@ static int mtk_rtc_probe(struct platform_device *pdev)
 		return -ENOMEM;
 
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+	if (!res)
+		return -EINVAL;
 	rtc->addr_base = res->start;
 
 	res = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 116/167] serial: meson: acquire port->lock in startup()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 115/167] rtc: mt6397: check return value after calling platform_get_resource() Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 117/167] serial: digicolor-usart: Dont allow CS5-6 Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Szyprowski, Petr Mladek,
	Jiri Slaby, Neil Armstrong, John Ogness, Sasha Levin

From: John Ogness <john.ogness@linutronix.de>

[ Upstream commit 589f892ac8ef244e47c5a00ffd8605daa1eaef8e ]

The uart_ops startup() callback is called without interrupts
disabled and without port->lock locked, relatively late during the
boot process (from the call path of console_on_rootfs()). If the
device is a console, it was already previously registered and could
be actively printing messages.

Since the startup() callback is reading/writing registers used by
the console write() callback (AML_UART_CONTROL), its access must
be synchronized using the port->lock. Currently it is not.

The startup() callback is the only function that explicitly enables
interrupts. Without the synchronization, it is possible that
interrupts become accidentally permanently disabled.

CPU0                           CPU1
meson_serial_console_write     meson_uart_startup
--------------------------     ------------------
spin_lock(port->lock)
val = readl(AML_UART_CONTROL)
uart_console_write()
                               writel(INT_EN, AML_UART_CONTROL)
writel(val, AML_UART_CONTROL)
spin_unlock(port->lock)

Add port->lock synchronization to meson_uart_startup() to avoid
racing with meson_serial_console_write().

Also add detailed comments to meson_uart_reset() explaining why it
is *not* using port->lock synchronization.

Link: https://lore.kernel.org/lkml/2a82eae7-a256-f70c-fd82-4e510750906e@samsung.com
Fixes: ff7693d079e5 ("ARM: meson: serial: add MesonX SoC on-chip uart driver")
Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Acked-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: John Ogness <john.ogness@linutronix.de>
Link: https://lore.kernel.org/r/20220508103547.626355-1-john.ogness@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/meson_uart.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/drivers/tty/serial/meson_uart.c b/drivers/tty/serial/meson_uart.c
index 6aea0f4a9165..273292f09bf6 100644
--- a/drivers/tty/serial/meson_uart.c
+++ b/drivers/tty/serial/meson_uart.c
@@ -253,6 +253,14 @@ static const char *meson_uart_type(struct uart_port *port)
 	return (port->type == PORT_MESON) ? "meson_uart" : NULL;
 }
 
+/*
+ * This function is called only from probe() using a temporary io mapping
+ * in order to perform a reset before setting up the device. Since the
+ * temporarily mapped region was successfully requested, there can be no
+ * console on this port at this time. Hence it is not necessary for this
+ * function to acquire the port->lock. (Since there is no console on this
+ * port at this time, the port->lock is not initialized yet.)
+ */
 static void meson_uart_reset(struct uart_port *port)
 {
 	u32 val;
@@ -267,9 +275,12 @@ static void meson_uart_reset(struct uart_port *port)
 
 static int meson_uart_startup(struct uart_port *port)
 {
+	unsigned long flags;
 	u32 val;
 	int ret = 0;
 
+	spin_lock_irqsave(&port->lock, flags);
+
 	val = readl(port->membase + AML_UART_CONTROL);
 	val |= AML_UART_CLR_ERR;
 	writel(val, port->membase + AML_UART_CONTROL);
@@ -285,6 +296,8 @@ static int meson_uart_startup(struct uart_port *port)
 	val = (AML_UART_RECV_IRQ(1) | AML_UART_XMIT_IRQ(port->fifosize / 2));
 	writel(val, port->membase + AML_UART_MISC);
 
+	spin_unlock_irqrestore(&port->lock, flags);
+
 	ret = request_irq(port->irq, meson_uart_interrupt, 0,
 			  meson_uart_type(port), port);
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 117/167] serial: digicolor-usart: Dont allow CS5-6
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 116/167] serial: meson: acquire port->lock in startup() Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 118/167] serial: txx9: " Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Baruch Siach, Ilpo Järvinen,
	Sasha Levin

From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>

[ Upstream commit fd63031b8c0763addcecdefe0e0c59d49646204e ]

Only CS7 and CS8 seem supported but CSIZE is not sanitized to CS8 in
the default: block.

Set CSIZE correctly so that userspace knows the effective value.
Incorrect CSIZE also results in miscalculation of the frame bits in
tty_get_char_size() or in its predecessor where the roughly the same
code is directly within uart_update_timeout().

Fixes: 5930cb3511df (serial: driver for Conexant Digicolor USART)
Acked-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20220519081808.3776-3-ilpo.jarvinen@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/digicolor-usart.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/tty/serial/digicolor-usart.c b/drivers/tty/serial/digicolor-usart.c
index 794864fac625..74127813e6db 100644
--- a/drivers/tty/serial/digicolor-usart.c
+++ b/drivers/tty/serial/digicolor-usart.c
@@ -313,6 +313,8 @@ static void digicolor_uart_set_termios(struct uart_port *port,
 	case CS8:
 	default:
 		config |= UA_CONFIG_CHAR_LEN;
+		termios->c_cflag &= ~CSIZE;
+		termios->c_cflag |= CS8;
 		break;
 	}
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 118/167] serial: txx9: Dont allow CS5-6
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 117/167] serial: digicolor-usart: Dont allow CS5-6 Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 119/167] serial: sh-sci: " Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ilpo Järvinen, Sasha Levin

From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>

[ Upstream commit 79ac88655dc0551e3571ad16bdabdbe65d61553e ]

Only CS7 and CS8 are supported but CSIZE is not sanitized with
CS5 or CS6 to CS8.

Set CSIZE correctly so that userspace knows the effective value.
Incorrect CSIZE also results in miscalculation of the frame bits in
tty_get_char_size() or in its predecessor where the roughly the same
code is directly within uart_update_timeout().

Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2)
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20220519081808.3776-5-ilpo.jarvinen@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/serial_txx9.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/tty/serial/serial_txx9.c b/drivers/tty/serial/serial_txx9.c
index ffb3fb1bda9e..61e0b65c3aaf 100644
--- a/drivers/tty/serial/serial_txx9.c
+++ b/drivers/tty/serial/serial_txx9.c
@@ -652,6 +652,8 @@ serial_txx9_set_termios(struct uart_port *port, struct ktermios *termios,
 	case CS6:	/* not supported */
 	case CS8:
 		cval |= TXX9_SILCR_UMODE_8BIT;
+		termios->c_cflag &= ~CSIZE;
+		termios->c_cflag |= CS8;
 		break;
 	}
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 119/167] serial: sh-sci: Dont allow CS5-6
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 118/167] serial: txx9: " Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 120/167] serial: st-asc: Sanitize CSIZE and correct PARENB for CS7 Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ilpo Järvinen, Sasha Levin

From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>

[ Upstream commit 9b87162de8be26bf3156460b37deee6399fd0fcb ]

Only CS7 and CS8 seem supported but CSIZE is not sanitized from
CS5 or CS6 to CS8.

Set CSIZE correctly so that userspace knows the effective value.
Incorrect CSIZE also results in miscalculation of the frame bits in
tty_get_char_size() or in its predecessor where the roughly the same
code is directly within uart_update_timeout().

Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2)
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20220519081808.3776-6-ilpo.jarvinen@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/sh-sci.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
index 5c6243a31166..91c69fc3987a 100644
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -2206,8 +2206,12 @@ static void sci_set_termios(struct uart_port *port, struct ktermios *termios,
 	unsigned long max_freq = 0;
 	int best_clk = -1;
 
-	if ((termios->c_cflag & CSIZE) == CS7)
+	if ((termios->c_cflag & CSIZE) == CS7) {
 		smr_val |= SCSMR_CHR;
+	} else {
+		termios->c_cflag &= ~CSIZE;
+		termios->c_cflag |= CS8;
+	}
 	if (termios->c_cflag & PARENB)
 		smr_val |= SCSMR_PE;
 	if (termios->c_cflag & PARODD)
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 120/167] serial: st-asc: Sanitize CSIZE and correct PARENB for CS7
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 119/167] serial: sh-sci: " Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 121/167] firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Srinivas Kandagatla,
	Ilpo Järvinen, Sasha Levin

From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>

[ Upstream commit 52bb1cb7118564166b04d52387bd8403632f5190 ]

Only CS7 and CS8 seem supported but CSIZE is not sanitized from CS5 or
CS6 to CS8. In addition, ASC_CTL_MODE_7BIT_PAR suggests that CS7 has
to have parity, thus add PARENB.

Incorrect CSIZE results in miscalculation of the frame bits in
tty_get_char_size() or in its predecessor where the roughly the same
code is directly within uart_update_timeout().

Fixes: c4b058560762 (serial:st-asc: Add ST ASC driver.)
Cc: Srinivas Kandagatla <srinivas.kandagatla@st.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20220519081808.3776-8-ilpo.jarvinen@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/st-asc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/tty/serial/st-asc.c b/drivers/tty/serial/st-asc.c
index 379e5bd37df9..b845cd05e350 100644
--- a/drivers/tty/serial/st-asc.c
+++ b/drivers/tty/serial/st-asc.c
@@ -509,10 +509,14 @@ static void asc_set_termios(struct uart_port *port, struct ktermios *termios,
 	/* set character length */
 	if ((cflag & CSIZE) == CS7) {
 		ctrl_val |= ASC_CTL_MODE_7BIT_PAR;
+		cflag |= PARENB;
 	} else {
 		ctrl_val |= (cflag & PARENB) ?  ASC_CTL_MODE_8BIT_PAR :
 						ASC_CTL_MODE_8BIT;
+		cflag &= ~CSIZE;
+		cflag |= CS8;
 	}
+	termios->c_cflag = cflag;
 
 	/* set stop bit */
 	ctrl_val |= (cflag & CSTOPB) ? ASC_CTL_STOP_2BIT : ASC_CTL_STOP_1BIT;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 121/167] firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 120/167] serial: st-asc: Sanitize CSIZE and correct PARENB for CS7 Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 122/167] clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return value Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miaoqian Lin, Sasha Levin

From: Miaoqian Lin <linmq006@gmail.com>

[ Upstream commit 660ba678f9998aca6db74f2dd912fa5124f0fa31 ]

kobject_init_and_add() takes reference even when it fails.
According to the doc of kobject_init_and_add()

   If this function returns an error, kobject_put() must be called to
   properly clean up the memory associated with the object.

Fix this issue by calling kobject_put().

Fixes: 948af1f0bbc8 ("firmware: Basic dmi-sysfs support")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20220511071421.9769-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/firmware/dmi-sysfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/firmware/dmi-sysfs.c b/drivers/firmware/dmi-sysfs.c
index ef76e5eecf0b..37f76daa2b3d 100644
--- a/drivers/firmware/dmi-sysfs.c
+++ b/drivers/firmware/dmi-sysfs.c
@@ -601,7 +601,7 @@ static void __init dmi_sysfs_register_handle(const struct dmi_header *dh,
 				    "%d-%d", dh->type, entry->instance);
 
 	if (*ret) {
-		kfree(entry);
+		kobject_put(&entry->kobj);
 		return;
 	}
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 122/167] clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return value
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 121/167] firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 123/167] net: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry() Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Neil Armstrong,
	Daniel Lezcano, Sasha Levin

From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

[ Upstream commit 9c04a8ff03def4df3f81219ffbe1ec9b44ff5348 ]

The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.

Fixes: 89355274e1f7 ("clocksource/drivers/oxnas-rps: Add Oxford Semiconductor RPS Dual Timer")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
Link: https://lore.kernel.org/r/20220422104101.55754-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clocksource/timer-oxnas-rps.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/clocksource/timer-oxnas-rps.c b/drivers/clocksource/timer-oxnas-rps.c
index d630bf417773..411f211185d3 100644
--- a/drivers/clocksource/timer-oxnas-rps.c
+++ b/drivers/clocksource/timer-oxnas-rps.c
@@ -247,7 +247,7 @@ static int __init oxnas_rps_timer_init(struct device_node *np)
 	}
 
 	rps->irq = irq_of_parse_and_map(np, 0);
-	if (rps->irq < 0) {
+	if (!rps->irq) {
 		ret = -EINVAL;
 		goto err_iomap;
 	}
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 123/167] net: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 122/167] clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return value Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 124/167] modpost: fix removing numeric suffixes Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, David S. Miller, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit e7e7104e2d5ddf3806a28695670f21bef471f1e1 ]

The "fsp->location" variable comes from user via ethtool_get_rxnfc().
Check that it is valid to prevent an out of bounds read.

Fixes: 7aab747e5563 ("net: ethernet: mediatek: add ethtool functions to configure RX flows of HW LRO")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
index 5b072bf80783..84d667957221 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
@@ -1496,6 +1496,9 @@ static int mtk_hwlro_get_fdir_entry(struct net_device *dev,
 	struct ethtool_rx_flow_spec *fsp =
 		(struct ethtool_rx_flow_spec *)&cmd->fs;
 
+	if (fsp->location >= ARRAY_SIZE(mac->hwlro_ip))
+		return -EINVAL;
+
 	/* only tcp dst ipv4 is meaningful, others are meaningless */
 	fsp->flow_type = TCP_V4_FLOW;
 	fsp->h_u.tcp_ip4_spec.ip4dst = ntohl(mac->hwlro_ip[fsp->location]);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 124/167] modpost: fix removing numeric suffixes
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 123/167] net: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry() Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:09 ` [PATCH 4.9 125/167] jffs2: fix memory leak in jffs2_do_fill_super Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Lobakin, Petr Mladek,
	Masahiro Yamada, Sasha Levin

From: Alexander Lobakin <alexandr.lobakin@intel.com>

[ Upstream commit b5beffa20d83c4e15306c991ffd00de0d8628338 ]

With the `-z unique-symbol` linker flag or any similar mechanism,
it is possible to trigger the following:

ERROR: modpost: "param_set_uint.0" [vmlinux] is a static EXPORT_SYMBOL

The reason is that for now the condition from remove_dot():

if (m && (s[n + m] == '.' || s[n + m] == 0))

which was designed to test if it's a dot or a '\0' after the suffix
is never satisfied.
This is due to that `s[n + m]` always points to the last digit of a
numeric suffix, not on the symbol next to it (from a custom debug
print added to modpost):

param_set_uint.0, s[n + m] is '0', s[n + m + 1] is '\0'

So it's off-by-one and was like that since 2014.

Fix this for the sake of any potential upcoming features, but don't
bother stable-backporting, as it's well hidden -- apart from that
LD flag, it can be triggered only with GCC LTO which never landed
upstream.

Fixes: fcd38ed0ff26 ("scripts: modpost: fix compilation warning")
Signed-off-by: Alexander Lobakin <alexandr.lobakin@intel.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/mod/modpost.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index 62b0552b7b71..29c3e4d6fc06 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -1932,7 +1932,7 @@ static char *remove_dot(char *s)
 
 	if (n && s[n]) {
 		size_t m = strspn(s + n + 1, "0123456789");
-		if (m && (s[n + m] == '.' || s[n + m] == 0))
+		if (m && (s[n + m + 1] == '.' || s[n + m + 1] == 0))
 			s[n] = 0;
 	}
 	return s;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 125/167] jffs2: fix memory leak in jffs2_do_fill_super
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 124/167] modpost: fix removing numeric suffixes Greg Kroah-Hartman
@ 2022-06-13 10:09 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 126/167] tcp: tcp_rtx_synack() can be called from process context Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Baokun Li, Richard Weinberger, Sasha Levin

From: Baokun Li <libaokun1@huawei.com>

[ Upstream commit c14adb1cf70a984ed081c67e9d27bc3caad9537c ]

If jffs2_iget() or d_make_root() in jffs2_do_fill_super() returns
an error, we can observe the following kmemleak report:

--------------------------------------------
unreferenced object 0xffff888105a65340 (size 64):
  comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff859c45e5>] kmem_cache_alloc_trace+0x475/0x8a0
    [<ffffffff86160146>] jffs2_sum_init+0x96/0x1a0
    [<ffffffff86140e25>] jffs2_do_mount_fs+0x745/0x2120
    [<ffffffff86149fec>] jffs2_do_fill_super+0x35c/0x810
    [<ffffffff8614aae9>] jffs2_fill_super+0x2b9/0x3b0
    [...]
unreferenced object 0xffff8881bd7f0000 (size 65536):
  comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
  hex dump (first 32 bytes):
    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
  backtrace:
    [<ffffffff858579ba>] kmalloc_order+0xda/0x110
    [<ffffffff85857a11>] kmalloc_order_trace+0x21/0x130
    [<ffffffff859c2ed1>] __kmalloc+0x711/0x8a0
    [<ffffffff86160189>] jffs2_sum_init+0xd9/0x1a0
    [<ffffffff86140e25>] jffs2_do_mount_fs+0x745/0x2120
    [<ffffffff86149fec>] jffs2_do_fill_super+0x35c/0x810
    [<ffffffff8614aae9>] jffs2_fill_super+0x2b9/0x3b0
    [...]
--------------------------------------------

This is because the resources allocated in jffs2_sum_init() are not
released. Call jffs2_sum_exit() to release these resources to solve
the problem.

Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/jffs2/fs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c
index d3c9e4c82e57..610e11e76f2d 100644
--- a/fs/jffs2/fs.c
+++ b/fs/jffs2/fs.c
@@ -597,6 +597,7 @@ int jffs2_do_fill_super(struct super_block *sb, void *data, int silent)
 	jffs2_free_raw_node_refs(c);
 	kvfree(c->blocks);
 	jffs2_clear_xattr_subsystem(c);
+	jffs2_sum_exit(c);
  out_inohash:
 	kfree(c->inocache_list);
  out_wbuf:
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 126/167] tcp: tcp_rtx_synack() can be called from process context
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2022-06-13 10:09 ` [PATCH 4.9 125/167] jffs2: fix memory leak in jffs2_do_fill_super Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 127/167] tracing: Avoid adding tracer option before update_tracer_options Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Laurent Fasnacht,
	Neal Cardwell, Jakub Kicinski, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 0a375c822497ed6ad6b5da0792a12a6f1af10c0b ]

Laurent reported the enclosed report [1]

This bug triggers with following coditions:

0) Kernel built with CONFIG_DEBUG_PREEMPT=y

1) A new passive FastOpen TCP socket is created.
   This FO socket waits for an ACK coming from client to be a complete
   ESTABLISHED one.
2) A socket operation on this socket goes through lock_sock()
   release_sock() dance.
3) While the socket is owned by the user in step 2),
   a retransmit of the SYN is received and stored in socket backlog.
4) At release_sock() time, the socket backlog is processed while
   in process context.
5) A SYNACK packet is cooked in response of the SYN retransmit.
6) -> tcp_rtx_synack() is called in process context.

Before blamed commit, tcp_rtx_synack() was always called from BH handler,
from a timer handler.

Fix this by using TCP_INC_STATS() & NET_INC_STATS()
which do not assume caller is in non preemptible context.

[1]
BUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180
caller is tcp_rtx_synack.part.0+0x36/0xc0
CPU: 10 PID: 2180 Comm: epollpep Tainted: G           OE     5.16.0-0.bpo.4-amd64 #1  Debian 5.16.12-1~bpo11+1
Hardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021
Call Trace:
 <TASK>
 dump_stack_lvl+0x48/0x5e
 check_preemption_disabled+0xde/0xe0
 tcp_rtx_synack.part.0+0x36/0xc0
 tcp_rtx_synack+0x8d/0xa0
 ? kmem_cache_alloc+0x2e0/0x3e0
 ? apparmor_file_alloc_security+0x3b/0x1f0
 inet_rtx_syn_ack+0x16/0x30
 tcp_check_req+0x367/0x610
 tcp_rcv_state_process+0x91/0xf60
 ? get_nohz_timer_target+0x18/0x1a0
 ? lock_timer_base+0x61/0x80
 ? preempt_count_add+0x68/0xa0
 tcp_v4_do_rcv+0xbd/0x270
 __release_sock+0x6d/0xb0
 release_sock+0x2b/0x90
 sock_setsockopt+0x138/0x1140
 ? __sys_getsockname+0x7e/0xc0
 ? aa_sk_perm+0x3e/0x1a0
 __sys_setsockopt+0x198/0x1e0
 __x64_sys_setsockopt+0x21/0x30
 do_syscall_64+0x38/0xc0
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Laurent Fasnacht <laurent.fasnacht@proton.ch>
Acked-by: Neal Cardwell <ncardwell@google.com>
Link: https://lore.kernel.org/r/20220530213713.601888-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/tcp_output.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 95b0f486cb10..e0009cd69da7 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -3709,8 +3709,8 @@ int tcp_rtx_synack(const struct sock *sk, struct request_sock *req)
 	tcp_rsk(req)->txhash = net_tx_rndhash();
 	res = af_ops->send_synack(sk, NULL, &fl, req, NULL, TCP_SYNACK_NORMAL);
 	if (!res) {
-		__TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS);
-		__NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
+		TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS);
+		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
 		if (unlikely(tcp_passive_fastopen(sk)))
 			tcp_sk(sk)->total_retrans++;
 	}
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 127/167] tracing: Avoid adding tracer option before update_tracer_options
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 126/167] tcp: tcp_rtx_synack() can be called from process context Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 128/167] i2c: cadence: Increase timeout per message if necessary Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Mark-PK Tsai,
	Steven Rostedt (Google),
	Sasha Levin

From: Mark-PK Tsai <mark-pk.tsai@mediatek.com>

[ Upstream commit ef9188bcc6ca1d8a2ad83e826b548e6820721061 ]

To prepare for support asynchronous tracer_init_tracefs initcall,
avoid calling create_trace_option_files before __update_tracer_options.
Otherwise, create_trace_option_files will show warning because
some tracers in trace_types list are already in tr->topts.

For example, hwlat_tracer call register_tracer in late_initcall,
and global_trace.dir is already created in tracing_init_dentry,
hwlat_tracer will be put into tr->topts.
Then if the __update_tracer_options is executed after hwlat_tracer
registered, create_trace_option_files find that hwlat_tracer is
already in tr->topts.

Link: https://lkml.kernel.org/r/20220426122407.17042-2-mark-pk.tsai@mediatek.com

Link: https://lore.kernel.org/lkml/20220322133339.GA32582@xsang-OptiPlex-9020/
Reported-by: kernel test robot <oliver.sang@intel.com>
Signed-off-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/trace/trace.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 90e0fd5621da..de1638df2b09 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -4798,12 +4798,18 @@ static void tracing_set_nop(struct trace_array *tr)
 	tr->current_trace = &nop_trace;
 }
 
+static bool tracer_options_updated;
+
 static void add_tracer_options(struct trace_array *tr, struct tracer *t)
 {
 	/* Only enable if the directory has been created already. */
 	if (!tr->dir)
 		return;
 
+	/* Only create trace option files after update_tracer_options finish */
+	if (!tracer_options_updated)
+		return;
+
 	create_trace_option_files(tr, t);
 }
 
@@ -7082,6 +7088,7 @@ static void __update_tracer_options(struct trace_array *tr)
 static void update_tracer_options(struct trace_array *tr)
 {
 	mutex_lock(&trace_types_lock);
+	tracer_options_updated = true;
 	__update_tracer_options(tr);
 	mutex_unlock(&trace_types_lock);
 }
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 128/167] i2c: cadence: Increase timeout per message if necessary
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 127/167] tracing: Avoid adding tracer option before update_tracer_options Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 129/167] m68knommu: set ZERO_PAGE() to the allocated zeroed page Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lucas Tanure, Michal Simek,
	Wolfram Sang, Sasha Levin

From: Lucas Tanure <tanureal@opensource.cirrus.com>

[ Upstream commit 96789dce043f5bff8b7d62aa28d52a7c59403a84 ]

Timeout as 1 second sets an upper limit on the length
of the transfer executed, but there is no maximum length
of a write or read message set in i2c_adapter_quirks for
this controller.

This upper limit affects devices that require sending
large firmware blobs over I2C.

To remove that limitation, calculate the minimal time
necessary, plus some wiggle room, for every message and
use it instead of the default one second, if more than
one second.

Signed-off-by: Lucas Tanure <tanureal@opensource.cirrus.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-cadence.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c
index 23ee1a423654..a29ac9bae6d5 100644
--- a/drivers/i2c/busses/i2c-cadence.c
+++ b/drivers/i2c/busses/i2c-cadence.c
@@ -511,7 +511,7 @@ static void cdns_i2c_master_reset(struct i2c_adapter *adap)
 static int cdns_i2c_process_msg(struct cdns_i2c *id, struct i2c_msg *msg,
 		struct i2c_adapter *adap)
 {
-	unsigned long time_left;
+	unsigned long time_left, msg_timeout;
 	u32 reg;
 
 	id->p_msg = msg;
@@ -536,8 +536,16 @@ static int cdns_i2c_process_msg(struct cdns_i2c *id, struct i2c_msg *msg,
 	else
 		cdns_i2c_msend(id);
 
+	/* Minimal time to execute this message */
+	msg_timeout = msecs_to_jiffies((1000 * msg->len * BITS_PER_BYTE) / id->i2c_clk);
+	/* Plus some wiggle room */
+	msg_timeout += msecs_to_jiffies(500);
+
+	if (msg_timeout < adap->timeout)
+		msg_timeout = adap->timeout;
+
 	/* Wait for the signal of completion */
-	time_left = wait_for_completion_timeout(&id->xfer_done, adap->timeout);
+	time_left = wait_for_completion_timeout(&id->xfer_done, msg_timeout);
 	if (time_left == 0) {
 		cdns_i2c_master_reset(adap);
 		dev_err(id->adap.dev.parent,
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 129/167] m68knommu: set ZERO_PAGE() to the allocated zeroed page
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 128/167] i2c: cadence: Increase timeout per message if necessary Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 130/167] m68knommu: fix undefined reference to `_init_sp Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hugh Dickens, Greg Ungerer, Sasha Levin

From: Greg Ungerer <gerg@linux-m68k.org>

[ Upstream commit dc068f46217970d9516f16cd37972a01d50dc055 ]

The non-MMU m68k pagetable ZERO_PAGE() macro is being set to the
somewhat non-sensical value of "virt_to_page(0)". The zeroth page
is not in any way guaranteed to be a page full of "0". So the result
is that ZERO_PAGE() will almost certainly contain random values.

We already allocate a real "empty_zero_page" in the mm setup code shared
between MMU m68k and non-MMU m68k. It is just not hooked up to the
ZERO_PAGE() macro for the non-MMU m68k case.

Fix ZERO_PAGE() to use the allocated "empty_zero_page" pointer.

I am not aware of any specific issues caused by the old code.

Link: https://lore.kernel.org/linux-m68k/2a462b23-5b8e-bbf4-ec7d-778434a3b9d7@google.com/T/#t
Reported-by: Hugh Dickens <hughd@google.com>
Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/m68k/include/asm/pgtable_no.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/m68k/include/asm/pgtable_no.h b/arch/m68k/include/asm/pgtable_no.h
index ac7d87a02335..269443e1084b 100644
--- a/arch/m68k/include/asm/pgtable_no.h
+++ b/arch/m68k/include/asm/pgtable_no.h
@@ -41,7 +41,8 @@ extern void paging_init(void);
  * ZERO_PAGE is a global shared page that is always zero: used
  * for zero-mapped memory areas etc..
  */
-#define ZERO_PAGE(vaddr)	(virt_to_page(0))
+extern void *empty_zero_page;
+#define ZERO_PAGE(vaddr)	(virt_to_page(empty_zero_page))
 
 /*
  * No page table caches to initialise.
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 130/167] m68knommu: fix undefined reference to `_init_sp
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 129/167] m68knommu: set ZERO_PAGE() to the allocated zeroed page Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 131/167] video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove() Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot,
	Geert Uytterhoeven, Greg Ungerer, Sasha Levin

From: Greg Ungerer <gerg@linux-m68k.org>

[ Upstream commit a71b9e66fee47c59b3ec34e652b5c23bc6550794 ]

When configuring a nommu classic m68k system enabling the uboot parameter
passing support (CONFIG_UBOOT) will produce the following compile error:

   m68k-linux-ld: arch/m68k/kernel/uboot.o: in function `process_uboot_commandline':
   uboot.c:(.init.text+0x32): undefined reference to `_init_sp'

The logic to support this option is only used on ColdFire based platforms
(in its head.S startup code). So make the selection of this option
depend on building for a ColdFire based platform.

Reported-by: kernel test robot <lkp@intel.com>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/m68k/Kconfig.machine | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/m68k/Kconfig.machine b/arch/m68k/Kconfig.machine
index f622c3ccafc3..9f2896493ca0 100644
--- a/arch/m68k/Kconfig.machine
+++ b/arch/m68k/Kconfig.machine
@@ -302,6 +302,7 @@ comment "Machine Options"
 
 config UBOOT
 	bool "Support for U-Boot command line parameters"
+	depends on COLDFIRE
 	help
 	  If you say Y here kernel will try to collect command
 	  line parameters from the initial u-boot stack.
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 131/167] video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 130/167] m68knommu: fix undefined reference to `_init_sp Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 132/167] net: fix nla_strcmp to handle more then one trailing null character Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Yingliang, Helge Deller, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit d87ad457f7e1b8d2492ca5b1531eb35030a1cc8f ]

In pxa3xx_gcu_probe(), the sequence of error lable is wrong, it will
leads some resource leaked, so adjust the sequence to handle the error
correctly, and if pxa3xx_gcu_add_buffer() fails, pxa3xx_gcu_free_buffers()
need be called.
In pxa3xx_gcu_remove(), add missing clk_disable_unpreprare().

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/pxa3xx-gcu.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c
index 50bce45e7f3d..184773b6b9e4 100644
--- a/drivers/video/fbdev/pxa3xx-gcu.c
+++ b/drivers/video/fbdev/pxa3xx-gcu.c
@@ -662,6 +662,7 @@ static int pxa3xx_gcu_probe(struct platform_device *pdev)
 	for (i = 0; i < 8; i++) {
 		ret = pxa3xx_gcu_add_buffer(dev, priv);
 		if (ret) {
+			pxa3xx_gcu_free_buffers(dev, priv);
 			dev_err(dev, "failed to allocate DMA memory\n");
 			goto err_disable_clk;
 		}
@@ -677,15 +678,15 @@ static int pxa3xx_gcu_probe(struct platform_device *pdev)
 			SHARED_SIZE, irq);
 	return 0;
 
-err_free_dma:
-	dma_free_coherent(dev, SHARED_SIZE,
-			priv->shared, priv->shared_phys);
+err_disable_clk:
+	clk_disable_unprepare(priv->clk);
 
 err_misc_deregister:
 	misc_deregister(&priv->misc_dev);
 
-err_disable_clk:
-	clk_disable_unprepare(priv->clk);
+err_free_dma:
+	dma_free_coherent(dev, SHARED_SIZE,
+			  priv->shared, priv->shared_phys);
 
 	return ret;
 }
@@ -698,6 +699,7 @@ static int pxa3xx_gcu_remove(struct platform_device *pdev)
 	pxa3xx_gcu_wait_idle(priv);
 	misc_deregister(&priv->misc_dev);
 	dma_free_coherent(dev, SHARED_SIZE, priv->shared, priv->shared_phys);
+	clk_disable_unprepare(priv->clk);
 	pxa3xx_gcu_free_buffers(dev, priv);
 
 	return 0;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 132/167] net: fix nla_strcmp to handle more then one trailing null character
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 131/167] video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove() Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 133/167] ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nucca Chen, Cong Wang, David Ahern,
	David S. Miller, Jakub Kicinski, Jamal Hadi Salim, Jiri Pirko,
	Jiri Pirko, Sasha Levin

From: Maciej Żenczykowski <maze@google.com>

[ Upstream commit 2c16db6c92b0ee4aa61e88366df82169e83c3f7e ]

Android userspace has been using TCA_KIND with a char[IFNAMESIZ]
many-null-terminated buffer containing the string 'bpf'.

This works on 4.19 and ceases to work on 5.10.

I'm not entirely sure what fixes tag to use, but I think the issue
was likely introduced in the below mentioned 5.4 commit.

Reported-by: Nucca Chen <nuccachen@google.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Jakub Kicinski <jakub.kicinski@netronome.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@mellanox.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Fixes: 62794fc4fbf5 ("net_sched: add max len check for TCA_KIND")
Change-Id: I66dc281f165a2858fc29a44869a270a2d698a82b
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 lib/nlattr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/nlattr.c b/lib/nlattr.c
index fce1e9afc6d9..ea27e1d069b1 100644
--- a/lib/nlattr.c
+++ b/lib/nlattr.c
@@ -316,7 +316,7 @@ int nla_strcmp(const struct nlattr *nla, const char *str)
 	int attrlen = nla_len(nla);
 	int d;
 
-	if (attrlen > 0 && buf[attrlen - 1] == '\0')
+	while (attrlen > 0 && buf[attrlen - 1] == '\0')
 		attrlen--;
 
 	d = attrlen - len;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 133/167] ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 132/167] net: fix nla_strcmp to handle more then one trailing null character Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 134/167] net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaoqian Lin, Sergey Shtylyov,
	Damien Le Moal, Sasha Levin

From: Miaoqian Lin <linmq006@gmail.com>

[ Upstream commit 10d6bdf532902be1d8aa5900b3c03c5671612aa2 ]

of_find_device_by_node() takes reference, we should use put_device()
to release it when not need anymore.
Add missing put_device() to avoid refcount leak.

Fixes: 43f01da0f279 ("MIPS/OCTEON/ata: Convert pata_octeon_cf.c to use device tree.")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ata/pata_octeon_cf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/ata/pata_octeon_cf.c b/drivers/ata/pata_octeon_cf.c
index 7e6359e32ab6..fb07d16a9f2a 100644
--- a/drivers/ata/pata_octeon_cf.c
+++ b/drivers/ata/pata_octeon_cf.c
@@ -898,12 +898,14 @@ static int octeon_cf_probe(struct platform_device *pdev)
 				int i;
 				res_dma = platform_get_resource(dma_dev, IORESOURCE_MEM, 0);
 				if (!res_dma) {
+					put_device(&dma_dev->dev);
 					of_node_put(dma_node);
 					return -EINVAL;
 				}
 				cf_port->dma_base = (u64)devm_ioremap_nocache(&pdev->dev, res_dma->start,
 									 resource_size(res_dma));
 				if (!cf_port->dma_base) {
+					put_device(&dma_dev->dev);
 					of_node_put(dma_node);
 					return -EINVAL;
 				}
@@ -913,6 +915,7 @@ static int octeon_cf_probe(struct platform_device *pdev)
 					irq = i;
 					irq_handler = octeon_cf_interrupt;
 				}
+				put_device(&dma_dev->dev);
 			}
 			of_node_put(dma_node);
 		}
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 134/167] net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 133/167] ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 135/167] SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer() Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gal Pressman, Tariq Toukan,
	Jakub Kicinski, Sasha Levin

From: Gal Pressman <gal@nvidia.com>

[ Upstream commit f5826c8c9d57210a17031af5527056eefdc2b7eb ]

The ioctl EEPROM query wrongly returns success on read failures, fix
that by returning the appropriate error code.

Fixes: 7202da8b7f71 ("ethtool, net/mlx4_en: Cable info, get_module_info/eeprom ethtool support")
Signed-off-by: Gal Pressman <gal@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://lore.kernel.org/r/20220606115718.14233-1-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
index 1569300844f0..8b0c28d4c627 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
@@ -2003,7 +2003,7 @@ static int mlx4_en_get_module_eeprom(struct net_device *dev,
 			en_err(priv,
 			       "mlx4_get_module_info i(%d) offset(%d) bytes_to_read(%d) - FAILED (0x%x)\n",
 			       i, offset, ee->len - i, ret);
-			return 0;
+			return ret;
 		}
 
 		i += ret;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 135/167] SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 134/167] net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 136/167] net: xfrm: unexport __init-annotated xfrm4_protocol_init() Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chuck Lever, NeilBrown,
	J. Bruce Fields, Sasha Levin

From: Chuck Lever <chuck.lever@oracle.com>

[ Upstream commit 6c254bf3b637dd4ef4f78eb78c7447419c0161d7 ]

I found that NFSD's new NFSv3 READDIRPLUS XDR encoder was screwing up
right at the end of the page array. xdr_get_next_encode_buffer() does
not compute the value of xdr->end correctly:

 * The check to see if we're on the final available page in xdr->buf
   needs to account for the space consumed by @nbytes.

 * The new xdr->end value needs to account for the portion of @nbytes
   that is to be encoded into the previous buffer.

Fixes: 2825a7f90753 ("nfsd4: allow encoding across page boundaries")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: NeilBrown <neilb@suse.de>
Reviewed-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sunrpc/xdr.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index dd547edee59f..06b4b76edd9d 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -544,7 +544,11 @@ static __be32 *xdr_get_next_encode_buffer(struct xdr_stream *xdr,
 	 */
 	xdr->p = (void *)p + frag2bytes;
 	space_left = xdr->buf->buflen - xdr->buf->len;
-	xdr->end = (void *)p + min_t(int, space_left, PAGE_SIZE);
+	if (space_left - nbytes >= PAGE_SIZE)
+		xdr->end = (void *)p + PAGE_SIZE;
+	else
+		xdr->end = (void *)p + space_left - frag1bytes;
+
 	xdr->buf->page_len += frag2bytes;
 	xdr->buf->len += nbytes;
 	return p;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 136/167] net: xfrm: unexport __init-annotated xfrm4_protocol_init()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 135/167] SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer() Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 137/167] net: altera: Fix refcount leak in altera_tse_mdio_create Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephen Rothwell, Masahiro Yamada,
	Steffen Klassert, Jakub Kicinski, Sasha Levin

From: Masahiro Yamada <masahiroy@kernel.org>

[ Upstream commit 4a388f08d8784af48f352193d2b72aaf167a57a1 ]

EXPORT_SYMBOL and __init is a bad combination because the .init.text
section is freed up after the initialization. Hence, modules cannot
use symbols annotated __init. The access to a freed symbol may end up
with kernel panic.

modpost used to detect it, but it has been broken for a decade.

Recently, I fixed modpost so it started to warn it again, then this
showed up in linux-next builds.

There are two ways to fix it:

  - Remove __init
  - Remove EXPORT_SYMBOL

I chose the latter for this case because the only in-tree call-site,
net/ipv4/xfrm4_policy.c is never compiled as modular.
(CONFIG_XFRM is boolean)

Fixes: 2f32b51b609f ("xfrm: Introduce xfrm_input_afinfo to access the the callbacks properly")
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/xfrm4_protocol.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/ipv4/xfrm4_protocol.c b/net/ipv4/xfrm4_protocol.c
index dccefa9d84cf..5a4b19834fe2 100644
--- a/net/ipv4/xfrm4_protocol.c
+++ b/net/ipv4/xfrm4_protocol.c
@@ -298,4 +298,3 @@ void __init xfrm4_protocol_init(void)
 {
 	xfrm_input_register_afinfo(&xfrm4_input_afinfo);
 }
-EXPORT_SYMBOL(xfrm4_protocol_init);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 137/167] net: altera: Fix refcount leak in altera_tse_mdio_create
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 136/167] net: xfrm: unexport __init-annotated xfrm4_protocol_init() Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 138/167] iio: dummy: iio_simple_dummy: check the return value of kstrdup() Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaoqian Lin, Jakub Kicinski, Sasha Levin

From: Miaoqian Lin <linmq006@gmail.com>

[ Upstream commit 11ec18b1d8d92b9df307d31950dcba0b3dd7283c ]

Every iteration of for_each_child_of_node() decrements
the reference count of the previous node.
When break from a for_each_child_of_node() loop,
we need to explicitly call of_node_put() on the child node when
not need anymore.
Add missing of_node_put() to avoid refcount leak.

Fixes: bbd2190ce96d ("Altera TSE: Add main and header file for Altera Ethernet Driver")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20220607041144.7553-1-linmq006@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/altera/altera_tse_main.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/altera/altera_tse_main.c b/drivers/net/ethernet/altera/altera_tse_main.c
index e02b99f77b1c..9d63bb33844e 100644
--- a/drivers/net/ethernet/altera/altera_tse_main.c
+++ b/drivers/net/ethernet/altera/altera_tse_main.c
@@ -152,7 +152,8 @@ static int altera_tse_mdio_create(struct net_device *dev, unsigned int id)
 	mdio = mdiobus_alloc();
 	if (mdio == NULL) {
 		netdev_err(dev, "Error allocating MDIO bus\n");
-		return -ENOMEM;
+		ret = -ENOMEM;
+		goto put_node;
 	}
 
 	mdio->name = ALTERA_TSE_RESOURCE_NAME;
@@ -169,6 +170,7 @@ static int altera_tse_mdio_create(struct net_device *dev, unsigned int id)
 			   mdio->id);
 		goto out_free_mdio;
 	}
+	of_node_put(mdio_node);
 
 	if (netif_msg_drv(priv))
 		netdev_info(dev, "MDIO bus %s: created\n", mdio->id);
@@ -178,6 +180,8 @@ static int altera_tse_mdio_create(struct net_device *dev, unsigned int id)
 out_free_mdio:
 	mdiobus_free(mdio);
 	mdio = NULL;
+put_node:
+	of_node_put(mdio_node);
 	return ret;
 }
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 138/167] iio: dummy: iio_simple_dummy: check the return value of kstrdup()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 137/167] net: altera: Fix refcount leak in altera_tse_mdio_create Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 139/167] lkdtm/usercopy: Expand size of "out of frame" object Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiaoke Wang, Jonathan Cameron, Sasha Levin

From: Xiaoke Wang <xkernel.wang@foxmail.com>

[ Upstream commit ba93642188a6fed754bf7447f638bc410e05a929 ]

kstrdup() is also a memory allocation-related function, it returns NULL
when some memory errors happen. So it is better to check the return
value of it so to catch the memory error in time. Besides, there should
have a kfree() to clear up the allocation if we get a failure later in
this function to prevent memory leak.

Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
Link: https://lore.kernel.org/r/tencent_C920CFCC33B9CC1C63141FE1334A39FF8508@qq.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/dummy/iio_simple_dummy.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/drivers/iio/dummy/iio_simple_dummy.c b/drivers/iio/dummy/iio_simple_dummy.c
index ad3410e528b6..7fef76f0b5c7 100644
--- a/drivers/iio/dummy/iio_simple_dummy.c
+++ b/drivers/iio/dummy/iio_simple_dummy.c
@@ -572,10 +572,9 @@ static struct iio_sw_device *iio_dummy_probe(const char *name)
 	struct iio_sw_device *swd;
 
 	swd = kzalloc(sizeof(*swd), GFP_KERNEL);
-	if (!swd) {
-		ret = -ENOMEM;
-		goto error_kzalloc;
-	}
+	if (!swd)
+		return ERR_PTR(-ENOMEM);
+
 	/*
 	 * Allocate an IIO device.
 	 *
@@ -587,7 +586,7 @@ static struct iio_sw_device *iio_dummy_probe(const char *name)
 	indio_dev = iio_device_alloc(sizeof(*st));
 	if (!indio_dev) {
 		ret = -ENOMEM;
-		goto error_ret;
+		goto error_free_swd;
 	}
 
 	st = iio_priv(indio_dev);
@@ -618,6 +617,10 @@ static struct iio_sw_device *iio_dummy_probe(const char *name)
 	 *    indio_dev->name = spi_get_device_id(spi)->name;
 	 */
 	indio_dev->name = kstrdup(name, GFP_KERNEL);
+	if (!indio_dev->name) {
+		ret = -ENOMEM;
+		goto error_free_device;
+	}
 
 	/* Provide description of available channels */
 	indio_dev->channels = iio_dummy_channels;
@@ -634,7 +637,7 @@ static struct iio_sw_device *iio_dummy_probe(const char *name)
 
 	ret = iio_simple_dummy_events_register(indio_dev);
 	if (ret < 0)
-		goto error_free_device;
+		goto error_free_name;
 
 	ret = iio_simple_dummy_configure_buffer(indio_dev);
 	if (ret < 0)
@@ -651,11 +654,12 @@ static struct iio_sw_device *iio_dummy_probe(const char *name)
 	iio_simple_dummy_unconfigure_buffer(indio_dev);
 error_unregister_events:
 	iio_simple_dummy_events_unregister(indio_dev);
+error_free_name:
+	kfree(indio_dev->name);
 error_free_device:
 	iio_device_free(indio_dev);
-error_ret:
+error_free_swd:
 	kfree(swd);
-error_kzalloc:
 	return ERR_PTR(ret);
 }
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 139/167] lkdtm/usercopy: Expand size of "out of frame" object
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 138/167] iio: dummy: iio_simple_dummy: check the return value of kstrdup() Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 140/167] tty: synclink_gt: Fix null-pointer-dereference in slgt_clean() Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Muhammad Usama Anjum, Arnd Bergmann,
	Kees Cook, Sasha Levin

From: Kees Cook <keescook@chromium.org>

[ Upstream commit f387e86d3a74407bdd9c5815820ac9d060962840 ]

To be sufficiently out of range for the usercopy test to see the lifetime
mismatch, expand the size of the "bad" buffer, which will let it be
beyond current_stack_pointer regardless of stack growth direction.
Paired with the recent addition of stack depth checking under
CONFIG_HARDENED_USERCOPY=y, this will correctly start tripping again.

Reported-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Link: https://lore.kernel.org/lkml/762faf1b-0443-5ddf-4430-44a20cf2ec4d@collabora.com/
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/lkdtm_usercopy.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/drivers/misc/lkdtm_usercopy.c b/drivers/misc/lkdtm_usercopy.c
index 1dd611423d8b..36438947244d 100644
--- a/drivers/misc/lkdtm_usercopy.c
+++ b/drivers/misc/lkdtm_usercopy.c
@@ -28,12 +28,12 @@ static const unsigned char test_text[] = "This is a test.\n";
  */
 static noinline unsigned char *trick_compiler(unsigned char *stack)
 {
-	return stack + 0;
+	return stack + unconst;
 }
 
 static noinline unsigned char *do_usercopy_stack_callee(int value)
 {
-	unsigned char buf[32];
+	unsigned char buf[128];
 	int i;
 
 	/* Exercise stack to avoid everything living in registers. */
@@ -41,7 +41,12 @@ static noinline unsigned char *do_usercopy_stack_callee(int value)
 		buf[i] = value & 0xff;
 	}
 
-	return trick_compiler(buf);
+	/*
+	 * Put the target buffer in the middle of stack allocation
+	 * so that we don't step on future stack users regardless
+	 * of stack growth direction.
+	 */
+	return trick_compiler(&buf[(128/2)-32]);
 }
 
 static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
@@ -64,6 +69,12 @@ static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
 		bad_stack -= sizeof(unsigned long);
 	}
 
+#ifdef ARCH_HAS_CURRENT_STACK_POINTER
+	pr_info("stack     : %px\n", (void *)current_stack_pointer);
+#endif
+	pr_info("good_stack: %px-%px\n", good_stack, good_stack + sizeof(good_stack));
+	pr_info("bad_stack : %px-%px\n", bad_stack, bad_stack + sizeof(good_stack));
+
 	user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
 			    PROT_READ | PROT_WRITE | PROT_EXEC,
 			    MAP_ANONYMOUS | MAP_PRIVATE, 0);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 140/167] tty: synclink_gt: Fix null-pointer-dereference in slgt_clean()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 139/167] lkdtm/usercopy: Expand size of "out of frame" object Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 141/167] tty: Fix a possible resource leak in icom_probe Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Zheyu Ma, Sasha Levin

From: Zheyu Ma <zheyuma97@gmail.com>

[ Upstream commit 689ca31c542687709ba21ec2195c1fbce34fd029 ]

When the driver fails at alloc_hdlcdev(), and then we remove the driver
module, we will get the following splat:

[   25.065966] general protection fault, probably for non-canonical address 0xdffffc0000000182: 0000 [#1] PREEMPT SMP KASAN PTI
[   25.066914] KASAN: null-ptr-deref in range [0x0000000000000c10-0x0000000000000c17]
[   25.069262] RIP: 0010:detach_hdlc_protocol+0x2a/0x3e0
[   25.077709] Call Trace:
[   25.077924]  <TASK>
[   25.078108]  unregister_hdlc_device+0x16/0x30
[   25.078481]  slgt_cleanup+0x157/0x9f0 [synclink_gt]

Fix this by checking whether the 'info->netdev' is a null pointer first.

Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Link: https://lore.kernel.org/r/20220410114814.3920474-1-zheyuma97@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/synclink_gt.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c
index 7446ce29f677..b5d053763263 100644
--- a/drivers/tty/synclink_gt.c
+++ b/drivers/tty/synclink_gt.c
@@ -1823,6 +1823,8 @@ static int hdlcdev_init(struct slgt_info *info)
  */
 static void hdlcdev_exit(struct slgt_info *info)
 {
+	if (!info->netdev)
+		return;
 	unregister_hdlc_device(info->netdev);
 	free_netdev(info->netdev);
 	info->netdev = NULL;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 141/167] tty: Fix a possible resource leak in icom_probe
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 140/167] tty: synclink_gt: Fix null-pointer-dereference in slgt_clean() Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 142/167] drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop() Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Huang Guobin, Sasha Levin

From: Huang Guobin <huangguobin4@huawei.com>

[ Upstream commit ee157a79e7c82b01ae4c25de0ac75899801f322c ]

When pci_read_config_dword failed, call pci_release_regions() and
pci_disable_device() to recycle the resource previously allocated.

Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Huang Guobin <huangguobin4@huawei.com>
Link: https://lore.kernel.org/r/20220331091005.3290753-1-huangguobin4@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/icom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/tty/serial/icom.c b/drivers/tty/serial/icom.c
index c60a8d5e4020..a3e420669674 100644
--- a/drivers/tty/serial/icom.c
+++ b/drivers/tty/serial/icom.c
@@ -1515,7 +1515,7 @@ static int icom_probe(struct pci_dev *dev,
 	retval = pci_read_config_dword(dev, PCI_COMMAND, &command_reg);
 	if (retval) {
 		dev_err(&dev->dev, "PCI Config read FAILED\n");
-		return retval;
+		goto probe_exit0;
 	}
 
 	pci_write_config_dword(dev, PCI_COMMAND,
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 142/167] drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 141/167] tty: Fix a possible resource leak in icom_probe Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 143/167] USB: host: isp116x: check return value after calling platform_get_resource() Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Duoming Zhou, Sasha Levin

From: Duoming Zhou <duoming@zju.edu.cn>

[ Upstream commit 9b6bdbd9337de3917945847bde262a34a87a6303 ]

There is a deadlock in rtllib_beacons_stop(), which is shown
below:

   (Thread 1)              |      (Thread 2)
                           | rtllib_send_beacon()
rtllib_beacons_stop()      |  mod_timer()
 spin_lock_irqsave() //(1) |  (wait a time)
 ...                       | rtllib_send_beacon_cb()
 del_timer_sync()          |  spin_lock_irqsave() //(2)
 (wait timer to stop)      |  ...

We hold ieee->beacon_lock in position (1) of thread 1 and
use del_timer_sync() to wait timer to stop, but timer handler
also need ieee->beacon_lock in position (2) of thread 2.
As a result, rtllib_beacons_stop() will block forever.

This patch extracts del_timer_sync() from the protection of
spin_lock_irqsave(), which could let timer handler to obtain
the needed lock.

Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://lore.kernel.org/r/20220417141641.124388-1-duoming@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/rtl8192e/rtllib_softmac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8192e/rtllib_softmac.c b/drivers/staging/rtl8192e/rtllib_softmac.c
index da74dc49b95e..f46def63967b 100644
--- a/drivers/staging/rtl8192e/rtllib_softmac.c
+++ b/drivers/staging/rtl8192e/rtllib_softmac.c
@@ -655,9 +655,9 @@ static void rtllib_beacons_stop(struct rtllib_device *ieee)
 	spin_lock_irqsave(&ieee->beacon_lock, flags);
 
 	ieee->beacon_txing = 0;
-	del_timer_sync(&ieee->beacon_timer);
 
 	spin_unlock_irqrestore(&ieee->beacon_lock, flags);
+	del_timer_sync(&ieee->beacon_timer);
 
 }
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 143/167] USB: host: isp116x: check return value after calling platform_get_resource()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 142/167] drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop() Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 144/167] drivers: tty: serial: Fix deadlock in sa1100_set_termios() Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhen Ni, Sasha Levin

From: Zhen Ni <nizhen@uniontech.com>

[ Upstream commit 134a3408c2d3f7e23eb0e4556e0a2d9f36c2614e ]

It will cause null-ptr-deref if platform_get_resource() returns NULL,
we need check the return value.

Signed-off-by: Zhen Ni <nizhen@uniontech.com>
Link: https://lore.kernel.org/r/20220302033716.31272-1-nizhen@uniontech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/host/isp116x-hcd.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/host/isp116x-hcd.c b/drivers/usb/host/isp116x-hcd.c
index d089b3fb7a13..c32145e63aea 100644
--- a/drivers/usb/host/isp116x-hcd.c
+++ b/drivers/usb/host/isp116x-hcd.c
@@ -1551,10 +1551,12 @@ static int isp116x_remove(struct platform_device *pdev)
 
 	iounmap(isp116x->data_reg);
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
-	release_mem_region(res->start, 2);
+	if (res)
+		release_mem_region(res->start, 2);
 	iounmap(isp116x->addr_reg);
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
-	release_mem_region(res->start, 2);
+	if (res)
+		release_mem_region(res->start, 2);
 
 	usb_put_hcd(hcd);
 	return 0;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 144/167] drivers: tty: serial: Fix deadlock in sa1100_set_termios()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 143/167] USB: host: isp116x: check return value after calling platform_get_resource() Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 145/167] drivers: usb: host: Fix deadlock in oxu_bus_suspend() Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Duoming Zhou, Sasha Levin

From: Duoming Zhou <duoming@zju.edu.cn>

[ Upstream commit 62b2caef400c1738b6d22f636c628d9f85cd4c4c ]

There is a deadlock in sa1100_set_termios(), which is shown
below:

   (Thread 1)              |      (Thread 2)
                           | sa1100_enable_ms()
sa1100_set_termios()       |  mod_timer()
 spin_lock_irqsave() //(1) |  (wait a time)
 ...                       | sa1100_timeout()
 del_timer_sync()          |  spin_lock_irqsave() //(2)
 (wait timer to stop)      |  ...

We hold sport->port.lock in position (1) of thread 1 and
use del_timer_sync() to wait timer to stop, but timer handler
also need sport->port.lock in position (2) of thread 2. As a result,
sa1100_set_termios() will block forever.

This patch moves del_timer_sync() before spin_lock_irqsave()
in order to prevent the deadlock.

Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://lore.kernel.org/r/20220417111626.7802-1-duoming@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/sa1100.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/tty/serial/sa1100.c b/drivers/tty/serial/sa1100.c
index fd3d1329d48c..68eb1c9faa29 100644
--- a/drivers/tty/serial/sa1100.c
+++ b/drivers/tty/serial/sa1100.c
@@ -452,6 +452,8 @@ sa1100_set_termios(struct uart_port *port, struct ktermios *termios,
 	baud = uart_get_baud_rate(port, termios, old, 0, port->uartclk/16); 
 	quot = uart_get_divisor(port, baud);
 
+	del_timer_sync(&sport->timer);
+
 	spin_lock_irqsave(&sport->port.lock, flags);
 
 	sport->port.read_status_mask &= UTSR0_TO_SM(UTSR0_TFS);
@@ -482,8 +484,6 @@ sa1100_set_termios(struct uart_port *port, struct ktermios *termios,
 				UTSR1_TO_SM(UTSR1_ROR);
 	}
 
-	del_timer_sync(&sport->timer);
-
 	/*
 	 * Update the per-port timeout.
 	 */
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 145/167] drivers: usb: host: Fix deadlock in oxu_bus_suspend()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 144/167] drivers: tty: serial: Fix deadlock in sa1100_set_termios() Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 146/167] USB: hcd-pci: Fully suspend across freeze/thaw cycle Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Duoming Zhou, Sasha Levin

From: Duoming Zhou <duoming@zju.edu.cn>

[ Upstream commit 4d378f2ae58138d4c55684e1d274e7dd94aa6524 ]

There is a deadlock in oxu_bus_suspend(), which is shown below:

   (Thread 1)              |      (Thread 2)
                           | timer_action()
oxu_bus_suspend()          |  mod_timer()
 spin_lock_irq() //(1)     |  (wait a time)
 ...                       | oxu_watchdog()
 del_timer_sync()          |  spin_lock_irq() //(2)
 (wait timer to stop)      |  ...

We hold oxu->lock in position (1) of thread 1, and use
del_timer_sync() to wait timer to stop, but timer handler
also need oxu->lock in position (2) of thread 2. As a result,
oxu_bus_suspend() will block forever.

This patch extracts del_timer_sync() from the protection of
spin_lock_irq(), which could let timer handler to obtain
the needed lock.

Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://lore.kernel.org/r/20220417120305.64577-1-duoming@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/host/oxu210hp-hcd.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/host/oxu210hp-hcd.c b/drivers/usb/host/oxu210hp-hcd.c
index 2f48da0c0bb3..af5248f62c59 100644
--- a/drivers/usb/host/oxu210hp-hcd.c
+++ b/drivers/usb/host/oxu210hp-hcd.c
@@ -3491,8 +3491,10 @@ static int oxu_bus_suspend(struct usb_hcd *hcd)
 		}
 	}
 
+	spin_unlock_irq(&oxu->lock);
 	/* turn off now-idle HC */
 	del_timer_sync(&oxu->watchdog);
+	spin_lock_irq(&oxu->lock);
 	ehci_halt(oxu);
 	hcd->state = HC_STATE_SUSPENDED;
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 146/167] USB: hcd-pci: Fully suspend across freeze/thaw cycle
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 145/167] drivers: usb: host: Fix deadlock in oxu_bus_suspend() Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 147/167] usb: dwc2: gadget: dont reset gadgets driver->bus Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Stern, Evan Green, Sasha Levin

From: Evan Green <evgreen@chromium.org>

[ Upstream commit 63acaa8e9c65dc34dc249440216f8e977f5d2748 ]

The documentation for the freeze() method says that it "should quiesce
the device so that it doesn't generate IRQs or DMA". The unspoken
consequence of not doing this is that MSIs aimed at non-boot CPUs may
get fully lost if they're sent during the period where the target CPU is
offline.

The current callbacks for USB HCD do not fully quiesce interrupts,
specifically on XHCI. Change to use the full suspend/resume flow for
freeze/thaw to ensure interrupts are fully quiesced. This fixes issues
where USB devices fail to thaw during hibernation because XHCI misses
its interrupt and cannot recover.

Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Evan Green <evgreen@chromium.org>
Link: https://lore.kernel.org/r/20220421103751.v3.2.I8226c7fdae88329ef70957b96a39b346c69a914e@changeid
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/core/hcd-pci.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/core/hcd-pci.c b/drivers/usb/core/hcd-pci.c
index 7af23b215254..a416eea9a366 100644
--- a/drivers/usb/core/hcd-pci.c
+++ b/drivers/usb/core/hcd-pci.c
@@ -637,10 +637,10 @@ const struct dev_pm_ops usb_hcd_pci_pm_ops = {
 	.suspend_noirq	= hcd_pci_suspend_noirq,
 	.resume_noirq	= hcd_pci_resume_noirq,
 	.resume		= hcd_pci_resume,
-	.freeze		= check_root_hub_suspended,
+	.freeze		= hcd_pci_suspend,
 	.freeze_noirq	= check_root_hub_suspended,
 	.thaw_noirq	= NULL,
-	.thaw		= NULL,
+	.thaw		= hcd_pci_resume,
 	.poweroff	= hcd_pci_suspend,
 	.poweroff_noirq	= hcd_pci_suspend_noirq,
 	.restore_noirq	= hcd_pci_resume_noirq,
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 147/167] usb: dwc2: gadget: dont reset gadgets driver->bus
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 146/167] USB: hcd-pci: Fully suspend across freeze/thaw cycle Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 148/167] misc: rtsx: set NULL intfdata when probe fails Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marek Szyprowski, Sasha Levin

From: Marek Szyprowski <m.szyprowski@samsung.com>

[ Upstream commit 3120aac6d0ecd9accf56894aeac0e265f74d3d5a ]

UDC driver should not touch gadget's driver internals, especially it
should not reset driver->bus. This wasn't harmful so far, but since
commit fc274c1e9973 ("USB: gadget: Add a new bus for gadgets") gadget
subsystem got it's own bus and messing with ->bus triggers the
following NULL pointer dereference:

dwc2 12480000.hsotg: bound driver g_ether
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000000
[00000000] *pgd=00000000
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in: ...
CPU: 0 PID: 620 Comm: modprobe Not tainted 5.18.0-rc5-next-20220504 #11862
Hardware name: Samsung Exynos (Flattened Device Tree)
PC is at module_add_driver+0x44/0xe8
LR is at sysfs_do_create_link_sd+0x84/0xe0
...
Process modprobe (pid: 620, stack limit = 0x(ptrval))
...
 module_add_driver from bus_add_driver+0xf4/0x1e4
 bus_add_driver from driver_register+0x78/0x10c
 driver_register from usb_gadget_register_driver_owner+0x40/0xb4
 usb_gadget_register_driver_owner from do_one_initcall+0x44/0x1e0
 do_one_initcall from do_init_module+0x44/0x1c8
 do_init_module from load_module+0x19b8/0x1b9c
 load_module from sys_finit_module+0xdc/0xfc
 sys_finit_module from ret_fast_syscall+0x0/0x54
Exception stack(0xf1771fa8 to 0xf1771ff0)
...
dwc2 12480000.hsotg: new device is high-speed
---[ end trace 0000000000000000 ]---

Fix this by removing driver->bus entry reset.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/r/20220505104618.22729-1-m.szyprowski@samsung.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/dwc2/gadget.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c
index 65bcbbad6d54..44bab6727b43 100644
--- a/drivers/usb/dwc2/gadget.c
+++ b/drivers/usb/dwc2/gadget.c
@@ -3445,7 +3445,6 @@ static int dwc2_hsotg_udc_start(struct usb_gadget *gadget,
 
 	WARN_ON(hsotg->driver);
 
-	driver->driver.bus = NULL;
 	hsotg->driver = driver;
 	hsotg->gadget.dev.of_node = hsotg->dev->of_node;
 	hsotg->gadget.speed = USB_SPEED_UNKNOWN;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 148/167] misc: rtsx: set NULL intfdata when probe fails
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 147/167] usb: dwc2: gadget: dont reset gadgets driver->bus Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 149/167] clocksource/drivers/sp804: Avoid error on multiple instances Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Shuah Khan, Sasha Levin

From: Shuah Khan <skhan@linuxfoundation.org>

[ Upstream commit f861d36e021e1ac4a0a2a1f6411d623809975d63 ]

rtsx_usb_probe() doesn't call usb_set_intfdata() to null out the
interface pointer when probe fails. This leaves a stale pointer.
Noticed the missing usb_set_intfdata() while debugging an unrelated
invalid DMA mapping problem.

Fix it with a call to usb_set_intfdata(..., NULL).

Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://lore.kernel.org/r/20220429210913.46804-1-skhan@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mfd/rtsx_usb.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/mfd/rtsx_usb.c b/drivers/mfd/rtsx_usb.c
index 691dab791f7a..e94f855eac15 100644
--- a/drivers/mfd/rtsx_usb.c
+++ b/drivers/mfd/rtsx_usb.c
@@ -678,6 +678,7 @@ static int rtsx_usb_probe(struct usb_interface *intf,
 	return 0;
 
 out_init_fail:
+	usb_set_intfdata(ucr->pusb_intf, NULL);
 	usb_free_coherent(ucr->pusb_dev, IOBUF_SIZE, ucr->iobuf,
 			ucr->iobuf_dma);
 	return ret;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 149/167] clocksource/drivers/sp804: Avoid error on multiple instances
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 148/167] misc: rtsx: set NULL intfdata when probe fails Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 150/167] staging: rtl8712: fix uninit-value in r871xu_drv_init() Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andre Przywara, Robin Murphy,
	Daniel Lezcano, Sasha Levin

From: Andre Przywara <andre.przywara@arm.com>

[ Upstream commit a98399cbc1e05f7b977419f03905501d566cf54e ]

When a machine sports more than one SP804 timer instance, we only bring
up the first one, since multiple timers of the same kind are not useful
to Linux. As this is intentional behaviour, we should not return an
error message, as we do today:
===============
[    0.000800] Failed to initialize '/bus@8000000/motherboard-bus@8000000/iofpga-bus@300000000/timer@120000': -22
===============

Replace the -EINVAL return with a debug message and return 0 instead.

Also we do not reach the init function anymore if the DT node is
disabled (as this is now handled by OF_DECLARE), so remove the explicit
check for that case.

This fixes a long standing bogus error when booting ARM's fastmodels.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Link: https://lore.kernel.org/r/20220506162522.3675399-1-andre.przywara@arm.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clocksource/timer-sp804.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/clocksource/timer-sp804.c b/drivers/clocksource/timer-sp804.c
index d07863388e05..780699e4d120 100644
--- a/drivers/clocksource/timer-sp804.c
+++ b/drivers/clocksource/timer-sp804.c
@@ -227,6 +227,11 @@ static int __init sp804_of_init(struct device_node *np)
 	struct clk *clk1, *clk2;
 	const char *name = of_get_property(np, "compatible", NULL);
 
+	if (initialized) {
+		pr_debug("%pOF: skipping further SP804 timer device\n", np);
+		return 0;
+	}
+
 	base = of_iomap(np, 0);
 	if (!base)
 		return -ENXIO;
@@ -235,11 +240,6 @@ static int __init sp804_of_init(struct device_node *np)
 	writel(0, base + TIMER_CTRL);
 	writel(0, base + TIMER_2_BASE + TIMER_CTRL);
 
-	if (initialized || !of_device_is_available(np)) {
-		ret = -EINVAL;
-		goto err;
-	}
-
 	clk1 = of_clk_get(np, 0);
 	if (IS_ERR(clk1))
 		clk1 = NULL;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 150/167] staging: rtl8712: fix uninit-value in r871xu_drv_init()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 149/167] clocksource/drivers/sp804: Avoid error on multiple instances Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 151/167] serial: msm_serial: disable interrupts in __msm_console_write() Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+6f5ecd144854c0d8580b,
	Dan Carpenter, Wang Cheng, Sasha Levin

From: Wang Cheng <wanngchenng@gmail.com>

[ Upstream commit 0458e5428e5e959d201a40ffe71d762a79ecedc4 ]

When 'tmpU1b' returns from r8712_read8(padapter, EE_9346CR) is 0,
'mac[6]' will not be initialized.

BUG: KMSAN: uninit-value in r871xu_drv_init+0x2d54/0x3070 drivers/staging/rtl8712/usb_intf.c:541
 r871xu_drv_init+0x2d54/0x3070 drivers/staging/rtl8712/usb_intf.c:541
 usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396
 really_probe+0x653/0x14b0 drivers/base/dd.c:596
 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752
 driver_probe_device drivers/base/dd.c:782 [inline]
 __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899
 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
 __device_attach+0x593/0x8e0 drivers/base/dd.c:970
 device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017
 bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487
 device_add+0x1fff/0x26e0 drivers/base/core.c:3405
 usb_set_configuration+0x37e9/0x3ed0 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0x13c/0x300 drivers/usb/core/generic.c:238
 usb_probe_device+0x309/0x570 drivers/usb/core/driver.c:293
 really_probe+0x653/0x14b0 drivers/base/dd.c:596
 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752
 driver_probe_device drivers/base/dd.c:782 [inline]
 __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899
 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
 __device_attach+0x593/0x8e0 drivers/base/dd.c:970
 device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017
 bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487
 device_add+0x1fff/0x26e0 drivers/base/core.c:3405
 usb_new_device+0x1b8e/0x2950 drivers/usb/core/hub.c:2566
 hub_port_connect drivers/usb/core/hub.c:5358 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
 port_event drivers/usb/core/hub.c:5660 [inline]
 hub_event+0x58e3/0x89e0 drivers/usb/core/hub.c:5742
 process_one_work+0xdb6/0x1820 kernel/workqueue.c:2307
 worker_thread+0x10b3/0x21e0 kernel/workqueue.c:2454
 kthread+0x3c7/0x500 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30

Local variable mac created at:
 r871xu_drv_init+0x1771/0x3070 drivers/staging/rtl8712/usb_intf.c:394
 usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396

KMSAN: uninit-value in r871xu_drv_init
https://syzkaller.appspot.com/bug?id=3cd92b1d85428b128503bfa7a250294c9ae00bd8

Reported-by: <syzbot+6f5ecd144854c0d8580b@syzkaller.appspotmail.com>
Tested-by: <syzbot+6f5ecd144854c0d8580b@syzkaller.appspotmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Wang Cheng <wanngchenng@gmail.com>
Link: https://lore.kernel.org/r/14c3886173dfa4597f0704547c414cfdbcd11d16.1652618244.git.wanngchenng@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/rtl8712/usb_intf.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c
index d0ba42dfafeb..7b7cb2a7db60 100644
--- a/drivers/staging/rtl8712/usb_intf.c
+++ b/drivers/staging/rtl8712/usb_intf.c
@@ -569,13 +569,13 @@ static int r871xu_drv_init(struct usb_interface *pusb_intf,
 		} else {
 			AutoloadFail = false;
 		}
-		if (((mac[0] == 0xff) && (mac[1] == 0xff) &&
+		if ((!AutoloadFail) ||
+		    ((mac[0] == 0xff) && (mac[1] == 0xff) &&
 		     (mac[2] == 0xff) && (mac[3] == 0xff) &&
 		     (mac[4] == 0xff) && (mac[5] == 0xff)) ||
 		    ((mac[0] == 0x00) && (mac[1] == 0x00) &&
 		     (mac[2] == 0x00) && (mac[3] == 0x00) &&
-		     (mac[4] == 0x00) && (mac[5] == 0x00)) ||
-		     (!AutoloadFail)) {
+		     (mac[4] == 0x00) && (mac[5] == 0x00))) {
 			mac[0] = 0x00;
 			mac[1] = 0xe0;
 			mac[2] = 0x4c;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 151/167] serial: msm_serial: disable interrupts in __msm_console_write()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 150/167] staging: rtl8712: fix uninit-value in r871xu_drv_init() Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 152/167] md: protect md_unregister_thread from reentrancy Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Szyprowski, Petr Mladek,
	John Ogness, Sasha Levin

From: John Ogness <john.ogness@linutronix.de>

[ Upstream commit aabdbb1b7a5819e18c403334a31fb0cc2c06ad41 ]

__msm_console_write() assumes that interrupts are disabled, but
with threaded console printers it is possible that the write()
callback of the console is called with interrupts enabled.

Explicitly disable interrupts using local_irq_save() to preserve
the assumed context.

Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: John Ogness <john.ogness@linutronix.de>
Link: https://lore.kernel.org/r/20220506213324.470461-1-john.ogness@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/msm_serial.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c
index c284e61ed4fc..33d035f9fded 100644
--- a/drivers/tty/serial/msm_serial.c
+++ b/drivers/tty/serial/msm_serial.c
@@ -1578,6 +1578,7 @@ static inline struct uart_port *msm_get_port_from_line(unsigned int line)
 static void __msm_console_write(struct uart_port *port, const char *s,
 				unsigned int count, bool is_uartdm)
 {
+	unsigned long flags;
 	int i;
 	int num_newlines = 0;
 	bool replaced = false;
@@ -1595,6 +1596,8 @@ static void __msm_console_write(struct uart_port *port, const char *s,
 			num_newlines++;
 	count += num_newlines;
 
+	local_irq_save(flags);
+
 	if (port->sysrq)
 		locked = 0;
 	else if (oops_in_progress)
@@ -1640,6 +1643,8 @@ static void __msm_console_write(struct uart_port *port, const char *s,
 
 	if (locked)
 		spin_unlock(&port->lock);
+
+	local_irq_restore(flags);
 }
 
 static void msm_console_write(struct console *co, const char *s,
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 152/167] md: protect md_unregister_thread from reentrancy
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 151/167] serial: msm_serial: disable interrupts in __msm_console_write() Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 153/167] Revert "net: af_key: add check for pfkey_broadcast in function pfkey_process" Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Donald Buczek, Guoqing Jiang,
	Song Liu, Sasha Levin

From: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>

[ Upstream commit 1e267742283a4b5a8ca65755c44166be27e9aa0f ]

Generally, the md_unregister_thread is called with reconfig_mutex, but
raid_message in dm-raid doesn't hold reconfig_mutex to unregister thread,
so md_unregister_thread can be called simulitaneously from two call sites
in theory.

Then after previous commit which remove the protection of reconfig_mutex
for md_unregister_thread completely, the potential issue could be worse
than before.

Let's take pers_lock at the beginning of function to ensure reentrancy.

Reported-by: Donald Buczek <buczek@molgen.mpg.de>
Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev>
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/md.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 0197d18b5407..9e8373e7e287 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -7254,17 +7254,22 @@ EXPORT_SYMBOL(md_register_thread);
 
 void md_unregister_thread(struct md_thread **threadp)
 {
-	struct md_thread *thread = *threadp;
-	if (!thread)
-		return;
-	pr_debug("interrupting MD-thread pid %d\n", task_pid_nr(thread->tsk));
-	/* Locking ensures that mddev_unlock does not wake_up a
+	struct md_thread *thread;
+
+	/*
+	 * Locking ensures that mddev_unlock does not wake_up a
 	 * non-existent thread
 	 */
 	spin_lock(&pers_lock);
+	thread = *threadp;
+	if (!thread) {
+		spin_unlock(&pers_lock);
+		return;
+	}
 	*threadp = NULL;
 	spin_unlock(&pers_lock);
 
+	pr_debug("interrupting MD-thread pid %d\n", task_pid_nr(thread->tsk));
 	kthread_stop(thread->tsk);
 	kfree(thread);
 }
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 153/167] Revert "net: af_key: add check for pfkey_broadcast in function pfkey_process"
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 152/167] md: protect md_unregister_thread from reentrancy Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 154/167] drm/radeon: fix a possible null pointer dereference Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Kubecek, Steffen Klassert,
	Sasha Levin

From: Michal Kubecek <mkubecek@suse.cz>

[ Upstream commit 9c90c9b3e50e16d03c7f87d63e9db373974781e0 ]

This reverts commit 4dc2a5a8f6754492180741facf2a8787f2c415d7.

A non-zero return value from pfkey_broadcast() does not necessarily mean
an error occurred as this function returns -ESRCH when no registered
listener received the message. In particular, a call with
BROADCAST_PROMISC_ONLY flag and null one_sk argument can never return
zero so that this commit in fact prevents processing any PF_KEY message.
One visible effect is that racoon daemon fails to find encryption
algorithms like aes and refuses to start.

Excluding -ESRCH return value would fix this but it's not obvious that
we really want to bail out here and most other callers of
pfkey_broadcast() also ignore the return value. Also, as pointed out by
Steffen Klassert, PF_KEY is kind of deprecated and newer userspace code
should use netlink instead so that we should only disturb the code for
really important fixes.

v2: add a comment explaining why is the return value ignored

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/key/af_key.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/key/af_key.c b/net/key/af_key.c
index d5dc614af2f9..0737fc7b7ebd 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2861,10 +2861,12 @@ static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb
 	void *ext_hdrs[SADB_EXT_MAX];
 	int err;
 
-	err = pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL,
-			      BROADCAST_PROMISC_ONLY, NULL, sock_net(sk));
-	if (err)
-		return err;
+	/* Non-zero return value of pfkey_broadcast() does not always signal
+	 * an error and even on an actual error we may still want to process
+	 * the message so rather ignore the return value.
+	 */
+	pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL,
+			BROADCAST_PROMISC_ONLY, NULL, sock_net(sk));
 
 	memset(ext_hdrs, 0, sizeof(ext_hdrs));
 	err = parse_exthdrs(skb, hdr, ext_hdrs);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 154/167] drm/radeon: fix a possible null pointer dereference
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 153/167] Revert "net: af_key: add check for pfkey_broadcast in function pfkey_process" Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 155/167] modpost: fix undefined behavior of is_arm_mapping_symbol() Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gong Yuanjun, Alex Deucher, Sasha Levin

From: Gong Yuanjun <ruc_gongyuanjun@163.com>

[ Upstream commit a2b28708b645c5632dc93669ab06e97874c8244f ]

In radeon_fp_native_mode(), the return value of drm_mode_duplicate()
is assigned to mode, which will lead to a NULL pointer dereference
on failure of drm_mode_duplicate(). Add a check to avoid npd.

The failure status of drm_cvt_mode() on the other path is checked too.

Signed-off-by: Gong Yuanjun <ruc_gongyuanjun@163.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/radeon/radeon_connectors.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c
index 9e6c2be0cc7d..a759955e3797 100644
--- a/drivers/gpu/drm/radeon/radeon_connectors.c
+++ b/drivers/gpu/drm/radeon/radeon_connectors.c
@@ -489,6 +489,8 @@ static struct drm_display_mode *radeon_fp_native_mode(struct drm_encoder *encode
 	    native_mode->vdisplay != 0 &&
 	    native_mode->clock != 0) {
 		mode = drm_mode_duplicate(dev, native_mode);
+		if (!mode)
+			return NULL;
 		mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
 		drm_mode_set_name(mode);
 
@@ -503,6 +505,8 @@ static struct drm_display_mode *radeon_fp_native_mode(struct drm_encoder *encode
 		 * simpler.
 		 */
 		mode = drm_cvt_mode(dev, native_mode->hdisplay, native_mode->vdisplay, 60, true, false, false);
+		if (!mode)
+			return NULL;
 		mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
 		DRM_DEBUG_KMS("Adding cvt approximation of native panel mode %s\n", mode->name);
 	}
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 155/167] modpost: fix undefined behavior of is_arm_mapping_symbol()
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 154/167] drm/radeon: fix a possible null pointer dereference Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 156/167] nodemask: Fix return values to be unsigned Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Nick Desaulniers,
	Sasha Levin

From: Masahiro Yamada <masahiroy@kernel.org>

[ Upstream commit d6b732666a1bae0df3c3ae06925043bba34502b1 ]

The return value of is_arm_mapping_symbol() is unpredictable when "$"
is passed in.

strchr(3) says:
  The strchr() and strrchr() functions return a pointer to the matched
  character or NULL if the character is not found. The terminating null
  byte is considered part of the string, so that if c is specified as
  '\0', these functions return a pointer to the terminator.

When str[1] is '\0', strchr("axtd", str[1]) is not NULL, and str[2] is
referenced (i.e. buffer overrun).

Test code
---------

  char str1[] = "abc";
  char str2[] = "ab";

  strcpy(str1, "$");
  strcpy(str2, "$");

  printf("test1: %d\n", is_arm_mapping_symbol(str1));
  printf("test2: %d\n", is_arm_mapping_symbol(str2));

Result
------

  test1: 0
  test2: 1

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/mod/modpost.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index 29c3e4d6fc06..c5f3267aa08a 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -1212,7 +1212,8 @@ static int secref_whitelist(const struct sectioncheck *mismatch,
 
 static inline int is_arm_mapping_symbol(const char *str)
 {
-	return str[0] == '$' && strchr("axtd", str[1])
+	return str[0] == '$' &&
+	       (str[1] == 'a' || str[1] == 'd' || str[1] == 't' || str[1] == 'x')
 	       && (str[2] == '\0' || str[2] == '.');
 }
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 156/167] nodemask: Fix return values to be unsigned
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 155/167] modpost: fix undefined behavior of is_arm_mapping_symbol() Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 157/167] vringh: Fix loop descriptors check in the indirect cases Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe de Dinechin,
	Alexey Dobriyan, Yury Norov, Andy Shevchenko, Rasmus Villemoes,
	Andrew Morton, Zhen Lei, Kees Cook, Sasha Levin

From: Kees Cook <keescook@chromium.org>

[ Upstream commit 0dfe54071d7c828a02917b595456bfde1afdddc9 ]

The nodemask routines had mixed return values that provided potentially
signed return values that could never happen. This was leading to the
compiler getting confusing about the range of possible return values
(it was thinking things could be negative where they could not be). Fix
all the nodemask routines that should be returning unsigned
(or bool) values. Silences:

 mm/swapfile.c: In function ‘setup_swap_info’:
 mm/swapfile.c:2291:47: error: array subscript -1 is below array bounds of ‘struct plist_node[]’ [-Werror=array-bounds]
  2291 |                                 p->avail_lists[i].prio = 1;
       |                                 ~~~~~~~~~~~~~~^~~
 In file included from mm/swapfile.c:16:
 ./include/linux/swap.h:292:27: note: while referencing ‘avail_lists’
   292 |         struct plist_node avail_lists[]; /*
       |                           ^~~~~~~~~~~

Reported-by: Christophe de Dinechin <dinechin@redhat.com>
Link: https://lore.kernel.org/lkml/20220414150855.2407137-3-dinechin@redhat.com/
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Yury Norov <yury.norov@gmail.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Zhen Lei <thunder.leizhen@huawei.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Yury Norov <yury.norov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/nodemask.h | 38 +++++++++++++++++++-------------------
 lib/nodemask.c           |  4 ++--
 2 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/include/linux/nodemask.h b/include/linux/nodemask.h
index 7b7155a6c984..3cc98ded3373 100644
--- a/include/linux/nodemask.h
+++ b/include/linux/nodemask.h
@@ -41,11 +41,11 @@
  * void nodes_shift_right(dst, src, n)	Shift right
  * void nodes_shift_left(dst, src, n)	Shift left
  *
- * int first_node(mask)			Number lowest set bit, or MAX_NUMNODES
- * int next_node(node, mask)		Next node past 'node', or MAX_NUMNODES
- * int next_node_in(node, mask)		Next node past 'node', or wrap to first,
+ * unsigned int first_node(mask)	Number lowest set bit, or MAX_NUMNODES
+ * unsigend int next_node(node, mask)	Next node past 'node', or MAX_NUMNODES
+ * unsigned int next_node_in(node, mask) Next node past 'node', or wrap to first,
  *					or MAX_NUMNODES
- * int first_unset_node(mask)		First node not set in mask, or 
+ * unsigned int first_unset_node(mask)	First node not set in mask, or
  *					MAX_NUMNODES
  *
  * nodemask_t nodemask_of_node(node)	Return nodemask with bit 'node' set
@@ -143,7 +143,7 @@ static inline void __nodes_clear(nodemask_t *dstp, unsigned int nbits)
 
 #define node_test_and_set(node, nodemask) \
 			__node_test_and_set((node), &(nodemask))
-static inline int __node_test_and_set(int node, nodemask_t *addr)
+static inline bool __node_test_and_set(int node, nodemask_t *addr)
 {
 	return test_and_set_bit(node, addr->bits);
 }
@@ -190,7 +190,7 @@ static inline void __nodes_complement(nodemask_t *dstp,
 
 #define nodes_equal(src1, src2) \
 			__nodes_equal(&(src1), &(src2), MAX_NUMNODES)
-static inline int __nodes_equal(const nodemask_t *src1p,
+static inline bool __nodes_equal(const nodemask_t *src1p,
 					const nodemask_t *src2p, unsigned int nbits)
 {
 	return bitmap_equal(src1p->bits, src2p->bits, nbits);
@@ -198,7 +198,7 @@ static inline int __nodes_equal(const nodemask_t *src1p,
 
 #define nodes_intersects(src1, src2) \
 			__nodes_intersects(&(src1), &(src2), MAX_NUMNODES)
-static inline int __nodes_intersects(const nodemask_t *src1p,
+static inline bool __nodes_intersects(const nodemask_t *src1p,
 					const nodemask_t *src2p, unsigned int nbits)
 {
 	return bitmap_intersects(src1p->bits, src2p->bits, nbits);
@@ -206,20 +206,20 @@ static inline int __nodes_intersects(const nodemask_t *src1p,
 
 #define nodes_subset(src1, src2) \
 			__nodes_subset(&(src1), &(src2), MAX_NUMNODES)
-static inline int __nodes_subset(const nodemask_t *src1p,
+static inline bool __nodes_subset(const nodemask_t *src1p,
 					const nodemask_t *src2p, unsigned int nbits)
 {
 	return bitmap_subset(src1p->bits, src2p->bits, nbits);
 }
 
 #define nodes_empty(src) __nodes_empty(&(src), MAX_NUMNODES)
-static inline int __nodes_empty(const nodemask_t *srcp, unsigned int nbits)
+static inline bool __nodes_empty(const nodemask_t *srcp, unsigned int nbits)
 {
 	return bitmap_empty(srcp->bits, nbits);
 }
 
 #define nodes_full(nodemask) __nodes_full(&(nodemask), MAX_NUMNODES)
-static inline int __nodes_full(const nodemask_t *srcp, unsigned int nbits)
+static inline bool __nodes_full(const nodemask_t *srcp, unsigned int nbits)
 {
 	return bitmap_full(srcp->bits, nbits);
 }
@@ -250,15 +250,15 @@ static inline void __nodes_shift_left(nodemask_t *dstp,
           > MAX_NUMNODES, then the silly min_ts could be dropped. */
 
 #define first_node(src) __first_node(&(src))
-static inline int __first_node(const nodemask_t *srcp)
+static inline unsigned int __first_node(const nodemask_t *srcp)
 {
-	return min_t(int, MAX_NUMNODES, find_first_bit(srcp->bits, MAX_NUMNODES));
+	return min_t(unsigned int, MAX_NUMNODES, find_first_bit(srcp->bits, MAX_NUMNODES));
 }
 
 #define next_node(n, src) __next_node((n), &(src))
-static inline int __next_node(int n, const nodemask_t *srcp)
+static inline unsigned int __next_node(int n, const nodemask_t *srcp)
 {
-	return min_t(int,MAX_NUMNODES,find_next_bit(srcp->bits, MAX_NUMNODES, n+1));
+	return min_t(unsigned int, MAX_NUMNODES, find_next_bit(srcp->bits, MAX_NUMNODES, n+1));
 }
 
 /*
@@ -266,7 +266,7 @@ static inline int __next_node(int n, const nodemask_t *srcp)
  * the first node in src if needed.  Returns MAX_NUMNODES if src is empty.
  */
 #define next_node_in(n, src) __next_node_in((n), &(src))
-int __next_node_in(int node, const nodemask_t *srcp);
+unsigned int __next_node_in(int node, const nodemask_t *srcp);
 
 static inline void init_nodemask_of_node(nodemask_t *mask, int node)
 {
@@ -286,9 +286,9 @@ static inline void init_nodemask_of_node(nodemask_t *mask, int node)
 })
 
 #define first_unset_node(mask) __first_unset_node(&(mask))
-static inline int __first_unset_node(const nodemask_t *maskp)
+static inline unsigned int __first_unset_node(const nodemask_t *maskp)
 {
-	return min_t(int,MAX_NUMNODES,
+	return min_t(unsigned int, MAX_NUMNODES,
 			find_first_zero_bit(maskp->bits, MAX_NUMNODES));
 }
 
@@ -428,11 +428,11 @@ static inline int num_node_state(enum node_states state)
 
 #define first_online_node	first_node(node_states[N_ONLINE])
 #define first_memory_node	first_node(node_states[N_MEMORY])
-static inline int next_online_node(int nid)
+static inline unsigned int next_online_node(int nid)
 {
 	return next_node(nid, node_states[N_ONLINE]);
 }
-static inline int next_memory_node(int nid)
+static inline unsigned int next_memory_node(int nid)
 {
 	return next_node(nid, node_states[N_MEMORY]);
 }
diff --git a/lib/nodemask.c b/lib/nodemask.c
index e42a5bf44d33..f6ad9c2775a8 100644
--- a/lib/nodemask.c
+++ b/lib/nodemask.c
@@ -2,9 +2,9 @@
 #include <linux/module.h>
 #include <linux/random.h>
 
-int __next_node_in(int node, const nodemask_t *srcp)
+unsigned int __next_node_in(int node, const nodemask_t *srcp)
 {
-	int ret = __next_node(node, srcp);
+	unsigned int ret = __next_node(node, srcp);
 
 	if (ret == MAX_NUMNODES)
 		ret = __first_node(srcp);
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 157/167] vringh: Fix loop descriptors check in the indirect cases
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 156/167] nodemask: Fix return values to be unsigned Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 158/167] ALSA: hda/conexant - Fix loopback issue with CX20632 Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xie Yongji, Fam Zheng,
	Michael S. Tsirkin, Jason Wang, Sasha Levin

From: Xie Yongji <xieyongji@bytedance.com>

[ Upstream commit dbd29e0752286af74243cf891accf472b2f3edd8 ]

We should use size of descriptor chain to test loop condition
in the indirect case. And another statistical count is also introduced
for indirect descriptors to avoid conflict with the statistical count
of direct descriptors.

Fixes: f87d0fbb5798 ("vringh: host-side implementation of virtio rings.")
Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
Signed-off-by: Fam Zheng <fam.zheng@bytedance.com>
Message-Id: <20220505100910.137-1-xieyongji@bytedance.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/vhost/vringh.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
index da47542496cc..63f0ab3e6f63 100644
--- a/drivers/vhost/vringh.c
+++ b/drivers/vhost/vringh.c
@@ -262,7 +262,7 @@ __vringh_iov(struct vringh *vrh, u16 i,
 	     gfp_t gfp,
 	     int (*copy)(void *dst, const void *src, size_t len))
 {
-	int err, count = 0, up_next, desc_max;
+	int err, count = 0, indirect_count = 0, up_next, desc_max;
 	struct vring_desc desc, *descs;
 	struct vringh_range range = { -1ULL, 0 }, slowrange;
 	bool slow = false;
@@ -319,7 +319,12 @@ __vringh_iov(struct vringh *vrh, u16 i,
 			continue;
 		}
 
-		if (count++ == vrh->vring.num) {
+		if (up_next == -1)
+			count++;
+		else
+			indirect_count++;
+
+		if (count > vrh->vring.num || indirect_count > desc_max) {
 			vringh_bad("Descriptor loop in %p", descs);
 			err = -ELOOP;
 			goto fail;
@@ -381,6 +386,7 @@ __vringh_iov(struct vringh *vrh, u16 i,
 				i = return_from_indirect(vrh, &up_next,
 							 &descs, &desc_max);
 				slow = false;
+				indirect_count = 0;
 			} else
 				break;
 		}
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 174+ messages in thread

* [PATCH 4.9 158/167] ALSA: hda/conexant - Fix loopback issue with CX20632
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 157/167] vringh: Fix loop descriptors check in the indirect cases Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 159/167] cifs: return errors during session setup during reconnects Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, huangwenhui, Takashi Iwai

From: huangwenhui <huangwenhuia@uniontech.com>

commit d5ea7544c32ba27c2c5826248e4ff58bd50a2518 upstream.

On a machine with CX20632, Alsamixer doesn't have 'Loopback
Mixing' and 'Line'.

Signed-off-by: huangwenhui <huangwenhuia@uniontech.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220607065631.10708-1-huangwenhuia@uniontech.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_conexant.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -942,6 +942,13 @@ static int patch_conexant_auto(struct hd
 		snd_hda_pick_fixup(codec, cxt5051_fixup_models,
 				   cxt5051_fixups, cxt_fixups);
 		break;
+	case 0x14f15098:
+		codec->pin_amp_workaround = 1;
+		spec->gen.mixer_nid = 0x22;
+		spec->gen.add_stereo_mix_input = HDA_HINT_STEREO_MIX_AUTO;
+		snd_hda_pick_fixup(codec, cxt5066_fixup_models,
+				   cxt5066_fixups, cxt_fixups);
+		break;
 	case 0x14f150f2:
 		codec->power_save_node = 1;
 		/* Fall through */



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 159/167] cifs: return errors during session setup during reconnects
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 158/167] ALSA: hda/conexant - Fix loopback issue with CX20632 Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 160/167] ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shyam Prasad N, Enzo Matsumiya, Steve French

From: Shyam Prasad N <sprasad@microsoft.com>

commit 8ea21823aa584b55ba4b861307093b78054b0c1b upstream.

During reconnects, we check the return value from
cifs_negotiate_protocol, and have handlers for both success
and failures. But if that passes, and cifs_setup_session
returns any errors other than -EACCES, we do not handle
that. This fix adds a handler for that, so that we don't
go ahead and try a tree_connect on a failed session.

Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cifs/smb2pdu.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -265,6 +265,9 @@ smb2_reconnect(__le16 smb2_command, stru
 			rc = -EHOSTDOWN;
 			mutex_unlock(&tcon->ses->session_mutex);
 			goto failed;
+		} else if (rc) {
+			mutex_unlock(&ses->session_mutex);
+			goto out;
 		}
 	}
 	if (rc || !tcon->need_reconnect) {



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 160/167] ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 159/167] cifs: return errors during session setup during reconnects Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 19:52   ` Sergey Shtylyov
  2022-06-13 10:10 ` [PATCH 4.9 161/167] nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  171 siblings, 1 reply; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sergey Shtylyov, Damien Le Moal

From: Sergey Shtylyov <s.shtylyov@omp.ru>

commit 72aad489f992871e908ff6d9055b26c6366fb864 upstream.

The {dma|pio}_mode sysfs files are incorrectly documented as having a
list of the supported DMA/PIO transfer modes, while the corresponding
fields of the *struct* ata_device hold the transfer mode IDs, not masks.

To match these docs, the {dma|pio}_mode (and even xfer_mode!) sysfs
files are handled by the ata_bitfield_name_match() macro which leads to
reading such kind of nonsense from them:

$ cat /sys/class/ata_device/dev3.0/pio_mode
XFER_UDMA_7, XFER_UDMA_6, XFER_UDMA_5, XFER_UDMA_4, XFER_MW_DMA_4,
XFER_PIO_6, XFER_PIO_5, XFER_PIO_4, XFER_PIO_3, XFER_PIO_2, XFER_PIO_1,
XFER_PIO_0

Using the correct ata_bitfield_name_search() macro fixes that:

$ cat /sys/class/ata_device/dev3.0/pio_mode
XFER_PIO_4

While fixing the file documentation, somewhat reword the {dma|pio}_mode
file doc and add a note about being mostly useful for PATA devices to
the xfer_mode file doc...

Fixes: d9027470b886 ("[libata] Add ATA transport class")
Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/ABI/testing/sysfs-ata |    5 +++--
 drivers/ata/libata-transport.c      |    2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

--- a/Documentation/ABI/testing/sysfs-ata
+++ b/Documentation/ABI/testing/sysfs-ata
@@ -59,17 +59,18 @@ class
 
 dma_mode
 
-	Transfer modes supported by the device when in DMA mode.
+	DMA transfer mode used by the device.
 	Mostly used by PATA device.
 
 pio_mode
 
-	Transfer modes supported by the device when in PIO mode.
+	PIO transfer mode used by the device.
 	Mostly used by PATA device.
 
 xfer_mode
 
 	Current transfer mode.
+	Mostly used by PATA device.
 
 id
 
--- a/drivers/ata/libata-transport.c
+++ b/drivers/ata/libata-transport.c
@@ -196,7 +196,7 @@ static struct {
 	{ XFER_PIO_0,			"XFER_PIO_0" },
 	{ XFER_PIO_SLOW,		"XFER_PIO_SLOW" }
 };
-ata_bitfield_name_match(xfer,ata_xfer_names)
+ata_bitfield_name_search(xfer, ata_xfer_names)
 
 /*
  * ATA Port attributes



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 161/167] nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 160/167] ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 162/167] nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Faltesek, Guenter Roeck,
	Krzysztof Kozlowski, Jakub Kicinski

From: Martin Faltesek <mfaltesek@google.com>

commit 77e5fe8f176a525523ae091d6fd0fbb8834c156d upstream.

The first validation check for EVT_TRANSACTION has two different checks
tied together with logical AND. One is a check for minimum packet length,
and the other is for a valid aid_tag. If either condition is true (fails),
then an error should be triggered.  The fix is to change && to ||.

Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support")
Cc: stable@vger.kernel.org
Signed-off-by: Martin Faltesek <mfaltesek@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nfc/st21nfca/se.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/nfc/st21nfca/se.c
+++ b/drivers/nfc/st21nfca/se.c
@@ -320,7 +320,7 @@ int st21nfca_connectivity_event_received
 		 * AID		81	5 to 16
 		 * PARAMETERS	82	0 to 255
 		 */
-		if (skb->len < NFC_MIN_AID_LENGTH + 2 &&
+		if (skb->len < NFC_MIN_AID_LENGTH + 2 ||
 		    skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
 			return -EPROTO;
 



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 162/167] nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 161/167] nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 163/167] Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Faltesek, Guenter Roeck,
	Krzysztof Kozlowski, Jakub Kicinski

From: Martin Faltesek <mfaltesek@google.com>

commit 996419e0594abb311fb958553809f24f38e7abbe upstream.

Error paths do not free previously allocated memory. Add devm_kfree() to
those failure paths.

Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support")
Fixes: 4fbcc1a4cb20 ("nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION")
Cc: stable@vger.kernel.org
Signed-off-by: Martin Faltesek <mfaltesek@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nfc/st21nfca/se.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/nfc/st21nfca/se.c
+++ b/drivers/nfc/st21nfca/se.c
@@ -332,22 +332,29 @@ int st21nfca_connectivity_event_received
 		transaction->aid_len = skb->data[1];
 
 		/* Checking if the length of the AID is valid */
-		if (transaction->aid_len > sizeof(transaction->aid))
+		if (transaction->aid_len > sizeof(transaction->aid)) {
+			devm_kfree(dev, transaction);
 			return -EINVAL;
+		}
 
 		memcpy(transaction->aid, &skb->data[2],
 		       transaction->aid_len);
 
 		/* Check next byte is PARAMETERS tag (82) */
 		if (skb->data[transaction->aid_len + 2] !=
-		    NFC_EVT_TRANSACTION_PARAMS_TAG)
+		    NFC_EVT_TRANSACTION_PARAMS_TAG) {
+			devm_kfree(dev, transaction);
 			return -EPROTO;
+		}
 
 		transaction->params_len = skb->data[transaction->aid_len + 3];
 
 		/* Total size is allocated (skb->len - 2) minus fixed array members */
-		if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
+		if (transaction->params_len > ((skb->len - 2) -
+		    sizeof(struct nfc_evt_transaction))) {
+			devm_kfree(dev, transaction);
 			return -EINVAL;
+		}
 
 		memcpy(transaction->params, skb->data +
 		       transaction->aid_len + 4, transaction->params_len);



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 163/167] Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 162/167] nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 164/167] powerpc/32: Fix overread/overwrite of thread_struct via ptrace Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mathias Nyman, Dmitry Torokhov

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit c42e65664390be7c1ef3838cd84956d3a2739d60 upstream.

The bcm5974 driver does the allocation and dma mapping of the usb urb
data buffer, but driver does not set the URB_NO_TRANSFER_DMA_MAP flag
to let usb core know the buffer is already mapped.

usb core tries to map the already mapped buffer, causing a warning:
"xhci_hcd 0000:00:14.0: rejecting DMA map of vmalloc memory"

Fix this by setting the URB_NO_TRANSFER_DMA_MAP, letting usb core
know buffer is already mapped by bcm5974 driver

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=215890
Link: https://lore.kernel.org/r/20220606113636.588955-1-mathias.nyman@linux.intel.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/mouse/bcm5974.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/input/mouse/bcm5974.c
+++ b/drivers/input/mouse/bcm5974.c
@@ -956,17 +956,22 @@ static int bcm5974_probe(struct usb_inte
 	if (!dev->tp_data)
 		goto err_free_bt_buffer;
 
-	if (dev->bt_urb)
+	if (dev->bt_urb) {
 		usb_fill_int_urb(dev->bt_urb, udev,
 				 usb_rcvintpipe(udev, cfg->bt_ep),
 				 dev->bt_data, dev->cfg.bt_datalen,
 				 bcm5974_irq_button, dev, 1);
 
+		dev->bt_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+	}
+
 	usb_fill_int_urb(dev->tp_urb, udev,
 			 usb_rcvintpipe(udev, cfg->tp_ep),
 			 dev->tp_data, dev->cfg.tp_datalen,
 			 bcm5974_irq_trackpad, dev, 1);
 
+	dev->tp_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+
 	/* create bcm5974 device */
 	usb_make_path(udev, dev->phys, sizeof(dev->phys));
 	strlcat(dev->phys, "/input0", sizeof(dev->phys));



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 164/167] powerpc/32: Fix overread/overwrite of thread_struct via ptrace
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 163/167] Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 165/167] mtd: cfi_cmdset_0002: Move and rename chip_check/chip_ready/chip_good_for_write Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ariel Miculas, Christophe Leroy,
	Michael Ellerman

From: Michael Ellerman <mpe@ellerman.id.au>

commit 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 upstream.

The ptrace PEEKUSR/POKEUSR (aka PEEKUSER/POKEUSER) API allows a process
to read/write registers of another process.

To get/set a register, the API takes an index into an imaginary address
space called the "USER area", where the registers of the process are
laid out in some fashion.

The kernel then maps that index to a particular register in its own data
structures and gets/sets the value.

The API only allows a single machine-word to be read/written at a time.
So 4 bytes on 32-bit kernels and 8 bytes on 64-bit kernels.

The way floating point registers (FPRs) are addressed is somewhat
complicated, because double precision float values are 64-bit even on
32-bit CPUs. That means on 32-bit kernels each FPR occupies two
word-sized locations in the USER area. On 64-bit kernels each FPR
occupies one word-sized location in the USER area.

Internally the kernel stores the FPRs in an array of u64s, or if VSX is
enabled, an array of pairs of u64s where one half of each pair stores
the FPR. Which half of the pair stores the FPR depends on the kernel's
endianness.

To handle the different layouts of the FPRs depending on VSX/no-VSX and
big/little endian, the TS_FPR() macro was introduced.

Unfortunately the TS_FPR() macro does not take into account the fact
that the addressing of each FPR differs between 32-bit and 64-bit
kernels. It just takes the index into the "USER area" passed from
userspace and indexes into the fp_state.fpr array.

On 32-bit there are 64 indexes that address FPRs, but only 32 entries in
the fp_state.fpr array, meaning the user can read/write 256 bytes past
the end of the array. Because the fp_state sits in the middle of the
thread_struct there are various fields than can be overwritten,
including some pointers. As such it may be exploitable.

It has also been observed to cause systems to hang or otherwise
misbehave when using gdbserver, and is probably the root cause of this
report which could not be easily reproduced:
  https://lore.kernel.org/linuxppc-dev/dc38afe9-6b78-f3f5-666b-986939e40fc6@keymile.com/

Rather than trying to make the TS_FPR() macro even more complicated to
fix the bug, or add more macros, instead add a special-case for 32-bit
kernels. This is more obvious and hopefully avoids a similar bug
happening again in future.

Note that because 32-bit kernels never have VSX enabled the code doesn't
need to consider TS_FPRWIDTH/OFFSET at all. Add a BUILD_BUG_ON() to
ensure that 32-bit && VSX is never enabled.

Fixes: 87fec0514f61 ("powerpc: PTRACE_PEEKUSR/PTRACE_POKEUSER of FPR registers in little endian builds")
Cc: stable@vger.kernel.org # v3.13+
Reported-by: Ariel Miculas <ariel.miculas@belden.com>
Tested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220609133245.573565-1-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/ptrace.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -2938,8 +2938,13 @@ long arch_ptrace(struct task_struct *chi
 
 			flush_fp_to_thread(child);
 			if (fpidx < (PT_FPSCR - PT_FPR0))
-				memcpy(&tmp, &child->thread.TS_FPR(fpidx),
-				       sizeof(long));
+				if (IS_ENABLED(CONFIG_PPC32)) {
+					// On 32-bit the index we are passed refers to 32-bit words
+					tmp = ((u32 *)child->thread.fp_state.fpr)[fpidx];
+				} else {
+					memcpy(&tmp, &child->thread.TS_FPR(fpidx),
+					       sizeof(long));
+				}
 			else
 				tmp = child->thread.fp_state.fpscr;
 		}
@@ -2971,8 +2976,13 @@ long arch_ptrace(struct task_struct *chi
 
 			flush_fp_to_thread(child);
 			if (fpidx < (PT_FPSCR - PT_FPR0))
-				memcpy(&child->thread.TS_FPR(fpidx), &data,
-				       sizeof(long));
+				if (IS_ENABLED(CONFIG_PPC32)) {
+					// On 32-bit the index we are passed refers to 32-bit words
+					((u32 *)child->thread.fp_state.fpr)[fpidx] = data;
+				} else {
+					memcpy(&child->thread.TS_FPR(fpidx), &data,
+					       sizeof(long));
+				}
 			else
 				child->thread.fp_state.fpscr = data;
 			ret = 0;



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 165/167] mtd: cfi_cmdset_0002: Move and rename chip_check/chip_ready/chip_good_for_write
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 164/167] powerpc/32: Fix overread/overwrite of thread_struct via ptrace Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 166/167] mtd: cfi_cmdset_0002: Use chip_ready() for write on S29GL064N Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tokunori Ikegami,
	Vignesh Raghavendra, Miquel Raynal

From: Tokunori Ikegami <ikegami.t@gmail.com>

commit 083084df578a8bdb18334f69e7b32d690aaa3247 upstream.

This is a preparation patch for the S29GL064N buffer writes fix. There
is no functional change.

Link: https://lore.kernel.org/r/b687c259-6413-26c9-d4c9-b3afa69ea124@pengutronix.de/
Fixes: dfeae1073583("mtd: cfi_cmdset_0002: Change write buffer to check correct value")
Signed-off-by: Tokunori Ikegami <ikegami.t@gmail.com>
Cc: stable@vger.kernel.org
Acked-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20220323170458.5608-2-ikegami.t@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/chips/cfi_cmdset_0002.c |   77 ++++++++++++++----------------------
 1 file changed, 32 insertions(+), 45 deletions(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -726,50 +726,34 @@ static struct mtd_info *cfi_amdstd_setup
 }
 
 /*
- * Return true if the chip is ready.
+ * Return true if the chip is ready and has the correct value.
  *
  * Ready is one of: read mode, query mode, erase-suspend-read mode (in any
  * non-suspended sector) and is indicated by no toggle bits toggling.
  *
+ * Error are indicated by toggling bits or bits held with the wrong value,
+ * or with bits toggling.
+ *
  * Note that anything more complicated than checking if no bits are toggling
  * (including checking DQ5 for an error status) is tricky to get working
  * correctly and is therefore not done	(particularly with interleaved chips
  * as each chip must be checked independently of the others).
  */
-static int __xipram chip_ready(struct map_info *map, unsigned long addr)
+static int __xipram chip_ready(struct map_info *map, unsigned long addr,
+			       map_word *expected)
 {
 	map_word d, t;
+	int ret;
 
 	d = map_read(map, addr);
 	t = map_read(map, addr);
 
-	return map_word_equal(map, d, t);
-}
+	ret = map_word_equal(map, d, t);
 
-/*
- * Return true if the chip is ready and has the correct value.
- *
- * Ready is one of: read mode, query mode, erase-suspend-read mode (in any
- * non-suspended sector) and it is indicated by no bits toggling.
- *
- * Error are indicated by toggling bits or bits held with the wrong value,
- * or with bits toggling.
- *
- * Note that anything more complicated than checking if no bits are toggling
- * (including checking DQ5 for an error status) is tricky to get working
- * correctly and is therefore not done	(particularly with interleaved chips
- * as each chip must be checked independently of the others).
- *
- */
-static int __xipram chip_good(struct map_info *map, unsigned long addr, map_word expected)
-{
-	map_word oldd, curd;
-
-	oldd = map_read(map, addr);
-	curd = map_read(map, addr);
+	if (!ret || !expected)
+		return ret;
 
-	return	map_word_equal(map, oldd, curd) &&
-		map_word_equal(map, curd, expected);
+	return map_word_equal(map, t, *expected);
 }
 
 static int get_chip(struct map_info *map, struct flchip *chip, unsigned long adr, int mode)
@@ -786,7 +770,7 @@ static int get_chip(struct map_info *map
 
 	case FL_STATUS:
 		for (;;) {
-			if (chip_ready(map, adr))
+			if (chip_ready(map, adr, NULL))
 				break;
 
 			if (time_after(jiffies, timeo)) {
@@ -824,7 +808,7 @@ static int get_chip(struct map_info *map
 		chip->state = FL_ERASE_SUSPENDING;
 		chip->erase_suspended = 1;
 		for (;;) {
-			if (chip_ready(map, adr))
+			if (chip_ready(map, adr, NULL))
 				break;
 
 			if (time_after(jiffies, timeo)) {
@@ -1357,7 +1341,7 @@ static int do_otp_lock(struct map_info *
 	/* wait for chip to become ready */
 	timeo = jiffies + msecs_to_jiffies(2);
 	for (;;) {
-		if (chip_ready(map, adr))
+		if (chip_ready(map, adr, NULL))
 			break;
 
 		if (time_after(jiffies, timeo)) {
@@ -1624,10 +1608,11 @@ static int __xipram do_write_oneword(str
 		}
 
 		/*
-		 * We check "time_after" and "!chip_good" before checking
-		 * "chip_good" to avoid the failure due to scheduling.
+		 * We check "time_after" and "!chip_ready" before checking
+		 * "chip_ready" to avoid the failure due to scheduling.
 		 */
-		if (time_after(jiffies, timeo) && !chip_good(map, adr, datum)) {
+		if (time_after(jiffies, timeo) &&
+		    !chip_ready(map, adr, &datum)) {
 			xip_enable(map, chip, adr);
 			printk(KERN_WARNING "MTD %s(): software timeout\n", __func__);
 			xip_disable(map, chip, adr);
@@ -1635,7 +1620,7 @@ static int __xipram do_write_oneword(str
 			break;
 		}
 
-		if (chip_good(map, adr, datum))
+		if (chip_ready(map, adr, &datum))
 			break;
 
 		/* Latency issues. Drop the lock, wait a while and retry */
@@ -1879,13 +1864,13 @@ static int __xipram do_write_buffer(stru
 		}
 
 		/*
-		 * We check "time_after" and "!chip_good" before checking "chip_good" to avoid
-		 * the failure due to scheduling.
+		 * We check "time_after" and "!chip_ready" before checking
+		 * "chip_ready" to avoid the failure due to scheduling.
 		 */
-		if (time_after(jiffies, timeo) && !chip_good(map, adr, datum))
+		if (time_after(jiffies, timeo) && !chip_ready(map, adr, &datum))
 			break;
 
-		if (chip_good(map, adr, datum)) {
+		if (chip_ready(map, adr, &datum)) {
 			xip_enable(map, chip, adr);
 			goto op_done;
 		}
@@ -2019,7 +2004,7 @@ static int cfi_amdstd_panic_wait(struct
 	 * If the driver thinks the chip is idle, and no toggle bits
 	 * are changing, then the chip is actually idle for sure.
 	 */
-	if (chip->state == FL_READY && chip_ready(map, adr))
+	if (chip->state == FL_READY && chip_ready(map, adr, NULL))
 		return 0;
 
 	/*
@@ -2036,7 +2021,7 @@ static int cfi_amdstd_panic_wait(struct
 
 		/* wait for the chip to become ready */
 		for (i = 0; i < jiffies_to_usecs(timeo); i++) {
-			if (chip_ready(map, adr))
+			if (chip_ready(map, adr, NULL))
 				return 0;
 
 			udelay(1);
@@ -2100,13 +2085,13 @@ retry:
 	map_write(map, datum, adr);
 
 	for (i = 0; i < jiffies_to_usecs(uWriteTimeout); i++) {
-		if (chip_ready(map, adr))
+		if (chip_ready(map, adr, NULL))
 			break;
 
 		udelay(1);
 	}
 
-	if (!chip_good(map, adr, datum)) {
+	if (!chip_ready(map, adr, &datum)) {
 		/* reset on all failures. */
 		map_write(map, CMD(0xF0), chip->start);
 		/* FIXME - should have reset delay before continuing */
@@ -2247,6 +2232,7 @@ static int __xipram do_erase_chip(struct
 	DECLARE_WAITQUEUE(wait, current);
 	int ret = 0;
 	int retry_cnt = 0;
+	map_word datum = map_word_ff(map);
 
 	adr = cfi->addr_unlock1;
 
@@ -2301,7 +2287,7 @@ static int __xipram do_erase_chip(struct
 			chip->erase_suspended = 0;
 		}
 
-		if (chip_good(map, adr, map_word_ff(map)))
+		if (chip_ready(map, adr, &datum))
 			break;
 
 		if (time_after(jiffies, timeo)) {
@@ -2343,6 +2329,7 @@ static int __xipram do_erase_oneblock(st
 	DECLARE_WAITQUEUE(wait, current);
 	int ret = 0;
 	int retry_cnt = 0;
+	map_word datum = map_word_ff(map);
 
 	adr += chip->start;
 
@@ -2397,7 +2384,7 @@ static int __xipram do_erase_oneblock(st
 			chip->erase_suspended = 0;
 		}
 
-		if (chip_good(map, adr, map_word_ff(map))) {
+		if (chip_ready(map, adr, &datum)) {
 			xip_enable(map, chip, adr);
 			break;
 		}
@@ -2612,7 +2599,7 @@ static int __maybe_unused do_ppb_xxlock(
 	 */
 	timeo = jiffies + msecs_to_jiffies(2000);	/* 2s max (un)locking */
 	for (;;) {
-		if (chip_ready(map, adr))
+		if (chip_ready(map, adr, NULL))
 			break;
 
 		if (time_after(jiffies, timeo)) {



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 166/167] mtd: cfi_cmdset_0002: Use chip_ready() for write on S29GL064N
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 165/167] mtd: cfi_cmdset_0002: Move and rename chip_check/chip_ready/chip_good_for_write Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 10:10 ` [PATCH 4.9 167/167] PCI: qcom: Fix unbalanced PHY init on probe errors Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tokunori Ikegami,
	Vignesh Raghavendra, Miquel Raynal

From: Tokunori Ikegami <ikegami.t@gmail.com>

commit 0a8e98305f63deaf0a799d5cf5532cc83af035d1 upstream.

Since commit dfeae1073583("mtd: cfi_cmdset_0002: Change write buffer to
check correct value") buffered writes fail on S29GL064N. This is
because, on S29GL064N, reads return 0xFF at the end of DQ polling for
write completion, where as, chip_good() check expects actual data
written to the last location to be returned post DQ polling completion.
Fix is to revert to using chip_good() for S29GL064N which only checks
for DQ lines to settle down to determine write completion.

Link: https://lore.kernel.org/r/b687c259-6413-26c9-d4c9-b3afa69ea124@pengutronix.de/
Fixes: dfeae1073583("mtd: cfi_cmdset_0002: Change write buffer to check correct value")
Cc: stable@vger.kernel.org
Signed-off-by: Tokunori Ikegami <ikegami.t@gmail.com>
Acked-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20220323170458.5608-3-ikegami.t@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/chips/cfi_cmdset_0002.c |   42 +++++++++++++++++++++++++++++-------
 include/linux/mtd/cfi.h             |    1 
 2 files changed, 35 insertions(+), 8 deletions(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -49,6 +49,10 @@
 #define SST49LF008A		0x005a
 #define AT49BV6416		0x00d6
 
+enum cfi_quirks {
+	CFI_QUIRK_DQ_TRUE_DATA = BIT(0),
+};
+
 static int cfi_amdstd_read (struct mtd_info *, loff_t, size_t, size_t *, u_char *);
 static int cfi_amdstd_write_words(struct mtd_info *, loff_t, size_t, size_t *, const u_char *);
 static int cfi_amdstd_write_buffers(struct mtd_info *, loff_t, size_t, size_t *, const u_char *);
@@ -361,6 +365,15 @@ static void fixup_s29ns512p_sectors(stru
 	pr_warning("%s: Bad S29NS512P CFI data; adjust to 512 sectors\n", mtd->name);
 }
 
+static void fixup_quirks(struct mtd_info *mtd)
+{
+	struct map_info *map = mtd->priv;
+	struct cfi_private *cfi = map->fldrv_priv;
+
+	if (cfi->mfr == CFI_MFR_AMD && cfi->id == 0x0c01)
+		cfi->quirks |= CFI_QUIRK_DQ_TRUE_DATA;
+}
+
 /* Used to fix CFI-Tables of chips without Extended Query Tables */
 static struct cfi_fixup cfi_nopri_fixup_table[] = {
 	{ CFI_MFR_SST, 0x234a, fixup_sst39vf }, /* SST39VF1602 */
@@ -399,6 +412,7 @@ static struct cfi_fixup cfi_fixup_table[
 #if !FORCE_WORD_WRITE
 	{ CFI_MFR_ANY, CFI_ID_ANY, fixup_use_write_buffers },
 #endif
+	{ CFI_MFR_ANY, CFI_ID_ANY, fixup_quirks },
 	{ 0, 0, NULL }
 };
 static struct cfi_fixup jedec_fixup_table[] = {
@@ -756,6 +770,18 @@ static int __xipram chip_ready(struct ma
 	return map_word_equal(map, t, *expected);
 }
 
+static int __xipram chip_good(struct map_info *map, unsigned long addr,
+			      map_word *expected)
+{
+	struct cfi_private *cfi = map->fldrv_priv;
+	map_word *datum = expected;
+
+	if (cfi->quirks & CFI_QUIRK_DQ_TRUE_DATA)
+		datum = NULL;
+
+	return chip_ready(map, addr, datum);
+}
+
 static int get_chip(struct map_info *map, struct flchip *chip, unsigned long adr, int mode)
 {
 	DECLARE_WAITQUEUE(wait, current);
@@ -1608,11 +1634,11 @@ static int __xipram do_write_oneword(str
 		}
 
 		/*
-		 * We check "time_after" and "!chip_ready" before checking
-		 * "chip_ready" to avoid the failure due to scheduling.
+		 * We check "time_after" and "!chip_good" before checking
+		 * "chip_good" to avoid the failure due to scheduling.
 		 */
 		if (time_after(jiffies, timeo) &&
-		    !chip_ready(map, adr, &datum)) {
+		    !chip_good(map, adr, &datum)) {
 			xip_enable(map, chip, adr);
 			printk(KERN_WARNING "MTD %s(): software timeout\n", __func__);
 			xip_disable(map, chip, adr);
@@ -1620,7 +1646,7 @@ static int __xipram do_write_oneword(str
 			break;
 		}
 
-		if (chip_ready(map, adr, &datum))
+		if (chip_good(map, adr, &datum))
 			break;
 
 		/* Latency issues. Drop the lock, wait a while and retry */
@@ -1864,13 +1890,13 @@ static int __xipram do_write_buffer(stru
 		}
 
 		/*
-		 * We check "time_after" and "!chip_ready" before checking
-		 * "chip_ready" to avoid the failure due to scheduling.
+		 * We check "time_after" and "!chip_good" before checking
+		 * "chip_good" to avoid the failure due to scheduling.
 		 */
-		if (time_after(jiffies, timeo) && !chip_ready(map, adr, &datum))
+		if (time_after(jiffies, timeo) && !chip_good(map, adr, &datum))
 			break;
 
-		if (chip_ready(map, adr, &datum)) {
+		if (chip_good(map, adr, &datum)) {
 			xip_enable(map, chip, adr);
 			goto op_done;
 		}
--- a/include/linux/mtd/cfi.h
+++ b/include/linux/mtd/cfi.h
@@ -293,6 +293,7 @@ struct cfi_private {
 	map_word sector_erase_cmd;
 	unsigned long chipshift; /* Because they're of the same type */
 	const char *im_name;	 /* inter_module name for cmdset_setup */
+	unsigned long quirks;
 	struct flchip chips[0];  /* per-chip data structure for each chip */
 };
 



^ permalink raw reply	[flat|nested] 174+ messages in thread

* [PATCH 4.9 167/167] PCI: qcom: Fix unbalanced PHY init on probe errors
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 166/167] mtd: cfi_cmdset_0002: Use chip_ready() for write on S29GL064N Greg Kroah-Hartman
@ 2022-06-13 10:10 ` Greg Kroah-Hartman
  2022-06-13 11:55 ` [PATCH 4.9 000/167] 4.9.318-rc1 review Pavel Machek
                   ` (4 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-13 10:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Lorenzo Pieralisi,
	Bjorn Helgaas, Manivannan Sadhasivam, Stanimir Varbanov

From: Johan Hovold <johan+linaro@kernel.org>

commit 83013631f0f9961416abd812e228c8efbc2f6069 upstream.

Undo the PHY initialisation (e.g. balance runtime PM) if host
initialisation fails during probe.

Link: https://lore.kernel.org/r/20220401133854.10421-3-johan+linaro@kernel.org
Fixes: 82a823833f4e ("PCI: qcom: Add Qualcomm PCIe controller driver")
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Acked-by: Stanimir Varbanov <svarbanov@mm-sol.com>
Cc: stable@vger.kernel.org      # 4.5
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/host/pcie-qcom.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/pci/host/pcie-qcom.c
+++ b/drivers/pci/host/pcie-qcom.c
@@ -562,10 +562,15 @@ static int qcom_pcie_probe(struct platfo
 	ret = dw_pcie_host_init(pp);
 	if (ret) {
 		dev_err(dev, "cannot initialize host\n");
-		return ret;
+		goto err_phy_exit;
 	}
 
 	return 0;
+
+err_phy_exit:
+	phy_exit(pcie->phy);
+
+	return ret;
 }
 
 static const struct of_device_id qcom_pcie_match[] = {



^ permalink raw reply	[flat|nested] 174+ messages in thread

* Re: [PATCH 4.9 000/167] 4.9.318-rc1 review
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2022-06-13 10:10 ` [PATCH 4.9 167/167] PCI: qcom: Fix unbalanced PHY init on probe errors Greg Kroah-Hartman
@ 2022-06-13 11:55 ` Pavel Machek
  2022-06-13 17:52 ` Florian Fainelli
                   ` (3 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Pavel Machek @ 2022-06-13 11:55 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	slade

[-- Attachment #1: Type: text/plain, Size: 660 bytes --]

Hi!

> This is the start of the stable review cycle for the 4.9.318 release.
> There are 167 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.

CIP testing did not find any problems here:

https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-4.9.y

Tested-by: Pavel Machek (CIP) <pavel@denx.de>

Best regards,
                                                                Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

^ permalink raw reply	[flat|nested] 174+ messages in thread

* Re: [PATCH 4.9 000/167] 4.9.318-rc1 review
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2022-06-13 11:55 ` [PATCH 4.9 000/167] 4.9.318-rc1 review Pavel Machek
@ 2022-06-13 17:52 ` Florian Fainelli
  2022-06-13 23:56 ` Guenter Roeck
                   ` (2 subsequent siblings)
  171 siblings, 0 replies; 174+ messages in thread
From: Florian Fainelli @ 2022-06-13 17:52 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: stable, torvalds, akpm, linux, shuah, patches, lkft-triage,
	pavel, jonathanh, sudipm.mukherjee, slade

On 6/13/22 03:07, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.318 release.
> There are 167 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 15 Jun 2022 09:47:08 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.318-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels:

Tested-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian

^ permalink raw reply	[flat|nested] 174+ messages in thread

* Re: [PATCH 4.9 160/167] ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files
  2022-06-13 10:10 ` [PATCH 4.9 160/167] ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files Greg Kroah-Hartman
@ 2022-06-13 19:52   ` Sergey Shtylyov
  0 siblings, 0 replies; 174+ messages in thread
From: Sergey Shtylyov @ 2022-06-13 19:52 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel; +Cc: stable, Damien Le Moal

On 6/13/22 1:10 PM, Greg Kroah-Hartman wrote:

> From: Sergey Shtylyov <s.shtylyov@omp.ru>
> 
> commit 72aad489f992871e908ff6d9055b26c6366fb864 upstream.
> 
> The {dma|pio}_mode sysfs files are incorrectly documented as having a
> list of the supported DMA/PIO transfer modes, while the corresponding
> fields of the *struct* ata_device hold the transfer mode IDs, not masks.
> 
> To match these docs, the {dma|pio}_mode (and even xfer_mode!) sysfs
> files are handled by the ata_bitfield_name_match() macro which leads to
> reading such kind of nonsense from them:
> 
> $ cat /sys/class/ata_device/dev3.0/pio_mode
> XFER_UDMA_7, XFER_UDMA_6, XFER_UDMA_5, XFER_UDMA_4, XFER_MW_DMA_4,
> XFER_PIO_6, XFER_PIO_5, XFER_PIO_4, XFER_PIO_3, XFER_PIO_2, XFER_PIO_1,
> XFER_PIO_0
> 
> Using the correct ata_bitfield_name_search() macro fixes that:
> 
> $ cat /sys/class/ata_device/dev3.0/pio_mode
> XFER_PIO_4
> 
> While fixing the file documentation, somewhat reword the {dma|pio}_mode
> file doc and add a note about being mostly useful for PATA devices to
> the xfer_mode file doc...
> 
> Fixes: d9027470b886 ("[libata] Add ATA transport class")
> Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
> Cc: stable@vger.kernel.org
> Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  Documentation/ABI/testing/sysfs-ata |    5 +++--
>  drivers/ata/libata-transport.c      |    2 +-
>  2 files changed, 4 insertions(+), 3 deletions(-)
> 
> --- a/Documentation/ABI/testing/sysfs-ata
> +++ b/Documentation/ABI/testing/sysfs-ata
> @@ -59,17 +59,18 @@ class
>  
>  dma_mode
>  
> -	Transfer modes supported by the device when in DMA mode.
> +	DMA transfer mode used by the device.
>  	Mostly used by PATA device.
>  
>  pio_mode
>  
> -	Transfer modes supported by the device when in PIO mode.
> +	PIO transfer mode used by the device.
>  	Mostly used by PATA device.
>  
>  xfer_mode
>  
>  	Current transfer mode.
> +	Mostly used by PATA device.
>  

   Again, needs s/device/devices/ as reported already...

MBR, Sergey

^ permalink raw reply	[flat|nested] 174+ messages in thread

* Re: [PATCH 4.9 000/167] 4.9.318-rc1 review
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2022-06-13 17:52 ` Florian Fainelli
@ 2022-06-13 23:56 ` Guenter Roeck
  2022-06-14  3:09 ` Shuah Khan
  2022-06-14  7:52 ` Naresh Kamboju
  171 siblings, 0 replies; 174+ messages in thread
From: Guenter Roeck @ 2022-06-13 23:56 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, torvalds, akpm, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	slade

On Mon, Jun 13, 2022 at 12:07:54PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.318 release.
> There are 167 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 15 Jun 2022 09:47:08 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 164 pass: 164 fail: 0
Qemu test results:
	total: 397 pass: 397 fail: 0

Tested-by: Guenter Roeck <linux@roeck-us.net>

Guenter

^ permalink raw reply	[flat|nested] 174+ messages in thread

* Re: [PATCH 4.9 000/167] 4.9.318-rc1 review
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2022-06-13 23:56 ` Guenter Roeck
@ 2022-06-14  3:09 ` Shuah Khan
  2022-06-14  7:52 ` Naresh Kamboju
  171 siblings, 0 replies; 174+ messages in thread
From: Shuah Khan @ 2022-06-14  3:09 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: stable, torvalds, akpm, linux, shuah, patches, lkft-triage,
	pavel, jonathanh, f.fainelli, sudipm.mukherjee, slade,
	Shuah Khan

On 6/13/22 4:07 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.318 release.
> There are 167 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 15 Jun 2022 09:47:08 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.318-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <skhan@linuxfoundation.org>

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 174+ messages in thread

* Re: [PATCH 4.9 000/167] 4.9.318-rc1 review
  2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2022-06-14  3:09 ` Shuah Khan
@ 2022-06-14  7:52 ` Naresh Kamboju
  171 siblings, 0 replies; 174+ messages in thread
From: Naresh Kamboju @ 2022-06-14  7:52 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	slade

On Mon, 13 Jun 2022 at 15:44, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.9.318 release.
> There are 167 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 15 Jun 2022 09:47:08 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.318-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h


Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>

## Build
* kernel: 4.9.318-rc1
* git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc
* git branch: linux-4.9.y
* git commit: bb08155cd0997415c865f2def1e3c09686546cee
* git describe: v4.9.317-168-gbb08155cd099
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.9.y/build/v4.9.317-168-gbb08155cd099

## Test Regressions (compared to v4.9.317-109-g3f34965b10c5)
No test regressions found.

## Metric Regressions (compared to v4.9.317-109-g3f34965b10c5)
No metric regressions found.

## Test Fixes (compared to v4.9.317-109-g3f34965b10c5)
No test fixes found.

## Metric Fixes (compared to v4.9.317-109-g3f34965b10c5)
No metric fixes found.

## Test result summary
total: 95213, pass: 83457, fail: 193, skip: 10418, xfail: 1145

## Build Summary
* arc: 10 total, 10 passed, 0 failed
* arm: 261 total, 255 passed, 6 failed
* arm64: 50 total, 39 passed, 11 failed
* i386: 27 total, 23 passed, 4 failed
* mips: 22 total, 22 passed, 0 failed
* parisc: 12 total, 0 passed, 12 failed
* powerpc: 36 total, 16 passed, 20 failed
* s390: 12 total, 9 passed, 3 failed
* sh: 24 total, 24 passed, 0 failed
* sparc: 12 total, 12 passed, 0 failed
* x86_64: 46 total, 44 passed, 2 failed

## Test suites summary
* fwts
* igt-gpu-tools
* kunit
* kvm-unit-tests
* libhugetlbfs
* log-parser-boot
* log-parser-test
* ltp-cap_bounds
* ltp-cap_bounds-tests
* ltp-commands
* ltp-commands-tests
* ltp-containers
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests
* ltp-fcntl-locktests-tests
* ltp-filecaps
* ltp-filecaps-tests
* ltp-fs
* ltp-fs-tests
* ltp-fs_bind
* ltp-fs_bind-tests
* ltp-fs_perms_simple
* ltp-fs_perms_simple-tests
* ltp-fsx
* ltp-fsx-tests
* ltp-hugetlb
* ltp-hugetlb-tests
* ltp-io
* ltp-io-tests
* ltp-ipc
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty
* ltp-pty-tests
* ltp-sched
* ltp-sched-tests
* ltp-securebits
* ltp-securebits-tests
* ltp-smoke
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* rcutorture
* ssuite
* v4l2-compliance
* vdso

--
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 174+ messages in thread

end of thread, other threads:[~2022-06-14  7:55 UTC | newest]

Thread overview: 174+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-13 10:07 [PATCH 4.9 000/167] 4.9.318-rc1 review Greg Kroah-Hartman
2022-06-13 10:07 ` [PATCH 4.9 001/167] USB: new quirk for Dell Gen 2 devices Greg Kroah-Hartman
2022-06-13 10:07 ` [PATCH 4.9 002/167] ptrace/xtensa: Replace PT_SINGLESTEP with TIF_SINGLESTEP Greg Kroah-Hartman
2022-06-13 10:07 ` [PATCH 4.9 003/167] ptrace: Reimplement PTRACE_KILL by always sending SIGKILL Greg Kroah-Hartman
2022-06-13 10:07 ` [PATCH 4.9 004/167] btrfs: add "0x" prefix for unsupported optional features Greg Kroah-Hartman
2022-06-13 10:07 ` [PATCH 4.9 005/167] drm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 006/167] mwifiex: add mutex lock for call in mwifiex_dfs_chan_sw_work_queue Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 007/167] b43legacy: Fix assigning negative value to unsigned variable Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 008/167] b43: " Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 009/167] ipw2x00: Fix potential NULL dereference in libipw_xmit() Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 010/167] ACPICA: Avoid cache flush inside virtual machines Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 011/167] ALSA: jack: Access input_dev under mutex Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 012/167] drm/amd/pm: fix double free in si_parse_power_table() Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 013/167] ath9k: fix QCA9561 PA bias level Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 014/167] media: cx25821: Fix the warning when removing the module Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 015/167] scsi: megaraid: Fix error check return value of register_chrdev() Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 016/167] drm/amd/pm: fix the compile warning Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 017/167] ipv6: Dont send rs packets to the interface of ARPHRD_TUNNEL Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 018/167] ASoC: dapm: Dont fold register value changes into notifications Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 019/167] dma-debug: change allocation mode from GFP_NOWAIT to GFP_ATIOMIC Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 020/167] ipmi:ssif: Check for NULL msg when handling events and messages Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 021/167] openrisc: start CPU timer early in boot Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 022/167] nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 023/167] ASoC: rt5645: Fix errorenous cleanup order Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 024/167] media: exynos4-is: Fix compile warning Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 025/167] rxrpc: Return an error to sendmsg if call failed Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 026/167] eth: tg3: silence the GCC 12 array-bounds warning Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 027/167] fs: jfs: fix possible NULL pointer dereference in dbFree() Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 028/167] ARM: OMAP1: clock: Fix UART rate reporting algorithm Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 029/167] fat: add ratelimit to fat*_ent_bread() Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 030/167] ARM: versatile: Add missing of_node_put in dcscb_init Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 031/167] ARM: dts: exynos: add atmel,24c128 fallback to Samsung EEPROM Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 032/167] ARM: hisi: Add missing of_node_put after of_find_compatible_node Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 033/167] PCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store() Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 034/167] powerpc/xics: fix refcount leak in icp_opal_init() Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 035/167] macintosh/via-pmu: Fix build failure when CONFIG_INPUT is disabled Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 036/167] drm: fix EDID struct for old ARM OABI format Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 037/167] ASoC: mediatek: Fix error handling in mt8173_max98090_dev_probe Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 038/167] x86/delay: Fix the wrong asm constraint in delay_loop() Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 039/167] drm/mediatek: Fix mtk_cec_mask() Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 040/167] spi: spi-ti-qspi: Fix return value handling of wait_for_completion_timeout Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 041/167] NFC: NULL out the dev->rfkill to prevent UAF Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 042/167] HID: hid-led: fix maximum brightness for Dream Cheeky Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 043/167] spi: img-spfi: Fix pm_runtime_get_sync() error checking Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 044/167] ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 045/167] inotify: show inotify mask flags in proc fdinfo Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 046/167] x86/pm: Fix false positive kmemleak report in msr_build_context() Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 047/167] drm/msm/dsi: fix error checks and return values for DSI xmit functions Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 048/167] drm/msm/hdmi: check return value after calling platform_get_resource_byname() Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 049/167] drm/rockchip: vop: fix possible null-ptr-deref in vop_bind() Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 050/167] x86/mm: Cleanup the control_va_addr_alignment() __setup handler Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 051/167] drm/msm: return an error pointer in msm_gem_prime_get_sg_table() Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 052/167] media: uvcvideo: Fix missing check to determine if element is found in list Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 053/167] ASoC: mxs-saif: Fix refcount leak in mxs_saif_probe Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 054/167] regulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 055/167] media: exynos4-is: Change clk_disable to clk_disable_unprepare Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 056/167] media: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 057/167] Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 058/167] m68k: math-emu: Fix dependencies of math emulation support Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 059/167] sctp: read sk->sk_bound_dev_if once in sctp_rcv() Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 060/167] ASoC: wm2000: fix missing clk_disable_unprepare() on error in wm2000_anc_transition() Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 061/167] rxrpc: Fix listen() setting the bar too high for the prealloc rings Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 062/167] rxrpc: Dont try to resend the request if were receiving the reply Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 063/167] soc: qcom: smp2p: Fix missing of_node_put() in smp2p_parse_ipc Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 064/167] soc: qcom: smsm: Fix missing of_node_put() in smsm_parse_ipc Greg Kroah-Hartman
2022-06-13 10:08 ` [PATCH 4.9 065/167] mfd: ipaq-micro: Fix error check return value of platform_get_irq() Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 066/167] scsi: fcoe: Fix Wstringop-overflow warnings in fcoe_wwn_from_mac() Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 067/167] drivers/base/node.c: fix compaction sysfs file leak Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 068/167] powerpc/8xx: export cpm_setbrg for modules Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 069/167] powerpc/idle: Fix return value of __setup() handler Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 070/167] powerpc/4xx/cpm: " Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 071/167] tty: fix deadlock caused by calling printk() under tty_port->lock Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 072/167] Input: sparcspkr - fix refcount leak in bbc_beep_probe Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 073/167] video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 074/167] iommu/amd: Increase timeout waiting for GA log enablement Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 075/167] wifi: mac80211: fix use-after-free in chanctx code Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 076/167] iwlwifi: mvm: fix assert 1F04 upon reconfig Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 077/167] fs-writeback: writeback_sb_inodes:Recalculate wrote according skipped pages Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 078/167] ext4: fix use-after-free in ext4_rename_dir_prepare Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 079/167] ext4: fix bug_on in ext4_writepages Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 080/167] ext4: verify dir block before splitting it Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 081/167] dlm: fix plock invalid read Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 082/167] dlm: fix missing lkb refcount handling Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 083/167] ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 084/167] scsi: dc395x: Fix a missing check on list iterator Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 085/167] scsi: ufs: qcom: Add a readl() to make sure ref_clk gets enabled Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 086/167] drm/amdgpu/cs: make commands with 0 chunks illegal behaviour Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 087/167] drm/bridge: analogix_dp: Grab runtime PM reference for DP-AUX Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 088/167] md: fix an incorrect NULL check in does_sb_need_changing Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 089/167] md: fix an incorrect NULL check in md_reload_sb Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 090/167] RDMA/hfi1: Fix potential integer multiplication overflow errors Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 091/167] irqchip/armada-370-xp: Do not touch Performance Counter Overflow on A375, A38x, A39x Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 092/167] irqchip: irq-xtensa-mx: fix initial IRQ affinity Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 093/167] mac80211: upgrade passive scan to active scan on DFS channels after beacon rx Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 094/167] um: chan_user: Fix winch_tramp() return value Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 095/167] um: Fix out-of-bounds read in LDT setup Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 096/167] iommu/msm: Fix an incorrect NULL check on list iterator Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 097/167] nodemask.h: fix compilation error with GCC12 Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 098/167] hugetlb: fix huge_pmd_unshare address update Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 099/167] rtl818x: Prevent using not initialized queues Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 100/167] ASoC: rt5514: Fix event generation for "DSP Voice Wake Up" control Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 101/167] carl9170: tx: fix an incorrect use of list iterator Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 102/167] gma500: fix an incorrect NULL check on " Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 103/167] docs/conf.py: Cope with removal of language=None in Sphinx 5.0.0 Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 104/167] dt-bindings: gpio: altera: correct interrupt-cells Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 105/167] RDMA/rxe: Generate a completion for unsupported/invalid opcode Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 106/167] MIPS: IP27: Remove incorrect `cpu_has_fpu override Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 107/167] netfilter: nf_tables: disallow non-stateful expression in sets earlier Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 108/167] pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 109/167] staging: greybus: codecs: fix type confusion of list iterator variable Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 110/167] usb: usbip: fix a refcount leak in stub_probe() Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 111/167] usb: usbip: add missing device lock on tweak configuration cmd Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 112/167] USB: storage: karma: fix rio_karma_init return Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 113/167] pwm: lp3943: Fix duty calculation in case period was clamped Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 114/167] rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 115/167] rtc: mt6397: check return value after calling platform_get_resource() Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 116/167] serial: meson: acquire port->lock in startup() Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 117/167] serial: digicolor-usart: Dont allow CS5-6 Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 118/167] serial: txx9: " Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 119/167] serial: sh-sci: " Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 120/167] serial: st-asc: Sanitize CSIZE and correct PARENB for CS7 Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 121/167] firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 122/167] clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return value Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 123/167] net: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry() Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 124/167] modpost: fix removing numeric suffixes Greg Kroah-Hartman
2022-06-13 10:09 ` [PATCH 4.9 125/167] jffs2: fix memory leak in jffs2_do_fill_super Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 126/167] tcp: tcp_rtx_synack() can be called from process context Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 127/167] tracing: Avoid adding tracer option before update_tracer_options Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 128/167] i2c: cadence: Increase timeout per message if necessary Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 129/167] m68knommu: set ZERO_PAGE() to the allocated zeroed page Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 130/167] m68knommu: fix undefined reference to `_init_sp Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 131/167] video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove() Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 132/167] net: fix nla_strcmp to handle more then one trailing null character Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 133/167] ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 134/167] net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 135/167] SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer() Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 136/167] net: xfrm: unexport __init-annotated xfrm4_protocol_init() Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 137/167] net: altera: Fix refcount leak in altera_tse_mdio_create Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 138/167] iio: dummy: iio_simple_dummy: check the return value of kstrdup() Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 139/167] lkdtm/usercopy: Expand size of "out of frame" object Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 140/167] tty: synclink_gt: Fix null-pointer-dereference in slgt_clean() Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 141/167] tty: Fix a possible resource leak in icom_probe Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 142/167] drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop() Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 143/167] USB: host: isp116x: check return value after calling platform_get_resource() Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 144/167] drivers: tty: serial: Fix deadlock in sa1100_set_termios() Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 145/167] drivers: usb: host: Fix deadlock in oxu_bus_suspend() Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 146/167] USB: hcd-pci: Fully suspend across freeze/thaw cycle Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 147/167] usb: dwc2: gadget: dont reset gadgets driver->bus Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 148/167] misc: rtsx: set NULL intfdata when probe fails Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 149/167] clocksource/drivers/sp804: Avoid error on multiple instances Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 150/167] staging: rtl8712: fix uninit-value in r871xu_drv_init() Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 151/167] serial: msm_serial: disable interrupts in __msm_console_write() Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 152/167] md: protect md_unregister_thread from reentrancy Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 153/167] Revert "net: af_key: add check for pfkey_broadcast in function pfkey_process" Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 154/167] drm/radeon: fix a possible null pointer dereference Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 155/167] modpost: fix undefined behavior of is_arm_mapping_symbol() Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 156/167] nodemask: Fix return values to be unsigned Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 157/167] vringh: Fix loop descriptors check in the indirect cases Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 158/167] ALSA: hda/conexant - Fix loopback issue with CX20632 Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 159/167] cifs: return errors during session setup during reconnects Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 160/167] ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files Greg Kroah-Hartman
2022-06-13 19:52   ` Sergey Shtylyov
2022-06-13 10:10 ` [PATCH 4.9 161/167] nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 162/167] nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 163/167] Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 164/167] powerpc/32: Fix overread/overwrite of thread_struct via ptrace Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 165/167] mtd: cfi_cmdset_0002: Move and rename chip_check/chip_ready/chip_good_for_write Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 166/167] mtd: cfi_cmdset_0002: Use chip_ready() for write on S29GL064N Greg Kroah-Hartman
2022-06-13 10:10 ` [PATCH 4.9 167/167] PCI: qcom: Fix unbalanced PHY init on probe errors Greg Kroah-Hartman
2022-06-13 11:55 ` [PATCH 4.9 000/167] 4.9.318-rc1 review Pavel Machek
2022-06-13 17:52 ` Florian Fainelli
2022-06-13 23:56 ` Guenter Roeck
2022-06-14  3:09 ` Shuah Khan
2022-06-14  7:52 ` Naresh Kamboju

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.