* [PATCH 5.19 0000/1157] 5.19.2-rc1 review
@ 2022-08-15 17:49 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, slade

This is the start of the stable review cycle for the 5.19.2 release.
There are 1157 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 17 Aug 2022 18:01:29 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.19.2-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.19.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.19.2-rc1

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression

Pavel Begunkov <asml.silence@gmail.com>
    io_uring: mem-account pbuf buckets

Russell Currey <ruscur@russell.cc>
    powerpc/kexec: Fix build failure from uninitialised variable

Alexander Gordeev <agordeev@linux.ibm.com>
    Revert "s390/smp: enforce lowcore protection on CPU restart"

Vladimir Oltean <vladimir.oltean@nxp.com>
    net: dsa: felix: fix min gate len calculation for tc when its first gate is closed

Steven Rostedt (Google) <rostedt@goodmis.org>
    tracing: Use a copy of the va_list for __assign_vstr()

Johannes Berg <johannes.berg@intel.com>
    wifi: cfg80211: remove chandef check in cfg80211_cac_event()

Johannes Berg <johannes.berg@intel.com>
    wifi: nl80211: acquire wdev mutex earlier in start_ap

Johannes Berg <johannes.berg@intel.com>
    wifi: nl80211: relax wdev mutex check in wdev_chandef()

Johannes Berg <johannes.berg@intel.com>
    wifi: nl80211: hold wdev mutex for tid config

Johannes Berg <johannes.berg@intel.com>
    wifi: cfg80211: handle IBSS in channel switch

Paolo Abeni <pabeni@redhat.com>
    mptcp: refine memory scheduling

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Revert "devcoredump: remove the useless gfp_t parameter in dev_coredumpv and dev_coredumpm"

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Revert "mwifiex: fix sleep in atomic context bugs caused by dev_coredumpv"

Eric Dumazet <edumazet@google.com>
    raw: fix a typo in raw_icmp_error()

Eric Dumazet <edumazet@google.com>
    raw: remove unused variables from raw6_icmp_error()

Jason A. Donenfeld <Jason@zx2c4.com>
    crypto: lib/blake2s - reduce stack frame usage in self test

Eric Dumazet <edumazet@google.com>
    tcp: fix over estimation in sk_forced_mem_schedule()

Robert Foss <robert.foss@linaro.org>
    Revert "drm/bridge: anx7625: Use DPI bus type"

Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
    net_sched: cls_route: remove from list when handle is 0

Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    powerpc64/ftrace: Fix ftrace for clang builds

Christophe Leroy <christophe.leroy@csgroup.eu>
    powerpc: Fix eh field when calling lwarx on PPC32

SeongJae Park <sj@kernel.org>
    xen-blkfront: Apply 'feature_persistent' parameter when connect

Maximilian Heyne <mheyne@amazon.de>
    xen-blkback: Apply 'feature_persistent' parameter when connect

SeongJae Park <sj@kernel.org>
    xen-blkback: fix persistent grants negotiation

Mårten Lindahl <marten.lindahl@axis.com>
    tpm: Add check for Failure mode for TPM2 modules

Huacai Chen <chenhuacai@kernel.org>
    tpm: eventlog: Fix section mismatch for DEBUG_SECTION_MISMATCH

Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
    KEYS: asymmetric: enforce SM2 signature use pkey algo

Jan Kara <jack@suse.cz>
    ext4: fix race when reusing xattr blocks

Jan Kara <jack@suse.cz>
    ext4: unindent codeblock in ext4_xattr_block_set()

Jan Kara <jack@suse.cz>
    ext4: remove EA inode entry from mbcache on inode eviction

Lukas Czerner <lczerner@redhat.com>
    ext4: make sure ext4_append() always allocates new block

Lukas Czerner <lczerner@redhat.com>
    ext4: check if directory block is within i_size

Bagas Sanjaya <bagasdotme@gmail.com>
    Documentation: ext4: fix cell spacing of table heading on blockmap table

Ye Bin <yebin10@huawei.com>
    ext4: fix warning in ext4_iomap_begin as race between bmap and write

Baokun Li <libaokun1@huawei.com>
    ext4: correct the misjudgment in ext4_iget_extra_inode

Baokun Li <libaokun1@huawei.com>
    ext4: correct max_inline_xattr_value_size computing

Baokun Li <libaokun1@huawei.com>
    ext4: fix use-after-free in ext4_xattr_set_entry

Baokun Li <libaokun1@huawei.com>
    ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h

Eric Whitney <enwlinux@gmail.com>
    ext4: fix extent status tree race in writeback error recovery path

Theodore Ts'o <tytso@mit.edu>
    ext4: update s_overhead_clusters in the superblock during an on-line resize

Zhang Yi <yi.zhang@huawei.com>
    ext4: fix reading leftover inlined symlinks

Steven Rostedt (Google) <rostedt@goodmis.org>
    tracing: Use a struct alignof to determine trace event field alignment

Steven Rostedt (Google) <rostedt@goodmis.org>
    batman-adv: tracing: Use the new __vstring() helper

Miaohe Lin <linmiaohe@huawei.com>
    hugetlb_cgroup: fix wrong hugetlb cgroup numa stat

Jianglei Nie <niejianglei2021@163.com>
    mm/damon/reclaim: fix potential memory leak in damon_reclaim_init()

Mike Snitzer <snitzer@kernel.org>
    dm: fix dm-raid crash if md_handle_request() splits bio

Mikulas Patocka <mpatocka@redhat.com>
    dm raid: fix address sanitizer warning in raid_resume

Mikulas Patocka <mpatocka@redhat.com>
    dm raid: fix address sanitizer warning in raid_status

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Attempt to load PERF_GLOBAL_CTRL on nVMX xfer iff it exists

Sean Christopherson <seanjc@google.com>
    KVM: VMX: Add helper to check if the guest PMU has PERF_GLOBAL_CTRL

Sean Christopherson <seanjc@google.com>
    Revert "KVM: x86/pmu: Accept 0 for absent PMU MSRs when host-initiated if !enable_pmu"

Like Xu <likexu@tencent.com>
    KVM: x86/pmu: Accept 0 for absent PMU MSRs when host-initiated if !enable_pmu

Like Xu <likexu@tencent.com>
    KVM: x86/pmu: Ignore pmu->global_ctrl check if vPMU doesn't support global_ctrl

Sean Christopherson <seanjc@google.com>
    KVM: VMX: Mark all PERF_GLOBAL_(OVF)_CTRL bits reserved if there's no vPMU

Like Xu <like.xu@linux.intel.com>
    KVM: x86/pmu: Introduce the ctrl_mask value for fixed counter

Sumanth Korikkar <sumanthk@linux.ibm.com>
    s390/unwind: fix fgraph return address recovery

Jason A. Donenfeld <Jason@zx2c4.com>
    powerpc/powernv/kvm: Use darn for H_RANDOM on Power9

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    ACPI: CPPC: Do not prevent CPPC from working in the future

Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    intel_idle: make SPR C1 and C1E be independent

Filipe Manana <fdmanana@suse.com>
    btrfs: join running log transaction when logging new name

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: zoned: wait until zone is finished when allocation didn't progress

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: zoned: write out partially allocated region

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: zoned: activate necessary block group

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: zoned: activate metadata block group on flush_space

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: zoned: introduce space_info->active_total_bytes

Stefan Roesch <shr@fb.com>
    btrfs: store chunk size in space-info struct

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: zoned: disable metadata overcommit for zoned

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: zoned: finish least available block group on data bg allocation

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: let can_allocate_chunk return error

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: convert count_max_extents() to use fs_info->max_extent_size

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: replace BTRFS_MAX_EXTENT_SIZE with fs_info->max_extent_size

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: zoned: revive max_zone_append_bytes

Naohiro Aota <naohiro.aota@wdc.com>
    block: add bdev_max_segments() helper

Nikolay Borisov <nborisov@suse.com>
    btrfs: properly flag filesystem with BTRFS_FEATURE_INCOMPAT_BIG_METADATA

Josef Bacik <josef@toxicpanda.com>
    btrfs: reset block group chunk force if we have to wait

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: fix error handling of fallback uncompress write

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: ensure pages are unlocked on cow_file_range() failure

Josef Bacik <josef@toxicpanda.com>
    btrfs: tree-log: make the return value for log syncing consistent

Jinke Han <hanjinke.666@bytedance.com>
    block: don't allow the same type rq_qos add more than once

Chen Zhongjin <chenzhongjin@huawei.com>
    locking/csd_lock: Change csdlock_debug from early_param to __setup

Jason A. Donenfeld <Jason@zx2c4.com>
    timekeeping: contribute wall clock to rng on time change

Pali Rohár <pali@kernel.org>
    ARM: Marvell: Update PCIe fixup

Tyler Hicks <tyhicks@linux.microsoft.com>
    net/9p: Initialize the iounit field during fid creation

Luo Meng <luomeng12@huawei.com>
    dm thin: fix use-after-free crash in dm_sm_register_threshold_callback

Steven Rostedt (Google) <rostedt@goodmis.org>
    tracing/events: Add __vstring() and __assign_vstr() helper macros

Michal Suchanek <msuchanek@suse.de>
    kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification

Coiby Xu <coxu@redhat.com>
    kexec: clean up arch_kexec_kernel_verify_sig

Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    kexec_file: drop weak attribute from functions

Mikulas Patocka <mpatocka@redhat.com>
    dm writecache: set a default MAX_WRITEBACK_JOBS

Robert Marko <robimarko@gmail.com>
    PCI: qcom: Power on PHY before IPQ8074 DBI register accesses

Mohamed Khalfella <mkhalfella@purestorage.com>
    PCI/AER: Iterate over error counters instead of error strings

Alexander Lobakin <alexandr.lobakin@intel.com>
    iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE)

Sean Christopherson <seanjc@google.com>
    KVM: x86: Signal #GP, not -EPERM, on bad WRMSR(MCi_CTL/STATUS)

Lev Kujawski <lkujaw@member.fsf.org>
    KVM: set_msr_mce: Permit guests to ignore single-bit ECC errors

Alexander Shishkin <alexander.shishkin@linux.intel.com>
    intel_th: pci: Add Raptor Lake-S CPU support

Alexander Shishkin <alexander.shishkin@linux.intel.com>
    intel_th: pci: Add Raptor Lake-S PCH support

Alexander Shishkin <alexander.shishkin@linux.intel.com>
    intel_th: pci: Add Meteor Lake-P support

Sudeep Holla <sudeep.holla@arm.com>
    firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails

Jason A. Donenfeld <Jason@zx2c4.com>
    crypto: blake2s - remove shash module

Jitao Shi <jitao.shi@mediatek.com>
    drm/mediatek: Keep dsi as LP00 before dcs cmds transfer

Phil Auld <pauld@redhat.com>
    drivers/base: fix userspace break from using bin_attributes for cpumap and cpulist

Guo Ren <guoren@kernel.org>
    csky: abiv1: Fixup compile error

David Collins <quic_collinsd@quicinc.com>
    spmi: trace: fix stack-out-of-bound access in SPMI tracing functions

Al Viro <viro@zeniv.linux.org.uk>
    __follow_mount_rcu(): verify that mount_lock remains unchanged

Xie Shaowen <studentxswpy@163.com>
    Input: gscps2 - check return value of ioremap() in gscps2_probe()

Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
    posix-cpu-timers: Cleanup CPU timers before freeing them during exec

Bharath SM <bharathsm@microsoft.com>
    SMB3: fix lease break timeout when multiple deferred close handles for the same file.

Alexander Lobakin <alexandr.lobakin@intel.com>
    x86/olpc: fix 'logical not is only applied to the left hand side'

Masami Hiramatsu (Google) <mhiramat@kernel.org>
    x86/kprobes: Update kcb status flag after singlestepping

Steven Rostedt (Google) <rostedt@goodmis.org>
    ftrace/x86: Add back ftrace_expected assignment

Kim Phillips <kim.phillips@amd.com>
    x86/bugs: Enable STIBP for IBPB mitigated RETBleed

Paulo Alcantara <pc@cjr.nz>
    cifs: fix lock length calculation

Arun Easi <aeasi@marvell.com>
    scsi: qla2xxx: Fix losing FCP-2 targets during port perturbation tests

Arun Easi <aeasi@marvell.com>
    scsi: qla2xxx: Fix losing target when it reappears during delete

Arun Easi <aeasi@marvell.com>
    scsi: qla2xxx: Fix losing FCP-2 targets on long port disable with I/Os

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Wind down adapter after PCIe error

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Fix erroneous mailbox timeout after PCI error injection

Arun Easi <aeasi@marvell.com>
    scsi: qla2xxx: Fix excessive I/O error messages by default

Arun Easi <aeasi@marvell.com>
    scsi: qla2xxx: Fix crash due to stale SRB access around I/O timeouts

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Turn off multi-queue for 8G adapters

Arun Easi <aeasi@marvell.com>
    scsi: qla2xxx: Fix discovery issues in FC-AL topology

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Fix imbalance vha->vref_count

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: Fix missing auto port scan and thus missing target ports

Peter Wang <peter.wang@mediatek.com>
    scsi: ufs: core: Correct ufshcd_shutdown() flow

Zheyu Ma <zheyuma97@gmail.com>
    video: fbdev: s3fb: Check the size of screen before memset_io()

Zheyu Ma <zheyuma97@gmail.com>
    video: fbdev: arkfb: Check the size of screen before memset_io()

Zheyu Ma <zheyuma97@gmail.com>
    video: fbdev: vt8623fb: Check the size of screen before memset_io()

Jaewook Kim <jw5454.kim@samsung.com>
    f2fs: do not allow to decompress files have FI_COMPRESS_RELEASED

Andrea Righi <andrea.righi@canonical.com>
    x86/entry: Build thunk_$(BITS) only if CONFIG_PREEMPTION=y

Mel Gorman <mgorman@techsingularity.net>
    sched/core: Do not requeue task on CPU excluded from cpus_mask

Tianchen Ding <dtcccc@linux.alibaba.com>
    sched: Remove the limitation of WF_ON_CPU on wakelist if wakee cpu is idle

Tianchen Ding <dtcccc@linux.alibaba.com>
    sched: Fix the check of nr_running at queue wakelist

Florian Fainelli <f.fainelli@gmail.com>
    tools/thermal: Fix possible path truncations

Zheyu Ma <zheyuma97@gmail.com>
    video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()

Siddh Raman Pant <code@siddh.me>
    x86/numa: Use cpumask_available instead of hardcoded NULL check

Waiman Long <longman@redhat.com>
    sched, cpuset: Fix dl_cpu_busy() panic due to empty cs->cpus_allowed

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/64e: Fix kexec build error

Douglas Anderson <dianders@chromium.org>
    tty: serial: qcom-geni-serial: Fix %lu -> %u in print statements

Josh Poimboeuf <jpoimboe@kernel.org>
    scripts/faddr2line: Fix vmlinux detection on arm64

Arnaldo Carvalho de Melo <acme@redhat.com>
    genelf: Use HAVE_LIBCRYPTO_SUPPORT, not the never defined HAVE_LIBCRYPTO

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/pci: Fix PHB numbering when using opal-phbid

Chenyi Qiang <chenyi.qiang@intel.com>
    x86/bus_lock: Don't assume the init value of DEBUGCTLMSR.BUS_LOCK_DETECT to be zero

Chen Zhongjin <chenzhongjin@huawei.com>
    kprobes: Forbid probing on trampoline and BPF code areas

Ian Rogers <irogers@google.com>
    perf symbol: Fail to read phdr workaround

Miaoqian Lin <linmq006@gmail.com>
    powerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address

Miaoqian Lin <linmq006@gmail.com>
    powerpc/xive: Fix refcount leak in xive_get_max_prio

Miaoqian Lin <linmq006@gmail.com>
    powerpc/spufs: Fix refcount leak in spufs_init_isolated_loader

Matthew Wilcox (Oracle) <willy@infradead.org>
    cifs: Fix memory leak when using fscache

Chao Liu <liuchao@coolpad.com>
    f2fs: fix to remove F2FS_COMPR_FL and tag F2FS_NOCOMP_FL at the same time

Chao Yu <chao@kernel.org>
    f2fs: fix to check inline_data during compressed inode conversion

Chao Yu <chao@kernel.org>
    f2fs: fix to invalidate META_MAPPING before DIO write

Kan Liang <kan.liang@linux.intel.com>
    perf stat: Revert "perf stat: Add default hybrid events"

Alexander Gordeev <agordeev@linux.ibm.com>
    s390/smp: enforce lowcore protection on CPU restart

Sherry Sun <sherry.sun@nxp.com>
    tty: serial: fsl_lpuart: correct the count of break characters

Vijaya Krishna Nivarthi <quic_vnivarth@quicinc.com>
    tty: serial: qcom-geni-serial: Fix get_clk_div_rate() which otherwise could return a sub-optimal clock rate.

Guo Mengqi <guomengqi3@huawei.com>
    serial: 8250_bcm2835aux: Add missing clk_disable_unprepare()

Rashmica Gupta <rashmica@linux.ibm.com>
    selftests/powerpc: Fix matrix multiply assist test

Pali Rohár <pali@kernel.org>
    powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain' and alias

Alexey Kardashevskiy <aik@ozlabs.ru>
    powerpc/iommu: Fix iommu_table_in_use for a small default DMA window case

Alexey Kardashevskiy <aik@ozlabs.ru>
    pseries/iommu/ddw: Fix kdump to work in absence of ibm,dma-window

Christophe Leroy <christophe.leroy@csgroup.eu>
    video: fbdev: offb: Include missing linux/platform_device.h

Christophe Leroy <christophe.leroy@csgroup.eu>
    powerpc/32: Do not allow selection of e5500 or e6500 CPUs on PPC32

Christophe Leroy <christophe.leroy@csgroup.eu>
    powerpc/32s: Fix boot failure with KASAN + SMP + JUMP_LABEL_FEATURE_CHECK_DEBUG

Christophe Leroy <christophe.leroy@csgroup.eu>
    powerpc/32: Call mmu_mark_initmem_nx() regardless of data block mapping.

Claudiu Beznea <claudiu.beznea@microchip.com>
    ASoC: mchp-spdifrx: disable end of block interrupt on failures

Rustam Subkhankulov <subkhankulov@ispras.ru>
    video: fbdev: sis: fix typos in SiS_GetModeID()

Liang He <windhl@126.com>
    video: fbdev: amba-clcd: Fix refcount leak bugs

Yong Zhi <yong.zhi@intel.com>
    ASoC: Intel: sof_rt5682: Perform quirk check first in card late probe

William Dean <williamsukatube@gmail.com>
    watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in armada_37xx_wdt_probe()

Jean Delvare <jdelvare@suse.de>
    watchdog: sp5100_tco: Fix a memory leak of EFCH MMIO resource

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    watchdog: f71808e_wdt: Add check for platform_driver_register

Liang He <windhl@126.com>
    ASoC: audio-graph-card2: Add of_node_put() in fail path

Liang He <windhl@126.com>
    ASoC: audio-graph-card: Add of_node_put() in fail path

Xie Yongji <xieyongji@bytedance.com>
    fuse: Remove the control interface for virtio-fs

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    ASoC: qcom: q6dsp: Fix an off-by-one in q6adm_alloc_copp()

Shengjiu Wang <shengjiu.wang@nxp.com>
    ASoC: imx-card: use snd_pcm_format_t type for asrc_format

Shengjiu Wang <shengjiu.wang@nxp.com>
    ASoC: fsl_easrc: use snd_pcm_format_t type for sample_format

Shengjiu Wang <shengjiu.wang@nxp.com>
    ASoC: fsl-asoc-card: force cast the asrc_format type

Shengjiu Wang <shengjiu.wang@nxp.com>
    ASoC: fsl_asrc: force cast the asrc_format type

Thomas Richter <tmricht@linux.ibm.com>
    perf test: Fix test case 83 ('perf stat CSV output linter') on s390

Alexander Gordeev <agordeev@linux.ibm.com>
    s390/zcore: fix race when reading from hardware system area

Alexander Gordeev <agordeev@linux.ibm.com>
    s390/crash: fix incorrect number of bytes to copy to user space

Sunil V L <sunilvl@ventanamicro.com>
    riscv: spinwait: Fix hartid variable type

Adrian Hunter <adrian.hunter@intel.com>
    perf tools: Fix dso_id inode generation comparison

Liang He <windhl@126.com>
    iommu/arm-smmu: qcom_iommu: Add of_node_put() when breaking out of loop

Mario Limonciello <mario.limonciello@amd.com>
    ASoC: amd: yc: Decrease level of error message

Miaoqian Lin <linmq006@gmail.com>
    mfd: max77620: Fix refcount leak in max77620_initialise_fps

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    mfd: t7l66xb: Drop platform disable callback

Sibi Sankar <quic_sibis@quicinc.com>
    remoteproc: sysmon: Wait for SSCTL service to come up

Siddharth Gupta <sidgup@codeaurora.org>
    remoteproc: qcom: pas: Check if coredump is enabled

Zhihao Cheng <chengzhihao1@huawei.com>
    proc: fix a dentry lock race between release_task and lookup

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    lib/smp_processor_id: fix imbalanced instrumentation_end() call

Dan Carpenter <dan.carpenter@oracle.com>
    kfifo: fix kfifo_to_user() return type

Emil Renner Berthing <emil.renner.berthing@canonical.com>
    leds: pwm-multicolor: Don't show -EPROBE_DEFER as errors

Miaoqian Lin <linmq006@gmail.com>
    rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge

Florian Fainelli <f.fainelli@gmail.com>
    MIPS: Fixed __debug_virt_addr_valid()

Hangyu Hua <hbh25y@gmail.com>
    net: 9p: fix refcount leak in p9_read_work() error handling

Kent Overstreet <kent.overstreet@gmail.com>
    9p: Add client parameter to p9_req_put()

Kent Overstreet <kent.overstreet@gmail.com>
    9p: Drop kref usage

Sam Protsenko <semen.protsenko@linaro.org>
    iommu/exynos: Handle failed IOMMU device registration properly

Doug Berger <opendmb@gmail.com>
    serial: 8250_bcm7271: Save/restore RTS in suspend/resume

Dan Carpenter <dan.carpenter@oracle.com>
    ASoC: SOF: ipc-msg-injector: fix copy in sof_msg_inject_ipc4_dfs_write()

Liang He <windhl@126.com>
    ASoC: mt6359: Fix refcount leak bug

Liang He <windhl@126.com>
    ASoc: audio-graph-card2: Fix refcount leak bug in __graph_get_type()

Yang Yingliang <yangyingliang@huawei.com>
    cpufreq: mediatek: fix error return code in mtk_cpu_dvfs_info_init()

Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
    ASoC: SOF: ipc3-topology: Prevent double freeing of ipc_control_data via load_bytes

Alexander Lobakin <alexandr.lobakin@intel.com>
    lib/bitmap: fix off-by-one in bitmap_to_arr64()

Robin Murphy <robin.murphy@arm.com>
    swiotlb: fail map correctly with failed io_tlb_default_mem

YC Hung <yc.hung@mediatek.com>
    ASoC: SOF: mediatek: fix mt8195 StatvectorSel wrong setting

Florian Fainelli <f.fainelli@gmail.com>
    MIPS: vdso: Utilize __pa() for gic_pfn

Daniel Starke <daniel.starke@siemens.com>
    tty: n_gsm: fix missing corner cases in gsmld_poll()

Daniel Starke <daniel.starke@siemens.com>
    tty: n_gsm: fix flow control handling in tx path

Daniel Starke <daniel.starke@siemens.com>
    tty: n_gsm: fix DM command

Daniel Starke <daniel.starke@siemens.com>
    tty: n_gsm: fix wrong T1 retry count handling

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    serial: 8250_fsl: Don't report FE, PE and OE twice

Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
    ASoC: audio-graph-card2.c: use of_property_read_u32() for rate

Eric Farman <farman@linux.ibm.com>
    vfio/ccw: Do not change FSM state in subchannel event

Eric Farman <farman@linux.ibm.com>
    vfio/ccw: Fix FSM state if mdev probe fails

Michael Kawano <mkawano@linux.ibm.com>
    vfio/ccw: Remove UUID from s390 debug log

Sireesh Kodali <sireeshkodali1@gmail.com>
    remoteproc: qcom: wcnss: Fix handling of IRQs

Shengjiu Wang <shengjiu.wang@nxp.com>
    ASoC: imx-card: Fix DSD/PDM mclk frequency

Tiezhu Yang <yangtiezhu@loongson.cn>
    MIPS: Loongson64: Fix section mismatch warning

Liang He <windhl@126.com>
    ASoC: qcom: Fix missing of_node_put() in asoc_qcom_lpass_cpu_platform_probe()

Daniel Starke <daniel.starke@siemens.com>
    tty: n_gsm: fix resource allocation order in gsm_activate_mux()

Daniel Starke <daniel.starke@siemens.com>
    tty: n_gsm: fix deadlock and link starvation in outgoing data path

Daniel Starke <daniel.starke@siemens.com>
    tty: n_gsm: fix race condition in gsmld_write()

Daniel Starke <daniel.starke@siemens.com>
    tty: n_gsm: fix packet re-transmission without open control channel

Daniel Starke <daniel.starke@siemens.com>
    tty: n_gsm: fix non flow control frames during mux flow off

Daniel Starke <daniel.starke@siemens.com>
    tty: n_gsm: fix missing timer to handle stalled links

Daniel Starke <daniel.starke@siemens.com>
    tty: n_gsm: fix wrong queuing behavior in gsm_dlci_data_output()

Daniel Starke <daniel.starke@siemens.com>
    tty: n_gsm: fix tty registration before control channel open

Daniel Starke <daniel.starke@siemens.com>
    tty: n_gsm: fix user open not possible at responder until initiator open

Alexander Lobakin <alexandr.lobakin@intel.com>
    net/ice: fix initializing the bitmap in the switch code

Yishai Hadas <yishaih@nvidia.com>
    vfio: Split migration ops from main device ops

Yishai Hadas <yishaih@nvidia.com>
    vfio/mlx5: Protect mlx5vf_disable_fds() upon close device

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    ASoC: codecs: wsa881x: handle timeouts in resume path

Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    serial: 8250_dw: Take port lock while accessing LSR

Tom Rix <trix@redhat.com>
    ASoC: samsung: change gpiod_speaker_power and rx1950_audio from global to static variables

Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
    ASoC: soc-core.c: fixup snd_soc_of_get_dai_link_cpus()

Athira Rajeev <atrajeev@linux.vnet.ibm.com>
    powerpc/perf: Optimize clearing the pending PMI and remove WARN_ON for PMI check in power_pmu_disable

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    ASoC: samsung: h1940_uda1380: include proepr GPIO consumer header

Michael Ellerman <mpe@ellerman.id.au>
    selftests/powerpc: Skip energy_scale_info test on older firmware

Hangyu Hua <hbh25y@gmail.com>
    rpmsg: Fix possible refcount leak in rpmsg_register_device_override()

Alexey Kardashevskiy <aik@ozlabs.ru>
    KVM: PPC: Book3s: Fix warning about xics_rm_h_xirr_x

Miaoqian Lin <linmq006@gmail.com>
    remoteproc: imx_rproc: Fix refcount leak in imx_rproc_addr_init

Chen Zhongjin <chenzhongjin@huawei.com>
    profiling: fix shift too large makes kernel panic

Joe Lawrence <joe.lawrence@redhat.com>
    selftests/livepatch: better synchronize test_klp_callbacks_busy

Miaoqian Lin <linmq006@gmail.com>
    remoteproc: k3-r5: Fix refcount leak in k3_r5_cluster_of_init

AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    rpmsg: mtk_rpmsg: Fix circular locking dependency

Shengjiu Wang <shengjiu.wang@nxp.com>
    rpmsg: char: Add mutex protection for rpmsg_eptdev_open()

Charles Keepax <ckeepax@opensource.cirrus.com>
    ASoC: cs35l45: Add endianness flag in snd_soc_component_driver

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    ASoC: codecs: wcd9335: move gains from SX_TLV to S8_TLV

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    ASoC: codecs: msm8916-wcd-digital: move gains from SX_TLV to S8_TLV

Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
    ASoC: SOF: make ctx_store and ctx_restore as optional

Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    serial: 8250_dw: Store LSR into lsr_saved_flags in dw8250_tx_wait_empty()

Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    serial: 8250_dw: Use serial_lsr_in() in dw8250_handle_irq()

Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    serial: 8250: Get preserved flags using serial_lsr_in()

Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    serial: 8250: Create serial_lsr_in()

Yang Yingliang <yangyingliang@huawei.com>
    serial: pic32: fix missing clk_disable_unprepare() on error in pic32_uart_startup()

Miaoqian Lin <linmq006@gmail.com>
    ASoC: mediatek: mt8173-rt5650: Fix refcount leak in mt8173_rt5650_dev_probe

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    ASoC: codecs: da7210: add check for i2c_add_driver

Miaoqian Lin <linmq006@gmail.com>
    ASoC: mt6797-mt6351: Fix refcount leak in mt6797_mt6351_dev_probe

Randy Dunlap <rdunlap@infradead.org>
    ASoC: max98390: use linux/gpio/consumer.h to fix build

Miaoqian Lin <linmq006@gmail.com>
    ASoC: mediatek: mt8173: Fix refcount leak in mt8173_rt5650_rt5676_dev_probe

Fabio Estevam <festevam@gmail.com>
    ASoC: imx-audmux: Silence a clang warning

Miaoqian Lin <linmq006@gmail.com>
    ASoC: samsung: Fix error handling in aries_audio_probe

Miaoqian Lin <linmq006@gmail.com>
    ASoC: cros_ec_codec: Fix refcount leak in cros_ec_codec_platform_probe

Tang Bin <tangbin@cmss.chinamobile.com>
    opp: Fix error check in dev_pm_opp_attach_genpd()

Nathan Chancellor <nathan@kernel.org>
    usb: cdns3: Don't use priv_dev uninitialized in cdns3_gadget_ep_enable()

Zhihao Cheng <chengzhihao1@huawei.com>
    jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted

Li Lingfeng <lilingfeng3@huawei.com>
    ext4: recover csum seed of tmp_inode after migrating to extents

Zhang Yi <yi.zhang@huawei.com>
    jbd2: fix outstanding credits assert in jbd2_journal_commit_transaction()

Keith Busch <kbusch@kernel.org>
    block: ensure iov_iter advances for added pages

Keith Busch <kbusch@kernel.org>
    block/bio: remove duplicate append pages code

Christoph Hellwig <hch@lst.de>
    nvme: catch -ENODEV from nvme_revalidate_zones again

Nick Bowler <nbowler@draconx.ca>
    nvme: define compat_ioctl again to unbreak 32-bit userspace.

Bean Huo <beanhuo@micron.com>
    nvme: use command_id instead of req->tag in trace_nvme_complete_rq()

Christoph Hellwig <hch@lst.de>
    mtip32xx: fix device removal

Yu Kuai <yukuai3@huawei.com>
    nbd: add missing definition of pr_fmt

Dan Carpenter <dan.carpenter@oracle.com>
    null_blk: fix ida error handling in null_add_dev()

Md Haris Iqbal <haris.iqbal@ionos.com>
    block/rnbd-srv: Set keep_id to true after mutex_trylock

Zhu Yanjun <yanjun.zhu@linux.dev>
    RDMA/rxe: Fix error unwind in rxe_create_qp()

Maor Gottlieb <maorg@nvidia.com>
    RDMA/mlx5: Add missing check for return value in get namespace flow

Xu Qiang <xuqiang36@huawei.com>
    of/fdt: declared return type does not match actual return type

Andrei Vagin <avagin@google.com>
    selftests: kvm: set rax before vmcall

Juergen Gross <jgross@suse.com>
    xen: don't require virtio with grants for non-PV guests

Juergen Gross <jgross@suse.com>
    virtio: replace restricted mem access flag with callback

Andreas Schwab <schwab@suse.de>
    rtla: Fix double free

Daniel Bristot de Oliveira <bristot@kernel.org>
    rtla: Fix Makefile when called from -C tools/

Dan Carpenter <dan.carpenter@oracle.com>
    selftest/vm: uninitialized variable in main()

Dan Carpenter <dan.carpenter@oracle.com>
    tools/testing/selftests/vm/hugetlb-madvise.c: silence uninitialized variable warning

Adam Sindelar <adam@wowsignal.io>
    selftests/vm: fix errno handling in mrelease_test

Miaohe Lin <linmiaohe@huawei.com>
    mm/mmap.c: fix missing call to vm_unacct_memory in mmap_region

Liam R. Howlett <Liam.Howlett@oracle.com>
    android: binder: stop saving a pointer to the VMA

Bart Van Assche <bvanassche@acm.org>
    RDMA/srpt: Fix a use-after-free

Bart Van Assche <bvanassche@acm.org>
    RDMA/srpt: Introduce a reference count in struct srpt_device

Bart Van Assche <bvanassche@acm.org>
    RDMA/srpt: Duplicate port name members

Dan Carpenter <dan.carpenter@oracle.com>
    platform/olpc: Fix uninitialized data in debugfs write

Vadim Pasternak <vadimp@nvidia.com>
    platform/mellanox: mlxreg-lc: Fix error flow and extend verbosity

Hans de Goede <hdegoede@redhat.com>
    platform/x86: pmc_atom: Match all Lex BayTrail boards with critclk_systems DMI table

Dan Carpenter <dan.carpenter@oracle.com>
    tools/power/x86/intel-speed-select: Fix off by one check

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Set UMIP bit CR4_FIXED1 MSR when emulating UMIP

Peter Suti <peter.suti@streamunlimited.com>
    staging: fbtft: core: set smem_len before fb_deferred_io_init call

Patrice Chotard <patrice.chotard@foss.st.com>
    mtd: spi-nor: fix spi_nor_spimem_setup_op() call in spi_nor_erase_{sector,chip}()

Andrey Strachuk <strochuk@ispras.ru>
    usb: cdns3: change place of 'priv_ep' assignment in cdns3_gadget_ep_dequeue(), cdns3_gadget_ep_enable()

Alexey Sheplyakov <asheplyakov@basealt.ru>
    usb: xhci_plat_remove: avoid NULL dereference

Johan Hovold <johan@kernel.org>
    USB: serial: fix tty-port initialized comments

Basavaraj Natikar <Basavaraj.Natikar@amd.com>
    HID: amd_sfh: Handle condition of "no sensors"

Vidya Sagar <vidyas@nvidia.com>
    PCI: tegra194: Fix link up retry sequence

Vidya Sagar <vidyas@nvidia.com>
    PCI: tegra194: Fix Root Port interrupt handling

Bob Pearson <rpearsonhpe@gmail.com>
    RDMA/rxe: Fix rnr retry behavior

Md Haris Iqbal <haris.phnx@gmail.com>
    RDMA/rxe: For invalidate compare according to set keys in mr

Artem Borisov <dedsa2002@gmail.com>
    HID: alps: Declare U1_UNICORN_LEGACY support

Liang He <windhl@126.com>
    mmc: cavium-thunderx: Add of_node_put() when breaking out of loop

Liang He <windhl@126.com>
    mmc: cavium-octeon: Add of_node_put() when breaking out of loop

Liang He <windhl@126.com>
    mmc: core: quirks: Add of_node_put() when breaking out of loop

Bob Pearson <rpearsonhpe@gmail.com>
    RDMA/rxe: Fix mw bind to allow any consumer key portion

Antonio Borneo <antonio.borneo@foss.st.com>
    scripts/gdb: fix 'lx-dmesg' on 32 bits arch

Fabio Estevam <festevam@denx.de>
    dmaengine: imx-dma: Cast of_device_get_match_data() with (uintptr_t)

Basavaraj Natikar <Basavaraj.Natikar@amd.com>
    HID: amd_sfh: Add NULL check for hid device

Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
    HID: mcp2221: prevent a buffer overflow in mcp_smbus_write()

Dan Carpenter <dan.carpenter@oracle.com>
    iio: adc: max1027: unlock on error path in max1027_read_single_value()

Liang He <windhl@126.com>
    gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data()

Jianglei Nie <niejianglei2021@163.com>
    RDMA/hfi1: fix potential memory leak in setup_base_ctxt()

Bryan O'Donoghue <bryan.odonoghue@linaro.org>
    clk: qcom: gcc-msm8939: Fix weird field spacing in ftbl_gcc_camss_cci_clk

Bjorn Andersson <bjorn.andersson@linaro.org>
    clk: qcom: gdsc: Bump parent usage count when GDSC is found enabled

Abel Vesa <abel.vesa@linaro.org>
    clk: qcom: Drop mmcx gdsc supply for dispcc and videocc

Gwendal Grignou <gwendal@chromium.org>
    iio: cros: Register FIFO callback after sensor is registered

Zhu Yanjun <yanjun.zhu@linux.dev>
    RDMA/rxe: Fix BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup

Cheng Xu <chengyou@linux.alibaba.com>
    RDMA/siw: Fix duplicated reported IW_CM_EVENT_CONNECT_REPLY event

Haoyue Xu <xuhaoyue1@hisilicon.com>
    RDMA/hns: Fix incorrect clearing of interrupt status register

Jianglei Nie <niejianglei2021@163.com>
    RDMA/qedr: Fix potential memory leak in __qedr_alloc_mr()

Md Haris Iqbal <haris.iqbal@ionos.com>
    RDMA/rtrs-clt: Replace list_next_or_null_rr_rcu with an inline function

Jack Wang <jinpu.wang@ionos.com>
    RDMA/rtrs-srv: Fix modinfo output for stringify

Mustafa Ismail <mustafa.ismail@intel.com>
    RDMA/irdma: Fix setting of QP context err_rq_idx_valid field

Mustafa Ismail <mustafa.ismail@intel.com>
    RDMA/irdma: Fix VLAN connection with wildcard address

Mustafa Ismail <mustafa.ismail@intel.com>
    RDMA/irdma: Fix a window for use-after-free

Patrick Wang <patrick.wang.shcn@gmail.com>
    mm: percpu: use kmemleak_ignore_phys() instead of kmemleak_free()

Christopher Obbard <chris.obbard@collabora.com>
    um: random: Don't initialise hwrng struct with zero

Kalesh Singh <kaleshsingh@google.com>
    KVM: arm64: Fix hypervisor address symbolization

Peng Fan <peng.fan@nxp.com>
    interconnect: imx: fix max_node_id

Samuel Holland <samuel@sholland.org>
    phy: rockchip-inno-usb2: Ignore OTG IRQs in host mode

Fabrice Gasnier <fabrice.gasnier@foss.st.com>
    phy: stm32: fix error return in stm32_usbphyc_phy_init

Dan Carpenter <dan.carpenter@oracle.com>
    eeprom: idt_89hpesx: uninitialized data in idt_dbgfs_csr_write()

Johan Hovold <johan+linaro@kernel.org>
    usb: dwc3: qcom: fix missing optional irq warnings

Rohith Kollalsi <quic_rkollals@quicinc.com>
    usb: dwc3: core: Do not perform GCTL_CORE_SOFTRESET during bootup

Thinh Nguyen <Thinh.Nguyen@synopsys.com>
    usb: dwc3: core: Deprecate GCTL.CORESOFTRESET

Liang He <windhl@126.com>
    usb: aspeed-vhub: Fix refcount leak bug in ast_vhub_init_desc()

Randy Dunlap <rdunlap@infradead.org>
    usb: gadget: udc: amd5536 depends on HAS_DMA

Yang Yingliang <yangyingliang@huawei.com>
    xtensa: iss: fix handling error cases in iss_net_configure()

Max Filippov <jcmvbkbc@gmail.com>
    xtensa: iss/network: provide release() callback

Mahesh Rajashekhara <Mahesh.Rajashekhara@microchip.com>
    scsi: smartpqi: Fix DMA direction for RAID requests

Christian Marangi <ansuelsmth@gmail.com>
    PCI: qcom: Set up rev 2.1.0 PARF_PHY before enabling clocks

Stefan Roese <sr@denx.de>
    PCI/portdrv: Don't disable AER reporting in get_port_device_capability()

Claudio Imbrenda <imbrenda@linux.ibm.com>
    KVM: s390: pv: leak the topmost page table when destroy fails

Christian Loehle <CLoehle@hyperstone.com>
    mmc: block: Add single read for 4k sector cards

Liang He <windhl@126.com>
    of: device: Fix missing of_node_put() in of_dma_set_restricted_buffer

Eugen Hristev <eugen.hristev@microchip.com>
    mmc: sdhci-of-at91: fix set_uhs_signaling rewriting of MC1R

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    memstick/ms_block: Fix a memory leak

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    memstick/ms_block: Fix some incorrect memory allocation

Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
    mmc: renesas_sdhi: Get the reset handle early in the probe

Fabio Estevam <festevam@gmail.com>
    mmc: mxcmmc: Silence a clang warning

Miaoqian Lin <linmq006@gmail.com>
    mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch

Bhupesh Sharma <bhupesh.sharma@linaro.org>
    dt-bindings: mmc: sdhci-msm: Fix issues in yaml bindings

Dan Carpenter <dan.carpenter@oracle.com>
    habanalabs: fix double unlock on error in map_device_va()

jianchunfu <jianchunfu@cmss.chinamobile.com>
    rtla/utils: Use calloc and check the potential memory allocation failure

Duoming Zhou <duoming@zju.edu.cn>
    staging: rtl8192u: Fix sleep in atomic context bug in dm_fsync_timer_callback

Carlos Llamas <cmllamas@google.com>
    binder: fix redefinition of seq_file attributes

Alexander Shishkin <alexander.shishkin@linux.intel.com>
    intel_th: msu: Fix vmalloced buffers

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    intel_th: msu-sink: Potential dereference of null pointer

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    intel_th: Fix a resource leak in an error handling path

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: Revert RSCN_MEMENTO workaround for misbehaved configuration

Bart Van Assche <bvanassche@acm.org>
    scsi: sd: Rework asynchronous resume support

Dan Carpenter <dan.carpenter@oracle.com>
    scsi: qla2xxx: Check correct variable in qla24xx_async_gffid()

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    phy: qcom-qmp: fix the QSERDES_V5_COM_CMN_MODE register

Shunsuke Mie <mie@igel.co.jp>
    PCI: endpoint: Don't stop controller when unbinding endpoint function

Viacheslav Mitrofanov <v.v.mitrofanov@yadro.com>
    dmaengine: sf-pdma: Add multithread support for a DMA channel

Quentin Perret <qperret@google.com>
    KVM: arm64: Don't return from void function

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    soundwire: revisit driver bind/unbind and callbacks

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    soundwire: bus_type: fix remove and shutdown support

Serge Semin <Sergey.Semin@baikalelectronics.ru>
    PCI: dwc: Always enable CDM check if "snps,enable-cdm-check" exists

Serge Semin <Sergey.Semin@baikalelectronics.ru>
    PCI: dwc: Deallocate EPC memory on dw_pcie_ep_init() errors

Serge Semin <Sergey.Semin@baikalelectronics.ru>
    PCI: dwc: Set INCREASE_REGION_SIZE flag based on limit address

Serge Semin <Sergey.Semin@baikalelectronics.ru>
    PCI: dwc: Disable outbound windows only for controllers using iATU

Serge Semin <Sergey.Semin@baikalelectronics.ru>
    PCI: dwc: Add unroll iATU space support to dw_pcie_disable_atu()

Serge Semin <Sergey.Semin@baikalelectronics.ru>
    PCI: dwc: Stop link on host_init errors and de-initialization

Peter Geis <pgwipeout@gmail.com>
    phy: rockchip-inno-usb2: Sync initial otg state

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    phy: ti: tusb1210: Don't check for write errors when powering on

Tianyu Li <tianyu.li@arm.com>
    mm/mempolicy: fix get_nodes out of bound access

Andrey Konovalov <andreyknvl@gmail.com>
    kasan: fix zeroing vmalloc memory with HW_TAGS

Miaohe Lin <linmiaohe@huawei.com>
    mm/migration: fix potential pte_unmap on an not mapped pte

Miaohe Lin <linmiaohe@huawei.com>
    mm/migration: return errno when isolate_huge_page failed

Yang Shi <shy828301@gmail.com>
    mm: rmap: use the correct parameter name for DEFINE_PAGE_VMA_WALK

Yushan Zhou <katrinzhou@tencent.com>
    kernfs: fix potential NULL dereference in __kernfs_remove

Nikita Travkin <nikita@trvn.ru>
    clk: qcom: clk-rcg2: Make sure to not write d=0 to the NMD register

Nikita Travkin <nikita@trvn.ru>
    clk: qcom: clk-rcg2: Fail Duty-Cycle configuration if MND divider is not enabled.

Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
    clk: qcom: camcc-sm8250: Fix topology around titan_top power domain

Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
    clk: qcom: camcc-sdm845: Fix topology around titan_top power domain

Robert Marko <robimarko@gmail.com>
    clk: qcom: ipq8074: set BRANCH_HALT_DELAY flag for UBI clocks

Robert Marko <robimarko@gmail.com>
    clk: qcom: ipq8074: fix NSS port frequency tables

Robert Marko <robimarko@gmail.com>
    clk: qcom: ipq8074: SW workaround for UBI32 PLL lock

Robert Marko <robimarko@gmail.com>
    clk: qcom: ipq8074: fix NSS core PLL-s

Bob Pearson <rpearsonhpe@gmail.com>
    RDMA/rxe: Fix deadlock in rxe_do_local_ops()

Bob Pearson <rpearsonhpe@gmail.com>
    RDMA/rxe: Add a responder state for atomic reply

Sergey Shtylyov <s.shtylyov@omp.ru>
    usb: host: xhci: use snprintf() in xhci_decode_trb()

Bryan O'Donoghue <bryan.odonoghue@linaro.org>
    clk: qcom: gcc-msm8939: Point MM peripherals to system_mm_noc clock

Bryan O'Donoghue <bryan.odonoghue@linaro.org>
    clk: qcom: gcc-msm8939: Add missing system_mm_noc_bfdcd_clk_src

Bryan O'Donoghue <bryan.odonoghue@linaro.org>
    clk: qcom: gcc-msm8939: Fix bimc_ddr_clk_src rcgr base address

Bryan O'Donoghue <bryan.odonoghue@linaro.org>
    clk: qcom: gcc-msm8939: Add missing SYSTEM_MM_NOC_BFDCD_CLK_SRC

Neal Liu <neal_liu@aspeedtech.com>
    usb: gadget: f_mass_storage: Make CD-ROM emulation works with Windows OS

Mike Leach <mike.leach@linaro.org>
    coresight: syscfg: Update load and unload operations

Mike Leach <mike.leach@linaro.org>
    coresight: configfs: Fix unload of configurations on module exit

Christian Marangi <ansuelsmth@gmail.com>
    clk: qcom: clk-krait: unlock spin after mux completion

Zhang Wensheng <zhangwensheng5@huawei.com>
    driver core: fix potential deadlock in __driver_attach

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    misc: rtsx: Fix an error handling path in rtsx_pci_probe()

Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
    clk: qcom: camcc-sm8250: Fix halt on boot by reducing driver's init level

Mark Brown <broonie@kernel.org>
    mtd: dataflash: Add SPI ID table

Geert Uytterhoeven <geert+renesas@glider.be>
    mtd: hyperbus: rpc-if: Fix RPM imbalance in probe error path

Ben Gardon <bgardon@google.com>
    KVM: x86: Fix errant brace in KVM capability handling

Serge Semin <Sergey.Semin@baikalelectronics.ru>
    dmaengine: dw-edma: Fix eDMA Rd/Wr-channels and DMA-direction semantics

Mike Christie <michael.christie@oracle.com>
    scsi: iscsi: Fix session removal on shutdown

Mike Christie <michael.christie@oracle.com>
    scsi: iscsi: Add helper to remove a session from the kernel

Mike Christie <michael.christie@oracle.com>
    scsi: iscsi: Allow iscsi_if_stop_conn() to be called from kernel

Duoming Zhou <duoming@zju.edu.cn>
    mwifiex: fix sleep in atomic context bugs caused by dev_coredumpv

Duoming Zhou <duoming@zju.edu.cn>
    devcoredump: remove the useless gfp_t parameter in dev_coredumpv and dev_coredumpm

Sean Christopherson <seanjc@google.com>
    KVM: selftests: Use vm_create_with_vcpus() in max_guest_memory_test

Sean Christopherson <seanjc@google.com>
    KVM: selftests: Convert s390x/diag318_test_handler away from VCPU_ID

Sean Christopherson <seanjc@google.com>
    KVM: Don't set Accessed/Dirty bits for ZERO_PAGE

Miaohe Lin <linmiaohe@huawei.com>
    mm/memremap: fix memunmap_pages() race with get_dev_pagemap()

Miaohe Lin <linmiaohe@huawei.com>
    lib/test_hmm: avoid accessing uninitialized pages

Dongliang Mu <mudongliangabcd@gmail.com>
    RDMA/rxe: fix xa_alloc_cycle() error return value check again

Peng Fan <peng.fan@nxp.com>
    clk: imx: clk-fracn-gppll: correct rdiv

Liu Ying <victor.liu@nxp.com>
    clk: imx: clk-fracn-gppll: Return rate in rate table properly in ->recalc_rate()

Peng Fan <peng.fan@nxp.com>
    clk: imx: clk-fracn-gppll: fix mfd value

Peng Fan <peng.fan@nxp.com>
    clk: imx93: correct nic_media parent

Haibo Chen <haibo.chen@nxp.com>
    clk: imx93: use adc_root as the parent clock of adc1

Rex-BC Chen <rex-bc.chen@mediatek.com>
    clk: mediatek: reset: Fix written reset bit offset

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: temp: maxim_thermocouple: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: temp: max31865: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: temp: ltc2983: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: resolver: ad2s90: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: resolver: ad2s1200: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: proximity: as3935: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: potentiometer: mcp4131: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: potentiometer: mcp41010: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: potentiometer: max5481: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: potentiometer: ad5272: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: potentiometer: ad5110: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: imu: mpu6050: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: imu: inv_icm42600: Fix alignment for DMA safety in buffer code.

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: imu: inv_icm42600: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: imu: fxos8700: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: gyro: fxas210002c: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: gyro: adxrs450: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: gyro: adis16130: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: gyro: adis16080: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: frequency: adrf6780: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: frequency: admv4420: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: frequency: admv1014: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: frequency: admv1013: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: frequency: adf4371: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: frequency: adf4350: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: frequency: ad9523: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ti-dac7612: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ti-dac7311: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ti-dac5571: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ti-dac082s085: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: mcp4922: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ltc2688: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad8801: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad7303: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad7293: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad5791: Fix alignment for DMA saftey

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad5770r: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad5766: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad5764: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad5761: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad5755: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad5686: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad5592r: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad5504: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad5449: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad5421: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad5360: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: dac: ad5064: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: common: ssp: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: amplifiers: ad8366: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: addac: ad74413r: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ti-tlc4541: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ti-ads8688: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ti-ads8344: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ti-ads7950: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ti-ads131e08: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ti-ads124s08: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ti-adc161s626: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ti-adc128s052: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ti-adc12138: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ti-adc108s102: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ti-adc084s021: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ti-adc0832: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: mcp320x: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: max1241: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: max1118: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: max11100: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: max1027: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ltc2497: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ltc2496: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: hi8435: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ad7949: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ad7923: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ad7887: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ad7768-1: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ad7766: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ad7606: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ad7476: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ad7298: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ad7292: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ad7280a: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ad7266: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: sca3300: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: sca3000: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: bma220: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: adxl367: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: adxl355: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: adxl313: Fix alignment for DMA safety

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: core: Fix IIO_ALIGN and rename as it was not sufficiently large

Jagath Jog J <jagathjog1996@gmail.com>
    iio: accel: bma400: Add triggered buffer support

Jagath Jog J <jagathjog1996@gmail.com>
    iio: accel: bma400: conversion to device-managed function

Jagath Jog J <jagathjog1996@gmail.com>
    iio: accel: bma400: Reordering of header files

Gwendal Grignou <gwendal@chromium.org>
    iio: sx9324: Fix register field spelling

Stephen Boyd <swboyd@chromium.org>
    platform/chrome: cros_ec: Always expose last resume result

Jagath Jog J <jagathjog1996@gmail.com>
    iio: accel: bma400: Fix the scale min and max macro values

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Reduce N2N thrashing at app_start time

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Fix no logout on delete for N2N

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Fix session thrash

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Tear down session if keys have been removed

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Fix no login after app start

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Reduce disruption due to multiple app start

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Send LOGO for unexpected IKE message

Thomas Gleixner <tglx@linutronix.de>
    netfilter: xtables: Bring SPDX identifier back

Miquel Raynal <miquel.raynal@bootlin.com>
    dmaengine: dw: dmamux: Fix build without CONFIG_OF

Miquel Raynal <miquel.raynal@bootlin.com>
    dmaengine: dw: dmamux: Export the module device table

Tang Bin <tangbin@cmss.chinamobile.com>
    usb: xhci: tegra: Fix error check

Clément Léger <clement.leger@bootlin.com>
    usb: host: ohci-at91: add support to enter suspend using SMC

Dan Carpenter <dan.carpenter@oracle.com>
    usbip: vudc: Don't enable IRQs prematurely

Tang Bin <tangbin@cmss.chinamobile.com>
    usb: gadget: tegra-xudc: Fix error check in tegra_xudc_powerdomain_init()

Miaoqian Lin <linmq006@gmail.com>
    usb: ohci-nxp: Fix refcount leak in ohci_hcd_nxp_probe

Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    usb: gadget: uvc: Fix comment blocks style

Frank Li <Frank.Li@nxp.com>
    usb: cdns3: fix random warning message when driver load

Miaoqian Lin <linmq006@gmail.com>
    usb: host: Fix refcount leak in ehci_hcd_ppc_of_probe

Marco Pagani <marpagan@redhat.com>
    fpga: altera-pr-ip: fix unsigned comparison with less than zero

Miaoqian Lin <linmq006@gmail.com>
    PCI: mediatek-gen3: Fix refcount leak in mtk_pcie_init_irq_domains()

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    mtd: st_spi_fsm: Disable clock only after device was unregistered

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    mtd: st_spi_fsm: Warn about failure to unregister mtd device

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    mtd: spear_smi: Drop if with an always false condition

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    mtd: st_spi_fsm: Add a clk_disable_unprepare() in .probe()'s error path

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    mtd: spear_smi: Don't skip cleanup after mtd_device_unregister() failed

Miaoqian Lin <linmq006@gmail.com>
    mtd: parsers: ofpart: Fix refcount leak in bcm4908_partitions_fw_offset

Miaoqian Lin <linmq006@gmail.com>
    mtd: partitions: Fix refcount leak in parse_redboot_of

Duoming Zhou <duoming@zju.edu.cn>
    mtd: sm_ftl: Fix deadlock caused by cancel_work_sync in sm_release

Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
    HID: cp2112: prevent a buffer overflow in cp2112_xfer()

Miaoqian Lin <linmq006@gmail.com>
    PCI: tegra194: Fix PM error handling in tegra_pcie_config_ep()

Miaoqian Lin <linmq006@gmail.com>
    PCI: microchip: Fix refcount leak in mc_pcie_init_irq_domains()

Chanho Park <chanho61.park@samsung.com>
    phy: samsung: exynosautov9-ufs: correct TSRV register configurations

Sean Christopherson <seanjc@google.com>
    KVM: x86/mmu: Drop RWX=0 SPTEs during ept_sync_page()

Sean Christopherson <seanjc@google.com>
    KVM: SVM: Stuff next_rip on emulated INT3 injection if NRIPS is supported

Sean Christopherson <seanjc@google.com>
    KVM: SVM: Unwind "speculative" RIP advancement if INTn injection "fails"

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Fix n2n login retry for secure device

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Fix n2n discovery issue with secure target

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Add retry for ELS passthrough

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Synchronize NPIV deletion with authentication application

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Fix potential stuck session in sa update

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Add bsg interface to read doorbell events

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Wait for app to ack on sess down

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: bsg refactor

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: edif: Reduce Initiator-Initiator thrashing

Vaibhav Jain <vaibhav@linux.ibm.com>
    of: check previous kernel's ima-kexec-buffer against memory bounds

Biju Das <biju.das.jz@bp.renesas.com>
    clk: renesas: rzg2l: Fix reset status function

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    mtd: rawnand: meson: Fix a potential double free issue

Miaoqian Lin <linmq006@gmail.com>
    mtd: maps: Fix refcount leak in ap_flash_init

Miaoqian Lin <linmq006@gmail.com>
    mtd: maps: Fix refcount leak in of_flash_probe_versatile

Ralph Siemsen <ralph.siemsen@linaro.org>
    clk: renesas: r9a06g032: Fix UART clkgrp bitsel

Mario Limonciello <mario.limonciello@amd.com>
    HID: amd_sfh: Don't show client init failed as error when discovery fails

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: allowedips: don't corrupt stack when detecting overflow

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: ratelimiter: use hrtimer in selftest

Maxim Mikityanskiy <maximmi@nvidia.com>
    net/mlx5e: xsk: Discard unaligned XSK frames on striding RQ

Maciej Żenczykowski <maze@google.com>
    net: usb: make USB_RTL8153_ECM non user configurable

Hangyu Hua <hbh25y@gmail.com>
    dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock

Jian Shen <shenjian15@huawei.com>
    net: ionic: fix error check for vlan flags in ionic_set_nic_features()

Jian Shen <shenjian15@huawei.com>
    net: ice: fix error NETIF_F_HW_VLAN_CTAG_FILTER check in ice_vsi_sync_fltr()

Eric Dumazet <edumazet@google.com>
    net: rose: fix netdev reference changes

Jakub Kicinski <kuba@kernel.org>
    netdevsim: Avoid allocation warnings triggered from user space

Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>
    iavf: Fix 'tc qdisc show' listing too many queues

Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>
    iavf: Fix max_rate limiting

William Dean <williamsukatube@gmail.com>
    wifi: rtw88: check the return value of alloc_workqueue()

Ido Schimmel <idosch@nvidia.com>
    netdevsim: fib: Fix reference count leak on route deletion failure

Mike Manning <mvrmanning@gmail.com>
    net: allow unbound socket for packets in VRF when tcp_l3mdev_accept set

Kai Ye <yekai13@huawei.com>
    crypto: hisilicon/sec - fix auth key size error

Pali Rohár <pali@kernel.org>
    crypto: inside-secure - Add missing MODULE_DEVICE_TABLE for of

Zhengchao Shao <shaozhengchao@huawei.com>
    crypto: hisilicon/hpre - don't use GFP_KERNEL to alloc mem during softirq

Eric Dumazet <edumazet@google.com>
    ax25: fix incorrect dev_tracker usage

Shay Drory <shayd@nvidia.com>
    net/mlx5: Fix driver use of uninitialized timeout

Yevgeny Kliteynik <kliteyn@nvidia.com>
    net/mlx5: DR, Fix SMFS steering info dump format

Maher Sanalla <msanalla@nvidia.com>
    net/mlx5: Adjust log_max_qp to be 18 at most

Vlad Buslov <vladbu@nvidia.com>
    net/mlx5e: Modify slow path rules to go to slow fdb

Maxim Mikityanskiy <maximmi@nvidia.com>
    net/mlx5e: Fix calculations related to max MPWQE size

Maxim Mikityanskiy <maximmi@nvidia.com>
    net/mlx5e: xsk: Account for XSK RQ UMRs when calculating ICOSQ size

Maxim Mikityanskiy <maximmi@nvidia.com>
    net/mlx5e: Fix the value of MLX5E_MAX_RQ_NUM_MTTS

Maor Dickman <maord@nvidia.com>
    net/mlx5e: TC, Fix post_act to not match on in_port metadata

Gal Pressman <gal@nvidia.com>
    net/mlx5e: Remove WARN_ON when trying to offload an unsupported TLS cipher/version

Dan Carpenter <dan.carpenter@oracle.com>
    drm/amd/display: fix signedness bug in execute_synaptics_rc_command()

Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
    hantro: Remove incorrect HEVC SPS validation

Jernej Skrabec <jernej.skrabec@gmail.com>
    media: cedrus: hevc: Add check for invalid timestamp

Hangyu Hua <hbh25y@gmail.com>
    wifi: libertas: Fix possible refcount leak in if_usb_probe()

Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
    wifi: iwlwifi: mvm: fix double list_add at iwl_mvm_mac_wake_tx_queue

Ammar Faizi <ammarfaizi2@gnuweeb.org>
    wifi: wil6210: debugfs: fix uninitialized variable use in `wil_write_file_wmi()`

Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
    wifi: ath11k: Fix register write failure on QCN9074

Liang He <windhl@126.com>
    i2c: mux-gpmux: Add of_node_put() when breaking out of loop

Joanne Koong <joannelkoong@gmail.com>
    bpf: Fix bpf_xdp_pointer return pointer

Paul Chaignon <paul@isovalent.com>
    bpf: Set flow flag to allow any source IP in bpf_tunnel_key

Paul Chaignon <paul@isovalent.com>
    ip_tunnels: Add new flow flags field to ip_tunnel_key

Qu Wenruo <wqu@suse.com>
    btrfs: update stripe_sectors::uptodate in steal_rbio

Bjorn Andersson <bjorn.andersson@linaro.org>
    i2c: qcom-geni: Use the correct return value

Lars-Peter Clausen <lars@metafoo.de>
    i2c: cadence: Support PEC for SMBus block read

Ying Hsu <yinghsu@chromium.org>
    Bluetooth: Add default wakeup callback for HCI UART driver

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: hci_sync: Fix not updating privacy_mode

Zhengping Jiang <jiangzp@google.com>
    Bluetooth: hci_sync: Fix resuming scan after suspend resume

Zhengping Jiang <jiangzp@google.com>
    Bluetooth: mgmt: Fix refresh cached connection info

Schspa Shi <schspa@gmail.com>
    Bluetooth: When HCI work queue is drained, only queue chained work

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Bluetooth: hci_intel: Add check for platform_driver_register

Vincent Mailhol <mailhol.vincent@wanadoo.fr>
    can: pch_can: pch_can_error(): initialize errc before using it

Dan Carpenter <dan.carpenter@oracle.com>
    libbpf: Fix str_has_sfx()'s return value

Vincent Mailhol <mailhol.vincent@wanadoo.fr>
    can: error: specify the values of data[5..7] of CAN error frames

Vincent Mailhol <mailhol.vincent@wanadoo.fr>
    can: usb_8dev: do not report txerr and rxerr during bus-off

Vincent Mailhol <mailhol.vincent@wanadoo.fr>
    can: kvaser_usb_leaf: do not report txerr and rxerr during bus-off

Vincent Mailhol <mailhol.vincent@wanadoo.fr>
    can: kvaser_usb_hydra: do not report txerr and rxerr during bus-off

Vincent Mailhol <mailhol.vincent@wanadoo.fr>
    can: sun4i_can: do not report txerr and rxerr during bus-off

Vincent Mailhol <mailhol.vincent@wanadoo.fr>
    can: hi311x: do not report txerr and rxerr during bus-off

Vincent Mailhol <mailhol.vincent@wanadoo.fr>
    can: sja1000: do not report txerr and rxerr during bus-off

Vincent Mailhol <mailhol.vincent@wanadoo.fr>
    can: rcar_can: do not report txerr and rxerr during bus-off

Vincent Mailhol <mailhol.vincent@wanadoo.fr>
    can: pch_can: do not report txerr and rxerr during bus-off

Dan Carpenter <dan.carpenter@oracle.com>
    libbpf: fix an snprintf() overflow check

Dan Carpenter <dan.carpenter@oracle.com>
    selftests/bpf: fix a test for snprintf() overflow

Andrii Nakryiko <andrii@kernel.org>
    libbpf: make RINGBUF map size adjustments more eagerly

Andrii Nakryiko <andrii@kernel.org>
    bpf: fix potential 32-bit overflow when accessing ARRAY map element

Alex Deucher <alexander.deucher@amd.com>
    drm/amdgpu: restore original stable pstate on ctx fini

Alex Deucher <alexander.deucher@amd.com>
    drm/amdgpu: use the same HDP flush registers for all nbio 2.3.x

Alex Deucher <alexander.deucher@amd.com>
    drm/amdgpu: use the same HDP flush registers for all nbio 7.4.x

Rustam Subkhankulov <subkhankulov@ispras.ru>
    wifi: p54: add missing parentheses in p54_flush()

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    wifi: p54: Fix an error handling path in p54spi_probe()

Dan Carpenter <dan.carpenter@oracle.com>
    wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi()

Jernej Skrabec <jernej.skrabec@gmail.com>
    media: cedrus: h265: Fix logic for not low delay flag

Benjamin Gaignard <benjamin.gaignard@collabora.com>
    media: uapi: HEVC: Change pic_order_cnt definition in v4l2_hevc_dpb_entry

Jernej Skrabec <jernej.skrabec@gmail.com>
    media: cedrus: h265: Fix flag name

Jason A. Donenfeld <Jason@zx2c4.com>
    fs: check FMODE_LSEEK to control internal pipe splicing

Yang Yingliang <yangyingliang@huawei.com>
    media: ov7251: add missing disable functions on error in ov7251_set_power_on()

Sakari Ailus <sakari.ailus@linux.intel.com>
    media: v4l: async: Also match secondary fwnode endpoints

Johannes Berg <johannes.berg@intel.com>
    wifi: nl80211: acquire wdev mutex for dump_survey

Alexei Starovoitov <ast@kernel.org>
    bpf: Fix subprog names in stack traces.

Wolfram Sang <wsa+renesas@sang-engineering.com>
    selftests: timers: clocksource-switch: fix passing errors from child

Wolfram Sang <wsa+renesas@sang-engineering.com>
    selftests: timers: valid-adjtimex: build fix for newer toolchains

David Gow <davidgow@google.com>
    kunit: executor: Fix a memory leak on failure in kunit_filter_tests

Anquan Wu <leiqi96@hotmail.com>
    libbpf: Fix the name of a reused map

Yonglong Li <liyonglong@chinatelecom.cn>
    tcp: make retransmitted SKB fit into the send window

Song Liu <song@kernel.org>
    bpf, x86: fix freeing of not-finalized bpf_prog_pack

Tony Ambardar <tony.ambardar@gmail.com>
    bpf, x64: Add predicate for bpf2bpf with tailcalls support in JIT

Jian Zhang <zhangjian210@huawei.com>
    drm/exynos/exynos7_drm_decon: free resources when clk_set_parent() failed.

Liu Jian <liujian56@huawei.com>
    skmsg: Fix invalid last sg check in sk_msg_recvmsg()

Liang He <windhl@126.com>
    mediatek: mt76: eeprom: fix missing of_node_put() in mt76_find_power_limits_node()

Liang He <windhl@126.com>
    mediatek: mt76: mac80211: Fix missing of_node_put() in mt76_led_init()

Felix Fietkau <nbd@nbd.name>
    mt76: mt7615: fix throughput regression on DFS channels

Shayne Chen <shayne.chen@mediatek.com>
    mt76: mt7915: fix incorrect testmode ipg on band 1 caused by wmm_idx

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: connac: move connac2_mac_write_txwi in mt76_connac module

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: connac: move mac connac2 defs in mt76_connac2_mac.h

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7915: rely on mt76_dev in mt7915_mac_write_txwi signature

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7921: rely on mt76_dev in mt7921_mac_write_txwi signature

Deren Wu <deren.wu@mediatek.com>
    mt76: mt7921: enlarge maximum VHT MPDU length to 11454

Deren Wu <deren.wu@mediatek.com>
    mt76: mt7921: fix aggregation subframes setting to HE max

Deren Wu <deren.wu@mediatek.com>
    mt76: mt7921s: fix possible sdio deadlock in command fail

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7921: do not update pm states in case of error

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7615: do not update pm stats in case of error

Johannes Berg <johannes.berg@intel.com>
    wifi: mac80211: move some future per-link data to bss_conf

Johannes Berg <johannes.berg@intel.com>
    wifi: cfg80211: do some rework towards MLO link APIs

Johannes Berg <johannes.berg@intel.com>
    wifi: mac80211: reject WEP or pairwise keys with key ID > 3

Deren Wu <deren.wu@mediatek.com>
    mt76: mt7921: not support beacon offload disable command

YN Chen <yn.chen@mediatek.com>
    mt76: mt7921s: fix firmware download random fail

Dan Carpenter <dan.carpenter@oracle.com>
    mt76: mt7915: fix endian bug in mt7915_rf_regval_set()

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt76x02u: fix possible memory leak in __mt76x02u_mcu_send_msg

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7915: fix endianness in mt7915_rf_regval_get

Ming Qian <ming.qian@nxp.com>
    media: amphion: only insert the first sequence startcode for vc1l format

Ming Qian <ming.qian@nxp.com>
    media: amphion: sync buffer status with firmware during abort

Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
    media: hantro: Fix RK3399 H.264 format advertising

Benjamin Gaignard <benjamin.gaignard@collabora.com>
    media: hantro: Be more accurate on pixel formats step_width constraints

Ming Qian <ming.qian@nxp.com>
    media: amphion: defer setting last_buffer_dequeued until resolution changes are processed

Chen-Yu Tsai <wenst@chromium.org>
    media: mediatek: vcodec: Initialize decoder parameters for each instance

Chen-Yu Tsai <wenst@chromium.org>
    media: mediatek: vcodec: decoder: Drop max_{width,height} from mtk_vcodec_ctx

Chen-Yu Tsai <wenst@chromium.org>
    media: mediatek: vcodec: decoder: Skip alignment for default resolution

Chen-Yu Tsai <wenst@chromium.org>
    media: mediatek: vcodec: decoder: Fix resolution clamping in TRY_FMT

Chen-Yu Tsai <wenst@chromium.org>
    media: mediatek: vcodec: decoder: Fix 4K frame size enumeration

Hans de Goede <hdegoede@redhat.com>
    media: atomisp: revert "don't pass a pointer to a local variable"

Rob Clark <robdclark@chromium.org>
    drm/msm/dpu: Fix for non-visible planes

Ming Qian <ming.qian@nxp.com>
    media: amphion: release core lock before reset vpu core

AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    media: platform: mtk-mdp: Fix mdp_ipi_comm structure alignment

Zhengchao Shao <shaozhengchao@huawei.com>
    crypto: hisilicon - Kunpeng916 crypto driver don't sleep when in softirq

Zhengchao Shao <shaozhengchao@huawei.com>
    crypto: hisilicon/sec - don't sleep when in softirq

Mateusz Jończyk <mat.jonczyk@o2.pl>
    drm/radeon: avoid bogus "vram limit (0) must be a power of 2" warning

Rob Clark <robdclark@chromium.org>
    drm/msm/mdp5: Fix global state lock backoff

Yixun Lan <dlan@gentoo.org>
    libbpf, riscv: Use a0 for RC register

Douglas Anderson <dianders@chromium.org>
    drm/msm: Avoid unclocked GMU register access in 6xx gpu_busy

Hsin-Yi Wang <hsinyi@chromium.org>
    drm/bridge: anx7625: Fix NULL pointer crash when using edp-panel

Qiao Ma <mqaio@linux.alibaba.com>
    net: hinic: avoid kernel hung in hinic_get_stats64()

Qiao Ma <mqaio@linux.alibaba.com>
    net: hinic: fix bug that ethtool get wrong stats

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    hinic: Use the bitmap API when applicable

Vladimir Oltean <vladimir.oltean@nxp.com>
    net: dsa: felix: build as module when tc-taprio is module

Vladimir Oltean <vladimir.oltean@nxp.com>
    net: sched: provide shim definitions for taprio_offload_{get,free}

Rob Clark <robdclark@chromium.org>
    drm/msm: Fix fence rollover issue

Hangyu Hua <hbh25y@gmail.com>
    drm: bridge: sii8620: fix possible off-by-one

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    drm/msm/hdmi: fill the pwr_regs bulk regulators

Abhinav Kumar <quic_abhinavk@quicinc.com>
    drm/msm/dpu: remove hard-coded linewidth limit for writeback

Abhinav Kumar <quic_abhinavk@quicinc.com>
    drm/msm/dpu: fix maxlinewidth for writeback block

Abhinav Kumar <quic_abhinavk@quicinc.com>
    drm/msm/dpu: move intf and wb assignment to dpu_encoder_setup_display()

Guillaume Ranquet <granquet@baylibre.com>
    drm/mediatek: dpi: Only enable dpi after the bridge is enabled

Bo-Chen Chen <rex-bc.chen@mediatek.com>
    drm/mediatek: dpi: Remove output format of YUV

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    drm/rockchip: Fix an error handling path rockchip_dp_probe()

Brian Norris <briannorris@chromium.org>
    drm/rockchip: vop: Don't crash for invalid duplicate_state()

Alaa Mohamed <eng.alaamohamedsoliman.am@gmail.com>
    selftests: net: fib_rule_tests: fix support for running individual tests

Vladimir Oltean <vladimir.oltean@nxp.com>
    net: dsa: felix: drop oversized frames with tc-taprio instead of hanging the port

Vladimir Oltean <vladimir.oltean@nxp.com>
    net: dsa: felix: keep reference on entire tc-taprio config

Xiaoliang Yang <xiaoliang.yang_1@nxp.com>
    net: dsa: felix: update base time of time-aware shaper when adjusting PTP time

Maciej Fijalkowski <maciej.fijalkowski@intel.com>
    selftests/xsk: Destroy BPF resources only when ctx refcount drops to 0

Qian Cai <quic_qiancai@quicinc.com>
    crypto: arm64/gcm - Select AEAD for GHASH_ARM64_CE

Matthew Wilcox (Oracle) <willy@infradead.org>
    mm: Account dirty folios properly during splits

Dave Stevenson <dave.stevenson@raspberrypi.com>
    drm/vc4: hdmi: Move pixel doubling from Pixelvalve to HDMI block

Dave Stevenson <dave.stevenson@raspberrypi.com>
    drm/vc4: hdmi: Correct HDMI timing registers for interlaced modes

Dom Cobley <popcornmix@gmail.com>
    drm/vc4: hdmi: Force modeset when bpc or format changes

Mateusz Kwiatkowski <kfyatek+publicgit@gmail.com>
    drm/vc4: hdmi: Fix timings for interlaced modes

Dave Stevenson <dave.stevenson@raspberrypi.com>
    drm/vc4: hdmi: Move HDMI reset to pm_resume

Dave Stevenson <dave.stevenson@raspberrypi.com>
    drm/vc4: hdmi: Switch to pm_runtime_status_suspended

Dave Stevenson <dave.stevenson@raspberrypi.com>
    drm/vc4: hdmi: Reset HDMI MISC_CONTROL register

Dom Cobley <popcornmix@gmail.com>
    drm/vc4: hdmi: Avoid full hdmi audio fifo writes

Dom Cobley <popcornmix@gmail.com>
    drm/vc4: hdmi: Clear unused infoframe packet RAM registers

Dave Stevenson <dave.stevenson@raspberrypi.com>
    drm/vc4: hdmi: Add all the vc5 HDMI registers into the debugfs dumps

Dave Stevenson <dave.stevenson@raspberrypi.com>
    drm/vc4: dsi: Add correct stop condition to vc4_dsi_encoder_disable iteration

Dave Stevenson <dave.stevenson@raspberrypi.com>
    drm/vc4: dsi: Fix dsi0 interrupt support

Dave Stevenson <dave.stevenson@raspberrypi.com>
    drm/vc4: dsi: Register dsi0 as the correct vc4 encoder type

Dave Stevenson <dave.stevenson@raspberrypi.com>
    drm/vc4: dsi: Correct pixel order for DSI0

Dave Stevenson <dave.stevenson@raspberrypi.com>
    drm/vc4: dsi: Correct DSI divider calculations

Dave Stevenson <dave.stevenson@raspberrypi.com>
    drm/vc4: dsi: Release workaround buffer and DMA

Dave Stevenson <dave.stevenson@raspberrypi.com>
    drm/vc4: plane: Fix margin calculations for the right/bottom edges

Dom Cobley <popcornmix@gmail.com>
    drm/vc4: plane: Remove subpixel positioning check

Maxime Ripard <maxime@cerno.tech>
    drm/vc4: kms: Use maximum FIFO load for the HVS clock rate

Yunfei Dong <yunfei.dong@mediatek.com>
    media: mediatek: vcodec: Fix non subdev architecture open power fail

Miaoqian Lin <linmq006@gmail.com>
    media: tw686x: Fix memory leak in tw686x_video_init

Jian Zhang <zhangjian210@huawei.com>
    media: driver/nxp/imx-jpeg: fix a unexpected return value problem

Chen-Yu Tsai <wenst@chromium.org>
    media: mediatek: vcodec: Skip SOURCE_CHANGE & EOS events for stateless

Yunfei Dong <yunfei.dong@mediatek.com>
    media: mediatek: vcodec: Initialize decoder parameters after getting dec_capability

Arnd Bergmann <arnd@arndb.de>
    media: sta2x11: remove VIRT_TO_BUS dependency

Ming Qian <ming.qian@nxp.com>
    media: v4l2-mem2mem: prevent pollerr when last_buffer_dequeued is set

Niels Dossche <dossche.niels@gmail.com>
    media: hdpvr: fix error value returns in hdpvr_read

Miaoqian Lin <linmq006@gmail.com>
    drm/mcde: Fix refcount leak in mcde_dsi_bind

Ming Qian <ming.qian@nxp.com>
    media: amphion: output firmware error message

Ming Qian <ming.qian@nxp.com>
    media: imx-jpeg: Disable slot interrupt when frame done

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    drm: bridge: adv7511: Add check for mipi_dsi_driver_register

Tom Lendacky <thomas.lendacky@amd.com>
    crypto: ccp - During shutdown, check SEV data pointer before using

Jörn-Thorben Hinz <jthinz@mailbox.tu-berlin.de>
    selftests/bpf: Fix rare segfault in sock_fields prog test

YueHaibing <yuehaibing@huawei.com>
    drm/display: Fix build error without CONFIG_OF

Jian Shen <shenjian15@huawei.com>
    test_bpf: fix incorrect netdev features

Frederic Weisbecker <frederic@kernel.org>
    rcutorture: Fix ksoftirqd boosting timing and iteration

Paul E. McKenney <paulmck@kernel.org>
    torture: Adjust to again produce debugging information

Yifan Zhang <yifan1.zhang@amd.com>
    drm/amdkfd: correct sdma queue number of sdma 6.0.1

Mario Limonciello <mario.limonciello@amd.com>
    drm/amd: Don't show warning on reading vbios values for SMU13 3.1

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: fix incorrrect SPDX-License-Identifiers

Ping-Ke Shih <pkshih@realtek.com>
    wifi: rtw89: 8852a: rfk: fix div 0 exception

Alexey Kodanev <aleksei.kodanev@bell-sw.com>
    wifi: iwlegacy: 4965: fix potential off-by-one overflow in il4965_rs_fill_link_cmd()

Johannes Berg <johannes.berg@intel.com>
    wifi: mac80211: set STA deflink addresses

Pavel Skripkin <paskripkin@gmail.com>
    ath9k: fix use-after-free in ath9k_hif_usb_rx_cb

Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
    media: rcar-vin: Fix channel routing for Ebisu

Ming Qian <ming.qian@nxp.com>
    media: imx-jpeg: Implement drain using v4l2-mem2mem helpers

Ming Qian <ming.qian@nxp.com>
    media: imx-jpeg: Align upwards buffer size

Ming Qian <ming.qian@nxp.com>
    media: imx-jpeg: Leave a blank space before the configuration data

Ming Qian <ming.qian@nxp.com>
    media: imx-jpeg: Correct some definition according specification

Benjamin Gaignard <benjamin.gaignard@collabora.com>
    media: Hantro: Correct G2 init qp field

Ming Qian <ming.qian@nxp.com>
    media: amphion: return error if format is unsupported by vpu

Zheyu Ma <zheyuma97@gmail.com>
    media: tw686x: Register the irq at the end of probe

Yang Yingliang <yangyingliang@huawei.com>
    media: camss: csid: fix wrong size passed to devm_kmalloc_array()

Eugen Hristev <eugen.hristev@microchip.com>
    media: atmel: atmel-sama7g5-isc: fix warning in configs without OF

Kuniyuki Iwashima <kuniyu@amazon.com>
    raw: Fix mixed declarations error in raw_icmp_error().

Eric Dumazet <edumazet@google.com>
    raw: convert raw sockets to RCU

Eric Dumazet <edumazet@google.com>
    raw: use more conventional iterators

Eric Dumazet <edumazet@google.com>
    ping: convert to RCU lookups, get rid of rwlock

Oleksij Rempel <linux@rempel-privat.de>
    net: ag71xx: fix discards 'const' qualifier warning

Alexey Khoroshilov <khoroshilov@ispras.ru>
    crypto: sun8i-ss - fix infinite loop in sun8i_ss_setup_ivs()

Eric Dumazet <edumazet@google.com>
    tcp: fix possible freeze in tx path under memory pressure

Andrii Nakryiko <andrii@kernel.org>
    selftests/bpf: Don't force lld on non-x86 architectures

Andrii Nakryiko <andrii@kernel.org>
    libbpf: Fix internal USDT address translation logic for shared libraries

Xu Wang <vulab@iscas.ac.cn>
    i2c: Fix a potential use after free

Zheng Bin <zhengbin13@huawei.com>
    drm/bridge: it6505: Add missing CRYPTO_HASH dependency

Nícolas F. R. A. Prado <nfraprado@collabora.com>
    drm/bridge: anx7625: Zero error variable when panel bridge not present

Marc Kleine-Budde <mkl@pengutronix.de>
    can: netlink: allow configuring of fixed data bit rates without need for do_set_data_bittiming callback

Tales Lelo da Aparecida <tales.aparecida@gmail.com>
    drm/vkms: check plane_composer->map[0] before using it

Marc Kleine-Budde <mkl@pengutronix.de>
    can: netlink: allow configuring of fixed bit rates without need for do_set_bittiming callback

Eric Dumazet <edumazet@google.com>
    net: fix sk_wmem_schedule() and sk_rmem_schedule() errors

Peng Wu <wupeng58@huawei.com>
    crypto: sun8i-ss - fix a NULL vs IS_ERR() check in sun8i_ss_hashkey

Dan Carpenter <dan.carpenter@oracle.com>
    crypto: sun8i-ss - Fix error codes for dma_mapping_error()

Dan Carpenter <dan.carpenter@oracle.com>
    crypto: sun8i-ss - fix error codes in allocate_flows()

Antonio Borneo <antonio.borneo@foss.st.com>
    drm: adv7511: override i2c address of cec before accessing it

Andrii Nakryiko <andrii@kernel.org>
    libbpf: Fix uprobe symbol file offset calculation logic

Miaoqian Lin <linmq006@gmail.com>
    drm/virtio: Fix NULL vs IS_ERR checking in virtio_gpu_object_shmem_init

Xiaomeng Tong <xiam0nd.tong@gmail.com>
    virtio-gpu: fix a missing check to avoid NULL dereference

Fabio Estevam <festevam@gmail.com>
    i2c: mxs: Silence a clang warning

Tali Perry <tali.perry1@gmail.com>
    i2c: npcm: Correct slave role behavior

Tali Perry <tali.perry1@gmail.com>
    i2c: npcm: Remove own slave addresses 2:10

Leung, Martin <Martin.Leung@amd.com>
    drm/amdgpu/display: Prepare for new interfaces

ZhenGuo Yin <zhenguo.yin@amd.com>
    drm/amdgpu: fix scratch register access method in SRIOV

Bjorn Andersson <bjorn.andersson@linaro.org>
    drm/bridge: lt9611uxc: Cancel only driver's work

Miaoqian Lin <linmq006@gmail.com>
    drm/meson: encoder_hdmi: Fix refcount leak in meson_encoder_hdmi_init

Miaoqian Lin <linmq006@gmail.com>
    drm/meson: encoder_cvbs: Fix refcount leak in meson_encoder_cvbs_init

Xinlei Lee <xinlei.lee@mediatek.com>
    drm/mediatek: Add pull-down MIPI operation in mtk_dsi_poweroff function

Jitao Shi <jitao.shi@mediatek.com>
    drm/mediatek: Separate poweron/poweroff from enable/disable and define new funcs

Xinlei Lee <xinlei.lee@mediatek.com>
    drm/mediatek: Modify dsi funcs to atomic operations

Alexey Kodanev <aleksei.kodanev@bell-sw.com>
    drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers()

Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
    ath11k: Avoid REO CMD failed prints during firmware recovery

Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
    ath11k: Fix incorrect debug_mask mappings

Christian Marangi <ansuelsmth@gmail.com>
    ath11k: fix missing skb drop on htc_tx_completion error

Yuze Chi <chiyuze@google.com>
    libbpf: Fix is_pow_of_2

Martin KaFai Lau <kafai@fb.com>
    selftests/bpf: Fix tc_redirect_dtime

Lorenzo Bianconi <lorenzo@kernel.org>
    sample: bpf: xdp_router_ipv4: Allow the kernel to send arp requests

Yuntao Wang <ytcoode@gmail.com>
    selftests/bpf: Fix test_run logic in fexit_stress.c

Javier Martinez Canillas <javierm@redhat.com>
    drm/ssd130x: Only define a SPI device ID table when built as a module

Yunhao Tian <t123yh.xyz@gmail.com>
    drm/mipi-dbi: align max_chunk to 2 in spi_transfer

Johan Hovold <johan+linaro@kernel.org>
    ath11k: fix IRQ affinity warning on shutdown

Johan Hovold <johan+linaro@kernel.org>
    ath11k: fix netdev open race

Ajay Singh <ajay.kathat@microchip.com>
    wifi: wilc1000: use correct sequence of RESET for chip Power-UP/Down

Dan Carpenter <dan.carpenter@oracle.com>
    wifi: rtlwifi: fix error codes in rtl_debugfs_set_write_h2c()

Fabio Estevam <festevam@gmail.com>
    drm: bridge: adv7511: Move CEC definitions to adv7511_cec.c

Gao Chao <gaochao49@huawei.com>
    drm/panel: Fix build error when CONFIG_DRM_PANEL_SAMSUNG_ATNA33XC20=y && CONFIG_DRM_DISPLAY_HELPER=m

Javier Martinez Canillas <javierm@redhat.com>
    drm/st7735r: Fix module autoloading for Okaya RH128128T

John Stultz <jstultz@google.com>
    drm/bridge: lt9611: Use both bits for HDMI sensing

Jani Nikula <jani.nikula@intel.com>
    drm/edid: reset display info in drm_add_edid_modes() for NULL edid

Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
    ath11k: Init hw_params before setting up AHB resources

Baochen Qiang <quic_bqiang@quicinc.com>
    ath11k: Fix warning on variable 'sar' dereference before check

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    ath10k: do not enforce interrupt trigger type

Marek Vasut <marex@denx.de>
    drm/bridge: tc358767: Make sure Refclk clock are enabled

Marek Vasut <marex@denx.de>
    drm/bridge: tc358767: Handle dsi_lanes == 0 as invalid

Douglas Anderson <dianders@chromium.org>
    drm/dp: Export symbol / kerneldoc fixes for DP AUX bus

Miaoqian Lin <linmq006@gmail.com>
    drm/meson: Fix refcount leak in meson_encoder_hdmi_init

Thomas Zimmermann <tzimmermann@suse.de>
    drm/mgag200: Acquire I/O lock while reading EDID

Xin Ji <xji@analogixsemi.com>
    drm/bridge: anx7625: Use DPI bus type

Geert Uytterhoeven <geert+renesas@glider.be>
    drm: bridge: DRM_FSL_LDB should depend on ARCH_MXC

Dan Carpenter <dan.carpenter@oracle.com>
    drm/rockchip: vop2: unlock on error path in vop2_crtc_atomic_enable()

Jani Nikula <jani.nikula@intel.com>
    drm/i915: remove unused GEM_DEBUG_DECL() and GEM_DEBUG_BUG_ON()

Marek Vasut <marex@denx.de>
    dt-bindings: display: bridge: ldb: Fill in reg property

Hongnan Li <hongnan.li@linux.alibaba.com>
    erofs: update ctx->pos for every emitted dirent

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    pwm: lpc18xx: Fix period handling

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    pwm: sifive: Shut down hardware only after pwmchip_remove() completed

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    pwm: sifive: Ensure the clk is enabled exactly once per running PWM

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    pwm: sifive: Simplify offset calculation for PWMCMP registers

Mike Snitzer <snitzer@kernel.org>
    dm: return early from dm_pr_call() if DM device is suspended

Colin Ian King <colin.king@intel.com>
    tools/power turbostat: Fix file pointer leak

Markus Mayer <mmayer@broadcom.com>
    thermal/tools/tmon: Include pthread and time headers in tmon.h

YiFei Zhu <zhuyifei@google.com>
    selftests/seccomp: Fix compile warning when CC=clang

Michal Koutný <mkoutny@suse.com>
    io_uring: Don't require reinitable percpu_ref

Jens Axboe <axboe@kernel.dk>
    io_uring: define a 'prep' and 'issue' handler for each opcode

Jens Axboe <axboe@kernel.dk>
    io_uring: move to separate directory

Peter Zijlstra <peterz@infradead.org>
    x86/extable: Fix ex_handler_msr() print condition

Mel Gorman <mgorman@techsingularity.net>
    sched/numa: Initialise numa_migrate_retry

Christian Göttsche <cgzones@googlemail.com>
    sched: only perform capability check on privileged operation

Nicolas Saenz Julienne <nsaenzju@redhat.com>
    nohz/full, sched/rt: Fix missed tick-reenabling bug in dequeue_task_rt()

Anshuman Khandual <anshuman.khandual@arm.com>
    drivers/perf: arm_spe: Fix consistency of SYS_PMSCR_EL1.CX

Liang He <windhl@126.com>
    perf: RISC-V: Add of_node_put() when breaking out of for_each_of_cpu_node()

Xu Qiang <xuqiang36@huawei.com>
    irqdomain: Report irq number for NOMAP domains

Stephan Gerhold <stephan.gerhold@kernkonzept.com>
    ARM: dts: qcom: msm8974: Disable remoteprocs by default

Sumit Garg <sumit.garg@linaro.org>
    arm64: dts: qcom: qcs404: Fix incorrect USB2 PHYs assignment

Marijn Suijten <marijn.suijten@somainline.org>
    arm64: dts: qcom: msm8998: Make regulator voltages multiple of step-size

Parikshit Pareek <quic_ppareek@quicinc.com>
    soc: qcom: socinfo: Fix the id of SA8540P SoC

Konrad Dybcio <konrad.dybcio@somainline.org>
    soc: qcom: Make QCOM_RPMPD depend on PM

Liang He <windhl@126.com>
    regulator: of: Fix refcount leak bug in of_get_regulation_constraints()

Mikulas Patocka <mpatocka@redhat.com>
    dm writecache: count number of blocks discarded, not number of discard bios

Mikulas Patocka <mpatocka@redhat.com>
    dm writecache: count number of blocks written, not number of write bios

Mikulas Patocka <mpatocka@redhat.com>
    dm writecache: count number of blocks read, not number of read bios

Mikulas Patocka <mpatocka@redhat.com>
    dm writecache: return void from functions

Hsin-Yi Wang <hsinyi@chromium.org>
    PM: domains: Ensure genpd_debugfs_dir exists before remove

Bart Van Assche <bvanassche@acm.org>
    blktrace: Trace remapped requests correctly

Linus Walleij <linus.walleij@linaro.org>
    hwmon: (drivetemp) Add module alias

Armin Wolf <W_Armin@gmx.de>
    hwmon: (sch56xx-common) Add DMI override table

Yang Yingliang <yangyingliang@huawei.com>
    spi: tegra20-slink: fix UAF in tegra_slink_remove()

Yang Yingliang <yangyingliang@huawei.com>
    spi: Fix simplification of devm_spi_register_controller

Nandhini Srikandan <nandhini.srikandan@intel.com>
    spi: dw: Fix IP-core versions macro

Ming Lei <ming.lei@redhat.com>
    blk-mq: don't create hctx debugfs dir until q->debugfs_dir is created

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    spi: Return deferred probe error when controller isn't yet available

Gao Xiang <xiang@kernel.org>
    erofs: avoid consecutive detection for Highmem memory

Yuwen Chen <chenyuwen1@meizu.com>
    erofs: wake up all waiters after z_erofs_lzma_head ready

Johan Hovold <johan+linaro@kernel.org>
    arm64: dts: qcom: sc7280: fix PCIe clock reference

Tamás Szűcs <tszucs@protonmail.ch>
    arm64: tegra: Fix SDMMC1 CD on P2888

Mikko Perttunen <mperttunen@nvidia.com>
    arm64: tegra: Mark BPMP channels as no-memory-wc

Nick Hainke <vincent@systemli.org>
    arm64: dts: mt7622: fix BPI-R64 WPS button

Johan Hovold <johan+linaro@kernel.org>
    arm64: dts: qcom: sm8250: add missing PCIe PHY clock-cells

Johan Hovold <johan+linaro@kernel.org>
    arm64: dts: qcom: sc7280: drop PCIe PHY clock index

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    arm64: dts: qcom: msm8996: correct #clock-cells for QMP PHY nodes

Marijn Suijten <marijn.suijten@somainline.org>
    arm64: dts: qcom: sm6125: Append -state suffix to pinctrl nodes

Marijn Suijten <marijn.suijten@somainline.org>
    arm64: dts: qcom: sm6125: Move sdc2 pinctrl from seine-pdx201 to sm6125

Yang Yingliang <yangyingliang@huawei.com>
    m68k: virt: Fix missing platform_device_unregister() on error in virt_platform_init()

Eric Auger <eric.auger@redhat.com>
    ACPI: VIOT: Fix ACS setup

Chanho Park <chanho61.park@samsung.com>
    arm64: dts: exynosautov9: correct spi11 pin names

Kan Liang <kan.liang@linux.intel.com>
    perf/x86/intel: Fix PEBS data source encoding for ADL

Kan Liang <kan.liang@linux.intel.com>
    perf/x86/intel: Fix PEBS memory access info encoding for ADL

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    arm64: dts: qcom: msm8994: add required ranges to OCMEM

Sireesh Kodali <sireeshkodali1@gmail.com>
    arm64: dts: qcom: msm8916: Fix typo in pronto remoteproc node

GONG, Ruiqi <gongruiqi1@huawei.com>
    stack: Declare {randomize_,}kstack_offset to fix Sparse warnings

Kees Cook <keescook@chromium.org>
    lib: overflow: Do not define 64-bit tests on 32-bit

Jason A. Donenfeld <Jason@zx2c4.com>
    usercopy: use unsigned long instead of uintptr_t

Yang Yingliang <yangyingliang@huawei.com>
    bus: hisi_lpc: fix missing platform_device_put() in hisi_lpc_acpi_probe()

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    ARM: dts: qcom: pm8841: add required thermal-sensor-cells

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    ARM: dts: qcom: msm8974: add required ranges to OCMEM

Miaoqian Lin <linmq006@gmail.com>
    soc: qcom: aoss: Fix refcount leak in qmp_cooling_devices_register

Miaoqian Lin <linmq006@gmail.com>
    soc: qcom: ocmem: Fix refcount leak in of_get_ocmem

Luca Weiss <luca@z3ntu.xyz>
    ARM: dts: qcom-msm8974: fix irq type on blsp2_uart1

Christian Marangi <ansuelsmth@gmail.com>
    ARM: dts: qcom: replace gcc PXO with pxo_board fixed clock

Dan Williams <dan.j.williams@intel.com>
    ACPI: APEI: Fix _EINJ vs EFI_MEMORY_SP

Stephan Gerhold <stephan.gerhold@kernkonzept.com>
    regulator: qcom_smd: Fix pm8916_pldo range

Chris Paterson <chris.paterson2@renesas.com>
    arm64: dts: renesas: r9a07g054l2-smarc: Correct SoC name in comment

Geert Uytterhoeven <geert+renesas@glider.be>
    arm64: dts: renesas: r8a779m8: Drop operating points above 1.5 GHz

Miaoqian Lin <linmq006@gmail.com>
    cpufreq: zynq: Fix refcount leak in zynq_get_revision

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    arm64: dts: qcom: sdm636-sony-xperia-ganges-mermaid: correct sdc2 pinconf

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    arm64: dts: qcom: sdm630: fix gpu's interconnect path

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    arm64: dts: qcom: sdm630: fix the qusb2phy ref clock

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    arm64: dts: qcom: sdm630: disable GPU by default

Miaoqian Lin <linmq006@gmail.com>
    ARM: OMAP2+: Fix refcount leak in omap3xxx_prm_late_init

Miaoqian Lin <linmq006@gmail.com>
    ARM: OMAP2+: Fix refcount leak in omapdss_init_of

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    ARM: dts: qcom: mdm9615: add missing PMIC GPIO reg

Marijn Suijten <marijn.suijten@somainline.org>
    arm64: dts: qcom: sdm845-akatsuki: Round down l22a regulator voltage

Keith Busch <kbusch@kernel.org>
    block: fix infinite loop for invalid zone append

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    spi: s3c64xx: constify fsd_spi_port_config

Michael Walle <michael@walle.cc>
    soc: fsl: guts: machine variable might be unset

Stephen Boyd <swboyd@chromium.org>
    arm64: dts: qcom: sc7180: Remove ipa_fw_mem node on trogdor

Peter Zijlstra <peterz@infradead.org>
    locking/lockdep: Fix lockdep_init_map_*() confusion

Alexandru Elisei <alexandru.elisei@arm.com>
    arm64: cpufeature: Allow different PMU versions in ID_DFR0_EL1

Mark Rutland <mark.rutland@arm.com>
    arm64: select TRACE_IRQFLAGS_NMI_SUPPORT

Nícolas F. R. A. Prado <nfraprado@collabora.com>
    arm64: dts: mt8192: Fix idle-states entry-method

Nícolas F. R. A. Prado <nfraprado@collabora.com>
    arm64: dts: mt8192: Fix idle-states nodes naming scheme

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    ARM: dts: ast2600-evb-a1: fix board compatible

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    ARM: dts: ast2600-evb: fix board compatible

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    ARM: dts: ast2500-evb: fix board compatible

Johan Hovold <johan@kernel.org>
    x86/pmem: Fix platform-device leak in error path

Max Krummenacher <max.krummenacher@toradex.com>
    Revert "ARM: dts: imx6qdl-apalis: Avoid underscore in node name"

Geert Uytterhoeven <geert+renesas@glider.be>
    arm64: dts: renesas: Fix thermal-sensors on single-zone sensors

Liang He <windhl@126.com>
    soc: amlogic: Fix refcount leak in meson-secure-pwrc.c

Geert Uytterhoeven <geert+renesas@glider.be>
    soc: renesas: r8a779a0-sysc: Fix A2DP1 and A2CV[2357] PDR values

Marcel Ziswiler <marcel.ziswiler@toradex.com>
    ARM: dts: imx7-colibri-eval-v3: correct can controller comment

Marcel Ziswiler <marcel.ziswiler@toradex.com>
    ARM: dts: imx7-colibri: move aliases, chosen, extcon and gpio-keys

Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
    ARM: dts: imx7-colibri: improve wake-up with gpio key

Philippe Schenker <philippe.schenker@toradex.com>
    ARM: dts: imx7-colibri: add usb dual-role switching using extcon

Marcel Ziswiler <marcel.ziswiler@toradex.com>
    ARM: dts: imx7-colibri: overhaul display/touch functionality

Marcel Ziswiler <marcel.ziswiler@toradex.com>
    ARM: dts: imx7d-colibri-emmc: add cpu1 supply

Guilherme G. Piccoli <gpiccoli@igalia.com>
    ACPI: processor/idle: Annotate more functions to live in cpuidle section

Miaoqian Lin <linmq006@gmail.com>
    ARM: bcm: Fix refcount leak in bcm_kona_smc_init

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    spi: spi-altera-dfl: Fix an error handling path

Geert Uytterhoeven <geert+renesas@glider.be>
    arm64: dts: renesas: beacon: Fix regulator node names

Miaoqian Lin <linmq006@gmail.com>
    meson-mx-socinfo: Fix refcount leak in meson_mx_socinfo_init

Juri Lelli <juri.lelli@redhat.com>
    wait: Fix __wait_event_hrtimeout for RT/DL tasks

Kees Cook <keescook@chromium.org>
    kasan: test: Silence GCC 12 warnings

Dylan Yudaken <dylany@fb.com>
    io_uring: fix io_uring_cqe_overflow trace format

Xiu Jianfeng <xiujianfeng@huawei.com>
    selinux: Add boundary check in put_entry()

Xiu Jianfeng <xiujianfeng@huawei.com>
    selinux: fix memleak in security_read_state_kernel()

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    PM: hibernate: defer device probing when resuming from hibernation

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    hwmon: (sht15) Fix wrong assumptions in device remove callback

Hans de Goede <hdegoede@redhat.com>
    ACPI: video: Use native backlight on Dell Inspiron N4010

Lukasz Luba <lukasz.luba@arm.com>
    PM: EM: convert power field to micro-Watts precision and align drivers

Armin Wolf <W_Armin@gmx.de>
    hwmon: (dell-smm) Add Dell XPS 13 7390 to fan control whitelist

Lv Ruyi <lv.ruyi@zte.com.cn>
    firmware: tegra: Fix error check return value of debugfs_create_file()

Liang He <windhl@126.com>
    ARM: shmobile: rcar-gen2: Increase refcount for new reference

Samuel Holland <samuel@sholland.org>
    arm64: dts: allwinner: a64: orangepi-win: Fix LED node name

Robert Marko <robimarko@gmail.com>
    arm64: dts: qcom: ipq8074: fix NAND node name

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    arm64: dts: qcom: add missing AOSS QMP compatible fallback

Gwendal Grignou <gwendal@chromium.org>
    arm64: dts: qcom: sc7280: Rename sar sensor labels

Manivannan Sadhasivam <mani@kernel.org>
    ARM: dts: qcom: sdx55: Fix the IRQ trigger type for UART

huhai <huhai@kylinos.cn>
    ACPI: LPSS: Fix missing check in register_device_clock()

Manyi Li <limanyi@uniontech.com>
    ACPI: PM: save NVS memory for Lenovo G40-45

Hans de Goede <hdegoede@redhat.com>
    ACPI: EC: Drop the EC_FLAGS_IGNORE_DSDT_GPE quirk

Hans de Goede <hdegoede@redhat.com>
    ACPI: EC: Remove duplicate ThinkPad X1 Carbon 6th entry from DMI quirks

Liang He <windhl@126.com>
    ARM: OMAP2+: pdata-quirks: Fix refcount leak bug

Liang He <windhl@126.com>
    ARM: OMAP2+: display: Fix refcount leak bug

Guo Mengqi <guomengqi3@huawei.com>
    spi: synquacer: Add missing clk_disable_unprepare()

David Heidelberg <david@ixit.cz>
    arm64: dts: qcom: timer should use only 32-bit size

Linus Walleij <linus.walleij@linaro.org>
    ARM: dts: ux500: Fix Gavini accelerometer mounting matrix

Linus Walleij <linus.walleij@linaro.org>
    ARM: dts: ux500: Fix Codina accelerometer mounting matrix

Linus Walleij <linus.walleij@linaro.org>
    ARM: dts: ux500: Fix Janice accelerometer mounting matrix

Christian Lamparter <chunkeey@gmail.com>
    ARM: dts: BCM5301X: Add DT for Meraki MR26

Alexander Stein <alexander.stein@ew.tq-group.com>
    ARM: dts: imx6ul: fix qspi node compatible

Alexander Stein <alexander.stein@ew.tq-group.com>
    ARM: dts: imx6ul: fix lcdif node compatible

Alexander Stein <alexander.stein@ew.tq-group.com>
    ARM: dts: imx6ul: fix csi node compatible

Alexander Stein <alexander.stein@ew.tq-group.com>
    ARM: dts: imx6ul: fix keypad compatible

Alexander Stein <alexander.stein@ew.tq-group.com>
    ARM: dts: imx6ul: change operating-points to uint32-matrix

Alexander Stein <alexander.stein@ew.tq-group.com>
    ARM: dts: imx6ul: add missing properties for sram

William Dean <williamsukatube@163.com>
    irqchip/mips-gic: Check the return value of ioremap() in gic_of_init()

John Keeping <john@metanate.com>
    sched/core: Always flush pending blk_plug

Vincent Guittot <vincent.guittot@linaro.org>
    sched/fair: fix case with reduced capacity CPU

Samuel Holland <samuel@sholland.org>
    genirq: GENERIC_IRQ_IPI depends on SMP

Samuel Holland <samuel@sholland.org>
    irqchip/mips-gic: Only register IPI domain when SMP is enabled

Antonio Borneo <antonio.borneo@foss.st.com>
    genirq: Don't return error on missing optional irq_request_resources()

Chen Yu <yu.c.chen@intel.com>
    sched/fair: Introduce SIS_UTIL to search idle CPU based on sum of util_avg

Jan Kara <jack@suse.cz>
    ext2: Add more validity checks for inode counts

James Morse <james.morse@arm.com>
    arm64: errata: Remove AES hwcap for COMPAT tasks

Catalin Marinas <catalin.marinas@arm.com>
    arm64: kasan: Revert "arm64: mte: reset the page tag in page->flags"

haibinzhang (张海斌) <haibinzhang@tencent.com>
    arm64: fix oops in concurrently setting insn_emulation sysctls

Francis Laniel <flaniel@linux.microsoft.com>
    arm64: Do not forget syscall when starting a new thread.

Andrey Konovalov <andreyknvl@gmail.com>
    arm64: stacktrace: use non-atomic __set_bit

Andrey Konovalov <andreyknvl@gmail.com>
    arm64: kasan: do not instrument stacktrace.c

Mark Rutland <mark.rutland@arm.com>
    arch: make TRACE_IRQFLAGS_NMI_SUPPORT generic

Wyes Karny <wyes.karny@amd.com>
    x86: Handle idle=nomwait cmdline properly for x86_idle

Benjamin Segall <bsegall@google.com>
    epoll: autoremove wakers even more aggressively

Florian Westphal <fw@strlen.de>
    netfilter: nf_tables: fix null deref due to zeroed list head

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nf_tables: disallow jump to implicit chain from set element

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nf_tables: upfront validation of data via nft_data_init()

Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
    netfilter: nf_tables: do not allow RULE_ID to refer to another chain

Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
    netfilter: nf_tables: do not allow CHAIN_ID to refer to another table

Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
    netfilter: nf_tables: do not allow SET_ID to refer to another table

Michael Grzeschik <m.grzeschik@pengutronix.de>
    usb: dwc3: gadget: fix high speed multiplier setting

Michael Grzeschik <m.grzeschik@pengutronix.de>
    usb: dwc3: gadget: refactor dwc3_repare_one_trb

Alan Stern <stern@rowland.harvard.edu>
    USB: gadget: Fix use-after-free Read in usb_udc_uevent()

Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
    arm64: dts: uniphier: Fix USB interrupts for PXs3 SoC

Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
    ARM: dts: uniphier: Fix USB interrupts for PXs2 SoC

Jose Alonso <joalonsof@gmail.com>
    Revert "net: usb: ax88179_178a needs FLAG_SEND_ZLP"

Weitao Wang <WeitaoWang-oc@zhaoxin.com>
    USB: HCD: Fix URB giveback issue in tasklet function

Linyu Yuan <quic_linyyuan@quicinc.com>
    usb: typec: ucsi: Acknowledge the GET_ERROR_STATUS command completion

Suzuki K Poulose <suzuki.poulose@arm.com>
    coresight: Clear the connection field properly

Huacai Chen <chenhuacai@kernel.org>
    MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/powernv: Avoid crashing if rng is NULL

Christophe Leroy <christophe.leroy@csgroup.eu>
    powerpc/ptdump: Fix display of RW pages on FSL_BOOK3E

Pali Rohár <pali@kernel.org>
    powerpc/fsl-pci: Fix Class Code of PCIe Root Port

Christophe Leroy <christophe.leroy@csgroup.eu>
    powerpc/64e: Fix early TLB miss with KUAP

Christophe Leroy <christophe.leroy@csgroup.eu>
    powerpc: Restore CONFIG_DEBUG_INFO in defconfigs

Alexander Lobakin <alexandr.lobakin@intel.com>
    ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr()

Xiaomeng Tong <xiam0nd.tong@gmail.com>
    media: [PATCH] pci: atomisp_cmd: fix three missing checks on list iterator

Randy Dunlap <rdunlap@infradead.org>
    media: isl7998x: select V4L2_FWNODE to fix build error

Jan Kara <jack@suse.cz>
    mbcache: add functions to delete entry if unused

Jan Kara <jack@suse.cz>
    mbcache: don't reclaim used entries

Mikulas Patocka <mpatocka@redhat.com>
    md-raid10: fix KASAN warning

Mikulas Patocka <mpatocka@redhat.com>
    md-raid: destroy the bitmap after destroying the thread

Narendra Hadke <nhadke@marvell.com>
    serial: mvebu-uart: uart2 error bits clearing

Miklos Szeredi <mszeredi@redhat.com>
    fuse: fix deadlock between atomic O_TRUNC and page invalidation

Miklos Szeredi <mszeredi@redhat.com>
    fuse: write inode in fuse_release()

Miklos Szeredi <mszeredi@redhat.com>
    fuse: ioctl: translate ENOSYS

Miklos Szeredi <mszeredi@redhat.com>
    fuse: limit nsec

Namjae Jeon <linkinjeon@kernel.org>
    ksmbd: fix heap-based overflow in set_ntacl_dacl()

Namjae Jeon <linkinjeon@kernel.org>
    ksmbd: fix use-after-free bug in smb2_tree_disconect

Hyunchul Lee <hyc.lee@gmail.com>
    ksmbd: prevent out of bound read for SMB2_WRITE

Hyunchul Lee <hyc.lee@gmail.com>
    ksmbd: prevent out of bound read for SMB2_TREE_CONNNECT

Namjae Jeon <linkinjeon@kernel.org>
    ksmbd: fix memory leak in smb2_handle_negotiate

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    soundwire: qcom: Check device status before reading devid

Bikash Hazarika <bhazarika@marvell.com>
    scsi: qla2xxx: Zero undefined mailbox IN registers

Bikash Hazarika <bhazarika@marvell.com>
    scsi: qla2xxx: Fix incorrect display of max frame size

Tony Battersby <tonyb@cybernetics.com>
    scsi: sg: Allow waiting for commands to complete on removed device

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: Remove extra atomic_inc on cmd_pending in queuecommand after VMID

Zheyu Ma <zheyuma97@gmail.com>
    iio: light: isl29028: Fix the warning in isl29028_remove()

Fawzi Khaber <fawzi.khaber@tdk.com>
    iio: fix iio_format_avail_range() printing for none IIO_VAL_INT

Jason A. Donenfeld <Jason@zx2c4.com>
    um: seed rng using host OS rng

Benjamin Beichler <benjamin.beichler@uni-rostock.de>
    um: Remove straying parenthesis

Amit Kumar Mahapatra <amit.kumar-mahapatra@xilinx.com>
    mtd: rawnand: arasan: Update NAND bus clock instead of system clock

Olga Kitaina <okitain@gmail.com>
    mtd: rawnand: arasan: Fix clock rate in NV-DDR

Qu Wenruo <wqu@suse.com>
    btrfs: reject log replay if there is unsupported RO compat flag

Tadeusz Struk <tadeusz.struk@linaro.org>
    bpf: Fix KASAN use-after-free Read in compute_effective_progs

Leo Li <sunpeng.li@amd.com>
    drm/amdgpu: Check BO's requested pinning domains against its preferred_domains

Dmitry Osipenko <dmitry.osipenko@collabora.com>
    drm/tegra: Fix vmapping of prime buffers

Lyude Paul <lyude@redhat.com>
    drm/nouveau/kms: Fix failure path for creating DP connectors

Lyude Paul <lyude@redhat.com>
    drm/nouveau/acpi: Don't print error when we get -EINPROGRESS from pm_runtime

Lyude Paul <lyude@redhat.com>
    drm/nouveau: Don't pm_runtime_put_sync(), only pm_runtime_put_autosuspend()

Timur Tabi <ttabi@nvidia.com>
    drm/nouveau: fix another off-by-one in nvbios_addr

Imre Deak <imre.deak@intel.com>
    drm/dp/mst: Read the extended DPCD capabilities during system resume

Thomas Zimmermann <tzimmermann@suse.de>
    drm/hyperv-drm: Include framebuffer and EDID headers

Thomas Zimmermann <tzimmermann@suse.de>
    drm/fb-helper: Fix out-of-bounds access

Paul Cercueil <paul@crapouillou.net>
    drm/ingenic: Use the highest possible DMA burst size

Phil Elwell <phil@raspberrypi.org>
    drm/vc4: hdmi: Disable audio if dmas property is present but empty

Dmitry Osipenko <dmitry.osipenko@collabora.com>
    drm/shmem-helper: Add missing vunmap on error

Dmitry Osipenko <dmitry.osipenko@collabora.com>
    drm/gem: Properly annotate WW context on drm_gem_lock_reservations() error

Mathew McBride <matt@traverse.com.au>
    rtc: rx8025: fix 12/24 hour mode detection on RX-8035

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: selftests: set CONFIG_NONPORTABLE on riscv32

Atish Patra <atishp@rivosinc.com>
    RISC-V: Update user page mapping only once during start

Atish Patra <atishp@rivosinc.com>
    RISC-V: Fix SBI PMU calls for RV32

Atish Patra <atishp@rivosinc.com>
    RISC-V: Fix counter restart during overflow for RV32

Xianting Tian <xianting.tian@linux.alibaba.com>
    RISC-V: Add modules to virtual kernel memory layout dump

Xianting Tian <xianting.tian@linux.alibaba.com>
    RISC-V: Fixup schedule out issue in machine_crash_shutdown()

Xianting Tian <xianting.tian@linux.alibaba.com>
    RISC-V: Fixup get incorrect user mode PC for kernel mode regs

Xianting Tian <xianting.tian@linux.alibaba.com>
    RISC-V: kexec: Fixup use of smp_processor_id() in preemptible context

Ben Dooks <ben.dooks@sifive.com>
    RISC-V: Declare cpu_ops_spinwait in <asm/cpu_ops.h>

Ben Dooks <ben.dooks@sifive.com>
    RISC-V: cpu_ops_spinwait.c should include head.h

Mark Kettenis <kettenis@openbsd.org>
    riscv: dts: starfive: correct number of external interrupts

Conor Dooley <conor.dooley@microchip.com>
    dt-bindings: riscv: fix SiFive l2-cache's cache-sets

Chen Lifu <chenlifu@huawei.com>
    riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit

Yipeng Zou <zouyipeng@huawei.com>
    riscv:uprobe fix SR_SPIE set/clear handling

Helge Deller <deller@gmx.de>
    parisc: io_pgetevents_time64() needs compat syscall in 32-bit compat mode

William Dean <williamsukatube@gmail.com>
    parisc: Check the return value of ioremap() in lba_driver_probe()

Helge Deller <deller@gmx.de>
    parisc: Drop pa_swapper_pg_lock spinlock

Helge Deller <deller@gmx.de>
    parisc: Fix device names in /proc/iomem

Jiachen Zhang <zhangjiachen.jaycee@bytedance.com>
    ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh()

John Allen <john.allen@amd.com>
    crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak

Al Viro <viro@zeniv.linux.org.uk>
    fix short copy handling in copy_mc_pipe_to_iter()

Lukas Wunner <lukas@wunner.de>
    usbnet: smsc95xx: Fix deadlock on runtime resume

Lukas Wunner <lukas@wunner.de>
    usbnet: Fix linkwatch use-after-free on disconnect

Helge Deller <deller@gmx.de>
    fbcon: Fix accelerated fbdev scrolling while logo is still shown

Helge Deller <deller@gmx.de>
    fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    thermal: sysfs: Fix cooling_device_stats_setup() error code path

Yang Xu <xuyang2018.jy@fujitsu.com>
    fs: Add missing umask strip in vfs_tmpfile

David Howells <dhowells@redhat.com>
    vfs: Check the truncate maximum size in inode_newsize_ok()

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    tty: vt: initialize unicode screen buffer

Cameron Williams <cang1@live.co.uk>
    tty: 8250: Add support for Brainboxes PX cards.

Huacai Chen <chenhuacai@kernel.org>
    LoongArch: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK

Bedant Patnaik <bedant.patnaik@gmail.com>
    ALSA: hda/realtek: Add a quirk for HP OMEN 15 (8786) mute LED

Meng Tang <tangmeng@uniontech.com>
    ALSA: hda/realtek: Add quirk for another Asus K42JZ model

Allen Ballway <ballway@chromium.org>
    ALSA: hda/cirrus - support for iMac 12,1 model

Meng Tang <tangmeng@uniontech.com>
    ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model

Coleman Dietsch <dietschc@csp.edu>
    KVM: x86/xen: Stop Xen timer before changing IRQ

Coleman Dietsch <dietschc@csp.edu>
    KVM: x86/xen: Initialize Xen timer only once

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: revalidate steal time cache if MSR value changes

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: do not report preemption if the steal time cache is stale

Sean Christopherson <seanjc@google.com>
    KVM: x86/mmu: Fully re-evaluate MMIO caching when SPTE masks change

Sean Christopherson <seanjc@google.com>
    KVM: x86: Tag kvm_mmu_x86_module_init() with __init

Sean Christopherson <seanjc@google.com>
    KVM: SVM: Disable SEV-ES support if MMIO caching is disable

Sean Christopherson <seanjc@google.com>
    KVM: x86/mmu: Treat NX as a valid SPTE bit for NPT

Sean Christopherson <seanjc@google.com>
    KVM: x86: Set error code to segment selector on LLDT/LTR non-canonical #GP

Sean Christopherson <seanjc@google.com>
    KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Inject #UD if VMXON is attempted with incompatible CR0/CR4

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Account for KVM reserved CR4 bits in consistency checks

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Let userspace set nVMX MSR to any _host_ supported value

Sean Christopherson <seanjc@google.com>
    KVM: x86: Split kvm_is_valid_cr4() and export only the non-vendor bits

Sean Christopherson <seanjc@google.com>
    KVM: Do not incorporate page offset into gfn=>pfn cache user address

Sean Christopherson <seanjc@google.com>
    KVM: Fix multiple races in gfn=>pfn cache refresh

Sean Christopherson <seanjc@google.com>
    KVM: Fully serialize gfn=>pfn cache refresh via mutex

Sean Christopherson <seanjc@google.com>
    KVM: Put the extra pfn reference when reusing a pfn in the gpc cache

Sean Christopherson <seanjc@google.com>
    KVM: Drop unused @gpa param from gfn=>pfn cache's __release_gpc() helper

Nico Boehr <nrb@linux.ibm.com>
    KVM: s390: pv: don't present the ecall interrupt twice

Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
    KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL for !nested_run_pending case

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case

Ping Cheng <pinglinux@gmail.com>
    HID: wacom: Don't register pad_input for touch switch

Ping Cheng <pinglinux@gmail.com>
    HID: wacom: Only report rotation for art pen

Guenter Roeck <linux@roeck-us.net>
    HID: nintendo: Add missing array termination

Maximilian Luz <luzmaximilian@gmail.com>
    HID: hid-input: add Surface Go battery quirk

Jeff Layton <jlayton@kernel.org>
    lockd: detect and reject lock arguments that overflow

Mikulas Patocka <mpatocka@redhat.com>
    add barriers to buffer_uptodate and set_buffer_uptodate

Johannes Berg <johannes.berg@intel.com>
    wifi: mac80211_hwsim: use 32-bit skb cookie

Johannes Berg <johannes.berg@intel.com>
    wifi: mac80211_hwsim: add back erroneously removed cast

Jeongik Cha <jeongik@google.com>
    wifi: mac80211_hwsim: fix race condition in pending packet

Zev Weiss <zev@bewilderbeest.net>
    hwmon: (nct6775) Fix platform driver suspend regression

syed sabakareem <Syed.SabaKareem@amd.com>
    ASoC: amd: yc: Update DMI table entries

Philipp Jungkamp <p.jungkamp@gmx.net>
    ALSA: hda/realtek: Add quirk for Lenovo Yoga9 14IAP7

Ivan Hasenkampf <ivan.hasenkampf@gmail.com>
    ALSA: hda/realtek: Add quirk for HP Spectre x360 15-eb0xxx

Tim Crawford <tcrawford@system76.com>
    ALSA: hda/realtek: Add quirk for Clevo NV45PZ

Zheyu Ma <zheyuma97@gmail.com>
    ALSA: bcd2000: Fix a UAF bug on the error path of probing

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Add quirk for Behringer UMC202HD

Jeff Layton <jlayton@kernel.org>
    nfsd: eliminate the NFSD_FILE_BREAK_* flags

Trond Myklebust <trond.myklebust@hammerspace.com>
    pNFS/flexfiles: Report RDMA connection errors to the server

Nilesh Javali <njavali@marvell.com>
    scsi: Revert "scsi: qla2xxx: Fix disk failure to rediscover"

Trond Myklebust <trond.myklebust@hammerspace.com>
    Revert "pNFS: nfs3_set_ds_client should set NFS_CS_NOPING"

Nick Desaulniers <ndesaulniers@google.com>
    x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments

Nick Desaulniers <ndesaulniers@google.com>
    Makefile: link with -z noexecstack --no-warn-rwx-segments


-------------

Diffstat:

 Documentation/ABI/testing/sysfs-driver-xen-blkback |   2 +-
 .../ABI/testing/sysfs-driver-xen-blkfront          |   2 +-
 .../admin-guide/device-mapper/writecache.rst       |  16 +-
 Documentation/admin-guide/kernel-parameters.txt    |  29 +-
 Documentation/admin-guide/pm/cpuidle.rst           |  15 +-
 Documentation/arm64/silicon-errata.rst             |   4 +
 .../bindings/display/bridge/fsl,ldb.yaml           |  16 +-
 .../devicetree/bindings/mmc/sdhci-msm.yaml         |  52 +-
 .../devicetree/bindings/riscv/sifive-l2-cache.yaml |   6 +-
 Documentation/filesystems/ext4/blockmap.rst        |   2 +-
 .../userspace-api/media/v4l/ext-ctrls-codec.rst    |   2 +-
 MAINTAINERS                                        |   7 +-
 Makefile                                           |  10 +-
 arch/Kconfig                                       |   3 +
 arch/arm/boot/dts/Makefile                         |   1 +
 arch/arm/boot/dts/aspeed-ast2500-evb.dts           |   2 +-
 arch/arm/boot/dts/aspeed-ast2600-evb-a1.dts        |   1 +
 arch/arm/boot/dts/aspeed-ast2600-evb.dts           |   2 +-
 arch/arm/boot/dts/bcm53015-meraki-mr26.dts         | 166 ++++
 arch/arm/boot/dts/imx6qdl-apalis.dtsi              |   4 +-
 arch/arm/boot/dts/imx6ul.dtsi                      |  33 +-
 arch/arm/boot/dts/imx7-colibri-aster.dtsi          |  71 --
 arch/arm/boot/dts/imx7-colibri-eval-v3.dtsi        |  91 +--
 arch/arm/boot/dts/imx7-colibri.dtsi                | 130 +++-
 arch/arm/boot/dts/imx7d-colibri-aster.dts          |  20 +
 arch/arm/boot/dts/imx7d-colibri-emmc.dtsi          |   4 +
 arch/arm/boot/dts/imx7d-colibri-eval-v3.dts        |  32 +
 arch/arm/boot/dts/imx7s-colibri-aster.dts          |  20 +
 arch/arm/boot/dts/imx7s-colibri-eval-v3.dts        |  32 +
 arch/arm/boot/dts/qcom-ipq8064.dtsi                |   2 +-
 arch/arm/boot/dts/qcom-mdm9615.dtsi                |   1 +
 arch/arm/boot/dts/qcom-msm8974.dtsi                |   7 +-
 .../arm/boot/dts/qcom-msm8974pro-fairphone-fp2.dts |   2 +
 arch/arm/boot/dts/qcom-msm8974pro-samsung-klte.dts |   2 +
 arch/arm/boot/dts/qcom-pm8841.dtsi                 |   1 +
 arch/arm/boot/dts/qcom-sdx55.dtsi                  |   2 +-
 arch/arm/boot/dts/ste-ux500-samsung-codina.dts     |   4 +-
 arch/arm/boot/dts/ste-ux500-samsung-gavini.dts     |   4 +-
 arch/arm/boot/dts/ste-ux500-samsung-janice.dts     |   4 +-
 arch/arm/boot/dts/uniphier-pxs2.dtsi               |   8 +-
 arch/arm/crypto/Kconfig                            |   2 +-
 arch/arm/crypto/Makefile                           |   4 +-
 arch/arm/crypto/blake2s-shash.c                    |  75 --
 arch/arm/mach-bcm/bcm_kona_smc.c                   |   1 +
 arch/arm/mach-dove/Kconfig                         |   1 +
 arch/arm/mach-dove/pcie.c                          |  11 +-
 arch/arm/mach-mv78xx0/pcie.c                       |  11 +-
 arch/arm/mach-omap2/display.c                      |   3 +
 arch/arm/mach-omap2/pdata-quirks.c                 |   2 +
 arch/arm/mach-omap2/prm3xxx.c                      |   1 +
 arch/arm/mach-orion5x/Kconfig                      |   1 +
 arch/arm/mach-orion5x/pci.c                        |  12 +-
 arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c |   5 +-
 arch/arm/mach-zynq/common.c                        |   1 +
 arch/arm/xen/enlighten.c                           |   4 +-
 arch/arm64/Kconfig                                 |  17 +
 .../boot/dts/allwinner/sun50i-a64-orangepi-win.dts |   2 +-
 .../boot/dts/exynos/exynosautov9-pinctrl.dtsi      |   6 +-
 .../boot/dts/mediatek/mt7622-bananapi-bpi-r64.dts  |   2 +-
 arch/arm64/boot/dts/mediatek/mt8192.dtsi           |  26 +-
 arch/arm64/boot/dts/nvidia/tegra186.dtsi           |   1 +
 arch/arm64/boot/dts/nvidia/tegra194-p2888.dtsi     |   2 +-
 arch/arm64/boot/dts/nvidia/tegra194.dtsi           |   1 +
 arch/arm64/boot/dts/nvidia/tegra234.dtsi           |   1 +
 arch/arm64/boot/dts/qcom/ipq6018.dtsi              |  22 +-
 arch/arm64/boot/dts/qcom/ipq8074.dtsi              |   2 +-
 arch/arm64/boot/dts/qcom/msm8916.dtsi              |   4 +-
 arch/arm64/boot/dts/qcom/msm8994.dtsi              |   1 +
 arch/arm64/boot/dts/qcom/msm8996.dtsi              |   6 +-
 .../qcom/msm8998-sony-xperia-yoshino-poplar.dts    |  10 +-
 arch/arm64/boot/dts/qcom/qcs404.dtsi               |   4 +-
 arch/arm64/boot/dts/qcom/sc7180-trogdor.dtsi       |   1 +
 arch/arm64/boot/dts/qcom/sc7180.dtsi               |  24 +-
 arch/arm64/boot/dts/qcom/sc7280-herobrine.dtsi     |   4 +-
 arch/arm64/boot/dts/qcom/sc7280.dtsi               |  30 +-
 arch/arm64/boot/dts/qcom/sdm630.dtsi               |   7 +-
 .../dts/qcom/sdm636-sony-xperia-ganges-mermaid.dts |   2 +-
 .../dts/qcom/sdm845-sony-xperia-tama-akatsuki.dts  |   5 +-
 arch/arm64/boot/dts/qcom/sdm845.dtsi               |  22 +-
 .../dts/qcom/sm6125-sony-xperia-seine-pdx201.dts   |  36 +-
 arch/arm64/boot/dts/qcom/sm6125.dtsi               |  30 +-
 arch/arm64/boot/dts/qcom/sm6350.dtsi               |  22 +-
 arch/arm64/boot/dts/qcom/sm8150.dtsi               |  24 +-
 arch/arm64/boot/dts/qcom/sm8250.dtsi               |  30 +-
 arch/arm64/boot/dts/qcom/sm8350.dtsi               |  24 +-
 arch/arm64/boot/dts/qcom/sm8450.dtsi               |  22 +-
 .../boot/dts/renesas/beacon-renesom-baseboard.dtsi |   6 +-
 arch/arm64/boot/dts/renesas/r8a774c0.dtsi          |   2 +-
 arch/arm64/boot/dts/renesas/r8a77990.dtsi          |   2 +-
 arch/arm64/boot/dts/renesas/r8a779m8.dtsi          |   5 +
 arch/arm64/boot/dts/renesas/r9a07g054l2-smarc.dts  |   2 +-
 arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi   |   8 +-
 arch/arm64/crypto/Kconfig                          |   1 +
 arch/arm64/include/asm/kexec.h                     |   4 +-
 arch/arm64/include/asm/processor.h                 |   3 +-
 arch/arm64/kernel/Makefile                         |   5 +
 arch/arm64/kernel/armv8_deprecated.c               |   9 +-
 arch/arm64/kernel/cpu_errata.c                     |  16 +
 arch/arm64/kernel/cpufeature.c                     |  16 +-
 arch/arm64/kernel/hibernate.c                      |   5 -
 arch/arm64/kernel/mte.c                            |   9 -
 arch/arm64/kernel/stacktrace.c                     |   6 +-
 arch/arm64/kvm/handle_exit.c                       |   4 +-
 arch/arm64/kvm/hyp/nvhe/switch.c                   |   2 +-
 arch/arm64/kvm/hyp/vhe/switch.c                    |   2 +-
 arch/arm64/mm/copypage.c                           |   9 -
 arch/arm64/mm/mteswap.c                            |   9 -
 arch/arm64/tools/cpucaps                           |   1 +
 arch/csky/abiv1/inc/abi/string.h                   |   6 +
 arch/ia64/include/asm/processor.h                  |   2 +-
 arch/loongarch/kernel/proc.c                       |   2 +-
 arch/m68k/virt/platform.c                          |  58 +-
 arch/mips/kernel/proc.c                            |   2 +-
 arch/mips/kernel/vdso.c                            |   2 +-
 arch/mips/loongson64/numa.c                        |   1 -
 arch/mips/mm/physaddr.c                            |  14 +-
 arch/parisc/kernel/cache.c                         |   3 -
 arch/parisc/kernel/drivers.c                       |   9 +-
 arch/parisc/kernel/syscalls/syscall.tbl            |   2 +-
 arch/powerpc/configs/44x/akebono_defconfig         |   2 +-
 arch/powerpc/configs/44x/currituck_defconfig       |   2 +-
 arch/powerpc/configs/44x/fsp2_defconfig            |   2 +-
 arch/powerpc/configs/44x/iss476-smp_defconfig      |   2 +-
 arch/powerpc/configs/44x/warp_defconfig            |   2 +-
 arch/powerpc/configs/52xx/lite5200b_defconfig      |   2 +-
 arch/powerpc/configs/52xx/motionpro_defconfig      |   2 +-
 arch/powerpc/configs/52xx/tqm5200_defconfig        |   2 +-
 arch/powerpc/configs/adder875_defconfig            |   2 +-
 arch/powerpc/configs/ep8248e_defconfig             |   2 +-
 arch/powerpc/configs/ep88xc_defconfig              |   2 +-
 arch/powerpc/configs/fsl-emb-nonhw.config          |   2 +-
 arch/powerpc/configs/mgcoge_defconfig              |   2 +-
 arch/powerpc/configs/mpc5200_defconfig             |   2 +-
 arch/powerpc/configs/mpc8272_ads_defconfig         |   2 +-
 arch/powerpc/configs/mpc885_ads_defconfig          |   2 +-
 arch/powerpc/configs/ppc6xx_defconfig              |   2 +-
 arch/powerpc/configs/pq2fads_defconfig             |   2 +-
 arch/powerpc/configs/ps3_defconfig                 |   2 +-
 arch/powerpc/configs/tqm8xx_defconfig              |   2 +-
 arch/powerpc/include/asm/archrandom.h              |   5 -
 arch/powerpc/include/asm/kexec.h                   |   9 +
 arch/powerpc/include/asm/simple_spinlock.h         |  15 +-
 arch/powerpc/kernel/iommu.c                        |   5 +
 arch/powerpc/kernel/pci-common.c                   |  29 +-
 arch/powerpc/kernel/trace/ftrace.c                 |   8 +-
 arch/powerpc/kexec/file_load_64.c                  |  55 ++
 arch/powerpc/kvm/book3s_hv_builtin.c               |   7 +-
 arch/powerpc/kvm/book3s_xics.h                     |   1 +
 arch/powerpc/mm/kasan/init_32.c                    |   2 +-
 arch/powerpc/mm/nohash/8xx.c                       |   4 +-
 arch/powerpc/mm/nohash/tlb_low_64e.S               |  17 +-
 arch/powerpc/mm/pgtable_32.c                       |   6 +-
 arch/powerpc/mm/ptdump/shared.c                    |   6 +-
 arch/powerpc/perf/core-book3s.c                    |  35 +-
 arch/powerpc/platforms/Kconfig.cputype             |   4 +-
 arch/powerpc/platforms/cell/axon_msi.c             |   1 +
 arch/powerpc/platforms/cell/spufs/inode.c          |   1 +
 arch/powerpc/platforms/powernv/rng.c               |  34 +-
 arch/powerpc/platforms/pseries/iommu.c             |  89 ++-
 arch/powerpc/sysdev/fsl_pci.c                      |   8 +
 arch/powerpc/sysdev/fsl_pci.h                      |   1 +
 arch/powerpc/sysdev/xive/spapr.c                   |   1 +
 arch/riscv/boot/dts/starfive/jh7100.dtsi           |   2 +-
 arch/riscv/include/asm/cpu_ops.h                   |   1 +
 arch/riscv/kernel/cpu_ops.c                        |   4 +-
 arch/riscv/kernel/cpu_ops_spinwait.c               |   6 +-
 arch/riscv/kernel/crash_save_regs.S                |   2 +-
 arch/riscv/kernel/machine_kexec.c                  |  28 +-
 arch/riscv/kernel/probes/uprobes.c                 |   6 -
 arch/riscv/lib/uaccess.S                           |   4 +-
 arch/riscv/mm/init.c                               |   4 +
 arch/s390/include/asm/gmap.h                       |   2 +
 arch/s390/include/asm/kexec.h                      |   3 +
 arch/s390/include/asm/unwind.h                     |   2 +-
 arch/s390/kernel/crash_dump.c                      |   2 +-
 arch/s390/kernel/machine_kexec_file.c              |  18 +-
 arch/s390/kvm/intercept.c                          |  15 +
 arch/s390/kvm/pv.c                                 |   9 +-
 arch/s390/kvm/sigp.c                               |   4 +-
 arch/s390/mm/gmap.c                                |  86 +++
 arch/s390/mm/init.c                                |   4 +-
 arch/um/drivers/random.c                           |   2 +-
 arch/um/include/asm/archrandom.h                   |  30 +
 arch/um/include/asm/xor.h                          |   2 +-
 arch/um/include/shared/os.h                        |   7 +
 arch/um/kernel/um_arch.c                           |   8 +
 arch/um/os-Linux/util.c                            |   6 +
 arch/x86/Kconfig                                   |   1 +
 arch/x86/Kconfig.debug                             |   3 -
 arch/x86/boot/Makefile                             |   2 +-
 arch/x86/boot/compressed/Makefile                  |   4 +
 arch/x86/crypto/Makefile                           |   4 +-
 arch/x86/crypto/blake2s-glue.c                     |   3 +-
 arch/x86/crypto/blake2s-shash.c                    |  77 --
 arch/x86/entry/Makefile                            |   3 +-
 arch/x86/entry/thunk_32.S                          |   2 -
 arch/x86/entry/thunk_64.S                          |   4 -
 arch/x86/entry/vdso/Makefile                       |   2 +-
 arch/x86/events/intel/core.c                       |   7 +-
 arch/x86/events/intel/ds.c                         | 129 ++--
 arch/x86/events/perf_event.h                       |  14 +
 arch/x86/include/asm/kexec.h                       |   6 +
 arch/x86/include/asm/kvm_host.h                    |   3 +-
 arch/x86/kernel/cpu/bugs.c                         |  10 +-
 arch/x86/kernel/cpu/intel.c                        |  27 +-
 arch/x86/kernel/ftrace.c                           |   1 +
 arch/x86/kernel/kprobes/core.c                     |  18 +-
 arch/x86/kernel/pmem.c                             |   7 +-
 arch/x86/kernel/process.c                          |   9 +-
 arch/x86/kvm/emulate.c                             |  23 +-
 arch/x86/kvm/mmu.h                                 |   2 +
 arch/x86/kvm/mmu/mmu.c                             |   8 +-
 arch/x86/kvm/mmu/paging_tmpl.h                     |   9 +-
 arch/x86/kvm/mmu/spte.c                            |  22 +
 arch/x86/kvm/mmu/spte.h                            |   3 +-
 arch/x86/kvm/svm/nested.c                          |   3 +-
 arch/x86/kvm/svm/sev.c                             |  10 +
 arch/x86/kvm/svm/svm.c                             |  38 +-
 arch/x86/kvm/vmx/nested.c                          | 106 +--
 arch/x86/kvm/vmx/nested.h                          |   3 +-
 arch/x86/kvm/vmx/pmu_intel.c                       |  13 +-
 arch/x86/kvm/vmx/vmx.c                             |   4 +-
 arch/x86/kvm/vmx/vmx.h                             |  12 +
 arch/x86/kvm/x86.c                                 |  33 +-
 arch/x86/kvm/x86.h                                 |   2 +-
 arch/x86/kvm/xen.c                                 |  31 +-
 arch/x86/mm/extable.c                              |  16 +-
 arch/x86/mm/mem_encrypt_amd.c                      |   4 +-
 arch/x86/mm/numa.c                                 |   4 +-
 arch/x86/net/bpf_jit_comp.c                        |  31 +
 arch/x86/platform/olpc/olpc-xo1-sci.c              |   2 +-
 arch/x86/um/Makefile                               |   3 +-
 arch/x86/xen/enlighten_hvm.c                       |   4 +-
 arch/x86/xen/enlighten_pv.c                        |   5 +-
 arch/xtensa/platforms/iss/network.c                |  42 +-
 block/bio.c                                        |  99 +--
 block/blk-iocost.c                                 |  20 +-
 block/blk-iolatency.c                              |  18 +-
 block/blk-mq-debugfs.c                             |   3 +
 block/blk-rq-qos.h                                 |  11 +-
 block/blk-wbt.c                                    |  12 +-
 crypto/Kconfig                                     |  20 +-
 crypto/Makefile                                    |   1 -
 crypto/asymmetric_keys/public_key.c                |   7 +-
 crypto/blake2s_generic.c                           |  75 --
 crypto/tcrypt.c                                    |  12 -
 crypto/testmgr.c                                   |  24 -
 crypto/testmgr.h                                   | 217 ------
 drivers/acpi/acpi_lpss.c                           |   3 +
 drivers/acpi/apei/einj.c                           |   2 +
 drivers/acpi/bus.c                                 |   1 +
 drivers/acpi/cppc_acpi.c                           |  54 +-
 drivers/acpi/ec.c                                  |  82 +-
 drivers/acpi/processor_idle.c                      |   6 +-
 drivers/acpi/sleep.c                               |   8 +
 drivers/acpi/video_detect.c                        |   8 +
 drivers/acpi/viot.c                                |  26 +-
 drivers/android/binder.c                           | 114 ++-
 drivers/android/binder_alloc.c                     |  30 +-
 drivers/android/binder_alloc.h                     |   2 +-
 drivers/android/binder_alloc_selftest.c            |   2 +-
 drivers/android/binder_internal.h                  |  46 +-
 drivers/android/binderfs.c                         |  47 +-
 drivers/base/dd.c                                  |   5 +-
 drivers/base/node.c                                |   4 +-
 drivers/base/power/domain.c                        |   3 +
 drivers/base/topology.c                            |  32 +-
 drivers/block/mtip32xx/mtip32xx.c                  | 157 ++--
 drivers/block/mtip32xx/mtip32xx.h                  |   1 -
 drivers/block/nbd.c                                |   6 +-
 drivers/block/null_blk/main.c                      |  14 +-
 drivers/block/rnbd/rnbd-srv.c                      |   3 +-
 drivers/block/xen-blkback/xenbus.c                 |  20 +-
 drivers/block/xen-blkfront.c                       |   4 +-
 drivers/bluetooth/hci_intel.c                      |   6 +-
 drivers/bluetooth/hci_serdev.c                     |  11 +
 drivers/bus/hisi_lpc.c                             |  10 +-
 drivers/char/tpm/tpm2-cmd.c                        |   6 +
 drivers/clk/imx/clk-fracn-gppll.c                  |  33 +-
 drivers/clk/imx/clk-imx93.c                        |   4 +-
 drivers/clk/mediatek/reset.c                       |   4 +-
 drivers/clk/qcom/camcc-sdm845.c                    |   4 +
 drivers/clk/qcom/camcc-sm8250.c                    |  16 +-
 drivers/clk/qcom/clk-krait.c                       |   7 +-
 drivers/clk/qcom/clk-rcg2.c                        |  16 +-
 drivers/clk/qcom/dispcc-sm8250.c                   |   1 -
 drivers/clk/qcom/gcc-ipq8074.c                     |  60 +-
 drivers/clk/qcom/gcc-msm8939.c                     |  33 +-
 drivers/clk/qcom/gdsc.c                            |   8 +
 drivers/clk/qcom/videocc-sm8250.c                  |   4 -
 drivers/clk/renesas/r9a06g032-clocks.c             |   8 +-
 drivers/clk/renesas/rzg2l-cpg.c                    |   2 +-
 drivers/cpufreq/mediatek-cpufreq-hw.c              |   7 +-
 drivers/cpufreq/mediatek-cpufreq.c                 |   1 +
 drivers/cpufreq/scmi-cpufreq.c                     |   6 +
 .../crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c    |   1 +
 drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c  |  16 +-
 drivers/crypto/allwinner/sun8i-ss/sun8i-ss-hash.c  |  10 +-
 drivers/crypto/ccp/sev-dev.c                       |  12 +-
 drivers/crypto/hisilicon/hpre/hpre_crypto.c        |   2 +-
 drivers/crypto/hisilicon/sec/sec_algs.c            |  14 +-
 drivers/crypto/hisilicon/sec/sec_drv.h             |   2 +-
 drivers/crypto/hisilicon/sec2/sec.h                |   2 +-
 drivers/crypto/hisilicon/sec2/sec_crypto.c         |  26 +-
 drivers/crypto/hisilicon/sec2/sec_crypto.h         |   1 +
 drivers/crypto/inside-secure/safexcel.c            |   2 +
 drivers/dma/dw-edma/dw-edma-core.c                 |   2 +-
 drivers/dma/dw/rzn1-dmamux.c                       |   3 +
 drivers/dma/imx-dma.c                              |   2 +-
 drivers/dma/sf-pdma/sf-pdma.c                      |  44 +-
 drivers/firmware/arm_scpi.c                        |  61 +-
 drivers/firmware/tegra/bpmp-debugfs.c              |  10 +-
 drivers/fpga/altera-pr-ip-core.c                   |   2 +-
 drivers/gpio/gpiolib-of.c                          |   4 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c            |  60 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c      |  10 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_object.c         |   4 +
 drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c             |   7 +-
 drivers/gpu/drm/amd/amdgpu/nbio_v2_3.c             |  21 -
 drivers/gpu/drm/amd/amdgpu/nbio_v2_3.h             |   1 -
 drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c             |  21 -
 drivers/gpu/drm/amd/amdgpu/nbio_v7_4.h             |   1 -
 drivers/gpu/drm/amd/amdkfd/kfd_device.c            |   2 +-
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c  |   2 +
 .../drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c  |   2 +-
 drivers/gpu/drm/amd/display/dc/core/dc_link.c      |  17 +-
 drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c   |  52 +-
 drivers/gpu/drm/amd/display/dc/dc.h                |   1 +
 .../amd/display/dc/dce110/dce110_hw_sequencer.c    |  23 +-
 drivers/gpu/drm/amd/display/dc/dcn31/dcn31_dccg.c  |  13 +-
 drivers/gpu/drm/amd/display/dc/dcn31/dcn31_dccg.h  |   2 +-
 drivers/gpu/drm/amd/display/dc/inc/hw/dccg.h       |   4 +-
 drivers/gpu/drm/amd/display/dc/inc/hw/mpc.h        |   5 +
 .../drm/amd/display/dc/inc/hw_sequencer_private.h  |   2 +
 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c     |   2 +
 drivers/gpu/drm/bridge/Kconfig                     |   3 +
 drivers/gpu/drm/bridge/adv7511/adv7511.h           |  12 -
 drivers/gpu/drm/bridge/adv7511/adv7511_cec.c       |  12 +
 drivers/gpu/drm/bridge/adv7511/adv7511_drv.c       |  24 +-
 drivers/gpu/drm/bridge/analogix/anx7625.c          |  21 +-
 drivers/gpu/drm/bridge/lontium-lt9611.c            |   2 +-
 drivers/gpu/drm/bridge/lontium-lt9611uxc.c         |   2 +-
 drivers/gpu/drm/bridge/sil-sii8620.c               |   4 +-
 drivers/gpu/drm/bridge/tc358767.c                  |  34 +-
 drivers/gpu/drm/display/Kconfig                    |   2 +-
 drivers/gpu/drm/display/drm_dp_aux_bus.c           |   4 +-
 drivers/gpu/drm/display/drm_dp_mst_topology.c      |   7 +-
 drivers/gpu/drm/drm_edid.c                         |   1 +
 drivers/gpu/drm/drm_fb_helper.c                    |  27 +-
 drivers/gpu/drm/drm_gem.c                          |   4 +-
 drivers/gpu/drm/drm_gem_shmem_helper.c             |   1 +
 drivers/gpu/drm/drm_mipi_dbi.c                     |   7 +
 drivers/gpu/drm/exynos/exynos7_drm_decon.c         |  17 +-
 drivers/gpu/drm/hyperv/hyperv_drm_modeset.c        |   2 +
 drivers/gpu/drm/i915/i915_gem.h                    |   4 -
 drivers/gpu/drm/ingenic/ingenic-drm-drv.c          |  10 +-
 drivers/gpu/drm/ingenic/ingenic-drm.h              |   3 +
 drivers/gpu/drm/mcde/mcde_dsi.c                    |   1 +
 drivers/gpu/drm/mediatek/mtk_dpi.c                 |  33 +-
 drivers/gpu/drm/mediatek/mtk_dsi.c                 |  93 ++-
 drivers/gpu/drm/meson/meson_encoder_cvbs.c         |   1 +
 drivers/gpu/drm/meson/meson_encoder_hdmi.c         |  19 +-
 drivers/gpu/drm/mgag200/mgag200_mode.c             |  10 +
 drivers/gpu/drm/msm/adreno/a5xx_gpu.c              |   8 -
 drivers/gpu/drm/msm/adreno/a6xx_gmu.c              |  13 +-
 drivers/gpu/drm/msm/adreno/a6xx_gpu.c              |  12 +-
 drivers/gpu/drm/msm/adreno/a6xx_gpu.h              |   3 +-
 drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c           |   6 +
 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c        |  36 +-
 .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c    |   6 +-
 drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c     |   6 +-
 drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.c          |   3 +-
 drivers/gpu/drm/msm/hdmi/hdmi.c                    |   3 +
 drivers/gpu/drm/msm/msm_fence.c                    |  11 +-
 drivers/gpu/drm/msm/msm_gpu.h                      |  11 +-
 drivers/gpu/drm/msm/msm_gpu_devfreq.c              |  39 +-
 drivers/gpu/drm/nouveau/nouveau_connector.c        |   8 +-
 drivers/gpu/drm/nouveau/nouveau_display.c          |   4 +-
 drivers/gpu/drm/nouveau/nouveau_fbcon.c            |   2 +-
 drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c    |   2 +-
 drivers/gpu/drm/panel/Kconfig                      |   2 +
 drivers/gpu/drm/radeon/.gitignore                  |   2 +-
 drivers/gpu/drm/radeon/Kconfig                     |   2 +-
 drivers/gpu/drm/radeon/Makefile                    |   2 +-
 drivers/gpu/drm/radeon/ni_dpm.c                    |   6 +-
 drivers/gpu/drm/radeon/radeon_device.c             |   2 +-
 drivers/gpu/drm/rockchip/analogix_dp-rockchip.c    |  10 +-
 drivers/gpu/drm/rockchip/rockchip_drm_vop.c        |   3 +
 drivers/gpu/drm/rockchip/rockchip_drm_vop2.c       |   1 +
 drivers/gpu/drm/solomon/ssd130x-spi.c              |   2 +
 drivers/gpu/drm/tegra/gem.c                        |  11 +-
 drivers/gpu/drm/tiny/st7735r.c                     |   1 +
 drivers/gpu/drm/vc4/vc4_crtc.c                     |  14 +-
 drivers/gpu/drm/vc4/vc4_dsi.c                      | 152 +++-
 drivers/gpu/drm/vc4/vc4_hdmi.c                     | 169 ++++-
 drivers/gpu/drm/vc4/vc4_hdmi.h                     |   8 +
 drivers/gpu/drm/vc4/vc4_hdmi_regs.h                |   7 +-
 drivers/gpu/drm/vc4/vc4_kms.c                      |   4 +-
 drivers/gpu/drm/vc4/vc4_plane.c                    |  30 +-
 drivers/gpu/drm/virtio/virtgpu_ioctl.c             |   6 +-
 drivers/gpu/drm/virtio/virtgpu_object.c            |   4 +-
 drivers/gpu/drm/vkms/vkms_composer.c               |   2 +-
 drivers/hid/amd-sfh-hid/amd_sfh_client.c           |   2 +
 drivers/hid/amd-sfh-hid/amd_sfh_hid.c              |  12 +-
 drivers/hid/amd-sfh-hid/amd_sfh_pcie.c             |   3 +-
 drivers/hid/hid-alps.c                             |   2 +
 drivers/hid/hid-cp2112.c                           |   5 +
 drivers/hid/hid-ids.h                              |   1 +
 drivers/hid/hid-input.c                            |   2 +
 drivers/hid/hid-mcp2221.c                          |   3 +
 drivers/hid/hid-nintendo.c                         |   1 +
 drivers/hid/wacom_sys.c                            |   2 +-
 drivers/hid/wacom_wac.c                            |  72 +-
 drivers/hwmon/dell-smm-hwmon.c                     |   8 +
 drivers/hwmon/drivetemp.c                          |   1 +
 drivers/hwmon/nct6775-core.c                       |   3 +-
 drivers/hwmon/nct6775-platform.c                   |   2 +-
 drivers/hwmon/nct6775.h                            |   2 +
 drivers/hwmon/sch56xx-common.c                     |  44 +-
 drivers/hwmon/sht15.c                              |  17 +-
 drivers/hwtracing/coresight/coresight-config.h     |   2 +
 drivers/hwtracing/coresight/coresight-core.c       |   1 +
 drivers/hwtracing/coresight/coresight-syscfg.c     | 295 +++++--
 drivers/hwtracing/coresight/coresight-syscfg.h     |  13 +
 drivers/hwtracing/intel_th/msu-sink.c              |   3 +
 drivers/hwtracing/intel_th/msu.c                   |  14 +-
 drivers/hwtracing/intel_th/pci.c                   |  25 +-
 drivers/i2c/busses/i2c-cadence.c                   |  10 +-
 drivers/i2c/busses/i2c-mxs.c                       |   2 +-
 drivers/i2c/busses/i2c-npcm7xx.c                   |  50 +-
 drivers/i2c/busses/i2c-qcom-geni.c                 |   2 +-
 drivers/i2c/i2c-core-base.c                        |   3 +-
 drivers/i2c/muxes/i2c-mux-gpmux.c                  |   1 +
 drivers/idle/intel_idle.c                          |  24 +-
 drivers/iio/accel/Kconfig                          |   2 +
 drivers/iio/accel/adxl313_core.c                   |   2 +-
 drivers/iio/accel/adxl355_core.c                   |   2 +-
 drivers/iio/accel/adxl367.c                        |   2 +-
 drivers/iio/accel/adxl367_spi.c                    |   8 +-
 drivers/iio/accel/bma220_spi.c                     |   2 +-
 drivers/iio/accel/bma400.h                         |  35 +-
 drivers/iio/accel/bma400_core.c                    | 250 +++++-
 drivers/iio/accel/bma400_i2c.c                     |  10 +-
 drivers/iio/accel/bma400_spi.c                     |   8 +-
 drivers/iio/accel/cros_ec_accel_legacy.c           |   4 +-
 drivers/iio/accel/sca3000.c                        |   4 +-
 drivers/iio/accel/sca3300.c                        |   2 +-
 drivers/iio/adc/ad7266.c                           |   4 +-
 drivers/iio/adc/ad7280a.c                          |   2 +-
 drivers/iio/adc/ad7292.c                           |   2 +-
 drivers/iio/adc/ad7298.c                           |   2 +-
 drivers/iio/adc/ad7476.c                           |   5 +-
 drivers/iio/adc/ad7606.h                           |   4 +-
 drivers/iio/adc/ad7766.c                           |   5 +-
 drivers/iio/adc/ad7768-1.c                         |   4 +-
 drivers/iio/adc/ad7887.c                           |   5 +-
 drivers/iio/adc/ad7923.c                           |   4 +-
 drivers/iio/adc/ad7949.c                           |   2 +-
 drivers/iio/adc/adi-axi-adc.c                      |   7 +-
 drivers/iio/adc/hi8435.c                           |   2 +-
 drivers/iio/adc/ltc2496.c                          |   4 +-
 drivers/iio/adc/ltc2497.c                          |   4 +-
 drivers/iio/adc/max1027.c                          |   8 +-
 drivers/iio/adc/max11100.c                         |   4 +-
 drivers/iio/adc/max1118.c                          |   2 +-
 drivers/iio/adc/max1241.c                          |   2 +-
 drivers/iio/adc/mcp320x.c                          |   2 +-
 drivers/iio/adc/ti-adc0832.c                       |   2 +-
 drivers/iio/adc/ti-adc084s021.c                    |   4 +-
 drivers/iio/adc/ti-adc108s102.c                    |   4 +-
 drivers/iio/adc/ti-adc12138.c                      |   2 +-
 drivers/iio/adc/ti-adc128s052.c                    |   2 +-
 drivers/iio/adc/ti-adc161s626.c                    |   2 +-
 drivers/iio/adc/ti-ads124s08.c                     |   2 +-
 drivers/iio/adc/ti-ads131e08.c                     |   2 +-
 drivers/iio/adc/ti-ads7950.c                       |   4 +-
 drivers/iio/adc/ti-ads8344.c                       |   2 +-
 drivers/iio/adc/ti-ads8688.c                       |   2 +-
 drivers/iio/adc/ti-tlc4541.c                       |   4 +-
 drivers/iio/addac/ad74413r.c                       |   4 +-
 drivers/iio/amplifiers/ad8366.c                    |   4 +-
 .../iio/common/cros_ec_sensors/cros_ec_lid_angle.c |   4 +-
 .../iio/common/cros_ec_sensors/cros_ec_sensors.c   |   6 +-
 .../common/cros_ec_sensors/cros_ec_sensors_core.c  |  58 +-
 drivers/iio/common/ssp_sensors/ssp.h               |   3 +-
 drivers/iio/dac/ad5064.c                           |   4 +-
 drivers/iio/dac/ad5360.c                           |   4 +-
 drivers/iio/dac/ad5421.c                           |   4 +-
 drivers/iio/dac/ad5449.c                           |   4 +-
 drivers/iio/dac/ad5504.c                           |   2 +-
 drivers/iio/dac/ad5592r-base.h                     |   4 +-
 drivers/iio/dac/ad5686.h                           |   6 +-
 drivers/iio/dac/ad5755.c                           |   4 +-
 drivers/iio/dac/ad5761.c                           |   4 +-
 drivers/iio/dac/ad5764.c                           |   4 +-
 drivers/iio/dac/ad5766.c                           |   2 +-
 drivers/iio/dac/ad5770r.c                          |   2 +-
 drivers/iio/dac/ad5791.c                           |   2 +-
 drivers/iio/dac/ad7293.c                           |   2 +-
 drivers/iio/dac/ad7303.c                           |   4 +-
 drivers/iio/dac/ad8801.c                           |   2 +-
 drivers/iio/dac/ltc2688.c                          |   4 +-
 drivers/iio/dac/mcp4922.c                          |   2 +-
 drivers/iio/dac/ti-dac082s085.c                    |   2 +-
 drivers/iio/dac/ti-dac5571.c                       |   2 +-
 drivers/iio/dac/ti-dac7311.c                       |   2 +-
 drivers/iio/dac/ti-dac7612.c                       |   4 +-
 drivers/iio/frequency/ad9523.c                     |   6 +-
 drivers/iio/frequency/adf4350.c                    |   6 +-
 drivers/iio/frequency/adf4371.c                    |   2 +-
 drivers/iio/frequency/admv1013.c                   |   2 +-
 drivers/iio/frequency/admv1014.c                   |   2 +-
 drivers/iio/frequency/admv4420.c                   |   2 +-
 drivers/iio/frequency/adrf6780.c                   |   2 +-
 drivers/iio/gyro/adis16080.c                       |   2 +-
 drivers/iio/gyro/adis16130.c                       |   2 +-
 drivers/iio/gyro/adxrs450.c                        |   2 +-
 drivers/iio/gyro/fxas21002c_core.c                 |   6 +-
 drivers/iio/imu/fxos8700_core.c                    |   2 +-
 drivers/iio/imu/inv_icm42600/inv_icm42600.h        |   2 +-
 drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.h |   2 +-
 drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h          |   2 +-
 drivers/iio/industrialio-core.c                    |  22 +-
 drivers/iio/light/cros_ec_light_prox.c             |   6 +-
 drivers/iio/light/isl29028.c                       |   2 +-
 drivers/iio/potentiometer/ad5110.c                 |   4 +-
 drivers/iio/potentiometer/ad5272.c                 |   2 +-
 drivers/iio/potentiometer/max5481.c                |   2 +-
 drivers/iio/potentiometer/mcp41010.c               |   2 +-
 drivers/iio/potentiometer/mcp4131.c                |   2 +-
 drivers/iio/pressure/cros_ec_baro.c                |   6 +-
 drivers/iio/proximity/as3935.c                     |   2 +-
 drivers/iio/proximity/sx9324.c                     |   4 +-
 drivers/iio/resolver/ad2s1200.c                    |   2 +-
 drivers/iio/resolver/ad2s90.c                      |   2 +-
 drivers/iio/temperature/ltc2983.c                  |   4 +-
 drivers/iio/temperature/max31865.c                 |   2 +-
 drivers/iio/temperature/maxim_thermocouple.c       |   2 +-
 drivers/infiniband/hw/hfi1/file_ops.c              |   4 +-
 drivers/infiniband/hw/hns/hns_roce_hw_v2.c         |   4 +-
 drivers/infiniband/hw/irdma/cm.c                   |  11 +-
 drivers/infiniband/hw/irdma/hw.c                   |  15 +-
 drivers/infiniband/hw/irdma/verbs.c                |   2 +-
 drivers/infiniband/hw/mlx5/fs.c                    |   6 +-
 drivers/infiniband/hw/qedr/verbs.c                 |   8 +-
 drivers/infiniband/sw/rxe/rxe_comp.c               |   8 +-
 drivers/infiniband/sw/rxe/rxe_loc.h                |   2 +-
 drivers/infiniband/sw/rxe/rxe_mr.c                 |  12 +-
 drivers/infiniband/sw/rxe/rxe_mw.c                 |   7 -
 drivers/infiniband/sw/rxe/rxe_pool.c               |   4 +-
 drivers/infiniband/sw/rxe/rxe_qp.c                 |  23 +-
 drivers/infiniband/sw/rxe/rxe_req.c                |  23 +-
 drivers/infiniband/sw/rxe/rxe_resp.c               |  24 +-
 drivers/infiniband/sw/rxe/rxe_verbs.h              |   1 +
 drivers/infiniband/sw/siw/siw_cm.c                 |   7 +-
 drivers/infiniband/ulp/iser/iscsi_iser.c           |   4 +-
 drivers/infiniband/ulp/rtrs/rtrs-clt.c             |  35 +-
 drivers/infiniband/ulp/rtrs/rtrs-pri.h             |  21 +-
 drivers/infiniband/ulp/srpt/ib_srpt.c              | 148 +++-
 drivers/infiniband/ulp/srpt/ib_srpt.h              |  18 +-
 drivers/input/serio/gscps2.c                       |   4 +
 drivers/interconnect/imx/imx.c                     |   8 +-
 drivers/iommu/arm/arm-smmu/qcom_iommu.c            |   7 +-
 drivers/iommu/exynos-iommu.c                       |   6 +-
 drivers/iommu/intel/dmar.c                         |   2 +-
 drivers/irqchip/Kconfig                            |   5 +-
 drivers/irqchip/irq-mips-gic.c                     |  84 +-
 drivers/leds/rgb/leds-pwm-multicolor.c             |   3 +-
 drivers/md/dm-raid.c                               |   5 +-
 drivers/md/dm-thin-metadata.c                      |   7 +-
 drivers/md/dm-thin.c                               |   4 +-
 drivers/md/dm-writecache.c                         |  43 +-
 drivers/md/dm.c                                    |  18 +-
 drivers/md/md.c                                    |   2 +-
 drivers/md/raid10.c                                |   5 +-
 drivers/media/i2c/Kconfig                          |   1 +
 drivers/media/i2c/ov7251.c                         |   2 +
 drivers/media/pci/sta2x11/Kconfig                  |   2 +-
 drivers/media/pci/tw686x/tw686x-core.c             |  18 +-
 drivers/media/pci/tw686x/tw686x-video.c            |   4 +-
 drivers/media/platform/amphion/vdec.c              |  47 +-
 drivers/media/platform/amphion/vpu.h               |   1 +
 drivers/media/platform/amphion/vpu_core.c          |   7 +-
 drivers/media/platform/amphion/vpu_malone.c        |   4 +
 drivers/media/platform/amphion/vpu_msgs.c          |   7 +-
 drivers/media/platform/amphion/vpu_rpc.h           |   7 +-
 drivers/media/platform/amphion/vpu_v4l2.c          |   6 +-
 drivers/media/platform/atmel/atmel-sama7g5-isc.c   |   2 +
 drivers/media/platform/mediatek/mdp/mtk_mdp_ipi.h  |   2 +
 .../platform/mediatek/vcodec/mtk_vcodec_dec.c      |  73 +-
 .../platform/mediatek/vcodec/mtk_vcodec_dec_drv.c  |   5 +
 .../mediatek/vcodec/mtk_vcodec_dec_stateless.c     |   7 +
 .../platform/mediatek/vcodec/mtk_vcodec_drv.h      |   4 -
 drivers/media/platform/nxp/imx-jpeg/mxc-jpeg-hw.c  |   5 +
 drivers/media/platform/nxp/imx-jpeg/mxc-jpeg-hw.h  |   9 +-
 drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c     | 264 +++----
 drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h     |   2 -
 drivers/media/platform/qcom/camss/camss-csid.c     |   2 +-
 .../media/platform/renesas/rcar-vin/rcar-core.c    |   2 +-
 drivers/media/usb/hdpvr/hdpvr-video.c              |   2 +-
 drivers/media/v4l2-core/v4l2-async.c               |  35 +-
 drivers/media/v4l2-core/v4l2-mem2mem.c             |   2 +-
 drivers/memstick/core/ms_block.c                   |  11 +-
 drivers/mfd/max77620.c                             |   2 +
 drivers/mfd/t7l66xb.c                              |   6 +-
 drivers/misc/cardreader/rtsx_pcr.c                 |   6 +-
 drivers/misc/eeprom/idt_89hpesx.c                  |   8 +-
 drivers/misc/habanalabs/common/memory.c            |   6 +-
 drivers/mmc/core/block.c                           |  28 +-
 drivers/mmc/core/quirks.h                          |   4 +-
 drivers/mmc/host/cavium-octeon.c                   |   1 +
 drivers/mmc/host/cavium-thunderx.c                 |   4 +-
 drivers/mmc/host/mxcmmc.c                          |   2 +-
 drivers/mmc/host/renesas_sdhi_core.c               |   8 +-
 drivers/mmc/host/sdhci-of-at91.c                   |   9 +-
 drivers/mmc/host/sdhci-of-esdhc.c                  |   1 +
 drivers/mtd/devices/mtd_dataflash.c                |   8 +
 drivers/mtd/devices/spear_smi.c                    |  10 +-
 drivers/mtd/devices/st_spi_fsm.c                   |  12 +-
 drivers/mtd/hyperbus/rpc-if.c                      |   8 +-
 drivers/mtd/maps/physmap-versatile.c               |   2 +
 drivers/mtd/nand/raw/arasan-nand-controller.c      |  16 +-
 drivers/mtd/nand/raw/meson_nand.c                  |   1 -
 drivers/mtd/parsers/ofpart_bcm4908.c               |   3 +
 drivers/mtd/parsers/redboot.c                      |   1 +
 drivers/mtd/sm_ftl.c                               |   2 +-
 drivers/mtd/spi-nor/core.c                         |   6 +-
 drivers/net/can/dev/netlink.c                      |   6 +-
 drivers/net/can/pch_can.c                          |   8 +-
 drivers/net/can/rcar/rcar_can.c                    |   8 +-
 drivers/net/can/sja1000/sja1000.c                  |   7 +-
 drivers/net/can/spi/hi311x.c                       |   5 +-
 drivers/net/can/sun4i_can.c                        |   9 +-
 drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c  |  12 +-
 drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c   |   6 +-
 drivers/net/can/usb/usb_8dev.c                     |   7 +-
 drivers/net/dsa/ocelot/Kconfig                     |   1 +
 drivers/net/dsa/ocelot/felix.c                     |   9 +
 drivers/net/dsa/ocelot/felix.h                     |   1 +
 drivers/net/dsa/ocelot/felix_vsc9959.c             | 300 +++++++-
 drivers/net/ethernet/atheros/ag71xx.c              |   2 +-
 drivers/net/ethernet/huawei/hinic/hinic_dev.h      |   3 -
 drivers/net/ethernet/huawei/hinic/hinic_main.c     |  68 +-
 drivers/net/ethernet/huawei/hinic/hinic_rx.c       |   2 -
 drivers/net/ethernet/huawei/hinic/hinic_tx.c       |   2 -
 drivers/net/ethernet/intel/iavf/iavf.h             |   6 +
 drivers/net/ethernet/intel/iavf/iavf_main.c        |  46 +-
 drivers/net/ethernet/intel/ice/ice_main.c          |   2 +-
 drivers/net/ethernet/intel/ice/ice_switch.c        |   2 +-
 drivers/net/ethernet/mellanox/mlx5/core/en.h       |  21 +-
 .../net/ethernet/mellanox/mlx5/core/en/params.c    |  12 +
 .../ethernet/mellanox/mlx5/core/en/tc/post_act.c   |   1 +
 .../net/ethernet/mellanox/mlx5/core/en/xsk/rx.h    |  14 +
 .../ethernet/mellanox/mlx5/core/en_accel/ktls.c    |   2 +-
 .../ethernet/mellanox/mlx5/core/eswitch_offloads.c |  23 +-
 drivers/net/ethernet/mellanox/mlx5/core/lib/tout.c |  11 +-
 drivers/net/ethernet/mellanox/mlx5/core/lib/tout.h |   1 -
 drivers/net/ethernet/mellanox/mlx5/core/main.c     |   4 +-
 .../ethernet/mellanox/mlx5/core/steering/dr_dbg.c  |  13 +-
 drivers/net/ethernet/mscc/ocelot.c                 |   1 +
 drivers/net/ethernet/mscc/ocelot_ptp.c             |   8 +
 drivers/net/ethernet/pensando/ionic/ionic_lif.c    |   2 +-
 drivers/net/netdevsim/bpf.c                        |   8 +-
 drivers/net/netdevsim/fib.c                        |  27 +-
 drivers/net/usb/Kconfig                            |   3 +-
 drivers/net/usb/ax88179_178a.c                     |  26 +-
 drivers/net/usb/smsc95xx.c                         |  26 +-
 drivers/net/usb/usbnet.c                           |   8 +-
 drivers/net/wireguard/allowedips.c                 |   9 +-
 drivers/net/wireguard/selftest/allowedips.c        |   6 +-
 drivers/net/wireguard/selftest/ratelimiter.c       |  25 +-
 drivers/net/wireless/ath/ath10k/htt_rx.c           |   2 +-
 drivers/net/wireless/ath/ath10k/mac.c              |   8 +-
 drivers/net/wireless/ath/ath10k/snoc.c             |   5 +-
 drivers/net/wireless/ath/ath10k/wmi-tlv.c          |   2 +-
 drivers/net/wireless/ath/ath10k/wmi.c              |   2 +-
 drivers/net/wireless/ath/ath11k/ahb.c              |  56 +-
 drivers/net/wireless/ath/ath11k/core.c             |  30 +-
 drivers/net/wireless/ath/ath11k/debug.h            |   4 +-
 drivers/net/wireless/ath/ath11k/dp_rx.c            |   5 +-
 drivers/net/wireless/ath/ath11k/htc.c              |   4 +-
 drivers/net/wireless/ath/ath11k/hw.h               |   2 -
 drivers/net/wireless/ath/ath11k/mac.c              |  25 +-
 drivers/net/wireless/ath/ath11k/pci.c              |  72 +-
 drivers/net/wireless/ath/ath11k/pcic.c             |  57 +-
 drivers/net/wireless/ath/ath11k/pcic.h             |   2 +
 drivers/net/wireless/ath/ath11k/wmi.c              |   4 +-
 drivers/net/wireless/ath/ath6kl/cfg80211.c         |   6 +-
 drivers/net/wireless/ath/ath9k/beacon.c            |   2 +-
 drivers/net/wireless/ath/ath9k/htc.h               |  10 +-
 drivers/net/wireless/ath/ath9k/htc_drv_beacon.c    |   2 +-
 drivers/net/wireless/ath/ath9k/htc_drv_init.c      |   3 +-
 drivers/net/wireless/ath/wil6210/cfg80211.c        |   9 +-
 drivers/net/wireless/ath/wil6210/debugfs.c         |  18 +-
 .../broadcom/brcm80211/brcmfmac/cfg80211.c         |   4 +-
 drivers/net/wireless/intel/iwlegacy/4965-rs.c      |   5 +-
 drivers/net/wireless/intel/iwlwifi/mvm/coex.c      |   6 +-
 drivers/net/wireless/intel/iwlwifi/mvm/d3.c        |   2 +-
 .../net/wireless/intel/iwlwifi/mvm/debugfs-vif.c   |   4 +-
 .../net/wireless/intel/iwlwifi/mvm/ftm-responder.c |   4 +-
 drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c  |  10 +-
 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c  |  10 +-
 drivers/net/wireless/intel/iwlwifi/mvm/power.c     |   2 +-
 drivers/net/wireless/intel/iwlwifi/mvm/rs.c        |   2 +-
 drivers/net/wireless/intel/iwlwifi/mvm/sta.c       |   1 +
 drivers/net/wireless/intel/iwlwifi/mvm/tdls.c      |   4 +-
 .../net/wireless/intel/iwlwifi/mvm/time-event.c    |   4 +-
 drivers/net/wireless/intel/iwlwifi/mvm/tx.c        |   2 +-
 drivers/net/wireless/intersil/p54/main.c           |   2 +-
 drivers/net/wireless/intersil/p54/p54spi.c         |   3 +-
 drivers/net/wireless/mac80211_hwsim.c              |  36 +-
 drivers/net/wireless/marvell/libertas/if_usb.c     |   1 +
 drivers/net/wireless/marvell/libertas/mesh.c       |  10 +-
 drivers/net/wireless/marvell/mwifiex/11h.c         |   2 +-
 drivers/net/wireless/marvell/mwifiex/cfg80211.c    |  18 +-
 drivers/net/wireless/mediatek/mt76/eeprom.c        |   5 +-
 drivers/net/wireless/mediatek/mt76/mac80211.c      |   5 +-
 drivers/net/wireless/mediatek/mt76/mt7615/mac.c    |   7 +-
 drivers/net/wireless/mediatek/mt76/mt7615/main.c   |  21 -
 drivers/net/wireless/mediatek/mt76/mt7615/mcu.c    |  14 +-
 drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h |   1 -
 drivers/net/wireless/mediatek/mt76/mt76_connac.h   |   6 +
 .../net/wireless/mediatek/mt76/mt76_connac2_mac.h  | 167 ++++
 .../net/wireless/mediatek/mt76/mt76_connac_mac.c   | 284 +++++++
 .../net/wireless/mediatek/mt76/mt76x02_usb_mcu.c   |   2 +-
 .../net/wireless/mediatek/mt76/mt7915/debugfs.c    |   5 +-
 drivers/net/wireless/mediatek/mt76/mt7915/mac.c    | 260 +------
 drivers/net/wireless/mediatek/mt76/mt7915/mac.h    | 142 +---
 drivers/net/wireless/mediatek/mt76/mt7915/mcu.c    |  16 +-
 drivers/net/wireless/mediatek/mt76/mt7915/mt7915.h |  17 +-
 .../net/wireless/mediatek/mt76/mt7915/testmode.c   |   9 +-
 drivers/net/wireless/mediatek/mt76/mt7921/init.c   |   6 +-
 drivers/net/wireless/mediatek/mt76/mt7921/mac.c    | 213 +-----
 drivers/net/wireless/mediatek/mt76/mt7921/mac.h    | 123 +--
 drivers/net/wireless/mediatek/mt76/mt7921/main.c   |   2 +-
 drivers/net/wireless/mediatek/mt76/mt7921/mcu.c    |  25 +-
 drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h |  15 -
 .../net/wireless/mediatek/mt76/mt7921/pci_mac.c    |   4 +-
 .../net/wireless/mediatek/mt76/mt7921/pci_mcu.c    |   6 +-
 .../net/wireless/mediatek/mt76/mt7921/sdio_mcu.c   |  10 +-
 drivers/net/wireless/microchip/wilc1000/cfg80211.c |   3 +-
 drivers/net/wireless/microchip/wilc1000/spi.c      |   6 +-
 drivers/net/wireless/quantenna/qtnfmac/cfg80211.c  |  14 +-
 drivers/net/wireless/quantenna/qtnfmac/commands.c  |   2 +-
 drivers/net/wireless/quantenna/qtnfmac/event.c     |  15 +-
 drivers/net/wireless/realtek/rtlwifi/debug.c       |   8 +-
 drivers/net/wireless/realtek/rtw88/main.c          |   4 +
 drivers/net/wireless/realtek/rtw89/rtw8852a_rfk.c  |   4 +-
 drivers/net/wireless/ti/wlcore/main.c              |   2 +-
 drivers/nvme/host/core.c                           |  14 +-
 drivers/nvme/host/multipath.c                      |   1 +
 drivers/nvme/host/trace.h                          |   2 +-
 drivers/of/device.c                                |   5 +-
 drivers/of/fdt.c                                   |   2 +-
 drivers/of/kexec.c                                 |  17 +
 drivers/opp/core.c                                 |   4 +-
 drivers/opp/of.c                                   |  15 +-
 drivers/parisc/lba_pci.c                           |   6 +-
 drivers/pci/controller/dwc/pcie-designware-ep.c    |  18 +-
 drivers/pci/controller/dwc/pcie-designware-host.c  |  30 +-
 drivers/pci/controller/dwc/pcie-designware.c       |  46 +-
 drivers/pci/controller/dwc/pcie-qcom.c             |  58 +-
 drivers/pci/controller/dwc/pcie-tegra194.c         |  49 +-
 drivers/pci/controller/pcie-mediatek-gen3.c        |   7 +-
 drivers/pci/controller/pcie-microchip-host.c       |   2 +
 drivers/pci/endpoint/functions/pci-epf-test.c      |   1 -
 drivers/pci/pcie/aer.c                             |   7 +-
 drivers/pci/pcie/portdrv_core.c                    |   9 +-
 drivers/perf/arm_spe_pmu.c                         |  22 +-
 drivers/perf/riscv_pmu.c                           |   1 -
 drivers/perf/riscv_pmu_sbi.c                       |  21 +-
 drivers/phy/qualcomm/phy-qcom-qmp.h                |   3 +-
 drivers/phy/rockchip/phy-rockchip-inno-usb2.c      |  10 +-
 drivers/phy/samsung/phy-exynosautov9-ufs.c         |  18 +-
 drivers/phy/st/phy-stm32-usbphyc.c                 |   4 +-
 drivers/phy/ti/phy-tusb1210.c                      |   5 +-
 drivers/platform/chrome/cros_ec.c                  |   8 +-
 drivers/platform/mellanox/mlxreg-lc.c              |  82 +-
 drivers/platform/olpc/olpc-ec.c                    |   2 +-
 drivers/platform/x86/pmc_atom.c                    |  19 +-
 drivers/powercap/dtpm_cpu.c                        |   5 +-
 drivers/pwm/pwm-lpc18xx-sct.c                      |  55 +-
 drivers/pwm/pwm-sifive.c                           |  61 +-
 drivers/regulator/of_regulator.c                   |   6 +-
 drivers/regulator/qcom_smd-regulator.c             |   4 +-
 drivers/remoteproc/imx_rproc.c                     |   7 +-
 drivers/remoteproc/qcom_q6v5_pas.c                 |   3 +
 drivers/remoteproc/qcom_sysmon.c                   |  10 +
 drivers/remoteproc/qcom_wcnss.c                    |  10 +-
 drivers/remoteproc/ti_k3_r5_remoteproc.c           |   2 +
 drivers/rpmsg/mtk_rpmsg.c                          |   2 +
 drivers/rpmsg/qcom_smd.c                           |   1 +
 drivers/rpmsg/rpmsg_char.c                         |   7 +-
 drivers/rpmsg/rpmsg_core.c                         |   1 +
 drivers/rtc/rtc-rx8025.c                           |  22 +-
 drivers/s390/char/zcore.c                          |  11 +-
 drivers/s390/cio/vfio_ccw_drv.c                    |  24 +-
 drivers/s390/cio/vfio_ccw_fsm.c                    |  26 +-
 drivers/s390/cio/vfio_ccw_ops.c                    |  10 +-
 drivers/s390/scsi/zfcp_fc.c                        |  29 +-
 drivers/s390/scsi/zfcp_fc.h                        |   6 +-
 drivers/s390/scsi/zfcp_fsf.c                       |   4 +-
 drivers/scsi/be2iscsi/be_main.c                    |   2 +-
 drivers/scsi/bnx2i/bnx2i_iscsi.c                   |   2 +-
 drivers/scsi/cxgbi/libcxgbi.c                      |   2 +-
 drivers/scsi/iscsi_tcp.c                           |   4 +-
 drivers/scsi/libiscsi.c                            |   9 +-
 drivers/scsi/lpfc/lpfc.h                           |   1 -
 drivers/scsi/lpfc/lpfc_els.c                       |   8 +-
 drivers/scsi/lpfc/lpfc_hbadisc.c                   |   3 +-
 drivers/scsi/lpfc/lpfc_scsi.c                      |   1 -
 drivers/scsi/qedi/qedi_main.c                      |   9 +-
 drivers/scsi/qla2xxx/qla_attr.c                    |  24 +-
 drivers/scsi/qla2xxx/qla_bsg.c                     |  10 +-
 drivers/scsi/qla2xxx/qla_dbg.h                     |   2 +-
 drivers/scsi/qla2xxx/qla_def.h                     |  18 +-
 drivers/scsi/qla2xxx/qla_edif.c                    | 502 +++++++++---
 drivers/scsi/qla2xxx/qla_edif.h                    |   7 +-
 drivers/scsi/qla2xxx/qla_edif_bsg.h                | 106 ++-
 drivers/scsi/qla2xxx/qla_fw.h                      |   2 +-
 drivers/scsi/qla2xxx/qla_gbl.h                     |   6 +-
 drivers/scsi/qla2xxx/qla_gs.c                      | 129 +++-
 drivers/scsi/qla2xxx/qla_init.c                    |  93 ++-
 drivers/scsi/qla2xxx/qla_iocb.c                    |   5 +-
 drivers/scsi/qla2xxx/qla_isr.c                     |  25 +-
 drivers/scsi/qla2xxx/qla_mbx.c                     |  19 +-
 drivers/scsi/qla2xxx/qla_mid.c                     |   6 +-
 drivers/scsi/qla2xxx/qla_nvme.c                    |   5 -
 drivers/scsi/qla2xxx/qla_os.c                      |  93 ++-
 drivers/scsi/qla2xxx/qla_target.c                  |  35 +-
 drivers/scsi/scsi_transport_iscsi.c                |  66 +-
 drivers/scsi/sd.c                                  |  84 +-
 drivers/scsi/sd.h                                  |   5 +
 drivers/scsi/sg.c                                  |  53 +-
 drivers/scsi/smartpqi/smartpqi_init.c              |   4 +-
 drivers/soc/amlogic/meson-mx-socinfo.c             |   1 +
 drivers/soc/amlogic/meson-secure-pwrc.c            |   4 +-
 drivers/soc/fsl/guts.c                             |   2 +-
 drivers/soc/qcom/Kconfig                           |   1 +
 drivers/soc/qcom/ocmem.c                           |   3 +
 drivers/soc/qcom/qcom_aoss.c                       |   4 +-
 drivers/soc/qcom/socinfo.c                         |   3 +-
 drivers/soc/renesas/r8a779a0-sysc.c                |  10 +-
 drivers/soundwire/bus.c                            |  75 +-
 drivers/soundwire/bus_type.c                       |  38 +-
 drivers/soundwire/qcom.c                           |   4 +
 drivers/soundwire/slave.c                          |   3 +-
 drivers/soundwire/stream.c                         |  53 +-
 drivers/spi/spi-altera-dfl.c                       |  14 +-
 drivers/spi/spi-dw.h                               |   2 +-
 drivers/spi/spi-s3c64xx.c                          |   2 +-
 drivers/spi/spi-synquacer.c                        |   1 +
 drivers/spi/spi-tegra20-slink.c                    |   3 +-
 drivers/spi/spi.c                                  |  21 +-
 drivers/staging/fbtft/fbtft-core.c                 |   2 +-
 drivers/staging/media/atomisp/pci/atomisp_cmd.c    |  57 +-
 .../media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c |   4 +-
 drivers/staging/media/hantro/hantro_g2_hevc_dec.c  |   7 +-
 drivers/staging/media/hantro/hantro_g2_regs.h      |   2 +-
 drivers/staging/media/hantro/hantro_hevc.c         |  25 +-
 drivers/staging/media/hantro/hantro_hw.h           |  17 +-
 drivers/staging/media/hantro/hantro_v4l2.c         |   2 +-
 drivers/staging/media/hantro/imx8m_vpu_hw.c        |  80 +-
 drivers/staging/media/hantro/rockchip_vpu_hw.c     | 164 ++--
 drivers/staging/media/hantro/sama5d4_vdec_hw.c     |  40 +-
 drivers/staging/media/hantro/sunxi_vpu_hw.c        |  24 +-
 drivers/staging/media/sunxi/cedrus/cedrus_h265.c   |  36 +-
 drivers/staging/media/sunxi/cedrus/cedrus_regs.h   |   3 +-
 drivers/staging/rtl8192u/r8192U.h                  |   2 +-
 drivers/staging/rtl8192u/r8192U_dm.c               |  38 +-
 drivers/staging/rtl8192u/r8192U_dm.h               |   2 +-
 drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c  |   4 +-
 drivers/thermal/cpufreq_cooling.c                  |  13 +-
 drivers/thermal/devfreq_cooling.c                  |  19 +-
 drivers/thermal/thermal_sysfs.c                    |  10 +-
 drivers/tty/n_gsm.c                                | 757 ++++++++++++------
 drivers/tty/serial/8250/8250.h                     |  20 +
 drivers/tty/serial/8250/8250_bcm2835aux.c          |   6 +-
 drivers/tty/serial/8250/8250_bcm7271.c             |  24 +-
 drivers/tty/serial/8250/8250_core.c                |   3 +-
 drivers/tty/serial/8250/8250_dw.c                  |  10 +-
 drivers/tty/serial/8250/8250_fsl.c                 |   2 +-
 drivers/tty/serial/8250/8250_pci.c                 | 109 +++
 drivers/tty/serial/8250/8250_port.c                |  17 +-
 drivers/tty/serial/fsl_lpuart.c                    |  12 +-
 drivers/tty/serial/mvebu-uart.c                    |  11 +
 drivers/tty/serial/pic32_uart.c                    |   4 +-
 drivers/tty/serial/qcom_geni_serial.c              |  88 ++-
 drivers/tty/vt/vt.c                                |   2 +-
 drivers/ufs/core/ufshcd.c                          |   6 +-
 drivers/usb/cdns3/cdns3-gadget.c                   |  13 +-
 drivers/usb/core/hcd.c                             |  34 +-
 drivers/usb/dwc3/core.c                            |   9 +-
 drivers/usb/dwc3/dwc3-qcom.c                       |   4 +-
 drivers/usb/dwc3/gadget.c                          |  92 +--
 drivers/usb/gadget/function/f_mass_storage.c       |  11 +-
 drivers/usb/gadget/function/f_uvc.c                |  30 +-
 drivers/usb/gadget/function/uvc_queue.c            |   6 +-
 drivers/usb/gadget/function/uvc_video.c            |  12 +-
 drivers/usb/gadget/udc/Kconfig                     |   2 +-
 drivers/usb/gadget/udc/aspeed-vhub/hub.c           |   4 +-
 drivers/usb/gadget/udc/core.c                      |  11 +-
 drivers/usb/gadget/udc/tegra-xudc.c                |   8 +-
 drivers/usb/host/ehci-ppc-of.c                     |   1 +
 drivers/usb/host/ohci-at91.c                       |  69 +-
 drivers/usb/host/ohci-nxp.c                        |   1 +
 drivers/usb/host/xhci-tegra.c                      |   8 +-
 drivers/usb/host/xhci.h                            |   2 +-
 drivers/usb/serial/sierra.c                        |   3 +-
 drivers/usb/serial/usb-serial.c                    |   2 +-
 drivers/usb/serial/usb_wwan.c                      |   3 +-
 drivers/usb/typec/ucsi/ucsi.c                      |   4 +
 drivers/usb/usbip/vudc_sysfs.c                     |  14 +-
 drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c     |  11 +-
 drivers/vfio/pci/mlx5/cmd.c                        |  14 +-
 drivers/vfio/pci/mlx5/cmd.h                        |   4 +-
 drivers/vfio/pci/mlx5/main.c                       |  11 +-
 drivers/vfio/pci/vfio_pci_core.c                   |   7 +
 drivers/vfio/vfio.c                                |  11 +-
 drivers/video/fbdev/amba-clcd.c                    |  24 +-
 drivers/video/fbdev/arkfb.c                        |   9 +-
 drivers/video/fbdev/core/fbcon.c                   |  12 +-
 drivers/video/fbdev/offb.c                         |   1 +
 drivers/video/fbdev/s3fb.c                         |   2 +
 drivers/video/fbdev/sis/init.c                     |   4 +-
 drivers/video/fbdev/vt8623fb.c                     |   2 +
 drivers/virtio/Kconfig                             |   4 +
 drivers/virtio/Makefile                            |   1 +
 drivers/virtio/virtio.c                            |   4 +-
 drivers/virtio/virtio_anchor.c                     |  18 +
 drivers/watchdog/armada_37xx_wdt.c                 |   2 +
 drivers/watchdog/f71808e_wdt.c                     |   4 +-
 drivers/watchdog/sp5100_tco.c                      |   1 +
 drivers/xen/Kconfig                                |   9 +
 drivers/xen/grant-dma-ops.c                        |  10 +
 fs/Makefile                                        |   2 -
 fs/attr.c                                          |   2 +
 fs/btrfs/block-group.c                             |  29 +-
 fs/btrfs/ctree.h                                   |  34 +-
 fs/btrfs/delalloc-space.c                          |   6 +-
 fs/btrfs/disk-io.c                                 |  38 +-
 fs/btrfs/extent-tree.c                             |  71 +-
 fs/btrfs/extent_io.c                               |   4 +-
 fs/btrfs/file.c                                    |   2 +-
 fs/btrfs/inode.c                                   | 177 ++++-
 fs/btrfs/raid56.c                                  |  26 +-
 fs/btrfs/space-info.c                              | 108 ++-
 fs/btrfs/space-info.h                              |   8 +-
 fs/btrfs/tree-log.c                                |  27 +-
 fs/btrfs/tree-log.h                                |   3 +
 fs/btrfs/volumes.c                                 |  28 +-
 fs/btrfs/zoned.c                                   | 125 +++
 fs/btrfs/zoned.h                                   |  18 +
 fs/cifs/cifsglob.h                                 |   4 +-
 fs/cifs/file.c                                     |  34 +-
 fs/erofs/decompressor.c                            |  16 +-
 fs/erofs/decompressor_lzma.c                       |   1 +
 fs/erofs/dir.c                                     |  16 +-
 fs/eventpoll.c                                     |  22 +
 fs/exec.c                                          |   3 +
 fs/ext2/super.c                                    |  12 +-
 fs/ext4/ext4.h                                     |   1 +
 fs/ext4/inline.c                                   |  33 +
 fs/ext4/inode.c                                    |  24 +-
 fs/ext4/migrate.c                                  |   4 +-
 fs/ext4/namei.c                                    |  23 +
 fs/ext4/resize.c                                   |   1 +
 fs/ext4/symlink.c                                  |  15 +
 fs/ext4/xattr.c                                    | 168 ++--
 fs/ext4/xattr.h                                    |  14 +
 fs/f2fs/data.c                                     |   7 +-
 fs/f2fs/f2fs.h                                     |   2 +-
 fs/f2fs/file.c                                     |  19 +-
 fs/fuse/control.c                                  |   4 +-
 fs/fuse/dir.c                                      |   7 +-
 fs/fuse/file.c                                     |  39 +-
 fs/fuse/inode.c                                    |   6 +
 fs/fuse/ioctl.c                                    |  15 +-
 fs/jbd2/commit.c                                   |   2 +-
 fs/jbd2/transaction.c                              |  14 +-
 fs/kernfs/dir.c                                    |   7 +-
 fs/ksmbd/smb2misc.c                                |  12 +-
 fs/ksmbd/smb2pdu.c                                 |  52 +-
 fs/ksmbd/smbacl.c                                  | 130 +++-
 fs/ksmbd/smbacl.h                                  |   2 +-
 fs/ksmbd/vfs.c                                     |   5 +
 fs/lockd/svc4proc.c                                |   8 +
 fs/lockd/xdr4.c                                    |  19 +-
 fs/mbcache.c                                       |  76 +-
 fs/namei.c                                         |   4 +
 fs/nfs/flexfilelayout/flexfilelayout.c             |   4 +
 fs/nfs/nfs3client.c                                |   1 -
 fs/nfsd/filecache.c                                |  22 +-
 fs/nfsd/filecache.h                                |   4 +-
 fs/nfsd/trace.h                                    |   2 -
 fs/overlayfs/export.c                              |   2 +-
 fs/proc/base.c                                     |  46 +-
 fs/splice.c                                        |  10 +-
 include/acpi/cppc_acpi.h                           |   2 +-
 include/crypto/internal/blake2s.h                  | 108 ---
 include/dt-bindings/clock/qcom,gcc-msm8939.h       |   1 +
 include/linux/acpi_viot.h                          |   2 +
 include/linux/blkdev.h                             |   5 +
 include/linux/bpf.h                                |   1 -
 include/linux/buffer_head.h                        |  25 +-
 include/linux/cpumask.h                            |  18 +
 include/linux/device-mapper.h                      |   6 +
 include/linux/energy_model.h                       |  54 +-
 include/linux/filter.h                             |   9 +
 include/linux/hugetlb.h                            |   6 +-
 include/linux/ieee80211.h                          |   3 +
 include/linux/iio/common/cros_ec_sensors_core.h    |   7 +-
 include/linux/iio/iio.h                            |  10 +-
 include/linux/kexec.h                              |  45 +-
 include/linux/kfifo.h                              |   2 +-
 include/linux/kvm_types.h                          |   2 +
 include/linux/lockd/xdr.h                          |   2 +
 include/linux/lockdep.h                            |  30 +-
 include/linux/mbcache.h                            |  10 +-
 include/linux/mdev.h                               |   5 -
 include/linux/mfd/t7l66xb.h                        |   1 -
 include/linux/once_lite.h                          |  20 +-
 include/linux/pipe_fs_i.h                          |   9 +
 include/linux/platform-feature.h                   |   6 +-
 include/linux/rmap.h                               |   4 +-
 include/linux/sched.h                              |   2 +-
 include/linux/sched/rt.h                           |   8 -
 include/linux/sched/topology.h                     |   1 +
 include/linux/soundwire/sdw.h                      |   6 +-
 include/linux/swapops.h                            |  12 +-
 include/linux/tpm_eventlog.h                       |   2 +-
 include/linux/trace_events.h                       |  18 +
 include/linux/usb/hcd.h                            |   1 +
 include/linux/vfio.h                               |  30 +-
 include/linux/virtio_anchor.h                      |  19 +
 include/linux/wait.h                               |   9 +-
 include/media/hevc-ctrls.h                         |   4 +-
 include/net/9p/client.h                            |   8 +-
 include/net/ax25.h                                 |   1 +
 include/net/bluetooth/hci.h                        |   1 +
 include/net/cfg80211.h                             |  99 ++-
 include/net/inet6_hashtables.h                     |   7 +-
 include/net/inet_hashtables.h                      |  19 +-
 include/net/inet_sock.h                            |  11 +
 include/net/ip_tunnels.h                           |   1 +
 include/net/mac80211.h                             |  40 +-
 include/net/netfilter/nf_tables.h                  |   9 +-
 include/net/pkt_sched.h                            |  17 +
 include/net/raw.h                                  |  16 +-
 include/net/rawv6.h                                |   7 +-
 include/net/sock.h                                 |  12 +-
 include/net/xdp_sock_drv.h                         |  11 +
 include/scsi/libiscsi.h                            |   2 +-
 include/scsi/scsi_transport_iscsi.h                |   1 +
 include/soc/mscc/ocelot.h                          |   6 +
 include/trace/events/io_uring.h                    |   2 +-
 include/trace/events/spmi.h                        |  12 +-
 include/trace/stages/stage1_struct_define.h        |   3 +
 include/trace/stages/stage2_data_offsets.h         |   3 +
 include/trace/stages/stage4_event_fields.h         |  11 +-
 include/trace/stages/stage5_get_offsets.h          |   4 +
 include/trace/stages/stage6_event_callback.h       |  12 +
 include/uapi/linux/can/error.h                     |   5 +-
 include/uapi/linux/dm-ioctl.h                      |   4 +-
 include/uapi/linux/netfilter/xt_IDLETIMER.h        |  17 +-
 include/uapi/linux/nl80211.h                       |  28 +
 include/xen/xen-ops.h                              |   9 +
 include/xen/xen.h                                  |   8 -
 init/main.c                                        |   1 +
 io_uring/Makefile                                  |   6 +
 {fs => io_uring}/io-wq.c                           |   0
 {fs => io_uring}/io-wq.h                           |   0
 {fs => io_uring}/io_uring.c                        | 844 +++++++++------------
 kernel/bpf/arraymap.c                              |  20 +-
 kernel/bpf/cgroup.c                                |  70 +-
 kernel/bpf/core.c                                  |  35 +-
 kernel/bpf/verifier.c                              |   7 +-
 kernel/cgroup/cpuset.c                             |   2 +-
 kernel/dma/swiotlb.c                               |   2 +-
 kernel/irq/Kconfig                                 |   1 +
 kernel/irq/chip.c                                  |   3 +-
 kernel/irq/irqdomain.c                             |   2 +
 kernel/kexec_file.c                                |  66 +-
 kernel/kprobes.c                                   |   3 +-
 kernel/locking/lockdep.c                           |   7 +-
 kernel/power/energy_model.c                        |  24 +-
 kernel/power/user.c                                |  13 +-
 kernel/profile.c                                   |   7 +
 kernel/rcu/rcutorture.c                            |  28 +-
 kernel/sched/core.c                                | 190 +++--
 kernel/sched/fair.c                                | 142 +++-
 kernel/sched/features.h                            |   3 +-
 kernel/sched/rt.c                                  |  15 +-
 kernel/sched/sched.h                               |   1 -
 kernel/smp.c                                       |   4 +-
 kernel/time/hrtimer.c                              |   1 +
 kernel/time/timekeeping.c                          |   7 +-
 kernel/trace/blktrace.c                            |   2 +-
 lib/bitmap.c                                       |   2 +-
 lib/crypto/blake2s-selftest.c                      |  41 +
 lib/crypto/blake2s.c                               |  37 +-
 lib/iov_iter.c                                     |  15 +-
 lib/kunit/executor.c                               |   4 +-
 lib/livepatch/test_klp_callbacks_busy.c            |   8 +
 lib/overflow_kunit.c                               |   6 +
 lib/smp_processor_id.c                             |   2 +-
 lib/test_bpf.c                                     |   4 +-
 lib/test_hmm.c                                     |  10 +-
 lib/test_kasan.c                                   |  10 +
 mm/damon/reclaim.c                                 |   4 +-
 mm/gup.c                                           |   2 +-
 mm/huge_memory.c                                   |  11 +-
 mm/hugetlb.c                                       |  15 +-
 mm/hugetlb_cgroup.c                                |   1 +
 mm/kasan/hw_tags.c                                 |  32 +-
 mm/memory-failure.c                                |   2 +-
 mm/memory_hotplug.c                                |   2 +-
 mm/mempolicy.c                                     |   4 +-
 mm/memremap.c                                      |   2 +-
 mm/migrate.c                                       |  30 +-
 mm/mmap.c                                          |   1 -
 mm/percpu.c                                        |   6 +-
 mm/usercopy.c                                      |   2 +-
 mm/vmalloc.c                                       |  10 +-
 net/9p/client.c                                    |  36 +-
 net/9p/trans_fd.c                                  |  13 +-
 net/9p/trans_rdma.c                                |   2 +-
 net/9p/trans_virtio.c                              |   4 +-
 net/9p/trans_xen.c                                 |   2 +-
 net/ax25/af_ax25.c                                 |   4 +-
 net/batman-adv/trace.h                             |   9 +-
 net/bluetooth/hci_core.c                           |  10 +-
 net/bluetooth/hci_event.c                          |   5 +-
 net/bluetooth/hci_sync.c                           |   8 +-
 net/bluetooth/l2cap_core.c                         |  13 +-
 net/bluetooth/mgmt.c                               |  10 +-
 net/core/filter.c                                  |   3 +-
 net/core/skmsg.c                                   |   4 +-
 net/dccp/proto.c                                   |  10 +-
 net/ipv4/af_inet.c                                 |   2 +
 net/ipv4/ping.c                                    |  36 +-
 net/ipv4/raw.c                                     | 164 ++--
 net/ipv4/raw_diag.c                                |  53 +-
 net/ipv4/tcp.c                                     |  33 +-
 net/ipv4/tcp_output.c                              |  30 +-
 net/ipv6/af_inet6.c                                |   3 +
 net/ipv6/raw.c                                     | 120 ++-
 net/mac80211/airtime.c                             |   4 +-
 net/mac80211/cfg.c                                 |  48 +-
 net/mac80211/chan.c                                |  39 +-
 net/mac80211/driver-ops.h                          |   2 +-
 net/mac80211/ethtool.c                             |   4 +-
 net/mac80211/ibss.c                                |  10 +-
 net/mac80211/ieee80211_i.h                         |   6 +-
 net/mac80211/iface.c                               |   8 +-
 net/mac80211/key.c                                 |  18 +-
 net/mac80211/main.c                                |   4 +-
 net/mac80211/mesh.c                                |  14 +-
 net/mac80211/mlme.c                                |  44 +-
 net/mac80211/ocb.c                                 |   3 +-
 net/mac80211/offchannel.c                          |   6 +-
 net/mac80211/rate.c                                |   5 +-
 net/mac80211/rx.c                                  |   2 +-
 net/mac80211/sta_info.c                            |   4 +-
 net/mac80211/tdls.c                                |   6 +-
 net/mac80211/tx.c                                  |  28 +-
 net/mac80211/util.c                                |  16 +-
 net/mac80211/vht.c                                 |   6 +-
 net/mptcp/protocol.c                               |   3 +-
 net/netfilter/nf_tables_api.c                      | 100 +--
 net/netfilter/nft_bitwise.c                        |  66 +-
 net/netfilter/nft_cmp.c                            |  44 +-
 net/netfilter/nft_immediate.c                      |  22 +-
 net/netfilter/nft_range.c                          |  27 +-
 net/rose/af_rose.c                                 |  11 +-
 net/rose/rose_route.c                              |   2 +
 net/sched/cls_route.c                              |   2 +-
 net/wireless/ap.c                                  |  46 +-
 net/wireless/chan.c                                | 206 +++--
 net/wireless/core.c                                |  28 +-
 net/wireless/core.h                                |  13 +-
 net/wireless/ibss.c                                |  57 +-
 net/wireless/mesh.c                                |  31 +-
 net/wireless/mlme.c                                |  75 +-
 net/wireless/nl80211.c                             | 656 +++++++++++-----
 net/wireless/ocb.c                                 |   5 +-
 net/wireless/rdev-ops.h                            |  32 +-
 net/wireless/reg.c                                 | 139 ++--
 net/wireless/scan.c                                |   8 +-
 net/wireless/sme.c                                 | 102 +--
 net/wireless/trace.h                               |  86 ++-
 net/wireless/util.c                                |  44 +-
 net/wireless/wext-compat.c                         |  48 +-
 net/wireless/wext-sme.c                            |  29 +-
 samples/bpf/xdp_router_ipv4.bpf.c                  |   9 +
 scripts/faddr2line                                 |   4 +-
 scripts/gdb/linux/dmesg.py                         |   9 +-
 scripts/gdb/linux/utils.py                         |  14 +-
 security/selinux/ss/policydb.h                     |   2 +
 security/selinux/ss/services.c                     |   9 +-
 sound/pci/hda/patch_cirrus.c                       |   1 +
 sound/pci/hda/patch_conexant.c                     |  11 +-
 sound/pci/hda/patch_realtek.c                      | 124 +++
 sound/soc/amd/yc/acp6x-mach.c                      |  32 +-
 sound/soc/amd/yc/pci-acp6x.c                       |   2 +-
 sound/soc/atmel/mchp-spdifrx.c                     |   9 +-
 sound/soc/codecs/cros_ec_codec.c                   |   1 +
 sound/soc/codecs/cs35l45.c                         |   2 +
 sound/soc/codecs/da7210.c                          |   2 +
 sound/soc/codecs/max98390.c                        |   2 +-
 sound/soc/codecs/msm8916-wcd-digital.c             |  46 +-
 sound/soc/codecs/mt6359-accdet.c                   |   1 +
 sound/soc/codecs/mt6359.c                          |   1 +
 sound/soc/codecs/wcd9335.c                         |  81 +-
 sound/soc/codecs/wsa881x.c                         |  10 +-
 sound/soc/fsl/fsl-asoc-card.c                      |   5 +-
 sound/soc/fsl/fsl_asrc.c                           |   6 +-
 sound/soc/fsl/fsl_easrc.c                          |   9 +-
 sound/soc/fsl/fsl_easrc.h                          |   2 +-
 sound/soc/fsl/imx-audmux.c                         |   2 +-
 sound/soc/fsl/imx-card.c                           |  22 +-
 sound/soc/generic/audio-graph-card.c               |   4 +-
 sound/soc/generic/audio-graph-card2.c              |  44 +-
 sound/soc/intel/boards/sof_rt5682.c                |  18 +-
 sound/soc/mediatek/mt6797/mt6797-mt6351.c          |   6 +-
 sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c   |  10 +-
 sound/soc/mediatek/mt8173/mt8173-rt5650.c          |   9 +-
 sound/soc/qcom/lpass-cpu.c                         |   1 +
 sound/soc/qcom/qdsp6/q6adm.c                       |   2 +-
 sound/soc/samsung/aries_wm8994.c                   |   6 +-
 sound/soc/samsung/h1940_uda1380.c                  |   2 +-
 sound/soc/samsung/rx1950_uda1380.c                 |   4 +-
 sound/soc/soc-core.c                               |  18 +-
 sound/soc/sof/ipc3-topology.c                      |   1 +
 sound/soc/sof/mediatek/mt8195/mt8195-loader.c      |   2 +-
 sound/soc/sof/sof-client-ipc-msg-injector.c        |  29 +-
 sound/soc/sof/sof-priv.h                           |   4 +-
 sound/usb/bcd2000/bcd2000.c                        |   3 +-
 sound/usb/quirks.c                                 |   2 +
 tools/lib/bpf/bpf_tracing.h                        |   2 +-
 tools/lib/bpf/gen_loader.c                         |   2 +-
 tools/lib/bpf/libbpf.c                             | 154 ++--
 tools/lib/bpf/libbpf_internal.h                    |  11 +-
 tools/lib/bpf/linker.c                             |   5 -
 tools/lib/bpf/usdt.c                               | 123 +--
 tools/lib/bpf/xsk.c                                |   9 +-
 tools/perf/builtin-stat.c                          |  30 -
 tools/perf/tests/shell/stat+csv_output.sh          |   7 +-
 tools/perf/util/dsos.c                             |  15 +-
 tools/perf/util/genelf.c                           |   6 +-
 tools/perf/util/symbol-elf.c                       |  27 +-
 tools/power/x86/intel-speed-select/isst-daemon.c   |   2 +-
 tools/power/x86/turbostat/turbostat.c              |   2 +-
 tools/testing/selftests/bpf/Makefile               |  21 +-
 tools/testing/selftests/bpf/prog_tests/btf.c       |   2 +-
 .../selftests/bpf/prog_tests/fexit_stress.c        |  32 +-
 .../testing/selftests/bpf/prog_tests/sock_fields.c |   1 -
 .../testing/selftests/bpf/prog_tests/tc_redirect.c |   8 +-
 tools/testing/selftests/bpf/progs/test_tc_dtime.c  |  53 +-
 .../selftests/kvm/lib/s390x/diag318_test_handler.c |   9 +-
 tools/testing/selftests/kvm/lib/x86_64/processor.c |   2 +-
 .../testing/selftests/kvm/max_guest_memory_test.c  |  26 +-
 tools/testing/selftests/net/fib_rule_tests.sh      |  23 +
 tools/testing/selftests/powerpc/math/mma.S         |   3 +
 .../selftests/powerpc/papr_attributes/attr_test.c  |  30 +-
 tools/testing/selftests/rcutorture/bin/kvm.sh      |   6 +-
 tools/testing/selftests/seccomp/seccomp_bpf.c      |   2 +-
 .../testing/selftests/timers/clocksource-switch.c  |   6 +-
 tools/testing/selftests/timers/valid-adjtimex.c    |   2 +-
 tools/testing/selftests/vm/hugepage-mremap.c       |   2 +-
 tools/testing/selftests/vm/hugetlb-madvise.c       |   5 +-
 tools/testing/selftests/vm/mrelease_test.c         |  16 +-
 .../selftests/wireguard/qemu/arch/riscv32.config   |   1 +
 tools/thermal/tmon/sysfs.c                         |  24 +-
 tools/thermal/tmon/tmon.h                          |   3 +
 tools/tracing/rtla/Makefile                        |   2 +-
 tools/tracing/rtla/src/trace.c                     |   9 +-
 tools/tracing/rtla/src/utils.c                     |   5 +-
 virt/kvm/kvm_main.c                                |  25 +-
 virt/kvm/pfncache.c                                | 207 +++--
 1280 files changed, 15051 insertions(+), 9078 deletions(-)




* [PATCH 5.19 0001/1157] Makefile: link with -z noexecstack --no-warn-rwx-segments
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0002/1157] x86: link vdso and boot " Greg Kroah-Hartman
                   ` (992 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fangrui Song, Nick Desaulniers,
	Linus Torvalds, Jens Axboe

From: Nick Desaulniers <ndesaulniers@google.com>

commit 0d362be5b14200b77ecc2127936a5ff82fbffe41 upstream.

Users of GNU ld (BFD) from binutils 2.39+ will observe multiple
instances of a new warning when linking kernels in the form:

  ld: warning: vmlinux: missing .note.GNU-stack section implies executable stack
  ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
  ld: warning: vmlinux has a LOAD segment with RWX permissions

Generally, we would like to avoid the stack being executable.  Because
there could be a need for the stack to be executable, assembler sources
have to opt-in to this security feature via explicit creation of the
.note.GNU-stack feature (which compilers create by default) or command
line flag --noexecstack.  Or we can simply tell the linker the
production of such sections is irrelevant and to link the stack as
--noexecstack.

LLVM's LLD linker defaults to -z noexecstack, so this flag isn't
strictly necessary when linking with LLD, only BFD, but it doesn't hurt
to be explicit here for all linkers IMO.  --no-warn-rwx-segments is
currently BFD specific and only available in the current latest release,
so it's wrapped in an ld-option check.

While the kernel makes extensive usage of ELF sections, it doesn't use
permissions from ELF segments.

Link: https://lore.kernel.org/linux-block/3af4127a-f453-4cf7-f133-a181cce06f73@kernel.dk/
Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
Link: https://github.com/llvm/llvm-project/issues/57009
Reported-and-tested-by: Jens Axboe <axboe@kernel.dk>
Suggested-by: Fangrui Song <maskray@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Makefile |    5 +++++
 1 file changed, 5 insertions(+)

--- a/Makefile
+++ b/Makefile
@@ -1033,6 +1033,11 @@ KBUILD_CFLAGS   += $(KCFLAGS)
 KBUILD_LDFLAGS_MODULE += --build-id=sha1
 LDFLAGS_vmlinux += --build-id=sha1
 
+KBUILD_LDFLAGS	+= -z noexecstack
+ifeq ($(CONFIG_LD_IS_BFD),y)
+KBUILD_LDFLAGS	+= $(call ld-option,--no-warn-rwx-segments)
+endif
+
 ifeq ($(CONFIG_STRIP_ASM_SYMS),y)
 LDFLAGS_vmlinux	+= $(call ld-option, -X,)
 endif
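
Review bot: the added --no-warn-rwx-segments line silences the "LOAD segment with RWX permissions" warning instead of removing the RWX segment, and nothing in the Makefile says why that is acceptable. The commit message gives the reason (the kernel does not use permissions from ELF segments); a one-line comment above the ifeq ($(CONFIG_LD_IS_BFD),y) block stating that would keep a later reader from treating the suppression as an oversight. It would also help to note there that -z noexecstack is deliberately added without an ld-option probe, while the warning flag is probed because only recent BFD releases accept it.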




* [PATCH 5.19 0002/1157] x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0001/1157] Makefile: link with -z noexecstack --no-warn-rwx-segments Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0003/1157] Revert "pNFS: nfs3_set_ds_client should set NFS_CS_NOPING" Greg Kroah-Hartman
                   ` (991 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fangrui Song, Nick Desaulniers,
	Linus Torvalds, Jens Axboe

From: Nick Desaulniers <ndesaulniers@google.com>

commit ffcf9c5700e49c0aee42dcba9a12ba21338e8136 upstream.

Users of GNU ld (BFD) from binutils 2.39+ will observe multiple
instances of a new warning when linking kernels in the form:

  ld: warning: arch/x86/boot/pmjump.o: missing .note.GNU-stack section implies executable stack
  ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
  ld: warning: arch/x86/boot/compressed/vmlinux has a LOAD segment with RWX permissions

Generally, we would like to avoid the stack being executable.  Because
there could be a need for the stack to be executable, assembler sources
have to opt-in to this security feature via explicit creation of the
.note.GNU-stack feature (which compilers create by default) or command
line flag --noexecstack.  Or we can simply tell the linker the
production of such sections is irrelevant and to link the stack as
--noexecstack.

LLVM's LLD linker defaults to -z noexecstack, so this flag isn't
strictly necessary when linking with LLD, only BFD, but it doesn't hurt
to be explicit here for all linkers IMO.  --no-warn-rwx-segments is
currently BFD specific and only available in the current latest release,
so it's wrapped in an ld-option check.

While the kernel makes extensive usage of ELF sections, it doesn't use
permissions from ELF segments.

Link: https://lore.kernel.org/linux-block/3af4127a-f453-4cf7-f133-a181cce06f73@kernel.dk/
Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
Link: https://github.com/llvm/llvm-project/issues/57009
Reported-and-tested-by: Jens Axboe <axboe@kernel.dk>
Suggested-by: Fangrui Song <maskray@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/boot/Makefile            |    2 +-
 arch/x86/boot/compressed/Makefile |    4 ++++
 arch/x86/entry/vdso/Makefile      |    2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

--- a/arch/x86/boot/Makefile
+++ b/arch/x86/boot/Makefile
@@ -103,7 +103,7 @@ $(obj)/zoffset.h: $(obj)/compressed/vmli
 AFLAGS_header.o += -I$(objtree)/$(obj)
 $(obj)/header.o: $(obj)/zoffset.h
 
-LDFLAGS_setup.elf	:= -m elf_i386 -T
+LDFLAGS_setup.elf	:= -m elf_i386 -z noexecstack -T
 $(obj)/setup.elf: $(src)/setup.ld $(SETUP_OBJS) FORCE
 	$(call if_changed,ld)
 
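
Review bot: LDFLAGS_setup.elf gets -z noexecstack but not the --no-warn-rwx-segments probe that the compressed/Makefile hunk of this same patch adds for its vmlinux. The warning quoted in the commit message names arch/x86/boot/compressed/vmlinux only; if setup.elf can also be linked with an RWX LOAD segment under binutils 2.39+, the warning will still be printed for it, and if it cannot, the commit message should say so to explain the asymmetry.
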
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -69,6 +69,10 @@ LDFLAGS_vmlinux := -pie $(call ld-option
 ifdef CONFIG_LD_ORPHAN_WARN
 LDFLAGS_vmlinux += --orphan-handling=warn
 endif
+LDFLAGS_vmlinux += -z noexecstack
+ifeq ($(CONFIG_LD_IS_BFD),y)
+LDFLAGS_vmlinux += $(call ld-option,--no-warn-rwx-segments)
+endif
 LDFLAGS_vmlinux += -T
 
 hostprogs	:= mkpiggy
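
Review bot: the four added lines have to stay above "LDFLAGS_vmlinux += -T", because -T must remain the last flag so that it takes the linker script as its argument, and nothing here tells the next person who appends a flag. A short comment above the -T line would document that. The block is also a copy of the one patch 0001 adds to the top-level Makefile; a pointer to that block and to the reason the RWX warning is suppressed would keep the two from drifting apart.
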
--- a/arch/x86/entry/vdso/Makefile
+++ b/arch/x86/entry/vdso/Makefile
@@ -180,7 +180,7 @@ quiet_cmd_vdso = VDSO    $@
 		 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
 
 VDSO_LDFLAGS = -shared --hash-style=both --build-id=sha1 \
-	$(call ld-option, --eh-frame-hdr) -Bsymbolic
+	$(call ld-option, --eh-frame-hdr) -Bsymbolic -z noexecstack
 GCOV_PROFILE := n
 
 quiet_cmd_vdso_and_check = VDSO    $@




* [PATCH 5.19 0003/1157] Revert "pNFS: nfs3_set_ds_client should set NFS_CS_NOPING"
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0001/1157] Makefile: link with -z noexecstack --no-warn-rwx-segments Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0002/1157] x86: link vdso and boot " Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0004/1157] scsi: Revert "scsi: qla2xxx: Fix disk failure to rediscover" Greg Kroah-Hartman
                   ` (990 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit 9597152d98840c2517230740952df97cfcc07e2f upstream.

This reverts commit c6eb58435b98bd843d3179664a0195ff25adb2c3.
If a transport is down, then we want to fail over to other transports if
they are listed in the GETDEVICEINFO reply.

Fixes: c6eb58435b98 ("pNFS: nfs3_set_ds_client should set NFS_CS_NOPING")
Cc: stable@vger.kernel.org # 5.11.x
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfs/nfs3client.c |    1 -
 1 file changed, 1 deletion(-)

--- a/fs/nfs/nfs3client.c
+++ b/fs/nfs/nfs3client.c
@@ -108,7 +108,6 @@ struct nfs_client *nfs3_set_ds_client(st
 	if (mds_srv->flags & NFS_MOUNT_NORESVPORT)
 		__set_bit(NFS_CS_NORESVPORT, &cl_init.init_flags);
 
-	__set_bit(NFS_CS_NOPING, &cl_init.init_flags);
 	__set_bit(NFS_CS_DS, &cl_init.init_flags);
 
 	/* Use the MDS nfs_client cl_ipaddr. */
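
Review bot: removing the __set_bit(NFS_CS_NOPING, &cl_init.init_flags) line leaves nothing at this spot in nfs3_set_ds_client() to say that the ping is wanted. The flag was added once and is now reverted, so a short comment next to the NFS_CS_DS line, along the lines of the commit message (a transport that is down has to be noticed so the client can fail over to the other transports listed in the GETDEVICEINFO reply), would keep it from being reintroduced.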




* [PATCH 5.19 0004/1157] scsi: Revert "scsi: qla2xxx: Fix disk failure to rediscover"
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0003/1157] Revert "pNFS: nfs3_set_ds_client should set NFS_CS_NOPING" Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0005/1157] pNFS/flexfiles: Report RDMA connection errors to the server Greg Kroah-Hartman
                   ` (989 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Himanshu Madhani, Nilesh Javali,
	Martin K. Petersen

From: Nilesh Javali <njavali@marvell.com>

commit 5bc7b01c513a4a9b4cfe306e8d1720cfcfd3b8a3 upstream.

This fixes the regression of NVMe discovery failure during driver load
time.

This reverts commit 6a45c8e137d4e2c72eecf1ac7cf64f2fdfcead99.

Link: https://lore.kernel.org/r/20220713052045.10683-2-njavali@marvell.com
Cc: stable@vger.kernel.org
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/qla2xxx/qla_init.c |    5 ++---
 drivers/scsi/qla2xxx/qla_nvme.c |    5 -----
 2 files changed, 2 insertions(+), 8 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -5767,8 +5767,6 @@ qla2x00_reg_remote_port(scsi_qla_host_t
 	if (atomic_read(&fcport->state) == FCS_ONLINE)
 		return;
 
-	qla2x00_set_fcport_state(fcport, FCS_ONLINE);
-
 	rport_ids.node_name = wwn_to_u64(fcport->node_name);
 	rport_ids.port_name = wwn_to_u64(fcport->port_name);
 	rport_ids.port_id = fcport->d_id.b.domain << 16 |
@@ -5869,7 +5867,6 @@ qla2x00_update_fcport(scsi_qla_host_t *v
 		qla2x00_reg_remote_port(vha, fcport);
 		break;
 	case MODE_TARGET:
-		qla2x00_set_fcport_state(fcport, FCS_ONLINE);
 		if (!vha->vha_tgt.qla_tgt->tgt_stop &&
 			!vha->vha_tgt.qla_tgt->tgt_stopped)
 			qlt_fc_port_added(vha, fcport);
@@ -5887,6 +5884,8 @@ qla2x00_update_fcport(scsi_qla_host_t *v
 	if (NVME_TARGET(vha->hw, fcport))
 		qla_nvme_register_remote(vha, fcport);
 
+	qla2x00_set_fcport_state(fcport, FCS_ONLINE);
+
 	if (IS_IIDMA_CAPABLE(vha->hw) && vha->hw->flags.gpsc_supported) {
 		if (fcport->id_changed) {
 			fcport->id_changed = 0;
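
Review bot: the re-added qla2x00_set_fcport_state(fcport, FCS_ONLINE) runs directly after qla_nvme_register_remote(vha, fcport) without looking at what that call returned, so the port is marked online whatever the outcome of the NVMe registration. qla_nvme_register_remote() is declared int in the qla_nvme.c hunk of this patch; either check the result here or add a comment that the port state deliberately does not depend on it.
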
--- a/drivers/scsi/qla2xxx/qla_nvme.c
+++ b/drivers/scsi/qla2xxx/qla_nvme.c
@@ -37,11 +37,6 @@ int qla_nvme_register_remote(struct scsi
 		(fcport->nvme_flag & NVME_FLAG_REGISTERED))
 		return 0;
 
-	if (atomic_read(&fcport->state) == FCS_ONLINE)
-		return 0;
-
-	qla2x00_set_fcport_state(fcport, FCS_ONLINE);
-
 	fcport->nvme_flag &= ~NVME_FLAG_RESETTING;
 
 	memset(&req, 0, sizeof(struct nvme_fc_port_info));




* [PATCH 5.19 0005/1157] pNFS/flexfiles: Report RDMA connection errors to the server
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0004/1157] scsi: Revert "scsi: qla2xxx: Fix disk failure to rediscover" Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0006/1157] nfsd: eliminate the NFSD_FILE_BREAK_* flags Greg Kroah-Hartman
                   ` (988 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit 7836d75467e9d214bdf5c693b32721de729a6e38 upstream.

The RPC/RDMA driver will return -EPROTO and -ENODEV as connection errors
under certain circumstances. Make sure that we handle them and report
them to the server. If not, we can end up cycling forever in a
LAYOUTGET/LAYOUTRETURN loop.

Fixes: a12f996d3413 ("NFSv4/pNFS: Use connections to a DS that are all of the same protocol family")
Cc: stable@vger.kernel.org # 5.11.x
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfs/flexfilelayout/flexfilelayout.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/nfs/flexfilelayout/flexfilelayout.c
+++ b/fs/nfs/flexfilelayout/flexfilelayout.c
@@ -1131,6 +1131,8 @@ static int ff_layout_async_handle_error_
 	case -EIO:
 	case -ETIMEDOUT:
 	case -EPIPE:
+	case -EPROTO:
+	case -ENODEV:
 		dprintk("%s DS connection error %d\n", __func__,
 			task->tk_status);
 		nfs4_delete_deviceid(devid->ld, devid->nfs_client,
@@ -1236,6 +1238,8 @@ static void ff_layout_io_track_ds_error(
 		case -ENOBUFS:
 		case -EPIPE:
 		case -EPERM:
+		case -EPROTO:
+		case -ENODEV:
 			*op_status = status = NFS4ERR_NXIO;
 			break;
 		case -EACCES:
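
Review bot: -EPROTO and -ENODEV have to be added by hand to two separate switch statements, here in ff_layout_io_track_ds_error() and in the first hunk, and the neighbouring cases visible in the two lists already differ (-EIO, -ETIMEDOUT, -EPIPE there; -ENOBUFS, -EPIPE, -EPERM here). An errno that is treated as a connection error in one place and missed in the other is the kind of gap the commit message describes, so consider a single helper or macro that both switches use to classify DS connection errors, or at least a comment in each pointing at the other.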




* [PATCH 5.19 0006/1157] nfsd: eliminate the NFSD_FILE_BREAK_* flags
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0005/1157] pNFS/flexfiles: Report RDMA connection errors to the server Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0007/1157] ALSA: usb-audio: Add quirk for Behringer UMC202HD Greg Kroah-Hartman
                   ` (987 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Olga Kornieskaia, Jeff Layton, Chuck Lever

From: Jeff Layton <jlayton@kernel.org>

commit 23ba98de6dcec665e15c0ca19244379bb0d30932 upstream.

We had a report from the spring Bake-a-thon of data corruption in some
nfstest_interop tests. Looking at the traces showed the NFS server
allowing a v3 WRITE to proceed while a read delegation was still
outstanding.

Currently, we only set NFSD_FILE_BREAK_* flags if
NFSD_MAY_NOT_BREAK_LEASE was set when we call nfsd_file_alloc.
NFSD_MAY_NOT_BREAK_LEASE was intended to be set when finding files for
COMMIT ops, where we need a writeable filehandle but don't need to
break read leases.

It doesn't make any sense to consult that flag when allocating a file
since the file may be used on subsequent calls where we do want to break
the lease (and the usage of it here seems to be reverse from what it
should be anyway).

Also, after calling nfsd_open_break_lease, we don't want to clear the
BREAK_* bits. A lease could end up being set on it later (more than
once) and we need to be able to break those leases as well.

This means that the NFSD_FILE_BREAK_* flags now just mirror
NFSD_MAY_{READ,WRITE} flags, so there's no need for them at all. Just
drop those flags and unconditionally call nfsd_open_break_lease every
time.

Reported-by: Olga Kornieskaia <kolga@netapp.com>
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2107360
Fixes: 65294c1f2c5e (nfsd: add a new struct file caching facility to nfsd)
Cc: <stable@vger.kernel.org> # 5.4.x : bb283ca18d1e NFSD: Clean up the show_nf_flags() macro
Cc: <stable@vger.kernel.org> # 5.4.x
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfsd/filecache.c |   22 +---------------------
 fs/nfsd/filecache.h |    4 +---
 fs/nfsd/trace.h     |    2 --
 3 files changed, 2 insertions(+), 26 deletions(-)

--- a/fs/nfsd/filecache.c
+++ b/fs/nfsd/filecache.c
@@ -184,12 +184,6 @@ nfsd_file_alloc(struct inode *inode, uns
 		nf->nf_hashval = hashval;
 		refcount_set(&nf->nf_ref, 1);
 		nf->nf_may = may & NFSD_FILE_MAY_MASK;
-		if (may & NFSD_MAY_NOT_BREAK_LEASE) {
-			if (may & NFSD_MAY_WRITE)
-				__set_bit(NFSD_FILE_BREAK_WRITE, &nf->nf_flags);
-			if (may & NFSD_MAY_READ)
-				__set_bit(NFSD_FILE_BREAK_READ, &nf->nf_flags);
-		}
 		nf->nf_mark = NULL;
 		trace_nfsd_file_alloc(nf);
 	}
@@ -958,21 +952,7 @@ wait_for_construction:
 
 	this_cpu_inc(nfsd_file_cache_hits);
 
-	if (!(may_flags & NFSD_MAY_NOT_BREAK_LEASE)) {
-		bool write = (may_flags & NFSD_MAY_WRITE);
-
-		if (test_bit(NFSD_FILE_BREAK_READ, &nf->nf_flags) ||
-		    (test_bit(NFSD_FILE_BREAK_WRITE, &nf->nf_flags) && write)) {
-			status = nfserrno(nfsd_open_break_lease(
-					file_inode(nf->nf_file), may_flags));
-			if (status == nfs_ok) {
-				clear_bit(NFSD_FILE_BREAK_READ, &nf->nf_flags);
-				if (write)
-					clear_bit(NFSD_FILE_BREAK_WRITE,
-						  &nf->nf_flags);
-			}
-		}
-	}
+	status = nfserrno(nfsd_open_break_lease(file_inode(nf->nf_file), may_flags));
 out:
 	if (status == nfs_ok) {
 		*pnf = nf;
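
Review bot: with the caller-side test of NFSD_MAY_NOT_BREAK_LEASE removed, the new unconditional call nfsd_open_break_lease(file_inode(nf->nf_file), may_flags) is the only place left that can skip the lease break for COMMIT, so the patch depends on that function honouring NFSD_MAY_NOT_BREAK_LEASE in may_flags. The commit message does not say that it does; state it there or in a comment above the call. The added line also runs past 80 columns, where the removed code wrapped the same call.
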
--- a/fs/nfsd/filecache.h
+++ b/fs/nfsd/filecache.h
@@ -37,9 +37,7 @@ struct nfsd_file {
 	struct net		*nf_net;
 #define NFSD_FILE_HASHED	(0)
 #define NFSD_FILE_PENDING	(1)
-#define NFSD_FILE_BREAK_READ	(2)
-#define NFSD_FILE_BREAK_WRITE	(3)
-#define NFSD_FILE_REFERENCED	(4)
+#define NFSD_FILE_REFERENCED	(2)
 	unsigned long		nf_flags;
 	struct inode		*nf_inode;
 	unsigned int		nf_hashval;
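
Review bot: NFSD_FILE_REFERENCED moves from bit 4 to bit 2, so a raw nf_flags value captured before this patch and one captured after it decode differently. The trace.h hunk prints the flags by name, which covers the tracepoints, but the renumbering deserves a sentence in the commit message for anyone comparing raw values across a stable update.
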
--- a/fs/nfsd/trace.h
+++ b/fs/nfsd/trace.h
@@ -696,8 +696,6 @@ DEFINE_CLID_EVENT(confirmed_r);
 	__print_flags(val, "|",						\
 		{ 1 << NFSD_FILE_HASHED,	"HASHED" },		\
 		{ 1 << NFSD_FILE_PENDING,	"PENDING" },		\
-		{ 1 << NFSD_FILE_BREAK_READ,	"BREAK_READ" },		\
-		{ 1 << NFSD_FILE_BREAK_WRITE,	"BREAK_WRITE" },	\
 		{ 1 << NFSD_FILE_REFERENCED,	"REFERENCED"})
 
 DECLARE_EVENT_CLASS(nfsd_file_class,




* [PATCH 5.19 0007/1157] ALSA: usb-audio: Add quirk for Behringer UMC202HD
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0006/1157] nfsd: eliminate the NFSD_FILE_BREAK_* flags Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0008/1157] ALSA: bcd2000: Fix a UAF bug on the error path of probing Greg Kroah-Hartman
                   ` (986 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit e086c37f876fd1f551e2b4f9be97d4a1923cd219 upstream.

Just like other Behringer models, UMC202HD (USB ID 1397:0507) requires
the quirk for the stable streaming, too.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=215934
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220722143948.29804-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/quirks.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1843,6 +1843,8 @@ static const struct usb_audio_quirk_flag
 		   QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER),
 	DEVICE_FLG(0x1395, 0x740a, /* Sennheiser DECT */
 		   QUIRK_FLAG_GET_SAMPLE_RATE),
+	DEVICE_FLG(0x1397, 0x0507, /* Behringer UMC202HD */
+		   QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB),
 	DEVICE_FLG(0x1397, 0x0508, /* Behringer UMC204HD */
 		   QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB),
 	DEVICE_FLG(0x1397, 0x0509, /* Behringer UMC404HD */




* [PATCH 5.19 0008/1157] ALSA: bcd2000: Fix a UAF bug on the error path of probing
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0007/1157] ALSA: usb-audio: Add quirk for Behringer UMC202HD Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0009/1157] ALSA: hda/realtek: Add quirk for Clevo NV45PZ Greg Kroah-Hartman
                   ` (985 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zheyu Ma, Takashi Iwai

From: Zheyu Ma <zheyuma97@gmail.com>

commit ffb2759df7efbc00187bfd9d1072434a13a54139 upstream.

When the driver fails in snd_card_register() at probe time, it will free
the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug.

The following log can reveal it:

[   50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
[   50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0
[   50.729530] Call Trace:
[   50.732899]  bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]

Fix this by adding usb_kill_urb() before usb_free_urb().

Fixes: b47a22290d58 ("ALSA: MIDI driver for Behringer BCD2000 USB device")
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220715010515.2087925-1-zheyuma97@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/bcd2000/bcd2000.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/usb/bcd2000/bcd2000.c
+++ b/sound/usb/bcd2000/bcd2000.c
@@ -348,7 +348,8 @@ static int bcd2000_init_midi(struct bcd2
 static void bcd2000_free_usb_related_resources(struct bcd2000 *bcd2k,
 						struct usb_interface *interface)
 {
-	/* usb_kill_urb not necessary, urb is aborted automatically */
+	usb_kill_urb(bcd2k->midi_out_urb);
+	usb_kill_urb(bcd2k->midi_in_urb);
 
 	usb_free_urb(bcd2k->midi_out_urb);
 	usb_free_urb(bcd2k->midi_in_urb);
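
Review bot: the commit message names only bcd2k->midi_out_urb, but the KASAN report it quotes is in bcd2000_input_complete() and the hunk kills both midi_out_urb and midi_in_urb; the message should say that both URBs are covered and why. The deleted comment claimed the URB is aborted automatically and is removed without a replacement, so add a one-line comment that in-flight URBs are killed before usb_free_urb() to keep their completion handlers from touching freed memory. usb_kill_urb() can sleep, so the change also assumes bcd2000_free_usb_related_resources() is only reached from process context.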




* [PATCH 5.19 0009/1157] ALSA: hda/realtek: Add quirk for Clevo NV45PZ
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0008/1157] ALSA: bcd2000: Fix a UAF bug on the error path of probing Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0010/1157] ALSA: hda/realtek: Add quirk for HP Spectre x360 15-eb0xxx Greg Kroah-Hartman
                   ` (984 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tim Crawford, Takashi Iwai

From: Tim Crawford <tcrawford@system76.com>

commit be561ffad708f0cee18aee4231f80ffafaf7a419 upstream.

Fixes headset detection on Clevo NV45PZ.

Signed-off-by: Tim Crawford <tcrawford@system76.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220731032243.4300-1-tcrawford@system76.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9203,6 +9203,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x1558, 0x4018, "Clevo NV40M[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1558, 0x4019, "Clevo NV40MZ", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1558, 0x4020, "Clevo NV40MB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+	SND_PCI_QUIRK(0x1558, 0x4041, "Clevo NV4[15]PZ", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1558, 0x40a1, "Clevo NL40GU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1558, 0x40c1, "Clevo NL40[CZ]U", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1558, 0x40d1, "Clevo NL41DU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
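
Review bot: the new 0x1558:0x4041 entry uses ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE while every neighbouring Clevo entry in the hunk uses the ALC293_ variant, and its name string is "Clevo NV4[15]PZ" although the subject and commit message mention only the NV45PZ. If both are intended, the commit message should say why this board takes the ALC256 fixup and that the NV41PZ shares the subsystem ID.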




* [PATCH 5.19 0010/1157] ALSA: hda/realtek: Add quirk for HP Spectre x360 15-eb0xxx
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0009/1157] ALSA: hda/realtek: Add quirk for Clevo NV45PZ Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0011/1157] ALSA: hda/realtek: Add quirk for Lenovo Yoga9 14IAP7 Greg Kroah-Hartman
                   ` (983 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ivan Hasenkampf, Takashi Iwai

From: Ivan Hasenkampf <ivan.hasenkampf@gmail.com>

commit 24df5428ef9d1ca1edd54eca7eb667110f2dfae3 upstream.

Fixes speaker output on HP Spectre x360 15-eb0xxx

[ re-sorted in SSID order by tiwai ]

Signed-off-by: Ivan Hasenkampf <ivan.hasenkampf@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220803164001.290394-1-ivan.hasenkampf@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9044,6 +9044,8 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT),
 	SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED),
 	SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO),
+	SND_PCI_QUIRK(0x103c, 0x86e7, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
+	SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
 	SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
 	SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
 	SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED),
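
Review bot: both new entries (0x103c:0x86e7 and 0x103c:0x86e8) map an "HP Spectre x360 15-eb0xxx" to ALC285_FIXUP_HP_SPECTRE_X360_EB1, a fixup named for the eb1 model, and the commit message explains neither the reuse nor why two subsystem IDs carry the same name string. A sentence saying that the eb0 machines need the same fixup as the eb1, and what distinguishes the two IDs, would make the table entries verifiable.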




* [PATCH 5.19 0011/1157] ALSA: hda/realtek: Add quirk for Lenovo Yoga9 14IAP7
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0010/1157] ALSA: hda/realtek: Add quirk for HP Spectre x360 15-eb0xxx Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0012/1157] ASoC: amd: yc: Update DMI table entries Greg Kroah-Hartman
                   ` (982 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Philipp Jungkamp, Takashi Iwai

From: Philipp Jungkamp <p.jungkamp@gmx.net>

commit 3790a3d6dbbc48e30586e9c3fc752a00e2e11946 upstream.

The Lenovo Yoga 9 14IAP7 is set up similarly to the Thinkpad X1 7th and
8th Gen. It also has the speakers attached to NID 0x14 and the bass
speakers to NID 0x17, but here the codec misreports the NID 0x17 as
unconnected.

The pincfg and hda verbs connect and activate the bass speaker
amplifiers, but the generic driver will connect them to NID 0x06 which
has no volume control. Setting the connection list/preferred connections
is required to gain volume control.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208555
Signed-off-by: Philipp Jungkamp <p.jungkamp@gmx.net>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220729162103.6062-1-p.jungkamp@gmx.net
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |  109 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 109 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6787,6 +6787,43 @@ static void alc_fixup_dell4_mic_no_prese
 	}
 }
 
+static void alc287_fixup_yoga9_14iap7_bass_spk_pin(struct hda_codec *codec,
+					  const struct hda_fixup *fix, int action)
+{
+	/*
+	 * The Pin Complex 0x17 for the bass speakers is wrongly reported as
+	 * unconnected.
+	 */
+	static const struct hda_pintbl pincfgs[] = {
+		{ 0x17, 0x90170121 },
+		{ }
+	};
+	/*
+	 * Avoid DAC 0x06 and 0x08, as they have no volume controls.
+	 * DAC 0x02 and 0x03 would be fine.
+	 */
+	static const hda_nid_t conn[] = { 0x02, 0x03 };
+	/*
+	 * Prefer both speakerbar (0x14) and bass speakers (0x17) connected to DAC 0x02.
+	 * Headphones (0x21) are connected to DAC 0x03.
+	 */
+	static const hda_nid_t preferred_pairs[] = {
+		0x14, 0x02,
+		0x17, 0x02,
+		0x21, 0x03,
+		0
+	};
+	struct alc_spec *spec = codec->spec;
+
+	switch (action) {
+	case HDA_FIXUP_ACT_PRE_PROBE:
+		snd_hda_apply_pincfgs(codec, pincfgs);
+		snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn), conn);
+		spec->gen.preferred_dacs = preferred_pairs;
+		break;
+	}
+}
+
 enum {
 	ALC269_FIXUP_GPIO2,
 	ALC269_FIXUP_SONY_VAIO,
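Review bot: preferred_pairs in alc287_fixup_yoga9_14iap7_bass_spk_pin() also pins the headphone pin 0x21 to DAC 0x03, which the commit message never motivates; it only discusses the bass speaker pin 0x17. The comment above the array says what the pairing is but not why headphone routing has to change for a speaker fix, so please add that reason to the comment or the changelog. Minor style point in the same function: the switch has a single case and no default, so "if (action == HDA_FIXUP_ACT_PRE_PROBE)" would read more directly.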
@@ -7023,6 +7060,8 @@ enum {
 	ALC245_FIXUP_CS35L41_SPI_4_HP_GPIO_LED,
 	ALC285_FIXUP_HP_SPEAKERS_MICMUTE_LED,
 	ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE,
+	ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK,
+	ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN,
 };
 
 /* A special fixup for Lenovo C940 and Yoga Duet 7;
@@ -8865,6 +8904,74 @@ static const struct hda_fixup alc269_fix
 		.chained = true,
 		.chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC
 	},
+	[ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK] = {
+		.type = HDA_FIXUP_VERBS,
+		.v.verbs = (const struct hda_verb[]) {
+			// enable left speaker
+			{ 0x20, AC_VERB_SET_COEF_INDEX, 0x24 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x41 },
+
+			{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0xc },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x0 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x1a },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 },
+
+			{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0xf },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x0 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x42 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 },
+
+			{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x10 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x0 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x40 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 },
+
+			{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x2 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x0 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x0 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 },
+
+			// enable right speaker
+			{ 0x20, AC_VERB_SET_COEF_INDEX, 0x24 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x46 },
+
+			{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0xc },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x0 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x2a },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 },
+
+			{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0xf },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x0 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x46 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 },
+
+			{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x10 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x0 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x44 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 },
+
+			{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x2 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x0 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x0 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 },
+
+			{ },
+		},
+	},
+	[ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN] = {
+		.type = HDA_FIXUP_FUNC,
+		.v.func = alc287_fixup_yoga9_14iap7_bass_spk_pin,
+		.chained = true,
+		.chain_id = ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK,
+	},
 };
 
 static const struct snd_pci_quirk alc269_fixup_tbl[] = {
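Review bot: the ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK verb table is about fifty undocumented coefficient writes, and nothing in the hunk or the changelog says where the values come from or what the index 0x24 and 0x26 writes select. The left and right sequences are identical except for four values (0x41/0x46, 0x1a/0x2a, 0x42/0x46, 0x40/0x44), so a short comment stating the source of the sequence and what those differing values address would make the table reviewable and reusable. The "// enable left speaker" and "// enable right speaker" comments should also use the block comment style that the function added earlier in this same patch uses.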
@@ -9318,6 +9425,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x17aa, 0x3176, "ThinkCentre Station", ALC283_FIXUP_HEADSET_MIC),
 	SND_PCI_QUIRK(0x17aa, 0x3178, "ThinkCentre Station", ALC283_FIXUP_HEADSET_MIC),
 	SND_PCI_QUIRK(0x17aa, 0x31af, "ThinkCentre Station", ALC623_FIXUP_LENOVO_THINKSTATION_P340),
+	SND_PCI_QUIRK(0x17aa, 0x3801, "Lenovo Yoga9 14IAP7", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
 	SND_PCI_QUIRK(0x17aa, 0x3802, "Lenovo Yoga DuetITL 2021", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS),
 	SND_PCI_QUIRK(0x17aa, 0x3813, "Legion 7i 15IMHG05", ALC287_FIXUP_LEGION_15IMHG05_SPEAKERS),
 	SND_PCI_QUIRK(0x17aa, 0x3818, "Lenovo C940 / Yoga Duet 7", ALC298_FIXUP_LENOVO_C940_DUET7),
@@ -9563,6 +9671,7 @@ static const struct hda_model_fixup alc2
 	{.id = ALC285_FIXUP_HP_SPECTRE_X360, .name = "alc285-hp-spectre-x360"},
 	{.id = ALC285_FIXUP_HP_SPECTRE_X360_EB1, .name = "alc285-hp-spectre-x360-eb1"},
 	{.id = ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP, .name = "alc287-ideapad-bass-spk-amp"},
+	{.id = ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN, .name = "alc287-yoga9-bass-spk-pin"},
 	{.id = ALC623_FIXUP_LENOVO_THINKSTATION_P340, .name = "alc623-lenovo-thinkstation-p340"},
 	{.id = ALC255_FIXUP_ACER_HEADPHONE_AND_MIC, .name = "alc255-acer-headphone-and-mic"},
 	{.id = ALC285_FIXUP_HP_GPIO_AMP_INIT, .name = "alc285-hp-amp-init"},
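Review bot: the new entry exposes "alc287-yoga9-bass-spk-pin" as a user-selectable model name, but the diffstat shows only sound/pci/hda/patch_realtek.c being touched. Model strings are user-visible interface, so the name should be listed in Documentation/sound/hd-audio/models.rst in the same change or a follow-up.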



^ permalink raw reply	[flat|nested] 1191+ messages in thread

* [PATCH 5.19 0012/1157] ASoC: amd: yc: Update DMI table entries
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0011/1157] ALSA: hda/realtek: Add quirk for Lenovo Yoga9 14IAP7 Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0013/1157] hwmon: (nct6775) Fix platform driver suspend regression Greg Kroah-Hartman
                   ` (981 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syed sabakareem, Mario Limonciello,
	David Korth, Mark Brown

From: syed sabakareem <Syed.SabaKareem@amd.com>

commit be0aa8d4b0fcb4532bf7973141e911998ab39508 upstream.

Removed Intel DMI product IDs 21AW/21AX/21D8/21D9/21BN/21BQ
in DMI table and updated DMI entry for AMD platform X13 Gen 3
platform 21CM/21CN.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=216267

Signed-off-by: syed sabakareem <Syed.SabaKareem@amd.com>
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Reported-by: David Korth <gerbilsoft@gerbilsoft.com>
Fixes: fa991481b8b2 ("ASoC: amd: add YC machine driver using dmic")
Link: https://lore.kernel.org/r/20220722134603.316668-1-Syed.SabaKareem@amd.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/amd/yc/acp6x-mach.c |   32 ++------------------------------
 1 file changed, 2 insertions(+), 30 deletions(-)

--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -105,28 +105,14 @@ static const struct dmi_system_id yc_acp
 		.driver_data = &acp6x_card,
 		.matches = {
 			DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
-			DMI_MATCH(DMI_PRODUCT_NAME, "21AW"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "21CM"),
 		}
 	},
 	{
 		.driver_data = &acp6x_card,
 		.matches = {
 			DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
-			DMI_MATCH(DMI_PRODUCT_NAME, "21AX"),
-		}
-	},
-	{
-		.driver_data = &acp6x_card,
-		.matches = {
-			DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
-			DMI_MATCH(DMI_PRODUCT_NAME, "21BN"),
-		}
-	},
-	{
-		.driver_data = &acp6x_card,
-		.matches = {
-			DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
-			DMI_MATCH(DMI_PRODUCT_NAME, "21BQ"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "21CN"),
 		}
 	},
 	{
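Review bot: this hunk folds two independent changes into one by rewriting the "21AW" and "21AX" entries in place as "21CM" and "21CN" while deleting "21BN" and "21BQ", so removing wrongly listed Intel IDs (what the Fixes: tag covers) and adding the AMD X13 Gen 3 IDs (new hardware enablement) cannot be reverted or backported separately. Splitting them, or at least saying in the changelog what symptom the Intel entries caused on those machines, would make the stable justification clearer; at present only the bugzilla link carries that information.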
@@ -157,20 +143,6 @@ static const struct dmi_system_id yc_acp
 			DMI_MATCH(DMI_PRODUCT_NAME, "21CL"),
 		}
 	},
-	{
-		.driver_data = &acp6x_card,
-		.matches = {
-			DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
-			DMI_MATCH(DMI_PRODUCT_NAME, "21D8"),
-		}
-	},
-	{
-		.driver_data = &acp6x_card,
-		.matches = {
-			DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
-			DMI_MATCH(DMI_PRODUCT_NAME, "21D9"),
-		}
-	},
 	{}
 };
 



^ permalink raw reply	[flat|nested] 1191+ messages in thread

* [PATCH 5.19 0013/1157] hwmon: (nct6775) Fix platform driver suspend regression
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0012/1157] ASoC: amd: yc: Update DMI table entries Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0014/1157] wifi: mac80211_hwsim: fix race condition in pending packet Greg Kroah-Hartman
                   ` (980 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zoltán Kővágó,
	stable, Zev Weiss, Guenter Roeck

From: Zev Weiss <zev@bewilderbeest.net>

commit f4e6960f4f16b1ca5da16cec7612ecc86402ac05 upstream.

Commit c3963bc0a0cf ("hwmon: (nct6775) Split core and platform
driver") introduced a slight change in nct6775_suspend() in order to
avoid an otherwise-needless symbol export for nct6775_update_device(),
replacing a call to that function with a simple dev_get_drvdata()
instead.

As it turns out, there is no guarantee that nct6775_update_device()
is ever called prior to suspend. If this happens, the resume function
ends up writing bad data into the various chip registers, which results
in a crash shortly after resume.

To fix the problem, just add the symbol export and return to using
nct6775_update_device() as was employed previously.

Reported-by: Zoltán Kővágó <dirty.ice.hu@gmail.com>
Tested-by: Zoltán Kővágó <dirty.ice.hu@gmail.com>
Fixes: c3963bc0a0cf ("hwmon: (nct6775) Split core and platform driver")
Cc: stable@kernel.org
Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
Link: https://lore.kernel.org/r/20220810052646.13825-1-zev@bewilderbeest.net
[groeck: Updated description]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/nct6775-core.c     | 3 ++-
 drivers/hwmon/nct6775-platform.c | 2 +-
 drivers/hwmon/nct6775.h          | 2 ++
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/hwmon/nct6775-core.c b/drivers/hwmon/nct6775-core.c
index 446964cbae4c..da9ec6983e13 100644
--- a/drivers/hwmon/nct6775-core.c
+++ b/drivers/hwmon/nct6775-core.c
@@ -1480,7 +1480,7 @@ static int nct6775_update_pwm_limits(struct device *dev)
 	return 0;
 }
 
-static struct nct6775_data *nct6775_update_device(struct device *dev)
+struct nct6775_data *nct6775_update_device(struct device *dev)
 {
 	struct nct6775_data *data = dev_get_drvdata(dev);
 	int i, j, err = 0;
@@ -1615,6 +1615,7 @@ static struct nct6775_data *nct6775_update_device(struct device *dev)
 	mutex_unlock(&data->update_lock);
 	return err ? ERR_PTR(err) : data;
 }
+EXPORT_SYMBOL_GPL(nct6775_update_device);
 
 /*
  * Sysfs callback functions
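Review bot: with static dropped and EXPORT_SYMBOL_GPL(nct6775_update_device) added after the closing brace, this function becomes a cross-module interface but has no comment describing its contract. The visible tail shows it releases data->update_lock and returns either data or ERR_PTR(err); a short comment above the definition stating that it refreshes the cached register state under update_lock and that callers must check IS_ERR() would document what the platform driver now relies on.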
diff --git a/drivers/hwmon/nct6775-platform.c b/drivers/hwmon/nct6775-platform.c
index ab30437221ce..41c97cfacfb8 100644
--- a/drivers/hwmon/nct6775-platform.c
+++ b/drivers/hwmon/nct6775-platform.c
@@ -359,7 +359,7 @@ static int __maybe_unused nct6775_suspend(struct device *dev)
 {
 	int err;
 	u16 tmp;
-	struct nct6775_data *data = dev_get_drvdata(dev);
+	struct nct6775_data *data = nct6775_update_device(dev);
 
 	if (IS_ERR(data))
 		return PTR_ERR(data);
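Review bot: in nct6775_suspend(), replacing dev_get_drvdata() with nct6775_update_device() means the existing "if (IS_ERR(data)) return PTR_ERR(data);" check can now actually fire, since the update path returns ERR_PTR(err) when a register read fails. A failed refresh will therefore fail the suspend callback, which is a behaviour change the changelog does not mention. It is probably the right trade against resuming with bad register data, but please state it in the commit message so a report of suspend failing on this driver can be traced back here.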
diff --git a/drivers/hwmon/nct6775.h b/drivers/hwmon/nct6775.h
index 93f708148e65..be41848c3cd2 100644
--- a/drivers/hwmon/nct6775.h
+++ b/drivers/hwmon/nct6775.h
@@ -196,6 +196,8 @@ static inline int nct6775_write_value(struct nct6775_data *data, u16 reg, u16 va
 	return regmap_write(data->regmap, reg, value);
 }
 
+struct nct6775_data *nct6775_update_device(struct device *dev);
+
 bool nct6775_reg_is_word_sized(struct nct6775_data *data, u16 reg);
 int nct6775_probe(struct device *dev, struct nct6775_data *data,
 		  const struct regmap_config *regmapcfg);
-- 
2.37.1




^ permalink raw reply related	[flat|nested] 1191+ messages in thread

* [PATCH 5.19 0014/1157] wifi: mac80211_hwsim: fix race condition in pending packet
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0013/1157] hwmon: (nct6775) Fix platform driver suspend regression Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0015/1157] wifi: mac80211_hwsim: add back erroneously removed cast Greg Kroah-Hartman
                   ` (979 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jeongik Cha, Johannes Berg

From: Jeongik Cha <jeongik@google.com>

commit 4ee186fa7e40ae06ebbfbad77e249e3746e14114 upstream.

A pending packet uses a cookie as a unique key, but it can be duplicated
because it didn't use atomic operators.

And also, a pending packet can be null in hwsim_tx_info_frame_received_nl
due to a race condition with mac80211_hwsim_stop.

For this,
 * Use an atomic type and operator for a cookie
 * Add a lock around the loop for pending packets

Signed-off-by: Jeongik Cha <jeongik@google.com>
Link: https://lore.kernel.org/r/20220704084354.3556326-1-jeongik@google.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mac80211_hwsim.c |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -680,7 +680,7 @@ struct mac80211_hwsim_data {
 	bool ps_poll_pending;
 	struct dentry *debugfs;
 
-	uintptr_t pending_cookie;
+	atomic64_t pending_cookie;
 	struct sk_buff_head pending;	/* packets pending */
 	/*
 	 * Only radios in the same group can communicate together (the
@@ -1347,7 +1347,7 @@ static void mac80211_hwsim_tx_frame_nl(s
 	int i;
 	struct hwsim_tx_rate tx_attempts[IEEE80211_TX_MAX_RATES];
 	struct hwsim_tx_rate_flag tx_attempts_flags[IEEE80211_TX_MAX_RATES];
-	uintptr_t cookie;
+	u64 cookie;
 
 	if (data->ps != PS_DISABLED)
 		hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
@@ -1416,8 +1416,7 @@ static void mac80211_hwsim_tx_frame_nl(s
 		goto nla_put_failure;
 
 	/* We create a cookie to identify this skb */
-	data->pending_cookie++;
-	cookie = data->pending_cookie;
+	cookie = (u64)atomic64_inc_return(&data->pending_cookie);
 	info->rate_driver_data[0] = (void *)cookie;
 	if (nla_put_u64_64bit(skb, HWSIM_ATTR_COOKIE, cookie, HWSIM_ATTR_PAD))
 		goto nla_put_failure;
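Review bot: "info->rate_driver_data[0] = (void *)cookie;" now casts a u64 to a pointer, which on 32-bit builds is a cast to a smaller type and silently drops the upper half, while nla_put_u64_64bit() still sends the full 64-bit value to user space. The stored key and the value echoed back can then differ. Either keep the cookie at pointer width or cast through uintptr_t and make sure the value sent over netlink is the same truncated one.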
@@ -4080,6 +4079,7 @@ static int hwsim_tx_info_frame_received_
 	const u8 *src;
 	unsigned int hwsim_flags;
 	int i;
+	unsigned long flags;
 	bool found = false;
 
 	if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER] ||
@@ -4107,18 +4107,20 @@ static int hwsim_tx_info_frame_received_
 	}
 
 	/* look for the skb matching the cookie passed back from user */
+	spin_lock_irqsave(&data2->pending.lock, flags);
 	skb_queue_walk_safe(&data2->pending, skb, tmp) {
 		u64 skb_cookie;
 
 		txi = IEEE80211_SKB_CB(skb);
-		skb_cookie = (u64)(uintptr_t)txi->rate_driver_data[0];
+		skb_cookie = (u64)txi->rate_driver_data[0];
 
 		if (skb_cookie == ret_skb_cookie) {
-			skb_unlink(skb, &data2->pending);
+			__skb_unlink(skb, &data2->pending);
 			found = true;
 			break;
 		}
 	}
+	spin_unlock_irqrestore(&data2->pending.lock, flags);
 
 	/* not found */
 	if (!found)
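Review bot: "skb_cookie = (u64)txi->rate_driver_data[0];" drops the intermediate (uintptr_t) cast, so a pointer is converted directly to a 64-bit integer; on 32-bit this is a pointer-to-integer cast of different size and will warn. Please keep "(u64)(uintptr_t)". The locking change itself looks right: taking data2->pending.lock with spin_lock_irqsave() around skb_queue_walk_safe() and switching to __skb_unlink() is the correct pairing, since skb_unlink() would take the same lock again.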



^ permalink raw reply	[flat|nested] 1191+ messages in thread

* [PATCH 5.19 0015/1157] wifi: mac80211_hwsim: add back erroneously removed cast
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0014/1157] wifi: mac80211_hwsim: fix race condition in pending packet Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0016/1157] wifi: mac80211_hwsim: use 32-bit skb cookie Greg Kroah-Hartman
                   ` (978 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Johannes Berg,
	Jeongik Cha

From: Johannes Berg <johannes.berg@intel.com>

commit 58b6259d820d63c2adf1c7541b54cce5a2ae6073 upstream.

The robots report that we're now casting to a differently
sized integer, which is correct, and the previous patch
had erroneously removed it.

Reported-by: kernel test robot <lkp@intel.com>
Fixes: 4ee186fa7e40 ("wifi: mac80211_hwsim: fix race condition in pending packet")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Cc: Jeongik Cha <jeongik@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mac80211_hwsim.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -4112,7 +4112,7 @@ static int hwsim_tx_info_frame_received_
 		u64 skb_cookie;
 
 		txi = IEEE80211_SKB_CB(skb);
-		skb_cookie = (u64)txi->rate_driver_data[0];
+		skb_cookie = (u64)(uintptr_t)txi->rate_driver_data[0];
 
 		if (skb_cookie == ret_skb_cookie) {
 			__skb_unlink(skb, &data2->pending);
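Review bot: restoring "(u64)(uintptr_t)" repairs only the lookup side. The store in mac80211_hwsim_tx_frame_nl() left by 0014 is still "(void *)cookie" with a u64 cookie, so 32-bit builds keep the mismatched-size cast there until 0016 switches the cookie back to uintptr_t. For stable purposes 0014, 0015 and 0016 should be treated as one unit and not picked individually; a note to that effect in the changelog would help backporters.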



^ permalink raw reply	[flat|nested] 1191+ messages in thread

* [PATCH 5.19 0016/1157] wifi: mac80211_hwsim: use 32-bit skb cookie
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0015/1157] wifi: mac80211_hwsim: add back erroneously removed cast Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0017/1157] add barriers to buffer_uptodate and set_buffer_uptodate Greg Kroah-Hartman
                   ` (977 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johannes Berg, Jeongik Cha

From: Johannes Berg <johannes.berg@intel.com>

commit cc5250cdb43d444061412df7fae72d2b4acbdf97 upstream.

We won't really have enough skbs to need a 64-bit cookie,
and on 32-bit platforms storing the 64-bit cookie into the
void *rate_driver_data doesn't work anyway. Switch back to
using just a 32-bit cookie and uintptr_t for the type to
avoid compiler warnings about all this.

Fixes: 4ee186fa7e40 ("wifi: mac80211_hwsim: fix race condition in pending packet")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Cc: Jeongik Cha <jeongik@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mac80211_hwsim.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -680,7 +680,7 @@ struct mac80211_hwsim_data {
 	bool ps_poll_pending;
 	struct dentry *debugfs;
 
-	atomic64_t pending_cookie;
+	atomic_t pending_cookie;
 	struct sk_buff_head pending;	/* packets pending */
 	/*
 	 * Only radios in the same group can communicate together (the
@@ -1347,7 +1347,7 @@ static void mac80211_hwsim_tx_frame_nl(s
 	int i;
 	struct hwsim_tx_rate tx_attempts[IEEE80211_TX_MAX_RATES];
 	struct hwsim_tx_rate_flag tx_attempts_flags[IEEE80211_TX_MAX_RATES];
-	u64 cookie;
+	uintptr_t cookie;
 
 	if (data->ps != PS_DISABLED)
 		hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
@@ -1416,7 +1416,7 @@ static void mac80211_hwsim_tx_frame_nl(s
 		goto nla_put_failure;
 
 	/* We create a cookie to identify this skb */
-	cookie = (u64)atomic64_inc_return(&data->pending_cookie);
+	cookie = atomic_inc_return(&data->pending_cookie);
 	info->rate_driver_data[0] = (void *)cookie;
 	if (nla_put_u64_64bit(skb, HWSIM_ATTR_COOKIE, cookie, HWSIM_ATTR_PAD))
 		goto nla_put_failure;
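Review bot: "cookie = atomic_inc_return(&data->pending_cookie);" assigns an int to a uintptr_t, so on 64-bit the value is sign-extended once the counter goes negative and the "32-bit cookie" ends up with the upper 32 bits set, both in rate_driver_data[0] and in the u64 passed to nla_put_u64_64bit(). That stays self-consistent as long as the value echoed back is compared unchanged, but an explicit "(u32)" cast on the return value would make the cookie literally 32-bit on every architecture and match what the changelog describes. The counter also passes through 0 on wrap; worth confirming no path treats a zero cookie as "no cookie".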
@@ -4109,10 +4109,10 @@ static int hwsim_tx_info_frame_received_
 	/* look for the skb matching the cookie passed back from user */
 	spin_lock_irqsave(&data2->pending.lock, flags);
 	skb_queue_walk_safe(&data2->pending, skb, tmp) {
-		u64 skb_cookie;
+		uintptr_t skb_cookie;
 
 		txi = IEEE80211_SKB_CB(skb);
-		skb_cookie = (u64)(uintptr_t)txi->rate_driver_data[0];
+		skb_cookie = (uintptr_t)txi->rate_driver_data[0];
 
 		if (skb_cookie == ret_skb_cookie) {
 			__skb_unlink(skb, &data2->pending);



^ permalink raw reply	[flat|nested] 1191+ messages in thread

* [PATCH 5.19 0017/1157] add barriers to buffer_uptodate and set_buffer_uptodate
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0016/1157] wifi: mac80211_hwsim: use 32-bit skb cookie Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0018/1157] lockd: detect and reject lock arguments that overflow Greg Kroah-Hartman
                   ` (976 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka,
	Matthew Wilcox (Oracle),
	Linus Torvalds

From: Mikulas Patocka <mpatocka@redhat.com>

commit d4252071b97d2027d246f6a82cbee4d52f618b47 upstream.

Let's have a look at this piece of code in __bread_slow:

	get_bh(bh);
	bh->b_end_io = end_buffer_read_sync;
	submit_bh(REQ_OP_READ, 0, bh);
	wait_on_buffer(bh);
	if (buffer_uptodate(bh))
		return bh;

Neither wait_on_buffer nor buffer_uptodate contain any memory barrier.
Consequently, if someone calls sb_bread and then reads the buffer data,
the read of buffer data may be executed before wait_on_buffer(bh) on
architectures with weak memory ordering and it may return invalid data.

Fix this bug by adding a memory barrier to set_buffer_uptodate and an
acquire barrier to buffer_uptodate (in a similar way as
folio_test_uptodate and folio_mark_uptodate).

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/buffer_head.h |   25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

--- a/include/linux/buffer_head.h
+++ b/include/linux/buffer_head.h
@@ -117,7 +117,6 @@ static __always_inline int test_clear_bu
  * of the form "mark_buffer_foo()".  These are higher-level functions which
  * do something in addition to setting a b_state bit.
  */
-BUFFER_FNS(Uptodate, uptodate)
 BUFFER_FNS(Dirty, dirty)
 TAS_BUFFER_FNS(Dirty, dirty)
 BUFFER_FNS(Lock, locked)
@@ -135,6 +134,30 @@ BUFFER_FNS(Meta, meta)
 BUFFER_FNS(Prio, prio)
 BUFFER_FNS(Defer_Completion, defer_completion)
 
+static __always_inline void set_buffer_uptodate(struct buffer_head *bh)
+{
+	/*
+	 * make it consistent with folio_mark_uptodate
+	 * pairs with smp_load_acquire in buffer_uptodate
+	 */
+	smp_mb__before_atomic();
+	set_bit(BH_Uptodate, &bh->b_state);
+}
+
+static __always_inline void clear_buffer_uptodate(struct buffer_head *bh)
+{
+	clear_bit(BH_Uptodate, &bh->b_state);
+}
+
+static __always_inline int buffer_uptodate(const struct buffer_head *bh)
+{
+	/*
+	 * make it consistent with folio_test_uptodate
+	 * pairs with smp_mb__before_atomic in set_buffer_uptodate
+	 */
+	return (smp_load_acquire(&bh->b_state) & (1UL << BH_Uptodate)) != 0;
+}
+
 #define bh_offset(bh)		((unsigned long)(bh)->b_data & ~PAGE_MASK)
 
 /* If we *know* page->private refers to buffer_heads */
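Review bot: the comments in set_buffer_uptodate() and buffer_uptodate() name the barrier each one pairs with but not what is being ordered, which is the part a future reader needs. Please say explicitly that the writes filling the buffer data must be visible before BH_Uptodate is set, and that the reader's loads of buffer data must not be hoisted above the flag test; the changelog's __bread_slow example explains this well and one sentence of it belongs in the code. It is also worth a line on clear_buffer_uptodate() stating that it intentionally has no barrier, since it now sits between two helpers that do.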



^ permalink raw reply	[flat|nested] 1191+ messages in thread

* [PATCH 5.19 0018/1157] lockd: detect and reject lock arguments that overflow
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0017/1157] add barriers to buffer_uptodate and set_buffer_uptodate Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0019/1157] HID: hid-input: add Surface Go battery quirk Greg Kroah-Hartman
                   ` (975 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Kasiak, Jeff Layton, Chuck Lever

From: Jeff Layton <jlayton@kernel.org>

commit 6930bcbfb6ceda63e298c6af6d733ecdf6bd4cde upstream.

lockd doesn't currently vet the start and length in nlm4 requests like
it should, and can end up generating lock requests with arguments that
overflow when passed to the filesystem.

The NLM4 protocol uses unsigned 64-bit arguments for both start and
length, whereas struct file_lock tracks the start and end as loff_t
values. By the time we get around to calling nlm4svc_retrieve_args,
we've lost the information that would allow us to determine if there was
an overflow.

Start tracking the actual start and len for NLM4 requests in the
nlm_lock. In nlm4svc_retrieve_args, vet these values to ensure they
won't cause an overflow, and return NLM4_FBIG if they do.

Link: https://bugzilla.linux-nfs.org/show_bug.cgi?id=392
Reported-by: Jan Kasiak <j.kasiak@gmail.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Cc: <stable@vger.kernel.org> # 5.14+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/lockd/svc4proc.c       |    8 ++++++++
 fs/lockd/xdr4.c           |   19 ++-----------------
 include/linux/lockd/xdr.h |    2 ++
 3 files changed, 12 insertions(+), 17 deletions(-)

--- a/fs/lockd/svc4proc.c
+++ b/fs/lockd/svc4proc.c
@@ -32,6 +32,10 @@ nlm4svc_retrieve_args(struct svc_rqst *r
 	if (!nlmsvc_ops)
 		return nlm_lck_denied_nolocks;
 
+	if (lock->lock_start > OFFSET_MAX ||
+	    (lock->lock_len && ((lock->lock_len - 1) > (OFFSET_MAX - lock->lock_start))))
+		return nlm4_fbig;
+
 	/* Obtain host handle */
 	if (!(host = nlmsvc_lookup_host(rqstp, lock->caller, lock->len))
 	 || (argp->monitor && nsm_monitor(host) < 0))
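Review bot: the new range check is correct but dense enough to deserve a comment, and it compares the u64 fields against OFFSET_MAX through implicit signed-to-unsigned conversion. Please add a comment stating that lock_len == 0 means "to end of file" and that the "(lock_len - 1) > (OFFSET_MAX - lock_start)" form is used so that start + len is never computed before it is known to fit, and consider casting OFFSET_MAX to u64 to make the comparison types explicit. The later "(loff_t)(lock->lock_start + lock->lock_len - 1)" assignment is only safe because of this check, so the comment should say that the two belong together.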
@@ -50,6 +54,10 @@ nlm4svc_retrieve_args(struct svc_rqst *r
 		/* Set up the missing parts of the file_lock structure */
 		lock->fl.fl_file  = file->f_file[mode];
 		lock->fl.fl_pid = current->tgid;
+		lock->fl.fl_start = (loff_t)lock->lock_start;
+		lock->fl.fl_end = lock->lock_len ?
+				   (loff_t)(lock->lock_start + lock->lock_len - 1) :
+				   OFFSET_MAX;
 		lock->fl.fl_lmops = &nlmsvc_lock_operations;
 		nlmsvc_locks_init_private(&lock->fl, host, (pid_t)lock->svid);
 		if (!lock->fl.fl_owner) {
--- a/fs/lockd/xdr4.c
+++ b/fs/lockd/xdr4.c
@@ -20,13 +20,6 @@
 
 #include "svcxdr.h"
 
-static inline loff_t
-s64_to_loff_t(__s64 offset)
-{
-	return (loff_t)offset;
-}
-
-
 static inline s64
 loff_t_to_s64(loff_t offset)
 {
@@ -70,8 +63,6 @@ static bool
 svcxdr_decode_lock(struct xdr_stream *xdr, struct nlm_lock *lock)
 {
 	struct file_lock *fl = &lock->fl;
-	u64 len, start;
-	s64 end;
 
 	if (!svcxdr_decode_string(xdr, &lock->caller, &lock->len))
 		return false;
@@ -81,20 +72,14 @@ svcxdr_decode_lock(struct xdr_stream *xd
 		return false;
 	if (xdr_stream_decode_u32(xdr, &lock->svid) < 0)
 		return false;
-	if (xdr_stream_decode_u64(xdr, &start) < 0)
+	if (xdr_stream_decode_u64(xdr, &lock->lock_start) < 0)
 		return false;
-	if (xdr_stream_decode_u64(xdr, &len) < 0)
+	if (xdr_stream_decode_u64(xdr, &lock->lock_len) < 0)
 		return false;
 
 	locks_init_lock(fl);
 	fl->fl_flags = FL_POSIX;
 	fl->fl_type  = F_RDLCK;
-	end = start + len - 1;
-	fl->fl_start = s64_to_loff_t(start);
-	if (len == 0 || end < 0)
-		fl->fl_end = OFFSET_MAX;
-	else
-		fl->fl_end = s64_to_loff_t(end);
 
 	return true;
 }
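Review bot: after this hunk svcxdr_decode_lock() no longer sets fl->fl_start or fl->fl_end at all; the range is filled in only inside nlm4svc_retrieve_args(), and there only in the branch that sets up the file. Any decoder user whose handler does not reach that branch now sees a file_lock with whatever range locks_init_lock() leaves behind. Please audit every caller of svcxdr_decode_lock() and confirm each one either goes through that path or does not read fl_start/fl_end, and note the result in the changelog.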
--- a/include/linux/lockd/xdr.h
+++ b/include/linux/lockd/xdr.h
@@ -41,6 +41,8 @@ struct nlm_lock {
 	struct nfs_fh		fh;
 	struct xdr_netobj	oh;
 	u32			svid;
+	u64			lock_start;
+	u64			lock_len;
 	struct file_lock	fl;
 };
 



^ permalink raw reply	[flat|nested] 1191+ messages in thread

* [PATCH 5.19 0019/1157] HID: hid-input: add Surface Go battery quirk
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0018/1157] lockd: detect and reject lock arguments that overflow Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0022/1157] HID: wacom: Dont register pad_input for touch switch Greg Kroah-Hartman
                   ` (974 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maximilian Luz, Jiri Kosina

From: Maximilian Luz <luzmaximilian@gmail.com>

commit db925d809011c37b246434fdce71209fc2e6c0c2 upstream.

Similar to the Surface Go (1), the (Elantech) touchscreen/digitizer in
the Surface Go 2 mistakenly reports the battery of the stylus. Instead
of over the touchscreen device, battery information is provided via
bluetooth and the touchscreen device reports an empty battery.

Apply the HID_BATTERY_QUIRK_IGNORE quirk to ignore this battery and
prevent the erroneous low battery warnings.

Cc: stable@vger.kernel.org
Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/hid-ids.h   |    1 +
 drivers/hid/hid-input.c |    2 ++
 2 files changed, 3 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -413,6 +413,7 @@
 #define USB_DEVICE_ID_ASUS_UX550VE_TOUCHSCREEN	0x2544
 #define USB_DEVICE_ID_ASUS_UX550_TOUCHSCREEN	0x2706
 #define I2C_DEVICE_ID_SURFACE_GO_TOUCHSCREEN	0x261A
+#define I2C_DEVICE_ID_SURFACE_GO2_TOUCHSCREEN	0x2A1C
 
 #define USB_VENDOR_ID_ELECOM		0x056e
 #define USB_DEVICE_ID_ELECOM_BM084	0x0061
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -381,6 +381,8 @@ static const struct hid_device_id hid_ba
 	  HID_BATTERY_QUIRK_IGNORE },
 	{ HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_SURFACE_GO_TOUCHSCREEN),
 	  HID_BATTERY_QUIRK_IGNORE },
+	{ HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_SURFACE_GO2_TOUCHSCREEN),
+	  HID_BATTERY_QUIRK_IGNORE },
 	{}
 };
 



^ permalink raw reply	[flat|nested] 1191+ messages in thread

* [PATCH 5.19 0022/1157] HID: wacom: Dont register pad_input for touch switch
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0019/1157] HID: hid-input: add Surface Go battery quirk Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0023/1157] KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case Greg Kroah-Hartman
                   ` (973 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ping Cheng, Jason Gerecke, Jiri Kosina

From: Ping Cheng <pinglinux@gmail.com>

commit d6b675687a4ab4dba684716d97c8c6f81bf10905 upstream.

Touch switch state is received through WACOM_PAD_FIELD. However, it
is reported by touch_input. Don't register pad_input if no other pad
events require the interface.

Cc: stable@vger.kernel.org
Signed-off-by: Ping Cheng <ping.cheng@wacom.com>
Reviewed-by: Jason Gerecke <jason.gerecke@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/wacom_sys.c |    2 +-
 drivers/hid/wacom_wac.c |   43 +++++++++++++++++++++++++------------------
 2 files changed, 26 insertions(+), 19 deletions(-)

--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -2121,7 +2121,7 @@ static int wacom_register_inputs(struct
 
 	error = wacom_setup_pad_input_capabilities(pad_input_dev, wacom_wac);
 	if (error) {
-		/* no pad in use on this interface */
+		/* no pad events using this interface */
 		input_free_device(pad_input_dev);
 		wacom_wac->pad_input = NULL;
 		pad_input_dev = NULL;
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -2019,7 +2019,6 @@ static void wacom_wac_pad_usage_mapping(
 		wacom_wac->has_mute_touch_switch = true;
 		usage->type = EV_SW;
 		usage->code = SW_MUTE_DEVICE;
-		features->device_type |= WACOM_DEVICETYPE_PAD;
 		break;
 	case WACOM_HID_WD_TOUCHSTRIP:
 		wacom_map_usage(input, usage, field, EV_ABS, ABS_RX, 0);
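
Review bot: after `features->device_type |= WACOM_DEVICETYPE_PAD;` is dropped from the mute-switch mapping, this case still sets `has_mute_touch_switch`, `EV_SW` and `SW_MUTE_DEVICE` but no longer marks the device as a pad, which reads like an omission. A short comment on the case stating that the switch is reported through touch_input, so no pad device type is needed for it, would prevent someone from adding the line back.
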
@@ -2099,6 +2098,30 @@ static void wacom_wac_pad_event(struct h
 			wacom_wac->hid_data.inrange_state |= value;
 	}
 
+	/* Process touch switch state first since it is reported through touch interface,
+	 * which is indepentent of pad interface. In the case when there are no other pad
+	 * events, the pad interface will not even be created.
+	 */
+	if ((equivalent_usage == WACOM_HID_WD_MUTE_DEVICE) ||
+	   (equivalent_usage == WACOM_HID_WD_TOUCHONOFF)) {
+		if (wacom_wac->shared->touch_input) {
+			bool *is_touch_on = &wacom_wac->shared->is_touch_on;
+
+			if (equivalent_usage == WACOM_HID_WD_MUTE_DEVICE && value)
+				*is_touch_on = !(*is_touch_on);
+			else if (equivalent_usage == WACOM_HID_WD_TOUCHONOFF)
+				*is_touch_on = value;
+
+			input_report_switch(wacom_wac->shared->touch_input,
+					    SW_MUTE_DEVICE, !(*is_touch_on));
+			input_sync(wacom_wac->shared->touch_input);
+		}
+		return;
+	}
+
+	if (!input)
+		return;
+
 	switch (equivalent_usage) {
 	case WACOM_HID_WD_TOUCHRING:
 		/*
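
Review bot: the block comment added above the `equivalent_usage` check misspells "independent" as "indepentent", and it starts its text on the opening `/*` line where the usual kernel style outside net/ puts `/*` on a line of its own. Separately, the touch-switch branch returns even when `wacom_wac->shared->touch_input` is NULL, so the event is dropped silently in that case; that matches the removed `case` block, but a word in the comment would make it clear this is intended.
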
@@ -2134,22 +2157,6 @@ static void wacom_wac_pad_event(struct h
 			input_event(input, usage->type, usage->code, 0);
 		break;
 
-	case WACOM_HID_WD_MUTE_DEVICE:
-	case WACOM_HID_WD_TOUCHONOFF:
-		if (wacom_wac->shared->touch_input) {
-			bool *is_touch_on = &wacom_wac->shared->is_touch_on;
-
-			if (equivalent_usage == WACOM_HID_WD_MUTE_DEVICE && value)
-				*is_touch_on = !(*is_touch_on);
-			else if (equivalent_usage == WACOM_HID_WD_TOUCHONOFF)
-				*is_touch_on = value;
-
-			input_report_switch(wacom_wac->shared->touch_input,
-					    SW_MUTE_DEVICE, !(*is_touch_on));
-			input_sync(wacom_wac->shared->touch_input);
-		}
-		break;
-
 	case WACOM_HID_WD_MODE_CHANGE:
 		if (wacom_wac->is_direct_mode != value) {
 			wacom_wac->is_direct_mode = value;
@@ -2835,7 +2842,7 @@ void wacom_wac_event(struct hid_device *
 	/* usage tests must precede field tests */
 	if (WACOM_BATTERY_USAGE(usage))
 		wacom_wac_battery_event(hdev, field, usage, value);
-	else if (WACOM_PAD_FIELD(field) && wacom->wacom_wac.pad_input)
+	else if (WACOM_PAD_FIELD(field))
 		wacom_wac_pad_event(hdev, field, usage, value);
 	else if (WACOM_PEN_FIELD(field) && wacom->wacom_wac.pen_input)
 		wacom_wac_pen_event(hdev, field, usage, value);
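
Review bot: with `&& wacom->wacom_wac.pad_input` removed from the `WACOM_PAD_FIELD(field)` branch, `wacom_wac_pad_event()` is now entered with a NULL pad input, so everything in that function ahead of the new `if (!input) return;` guard must avoid dereferencing it. The lines visible in the earlier hunk only touch `hid_data.inrange_state` and `shared->touch_input`; please confirm the same holds for the part of the function above that hunk's context.
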




* [PATCH 5.19 0023/1157] KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0022/1157] HID: wacom: Dont register pad_input for touch switch Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0024/1157] KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL " Greg Kroah-Hartman
                   ` (972 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lei Wang, Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit fa578398a0ba2c079fa1170da21fa5baae0cedb2 upstream.

If a nested run isn't pending, snapshot vmcs01.GUEST_BNDCFGS irrespective
of whether or not VM_ENTRY_LOAD_BNDCFGS is set in vmcs12.  When restoring
nested state, e.g. after migration, without a nested run pending,
prepare_vmcs02() will propagate nested.vmcs01_guest_bndcfgs to vmcs02,
i.e. will load garbage/zeros into vmcs02.GUEST_BNDCFGS.

If userspace restores nested state before MSRs, then loading garbage is a
non-issue as loading BNDCFGS will also update vmcs02.  But if userspace
restores MSRs first, then KVM is responsible for propagating L2's value,
which is actually thrown into vmcs01, into vmcs02.

Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state
is all kinds of bizarre and ideally would not be supported.  Sadly, some
VMMs do exactly that and rely on KVM to make things work.

Note, there's still a lurking SMM bug, as propagating vmcs01.GUEST_BNDCFGS
to vmcs02 across RSM may corrupt L2's BNDCFGS.  But KVM's entire VMX+SMM
emulation is flawed as SMI+RSM should not touch _any_ VMCS when using the
"default treatment of SMIs", i.e. when not using an SMI Transfer Monitor.

Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com
Fixes: 62cf9bd8118c ("KVM: nVMX: Fix emulation of VM_ENTRY_LOAD_BNDCFGS")
Cc: stable@vger.kernel.org
Cc: Lei Wang <lei4.wang@intel.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220614215831.3762138-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/vmx/nested.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3376,7 +3376,8 @@ enum nvmx_vmentry_status nested_vmx_ente
 	if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
 		vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL);
 	if (kvm_mpx_supported() &&
-		!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))
+	    (!vmx->nested.nested_run_pending ||
+	     !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS)))
 		vmx->nested.vmcs01_guest_bndcfgs = vmcs_read64(GUEST_BNDCFGS);
 
 	/*
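
Review bot: the reason for testing `!vmx->nested.nested_run_pending` inside the `kvm_mpx_supported()` condition exists only in the commit message. A short comment here saying that, when no nested run is pending (nested state restored by userspace), vmcs01's GUEST_BNDCFGS must be snapshotted regardless of VM_ENTRY_LOAD_BNDCFGS would stop a later cleanup from simplifying the condition away. The SMM/RSM caveat called out in the changelog also deserves a FIXME at the same spot.
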




* [PATCH 5.19 0024/1157] KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL for !nested_run_pending case
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0023/1157] KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0025/1157] KVM: SVM: Dont BUG if userspace injects an interrupt with GIF=0 Greg Kroah-Hartman
                   ` (971 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit 764643a6be07445308e492a528197044c801b3ba upstream.

If a nested run isn't pending, snapshot vmcs01.GUEST_IA32_DEBUGCTL
irrespective of whether or not VM_ENTRY_LOAD_DEBUG_CONTROLS is set in
vmcs12.  When restoring nested state, e.g. after migration, without a
nested run pending, prepare_vmcs02() will propagate
nested.vmcs01_debugctl to vmcs02, i.e. will load garbage/zeros into
vmcs02.GUEST_IA32_DEBUGCTL.

If userspace restores nested state before MSRs, then loading garbage is a
non-issue as loading DEBUGCTL will also update vmcs02.  But if userspace
restores MSRs first, then KVM is responsible for propagating L2's value,
which is actually thrown into vmcs01, into vmcs02.

Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state
is all kinds of bizarre and ideally would not be supported.  Sadly, some
VMMs do exactly that and rely on KVM to make things work.

Note, there's still a lurking SMM bug, as propagating vmcs01's DEBUGCTL
to vmcs02 across RSM may corrupt L2's DEBUGCTL.  But KVM's entire VMX+SMM
emulation is flawed as SMI+RSM should not touch _any_ VMCS when using the
"default treatment of SMIs", i.e. when not using an SMI Transfer Monitor.

Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com
Fixes: 8fcc4b5923af ("kvm: nVMX: Introduce KVM_CAP_NESTED_STATE")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220614215831.3762138-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/vmx/nested.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3373,7 +3373,8 @@ enum nvmx_vmentry_status nested_vmx_ente
 	if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
 		evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
 
-	if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
+	if (!vmx->nested.nested_run_pending ||
+	    !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
 		vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL);
 	if (kvm_mpx_supported() &&
 	    (!vmx->nested.nested_run_pending ||
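
Review bot: the `!vmx->nested.nested_run_pending ||` test now appears in two adjacent conditions, the GUEST_IA32_DEBUGCTL snapshot changed here and the GUEST_BNDCFGS snapshot in the trailing context. Putting one comment above the pair that explains the restore-without-pending-run case, or hoisting the test into a local bool used by both, would keep the two from drifting apart.
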




* [PATCH 5.19 0025/1157] KVM: SVM: Dont BUG if userspace injects an interrupt with GIF=0
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0024/1157] KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL " Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0026/1157] KVM: s390: pv: dont present the ecall interrupt twice Greg Kroah-Hartman
                   ` (970 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson,
	Maciej S. Szmigiero, Paolo Bonzini

From: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>

commit f17c31c48e5cde9895a491d91c424eeeada3e134 upstream.

Don't BUG/WARN on interrupt injection due to GIF being cleared,
since it's trivial for userspace to force the situation via
KVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct
for KVM internally generated injections).

  kernel BUG at arch/x86/kvm/svm/svm.c:3386!
  invalid opcode: 0000 [#1] SMP
  CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:svm_inject_irq+0xab/0xb0 [kvm_amd]
  Code: <0f> 0b 0f 1f 00 0f 1f 44 00 00 80 3d ac b3 01 00 00 55 48 89 f5 53
  RSP: 0018:ffffc90000b37d88 EFLAGS: 00010246
  RAX: 0000000000000000 RBX: ffff88810a234ac0 RCX: 0000000000000006
  RDX: 0000000000000000 RSI: ffffc90000b37df7 RDI: ffff88810a234ac0
  RBP: ffffc90000b37df7 R08: ffff88810a1fa410 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
  R13: ffff888109571000 R14: ffff88810a234ac0 R15: 0000000000000000
  FS:  0000000001821380(0000) GS:ffff88846fdc0000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f74fc550008 CR3: 000000010a6fe000 CR4: 0000000000350ea0
  Call Trace:
   <TASK>
   inject_pending_event+0x2f7/0x4c0 [kvm]
   kvm_arch_vcpu_ioctl_run+0x791/0x17a0 [kvm]
   kvm_vcpu_ioctl+0x26d/0x650 [kvm]
   __x64_sys_ioctl+0x82/0xb0
   do_syscall_64+0x3b/0xc0
   entry_SYSCALL_64_after_hwframe+0x44/0xae
   </TASK>

Fixes: 219b65dcf6c0 ("KVM: SVM: Improve nested interrupt injection")
Cc: stable@vger.kernel.org
Co-developed-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
Message-Id: <35426af6e123cbe91ec7ce5132ce72521f02b1b5.1651440202.git.maciej.szmigiero@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/svm.c |    2 --
 1 file changed, 2 deletions(-)

--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -3385,8 +3385,6 @@ static void svm_inject_irq(struct kvm_vc
 {
 	struct vcpu_svm *svm = to_svm(vcpu);
 
-	BUG_ON(!(gif_set(svm)));
-
 	trace_kvm_inj_virq(vcpu->arch.interrupt.nr);
 	++vcpu->stat.irq_injections;
 
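
Review bot: removing `BUG_ON(!(gif_set(svm)));` from the top of `svm_inject_irq()` leaves nothing in the code to say that GIF=0 is a reachable state here. Add a comment stating that userspace can force it through KVM_SET_VCPU_EVENTS, so the assertion is not reintroduced later. The changelog notes that a WARN would still be correct for KVM-generated injections; if the two sources can be told apart at this point, a WARN_ON_ONCE limited to the internal case would keep that coverage.
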




* [PATCH 5.19 0026/1157] KVM: s390: pv: dont present the ecall interrupt twice
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0025/1157] KVM: SVM: Dont BUG if userspace injects an interrupt with GIF=0 Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0027/1157] KVM: Drop unused @gpa param from gfn=>pfn caches __release_gpc() helper Greg Kroah-Hartman
                   ` (969 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nico Boehr, Claudio Imbrenda,
	Janosch Frank, Christian Borntraeger

From: Nico Boehr <nrb@linux.ibm.com>

commit c3f0e5fd2d33d80c5a5a8b5e5d2bab2841709cc8 upstream.

When the SIGP interpretation facility is present and a VCPU sends an
ecall to another VCPU in enabled wait, the sending VCPU receives a 56
intercept (partial execution), so KVM can wake up the receiving CPU.
Note that the SIGP interpretation facility will take care of the
interrupt delivery and KVM's only job is to wake the receiving VCPU.

For PV, the sending VCPU will receive a 108 intercept (pv notify) and
should continue like in the non-PV case, i.e. wake the receiving VCPU.

For PV and non-PV guests the interrupt delivery will occur through the
SIGP interpretation facility on SIE entry when SIE finds the X bit in
the status field set.

However, in handle_pv_notification(), there was no special handling for
SIGP, which leads to interrupt injection being requested by KVM for the
next SIE entry. This results in the interrupt being delivered twice:
once by the SIGP interpretation facility and once by KVM through the
IICTL.

Add the necessary special handling in handle_pv_notification(), similar
to handle_partial_execution(), which simply wakes the receiving VCPU and
leaves interrupt delivery to the SIGP interpretation facility.

In contrast to external calls, emergency calls are not interpreted but
also cause a 108 intercept, which is why we still need to call
handle_instruction() for SIGP orders other than ecall.

Since kvm_s390_handle_sigp_pei() is now called for all SIGP orders which
cause a 108 intercept - even if they are actually handled by
handle_instruction() - move the tracepoint in kvm_s390_handle_sigp_pei()
to avoid possibly confusing trace messages.

Signed-off-by: Nico Boehr <nrb@linux.ibm.com>
Cc: <stable@vger.kernel.org> # 5.7
Fixes: da24a0cc58ed ("KVM: s390: protvirt: Instruction emulation")
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Link: https://lore.kernel.org/r/20220718130434.73302-1-nrb@linux.ibm.com
Message-Id: <20220718130434.73302-1-nrb@linux.ibm.com>
Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/s390/kvm/intercept.c |   15 +++++++++++++++
 arch/s390/kvm/sigp.c      |    4 ++--
 2 files changed, 17 insertions(+), 2 deletions(-)

--- a/arch/s390/kvm/intercept.c
+++ b/arch/s390/kvm/intercept.c
@@ -528,12 +528,27 @@ static int handle_pv_uvc(struct kvm_vcpu
 
 static int handle_pv_notification(struct kvm_vcpu *vcpu)
 {
+	int ret;
+
 	if (vcpu->arch.sie_block->ipa == 0xb210)
 		return handle_pv_spx(vcpu);
 	if (vcpu->arch.sie_block->ipa == 0xb220)
 		return handle_pv_sclp(vcpu);
 	if (vcpu->arch.sie_block->ipa == 0xb9a4)
 		return handle_pv_uvc(vcpu);
+	if (vcpu->arch.sie_block->ipa >> 8 == 0xae) {
+		/*
+		 * Besides external call, other SIGP orders also cause a
+		 * 108 (pv notify) intercept. In contrast to external call,
+		 * these orders need to be emulated and hence the appropriate
+		 * place to handle them is in handle_instruction().
+		 * So first try kvm_s390_handle_sigp_pei() and if that isn't
+		 * successful, go on with handle_instruction().
+		 */
+		ret = kvm_s390_handle_sigp_pei(vcpu);
+		if (!ret)
+			return ret;
+	}
 
 	return handle_instruction(vcpu);
 }
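
Review bot: in the new `ipa >> 8 == 0xae` branch, every non-zero return from `kvm_s390_handle_sigp_pei()` falls through to `handle_instruction()`, so a genuine failure on the external-call path cannot be told apart from "this order is not an external call". Testing for the specific not-handled return value and propagating anything else would make the fallback explicit. As a smaller point, `if (!ret) return ret;` can simply be `return 0;`.
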
--- a/arch/s390/kvm/sigp.c
+++ b/arch/s390/kvm/sigp.c
@@ -480,9 +480,9 @@ int kvm_s390_handle_sigp_pei(struct kvm_
 	struct kvm_vcpu *dest_vcpu;
 	u8 order_code = kvm_s390_get_base_disp_rs(vcpu, NULL);
 
-	trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr);
-
 	if (order_code == SIGP_EXTERNAL_CALL) {
+		trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr);
+
 		dest_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr);
 		BUG_ON(dest_vcpu == NULL);
 
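
Review bot: `BUG_ON(dest_vcpu == NULL)` in the trailing context is now reached from a second caller, `handle_pv_notification()`, so please confirm that `cpu_addr` can never name a non-existent VCPU on that path; a failed `kvm_get_vcpu_by_id()` lookup here takes the host down instead of returning an error. Moving `trace_kvm_s390_handle_sigp_pei()` inside the `SIGP_EXTERNAL_CALL` branch also means other orders are no longer traced by this function, which is worth a line in the function's comment.
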




* [PATCH 5.19 0027/1157] KVM: Drop unused @gpa param from gfn=>pfn caches __release_gpc() helper
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0026/1157] KVM: s390: pv: dont present the ecall interrupt twice Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0028/1157] KVM: Put the extra pfn reference when reusing a pfn in the gpc cache Greg Kroah-Hartman
                   ` (968 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit 345b0fd6fe5f66dfe841bad0b39dd11a5672df68 upstream.

Drop the @gpa param from __release_gpc() and rename the helper to make it
more obvious that the cache itself is not being released.  The helper
will be reused by a future commit to release a pfn+khva combination that
is _never_ associated with the cache, at which point the current name
would go from slightly misleading to blatantly wrong.

No functional change intended.

Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220429210025.3293691-4-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 virt/kvm/pfncache.c |   10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

--- a/virt/kvm/pfncache.c
+++ b/virt/kvm/pfncache.c
@@ -95,7 +95,7 @@ bool kvm_gfn_to_pfn_cache_check(struct k
 }
 EXPORT_SYMBOL_GPL(kvm_gfn_to_pfn_cache_check);
 
-static void __release_gpc(struct kvm *kvm, kvm_pfn_t pfn, void *khva, gpa_t gpa)
+static void gpc_release_pfn_and_khva(struct kvm *kvm, kvm_pfn_t pfn, void *khva)
 {
 	/* Unmap the old page if it was mapped before, and release it */
 	if (!is_error_noslot_pfn(pfn)) {
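
Review bot: the context comment "Unmap the old page if it was mapped before, and release it" inside the renamed `gpc_release_pfn_and_khva()` still describes the argument as the cache's old page. Since the changelog says the helper will be reused for a pfn+khva pair that is never associated with the cache, the comment should be reworded along with the rename so the helper's contract matches its new name.
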
@@ -146,7 +146,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct
 	unsigned long page_offset = gpa & ~PAGE_MASK;
 	kvm_pfn_t old_pfn, new_pfn;
 	unsigned long old_uhva;
-	gpa_t old_gpa;
 	void *old_khva;
 	bool old_valid;
 	int ret = 0;
@@ -160,7 +159,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct
 
 	write_lock_irq(&gpc->lock);
 
-	old_gpa = gpc->gpa;
 	old_pfn = gpc->pfn;
 	old_khva = gpc->khva - offset_in_page(gpc->khva);
 	old_uhva = gpc->uhva;
@@ -244,7 +242,7 @@ int kvm_gfn_to_pfn_cache_refresh(struct
  out:
 	write_unlock_irq(&gpc->lock);
 
-	__release_gpc(kvm, old_pfn, old_khva, old_gpa);
+	gpc_release_pfn_and_khva(kvm, old_pfn, old_khva);
 
 	return ret;
 }
@@ -254,14 +252,12 @@ void kvm_gfn_to_pfn_cache_unmap(struct k
 {
 	void *old_khva;
 	kvm_pfn_t old_pfn;
-	gpa_t old_gpa;
 
 	write_lock_irq(&gpc->lock);
 
 	gpc->valid = false;
 
 	old_khva = gpc->khva - offset_in_page(gpc->khva);
-	old_gpa = gpc->gpa;
 	old_pfn = gpc->pfn;
 
 	/*
@@ -273,7 +269,7 @@ void kvm_gfn_to_pfn_cache_unmap(struct k
 
 	write_unlock_irq(&gpc->lock);
 
-	__release_gpc(kvm, old_pfn, old_khva, old_gpa);
+	gpc_release_pfn_and_khva(kvm, old_pfn, old_khva);
 }
 EXPORT_SYMBOL_GPL(kvm_gfn_to_pfn_cache_unmap);
 




* [PATCH 5.19 0028/1157] KVM: Put the extra pfn reference when reusing a pfn in the gpc cache
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0027/1157] KVM: Drop unused @gpa param from gfn=>pfn caches __release_gpc() helper Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0029/1157] KVM: Fully serialize gfn=>pfn cache refresh via mutex Greg Kroah-Hartman
                   ` (967 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit 3dddf65b4f4c451c345d34ae85bdf1791a746e49 upstream.

Put the struct page reference to pfn acquired by hva_to_pfn() when the
old and new pfns for a gfn=>pfn cache match.  The cache already has a
reference via the old/current pfn, and will only put one reference when
the cache is done with the pfn.

Fixes: 982ed0de4753 ("KVM: Reinstate gfn_to_pfn_cache with invalidation support")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220429210025.3293691-5-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 virt/kvm/pfncache.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/virt/kvm/pfncache.c
+++ b/virt/kvm/pfncache.c
@@ -206,6 +206,14 @@ int kvm_gfn_to_pfn_cache_refresh(struct
 
 		if (gpc->usage & KVM_HOST_USES_PFN) {
 			if (new_pfn == old_pfn) {
+				/*
+				 * Reuse the existing pfn and khva, but put the
+				 * reference acquired hva_to_pfn_retry(); the
+				 * cache still holds a reference to the pfn
+				 * from the previous refresh.
+				 */
+				gpc_release_pfn_and_khva(kvm, new_pfn, NULL);
+
 				new_khva = old_khva;
 				old_pfn = KVM_PFN_ERR_FAULT;
 				old_khva = NULL;
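
Review bot: `gpc_release_pfn_and_khva(kvm, new_pfn, NULL)` in the `new_pfn == old_pfn` branch depends on the helper skipping the unmap when khva is NULL and only dropping the page reference. The added comment should say that the NULL is deliberate, because the existing khva stays in use. The comment text also reads "the reference acquired hva_to_pfn_retry()", which is missing "by".
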




* [PATCH 5.19 0029/1157] KVM: Fully serialize gfn=>pfn cache refresh via mutex
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0028/1157] KVM: Put the extra pfn reference when reusing a pfn in the gpc cache Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0030/1157] KVM: Fix multiple races in gfn=>pfn cache refresh Greg Kroah-Hartman
                   ` (966 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lai Jiangshan, Sean Christopherson,
	Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit 93984f19e7bce4c18084a6ef3dacafb155b806ed upstream.

Protect gfn=>pfn cache refresh with a mutex to fully serialize refreshes.
The refresh logic doesn't protect against

- concurrent unmaps, or refreshes with different GPAs (which may or may not
  happen in practice, for example if a cache is only used under vcpu->mutex;
  but it's allowed in the code)

- a false negative on the memslot generation.  If the first refresh sees
  a stale memslot generation, it will refresh the hva and generation before
  moving on to the hva=>pfn translation.  If it then drops gpc->lock, a
  different user of the cache can come along, acquire gpc->lock, see that
  the memslot generation is fresh, and skip the hva=>pfn update due to the
  userspace address also matching (because it too was updated).

The refresh path can already sleep during hva=>pfn resolution, so wrap
the refresh with a mutex to ensure that any given refresh runs to
completion before other callers can start their refresh.

Cc: stable@vger.kernel.org
Cc: Lai Jiangshan <jiangshanlai@gmail.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220429210025.3293691-7-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/kvm_types.h |    2 ++
 virt/kvm/pfncache.c       |   12 ++++++++++++
 2 files changed, 14 insertions(+)

--- a/include/linux/kvm_types.h
+++ b/include/linux/kvm_types.h
@@ -19,6 +19,7 @@ struct kvm_memslots;
 enum kvm_mr_change;
 
 #include <linux/bits.h>
+#include <linux/mutex.h>
 #include <linux/types.h>
 #include <linux/spinlock_types.h>
 
@@ -69,6 +70,7 @@ struct gfn_to_pfn_cache {
 	struct kvm_vcpu *vcpu;
 	struct list_head list;
 	rwlock_t lock;
+	struct mutex refresh_lock;
 	void *khva;
 	kvm_pfn_t pfn;
 	enum pfn_cache_usage usage;
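
Review bot: the new `struct mutex refresh_lock;` member sits next to `rwlock_t lock;` with no comment on what each protects or the order in which they nest. The pfncache.c hunks always take `refresh_lock` first and `lock` second; documenting that ordering at the field declaration would help the next caller get it right.
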
--- a/virt/kvm/pfncache.c
+++ b/virt/kvm/pfncache.c
@@ -157,6 +157,13 @@ int kvm_gfn_to_pfn_cache_refresh(struct
 	if (page_offset + len > PAGE_SIZE)
 		return -EINVAL;
 
+	/*
+	 * If another task is refreshing the cache, wait for it to complete.
+	 * There is no guarantee that concurrent refreshes will see the same
+	 * gpa, memslots generation, etc..., so they must be fully serialized.
+	 */
+	mutex_lock(&gpc->refresh_lock);
+
 	write_lock_irq(&gpc->lock);
 
 	old_pfn = gpc->pfn;
@@ -250,6 +257,8 @@ int kvm_gfn_to_pfn_cache_refresh(struct
  out:
 	write_unlock_irq(&gpc->lock);
 
+	mutex_unlock(&gpc->refresh_lock);
+
 	gpc_release_pfn_and_khva(kvm, old_pfn, old_khva);
 
 	return ret;
@@ -261,6 +270,7 @@ void kvm_gfn_to_pfn_cache_unmap(struct k
 	void *old_khva;
 	kvm_pfn_t old_pfn;
 
+	mutex_lock(&gpc->refresh_lock);
 	write_lock_irq(&gpc->lock);
 
 	gpc->valid = false;
@@ -276,6 +286,7 @@ void kvm_gfn_to_pfn_cache_unmap(struct k
 	gpc->pfn = KVM_PFN_ERR_FAULT;
 
 	write_unlock_irq(&gpc->lock);
+	mutex_unlock(&gpc->refresh_lock);
 
 	gpc_release_pfn_and_khva(kvm, old_pfn, old_khva);
 }
@@ -290,6 +301,7 @@ int kvm_gfn_to_pfn_cache_init(struct kvm
 
 	if (!gpc->active) {
 		rwlock_init(&gpc->lock);
+		mutex_init(&gpc->refresh_lock);
 
 		gpc->khva = NULL;
 		gpc->pfn = KVM_PFN_ERR_FAULT;
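
Review bot: `mutex_init(&gpc->refresh_lock);` is added under `if (!gpc->active)`, but none of the visible hunks adds a matching `mutex_destroy()` on the teardown side. That loses the mutex debugging checks when a cache is destroyed. Because the init is conditional on `!gpc->active`, it is also worth confirming that refresh and unmap cannot run on a cache that has never passed through this branch.
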




* [PATCH 5.19 0030/1157] KVM: Fix multiple races in gfn=>pfn cache refresh
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0029/1157] KVM: Fully serialize gfn=>pfn cache refresh via mutex Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0031/1157] KVM: Do not incorporate page offset into gfn=>pfn cache user address Greg Kroah-Hartman
                   ` (965 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Woodhouse, Mingwei Zhang,
	Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit 58cd407ca4c6278cf9f9d09a2e663bf645b0c982 upstream.

Rework the gfn=>pfn cache (gpc) refresh logic to address multiple races
between the cache itself, and between the cache and mmu_notifier events.

The existing refresh code attempts to guard against races with the
mmu_notifier by speculatively marking the cache valid, and then marking
it invalid if a mmu_notifier invalidation occurs.  That handles the case
where an invalidation occurs between dropping and re-acquiring gpc->lock,
but it doesn't handle the scenario where the cache is refreshed after the
cache was invalidated by the notifier, but before the notifier elevates
mmu_notifier_count.  The gpc refresh can't use the "retry" helper as its
invalidation occurs _before_ mmu_notifier_count is elevated and before
mmu_notifier_range_start is set/updated.

  CPU0                                    CPU1
  ----                                    ----

  gfn_to_pfn_cache_invalidate_start()
  |
  -> gpc->valid = false;
                                          kvm_gfn_to_pfn_cache_refresh()
                                          |
                                          |-> gpc->valid = true;

                                          hva_to_pfn_retry()
                                          |
                                          -> acquire kvm->mmu_lock
                                             kvm->mmu_notifier_count == 0
                                             mmu_seq == kvm->mmu_notifier_seq
                                             drop kvm->mmu_lock
                                             return pfn 'X'
  acquire kvm->mmu_lock
  kvm_inc_notifier_count()
  drop kvm->mmu_lock()
  kernel frees pfn 'X'
                                          kvm_gfn_to_pfn_cache_check()
                                          |
                                          |-> gpc->valid == true

                                          caller accesses freed pfn 'X'

Key off of mn_active_invalidate_count to detect that a pfncache refresh
needs to wait for an in-progress mmu_notifier invalidation.  While
mn_active_invalidate_count is not guaranteed to be stable, it is
guaranteed to be elevated prior to an invalidation acquiring gpc->lock,
so either the refresh will see an active invalidation and wait, or the
invalidation will run after the refresh completes.

Speculatively marking the cache valid is itself flawed, as a concurrent
kvm_gfn_to_pfn_cache_check() would see a valid cache with stale pfn/khva
values.  The KVM Xen use case explicitly allows/wants multiple users;
even though the caches are allocated per vCPU, __kvm_xen_has_interrupt()
can read a different vCPU (or vCPUs).  Address this race by invalidating
the cache prior to dropping gpc->lock (this is made possible by fixing
the above mmu_notifier race).

Complicating all of this is the fact that both the hva=>pfn resolution
and mapping of the kernel address can sleep, i.e. must be done outside
of gpc->lock.

Fix the above races in one fell swoop; trying to fix each individual race
is largely pointless and essentially impossible to test, e.g. closing one
hole just shifts the focus to the other hole.

Fixes: 982ed0de4753 ("KVM: Reinstate gfn_to_pfn_cache with invalidation support")
Cc: stable@vger.kernel.org
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Mingwei Zhang <mizhang@google.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220429210025.3293691-8-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 virt/kvm/kvm_main.c |    9 ++
 virt/kvm/pfncache.c |  193 ++++++++++++++++++++++++++++++++--------------------
 2 files changed, 131 insertions(+), 71 deletions(-)

--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -724,6 +724,15 @@ static int kvm_mmu_notifier_invalidate_r
 	kvm->mn_active_invalidate_count++;
 	spin_unlock(&kvm->mn_invalidate_lock);
 
+	/*
+	 * Invalidate pfn caches _before_ invalidating the secondary MMUs, i.e.
+	 * before acquiring mmu_lock, to avoid holding mmu_lock while acquiring
+	 * each cache's lock.  There are relatively few caches in existence at
+	 * any given time, and the caches themselves can check for hva overlap,
+	 * i.e. don't need to rely on memslot overlap checks for performance.
+	 * Because this runs without holding mmu_lock, the pfn caches must use
+	 * mn_active_invalidate_count (see above) instead of mmu_notifier_count.
+	 */
 	gfn_to_pfn_cache_invalidate_start(kvm, range->start, range->end,
 					  hva_range.may_block);
 
--- a/virt/kvm/pfncache.c
+++ b/virt/kvm/pfncache.c
@@ -112,31 +112,122 @@ static void gpc_release_pfn_and_khva(str
 	}
 }
 
-static kvm_pfn_t hva_to_pfn_retry(struct kvm *kvm, unsigned long uhva)
+static inline bool mmu_notifier_retry_cache(struct kvm *kvm, unsigned long mmu_seq)
 {
+	/*
+	 * mn_active_invalidate_count acts for all intents and purposes
+	 * like mmu_notifier_count here; but the latter cannot be used
+	 * here because the invalidation of caches in the mmu_notifier
+	 * event occurs _before_ mmu_notifier_count is elevated.
+	 *
+	 * Note, it does not matter that mn_active_invalidate_count
+	 * is not protected by gpc->lock.  It is guaranteed to
+	 * be elevated before the mmu_notifier acquires gpc->lock, and
+	 * isn't dropped until after mmu_notifier_seq is updated.
+	 */
+	if (kvm->mn_active_invalidate_count)
+		return true;
+
+	/*
+	 * Ensure mn_active_invalidate_count is read before
+	 * mmu_notifier_seq.  This pairs with the smp_wmb() in
+	 * mmu_notifier_invalidate_range_end() to guarantee either the
+	 * old (non-zero) value of mn_active_invalidate_count or the
+	 * new (incremented) value of mmu_notifier_seq is observed.
+	 */
+	smp_rmb();
+	return kvm->mmu_notifier_seq != mmu_seq;
+}
+
+static kvm_pfn_t hva_to_pfn_retry(struct kvm *kvm, struct gfn_to_pfn_cache *gpc)
+{
+	/* Note, the new page offset may be different than the old! */
+	void *old_khva = gpc->khva - offset_in_page(gpc->khva);
+	kvm_pfn_t new_pfn = KVM_PFN_ERR_FAULT;
+	void *new_khva = NULL;
 	unsigned long mmu_seq;
-	kvm_pfn_t new_pfn;
-	int retry;
+
+	lockdep_assert_held(&gpc->refresh_lock);
+
+	lockdep_assert_held_write(&gpc->lock);
+
+	/*
+	 * Invalidate the cache prior to dropping gpc->lock, the gpa=>uhva
+	 * assets have already been updated and so a concurrent check() from a
+	 * different task may not fail the gpa/uhva/generation checks.
+	 */
+	gpc->valid = false;
 
 	do {
 		mmu_seq = kvm->mmu_notifier_seq;
 		smp_rmb();
 
+		write_unlock_irq(&gpc->lock);
+
+		/*
+		 * If the previous iteration "failed" due to an mmu_notifier
+		 * event, release the pfn and unmap the kernel virtual address
+		 * from the previous attempt.  Unmapping might sleep, so this
+		 * needs to be done after dropping the lock.  Opportunistically
+		 * check for resched while the lock isn't held.
+		 */
+		if (new_pfn != KVM_PFN_ERR_FAULT) {
+			/*
+			 * Keep the mapping if the previous iteration reused
+			 * the existing mapping and didn't create a new one.
+			 */
+			if (new_khva == old_khva)
+				new_khva = NULL;
+
+			gpc_release_pfn_and_khva(kvm, new_pfn, new_khva);
+
+			cond_resched();
+		}
+
 		/* We always request a writeable mapping */
-		new_pfn = hva_to_pfn(uhva, false, NULL, true, NULL);
+		new_pfn = hva_to_pfn(gpc->uhva, false, NULL, true, NULL);
 		if (is_error_noslot_pfn(new_pfn))
-			break;
+			goto out_error;
+
+		/*
+		 * Obtain a new kernel mapping if KVM itself will access the
+		 * pfn.  Note, kmap() and memremap() can both sleep, so this
+		 * too must be done outside of gpc->lock!
+		 */
+		if (gpc->usage & KVM_HOST_USES_PFN) {
+			if (new_pfn == gpc->pfn) {
+				new_khva = old_khva;
+			} else if (pfn_valid(new_pfn)) {
+				new_khva = kmap(pfn_to_page(new_pfn));
+#ifdef CONFIG_HAS_IOMEM
+			} else {
+				new_khva = memremap(pfn_to_hpa(new_pfn), PAGE_SIZE, MEMREMAP_WB);
+#endif
+			}
+			if (!new_khva) {
+				kvm_release_pfn_clean(new_pfn);
+				goto out_error;
+			}
+		}
+
+		write_lock_irq(&gpc->lock);
 
-		KVM_MMU_READ_LOCK(kvm);
-		retry = mmu_notifier_retry_hva(kvm, mmu_seq, uhva);
-		KVM_MMU_READ_UNLOCK(kvm);
-		if (!retry)
-			break;
+		/*
+		 * Other tasks must wait for _this_ refresh to complete before
+		 * attempting to refresh.
+		 */
+		WARN_ON_ONCE(gpc->valid);
+	} while (mmu_notifier_retry_cache(kvm, mmu_seq));
+
+	gpc->valid = true;
+	gpc->pfn = new_pfn;
+	gpc->khva = new_khva + (gpc->gpa & ~PAGE_MASK);
+	return 0;
 
-		cond_resched();
-	} while (1);
+out_error:
+	write_lock_irq(&gpc->lock);
 
-	return new_pfn;
+	return -EFAULT;
 }
 
 int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
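
Review bot: hva_to_pfn_retry() is still declared as returning kvm_pfn_t,
but after this hunk it returns 0 on success and -EFAULT at out_error, and
the caller in a later hunk stores the result in "int ret".  The pfn now
travels through gpc->pfn, so the return type should be int to match what
is actually returned; as written, the signature suggests a pfn that a
caller might test with is_error_noslot_pfn().
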
@@ -147,7 +238,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct
 	kvm_pfn_t old_pfn, new_pfn;
 	unsigned long old_uhva;
 	void *old_khva;
-	bool old_valid;
 	int ret = 0;
 
 	/*
@@ -169,7 +259,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct
 	old_pfn = gpc->pfn;
 	old_khva = gpc->khva - offset_in_page(gpc->khva);
 	old_uhva = gpc->uhva;
-	old_valid = gpc->valid;
 
 	/* If the userspace HVA is invalid, refresh that first */
 	if (gpc->gpa != gpa || gpc->generation != slots->generation ||
@@ -182,7 +271,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct
 		gpc->uhva = gfn_to_hva_memslot(gpc->memslot, gfn);
 
 		if (kvm_is_error_hva(gpc->uhva)) {
-			gpc->pfn = KVM_PFN_ERR_FAULT;
 			ret = -EFAULT;
 			goto out;
 		}
@@ -194,60 +282,8 @@ int kvm_gfn_to_pfn_cache_refresh(struct
 	 * If the userspace HVA changed or the PFN was already invalid,
 	 * drop the lock and do the HVA to PFN lookup again.
 	 */
-	if (!old_valid || old_uhva != gpc->uhva) {
-		unsigned long uhva = gpc->uhva;
-		void *new_khva = NULL;
-
-		/* Placeholders for "hva is valid but not yet mapped" */
-		gpc->pfn = KVM_PFN_ERR_FAULT;
-		gpc->khva = NULL;
-		gpc->valid = true;
-
-		write_unlock_irq(&gpc->lock);
-
-		new_pfn = hva_to_pfn_retry(kvm, uhva);
-		if (is_error_noslot_pfn(new_pfn)) {
-			ret = -EFAULT;
-			goto map_done;
-		}
-
-		if (gpc->usage & KVM_HOST_USES_PFN) {
-			if (new_pfn == old_pfn) {
-				/*
-				 * Reuse the existing pfn and khva, but put the
-				 * reference acquired hva_to_pfn_retry(); the
-				 * cache still holds a reference to the pfn
-				 * from the previous refresh.
-				 */
-				gpc_release_pfn_and_khva(kvm, new_pfn, NULL);
-
-				new_khva = old_khva;
-				old_pfn = KVM_PFN_ERR_FAULT;
-				old_khva = NULL;
-			} else if (pfn_valid(new_pfn)) {
-				new_khva = kmap(pfn_to_page(new_pfn));
-#ifdef CONFIG_HAS_IOMEM
-			} else {
-				new_khva = memremap(pfn_to_hpa(new_pfn), PAGE_SIZE, MEMREMAP_WB);
-#endif
-			}
-			if (new_khva)
-				new_khva += page_offset;
-			else
-				ret = -EFAULT;
-		}
-
-	map_done:
-		write_lock_irq(&gpc->lock);
-		if (ret) {
-			gpc->valid = false;
-			gpc->pfn = KVM_PFN_ERR_FAULT;
-			gpc->khva = NULL;
-		} else {
-			/* At this point, gpc->valid may already have been cleared */
-			gpc->pfn = new_pfn;
-			gpc->khva = new_khva;
-		}
+	if (!gpc->valid || old_uhva != gpc->uhva) {
+		ret = hva_to_pfn_retry(kvm, gpc);
 	} else {
 		/* If the HVA→PFN mapping was already valid, don't unmap it. */
 		old_pfn = KVM_PFN_ERR_FAULT;
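
Review bot: gpc->khva can now end up non-NULL without any mapping behind
it.  The block removed here added page_offset only under the
KVM_HOST_USES_PFN test and only "if (new_khva)", while its replacement in
hva_to_pfn_retry() does "gpc->khva = new_khva + (gpc->gpa & ~PAGE_MASK)"
unconditionally.  For a cache without KVM_HOST_USES_PFN, new_khva stays
NULL, so khva becomes the bare page offset whenever the gpa is not page
aligned.  Suggest leaving khva NULL when new_khva is NULL so that a NULL
test on gpc->khva stays meaningful.
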
@@ -255,11 +291,26 @@ int kvm_gfn_to_pfn_cache_refresh(struct
 	}
 
  out:
+	/*
+	 * Invalidate the cache and purge the pfn/khva if the refresh failed.
+	 * Some/all of the uhva, gpa, and memslot generation info may still be
+	 * valid, leave it as is.
+	 */
+	if (ret) {
+		gpc->valid = false;
+		gpc->pfn = KVM_PFN_ERR_FAULT;
+		gpc->khva = NULL;
+	}
+
+	/* Snapshot the new pfn before dropping the lock! */
+	new_pfn = gpc->pfn;
+
 	write_unlock_irq(&gpc->lock);
 
 	mutex_unlock(&gpc->refresh_lock);
 
-	gpc_release_pfn_and_khva(kvm, old_pfn, old_khva);
+	if (old_pfn != new_pfn)
+		gpc_release_pfn_and_khva(kvm, old_pfn, old_khva);
 
 	return ret;
 }
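
Review bot: the new "if (old_pfn != new_pfn)" skips
gpc_release_pfn_and_khva() when the refresh resolves to the pfn the cache
already held, but the lookup in hva_to_pfn_retry() took its own reference
in that case, and the block removed in the previous hunk used to put it
("the cache still holds a reference to the pfn from the previous
refresh").  I don't see that put anywhere in the new code, so each
same-pfn refresh looks like it keeps one extra reference.  Either drop the
extra reference in the "new_pfn == gpc->pfn" branch or add a comment
saying where it is released.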




* [PATCH 5.19 0031/1157] KVM: Do not incorporate page offset into gfn=>pfn cache user address
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0030/1157] KVM: Fix multiple races in gfn=>pfn cache refresh Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0032/1157] KVM: x86: Split kvm_is_valid_cr4() and export only the non-vendor bits Greg Kroah-Hartman
                   ` (964 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit 3ba2c95ea180740b16281fa43a3ee5f47279c0ed upstream.

Don't adjust the userspace address in the gfn=>pfn cache by the page
offset from the gpa.  KVM should never use the user address directly, and
all KVM operations that translate a user address to something else
require the user address to be page aligned.  Ignoring the offset will
allow the cache to reuse a gfn=>hva translation in the unlikely event
that the page offset of the gpa changes, but the gfn does not.  And more
importantly, not having to (un)adjust the user address will simplify a
future bug fix.

Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220429210025.3293691-6-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 virt/kvm/pfncache.c |    2 --
 1 file changed, 2 deletions(-)

--- a/virt/kvm/pfncache.c
+++ b/virt/kvm/pfncache.c
@@ -274,8 +274,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct
 			ret = -EFAULT;
 			goto out;
 		}
-
-		gpc->uhva += page_offset;
 	}
 
 	/*
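
Review bot: with "gpc->uhva += page_offset" removed, gpc->uhva is page
aligned from here on, but nothing in the hunk or its context records that
as an invariant.  A one-line comment at this spot (or on the uhva field)
saying the cached user address is always page aligned would keep a later
change from re-adding the offset.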




* [PATCH 5.19 0032/1157] KVM: x86: Split kvm_is_valid_cr4() and export only the non-vendor bits
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0031/1157] KVM: Do not incorporate page offset into gfn=>pfn cache user address Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0033/1157] KVM: nVMX: Let userspace set nVMX MSR to any _host_ supported value Greg Kroah-Hartman
                   ` (963 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit c33f6f2228fe8517e38941a508e9f905f99ecba9 upstream.

Split the common x86 parts of kvm_is_valid_cr4(), i.e. the reserved bits
checks, into a separate helper, __kvm_is_valid_cr4(), and export only the
inner helper to vendor code in order to prevent nested VMX from calling
back into vmx_is_valid_cr4() via kvm_is_valid_cr4().

On SVM, this is a nop as SVM doesn't place any additional restrictions on
CR4.

On VMX, this is also currently a nop, but only because nested VMX is
missing checks on reserved CR4 bits for nested VM-Enter.  That bug will
be fixed in a future patch, and could simply use kvm_is_valid_cr4() as-is,
but nVMX has _another_ bug where VMXON emulation doesn't enforce VMX's
restrictions on CR0/CR4.  The cleanest and most intuitive way to fix the
VMXON bug is to use nested_host_cr{0,4}_valid().  If the CR4 variant
routes through kvm_is_valid_cr4(), using nested_host_cr4_valid() won't do
the right thing for the VMXON case as vmx_is_valid_cr4() enforces VMX's
restrictions if and only if the vCPU is post-VMXON.

Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220607213604.3346000-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/nested.c |    3 ++-
 arch/x86/kvm/vmx/vmx.c    |    4 ++--
 arch/x86/kvm/x86.c        |   12 +++++++++---
 arch/x86/kvm/x86.h        |    2 +-
 4 files changed, 14 insertions(+), 7 deletions(-)

--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -320,7 +320,8 @@ static bool __nested_vmcb_check_save(str
 			return false;
 	}
 
-	if (CC(!kvm_is_valid_cr4(vcpu, save->cr4)))
+	/* Note, SVM doesn't have any additional restrictions on CR4. */
+	if (CC(!__kvm_is_valid_cr4(vcpu, save->cr4)))
 		return false;
 
 	if (CC(!kvm_valid_efer(vcpu, save->efer)))
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -3230,8 +3230,8 @@ static bool vmx_is_valid_cr4(struct kvm_
 {
 	/*
 	 * We operate under the default treatment of SMM, so VMX cannot be
-	 * enabled under SMM.  Note, whether or not VMXE is allowed at all is
-	 * handled by kvm_is_valid_cr4().
+	 * enabled under SMM.  Note, whether or not VMXE is allowed at all,
+	 * i.e. is a reserved bit, is handled by common x86 code.
 	 */
 	if ((cr4 & X86_CR4_VMXE) && is_smm(vcpu))
 		return false;
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1094,7 +1094,7 @@ int kvm_emulate_xsetbv(struct kvm_vcpu *
 }
 EXPORT_SYMBOL_GPL(kvm_emulate_xsetbv);
 
-bool kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+bool __kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
 {
 	if (cr4 & cr4_reserved_bits)
 		return false;
@@ -1102,9 +1102,15 @@ bool kvm_is_valid_cr4(struct kvm_vcpu *v
 	if (cr4 & vcpu->arch.cr4_guest_rsvd_bits)
 		return false;
 
-	return static_call(kvm_x86_is_valid_cr4)(vcpu, cr4);
+	return true;
+}
+EXPORT_SYMBOL_GPL(__kvm_is_valid_cr4);
+
+static bool kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+{
+	return __kvm_is_valid_cr4(vcpu, cr4) &&
+	       static_call(kvm_x86_is_valid_cr4)(vcpu, cr4);
 }
-EXPORT_SYMBOL_GPL(kvm_is_valid_cr4);
 
 void kvm_post_set_cr4(struct kvm_vcpu *vcpu, unsigned long old_cr4, unsigned long cr4)
 {
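
Review bot: __kvm_is_valid_cr4() is exported here with no comment saying
that it performs the reserved-bit checks only and skips the vendor hook
that the now-static kvm_is_valid_cr4() still calls.  The double
underscore alone does not tell a vendor-code caller that it has to apply
its own restrictions; a short comment above the function stating that
narrower contract would make it visible at the export.
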
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -407,7 +407,7 @@ static inline void kvm_machine_check(voi
 void kvm_load_guest_xsave_state(struct kvm_vcpu *vcpu);
 void kvm_load_host_xsave_state(struct kvm_vcpu *vcpu);
 int kvm_spec_ctrl_test_value(u64 value);
-bool kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4);
+bool __kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4);
 int kvm_handle_memory_failure(struct kvm_vcpu *vcpu, int r,
 			      struct x86_exception *e);
 int kvm_handle_invpcid(struct kvm_vcpu *vcpu, unsigned long type, gva_t gva);




* [PATCH 5.19 0033/1157] KVM: nVMX: Let userspace set nVMX MSR to any _host_ supported value
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0032/1157] KVM: x86: Split kvm_is_valid_cr4() and export only the non-vendor bits Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0034/1157] KVM: nVMX: Account for KVM reserved CR4 bits in consistency checks Greg Kroah-Hartman
                   ` (962 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Matlack, Sean Christopherson,
	Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit f8ae08f9789ad59d318ea75b570caa454aceda81 upstream.

Restrict the nVMX MSRs based on KVM's config, not based on the guest's
current config.  Using the guest's config to audit the new config
prevents userspace from restoring the original config (KVM's config) if
at any point in the past the guest's config was restricted in any way.

Fixes: 62cc6b9dc61e ("KVM: nVMX: support restore of VMX capability MSRs")
Cc: stable@vger.kernel.org
Cc: David Matlack <dmatlack@google.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220607213604.3346000-6-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/vmx/nested.c |   70 ++++++++++++++++++++++++----------------------
 1 file changed, 37 insertions(+), 33 deletions(-)

--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -1223,7 +1223,7 @@ static int vmx_restore_vmx_basic(struct
 		BIT_ULL(49) | BIT_ULL(54) | BIT_ULL(55) |
 		/* reserved */
 		BIT_ULL(31) | GENMASK_ULL(47, 45) | GENMASK_ULL(63, 56);
-	u64 vmx_basic = vmx->nested.msrs.basic;
+	u64 vmx_basic = vmcs_config.nested.basic;
 
 	if (!is_bitwise_subset(vmx_basic, data, feature_and_reserved))
 		return -EINVAL;
@@ -1246,36 +1246,42 @@ static int vmx_restore_vmx_basic(struct
 	return 0;
 }
 
-static int
-vmx_restore_control_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data)
+static void vmx_get_control_msr(struct nested_vmx_msrs *msrs, u32 msr_index,
+				u32 **low, u32 **high)
 {
-	u64 supported;
-	u32 *lowp, *highp;
-
 	switch (msr_index) {
 	case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
-		lowp = &vmx->nested.msrs.pinbased_ctls_low;
-		highp = &vmx->nested.msrs.pinbased_ctls_high;
+		*low = &msrs->pinbased_ctls_low;
+		*high = &msrs->pinbased_ctls_high;
 		break;
 	case MSR_IA32_VMX_TRUE_PROCBASED_CTLS:
-		lowp = &vmx->nested.msrs.procbased_ctls_low;
-		highp = &vmx->nested.msrs.procbased_ctls_high;
+		*low = &msrs->procbased_ctls_low;
+		*high = &msrs->procbased_ctls_high;
 		break;
 	case MSR_IA32_VMX_TRUE_EXIT_CTLS:
-		lowp = &vmx->nested.msrs.exit_ctls_low;
-		highp = &vmx->nested.msrs.exit_ctls_high;
+		*low = &msrs->exit_ctls_low;
+		*high = &msrs->exit_ctls_high;
 		break;
 	case MSR_IA32_VMX_TRUE_ENTRY_CTLS:
-		lowp = &vmx->nested.msrs.entry_ctls_low;
-		highp = &vmx->nested.msrs.entry_ctls_high;
+		*low = &msrs->entry_ctls_low;
+		*high = &msrs->entry_ctls_high;
 		break;
 	case MSR_IA32_VMX_PROCBASED_CTLS2:
-		lowp = &vmx->nested.msrs.secondary_ctls_low;
-		highp = &vmx->nested.msrs.secondary_ctls_high;
+		*low = &msrs->secondary_ctls_low;
+		*high = &msrs->secondary_ctls_high;
 		break;
 	default:
 		BUG();
 	}
+}
+
+static int
+vmx_restore_control_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data)
+{
+	u32 *lowp, *highp;
+	u64 supported;
+
+	vmx_get_control_msr(&vmcs_config.nested, msr_index, &lowp, &highp);
 
 	supported = vmx_control_msr(*lowp, *highp);
 
@@ -1287,6 +1293,7 @@ vmx_restore_control_msr(struct vcpu_vmx
 	if (!is_bitwise_subset(supported, data, GENMASK_ULL(63, 32)))
 		return -EINVAL;
 
+	vmx_get_control_msr(&vmx->nested.msrs, msr_index, &lowp, &highp);
 	*lowp = data;
 	*highp = data >> 32;
 	return 0;
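
Review bot: the same lowp/highp variables first point at the global
vmcs_config.nested for the audit and are then re-pointed at
vmx->nested.msrs by the call added here, immediately before the two
stores.  If that second vmx_get_control_msr() call were ever dropped or
moved below the stores, "*lowp = data" would write into KVM's global
config instead of the vCPU's copy.  Consider separate variables for the
config pointers and the per-vCPU pointers, or a const-qualified read of
the config as vmx_restore_fixed0_msr() does with "const u64 *msr" later
in this patch.
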
@@ -1300,10 +1307,8 @@ static int vmx_restore_vmx_misc(struct v
 		BIT_ULL(28) | BIT_ULL(29) | BIT_ULL(30) |
 		/* reserved */
 		GENMASK_ULL(13, 9) | BIT_ULL(31);
-	u64 vmx_misc;
-
-	vmx_misc = vmx_control_msr(vmx->nested.msrs.misc_low,
-				   vmx->nested.msrs.misc_high);
+	u64 vmx_misc = vmx_control_msr(vmcs_config.nested.misc_low,
+				       vmcs_config.nested.misc_high);
 
 	if (!is_bitwise_subset(vmx_misc, data, feature_and_reserved_bits))
 		return -EINVAL;
@@ -1331,10 +1336,8 @@ static int vmx_restore_vmx_misc(struct v
 
 static int vmx_restore_vmx_ept_vpid_cap(struct vcpu_vmx *vmx, u64 data)
 {
-	u64 vmx_ept_vpid_cap;
-
-	vmx_ept_vpid_cap = vmx_control_msr(vmx->nested.msrs.ept_caps,
-					   vmx->nested.msrs.vpid_caps);
+	u64 vmx_ept_vpid_cap = vmx_control_msr(vmcs_config.nested.ept_caps,
+					       vmcs_config.nested.vpid_caps);
 
 	/* Every bit is either reserved or a feature bit. */
 	if (!is_bitwise_subset(vmx_ept_vpid_cap, data, -1ULL))
@@ -1345,20 +1348,21 @@ static int vmx_restore_vmx_ept_vpid_cap(
 	return 0;
 }
 
-static int vmx_restore_fixed0_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data)
+static u64 *vmx_get_fixed0_msr(struct nested_vmx_msrs *msrs, u32 msr_index)
 {
-	u64 *msr;
-
 	switch (msr_index) {
 	case MSR_IA32_VMX_CR0_FIXED0:
-		msr = &vmx->nested.msrs.cr0_fixed0;
-		break;
+		return &msrs->cr0_fixed0;
 	case MSR_IA32_VMX_CR4_FIXED0:
-		msr = &vmx->nested.msrs.cr4_fixed0;
-		break;
+		return &msrs->cr4_fixed0;
 	default:
 		BUG();
 	}
+}
+
+static int vmx_restore_fixed0_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data)
+{
+	const u64 *msr = vmx_get_fixed0_msr(&vmcs_config.nested, msr_index);
 
 	/*
 	 * 1 bits (which indicates bits which "must-be-1" during VMX operation)
@@ -1367,7 +1371,7 @@ static int vmx_restore_fixed0_msr(struct
 	if (!is_bitwise_subset(data, *msr, -1ULL))
 		return -EINVAL;
 
-	*msr = data;
+	*vmx_get_fixed0_msr(&vmx->nested.msrs, msr_index) = data;
 	return 0;
 }
 
@@ -1428,7 +1432,7 @@ int vmx_set_vmx_msr(struct kvm_vcpu *vcp
 		vmx->nested.msrs.vmcs_enum = data;
 		return 0;
 	case MSR_IA32_VMX_VMFUNC:
-		if (data & ~vmx->nested.msrs.vmfunc_controls)
+		if (data & ~vmcs_config.nested.vmfunc_controls)
 			return -EINVAL;
 		vmx->nested.msrs.vmfunc_controls = data;
 		return 0;




* [PATCH 5.19 0034/1157] KVM: nVMX: Account for KVM reserved CR4 bits in consistency checks
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0033/1157] KVM: nVMX: Let userspace set nVMX MSR to any _host_ supported value Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0035/1157] KVM: nVMX: Inject #UD if VMXON is attempted with incompatible CR0/CR4 Greg Kroah-Hartman
                   ` (961 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit ca58f3aa53d165afe4ab74c755bc2f6d168617ac upstream.

Check that the guest (L2) and host (L1) CR4 values that would be loaded
by nested VM-Enter and VM-Exit respectively are valid with respect to
KVM's (L0 host) allowed CR4 bits.  Failure to check KVM reserved bits
would allow L1 to load an illegal CR4 (or trigger hardware VM-Fail or
failed VM-Entry) by massaging guest CPUID to allow features that are not
supported by KVM.  Amusingly, KVM itself is an accomplice in its doom, as
KVM adjusts L1's MSR_IA32_VMX_CR4_FIXED1 to allow L1 to enable bits for
L2 based on L1's CPUID model.

Note, although nested_{guest,host}_cr4_valid() are _currently_ used if
and only if the vCPU is post-VMXON (nested.vmxon == true), that may not
be true in the future, e.g. emulating VMXON has a bug where it doesn't
check the allowed/required CR0/CR4 bits.

Cc: stable@vger.kernel.org
Fixes: 3899152ccbf4 ("KVM: nVMX: fix checks on CR{0,4} during virtual VMX operation")
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220607213604.3346000-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/vmx/nested.h |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/vmx/nested.h
+++ b/arch/x86/kvm/vmx/nested.h
@@ -281,7 +281,8 @@ static inline bool nested_cr4_valid(stru
 	u64 fixed0 = to_vmx(vcpu)->nested.msrs.cr4_fixed0;
 	u64 fixed1 = to_vmx(vcpu)->nested.msrs.cr4_fixed1;
 
-	return fixed_bits_valid(val, fixed0, fixed1);
+	return fixed_bits_valid(val, fixed0, fixed1) &&
+	       __kvm_is_valid_cr4(vcpu, val);
 }
 
 /* No difference in the restrictions on guest and host CR4 in VMX operation. */
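
Review bot: the added __kvm_is_valid_cr4() call has no comment explaining
why the fixed0/fixed1 test is not sufficient on its own.  The reason given
in the changelog (L1's CR4_FIXED1 follows L1's CPUID, which can allow
features KVM does not support) is not obvious from the code, so a one-line
comment above the return would help.  For backports, note that this
depends on __kvm_is_valid_cr4() being available to vendor code, which
patch 0032 in this series provides.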




* [PATCH 5.19 0035/1157] KVM: nVMX: Inject #UD if VMXON is attempted with incompatible CR0/CR4
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0034/1157] KVM: nVMX: Account for KVM reserved CR4 bits in consistency checks Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0036/1157] KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks Greg Kroah-Hartman
                   ` (960 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Li, Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit c7d855c2aff2d511fd60ee2e356134c4fb394799 upstream.

Inject a #UD if L1 attempts VMXON with a CR0 or CR4 that is disallowed
per the associated nested VMX MSRs' fixed0/1 settings.  KVM cannot rely
on hardware to perform the checks, even for the few checks that have
higher priority than VM-Exit, as (a) KVM may have forced CR0/CR4 bits in
hardware while running the guest, (b) there may be incompatible CR0/CR4 bits
that have lower priority than VM-Exit, e.g. CR0.NE, and (c) userspace may
have further restricted the allowed CR0/CR4 values by manipulating the
guest's nested VMX MSRs.

Note, despite a very strong desire to throw shade at Jim, commit
70f3aac964ae ("kvm: nVMX: Remove superfluous VMX instruction fault checks")
is not to blame for the buggy behavior (though the comment...).  That
commit only removed the CR0.PE, EFLAGS.VM, and COMPATIBILITY mode checks
(though it did erroneously drop the CPL check, but that has already been
remedied).  KVM may force CR0.PE=1, but will do so only when also
forcing EFLAGS.VM=1 to emulate Real Mode, i.e. hardware will still #UD.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=216033
Fixes: ec378aeef9df ("KVM: nVMX: Implement VMXON and VMXOFF")
Reported-by: Eric Li <ercli@ucdavis.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220607213604.3346000-4-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/vmx/nested.c |   23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -4968,20 +4968,25 @@ static int handle_vmon(struct kvm_vcpu *
 		| FEAT_CTL_VMX_ENABLED_OUTSIDE_SMX;
 
 	/*
-	 * The Intel VMX Instruction Reference lists a bunch of bits that are
-	 * prerequisite to running VMXON, most notably cr4.VMXE must be set to
-	 * 1 (see vmx_is_valid_cr4() for when we allow the guest to set this).
-	 * Otherwise, we should fail with #UD.  But most faulting conditions
-	 * have already been checked by hardware, prior to the VM-exit for
-	 * VMXON.  We do test guest cr4.VMXE because processor CR4 always has
-	 * that bit set to 1 in non-root mode.
+	 * Note, KVM cannot rely on hardware to perform the CR0/CR4 #UD checks
+	 * that have higher priority than VM-Exit (see Intel SDM's pseudocode
+	 * for VMXON), as KVM must load valid CR0/CR4 values into hardware while
+	 * running the guest, i.e. KVM needs to check the _guest_ values.
+	 *
+	 * Rely on hardware for the other two pre-VM-Exit checks, !VM86 and
+	 * !COMPATIBILITY modes.  KVM may run the guest in VM86 to emulate Real
+	 * Mode, but KVM will never take the guest out of those modes.
 	 */
-	if (!kvm_read_cr4_bits(vcpu, X86_CR4_VMXE)) {
+	if (!nested_host_cr0_valid(vcpu, kvm_read_cr0(vcpu)) ||
+	    !nested_host_cr4_valid(vcpu, kvm_read_cr4(vcpu))) {
 		kvm_queue_exception(vcpu, UD_VECTOR);
 		return 1;
 	}
 
-	/* CPL=0 must be checked manually. */
+	/*
+	 * CPL=0 and all other checks that are lower priority than VM-Exit must
+	 * be checked manually.
+	 */
 	if (vmx_get_cpl(vcpu)) {
 		kvm_inject_gp(vcpu, 0);
 		return 1;
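
Review bot: the explicit kvm_read_cr4_bits(vcpu, X86_CR4_VMXE) test is
removed and the rewritten comment no longer mentions CR4.VMXE at all,
although the old comment called it the most notable VMXON prerequisite.
The #UD for CR4.VMXE=0 now depends on nested_host_cr4_valid() rejecting it
through the nested fixed0/1 settings the changelog refers to; please say
so in the comment so that the dependency is not lost in a later cleanup.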




* [PATCH 5.19 0036/1157] KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2022-08-15 17:49 ` [PATCH 5.19 0035/1157] KVM: nVMX: Inject #UD if VMXON is attempted with incompatible CR0/CR4 Greg Kroah-Hartman
@ 2022-08-15 17:49 ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0037/1157] KVM: x86: Set error code to segment selector on LLDT/LTR non-canonical #GP Greg Kroah-Hartman
                   ` (959 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+760a73552f47a8cd0fd9,
	Tetsuo Handa, Hou Wenlong, Sean Christopherson, Maxim Levitsky

From: Sean Christopherson <seanjc@google.com>

commit ec6e4d863258d4bfb36d48d5e3ef68140234d688 upstream.

Wait to mark the TSS as busy during LTR emulation until after all fault
checks for the LTR have passed.  Specifically, don't mark the TSS busy if
the new TSS base is non-canonical.

Opportunistically drop the one-off !seg_desc.PRESENT check for TR as the
only reason for the early check was to avoid marking a !PRESENT TSS as
busy, i.e. the common !PRESENT is now done before setting the busy bit.

Fixes: e37a75a13cda ("KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR")
Reported-by: syzbot+760a73552f47a8cd0fd9@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Hou Wenlong <houwenlong.hwl@antgroup.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20220711232750.1092012-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/emulate.c |   19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1687,16 +1687,6 @@ static int __load_segment_descriptor(str
 	case VCPU_SREG_TR:
 		if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
 			goto exception;
-		if (!seg_desc.p) {
-			err_vec = NP_VECTOR;
-			goto exception;
-		}
-		old_desc = seg_desc;
-		seg_desc.type |= 2; /* busy */
-		ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
-						  sizeof(seg_desc), &ctxt->exception);
-		if (ret != X86EMUL_CONTINUE)
-			return ret;
 		break;
 	case VCPU_SREG_LDTR:
 		if (seg_desc.s || seg_desc.type != 2)
@@ -1737,6 +1727,15 @@ static int __load_segment_descriptor(str
 				((u64)base3 << 32), ctxt))
 			return emulate_gp(ctxt, 0);
 	}
+
+	if (seg == VCPU_SREG_TR) {
+		old_desc = seg_desc;
+		seg_desc.type |= 2; /* busy */
+		ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
+						  sizeof(seg_desc), &ctxt->exception);
+		if (ret != X86EMUL_CONTINUE)
+			return ret;
+	}
 load:
 	ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
 	if (desc)
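
Review bot: the relocated busy-marking block carries only the
"/* busy */" comment, and nothing at its new position says that it must
stay after every fault check, which is the whole point of the move.  A
short comment above "if (seg == VCPU_SREG_TR)" stating that the
cmpxchg_emulated() write to the descriptor must come after the last check
that can raise an exception would protect the ordering against future
additions between the non-canonical test and "load:".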




* [PATCH 5.19 0037/1157] KVM: x86: Set error code to segment selector on LLDT/LTR non-canonical #GP
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Maxim Levitsky

From: Sean Christopherson <seanjc@google.com>

commit 2626206963ace9e8bf92b6eea5ff78dd674c555c upstream.

When injecting a #GP on LLDT/LTR due to a non-canonical LDT/TSS base, set
the error code to the selector.  Intel's SDM says nothing about the #GP,
but AMD's APM explicitly states that both LLDT and LTR set the error code
to the selector, not zero.

Note, a non-canonical memory operand on LLDT/LTR does generate a #GP(0),
but the KVM code in question is specific to the base from the descriptor.

Fixes: e37a75a13cda ("KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20220711232750.1092012-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/emulate.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1724,8 +1724,8 @@ static int __load_segment_descriptor(str
 		if (ret != X86EMUL_CONTINUE)
 			return ret;
 		if (emul_is_noncanonical_address(get_desc_base(&seg_desc) |
-				((u64)base3 << 32), ctxt))
-			return emulate_gp(ctxt, 0);
+						 ((u64)base3 << 32), ctxt))
+			return emulate_gp(ctxt, err_code);
 	}
 
 	if (seg == VCPU_SREG_TR) {
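Review bot: The new `emulate_gp(ctxt, err_code)` relies on err_code still holding the selector-derived value at this point, and nothing in the hunk shows where it is assigned. A short comment here, noting that the error code is the selector per AMD's APM and that the SDM is silent, would keep the next reader from changing it back to 0. The re-indentation of the `((u64)base3 << 32)` continuation line is unrelated whitespace churn that would be easier to review as a separate change.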




* [PATCH 5.19 0038/1157] KVM: x86/mmu: Treat NX as a valid SPTE bit for NPT
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit 6c6ab524cfae0799e55c82b2c1d61f1af0156f8d upstream.

Treat the NX bit as valid when using NPT, as KVM will set the NX bit when
the NX huge page mitigation is enabled (mindblowing) and trigger the WARN
that fires on reserved SPTE bits being set.

KVM has required NX support for SVM since commit b26a71a1a5b9 ("KVM: SVM:
Refuse to load kvm_amd if NX support is not available") for exactly this
reason, but apparently it never occurred to anyone to actually test NPT
with the mitigation enabled.

  ------------[ cut here ]------------
  spte = 0x800000018a600ee7, level = 2, rsvd bits = 0x800f0000001fe000
  WARNING: CPU: 152 PID: 15966 at arch/x86/kvm/mmu/spte.c:215 make_spte+0x327/0x340 [kvm]
  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 10.48.0 01/27/2022
  RIP: 0010:make_spte+0x327/0x340 [kvm]
  Call Trace:
   <TASK>
   tdp_mmu_map_handle_target_level+0xc3/0x230 [kvm]
   kvm_tdp_mmu_map+0x343/0x3b0 [kvm]
   direct_page_fault+0x1ae/0x2a0 [kvm]
   kvm_tdp_page_fault+0x7d/0x90 [kvm]
   kvm_mmu_page_fault+0xfb/0x2e0 [kvm]
   npf_interception+0x55/0x90 [kvm_amd]
   svm_invoke_exit_handler+0x31/0xf0 [kvm_amd]
   svm_handle_exit+0xf6/0x1d0 [kvm_amd]
   vcpu_enter_guest+0xb6d/0xee0 [kvm]
   ? kvm_pmu_trigger_event+0x6d/0x230 [kvm]
   vcpu_run+0x65/0x2c0 [kvm]
   kvm_arch_vcpu_ioctl_run+0x355/0x610 [kvm]
   kvm_vcpu_ioctl+0x551/0x610 [kvm]
   __se_sys_ioctl+0x77/0xc0
   __x64_sys_ioctl+0x1d/0x20
   do_syscall_64+0x44/0xa0
   entry_SYSCALL_64_after_hwframe+0x46/0xb0
   </TASK>
  ---[ end trace 0000000000000000 ]---

Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220723013029.1753623-1-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/mmu/mmu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -4567,7 +4567,7 @@ reset_tdp_shadow_zero_bits_mask(struct k
 
 	if (boot_cpu_is_amd())
 		__reset_rsvds_bits_mask(shadow_zero_check, reserved_hpa_bits(),
-					context->root_role.level, false,
+					context->root_role.level, true,
 					boot_cpu_has(X86_FEATURE_GBPAGES),
 					false, true);
 	else
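Review bot: The fourth argument to __reset_rsvds_bits_mask() flips from `false` to `true` with nothing at the call site saying which parameter it is, and the call passes three literal booleans positionally. An inline comment naming the argument (the changelog implies it is the NX flag) would make the call auditable without opening the callee.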




* [PATCH 5.19 0039/1157] KVM: SVM: Disable SEV-ES support if MMIO caching is disable
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Roth, Tom Lendacky,
	Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit 0c29397ac1fdd64ae59941a477511a05e61a4754 upstream.

Disable SEV-ES if MMIO caching is disabled as SEV-ES relies on MMIO SPTEs
generating #NPF(RSVD), which are reflected by the CPU into the guest as
a #VC.  With SEV-ES, the untrusted host, a.k.a. KVM, doesn't have access
to the guest instruction stream or register state and so can't directly
emulate in response to a #NPF on an emulated MMIO GPA.  Disabling MMIO
caching means guest accesses to emulated MMIO ranges cause #NPF(!PRESENT),
and those flavors of #NPF cause automatic VM-Exits, not #VC.

Adjust KVM's MMIO masks to account for the C-bit location prior to doing
SEV(-ES) setup, and document that dependency between adjusting the MMIO
SPTE mask and SEV(-ES) setup.

Fixes: b09763da4dd8 ("KVM: x86/mmu: Add module param to disable MMIO caching (for testing)")
Reported-by: Michael Roth <michael.roth@amd.com>
Tested-by: Michael Roth <michael.roth@amd.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220803224957.1285926-4-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/mmu.h      |    2 ++
 arch/x86/kvm/mmu/spte.c |    1 +
 arch/x86/kvm/mmu/spte.h |    2 --
 arch/x86/kvm/svm/sev.c  |   10 ++++++++++
 arch/x86/kvm/svm/svm.c  |    9 ++++++---
 5 files changed, 19 insertions(+), 5 deletions(-)

--- a/arch/x86/kvm/mmu.h
+++ b/arch/x86/kvm/mmu.h
@@ -11,6 +11,8 @@
 #define PT32_PT_BITS 10
 #define PT32_ENT_PER_PAGE (1 << PT32_PT_BITS)
 
+extern bool __read_mostly enable_mmio_caching;
+
 #define PT_WRITABLE_SHIFT 1
 #define PT_USER_SHIFT 2
 
--- a/arch/x86/kvm/mmu/spte.c
+++ b/arch/x86/kvm/mmu/spte.c
@@ -21,6 +21,7 @@
 
 bool __read_mostly enable_mmio_caching = true;
 module_param_named(mmio_caching, enable_mmio_caching, bool, 0444);
+EXPORT_SYMBOL_GPL(enable_mmio_caching);
 
 u64 __read_mostly shadow_host_writable_mask;
 u64 __read_mostly shadow_mmu_writable_mask;
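Review bot: `EXPORT_SYMBOL_GPL(enable_mmio_caching)` exports a writable global to the vendor modules, while the only consumer added in this patch, sev_hardware_setup(), just reads it. A small read-only accessor exported instead of the variable would keep writes confined to spte.c; if the raw export stays, a comment that vendor code must not write it directly would help.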
--- a/arch/x86/kvm/mmu/spte.h
+++ b/arch/x86/kvm/mmu/spte.h
@@ -5,8 +5,6 @@
 
 #include "mmu_internal.h"
 
-extern bool __read_mostly enable_mmio_caching;
-
 /*
  * A MMU present SPTE is backed by actual memory and may or may not be present
  * in hardware.  E.g. MMIO SPTEs are not considered present.  Use bit 11, as it
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -22,6 +22,7 @@
 #include <asm/trapnr.h>
 #include <asm/fpu/xcr.h>
 
+#include "mmu.h"
 #include "x86.h"
 #include "svm.h"
 #include "svm_ops.h"
@@ -2221,6 +2222,15 @@ void __init sev_hardware_setup(void)
 	if (!sev_es_enabled)
 		goto out;
 
+	/*
+	 * SEV-ES requires MMIO caching as KVM doesn't have access to the guest
+	 * instruction stream, i.e. can't emulate in response to a #NPF and
+	 * instead relies on #NPF(RSVD) being reflected into the guest as #VC
+	 * (the guest can then do a #VMGEXIT to request MMIO emulation).
+	 */
+	if (!enable_mmio_caching)
+		goto out;
+
 	/* Does the CPU support SEV-ES? */
 	if (!boot_cpu_has(X86_FEATURE_SEV_ES))
 		goto out;
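Review bot: The new `if (!enable_mmio_caching) goto out;` turns SEV-ES off without telling the administrator why. Unless the `out:` path already reports the reason, a pr_info() at this check would save someone from debugging why SEV-ES guests no longer launch after kvm was loaded with mmio_caching=0.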
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4897,13 +4897,16 @@ static __init int svm_hardware_setup(voi
 	/* Setup shadow_me_value and shadow_me_mask */
 	kvm_mmu_set_me_spte_mask(sme_me_mask, sme_me_mask);
 
-	/* Note, SEV setup consumes npt_enabled. */
+	svm_adjust_mmio_mask();
+
+	/*
+	 * Note, SEV setup consumes npt_enabled and enable_mmio_caching (which
+	 * may be modified by svm_adjust_mmio_mask()).
+	 */
 	sev_hardware_setup();
 
 	svm_hv_hardware_setup();
 
-	svm_adjust_mmio_mask();
-
 	for_each_possible_cpu(cpu) {
 		r = svm_cpu_init(cpu);
 		if (r)
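Review bot: The ordering requirement between svm_adjust_mmio_mask() and sev_hardware_setup() is now enforced only by the comment above the call. svm_adjust_mmio_mask() also moves ahead of svm_hv_hardware_setup(); please confirm it does not depend on anything that call sets up.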




* [PATCH 5.19 0040/1157] KVM: x86: Tag kvm_mmu_x86_module_init() with __init
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kai Huang, Michael Roth,
	Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit 982bae43f11c37b51d2f1961bb25ef7cac3746fa upstream.

Mark kvm_mmu_x86_module_init() with __init, the entire reason it exists
is to initialize variables when kvm.ko is loaded, i.e. it must never be
called after module initialization.

Fixes: 1d0e84806047 ("KVM: x86/mmu: Resolve nx_huge_pages when kvm.ko is loaded")
Cc: stable@vger.kernel.org
Reviewed-by: Kai Huang <kai.huang@intel.com>
Tested-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220803224957.1285926-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/kvm_host.h |    2 +-
 arch/x86/kvm/mmu/mmu.c          |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1654,7 +1654,7 @@ static inline int kvm_arch_flush_remote_
 #define kvm_arch_pmi_in_guest(vcpu) \
 	((vcpu) && (vcpu)->arch.handling_intr_from_guest)
 
-void kvm_mmu_x86_module_init(void);
+void __init kvm_mmu_x86_module_init(void);
 int kvm_mmu_vendor_module_init(void);
 void kvm_mmu_vendor_module_exit(void);
 
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -6275,7 +6275,7 @@ static int set_nx_huge_pages(const char
  * nx_huge_pages needs to be resolved to true/false when kvm.ko is loaded, as
  * its default value of -1 is technically undefined behavior for a boolean.
  */
-void kvm_mmu_x86_module_init(void)
+void __init kvm_mmu_x86_module_init(void)
 {
 	if (nx_huge_pages == -1)
 		__set_nx_huge_pages(get_nx_auto_mode());
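Review bot: With `__init` on the definition of kvm_mmu_x86_module_init(), every caller has to be __init as well, or modpost will report a section mismatch and a late call would jump into freed memory. The caller is not part of this patch, so please confirm it is annotated accordingly.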




* [PATCH 5.19 0041/1157] KVM: x86/mmu: Fully re-evaluate MMIO caching when SPTE masks change
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Roth, Tom Lendacky,
	Sean Christopherson, Kai Huang, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit c3e0c8c2e8b17bae30d5978bc2decdd4098f0f99 upstream.

Fully re-evaluate whether or not MMIO caching can be enabled when SPTE
masks change; simply clearing enable_mmio_caching when a configuration
isn't compatible with caching fails to handle the scenario where the
masks are updated, e.g. by VMX for EPT or by SVM to account for the C-bit
location, and toggle compatibility from false=>true.

Snapshot the original module param so that re-evaluating MMIO caching
preserves userspace's desire to allow caching.  Use a snapshot approach
so that enable_mmio_caching still reflects KVM's actual behavior.

Fixes: 8b9e74bfbf8c ("KVM: x86/mmu: Use enable_mmio_caching to track if MMIO caching is enabled")
Reported-by: Michael Roth <michael.roth@amd.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: stable@vger.kernel.org
Tested-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Kai Huang <kai.huang@intel.com>
Message-Id: <20220803224957.1285926-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/mmu/mmu.c  |    4 ++++
 arch/x86/kvm/mmu/spte.c |   19 +++++++++++++++++++
 arch/x86/kvm/mmu/spte.h |    1 +
 3 files changed, 24 insertions(+)

--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -6274,11 +6274,15 @@ static int set_nx_huge_pages(const char
 /*
  * nx_huge_pages needs to be resolved to true/false when kvm.ko is loaded, as
  * its default value of -1 is technically undefined behavior for a boolean.
+ * Forward the module init call to SPTE code so that it too can handle module
+ * params that need to be resolved/snapshot.
  */
 void __init kvm_mmu_x86_module_init(void)
 {
 	if (nx_huge_pages == -1)
 		__set_nx_huge_pages(get_nx_auto_mode());
+
+	kvm_mmu_spte_module_init();
 }
 
 /*
--- a/arch/x86/kvm/mmu/spte.c
+++ b/arch/x86/kvm/mmu/spte.c
@@ -20,6 +20,7 @@
 #include <asm/vmx.h>
 
 bool __read_mostly enable_mmio_caching = true;
+static bool __ro_after_init allow_mmio_caching;
 module_param_named(mmio_caching, enable_mmio_caching, bool, 0444);
 EXPORT_SYMBOL_GPL(enable_mmio_caching);
 
@@ -43,6 +44,18 @@ u64 __read_mostly shadow_nonpresent_or_r
 
 u8 __read_mostly shadow_phys_bits;
 
+void __init kvm_mmu_spte_module_init(void)
+{
+	/*
+	 * Snapshot userspace's desire to allow MMIO caching.  Whether or not
+	 * KVM can actually enable MMIO caching depends on vendor-specific
+	 * hardware capabilities and other module params that can't be resolved
+	 * until the vendor module is loaded, i.e. enable_mmio_caching can and
+	 * will change when the vendor module is (re)loaded.
+	 */
+	allow_mmio_caching = enable_mmio_caching;
+}
+
 static u64 generation_mmio_spte_mask(u64 gen)
 {
 	u64 mask;
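Review bot: kvm_mmu_spte_module_init() snapshots enable_mmio_caching exactly once, so allow_mmio_caching is only correct if nothing clears enable_mmio_caching before kvm.ko's init reaches this call. A sentence in the new comment stating that ordering assumption would make it checkable.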
@@ -338,6 +351,12 @@ void kvm_mmu_set_mmio_spte_mask(u64 mmio
 	BUG_ON((u64)(unsigned)access_mask != access_mask);
 	WARN_ON(mmio_value & shadow_nonpresent_or_rsvd_lower_gfn_mask);
 
+	/*
+	 * Reset to the original module param value to honor userspace's desire
+	 * to (dis)allow MMIO caching.  Update the param itself so that
+	 * userspace can see whether or not KVM is actually using MMIO caching.
+	 */
+	enable_mmio_caching = allow_mmio_caching;
 	if (!enable_mmio_caching)
 		mmio_value = 0;
 
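Review bot: `enable_mmio_caching = allow_mmio_caching;` resets the flag on every call to kvm_mmu_set_mmio_spte_mask(), so the result is only right if the compatibility checks further down in the function, outside this hunk, clear it again each time the masks are unsuitable. It is also a plain store to a global that other code reads (the SEV-ES check added in patch 0039 of this series); the new comment should say what serializes callers, for example that this only runs during vendor module setup.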
--- a/arch/x86/kvm/mmu/spte.h
+++ b/arch/x86/kvm/mmu/spte.h
@@ -444,6 +444,7 @@ static inline u64 restore_acc_track_spte
 
 u64 kvm_mmu_changed_pte_notifier_make_spte(u64 old_spte, kvm_pfn_t new_pfn);
 
+void __init kvm_mmu_spte_module_init(void);
 void kvm_mmu_reset_all_pte_masks(void);
 
 #endif




* [PATCH 5.19 0042/1157] KVM: x86: do not report preemption if the steal time cache is stale
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Woodhouse, Paolo Bonzini

From: Paolo Bonzini <pbonzini@redhat.com>

commit c3c28d24d910a746b02f496d190e0e8c6560224b upstream.

Commit 7e2175ebd695 ("KVM: x86: Fix recording of guest steal time
/ preempted status", 2021-11-11) open coded the previous call to
kvm_map_gfn, but in doing so it dropped the comparison between the cached
guest physical address and the one in the MSR.  This causes an incorrect
cache hit if the guest modifies the steal time address while the memslots
remain the same.  This can happen with kexec, in which case the preempted
bit is written at the address used by the old kernel instead of
the old one.

Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: stable@vger.kernel.org
Fixes: 7e2175ebd695 ("KVM: x86: Fix recording of guest steal time / preempted status")
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/x86.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4635,6 +4635,7 @@ static void kvm_steal_time_set_preempted
 	struct kvm_steal_time __user *st;
 	struct kvm_memslots *slots;
 	static const u8 preempted = KVM_VCPU_PREEMPTED;
+	gpa_t gpa = vcpu->arch.st.msr_val & KVM_STEAL_VALID_BITS;
 
 	/*
 	 * The vCPU can be marked preempted if and only if the VM-Exit was on
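Review bot: `vcpu->arch.st.msr_val & KVM_STEAL_VALID_BITS` in the new `gpa` initializer is the same expression that patch 0043 of this series adds to record_steal_time(). A small helper returning the steal-time GPA would keep the two cache-validity checks from drifting apart again, which, going by the changelog, is how the comparison was lost when the earlier call was open coded.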
@@ -4662,6 +4663,7 @@ static void kvm_steal_time_set_preempted
 	slots = kvm_memslots(vcpu->kvm);
 
 	if (unlikely(slots->generation != ghc->generation ||
+		     gpa != ghc->gpa ||
 		     kvm_is_error_hva(ghc->hva) || !ghc->memslot))
 		return;
 
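Review bot: On `gpa != ghc->gpa` this path just returns, so the preempted flag is silently not reported until something else refreshes the cache. A comment on the condition saying that revalidation is left to record_steal_time() and that skipping the write here is intentional would make that clear to the next reader.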




* [PATCH 5.19 0043/1157] KVM: x86: revalidate steal time cache if MSR value changes
From: Greg Kroah-Hartman @ 2022-08-15 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Young, Xiaoying Yan,
	David Woodhouse, Paolo Bonzini, Dr . David Alan Gilbert

From: Paolo Bonzini <pbonzini@redhat.com>

commit 901d3765fa804ce42812f1d5b1f3de2dfbb26723 upstream.

Commit 7e2175ebd695 ("KVM: x86: Fix recording of guest steal time
/ preempted status", 2021-11-11) open coded the previous call to
kvm_map_gfn, but in doing so it dropped the comparison between the cached
guest physical address and the one in the MSR.  This causes an incorrect
cache hit if the guest modifies the steal time address while the memslots
remain the same.  This can happen with kexec, in which case the steal
time data is written at the address used by the old kernel instead of
the old one.

While at it, rename the variable from gfn to gpa since it is a plain
physical address and not a right-shifted one.

Reported-by: Dave Young <ruyang@redhat.com>
Reported-by: Xiaoying Yan  <yiyan@redhat.com>
Analyzed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: stable@vger.kernel.org
Fixes: 7e2175ebd695 ("KVM: x86: Fix recording of guest steal time / preempted status")
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/x86.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3386,6 +3386,7 @@ static void record_steal_time(struct kvm
 	struct gfn_to_hva_cache *ghc = &vcpu->arch.st.cache;
 	struct kvm_steal_time __user *st;
 	struct kvm_memslots *slots;
+	gpa_t gpa = vcpu->arch.st.msr_val & KVM_STEAL_VALID_BITS;
 	u64 steal;
 	u32 version;
 
@@ -3403,13 +3404,12 @@ static void record_steal_time(struct kvm
 	slots = kvm_memslots(vcpu->kvm);
 
 	if (unlikely(slots->generation != ghc->generation ||
+		     gpa != ghc->gpa ||
 		     kvm_is_error_hva(ghc->hva) || !ghc->memslot)) {
-		gfn_t gfn = vcpu->arch.st.msr_val & KVM_STEAL_VALID_BITS;
-
 		/* We rely on the fact that it fits in a single page. */
 		BUILD_BUG_ON((sizeof(*st) - 1) & KVM_STEAL_VALID_BITS);
 
-		if (kvm_gfn_to_hva_cache_init(vcpu->kvm, ghc, gfn, sizeof(*st)) ||
+		if (kvm_gfn_to_hva_cache_init(vcpu->kvm, ghc, gpa, sizeof(*st)) ||
 		    kvm_is_error_hva(ghc->hva) || !ghc->memslot)
 			return;
 	}
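Review bot: The new `gpa != ghc->gpa` test only converges if kvm_gfn_to_hva_cache_init() stores the gpa it is given in ghc->gpa; otherwise every call would take the slow path and re-initialize the cache. That is not visible in this hunk, so please confirm it.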



^ permalink raw reply	[flat|nested] 1191+ messages in thread
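The stale-cache condition described in the two steal-time commit messages above (patches 0042 and 0043), as an added user-space C model that is not kernel code and not part of this thread. All struct, function and constant names are hypothetical; only the validity rule (memslot generation alone versus generation plus guest physical address) follows the patches.

```c
/* Added illustration: user-space model of the steal-time cache check.
 * Not kernel code; every name below is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_MEM_SIZE   4096u
#define MODEL_VALID_BITS (~(uint64_t)0x3f) /* model: low MSR bits are flags */
#define NO_WRITE         UINT64_MAX

struct hva_cache {
	uint64_t generation; /* memslot generation the mapping was made under */
	uint64_t gpa;        /* guest physical address the mapping is for */
	uint8_t *hva;        /* host pointer into guest memory */
	bool valid;
};

struct vcpu_model {
	uint8_t guest_mem[GUEST_MEM_SIZE];
	uint64_t memslot_generation;
	uint64_t msr_val;    /* steal-time MSR as last written by the guest */
	struct hva_cache cache;
};

/* check_gpa == false models the regression, true models the fix. */
static bool cache_is_stale(const struct vcpu_model *v, bool check_gpa)
{
	uint64_t gpa = v->msr_val & MODEL_VALID_BITS;
	const struct hva_cache *c = &v->cache;

	return !c->valid || c->generation != v->memslot_generation ||
	       (check_gpa && c->gpa != gpa);
}

static bool cache_init(struct vcpu_model *v)
{
	uint64_t gpa = v->msr_val & MODEL_VALID_BITS;

	v->cache.valid = gpa < GUEST_MEM_SIZE;
	if (!v->cache.valid)
		return false;
	v->cache.generation = v->memslot_generation;
	v->cache.gpa = gpa;
	v->cache.hva = v->guest_mem + gpa;
	return true;
}

/* Record path: revalidates a stale cache, then writes. */
static bool record_steal(struct vcpu_model *v, uint8_t marker, bool check_gpa)
{
	if (cache_is_stale(v, check_gpa) && !cache_init(v))
		return false;
	*v->cache.hva = marker;
	return true;
}

/* Preempt path: never revalidates, skips the write when stale. */
static bool set_preempted(struct vcpu_model *v, uint8_t marker, bool check_gpa)
{
	if (cache_is_stale(v, check_gpa))
		return false;
	*v->cache.hva = marker;
	return true;
}

static uint64_t find_marker(const struct vcpu_model *v, uint8_t marker)
{
	for (size_t i = 0; i < GUEST_MEM_SIZE; i++)
		if (v->guest_mem[i] == marker)
			return i;
	return NO_WRITE;
}

/* Old kernel registers 0x100; after "kexec" the new kernel registers 0x800.
 * The memslot generation does not change in between. */
static void setup_after_kexec(struct vcpu_model *v, bool check_gpa)
{
	memset(v, 0, sizeof(*v));
	v->memslot_generation = 1;
	v->msr_val = 0x100 | 1;
	record_steal(v, 0x11, check_gpa);
	v->msr_val = 0x800 | 1;
	memset(v->guest_mem, 0, sizeof(v->guest_mem));
}

/* Offset in guest memory that the next record write lands on. */
uint64_t record_offset_after_kexec(bool check_gpa)
{
	struct vcpu_model v;

	setup_after_kexec(&v, check_gpa);
	record_steal(&v, 0xBB, check_gpa);
	return find_marker(&v, 0xBB);
}

/* Offset the preempted flag lands on, or NO_WRITE if it was skipped. */
uint64_t preempt_offset_after_kexec(bool check_gpa)
{
	struct vcpu_model v;

	setup_after_kexec(&v, check_gpa);
	set_preempted(&v, 0xCC, check_gpa);
	return find_marker(&v, 0xCC);
}

int main(void)
{
	printf("record, generation only: 0x%llx\n",
	       (unsigned long long)record_offset_after_kexec(false));
	printf("record, generation+gpa:  0x%llx\n",
	       (unsigned long long)record_offset_after_kexec(true));
	printf("preempt skipped with gpa check: %d\n",
	       preempt_offset_after_kexec(true) == NO_WRITE);
	return 0;
}
```

With the generation-only rule both writes land at the address the old kernel registered; with the address comparison the record path remaps to the new address and the preempt path skips the write.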

* [PATCH 5.19 0044/1157] KVM: x86/xen: Initialize Xen timer only once
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+e54f930ed78eb0f85281,
	Coleman Dietsch, Sean Christopherson, Paolo Bonzini

From: Coleman Dietsch <dietschc@csp.edu>

commit af735db31285fa699384c649be72a9f32ecbb665 upstream.

Add a check for existing xen timers before initializing a new one.

Currently kvm_xen_init_timer() is called on every
KVM_XEN_VCPU_ATTR_TYPE_TIMER, which is causing the following ODEBUG
crash when vcpu->arch.xen.timer is already set.

ODEBUG: init active (active state 0)
object type: hrtimer hint: xen_timer_callbac0
RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:502
Call Trace:
__debug_object_init
debug_hrtimer_init
debug_init
hrtimer_init
kvm_xen_init_timer
kvm_xen_vcpu_set_attr
kvm_arch_vcpu_ioctl
kvm_vcpu_ioctl
vfs_ioctl

Fixes: 536395260582 ("KVM: x86/xen: handle PV timers oneshot mode")
Cc: stable@vger.kernel.org
Link: https://syzkaller.appspot.com/bug?id=8234a9dfd3aafbf092cc5a7cd9842e3ebc45fc42
Reported-by: syzbot+e54f930ed78eb0f85281@syzkaller.appspotmail.com
Signed-off-by: Coleman Dietsch <dietschc@csp.edu>
Reviewed-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220808190607.323899-2-dietschc@csp.edu>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/xen.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/xen.c
+++ b/arch/x86/kvm/xen.c
@@ -713,7 +713,9 @@ int kvm_xen_vcpu_set_attr(struct kvm_vcp
 				break;
 			}
 			vcpu->arch.xen.timer_virq = data->u.timer.port;
-			kvm_xen_init_timer(vcpu);
+
+			if (!vcpu->arch.xen.timer.function)
+				kvm_xen_init_timer(vcpu);
 
 			/* Restart the timer if it's set */
 			if (data->u.timer.expires_ns)
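Review bot: `if (!vcpu->arch.xen.timer.function)` uses a field inside the hrtimer as the "already initialized" flag, which only works if vcpu->arch.xen is zeroed at vCPU creation and nothing clears .function later. A comment saying so, or a dedicated helper or flag for "timer initialized", would be more robust than peeking into the hrtimer struct.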




* [PATCH 5.19 0045/1157] KVM: x86/xen: Stop Xen timer before changing IRQ
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+e54f930ed78eb0f85281,
	Coleman Dietsch, Sean Christopherson, David Woodhouse,
	Paolo Bonzini

From: Coleman Dietsch <dietschc@csp.edu>

commit c036899136355758dcd88878145036ab4d9c1f26 upstream.

Stop Xen timer (if it's running) prior to changing the IRQ vector and
potentially (re)starting the timer. Changing the IRQ vector while the
timer is still running can result in KVM injecting a garbage event, e.g.
vm_xen_inject_timer_irqs() could see a non-zero xen.timer_pending from
a previous timer but inject the new xen.timer_virq.

Fixes: 536395260582 ("KVM: x86/xen: handle PV timers oneshot mode")
Cc: stable@vger.kernel.org
Link: https://syzkaller.appspot.com/bug?id=8234a9dfd3aafbf092cc5a7cd9842e3ebc45fc42
Reported-by: syzbot+e54f930ed78eb0f85281@syzkaller.appspotmail.com
Signed-off-by: Coleman Dietsch <dietschc@csp.edu>
Reviewed-by: Sean Christopherson <seanjc@google.com>
Acked-by: David Woodhouse <dwmw@amazon.co.uk>
Message-Id: <20220808190607.323899-3-dietschc@csp.edu>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/xen.c |   33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

--- a/arch/x86/kvm/xen.c
+++ b/arch/x86/kvm/xen.c
@@ -707,25 +707,24 @@ int kvm_xen_vcpu_set_attr(struct kvm_vcp
 		break;
 
 	case KVM_XEN_VCPU_ATTR_TYPE_TIMER:
-		if (data->u.timer.port) {
-			if (data->u.timer.priority != KVM_IRQ_ROUTING_XEN_EVTCHN_PRIO_2LEVEL) {
-				r = -EINVAL;
-				break;
-			}
-			vcpu->arch.xen.timer_virq = data->u.timer.port;
+		if (data->u.timer.port &&
+		    data->u.timer.priority != KVM_IRQ_ROUTING_XEN_EVTCHN_PRIO_2LEVEL) {
+			r = -EINVAL;
+			break;
+		}
 
-			if (!vcpu->arch.xen.timer.function)
-				kvm_xen_init_timer(vcpu);
+		if (!vcpu->arch.xen.timer.function)
+			kvm_xen_init_timer(vcpu);
 
-			/* Restart the timer if it's set */
-			if (data->u.timer.expires_ns)
-				kvm_xen_start_timer(vcpu, data->u.timer.expires_ns,
-						    data->u.timer.expires_ns -
-						    get_kvmclock_ns(vcpu->kvm));
-		} else if (kvm_xen_timer_enabled(vcpu)) {
-			kvm_xen_stop_timer(vcpu);
-			vcpu->arch.xen.timer_virq = 0;
-		}
+		/* Stop the timer (if it's running) before changing the vector */
+		kvm_xen_stop_timer(vcpu);
+		vcpu->arch.xen.timer_virq = data->u.timer.port;
+
+		/* Start the timer if the new value has a valid vector+expiry. */
+		if (data->u.timer.port && data->u.timer.expires_ns)
+			kvm_xen_start_timer(vcpu, data->u.timer.expires_ns,
+					    data->u.timer.expires_ns -
+					    get_kvmclock_ns(vcpu->kvm));
 
 		r = 0;
 		break;
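Review bot: The unconditional `kvm_xen_stop_timer(vcpu)` fixes the stale-vector case only if stopping the timer also clears xen.timer_pending, which the changelog names as the source of the garbage event; that is not visible in this hunk, so please confirm it. There is also a behaviour change: a request with a port but `expires_ns == 0` now stops a running timer, where the old code left it running. That deserves a line in the changelog or in the documentation for KVM_XEN_VCPU_ATTR_TYPE_TIMER.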




* [PATCH 5.19 0046/1157] ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Meng Tang, Takashi Iwai

From: Meng Tang <tangmeng@uniontech.com>

commit f83bb2592482fe94c6eea07a8121763c80f36ce5 upstream.

There is another LENOVO 20149 (Type1Sku0) Notebook model with
CX20590 (the device PCI SSID is 17aa:3977) whose headphones are
not responding and which requires the quirk CXT_PINCFG_LENOVO_NOTEBOOK.
Add the corresponding entry to the quirk table.

Signed-off-by: Meng Tang <tangmeng@uniontech.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220808073406.19460-1-tangmeng@uniontech.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_conexant.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -222,6 +222,7 @@ enum {
 	CXT_PINCFG_LEMOTE_A1205,
 	CXT_PINCFG_COMPAQ_CQ60,
 	CXT_FIXUP_STEREO_DMIC,
+	CXT_PINCFG_LENOVO_NOTEBOOK,
 	CXT_FIXUP_INC_MIC_BOOST,
 	CXT_FIXUP_HEADPHONE_MIC_PIN,
 	CXT_FIXUP_HEADPHONE_MIC,
@@ -772,6 +773,14 @@ static const struct hda_fixup cxt_fixups
 		.type = HDA_FIXUP_FUNC,
 		.v.func = cxt_fixup_stereo_dmic,
 	},
+	[CXT_PINCFG_LENOVO_NOTEBOOK] = {
+		.type = HDA_FIXUP_PINS,
+		.v.pins = (const struct hda_pintbl[]) {
+			{ 0x1a, 0x05d71030 },
+			{ }
+		},
+		.chain_id = CXT_FIXUP_STEREO_DMIC,
+	},
 	[CXT_FIXUP_INC_MIC_BOOST] = {
 		.type = HDA_FIXUP_FUNC,
 		.v.func = cxt5066_increase_mic_boost,
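Review bot: The pin override `{ 0x1a, 0x05d71030 }` in the new CXT_PINCFG_LENOVO_NOTEBOOK entry is an unexplained magic value. A short comment saying what pin 0x1a is on this machine and what the config value encodes would let the next person verify it against the hardware.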
@@ -971,7 +980,7 @@ static const struct snd_pci_quirk cxt506
 	SND_PCI_QUIRK(0x17aa, 0x3905, "Lenovo G50-30", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC),
-	SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC),
+	SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_PINCFG_LENOVO_NOTEBOOK),
 	SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo G50-70", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x17aa, 0x397b, "Lenovo S205", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK_VENDOR(0x17aa, "Thinkpad", CXT_FIXUP_THINKPAD_ACPI),
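Review bot: This replaces the existing 17aa:3977 entry instead of adding one, so every machine with that SSID, still labelled "Lenovo IdeaPad U310" here, now gets the pin override in addition to CXT_FIXUP_STEREO_DMIC through the chain. The changelog describes a LENOVO 20149 notebook; please confirm the U310 is unaffected by the new pin config, and update the name string if the entry now covers both machines.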




* [PATCH 5.19 0047/1157] ALSA: hda/cirrus - support for iMac 12,1 model
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Allen Ballway, Takashi Iwai

From: Allen Ballway <ballway@chromium.org>

commit 74bba640d69914cf832b87f6bbb700e5ba430672 upstream.

The 12,1 model requires the same configuration as the 12,2 model
to enable headphones but has a different codec SSID. Adds
12,1 SSID for matching quirk.

[ re-sorted in SSID order by tiwai ]

Signed-off-by: Allen Ballway <ballway@chromium.org>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220810152701.1.I902c2e591bbf8de9acb649d1322fa1f291849266@changeid
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_cirrus.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_cirrus.c
+++ b/sound/pci/hda/patch_cirrus.c
@@ -395,6 +395,7 @@ static const struct snd_pci_quirk cs420x
 
 	/* codec SSID */
 	SND_PCI_QUIRK(0x106b, 0x0600, "iMac 14,1", CS420X_IMAC27_122),
+	SND_PCI_QUIRK(0x106b, 0x0900, "iMac 12,1", CS420X_IMAC27_122),
 	SND_PCI_QUIRK(0x106b, 0x1c00, "MacBookPro 8,1", CS420X_MBP81),
 	SND_PCI_QUIRK(0x106b, 0x2000, "iMac 12,2", CS420X_IMAC27_122),
 	SND_PCI_QUIRK(0x106b, 0x2800, "MacBookPro 10,1", CS420X_MBP101),




* [PATCH 5.19 0048/1157] ALSA: hda/realtek: Add quirk for another Asus K42JZ model
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0047/1157] ALSA: hda/cirrus - support for iMac 12,1 model Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0049/1157] ALSA: hda/realtek: Add a quirk for HP OMEN 15 (8786) mute LED Greg Kroah-Hartman
                   ` (947 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Meng Tang, Takashi Iwai

From: Meng Tang <tangmeng@uniontech.com>

commit f882c4bef9cb914d9f7be171afb10ed26536bfa7 upstream.

There is another Asus K42JZ model with the PCI SSID 1043:1313
that requires the quirk ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE.
Add the corresponding entry to the quirk table.

Signed-off-by: Meng Tang <tangmeng@uniontech.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220805074534.20003-1-tangmeng@uniontech.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6879,6 +6879,7 @@ enum {
 	ALC269_FIXUP_LIMIT_INT_MIC_BOOST,
 	ALC269VB_FIXUP_ASUS_ZENBOOK,
 	ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A,
+	ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE,
 	ALC269_FIXUP_LIMIT_INT_MIC_BOOST_MUTE_LED,
 	ALC269VB_FIXUP_ORDISSIMO_EVE2,
 	ALC283_FIXUP_CHROME_BOOK,
@@ -7466,6 +7467,15 @@ static const struct hda_fixup alc269_fix
 		.chained = true,
 		.chain_id = ALC269VB_FIXUP_ASUS_ZENBOOK,
 	},
+	[ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE] = {
+		.type = HDA_FIXUP_PINS,
+		.v.pins = (const struct hda_pintbl[]) {
+			{ 0x18, 0x01a110f0 },  /* use as headset mic */
+			{ }
+		},
+		.chained = true,
+		.chain_id = ALC269_FIXUP_HEADSET_MIC
+	},
 	[ALC269_FIXUP_LIMIT_INT_MIC_BOOST_MUTE_LED] = {
 		.type = HDA_FIXUP_FUNC,
 		.v.func = alc269_fixup_limit_int_mic_boost,
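Review bot: the new ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE entry ends with
".chain_id = ALC269_FIXUP_HEADSET_MIC" without a trailing comma, unlike
the entry just above it (".chain_id = ALC269VB_FIXUP_ASUS_ZENBOOK,"); add
the comma so that a later field does not have to touch this line. The
commit message also reads as if the fixup already existed and only a quirk
table entry was missing, while this hunk defines it; the message should
say that a new pin fixup for node 0x18 is being introduced.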
@@ -9237,6 +9247,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x1043, 0x12a0, "ASUS X441UV", ALC233_FIXUP_EAPD_COEF_AND_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1043, 0x12e0, "ASUS X541SA", ALC256_FIXUP_ASUS_MIC),
 	SND_PCI_QUIRK(0x1043, 0x12f0, "ASUS X541UV", ALC256_FIXUP_ASUS_MIC),
+	SND_PCI_QUIRK(0x1043, 0x1313, "Asus K42JZ", ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1043, 0x13b0, "ASUS Z550SA", ALC256_FIXUP_ASUS_MIC),
 	SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_ASUS_ZENBOOK),
 	SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A),




* [PATCH 5.19 0049/1157] ALSA: hda/realtek: Add a quirk for HP OMEN 15 (8786) mute LED
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0048/1157] ALSA: hda/realtek: Add quirk for another Asus K42JZ model Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0050/1157] LoongArch: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK Greg Kroah-Hartman
                   ` (946 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bedant Patnaik, Takashi Iwai

From: Bedant Patnaik <bedant.patnaik@gmail.com>

commit 30267718fe2d4dbea49015b022f6f1fe16ca31ab upstream.

Board ID 8786 seems to be another variant of the Omen 15 that needs
ALC285_FIXUP_HP_MUTE_LED for working mute LED.

Signed-off-by: Bedant Patnaik <bedant.patnaik@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220809142455.6473-1-bedant.patnaik@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9178,6 +9178,7 @@ static const struct snd_pci_quirk alc269
 		      ALC285_FIXUP_HP_GPIO_AMP_INIT),
 	SND_PCI_QUIRK(0x103c, 0x8783, "HP ZBook Fury 15 G7 Mobile Workstation",
 		      ALC285_FIXUP_HP_GPIO_AMP_INIT),
+	SND_PCI_QUIRK(0x103c, 0x8786, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
 	SND_PCI_QUIRK(0x103c, 0x8787, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
 	SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
 	SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),




* [PATCH 5.19 0050/1157] LoongArch: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0049/1157] ALSA: hda/realtek: Add a quirk for HP OMEN 15 (8786) mute LED Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0051/1157] tty: 8250: Add support for Brainboxes PX cards Greg Kroah-Hartman
                   ` (945 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Huacai Chen

From: Huacai Chen <chenhuacai@loongson.cn>

commit 28e112afa44ad0814120d41c68fa72372a2cd2c2 upstream.

When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected,
cpu_max_bits_warn() generates a runtime warning similar to the one below while
we show /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit)
instead of NR_CPUS to iterate CPUs.

[    3.052463] ------------[ cut here ]------------
[    3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0
[    3.070072] Modules linked in: efivarfs autofs4
[    3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052
[    3.084034] Hardware name: Loongson Loongson-3A5000-7A1000-1w-V0.1-CRB/Loongson-LS3A5000-7A1000-1w-EVB-V1.21, BIOS Loongson-UDK2018-V2.0.04082-beta7 04/27
[    3.199917] Call Trace:
[    3.203941] [<90000000002086d8>] show_stack+0x38/0x14c
[    3.210666] [<9000000000cf846c>] dump_stack_lvl+0x60/0x88
[    3.217625] [<900000000023d268>] __warn+0xd0/0x100
[    3.223958] [<9000000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc
[    3.231150] [<9000000000210220>] show_cpuinfo+0x5e8/0x5f0
[    3.238080] [<90000000004f578c>] seq_read_iter+0x354/0x4b4
[    3.245098] [<90000000004c2e90>] new_sync_read+0x17c/0x1c4
[    3.252114] [<90000000004c5174>] vfs_read+0x138/0x1d0
[    3.258694] [<90000000004c55f8>] ksys_read+0x70/0x100
[    3.265265] [<9000000000cfde9c>] do_syscall+0x7c/0x94
[    3.271820] [<9000000000202fe4>] handle_syscall+0xc4/0x160
[    3.281824] ---[ end trace 8b484262b4b8c24c ]---

Cc: stable@vger.kernel.org
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/loongarch/kernel/proc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/loongarch/kernel/proc.c
+++ b/arch/loongarch/kernel/proc.c
@@ -106,7 +106,7 @@ static void *c_start(struct seq_file *m,
 {
 	unsigned long i = *pos;
 
-	return i < NR_CPUS ? (void *)(i + 1) : NULL;
+	return i < nr_cpu_ids ? (void *)(i + 1) : NULL;
 }
 
 static void *c_next(struct seq_file *m, void *v, loff_t *pos)
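Review bot: the warning quoted in the commit message is raised from
show_cpuinfo+0x5e8, but the only change is the bound in c_start(); the
message should say how the index returned here reaches the cpumask check
in show_cpuinfo(), so the link between the two is clear. A Fixes: tag
would also help, since the patch is marked for stable but does not say
which releases carry the NR_CPUS bound.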




* [PATCH 5.19 0051/1157] tty: 8250: Add support for Brainboxes PX cards.
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0050/1157] LoongArch: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0052/1157] tty: vt: initialize unicode screen buffer Greg Kroah-Hartman
                   ` (944 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Cameron Williams, stable

From: Cameron Williams <cang1@live.co.uk>

commit ef5a03a26c87a760bc3d86b5af7b773e82f8b1b7 upstream.

Add support for some of the Brainboxes PCIe (PX) range of
serial cards, including the PX-101, PX-235/PX-246,
PX-203/PX-257, PX-260/PX-701, PX-310, PX-313,
PX-320/PX-324/PX-376/PX-387, PX-335/PX-346, PX-368, PX-420,
PX-803 and PX-846.

Signed-off-by: Cameron Williams <cang1@live.co.uk>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/AM5PR0202MB2564669252BDC59BF55A6E87C4879@AM5PR0202MB2564.eurprd02.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/8250/8250_pci.c |  109 +++++++++++++++++++++++++++++++++++++
 1 file changed, 109 insertions(+)

--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -5077,6 +5077,115 @@ static const struct pci_device_id serial
 		0, 0,
 		pbn_b2_4_115200 },
 	/*
+	 * Brainboxes PX-101
+	 */
+	{	PCI_VENDOR_ID_INTASHIELD, 0x4005,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_b0_2_115200 },
+	{	PCI_VENDOR_ID_INTASHIELD, 0x4019,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_oxsemi_2_15625000 },
+	/*
+	 * Brainboxes PX-235/246
+	 */
+	{	PCI_VENDOR_ID_INTASHIELD, 0x4004,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_b0_1_115200 },
+	{	PCI_VENDOR_ID_INTASHIELD, 0x4016,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_oxsemi_1_15625000 },
+	/*
+	 * Brainboxes PX-203/PX-257
+	 */
+	{	PCI_VENDOR_ID_INTASHIELD, 0x4006,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_b0_2_115200 },
+	{	PCI_VENDOR_ID_INTASHIELD, 0x4015,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_oxsemi_4_15625000 },
+	/*
+	 * Brainboxes PX-260/PX-701
+	 */
+	{	PCI_VENDOR_ID_INTASHIELD, 0x400A,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_oxsemi_4_15625000 },
+	/*
+	 * Brainboxes PX-310
+	 */
+	{	PCI_VENDOR_ID_INTASHIELD, 0x400E,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_oxsemi_2_15625000 },
+	/*
+	 * Brainboxes PX-313
+	 */
+	{	PCI_VENDOR_ID_INTASHIELD, 0x400C,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_oxsemi_2_15625000 },
+	/*
+	 * Brainboxes PX-320/324/PX-376/PX-387
+	 */
+	{	PCI_VENDOR_ID_INTASHIELD, 0x400B,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_oxsemi_1_15625000 },
+	/*
+	 * Brainboxes PX-335/346
+	 */
+	{	PCI_VENDOR_ID_INTASHIELD, 0x400F,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_oxsemi_4_15625000 },
+	/*
+	 * Brainboxes PX-368
+	 */
+	{       PCI_VENDOR_ID_INTASHIELD, 0x4010,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_oxsemi_4_15625000 },
+	/*
+	 * Brainboxes PX-420
+	 */
+	{	PCI_VENDOR_ID_INTASHIELD, 0x4000,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_b0_4_115200 },
+	{	PCI_VENDOR_ID_INTASHIELD, 0x4011,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_oxsemi_4_15625000 },
+	/*
+	 * Brainboxes PX-803
+	 */
+	{	PCI_VENDOR_ID_INTASHIELD, 0x4009,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_b0_1_115200 },
+	{	PCI_VENDOR_ID_INTASHIELD, 0x401E,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_oxsemi_1_15625000 },
+	/*
+	 * Brainboxes PX-846
+	 */
+	{	PCI_VENDOR_ID_INTASHIELD, 0x4008,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_b0_1_115200 },
+	{	PCI_VENDOR_ID_INTASHIELD, 0x4017,
+		PCI_ANY_ID, PCI_ANY_ID,
+		0, 0,
+		pbn_oxsemi_1_15625000 },
+
+	/*
 	 * Perle PCI-RAS cards
 	 */
 	{       PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_9030,
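Review bot: in the "Brainboxes PX-203/PX-257" block the two IDs disagree
on port count: 0x4006 uses pbn_b0_2_115200 (2 ports) while 0x4015 uses
pbn_oxsemi_4_15625000 (4 ports). Every other two-ID block in this hunk
(PX-101, PX-235/246, PX-420, PX-803, PX-846) uses the same port count for
both IDs, so please check this pair against the hardware. Style: the
PX-368 entry opens with "{" followed by spaces where the neighbouring
entries use a tab, and the section comments mix "PX-235/246" with
"PX-203/PX-257" naming.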




* [PATCH 5.19 0052/1157] tty: vt: initialize unicode screen buffer
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0051/1157] tty: 8250: Add support for Brainboxes PX cards Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0053/1157] vfs: Check the truncate maximum size in inode_newsize_ok() Greg Kroah-Hartman
                   ` (943 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, syzbot, Jiri Slaby, Tetsuo Handa

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit af77c56aa35325daa2bc2bed5c2ebf169be61b86 upstream.

syzbot reports kernel infoleak at vcs_read() [1], for buffer can be read
immediately after resize operation. Initialize buffer using kzalloc().

  ----------
  #include <fcntl.h>
  #include <unistd.h>
  #include <sys/ioctl.h>
  #include <linux/fb.h>

  int main(int argc, char *argv[])
  {
    struct fb_var_screeninfo var = { };
    const int fb_fd = open("/dev/fb0", 3);
    ioctl(fb_fd, FBIOGET_VSCREENINFO, &var);
    var.yres = 0x21;
    ioctl(fb_fd, FBIOPUT_VSCREENINFO, &var);
    return read(open("/dev/vcsu", O_RDONLY), &var, sizeof(var)) == -1;
  }
  ----------

Link: https://syzkaller.appspot.com/bug?extid=31a641689d43387f05d3 [1]
Cc: stable <stable@vger.kernel.org>
Reported-by: syzbot <syzbot+31a641689d43387f05d3@syzkaller.appspotmail.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Link: https://lore.kernel.org/r/4ef053cf-e796-fb5e-58b7-3ae58242a4ad@I-love.SAKURA.ne.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/vt/vt.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -344,7 +344,7 @@ static struct uni_screen *vc_uniscr_allo
 	/* allocate everything in one go */
 	memsize = cols * rows * sizeof(char32_t);
 	memsize += rows * sizeof(char32_t *);
-	p = vmalloc(memsize);
+	p = vzalloc(memsize);
 	if (!p)
 		return NULL;
 
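Review bot: the commit message says "Initialize buffer using kzalloc()"
but the change is from vmalloc() to vzalloc(); the message should name
vzalloc(). A one-line comment above the allocation saying the buffer is
zeroed because it can be read through vcs_read() right after a resize
would keep a later cleanup from reverting it.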




* [PATCH 5.19 0053/1157] vfs: Check the truncate maximum size in inode_newsize_ok()
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0052/1157] tty: vt: initialize unicode screen buffer Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0054/1157] fs: Add missing umask strip in vfs_tmpfile Greg Kroah-Hartman
                   ` (942 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Howells, Jeff Layton,
	Namjae Jeon, stable, Alexander Viro, Steve French, Hyunchul Lee,
	Chuck Lever, Dave Wysochanski, Linus Torvalds

From: David Howells <dhowells@redhat.com>

commit e2ebff9c57fe4eb104ce4768f6ebcccf76bef849 upstream.

If something manages to set the maximum file size to MAX_OFFSET+1, this
can cause the xfs and ext4 filesystems at least to become corrupt.

Ordinarily, the kernel protects against userspace trying this by
checking the value early in the truncate() and ftruncate() system
calls - but there are at least two places that this check is bypassed:

 (1) Cachefiles will round up the EOF of the backing file to DIO block
     size so as to allow DIO on the final block - but this might push
     the offset negative. It then calls notify_change(), but this
     inadvertently bypasses the checking. This can be triggered if
     someone puts an 8EiB-1 file on a server for someone else to try and
     access by, say, nfs.

 (2) ksmbd doesn't check the value it is given in set_end_of_file_info()
     and then calls vfs_truncate() directly - which also bypasses the
     check.

In both cases, it is potentially possible for a network filesystem to
cause a disk filesystem to be corrupted: cachefiles in the client's
cache filesystem; ksmbd in the server's filesystem.

nfsd is okay as it checks the value, but we can then remove this check
too.

Fix this by adding a check to inode_newsize_ok(), as called from
setattr_prepare(), thereby catching the issue as filesystems set up to
perform the truncate with minimal opportunity for bypassing the new
check.

Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling")
Fixes: f44158485826 ("cifsd: add file operations")
Signed-off-by: David Howells <dhowells@redhat.com>
Reported-by: Jeff Layton <jlayton@kernel.org>
Tested-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Namjae Jeon <linkinjeon@kernel.org>
Cc: stable@kernel.org
Acked-by: Alexander Viro <viro@zeniv.linux.org.uk>
cc: Steve French <sfrench@samba.org>
cc: Hyunchul Lee <hyc.lee@gmail.com>
cc: Chuck Lever <chuck.lever@oracle.com>
cc: Dave Wysochanski <dwysocha@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/attr.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/attr.c
+++ b/fs/attr.c
@@ -184,6 +184,8 @@ EXPORT_SYMBOL(setattr_prepare);
  */
 int inode_newsize_ok(const struct inode *inode, loff_t offset)
 {
+	if (offset < 0)
+		return -EINVAL;
 	if (inode->i_size < offset) {
 		unsigned long limit;
 
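Review bot: the new "if (offset < 0) return -EINVAL;" carries no comment,
and the subject talks about a maximum size rather than a negative offset.
A short comment saying that in-kernel callers such as cachefiles and ksmbd
reach this function without the truncate()/ftruncate() syscall checks, and
that an oversized value shows up here as a negative loff_t, would make the
reason for the check clear. If the kernel-doc above the function lists
return values, it should gain -EINVAL for this case.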




* [PATCH 5.19 0054/1157] fs: Add missing umask strip in vfs_tmpfile
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0053/1157] vfs: Check the truncate maximum size in inode_newsize_ok() Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0055/1157] thermal: sysfs: Fix cooling_device_stats_setup() error code path Greg Kroah-Hartman
                   ` (941 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian Brauner (Microsoft),
	Darrick J. Wong, Yang Xu, Jeff Layton

From: Yang Xu <xuyang2018.jy@fujitsu.com>

commit ac6800e279a22b28f4fc21439843025a0d5bf03e upstream.

All creation paths except for O_TMPFILE handle umask in the vfs directly
if the filesystem doesn't support or enable POSIX ACLs. If the filesystem
does then umask handling is deferred until posix_acl_create().
Because O_TMPFILE misses umask handling in the vfs, it will not honor
umask settings. Fix this by adding the missing umask handling.

Link: https://lore.kernel.org/r/1657779088-2242-2-git-send-email-xuyang2018.jy@fujitsu.com
Fixes: 60545d0d4610 ("[O_TMPFILE] it's still short a few helpers, but infrastructure should be OK now...")
Cc: <stable@vger.kernel.org> # 4.19+
Reported-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-and-Tested-by: Jeff Layton <jlayton@kernel.org>
Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Yang Xu <xuyang2018.jy@fujitsu.com>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/namei.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/namei.c
+++ b/fs/namei.c
@@ -3565,6 +3565,8 @@ struct dentry *vfs_tmpfile(struct user_n
 	child = d_alloc(dentry, &slash_name);
 	if (unlikely(!child))
 		goto out_err;
+	if (!IS_POSIXACL(dir))
+		mode &= ~current_umask();
 	error = dir->i_op->tmpfile(mnt_userns, dir, child, mode);
 	if (error)
 		goto out_err;
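Review bot: the umask strip is open-coded here as "if (!IS_POSIXACL(dir))
mode &= ~current_umask();". The commit message says every other creation
path applies the same rule in the vfs, so a shared helper used by all of
them would keep the next new creation path from missing it the way
O_TMPFILE did. If the open-coded form stays, add a comment that
filesystems with POSIX ACLs are skipped because posix_acl_create() applies
the umask there.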




* [PATCH 5.19 0055/1157] thermal: sysfs: Fix cooling_device_stats_setup() error code path
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0054/1157] fs: Add missing umask strip in vfs_tmpfile Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0056/1157] fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters Greg Kroah-Hartman
                   ` (940 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Di Shen, Rafael J. Wysocki

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

commit d5a8aa5d7d80d21ab6b266f1bed4194b61746199 upstream.

If cooling_device_stats_setup() fails to create the stats object, it
must clear the last slot in cooling_device_attr_groups that was
initially empty (so as to make it possible to add stats attributes to
the cooling device attribute groups).

Failing to do so may cause the stats attributes to be created by
mistake for a device that doesn't have a stats object, because the
slot in question might be populated previously during the registration
of another cooling device.

Fixes: 8ea229511e06 ("thermal: Add cooling device's statistics in sysfs")
Reported-by: Di Shen <di.shen@unisoc.com>
Tested-by: Di Shen <di.shen@unisoc.com>
Cc: 4.17+ <stable@vger.kernel.org> # 4.17+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thermal/thermal_sysfs.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/thermal/thermal_sysfs.c
+++ b/drivers/thermal/thermal_sysfs.c
@@ -813,12 +813,13 @@ static const struct attribute_group cool
 
 static void cooling_device_stats_setup(struct thermal_cooling_device *cdev)
 {
+	const struct attribute_group *stats_attr_group = NULL;
 	struct cooling_dev_stats *stats;
 	unsigned long states;
 	int var;
 
 	if (cdev->ops->get_max_state(cdev, &states))
-		return;
+		goto out;
 
 	states++; /* Total number of states is highest state + 1 */
 
@@ -828,7 +829,7 @@ static void cooling_device_stats_setup(s
 
 	stats = kzalloc(var, GFP_KERNEL);
 	if (!stats)
-		return;
+		goto out;
 
 	stats->time_in_state = (ktime_t *)(stats + 1);
 	stats->trans_table = (unsigned int *)(stats->time_in_state + states);
@@ -838,9 +839,12 @@ static void cooling_device_stats_setup(s
 
 	spin_lock_init(&stats->lock);
 
+	stats_attr_group = &cooling_device_stats_attr_group;
+
+out:
 	/* Fill the empty slot left in cooling_device_attr_groups */
 	var = ARRAY_SIZE(cooling_device_attr_groups) - 2;
-	cooling_device_attr_groups[var] = &cooling_device_stats_attr_group;
+	cooling_device_attr_groups[var] = stats_attr_group;
 }
 
 static void cooling_device_stats_destroy(struct thermal_cooling_device *cdev)
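Review bot: after the new "out:" label the comment still says "Fill the
empty slot left in cooling_device_attr_groups", but on the error paths the
slot is now set to NULL; update the comment to say the slot is filled or
cleared. The commit message describes the slot as possibly left populated
by the registration of another cooling device, so the array is shared
between devices; please state what serializes this write against a
concurrent registration.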




* [PATCH 5.19 0056/1157] fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0055/1157] thermal: sysfs: Fix cooling_device_stats_setup() error code path Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0057/1157] fbcon: Fix accelerated fbdev scrolling while logo is still shown Greg Kroah-Hartman
                   ` (939 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Daniel Vetter, Helge Deller

From: Helge Deller <deller@gmx.de>

commit cad564ca557f8d3bb3b1fa965d9a2b3f6490ec69 upstream.

The user may use the fbcon=vc:<n1>-<n2> option to tell fbcon to take
over the given range (n1...n2) of consoles. The value for n1 and n2
needs to be a positive number and up to (MAX_NR_CONSOLES - 1).
The given values were not fully checked against those boundaries yet.

To fix the issue, convert first_fb_vc and last_fb_vc to unsigned
integers and check them against the upper boundary, and make sure that
first_fb_vc is smaller than last_fb_vc.

Cc: stable@vger.kernel.org # v4.19+
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Helge Deller <deller@gmx.de>
Link: https://patchwork.freedesktop.org/patch/msgid/YpkYRMojilrtZIgM@p100
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/core/fbcon.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -125,8 +125,8 @@ static int logo_lines;
    enums.  */
 static int logo_shown = FBCON_LOGO_CANSHOW;
 /* console mappings */
-static int first_fb_vc;
-static int last_fb_vc = MAX_NR_CONSOLES - 1;
+static unsigned int first_fb_vc;
+static unsigned int last_fb_vc = MAX_NR_CONSOLES - 1;
 static int fbcon_is_default = 1; 
 static int primary_device = -1;
 static int fbcon_has_console_bind;
@@ -440,10 +440,12 @@ static int __init fb_console_setup(char
 			options += 3;
 			if (*options)
 				first_fb_vc = simple_strtoul(options, &options, 10) - 1;
-			if (first_fb_vc < 0)
+			if (first_fb_vc >= MAX_NR_CONSOLES)
 				first_fb_vc = 0;
 			if (*options++ == '-')
 				last_fb_vc = simple_strtoul(options, &options, 10) - 1;
+			if (last_fb_vc < first_fb_vc || last_fb_vc >= MAX_NR_CONSOLES)
+				last_fb_vc = MAX_NR_CONSOLES - 1;
 			fbcon_is_default = 0; 
 			continue;
 		}
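Review bot: "first_fb_vc >= MAX_NR_CONSOLES" catches an input of 0 only
because "simple_strtoul(...) - 1" wraps to a large unsigned value; that
deserves a comment, since the removed "< 0" test made the intent obvious.
The commit message says first_fb_vc must be smaller than last_fb_vc, but
"last_fb_vc < first_fb_vc" accepts equal values; the message or the
comparison should be adjusted so they agree. An out-of-range last_fb_vc is
also reset to MAX_NR_CONSOLES - 1 without any message, which silently
widens the range the user asked for.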




* [PATCH 5.19 0057/1157] fbcon: Fix accelerated fbdev scrolling while logo is still shown
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0056/1157] fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0058/1157] usbnet: Fix linkwatch use-after-free on disconnect Greg Kroah-Hartman
                   ` (938 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Daniel Vetter, Helge Deller

From: Helge Deller <deller@gmx.de>

commit 3866cba87dcd0162fb41e9b3b653d0af68fad5ec upstream.

There is no need to directly skip over to the SCROLL_REDRAW case while
the logo is still shown.

When using DRM, this change has no effect because the code will reach
the SCROLL_REDRAW case immediately anyway.

But if you run an accelerated fbdev driver and have
FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION enabled, console scrolling is
slowed down by factors so that it feels as if you use a 9600 baud
terminal.

So, drop those unnecessary checks and speed up fbdev console
acceleration during bootup.

Cc: stable@vger.kernel.org # v5.10+
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Helge Deller <deller@gmx.de>
Link: https://patchwork.freedesktop.org/patch/msgid/YpkYxk7wsBPx3po+@p100
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/core/fbcon.c |    4 ----
 1 file changed, 4 deletions(-)

--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -1760,8 +1760,6 @@ static bool fbcon_scroll(struct vc_data
 	case SM_UP:
 		if (count > vc->vc_rows)	/* Maximum realistic size */
 			count = vc->vc_rows;
-		if (logo_shown >= 0)
-			goto redraw_up;
 		switch (fb_scrollmode(p)) {
 		case SCROLL_MOVE:
 			fbcon_redraw_blit(vc, info, p, t, b - t - count,
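Review bot: with "goto redraw_up" removed from the top of the SM_UP case,
please confirm that the redraw_up label still has another user, otherwise
the build gains an unused-label warning. The same check applies to
redraw_down in the SM_DOWN case.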
@@ -1850,8 +1848,6 @@ static bool fbcon_scroll(struct vc_data
 	case SM_DOWN:
 		if (count > vc->vc_rows)	/* Maximum realistic size */
 			count = vc->vc_rows;
-		if (logo_shown >= 0)
-			goto redraw_down;
 		switch (fb_scrollmode(p)) {
 		case SCROLL_MOVE:
 			fbcon_redraw_blit(vc, info, p, b - 1, b - t - count,
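Review bot: the removed "if (logo_shown >= 0) goto redraw_down;" sent
every scroll to the redraw path while the logo was shown. The commit
message explains the speed gain but not what now keeps the SCROLL_MOVE
case that follows (fbcon_redraw_blit) from moving the logo area; a
sentence on that in the message would answer the obvious question.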




* [PATCH 5.19 0058/1157] usbnet: Fix linkwatch use-after-free on disconnect
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0057/1157] fbcon: Fix accelerated fbdev scrolling while logo is still shown Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0059/1157] usbnet: smsc95xx: Fix deadlock on runtime resume Greg Kroah-Hartman
                   ` (937 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jann Horn, Oleksij Rempel,
	Lukas Wunner, Oliver Neukum, Jakub Kicinski

From: Lukas Wunner <lukas@wunner.de>

commit a69e617e533edddf3fa3123149900f36e0a6dc74 upstream.

usbnet uses the work usbnet_deferred_kevent() to perform tasks which may
sleep.  On disconnect, completion of the work was originally awaited in
->ndo_stop().  But in 2003, that was moved to ->disconnect() by historic
commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock":

  https://git.kernel.org/tglx/history/c/0f138bbfd83c

The change was made because back then, the kernel's workqueue
implementation did not allow waiting for a single work.  One had to wait
for completion of *all* work by calling flush_scheduled_work(), and that
could deadlock when waiting for usbnet_deferred_kevent() with rtnl_mutex
held in ->ndo_stop().

The commit solved one problem but created another:  It causes a
use-after-free in USB Ethernet drivers aqc111.c, asix_devices.c,
ax88179_178a.c, ch9200.c and smsc75xx.c:

* If the drivers receive a link change interrupt immediately before
  disconnect, they raise EVENT_LINK_RESET in their (non-sleepable)
  ->status() callback and schedule usbnet_deferred_kevent().
* usbnet_deferred_kevent() invokes the driver's ->link_reset() callback,
  which calls netif_carrier_{on,off}().
* That in turn schedules the work linkwatch_event().

Because usbnet_deferred_kevent() is awaited after unregister_netdev(),
netif_carrier_{on,off}() may operate on an unregistered netdev and
linkwatch_event() may run after free_netdev(), causing a use-after-free.

In 2010, usbnet was changed to only wait for a single instance of
usbnet_deferred_kevent() instead of *all* work by commit 23f333a2bfaf
("drivers/net: don't use flush_scheduled_work()").

Unfortunately the commit neglected to move the wait back to
->ndo_stop().  Rectify that omission at long last.

Reported-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/netdev/CAG48ez0MHBbENX5gCdHAUXZ7h7s20LnepBF-pa5M=7Bi-jZrEA@mail.gmail.com/
Reported-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://lore.kernel.org/netdev/20220315113841.GA22337@pengutronix.de/
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org
Acked-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/d1c87ebe9fc502bffcd1576e238d685ad08321e4.1655987888.git.lukas@wunner.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/usbnet.c |    8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -849,13 +849,11 @@ int usbnet_stop (struct net_device *net)
 
 	mpn = !test_and_clear_bit(EVENT_NO_RUNTIME_PM, &dev->flags);
 
-	/* deferred work (task, timer, softirq) must also stop.
-	 * can't flush_scheduled_work() until we drop rtnl (later),
-	 * else workers could deadlock; so make workers a NOP.
-	 */
+	/* deferred work (timer, softirq, task) must also stop */
 	dev->flags = 0;
 	del_timer_sync (&dev->delay);
 	tasklet_kill (&dev->bh);
+	cancel_work_sync(&dev->kevent);
 	if (!pm)
 		usb_autopm_put_interface(dev->intf);
 
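Review bot: the replacement comment above dev->flags = 0 drops the only explanation of the rtnl constraint, while the added cancel_work_sync(&dev->kevent) now waits for the work from usbnet_stop(), where the old comment said flushing was not allowed until rtnl is dropped. Please say in the comment that waiting is safe here because only this one work item is awaited, and that usbnet_deferred_kevent() must therefore never take rtnl itself, so a later change to the worker does not reintroduce the deadlock the old comment warned about.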
@@ -1619,8 +1617,6 @@ void usbnet_disconnect (struct usb_inter
 	net = dev->net;
 	unregister_netdev (net);
 
-	cancel_work_sync(&dev->kevent);
-
 	usb_scuttle_anchored_urbs(&dev->deferred);
 
 	if (dev->driver_info->unbind)
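Review bot: with cancel_work_sync(&dev->kevent) removed from usbnet_disconnect(), the work is cancelled only if unregister_netdev() ends up calling usbnet_stop(). Please confirm that nothing can queue dev->kevent while the interface is down or after usbnet_stop() has returned; if that cannot be ruled out, the work may still be pending when the netdev is freed and a cancel is needed on this path as well.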




* [PATCH 5.19 0059/1157] usbnet: smsc95xx: Fix deadlock on runtime resume
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0058/1157] usbnet: Fix linkwatch use-after-free on disconnect Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0060/1157] fix short copy handling in copy_mc_pipe_to_iter() Greg Kroah-Hartman
                   ` (936 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lukas Wunner, Andre Edich, David S. Miller

From: Lukas Wunner <lukas@wunner.de>

commit 7b960c967f2aa01ab8f45c5a0bd78e754cffdeee upstream.

Commit 05b35e7eb9a1 ("smsc95xx: add phylib support") amended
smsc95xx_resume() to call phy_init_hw().  That function waits for the
device to runtime resume even though it is placed in the runtime resume
path, causing a deadlock.

The problem is that phy_init_hw() calls down to smsc95xx_mdiobus_read(),
which never uses the _nopm variant of usbnet_read_cmd().

Commit b4df480f68ae ("usbnet: smsc95xx: add reset_resume function with
reset operation") causes a similar deadlock on resume if the device was
already runtime suspended when entering system sleep:

That's because the commit introduced smsc95xx_reset_resume(), which
calls down to smsc95xx_reset(), which neglects to use _nopm accessors.

Fix by auto-detecting whether a device access is performed by the
suspend/resume task_struct and use the _nopm variant if so.  This works
because the PM core guarantees that suspend/resume callbacks are run in
task context.

Stacktrace for posterity:

  INFO: task kworker/2:1:49 blocked for more than 122 seconds.
  Workqueue: usb_hub_wq hub_event
  schedule
  rpm_resume
  __pm_runtime_resume
  usb_autopm_get_interface
  usbnet_read_cmd
  __smsc95xx_read_reg
  __smsc95xx_phy_wait_not_busy
  __smsc95xx_mdio_read
  smsc95xx_mdiobus_read
  __mdiobus_read
  mdiobus_read
  smsc_phy_reset
  phy_init_hw
  smsc95xx_resume
  usb_resume_interface
  usb_resume_both
  usb_runtime_resume
  __rpm_callback
  rpm_callback
  rpm_resume
  __pm_runtime_resume
  usb_autoresume_device
  hub_event
  process_one_work

Fixes: b4df480f68ae ("usbnet: smsc95xx: add reset_resume function with reset operation")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v3.16+
Cc: Andre Edich <andre.edich@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/smsc95xx.c |   26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

--- a/drivers/net/usb/smsc95xx.c
+++ b/drivers/net/usb/smsc95xx.c
@@ -71,6 +71,7 @@ struct smsc95xx_priv {
 	struct fwnode_handle *irqfwnode;
 	struct mii_bus *mdiobus;
 	struct phy_device *phydev;
+	struct task_struct *pm_task;
 };
 
 static bool turbo_mode = true;
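Review bot: the new pm_task member of struct smsc95xx_priv has no comment and its meaning is not obvious from the name. A one-line comment that it holds the task currently running a suspend/resume callback (NULL otherwise), and that the register accessors compare it with current to choose the _nopm variant, would document the invariant the rest of the patch relies on.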
@@ -80,13 +81,14 @@ MODULE_PARM_DESC(turbo_mode, "Enable mul
 static int __must_check __smsc95xx_read_reg(struct usbnet *dev, u32 index,
 					    u32 *data, int in_pm)
 {
+	struct smsc95xx_priv *pdata = dev->driver_priv;
 	u32 buf;
 	int ret;
 	int (*fn)(struct usbnet *, u8, u8, u16, u16, void *, u16);
 
 	BUG_ON(!dev);
 
-	if (!in_pm)
+	if (current != pdata->pm_task)
 		fn = usbnet_read_cmd;
 	else
 		fn = usbnet_read_cmd_nopm;
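Review bot: in __smsc95xx_read_reg() the new initialiser pdata = dev->driver_priv dereferences dev before the existing BUG_ON(!dev), so that check can no longer catch anything. Move the assignment below the BUG_ON or drop the BUG_ON. The in_pm parameter is also unused now that the branch tests current != pdata->pm_task; removing it in a follow-up would avoid suggesting that callers still choose the variant.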
@@ -110,13 +112,14 @@ static int __must_check __smsc95xx_read_
 static int __must_check __smsc95xx_write_reg(struct usbnet *dev, u32 index,
 					     u32 data, int in_pm)
 {
+	struct smsc95xx_priv *pdata = dev->driver_priv;
 	u32 buf;
 	int ret;
 	int (*fn)(struct usbnet *, u8, u8, u16, u16, const void *, u16);
 
 	BUG_ON(!dev);
 
-	if (!in_pm)
+	if (current != pdata->pm_task)
 		fn = usbnet_write_cmd;
 	else
 		fn = usbnet_write_cmd_nopm;
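Review bot: __smsc95xx_write_reg() has the same ordering problem, dev->driver_priv is read in the declaration ahead of BUG_ON(!dev). Separately, pdata->pm_task is read here by whichever task performs the access while the suspend/resume callbacks store to it with plain assignments; READ_ONCE()/WRITE_ONCE() would make the intended lockless access explicit.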
@@ -1490,9 +1493,12 @@ static int smsc95xx_suspend(struct usb_i
 	u32 val, link_up;
 	int ret;
 
+	pdata->pm_task = current;
+
 	ret = usbnet_suspend(intf, message);
 	if (ret < 0) {
 		netdev_warn(dev->net, "usbnet_suspend error\n");
+		pdata->pm_task = NULL;
 		return ret;
 	}
 
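Review bot: pdata->pm_task is set at the top of smsc95xx_suspend() and cleared by hand on the usbnet_suspend() failure return. Please check that every other return in this function goes through the done: label, because an exit that skips the clear leaves a stale task pointer and that task would then use the _nopm accessors outside the PM callbacks.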
@@ -1732,6 +1738,7 @@ done:
 	if (ret && PMSG_IS_AUTO(message))
 		usbnet_resume(intf);
 
+	pdata->pm_task = NULL;
 	return ret;
 }
 
@@ -1752,29 +1759,31 @@ static int smsc95xx_resume(struct usb_in
 	/* do this first to ensure it's cleared even in error case */
 	pdata->suspend_flags = 0;
 
+	pdata->pm_task = current;
+
 	if (suspend_flags & SUSPEND_ALLMODES) {
 		/* clear wake-up sources */
 		ret = smsc95xx_read_reg_nopm(dev, WUCSR, &val);
 		if (ret < 0)
-			return ret;
+			goto done;
 
 		val &= ~(WUCSR_WAKE_EN_ | WUCSR_MPEN_);
 
 		ret = smsc95xx_write_reg_nopm(dev, WUCSR, val);
 		if (ret < 0)
-			return ret;
+			goto done;
 
 		/* clear wake-up status */
 		ret = smsc95xx_read_reg_nopm(dev, PM_CTRL, &val);
 		if (ret < 0)
-			return ret;
+			goto done;
 
 		val &= ~PM_CTL_WOL_EN_;
 		val |= PM_CTL_WUPS_;
 
 		ret = smsc95xx_write_reg_nopm(dev, PM_CTRL, val);
 		if (ret < 0)
-			return ret;
+			goto done;
 	}
 
 	phy_init_hw(pdata->phydev);
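Review bot: phy_init_hw(pdata->phydev) is the call whose register reads motivated this patch, yet its return value is still discarded while every register access above it now jumps to done on error. Consider checking it and taking the same exit, so a failed PHY init is reported to the caller instead of being ignored.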
@@ -1783,15 +1792,20 @@ static int smsc95xx_resume(struct usb_in
 	if (ret < 0)
 		netdev_warn(dev->net, "usbnet_resume error\n");
 
+done:
+	pdata->pm_task = NULL;
 	return ret;
 }
 
 static int smsc95xx_reset_resume(struct usb_interface *intf)
 {
 	struct usbnet *dev = usb_get_intfdata(intf);
+	struct smsc95xx_priv *pdata = dev->driver_priv;
 	int ret;
 
+	pdata->pm_task = current;
 	ret = smsc95xx_reset(dev);
+	pdata->pm_task = NULL;
 	if (ret < 0)
 		return ret;
 




* [PATCH 5.19 0060/1157] fix short copy handling in copy_mc_pipe_to_iter()
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0059/1157] usbnet: smsc95xx: Fix deadlock on runtime resume Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0061/1157] crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak Greg Kroah-Hartman
                   ` (935 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeff Layton,
	Christian Brauner (Microsoft),
	Al Viro, stable

From: Al Viro <viro@zeniv.linux.org.uk>

commit c3497fd009ef2c59eea60d21c3ac22de3585ed7d upstream.

Unlike other copying operations on ITER_PIPE, copy_mc_to_iter() can
result in a short copy.  In that case we need to trim the unused
buffers, as well as the length of partially filled one - it's not
enough to set ->head, ->iov_offset and ->count to reflect how
much had we copied.  Not hard to fix, fortunately...

I'd put a helper (pipe_discard_from(pipe, head)) into pipe_fs_i.h,
rather than iov_iter.c - it has nothing to do with iov_iter and
having it will allow us to avoid an ugly kludge in fs/splice.c.
We could put it into lib/iov_iter.c for now and move it later,
but I don't see the point going that way...

Cc: stable@kernel.org # 4.19+
Fixes: ca146f6f091e "lib/iov_iter: Fix pipe handling in _copy_to_iter_mcsafe()"
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/pipe_fs_i.h |    9 +++++++++
 lib/iov_iter.c            |   15 +++++++++++----
 2 files changed, 20 insertions(+), 4 deletions(-)

--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -229,6 +229,15 @@ static inline bool pipe_buf_try_steal(st
 	return buf->ops->try_steal(pipe, buf);
 }
 
+static inline void pipe_discard_from(struct pipe_inode_info *pipe,
+		unsigned int old_head)
+{
+	unsigned int mask = pipe->ring_size - 1;
+
+	while (pipe->head > old_head)
+		pipe_buf_release(pipe, &pipe->bufs[--pipe->head & mask]);
+}
+
 /* Differs from PIPE_BUF in that PIPE_SIZE is the length of the actual
    memory allocation, whereas PIPE_BUF makes atomicity guarantees.  */
 #define PIPE_SIZE		PAGE_SIZE
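Review bot: pipe_discard_from() compares ring positions with a plain pipe->head > old_head, although the buffers are indexed with & mask, which suggests head is a free-running counter. If it is, the comparison gives the wrong answer once head has wrapped past old_head; comparing the unsigned difference would be wrap-safe. The helper also needs a short comment saying that it releases the buffers from the current head back down to old_head and what locking the caller must hold.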
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -689,6 +689,7 @@ static size_t copy_mc_pipe_to_iter(const
 	struct pipe_inode_info *pipe = i->pipe;
 	unsigned int p_mask = pipe->ring_size - 1;
 	unsigned int i_head;
+	unsigned int valid = pipe->head;
 	size_t n, off, xfer = 0;
 
 	if (!sanity(i))
@@ -702,11 +703,17 @@ static size_t copy_mc_pipe_to_iter(const
 		rem = copy_mc_to_kernel(p + off, addr + xfer, chunk);
 		chunk -= rem;
 		kunmap_local(p);
-		i->head = i_head;
-		i->iov_offset = off + chunk;
-		xfer += chunk;
-		if (rem)
+		if (chunk) {
+			i->head = i_head;
+			i->iov_offset = off + chunk;
+			xfer += chunk;
+			valid = i_head + 1;
+		}
+		if (rem) {
+			pipe->bufs[i_head & p_mask].len -= rem;
+			pipe_discard_from(pipe, valid);
 			break;
+		}
 		n -= chunk;
 		off = 0;
 		i_head++;
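Review bot: the role of valid in copy_mc_pipe_to_iter() is not obvious from the code. It only advances when chunk is non-zero, so a buffer that received no data falls at or above valid and is handed to pipe_discard_from(), while a partially filled one is kept with its len reduced by rem. Please add a comment at the if (rem) branch saying so, including why len -= rem is applied even when chunk is 0.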




* [PATCH 5.19 0061/1157] crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0060/1157] fix short copy handling in copy_mc_pipe_to_iter() Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0062/1157] ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh() Greg Kroah-Hartman
                   ` (934 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Nguyen, David Rientjes,
	Peter Gonda, John Allen, Herbert Xu

From: John Allen <john.allen@amd.com>

commit 13dc15a3f5fd7f884e4bfa8c011a0ae868df12ae upstream.

For some sev ioctl interfaces, input may be passed that is less than or
equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data that PSP
firmware returns. In this case, kmalloc will allocate memory that is the
size of the input rather than the size of the data. Since PSP firmware
doesn't fully overwrite the buffer, the sev ioctl interfaces with the
issue may return uninitialized slab memory.

Currently, all of the ioctl interfaces in the ccp driver are safe, but
to prevent future problems, change all ioctl interfaces that allocate
memory with kmalloc to use kzalloc and memset the data buffer to zero
in sev_ioctl_do_platform_status.

Fixes: 38103671aad3 ("crypto: ccp: Use the stack and common buffer for status commands")
Fixes: e799035609e15 ("crypto: ccp: Implement SEV_PEK_CSR ioctl command")
Fixes: 76a2b524a4b1d ("crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command")
Fixes: d6112ea0cb344 ("crypto: ccp - introduce SEV_GET_ID2 command")
Cc: stable@vger.kernel.org
Reported-by: Andy Nguyen <theflow@google.com>
Suggested-by: David Rientjes <rientjes@google.com>
Suggested-by: Peter Gonda <pgonda@google.com>
Signed-off-by: John Allen <john.allen@amd.com>
Reviewed-by: Peter Gonda <pgonda@google.com>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/ccp/sev-dev.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -577,6 +577,8 @@ static int sev_ioctl_do_platform_status(
 	struct sev_user_data_status data;
 	int ret;
 
+	memset(&data, 0, sizeof(data));
+
 	ret = __sev_do_cmd_locked(SEV_CMD_PLATFORM_STATUS, &data, &argp->error);
 	if (ret)
 		return ret;
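Review bot: the memset() added at the top of sev_ioctl_do_platform_status() needs a one-line comment. Without it a later cleanup may remove it as redundant or replace it with an initialiser; the comment should say that the whole structure has to be cleared because the firmware may not fill all of it before the data is returned to the caller.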
@@ -630,7 +632,7 @@ static int sev_ioctl_do_pek_csr(struct s
 	if (input.length > SEV_FW_BLOB_MAX_SIZE)
 		return -EFAULT;
 
-	blob = kmalloc(input.length, GFP_KERNEL);
+	blob = kzalloc(input.length, GFP_KERNEL);
 	if (!blob)
 		return -ENOMEM;
 
@@ -854,7 +856,7 @@ static int sev_ioctl_do_get_id2(struct s
 	input_address = (void __user *)input.address;
 
 	if (input.address && input.length) {
-		id_blob = kmalloc(input.length, GFP_KERNEL);
+		id_blob = kzalloc(input.length, GFP_KERNEL);
 		if (!id_blob)
 			return -ENOMEM;
 
@@ -973,14 +975,14 @@ static int sev_ioctl_do_pdh_export(struc
 	if (input.cert_chain_len > SEV_FW_BLOB_MAX_SIZE)
 		return -EFAULT;
 
-	pdh_blob = kmalloc(input.pdh_cert_len, GFP_KERNEL);
+	pdh_blob = kzalloc(input.pdh_cert_len, GFP_KERNEL);
 	if (!pdh_blob)
 		return -ENOMEM;
 
 	data.pdh_cert_address = __psp_pa(pdh_blob);
 	data.pdh_cert_len = input.pdh_cert_len;
 
-	cert_blob = kmalloc(input.cert_chain_len, GFP_KERNEL);
+	cert_blob = kzalloc(input.cert_chain_len, GFP_KERNEL);
 	if (!cert_blob) {
 		ret = -ENOMEM;
 		goto e_free_pdh;
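The hazard described in this commit message, as an added user-space model (not code from the ccp driver or from this patch): a buffer sized from the caller's length, a producer that fills only part of it, and a copy-out of the full length. All names, the 64-byte limit and the marker bytes are constructed for the illustration, and the model assumes the handler copies the caller's length back.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_BLOB_MAX 64   /* stand-in for SEV_FW_BLOB_MAX_SIZE; value is constructed */
#define STALE_BYTE 0xAA     /* marks data left behind by a previous user of the memory */
#define FW_BYTE    0x5C     /* marks data written by the modelled firmware */

/* Models kmalloc(): the buffer still holds old contents. */
static uint8_t *model_kmalloc(size_t len)
{
	uint8_t *p = malloc(len);

	if (p)
		memset(p, STALE_BYTE, len);
	return p;
}

/* Models kzalloc(): same allocation, cleared before use. */
static uint8_t *model_kzalloc(size_t len)
{
	return calloc(1, len);
}

/* Models the firmware: fills only the first fw_len bytes of the buffer. */
static void model_firmware(uint8_t *buf, size_t buf_len, size_t fw_len)
{
	memset(buf, FW_BYTE, fw_len < buf_len ? fw_len : buf_len);
}

/*
 * Models an ioctl handler that sizes the buffer from the caller's length
 * and copies that many bytes back (assumption of this model).
 * Returns the number of bytes copied to user_out, or -1 on rejection.
 */
static long model_ioctl(size_t input_len, size_t fw_len, int zeroed,
			uint8_t *user_out)
{
	uint8_t *blob;

	if (input_len == 0 || input_len > MODEL_BLOB_MAX)
		return -1;

	blob = zeroed ? model_kzalloc(input_len) : model_kmalloc(input_len);
	if (!blob)
		return -1;

	model_firmware(blob, input_len, fw_len);
	memcpy(user_out, blob, input_len);	/* stands in for copy_to_user() */
	free(blob);
	return (long)input_len;
}

/* Number of stale bytes the caller would receive. */
size_t leaked_bytes(size_t input_len, size_t fw_len, int zeroed)
{
	uint8_t out[MODEL_BLOB_MAX];
	size_t i, stale = 0;
	long n = model_ioctl(input_len, fw_len, zeroed, out);

	for (i = 0; n > 0 && i < (size_t)n; i++)
		stale += (out[i] == STALE_BYTE);
	return stale;
}

int main(void)
{
	printf("kmalloc model: %zu stale bytes\n", leaked_bytes(64, 16, 0));
	printf("kzalloc model: %zu stale bytes\n", leaked_bytes(64, 16, 1));
	return 0;
}
```

The stale count equals the gap between the requested length and what the producer wrote, which is why zeroing at allocation closes the leak regardless of how much the firmware returns.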




* [PATCH 5.19 0062/1157] ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh()
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0061/1157] crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0063/1157] parisc: Fix device names in /proc/iomem Greg Kroah-Hartman
                   ` (933 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hongbo Yin, Jiachen Zhang,
	Tianci Zhang, Miklos Szeredi

From: Jiachen Zhang <zhangjiachen.jaycee@bytedance.com>

commit dd524b7f317de8d31d638cbfdc7be4cf9b770e42 upstream.

Some code paths cannot guarantee the inode has any dentry alias. So
WARN_ON() on all !dentry may flood the kernel logs.

For example, when an overlayfs inode is watched by inotifywait (1), and
someone is trying to read the /proc/$(pidof inotifywait)/fdinfo/INOTIFY_FD,
at that time if the dentry has been reclaimed by kernel (such as
echo 2 > /proc/sys/vm/drop_caches), there will be a WARN_ON(). The
printed call stack would be like:

    ? show_mark_fhandle+0xf0/0xf0
    show_mark_fhandle+0x4a/0xf0
    ? show_mark_fhandle+0xf0/0xf0
    ? seq_vprintf+0x30/0x50
    ? seq_printf+0x53/0x70
    ? show_mark_fhandle+0xf0/0xf0
    inotify_fdinfo+0x70/0x90
    show_fdinfo.isra.4+0x53/0x70
    seq_show+0x130/0x170
    seq_read+0x153/0x440
    vfs_read+0x94/0x150
    ksys_read+0x5f/0xe0
    do_syscall_64+0x59/0x1e0
    entry_SYSCALL_64_after_hwframe+0x44/0xa9

So let's drop WARN_ON() to avoid kernel log flooding.

Reported-by: Hongbo Yin <yinhongbo@bytedance.com>
Signed-off-by: Jiachen Zhang <zhangjiachen.jaycee@bytedance.com>
Signed-off-by: Tianci Zhang <zhangtianci.1997@bytedance.com>
Fixes: 8ed5eec9d6c4 ("ovl: encode pure upper file handles")
Cc: <stable@vger.kernel.org> # v4.16
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/overlayfs/export.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/overlayfs/export.c
+++ b/fs/overlayfs/export.c
@@ -259,7 +259,7 @@ static int ovl_encode_fh(struct inode *i
 		return FILEID_INVALID;
 
 	dentry = d_find_any_alias(inode);
-	if (WARN_ON(!dentry))
+	if (!dentry)
 		return FILEID_INVALID;
 
 	bytes = ovl_dentry_to_fid(ofs, dentry, fid, buflen);
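Review bot: with the WARN_ON() removed, the !dentry branch in ovl_encode_fh() reads like a silently ignored error. Add a short comment that a missing alias is an expected state (for example after the dentry has been reclaimed) and that FILEID_INVALID is the intended result, so the warning is not reinstated later. If visibility of the case is still wanted, a once-only or rate-limited message would avoid the log flooding described in the commit message.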




* [PATCH 5.19 0063/1157] parisc: Fix device names in /proc/iomem
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0062/1157] ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh() Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0064/1157] parisc: Drop pa_swapper_pg_lock spinlock Greg Kroah-Hartman
                   ` (932 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Helge Deller

From: Helge Deller <deller@gmx.de>

commit cab56b51ec0e69128909cef4650e1907248d821b upstream.

Fix the output of /proc/iomem to show the real hardware device name
including the pa_pathname, e.g. "Merlin 160 Core Centronics [8:16:0]".
Up to now only the pa_pathname ("[8:16.0]") was shown.

Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v4.9+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/parisc/kernel/drivers.c |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/arch/parisc/kernel/drivers.c
+++ b/arch/parisc/kernel/drivers.c
@@ -520,7 +520,6 @@ alloc_pa_dev(unsigned long hpa, struct h
 	dev->id.hversion_rev = iodc_data[1] & 0x0f;
 	dev->id.sversion = ((iodc_data[4] & 0x0f) << 16) |
 			(iodc_data[5] << 8) | iodc_data[6];
-	dev->hpa.name = parisc_pathname(dev);
 	dev->hpa.start = hpa;
 	/* This is awkward.  The STI spec says that gfx devices may occupy
 	 * 32MB or 64MB.  Unfortunately, we don't know how to tell whether
@@ -534,10 +533,10 @@ alloc_pa_dev(unsigned long hpa, struct h
 		dev->hpa.end = hpa + 0xfff;
 	}
 	dev->hpa.flags = IORESOURCE_MEM;
-	name = parisc_hardware_description(&dev->id);
-	if (name) {
-		strlcpy(dev->name, name, sizeof(dev->name));
-	}
+	dev->hpa.name = dev->name;
+	name = parisc_hardware_description(&dev->id) ? : "unknown";
+	snprintf(dev->name, sizeof(dev->name), "%s [%s]",
+		name, parisc_pathname(dev));
 
 	/* Silently fail things like mouse ports which are subsumed within
 	 * the keyboard controller
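Review bot: the snprintf() into dev->name puts the path after the hardware description, so when the description is long it is the path that gets truncated, and until now the path was the entire resource name. Consider checking the snprintf() return value against sizeof(dev->name), or bounding the description with a precision in the format, so the bracketed path always survives. dev->hpa.name now aliases dev->name, which deserves a comment because any later write to dev->name changes the /proc/iomem output.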




* [PATCH 5.19 0064/1157] parisc: Drop pa_swapper_pg_lock spinlock
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0063/1157] parisc: Fix device names in /proc/iomem Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0065/1157] parisc: Check the return value of ioremap() in lba_driver_probe() Greg Kroah-Hartman
                   ` (931 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Helge Deller, kernel test robot

From: Helge Deller <deller@gmx.de>

commit 3fbc9a7de0564c55d8a9584c9cd2c9dfe6bd6d43 upstream.

This spinlock was dropped with commit b7795074a046 ("parisc: Optimize
per-pagetable spinlocks") in kernel v5.12.

Remove it to silence a sparse warning.

Signed-off-by: Helge Deller <deller@gmx.de>
Reported-by: kernel test robot <lkp@intel.com>
Cc: <stable@vger.kernel.org> # v5.12+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/parisc/kernel/cache.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/arch/parisc/kernel/cache.c
+++ b/arch/parisc/kernel/cache.c
@@ -50,9 +50,6 @@ void flush_instruction_cache_local(void)
  */
 DEFINE_SPINLOCK(pa_tlb_flush_lock);
 
-/* Swapper page setup lock. */
-DEFINE_SPINLOCK(pa_swapper_pg_lock);
-
 #if defined(CONFIG_64BIT) && defined(CONFIG_SMP)
 int pa_serialize_tlb_flushes __ro_after_init;
 #endif
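Review bot: only the DEFINE_SPINLOCK(pa_swapper_pg_lock) in cache.c is removed and the diffstat lists no other file. If a header still carries an extern declaration for pa_swapper_pg_lock it should be removed in the same patch, otherwise a future user would compile and then fail at link time.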




* [PATCH 5.19 0065/1157] parisc: Check the return value of ioremap() in lba_driver_probe()
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0064/1157] parisc: Drop pa_swapper_pg_lock spinlock Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0066/1157] parisc: io_pgetevents_time64() needs compat syscall in 32-bit compat mode Greg Kroah-Hartman
                   ` (930 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hacash Robot, William Dean, Helge Deller

From: William Dean <williamsukatube@gmail.com>

commit cf59f34d7f978d14d6520fd80a78a5ad5cb8abf8 upstream.

The function ioremap() in lba_driver_probe() can fail, so
its return value should be checked.

Fixes: 4bdc0d676a643 ("remove ioremap_nocache and devm_ioremap_nocache")
Reported-by: Hacash Robot <hacashRobot@santino.com>
Signed-off-by: William Dean <williamsukatube@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v5.6+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/parisc/lba_pci.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/parisc/lba_pci.c
+++ b/drivers/parisc/lba_pci.c
@@ -1476,9 +1476,13 @@ lba_driver_probe(struct parisc_device *d
 	u32 func_class;
 	void *tmp_obj;
 	char *version;
-	void __iomem *addr = ioremap(dev->hpa.start, 4096);
+	void __iomem *addr;
 	int max;
 
+	addr = ioremap(dev->hpa.start, 4096);
+	if (addr == NULL)
+		return -ENOMEM;
+
 	/* Read HW Rev First */
 	func_class = READ_REG32(addr + LBA_FCLASS);
 
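Review bot: the new check in lba_driver_probe() is written as addr == NULL; kernel style, and checkpatch, prefer if (!addr). While touching this line, the bare 4096 passed to ioremap() could become a named constant so the mapped size is documented.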




* [PATCH 5.19 0066/1157] parisc: io_pgetevents_time64() needs compat syscall in 32-bit compat mode
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0065/1157] parisc: Check the return value of ioremap() in lba_driver_probe() Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0067/1157] riscv:uprobe fix SR_SPIE set/clear handling Greg Kroah-Hartman
                   ` (929 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Helge Deller

From: Helge Deller <deller@gmx.de>

commit 6431e92fc827bdd2d28f79150d90415ba9ce0d21 upstream.

For all syscalls in 32-bit compat mode on 64-bit kernels the upper
32-bits of the 64-bit registers are zeroed out, so a negative 32-bit
signed value will show up as positive 64-bit signed value.

This behaviour breaks the io_pgetevents_time64() syscall which expects
signed 64-bit values for the "min_nr" and "nr" parameters.
Fix this by switching to the compat_sys_io_pgetevents_time64() syscall,
which uses "compat_long_t" types for those parameters.

Cc: <stable@vger.kernel.org> # v5.1+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/parisc/kernel/syscalls/syscall.tbl |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/parisc/kernel/syscalls/syscall.tbl
+++ b/arch/parisc/kernel/syscalls/syscall.tbl
@@ -413,7 +413,7 @@
 412	32	utimensat_time64		sys_utimensat			sys_utimensat
 413	32	pselect6_time64			sys_pselect6			compat_sys_pselect6_time64
 414	32	ppoll_time64			sys_ppoll			compat_sys_ppoll_time64
-416	32	io_pgetevents_time64		sys_io_pgetevents		sys_io_pgetevents
+416	32	io_pgetevents_time64		sys_io_pgetevents		compat_sys_io_pgetevents_time64
 417	32	recvmmsg_time64			sys_recvmmsg			compat_sys_recvmmsg_time64
 418	32	mq_timedsend_time64		sys_mq_timedsend		sys_mq_timedsend
 419	32	mq_timedreceive_time64		sys_mq_timedreceive		sys_mq_timedreceive
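Review bot: the neighbouring rows 418 and 419 (mq_timedsend_time64, mq_timedreceive_time64) still list the native handler in the compat column, as row 416 did before this change. Please state in the commit message that they were checked and take no signed long arguments that would suffer from the same zero-extension, so the table does not look half-converted.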




* [PATCH 5.19 0067/1157] riscv:uprobe fix SR_SPIE set/clear handling
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0066/1157] parisc: io_pgetevents_time64() needs compat syscall in 32-bit compat mode Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0068/1157] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit Greg Kroah-Hartman
                   ` (928 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yipeng Zou, Guo Ren, Palmer Dabbelt

From: Yipeng Zou <zouyipeng@huawei.com>

commit 3dbe5829408bc1586f75b4667ef60e5aab0209c7 upstream.

On riscv, uprobe processing clears spie before executing the original
insn and sets spie after that. But when accessing the page where the
original insn has been placed, a page fault may happen while irqs are
disabled by the arch_uprobe_pre_xol function, which causes a WARN
as follows.
There is no need to clear/set spie in arch_uprobe_pre/post/abort_xol.
We can just remove it.

[   31.684157] BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1488
[   31.684677] in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 76, name: work
[   31.684929] preempt_count: 0, expected: 0
[   31.685969] CPU: 2 PID: 76 Comm: work Tainted: G
[   31.686542] Hardware name: riscv-virtio,qemu (DT)
[   31.686797] Call Trace:
[   31.687053] [<ffffffff80006442>] dump_backtrace+0x30/0x38
[   31.687699] [<ffffffff80812118>] show_stack+0x40/0x4c
[   31.688141] [<ffffffff8081817a>] dump_stack_lvl+0x44/0x5c
[   31.688396] [<ffffffff808181aa>] dump_stack+0x18/0x20
[   31.688653] [<ffffffff8003e454>] __might_resched+0x114/0x122
[   31.688948] [<ffffffff8003e4b2>] __might_sleep+0x50/0x7a
[   31.689435] [<ffffffff80822676>] down_read+0x30/0x130
[   31.689728] [<ffffffff8000b650>] do_page_fault+0x166/x446
[   31.689997] [<ffffffff80003c0c>] ret_from_exception+0x0/0xc

Fixes: 74784081aac8 ("riscv: Add uprobes supported")
Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
Reviewed-by: Guo Ren <guoren@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220721065820.245755-1-zouyipeng@huawei.com
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/kernel/probes/uprobes.c |    6 ------
 1 file changed, 6 deletions(-)

--- a/arch/riscv/kernel/probes/uprobes.c
+++ b/arch/riscv/kernel/probes/uprobes.c
@@ -59,8 +59,6 @@ int arch_uprobe_pre_xol(struct arch_upro
 
 	instruction_pointer_set(regs, utask->xol_vaddr);
 
-	regs->status &= ~SR_SPIE;
-
 	return 0;
 }
 
@@ -72,8 +70,6 @@ int arch_uprobe_post_xol(struct arch_upr
 
 	instruction_pointer_set(regs, utask->vaddr + auprobe->insn_size);
 
-	regs->status |= SR_SPIE;
-
 	return 0;
 }
 
@@ -111,8 +107,6 @@ void arch_uprobe_abort_xol(struct arch_u
 	 * address.
 	 */
 	instruction_pointer_set(regs, utask->vaddr);
-
-	regs->status &= ~SR_SPIE;
 }
 
 bool arch_uretprobe_is_alive(struct return_instance *ret, enum rp_check ctx,
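Review bot: the line removed from arch_uprobe_abort_xol() cleared SR_SPIE, the same operation as in arch_uprobe_pre_xol(), whereas arch_uprobe_post_xol() set it again. On the abort path the old code therefore never restored the bit. The commit message only describes the page-fault warning; it should mention that the abort path was unbalanced as well, since that is a second behaviour change for stable users.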




* [PATCH 5.19 0068/1157] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0067/1157] riscv:uprobe fix SR_SPIE set/clear handling Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0069/1157] dt-bindings: riscv: fix SiFive l2-caches cache-sets Greg Kroah-Hartman
                   ` (927 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chen Lifu, Ben Dooks, Palmer Dabbelt

From: Chen Lifu <chenlifu@huawei.com>

commit c08b4848f596fd95543197463b5162bd7bab2442 upstream.

Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"),
if __clear_user and __copy_user return from a fixup branch, the
CSR_STATUS SR_SUM bit will be set. This is a vulnerability: S-mode
memory accesses to pages that are accessible by U-mode will succeed.
Disabling S-mode access to U-mode memory should clear the SR_SUM bit.

Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
Signed-off-by: Chen Lifu <chenlifu@huawei.com>
Reviewed-by: Ben Dooks <ben.dooks@codethink.co.uk>
Link: https://lore.kernel.org/r/20220615014714.1650349-1-chenlifu@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/lib/uaccess.S |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/riscv/lib/uaccess.S
+++ b/arch/riscv/lib/uaccess.S
@@ -175,7 +175,7 @@ ENTRY(__asm_copy_from_user)
 	/* Exception fixup code */
 10:
 	/* Disable access to user memory */
-	csrs CSR_STATUS, t6
+	csrc CSR_STATUS, t6
 	mv a0, t5
 	ret
 ENDPROC(__asm_copy_to_user)
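Review bot: the fix is a one-letter change from csrs to csrc under a comment that already said "Disable access to user memory", which is how the wrong instruction went unnoticed. Wrapping the set and the clear of the bit in a pair of named assembler macros for enabling and disabling user access would make the intent checkable at a glance in both the normal and the fixup exit.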
@@ -227,7 +227,7 @@ ENTRY(__clear_user)
 	/* Exception fixup code */
 11:
 	/* Disable access to user memory */
-	csrs CSR_STATUS, t6
+	csrc CSR_STATUS, t6
 	mv a0, a1
 	ret
 ENDPROC(__clear_user)




* [PATCH 5.19 0069/1157] dt-bindings: riscv: fix SiFive l2-caches cache-sets
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0068/1157] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0070/1157] riscv: dts: starfive: correct number of external interrupts Greg Kroah-Hartman
                   ` (926 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Atul Khare, Conor Dooley,
	Krzysztof Kozlowski, Palmer Dabbelt

From: Conor Dooley <conor.dooley@microchip.com>

commit b60cf8e59e61133b6c9514ff8d8c8d7049d040ef upstream.

Fix device tree schema validation error messages for the SiFive
Unmatched: ' cache-sets:0:0: 1024 was expected'.

The existing bindings allow for just 1024 cache-sets but the fu740 on
the Unmatched has 2048 cache-sets. The ISA itself permits any arbitrary
power of two, however this is not supported by dt-schema. The RTL for
the IP, to which the number of cache-sets is a tunable parameter, has
been released publicly so speculatively adding a small number of
"reasonable" values seems unwise also.

Instead, as the binding only supports two distinct controllers: add 2048
and explicitly lock it to the fu740's l2 cache while limiting 1024 to
the l2 cache on the fu540.

Fixes: af951c3a113b ("dt-bindings: riscv: Update l2 cache DT documentation to add support for SiFive FU740")
Reported-by: Atul Khare <atulkhare@rivosinc.com>
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220803185359.942928-1-mail@conchuod.ie
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/devicetree/bindings/riscv/sifive-l2-cache.yaml |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/Documentation/devicetree/bindings/riscv/sifive-l2-cache.yaml
+++ b/Documentation/devicetree/bindings/riscv/sifive-l2-cache.yaml
@@ -46,7 +46,7 @@ properties:
     const: 2
 
   cache-sets:
-    const: 1024
+    enum: [1024, 2048]
 
   cache-size:
     const: 2097152
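Review bot: cache-sets now accepts 2048 at the top level while cache-size
just below stays const: 2097152 for both controllers. If the fu740's 2048
sets go with the same total size, a description on cache-sets or a line in
the commit message would save the next reader from checking; if not,
cache-size needs the same per-SoC treatment.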
@@ -84,6 +84,8 @@ then:
       description: |
         Must contain entries for DirError, DataError and DataFail signals.
       maxItems: 3
+    cache-sets:
+      const: 1024
 
 else:
   properties:
@@ -91,6 +93,8 @@ else:
       description: |
         Must contain entries for DirError, DataError, DataFail, DirFail signals.
       minItems: 4
+    cache-sets:
+      const: 2048
 
 additionalProperties: false
 
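Review bot: in the else branch, cache-sets: const: 2048 applies to every
compatible that does not match the if condition, not to the fu740 by name.
That holds while the binding covers two controllers, as the commit message
says, but a third compatible would silently inherit 2048. A short comment on
the else branch, or an explicit condition for the fu740, would make the
assumption visible.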




* [PATCH 5.19 0070/1157] riscv: dts: starfive: correct number of external interrupts
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0069/1157] dt-bindings: riscv: fix SiFive l2-caches cache-sets Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0071/1157] RISC-V: cpu_ops_spinwait.c should include head.h Greg Kroah-Hartman
                   ` (925 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mark Kettenis, Palmer Dabbelt

From: Mark Kettenis <kettenis@openbsd.org>

commit a208acf0eac857dc8cdaddd63a4e18ed03f91786 upstream.

The PLIC integrated on the Vic_U7_Core integrated on the StarFive
JH7100 SoC actually supports 133 external interrupts.  127 of these
are exposed to the outside world; the remainder are used by other
devices that are part of the core-complex such as the L2 cache
controller.  But all 133 interrupts are external interrupts as far
as the PLIC is concerned.  Fix the property so that the driver can
manage these additional interrupts, which is important since the
interrupts for the L2 cache controller are enabled by default.

Fixes: ec85362fb121 ("RISC-V: Add initial StarFive JH7100 device tree")
Signed-off-by: Mark Kettenis <kettenis@openbsd.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220707185529.19509-1-kettenis@openbsd.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/boot/dts/starfive/jh7100.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/riscv/boot/dts/starfive/jh7100.dtsi
+++ b/arch/riscv/boot/dts/starfive/jh7100.dtsi
@@ -118,7 +118,7 @@
 			interrupt-controller;
 			#address-cells = <0>;
 			#interrupt-cells = <1>;
-			riscv,ndev = <127>;
+			riscv,ndev = <133>;
 		};
 
 		clkgen: clock-controller@11800000 {
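Review bot: riscv,ndev = <133> carries no comment, and 127 is the figure a
reader will find for the externally exposed interrupts. A one-line comment
above the property saying the count includes the core-complex sources such as
the L2 cache controller would keep it from being "corrected" back to 127.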




* [PATCH 5.19 0071/1157] RISC-V: cpu_ops_spinwait.c should include head.h
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0070/1157] riscv: dts: starfive: correct number of external interrupts Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0072/1157] RISC-V: Declare cpu_ops_spinwait in <asm/cpu_ops.h> Greg Kroah-Hartman
                   ` (924 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ben Dooks, Palmer Dabbelt

From: Ben Dooks <ben.dooks@sifive.com>

commit e4aa991c05aedc3ead92d1352af86db74090dc3c upstream.

Running sparse shows cpu_ops_spinwait.c is missing two definitions
found in head.h, so include it to stop the following warnings:

arch/riscv/kernel/cpu_ops_spinwait.c:15:6: warning: symbol '__cpu_spinwait_stack_pointer' was not declared. Should it be static?
arch/riscv/kernel/cpu_ops_spinwait.c:16:6: warning: symbol '__cpu_spinwait_task_pointer' was not declared. Should it be static?

Signed-off-by: Ben Dooks <ben.dooks@sifive.com>
Link: https://lore.kernel.org/r/20220713215306.94675-1-ben.dooks@sifive.com
Fixes: c78f94f35cf6 ("RISC-V: Use __cpu_up_stack/task_pointer only for spinwait method")
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/kernel/cpu_ops_spinwait.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/riscv/kernel/cpu_ops_spinwait.c
+++ b/arch/riscv/kernel/cpu_ops_spinwait.c
@@ -11,6 +11,8 @@
 #include <asm/sbi.h>
 #include <asm/smp.h>
 
+#include "head.h"
+
 const struct cpu_operations cpu_ops_spinwait;
 void *__cpu_spinwait_stack_pointer[NR_CPUS] __section(".data");
 void *__cpu_spinwait_task_pointer[NR_CPUS] __section(".data");




* [PATCH 5.19 0072/1157] RISC-V: Declare cpu_ops_spinwait in <asm/cpu_ops.h>
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0071/1157] RISC-V: cpu_ops_spinwait.c should include head.h Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0073/1157] RISC-V: kexec: Fixup use of smp_processor_id() in preemptible context Greg Kroah-Hartman
                   ` (923 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ben Dooks, Palmer Dabbelt

From: Ben Dooks <ben.dooks@sifive.com>

commit da6d2128e56a50a0d497c8e41ca1d33d88bcc0aa upstream.

The cpu_ops_spinwait is used in a couple of places in arch/riscv
and is causing a sparse warning due to no declaration. Add this
to <asm/cpu_ops.h> with the others to fix the following:

arch/riscv/kernel/cpu_ops_spinwait.c:16:29: warning: symbol 'cpu_ops_spinwait' was not declared. Should it be static?

Signed-off-by: Ben Dooks <ben.dooks@sifive.com>
Link: https://lore.kernel.org/r/20220714071811.187491-1-ben.dooks@sifive.com
[Palmer: Drop the extern from cpu_ops.c]
Fixes: 2ffc48fc7071 ("RISC-V: Move spinwait booting method to its own config")
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/include/asm/cpu_ops.h |    1 +
 arch/riscv/kernel/cpu_ops.c      |    4 +---
 2 files changed, 2 insertions(+), 3 deletions(-)

--- a/arch/riscv/include/asm/cpu_ops.h
+++ b/arch/riscv/include/asm/cpu_ops.h
@@ -38,6 +38,7 @@ struct cpu_operations {
 #endif
 };
 
+extern const struct cpu_operations cpu_ops_spinwait;
 extern const struct cpu_operations *cpu_ops[NR_CPUS];
 void __init cpu_set_ops(int cpu);
 
--- a/arch/riscv/kernel/cpu_ops.c
+++ b/arch/riscv/kernel/cpu_ops.c
@@ -15,9 +15,7 @@
 const struct cpu_operations *cpu_ops[NR_CPUS] __ro_after_init;
 
 extern const struct cpu_operations cpu_ops_sbi;
-#ifdef CONFIG_RISCV_BOOT_SPINWAIT
-extern const struct cpu_operations cpu_ops_spinwait;
-#else
+#ifndef CONFIG_RISCV_BOOT_SPINWAIT
 const struct cpu_operations cpu_ops_spinwait = {
 	.name		= "",
 	.cpu_prepare	= NULL,
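Review bot: cpu_ops_sbi is still declared with a local extern in this file,
directly above the block being changed, while cpu_ops_spinwait moves to
<asm/cpu_ops.h>. Moving the cpu_ops_sbi declaration to the header as well
would keep the two consistent. The bare #ifndef CONFIG_RISCV_BOOT_SPINWAIT
would also benefit from a comment saying the definition that follows is the
placeholder used when the spinwait method is not built.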




* [PATCH 5.19 0073/1157] RISC-V: kexec: Fixup use of smp_processor_id() in preemptible context
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0072/1157] RISC-V: Declare cpu_ops_spinwait in <asm/cpu_ops.h> Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0074/1157] RISC-V: Fixup get incorrect user mode PC for kernel mode regs Greg Kroah-Hartman
                   ` (922 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guo Ren, Heiko Stuebner, Atish Patra,
	Xianting Tian, Palmer Dabbelt

From: Xianting Tian <xianting.tian@linux.alibaba.com>

commit 357628e68f5c08ad578a718dc62a0031e06dbe91 upstream.

Use __smp_processor_id() to avoid checking the preemption context when
CONFIG_DEBUG_PREEMPT is enabled, as we will enter the crash kernel and
not return.

Without the patch,
[  103.781044] sysrq: Trigger a crash
[  103.784625] Kernel panic - not syncing: sysrq triggered crash
[  103.837634] CPU1: off
[  103.889668] CPU2: off
[  103.933479] CPU3: off
[  103.939424] Starting crashdump kernel...
[  103.943442] BUG: using smp_processor_id() in preemptible [00000000] code: sh/346
[  103.950884] caller is debug_smp_processor_id+0x1c/0x26
[  103.956051] CPU: 0 PID: 346 Comm: sh Kdump: loaded Not tainted 5.10.113-00002-gce03f03bf4ec-dirty #149
[  103.965355] Call Trace:
[  103.967805] [<ffffffe00020372a>] walk_stackframe+0x0/0xa2
[  103.973206] [<ffffffe000bcf1f4>] show_stack+0x32/0x3e
[  103.978258] [<ffffffe000bd382a>] dump_stack_lvl+0x72/0x8e
[  103.983655] [<ffffffe000bd385a>] dump_stack+0x14/0x1c
[  103.988705] [<ffffffe000bdc8fe>] check_preemption_disabled+0x9e/0xaa
[  103.995057] [<ffffffe000bdc926>] debug_smp_processor_id+0x1c/0x26
[  104.001150] [<ffffffe000206c64>] machine_kexec+0x22/0xd0
[  104.006463] [<ffffffe000291a7e>] __crash_kexec+0x6a/0xa4
[  104.011774] [<ffffffe000bcf3fa>] panic+0xfc/0x2b0
[  104.016480] [<ffffffe000656ca4>] sysrq_reset_seq_param_set+0x0/0x70
[  104.022745] [<ffffffe000657310>] __handle_sysrq+0x8c/0x154
[  104.028229] [<ffffffe0006577e8>] write_sysrq_trigger+0x5a/0x6a
[  104.034061] [<ffffffe0003d90e0>] proc_reg_write+0x58/0xd4
[  104.039459] [<ffffffe00036cff4>] vfs_write+0x7e/0x254
[  104.044509] [<ffffffe00036d2f6>] ksys_write+0x58/0xbe
[  104.049558] [<ffffffe00036d36a>] sys_write+0xe/0x16
[  104.054434] [<ffffffe000201b9a>] ret_from_syscall+0x0/0x2
[  104.067863] Will call new kernel at ecc00000 from hart id 0
[  104.074939] FDT image at fc5ee000
[  104.079523] Bye...

With the patch we can get clear output,
[   67.740553] sysrq: Trigger a crash
[   67.744166] Kernel panic - not syncing: sysrq triggered crash
[   67.809123] CPU1: off
[   67.865210] CPU2: off
[   67.909075] CPU3: off
[   67.919123] Starting crashdump kernel...
[   67.924900] Will call new kernel at ecc00000 from hart id 0
[   67.932045] FDT image at fc5ee000
[   67.935560] Bye...

Fixes: 0e105f1d0037 ("riscv: use hart id instead of cpu id on machine_kexec")
Reviewed-by: Guo Ren <guoren@kernel.org>
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Reviewed-by: Atish Patra <atishp@rivosinc.com>
Signed-off-by: Xianting Tian <xianting.tian@linux.alibaba.com>
Link: https://lore.kernel.org/r/20220811074150.3020189-2-xianting.tian@linux.alibaba.com
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/kernel/machine_kexec.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/riscv/kernel/machine_kexec.c
+++ b/arch/riscv/kernel/machine_kexec.c
@@ -171,7 +171,7 @@ machine_kexec(struct kimage *image)
 	struct kimage_arch *internal = &image->arch;
 	unsigned long jump_addr = (unsigned long) image->start;
 	unsigned long first_ind_entry = (unsigned long) &image->head;
-	unsigned long this_cpu_id = smp_processor_id();
+	unsigned long this_cpu_id = __smp_processor_id();
 	unsigned long this_hart_id = cpuid_to_hartid_map(this_cpu_id);
 	unsigned long fdt_addr = internal->fdt_addr;
 	void *control_code_buffer = page_address(image->control_code_page);
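Review bot: __smp_processor_id() on the this_cpu_id line bypasses the
CONFIG_DEBUG_PREEMPT check, and nothing at the call site says why that is
safe. Please add a comment there giving the reasoning from the commit message
(this path enters the crash kernel and does not return), so the unchecked
variant is not copied elsewhere or reverted as a cleanup.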




* [PATCH 5.19 0074/1157] RISC-V: Fixup get incorrect user mode PC for kernel mode regs
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0073/1157] RISC-V: kexec: Fixup use of smp_processor_id() in preemptible context Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0075/1157] RISC-V: Fixup schedule out issue in machine_crash_shutdown() Greg Kroah-Hartman
                   ` (921 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xianting Tian, Palmer Dabbelt, Guo Ren

From: Xianting Tian <xianting.tian@linux.alibaba.com>

commit 59c026c359c30f116fef6ee958e24d04983efbb0 upstream.

When using 'echo c > /proc/sysrq-trigger' to trigger kdump, riscv_crash_save_regs()
will be called to save regs for vmcore. We found the "epc" value 00ffffffa5537400
is not a valid kernel virtual address, but is a user virtual address. Other
regs (e.g. ra, sp, gp...) are correct kernel virtual addresses.
Actually 0x00ffffffb0dd9400 is the user mode PC of 'PID: 113 Comm: sh', which
is saved in the task's stack.

[   21.201701] CPU: 0 PID: 113 Comm: sh Kdump: loaded Not tainted 5.18.9 #45
[   21.201979] Hardware name: riscv-virtio,qemu (DT)
[   21.202160] epc : 00ffffffa5537400 ra : ffffffff80088640 sp : ff20000010333b90
[   21.202435]  gp : ffffffff810dde38 tp : ff6000000226c200 t0 : ffffffff8032be7c
[   21.202707]  t1 : 0720072007200720 t2 : 30203a7375746174 s0 : ff20000010333cf0
[   21.202973]  s1 : 0000000000000000 a0 : ff20000010333b98 a1 : 0000000000000001
[   21.203243]  a2 : 0000000000000010 a3 : 0000000000000000 a4 : 28c8f0aeffea4e00
[   21.203519]  a5 : 28c8f0aeffea4e00 a6 : 0000000000000009 a7 : ffffffff8035c9b8
[   21.203794]  s2 : ffffffff810df0a8 s3 : ffffffff810df718 s4 : ff20000010333b98
[   21.204062]  s5 : 0000000000000000 s6 : 0000000000000007 s7 : ffffffff80c4a468
[   21.204331]  s8 : 00ffffffef451410 s9 : 0000000000000007 s10: 00aaaaaac0510700
[   21.204606]  s11: 0000000000000001 t3 : ff60000001218f00 t4 : ff60000001218f00
[   21.204876]  t5 : ff60000001218000 t6 : ff200000103338b8
[   21.205079] status: 0000000200000020 badaddr: 0000000000000000 cause: 0000000000000008

With the incorrect PC, the backtrace shown by the crash tool is as below; the
first stack frame is abnormal,

crash> bt
PID: 113      TASK: ff60000002269600  CPU: 0    COMMAND: "sh"
 #0 [ff2000001039bb90] __efistub_.Ldebug_info0 at 00ffffffa5537400 <-- Abnormal
 #1 [ff2000001039bcf0] panic at ffffffff806578ba
 #2 [ff2000001039bd50] sysrq_reset_seq_param_set at ffffffff8038c030
 #3 [ff2000001039bda0] __handle_sysrq at ffffffff8038c5f8
 #4 [ff2000001039be00] write_sysrq_trigger at ffffffff8038cad8
 #5 [ff2000001039be20] proc_reg_write at ffffffff801b7edc
 #6 [ff2000001039be40] vfs_write at ffffffff80152ba6
 #7 [ff2000001039be80] ksys_write at ffffffff80152ece
 #8 [ff2000001039bed0] sys_write at ffffffff80152f46

With the patch, we can get the current kernel mode PC; the output is as below,

[   17.607658] CPU: 0 PID: 113 Comm: sh Kdump: loaded Not tainted 5.18.9 #42
[   17.607937] Hardware name: riscv-virtio,qemu (DT)
[   17.608150] epc : ffffffff800078f8 ra : ffffffff8008862c sp : ff20000010333b90
[   17.608441]  gp : ffffffff810dde38 tp : ff6000000226c200 t0 : ffffffff8032be68
[   17.608741]  t1 : 0720072007200720 t2 : 666666666666663c s0 : ff20000010333cf0
[   17.609025]  s1 : 0000000000000000 a0 : ff20000010333b98 a1 : 0000000000000001
[   17.609320]  a2 : 0000000000000010 a3 : 0000000000000000 a4 : 0000000000000000
[   17.609601]  a5 : ff60000001c78000 a6 : 000000000000003c a7 : ffffffff8035c9a4
[   17.609894]  s2 : ffffffff810df0a8 s3 : ffffffff810df718 s4 : ff20000010333b98
[   17.610186]  s5 : 0000000000000000 s6 : 0000000000000007 s7 : ffffffff80c4a468
[   17.610469]  s8 : 00ffffffca281410 s9 : 0000000000000007 s10: 00aaaaaab5bb6700
[   17.610755]  s11: 0000000000000001 t3 : ff60000001218f00 t4 : ff60000001218f00
[   17.611041]  t5 : ff60000001218000 t6 : ff20000010333988
[   17.611255] status: 0000000200000020 badaddr: 0000000000000000 cause: 0000000000000008

With the correct PC, the backtrace shown by the crash tool is as below,

crash> bt
PID: 113      TASK: ff6000000226c200  CPU: 0    COMMAND: "sh"
 #0 [ff20000010333b90] riscv_crash_save_regs at ffffffff800078f8 <--- Normal
 #1 [ff20000010333cf0] panic at ffffffff806578c6
 #2 [ff20000010333d50] sysrq_reset_seq_param_set at ffffffff8038c03c
 #3 [ff20000010333da0] __handle_sysrq at ffffffff8038c604
 #4 [ff20000010333e00] write_sysrq_trigger at ffffffff8038cae4
 #5 [ff20000010333e20] proc_reg_write at ffffffff801b7ee8
 #6 [ff20000010333e40] vfs_write at ffffffff80152bb2
 #7 [ff20000010333e80] ksys_write at ffffffff80152eda
 #8 [ff20000010333ed0] sys_write at ffffffff80152f52

Fixes: e53d28180d4d ("RISC-V: Add kdump support")
Co-developed-by: Guo Ren <guoren@kernel.org>
Signed-off-by: Xianting Tian <xianting.tian@linux.alibaba.com>
Link: https://lore.kernel.org/r/20220811074150.3020189-3-xianting.tian@linux.alibaba.com
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/kernel/crash_save_regs.S |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/riscv/kernel/crash_save_regs.S
+++ b/arch/riscv/kernel/crash_save_regs.S
@@ -44,7 +44,7 @@ SYM_CODE_START(riscv_crash_save_regs)
 	REG_S t6,  PT_T6(a0)	/* x31 */
 
 	csrr t1, CSR_STATUS
-	csrr t2, CSR_EPC
+	auipc t2, 0x0
 	csrr t3, CSR_TVAL
 	csrr t4, CSR_CAUSE
 
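Review bot: only EPC is replaced here; t1, t3 and t4 are still filled from
CSR_STATUS, CSR_TVAL and CSR_CAUSE, which hold the state of the last trap
just as CSR_EPC did. The register dumps in the commit message show
cause: 0000000000000008 both before and after the change, which is the
environment-call-from-U-mode code, so the saved cause still describes the
write() syscall rather than the crash. Please either note next to these csrr
lines that the values belong to the last trap, or save neutral values. The
auipc t2, 0x0 line also deserves a comment saying it records the current
kernel PC inside riscv_crash_save_regs.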




* [PATCH 5.19 0075/1157] RISC-V: Fixup schedule out issue in machine_crash_shutdown()
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0074/1157] RISC-V: Fixup get incorrect user mode PC for kernel mode regs Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0076/1157] RISC-V: Add modules to virtual kernel memory layout dump Greg Kroah-Hartman
                   ` (920 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xianting Tian, Palmer Dabbelt

From: Xianting Tian <xianting.tian@linux.alibaba.com>

commit ad943893d5f1d0aeea892bf7b781cf8062b36d58 upstream.

The current task executing crash kexec will be scheduled out when a panic is
triggered by an RCU Stall, as it needs to wait for RCU completion. This leads
to an inability to enter the crash system.

The implementation of machine_crash_shutdown() is non-standard for RISC-V
compared with other architectures' implementations (e.g. x86, arm64); we need
to send an IPI to stop the secondary harts.

[224521.877268] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
[224521.883471] rcu: 	0-...0: (3 GPs behind) idle=cfa/0/0x1 softirq=3968793/3968793 fqs=2495
[224521.891742] 	(detected by 2, t=5255 jiffies, g=60855593, q=328)
[224521.897754] Task dump for CPU 0:
[224521.901074] task:swapper/0     state:R  running task   stack:  0 pid:  0 ppid:   0 flags:0x00000008
[224521.911090] Call Trace:
[224521.913638] [<ffffffe000c432de>] __schedule+0x208/0x5ea
[224521.918957] Kernel panic - not syncing: RCU Stall
[224521.923773] bad: scheduling from the idle thread!
[224521.928571] CPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Tainted: G   O  5.10.113-yocto-standard #1
[224521.938658] Call Trace:
[224521.941200] [<ffffffe00020395c>] walk_stackframe+0x0/0xaa
[224521.946689] [<ffffffe000c34f8e>] show_stack+0x32/0x3e
[224521.951830] [<ffffffe000c39020>] dump_stack_lvl+0x7e/0xa2
[224521.957317] [<ffffffe000c39058>] dump_stack+0x14/0x1c
[224521.962459] [<ffffffe000243884>] dequeue_task_idle+0x2c/0x40
[224521.968207] [<ffffffe000c434f4>] __schedule+0x41e/0x5ea
[224521.973520] [<ffffffe000c43826>] schedule+0x34/0xe4
[224521.978487] [<ffffffe000c46cae>] schedule_timeout+0xc6/0x170
[224521.984234] [<ffffffe000c4491e>] wait_for_completion+0x98/0xf2
[224521.990157] [<ffffffe00026d9e2>] __wait_rcu_gp+0x148/0x14a
[224521.995733] [<ffffffe0002761c4>] synchronize_rcu+0x5c/0x66
[224522.001307] [<ffffffe00026f1a6>] rcu_sync_enter+0x54/0xe6
[224522.006795] [<ffffffe00025a436>] percpu_down_write+0x32/0x11c
[224522.012629] [<ffffffe000c4266a>] _cpu_down+0x92/0x21a
[224522.017771] [<ffffffe000219a0a>] smp_shutdown_nonboot_cpus+0x90/0x118
[224522.024299] [<ffffffe00020701e>] machine_crash_shutdown+0x30/0x4a
[224522.030483] [<ffffffe00029a3f8>] __crash_kexec+0x62/0xa6
[224522.035884] [<ffffffe000c3515e>] panic+0xfa/0x2b6
[224522.040678] [<ffffffe0002772be>] rcu_sched_clock_irq+0xc26/0xcb8
[224522.046774] [<ffffffe00027fc7a>] update_process_times+0x62/0x8a
[224522.052785] [<ffffffe00028d522>] tick_sched_timer+0x9e/0x102
[224522.058533] [<ffffffe000280c3a>] __hrtimer_run_queues+0x16a/0x318
[224522.064716] [<ffffffe0002812ec>] hrtimer_interrupt+0xd4/0x228
[224522.070551] [<ffffffe0009a69b6>] riscv_timer_interrupt+0x3c/0x48
[224522.076646] [<ffffffe000268f8c>] handle_percpu_devid_irq+0xb0/0x24c
[224522.083004] [<ffffffe00026428e>] __handle_domain_irq+0xa8/0x122
[224522.089014] [<ffffffe00062f954>] riscv_intc_irq+0x38/0x60
[224522.094501] [<ffffffe000201bd4>] ret_from_exception+0x0/0xc
[224522.100161] [<ffffffe000c42146>] rcu_eqs_enter.constprop.0+0x8c/0xb8

With the patch, it can enter the crash system when an RCU Stall occurs.

Fixes: e53d28180d4d ("RISC-V: Add kdump support")
Signed-off-by: Xianting Tian <xianting.tian@linux.alibaba.com>
Link: https://lore.kernel.org/r/20220811074150.3020189-4-xianting.tian@linux.alibaba.com
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/kernel/machine_kexec.c |   26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

--- a/arch/riscv/kernel/machine_kexec.c
+++ b/arch/riscv/kernel/machine_kexec.c
@@ -138,19 +138,37 @@ void machine_shutdown(void)
 #endif
 }
 
+/* Override the weak function in kernel/panic.c */
+void crash_smp_send_stop(void)
+{
+	static int cpus_stopped;
+
+	/*
+	 * This function can be called twice in panic path, but obviously
+	 * we execute this only once.
+	 */
+	if (cpus_stopped)
+		return;
+
+	smp_send_stop();
+	cpus_stopped = 1;
+}
+
 /*
  * machine_crash_shutdown - Prepare to kexec after a kernel crash
  *
  * This function is called by crash_kexec just before machine_kexec
- * below and its goal is similar to machine_shutdown, but in case of
- * a kernel crash. Since we don't handle such cases yet, this function
- * is empty.
+ * and its goal is to shutdown non-crashing cpus and save registers.
  */
 void
 machine_crash_shutdown(struct pt_regs *regs)
 {
+	local_irq_disable();
+
+	/* shutdown non-crashing cpus */
+	crash_smp_send_stop();
+
 	crash_save_cpu(regs, smp_processor_id());
-	machine_shutdown();
 	pr_info("Starting crashdump kernel...\n");
 }
 
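Review bot: the updated header comment for machine_crash_shutdown() says the
goal is to shut down the non-crashing cpus "and save registers", but the body
saves registers only for the calling CPU via
crash_save_cpu(regs, smp_processor_id()). Unless smp_send_stop() records the
other harts' state, which these lines do not show, the vmcore will lack it;
please either say so in the comment or save it on the stop path. In
crash_smp_send_stop(), cpus_stopped is tested and set with no ordering or
locking; the comment covers a second call on the same panic path, and a word
on why no other CPU can reach it concurrently would help.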




* [PATCH 5.19 0076/1157] RISC-V: Add modules to virtual kernel memory layout dump
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0075/1157] RISC-V: Fixup schedule out issue in machine_crash_shutdown() Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0077/1157] RISC-V: Fix counter restart during overflow for RV32 Greg Kroah-Hartman
                   ` (919 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guo Ren, Heiko Stuebner,
	Xianting Tian, Palmer Dabbelt

From: Xianting Tian <xianting.tian@linux.alibaba.com>

commit f9293ad46d8ba9909187a37b7215324420ad4596 upstream.

Modules always live before the kernel. MODULES_END is fixed but
MODULES_VADDR isn't fixed; it depends on the kernel size.
Let's add it to the virtual kernel memory layout dump.

As MODULES is only defined for CONFIG_64BIT, we dump it when
CONFIG_64BIT=y.

eg,
MODULES_VADDR - MODULES_END
0xffffffff01133000 - 0xffffffff80000000

Reviewed-by: Guo Ren <guoren@kernel.org>
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Xianting Tian <xianting.tian@linux.alibaba.com>
Link: https://lore.kernel.org/r/20220811074150.3020189-5-xianting.tian@linux.alibaba.com
Cc: stable@vger.kernel.org
Fixes: 2bfc6cd81bd1 ("riscv: Move kernel mapping outside of linear mapping")
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/mm/init.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/riscv/mm/init.c
+++ b/arch/riscv/mm/init.c
@@ -135,6 +135,10 @@ static void __init print_vm_layout(void)
 		(unsigned long)VMEMMAP_END);
 	print_ml("vmalloc", (unsigned long)VMALLOC_START,
 		(unsigned long)VMALLOC_END);
+#ifdef CONFIG_64BIT
+	print_ml("modules", (unsigned long)MODULES_VADDR,
+		(unsigned long)MODULES_END);
+#endif
 	print_ml("lowmem", (unsigned long)PAGE_OFFSET,
 		(unsigned long)high_memory);
 	if (IS_ENABLED(CONFIG_64BIT)) {
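Review bot: the new print_ml("modules", ...) call is wrapped in
#ifdef CONFIG_64BIT while the block just below uses
if (IS_ENABLED(CONFIG_64BIT)). The preprocessor guard is presumably needed
because MODULES_VADDR is only defined for 64-bit, as the commit message says;
a short comment to that effect would stop someone converting it to
IS_ENABLED() and breaking the 32-bit build.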




* [PATCH 5.19 0077/1157] RISC-V: Fix counter restart during overflow for RV32
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0076/1157] RISC-V: Add modules to virtual kernel memory layout dump Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0078/1157] RISC-V: Fix SBI PMU calls " Greg Kroah-Hartman
                   ` (918 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Atish Patra, Guo Ren, Palmer Dabbelt

From: Atish Patra <atishp@rivosinc.com>

commit acc1b919f47926b089be21b8aaa29ec91fef0aa2 upstream.

Pass the upper half of the initial value of the counter correctly
for RV32.

Fixes: 4905ec2fb7e6 ("RISC-V: Add sscofpmf extension support")
Signed-off-by: Atish Patra <atishp@rivosinc.com>
Reviewed-by: Guo Ren <guoren@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220711174632.4186047-2-atishp@rivosinc.com
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/perf/riscv_pmu_sbi.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/perf/riscv_pmu_sbi.c
+++ b/drivers/perf/riscv_pmu_sbi.c
@@ -525,8 +525,13 @@ static inline void pmu_sbi_start_overflo
 			hwc = &event->hw;
 			max_period = riscv_pmu_ctr_get_width_mask(event);
 			init_val = local64_read(&hwc->prev_count) & max_period;
+#if defined(CONFIG_32BIT)
+			sbi_ecall(SBI_EXT_PMU, SBI_EXT_PMU_COUNTER_START, idx, 1,
+				  flag, init_val, init_val >> 32, 0);
+#else
 			sbi_ecall(SBI_EXT_PMU, SBI_EXT_PMU_COUNTER_START, idx, 1,
 				  flag, init_val, 0, 0);
+#endif
 		}
 		ctr_ovf_mask = ctr_ovf_mask >> 1;
 		idx++;
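Review bot: init_val >> 32 in the CONFIG_32BIT branch is only well defined if
init_val is a 64-bit type, and its declaration is outside this hunk. If it is
unsigned long, the shift is by the full width of the type on RV32 and the
upper half is never passed. Please confirm it is u64, and consider
upper_32_bits(init_val) to make the intent explicit.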




* [PATCH 5.19 0078/1157] RISC-V: Fix SBI PMU calls for RV32
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0077/1157] RISC-V: Fix counter restart during overflow for RV32 Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0079/1157] RISC-V: Update user page mapping only once during start Greg Kroah-Hartman
                   ` (917 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Atish Patra, Palmer Dabbelt

From: Atish Patra <atishp@rivosinc.com>

commit 0209b5830bea42dd3ce33ab0397231e67ec3b751 upstream.

Some of the SBI PMU calls do not pass 64bit arguments
correctly and are not under RV32 compile time flags. Currently,
this doesn't create any incorrect results as RV64 ignores
any value in the additional register and qemu doesn't support
raw events.

Fix those SBI calls in order to set correct values for RV32.

Fixes: e9991434596f ("RISC-V: Add perf platform driver based on SBI PMU extension")
Signed-off-by: Atish Patra <atishp@rivosinc.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220711174632.4186047-4-atishp@rivosinc.com
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/perf/riscv_pmu_sbi.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/perf/riscv_pmu_sbi.c
+++ b/drivers/perf/riscv_pmu_sbi.c
@@ -274,8 +274,13 @@ static int pmu_sbi_ctr_get_idx(struct pe
 		cflags |= SBI_PMU_CFG_FLAG_SET_UINH;
 
 	/* retrieve the available counter index */
+#if defined(CONFIG_32BIT)
+	ret = sbi_ecall(SBI_EXT_PMU, SBI_EXT_PMU_COUNTER_CFG_MATCH, cbase, cmask,
+			cflags, hwc->event_base, hwc->config, hwc->config >> 32);
+#else
 	ret = sbi_ecall(SBI_EXT_PMU, SBI_EXT_PMU_COUNTER_CFG_MATCH, cbase, cmask,
 			cflags, hwc->event_base, hwc->config, 0);
+#endif
 	if (ret.error) {
 		pr_debug("Not able to find a counter for event %lx config %llx\n",
 			hwc->event_base, hwc->config);
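Review bot: in the CONFIG_32BIT call, hwc->config is passed once as the low
word, relying on implicit truncation to the register width, and once as
hwc->config >> 32. The pr_debug below prints it with %llx, so it is 64-bit;
lower_32_bits(hwc->config) and upper_32_bits(hwc->config) would state the
split explicitly instead of leaving the truncation implicit.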
@@ -417,8 +422,13 @@ static void pmu_sbi_ctr_start(struct per
 	struct hw_perf_event *hwc = &event->hw;
 	unsigned long flag = SBI_PMU_START_FLAG_SET_INIT_VALUE;
 
+#if defined(CONFIG_32BIT)
 	ret = sbi_ecall(SBI_EXT_PMU, SBI_EXT_PMU_COUNTER_START, hwc->idx,
 			1, flag, ival, ival >> 32, 0);
+#else
+	ret = sbi_ecall(SBI_EXT_PMU, SBI_EXT_PMU_COUNTER_START, hwc->idx,
+			1, flag, ival, 0, 0);
+#endif
 	if (ret.error && (ret.error != SBI_ERR_ALREADY_STARTED))
 		pr_err("Starting counter idx %d failed with error %d\n",
 			hwc->idx, sbi_err_map_linux_errno(ret.error));
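Review bot: this hunk again duplicates a whole sbi_ecall() under
#if defined(CONFIG_32BIT) with only the high-word argument differing, the
same pattern as the CFG_MATCH call in the previous hunk. A small helper or
macro that yields the high word on RV32 and 0 on RV64 would let each call be
written once and remove the risk of the two branches diverging.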




* [PATCH 5.19 0079/1157] RISC-V: Update user page mapping only once during start
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0078/1157] RISC-V: Fix SBI PMU calls " Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0080/1157] wireguard: selftests: set CONFIG_NONPORTABLE on riscv32 Greg Kroah-Hartman
                   ` (916 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anup Patel, Atish Patra, Guo Ren,
	Palmer Dabbelt

From: Atish Patra <atishp@rivosinc.com>

commit 133a6d1fe7d7ad8393af025c4dde379c0616661f upstream.

Currently, riscv_pmu_event_set_period updates the userpage mapping.
However, the caller of riscv_pmu_event_set_period should update
the userpage mapping because the counter can not be updated/started
from set_period function in counter overflow path.

Invoke the perf_event_update_userpage at the caller so that it
doesn't get invoked twice during counter start path.

Fixes: f5bfa23f576f ("RISC-V: Add a perf core library for pmu drivers")
Reviewed-by: Anup Patel <anup@brainfault.org>
Signed-off-by: Atish Patra <atishp@rivosinc.com>
Reviewed-by: Guo Ren <guoren@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220711174632.4186047-3-atishp@rivosinc.com
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/perf/riscv_pmu.c     |    1 -
 drivers/perf/riscv_pmu_sbi.c |    1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/perf/riscv_pmu.c
+++ b/drivers/perf/riscv_pmu.c
@@ -170,7 +170,6 @@ int riscv_pmu_event_set_period(struct pe
 		left = (max_period >> 1);
 
 	local64_set(&hwc->prev_count, (u64)-left);
-	perf_event_update_userpage(event);
 
 	return overflow;
 }
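
Review bot: With perf_event_update_userpage() dropped from the end of riscv_pmu_event_set_period(), the function no longer publishes the new prev_count to the user page, and nothing at the definition says so. A comment above riscv_pmu_event_set_period() stating that the caller must call perf_event_update_userpage() after starting the counter would keep future callers from silently skipping the update.
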
--- a/drivers/perf/riscv_pmu_sbi.c
+++ b/drivers/perf/riscv_pmu_sbi.c
@@ -542,6 +542,7 @@ static inline void pmu_sbi_start_overflo
 			sbi_ecall(SBI_EXT_PMU, SBI_EXT_PMU_COUNTER_START, idx, 1,
 				  flag, init_val, 0, 0);
 #endif
+			perf_event_update_userpage(event);
 		}
 		ctr_ovf_mask = ctr_ovf_mask >> 1;
 		idx++;
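
Review bot: The added perf_event_update_userpage(event) in pmu_sbi_start_overflow() runs unconditionally after the sbi_ecall(SBI_EXT_PMU, SBI_EXT_PMU_COUNTER_START, ...) call, whose return value is discarded in the visible lines, so the user page is refreshed even when the counter failed to start. Consider capturing the sbiret and skipping the update (or at least logging) on error, in the way pmu_sbi_ctr_start() reports a failed start with pr_err().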




* [PATCH 5.19 0080/1157] wireguard: selftests: set CONFIG_NONPORTABLE on riscv32
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0079/1157] RISC-V: Update user page mapping only once during start Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0081/1157] rtc: rx8025: fix 12/24 hour mode detection on RX-8035 Greg Kroah-Hartman
                   ` (915 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason A. Donenfeld, Palmer Dabbelt

From: Jason A. Donenfeld <Jason@zx2c4.com>

commit 9019b4f6d9bd88524ecd95420cf9cd4aaed7a125 upstream.

When the CONFIG_PORTABLE/CONFIG_NONPORTABLE switches were added, various
configs were updated, but the wireguard config was forgotten about. This
leads to unbootable test kernels, causing CI fails. Add
CONFIG_NONPORTABLE=y to the wireguard test suite configuration for
riscv32.

Fixes: 44c1e84a38a0 ("RISC-V: Add CONFIG_{NON,}PORTABLE")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220809145757.83673-1-Jason@zx2c4.com
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/wireguard/qemu/arch/riscv32.config |    1 +
 1 file changed, 1 insertion(+)

--- a/tools/testing/selftests/wireguard/qemu/arch/riscv32.config
+++ b/tools/testing/selftests/wireguard/qemu/arch/riscv32.config
@@ -1,3 +1,4 @@
+CONFIG_NONPORTABLE=y
 CONFIG_ARCH_RV32I=y
 CONFIG_MMU=y
 CONFIG_FPU=y




* [PATCH 5.19 0081/1157] rtc: rx8025: fix 12/24 hour mode detection on RX-8035
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0080/1157] wireguard: selftests: set CONFIG_NONPORTABLE on riscv32 Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0082/1157] drm/gem: Properly annotate WW context on drm_gem_lock_reservations() error Greg Kroah-Hartman
                   ` (914 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mathew McBride, Alexandre Belloni

From: Mathew McBride <matt@traverse.com.au>

commit 71af91565052214ad86f288e0d8ffb165f790995 upstream.

The 12/24hr flag in the RX-8035 can be found in the hour register,
instead of the CTRL1 on the RX-8025. This was overlooked when
support for the RX-8035 was added, and was causing read errors when
the hour register 'overflowed'.

To deal with the relevant register not always being visible in
the relevant functions, determine the 12/24 mode at startup and
store it in the driver state.

Signed-off-by: Mathew McBride <matt@traverse.com.au>
Fixes: f120e2e33ac8 ("rtc: rx8025: implement RX-8035 support")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/20220706074236.24011-1-matt@traverse.com.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/rtc/rtc-rx8025.c |   22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

--- a/drivers/rtc/rtc-rx8025.c
+++ b/drivers/rtc/rtc-rx8025.c
@@ -55,6 +55,8 @@
 #define RX8025_BIT_CTRL2_XST	BIT(5)
 #define RX8025_BIT_CTRL2_VDET	BIT(6)
 
+#define RX8035_BIT_HOUR_1224	BIT(7)
+
 /* Clock precision adjustment */
 #define RX8025_ADJ_RESOLUTION	3050 /* in ppb */
 #define RX8025_ADJ_DATA_MAX	62
@@ -78,6 +80,7 @@ struct rx8025_data {
 	struct rtc_device *rtc;
 	enum rx_model model;
 	u8 ctrl1;
+	int is_24;
 };
 
 static s32 rx8025_read_reg(const struct i2c_client *client, u8 number)
@@ -226,7 +229,7 @@ static int rx8025_get_time(struct device
 
 	dt->tm_sec = bcd2bin(date[RX8025_REG_SEC] & 0x7f);
 	dt->tm_min = bcd2bin(date[RX8025_REG_MIN] & 0x7f);
-	if (rx8025->ctrl1 & RX8025_BIT_CTRL1_1224)
+	if (rx8025->is_24)
 		dt->tm_hour = bcd2bin(date[RX8025_REG_HOUR] & 0x3f);
 	else
 		dt->tm_hour = bcd2bin(date[RX8025_REG_HOUR] & 0x1f) % 12
@@ -254,7 +257,7 @@ static int rx8025_set_time(struct device
 	 */
 	date[RX8025_REG_SEC] = bin2bcd(dt->tm_sec);
 	date[RX8025_REG_MIN] = bin2bcd(dt->tm_min);
-	if (rx8025->ctrl1 & RX8025_BIT_CTRL1_1224)
+	if (rx8025->is_24)
 		date[RX8025_REG_HOUR] = bin2bcd(dt->tm_hour);
 	else
 		date[RX8025_REG_HOUR] = (dt->tm_hour >= 12 ? 0x20 : 0)
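
Review bot: In the is_24 branch of rx8025_set_time(), date[RX8025_REG_HOUR] = bin2bcd(dt->tm_hour) writes the hour register with bit 7 clear, yet the commit message says the RX-8035 keeps its 12/24 flag in that register (RX8035_BIT_HOUR_1224 is BIT(7)). Please confirm whether this write switches an RX-8035 back to 12-hour mode while the cached is_24 stays set; if so, the flag should be OR-ed into the value for model_rx_8035.
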
@@ -279,6 +282,7 @@ static int rx8025_init_client(struct i2c
 	struct rx8025_data *rx8025 = i2c_get_clientdata(client);
 	u8 ctrl[2], ctrl2;
 	int need_clear = 0;
+	int hour_reg;
 	int err;
 
 	err = rx8025_read_regs(client, RX8025_REG_CTRL1, 2, ctrl);
@@ -303,6 +307,16 @@ static int rx8025_init_client(struct i2c
 
 		err = rx8025_write_reg(client, RX8025_REG_CTRL2, ctrl2);
 	}
+
+	if (rx8025->model == model_rx_8035) {
+		/* In RX-8035, 12/24 flag is in the hour register */
+		hour_reg = rx8025_read_reg(client, RX8025_REG_HOUR);
+		if (hour_reg < 0)
+			return hour_reg;
+		rx8025->is_24 = (hour_reg & RX8035_BIT_HOUR_1224);
+	} else {
+		rx8025->is_24 = (ctrl[1] & RX8025_BIT_CTRL1_1224);
+	}
 out:
 	return err;
 }
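
Review bot: The else branch tests RX8025_BIT_CTRL1_1224 against ctrl[1], but the buffer is filled by rx8025_read_regs(client, RX8025_REG_CTRL1, 2, ctrl), which starts at CTRL1, so the CTRL1 value would be expected in ctrl[0] and ctrl[1] would hold the following register. The removed code tested rx8025->ctrl1; unless ctrl[1] is intentional, this should read ctrl[0] (or rx8025->ctrl1). Separately, is_24 is declared int and receives the raw masked value (0x80 on RX-8035); a bool with !! would state the intent more clearly.
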
@@ -329,7 +343,7 @@ static int rx8025_read_alarm(struct devi
 	/* Hardware alarms precision is 1 minute! */
 	t->time.tm_sec = 0;
 	t->time.tm_min = bcd2bin(ald[0] & 0x7f);
-	if (rx8025->ctrl1 & RX8025_BIT_CTRL1_1224)
+	if (rx8025->is_24)
 		t->time.tm_hour = bcd2bin(ald[1] & 0x3f);
 	else
 		t->time.tm_hour = bcd2bin(ald[1] & 0x1f) % 12
@@ -350,7 +364,7 @@ static int rx8025_set_alarm(struct devic
 	int err;
 
 	ald[0] = bin2bcd(t->time.tm_min);
-	if (rx8025->ctrl1 & RX8025_BIT_CTRL1_1224)
+	if (rx8025->is_24)
 		ald[1] = bin2bcd(t->time.tm_hour);
 	else
 		ald[1] = (t->time.tm_hour >= 12 ? 0x20 : 0)




* [PATCH 5.19 0082/1157] drm/gem: Properly annotate WW context on drm_gem_lock_reservations() error
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0081/1157] rtc: rx8025: fix 12/24 hour mode detection on RX-8035 Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0083/1157] drm/shmem-helper: Add missing vunmap on error Greg Kroah-Hartman
                   ` (913 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Hellström,
	Christian König, Dmitry Osipenko, Daniel Vetter

From: Dmitry Osipenko <dmitry.osipenko@collabora.com>

commit 2939deac1fa220bc82b89235f146df1d9b52e876 upstream.

Use ww_acquire_fini() in the error code paths. Otherwise lockdep
thinks that lock is held when lock's memory is freed after the
drm_gem_lock_reservations() error. The ww_acquire_context needs to be
annotated as "released", which fixes the noisy "WARNING: held lock freed!"
splat of VirtIO-GPU driver with CONFIG_DEBUG_MUTEXES=y and enabled lockdep.

Cc: stable@vger.kernel.org
Fixes: 7edc3e3b975b5 ("drm: Add helpers for locking an array of BO reservations.")
Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20220630200405.1883897-2-dmitry.osipenko@collabora.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/drm_gem.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c
@@ -1226,7 +1226,7 @@ retry:
 		ret = dma_resv_lock_slow_interruptible(obj->resv,
 								 acquire_ctx);
 		if (ret) {
-			ww_acquire_done(acquire_ctx);
+			ww_acquire_fini(acquire_ctx);
 			return ret;
 		}
 	}
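
Review bot: After the switch to ww_acquire_fini() in the if (ret) branch following dma_resv_lock_slow_interruptible(), the function returns with acquire_ctx already finalized, which is a contract callers need to know about. The kerneldoc of drm_gem_lock_reservations() should say that on error the context has been released and must not be finalized again by the caller.
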
@@ -1251,7 +1251,7 @@ retry:
 				goto retry;
 			}
 
-			ww_acquire_done(acquire_ctx);
+			ww_acquire_fini(acquire_ctx);
 			return ret;
 		}
 	}




* [PATCH 5.19 0083/1157] drm/shmem-helper: Add missing vunmap on error
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0082/1157] drm/gem: Properly annotate WW context on drm_gem_lock_reservations() error Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0084/1157] drm/vc4: hdmi: Disable audio if dmas property is present but empty Greg Kroah-Hartman
                   ` (912 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Daniel Vetter

From: Dmitry Osipenko <dmitry.osipenko@collabora.com>

commit df4aaf015775221dde8a51ee09edb919981f091e upstream.

The vmapping of dma-buf may succeed, but DRM SHMEM rejects the IOMEM
mapping, and thus, drm_gem_shmem_vmap_locked() should unvmap the IOMEM
before erroring out.

Cc: stable@vger.kernel.org
Fixes: 49a3f51dfeee ("drm/gem: Use struct dma_buf_map in GEM vmap ops and convert GEM backends")
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20220630200058.1883506-2-dmitry.osipenko@collabora.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/drm_gem_shmem_helper.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/drm_gem_shmem_helper.c
+++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
@@ -302,6 +302,7 @@ static int drm_gem_shmem_vmap_locked(str
 		ret = dma_buf_vmap(obj->import_attach->dmabuf, map);
 		if (!ret) {
 			if (WARN_ON(map->is_iomem)) {
+				dma_buf_vunmap(obj->import_attach->dmabuf, map);
 				ret = -EIO;
 				goto err_put_pages;
 			}




* [PATCH 5.19 0084/1157] drm/vc4: hdmi: Disable audio if dmas property is present but empty
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0083/1157] drm/shmem-helper: Add missing vunmap on error Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0085/1157] drm/ingenic: Use the highest possible DMA burst size Greg Kroah-Hartman
                   ` (911 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Phil Elwell, Maxime Ripard

From: Phil Elwell <phil@raspberrypi.org>

commit db2b927f8668adf3ac765e0921cd2720f5c04172 upstream.

The dmas property is used to hold the dmaengine channel used for audio
output.

Older device trees were missing that property, so if it's not there we
disable the audio output entirely.

However, some overlays have set an empty value to that property, mostly
to workaround the fact that overlays cannot remove a property. Let's add
a test for that case and if it's empty, let's disable it as well.

Cc: <stable@vger.kernel.org>
Signed-off-by: Phil Elwell <phil@raspberrypi.org>
Link: https://lore.kernel.org/r/20220613144800.326124-18-maxime@cerno.tech
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/vc4/vc4_hdmi.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
+++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
@@ -2035,12 +2035,12 @@ static int vc4_hdmi_audio_init(struct vc
 	struct device *dev = &vc4_hdmi->pdev->dev;
 	struct platform_device *codec_pdev;
 	const __be32 *addr;
-	int index;
+	int index, len;
 	int ret;
 
-	if (!of_find_property(dev->of_node, "dmas", NULL)) {
+	if (!of_find_property(dev->of_node, "dmas", &len) || !len) {
 		dev_warn(dev,
-			 "'dmas' DT property is missing, no HDMI audio\n");
+			 "'dmas' DT property is missing or empty, no HDMI audio\n");
 		return 0;
 	}
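
Review bot: The !len case added to the of_find_property() check shares the dev_warn() with the missing-property case, although the commit message describes an empty dmas as something overlays set on purpose. A warning on every probe for a deliberate configuration is noisy; consider dev_info() or dev_dbg() for the empty case, or at least separate messages so the log distinguishes an old device tree from an intentional disable.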
 




* [PATCH 5.19 0085/1157] drm/ingenic: Use the highest possible DMA burst size
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0084/1157] drm/vc4: hdmi: Disable audio if dmas property is present but empty Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0086/1157] drm/fb-helper: Fix out-of-bounds access Greg Kroah-Hartman
                   ` (910 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Cercueil, Sam Ravnborg,
	Christophe Branchereau

From: Paul Cercueil <paul@crapouillou.net>

commit f0dce5c4fdaf9e98dd2755ffb1363822854b6287 upstream.

Until now, when running at the maximum resolution of 1280x720 at 32bpp
on the JZ4770 SoC the output was garbled, the X/Y position of the
top-left corner of the framebuffer warping to a random position with
the whole image being offset accordingly, every time a new frame was
being submitted.

This problem can be eliminated by using a bigger burst size for the DMA.

Set in each soc_info structure the maximum burst size supported by the
corresponding SoC, and use it in the driver.

Set the new value using regmap_update_bits() instead of
regmap_set_bits(), since we do want to override the old value of the
burst size. (Note that regmap_set_bits() wasn't really valid before for
the same reason, but it never seemed to be a problem).

Cc: <stable@vger.kernel.org>
Fixes: 90b86fcc47b4 ("DRM: Add KMS driver for the Ingenic JZ47xx SoCs")
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Link: https://patchwork.freedesktop.org/patch/msgid/20220702230727.66704-1-paul@crapouillou.net
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Tested-by: Christophe Branchereau <cbranchereau@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/ingenic/ingenic-drm-drv.c |   10 ++++++++--
 drivers/gpu/drm/ingenic/ingenic-drm.h     |    3 +++
 2 files changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
+++ b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
@@ -69,6 +69,7 @@ struct jz_soc_info {
 	bool map_noncoherent;
 	bool use_extended_hwdesc;
 	bool plane_f0_not_working;
+	u32 max_burst;
 	unsigned int max_width, max_height;
 	const u32 *formats_f0, *formats_f1;
 	unsigned int num_formats_f0, num_formats_f1;
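
Review bot: The new max_burst field in struct jz_soc_info has no distinguishable unset value, because zero is JZ_LCD_CTRL_BURST_4 (0x0 << 28). The four soc_info structures touched by this patch set it, but a later entry that omits .max_burst would silently program the smallest burst through the regmap_update_bits() call rather than fail visibly. A short comment on the field saying it must hold one of the JZ_LCD_CTRL_BURST_* values, and that leaving it out selects BURST_4, would help.
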
@@ -318,8 +319,9 @@ static void ingenic_drm_crtc_update_timi
 		regmap_write(priv->map, JZ_REG_LCD_REV, mode->htotal << 16);
 	}
 
-	regmap_set_bits(priv->map, JZ_REG_LCD_CTRL,
-			JZ_LCD_CTRL_OFUP | JZ_LCD_CTRL_BURST_16);
+	regmap_update_bits(priv->map, JZ_REG_LCD_CTRL,
+			   JZ_LCD_CTRL_OFUP | JZ_LCD_CTRL_BURST_MASK,
+			   JZ_LCD_CTRL_OFUP | priv->soc_info->max_burst);
 
 	/*
 	 * IPU restart - specify how much time the LCDC will wait before
@@ -1518,6 +1520,7 @@ static const struct jz_soc_info jz4740_s
 	.map_noncoherent = false,
 	.max_width = 800,
 	.max_height = 600,
+	.max_burst = JZ_LCD_CTRL_BURST_16,
 	.formats_f1 = jz4740_formats,
 	.num_formats_f1 = ARRAY_SIZE(jz4740_formats),
 	/* JZ4740 has only one plane */
@@ -1529,6 +1532,7 @@ static const struct jz_soc_info jz4725b_
 	.map_noncoherent = false,
 	.max_width = 800,
 	.max_height = 600,
+	.max_burst = JZ_LCD_CTRL_BURST_16,
 	.formats_f1 = jz4725b_formats_f1,
 	.num_formats_f1 = ARRAY_SIZE(jz4725b_formats_f1),
 	.formats_f0 = jz4725b_formats_f0,
@@ -1541,6 +1545,7 @@ static const struct jz_soc_info jz4770_s
 	.map_noncoherent = true,
 	.max_width = 1280,
 	.max_height = 720,
+	.max_burst = JZ_LCD_CTRL_BURST_64,
 	.formats_f1 = jz4770_formats_f1,
 	.num_formats_f1 = ARRAY_SIZE(jz4770_formats_f1),
 	.formats_f0 = jz4770_formats_f0,
@@ -1555,6 +1560,7 @@ static const struct jz_soc_info jz4780_s
 	.plane_f0_not_working = true,	/* REVISIT */
 	.max_width = 4096,
 	.max_height = 2048,
+	.max_burst = JZ_LCD_CTRL_BURST_64,
 	.formats_f1 = jz4770_formats_f1,
 	.num_formats_f1 = ARRAY_SIZE(jz4770_formats_f1),
 	.formats_f0 = jz4770_formats_f0,
--- a/drivers/gpu/drm/ingenic/ingenic-drm.h
+++ b/drivers/gpu/drm/ingenic/ingenic-drm.h
@@ -106,6 +106,9 @@
 #define JZ_LCD_CTRL_BURST_4			(0x0 << 28)
 #define JZ_LCD_CTRL_BURST_8			(0x1 << 28)
 #define JZ_LCD_CTRL_BURST_16			(0x2 << 28)
+#define JZ_LCD_CTRL_BURST_32			(0x3 << 28)
+#define JZ_LCD_CTRL_BURST_64			(0x4 << 28)
+#define JZ_LCD_CTRL_BURST_MASK			(0x7 << 28)
 #define JZ_LCD_CTRL_RGB555			BIT(27)
 #define JZ_LCD_CTRL_OFUP			BIT(26)
 #define JZ_LCD_CTRL_FRC_GRAYSCALE_16		(0x0 << 24)




* [PATCH 5.19 0086/1157] drm/fb-helper: Fix out-of-bounds access
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0085/1157] drm/ingenic: Use the highest possible DMA burst size Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50   ` Greg Kroah-Hartman
                   ` (909 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nuno Gonçalves,
	Thomas Zimmermann, Javier Martinez Canillas, Maarten Lankhorst,
	Maxime Ripard

From: Thomas Zimmermann <tzimmermann@suse.de>

commit ae25885bdf59fde40726863c57fd20e4a0642183 upstream.

Clip memory range to screen-buffer size to avoid out-of-bounds access
in fbdev deferred I/O's damage handling.

Fbdev's deferred I/O can only track pages. From the range of pages, the
damage handler computes the clipping rectangle for the display update.
If the fbdev screen buffer ends near the beginning of a page, that page
could contain more scanlines. The damage handler would then track these
non-existing scanlines as dirty and provoke an out-of-bounds access
during the screen update. Hence, clip the maximum memory range to the
size of the screen buffer.

While at it, rename the variables min/max to min_off/max_off in
drm_fb_helper_deferred_io(). This avoids confusion with the macros of
the same name.

Reported-by: Nuno Gonçalves <nunojpg@gmail.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Tested-by: Nuno Gonçalves <nunojpg@gmail.com>
Fixes: 67b723f5b742 ("drm/fb-helper: Calculate damaged area in separate helper")
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Javier Martinez Canillas <javierm@redhat.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: <stable@vger.kernel.org> # v5.18+
Link: https://patchwork.freedesktop.org/patch/msgid/20220621104617.8817-1-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/drm_fb_helper.c |   27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -680,7 +680,11 @@ static void drm_fb_helper_damage(struct
 	schedule_work(&helper->damage_work);
 }
 
-/* Convert memory region into area of scanlines and pixels per scanline */
+/*
+ * Convert memory region into area of scanlines and pixels per
+ * scanline. The parameters off and len must not reach beyond
+ * the end of the framebuffer.
+ */
 static void drm_fb_helper_memory_range_to_clip(struct fb_info *info, off_t off, size_t len,
 					       struct drm_rect *clip)
 {
@@ -715,22 +719,29 @@ static void drm_fb_helper_memory_range_t
  */
 void drm_fb_helper_deferred_io(struct fb_info *info, struct list_head *pagereflist)
 {
-	unsigned long start, end, min, max;
+	unsigned long start, end, min_off, max_off;
 	struct fb_deferred_io_pageref *pageref;
 	struct drm_rect damage_area;
 
-	min = ULONG_MAX;
-	max = 0;
+	min_off = ULONG_MAX;
+	max_off = 0;
 	list_for_each_entry(pageref, pagereflist, list) {
 		start = pageref->offset;
 		end = start + PAGE_SIZE;
-		min = min(min, start);
-		max = max(max, end);
+		min_off = min(min_off, start);
+		max_off = max(max_off, end);
 	}
-	if (min >= max)
+	if (min_off >= max_off)
 		return;
 
-	drm_fb_helper_memory_range_to_clip(info, min, max - min, &damage_area);
+	/*
+	 * As we can only track pages, we might reach beyond the end
+	 * of the screen and account for non-existing scanlines. Hence,
+	 * keep the covered memory area within the screen buffer.
+	 */
+	max_off = min(max_off, info->screen_size);
+
+	drm_fb_helper_memory_range_to_clip(info, min_off, max_off - min_off, &damage_area);
 	drm_fb_helper_damage(info, damage_area.x1, damage_area.y1,
 			     drm_rect_width(&damage_area),
 			     drm_rect_height(&damage_area));
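
Review bot: In drm_fb_helper_deferred_io() the min_off >= max_off early return runs before max_off = min(max_off, info->screen_size), so the clamp can leave max_off at or below min_off when the first dirty page starts at or past screen_size, and max_off - min_off then wraps as an unsigned long. Moving the clamp above the check, or repeating the check after it, would keep the length passed to drm_fb_helper_memory_range_to_clip() within the bound the new comment on that function requires.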




* [PATCH 5.19 0087/1157] drm/hyperv-drm: Include framebuffer and EDID headers
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
@ 2022-08-15 17:50   ` Greg Kroah-Hartman
  2022-08-15 17:49 ` [PATCH 5.19 0002/1157] x86: link vdso and boot " Greg Kroah-Hartman
                     ` (992 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: linux-hyperv, Greg Kroah-Hartman, dri-devel, Deepak Rawat,
	stable, Thomas Zimmermann, Maxime Ripard

From: Thomas Zimmermann <tzimmermann@suse.de>

commit 009a3a52791f31c57d755a73f6bc66fbdd8bd76c upstream.

Fix a number of compile errors by including the correct header
files. Examples are shown below.

  ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c: In function 'hyperv_blit_to_vram_rect':
  ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c:25:48: error: invalid use of undefined type 'struct drm_framebuffer'
   25 |         struct hyperv_drm_device *hv = to_hv(fb->dev);
      |                                                ^~

  ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c: In function 'hyperv_connector_get_modes':
  ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c:59:17: error: implicit declaration of function 'drm_add_modes_noedid' [-Werror=implicit-function-declaration]
   59 |         count = drm_add_modes_noedid(connector,
      |                 ^~~~~~~~~~~~~~~~~~~~

  ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c:62:9: error: implicit declaration of function 'drm_set_preferred_mode'; did you mean 'drm_mm_reserve_node'? [-Werror=implicit-function-declaration]
   62 |         drm_set_preferred_mode(connector, hv->preferred_width,
      |         ^~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 76c56a5affeb ("drm/hyperv: Add DRM driver for hyperv synthetic video device")
Fixes: 720cf96d8fec ("drm: Drop drm_framebuffer.h from drm_crtc.h")
Fixes: 255490f9150d ("drm: Drop drm_edid.h from drm_crtc.h")
Cc: Deepak Rawat <drawat.floss@gmail.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: linux-hyperv@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v5.14+
Acked-by: Maxime Ripard <maxime@cerno.tech>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220622083413.12573-1-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/hyperv/hyperv_drm_modeset.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c
+++ b/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c
@@ -7,9 +7,11 @@
 
 #include <drm/drm_damage_helper.h>
 #include <drm/drm_drv.h>
+#include <drm/drm_edid.h>
 #include <drm/drm_fb_helper.h>
 #include <drm/drm_format_helper.h>
 #include <drm/drm_fourcc.h>
+#include <drm/drm_framebuffer.h>
 #include <drm/drm_gem_atomic_helper.h>
 #include <drm/drm_gem_framebuffer_helper.h>
 #include <drm/drm_gem_shmem_helper.h>




* [PATCH 5.19 0088/1157] drm/dp/mst: Read the extended DPCD capabilities during system resume
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2022-08-15 17:50   ` Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0089/1157] drm/nouveau: fix another off-by-one in nvbios_addr Greg Kroah-Hartman
                   ` (907 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lyude Paul, Imre Deak, Jani Nikula

From: Imre Deak <imre.deak@intel.com>

commit 7a710a8bc909313951eb9252d8419924c771d7c2 upstream.

The WD22TB4 Thunderbolt dock at least will revert its DP_MAX_LINK_RATE
from HBR3 to HBR2 after system suspend/resume if the DP_DP13_DPCD_REV
registers are not read subsequently also as required.

Fix this by reading DP_DP13_DPCD_REV registers as well, matching what is
done during connector detection. While at it also fix up the same call
in drm_dp_mst_dump_topology().

Cc: Lyude Paul <lyude@redhat.com>
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5292
Signed-off-by: Imre Deak <imre.deak@intel.com>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Cc: <stable@vger.kernel.org> # v5.14+
Reviewed-by: Lyude Paul <lyude@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220614094537.885472-1-imre.deak@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/display/drm_dp_mst_topology.c |    7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/display/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c
@@ -3860,9 +3860,7 @@ int drm_dp_mst_topology_mgr_resume(struc
 	if (!mgr->mst_primary)
 		goto out_fail;
 
-	ret = drm_dp_dpcd_read(mgr->aux, DP_DPCD_REV, mgr->dpcd,
-			       DP_RECEIVER_CAP_SIZE);
-	if (ret != DP_RECEIVER_CAP_SIZE) {
+	if (drm_dp_read_dpcd_caps(mgr->aux, mgr->dpcd) < 0) {
 		drm_dbg_kms(mgr->dev, "dpcd read failed - undocked during suspend?\n");
 		goto out_fail;
 	}
@@ -4911,8 +4909,7 @@ void drm_dp_mst_dump_topology(struct seq
 		u8 buf[DP_PAYLOAD_TABLE_SIZE];
 		int ret;
 
-		ret = drm_dp_dpcd_read(mgr->aux, DP_DPCD_REV, buf, DP_RECEIVER_CAP_SIZE);
-		if (ret) {
+		if (drm_dp_read_dpcd_caps(mgr->aux, buf) < 0) {
 			seq_printf(m, "dpcd read failed\n");
 			goto out;
 		}
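
Review bot: In drm_dp_mst_dump_topology() the replaced check was if (ret), which treats any non-zero return from drm_dp_dpcd_read() as failure, while the new one is drm_dp_read_dpcd_caps(...) < 0, so the error semantics change here as well as the set of registers read. The commit message covers this only with "fix up the same call"; a sentence saying what was wrong with the old check would help anyone backporting. The helper also takes no length argument, so buf, declared with DP_PAYLOAD_TABLE_SIZE, has to be at least as large as what the helper writes; a comment or a dedicated DP_RECEIVER_CAP_SIZE buffer would make that explicit.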




* [PATCH 5.19 0089/1157] drm/nouveau: fix another off-by-one in nvbios_addr
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0088/1157] drm/dp/mst: Read the extended DPCD capabilities during system resume Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0090/1157] drm/nouveau: Dont pm_runtime_put_sync(), only pm_runtime_put_autosuspend() Greg Kroah-Hartman
                   ` (906 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Timur Tabi, Karol Herbst, Lyude Paul

From: Timur Tabi <ttabi@nvidia.com>

commit c441d28945fb113220d48d6c86ebc0b090a2b677 upstream.

This check determines whether a given address is part of
image 0 or image 1.  Image 1 starts at offset image0_size,
so that address should be included.

Fixes: 4d4e9907ff572 ("drm/nouveau/bios: guard against out-of-bounds accesses to image")
Cc: <stable@vger.kernel.org> # v4.8+
Signed-off-by: Timur Tabi <ttabi@nvidia.com>
Reviewed-by: Karol Herbst <kherbst@redhat.com>
Signed-off-by: Lyude Paul <lyude@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220511163716.3520591-1-ttabi@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
@@ -33,7 +33,7 @@ nvbios_addr(struct nvkm_bios *bios, u32
 {
 	u32 p = *addr;
 
-	if (*addr > bios->image0_size && bios->imaged_addr) {
+	if (*addr >= bios->image0_size && bios->imaged_addr) {
 		*addr -= bios->image0_size;
 		*addr += bios->imaged_addr;
 	}
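Review bot: the corrected boundary test `*addr >= bios->image0_size` in nvbios_addr() has no comment, and the subject line says this is already the second off-by-one fixed in this function. A one-line comment above the condition stating that image 1 starts exactly at offset image0_size would document why the comparison is inclusive and make a later regression easier to spot in review.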




* [PATCH 5.19 0090/1157] drm/nouveau: Dont pm_runtime_put_sync(), only pm_runtime_put_autosuspend()
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0089/1157] drm/nouveau: fix another off-by-one in nvbios_addr Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0091/1157] drm/nouveau/acpi: Dont print error when we get -EINPROGRESS from pm_runtime Greg Kroah-Hartman
                   ` (905 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lyude Paul, David Airlie, Hans de Goede

From: Lyude Paul <lyude@redhat.com>

commit c96cfaf8fc02d4bb70727dfa7ce7841a3cff9be2 upstream.

While trying to fix another issue, it occurred to me that I don't actually
think there is any situation where we want pm_runtime_put() in nouveau to
be synchronous. In fact, this kind of just seems like it would cause
issues where we may unexpectedly block a thread we don't expect to be
blocked.

So, let's only use pm_runtime_put_autosuspend().

Changes since v1:
* Use pm_runtime_put_autosuspend(), not pm_runtime_put()

Signed-off-by: Lyude Paul <lyude@redhat.com>
Reviewed-by: David Airlie <airlied@linux.ie>
Fixes: 3a6536c51d5d ("drm/nouveau: Intercept ACPI_VIDEO_NOTIFY_PROBE")
Cc: Hans de Goede <hdegoede@redhat.com>
Cc: <stable@vger.kernel.org> # v4.10+
Link: https://patchwork.freedesktop.org/patch/msgid/20220714174234.949259-3-lyude@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/nouveau/nouveau_display.c |    2 +-
 drivers/gpu/drm/nouveau/nouveau_fbcon.c   |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/nouveau/nouveau_display.c
+++ b/drivers/gpu/drm/nouveau/nouveau_display.c
@@ -515,7 +515,7 @@ nouveau_display_hpd_work(struct work_str
 
 	pm_runtime_mark_last_busy(drm->dev->dev);
 noop:
-	pm_runtime_put_sync(drm->dev->dev);
+	pm_runtime_put_autosuspend(dev->dev);
 }
 
 #ifdef CONFIG_ACPI
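Review bot: the added line in nouveau_display_hpd_work() passes `dev->dev`, while the line it replaces and the pm_runtime_mark_last_busy() call two lines above both use `drm->dev->dev`. The hunk does not show a local `dev` in this function, and the nouveau_fbcon.c hunk of the same patch keeps `drm->dev->dev`. Either confirm that `dev` is a local equal to drm->dev here, or use `drm->dev->dev` so the put is visibly on the same device as the mark_last_busy call.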
--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
@@ -466,7 +466,7 @@ nouveau_fbcon_set_suspend_work(struct wo
 	if (state == FBINFO_STATE_RUNNING) {
 		nouveau_fbcon_hotplug_resume(drm->fbcon);
 		pm_runtime_mark_last_busy(drm->dev->dev);
-		pm_runtime_put_sync(drm->dev->dev);
+		pm_runtime_put_autosuspend(drm->dev->dev);
 	}
 }
 




* [PATCH 5.19 0091/1157] drm/nouveau/acpi: Dont print error when we get -EINPROGRESS from pm_runtime
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0090/1157] drm/nouveau: Dont pm_runtime_put_sync(), only pm_runtime_put_autosuspend() Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0092/1157] drm/nouveau/kms: Fix failure path for creating DP connectors Greg Kroah-Hartman
                   ` (904 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lyude Paul, David Airlie

From: Lyude Paul <lyude@redhat.com>

commit 53c26181950ddc3c8ace3c0939c89e9c4d8deeb9 upstream.

Since this isn't actually a failure.

Signed-off-by: Lyude Paul <lyude@redhat.com>
Reviewed-by: David Airlie <airlied@linux.ie>
Fixes: 79e765ad665d ("drm/nouveau/drm/nouveau: Prevent handling ACPI HPD events too early")
Cc: <stable@vger.kernel.org> # v4.19+
Link: https://patchwork.freedesktop.org/patch/msgid/20220714174234.949259-2-lyude@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/nouveau/nouveau_display.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/nouveau/nouveau_display.c
+++ b/drivers/gpu/drm/nouveau/nouveau_display.c
@@ -537,7 +537,7 @@ nouveau_display_acpi_ntfy(struct notifie
 				 * it's own hotplug events.
 				 */
 				pm_runtime_put_autosuspend(drm->dev->dev);
-			} else if (ret == 0) {
+			} else if (ret == 0 || ret == -EINPROGRESS) {
 				/* We've started resuming the GPU already, so
 				 * it will handle scheduling a full reprobe
 				 * itself
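Review bot: the in-code comment under the widened condition `ret == 0 || ret == -EINPROGRESS` in nouveau_display_acpi_ntfy() still describes only the "we've started resuming the GPU already" case, and the commit message is a single clause. Please extend the comment to say why -EINPROGRESS is treated like 0 here, so the next reader does not take it for an error code that slipped into the success branch.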




* [PATCH 5.19 0092/1157] drm/nouveau/kms: Fix failure path for creating DP connectors
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0091/1157] drm/nouveau/acpi: Dont print error when we get -EINPROGRESS from pm_runtime Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0093/1157] drm/tegra: Fix vmapping of prime buffers Greg Kroah-Hartman
                   ` (903 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lyude Paul, David Airlie

From: Lyude Paul <lyude@redhat.com>

commit ca0367ca5d9216644b41f86348d6661f8d9e32d8 upstream.

It looks like when we moved nouveau over to using drm_dp_aux_init()
and registering its aux bus during late connector registration, we totally
forgot to fix the failure codepath in nouveau_connector_create() - as it
still seems to assume that drm_dp_aux_init() can fail (it can't).

So, let's fix that and also add a missing check to ensure that we've
properly allocated nv_connector->aux.name while we're at it.

Signed-off-by: Lyude Paul <lyude@redhat.com>
Reviewed-by: David Airlie <airlied@linux.ie>
Fixes: fd43ad9d47e7 ("drm/nouveau/kms/nv50-: Move AUX adapter reg to connector late register/early unregister")
Cc: <stable@vger.kernel.org> # v5.14+
Link: https://patchwork.freedesktop.org/patch/msgid/20220526204313.656473-1-lyude@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/nouveau/nouveau_connector.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
@@ -1361,13 +1361,11 @@ nouveau_connector_create(struct drm_devi
 		snprintf(aux_name, sizeof(aux_name), "sor-%04x-%04x",
 			 dcbe->hasht, dcbe->hashm);
 		nv_connector->aux.name = kstrdup(aux_name, GFP_KERNEL);
-		drm_dp_aux_init(&nv_connector->aux);
-		if (ret) {
-			NV_ERROR(drm, "Failed to init AUX adapter for sor-%04x-%04x: %d\n",
-				 dcbe->hasht, dcbe->hashm, ret);
+		if (!nv_connector->aux.name) {
 			kfree(nv_connector);
-			return ERR_PTR(ret);
+			return ERR_PTR(-ENOMEM);
 		}
+		drm_dp_aux_init(&nv_connector->aux);
 		fallthrough;
 	default:
 		funcs = &nouveau_connector_funcs;
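Review bot: the new `if (!nv_connector->aux.name)` check in nouveau_connector_create() handles the kstrdup() failure, but the hunk does not show where the duplicated string is freed once the allocation succeeds. Please confirm that every later failure return in this function and the connector destroy path kfree() nv_connector->aux.name, otherwise the string allocated here leaks whenever connector creation fails after this point.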




* [PATCH 5.19 0093/1157] drm/tegra: Fix vmapping of prime buffers
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0092/1157] drm/nouveau/kms: Fix failure path for creating DP connectors Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0094/1157] drm/amdgpu: Check BOs requested pinning domains against its preferred_domains Greg Kroah-Hartman
                   ` (902 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Thierry Reding

From: Dmitry Osipenko <dmitry.osipenko@collabora.com>

commit c7860cbee9989882d2908682526a5ef617523cfe upstream.

The code assumes that Tegra GEM is permanently vmapped, which is not
true for the scattered buffers. After converting Tegra video decoder
driver to V4L API, we're now getting a BUG_ON from dma-buf core on playing
video using libvdpau-tegra on T30+ because tegra_gem_prime_vmap() sets
vaddr to NULL. Older pre-V4L video decoder driver wasn't vmapping dma-bufs.
Fix it by actually vmapping the exported GEMs.

Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/tegra/gem.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/tegra/gem.c
+++ b/drivers/gpu/drm/tegra/gem.c
@@ -704,14 +704,23 @@ static int tegra_gem_prime_vmap(struct d
 {
 	struct drm_gem_object *gem = buf->priv;
 	struct tegra_bo *bo = to_tegra_bo(gem);
+	void *vaddr;
 
-	iosys_map_set_vaddr(map, bo->vaddr);
+	vaddr = tegra_bo_mmap(&bo->base);
+	if (IS_ERR(vaddr))
+		return PTR_ERR(vaddr);
+
+	iosys_map_set_vaddr(map, vaddr);
 
 	return 0;
 }
 
 static void tegra_gem_prime_vunmap(struct dma_buf *buf, struct iosys_map *map)
 {
+	struct drm_gem_object *gem = buf->priv;
+	struct tegra_bo *bo = to_tegra_bo(gem);
+
+	tegra_bo_munmap(&bo->base, map->vaddr);
 }
 
 static const struct dma_buf_ops tegra_gem_prime_dmabuf_ops = {
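Review bot: tegra_gem_prime_vmap() checks the result of tegra_bo_mmap() with IS_ERR() only, and the commit message says the BUG_ON being fixed came from vaddr being NULL. If tegra_bo_mmap() can return NULL on failure rather than an ERR_PTR (not visible in this hunk), the NULL would pass the IS_ERR() test and reach iosys_map_set_vaddr() again. A check such as `if (IS_ERR_OR_NULL(vaddr))` with an explicit -ENOMEM for the NULL case, or a statement in the commit message that the helper never returns NULL, would close that gap.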




* [PATCH 5.19 0094/1157] drm/amdgpu: Check BOs requested pinning domains against its preferred_domains
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0093/1157] drm/tegra: Fix vmapping of prime buffers Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0095/1157] bpf: Fix KASAN use-after-free Read in compute_effective_progs Greg Kroah-Hartman
                   ` (901 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Leo Li, Alex Deucher, Christian König

From: Leo Li <sunpeng.li@amd.com>

commit f5ba14043621f4afdf3ad5f92ee2d8dbebbe4340 upstream.

When pinning a buffer, we should check to see if there are any
additional restrictions imposed by bo->preferred_domains. This will
prevent the BO from being moved to an invalid domain when pinning.

For example, this can happen if the user requests to create a BO in GTT
domain for display scanout. amdgpu_dm will allow pinning to either VRAM
or GTT domains, since DCN can scanout from either or. However, in
amdgpu_bo_pin_restricted(), pinning to VRAM is preferred if there is
adequate carveout. This can lead to pinning to VRAM despite the user
requesting GTT placement for the BO.

v2: Allow the kernel to override the domain, which can happen when
    exporting a BO to a V4L camera (for example).

Signed-off-by: Leo Li <sunpeng.li@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_object.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
@@ -882,6 +882,10 @@ int amdgpu_bo_pin_restricted(struct amdg
 	if (WARN_ON_ONCE(min_offset > max_offset))
 		return -EINVAL;
 
+	/* Check domain to be pinned to against preferred domains */
+	if (bo->preferred_domains & domain)
+		domain = bo->preferred_domains & domain;
+
 	/* A shared bo cannot be migrated to VRAM */
 	if (bo->tbo.base.import_attach) {
 		if (domain & AMDGPU_GEM_DOMAIN_GTT)
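Review bot: the added comment "Check domain to be pinned to against preferred domains" in amdgpu_bo_pin_restricted() does not explain the case where `bo->preferred_domains & domain` is zero, in which the requested domain is used unchanged. The v2 note in the commit message says this is intentional so the kernel can override the domain; please put that in the code comment, since otherwise the silent fall-through reads like a missing -EINVAL.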




* [PATCH 5.19 0095/1157] bpf: Fix KASAN use-after-free Read in compute_effective_progs
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0094/1157] drm/amdgpu: Check BOs requested pinning domains against its preferred_domains Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0096/1157] btrfs: reject log replay if there is unsupported RO compat flag Greg Kroah-Hartman
                   ` (900 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+f264bffdfbd5614f3bb2,
	Tadeusz Struk, Andrii Nakryiko

From: Tadeusz Struk <tadeusz.struk@linaro.org>

commit 4c46091ee985ae84c60c5e95055d779fcd291d87 upstream.

Syzbot found a Use After Free bug in compute_effective_progs().
The reproducer creates a number of BPF links, and causes a fault
injected alloc to fail, while calling bpf_link_detach on them.
Link detach triggers the link to be freed by bpf_link_free(),
which calls __cgroup_bpf_detach() and update_effective_progs().
If the memory allocation in this function fails, the function restores
the pointer to the bpf_cgroup_link on the cgroup list, but the memory
gets freed just after it returns. After this, every subsequent call to
update_effective_progs() causes this already deallocated pointer to be
dereferenced in prog_list_length(), and triggers KASAN UAF error.

To fix this issue don't preserve the pointer to the prog or link in the
list, but remove it and replace it with a dummy prog without shrinking
the table. The subsequent call to __cgroup_bpf_detach() or
__cgroup_bpf_detach() will correct it.

Fixes: af6eea57437a ("bpf: Implement bpf_link-based cgroup BPF program attachment")
Reported-by: <syzbot+f264bffdfbd5614f3bb2@syzkaller.appspotmail.com>
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Cc: <stable@vger.kernel.org>
Link: https://syzkaller.appspot.com/bug?id=8ebf179a95c2a2670f7cf1ba62429ec044369db4
Link: https://lore.kernel.org/bpf/20220517180420.87954-1-tadeusz.struk@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/cgroup.c |   70 ++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 60 insertions(+), 10 deletions(-)

--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -721,6 +721,60 @@ static struct bpf_prog_list *find_detach
 }
 
 /**
+ * purge_effective_progs() - After compute_effective_progs fails to alloc new
+ *                           cgrp->bpf.inactive table we can recover by
+ *                           recomputing the array in place.
+ *
+ * @cgrp: The cgroup which descendants to travers
+ * @prog: A program to detach or NULL
+ * @link: A link to detach or NULL
+ * @atype: Type of detach operation
+ */
+static void purge_effective_progs(struct cgroup *cgrp, struct bpf_prog *prog,
+				  struct bpf_cgroup_link *link,
+				  enum cgroup_bpf_attach_type atype)
+{
+	struct cgroup_subsys_state *css;
+	struct bpf_prog_array *progs;
+	struct bpf_prog_list *pl;
+	struct list_head *head;
+	struct cgroup *cg;
+	int pos;
+
+	/* recompute effective prog array in place */
+	css_for_each_descendant_pre(css, &cgrp->self) {
+		struct cgroup *desc = container_of(css, struct cgroup, self);
+
+		if (percpu_ref_is_zero(&desc->bpf.refcnt))
+			continue;
+
+		/* find position of link or prog in effective progs array */
+		for (pos = 0, cg = desc; cg; cg = cgroup_parent(cg)) {
+			if (pos && !(cg->bpf.flags[atype] & BPF_F_ALLOW_MULTI))
+				continue;
+
+			head = &cg->bpf.progs[atype];
+			list_for_each_entry(pl, head, node) {
+				if (!prog_list_prog(pl))
+					continue;
+				if (pl->prog == prog && pl->link == link)
+					goto found;
+				pos++;
+			}
+		}
+found:
+		BUG_ON(!cg);
+		progs = rcu_dereference_protected(
+				desc->bpf.effective[atype],
+				lockdep_is_held(&cgroup_mutex));
+
+		/* Remove the program from the array */
+		WARN_ONCE(bpf_prog_array_delete_safe_at(progs, pos),
+			  "Failed to purge a prog from array at index %d", pos);
+	}
+}
+
+/**
  * __cgroup_bpf_detach() - Detach the program or link from a cgroup, and
  *                         propagate the change to descendants
  * @cgrp: The cgroup which descendants to traverse
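Review bot: `BUG_ON(!cg)` after the `found:` label in purge_effective_progs() brings the machine down from inside a recovery path that only runs because an allocation already failed. If the prog or link is not found in some descendant, a WARN_ON_ONCE() followed by `continue` would skip that descendant without panicking. Smaller points in the same hunk: the kernel-doc line for @cgrp ends in "travers", and the description names a cgrp->bpf.inactive table while the code operates on desc->bpf.effective[atype].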
@@ -739,7 +793,6 @@ static int __cgroup_bpf_detach(struct cg
 	struct bpf_prog_list *pl;
 	struct list_head *progs;
 	u32 flags;
-	int err;
 
 	atype = to_cgroup_bpf_attach_type(type);
 	if (atype < 0)
@@ -761,9 +814,12 @@ static int __cgroup_bpf_detach(struct cg
 	pl->prog = NULL;
 	pl->link = NULL;
 
-	err = update_effective_progs(cgrp, atype);
-	if (err)
-		goto cleanup;
+	if (update_effective_progs(cgrp, atype)) {
+		/* if update effective array failed replace the prog with a dummy prog*/
+		pl->prog = old_prog;
+		pl->link = link;
+		purge_effective_progs(cgrp, old_prog, link, atype);
+	}
 
 	/* now can actually delete it from this cgroup list */
 	list_del(&pl->node);
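Review bot: the comment added in the failure branch of __cgroup_bpf_detach() says "replace the prog with a dummy prog", but the two statements under it restore pl->prog and pl->link to their old values and then call purge_effective_progs(). Please reword the comment to describe what the lines do (restore the entry so purge_effective_progs() can locate it, then let the purge swap it out of the effective arrays), and add the missing space before the closing `*/`.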
@@ -775,12 +831,6 @@ static int __cgroup_bpf_detach(struct cg
 		bpf_prog_put(old_prog);
 	static_branch_dec(&cgroup_bpf_enabled_key[atype]);
 	return 0;
-
-cleanup:
-	/* restore back prog or link */
-	pl->prog = old_prog;
-	pl->link = link;
-	return err;
 }
 
 static int cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,




* [PATCH 5.19 0096/1157] btrfs: reject log replay if there is unsupported RO compat flag
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0095/1157] bpf: Fix KASAN use-after-free Read in compute_effective_progs Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0097/1157] mtd: rawnand: arasan: Fix clock rate in NV-DDR Greg Kroah-Hartman
                   ` (899 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Qu Wenruo, David Sterba

From: Qu Wenruo <wqu@suse.com>

commit dc4d31684974d140250f3ee612c3f0cab13b3146 upstream.

[BUG]
If we have a btrfs image with dirty log, along with an unsupported RO
compatible flag:

log_root		30474240
...
compat_flags		0x0
compat_ro_flags		0x40000003
			( FREE_SPACE_TREE |
			  FREE_SPACE_TREE_VALID |
			  unknown flag: 0x40000000 )

Then even if we can only mount it RO, we will still cause metadata
update for log replay:

  BTRFS info (device dm-1): flagging fs with big metadata feature
  BTRFS info (device dm-1): using free space tree
  BTRFS info (device dm-1): has skinny extents
  BTRFS info (device dm-1): start tree-log replay

This is definitely against the RO compat flag requirement.

[CAUSE]
The RO compat flag only forces us to do an RO mount, but we will still do log
replay for a plain RO mount.

Thus this will result in us doing log replay and updating metadata.

This can be very problematic for a new RO compat flag; for example, an older
kernel cannot understand v2 cache, and if we allow metadata updates on
RO mount we can invalidate/corrupt v2 cache.

[FIX]
Just reject the mount unless rescue=nologreplay is provided:

  BTRFS error (device dm-1): cannot replay dirty log with unsupport optional features (0x40000000), try rescue=nologreplay instead

We don't want to set rescue=nologreplay directly, as this would make the
end user read the old data, and cause confusion.

Since such a case is really rare, we're mostly fine to just reject the
mount with an error message, which also includes the proper workaround.

CC: stable@vger.kernel.org #4.9+
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/disk-io.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -3670,6 +3670,20 @@ int __cold open_ctree(struct super_block
 		err = -EINVAL;
 		goto fail_alloc;
 	}
+	/*
+	 * We have unsupported RO compat features, although RO mounted, we
+	 * should not cause any metadata write, including log replay.
+	 * Or we could screw up whatever the new feature requires.
+	 */
+	if (unlikely(features && btrfs_super_log_root(disk_super) &&
+		     !btrfs_test_opt(fs_info, NOLOGREPLAY))) {
+		btrfs_err(fs_info,
+"cannot replay dirty log with unsupported compat_ro features (0x%llx), try rescue=nologreplay",
+			  features);
+		err = -EINVAL;
+		goto fail_alloc;
+	}
+
 
 	if (sectorsize < PAGE_SIZE) {
 		struct btrfs_subpage_info *subpage_info;
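Review bot: the added block in open_ctree() ends with a `+` blank line directly in front of an existing blank context line, which leaves two consecutive empty lines before `if (sectorsize < PAGE_SIZE)`; drop the added one. The btrfs_err() string in the hunk ("unsupported compat_ro features ... try rescue=nologreplay") also differs from the message quoted in the commit log ("unsupport optional features ... try rescue=nologreplay instead"), so the log should quote the string that is actually printed, since users will search for it.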




* [PATCH 5.19 0097/1157] mtd: rawnand: arasan: Fix clock rate in NV-DDR
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0096/1157] btrfs: reject log replay if there is unsupported RO compat flag Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0098/1157] mtd: rawnand: arasan: Update NAND bus clock instead of system clock Greg Kroah-Hartman
                   ` (898 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Olga Kitaina, Amit Kumar Mahapatra,
	Miquel Raynal

From: Olga Kitaina <okitain@gmail.com>

commit e16eceea863b417fd328588b1be1a79de0bc937f upstream.

According to the Arasan NAND controller spec, the flash clock rate for SDR
must be <= 100 MHz, while for NV-DDR it must be the same as the rate of the
CLK line for the mode. The driver previously always set 100 MHz for NV-DDR,
which would result in incorrect behavior for NV-DDR modes 0-4.

The appropriate clock rate can be calculated from the NV-DDR timing
parameters as 1/tCK, or for rates measured in picoseconds,
10^12 / nand_nvddr_timings->tCK_min.

Fixes: 197b88fecc50 ("mtd: rawnand: arasan: Add new Arasan NAND controller")
CC: stable@vger.kernel.org # 5.8+
Signed-off-by: Olga Kitaina <okitain@gmail.com>
Signed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@xilinx.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20220628154824.12222-3-amit.kumar-mahapatra@xilinx.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/nand/raw/arasan-nand-controller.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/mtd/nand/raw/arasan-nand-controller.c
+++ b/drivers/mtd/nand/raw/arasan-nand-controller.c
@@ -1043,7 +1043,13 @@ static int anfc_setup_interface(struct n
 				 DQS_BUFF_SEL_OUT(dqs_mode);
 	}
 
-	anand->clk = ANFC_XLNX_SDR_DFLT_CORE_CLK;
+	if (nand_interface_is_sdr(conf)) {
+		anand->clk = ANFC_XLNX_SDR_DFLT_CORE_CLK;
+	} else {
+		/* ONFI timings are defined in picoseconds */
+		anand->clk = div_u64((u64)NSEC_PER_SEC * 1000,
+				     conf->timings.nvddr.tCK_min);
+	}
 
 	/*
 	 * Due to a hardware bug in the ZynqMP SoC, SDR timing modes 0-1 work
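Review bot: the NV-DDR branch in anfc_setup_interface() divides by `conf->timings.nvddr.tCK_min` without checking it for zero. If a timing set ever reaches this point with tCK_min unset, div_u64() faults. A guard that returns an error when tCK_min is 0 would make the failure explicit. The literal `(u64)NSEC_PER_SEC * 1000` would also read better as a named picoseconds-per-second constant, given that the comment already says the timings are in picoseconds.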




* [PATCH 5.19 0098/1157] mtd: rawnand: arasan: Update NAND bus clock instead of system clock
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0097/1157] mtd: rawnand: arasan: Fix clock rate in NV-DDR Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0099/1157] um: Remove straying parenthesis Greg Kroah-Hartman
                   ` (897 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Amit Kumar Mahapatra, Miquel Raynal

From: Amit Kumar Mahapatra <amit.kumar-mahapatra@xilinx.com>

commit 7499bfeedb47efc1ee4dc793b92c610d46e6d6a6 upstream.

In the current implementation the Arasan NAND driver is updating the
system clock (i.e., anand->clk) in accordance with the timing modes
(i.e., SDR or NVDDR). But as per the Arasan NAND controller spec the
flash clock or the NAND bus clock (i.e., nfc->bus_clk) needs to be
updated instead. This patch keeps the system clock unchanged and updates
the NAND bus clock as per the timing modes.

Fixes: 197b88fecc50 ("mtd: rawnand: arasan: Add new Arasan NAND controller")
CC: stable@vger.kernel.org # 5.8+
Signed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@xilinx.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20220628154824.12222-2-amit.kumar-mahapatra@xilinx.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/nand/raw/arasan-nand-controller.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/mtd/nand/raw/arasan-nand-controller.c
+++ b/drivers/mtd/nand/raw/arasan-nand-controller.c
@@ -347,17 +347,17 @@ static int anfc_select_target(struct nan
 
 	/* Update clock frequency */
 	if (nfc->cur_clk != anand->clk) {
-		clk_disable_unprepare(nfc->controller_clk);
-		ret = clk_set_rate(nfc->controller_clk, anand->clk);
+		clk_disable_unprepare(nfc->bus_clk);
+		ret = clk_set_rate(nfc->bus_clk, anand->clk);
 		if (ret) {
 			dev_err(nfc->dev, "Failed to change clock rate\n");
 			return ret;
 		}
 
-		ret = clk_prepare_enable(nfc->controller_clk);
+		ret = clk_prepare_enable(nfc->bus_clk);
 		if (ret) {
 			dev_err(nfc->dev,
-				"Failed to re-enable the controller clock\n");
+				"Failed to re-enable the bus clock\n");
 			return ret;
 		}
 




* [PATCH 5.19 0099/1157] um: Remove straying parenthesis
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0098/1157] mtd: rawnand: arasan: Update NAND bus clock instead of system clock Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0100/1157] um: seed rng using host OS rng Greg Kroah-Hartman
                   ` (896 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Benjamin Beichler, Richard Weinberger

From: Benjamin Beichler <benjamin.beichler@uni-rostock.de>

commit c6496e0a4a90d8149203c16323cff3fa46e422e7 upstream.

Commit e3a33af812c6 ("um: fix and optimize xor select template for CONFIG64 and timetravel mode")
caused a build regression when CONFIG_XOR_BLOCKS and CONFIG_UML_TIME_TRAVEL_SUPPORT
are selected.
Fix it by removing the straying parenthesis.

Cc: stable@vger.kernel.org
Fixes: e3a33af812c6 ("um: fix and optimize xor select template for CONFIG64 and timetravel mode")
Signed-off-by: Benjamin Beichler <benjamin.beichler@uni-rostock.de>
[rw: Added commit message]
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/um/include/asm/xor.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/um/include/asm/xor.h
+++ b/arch/um/include/asm/xor.h
@@ -18,7 +18,7 @@
 #undef XOR_SELECT_TEMPLATE
 /* pick an arbitrary one - measuring isn't possible with inf-cpu */
 #define XOR_SELECT_TEMPLATE(x)	\
-	(time_travel_mode == TT_MODE_INFCPU ? TT_CPU_INF_XOR_DEFAULT : x))
+	(time_travel_mode == TT_MODE_INFCPU ? TT_CPU_INF_XOR_DEFAULT : x)
 #endif
 
 #endif
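Review bot: the macro argument in the corrected XOR_SELECT_TEMPLATE(x) is still expanded as a bare `x` at the end of the conditional expression. Writing `: (x))` would keep the expansion safe if a caller ever passes an expression with lower precedence than `?:`, and it costs nothing while this line is being fixed anyway.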




* [PATCH 5.19 0100/1157] um: seed rng using host OS rng
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0099/1157] um: Remove straying parenthesis Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0101/1157] iio: fix iio_format_avail_range() printing for none IIO_VAL_INT Greg Kroah-Hartman
                   ` (895 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Berg, Anton Ivanov,
	Jason A. Donenfeld

From: Jason A. Donenfeld <Jason@zx2c4.com>

commit 0b9ba6135d7f18b82f3d8bebb55ded725ba88e0e upstream.

UML generally does not provide access to special CPU instructions like
RDRAND, and execution tends to be rather deterministic, with no real
hardware interrupts, making good randomness really very hard, if not
altogether impossible. Not only is this a security eyebrow raiser, but
it's also quite annoying when trying to do various pieces of UML-based
automation that takes a long time to boot, if ever.

Fix this by trivially calling getrandom() in the host and using that
seed as "bootloader randomness", which initializes the rng immediately
at UML boot.

The old behavior can be restored the same way as on any other arch, by
way of CONFIG_TRUST_BOOTLOADER_RANDOMNESS=n or
random.trust_bootloader=0. So seen from that perspective, this just
makes UML act like other archs, which is positive in its own right.

Additionally, wire up arch_get_random_{int,long}() in the same way, so
that reseeds can also make use of the host RNG, controllable by
CONFIG_TRUST_CPU_RANDOMNESS and random.trust_cpu, per usual.

Cc: stable@vger.kernel.org
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Acked-By: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/um/include/asm/archrandom.h |   30 ++++++++++++++++++++++++++++++
 arch/um/include/shared/os.h      |    7 +++++++
 arch/um/kernel/um_arch.c         |    8 ++++++++
 arch/um/os-Linux/util.c          |    6 ++++++
 4 files changed, 51 insertions(+)
 create mode 100644 arch/um/include/asm/archrandom.h

--- /dev/null
+++ b/arch/um/include/asm/archrandom.h
@@ -0,0 +1,30 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef __ASM_UM_ARCHRANDOM_H__
+#define __ASM_UM_ARCHRANDOM_H__
+
+#include <linux/types.h>
+
+/* This is from <os.h>, but better not to #include that in a global header here. */
+ssize_t os_getrandom(void *buf, size_t len, unsigned int flags);
+
+static inline bool __must_check arch_get_random_long(unsigned long *v)
+{
+	return os_getrandom(v, sizeof(*v), 0) == sizeof(*v);
+}
+
+static inline bool __must_check arch_get_random_int(unsigned int *v)
+{
+	return os_getrandom(v, sizeof(*v), 0) == sizeof(*v);
+}
+
+static inline bool __must_check arch_get_random_seed_long(unsigned long *v)
+{
+	return false;
+}
+
+static inline bool __must_check arch_get_random_seed_int(unsigned int *v)
+{
+	return false;
+}
+
+#endif
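Review bot: arch_get_random_long() and arch_get_random_int() call os_getrandom() with flags 0, which on the host blocks until the host RNG is initialised, so a guest reseed can stall on a freshly booted host. Passing GRND_NONBLOCK would fit better here: the existing `== sizeof(*v)` comparison already turns the resulting error return into `false`. The hand-copied prototype also deserves a pointer next to the declaration in os.h, so the two are changed together.
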
--- a/arch/um/include/shared/os.h
+++ b/arch/um/include/shared/os.h
@@ -11,6 +11,12 @@
 #include <irq_user.h>
 #include <longjmp.h>
 #include <mm_id.h>
+/* This is to get size_t */
+#ifndef __UM_HOST__
+#include <linux/types.h>
+#else
+#include <sys/types.h>
+#endif
 
 #define CATCH_EINTR(expr) while ((errno = 0, ((expr) < 0)) && (errno == EINTR))
 
@@ -243,6 +249,7 @@ extern void stack_protections(unsigned l
 extern int raw(int fd);
 extern void setup_machinename(char *machine_out);
 extern void setup_hostinfo(char *buf, int len);
+extern ssize_t os_getrandom(void *buf, size_t len, unsigned int flags);
 extern void os_dump_core(void) __attribute__ ((noreturn));
 extern void um_early_printk(const char *s, unsigned int n);
 extern void os_fix_helper_signals(void);
--- a/arch/um/kernel/um_arch.c
+++ b/arch/um/kernel/um_arch.c
@@ -16,6 +16,7 @@
 #include <linux/sched/task.h>
 #include <linux/kmsg_dump.h>
 #include <linux/suspend.h>
+#include <linux/random.h>
 
 #include <asm/processor.h>
 #include <asm/cpufeature.h>
@@ -406,6 +407,8 @@ int __init __weak read_initrd(void)
 
 void __init setup_arch(char **cmdline_p)
 {
+	u8 rng_seed[32];
+
 	stack_protections((unsigned long) &init_thread_info);
 	setup_physmem(uml_physmem, uml_reserved, physmem_size, highmem);
 	mem_total_pages(physmem_size, iomem_size, highmem);
@@ -416,6 +419,11 @@ void __init setup_arch(char **cmdline_p)
 	strlcpy(boot_command_line, command_line, COMMAND_LINE_SIZE);
 	*cmdline_p = command_line;
 	setup_hostinfo(host_info, sizeof host_info);
+
+	if (os_getrandom(rng_seed, sizeof(rng_seed), 0) == sizeof(rng_seed)) {
+		add_bootloader_randomness(rng_seed, sizeof(rng_seed));
+		memzero_explicit(rng_seed, sizeof(rng_seed));
+	}
 }
 
 void __init check_bugs(void)
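Review bot: in setup_arch(), memzero_explicit(rng_seed, sizeof(rng_seed)) sits inside the success branch, so when os_getrandom() returns fewer than 32 bytes the partially filled buffer is left on the stack unwiped. Move the memzero_explicit() call after the if block so it runs on every path. The failure case is also silent; a one-line warning that the RNG was not seeded from the host would help when a boot later waits on entropy.
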
--- a/arch/um/os-Linux/util.c
+++ b/arch/um/os-Linux/util.c
@@ -14,6 +14,7 @@
 #include <sys/wait.h>
 #include <sys/mman.h>
 #include <sys/utsname.h>
+#include <sys/random.h>
 #include <init.h>
 #include <os.h>
 
@@ -96,6 +97,11 @@ static inline void __attribute__ ((noret
 			exit(127);
 }
 
+ssize_t os_getrandom(void *buf, size_t len, unsigned int flags)
+{
+	return getrandom(buf, len, flags);
+}
+
 /*
  * UML helper threads must not handle SIGWINCH/INT/TERM
  */
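Review bot: os_getrandom() hands back getrandom()'s raw return value, so a failure reaches kernel-side callers as -1 with the reason left in the host's errno, and an interrupted call is not retried. Both callers in this patch only compare the result against the requested length, so this works today, but the contract is undocumented. Either wrap the call in CATCH_EINTR (already defined in os.h) and return -errno, or add a comment stating that any value other than len means failure.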




* [PATCH 5.19 0101/1157] iio: fix iio_format_avail_range() printing for none IIO_VAL_INT
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0100/1157] um: seed rng using host OS rng Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0102/1157] iio: light: isl29028: Fix the warning in isl29028_remove() Greg Kroah-Hartman
                   ` (894 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fawzi Khaber, Jean-Baptiste Maneyrol,
	Stable, Jonathan Cameron

From: Fawzi Khaber <fawzi.khaber@tdk.com>

commit 5e1f91850365de55ca74945866c002fda8f00331 upstream.

iio_format_avail_range() should print range as follows [min, step, max], so
the function was previously calling iio_format_list() with length = 3,
length variable refers to the array size of values not the number of
elements. In case of non IIO_VAL_INT values each element has integer part
and decimal part. With length = 3 this would cause premature end of loop
and result in printing only one element.

Signed-off-by: Fawzi Khaber <fawzi.khaber@tdk.com>
Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Fixes: eda20ba1e25e ("iio: core: Consolidate iio_format_avail_{list,range}()")
Link: https://lore.kernel.org/r/20220718130706.32571-1-jmaneyrol@invensense.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/industrialio-core.c |   18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -835,7 +835,23 @@ static ssize_t iio_format_avail_list(cha
 
 static ssize_t iio_format_avail_range(char *buf, const int *vals, int type)
 {
-	return iio_format_list(buf, vals, type, 3, "[", "]");
+	int length;
+
+	/*
+	 * length refers to the array size , not the number of elements.
+	 * The purpose is to print the range [min , step ,max] so length should
+	 * be 3 in case of int, and 6 for other types.
+	 */
+	switch (type) {
+	case IIO_VAL_INT:
+		length = 3;
+		break;
+	default:
+		length = 6;
+		break;
+	}
+
+	return iio_format_list(buf, vals, type, length, "[", "]");
 }
 
 static ssize_t iio_read_channel_info_avail(struct device *dev,
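Review bot: the default arm of the switch hard-codes length = 6, which assumes every type other than IIO_VAL_INT stores exactly two ints per element and that vals always holds six entries for those types. If iio_format_list() already derives a per-type stride, computing the length as three times that stride would keep the two functions from drifting apart; otherwise list the two-int types explicitly so a new type does not silently fall into the default. Nit: the comment has stray spaces before the commas in "array size ," and "[min , step ,max]".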




* [PATCH 5.19 0102/1157] iio: light: isl29028: Fix the warning in isl29028_remove()
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0101/1157] iio: fix iio_format_avail_range() printing for none IIO_VAL_INT Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:50 ` [PATCH 5.19 0103/1157] scsi: lpfc: Remove extra atomic_inc on cmd_pending in queuecommand after VMID Greg Kroah-Hartman
                   ` (893 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zheyu Ma, Stable, Jonathan Cameron

From: Zheyu Ma <zheyuma97@gmail.com>

commit 06674fc7c003b9d0aa1d37fef7ab2c24802cc6ad upstream.

The driver uses the non-managed form of the register function in
isl29028_remove(). To keep the release order as mirroring the ordering
in probe, the driver should use non-managed form in probe, too.

The following log reveals it:

[   32.374955] isl29028 0-0010: remove
[   32.376861] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI
[   32.377676] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[   32.379432] RIP: 0010:kernfs_find_and_get_ns+0x28/0xe0
[   32.385461] Call Trace:
[   32.385807]  sysfs_unmerge_group+0x59/0x110
[   32.386110]  dpm_sysfs_remove+0x58/0xc0
[   32.386391]  device_del+0x296/0xe50
[   32.386959]  cdev_device_del+0x1d/0xd0
[   32.387231]  devm_iio_device_unreg+0x27/0xb0
[   32.387542]  devres_release_group+0x319/0x3d0
[   32.388162]  i2c_device_remove+0x93/0x1f0

Fixes: 2db5054ac28d ("staging: iio: isl29028: add runtime power management support")
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Link: https://lore.kernel.org/r/20220717004241.2281028-1-zheyuma97@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/light/isl29028.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/light/isl29028.c
+++ b/drivers/iio/light/isl29028.c
@@ -625,7 +625,7 @@ static int isl29028_probe(struct i2c_cli
 					 ISL29028_POWER_OFF_DELAY_MS);
 	pm_runtime_use_autosuspend(&client->dev);
 
-	ret = devm_iio_device_register(indio_dev->dev.parent, indio_dev);
+	ret = iio_device_register(indio_dev);
 	if (ret < 0) {
 		dev_err(&client->dev,
 			"%s(): iio registration failed with error %d\n",




* [PATCH 5.19 0103/1157] scsi: lpfc: Remove extra atomic_inc on cmd_pending in queuecommand after VMID
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0102/1157] iio: light: isl29028: Fix the warning in isl29028_remove() Greg Kroah-Hartman
@ 2022-08-15 17:50 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0104/1157] scsi: sg: Allow waiting for commands to complete on removed device Greg Kroah-Hartman
                   ` (892 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Justin Tee, James Smart, Martin K. Petersen

From: James Smart <jsmart2021@gmail.com>

commit 0948a9c5386095baae4012190a6b65aba684a907 upstream.

VMID introduced an extra increment of cmd_pending, causing double-counting
of the I/O. The normal increment is performed in lpfc_get_scsi_buf.

Link: https://lore.kernel.org/r/20220701211425.2708-5-jsmart2021@gmail.com
Fixes: 33c79741deaf ("scsi: lpfc: vmid: Introduce VMID in I/O path")
Cc: <stable@vger.kernel.org> # v5.14+
Co-developed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/lpfc/lpfc_scsi.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -5456,7 +5456,6 @@ lpfc_queuecommand(struct Scsi_Host *shos
 				cur_iocbq->cmd_flag |= LPFC_IO_VMID;
 		}
 	}
-	atomic_inc(&ndlp->cmd_pending);
 
 #ifdef CONFIG_SCSI_LPFC_DEBUG_FS
 	if (unlikely(phba->hdwqstat_on & LPFC_CHECK_SCSI_IO))




* [PATCH 5.19 0104/1157] scsi: sg: Allow waiting for commands to complete on removed device
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2022-08-15 17:50 ` [PATCH 5.19 0103/1157] scsi: lpfc: Remove extra atomic_inc on cmd_pending in queuecommand after VMID Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0105/1157] scsi: qla2xxx: Fix incorrect display of max frame size Greg Kroah-Hartman
                   ` (891 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Douglas Gilbert, Tony Battersby,
	Martin K. Petersen

From: Tony Battersby <tonyb@cybernetics.com>

commit 3455607fd7be10b449f5135c00dc306b85dc0d21 upstream.

When a SCSI device is removed while in active use, currently sg will
immediately return -ENODEV on any attempt to wait for active commands that
were sent before the removal.  This is problematic for commands that use
SG_FLAG_DIRECT_IO since the data buffer may still be in use by the kernel
when userspace frees or reuses it after getting ENODEV, leading to
corrupted userspace memory (in the case of READ-type commands) or corrupted
data being sent to the device (in the case of WRITE-type commands).  This
has been seen in practice when logging out of a iscsi_tcp session, where
the iSCSI driver may still be processing commands after the device has been
marked for removal.

Change the policy to allow userspace to wait for active sg commands even
when the device is being removed.  Return -ENODEV only when there are no
more responses to read.

Link: https://lore.kernel.org/r/5ebea46f-fe83-2d0b-233d-d0dcb362dd0a@cybernetics.com
Cc: <stable@vger.kernel.org>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/sg.c |   53 +++++++++++++++++++++++++++++++++--------------------
 1 file changed, 33 insertions(+), 20 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -195,7 +195,7 @@ static void sg_link_reserve(Sg_fd * sfp,
 static void sg_unlink_reserve(Sg_fd * sfp, Sg_request * srp);
 static Sg_fd *sg_add_sfp(Sg_device * sdp);
 static void sg_remove_sfp(struct kref *);
-static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id);
+static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id, bool *busy);
 static Sg_request *sg_add_request(Sg_fd * sfp);
 static int sg_remove_request(Sg_fd * sfp, Sg_request * srp);
 static Sg_device *sg_get_dev(int dev);
@@ -444,6 +444,7 @@ sg_read(struct file *filp, char __user *
 	Sg_fd *sfp;
 	Sg_request *srp;
 	int req_pack_id = -1;
+	bool busy;
 	sg_io_hdr_t *hp;
 	struct sg_header *old_hdr;
 	int retval;
@@ -466,20 +467,16 @@ sg_read(struct file *filp, char __user *
 	if (retval)
 		return retval;
 
-	srp = sg_get_rq_mark(sfp, req_pack_id);
+	srp = sg_get_rq_mark(sfp, req_pack_id, &busy);
 	if (!srp) {		/* now wait on packet to arrive */
-		if (atomic_read(&sdp->detaching))
-			return -ENODEV;
 		if (filp->f_flags & O_NONBLOCK)
 			return -EAGAIN;
 		retval = wait_event_interruptible(sfp->read_wait,
-			(atomic_read(&sdp->detaching) ||
-			(srp = sg_get_rq_mark(sfp, req_pack_id))));
-		if (atomic_read(&sdp->detaching))
-			return -ENODEV;
-		if (retval)
-			/* -ERESTARTSYS as signal hit process */
-			return retval;
+			((srp = sg_get_rq_mark(sfp, req_pack_id, &busy)) ||
+			(!busy && atomic_read(&sdp->detaching))));
+		if (!srp)
+			/* signal or detaching */
+			return retval ? retval : -ENODEV;
 	}
 	if (srp->header.interface_id != '\0')
 		return sg_new_read(sfp, buf, count, srp);
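Review bot: in sg_read(), the O_NONBLOCK check now comes first and the detaching test is gone from this branch, so a non-blocking reader on a removed device with no request outstanding gets -EAGAIN where it used to get -ENODEV, and read() no longer tells it the device is gone. Since sg_get_rq_mark() has already filled in busy at this point, consider returning -ENODEV ahead of the O_NONBLOCK test when !busy and sdp->detaching is set, matching the condition used in the wait below it.
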
@@ -940,9 +937,7 @@ sg_ioctl_common(struct file *filp, Sg_de
 		if (result < 0)
 			return result;
 		result = wait_event_interruptible(sfp->read_wait,
-			(srp_done(sfp, srp) || atomic_read(&sdp->detaching)));
-		if (atomic_read(&sdp->detaching))
-			return -ENODEV;
+			srp_done(sfp, srp));
 		write_lock_irq(&sfp->rq_list_lock);
 		if (srp->done) {
 			srp->done = 2;
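Review bot: with the detaching test dropped from the wait condition, this SG_IO wait ends only when srp_done() becomes true or a signal arrives, so it now depends on every in-flight command being completed after device removal. That dependency deserves a comment at the wait_event_interruptible() call, since the commit message is the only place it is explained.
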
@@ -2079,19 +2074,28 @@ sg_unlink_reserve(Sg_fd * sfp, Sg_reques
 }
 
 static Sg_request *
-sg_get_rq_mark(Sg_fd * sfp, int pack_id)
+sg_get_rq_mark(Sg_fd * sfp, int pack_id, bool *busy)
 {
 	Sg_request *resp;
 	unsigned long iflags;
 
+	*busy = false;
 	write_lock_irqsave(&sfp->rq_list_lock, iflags);
 	list_for_each_entry(resp, &sfp->rq_list, entry) {
-		/* look for requests that are ready + not SG_IO owned */
-		if ((1 == resp->done) && (!resp->sg_io_owned) &&
+		/* look for requests that are not SG_IO owned */
+		if ((!resp->sg_io_owned) &&
 		    ((-1 == pack_id) || (resp->header.pack_id == pack_id))) {
-			resp->done = 2;	/* guard against other readers */
-			write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
-			return resp;
+			switch (resp->done) {
+			case 0: /* request active */
+				*busy = true;
+				break;
+			case 1: /* request done; response ready to return */
+				resp->done = 2;	/* guard against other readers */
+				write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
+				return resp;
+			case 2: /* response already being returned */
+				break;
+			}
 		}
 	}
 	write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
@@ -2145,6 +2149,15 @@ sg_remove_request(Sg_fd * sfp, Sg_reques
 		res = 1;
 	}
 	write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
+
+	/*
+	 * If the device is detaching, wakeup any readers in case we just
+	 * removed the last response, which would leave nothing for them to
+	 * return other than -ENODEV.
+	 */
+	if (unlikely(atomic_read(&sfp->parentdp->detaching)))
+		wake_up_interruptible_all(&sfp->read_wait);
+
 	return res;
 }
 




* [PATCH 5.19 0105/1157] scsi: qla2xxx: Fix incorrect display of max frame size
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0104/1157] scsi: sg: Allow waiting for commands to complete on removed device Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0106/1157] scsi: qla2xxx: Zero undefined mailbox IN registers Greg Kroah-Hartman
                   ` (890 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Himanshu Madhani, Bikash Hazarika,
	Nilesh Javali, Martin K. Petersen

From: Bikash Hazarika <bhazarika@marvell.com>

commit cf3b4fb655796674e605268bd4bfb47a47c8bce6 upstream.

Replace display field with the correct field.

Link: https://lore.kernel.org/r/20220713052045.10683-3-njavali@marvell.com
Fixes: 8777e4314d39 ("scsi: qla2xxx: Migrate NVME N2N handling into state machine")
Cc: stable@vger.kernel.org
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/qla2xxx/qla_def.h  |    1 +
 drivers/scsi/qla2xxx/qla_gs.c   |    9 +++------
 drivers/scsi/qla2xxx/qla_init.c |    2 ++
 drivers/scsi/qla2xxx/qla_isr.c  |    4 +---
 4 files changed, 7 insertions(+), 9 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -3975,6 +3975,7 @@ struct qla_hw_data {
 	/* SRB cache. */
 #define SRB_MIN_REQ     128
 	mempool_t       *srb_mempool;
+	u8 port_name[WWN_SIZE];
 
 	volatile struct {
 		uint32_t	mbox_int		:1;
--- a/drivers/scsi/qla2xxx/qla_gs.c
+++ b/drivers/scsi/qla2xxx/qla_gs.c
@@ -1596,7 +1596,6 @@ qla2x00_hba_attributes(scsi_qla_host_t *
 	unsigned int callopt)
 {
 	struct qla_hw_data *ha = vha->hw;
-	struct init_cb_24xx *icb24 = (void *)ha->init_cb;
 	struct new_utsname *p_sysid = utsname();
 	struct ct_fdmi_hba_attr *eiter;
 	uint16_t alen;
@@ -1758,8 +1757,8 @@ qla2x00_hba_attributes(scsi_qla_host_t *
 	/* MAX CT Payload Length */
 	eiter = entries + size;
 	eiter->type = cpu_to_be16(FDMI_HBA_MAXIMUM_CT_PAYLOAD_LENGTH);
-	eiter->a.max_ct_len = cpu_to_be32(le16_to_cpu(IS_FWI2_CAPABLE(ha) ?
-		icb24->frame_payload_size : ha->init_cb->frame_payload_size));
+	eiter->a.max_ct_len = cpu_to_be32(ha->frame_payload_size >> 2);
+
 	alen = sizeof(eiter->a.max_ct_len);
 	alen += FDMI_ATTR_TYPELEN(eiter);
 	eiter->len = cpu_to_be16(alen);
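Review bot: `ha->frame_payload_size >> 2` for the MAX CT payload attribute is an unexplained unit conversion, while the max frame size attribute in qla2x00_port_attributes() reports the same field unshifted. Add a comment stating the unit FDMI expects here (the shift suggests 4-byte words, but the hunk does not say), and drop the empty `+` line added before `alen`.
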
@@ -1851,7 +1850,6 @@ qla2x00_port_attributes(scsi_qla_host_t
 	unsigned int callopt)
 {
 	struct qla_hw_data *ha = vha->hw;
-	struct init_cb_24xx *icb24 = (void *)ha->init_cb;
 	struct new_utsname *p_sysid = utsname();
 	char *hostname = p_sysid ?
 		p_sysid->nodename : fc_host_system_hostname(vha->host);
@@ -1903,8 +1901,7 @@ qla2x00_port_attributes(scsi_qla_host_t
 	/* Max frame size. */
 	eiter = entries + size;
 	eiter->type = cpu_to_be16(FDMI_PORT_MAX_FRAME_SIZE);
-	eiter->a.max_frame_size = cpu_to_be32(le16_to_cpu(IS_FWI2_CAPABLE(ha) ?
-		icb24->frame_payload_size : ha->init_cb->frame_payload_size));
+	eiter->a.max_frame_size = cpu_to_be32(ha->frame_payload_size);
 	alen = sizeof(eiter->a.max_frame_size);
 	alen += FDMI_ATTR_TYPELEN(eiter);
 	eiter->len = cpu_to_be16(alen);
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -4509,6 +4509,8 @@ qla2x00_init_rings(scsi_qla_host_t *vha)
 			 BIT_6) != 0;
 		ql_dbg(ql_dbg_init, vha, 0x00bc, "FA-WWPN Support: %s.\n",
 		    (ha->flags.fawwpn_enabled) ? "enabled" : "disabled");
+		/* Init_cb will be reused for other command(s).  Save a backup copy of port_name */
+		memcpy(ha->port_name, ha->init_cb->port_name, WWN_SIZE);
 	}
 
 	/* ELS pass through payload is limit by frame size. */
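Review bot: this memcpy, together with the new port_name field in qla_def.h and the qla_isr.c change, alters where the FA-WWPN port name is read from, which the changelog ("Replace display field with the correct field") does not mention. Either describe the init_cb reuse problem in the commit message or split it into its own patch. The added comment line also runs past 80 columns.
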
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -1354,9 +1354,7 @@ skip_rio:
 			if (!vha->vp_idx) {
 				if (ha->flags.fawwpn_enabled &&
 				    (ha->current_topology == ISP_CFG_F)) {
-					void *wwpn = ha->init_cb->port_name;
-
-					memcpy(vha->port_name, wwpn, WWN_SIZE);
+					memcpy(vha->port_name, ha->port_name, WWN_SIZE);
 					fc_host_port_name(vha->host) =
 					    wwn_to_u64(vha->port_name);
 					ql_dbg(ql_dbg_init + ql_dbg_verbose,




* [PATCH 5.19 0106/1157] scsi: qla2xxx: Zero undefined mailbox IN registers
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0105/1157] scsi: qla2xxx: Fix incorrect display of max frame size Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0107/1157] soundwire: qcom: Check device status before reading devid Greg Kroah-Hartman
                   ` (889 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Himanshu Madhani, Bikash Hazarika,
	Quinn Tran, Nilesh Javali, Martin K. Petersen

From: Bikash Hazarika <bhazarika@marvell.com>

commit 6c96a3c7d49593ef15805f5e497601c87695abc9 upstream.

While requesting a new mailbox command, driver does not write any data to
unused registers.  Initialize the unused register value to zero while
requesting a new mailbox command to prevent stale entry access by firmware.

Link: https://lore.kernel.org/r/20220713052045.10683-4-njavali@marvell.com
Cc: stable@vger.kernel.org
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/qla2xxx/qla_mbx.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/scsi/qla2xxx/qla_mbx.c
+++ b/drivers/scsi/qla2xxx/qla_mbx.c
@@ -238,6 +238,8 @@ qla2x00_mailbox_command(scsi_qla_host_t
 			ql_dbg(ql_dbg_mbx, vha, 0x1112,
 			    "mbox[%d]<-0x%04x\n", cnt, *iptr);
 			wrt_reg_word(optr, *iptr);
+		} else {
+			wrt_reg_word(optr, 0);
 		}
 
 		mboxes >>= 1;




* [PATCH 5.19 0107/1157] soundwire: qcom: Check device status before reading devid
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0106/1157] scsi: qla2xxx: Zero undefined mailbox IN registers Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0108/1157] ksmbd: fix memory leak in smb2_handle_negotiate Greg Kroah-Hartman
                   ` (888 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Srinivas Kandagatla, Vinod Koul

From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>

commit aa1262ca66957183ea1fb32a067e145b995f3744 upstream.

As per hardware datasheet it's recommended that we check the device
status before reading devid assigned by auto-enumeration.

Without this patch we see SoundWire devices with invalid enumeration
addresses on the bus.

Cc: stable@vger.kernel.org
Fixes: a6e6581942ca ("soundwire: qcom: add auto enumeration support")
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20220706095644.5852-1-srinivas.kandagatla@linaro.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/soundwire/qcom.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/soundwire/qcom.c
+++ b/drivers/soundwire/qcom.c
@@ -471,6 +471,10 @@ static int qcom_swrm_enumerate(struct sd
 	char *buf1 = (char *)&val1, *buf2 = (char *)&val2;
 
 	for (i = 1; i <= SDW_MAX_DEVICES; i++) {
+		/* do not continue if the status is Not Present  */
+		if (!ctrl->status[i])
+			continue;
+
 		/*SCP_Devid5 - Devid 4*/
 		ctrl->reg_read(ctrl, SWRM_ENUMERATOR_SLAVE_DEV_ID_1(i), &val1);
 
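Review bot: `if (!ctrl->status[i])` relies on the Not Present status being numerically zero and indexes status[] with i up to and including SDW_MAX_DEVICES. Compare against the named status constant so the code matches the comment, and confirm status[] is sized SDW_MAX_DEVICES + 1. Nit: there is a double space before the closing `*/` of the new comment.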




* [PATCH 5.19 0108/1157] ksmbd: fix memory leak in smb2_handle_negotiate
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0107/1157] soundwire: qcom: Check device status before reading devid Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0109/1157] ksmbd: prevent out of bound read for SMB2_TREE_CONNNECT Greg Kroah-Hartman
                   ` (887 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Namjae Jeon, Hyunchul Lee,
	Steve French, zdi-disclosures

From: Namjae Jeon <linkinjeon@kernel.org>

commit aa7253c2393f6dcd6a1468b0792f6da76edad917 upstream.

The allocated memory wasn't freed under an error
path in smb2_handle_negotiate().

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17815
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ksmbd/smb2pdu.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1139,12 +1139,16 @@ int smb2_handle_negotiate(struct ksmbd_w
 			       status);
 			rsp->hdr.Status = status;
 			rc = -EINVAL;
+			kfree(conn->preauth_info);
+			conn->preauth_info = NULL;
 			goto err_out;
 		}
 
 		rc = init_smb3_11_server(conn);
 		if (rc < 0) {
 			rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+			kfree(conn->preauth_info);
+			conn->preauth_info = NULL;
 			goto err_out;
 		}
 
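Review bot: the same kfree(conn->preauth_info) / conn->preauth_info = NULL pair is now repeated in both error branches, so any failure path added later between the allocation and the end of this block has to remember it too. Since kfree(NULL) is a no-op, doing the cleanup once at err_out (guarded on rc < 0 if the success path falls through to that label) would cover every exit.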




* [PATCH 5.19 0109/1157] ksmbd: prevent out of bound read for SMB2_TREE_CONNNECT
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0108/1157] ksmbd: fix memory leak in smb2_handle_negotiate Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0110/1157] ksmbd: prevent out of bound read for SMB2_WRITE Greg Kroah-Hartman
                   ` (886 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hyunchul Lee, Namjae Jeon,
	Steve French, zdi-disclosures

From: Hyunchul Lee <hyc.lee@gmail.com>

commit 824d4f64c20093275f72fc8101394d75ff6a249e upstream.

If Status is not 0 and PathLength is long,
smb_strndup_from_utf16 could make an out of bound
read in smb2_tree_connect.

This bug can lead to an oops looking something like:

[ 1553.882047] BUG: KASAN: slab-out-of-bounds in smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882064] Read of size 2 at addr ffff88802c4eda04 by task kworker/0:2/42805
...
[ 1553.882095] Call Trace:
[ 1553.882098]  <TASK>
[ 1553.882101]  dump_stack_lvl+0x49/0x5f
[ 1553.882107]  print_report.cold+0x5e/0x5cf
[ 1553.882112]  ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882122]  kasan_report+0xaa/0x120
[ 1553.882128]  ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882139]  __asan_report_load_n_noabort+0xf/0x20
[ 1553.882143]  smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882155]  ? smb_strtoUTF16+0x3b0/0x3b0 [ksmbd]
[ 1553.882166]  ? __kmalloc_node+0x185/0x430
[ 1553.882171]  smb2_tree_connect+0x140/0xab0 [ksmbd]
[ 1553.882185]  handle_ksmbd_work+0x30e/0x1020 [ksmbd]
[ 1553.882197]  process_one_work+0x778/0x11c0
[ 1553.882201]  ? _raw_spin_lock_irq+0x8e/0xe0
[ 1553.882206]  worker_thread+0x544/0x1180
[ 1553.882209]  ? __cpuidle_text_end+0x4/0x4
[ 1553.882214]  kthread+0x282/0x320
[ 1553.882218]  ? process_one_work+0x11c0/0x11c0
[ 1553.882221]  ? kthread_complete_and_exit+0x30/0x30
[ 1553.882225]  ret_from_fork+0x1f/0x30
[ 1553.882231]  </TASK>

There is no need to check error request validation in server.
This check allows invalid requests not to validate message.

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17818
Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ksmbd/smb2misc.c |    5 -----
 1 file changed, 5 deletions(-)

--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -90,11 +90,6 @@ static int smb2_get_data_area_len(unsign
 	*off = 0;
 	*len = 0;
 
-	/* error reqeusts do not have data area */
-	if (hdr->Status && hdr->Status != STATUS_MORE_PROCESSING_REQUIRED &&
-	    (((struct smb2_err_rsp *)hdr)->StructureSize) == SMB2_ERROR_STRUCTURE_SIZE2_LE)
-		return ret;
-
 	/*
 	 * Following commands have data areas so we have to get the location
 	 * of the data buffer offset and data buffer length for the particular




* [PATCH 5.19 0110/1157] ksmbd: prevent out of bound read for SMB2_WRITE
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0109/1157] ksmbd: prevent out of bound read for SMB2_TREE_CONNNECT Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0111/1157] ksmbd: fix use-after-free bug in smb2_tree_disconect Greg Kroah-Hartman
                   ` (885 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hyunchul Lee, Namjae Jeon,
	Steve French, zdi-disclosures

From: Hyunchul Lee <hyc.lee@gmail.com>

commit ac60778b87e45576d7bfdbd6f53df902654e6f09 upstream.

OOB read memory can be written to a file,
if DataOffset is 0 and Length is too large
in SMB2_WRITE request of compound request.

To prevent this, when checking the length of
the data area of SMB2_WRITE in smb2_get_data_area_len(),
let the minimum of DataOffset be the size of
SMB2 header + the size of SMB2_WRITE header.

This bug can lead to an oops looking something like:

[  798.008715] BUG: KASAN: slab-out-of-bounds in copy_page_from_iter_atomic+0xd3d/0x14b0
[  798.008724] Read of size 252 at addr ffff88800f863e90 by task kworker/0:2/2859
...
[  798.008754] Call Trace:
[  798.008756]  <TASK>
[  798.008759]  dump_stack_lvl+0x49/0x5f
[  798.008764]  print_report.cold+0x5e/0x5cf
[  798.008768]  ? __filemap_get_folio+0x285/0x6d0
[  798.008774]  ? copy_page_from_iter_atomic+0xd3d/0x14b0
[  798.008777]  kasan_report+0xaa/0x120
[  798.008781]  ? copy_page_from_iter_atomic+0xd3d/0x14b0
[  798.008784]  kasan_check_range+0x100/0x1e0
[  798.008788]  memcpy+0x24/0x60
[  798.008792]  copy_page_from_iter_atomic+0xd3d/0x14b0
[  798.008795]  ? pagecache_get_page+0x53/0x160
[  798.008799]  ? iov_iter_get_pages_alloc+0x1590/0x1590
[  798.008803]  ? ext4_write_begin+0xfc0/0xfc0
[  798.008807]  ? current_time+0x72/0x210
[  798.008811]  generic_perform_write+0x2c8/0x530
[  798.008816]  ? filemap_fdatawrite_wbc+0x180/0x180
[  798.008820]  ? down_write+0xb4/0x120
[  798.008824]  ? down_write_killable+0x130/0x130
[  798.008829]  ext4_buffered_write_iter+0x137/0x2c0
[  798.008833]  ext4_file_write_iter+0x40b/0x1490
[  798.008837]  ? __fsnotify_parent+0x275/0xb20
[  798.008842]  ? __fsnotify_update_child_dentry_flags+0x2c0/0x2c0
[  798.008846]  ? ext4_buffered_write_iter+0x2c0/0x2c0
[  798.008851]  __kernel_write+0x3a1/0xa70
[  798.008855]  ? __x64_sys_preadv2+0x160/0x160
[  798.008860]  ? security_file_permission+0x4a/0xa0
[  798.008865]  kernel_write+0xbb/0x360
[  798.008869]  ksmbd_vfs_write+0x27e/0xb90 [ksmbd]
[  798.008881]  ? ksmbd_vfs_read+0x830/0x830 [ksmbd]
[  798.008892]  ? _raw_read_unlock+0x2a/0x50
[  798.008896]  smb2_write+0xb45/0x14e0 [ksmbd]
[  798.008909]  ? __kasan_check_write+0x14/0x20
[  798.008912]  ? _raw_spin_lock_bh+0xd0/0xe0
[  798.008916]  ? smb2_read+0x15e0/0x15e0 [ksmbd]
[  798.008927]  ? memcpy+0x4e/0x60
[  798.008931]  ? _raw_spin_unlock+0x19/0x30
[  798.008934]  ? ksmbd_smb2_check_message+0x16af/0x2350 [ksmbd]
[  798.008946]  ? _raw_spin_lock_bh+0xe0/0xe0
[  798.008950]  handle_ksmbd_work+0x30e/0x1020 [ksmbd]
[  798.008962]  process_one_work+0x778/0x11c0
[  798.008966]  ? _raw_spin_lock_irq+0x8e/0xe0
[  798.008970]  worker_thread+0x544/0x1180
[  798.008973]  ? __cpuidle_text_end+0x4/0x4
[  798.008977]  kthread+0x282/0x320
[  798.008982]  ? process_one_work+0x11c0/0x11c0
[  798.008985]  ? kthread_complete_and_exit+0x30/0x30
[  798.008989]  ret_from_fork+0x1f/0x30
[  798.008995]  </TASK>

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17817
Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ksmbd/smb2misc.c |    7 +++++--
 fs/ksmbd/smb2pdu.c  |    8 +++-----
 2 files changed, 8 insertions(+), 7 deletions(-)

--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -131,8 +131,11 @@ static int smb2_get_data_area_len(unsign
 		*len = le16_to_cpu(((struct smb2_read_req *)hdr)->ReadChannelInfoLength);
 		break;
 	case SMB2_WRITE:
-		if (((struct smb2_write_req *)hdr)->DataOffset) {
-			*off = le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset);
+		if (((struct smb2_write_req *)hdr)->DataOffset ||
+		    ((struct smb2_write_req *)hdr)->Length) {
+			*off = max_t(unsigned int,
+				     le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset),
+				     offsetof(struct smb2_write_req, Buffer));
 			*len = le32_to_cpu(((struct smb2_write_req *)hdr)->Length);
 			break;
 		}
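
Review bot: The `max_t()` clamp in the SMB2_WRITE case silently raises a DataOffset below `offsetof(struct smb2_write_req, Buffer)` instead of rejecting it, so whatever bounds check consumes `*off` and `*len` validates an offset the client never sent. That only stays safe because smb2_write() separately refuses the small offset; a short comment here saying so, or an error return for a non-zero DataOffset below the Buffer offset, would keep the two checks from drifting apart. The `DataOffset || Length` test also means a request with both fields zero now skips this block entirely; worth confirming that is intended.
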
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -6499,14 +6499,12 @@ int smb2_write(struct ksmbd_work *work)
 		writethrough = true;
 
 	if (is_rdma_channel == false) {
-		if ((u64)le16_to_cpu(req->DataOffset) + length >
-		    get_rfc1002_len(work->request_buf)) {
-			pr_err("invalid write data offset %u, smb_len %u\n",
-			       le16_to_cpu(req->DataOffset),
-			       get_rfc1002_len(work->request_buf));
+		if (le16_to_cpu(req->DataOffset) <
+		    offsetof(struct smb2_write_req, Buffer)) {
 			err = -EINVAL;
 			goto out;
 		}
+
 		data_buf = (char *)(((char *)&req->hdr.ProtocolId) +
 				    le16_to_cpu(req->DataOffset));
 
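
Review bot: The upper-bound test `(u64)le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(work->request_buf)` is removed from smb2_write() and only a lower bound on DataOffset remains, so nothing in this function now ties `length` to the size of the received buffer before `data_buf` is formed. If the intent is that smb2_get_data_area_len() covers the upper bound for every request in a compound, say so in a comment at this check. The rejection path also lost its `pr_err()`; a `ksmbd_debug()` line with the offending offset would help when triaging rejected writes.
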




* [PATCH 5.19 0111/1157] ksmbd: fix use-after-free bug in smb2_tree_disconect
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0110/1157] ksmbd: prevent out of bound read for SMB2_WRITE Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0112/1157] ksmbd: fix heap-based overflow in set_ntacl_dacl() Greg Kroah-Hartman
                   ` (884 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Namjae Jeon, Hyunchul Lee,
	Steve French, zdi-disclosures

From: Namjae Jeon <linkinjeon@kernel.org>

commit cf6531d98190fa2cf92a6d8bbc8af0a4740a223c upstream.

smb2_tree_disconnect() freed the struct ksmbd_tree_connect,
but it left the dangling pointer. It can be accessed
again under compound requests.

This bug can lead to an oops looking something like:

[ 1685.468014 ] BUG: KASAN: use-after-free in ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd]
[ 1685.468068 ] Read of size 4 at addr ffff888102172180 by task kworker/1:2/4807
...
[ 1685.468130 ] Call Trace:
[ 1685.468132 ]  <TASK>
[ 1685.468135 ]  dump_stack_lvl+0x49/0x5f
[ 1685.468141 ]  print_report.cold+0x5e/0x5cf
[ 1685.468145 ]  ? ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd]
[ 1685.468157 ]  kasan_report+0xaa/0x120
[ 1685.468194 ]  ? ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd]
[ 1685.468206 ]  __asan_report_load4_noabort+0x14/0x20
[ 1685.468210 ]  ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd]
[ 1685.468222 ]  smb2_tree_disconnect+0x175/0x250 [ksmbd]
[ 1685.468235 ]  handle_ksmbd_work+0x30e/0x1020 [ksmbd]
[ 1685.468247 ]  process_one_work+0x778/0x11c0
[ 1685.468251 ]  ? _raw_spin_lock_irq+0x8e/0xe0
[ 1685.468289 ]  worker_thread+0x544/0x1180
[ 1685.468293 ]  ? __cpuidle_text_end+0x4/0x4
[ 1685.468297 ]  kthread+0x282/0x320
[ 1685.468301 ]  ? process_one_work+0x11c0/0x11c0
[ 1685.468305 ]  ? kthread_complete_and_exit+0x30/0x30
[ 1685.468309 ]  ret_from_fork+0x1f/0x30

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17816
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ksmbd/smb2pdu.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2043,6 +2043,7 @@ int smb2_tree_disconnect(struct ksmbd_wo
 
 	ksmbd_close_tree_conn_fds(work);
 	ksmbd_tree_conn_disconnect(sess, tcon);
+	work->tcon = NULL;
 	return 0;
 }
 
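
Review bot: Clearing `work->tcon` after `ksmbd_tree_conn_disconnect()` removes the dangling pointer, but it also means any later command in the same compound request sees a NULL `work->tcon`, and nothing in this hunk shows those handlers checking for it. Please confirm the per-command dispatch path rejects a request with no tree connection before a handler dereferences `work->tcon`, and add a one-line comment above the assignment explaining that it guards compound requests.
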




* [PATCH 5.19 0112/1157] ksmbd: fix heap-based overflow in set_ntacl_dacl()
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0111/1157] ksmbd: fix use-after-free bug in smb2_tree_disconect Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0113/1157] fuse: limit nsec Greg Kroah-Hartman
                   ` (883 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hyunchul Lee, Namjae Jeon,
	Steve French, zdi-disclosures

From: Namjae Jeon <linkinjeon@kernel.org>

commit 8f0541186e9ad1b62accc9519cc2b7a7240272a7 upstream.

The testcase uses the SMB2_SET_INFO_HE command to set a malformed file attribute
under the label `security.NTACL`. The SMB2_QUERY_INFO_HE command in the testcase
triggers the following overflow.

[ 4712.003781] ==================================================================
[ 4712.003790] BUG: KASAN: slab-out-of-bounds in build_sec_desc+0x842/0x1dd0 [ksmbd]
[ 4712.003807] Write of size 1060 at addr ffff88801e34c068 by task kworker/0:0/4190

[ 4712.003813] CPU: 0 PID: 4190 Comm: kworker/0:0 Not tainted 5.19.0-rc5 #1
[ 4712.003850] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
[ 4712.003867] Call Trace:
[ 4712.003870]  <TASK>
[ 4712.003873]  dump_stack_lvl+0x49/0x5f
[ 4712.003935]  print_report.cold+0x5e/0x5cf
[ 4712.003972]  ? ksmbd_vfs_get_sd_xattr+0x16d/0x500 [ksmbd]
[ 4712.003984]  ? cmp_map_id+0x200/0x200
[ 4712.003988]  ? build_sec_desc+0x842/0x1dd0 [ksmbd]
[ 4712.004000]  kasan_report+0xaa/0x120
[ 4712.004045]  ? build_sec_desc+0x842/0x1dd0 [ksmbd]
[ 4712.004056]  kasan_check_range+0x100/0x1e0
[ 4712.004060]  memcpy+0x3c/0x60
[ 4712.004064]  build_sec_desc+0x842/0x1dd0 [ksmbd]
[ 4712.004076]  ? parse_sec_desc+0x580/0x580 [ksmbd]
[ 4712.004088]  ? ksmbd_acls_fattr+0x281/0x410 [ksmbd]
[ 4712.004099]  smb2_query_info+0xa8f/0x6110 [ksmbd]
[ 4712.004111]  ? psi_group_change+0x856/0xd70
[ 4712.004148]  ? update_load_avg+0x1c3/0x1af0
[ 4712.004152]  ? asym_cpu_capacity_scan+0x5d0/0x5d0
[ 4712.004157]  ? xas_load+0x23/0x300
[ 4712.004162]  ? smb2_query_dir+0x1530/0x1530 [ksmbd]
[ 4712.004173]  ? _raw_spin_lock_bh+0xe0/0xe0
[ 4712.004179]  handle_ksmbd_work+0x30e/0x1020 [ksmbd]
[ 4712.004192]  process_one_work+0x778/0x11c0
[ 4712.004227]  ? _raw_spin_lock_irq+0x8e/0xe0
[ 4712.004231]  worker_thread+0x544/0x1180
[ 4712.004234]  ? __cpuidle_text_end+0x4/0x4
[ 4712.004239]  kthread+0x282/0x320
[ 4712.004243]  ? process_one_work+0x11c0/0x11c0
[ 4712.004246]  ? kthread_complete_and_exit+0x30/0x30
[ 4712.004282]  ret_from_fork+0x1f/0x30

This patch adds buffer validation for the security descriptor that is
stored by a malformed SMB2_SET_INFO_HE command, and allocates a large
response buffer for the SMB2_O_INFO_SECURITY file info class.

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17771
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ksmbd/smb2pdu.c |   39 ++++++++++-----
 fs/ksmbd/smbacl.c  |  130 +++++++++++++++++++++++++++++++++++------------------
 fs/ksmbd/smbacl.h  |    2 
 fs/ksmbd/vfs.c     |    5 ++
 4 files changed, 119 insertions(+), 57 deletions(-)

--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -535,9 +535,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_w
 		struct smb2_query_info_req *req;
 
 		req = smb2_get_msg(work->request_buf);
-		if (req->InfoType == SMB2_O_INFO_FILE &&
-		    (req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
-		     req->FileInfoClass == FILE_ALL_INFORMATION))
+		if ((req->InfoType == SMB2_O_INFO_FILE &&
+		     (req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
+		     req->FileInfoClass == FILE_ALL_INFORMATION)) ||
+		    req->InfoType == SMB2_O_INFO_SECURITY)
 			sz = large_sz;
 	}
 
@@ -2974,7 +2975,7 @@ int smb2_open(struct ksmbd_work *work)
 						goto err_out;
 
 					rc = build_sec_desc(user_ns,
-							    pntsd, NULL,
+							    pntsd, NULL, 0,
 							    OWNER_SECINFO |
 							    GROUP_SECINFO |
 							    DACL_SECINFO,
@@ -3819,6 +3820,15 @@ static int verify_info_level(int info_le
 	return 0;
 }
 
+static int smb2_resp_buf_len(struct ksmbd_work *work, unsigned short hdr2_len)
+{
+	int free_len;
+
+	free_len = (int)(work->response_sz -
+		(get_rfc1002_len(work->response_buf) + 4)) - hdr2_len;
+	return free_len;
+}
+
 static int smb2_calc_max_out_buf_len(struct ksmbd_work *work,
 				     unsigned short hdr2_len,
 				     unsigned int out_buf_len)
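
Review bot: `smb2_resp_buf_len()` can return a negative value and has no comment saying so, which matters because one caller added in this patch compares its result directly against another signed size. A brief comment stating that it returns the free bytes left in the response buffer after `hdr2_len`, or a negative number when the buffer is already overcommitted, would help; the `free_len` temporary can also be dropped in favour of returning the expression.
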
@@ -3828,9 +3838,7 @@ static int smb2_calc_max_out_buf_len(str
 	if (out_buf_len > work->conn->vals->max_trans_size)
 		return -EINVAL;
 
-	free_len = (int)(work->response_sz -
-			 (get_rfc1002_len(work->response_buf) + 4)) -
-		hdr2_len;
+	free_len = smb2_resp_buf_len(work, hdr2_len);
 	if (free_len < 0)
 		return -EINVAL;
 
@@ -5093,10 +5101,10 @@ static int smb2_get_info_sec(struct ksmb
 	struct smb_ntsd *pntsd = (struct smb_ntsd *)rsp->Buffer, *ppntsd = NULL;
 	struct smb_fattr fattr = {{0}};
 	struct inode *inode;
-	__u32 secdesclen;
+	__u32 secdesclen = 0;
 	unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID;
 	int addition_info = le32_to_cpu(req->AdditionalInformation);
-	int rc;
+	int rc = 0, ppntsd_size = 0;
 
 	if (addition_info & ~(OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO |
 			      PROTECTED_DACL_SECINFO |
@@ -5142,11 +5150,14 @@ static int smb2_get_info_sec(struct ksmb
 
 	if (test_share_config_flag(work->tcon->share_conf,
 				   KSMBD_SHARE_FLAG_ACL_XATTR))
-		ksmbd_vfs_get_sd_xattr(work->conn, user_ns,
-				       fp->filp->f_path.dentry, &ppntsd);
-
-	rc = build_sec_desc(user_ns, pntsd, ppntsd, addition_info,
-			    &secdesclen, &fattr);
+		ppntsd_size = ksmbd_vfs_get_sd_xattr(work->conn, user_ns,
+						     fp->filp->f_path.dentry,
+						     &ppntsd);
+
+	/* Check if sd buffer size exceeds response buffer size */
+	if (smb2_resp_buf_len(work, 8) > ppntsd_size)
+		rc = build_sec_desc(user_ns, pntsd, ppntsd, ppntsd_size,
+				    addition_info, &secdesclen, &fattr);
 	posix_acl_release(fattr.cf_acls);
 	posix_acl_release(fattr.cf_dacls);
 	kfree(ppntsd);
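
Review bot: In smb2_get_info_sec(), `ppntsd_size` takes the raw return of `ksmbd_vfs_get_sd_xattr()`, which other callers in this patch treat as possibly `<= 0`, and a negative value satisfies `smb2_resp_buf_len(work, 8) > ppntsd_size` and is then handed to build_sec_desc() as a size. Checking `ppntsd_size < 0` first and treating it as "no stored descriptor" would be safer. When the size check fails, `rc` stays 0 and `secdesclen` stays 0, so the failure is not reported from this point; setting an error such as `-EINVAL` would make it visible. The literal `8` deserves a named constant or a comment.
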
--- a/fs/ksmbd/smbacl.c
+++ b/fs/ksmbd/smbacl.c
@@ -690,6 +690,7 @@ posix_default_acl:
 static void set_ntacl_dacl(struct user_namespace *user_ns,
 			   struct smb_acl *pndacl,
 			   struct smb_acl *nt_dacl,
+			   unsigned int aces_size,
 			   const struct smb_sid *pownersid,
 			   const struct smb_sid *pgrpsid,
 			   struct smb_fattr *fattr)
@@ -703,9 +704,19 @@ static void set_ntacl_dacl(struct user_n
 	if (nt_num_aces) {
 		ntace = (struct smb_ace *)((char *)nt_dacl + sizeof(struct smb_acl));
 		for (i = 0; i < nt_num_aces; i++) {
-			memcpy((char *)pndace + size, ntace, le16_to_cpu(ntace->size));
-			size += le16_to_cpu(ntace->size);
-			ntace = (struct smb_ace *)((char *)ntace + le16_to_cpu(ntace->size));
+			unsigned short nt_ace_size;
+
+			if (offsetof(struct smb_ace, access_req) > aces_size)
+				break;
+
+			nt_ace_size = le16_to_cpu(ntace->size);
+			if (nt_ace_size > aces_size)
+				break;
+
+			memcpy((char *)pndace + size, ntace, nt_ace_size);
+			size += nt_ace_size;
+			aces_size -= nt_ace_size;
+			ntace = (struct smb_ace *)((char *)ntace + nt_ace_size);
 			num_aces++;
 		}
 	}
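
Review bot: The new checks in the set_ntacl_dacl() ACE loop compare `nt_ace_size` only against the remaining `aces_size`, so an ACE whose `size` field is zero or smaller than the fixed ACE header still passes, and the loop can then count entries without advancing `ntace`. Rejecting `nt_ace_size < offsetof(struct smb_ace, access_req)` alongside the existing test would close that. Nothing in this hunk limits `size` against the capacity of the destination at `pndace`, so the function still depends on the caller having sized the response buffer; a comment stating that precondition would help.
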
@@ -878,7 +889,7 @@ int parse_sec_desc(struct user_namespace
 /* Convert permission bits from mode to equivalent CIFS ACL */
 int build_sec_desc(struct user_namespace *user_ns,
 		   struct smb_ntsd *pntsd, struct smb_ntsd *ppntsd,
-		   int addition_info, __u32 *secdesclen,
+		   int ppntsd_size, int addition_info, __u32 *secdesclen,
 		   struct smb_fattr *fattr)
 {
 	int rc = 0;
@@ -938,15 +949,25 @@ int build_sec_desc(struct user_namespace
 
 		if (!ppntsd) {
 			set_mode_dacl(user_ns, dacl_ptr, fattr);
-		} else if (!ppntsd->dacloffset) {
-			goto out;
 		} else {
 			struct smb_acl *ppdacl_ptr;
+			unsigned int dacl_offset = le32_to_cpu(ppntsd->dacloffset);
+			int ppdacl_size, ntacl_size = ppntsd_size - dacl_offset;
+
+			if (!dacl_offset ||
+			    (dacl_offset + sizeof(struct smb_acl) > ppntsd_size))
+				goto out;
+
+			ppdacl_ptr = (struct smb_acl *)((char *)ppntsd + dacl_offset);
+			ppdacl_size = le16_to_cpu(ppdacl_ptr->size);
+			if (ppdacl_size > ntacl_size ||
+			    ppdacl_size < sizeof(struct smb_acl))
+				goto out;
 
-			ppdacl_ptr = (struct smb_acl *)((char *)ppntsd +
-						le32_to_cpu(ppntsd->dacloffset));
 			set_ntacl_dacl(user_ns, dacl_ptr, ppdacl_ptr,
-				       nowner_sid_ptr, ngroup_sid_ptr, fattr);
+				       ntacl_size - sizeof(struct smb_acl),
+				       nowner_sid_ptr, ngroup_sid_ptr,
+				       fattr);
 		}
 		pntsd->dacloffset = cpu_to_le32(offset);
 		offset += le16_to_cpu(dacl_ptr->size);
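
Review bot: `ntacl_size = ppntsd_size - dacl_offset` is computed in the declaration, before `dacl_offset` is validated, and the checks that follow mix `int`, `unsigned int` and `size_t`: in `dacl_offset + sizeof(struct smb_acl) > ppntsd_size` a negative `ppntsd_size` is converted to a large unsigned value, so the out-of-range condition is never true. Rejecting `ppntsd_size <= 0` up front (or making the size unsigned) and computing `ntacl_size` after the offset check would remove the ambiguity. The ACE budget passed to set_ntacl_dacl() is `ntacl_size - sizeof(struct smb_acl)`, the remainder of the xattr, and not `ppdacl_size - sizeof(struct smb_acl)`, the DACL's own declared length; if that is deliberate it deserves a comment.
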
@@ -980,24 +1001,31 @@ int smb_inherit_dacl(struct ksmbd_conn *
 	struct smb_sid owner_sid, group_sid;
 	struct dentry *parent = path->dentry->d_parent;
 	struct user_namespace *user_ns = mnt_user_ns(path->mnt);
-	int inherited_flags = 0, flags = 0, i, ace_cnt = 0, nt_size = 0;
-	int rc = 0, num_aces, dacloffset, pntsd_type, acl_len;
+	int inherited_flags = 0, flags = 0, i, ace_cnt = 0, nt_size = 0, pdacl_size;
+	int rc = 0, num_aces, dacloffset, pntsd_type, pntsd_size, acl_len, aces_size;
 	char *aces_base;
 	bool is_dir = S_ISDIR(d_inode(path->dentry)->i_mode);
 
-	acl_len = ksmbd_vfs_get_sd_xattr(conn, user_ns,
-					 parent, &parent_pntsd);
-	if (acl_len <= 0)
+	pntsd_size = ksmbd_vfs_get_sd_xattr(conn, user_ns,
+					    parent, &parent_pntsd);
+	if (pntsd_size <= 0)
 		return -ENOENT;
 	dacloffset = le32_to_cpu(parent_pntsd->dacloffset);
-	if (!dacloffset) {
+	if (!dacloffset || (dacloffset + sizeof(struct smb_acl) > pntsd_size)) {
 		rc = -EINVAL;
 		goto free_parent_pntsd;
 	}
 
 	parent_pdacl = (struct smb_acl *)((char *)parent_pntsd + dacloffset);
+	acl_len = pntsd_size - dacloffset;
 	num_aces = le32_to_cpu(parent_pdacl->num_aces);
 	pntsd_type = le16_to_cpu(parent_pntsd->type);
+	pdacl_size = le16_to_cpu(parent_pdacl->size);
+
+	if (pdacl_size > acl_len || pdacl_size < sizeof(struct smb_acl)) {
+		rc = -EINVAL;
+		goto free_parent_pntsd;
+	}
 
 	aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, GFP_KERNEL);
 	if (!aces_base) {
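
Review bot: `num_aces` is read from the stored descriptor and used unvalidated in `kmalloc(sizeof(struct smb_ace) * num_aces * 2, GFP_KERNEL)` directly after the new size checks in smb_inherit_dacl(); the multiplication can overflow and `num_aces` is never compared with what `pdacl_size` could actually hold. Consider bounding `num_aces` by the ACE area size divided by the minimum ACE size, and switching to `kmalloc_array()` so an overflow fails the allocation. `dacloffset` is a signed `int` here while the equivalent check in build_sec_desc() uses `unsigned int`; using one type for the offset in all three functions would make the comparisons easier to audit.
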
@@ -1008,11 +1036,23 @@ int smb_inherit_dacl(struct ksmbd_conn *
 	aces = (struct smb_ace *)aces_base;
 	parent_aces = (struct smb_ace *)((char *)parent_pdacl +
 			sizeof(struct smb_acl));
+	aces_size = acl_len - sizeof(struct smb_acl);
 
 	if (pntsd_type & DACL_AUTO_INHERITED)
 		inherited_flags = INHERITED_ACE;
 
 	for (i = 0; i < num_aces; i++) {
+		int pace_size;
+
+		if (offsetof(struct smb_ace, access_req) > aces_size)
+			break;
+
+		pace_size = le16_to_cpu(parent_aces->size);
+		if (pace_size > aces_size)
+			break;
+
+		aces_size -= pace_size;
+
 		flags = parent_aces->flags;
 		if (!smb_inherit_flags(flags, is_dir))
 			goto pass;
@@ -1057,8 +1097,7 @@ int smb_inherit_dacl(struct ksmbd_conn *
 		aces = (struct smb_ace *)((char *)aces + le16_to_cpu(aces->size));
 		ace_cnt++;
 pass:
-		parent_aces =
-			(struct smb_ace *)((char *)parent_aces + le16_to_cpu(parent_aces->size));
+		parent_aces = (struct smb_ace *)((char *)parent_aces + pace_size);
 	}
 
 	if (nt_size > 0) {
@@ -1153,7 +1192,7 @@ int smb_check_perm_dacl(struct ksmbd_con
 	struct smb_ntsd *pntsd = NULL;
 	struct smb_acl *pdacl;
 	struct posix_acl *posix_acls;
-	int rc = 0, acl_size;
+	int rc = 0, pntsd_size, acl_size, aces_size, pdacl_size, dacl_offset;
 	struct smb_sid sid;
 	int granted = le32_to_cpu(*pdaccess & ~FILE_MAXIMAL_ACCESS_LE);
 	struct smb_ace *ace;
@@ -1162,37 +1201,33 @@ int smb_check_perm_dacl(struct ksmbd_con
 	struct smb_ace *others_ace = NULL;
 	struct posix_acl_entry *pa_entry;
 	unsigned int sid_type = SIDOWNER;
-	char *end_of_acl;
+	unsigned short ace_size;
 
 	ksmbd_debug(SMB, "check permission using windows acl\n");
-	acl_size = ksmbd_vfs_get_sd_xattr(conn, user_ns,
-					  path->dentry, &pntsd);
-	if (acl_size <= 0 || !pntsd || !pntsd->dacloffset) {
-		kfree(pntsd);
-		return 0;
-	}
+	pntsd_size = ksmbd_vfs_get_sd_xattr(conn, user_ns,
+					    path->dentry, &pntsd);
+	if (pntsd_size <= 0 || !pntsd)
+		goto err_out;
+
+	dacl_offset = le32_to_cpu(pntsd->dacloffset);
+	if (!dacl_offset ||
+	    (dacl_offset + sizeof(struct smb_acl) > pntsd_size))
+		goto err_out;
 
 	pdacl = (struct smb_acl *)((char *)pntsd + le32_to_cpu(pntsd->dacloffset));
-	end_of_acl = ((char *)pntsd) + acl_size;
-	if (end_of_acl <= (char *)pdacl) {
-		kfree(pntsd);
-		return 0;
-	}
+	acl_size = pntsd_size - dacl_offset;
+	pdacl_size = le16_to_cpu(pdacl->size);
 
-	if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size) ||
-	    le16_to_cpu(pdacl->size) < sizeof(struct smb_acl)) {
-		kfree(pntsd);
-		return 0;
-	}
+	if (pdacl_size > acl_size || pdacl_size < sizeof(struct smb_acl))
+		goto err_out;
 
 	if (!pdacl->num_aces) {
-		if (!(le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) &&
+		if (!(pdacl_size - sizeof(struct smb_acl)) &&
 		    *pdaccess & ~(FILE_READ_CONTROL_LE | FILE_WRITE_DAC_LE)) {
 			rc = -EACCES;
 			goto err_out;
 		}
-		kfree(pntsd);
-		return 0;
+		goto err_out;
 	}
 
 	if (*pdaccess & FILE_MAXIMAL_ACCESS_LE) {
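
Review bot: Every malformed-descriptor path in this smb_check_perm_dacl() hunk now does `goto err_out` with `rc` still 0, so a truncated or inconsistent security descriptor makes the permission check report success (assuming `err_out` only frees and returns `rc`; the label is outside this hunk). That matches the old `return 0` behaviour, but since this is the access check, either return `-EACCES` or `-EINVAL` for a corrupt descriptor or add a comment explaining why falling back to success is acceptable. `pdacl` is also still computed from `le32_to_cpu(pntsd->dacloffset)` instead of the validated `dacl_offset` local.
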
@@ -1200,11 +1235,16 @@ int smb_check_perm_dacl(struct ksmbd_con
 			DELETE;
 
 		ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
+		aces_size = acl_size - sizeof(struct smb_acl);
 		for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
+			if (offsetof(struct smb_ace, access_req) > aces_size)
+				break;
+			ace_size = le16_to_cpu(ace->size);
+			if (ace_size > aces_size)
+				break;
+			aces_size -= ace_size;
 			granted |= le32_to_cpu(ace->access_req);
 			ace = (struct smb_ace *)((char *)ace + le16_to_cpu(ace->size));
-			if (end_of_acl < (char *)ace)
-				goto err_out;
 		}
 
 		if (!pdacl->num_aces)
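
Review bot: On a malformed ACE the loop under `FILE_MAXIMAL_ACCESS_LE` now does `break` where the old code did `goto err_out`, so the function carries on with whatever bits were already OR-ed into `granted` from the ACEs seen so far. If a partial result is acceptable, say so in a comment; otherwise keep bailing out. The pointer advance still re-reads `le16_to_cpu(ace->size)` even though `ace_size` holds the validated value; use `ace_size` so the checked value and the used value cannot differ.
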
@@ -1216,7 +1256,15 @@ int smb_check_perm_dacl(struct ksmbd_con
 	id_to_sid(uid, sid_type, &sid);
 
 	ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
+	aces_size = acl_size - sizeof(struct smb_acl);
 	for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
+		if (offsetof(struct smb_ace, access_req) > aces_size)
+			break;
+		ace_size = le16_to_cpu(ace->size);
+		if (ace_size > aces_size)
+			break;
+		aces_size -= ace_size;
+
 		if (!compare_sids(&sid, &ace->sid) ||
 		    !compare_sids(&sid_unix_NFS_mode, &ace->sid)) {
 			found = 1;
@@ -1226,8 +1274,6 @@ int smb_check_perm_dacl(struct ksmbd_con
 			others_ace = ace;
 
 		ace = (struct smb_ace *)((char *)ace + le16_to_cpu(ace->size));
-		if (end_of_acl < (char *)ace)
-			goto err_out;
 	}
 
 	if (*pdaccess & FILE_MAXIMAL_ACCESS_LE && found) {
--- a/fs/ksmbd/smbacl.h
+++ b/fs/ksmbd/smbacl.h
@@ -193,7 +193,7 @@ struct posix_acl_state {
 int parse_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd,
 		   int acl_len, struct smb_fattr *fattr);
 int build_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd,
-		   struct smb_ntsd *ppntsd, int addition_info,
+		   struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info,
 		   __u32 *secdesclen, struct smb_fattr *fattr);
 int init_acl_state(struct posix_acl_state *state, int cnt);
 void free_acl_state(struct posix_acl_state *state);
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -1540,6 +1540,11 @@ int ksmbd_vfs_get_sd_xattr(struct ksmbd_
 	}
 
 	*pntsd = acl.sd_buf;
+	if (acl.sd_size < sizeof(struct smb_ntsd)) {
+		pr_err("sd size is invalid\n");
+		goto out_free;
+	}
+
 	(*pntsd)->osidoffset = cpu_to_le32(le32_to_cpu((*pntsd)->osidoffset) -
 					   NDR_NTSD_OFFSETOF);
 	(*pntsd)->gsidoffset = cpu_to_le32(le32_to_cpu((*pntsd)->gsidoffset) -
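
Review bot: `*pntsd = acl.sd_buf` is assigned before the new `acl.sd_size < sizeof(struct smb_ntsd)` check, so on the `goto out_free` path the caller's pointer is already set. If `out_free` releases `acl.sd_buf` (the label is outside this hunk), callers in this patch that `kfree()` the returned pointer unconditionally would free it twice. Moving the size check above the assignment, or resetting `*pntsd = NULL` before the jump, avoids having to reason about it; the hunk also does not show which error code is returned on this path.
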




* [PATCH 5.19 0113/1157] fuse: limit nsec
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0112/1157] ksmbd: fix heap-based overflow in set_ntacl_dacl() Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0114/1157] fuse: ioctl: translate ENOSYS Greg Kroah-Hartman
                   ` (882 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miklos Szeredi

From: Miklos Szeredi <mszeredi@redhat.com>

commit 47912eaa061a6a81e4aa790591a1874c650733c0 upstream.

Limit nanoseconds to 0..999999999.

Fixes: d8a5ba45457e ("[PATCH] FUSE - core")
Cc: <stable@vger.kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fuse/inode.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -180,6 +180,12 @@ void fuse_change_attributes_common(struc
 	inode->i_uid     = make_kuid(fc->user_ns, attr->uid);
 	inode->i_gid     = make_kgid(fc->user_ns, attr->gid);
 	inode->i_blocks  = attr->blocks;
+
+	/* Sanitize nsecs */
+	attr->atimensec = min_t(u32, attr->atimensec, NSEC_PER_SEC - 1);
+	attr->mtimensec = min_t(u32, attr->mtimensec, NSEC_PER_SEC - 1);
+	attr->ctimensec = min_t(u32, attr->ctimensec, NSEC_PER_SEC - 1);
+
 	inode->i_atime.tv_sec   = attr->atime;
 	inode->i_atime.tv_nsec  = attr->atimensec;
 	/* mtime from server may be stale due to local buffered write */
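
Review bot: The clamp writes back into `attr->atimensec`, `attr->mtimensec` and `attr->ctimensec`, modifying the structure the caller passed in as a side effect of fuse_change_attributes_common(). Applying `min_t()` in the `tv_nsec` assignments, or into locals, would leave the input untouched. The `/* Sanitize nsecs */` comment could also state that out-of-range values are clamped to `NSEC_PER_SEC - 1` and not rejected.
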




* [PATCH 5.19 0114/1157] fuse: ioctl: translate ENOSYS
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0113/1157] fuse: limit nsec Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0115/1157] fuse: write inode in fuse_release() Greg Kroah-Hartman
                   ` (881 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian Kohlschütter, Miklos Szeredi

From: Miklos Szeredi <mszeredi@redhat.com>

commit 02c0cab8e7345b06f1c0838df444e2902e4138d3 upstream.

Overlayfs may fail to complete updates when a filesystem lacks
fileattr/xattr syscall support and responds with an ENOSYS error code,
resulting in an unexpected "Function not implemented" error.

This bug may occur with FUSE filesystems, such as davfs2.

Steps to reproduce:

  # install davfs2, e.g., apk add davfs2
  mkdir /test mkdir /test/lower /test/upper /test/work /test/mnt
  yes '' | mount -t davfs -o ro http://some-web-dav-server/path \
    /test/lower
  mount -t overlay -o upperdir=/test/upper,lowerdir=/test/lower \
    -o workdir=/test/work overlay /test/mnt

  # when "some-file" exists in the lowerdir, this fails with "Function
  # not implemented", with dmesg showing "overlayfs: failed to retrieve
  # lower fileattr (/some-file, err=-38)"
  touch /test/mnt/some-file

The underlying cause of this regression is actually in FUSE, which fails to
translate the ENOSYS error code returned by userspace filesystem (which
means that the ioctl operation is not supported) to ENOTTY.

Reported-by: Christian Kohlschütter <christian@kohlschutter.com>
Fixes: 72db82115d2b ("ovl: copy up sync/noatime fileattr flags")
Fixes: 59efec7b9039 ("fuse: implement ioctl support")
Cc: <stable@vger.kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fuse/ioctl.c |   15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--- a/fs/fuse/ioctl.c
+++ b/fs/fuse/ioctl.c
@@ -9,6 +9,17 @@
 #include <linux/compat.h>
 #include <linux/fileattr.h>
 
+static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args)
+{
+	ssize_t ret = fuse_simple_request(fm, args);
+
+	/* Translate ENOSYS, which shouldn't be returned from fs */
+	if (ret == -ENOSYS)
+		ret = -ENOTTY;
+
+	return ret;
+}
+
 /*
  * CUSE servers compiled on 32bit broke on 64bit kernels because the
  * ABI was defined to be 'struct iovec' which is different on 32bit
@@ -259,7 +270,7 @@ long fuse_do_ioctl(struct file *file, un
 	ap.args.out_pages = true;
 	ap.args.out_argvar = true;
 
-	transferred = fuse_simple_request(fm, &ap.args);
+	transferred = fuse_send_ioctl(fm, &ap.args);
 	err = transferred;
 	if (transferred < 0)
 		goto out;
@@ -393,7 +404,7 @@ static int fuse_priv_ioctl(struct inode
 	args.out_args[1].size = inarg.out_size;
 	args.out_args[1].value = ptr;
 
-	err = fuse_simple_request(fm, &args);
+	err = fuse_send_ioctl(fm, &args);
 	if (!err) {
 		if (outarg.result < 0)
 			err = outarg.result;
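
Review bot: In fuse_priv_ioctl() only the transport return value goes through fuse_send_ioctl(); `outarg.result` is copied to `err` untranslated two lines later, so a server that reports `-ENOSYS` in the result field would still surface it to the caller. If that field can carry ENOSYS, apply the same ENOSYS to ENOTTY mapping there; if it cannot, a comment saying why would help.
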




* [PATCH 5.19 0115/1157] fuse: write inode in fuse_release()
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0114/1157] fuse: ioctl: translate ENOSYS Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0116/1157] fuse: fix deadlock between atomic O_TRUNC and page invalidation Greg Kroah-Hartman
                   ` (880 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+6e1efbd8efaaa6860e91, Miklos Szeredi

From: Miklos Szeredi <mszeredi@redhat.com>

commit 035ff33cf4db101250fb980a3941bf078f37a544 upstream.

A race between write(2) and close(2) allows pages to be dirtied after
fuse_flush -> write_inode_now().  If these pages are not flushed from
fuse_release(), then there might not be a writable open file later.  So any
remaining dirty pages must be written back before the file is released.

This is a partial revert of the blamed commit.

Reported-by: syzbot+6e1efbd8efaaa6860e91@syzkaller.appspotmail.com
Fixes: 36ea23374d1f ("fuse: write inode in fuse_vma_close() instead of fuse_release()")
Cc: <stable@vger.kernel.org> # v5.16
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fuse/file.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -338,6 +338,15 @@ static int fuse_open(struct inode *inode
 
 static int fuse_release(struct inode *inode, struct file *file)
 {
+	struct fuse_conn *fc = get_fuse_conn(inode);
+
+	/*
+	 * Dirty pages might remain despite write_inode_now() call from
+	 * fuse_flush() due to writes racing with the close.
+	 */
+	if (fc->writeback_cache)
+		write_inode_now(inode, 1);
+
 	fuse_release_common(file, false);
 
 	/* return value is ignored by VFS */
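
Review bot: The return value of `write_inode_now(inode, 1)` in fuse_release() is dropped, and the context comment below notes that the release return value is ignored by the VFS, so a writeback failure at this point is lost silently. Please extend the new comment to say that errors here are intentionally unreported, or record them where a later fsync can see them, and mention that the call is synchronous so the final close can block on writeback.
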




* [PATCH 5.19 0116/1157] fuse: fix deadlock between atomic O_TRUNC and page invalidation
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0115/1157] fuse: write inode in fuse_release() Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0117/1157] serial: mvebu-uart: uart2 error bits clearing Greg Kroah-Hartman
                   ` (879 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiachen Zhang, Miklos Szeredi

From: Miklos Szeredi <mszeredi@redhat.com>

commit 2fdbb8dd01556e1501132b5ad3826e8f71e24a8b upstream.

fuse_finish_open() will be called with FUSE_NOWRITE set in case of atomic
O_TRUNC open(), so commit 76224355db75 ("fuse: truncate pagecache on
atomic_o_trunc") replaced invalidate_inode_pages2() by truncate_pagecache()
in such a case to avoid the A-A deadlock. However, we found another A-B-B-A
deadlock related to the case above, which will cause the xfstests
generic/464 testcase to hang in our virtio-fs test environment.

For example, consider two processes concurrently opening the same file, one
with O_TRUNC and another without O_TRUNC. The deadlock case is described
below: if open(O_TRUNC) has already done set_nowrite (acquired A) and is
trying to lock a page (acquiring B), open() could already hold the page lock
(acquired B) and be waiting on the page writeback (acquiring A). This would
lead to deadlocks.

open(O_TRUNC)
----------------------------------------------------------------
fuse_open_common
  inode_lock            [C acquire]
  fuse_set_nowrite      [A acquire]

  fuse_finish_open
    truncate_pagecache
      lock_page         [B acquire]
      truncate_inode_page
      unlock_page       [B release]

  fuse_release_nowrite  [A release]
  inode_unlock          [C release]
----------------------------------------------------------------

open()
----------------------------------------------------------------
fuse_open_common
  fuse_finish_open
    invalidate_inode_pages2
      lock_page         [B acquire]
        fuse_launder_page
          fuse_wait_on_page_writeback [A acquire & release]
      unlock_page       [B release]
----------------------------------------------------------------

Besides this case, all calls of invalidate_inode_pages2() and
invalidate_inode_pages2_range() in fuse code also can deadlock with
open(O_TRUNC).

Fix by moving the truncate_pagecache() call outside the nowrite protected
region.  The nowrite protection is only for delayed writeback
(writeback_cache) case, where inode lock does not protect against
truncation racing with writes on the server.  Write syscalls racing with
page cache truncation still get the inode lock protection.

This patch also changes the order of filemap_invalidate_lock()
vs. fuse_set_nowrite() in fuse_open_common().  This new order matches the
order found in fuse_file_fallocate() and fuse_do_setattr().

Reported-by: Jiachen Zhang <zhangjiachen.jaycee@bytedance.com>
Tested-by: Jiachen Zhang <zhangjiachen.jaycee@bytedance.com>
Fixes: e4648309b85a ("fuse: truncate pending writes on O_TRUNC")
Cc: <stable@vger.kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fuse/dir.c  |    7 ++++++-
 fs/fuse/file.c |   30 +++++++++++++++++-------------
 2 files changed, 23 insertions(+), 14 deletions(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -537,6 +537,7 @@ static int fuse_create_open(struct inode
 	struct fuse_file *ff;
 	void *security_ctx = NULL;
 	u32 security_ctxlen;
+	bool trunc = flags & O_TRUNC;
 
 	/* Userspace expects S_IFREG in create mode */
 	BUG_ON((mode & S_IFMT) != S_IFREG);
@@ -561,7 +562,7 @@ static int fuse_create_open(struct inode
 	inarg.mode = mode;
 	inarg.umask = current_umask();
 
-	if (fm->fc->handle_killpriv_v2 && (flags & O_TRUNC) &&
+	if (fm->fc->handle_killpriv_v2 && trunc &&
 	    !(flags & O_EXCL) && !capable(CAP_FSETID)) {
 		inarg.open_flags |= FUSE_OPEN_KILL_SUIDGID;
 	}
@@ -623,6 +624,10 @@ static int fuse_create_open(struct inode
 	} else {
 		file->private_data = ff;
 		fuse_finish_open(inode, file);
+		if (fm->fc->atomic_o_trunc && trunc)
+			truncate_pagecache(inode, 0);
+		else if (!(ff->open_flags & FOPEN_KEEP_CACHE))
+			invalidate_inode_pages2(inode->i_mapping);
 	}
 	return err;
 
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -210,13 +210,9 @@ void fuse_finish_open(struct inode *inod
 		fi->attr_version = atomic64_inc_return(&fc->attr_version);
 		i_size_write(inode, 0);
 		spin_unlock(&fi->lock);
-		truncate_pagecache(inode, 0);
 		file_update_time(file);
 		fuse_invalidate_attr_mask(inode, FUSE_STATX_MODSIZE);
-	} else if (!(ff->open_flags & FOPEN_KEEP_CACHE)) {
-		invalidate_inode_pages2(inode->i_mapping);
 	}
-
 	if ((file->f_mode & FMODE_WRITE) && fc->writeback_cache)
 		fuse_link_write_file(file);
 }
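Review bot: removing truncate_pagecache() and invalidate_inode_pages2() from fuse_finish_open() changes its contract for every caller, and nothing in the function says so. This patch re-adds the calls in fuse_create_open() and fuse_open_common(), as two copies of the same four lines that differ only in how O_TRUNC is tested (`trunc` from `flags` in one, `file->f_flags & O_TRUNC` in the other); any other caller of fuse_finish_open() would now open without invalidating the page cache. Please add a comment above fuse_finish_open() stating that the caller is responsible for page-cache truncation or invalidation, and consider a small helper so the two call sites cannot drift apart. The hunk also drops the blank line before the `if ((file->f_mode & FMODE_WRITE) ...` test, which looks unintentional.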
@@ -239,30 +235,38 @@ int fuse_open_common(struct inode *inode
 	if (err)
 		return err;
 
-	if (is_wb_truncate || dax_truncate) {
+	if (is_wb_truncate || dax_truncate)
 		inode_lock(inode);
-		fuse_set_nowrite(inode);
-	}
 
 	if (dax_truncate) {
 		filemap_invalidate_lock(inode->i_mapping);
 		err = fuse_dax_break_layouts(inode, 0, 0);
 		if (err)
-			goto out;
+			goto out_inode_unlock;
 	}
 
+	if (is_wb_truncate || dax_truncate)
+		fuse_set_nowrite(inode);
+
 	err = fuse_do_open(fm, get_node_id(inode), file, isdir);
 	if (!err)
 		fuse_finish_open(inode, file);
 
-out:
+	if (is_wb_truncate || dax_truncate)
+		fuse_release_nowrite(inode);
+	if (!err) {
+		struct fuse_file *ff = file->private_data;
+
+		if (fc->atomic_o_trunc && (file->f_flags & O_TRUNC))
+			truncate_pagecache(inode, 0);
+		else if (!(ff->open_flags & FOPEN_KEEP_CACHE))
+			invalidate_inode_pages2(inode->i_mapping);
+	}
 	if (dax_truncate)
 		filemap_invalidate_unlock(inode->i_mapping);
-
-	if (is_wb_truncate | dax_truncate) {
-		fuse_release_nowrite(inode);
+out_inode_unlock:
+	if (is_wb_truncate || dax_truncate)
 		inode_unlock(inode);
-	}
 
 	return err;
 }
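Review bot: the new `goto out_inode_unlock` on fuse_dax_break_layouts() failure jumps past `filemap_invalidate_unlock(inode->i_mapping)`, but filemap_invalidate_lock() was taken two lines earlier in the same `if (dax_truncate)` block, so the error path returns with the invalidate lock still held. The old `goto out` landed before the unlock. Either release the lock before the goto or add a second label ahead of the `if (dax_truncate) filemap_invalidate_unlock(...)` line. Separately, the page-cache truncation now runs after fuse_release_nowrite() but still under inode_lock() in the is_wb_truncate and dax_truncate cases; a short comment at that block recording why nowrite has to be released first (the page-lock deadlock from the changelog) would help the next reader.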




* [PATCH 5.19 0117/1157] serial: mvebu-uart: uart2 error bits clearing
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0116/1157] fuse: fix deadlock between atomic O_TRUNC and page invalidation Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0118/1157] md-raid: destroy the bitmap after destroying the thread Greg Kroah-Hartman
                   ` (878 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yi Guo, Nadav Haklai, Narendra Hadke,
	Pali Rohár

From: Narendra Hadke <nhadke@marvell.com>

commit a7209541239e5dd44d981289e5f9059222d40fd1 upstream.

For mvebu uart2, error bits are not cleared on buffer read.
This causes an interrupt loop and a system hang.

Cc: stable@vger.kernel.org
Reviewed-by: Yi Guo <yi.guo@cavium.com>
Reviewed-by: Nadav Haklai <nadavh@marvell.com>
Signed-off-by: Narendra Hadke <nhadke@marvell.com>
Signed-off-by: Pali Rohár <pali@kernel.org>
Link: https://lore.kernel.org/r/20220726091221.12358-1-pali@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/mvebu-uart.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/tty/serial/mvebu-uart.c b/drivers/tty/serial/mvebu-uart.c
index 0429c2a54290..ff61a8d00014 100644
--- a/drivers/tty/serial/mvebu-uart.c
+++ b/drivers/tty/serial/mvebu-uart.c
@@ -265,6 +265,7 @@ static void mvebu_uart_rx_chars(struct uart_port *port, unsigned int status)
 	struct tty_port *tport = &port->state->port;
 	unsigned char ch = 0;
 	char flag = 0;
+	int ret;
 
 	do {
 		if (status & STAT_RX_RDY(port)) {
@@ -277,6 +278,16 @@ static void mvebu_uart_rx_chars(struct uart_port *port, unsigned int status)
 				port->icount.parity++;
 		}
 
+		/*
+		 * For UART2, error bits are not cleared on buffer read.
+		 * This causes interrupt loop and system hang.
+		 */
+		if (IS_EXTENDED(port) && (status & STAT_BRK_ERR)) {
+			ret = readl(port->membase + UART_STAT);
+			ret |= STAT_BRK_ERR;
+			writel(ret, port->membase + UART_STAT);
+		}
+
 		if (status & STAT_BRK_DET) {
 			port->icount.brk++;
 			status &= ~(STAT_FRM_ERR | STAT_PAR_ERR);
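Review bot: in the added block, `ret` is declared `int` but holds the register value from readl() and is never a return code; a `u32` with a name that says it is the status register would match what it carries. The comment says "error bits" while the code only handles STAT_BRK_ERR, and it does not say that the bit is cleared by writing 1 to it. Because the write is a read-modify-write of UART_STAT, every other bit that read back as 1 is written back as 1 too; if any of those are also write-to-clear, they are cleared as a side effect. Please state in the comment which bits are affected and why writing the others back is harmless.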
-- 
2.37.1





* [PATCH 5.19 0118/1157] md-raid: destroy the bitmap after destroying the thread
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0117/1157] serial: mvebu-uart: uart2 error bits clearing Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0119/1157] md-raid10: fix KASAN warning Greg Kroah-Hartman
                   ` (877 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Song Liu, Jens Axboe

From: Mikulas Patocka <mpatocka@redhat.com>

commit e151db8ecfb019b7da31d076130a794574c89f6f upstream.

When we ran the lvm test "shell/integrity-blocksize-3.sh" on a kernel with
kasan, we got a failure in write_page.

The reason for the failure is that md_bitmap_destroy is called before
destroying the thread and the thread may be waiting in the function
write_page for the bio to complete. When the thread finishes waiting, it
executes "if (test_bit(BITMAP_WRITE_ERROR, &bitmap->flags))", which
triggers the kasan warning.

Note that the commit 48df498daf62 that caused this bug claims that it is
needed for md-cluster; you should check md-cluster and possibly find
another bugfix for it.

BUG: KASAN: use-after-free in write_page+0x18d/0x680 [md_mod]
Read of size 8 at addr ffff889162030c78 by task mdX_raid1/5539

CPU: 10 PID: 5539 Comm: mdX_raid1 Not tainted 5.19.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x34/0x44
 print_report.cold+0x45/0x57a
 ? __lock_text_start+0x18/0x18
 ? write_page+0x18d/0x680 [md_mod]
 kasan_report+0xa8/0xe0
 ? write_page+0x18d/0x680 [md_mod]
 kasan_check_range+0x13f/0x180
 write_page+0x18d/0x680 [md_mod]
 ? super_sync+0x4d5/0x560 [dm_raid]
 ? md_bitmap_file_kick+0xa0/0xa0 [md_mod]
 ? rs_set_dev_and_array_sectors+0x2e0/0x2e0 [dm_raid]
 ? mutex_trylock+0x120/0x120
 ? preempt_count_add+0x6b/0xc0
 ? preempt_count_sub+0xf/0xc0
 md_update_sb+0x707/0xe40 [md_mod]
 md_reap_sync_thread+0x1b2/0x4a0 [md_mod]
 md_check_recovery+0x533/0x960 [md_mod]
 raid1d+0xc8/0x2a20 [raid1]
 ? var_wake_function+0xe0/0xe0
 ? psi_group_change+0x411/0x500
 ? preempt_count_sub+0xf/0xc0
 ? _raw_spin_lock_irqsave+0x78/0xc0
 ? __lock_text_start+0x18/0x18
 ? raid1_end_read_request+0x2a0/0x2a0 [raid1]
 ? preempt_count_sub+0xf/0xc0
 ? _raw_spin_unlock_irqrestore+0x19/0x40
 ? del_timer_sync+0xa9/0x100
 ? try_to_del_timer_sync+0xc0/0xc0
 ? _raw_spin_lock_irqsave+0x78/0xc0
 ? __lock_text_start+0x18/0x18
 ? __list_del_entry_valid+0x68/0xa0
 ? finish_wait+0xa3/0x100
 md_thread+0x161/0x260 [md_mod]
 ? unregister_md_personality+0xa0/0xa0 [md_mod]
 ? _raw_spin_lock_irqsave+0x78/0xc0
 ? prepare_to_wait_event+0x2c0/0x2c0
 ? unregister_md_personality+0xa0/0xa0 [md_mod]
 kthread+0x148/0x180
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x1f/0x30
 </TASK>

Allocated by task 5522:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x80/0xa0
 md_bitmap_create+0xa8/0xe80 [md_mod]
 md_run+0x777/0x1300 [md_mod]
 raid_ctr+0x249c/0x4a30 [dm_raid]
 dm_table_add_target+0x2b0/0x620 [dm_mod]
 table_load+0x1c8/0x400 [dm_mod]
 ctl_ioctl+0x29e/0x560 [dm_mod]
 dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]
 __do_compat_sys_ioctl+0xfa/0x160
 do_syscall_64+0x90/0xc0
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 5680:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x40
 kasan_set_free_info+0x20/0x40
 __kasan_slab_free+0xf7/0x140
 kfree+0x80/0x240
 md_bitmap_free+0x1c3/0x280 [md_mod]
 __md_stop+0x21/0x120 [md_mod]
 md_stop+0x9/0x40 [md_mod]
 raid_dtr+0x1b/0x40 [dm_raid]
 dm_table_destroy+0x98/0x1e0 [dm_mod]
 __dm_destroy+0x199/0x360 [dm_mod]
 dev_remove+0x10c/0x160 [dm_mod]
 ctl_ioctl+0x29e/0x560 [dm_mod]
 dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]
 __do_compat_sys_ioctl+0xfa/0x160
 do_syscall_64+0x90/0xc0
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 48df498daf62 ("md: move bitmap_destroy to the beginning of __md_stop")
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/md.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -6244,11 +6244,11 @@ static void mddev_detach(struct mddev *m
 static void __md_stop(struct mddev *mddev)
 {
 	struct md_personality *pers = mddev->pers;
-	md_bitmap_destroy(mddev);
 	mddev_detach(mddev);
 	/* Ensure ->event_work is done */
 	if (mddev->event_work.func)
 		flush_workqueue(md_misc_wq);
+	md_bitmap_destroy(mddev);
 	spin_lock(&mddev->lock);
 	mddev->pers = NULL;
 	spin_unlock(&mddev->lock);
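Review bot: the fix depends entirely on md_bitmap_destroy() now running after mddev_detach() and the flush_workqueue() call, yet nothing in __md_stop() records that ordering requirement. A comment above the moved line, saying that the md thread may still be in write_page() reading bitmap->flags until the thread has been destroyed, would stop someone from moving the call back, which is what 48df498daf62 did. The changelog also leaves open whether md-cluster still needs the earlier destroy; that should be resolved or tracked rather than left as a remark in the commit message.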




* [PATCH 5.19 0119/1157] md-raid10: fix KASAN warning
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0118/1157] md-raid: destroy the bitmap after destroying the thread Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0120/1157] mbcache: dont reclaim used entries Greg Kroah-Hartman
                   ` (876 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Song Liu, Jens Axboe

From: Mikulas Patocka <mpatocka@redhat.com>

commit d17f744e883b2f8d13cca252d71cfe8ace346f7d upstream.

There's a KASAN warning in raid10_remove_disk when running the lvm
test lvconvert-raid-reshape.sh. We fix this warning by verifying that the
value "number" is valid.

BUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10]
Read of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682

CPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x34/0x44
 print_report.cold+0x45/0x57a
 ? __lock_text_start+0x18/0x18
 ? raid10_remove_disk+0x61/0x2a0 [raid10]
 kasan_report+0xa8/0xe0
 ? raid10_remove_disk+0x61/0x2a0 [raid10]
 raid10_remove_disk+0x61/0x2a0 [raid10]
Buffer I/O error on dev dm-76, logical block 15344, async page read
 ? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0
 remove_and_add_spares+0x367/0x8a0 [md_mod]
 ? super_written+0x1c0/0x1c0 [md_mod]
 ? mutex_trylock+0xac/0x120
 ? _raw_spin_lock+0x72/0xc0
 ? _raw_spin_lock_bh+0xc0/0xc0
 md_check_recovery+0x848/0x960 [md_mod]
 raid10d+0xcf/0x3360 [raid10]
 ? sched_clock_cpu+0x185/0x1a0
 ? rb_erase+0x4d4/0x620
 ? var_wake_function+0xe0/0xe0
 ? psi_group_change+0x411/0x500
 ? preempt_count_sub+0xf/0xc0
 ? _raw_spin_lock_irqsave+0x78/0xc0
 ? __lock_text_start+0x18/0x18
 ? raid10_sync_request+0x36c0/0x36c0 [raid10]
 ? preempt_count_sub+0xf/0xc0
 ? _raw_spin_unlock_irqrestore+0x19/0x40
 ? del_timer_sync+0xa9/0x100
 ? try_to_del_timer_sync+0xc0/0xc0
 ? _raw_spin_lock_irqsave+0x78/0xc0
 ? __lock_text_start+0x18/0x18
 ? _raw_spin_unlock_irq+0x11/0x24
 ? __list_del_entry_valid+0x68/0xa0
 ? finish_wait+0xa3/0x100
 md_thread+0x161/0x260 [md_mod]
 ? unregister_md_personality+0xa0/0xa0 [md_mod]
 ? _raw_spin_lock_irqsave+0x78/0xc0
 ? prepare_to_wait_event+0x2c0/0x2c0
 ? unregister_md_personality+0xa0/0xa0 [md_mod]
 kthread+0x148/0x180
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x1f/0x30
 </TASK>

Allocated by task 124495:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x80/0xa0
 setup_conf+0x140/0x5c0 [raid10]
 raid10_run+0x4cd/0x740 [raid10]
 md_run+0x6f9/0x1300 [md_mod]
 raid_ctr+0x2531/0x4ac0 [dm_raid]
 dm_table_add_target+0x2b0/0x620 [dm_mod]
 table_load+0x1c8/0x400 [dm_mod]
 ctl_ioctl+0x29e/0x560 [dm_mod]
 dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]
 __do_compat_sys_ioctl+0xfa/0x160
 do_syscall_64+0x90/0xc0
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0x9e/0xc0
 kvfree_call_rcu+0x84/0x480
 timerfd_release+0x82/0x140
 __fput+0xfa/0x400
 task_work_run+0x80/0xc0
 exit_to_user_mode_prepare+0x155/0x160
 syscall_exit_to_user_mode+0x12/0x40
 do_syscall_64+0x42/0xc0
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Second to last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0x9e/0xc0
 kvfree_call_rcu+0x84/0x480
 timerfd_release+0x82/0x140
 __fput+0xfa/0x400
 task_work_run+0x80/0xc0
 exit_to_user_mode_prepare+0x155/0x160
 syscall_exit_to_user_mode+0x12/0x40
 do_syscall_64+0x42/0xc0
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

The buggy address belongs to the object at ffff889108f3d200
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes to the right of
 256-byte region [ffff889108f3d200, ffff889108f3d300)

The buggy address belongs to the physical page:
page:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c
head:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=2)
raw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff889108f3d280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff889108f3d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff889108f3d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff889108f3d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/raid10.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -2167,9 +2167,12 @@ static int raid10_remove_disk(struct mdd
 	int err = 0;
 	int number = rdev->raid_disk;
 	struct md_rdev **rdevp;
-	struct raid10_info *p = conf->mirrors + number;
+	struct raid10_info *p;
 
 	print_conf(conf);
+	if (unlikely(number >= mddev->raid_disks))
+		return 0;
+	p = conf->mirrors + number;
 	if (rdev == p->rdev)
 		rdevp = &p->rdev;
 	else if (rdev == p->replacement)
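Review bot: the new check only rejects `number >= mddev->raid_disks`; `number` is a signed int copied from rdev->raid_disk, so a negative value still passes and `conf->mirrors + number` then points before the array. If raid_disk can be negative on this path, add `number < 0` to the condition; if it cannot, say why in a comment. Returning 0 for an out-of-range slot also reports success to the caller without removing anything, which deserves a comment explaining that this is intended.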




* [PATCH 5.19 0120/1157] mbcache: dont reclaim used entries
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0119/1157] md-raid10: fix KASAN warning Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0121/1157] mbcache: add functions to delete entry if unused Greg Kroah-Hartman
                   ` (875 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jan Kara, Theodore Tso

From: Jan Kara <jack@suse.cz>

commit 58318914186c157477b978b1739dfe2f1b9dc0fe upstream.

Do not reclaim entries that are currently used by somebody from a
shrinker. Firstly, these entries are likely useful. Secondly, we will
need to keep such entries to protect pending increment of xattr block
refcount.

CC: stable@vger.kernel.org
Fixes: 82939d7999df ("ext4: convert to mbcache2")
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220712105436.32204-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/mbcache.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/fs/mbcache.c
+++ b/fs/mbcache.c
@@ -288,7 +288,7 @@ static unsigned long mb_cache_shrink(str
 	while (nr_to_scan-- && !list_empty(&cache->c_list)) {
 		entry = list_first_entry(&cache->c_list,
 					 struct mb_cache_entry, e_list);
-		if (entry->e_referenced) {
+		if (entry->e_referenced || atomic_read(&entry->e_refcnt) > 2) {
 			entry->e_referenced = 0;
 			list_move_tail(&entry->e_list, &cache->c_list);
 			continue;
@@ -302,6 +302,14 @@ static unsigned long mb_cache_shrink(str
 		spin_unlock(&cache->c_list_lock);
 		head = mb_cache_entry_head(cache, entry->e_key);
 		hlist_bl_lock(head);
+		/* Now a reliable check if the entry didn't get used... */
+		if (atomic_read(&entry->e_refcnt) > 2) {
+			hlist_bl_unlock(head);
+			spin_lock(&cache->c_list_lock);
+			list_add_tail(&entry->e_list, &cache->c_list);
+			cache->c_entry_count++;
+			continue;
+		}
 		if (!hlist_bl_unhashed(&entry->e_hash_list)) {
 			hlist_bl_del_init(&entry->e_hash_list);
 			atomic_dec(&entry->e_refcnt);
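Review bot: the threshold `> 2` appears in this hunk and in the first one as a bare number, with no indication of which two references form the baseline that does not count as a user. Please name it (a small helper or a #define) or add a comment listing the references it stands for. In this hunk the entry is put back with list_add_tail() and c_entry_count++ but, unlike the first hunk's skip path, without touching e_referenced; if that is deliberate, a word in the comment would help. The comment "Now a reliable check" should also say what makes it reliable, presumably that it is done under hlist_bl_lock(head).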




* [PATCH 5.19 0121/1157] mbcache: add functions to delete entry if unused
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0120/1157] mbcache: dont reclaim used entries Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0122/1157] media: isl7998x: select V4L2_FWNODE to fix build error Greg Kroah-Hartman
                   ` (874 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jan Kara, Theodore Tso

From: Jan Kara <jack@suse.cz>

commit 3dc96bba65f53daa217f0a8f43edad145286a8f5 upstream.

Add function mb_cache_entry_delete_or_get() to delete an mbcache entry if
it is unused and also add a function to wait for an entry to become unused
- mb_cache_entry_wait_unused(). We do not share code between the two
deleting functions as one of them will go away soon.

CC: stable@vger.kernel.org
Fixes: 82939d7999df ("ext4: convert to mbcache2")
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220712105436.32204-2-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/mbcache.c            |   66 ++++++++++++++++++++++++++++++++++++++++++++++--
 include/linux/mbcache.h |   10 ++++++-
 2 files changed, 73 insertions(+), 3 deletions(-)

--- a/fs/mbcache.c
+++ b/fs/mbcache.c
@@ -11,7 +11,7 @@
 /*
  * Mbcache is a simple key-value store. Keys need not be unique, however
  * key-value pairs are expected to be unique (we use this fact in
- * mb_cache_entry_delete()).
+ * mb_cache_entry_delete_or_get()).
  *
  * Ext2 and ext4 use this cache for deduplication of extended attribute blocks.
  * Ext4 also uses it for deduplication of xattr values stored in inodes.
@@ -125,6 +125,19 @@ void __mb_cache_entry_free(struct mb_cac
 }
 EXPORT_SYMBOL(__mb_cache_entry_free);
 
+/*
+ * mb_cache_entry_wait_unused - wait to be the last user of the entry
+ *
+ * @entry - entry to work on
+ *
+ * Wait to be the last user of the entry.
+ */
+void mb_cache_entry_wait_unused(struct mb_cache_entry *entry)
+{
+	wait_var_event(&entry->e_refcnt, atomic_read(&entry->e_refcnt) <= 3);
+}
+EXPORT_SYMBOL(mb_cache_entry_wait_unused);
+
 static struct mb_cache_entry *__entry_find(struct mb_cache *cache,
 					   struct mb_cache_entry *entry,
 					   u32 key)
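Review bot: the comment on mb_cache_entry_wait_unused() says "wait to be the last user" but the condition is `atomic_read(&entry->e_refcnt) <= 3`, and nothing explains why 3. The comment should list the references that make up the 3 and state that the caller must already hold one of them. The same number is used for the wake-up in mb_cache_entry_put() in include/linux/mbcache.h and has to stay in step with this one, so a shared named constant would be safer than two literals.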
@@ -217,7 +230,7 @@ out:
 }
 EXPORT_SYMBOL(mb_cache_entry_get);
 
-/* mb_cache_entry_delete - remove a cache entry
+/* mb_cache_entry_delete - try to remove a cache entry
  * @cache - cache we work with
  * @key - key
  * @value - value
@@ -254,6 +267,55 @@ void mb_cache_entry_delete(struct mb_cac
 }
 EXPORT_SYMBOL(mb_cache_entry_delete);
 
+/* mb_cache_entry_delete_or_get - remove a cache entry if it has no users
+ * @cache - cache we work with
+ * @key - key
+ * @value - value
+ *
+ * Remove entry from cache @cache with key @key and value @value. The removal
+ * happens only if the entry is unused. The function returns NULL in case the
+ * entry was successfully removed or there's no entry in cache. Otherwise the
+ * function grabs reference of the entry that we failed to delete because it
+ * still has users and return it.
+ */
+struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache,
+						    u32 key, u64 value)
+{
+	struct hlist_bl_node *node;
+	struct hlist_bl_head *head;
+	struct mb_cache_entry *entry;
+
+	head = mb_cache_entry_head(cache, key);
+	hlist_bl_lock(head);
+	hlist_bl_for_each_entry(entry, node, head, e_hash_list) {
+		if (entry->e_key == key && entry->e_value == value) {
+			if (atomic_read(&entry->e_refcnt) > 2) {
+				atomic_inc(&entry->e_refcnt);
+				hlist_bl_unlock(head);
+				return entry;
+			}
+			/* We keep hash list reference to keep entry alive */
+			hlist_bl_del_init(&entry->e_hash_list);
+			hlist_bl_unlock(head);
+			spin_lock(&cache->c_list_lock);
+			if (!list_empty(&entry->e_list)) {
+				list_del_init(&entry->e_list);
+				if (!WARN_ONCE(cache->c_entry_count == 0,
+		"mbcache: attempt to decrement c_entry_count past zero"))
+					cache->c_entry_count--;
+				atomic_dec(&entry->e_refcnt);
+			}
+			spin_unlock(&cache->c_list_lock);
+			mb_cache_entry_put(cache, entry);
+			return NULL;
+		}
+	}
+	hlist_bl_unlock(head);
+
+	return NULL;
+}
+EXPORT_SYMBOL(mb_cache_entry_delete_or_get);
+
 /* mb_cache_entry_touch - cache entry got used
  * @cache - cache the entry belongs to
  * @entry - entry that got used
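Review bot: mb_cache_entry_delete_or_get() returns NULL both when the entry was removed and when no matching entry exists, and returns a referenced entry otherwise, but the comment does not tell the caller that the returned reference has to be dropped with mb_cache_entry_put(). Please add that, and fix "and return it" to "and returns it". The WARN_ONCE() message string on its own line is indented far to the left of the call it belongs to, which breaks the continuation alignment of the surrounding code. The literal 2 in `atomic_read(&entry->e_refcnt) > 2` is also undocumented; say which references it counts.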
--- a/include/linux/mbcache.h
+++ b/include/linux/mbcache.h
@@ -30,15 +30,23 @@ void mb_cache_destroy(struct mb_cache *c
 int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key,
 			  u64 value, bool reusable);
 void __mb_cache_entry_free(struct mb_cache_entry *entry);
+void mb_cache_entry_wait_unused(struct mb_cache_entry *entry);
 static inline int mb_cache_entry_put(struct mb_cache *cache,
 				     struct mb_cache_entry *entry)
 {
-	if (!atomic_dec_and_test(&entry->e_refcnt))
+	unsigned int cnt = atomic_dec_return(&entry->e_refcnt);
+
+	if (cnt > 0) {
+		if (cnt <= 3)
+			wake_up_var(&entry->e_refcnt);
 		return 0;
+	}
 	__mb_cache_entry_free(entry);
 	return 1;
 }
 
+struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache,
+						    u32 key, u64 value);
 void mb_cache_entry_delete(struct mb_cache *cache, u32 key, u64 value);
 struct mb_cache_entry *mb_cache_entry_get(struct mb_cache *cache, u32 key,
 					  u64 value);
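Review bot: in mb_cache_entry_put(), `cnt` is declared `unsigned int` but atomic_dec_return() returns an int, so a reference-count underflow (a negative result) becomes a large positive value, takes the `cnt > 0` branch and returns 0 silently. Keeping `cnt` as int and warning on a negative value would make an unbalanced put visible. The `cnt <= 3` wake-up threshold duplicates the literal in mb_cache_entry_wait_unused() and should share a named constant with it.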




* [PATCH 5.19 0122/1157] media: isl7998x: select V4L2_FWNODE to fix build error
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0121/1157] mbcache: add functions to delete entry if unused Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0123/1157] media: [PATCH] pci: atomisp_cmd: fix three missing checks on list iterator Greg Kroah-Hartman
                   ` (873 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, kernel test robot,
	Marek Vasut, Pengutronix Kernel Team, Michael Tretter,
	Sakari Ailus, Mauro Carvalho Chehab

From: Randy Dunlap <rdunlap@infradead.org>

commit 81e005842d0b8167c059553a1c29c36d8a7a9329 upstream.

Fix build error when VIDEO_ISL7998X=y and V4L2_FWNODE=m
by selecting V4L2_FWNODE.

microblaze-linux-ld: drivers/media/i2c/isl7998x.o: in function `isl7998x_probe':
(.text+0x8f4): undefined reference to `v4l2_fwnode_endpoint_parse'

Cc: stable@vger.kernel.org # 5.18 and above
Fixes: 51ef2be546e2 ("media: i2c: isl7998x: Add driver for Intersil ISL7998x")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: kernel test robot <lkp@intel.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
Reviewed-by: Michael Tretter <m.tretter@pengutronix.de>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/i2c/Kconfig |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/media/i2c/Kconfig
+++ b/drivers/media/i2c/Kconfig
@@ -1178,6 +1178,7 @@ config VIDEO_ISL7998X
 	depends on OF_GPIO
 	select MEDIA_CONTROLLER
 	select VIDEO_V4L2_SUBDEV_API
+	select V4L2_FWNODE
 	help
 	  Support for Intersil ISL7998x analog to MIPI-CSI2 or
 	  BT.656 decoder.




* [PATCH 5.19 0123/1157] media: [PATCH] pci: atomisp_cmd: fix three missing checks on list iterator
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0122/1157] media: isl7998x: select V4L2_FWNODE to fix build error Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0124/1157] ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr() Greg Kroah-Hartman
                   ` (872 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiaomeng Tong, Mauro Carvalho Chehab

From: Xiaomeng Tong <xiam0nd.tong@gmail.com>

commit 09b204eb9de9fdf07d028c41c4331b5cfeb70dd7 upstream.

The three bugs are here:
	__func__, s3a_buf->s3a_data->exp_id);
	__func__, md_buf->metadata->exp_id);
	__func__, dis_buf->dis_data->exp_id);

The list iterator 's3a_buf/md_buf/dis_buf' will point to a bogus
position containing HEAD if the list is empty or no element is found.
This case must be checked before any use of the iterator, otherwise
it will lead to an invalid memory access.

To fix this bug, add a check. Use a new variable '*_iter' as the
list iterator, while using the old variable '*_buf' as a dedicated
pointer to point to the found element.

Link: https://lore.kernel.org/linux-media/20220414041415.3342-1-xiam0nd.tong@gmail.com
Cc: stable@vger.kernel.org
Fixes: ad85094b293e4 ("Revert "media: staging: atomisp: Remove driver"")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/media/atomisp/pci/atomisp_cmd.c |   57 +++++++++++++++---------
 1 file changed, 36 insertions(+), 21 deletions(-)

--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
@@ -901,9 +901,9 @@ void atomisp_buf_done(struct atomisp_sub
 	int err;
 	unsigned long irqflags;
 	struct ia_css_frame *frame = NULL;
-	struct atomisp_s3a_buf *s3a_buf = NULL, *_s3a_buf_tmp;
-	struct atomisp_dis_buf *dis_buf = NULL, *_dis_buf_tmp;
-	struct atomisp_metadata_buf *md_buf = NULL, *_md_buf_tmp;
+	struct atomisp_s3a_buf *s3a_buf = NULL, *_s3a_buf_tmp, *s3a_iter;
+	struct atomisp_dis_buf *dis_buf = NULL, *_dis_buf_tmp, *dis_iter;
+	struct atomisp_metadata_buf *md_buf = NULL, *_md_buf_tmp, *md_iter;
 	enum atomisp_metadata_type md_type;
 	struct atomisp_device *isp = asd->isp;
 	struct v4l2_control ctrl;
@@ -942,60 +942,75 @@ void atomisp_buf_done(struct atomisp_sub
 
 	switch (buf_type) {
 	case IA_CSS_BUFFER_TYPE_3A_STATISTICS:
-		list_for_each_entry_safe(s3a_buf, _s3a_buf_tmp,
+		list_for_each_entry_safe(s3a_iter, _s3a_buf_tmp,
 					 &asd->s3a_stats_in_css, list) {
-			if (s3a_buf->s3a_data ==
+			if (s3a_iter->s3a_data ==
 			    buffer.css_buffer.data.stats_3a) {
-				list_del_init(&s3a_buf->list);
-				list_add_tail(&s3a_buf->list,
+				list_del_init(&s3a_iter->list);
+				list_add_tail(&s3a_iter->list,
 					      &asd->s3a_stats_ready);
+				s3a_buf = s3a_iter;
 				break;
 			}
 		}
 
 		asd->s3a_bufs_in_css[css_pipe_id]--;
 		atomisp_3a_stats_ready_event(asd, buffer.css_buffer.exp_id);
-		dev_dbg(isp->dev, "%s: s3a stat with exp_id %d is ready\n",
-			__func__, s3a_buf->s3a_data->exp_id);
+		if (s3a_buf)
+			dev_dbg(isp->dev, "%s: s3a stat with exp_id %d is ready\n",
+				__func__, s3a_buf->s3a_data->exp_id);
+		else
+			dev_dbg(isp->dev, "%s: s3a stat is ready with no exp_id found\n",
+				__func__);
 		break;
 	case IA_CSS_BUFFER_TYPE_METADATA:
 		if (error)
 			break;
 
 		md_type = atomisp_get_metadata_type(asd, css_pipe_id);
-		list_for_each_entry_safe(md_buf, _md_buf_tmp,
+		list_for_each_entry_safe(md_iter, _md_buf_tmp,
 					 &asd->metadata_in_css[md_type], list) {
-			if (md_buf->metadata ==
+			if (md_iter->metadata ==
 			    buffer.css_buffer.data.metadata) {
-				list_del_init(&md_buf->list);
-				list_add_tail(&md_buf->list,
+				list_del_init(&md_iter->list);
+				list_add_tail(&md_iter->list,
 					      &asd->metadata_ready[md_type]);
+				md_buf = md_iter;
 				break;
 			}
 		}
 		asd->metadata_bufs_in_css[stream_id][css_pipe_id]--;
 		atomisp_metadata_ready_event(asd, md_type);
-		dev_dbg(isp->dev, "%s: metadata with exp_id %d is ready\n",
-			__func__, md_buf->metadata->exp_id);
+		if (md_buf)
+			dev_dbg(isp->dev, "%s: metadata with exp_id %d is ready\n",
+				__func__, md_buf->metadata->exp_id);
+		else
+			dev_dbg(isp->dev, "%s: metadata is ready with no exp_id found\n",
+				__func__);
 		break;
 	case IA_CSS_BUFFER_TYPE_DIS_STATISTICS:
-		list_for_each_entry_safe(dis_buf, _dis_buf_tmp,
+		list_for_each_entry_safe(dis_iter, _dis_buf_tmp,
 					 &asd->dis_stats_in_css, list) {
-			if (dis_buf->dis_data ==
+			if (dis_iter->dis_data ==
 			    buffer.css_buffer.data.stats_dvs) {
 				spin_lock_irqsave(&asd->dis_stats_lock,
 						  irqflags);
-				list_del_init(&dis_buf->list);
-				list_add(&dis_buf->list, &asd->dis_stats);
+				list_del_init(&dis_iter->list);
+				list_add(&dis_iter->list, &asd->dis_stats);
 				asd->params.dis_proj_data_valid = true;
 				spin_unlock_irqrestore(&asd->dis_stats_lock,
 						       irqflags);
+				dis_buf = dis_iter;
 				break;
 			}
 		}
 		asd->dis_bufs_in_css--;
-		dev_dbg(isp->dev, "%s: dis stat with exp_id %d is ready\n",
-			__func__, dis_buf->dis_data->exp_id);
+		if (dis_buf)
+			dev_dbg(isp->dev, "%s: dis stat with exp_id %d is ready\n",
+				__func__, dis_buf->dis_data->exp_id);
+		else
+			dev_dbg(isp->dev, "%s: dis stat is ready with no exp_id found\n",
+				__func__);
 		break;
 	case IA_CSS_BUFFER_TYPE_VF_OUTPUT_FRAME:
 	case IA_CSS_BUFFER_TYPE_SEC_VF_OUTPUT_FRAME:
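Review bot: In the s3a, METADATA and DIS_STATISTICS cases the not-found path still runs the `..._bufs_in_css...--` decrement, and for s3a and metadata also the ready event, so the in-CSS accounting drops for a buffer that was never moved to a ready list. The new else branches only log at dev_dbg; consider dev_warn there, or skipping the decrement and the event when the iterator found no match, so that a mismatch between the CSS buffer and the driver's lists is visible without debug logging enabled.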




* [PATCH 5.19 0124/1157] ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr()
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Alexander Lobakin,
	Andy Shevchenko, Yury Norov

From: Alexander Lobakin <alexandr.lobakin@intel.com>

commit e5a16a5c4602c119262f350274021f90465f479d upstream.

test_bit(), as any other bitmap op, takes `unsigned long *` as a
second argument (pointer to the actual bitmap), as any bitmap
itself is an array of unsigned longs. However, the ia64_get_irr()
code passes a ref to `u64` as a second argument.
This works with the ia64 bitops implementation because they
have `void *` as the second argument and then cast it later on.
This works with the bitmap API itself because `unsigned long`
has the same size on ia64 as `u64` (`unsigned long long`), but
from the compiler PoV those two are different.
Define @irr as `unsigned long` to fix that. That implies no
functional changes. Has been hidden for 16 years!

Fixes: a58786917ce2 ("[IA64] avoid broken SAL_CACHE_FLUSH implementations")
Cc: stable@vger.kernel.org # 2.6.16+
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Alexander Lobakin <alexandr.lobakin@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Yury Norov <yury.norov@gmail.com>
Signed-off-by: Yury Norov <yury.norov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/ia64/include/asm/processor.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/ia64/include/asm/processor.h
+++ b/arch/ia64/include/asm/processor.h
@@ -538,7 +538,7 @@ ia64_get_irr(unsigned int vector)
 {
 	unsigned int reg = vector / 64;
 	unsigned int bit = vector % 64;
-	u64 irr;
+	unsigned long irr;
 
 	switch (reg) {
 	case 0: irr = ia64_getreg(_IA64_REG_CR_IRR0); break;




* [PATCH 5.19 0125/1157] powerpc: Restore CONFIG_DEBUG_INFO in defconfigs
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Kees Cook,
	Michael Ellerman

From: Christophe Leroy <christophe.leroy@csgroup.eu>

commit 92f89ec1b534b6eca2b81bae97d30a786932f51a upstream.

Commit f9b3cd245784 ("Kconfig.debug: make DEBUG_INFO selectable from a
choice") broke the selection of CONFIG_DEBUG_INFO by powerpc defconfigs.

It is now necessary to select one of the three DEBUG_INFO_DWARF*
options to get DEBUG_INFO enabled.

Replace DEBUG_INFO=y by DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y in all
defconfigs using the following command:

sed -i s/DEBUG_INFO=y/DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y/g `git grep -l DEBUG_INFO arch/powerpc/configs/`

Fixes: f9b3cd245784 ("Kconfig.debug: make DEBUG_INFO selectable from a choice")
Cc: stable@vger.kernel.org
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/98a4c2603bf9e4b776e219f5b8541d23aa24e854.1654930308.git.christophe.leroy@csgroup.eu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/configs/44x/akebono_defconfig    |    2 +-
 arch/powerpc/configs/44x/currituck_defconfig  |    2 +-
 arch/powerpc/configs/44x/fsp2_defconfig       |    2 +-
 arch/powerpc/configs/44x/iss476-smp_defconfig |    2 +-
 arch/powerpc/configs/44x/warp_defconfig       |    2 +-
 arch/powerpc/configs/52xx/lite5200b_defconfig |    2 +-
 arch/powerpc/configs/52xx/motionpro_defconfig |    2 +-
 arch/powerpc/configs/52xx/tqm5200_defconfig   |    2 +-
 arch/powerpc/configs/adder875_defconfig       |    2 +-
 arch/powerpc/configs/ep8248e_defconfig        |    2 +-
 arch/powerpc/configs/ep88xc_defconfig         |    2 +-
 arch/powerpc/configs/fsl-emb-nonhw.config     |    2 +-
 arch/powerpc/configs/mgcoge_defconfig         |    2 +-
 arch/powerpc/configs/mpc5200_defconfig        |    2 +-
 arch/powerpc/configs/mpc8272_ads_defconfig    |    2 +-
 arch/powerpc/configs/mpc885_ads_defconfig     |    2 +-
 arch/powerpc/configs/ppc6xx_defconfig         |    2 +-
 arch/powerpc/configs/pq2fads_defconfig        |    2 +-
 arch/powerpc/configs/ps3_defconfig            |    2 +-
 arch/powerpc/configs/tqm8xx_defconfig         |    2 +-
 20 files changed, 20 insertions(+), 20 deletions(-)

--- a/arch/powerpc/configs/44x/akebono_defconfig
+++ b/arch/powerpc/configs/44x/akebono_defconfig
@@ -118,7 +118,7 @@ CONFIG_CRAMFS=y
 CONFIG_NLS_DEFAULT="n"
 CONFIG_NLS_CODEPAGE_437=y
 CONFIG_NLS_ISO8859_1=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_DETECT_HUNG_TASK=y
 CONFIG_XMON=y
--- a/arch/powerpc/configs/44x/currituck_defconfig
+++ b/arch/powerpc/configs/44x/currituck_defconfig
@@ -73,7 +73,7 @@ CONFIG_NFS_FS=y
 CONFIG_NFS_V3_ACL=y
 CONFIG_NFS_V4=y
 CONFIG_NLS_DEFAULT="n"
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_DETECT_HUNG_TASK=y
 CONFIG_XMON=y
--- a/arch/powerpc/configs/44x/fsp2_defconfig
+++ b/arch/powerpc/configs/44x/fsp2_defconfig
@@ -110,7 +110,7 @@ CONFIG_XZ_DEC=y
 CONFIG_PRINTK_TIME=y
 CONFIG_MESSAGE_LOGLEVEL_DEFAULT=3
 CONFIG_DYNAMIC_DEBUG=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_DETECT_HUNG_TASK=y
 CONFIG_CRYPTO_CBC=y
--- a/arch/powerpc/configs/44x/iss476-smp_defconfig
+++ b/arch/powerpc/configs/44x/iss476-smp_defconfig
@@ -56,7 +56,7 @@ CONFIG_PROC_KCORE=y
 CONFIG_TMPFS=y
 CONFIG_CRAMFS=y
 # CONFIG_NETWORK_FILESYSTEMS is not set
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_DETECT_HUNG_TASK=y
 CONFIG_PPC_EARLY_DEBUG=y
--- a/arch/powerpc/configs/44x/warp_defconfig
+++ b/arch/powerpc/configs/44x/warp_defconfig
@@ -88,7 +88,7 @@ CONFIG_NLS_UTF8=y
 CONFIG_CRC_CCITT=y
 CONFIG_CRC_T10DIF=y
 CONFIG_PRINTK_TIME=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_DEBUG_FS=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_DETECT_HUNG_TASK=y
--- a/arch/powerpc/configs/52xx/lite5200b_defconfig
+++ b/arch/powerpc/configs/52xx/lite5200b_defconfig
@@ -58,6 +58,6 @@ CONFIG_NFS_FS=y
 CONFIG_NFS_V4=y
 CONFIG_ROOT_NFS=y
 CONFIG_PRINTK_TIME=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_DETECT_HUNG_TASK=y
 # CONFIG_DEBUG_BUGVERBOSE is not set
--- a/arch/powerpc/configs/52xx/motionpro_defconfig
+++ b/arch/powerpc/configs/52xx/motionpro_defconfig
@@ -84,7 +84,7 @@ CONFIG_ROOT_NFS=y
 CONFIG_NLS_CODEPAGE_437=y
 CONFIG_NLS_ISO8859_1=y
 CONFIG_PRINTK_TIME=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_DETECT_HUNG_TASK=y
 # CONFIG_DEBUG_BUGVERBOSE is not set
 CONFIG_CRYPTO_ECB=y
--- a/arch/powerpc/configs/52xx/tqm5200_defconfig
+++ b/arch/powerpc/configs/52xx/tqm5200_defconfig
@@ -85,7 +85,7 @@ CONFIG_ROOT_NFS=y
 CONFIG_NLS_CODEPAGE_437=y
 CONFIG_NLS_ISO8859_1=y
 CONFIG_PRINTK_TIME=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_DETECT_HUNG_TASK=y
 # CONFIG_DEBUG_BUGVERBOSE is not set
 CONFIG_CRYPTO_ECB=y
--- a/arch/powerpc/configs/adder875_defconfig
+++ b/arch/powerpc/configs/adder875_defconfig
@@ -45,7 +45,7 @@ CONFIG_CRAMFS=y
 CONFIG_NFS_FS=y
 CONFIG_ROOT_NFS=y
 CONFIG_CRC32_SLICEBY4=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_DEBUG_FS=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_DETECT_HUNG_TASK=y
--- a/arch/powerpc/configs/ep8248e_defconfig
+++ b/arch/powerpc/configs/ep8248e_defconfig
@@ -59,7 +59,7 @@ CONFIG_NLS_CODEPAGE_437=y
 CONFIG_NLS_ASCII=y
 CONFIG_NLS_ISO8859_1=y
 CONFIG_NLS_UTF8=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_MAGIC_SYSRQ=y
 # CONFIG_SCHED_DEBUG is not set
 CONFIG_BDI_SWITCH=y
--- a/arch/powerpc/configs/ep88xc_defconfig
+++ b/arch/powerpc/configs/ep88xc_defconfig
@@ -48,6 +48,6 @@ CONFIG_CRAMFS=y
 CONFIG_NFS_FS=y
 CONFIG_ROOT_NFS=y
 CONFIG_CRC32_SLICEBY4=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_DETECT_HUNG_TASK=y
--- a/arch/powerpc/configs/fsl-emb-nonhw.config
+++ b/arch/powerpc/configs/fsl-emb-nonhw.config
@@ -24,7 +24,7 @@ CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_SHA256=y
 CONFIG_CRYPTO_SHA512=y
 CONFIG_DEBUG_FS=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_SHIRQ=y
 CONFIG_DETECT_HUNG_TASK=y
--- a/arch/powerpc/configs/mgcoge_defconfig
+++ b/arch/powerpc/configs/mgcoge_defconfig
@@ -73,7 +73,7 @@ CONFIG_NLS_CODEPAGE_437=y
 CONFIG_NLS_ASCII=y
 CONFIG_NLS_ISO8859_1=y
 CONFIG_NLS_UTF8=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_DEBUG_FS=y
 CONFIG_MAGIC_SYSRQ=y
 # CONFIG_SCHED_DEBUG is not set
--- a/arch/powerpc/configs/mpc5200_defconfig
+++ b/arch/powerpc/configs/mpc5200_defconfig
@@ -122,6 +122,6 @@ CONFIG_ROOT_NFS=y
 CONFIG_NLS_CODEPAGE_437=y
 CONFIG_NLS_ISO8859_1=y
 CONFIG_PRINTK_TIME=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DETECT_HUNG_TASK=y
--- a/arch/powerpc/configs/mpc8272_ads_defconfig
+++ b/arch/powerpc/configs/mpc8272_ads_defconfig
@@ -67,7 +67,7 @@ CONFIG_NLS_CODEPAGE_437=y
 CONFIG_NLS_ASCII=y
 CONFIG_NLS_ISO8859_1=y
 CONFIG_NLS_UTF8=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_DETECT_HUNG_TASK=y
 CONFIG_BDI_SWITCH=y
--- a/arch/powerpc/configs/mpc885_ads_defconfig
+++ b/arch/powerpc/configs/mpc885_ads_defconfig
@@ -71,7 +71,7 @@ CONFIG_ROOT_NFS=y
 CONFIG_CRYPTO=y
 CONFIG_CRYPTO_DEV_TALITOS=y
 CONFIG_CRC32_SLICEBY4=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_DEBUG_FS=y
 CONFIG_DEBUG_VM_PGTABLE=y
--- a/arch/powerpc/configs/ppc6xx_defconfig
+++ b/arch/powerpc/configs/ppc6xx_defconfig
@@ -1065,7 +1065,7 @@ CONFIG_NLS_ISO8859_14=m
 CONFIG_NLS_ISO8859_15=m
 CONFIG_NLS_KOI8_R=m
 CONFIG_NLS_KOI8_U=m
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_HEADERS_INSTALL=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_DEBUG_KERNEL=y
--- a/arch/powerpc/configs/pq2fads_defconfig
+++ b/arch/powerpc/configs/pq2fads_defconfig
@@ -68,7 +68,7 @@ CONFIG_NLS_CODEPAGE_437=y
 CONFIG_NLS_ASCII=y
 CONFIG_NLS_ISO8859_1=y
 CONFIG_NLS_UTF8=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_DETECT_HUNG_TASK=y
 # CONFIG_SCHED_DEBUG is not set
--- a/arch/powerpc/configs/ps3_defconfig
+++ b/arch/powerpc/configs/ps3_defconfig
@@ -153,7 +153,7 @@ CONFIG_NLS_CODEPAGE_437=y
 CONFIG_NLS_ISO8859_1=y
 CONFIG_CRC_CCITT=m
 CONFIG_CRC_T10DIF=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_DEBUG_MEMORY_INIT=y
 CONFIG_DEBUG_STACKOVERFLOW=y
--- a/arch/powerpc/configs/tqm8xx_defconfig
+++ b/arch/powerpc/configs/tqm8xx_defconfig
@@ -55,6 +55,6 @@ CONFIG_CRAMFS=y
 CONFIG_NFS_FS=y
 CONFIG_ROOT_NFS=y
 CONFIG_CRC32_SLICEBY4=y
-CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_DETECT_HUNG_TASK=y




* [PATCH 5.19 0126/1157] powerpc/64e: Fix early TLB miss with KUAP
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Michael Ellerman

From: Christophe Leroy <christophe.leroy@csgroup.eu>

commit 09317643117ade87c03158341e87466413fa8f1a upstream.

With KUAP, the TLB miss handler bails out when an access to user
memory is performed with a null TID.

But the normal TLB miss routine which is only used early during boot
does the check regardless for all memory areas, not only user memory.

By chance there is no early IO or vmalloc access, but when KASAN
comes we will start having early TLB misses.

Fix it by creating a special branch for user accesses similar to the
one in the 'bolted' TLB miss handlers. Unfortunately SPRN_MAS1 is
now read too early and there are no registers available to preserve
it so it will be read a second time.

Fixes: 57bc963837f5 ("powerpc/kuap: Wire-up KUAP on book3e/64")
Cc: stable@vger.kernel.org
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/8d6c5859a45935d6e1a336da4dc20be421e8cea7.1656427701.git.christophe.leroy@csgroup.eu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/mm/nohash/tlb_low_64e.S |   17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

--- a/arch/powerpc/mm/nohash/tlb_low_64e.S
+++ b/arch/powerpc/mm/nohash/tlb_low_64e.S
@@ -583,7 +583,7 @@ itlb_miss_fault_e6500:
 	 */
 	rlwimi	r11,r14,32-19,27,27
 	rlwimi	r11,r14,32-16,19,19
-	beq	normal_tlb_miss
+	beq	normal_tlb_miss_user
 	/* XXX replace the RMW cycles with immediate loads + writes */
 1:	mfspr	r10,SPRN_MAS1
 	cmpldi	cr0,r15,8		/* Check for vmalloc region */
@@ -626,7 +626,7 @@ itlb_miss_fault_e6500:
 
 	cmpldi	cr0,r15,0			/* Check for user region */
 	std	r14,EX_TLB_ESR(r12)		/* write crazy -1 to frame */
-	beq	normal_tlb_miss
+	beq	normal_tlb_miss_user
 
 	li	r11,_PAGE_PRESENT|_PAGE_BAP_SX	/* Base perm */
 	oris	r11,r11,_PAGE_ACCESSED@h
@@ -653,6 +653,12 @@ itlb_miss_fault_e6500:
  * r11 = PTE permission mask
  * r10 = crap (free to use)
  */
+normal_tlb_miss_user:
+#ifdef CONFIG_PPC_KUAP
+	mfspr	r14,SPRN_MAS1
+	rlwinm.	r14,r14,0,0x3fff0000
+	beq-	normal_tlb_miss_access_fault /* KUAP fault */
+#endif
 normal_tlb_miss:
 	/* So we first construct the page table address. We do that by
 	 * shifting the bottom of the address (not the region ID) by
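Review bot: The new normal_tlb_miss_user label sits between the register-contract comment and normal_tlb_miss, so that comment now reads as documenting the user entry point, and the KUAP block clobbers r14 while the part of the comment shown here names r10 as the free scratch register. Add a short comment on the label saying it is the user-region entry, that it checks the TID field of MAS1 and falls through to normal_tlb_miss, and which register it clobbers; using r10 for the `mfspr`/`rlwinm.` pair would match the contract as shown.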
@@ -683,11 +689,6 @@ finish_normal_tlb_miss:
 	/* Check if required permissions are met */
 	andc.	r15,r11,r14
 	bne-	normal_tlb_miss_access_fault
-#ifdef CONFIG_PPC_KUAP
-	mfspr	r11,SPRN_MAS1
-	rlwinm.	r10,r11,0,0x3fff0000
-	beq-	normal_tlb_miss_access_fault /* KUAP fault */
-#endif
 
 	/* Now we build the MAS:
 	 *
@@ -709,9 +710,7 @@ finish_normal_tlb_miss:
 	rldicl	r10,r14,64-8,64-8
 	cmpldi	cr0,r10,BOOK3E_PAGESZ_4K
 	beq-	1f
-#ifndef CONFIG_PPC_KUAP
 	mfspr	r11,SPRN_MAS1
-#endif
 	rlwimi	r11,r14,31,21,24
 	rlwinm	r11,r11,0,21,19
 	mtspr	SPRN_MAS1,r11




* [PATCH 5.19 0127/1157] powerpc/fsl-pci: Fix Class Code of PCIe Root Port
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pali Rohár, Michael Ellerman

From: Pali Rohár <pali@kernel.org>

commit 0c551abfa004ce154d487d91777bf221c808a64f upstream.

By default old pre-3.0 Freescale PCIe controllers report invalid PCI Class
Code 0x0b20 for PCIe Root Port. It can be seen by lspci -b output on P2020
board which has this pre-3.0 controller:

  $ lspci -bvnn
  00:00.0 Power PC [0b20]: Freescale Semiconductor Inc P2020E [1957:0070] (rev 21)
          !!! Invalid class 0b20 for header type 01
          Capabilities: [4c] Express Root Port (Slot-), MSI 00

Fix this issue by programming correct PCI Class Code 0x0604 for PCIe Root
Port to the Freescale specific PCIe register 0x474.

With this change lspci -b output is:

  $ lspci -bvnn
  00:00.0 PCI bridge [0604]: Freescale Semiconductor Inc P2020E [1957:0070] (rev 21) (prog-if 00 [Normal decode])
          Capabilities: [4c] Express Root Port (Slot-), MSI 00

Without any "Invalid class" error. So class code was properly reflected
into standard (read-only) PCI register 0x08.

Same fix is already implemented in U-Boot pcie_fsl.c driver in commit:
http://source.denx.de/u-boot/u-boot/-/commit/d18d06ac35229345a0af80977a408cfbe1d1015b

Fix activated by U-Boot stays active also after booting Linux kernel.
But boards which use older U-Boot version without that fix are affected and
still require this fix.

So implement this class code fix also in kernel fsl_pci.c driver.

Cc: stable@vger.kernel.org
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220706101043.4867-1-pali@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/sysdev/fsl_pci.c |    8 ++++++++
 arch/powerpc/sysdev/fsl_pci.h |    1 +
 2 files changed, 9 insertions(+)

--- a/arch/powerpc/sysdev/fsl_pci.c
+++ b/arch/powerpc/sysdev/fsl_pci.c
@@ -521,6 +521,7 @@ int fsl_add_bridge(struct platform_devic
 	struct resource rsrc;
 	const int *bus_range;
 	u8 hdr_type, progif;
+	u32 class_code;
 	struct device_node *dev;
 	struct ccsr_pci __iomem *pci;
 	u16 temp;
@@ -594,6 +595,13 @@ int fsl_add_bridge(struct platform_devic
 			PPC_INDIRECT_TYPE_SURPRESS_PRIMARY_BUS;
 		if (fsl_pcie_check_link(hose))
 			hose->indirect_type |= PPC_INDIRECT_TYPE_NO_PCIE_LINK;
+		/* Fix Class Code to PCI_CLASS_BRIDGE_PCI_NORMAL for pre-3.0 controller */
+		if (in_be32(&pci->block_rev1) < PCIE_IP_REV_3_0) {
+			early_read_config_dword(hose, 0, 0, PCIE_FSL_CSR_CLASSCODE, &class_code);
+			class_code &= 0xff;
+			class_code |= PCI_CLASS_BRIDGE_PCI_NORMAL << 8;
+			early_write_config_dword(hose, 0, 0, PCIE_FSL_CSR_CLASSCODE, class_code);
+		}
 	} else {
 		/*
 		 * Set PBFR(PCI Bus Function Register)[10] = 1 to
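Review bot: The return value of early_read_config_dword() is ignored in the new pre-3.0 block, and class_code is declared without an initialiser in the first hunk, so a failed read would let `class_code &= 0xff` operate on an indeterminate value that is then written back to PCIE_FSL_CSR_CLASSCODE. Check the read result and skip the write on failure, or initialise class_code to 0. The `0xff` mask and `<< 8` shift would also read better with a comment saying that the low byte is preserved and the class code goes in the bits above it.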
--- a/arch/powerpc/sysdev/fsl_pci.h
+++ b/arch/powerpc/sysdev/fsl_pci.h
@@ -18,6 +18,7 @@ struct platform_device;
 
 #define PCIE_LTSSM	0x0404		/* PCIE Link Training and Status */
 #define PCIE_LTSSM_L0	0x16		/* L0 state */
+#define PCIE_FSL_CSR_CLASSCODE	0x474	/* FSL GPEX CSR */
 #define PCIE_IP_REV_2_2		0x02080202 /* PCIE IP block version Rev2.2 */
 #define PCIE_IP_REV_3_0		0x02080300 /* PCIE IP block version Rev3.0 */
 #define PIWAR_EN		0x80000000	/* Enable */




* [PATCH 5.19 0128/1157] powerpc/ptdump: Fix display of RW pages on FSL_BOOK3E
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Michael Ellerman

From: Christophe Leroy <christophe.leroy@csgroup.eu>

commit dd8de84b57b02ba9c1fe530a6d916c0853f136bd upstream.

On FSL_BOOK3E, _PAGE_RW is defined with two bits, one for user and one
for supervisor. As soon as one of the two bits is set, the page has
to be displayed as RW. But the way it is implemented today requires both
bits to be set in order to display it as RW.

Instead of displaying RW when _PAGE_RW bits are set and R otherwise,
reverse the logic and display R when _PAGE_RW bits are all 0 and
RW otherwise.

This change has no impact on other platforms as _PAGE_RW is a single
bit on all of them.

Fixes: 8eb07b187000 ("powerpc/mm: Dump linux pagetables")
Cc: stable@vger.kernel.org
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/0c33b96317811edf691e81698aaee8fa45ec3449.1656427391.git.christophe.leroy@csgroup.eu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/mm/ptdump/shared.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/powerpc/mm/ptdump/shared.c
+++ b/arch/powerpc/mm/ptdump/shared.c
@@ -17,9 +17,9 @@ static const struct flag_info flag_array
 		.clear	= "    ",
 	}, {
 		.mask	= _PAGE_RW,
-		.val	= _PAGE_RW,
-		.set	= "rw",
-		.clear	= "r ",
+		.val	= 0,
+		.set	= "r ",
+		.clear	= "rw",
 	}, {
 		.mask	= _PAGE_EXEC,
 		.val	= _PAGE_EXEC,
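Review bot: With `.val = 0` the `.set`/`.clear` strings of the _PAGE_RW entry are inverted relative to the neighbouring _PAGE_EXEC entry, where `.val` equals `.mask`, and nothing in the array says why. Add a one-line comment above the entry noting that _PAGE_RW can be a multi-bit mask and that the entry therefore matches on all bits clear, so a later cleanup does not turn it back.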




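The mask/val comparison described in the ptdump commit message above, as an added example that is not part of the patch or of the kernel source. The bit values, the sample PTEs and the decode() helper are constructed for illustration; only the two table entries mirror the before and after sides of the hunk. It counts how many writable pages each entry would report as read-only, which is what matters when the dump is used to audit page permissions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed bit values (assumptions), not the kernel's FSL_BOOK3E ones. */
#define DEMO_PAGE_PRESENT 0x01u
#define DEMO_PAGE_UW      0x08u	/* user write */
#define DEMO_PAGE_SW      0x10u	/* supervisor write */
#define DEMO_PAGE_RW      (DEMO_PAGE_UW | DEMO_PAGE_SW)

struct flag_info {
	unsigned int mask;
	unsigned int val;
	const char *set;	/* shown when (pte & mask) == val */
	const char *clear;	/* shown otherwise */
};

/* Entry as on the '-' side of the hunk: needs every RW bit set. */
static const struct flag_info rw_before = {
	.mask = DEMO_PAGE_RW, .val = DEMO_PAGE_RW, .set = "rw", .clear = "r ",
};

/* Entry as on the '+' side: read-only only when every RW bit is clear. */
static const struct flag_info rw_after = {
	.mask = DEMO_PAGE_RW, .val = 0, .set = "r ", .clear = "rw",
};

/* Constructed sample PTEs covering all four RW bit combinations. */
static const unsigned int demo_ptes[] = {
	DEMO_PAGE_PRESENT,
	DEMO_PAGE_PRESENT | DEMO_PAGE_UW,
	DEMO_PAGE_PRESENT | DEMO_PAGE_SW,
	DEMO_PAGE_PRESENT | DEMO_PAGE_RW,
};
#define DEMO_NPTES (sizeof(demo_ptes) / sizeof(demo_ptes[0]))

/* Assumed comparison rule: exact match of the masked bits against val. */
static const char *decode(const struct flag_info *f, unsigned int pte)
{
	return ((pte & f->mask) == f->val) ? f->set : f->clear;
}

/* Number of sample PTEs with a write bit set that are not shown as "rw". */
static int count_hidden_writable(const struct flag_info *f)
{
	int hidden = 0;

	for (size_t i = 0; i < DEMO_NPTES; i++) {
		int writable = (demo_ptes[i] & DEMO_PAGE_RW) != 0;

		if (writable && strcmp(decode(f, demo_ptes[i]), "rw") != 0)
			hidden++;
	}
	return hidden;
}

int main(void)
{
	for (size_t i = 0; i < DEMO_NPTES; i++)
		printf("pte=0x%02x before=\"%s\" after=\"%s\"\n", demo_ptes[i],
		       decode(&rw_before, demo_ptes[i]),
		       decode(&rw_after, demo_ptes[i]));
	printf("writable pages shown read-only: before=%d after=%d\n",
	       count_hidden_writable(&rw_before),
	       count_hidden_writable(&rw_after));
	return 0;
}
```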
* [PATCH 5.19 0129/1157] powerpc/powernv: Avoid crashing if rng is NULL
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason A. Donenfeld, Michael Ellerman

From: Michael Ellerman <mpe@ellerman.id.au>

commit 90b5d4fe0b3ba7f589c6723c6bfb559d9e83956a upstream.

On a bare-metal Power8 system that doesn't have an "ibm,power-rng", a
malicious QEMU and guest that ignore the absence of the
KVM_CAP_PPC_HWRNG flag, and call H_RANDOM anyway, will dereference a
NULL pointer.

In practice all Power8 machines have an "ibm,power-rng", but let's not
rely on that, add a NULL check and early return in
powernv_get_random_real_mode().

Fixes: e928e9cb3601 ("KVM: PPC: Book3S HV: Add fast real-mode H_RANDOM implementation.")
Cc: stable@vger.kernel.org # v4.1+
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220727143219.2684192-1-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/platforms/powernv/rng.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/powerpc/platforms/powernv/rng.c
+++ b/arch/powerpc/platforms/powernv/rng.c
@@ -63,6 +63,8 @@ int powernv_get_random_real_mode(unsigne
 	struct powernv_rng *rng;
 
 	rng = raw_cpu_read(powernv_rng);
+	if (!rng)
+		return 0;
 
 	*v = rng_whiten(rng, __raw_rm_readq(rng->regs_real));
 
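Review bot: The new `if (!rng) return 0;` leaves `*v` unwritten, and the hunk does not show what the function returns on success, so a reader cannot tell from here that 0 means no data was produced. Add a short comment on the early return stating what 0 signals to the caller and that `*v` is not touched, so the contract this check relies on is documented next to it.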




* [PATCH 5.19 0130/1157] MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Huacai Chen, Thomas Bogendoerfer

From: Huacai Chen <chenhuacai@loongson.cn>

commit e1a534f5d074db45ae5cbac41d8912b98e96a006 upstream.

When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected,
cpu_max_bits_warn() generates a runtime warning similar to the one below while
we show /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit)
instead of NR_CPUS to iterate CPUs.

[    3.052463] ------------[ cut here ]------------
[    3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0
[    3.070072] Modules linked in: efivarfs autofs4
[    3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052
[    3.084034] Hardware name: Loongson Loongson-3A4000-7A1000-1w-V0.1-CRB/Loongson-LS3A4000-7A1000-1w-EVB-V1.21, BIOS Loongson-UDK2018-V2.0.04082-beta7 04/27
[    3.199917] Call Trace:
[    3.203941] [<98000000002086d8>] show_stack+0x38/0x14c
[    3.210666] [<9800000000cf846c>] dump_stack_lvl+0x60/0x88
[    3.217625] [<980000000023d268>] __warn+0xd0/0x100
[    3.223958] [<9800000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc
[    3.231150] [<9800000000210220>] show_cpuinfo+0x5e8/0x5f0
[    3.238080] [<98000000004f578c>] seq_read_iter+0x354/0x4b4
[    3.245098] [<98000000004c2e90>] new_sync_read+0x17c/0x1c4
[    3.252114] [<98000000004c5174>] vfs_read+0x138/0x1d0
[    3.258694] [<98000000004c55f8>] ksys_read+0x70/0x100
[    3.265265] [<9800000000cfde9c>] do_syscall+0x7c/0x94
[    3.271820] [<9800000000202fe4>] handle_syscall+0xc4/0x160
[    3.281824] ---[ end trace 8b484262b4b8c24c ]---

Cc: stable@vger.kernel.org
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/mips/kernel/proc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/kernel/proc.c
+++ b/arch/mips/kernel/proc.c
@@ -311,7 +311,7 @@ static void *c_start(struct seq_file *m,
 {
 	unsigned long i = *pos;
 
-	return i < NR_CPUS ? (void *) (i + 1) : NULL;
+	return i < nr_cpu_ids ? (void *) (i + 1) : NULL;
 }
 
 static void *c_next(struct seq_file *m, void *v, loff_t *pos)




* [PATCH 5.19 0131/1157] coresight: Clear the connection field properly
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mathieu Poirier, Mike Leach, Leo Yan,
	Suzuki K Poulose

From: Suzuki K Poulose <suzuki.poulose@arm.com>

commit 2af89ebacf299b7fba5f3087d35e8a286ec33706 upstream.

coresight devices track their connections (output connections) and
hold a reference to the fwnode. When a device goes away, we walk through
the devices on the coresight bus and make sure that the references
are dropped. This happens both ways:
a) For all output connections from the device, drop the reference to
   the target device via coresight_release_platform_data()

b) Iterate over all the devices on the coresight bus and drop the
   reference to fwnode if *this* device is the target of the output
   connection, via coresight_remove_conns()->coresight_remove_match().

However, coresight_remove_match() doesn't clear the fwnode field
after dropping the reference; this causes use-after-free and
additional refcount drops on the fwnode.

e.g., if we have two devices, A and B, with a connection, A -> B.
If we remove B first, B would clear the reference on B, from A
via coresight_remove_match(). But when A is removed, it still has
a connection with fwnode still pointing to B. Thus it tries to drop
the reference in coresight_release_platform_data(), raising the bells
like:

[   91.990153] ------------[ cut here ]------------
[   91.990163] refcount_t: addition on 0; use-after-free.
[   91.990212] WARNING: CPU: 0 PID: 461 at lib/refcount.c:25 refcount_warn_saturate+0xa0/0x144
[   91.990260] Modules linked in: coresight_funnel coresight_replicator coresight_etm4x(-)
 crct10dif_ce coresight ip_tables x_tables ipv6 [last unloaded: coresight_cpu_debug]
[   91.990398] CPU: 0 PID: 461 Comm: rmmod Tainted: G        W       T 5.19.0-rc2+ #53
[   91.990418] Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb  1 2019
[   91.990434] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   91.990454] pc : refcount_warn_saturate+0xa0/0x144
[   91.990476] lr : refcount_warn_saturate+0xa0/0x144
[   91.990496] sp : ffff80000c843640
[   91.991000] Call trace:
[   91.991012]  refcount_warn_saturate+0xa0/0x144
[   91.991034]  kobject_get+0xac/0xb0
[   91.991055]  of_node_get+0x2c/0x40
[   91.991076]  of_fwnode_get+0x40/0x60
[   91.991094]  fwnode_handle_get+0x3c/0x60
[   91.991116]  fwnode_get_nth_parent+0xf4/0x110
[   91.991137]  fwnode_full_name_string+0x48/0xc0
[   91.991158]  device_node_string+0x41c/0x530
[   91.991178]  pointer+0x320/0x3ec
[   91.991198]  vsnprintf+0x23c/0x750
[   91.991217]  vprintk_store+0x104/0x4b0
[   91.991238]  vprintk_emit+0x8c/0x360
[   91.991257]  vprintk_default+0x44/0x50
[   91.991276]  vprintk+0xcc/0xf0
[   91.991295]  _printk+0x68/0x90
[   91.991315]  of_node_release+0x13c/0x14c
[   91.991334]  kobject_put+0x98/0x114
[   91.991354]  of_node_put+0x24/0x34
[   91.991372]  of_fwnode_put+0x40/0x5c
[   91.991390]  fwnode_handle_put+0x38/0x50
[   91.991411]  coresight_release_platform_data+0x74/0xb0 [coresight]
[   91.991472]  coresight_unregister+0x64/0xcc [coresight]
[   91.991525]  etm4_remove_dev+0x64/0x78 [coresight_etm4x]
[   91.991563]  etm4_remove_amba+0x1c/0x2c [coresight_etm4x]
[   91.991598]  amba_remove+0x3c/0x19c

Reproducible by: (Build all coresight components as modules):

  #!/bin/sh
  while true
  do
     for m in tmc stm cpu_debug etm4x replicator funnel
     do
     	modprobe coresight_${m}
     done

     for m in tmc stm cpu_debug etm4x replicator funnel
     do
     	rmmod coresight_${m}
     done
  done

Cc: stable@vger.kernel.org
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: Mike Leach <mike.leach@linaro.org>
Cc: Leo Yan <leo.yan@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Fixes: 37ea1ffddffa ("coresight: Use fwnode handle instead of device names")
Link: https://lore.kernel.org/r/20220614214024.3005275-1-suzuki.poulose@arm.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwtracing/coresight/coresight-core.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/hwtracing/coresight/coresight-core.c
+++ b/drivers/hwtracing/coresight/coresight-core.c
@@ -1424,6 +1424,7 @@ static int coresight_remove_match(struct
 			 * platform data.
 			 */
 			fwnode_handle_put(conn->child_fwnode);
+			conn->child_fwnode = NULL;
 			/* No need to continue */
 			break;
 		}
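
Review bot: The added `conn->child_fwnode = NULL;` carries no explanation, and the comment that ends just above the put only covers dropping the reference. Extend that comment to say why the pointer is cleared: per the commit message, coresight_release_platform_data() later puts whatever child_fwnode still holds, so a stale pointer gets a second put. It is also worth confirming that every other reader of conn->child_fwnode tolerates NULL once the match has been removed.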




* [PATCH 5.19 0132/1157] usb: typec: ucsi: Acknowledge the GET_ERROR_STATUS command completion
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jack Pham, Linyu Yuan

From: Linyu Yuan <quic_linyyuan@quicinc.com>

commit a7dc438b5e446afcd1b3b6651da28271400722f2 upstream.

We found PPM will not send any notification after it reports error status
and OPM issues the GET_ERROR_STATUS command to read the details about the error.

According to the UCSI spec, PPM may clear the Error Status Data after the OPM
has acknowledged the command completion.

This change adds an operation to acknowledge the command completion from PPM.

Fixes: bdc62f2bae8f (usb: typec: ucsi: Simplified registration and I/O API)
Cc: <stable@vger.kernel.org> # 5.10
Signed-off-by: Jack Pham <quic_jackp@quicinc.com>
Signed-off-by: Linyu Yuan <quic_linyyuan@quicinc.com>
Link: https://lore.kernel.org/r/1658817949-4632-1-git-send-email-quic_linyyuan@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/ucsi.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -76,6 +76,10 @@ static int ucsi_read_error(struct ucsi *
 	if (ret)
 		return ret;
 
+	ret = ucsi_acknowledge_command(ucsi);
+	if (ret)
+		return ret;
+
 	switch (error) {
 	case UCSI_ERROR_INCOMPATIBLE_PARTNER:
 		return -EOPNOTSUPP;
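
Review bot: When ucsi_acknowledge_command() fails, the added early `return ret;` discards the value already read into `error`, so the caller sees the acknowledge failure instead of the errno the switch below would have picked. If that precedence is intended, say so in a short comment above the call, together with the reason for the acknowledge given in the commit message (the PPM may clear the Error Status Data after the OPM has acknowledged completion).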




* [PATCH 5.19 0133/1157] USB: HCD: Fix URB giveback issue in tasklet function
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, stable, Alan Stern, Weitao Wang

From: Weitao Wang <WeitaoWang-oc@zhaoxin.com>

commit 26c6c2f8a907c9e3a2f24990552a4d77235791e6 upstream.

The USB core introduced the mechanism of giving back URBs in tasklet context to
reduce hardware interrupt handling time. In some test situations (such as
FIO with 4KB block size), when the tasklet callback function is called to
give back URBs, the interrupt handler also adds URB nodes to the bh->head list.
If the bh->head list is checked again after finishing all URB givebacks of local_list,
then it may introduce a "dynamic balance" between giving back URBs and adding URBs
to the bh->head list. This tasklet callback function may not exit for a long
time, which will cause other tasklet function calls to be delayed. Some
real-time applications (such as KB and Mouse) will see noticeable lag.

In order to prevent the tasklet function from occupying the CPU for a long
time at a time, new URBs will not be added to the local_list even though
the bh->head list is not empty. But we also need to ensure the remaining URB
givebacks are processed in time, so add a member high_prio to structure
giveback_urb_bh to prioritize the tasklet and schedule this tasklet again if
the bh->head list is not empty.

At the same time, we are able to prioritize tasklet through structure
member high_prio. So, replace the local high_prio_bh variable with this
structure member in usb_hcd_giveback_urb.

Fixes: 94dfd7edfd5c ("USB: HCD: support giveback of URB in tasklet context")
Cc: stable <stable@kernel.org>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
Link: https://lore.kernel.org/r/20220726074918.5114-1-WeitaoWang-oc@zhaoxin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/hcd.c  |   26 +++++++++++++++-----------
 include/linux/usb/hcd.h |    1 +
 2 files changed, 16 insertions(+), 11 deletions(-)

--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -1691,7 +1691,6 @@ static void usb_giveback_urb_bh(struct t
 
 	spin_lock_irq(&bh->lock);
 	bh->running = true;
- restart:
 	list_replace_init(&bh->head, &local_list);
 	spin_unlock_irq(&bh->lock);
 
@@ -1705,10 +1704,17 @@ static void usb_giveback_urb_bh(struct t
 		bh->completing_ep = NULL;
 	}
 
-	/* check if there are new URBs to giveback */
+	/*
+	 * giveback new URBs next time to prevent this function
+	 * from not exiting for a long time.
+	 */
 	spin_lock_irq(&bh->lock);
-	if (!list_empty(&bh->head))
-		goto restart;
+	if (!list_empty(&bh->head)) {
+		if (bh->high_prio)
+			tasklet_hi_schedule(&bh->bh);
+		else
+			tasklet_schedule(&bh->bh);
+	}
 	bh->running = false;
 	spin_unlock_irq(&bh->lock);
 }
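
Review bot: The `if (bh->high_prio) tasklet_hi_schedule(&bh->bh); else tasklet_schedule(&bh->bh);` pair added at the end of usb_giveback_urb_bh() is the same choice usb_hcd_giveback_urb() makes further down in this patch; a small helper taking `bh` would keep the two call sites from drifting apart. The replacement comment is also hard to parse: wording such as "leave newly queued URBs for the next run so this tasklet cannot loop indefinitely" states the intent directly. It would help to mention there that the reschedule is issued with bh->lock held and before bh->running is cleared.
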
@@ -1737,7 +1743,7 @@ static void usb_giveback_urb_bh(struct t
 void usb_hcd_giveback_urb(struct usb_hcd *hcd, struct urb *urb, int status)
 {
 	struct giveback_urb_bh *bh;
-	bool running, high_prio_bh;
+	bool running;
 
 	/* pass status to tasklet via unlinked */
 	if (likely(!urb->unlinked))
@@ -1748,13 +1754,10 @@ void usb_hcd_giveback_urb(struct usb_hcd
 		return;
 	}
 
-	if (usb_pipeisoc(urb->pipe) || usb_pipeint(urb->pipe)) {
+	if (usb_pipeisoc(urb->pipe) || usb_pipeint(urb->pipe))
 		bh = &hcd->high_prio_bh;
-		high_prio_bh = true;
-	} else {
+	else
 		bh = &hcd->low_prio_bh;
-		high_prio_bh = false;
-	}
 
 	spin_lock(&bh->lock);
 	list_add_tail(&urb->urb_list, &bh->head);
@@ -1763,7 +1766,7 @@ void usb_hcd_giveback_urb(struct usb_hcd
 
 	if (running)
 		;
-	else if (high_prio_bh)
+	else if (bh->high_prio)
 		tasklet_hi_schedule(&bh->bh);
 	else
 		tasklet_schedule(&bh->bh);
@@ -2959,6 +2962,7 @@ int usb_add_hcd(struct usb_hcd *hcd,
 
 	/* initialize tasklets */
 	init_giveback_urb_bh(&hcd->high_prio_bh);
+	hcd->high_prio_bh.high_prio = true;
 	init_giveback_urb_bh(&hcd->low_prio_bh);
 
 	/* enable irqs just before we start the controller,
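
Review bot: `hcd->high_prio_bh.high_prio = true;` is assigned outside init_giveback_urb_bh(), and nothing in the visible lines assigns low_prio_bh.high_prio, so the low-priority case depends on the structure having been zeroed elsewhere. Passing the priority into init_giveback_urb_bh(), or assigning false explicitly for low_prio_bh, would make both cases visible at this site.
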
--- a/include/linux/usb/hcd.h
+++ b/include/linux/usb/hcd.h
@@ -66,6 +66,7 @@
 
 struct giveback_urb_bh {
 	bool running;
+	bool high_prio;
 	spinlock_t lock;
 	struct list_head  head;
 	struct tasklet_struct bh;




* [PATCH 5.19 0134/1157] Revert "net: usb: ax88179_178a needs FLAG_SEND_ZLP"
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ronald Wahl, Jose Alonso, David S. Miller

From: Jose Alonso <joalonsof@gmail.com>

commit 6fd2c17fb6e02a8c0ab51df1cfec82ce96b8e83d upstream.

This reverts commit 36a15e1cb134c0395261ba1940762703f778438c.

The usage of FLAG_SEND_ZLP causes problems to other firmware/hardware
versions that have no issues.

The FLAG_SEND_ZLP is not safe to use in this context.
See:
https://patchwork.ozlabs.org/project/netdev/patch/1270599787.8900.8.camel@Linuxdev4-laptop/#118378
The original problem needs to be solved another way.

Fixes: 36a15e1cb134 ("net: usb: ax88179_178a needs FLAG_SEND_ZLP")
Cc: stable@vger.kernel.org
Reported-by: Ronald Wahl <ronald.wahl@raritan.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216327
Link: https://bugs.archlinux.org/task/75491
Signed-off-by: Jose Alonso <joalonsof@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/ax88179_178a.c |   26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

--- a/drivers/net/usb/ax88179_178a.c
+++ b/drivers/net/usb/ax88179_178a.c
@@ -1801,7 +1801,7 @@ static const struct driver_info ax88179_
 	.link_reset = ax88179_link_reset,
 	.reset = ax88179_reset,
 	.stop = ax88179_stop,
-	.flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+	.flags = FLAG_ETHER | FLAG_FRAMING_AX,
 	.rx_fixup = ax88179_rx_fixup,
 	.tx_fixup = ax88179_tx_fixup,
 };
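
Review bot: The `.flags` initialiser changed here is edited identically in all thirteen driver_info structures touched by this patch; one shared define for the common flag set would turn a change like this into a single line and remove the chance of one entry being missed. Since the commit message says the original problem still needs another solution, a short comment next to the flags recording why FLAG_SEND_ZLP must not be set would keep it from being reintroduced.
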
@@ -1814,7 +1814,7 @@ static const struct driver_info ax88178a
 	.link_reset = ax88179_link_reset,
 	.reset = ax88179_reset,
 	.stop = ax88179_stop,
-	.flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+	.flags = FLAG_ETHER | FLAG_FRAMING_AX,
 	.rx_fixup = ax88179_rx_fixup,
 	.tx_fixup = ax88179_tx_fixup,
 };
@@ -1827,7 +1827,7 @@ static const struct driver_info cypress_
 	.link_reset = ax88179_link_reset,
 	.reset = ax88179_reset,
 	.stop = ax88179_stop,
-	.flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+	.flags = FLAG_ETHER | FLAG_FRAMING_AX,
 	.rx_fixup = ax88179_rx_fixup,
 	.tx_fixup = ax88179_tx_fixup,
 };
@@ -1840,7 +1840,7 @@ static const struct driver_info dlink_du
 	.link_reset = ax88179_link_reset,
 	.reset = ax88179_reset,
 	.stop = ax88179_stop,
-	.flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+	.flags = FLAG_ETHER | FLAG_FRAMING_AX,
 	.rx_fixup = ax88179_rx_fixup,
 	.tx_fixup = ax88179_tx_fixup,
 };
@@ -1853,7 +1853,7 @@ static const struct driver_info sitecom_
 	.link_reset = ax88179_link_reset,
 	.reset = ax88179_reset,
 	.stop = ax88179_stop,
-	.flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+	.flags = FLAG_ETHER | FLAG_FRAMING_AX,
 	.rx_fixup = ax88179_rx_fixup,
 	.tx_fixup = ax88179_tx_fixup,
 };
@@ -1866,7 +1866,7 @@ static const struct driver_info samsung_
 	.link_reset = ax88179_link_reset,
 	.reset = ax88179_reset,
 	.stop = ax88179_stop,
-	.flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+	.flags = FLAG_ETHER | FLAG_FRAMING_AX,
 	.rx_fixup = ax88179_rx_fixup,
 	.tx_fixup = ax88179_tx_fixup,
 };
@@ -1879,7 +1879,7 @@ static const struct driver_info lenovo_i
 	.link_reset = ax88179_link_reset,
 	.reset = ax88179_reset,
 	.stop = ax88179_stop,
-	.flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+	.flags = FLAG_ETHER | FLAG_FRAMING_AX,
 	.rx_fixup = ax88179_rx_fixup,
 	.tx_fixup = ax88179_tx_fixup,
 };
@@ -1892,7 +1892,7 @@ static const struct driver_info belkin_i
 	.link_reset = ax88179_link_reset,
 	.reset	= ax88179_reset,
 	.stop	= ax88179_stop,
-	.flags	= FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+	.flags	= FLAG_ETHER | FLAG_FRAMING_AX,
 	.rx_fixup = ax88179_rx_fixup,
 	.tx_fixup = ax88179_tx_fixup,
 };
@@ -1905,7 +1905,7 @@ static const struct driver_info toshiba_
 	.link_reset = ax88179_link_reset,
 	.reset	= ax88179_reset,
 	.stop = ax88179_stop,
-	.flags	= FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+	.flags	= FLAG_ETHER | FLAG_FRAMING_AX,
 	.rx_fixup = ax88179_rx_fixup,
 	.tx_fixup = ax88179_tx_fixup,
 };
@@ -1918,7 +1918,7 @@ static const struct driver_info mct_info
 	.link_reset = ax88179_link_reset,
 	.reset	= ax88179_reset,
 	.stop	= ax88179_stop,
-	.flags	= FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+	.flags	= FLAG_ETHER | FLAG_FRAMING_AX,
 	.rx_fixup = ax88179_rx_fixup,
 	.tx_fixup = ax88179_tx_fixup,
 };
@@ -1931,7 +1931,7 @@ static const struct driver_info at_umc20
 	.link_reset = ax88179_link_reset,
 	.reset  = ax88179_reset,
 	.stop   = ax88179_stop,
-	.flags  = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+	.flags  = FLAG_ETHER | FLAG_FRAMING_AX,
 	.rx_fixup = ax88179_rx_fixup,
 	.tx_fixup = ax88179_tx_fixup,
 };
@@ -1944,7 +1944,7 @@ static const struct driver_info at_umc20
 	.link_reset = ax88179_link_reset,
 	.reset  = ax88179_reset,
 	.stop   = ax88179_stop,
-	.flags  = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+	.flags  = FLAG_ETHER | FLAG_FRAMING_AX,
 	.rx_fixup = ax88179_rx_fixup,
 	.tx_fixup = ax88179_tx_fixup,
 };
@@ -1957,7 +1957,7 @@ static const struct driver_info at_umc20
 	.link_reset = ax88179_link_reset,
 	.reset  = ax88179_reset,
 	.stop   = ax88179_stop,
-	.flags  = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+	.flags  = FLAG_ETHER | FLAG_FRAMING_AX,
 	.rx_fixup = ax88179_rx_fixup,
 	.tx_fixup = ax88179_tx_fixup,
 };




* [PATCH 5.19 0135/1157] ARM: dts: uniphier: Fix USB interrupts for PXs2 SoC
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ryuta NAKANISHI, Kunihiko Hayashi,
	Arnd Bergmann

From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>

commit 9b0dc7abb5cc43a2dbf90690c3c6011dcadc574d upstream.

The interrupt for the USB device is shared with the USB host. Set the interrupt-names
property to common "dwc_usb3" instead of "host" and "peripheral".

Cc: stable@vger.kernel.org
Fixes: 45be1573ad19 ("ARM: dts: uniphier: Add USB3 controller nodes")
Reported-by: Ryuta NAKANISHI <nakanishi.ryuta@socionext.com>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/boot/dts/uniphier-pxs2.dtsi |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/arm/boot/dts/uniphier-pxs2.dtsi
+++ b/arch/arm/boot/dts/uniphier-pxs2.dtsi
@@ -597,8 +597,8 @@
 			compatible = "socionext,uniphier-dwc3", "snps,dwc3";
 			status = "disabled";
 			reg = <0x65a00000 0xcd00>;
-			interrupt-names = "host", "peripheral";
-			interrupts = <0 134 4>, <0 135 4>;
+			interrupt-names = "dwc_usb3";
+			interrupts = <0 134 4>;
 			pinctrl-names = "default";
 			pinctrl-0 = <&pinctrl_usb0>, <&pinctrl_usb2>;
 			clock-names = "ref", "bus_early", "suspend";
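
Review bot: Besides renaming the interrupt, this hunk drops the second specifier `<0 135 4>` entirely, which the commit message does not mention. State in the message whether that interrupt line is unused on this SoC or simply not consumed by the controller node. The same applies to `<0 138 4>` in the next hunk.
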
@@ -693,8 +693,8 @@
 			compatible = "socionext,uniphier-dwc3", "snps,dwc3";
 			status = "disabled";
 			reg = <0x65c00000 0xcd00>;
-			interrupt-names = "host", "peripheral";
-			interrupts = <0 137 4>, <0 138 4>;
+			interrupt-names = "dwc_usb3";
+			interrupts = <0 137 4>;
 			pinctrl-names = "default";
 			pinctrl-0 = <&pinctrl_usb1>, <&pinctrl_usb3>;
 			clock-names = "ref", "bus_early", "suspend";




* [PATCH 5.19 0136/1157] arm64: dts: uniphier: Fix USB interrupts for PXs3 SoC
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ryuta NAKANISHI, Kunihiko Hayashi,
	Arnd Bergmann

From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>

commit fe17b91a7777df140d0f1433991da67ba658796c upstream.

The interrupt for the USB device is shared with the USB host. Set the interrupt-names
property to common "dwc_usb3" instead of "host" and "peripheral".

Cc: stable@vger.kernel.org
Fixes: d7b9beb830d7 ("arm64: dts: uniphier: Add USB3 controller nodes")
Reported-by: Ryuta NAKANISHI <nakanishi.ryuta@socionext.com>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi
+++ b/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi
@@ -599,8 +599,8 @@
 			compatible = "socionext,uniphier-dwc3", "snps,dwc3";
 			status = "disabled";
 			reg = <0x65a00000 0xcd00>;
-			interrupt-names = "host", "peripheral";
-			interrupts = <0 134 4>, <0 135 4>;
+			interrupt-names = "dwc_usb3";
+			interrupts = <0 134 4>;
 			pinctrl-names = "default";
 			pinctrl-0 = <&pinctrl_usb0>, <&pinctrl_usb2>;
 			clock-names = "ref", "bus_early", "suspend";
@@ -701,8 +701,8 @@
 			compatible = "socionext,uniphier-dwc3", "snps,dwc3";
 			status = "disabled";
 			reg = <0x65c00000 0xcd00>;
-			interrupt-names = "host", "peripheral";
-			interrupts = <0 137 4>, <0 138 4>;
+			interrupt-names = "dwc_usb3";
+			interrupts = <0 137 4>;
 			pinctrl-names = "default";
 			pinctrl-0 = <&pinctrl_usb1>, <&pinctrl_usb3>;
 			clock-names = "ref", "bus_early", "suspend";




* [PATCH 5.19 0137/1157] USB: gadget: Fix use-after-free Read in usb_udc_uevent()
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Stern, syzbot+b0de012ceb1e2a97891b

From: Alan Stern <stern@rowland.harvard.edu>

commit 2191c00855b03aa59c20e698be713d952d51fc18 upstream.

The syzbot fuzzer found a race between uevent callbacks and gadget
driver unregistration that can cause a use-after-free bug:

---------------------------------------------------------------
BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130
drivers/usb/gadget/udc/core.c:1732
Read of size 8 at addr ffff888078ce2050 by task udevd/2968

CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
06/29/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report+0xbe/0x1f0 mm/kasan/report.c:495
 usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732
 dev_uevent+0x290/0x770 drivers/base/core.c:2424
---------------------------------------------------------------

The bug occurs because usb_udc_uevent() dereferences udc->driver but
does so without acquiring the udc_lock mutex, which protects this
field.  If the gadget driver is unbound from the udc concurrently with
uevent processing, the driver structure may be accessed after it has
been deallocated.

To prevent the race, we make sure that the routine holds the mutex
around the racing accesses.

Link: <https://lore.kernel.org/all/0000000000004de90405a719c951@google.com>
CC: stable@vger.kernel.org # fc274c1e9973
Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/core.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/usb/gadget/udc/core.c
+++ b/drivers/usb/gadget/udc/core.c
@@ -1728,13 +1728,14 @@ static int usb_udc_uevent(struct device
 		return ret;
 	}
 
-	if (udc->driver) {
+	mutex_lock(&udc_lock);
+	if (udc->driver)
 		ret = add_uevent_var(env, "USB_UDC_DRIVER=%s",
 				udc->driver->function);
-		if (ret) {
-			dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n");
-			return ret;
-		}
+	mutex_unlock(&udc_lock);
+	if (ret) {
+		dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n");
+		return ret;
 	}
 
 	return 0;
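
Review bot: The relocated `if (ret)` now runs even when udc->driver is NULL, so it depends on `ret` still holding the value left by the code before this block rather than on the add_uevent_var() call inside the lock. Assigning `ret = 0;` before taking the mutex, or a one-line comment, would make that dependency explicit. Keeping dev_err() outside the mutex is a good choice, since it keeps the critical section down to the udc->driver dereference.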




* [PATCH 5.19 0138/1157] usb: dwc3: gadget: refactor dwc3_repare_one_trb
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, stable, Michael Grzeschik

From: Michael Grzeschik <m.grzeschik@pengutronix.de>

commit 23385cec5f354794dadced7f28c31da7ae3eb54c upstream.

The function __dwc3_prepare_one_trb has many parameters. Since it is
only used in dwc3_prepare_one_trb there is no point in keeping the
function. We merge both functions and get rid of the big list of
parameters.

Fixes: 40d829fb2ec6 ("usb: dwc3: gadget: Correct ISOC DATA PIDs for short packets")
Cc: stable <stable@kernel.org>
Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Link: https://lore.kernel.org/r/20220704141812.1532306-2-m.grzeschik@pengutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/gadget.c |   92 ++++++++++++++++++++--------------------------
 1 file changed, 40 insertions(+), 52 deletions(-)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1182,17 +1182,49 @@ static u32 dwc3_calc_trbs_left(struct dw
 	return trbs_left;
 }
 
-static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb,
-		dma_addr_t dma, unsigned int length, unsigned int chain,
-		unsigned int node, unsigned int stream_id,
-		unsigned int short_not_ok, unsigned int no_interrupt,
-		unsigned int is_last, bool must_interrupt)
+/**
+ * dwc3_prepare_one_trb - setup one TRB from one request
+ * @dep: endpoint for which this request is prepared
+ * @req: dwc3_request pointer
+ * @trb_length: buffer size of the TRB
+ * @chain: should this TRB be chained to the next?
+ * @node: only for isochronous endpoints. First TRB needs different type.
+ * @use_bounce_buffer: set to use bounce buffer
+ * @must_interrupt: set to interrupt on TRB completion
+ */
+static void dwc3_prepare_one_trb(struct dwc3_ep *dep,
+		struct dwc3_request *req, unsigned int trb_length,
+		unsigned int chain, unsigned int node, bool use_bounce_buffer,
+		bool must_interrupt)
 {
+	struct dwc3_trb		*trb;
+	dma_addr_t		dma;
+	unsigned int		stream_id = req->request.stream_id;
+	unsigned int		short_not_ok = req->request.short_not_ok;
+	unsigned int		no_interrupt = req->request.no_interrupt;
+	unsigned int		is_last = req->request.is_last;
 	struct dwc3		*dwc = dep->dwc;
 	struct usb_gadget	*gadget = dwc->gadget;
 	enum usb_device_speed	speed = gadget->speed;
 
-	trb->size = DWC3_TRB_SIZE_LENGTH(length);
+	if (use_bounce_buffer)
+		dma = dep->dwc->bounce_addr;
+	else if (req->request.num_sgs > 0)
+		dma = sg_dma_address(req->start_sg);
+	else
+		dma = req->request.dma;
+
+	trb = &dep->trb_pool[dep->trb_enqueue];
+
+	if (!req->trb) {
+		dwc3_gadget_move_started_request(req);
+		req->trb = trb;
+		req->trb_dma = dwc3_trb_dma_offset(dep, trb);
+	}
+
+	req->num_trbs++;
+
+	trb->size = DWC3_TRB_SIZE_LENGTH(trb_length);
 	trb->bpl = lower_32_bits(dma);
 	trb->bph = upper_32_bits(dma);
 
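
Review bot: The merged function already has `struct dwc3 *dwc = dep->dwc;` in scope, but the bounce-buffer branch moved in from the old wrapper still reads `dep->dwc->bounce_addr`. Use `dwc->bounce_addr` there so the function refers to the controller in one way throughout.
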
@@ -1232,10 +1264,10 @@ static void __dwc3_prepare_one_trb(struc
 				unsigned int mult = 2;
 				unsigned int maxp = usb_endpoint_maxp(ep->desc);
 
-				if (length <= (2 * maxp))
+				if (trb_length <= (2 * maxp))
 					mult--;
 
-				if (length <= maxp)
+				if (trb_length <= maxp)
 					mult--;
 
 				trb->size |= DWC3_TRB_SIZE_PCM1(mult);
@@ -1309,50 +1341,6 @@ static void __dwc3_prepare_one_trb(struc
 	trace_dwc3_prepare_trb(dep, trb);
 }
 
-/**
- * dwc3_prepare_one_trb - setup one TRB from one request
- * @dep: endpoint for which this request is prepared
- * @req: dwc3_request pointer
- * @trb_length: buffer size of the TRB
- * @chain: should this TRB be chained to the next?
- * @node: only for isochronous endpoints. First TRB needs different type.
- * @use_bounce_buffer: set to use bounce buffer
- * @must_interrupt: set to interrupt on TRB completion
- */
-static void dwc3_prepare_one_trb(struct dwc3_ep *dep,
-		struct dwc3_request *req, unsigned int trb_length,
-		unsigned int chain, unsigned int node, bool use_bounce_buffer,
-		bool must_interrupt)
-{
-	struct dwc3_trb		*trb;
-	dma_addr_t		dma;
-	unsigned int		stream_id = req->request.stream_id;
-	unsigned int		short_not_ok = req->request.short_not_ok;
-	unsigned int		no_interrupt = req->request.no_interrupt;
-	unsigned int		is_last = req->request.is_last;
-
-	if (use_bounce_buffer)
-		dma = dep->dwc->bounce_addr;
-	else if (req->request.num_sgs > 0)
-		dma = sg_dma_address(req->start_sg);
-	else
-		dma = req->request.dma;
-
-	trb = &dep->trb_pool[dep->trb_enqueue];
-
-	if (!req->trb) {
-		dwc3_gadget_move_started_request(req);
-		req->trb = trb;
-		req->trb_dma = dwc3_trb_dma_offset(dep, trb);
-	}
-
-	req->num_trbs++;
-
-	__dwc3_prepare_one_trb(dep, trb, dma, trb_length, chain, node,
-			stream_id, short_not_ok, no_interrupt, is_last,
-			must_interrupt);
-}
-
 static bool dwc3_needs_extra_trb(struct dwc3_ep *dep, struct dwc3_request *req)
 {
 	unsigned int maxp = usb_endpoint_maxp(dep->endpoint.desc);




* [PATCH 5.19 0139/1157] usb: dwc3: gadget: fix high speed multiplier setting
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, stable, Michael Grzeschik

From: Michael Grzeschik <m.grzeschik@pengutronix.de>

commit 8affe37c525d800a2628c4ecfaed13b77dc5634a upstream.

For High-Speed Transfers the prepare_one_trb function is calculating the
multiplier setting for the trb based on the length parameter of the trb
currently prepared. This assumption is wrong. For trbs with a sg list,
the length of the actual request has to be taken instead.

Fixes: 40d829fb2ec6 ("usb: dwc3: gadget: Correct ISOC DATA PIDs for short packets")
Cc: stable <stable@kernel.org>
Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Link: https://lore.kernel.org/r/20220704141812.1532306-3-m.grzeschik@pengutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/gadget.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1264,10 +1264,10 @@ static void dwc3_prepare_one_trb(struct
 				unsigned int mult = 2;
 				unsigned int maxp = usb_endpoint_maxp(ep->desc);
 
-				if (trb_length <= (2 * maxp))
+				if (req->request.length <= (2 * maxp))
 					mult--;
 
-				if (trb_length <= maxp)
+				if (req->request.length <= maxp)
 					mult--;
 
 				trb->size |= DWC3_TRB_SIZE_PCM1(mult);
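
Review bot: With `req->request.length` in both comparisons, the multiplier is now identical for every TRB prepared for a request, including requests without a scatter-gather list, while the commit message only discusses TRBs with an sg list. A comment above the two comparisons saying that the PCM1 value is derived from the whole request rather than the current TRB would explain why `trb_length` is no longer used here.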




* [PATCH 5.19 0140/1157] netfilter: nf_tables: do not allow SET_ID to refer to another table
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thadeu Lima de Souza Cascardo,
	Pablo Neira Ayuso

From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

commit 470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2 upstream.

When doing lookups for sets on the same batch by using its ID, a set from a
different table can be used.

Then, when the table is removed, a reference to the set may be kept after
the set is freed, leading to a potential use-after-free.

When looking for sets by ID, use the table that was used for the lookup by
name, and only return sets belonging to that same table.

This fixes CVE-2022-2586, also reported as ZDI-CAN-17470.

Reported-by: Team Orca of Sea Security (@seasecresponse)
Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/nf_tables_api.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3842,6 +3842,7 @@ static struct nft_set *nft_set_lookup_by
 }
 
 static struct nft_set *nft_set_lookup_byid(const struct net *net,
+					   const struct nft_table *table,
 					   const struct nlattr *nla, u8 genmask)
 {
 	struct nftables_pernet *nft_net = nft_pernet(net);
@@ -3853,6 +3854,7 @@ static struct nft_set *nft_set_lookup_by
 			struct nft_set *set = nft_trans_set(trans);
 
 			if (id == nft_trans_set_id(trans) &&
+			    set->table == table &&
 			    nft_active_genmask(set, genmask))
 				return set;
 		}
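Review bot: the added set->table == table test is what scopes a batch-local set ID to the table the caller resolved by name, yet the condition carries no comment and reads like an optional extra filter. Please add a line above it saying that set IDs are only valid within their own table, and consider a selftest that expects a lookup by ID to fail when the ID belongs to a set in a different table.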
@@ -3873,7 +3875,7 @@ struct nft_set *nft_set_lookup_global(co
 		if (!nla_set_id)
 			return set;
 
-		set = nft_set_lookup_byid(net, nla_set_id, genmask);
+		set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
 	}
 	return set;
 }




* [PATCH 5.19 0141/1157] netfilter: nf_tables: do not allow CHAIN_ID to refer to another table
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0140/1157] netfilter: nf_tables: do not allow SET_ID to refer to another table Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0142/1157] netfilter: nf_tables: do not allow RULE_ID to refer to another chain Greg Kroah-Hartman
                   ` (854 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thadeu Lima de Souza Cascardo,
	Pablo Neira Ayuso

From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

commit 95f466d22364a33d183509629d0879885b4f547e upstream.

When doing lookups for chains on the same batch by using its ID, a chain
from a different table can be used. If a rule is added to a table but
refers to a chain in a different table, it will be linked to the chain in
table2, but would have expressions referring to objects in table1.

Then, when table1 is removed, the rule will not be removed as it's linked to
a chain in table2. When expressions in the rule are processed or removed,
that will lead to a use-after-free.

When looking for chains by ID, use the table that was used for the lookup
by name, and only return chains belonging to that same table.

Fixes: 837830a4b439 ("netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/nf_tables_api.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2472,6 +2472,7 @@ err:
 }
 
 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
+					       const struct nft_table *table,
 					       const struct nlattr *nla)
 {
 	struct nftables_pernet *nft_net = nft_pernet(net);
@@ -2482,6 +2483,7 @@ static struct nft_chain *nft_chain_looku
 		struct nft_chain *chain = trans->ctx.chain;
 
 		if (trans->msg_type == NFT_MSG_NEWCHAIN &&
+		    chain->table == table &&
 		    id == nft_trans_chain_id(trans))
 			return chain;
 	}
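Review bot: chain is loaded from trans->ctx.chain before the message type is known, so the new chain->table dereference is only safe because the NFT_MSG_NEWCHAIN test comes first in the && chain. That ordering is now load-bearing; either move the assignment inside the type check or add a comment so the conditions are not reordered later.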
@@ -3417,7 +3419,7 @@ static int nf_tables_newrule(struct sk_b
 			return -EOPNOTSUPP;
 
 	} else if (nla[NFTA_RULE_CHAIN_ID]) {
-		chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
+		chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID]);
 		if (IS_ERR(chain)) {
 			NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
 			return PTR_ERR(chain);
@@ -9607,7 +9609,7 @@ static int nft_verdict_init(const struct
 						 tb[NFTA_VERDICT_CHAIN],
 						 genmask);
 		} else if (tb[NFTA_VERDICT_CHAIN_ID]) {
-			chain = nft_chain_lookup_byid(ctx->net,
+			chain = nft_chain_lookup_byid(ctx->net, ctx->table,
 						      tb[NFTA_VERDICT_CHAIN_ID]);
 			if (IS_ERR(chain))
 				return PTR_ERR(chain);
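Review bot: this call site in nft_verdict_init() takes the table from ctx->table, while the changelog only describes the case of a rule attached to a chain from another table. Please mention in the commit message that NFTA_VERDICT_CHAIN_ID lookups are scoped the same way, so the verdict path is covered by the description and by any test written from it.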




* [PATCH 5.19 0142/1157] netfilter: nf_tables: do not allow RULE_ID to refer to another chain
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0141/1157] netfilter: nf_tables: do not allow CHAIN_ID " Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0143/1157] netfilter: nf_tables: upfront validation of data via nft_data_init() Greg Kroah-Hartman
                   ` (853 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thadeu Lima de Souza Cascardo,
	Pablo Neira Ayuso

From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

commit 36d5b2913219ac853908b0f1c664345e04313856 upstream.

When doing lookups for rules on the same batch by using its ID, a rule from
a different chain can be used. If a rule is added to a chain but tries to
be positioned next to a rule from a different chain, it will be linked to
chain2, but the use counter on chain1 would be the one to be incremented.

When looking for rules by ID, use the chain that was used for the lookup by
name. The chain used in the context copied to the transaction needs to
match that same chain. That way, struct nft_rule does not need to get
enlarged with another member.

Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute")
Fixes: 75dd48e2e420 ("netfilter: nf_tables: Support RULE_ID reference in new rule")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/nf_tables_api.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3373,6 +3373,7 @@ static int nft_table_validate(struct net
 }
 
 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
+					     const struct nft_chain *chain,
 					     const struct nlattr *nla);
 
 #define NFT_RULE_MAXEXPRS	128
@@ -3461,7 +3462,7 @@ static int nf_tables_newrule(struct sk_b
 				return PTR_ERR(old_rule);
 			}
 		} else if (nla[NFTA_RULE_POSITION_ID]) {
-			old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
+			old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
 			if (IS_ERR(old_rule)) {
 				NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
 				return PTR_ERR(old_rule);
@@ -3606,6 +3607,7 @@ err_release_expr:
 }
 
 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
+					     const struct nft_chain *chain,
 					     const struct nlattr *nla)
 {
 	struct nftables_pernet *nft_net = nft_pernet(net);
@@ -3616,6 +3618,7 @@ static struct nft_rule *nft_rule_lookup_
 		struct nft_rule *rule = nft_trans_rule(trans);
 
 		if (trans->msg_type == NFT_MSG_NEWRULE &&
+		    trans->ctx.chain == chain &&
 		    id == nft_trans_rule_id(trans))
 			return rule;
 	}
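Review bot: the check compares trans->ctx.chain with the caller's chain instead of a field on the rule itself, which holds only as long as the context copied into the transaction always names the chain the rule was added to. The changelog explains the choice (it avoids enlarging struct nft_rule), but the code does not; a comment next to trans->ctx.chain == chain stating that invariant would help.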
@@ -3665,7 +3668,7 @@ static int nf_tables_delrule(struct sk_b
 
 			err = nft_delrule(&ctx, rule);
 		} else if (nla[NFTA_RULE_ID]) {
-			rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
+			rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
 			if (IS_ERR(rule)) {
 				NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
 				return PTR_ERR(rule);




* [PATCH 5.19 0143/1157] netfilter: nf_tables: upfront validation of data via nft_data_init()
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0142/1157] netfilter: nf_tables: do not allow RULE_ID to refer to another chain Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0144/1157] netfilter: nf_tables: disallow jump to implicit chain from set element Greg Kroah-Hartman
                   ` (852 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pablo Neira Ayuso

From: Pablo Neira Ayuso <pablo@netfilter.org>

commit 341b6941608762d8235f3fd1e45e4d7114ed8c2c upstream.

Instead of parsing the data and then validating that type and length are
correct, pass a description of the expected data so it can be validated
upfront before parsing it to bail out earlier.

This patch adds a new .size field to specify the maximum size of the
data area. The .len field is optional and it is used as an input/output
field, it provides the specific length of the expected data in the input
path. If the .len field is not specified, then the obtained length from the
netlink attribute is stored. This is required by cmp, bitwise, range and
immediate, which provide no netlink attribute that describes the data
length. The immediate expression uses the destination register type to
infer the expected data type.

Relying on opencoded validation of the expected data might lead to
subtle bugs as described in 7e6bc1f6cabc ("netfilter: nf_tables:
stricter validation of element data").

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/netfilter/nf_tables.h |    4 -
 net/netfilter/nf_tables_api.c     |   78 +++++++++++++++++++-------------------
 net/netfilter/nft_bitwise.c       |   66 ++++++++++++++++----------------
 net/netfilter/nft_cmp.c           |   44 +++++++++------------
 net/netfilter/nft_immediate.c     |   22 +++++++++-
 net/netfilter/nft_range.c         |   27 +++++--------
 6 files changed, 126 insertions(+), 115 deletions(-)

--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -208,11 +208,11 @@ struct nft_ctx {
 
 struct nft_data_desc {
 	enum nft_data_types		type;
+	unsigned int			size;
 	unsigned int			len;
 };
 
-int nft_data_init(const struct nft_ctx *ctx,
-		  struct nft_data *data, unsigned int size,
+int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
 		  struct nft_data_desc *desc, const struct nlattr *nla);
 void nft_data_hold(const struct nft_data *data, enum nft_data_types type);
 void nft_data_release(const struct nft_data *data, enum nft_data_types type);
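Review bot: struct nft_data_desc now has size and len side by side with no comment telling them apart, and the changelog is the only place that says size is the maximum size of the data area while len is an optional expected length that is filled in from the attribute when left unset. Please add kernel-doc for the struct covering which fields the caller must set before nft_data_init() and which are outputs.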
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5202,19 +5202,13 @@ static int nft_setelem_parse_flags(const
 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
 				 struct nft_data *key, struct nlattr *attr)
 {
-	struct nft_data_desc desc;
-	int err;
-
-	err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
-	if (err < 0)
-		return err;
-
-	if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
-		nft_data_release(key, desc.type);
-		return -EINVAL;
-	}
+	struct nft_data_desc desc = {
+		.type	= NFT_DATA_VALUE,
+		.size	= NFT_DATA_VALUE_MAXLEN,
+		.len	= set->klen,
+	};
 
-	return 0;
+	return nft_data_init(ctx, key, &desc, attr);
 }
 
 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
@@ -5223,24 +5217,17 @@ static int nft_setelem_parse_data(struct
 				  struct nlattr *attr)
 {
 	u32 dtype;
-	int err;
-
-	err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
-	if (err < 0)
-		return err;
 
 	if (set->dtype == NFT_DATA_VERDICT)
 		dtype = NFT_DATA_VERDICT;
 	else
 		dtype = NFT_DATA_VALUE;
 
-	if (dtype != desc->type ||
-	    set->dlen != desc->len) {
-		nft_data_release(data, desc->type);
-		return -EINVAL;
-	}
+	desc->type = dtype;
+	desc->size = NFT_DATA_VALUE_MAXLEN;
+	desc->len = set->dlen;
 
-	return 0;
+	return nft_data_init(ctx, data, desc, attr);
 }
 
 static void *nft_setelem_catchall_get(const struct net *net,
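Review bot: the removed post-check rejected element data whenever set->dlen differed from the parsed length, for verdicts as well as values. After this change desc->len = set->dlen is only enforced where the init helper honours it: nft_value_init() compares len against desc->len, but nft_verdict_init() still overwrites desc->len with sizeof(data->verdict) without comparing. If set->dlen is guaranteed to equal that size for verdict maps, say so in the changelog; otherwise add the comparison to the verdict path.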
@@ -9631,7 +9618,7 @@ static int nft_verdict_init(const struct
 	}
 
 	desc->len = sizeof(data->verdict);
-	desc->type = NFT_DATA_VERDICT;
+
 	return 0;
 }
 
@@ -9684,20 +9671,25 @@ nla_put_failure:
 }
 
 static int nft_value_init(const struct nft_ctx *ctx,
-			  struct nft_data *data, unsigned int size,
-			  struct nft_data_desc *desc, const struct nlattr *nla)
+			  struct nft_data *data, struct nft_data_desc *desc,
+			  const struct nlattr *nla)
 {
 	unsigned int len;
 
 	len = nla_len(nla);
 	if (len == 0)
 		return -EINVAL;
-	if (len > size)
+	if (len > desc->size)
 		return -EOVERFLOW;
+	if (desc->len) {
+		if (len != desc->len)
+			return -EINVAL;
+	} else {
+		desc->len = len;
+	}
 
 	nla_memcpy(data->data, nla, len);
-	desc->type = NFT_DATA_VALUE;
-	desc->len  = len;
+
 	return 0;
 }
 
@@ -9717,7 +9709,6 @@ static const struct nla_policy nft_data_
  *
  *	@ctx: context of the expression using the data
  *	@data: destination struct nft_data
- *	@size: maximum data length
  *	@desc: data description
  *	@nla: netlink attribute containing data
  *
@@ -9727,24 +9718,35 @@ static const struct nla_policy nft_data_
  *	The caller can indicate that it only wants to accept data of type
  *	NFT_DATA_VALUE by passing NULL for the ctx argument.
  */
-int nft_data_init(const struct nft_ctx *ctx,
-		  struct nft_data *data, unsigned int size,
+int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
 		  struct nft_data_desc *desc, const struct nlattr *nla)
 {
 	struct nlattr *tb[NFTA_DATA_MAX + 1];
 	int err;
 
+	if (WARN_ON_ONCE(!desc->size))
+		return -EINVAL;
+
 	err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
 					  nft_data_policy, NULL);
 	if (err < 0)
 		return err;
 
-	if (tb[NFTA_DATA_VALUE])
-		return nft_value_init(ctx, data, size, desc,
-				      tb[NFTA_DATA_VALUE]);
-	if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
-		return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
-	return -EINVAL;
+	if (tb[NFTA_DATA_VALUE]) {
+		if (desc->type != NFT_DATA_VALUE)
+			return -EINVAL;
+
+		err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
+	} else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
+		if (desc->type != NFT_DATA_VERDICT)
+			return -EINVAL;
+
+		err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
+	} else {
+		err = -EINVAL;
+	}
+
+	return err;
 }
 EXPORT_SYMBOL_GPL(nft_data_init);
 
--- a/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@ -93,7 +93,16 @@ static const struct nla_policy nft_bitwi
 static int nft_bitwise_init_bool(struct nft_bitwise *priv,
 				 const struct nlattr *const tb[])
 {
-	struct nft_data_desc mask, xor;
+	struct nft_data_desc mask = {
+		.type	= NFT_DATA_VALUE,
+		.size	= sizeof(priv->mask),
+		.len	= priv->len,
+	};
+	struct nft_data_desc xor = {
+		.type	= NFT_DATA_VALUE,
+		.size	= sizeof(priv->xor),
+		.len	= priv->len,
+	};
 	int err;
 
 	if (tb[NFTA_BITWISE_DATA])
@@ -103,37 +112,30 @@ static int nft_bitwise_init_bool(struct
 	    !tb[NFTA_BITWISE_XOR])
 		return -EINVAL;
 
-	err = nft_data_init(NULL, &priv->mask, sizeof(priv->mask), &mask,
-			    tb[NFTA_BITWISE_MASK]);
+	err = nft_data_init(NULL, &priv->mask, &mask, tb[NFTA_BITWISE_MASK]);
 	if (err < 0)
 		return err;
-	if (mask.type != NFT_DATA_VALUE || mask.len != priv->len) {
-		err = -EINVAL;
-		goto err_mask_release;
-	}
 
-	err = nft_data_init(NULL, &priv->xor, sizeof(priv->xor), &xor,
-			    tb[NFTA_BITWISE_XOR]);
+	err = nft_data_init(NULL, &priv->xor, &xor, tb[NFTA_BITWISE_XOR]);
 	if (err < 0)
-		goto err_mask_release;
-	if (xor.type != NFT_DATA_VALUE || xor.len != priv->len) {
-		err = -EINVAL;
-		goto err_xor_release;
-	}
+		goto err_xor_err;
 
 	return 0;
 
-err_xor_release:
-	nft_data_release(&priv->xor, xor.type);
-err_mask_release:
+err_xor_err:
 	nft_data_release(&priv->mask, mask.type);
+
 	return err;
 }
 
 static int nft_bitwise_init_shift(struct nft_bitwise *priv,
 				  const struct nlattr *const tb[])
 {
-	struct nft_data_desc d;
+	struct nft_data_desc desc = {
+		.type	= NFT_DATA_VALUE,
+		.size	= sizeof(priv->data),
+		.len	= sizeof(u32),
+	};
 	int err;
 
 	if (tb[NFTA_BITWISE_MASK] ||
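Review bot: the new label err_xor_err does not say what it does; it is reached when initialising xor failed and it releases the mask. The old name err_mask_release described the action, so keep that name for the single remaining label.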
@@ -143,13 +145,12 @@ static int nft_bitwise_init_shift(struct
 	if (!tb[NFTA_BITWISE_DATA])
 		return -EINVAL;
 
-	err = nft_data_init(NULL, &priv->data, sizeof(priv->data), &d,
-			    tb[NFTA_BITWISE_DATA]);
+	err = nft_data_init(NULL, &priv->data, &desc, tb[NFTA_BITWISE_DATA]);
 	if (err < 0)
 		return err;
-	if (d.type != NFT_DATA_VALUE || d.len != sizeof(u32) ||
-	    priv->data.data[0] >= BITS_PER_TYPE(u32)) {
-		nft_data_release(&priv->data, d.type);
+
+	if (priv->data.data[0] >= BITS_PER_TYPE(u32)) {
+		nft_data_release(&priv->data, desc.type);
 		return -EINVAL;
 	}
 
@@ -339,22 +340,21 @@ static const struct nft_expr_ops nft_bit
 static int
 nft_bitwise_extract_u32_data(const struct nlattr * const tb, u32 *out)
 {
-	struct nft_data_desc desc;
 	struct nft_data data;
-	int err = 0;
+	struct nft_data_desc desc = {
+		.type	= NFT_DATA_VALUE,
+		.size	= sizeof(data),
+		.len	= sizeof(u32),
+	};
+	int err;
 
-	err = nft_data_init(NULL, &data, sizeof(data), &desc, tb);
+	err = nft_data_init(NULL, &data, &desc, tb);
 	if (err < 0)
 		return err;
 
-	if (desc.type != NFT_DATA_VALUE || desc.len != sizeof(u32)) {
-		err = -EINVAL;
-		goto err;
-	}
 	*out = data.data[0];
-err:
-	nft_data_release(&data, desc.type);
-	return err;
+
+	return 0;
 }
 
 static int nft_bitwise_fast_init(const struct nft_ctx *ctx,
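Review bot: nft_data_release() used to run on every exit from nft_bitwise_extract_u32_data(), including the success path, and is now gone entirely. That relies on desc.type being pinned to NFT_DATA_VALUE, so that nft_data_init() cannot hand back data that needs releasing; a one-line comment to that effect would stop someone from relaxing the type later without restoring the release.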
--- a/net/netfilter/nft_cmp.c
+++ b/net/netfilter/nft_cmp.c
@@ -73,20 +73,16 @@ static int nft_cmp_init(const struct nft
 			const struct nlattr * const tb[])
 {
 	struct nft_cmp_expr *priv = nft_expr_priv(expr);
-	struct nft_data_desc desc;
+	struct nft_data_desc desc = {
+		.type	= NFT_DATA_VALUE,
+		.size	= sizeof(priv->data),
+	};
 	int err;
 
-	err = nft_data_init(NULL, &priv->data, sizeof(priv->data), &desc,
-			    tb[NFTA_CMP_DATA]);
+	err = nft_data_init(NULL, &priv->data, &desc, tb[NFTA_CMP_DATA]);
 	if (err < 0)
 		return err;
 
-	if (desc.type != NFT_DATA_VALUE) {
-		err = -EINVAL;
-		nft_data_release(&priv->data, desc.type);
-		return err;
-	}
-
 	err = nft_parse_register_load(tb[NFTA_CMP_SREG], &priv->sreg, desc.len);
 	if (err < 0)
 		return err;
@@ -202,12 +198,14 @@ static int nft_cmp_fast_init(const struc
 			     const struct nlattr * const tb[])
 {
 	struct nft_cmp_fast_expr *priv = nft_expr_priv(expr);
-	struct nft_data_desc desc;
 	struct nft_data data;
+	struct nft_data_desc desc = {
+		.type	= NFT_DATA_VALUE,
+		.size	= sizeof(data),
+	};
 	int err;
 
-	err = nft_data_init(NULL, &data, sizeof(data), &desc,
-			    tb[NFTA_CMP_DATA]);
+	err = nft_data_init(NULL, &data, &desc, tb[NFTA_CMP_DATA]);
 	if (err < 0)
 		return err;
 
@@ -301,11 +299,13 @@ static int nft_cmp16_fast_init(const str
 			       const struct nlattr * const tb[])
 {
 	struct nft_cmp16_fast_expr *priv = nft_expr_priv(expr);
-	struct nft_data_desc desc;
+	struct nft_data_desc desc = {
+		.type	= NFT_DATA_VALUE,
+		.size	= sizeof(priv->data),
+	};
 	int err;
 
-	err = nft_data_init(NULL, &priv->data, sizeof(priv->data), &desc,
-			    tb[NFTA_CMP_DATA]);
+	err = nft_data_init(NULL, &priv->data, &desc, tb[NFTA_CMP_DATA]);
 	if (err < 0)
 		return err;
 
@@ -368,8 +368,11 @@ const struct nft_expr_ops nft_cmp16_fast
 static const struct nft_expr_ops *
 nft_cmp_select_ops(const struct nft_ctx *ctx, const struct nlattr * const tb[])
 {
-	struct nft_data_desc desc;
 	struct nft_data data;
+	struct nft_data_desc desc = {
+		.type	= NFT_DATA_VALUE,
+		.size	= sizeof(data),
+	};
 	enum nft_cmp_ops op;
 	u8 sreg;
 	int err;
@@ -392,14 +395,10 @@ nft_cmp_select_ops(const struct nft_ctx
 		return ERR_PTR(-EINVAL);
 	}
 
-	err = nft_data_init(NULL, &data, sizeof(data), &desc,
-			    tb[NFTA_CMP_DATA]);
+	err = nft_data_init(NULL, &data, &desc, tb[NFTA_CMP_DATA]);
 	if (err < 0)
 		return ERR_PTR(err);
 
-	if (desc.type != NFT_DATA_VALUE)
-		goto err1;
-
 	sreg = ntohl(nla_get_be32(tb[NFTA_CMP_SREG]));
 
 	if (op == NFT_CMP_EQ || op == NFT_CMP_NEQ) {
@@ -411,9 +410,6 @@ nft_cmp_select_ops(const struct nft_ctx
 			return &nft_cmp16_fast_ops;
 	}
 	return &nft_cmp_ops;
-err1:
-	nft_data_release(&data, desc.type);
-	return ERR_PTR(-EINVAL);
 }
 
 struct nft_expr_type nft_cmp_type __read_mostly = {
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -29,20 +29,36 @@ static const struct nla_policy nft_immed
 	[NFTA_IMMEDIATE_DATA]	= { .type = NLA_NESTED },
 };
 
+static enum nft_data_types nft_reg_to_type(const struct nlattr *nla)
+{
+	enum nft_data_types type;
+	u8 reg;
+
+	reg = ntohl(nla_get_be32(nla));
+	if (reg == NFT_REG_VERDICT)
+		type = NFT_DATA_VERDICT;
+	else
+		type = NFT_DATA_VALUE;
+
+	return type;
+}
+
 static int nft_immediate_init(const struct nft_ctx *ctx,
 			      const struct nft_expr *expr,
 			      const struct nlattr * const tb[])
 {
 	struct nft_immediate_expr *priv = nft_expr_priv(expr);
-	struct nft_data_desc desc;
+	struct nft_data_desc desc = {
+		.size	= sizeof(priv->data),
+	};
 	int err;
 
 	if (tb[NFTA_IMMEDIATE_DREG] == NULL ||
 	    tb[NFTA_IMMEDIATE_DATA] == NULL)
 		return -EINVAL;
 
-	err = nft_data_init(ctx, &priv->data, sizeof(priv->data), &desc,
-			    tb[NFTA_IMMEDIATE_DATA]);
+	desc.type = nft_reg_to_type(tb[NFTA_IMMEDIATE_DREG]);
+	err = nft_data_init(ctx, &priv->data, &desc, tb[NFTA_IMMEDIATE_DATA]);
 	if (err < 0)
 		return err;
 
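Review bot: in nft_reg_to_type() the 32-bit attribute is stored in a u8, so reg = ntohl(nla_get_be32(nla)) truncates before the comparison and any value whose low 8 bits equal NFT_REG_VERDICT is classified as NFT_DATA_VERDICT. Declare reg as u32 so the expected type is derived from the full register number; the destination register may well be validated elsewhere, but the type decision made here should not depend on that.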
--- a/net/netfilter/nft_range.c
+++ b/net/netfilter/nft_range.c
@@ -51,7 +51,14 @@ static int nft_range_init(const struct n
 			const struct nlattr * const tb[])
 {
 	struct nft_range_expr *priv = nft_expr_priv(expr);
-	struct nft_data_desc desc_from, desc_to;
+	struct nft_data_desc desc_from = {
+		.type	= NFT_DATA_VALUE,
+		.size	= sizeof(priv->data_from),
+	};
+	struct nft_data_desc desc_to = {
+		.type	= NFT_DATA_VALUE,
+		.size	= sizeof(priv->data_to),
+	};
 	int err;
 	u32 op;
 
@@ -61,26 +68,16 @@ static int nft_range_init(const struct n
 	    !tb[NFTA_RANGE_TO_DATA])
 		return -EINVAL;
 
-	err = nft_data_init(NULL, &priv->data_from, sizeof(priv->data_from),
-			    &desc_from, tb[NFTA_RANGE_FROM_DATA]);
+	err = nft_data_init(NULL, &priv->data_from, &desc_from,
+			    tb[NFTA_RANGE_FROM_DATA]);
 	if (err < 0)
 		return err;
 
-	if (desc_from.type != NFT_DATA_VALUE) {
-		err = -EINVAL;
-		goto err1;
-	}
-
-	err = nft_data_init(NULL, &priv->data_to, sizeof(priv->data_to),
-			    &desc_to, tb[NFTA_RANGE_TO_DATA]);
+	err = nft_data_init(NULL, &priv->data_to, &desc_to,
+			    tb[NFTA_RANGE_TO_DATA]);
 	if (err < 0)
 		goto err1;
 
-	if (desc_to.type != NFT_DATA_VALUE) {
-		err = -EINVAL;
-		goto err2;
-	}
-
 	if (desc_from.len != desc_to.len) {
 		err = -EINVAL;
 		goto err2;




* [PATCH 5.19 0144/1157] netfilter: nf_tables: disallow jump to implicit chain from set element
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0143/1157] netfilter: nf_tables: upfront validation of data via nft_data_init() Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0145/1157] netfilter: nf_tables: fix null deref due to zeroed list head Greg Kroah-Hartman
                   ` (851 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pablo Neira Ayuso

From: Pablo Neira Ayuso <pablo@netfilter.org>

commit f323ef3a0d49e147365284bc1f02212e617b7f09 upstream.

Extend struct nft_data_desc to add a flag field that specifies
nft_data_init() is being called for set element data.

Use it to disallow jump to implicit chain from set element, only jump
to chain via immediate expression is allowed.

Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/netfilter/nf_tables.h |    5 +++++
 net/netfilter/nf_tables_api.c     |    4 ++++
 2 files changed, 9 insertions(+)

--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -206,10 +206,15 @@ struct nft_ctx {
 	bool				report;
 };
 
+enum nft_data_desc_flags {
+	NFT_DATA_DESC_SETELEM	= (1 << 0),
+};
+
 struct nft_data_desc {
 	enum nft_data_types		type;
 	unsigned int			size;
 	unsigned int			len;
+	unsigned int			flags;
 };
 
 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5226,6 +5226,7 @@ static int nft_setelem_parse_data(struct
 	desc->type = dtype;
 	desc->size = NFT_DATA_VALUE_MAXLEN;
 	desc->len = set->dlen;
+	desc->flags = NFT_DATA_DESC_SETELEM;
 
 	return nft_data_init(ctx, data, desc, attr);
 }
@@ -9611,6 +9612,9 @@ static int nft_verdict_init(const struct
 			return PTR_ERR(chain);
 		if (nft_is_base_chain(chain))
 			return -EOPNOTSUPP;
+		if (desc->flags & NFT_DATA_DESC_SETELEM &&
+		    chain->flags & NFT_CHAIN_BINDING)
+			return -EINVAL;
 
 		chain->use++;
 		data->verdict.chain = chain;
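Review bot: the new condition mixes & and && without parentheses; it evaluates as intended, but (desc->flags & NFT_DATA_DESC_SETELEM) && (chain->flags & NFT_CHAIN_BINDING) is easier to read and harder to break when a third term is added. The check returns -EINVAL while the base chain test directly above it returns -EOPNOTSUPP for another rejected target, so please confirm the different errno is deliberate.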




* [PATCH 5.19 0145/1157] netfilter: nf_tables: fix null deref due to zeroed list head
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0144/1157] netfilter: nf_tables: disallow jump to implicit chain from set element Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0146/1157] epoll: autoremove wakers even more aggressively Greg Kroah-Hartman
                   ` (850 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, mingi cho, Florian Westphal,
	Pablo Neira Ayuso

From: Florian Westphal <fw@strlen.de>

commit 580077855a40741cf511766129702d97ff02f4d9 upstream.

In nf_tables_updtable, if nf_tables_table_enable returns an error,
nft_trans_destroy is called to free the transaction object.

nft_trans_destroy() calls list_del(), but the transaction was never
placed on a list -- the list head is all zeroes, this results in
a null dereference:

BUG: KASAN: null-ptr-deref in nft_trans_destroy+0x26/0x59
Call Trace:
 nft_trans_destroy+0x26/0x59
 nf_tables_newtable+0x4bc/0x9bc
 [..]

It's sane to assume that nft_trans_destroy() can be called
on the transaction object returned by nft_trans_alloc(), so
make sure the list head is initialised.

Fixes: 55dd6f93076b ("netfilter: nf_tables: use new transaction infrastructure to handle table")
Reported-by: mingi cho <mgcho.minic@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/nf_tables_api.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -153,6 +153,7 @@ static struct nft_trans *nft_trans_alloc
 	if (trans == NULL)
 		return NULL;
 
+	INIT_LIST_HEAD(&trans->list);
 	trans->msg_type = msg_type;
 	trans->ctx	= *ctx;
 
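Review bot: INIT_LIST_HEAD(&trans->list) is added without a comment, and on its own it looks redundant next to the field assignments that follow. Please note here that nft_trans_destroy() calls list_del() and may be handed a transaction that was never placed on a list, which is why the head has to be valid from allocation onward.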




* [PATCH 5.19 0146/1157] epoll: autoremove wakers even more aggressively
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0145/1157] netfilter: nf_tables: fix null deref due to zeroed list head Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0147/1157] x86: Handle idle=nomwait cmdline properly for x86_idle Greg Kroah-Hartman
                   ` (849 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Segall, Shakeel Butt,
	Alexander Viro, Linus Torvalds, Eric Dumazet, Roman Penyaev,
	Jason Baron, Khazhismel Kumykov, Heiher, stable, Andrew Morton

From: Benjamin Segall <bsegall@google.com>

commit a16ceb13961068f7209e34d7984f8e42d2c06159 upstream.

If a process is killed or otherwise exits while having active network
connections and many threads waiting on epoll_wait, the threads will all
be woken immediately, but not removed from ep->wq.  Then when network
traffic scans ep->wq in wake_up, every wakeup attempt will fail, and will
not remove the entries from the list.

This means that the cost of the wakeup attempt is far higher than usual,
does not decrease, and this also competes with the dying threads trying to
actually make progress and remove themselves from the wq.

Handle this by removing visited epoll wq entries unconditionally, rather
than only when the wakeup succeeds - the structure of ep_poll means that
the only potential loss is the timed_out->eavail heuristic, which now can
race and result in a redundant ep_send_events attempt.  (But only when
incoming data and a timeout actually race, not on every timeout)

Shakeel added:

: We are seeing this issue in production with real workloads and it has
: caused hard lockups.  Particularly network heavy workloads with a lot
: of threads in epoll_wait() can easily trigger this issue if they get
: killed (oom-killed in our case).

Link: https://lkml.kernel.org/r/xm26fsjotqda.fsf@google.com
Signed-off-by: Ben Segall <bsegall@google.com>
Tested-by: Shakeel Butt <shakeelb@google.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Roman Penyaev <rpenyaev@suse.de>
Cc: Jason Baron <jbaron@akamai.com>
Cc: Khazhismel Kumykov <khazhy@google.com>
Cc: Heiher <r@hev.cc>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/eventpoll.c |   22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1747,6 +1747,21 @@ static struct timespec64 *ep_timeout_to_
 	return to;
 }
 
+/*
+ * autoremove_wake_function, but remove even on failure to wake up, because we
+ * know that default_wake_function/ttwu will only fail if the thread is already
+ * woken, and in that case the ep_poll loop will remove the entry anyways, not
+ * try to reuse it.
+ */
+static int ep_autoremove_wake_function(struct wait_queue_entry *wq_entry,
+				       unsigned int mode, int sync, void *key)
+{
+	int ret = default_wake_function(wq_entry, mode, sync, key);
+
+	list_del_init(&wq_entry->entry);
+	return ret;
+}
+
 /**
  * ep_poll - Retrieves ready events, and delivers them to the caller-supplied
  *           event buffer.
@@ -1828,8 +1843,15 @@ static int ep_poll(struct eventpoll *ep,
 		 * normal wakeup path no need to call __remove_wait_queue()
 		 * explicitly, thus ep->lock is not taken, which halts the
 		 * event delivery.
+		 *
+		 * In fact, we now use an even more aggressive function that
+		 * unconditionally removes, because we don't reuse the wait
+		 * entry between loop iterations. This lets us also avoid the
+		 * performance issue if a process is killed, causing all of its
+		 * threads to wake up without being removed normally.
 		 */
 		init_wait(&wait);
+		wait.func = ep_autoremove_wake_function;
 
 		write_lock_irq(&ep->lock);
 		/*
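
Review bot: "wait.func = ep_autoremove_wake_function;" deliberately
overrides the wake function that init_wait() has just installed, and the
assignment carries no comment saying so. The block comment above it still
opens by describing the autoremove behaviour of the normal wakeup path, and
the addendum "In fact, we now use an even more aggressive function" reads as
change history; rewriting the whole comment to describe the current
behaviour (the entry is always removed by the waker, whether or not the
wakeup succeeded) would be clearer than appending to the old text.
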




* [PATCH 5.19 0147/1157] x86: Handle idle=nomwait cmdline properly for x86_idle
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wyes Karny, Dave Hansen, Zhang Rui,
	Sasha Levin

From: Wyes Karny <wyes.karny@amd.com>

[ Upstream commit 8bcedb4ce04750e1ccc9a6b6433387f6a9166a56 ]

When the kernel is booted with idle=nomwait, do not use MWAIT as the
default idle state.

If the user boots the kernel with idle=nomwait, it is a clear
direction to not use mwait as the default idle state.
However, the current code does not take this into consideration
while selecting the default idle state on x86.

Fix it by checking for the idle=nomwait boot option in
prefer_mwait_c1_over_halt().

Also update the documentation around idle=nomwait appropriately.

[ dhansen: tweak commit message ]

Signed-off-by: Wyes Karny <wyes.karny@amd.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Tested-by: Zhang Rui <rui.zhang@intel.com>
Link: https://lkml.kernel.org/r/fdc2dc2d0a1bc21c2f53d989ea2d2ee3ccbc0dbe.1654538381.git-series.wyes.karny@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Documentation/admin-guide/pm/cpuidle.rst | 15 +++++++++------
 arch/x86/kernel/process.c                |  9 ++++++---
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/Documentation/admin-guide/pm/cpuidle.rst b/Documentation/admin-guide/pm/cpuidle.rst
index aec2cd2aaea7..19754beb5a4e 100644
--- a/Documentation/admin-guide/pm/cpuidle.rst
+++ b/Documentation/admin-guide/pm/cpuidle.rst
@@ -612,8 +612,8 @@ the ``menu`` governor to be used on the systems that use the ``ladder`` governor
 by default this way, for example.
 
 The other kernel command line parameters controlling CPU idle time management
-described below are only relevant for the *x86* architecture and some of
-them affect Intel processors only.
+described below are only relevant for the *x86* architecture and references
+to ``intel_idle`` affect Intel processors only.
 
 The *x86* architecture support code recognizes three kernel command line
 options related to CPU idle time management: ``idle=poll``, ``idle=halt``,
@@ -635,10 +635,13 @@ idle, so it very well may hurt single-thread computations performance as well as
 energy-efficiency.  Thus using it for performance reasons may not be a good idea
 at all.]
 
-The ``idle=nomwait`` option disables the ``intel_idle`` driver and causes
-``acpi_idle`` to be used (as long as all of the information needed by it is
-there in the system's ACPI tables), but it is not allowed to use the
-``MWAIT`` instruction of the CPUs to ask the hardware to enter idle states.
+The ``idle=nomwait`` option prevents the use of ``MWAIT`` instruction of
+the CPU to enter idle states. When this option is used, the ``acpi_idle``
+driver will use the ``HLT`` instruction instead of ``MWAIT``. On systems
+running Intel processors, this option disables the ``intel_idle`` driver
+and forces the use of the ``acpi_idle`` driver instead. Note that in either
+case, ``acpi_idle`` driver will function only if all the information needed
+by it is in the system's ACPI tables.
 
 In addition to the architecture-level kernel command line options affecting CPU
 idle time management, there are parameters affecting individual ``CPUIdle``
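
Review bot: two articles are missing in the rewritten idle=nomwait
paragraph: "prevents the use of ``MWAIT`` instruction" should read "the
``MWAIT`` instruction", and "``acpi_idle`` driver will function only if"
should read "the ``acpi_idle`` driver". The last sentence also says when
``acpi_idle`` will not function but not what is used instead in that case;
one more clause naming the fallback would make the paragraph complete.
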
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index d456ce21c255..9346c95e8879 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -821,6 +821,10 @@ static void amd_e400_idle(void)
  */
 static int prefer_mwait_c1_over_halt(const struct cpuinfo_x86 *c)
 {
+	/* User has disallowed the use of MWAIT. Fallback to HALT */
+	if (boot_option_idle_override == IDLE_NOMWAIT)
+		return 0;
+
 	if (c->x86_vendor != X86_VENDOR_INTEL)
 		return 0;
 
@@ -932,9 +936,8 @@ static int __init idle_setup(char *str)
 	} else if (!strcmp(str, "nomwait")) {
 		/*
 		 * If the boot option of "idle=nomwait" is added,
-		 * it means that mwait will be disabled for CPU C2/C3
-		 * states. In such case it won't touch the variable
-		 * of boot_option_idle_override.
+		 * it means that mwait will be disabled for CPU C1/C2/C3
+		 * states.
 		 */
 		boot_option_idle_override = IDLE_NOMWAIT;
 	} else
-- 
2.35.1





* [PATCH 5.19 0148/1157] arch: make TRACE_IRQFLAGS_NMI_SUPPORT generic
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Catalin Marinas,
	Ingo Molnar, Peter Zijlstra (Intel),
	Thomas Gleixner, Will Deacon, Sasha Levin

From: Mark Rutland <mark.rutland@arm.com>

[ Upstream commit 4510bffb4d0246cdcc1f14c7367c026b807a862d ]

On most architectures, IRQ flag tracing is disabled in NMI context, and
architectures need to define and select TRACE_IRQFLAGS_NMI_SUPPORT in
order to enable this.

Commit:

  859d069ee1ddd878 ("lockdep: Prepare for NMI IRQ state tracking")

Permitted IRQ flag tracing in NMI context, allowing lockdep to work in
NMI context where an architecture had suitable entry logic. At the time,
most architectures did not have such suitable entry logic, and this broke
lockdep on such architectures. Thus, this was partially disabled in
commit:

  ed00495333ccc80f ("locking/lockdep: Fix TRACE_IRQFLAGS vs. NMIs")

... with architectures needing to select TRACE_IRQFLAGS_NMI_SUPPORT to
enable IRQ flag tracing in NMI context.

Currently TRACE_IRQFLAGS_NMI_SUPPORT is defined under
arch/x86/Kconfig.debug. Move it to arch/Kconfig so architectures can
select it without having to provide their own definition.

Since the regular TRACE_IRQFLAGS_SUPPORT is selected by
arch/x86/Kconfig, the select of TRACE_IRQFLAGS_NMI_SUPPORT is moved
there too.

There should be no functional change as a result of this patch.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20220511131733.4074499-2-mark.rutland@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/Kconfig           | 3 +++
 arch/x86/Kconfig       | 1 +
 arch/x86/Kconfig.debug | 3 ---
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/arch/Kconfig b/arch/Kconfig
index 71b9272acb28..5ea3e3838c21 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -223,6 +223,9 @@ config HAVE_FUNCTION_DESCRIPTORS
 config TRACE_IRQFLAGS_SUPPORT
 	bool
 
+config TRACE_IRQFLAGS_NMI_SUPPORT
+	bool
+
 #
 # An arch should select this if it provides all these things:
 #
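
Review bot: the new "config TRACE_IRQFLAGS_NMI_SUPPORT" entry in
arch/Kconfig has no comment telling an architecture when it may select the
symbol, although the entry that follows it starts with "An arch should
select this if it provides all these things". The requirement is given only
in the commit message (suitable NMI entry logic for IRQ flag tracing); a
short comment above the symbol stating it would keep architectures from
selecting it without meeting that condition.
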
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 52a7f91527fe..25e2b8b75e40 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -278,6 +278,7 @@ config X86
 	select SYSCTL_EXCEPTION_TRACE
 	select THREAD_INFO_IN_TASK
 	select TRACE_IRQFLAGS_SUPPORT
+	select TRACE_IRQFLAGS_NMI_SUPPORT
 	select USER_STACKTRACE_SUPPORT
 	select VIRT_TO_BUS
 	select HAVE_ARCH_KCSAN			if X86_64
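
Review bot: "select TRACE_IRQFLAGS_NMI_SUPPORT" is placed after "select
TRACE_IRQFLAGS_SUPPORT", which breaks the alphabetical order the
surrounding selects follow (SYSCTL_EXCEPTION_TRACE, THREAD_INFO_IN_TASK,
TRACE_IRQFLAGS_SUPPORT, USER_STACKTRACE_SUPPORT). Moving the new line one
position up keeps the list sorted and avoids a needless conflict for the
next addition.
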
diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
index 340399f69954..bdfe08f1a930 100644
--- a/arch/x86/Kconfig.debug
+++ b/arch/x86/Kconfig.debug
@@ -1,8 +1,5 @@
 # SPDX-License-Identifier: GPL-2.0
 
-config TRACE_IRQFLAGS_NMI_SUPPORT
-	def_bool y
-
 config EARLY_PRINTK_USB
 	bool
 
-- 
2.35.1





* [PATCH 5.19 0149/1157] arm64: kasan: do not instrument stacktrace.c
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Andrey Konovalov,
	Will Deacon, Sasha Levin

From: Andrey Konovalov <andreyknvl@google.com>

[ Upstream commit 802b91118d11227b527153849ea761b280691373 ]

Disable KASAN instrumentation of arch/arm64/kernel/stacktrace.c.

This speeds up Generic KASAN by 5-20%.

As a side-effect, KASAN is now unable to detect bugs in the stack trace
collection code. This is taken as an acceptable downside.

Also replace READ_ONCE_NOCHECK() with READ_ONCE() in stacktrace.c.
As the file is now not instrumented, there is no need to use the
NOCHECK version of READ_ONCE().

Suggested-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Link: https://lore.kernel.org/r/c4c944a2a905e949760fbeb29258185087171708.1653317461.git.andreyknvl@google.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/kernel/Makefile     | 5 +++++
 arch/arm64/kernel/stacktrace.c | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
index fa7981d0d917..7075a9c6a4a6 100644
--- a/arch/arm64/kernel/Makefile
+++ b/arch/arm64/kernel/Makefile
@@ -14,6 +14,11 @@ CFLAGS_REMOVE_return_address.o = $(CC_FLAGS_FTRACE)
 CFLAGS_REMOVE_syscall.o	 = -fstack-protector -fstack-protector-strong
 CFLAGS_syscall.o	+= -fno-stack-protector
 
+# When KASAN is enabled, a stack trace is recorded for every alloc/free, which
+# can significantly impact performance. Avoid instrumenting the stack trace
+# collection code to minimize this impact.
+KASAN_SANITIZE_stacktrace.o := n
+
 # It's not safe to invoke KCOV when portions of the kernel environment aren't
 # available or are out-of-sync with HW state. Since `noinstr` doesn't always
 # inhibit KCOV instrumentation, disable it for the entire compilation unit.
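
Review bot: the comment added above "KASAN_SANITIZE_stacktrace.o := n"
gives the performance reason but not the cost. With the object excluded,
KASAN can no longer report bugs in the stack trace collection code itself,
which the commit message accepts as a downside; recording that trade-off in
the Makefile comment would keep it visible to whoever next touches this
line.
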
diff --git a/arch/arm64/kernel/stacktrace.c b/arch/arm64/kernel/stacktrace.c
index 0467cb79f080..c246e8d9f95b 100644
--- a/arch/arm64/kernel/stacktrace.c
+++ b/arch/arm64/kernel/stacktrace.c
@@ -124,8 +124,8 @@ static int notrace unwind_next(struct task_struct *tsk,
 	 * Record this frame record's values and location. The prev_fp and
 	 * prev_type are only meaningful to the next unwind_next() invocation.
 	 */
-	state->fp = READ_ONCE_NOCHECK(*(unsigned long *)(fp));
-	state->pc = READ_ONCE_NOCHECK(*(unsigned long *)(fp + 8));
+	state->fp = READ_ONCE(*(unsigned long *)(fp));
+	state->pc = READ_ONCE(*(unsigned long *)(fp + 8));
 	state->prev_fp = fp;
 	state->prev_type = info.type;
 
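
Review bot: switching the two frame record loads in unwind_next() from
READ_ONCE_NOCHECK() to READ_ONCE() is correct only while stacktrace.o stays
uninstrumented, and nothing in this file says so. A short comment next to
"state->fp = READ_ONCE(*(unsigned long *)(fp));" pointing at the
KASAN_SANITIZE_stacktrace.o setting in the Makefile would keep the two from
drifting apart if the Makefile line is ever dropped.
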
-- 
2.35.1





* [PATCH 5.19 0150/1157] arm64: stacktrace: use non-atomic __set_bit
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Andrey Konovalov,
	Will Deacon, Sasha Levin

From: Andrey Konovalov <andreyknvl@google.com>

[ Upstream commit 446297b28a21244e4045026c4599d1b14a67e2ce ]

Use the non-atomic version of set_bit() in arch/arm64/kernel/stacktrace.c,
as there are no concurrent accesses to frame->prev_type.

This speeds up stack trace collection and improves the boot time of
Generic KASAN by 2-5%.

Suggested-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Link: https://lore.kernel.org/r/23dfa36d1cc91e4a1059945b7834eac22fb9854d.1653317461.git.andreyknvl@google.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/kernel/stacktrace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/kernel/stacktrace.c b/arch/arm64/kernel/stacktrace.c
index c246e8d9f95b..d6bef106e37e 100644
--- a/arch/arm64/kernel/stacktrace.c
+++ b/arch/arm64/kernel/stacktrace.c
@@ -117,7 +117,7 @@ static int notrace unwind_next(struct task_struct *tsk,
 		if (fp <= state->prev_fp)
 			return -EINVAL;
 	} else {
-		set_bit(state->prev_type, state->stacks_done);
+		__set_bit(state->prev_type, state->stacks_done);
 	}
 
 	/*
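
Review bot: "__set_bit(state->prev_type, state->stacks_done);" is safe only
because the unwind state has no concurrent writers, and that is stated in
the commit message but not in the code. A brief comment at the call site
would keep someone from passing a shared state here later. The commit
message also names the field as frame->prev_type while the code uses
state->prev_type; the two should agree.
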
-- 
2.35.1





* [PATCH 5.19 0151/1157] arm64: Do not forget syscall when starting a new thread.
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Francis Laniel, Will Deacon, Sasha Levin

From: Francis Laniel <flaniel@linux.microsoft.com>

[ Upstream commit de6921856f99c11d3986c6702d851e1328d4f7f6 ]

Enable tracing of the execve*() system calls with the
syscalls:sys_exit_execve tracepoint by removing the call to
forget_syscall() when starting a new thread and preserving the value of
regs->syscallno across exec.

Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
Link: https://lore.kernel.org/r/20220608162447.666494-2-flaniel@linux.microsoft.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/processor.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h
index 9e58749db21d..86eb0bfe3b38 100644
--- a/arch/arm64/include/asm/processor.h
+++ b/arch/arm64/include/asm/processor.h
@@ -272,8 +272,9 @@ void tls_preserve_current_state(void);
 
 static inline void start_thread_common(struct pt_regs *regs, unsigned long pc)
 {
+	s32 previous_syscall = regs->syscallno;
 	memset(regs, 0, sizeof(*regs));
-	forget_syscall(regs);
+	regs->syscallno = previous_syscall;
 	regs->pc = pc;
 
 	if (system_uses_irq_prio_masking())
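
Review bot: start_thread_common() now saves regs->syscallno before the
memset() and restores it afterwards with no comment explaining why, so the
save/restore looks accidental next to a call that is meant to clear the
whole structure. One line saying the value is preserved so that the syscall
exit tracepoint still sees execve would document the intent. The
declaration "s32 previous_syscall = regs->syscallno;" also runs straight
into "memset(regs, 0, sizeof(*regs));" without the usual blank line between
declarations and statements.
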
-- 
2.35.1





* [PATCH 5.19 0152/1157] arm64: fix oops in concurrently setting insn_emulation sysctls
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, hewenliang, Haibin Zhang,
	Catalin Marinas, Will Deacon, Sasha Levin

From: haibinzhang (张海斌) <haibinzhang@tencent.com>

[ Upstream commit af483947d472eccb79e42059276c4deed76f99a6 ]

emulation_proc_handler() changes table->data for proc_dointvec_minmax
and can generate the following Oops if called concurrently with itself:

 | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
 | Internal error: Oops: 96000006 [#1] SMP
 | Call trace:
 | update_insn_emulation_mode+0xc0/0x148
 | emulation_proc_handler+0x64/0xb8
 | proc_sys_call_handler+0x9c/0xf8
 | proc_sys_write+0x18/0x20
 | __vfs_write+0x20/0x48
 | vfs_write+0xe4/0x1d0
 | ksys_write+0x70/0xf8
 | __arm64_sys_write+0x20/0x28
 | el0_svc_common.constprop.0+0x7c/0x1c0
 | el0_svc_handler+0x2c/0xa0
 | el0_svc+0x8/0x200

To fix this issue, keep the table->data as &insn->current_mode and
use container_of() to retrieve the insn pointer. Another mutex is
used to protect against the current_mode update but not for retrieving
insn_emulation as table->data is no longer changing.

Co-developed-by: hewenliang <hewenliang4@huawei.com>
Signed-off-by: hewenliang <hewenliang4@huawei.com>
Signed-off-by: Haibin Zhang <haibinzhang@tencent.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Link: https://lore.kernel.org/r/20220128090324.2727688-1-hewenliang4@huawei.com
Link: https://lore.kernel.org/r/9A004C03-250B-46C5-BF39-782D7551B00E@tencent.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/kernel/armv8_deprecated.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8_deprecated.c
index 6875a16b09d2..fb0e7c7b2e20 100644
--- a/arch/arm64/kernel/armv8_deprecated.c
+++ b/arch/arm64/kernel/armv8_deprecated.c
@@ -59,6 +59,7 @@ struct insn_emulation {
 static LIST_HEAD(insn_emulation);
 static int nr_insn_emulated __initdata;
 static DEFINE_RAW_SPINLOCK(insn_emulation_lock);
+static DEFINE_MUTEX(insn_emulation_mutex);
 
 static void register_emulation_hooks(struct insn_emulation_ops *ops)
 {
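
Review bot: insn_emulation_mutex is declared directly under
insn_emulation_lock with nothing saying what each one protects. From the
rest of the patch the mutex serialises the sysctl handler's update of
current_mode; a one-line comment on each lock would make that split
explicit and show why a second lock is needed rather than reusing the raw
spinlock.
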
@@ -207,10 +208,10 @@ static int emulation_proc_handler(struct ctl_table *table, int write,
 				  loff_t *ppos)
 {
 	int ret = 0;
-	struct insn_emulation *insn = (struct insn_emulation *) table->data;
+	struct insn_emulation *insn = container_of(table->data, struct insn_emulation, current_mode);
 	enum insn_emulation_mode prev_mode = insn->current_mode;
 
-	table->data = &insn->current_mode;
+	mutex_lock(&insn_emulation_mutex);
 	ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
 
 	if (ret || !write || prev_mode == insn->current_mode)
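
Review bot: in emulation_proc_handler() "enum insn_emulation_mode prev_mode
= insn->current_mode;" is still evaluated in the declaration, before
"mutex_lock(&insn_emulation_mutex);". Two concurrent writers can therefore
both sample prev_mode outside the lock, and the second one then compares
against a value that the first has already changed. Declare prev_mode
without an initialiser and assign it after mutex_lock() so the read, the
proc_dointvec_minmax() call and the comparison are all inside the critical
section. The container_of() line is also well past 80 columns and could be
wrapped.
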
@@ -223,7 +224,7 @@ static int emulation_proc_handler(struct ctl_table *table, int write,
 		update_insn_emulation_mode(insn, INSN_UNDEF);
 	}
 ret:
-	table->data = insn;
+	mutex_unlock(&insn_emulation_mutex);
 	return ret;
 }
 
@@ -247,7 +248,7 @@ static void __init register_insn_emulation_sysctl(void)
 		sysctl->maxlen = sizeof(int);
 
 		sysctl->procname = insn->ops->name;
-		sysctl->data = insn;
+		sysctl->data = &insn->current_mode;
 		sysctl->extra1 = &insn->min;
 		sysctl->extra2 = &insn->max;
 		sysctl->proc_handler = emulation_proc_handler;
-- 
2.35.1





* [PATCH 5.19 0153/1157] arm64: kasan: Revert "arm64: mte: reset the page tag in page->flags"
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Catalin Marinas, Will Deacon,
	Vincenzo Frascino, Andrey Konovalov, Peter Collingbourne,
	Sasha Levin

From: Catalin Marinas <catalin.marinas@arm.com>

[ Upstream commit 20794545c14692094a882d2221c251c4573e6adf ]

This reverts commit e5b8d9218951e59df986f627ec93569a0d22149b.

Pages mapped in user-space with PROT_MTE have the allocation tags either
zeroed or copied/restored to some user values. In order for the kernel
to access such pages via page_address(), resetting the tag in
page->flags was necessary. This tag resetting was deferred to
set_pte_at() -> mte_sync_page_tags() but it can race with another CPU
reading the flags (via page_to_virt()):

P0 (mte_sync_page_tags):	P1 (memcpy from virt_to_page):
				  Rflags!=0xff
  Wflags=0xff
  DMB (doesn't help)
  Wtags=0
				  Rtags=0   // fault

Since now the post_alloc_hook() function resets the page->flags tag when
unpoisoning is skipped for user pages (including the __GFP_ZEROTAGS
case), revert the arm64 commit calling page_kasan_tag_reset().

Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Peter Collingbourne <pcc@google.com>
Reviewed-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Acked-by: Andrey Konovalov <andreyknvl@gmail.com>
Link: https://lore.kernel.org/r/20220610152141.2148929-5-catalin.marinas@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/kernel/hibernate.c | 5 -----
 arch/arm64/kernel/mte.c       | 9 ---------
 arch/arm64/mm/copypage.c      | 9 ---------
 arch/arm64/mm/mteswap.c       | 9 ---------
 4 files changed, 32 deletions(-)

diff --git a/arch/arm64/kernel/hibernate.c b/arch/arm64/kernel/hibernate.c
index 2e248342476e..af5df48ba915 100644
--- a/arch/arm64/kernel/hibernate.c
+++ b/arch/arm64/kernel/hibernate.c
@@ -300,11 +300,6 @@ static void swsusp_mte_restore_tags(void)
 		unsigned long pfn = xa_state.xa_index;
 		struct page *page = pfn_to_online_page(pfn);
 
-		/*
-		 * It is not required to invoke page_kasan_tag_reset(page)
-		 * at this point since the tags stored in page->flags are
-		 * already restored.
-		 */
 		mte_restore_page_tags(page_address(page), tags);
 
 		mte_free_tag_storage(tags);
diff --git a/arch/arm64/kernel/mte.c b/arch/arm64/kernel/mte.c
index f6b00743c399..b2b730233274 100644
--- a/arch/arm64/kernel/mte.c
+++ b/arch/arm64/kernel/mte.c
@@ -48,15 +48,6 @@ static void mte_sync_page_tags(struct page *page, pte_t old_pte,
 	if (!pte_is_tagged)
 		return;
 
-	page_kasan_tag_reset(page);
-	/*
-	 * We need smp_wmb() in between setting the flags and clearing the
-	 * tags because if another thread reads page->flags and builds a
-	 * tagged address out of it, there is an actual dependency to the
-	 * memory access, but on the current thread we do not guarantee that
-	 * the new page->flags are visible before the tags were updated.
-	 */
-	smp_wmb();
 	mte_clear_page_tags(page_address(page));
 }
 
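
Review bot: removing page_kasan_tag_reset() and smp_wmb() from
mte_sync_page_tags() is safe only if post_alloc_hook() already resets the
page->flags tag for user pages, as the commit message says, and that change
is not part of this patch. For a stable backport the prerequisite has to be
present in the same tree; please name the commit it comes from in the
message so the dependency can be checked when this revert is picked up.
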
diff --git a/arch/arm64/mm/copypage.c b/arch/arm64/mm/copypage.c
index 0dea80bf6de4..24913271e898 100644
--- a/arch/arm64/mm/copypage.c
+++ b/arch/arm64/mm/copypage.c
@@ -23,15 +23,6 @@ void copy_highpage(struct page *to, struct page *from)
 
 	if (system_supports_mte() && test_bit(PG_mte_tagged, &from->flags)) {
 		set_bit(PG_mte_tagged, &to->flags);
-		page_kasan_tag_reset(to);
-		/*
-		 * We need smp_wmb() in between setting the flags and clearing the
-		 * tags because if another thread reads page->flags and builds a
-		 * tagged address out of it, there is an actual dependency to the
-		 * memory access, but on the current thread we do not guarantee that
-		 * the new page->flags are visible before the tags were updated.
-		 */
-		smp_wmb();
 		mte_copy_page_tags(kto, kfrom);
 	}
 }
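
Review bot: in copy_highpage(), with smp_wmb() gone, "set_bit(PG_mte_tagged,
&to->flags);" is followed directly by "mte_copy_page_tags(kto, kfrom);" and
nothing in the visible lines orders the flag against the tag copy. If any
reader treats PG_mte_tagged as meaning the tags are already in place, it
can observe the flag before the copy has happened. Please confirm no reader
relies on that, or set the flag after the tags are copied.
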
diff --git a/arch/arm64/mm/mteswap.c b/arch/arm64/mm/mteswap.c
index a9e50e930484..4334dec93bd4 100644
--- a/arch/arm64/mm/mteswap.c
+++ b/arch/arm64/mm/mteswap.c
@@ -53,15 +53,6 @@ bool mte_restore_tags(swp_entry_t entry, struct page *page)
 	if (!tags)
 		return false;
 
-	page_kasan_tag_reset(page);
-	/*
-	 * We need smp_wmb() in between setting the flags and clearing the
-	 * tags because if another thread reads page->flags and builds a
-	 * tagged address out of it, there is an actual dependency to the
-	 * memory access, but on the current thread we do not guarantee that
-	 * the new page->flags are visible before the tags were updated.
-	 */
-	smp_wmb();
 	mte_restore_page_tags(page_address(page), tags);
 
 	return true;
-- 
2.35.1





* [PATCH 5.19 0154/1157] arm64: errata: Remove AES hwcap for COMPAT tasks
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ard Biesheuvel, James Morse,
	Will Deacon, Sasha Levin

From: James Morse <james.morse@arm.com>

[ Upstream commit 44b3834b2eed595af07021b1c64e6f9bc396398b ]

Cortex-A57 and Cortex-A72 have an erratum where an interrupt that
occurs between a pair of AES instructions in aarch32 mode may corrupt
the ELR. The task will subsequently produce the wrong AES result.

The AES instructions are part of the cryptographic extensions, which are
optional. User-space software will detect the support for these
instructions from the hwcaps. If the platform doesn't support these
instructions a software implementation should be used.

Remove the hwcap bits on affected parts to indicate user-space should
not use the AES instructions.

Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: James Morse <james.morse@arm.com>
Link: https://lore.kernel.org/r/20220714161523.279570-3-james.morse@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Documentation/arm64/silicon-errata.rst |  4 ++++
 arch/arm64/Kconfig                     | 16 ++++++++++++++++
 arch/arm64/kernel/cpu_errata.c         | 16 ++++++++++++++++
 arch/arm64/kernel/cpufeature.c         | 14 +++++++++++++-
 arch/arm64/tools/cpucaps               |  1 +
 5 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst
index d27db84d585e..0b4235b1f8c4 100644
--- a/Documentation/arm64/silicon-errata.rst
+++ b/Documentation/arm64/silicon-errata.rst
@@ -82,10 +82,14 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A57      | #1319537        | ARM64_ERRATUM_1319367       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A57      | #1742098        | ARM64_ERRATUM_1742098       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A72      | #853709         | N/A                         |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A72      | #1319367        | ARM64_ERRATUM_1319367       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A72      | #1655431        | ARM64_ERRATUM_1742098       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A73      | #858921         | ARM64_ERRATUM_858921        |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A76      | #1188873,1418040| ARM64_ERRATUM_1418040       |
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 1652a9800ebe..3ad734de8e49 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -503,6 +503,22 @@ config ARM64_ERRATUM_834220
 
 	  If unsure, say Y.
 
+config ARM64_ERRATUM_1742098
+	bool "Cortex-A57/A72: 1742098: ELR recorded incorrectly on interrupt taken between cryptographic instructions in a sequence"
+	depends on COMPAT
+	default y
+	help
+	  This option removes the AES hwcap for aarch32 user-space to
+	  workaround erratum 1742098 on Cortex-A57 and Cortex-A72.
+
+	  Affected parts may corrupt the AES state if an interrupt is
+	  taken between a pair of AES instructions. These instructions
+	  are only present if the cryptography extensions are present.
+	  All software should have a fallback implementation for CPUs
+	  that don't implement the cryptography extensions.
+
+	  If unsure, say Y.
+
 config ARM64_ERRATUM_845719
 	bool "Cortex-A53: 845719: a load might read incorrect data"
 	depends on COMPAT
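
Review bot: the help text for ARM64_ERRATUM_1742098 mentions only erratum
1742098, while the silicon-errata.rst table in the same patch lists the
Cortex-A72 case under its own number, #1655431. Someone searching the
Kconfig for the A72 erratum number will not find this option; add the
second number to the prompt or the help text. In the help text "to
workaround erratum" should be "to work around erratum".
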
diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
index c05cc3b6162e..6b92989f4cc2 100644
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -395,6 +395,14 @@ static struct midr_range trbe_write_out_of_range_cpus[] = {
 };
 #endif /* CONFIG_ARM64_WORKAROUND_TRBE_WRITE_OUT_OF_RANGE */
 
+#ifdef CONFIG_ARM64_ERRATUM_1742098
+static struct midr_range broken_aarch32_aes[] = {
+	MIDR_RANGE(MIDR_CORTEX_A57, 0, 1, 0xf, 0xf),
+	MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
+	{},
+};
+#endif /* CONFIG_ARM64_WORKAROUND_TRBE_WRITE_OUT_OF_RANGE */
+
 const struct arm64_cpu_capabilities arm64_errata[] = {
 #ifdef CONFIG_ARM64_WORKAROUND_CLEAN_CACHE
 	{
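
Review bot: the block that defines broken_aarch32_aes[] opens with "#ifdef
CONFIG_ARM64_ERRATUM_1742098" but closes with "#endif /*
CONFIG_ARM64_WORKAROUND_TRBE_WRITE_OUT_OF_RANGE */", a comment copied from
the block above. It should read "#endif /* CONFIG_ARM64_ERRATUM_1742098 */";
as written it misleads anyone matching the conditionals by their trailing
comments.
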
@@ -657,6 +665,14 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
 		/* Cortex-A510 r0p0 - r0p1 */
 		ERRATA_MIDR_REV_RANGE(MIDR_CORTEX_A510, 0, 0, 1)
 	},
+#endif
+#ifdef CONFIG_ARM64_ERRATUM_1742098
+	{
+		.desc = "ARM erratum 1742098",
+		.capability = ARM64_WORKAROUND_1742098,
+		CAP_MIDR_RANGE_LIST(broken_aarch32_aes),
+		.type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM,
+	},
 #endif
 	{
 	}
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index 8d88433de81d..90018643d424 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -79,6 +79,7 @@
 #include <asm/cpufeature.h>
 #include <asm/cpu_ops.h>
 #include <asm/fpsimd.h>
+#include <asm/hwcap.h>
 #include <asm/insn.h>
 #include <asm/kvm_host.h>
 #include <asm/mmu_context.h>
@@ -1971,6 +1972,14 @@ static void cpu_enable_mte(struct arm64_cpu_capabilities const *cap)
 }
 #endif /* CONFIG_ARM64_MTE */
 
+static void elf_hwcap_fixup(void)
+{
+#ifdef CONFIG_ARM64_ERRATUM_1742098
+	if (cpus_have_const_cap(ARM64_WORKAROUND_1742098))
+		compat_elf_hwcap2 &= ~COMPAT_HWCAP2_AES;
+#endif /* ARM64_ERRATUM_1742098 */
+}
+
 #ifdef CONFIG_KVM
 static bool is_kvm_protected_mode(const struct arm64_cpu_capabilities *entry, int __unused)
 {
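Review bot: elf_hwcap_fixup() has no comment stating that it must run after setup_elf_hwcaps(compat_elf_hwcaps), yet it only works in that order because it clears COMPAT_HWCAP2_AES from compat_elf_hwcap2 after that call has populated it. A short comment above the function recording the ordering requirement would protect it against later reshuffling of the callers. The #endif comment also reads ARM64_ERRATUM_1742098 without the CONFIG_ prefix used in the #ifdef.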
@@ -3143,8 +3152,10 @@ void __init setup_cpu_features(void)
 	setup_system_capabilities();
 	setup_elf_hwcaps(arm64_elf_hwcaps);
 
-	if (system_supports_32bit_el0())
+	if (system_supports_32bit_el0()) {
 		setup_elf_hwcaps(compat_elf_hwcaps);
+		elf_hwcap_fixup();
+	}
 
 	if (system_uses_ttbr0_pan())
 		pr_info("emulated: Privileged Access Never (PAN) using TTBR0_EL1 switching\n");
@@ -3197,6 +3208,7 @@ static int enable_mismatched_32bit_el0(unsigned int cpu)
 							 cpu_active_mask);
 	get_cpu_device(lucky_winner)->offline_disabled = true;
 	setup_elf_hwcaps(compat_elf_hwcaps);
+	elf_hwcap_fixup();
 	pr_info("Asymmetric 32-bit EL0 support detected on CPU %u; CPU hot-unplug disabled on CPU %u\n",
 		cpu, lucky_winner);
 	return 0;
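Review bot: this is the second place where setup_elf_hwcaps(compat_elf_hwcaps) has to be followed by elf_hwcap_fixup(), the first being setup_cpu_features() in the previous hunk, and nothing ties the two calls together. A future caller that sets up the compat hwcaps and forgets the fixup would silently re-advertise AES on affected parts. Consider wrapping the pair in one helper so the capability cannot be published without the erratum mask applied.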
diff --git a/arch/arm64/tools/cpucaps b/arch/arm64/tools/cpucaps
index 507b20373953..8809e14cf86a 100644
--- a/arch/arm64/tools/cpucaps
+++ b/arch/arm64/tools/cpucaps
@@ -61,6 +61,7 @@ WORKAROUND_1418040
 WORKAROUND_1463225
 WORKAROUND_1508412
 WORKAROUND_1542419
+WORKAROUND_1742098
 WORKAROUND_1902691
 WORKAROUND_2038923
 WORKAROUND_2064142
-- 
2.35.1





* [PATCH 5.19 0155/1157] ext2: Add more validity checks for inode counts
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+d273f7d7f58afd93be48,
	Jan Kara, Sasha Levin

From: Jan Kara <jack@suse.cz>

[ Upstream commit fa78f336937240d1bc598db817d638086060e7e9 ]

Add checks verifying number of inodes stored in the superblock matches
the number computed from number of inodes per group. Also verify we have
at least one block worth of inodes per group. This prevents crashes on
corrupted filesystems.

Reported-by: syzbot+d273f7d7f58afd93be48@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext2/super.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/fs/ext2/super.c b/fs/ext2/super.c
index f6a19f6d9f6d..cdffa2a041af 100644
--- a/fs/ext2/super.c
+++ b/fs/ext2/super.c
@@ -1059,9 +1059,10 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
 			sbi->s_frags_per_group);
 		goto failed_mount;
 	}
-	if (sbi->s_inodes_per_group > sb->s_blocksize * 8) {
+	if (sbi->s_inodes_per_group < sbi->s_inodes_per_block ||
+	    sbi->s_inodes_per_group > sb->s_blocksize * 8) {
 		ext2_msg(sb, KERN_ERR,
-			"error: #inodes per group too big: %lu",
+			"error: invalid #inodes per group: %lu",
 			sbi->s_inodes_per_group);
 		goto failed_mount;
 	}
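Review bot: the reworded message "invalid #inodes per group: %lu" now covers both a lower and an upper bound but prints only the offending value, so the log does not say which bound failed or what the limits were. Printing sbi->s_inodes_per_block and sb->s_blocksize * 8 alongside s_inodes_per_group would make reports from corrupted or fuzzed images easier to triage.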
@@ -1071,6 +1072,13 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
 	sbi->s_groups_count = ((le32_to_cpu(es->s_blocks_count) -
 				le32_to_cpu(es->s_first_data_block) - 1)
 					/ EXT2_BLOCKS_PER_GROUP(sb)) + 1;
+	if ((u64)sbi->s_groups_count * sbi->s_inodes_per_group !=
+	    le32_to_cpu(es->s_inodes_count)) {
+		ext2_msg(sb, KERN_ERR, "error: invalid #inodes: %u vs computed %llu",
+			 le32_to_cpu(es->s_inodes_count),
+			 (u64)sbi->s_groups_count * sbi->s_inodes_per_group);
+		goto failed_mount;
+	}
 	db_count = (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) /
 		   EXT2_DESC_PER_BLOCK(sb);
 	sbi->s_group_desc = kmalloc_array(db_count,
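Review bot: the new equality check depends on sbi->s_groups_count, which the context lines just above derive from s_blocks_count - s_first_data_block - 1 with no guard visible in this hunk. On a corrupted image where s_first_data_block is not smaller than s_blocks_count that subtraction wraps and yields a very large group count; the (u64) product will usually fail the comparison, but an explicit check on the two fields would reject the image for the right reason instead of by coincidence. The product (u64)sbi->s_groups_count * sbi->s_inodes_per_group is also written out twice; computing it once into a local u64 keeps the comparison and the message in step.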
-- 
2.35.1
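The two checks described in the commit message above, as an added userspace example that is not part of the patch or of the kernel: the struct, function names and sample geometries are constructed for illustration, and the GEOM_BAD_SIZES guard is an assumption added so the arithmetic is defined. The last sample shows what the (u64) cast in the second hunk prevents.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded superblock fields the checks read (constructed struct, not the kernel's). */
struct sb_geom {
	uint32_t inodes_count;     /* s_inodes_count as stored on disk */
	uint32_t blocks_count;     /* s_blocks_count */
	uint32_t first_data_block; /* s_first_data_block */
	uint32_t blocks_per_group;
	uint32_t inodes_per_group;
	uint32_t block_size;       /* bytes */
	uint32_t inode_size;       /* bytes */
};

enum geom_status {
	GEOM_OK = 0,
	GEOM_BAD_SIZES,            /* guard added for this example only */
	GEOM_BAD_INODES_PER_GROUP, /* first check in the patch */
	GEOM_BAD_INODES_COUNT,     /* second check in the patch */
};

/* Group count, computed as in the context lines of the second hunk. */
static uint32_t group_count(const struct sb_geom *g)
{
	return (g->blocks_count - g->first_data_block - 1) / g->blocks_per_group + 1;
}

static enum geom_status check_inode_geometry(const struct sb_geom *g)
{
	uint32_t inodes_per_block;

	/* Example-only guards so the divisions and the subtraction are defined. */
	if (g->inode_size == 0 || g->inode_size > g->block_size ||
	    g->blocks_per_group == 0 || g->blocks_count <= g->first_data_block)
		return GEOM_BAD_SIZES;

	inodes_per_block = g->block_size / g->inode_size;

	/* At least one block worth of inodes per group, at most one bitmap block. */
	if (g->inodes_per_group < inodes_per_block ||
	    g->inodes_per_group > (uint64_t)g->block_size * 8)
		return GEOM_BAD_INODES_PER_GROUP;

	/* Stored inode count must equal groups * inodes per group, in 64 bits. */
	if ((uint64_t)group_count(g) * g->inodes_per_group != g->inodes_count)
		return GEOM_BAD_INODES_COUNT;

	return GEOM_OK;
}

/* The same comparison in 32-bit arithmetic: the product can wrap. */
static int inode_count_matches_u32(const struct sb_geom *g)
{
	return group_count(g) * g->inodes_per_group == g->inodes_count;
}

/* Constructed sample geometries. */
static const struct sb_geom sample_ok = {
	.inodes_count = 2048, .blocks_count = 8193, .first_data_block = 1,
	.blocks_per_group = 8192, .inodes_per_group = 2048,
	.block_size = 1024, .inode_size = 128,
};
static const struct sb_geom sample_few_inodes = {   /* 4 < 8 inodes per block */
	.inodes_count = 4, .blocks_count = 8193, .first_data_block = 1,
	.blocks_per_group = 8192, .inodes_per_group = 4,
	.block_size = 1024, .inode_size = 128,
};
static const struct sb_geom sample_count_mismatch = { /* 4096 stored, 2048 computed */
	.inodes_count = 4096, .blocks_count = 8193, .first_data_block = 1,
	.blocks_per_group = 8192, .inodes_per_group = 2048,
	.block_size = 1024, .inode_size = 128,
};
static const struct sb_geom sample_wrap = {          /* 131072 * 32768 == 2^32 */
	.inodes_count = 0, .blocks_count = 0xFFFFFFFFu, .first_data_block = 0,
	.blocks_per_group = 32768, .inodes_per_group = 32768,
	.block_size = 4096, .inode_size = 128,
};

int main(void)
{
	printf("ok:             %d\n", check_inode_geometry(&sample_ok));
	printf("few inodes:     %d\n", check_inode_geometry(&sample_few_inodes));
	printf("count mismatch: %d\n", check_inode_geometry(&sample_count_mismatch));
	printf("wrap, 32-bit compare matches: %d, 64-bit check: %d\n",
	       inode_count_matches_u32(&sample_wrap),
	       check_inode_geometry(&sample_wrap));
	return 0;
}
```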





* [PATCH 5.19 0156/1157] sched/fair: Introduce SIS_UTIL to search idle CPU based on sum of util_avg
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tim Chen, Peter Zijlstra, Chen Yu,
	Yicong Yang, Mohini Narkhede, K Prateek Nayak, Sasha Levin

From: Chen Yu <yu.c.chen@intel.com>

[ Upstream commit 70fb5ccf2ebb09a0c8ebba775041567812d45f86 ]

[Problem Statement]
select_idle_cpu() might spend too much time searching for an idle CPU,
when the system is overloaded.

The following histogram is the time spent in select_idle_cpu(),
when running 224 instances of netperf on a system with 112 CPUs
per LLC domain:

@usecs:
[0]                  533 |                                                    |
[1]                 5495 |                                                    |
[2, 4)             12008 |                                                    |
[4, 8)            239252 |                                                    |
[8, 16)          4041924 |@@@@@@@@@@@@@@                                      |
[16, 32)        12357398 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@         |
[32, 64)        14820255 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@|
[64, 128)       13047682 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@       |
[128, 256)       8235013 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@                        |
[256, 512)       4507667 |@@@@@@@@@@@@@@@                                     |
[512, 1K)        2600472 |@@@@@@@@@                                           |
[1K, 2K)          927912 |@@@                                                 |
[2K, 4K)          218720 |                                                    |
[4K, 8K)           98161 |                                                    |
[8K, 16K)          37722 |                                                    |
[16K, 32K)          6715 |                                                    |
[32K, 64K)           477 |                                                    |
[64K, 128K)            7 |                                                    |

netperf latency usecs:
=======
case            	load    	    Lat_99th	    std%
TCP_RR          	thread-224	      257.39	(  0.21)

The time spent in select_idle_cpu() is visible to netperf and might have a negative
impact.

[Symptom analysis]
The patch [1] from Mel Gorman has been applied to track the efficiency
of select_idle_sibling. Copy the indicators here:

SIS Search Efficiency(se_eff%):
        A ratio expressed as a percentage of runqueues scanned versus
        idle CPUs found. A 100% efficiency indicates that the target,
        prev or recent CPU of a task was idle at wakeup. The lower the
        efficiency, the more runqueues were scanned before an idle CPU
        was found.

SIS Domain Search Efficiency(dom_eff%):
        Similar, except only for the slower SIS
	patch.

SIS Fast Success Rate(fast_rate%):
        Percentage of SIS that used target, prev or
	recent CPUs.

SIS Success rate(success_rate%):
        Percentage of scans that found an idle CPU.

The test is based on Aubrey's schedtests tool, including netperf, hackbench,
schbench and tbench.

Test on vanilla kernel:
schedstat_parse.py -f netperf_vanilla.log
case	        load	    se_eff%	    dom_eff%	  fast_rate%	success_rate%
TCP_RR	   28 threads	     99.978	      18.535	      99.995	     100.000
TCP_RR	   56 threads	     99.397	       5.671	      99.964	     100.000
TCP_RR	   84 threads	     21.721	       6.818	      73.632	     100.000
TCP_RR	  112 threads	     12.500	       5.533	      59.000	     100.000
TCP_RR	  140 threads	      8.524	       4.535	      49.020	     100.000
TCP_RR	  168 threads	      6.438	       3.945	      40.309	      99.999
TCP_RR	  196 threads	      5.397	       3.718	      32.320	      99.982
TCP_RR	  224 threads	      4.874	       3.661	      25.775	      99.767
UDP_RR	   28 threads	     99.988	      17.704	      99.997	     100.000
UDP_RR	   56 threads	     99.528	       5.977	      99.970	     100.000
UDP_RR	   84 threads	     24.219	       6.992	      76.479	     100.000
UDP_RR	  112 threads	     13.907	       5.706	      62.538	     100.000
UDP_RR	  140 threads	      9.408	       4.699	      52.519	     100.000
UDP_RR	  168 threads	      7.095	       4.077	      44.352	     100.000
UDP_RR	  196 threads	      5.757	       3.775	      35.764	      99.991
UDP_RR	  224 threads	      5.124	       3.704	      28.748	      99.860

schedstat_parse.py -f schbench_vanilla.log
(each group has 28 tasks)
case	        load	    se_eff%	    dom_eff%	  fast_rate%	success_rate%
normal	   1   mthread	     99.152	       6.400	      99.941	     100.000
normal	   2   mthreads	     97.844	       4.003	      99.908	     100.000
normal	   3   mthreads	     96.395	       2.118	      99.917	      99.998
normal	   4   mthreads	     55.288	       1.451	      98.615	      99.804
normal	   5   mthreads	      7.004	       1.870	      45.597	      61.036
normal	   6   mthreads	      3.354	       1.346	      20.777	      34.230
normal	   7   mthreads	      2.183	       1.028	      11.257	      21.055
normal	   8   mthreads	      1.653	       0.825	       7.849	      15.549

schedstat_parse.py -f hackbench_vanilla.log
(each group has 28 tasks)
case			load	        se_eff%	    dom_eff%	  fast_rate%	success_rate%
process-pipe	     1 group	         99.991	       7.692	      99.999	     100.000
process-pipe	    2 groups	         99.934	       4.615	      99.997	     100.000
process-pipe	    3 groups	         99.597	       3.198	      99.987	     100.000
process-pipe	    4 groups	         98.378	       2.464	      99.958	     100.000
process-pipe	    5 groups	         27.474	       3.653	      89.811	      99.800
process-pipe	    6 groups	         20.201	       4.098	      82.763	      99.570
process-pipe	    7 groups	         16.423	       4.156	      77.398	      99.316
process-pipe	    8 groups	         13.165	       3.920	      72.232	      98.828
process-sockets	     1 group	         99.977	       5.882	      99.999	     100.000
process-sockets	    2 groups	         99.927	       5.505	      99.996	     100.000
process-sockets	    3 groups	         99.397	       3.250	      99.980	     100.000
process-sockets	    4 groups	         79.680	       4.258	      98.864	      99.998
process-sockets	    5 groups	          7.673	       2.503	      63.659	      92.115
process-sockets	    6 groups	          4.642	       1.584	      58.946	      88.048
process-sockets	    7 groups	          3.493	       1.379	      49.816	      81.164
process-sockets	    8 groups	          3.015	       1.407	      40.845	      75.500
threads-pipe	     1 group	         99.997	       0.000	     100.000	     100.000
threads-pipe	    2 groups	         99.894	       2.932	      99.997	     100.000
threads-pipe	    3 groups	         99.611	       4.117	      99.983	     100.000
threads-pipe	    4 groups	         97.703	       2.624	      99.937	     100.000
threads-pipe	    5 groups	         22.919	       3.623	      87.150	      99.764
threads-pipe	    6 groups	         18.016	       4.038	      80.491	      99.557
threads-pipe	    7 groups	         14.663	       3.991	      75.239	      99.247
threads-pipe	    8 groups	         12.242	       3.808	      70.651	      98.644
threads-sockets	     1 group	         99.990	       6.667	      99.999	     100.000
threads-sockets	    2 groups	         99.940	       5.114	      99.997	     100.000
threads-sockets	    3 groups	         99.469	       4.115	      99.977	     100.000
threads-sockets	    4 groups	         87.528	       4.038	      99.400	     100.000
threads-sockets	    5 groups	          6.942	       2.398	      59.244	      88.337
threads-sockets	    6 groups	          4.359	       1.954	      49.448	      87.860
threads-sockets	    7 groups	          2.845	       1.345	      41.198	      77.102
threads-sockets	    8 groups	          2.871	       1.404	      38.512	      74.312

schedstat_parse.py -f tbench_vanilla.log
case			load	      se_eff%	    dom_eff%	  fast_rate%	success_rate%
loopback	  28 threads	       99.976	      18.369	      99.995	     100.000
loopback	  56 threads	       99.222	       7.799	      99.934	     100.000
loopback	  84 threads	       19.723	       6.819	      70.215	     100.000
loopback	 112 threads	       11.283	       5.371	      55.371	      99.999
loopback	 140 threads	        0.000	       0.000	       0.000	       0.000
loopback	 168 threads	        0.000	       0.000	       0.000	       0.000
loopback	 196 threads	        0.000	       0.000	       0.000	       0.000
loopback	 224 threads	        0.000	       0.000	       0.000	       0.000

According to the test above, if the system becomes busy, the
SIS Search Efficiency(se_eff%) drops significantly. Although some
benchmarks would finally find an idle CPU(success_rate% = 100%), it is
doubtful whether it is worth it to search the whole LLC domain.

[Proposal]
It would be ideal to have a crystal ball to answer this question:
How many CPUs must a wakeup path walk down, before it can find an idle
CPU? Many potential metrics could be used to predict the number.
One candidate is the sum of util_avg in this LLC domain. The benefit
of choosing util_avg is that it is a metric of accumulated historic
activity, which seems to be smoother than instantaneous metrics
(such as rq->nr_running). Besides, choosing the sum of util_avg
would help predict the load of the LLC domain more precisely, because
SIS_PROP uses one CPU's idle time to estimate the total LLC domain idle
time.

In summary, the lower the util_avg is, the more select_idle_cpu()
should scan for idle CPU, and vice versa. When the sum of util_avg
in this LLC domain hits 85% or above, the scan stops. The reason to
choose 85% as the threshold is that this is the imbalance_pct(117)
when a LLC sched group is overloaded.

Introduce the quadratic function:

y = SCHED_CAPACITY_SCALE - p * x^2
and y'= y / SCHED_CAPACITY_SCALE

x is the ratio of sum_util compared to the CPU capacity:
x = sum_util / (llc_weight * SCHED_CAPACITY_SCALE)
y' is the ratio of CPUs to be scanned in the LLC domain,
and the number of CPUs to scan is calculated by:

nr_scan = llc_weight * y'

Choosing quadratic function is because:
[1] Compared to the linear function, it scans more aggressively when the
    sum_util is low.
[2] Compared to the exponential function, it is easier to calculate.
[3] It seems that there is no accurate mapping between the sum of util_avg
    and the number of CPUs to be scanned. Use heuristic scan for now.

For a platform with 112 CPUs per LLC, the number of CPUs to scan is:
sum_util%   0    5   15   25  35  45  55   65   75   85   86 ...
scan_nr   112  111  108  102  93  81  65   47   25    1    0 ...

For a platform with 16 CPUs per LLC, the number of CPUs to scan is:
sum_util%   0    5   15   25  35  45  55   65   75   85   86 ...
scan_nr    16   15   15   14  13  11   9    6    3    0    0 ...

Furthermore, to minimize the overhead of calculating the metrics in
select_idle_cpu(), borrow the statistics from periodic load balance.
As mentioned by Abel, on a platform with 112 CPUs per LLC, the
sum_util calculated by periodic load balance after 112 ms would
decay to about 0.5 * 0.5 * 0.5 * 0.7 = 8.75%, thus bringing a delay
in reflecting the latest utilization. But it is a trade-off.
Checking the util_avg in newidle load balance would be more frequent,
but it brings overhead - multiple CPUs write/read the per-LLC shared
variable and introduces cache contention. Tim also mentioned that,
it is allowed to be non-optimal in terms of scheduling for the
short-term variations, but if there is a long-term trend in the load
behavior, the scheduler can adjust for that.

When SIS_UTIL is enabled, the select_idle_cpu() uses the nr_scan
calculated by SIS_UTIL instead of the one from SIS_PROP. As Peter and
Mel suggested, SIS_UTIL should be enabled by default.

This patch is based on the util_avg, which is very sensitive to the
CPU frequency invariance. There is an issue that, when the max frequency
has been clamped, the util_avg would decay insanely fast when
the CPU is idle. Commit addca285120b ("cpufreq: intel_pstate: Handle no_turbo
in frequency invariance") could be used to mitigate this symptom, by adjusting
the arch_max_freq_ratio when turbo is disabled. But this issue is still
not thoroughly fixed, because the current code is unaware of the user-specified
max CPU frequency.

[Test result]

netperf and tbench were launched with 25% 50% 75% 100% 125% 150%
175% 200% of CPU number respectively. Hackbench and schbench were launched
by 1, 2, 4, 8 groups. Each test lasts for 100 seconds and repeats 3 times.

The following is the benchmark result comparison between
baseline:vanilla v5.19-rc1 and compare:patched kernel. Positive compare%
indicates better performance.

Each netperf test is a:
netperf -4 -H 127.0.1 -t TCP/UDP_RR -c -C -l 100
netperf.throughput
=======
case            	load    	baseline(std%)	compare%( std%)
TCP_RR          	28 threads	 1.00 (  0.34)	 -0.16 (  0.40)
TCP_RR          	56 threads	 1.00 (  0.19)	 -0.02 (  0.20)
TCP_RR          	84 threads	 1.00 (  0.39)	 -0.47 (  0.40)
TCP_RR          	112 threads	 1.00 (  0.21)	 -0.66 (  0.22)
TCP_RR          	140 threads	 1.00 (  0.19)	 -0.69 (  0.19)
TCP_RR          	168 threads	 1.00 (  0.18)	 -0.48 (  0.18)
TCP_RR          	196 threads	 1.00 (  0.16)	+194.70 ( 16.43)
TCP_RR          	224 threads	 1.00 (  0.16)	+197.30 (  7.85)
UDP_RR          	28 threads	 1.00 (  0.37)	 +0.35 (  0.33)
UDP_RR          	56 threads	 1.00 ( 11.18)	 -0.32 (  0.21)
UDP_RR          	84 threads	 1.00 (  1.46)	 -0.98 (  0.32)
UDP_RR          	112 threads	 1.00 ( 28.85)	 -2.48 ( 19.61)
UDP_RR          	140 threads	 1.00 (  0.70)	 -0.71 ( 14.04)
UDP_RR          	168 threads	 1.00 ( 14.33)	 -0.26 ( 11.16)
UDP_RR          	196 threads	 1.00 ( 12.92)	+186.92 ( 20.93)
UDP_RR          	224 threads	 1.00 ( 11.74)	+196.79 ( 18.62)

Take the 224 threads as an example, the SIS search metrics changes are
illustrated below:

    vanilla                    patched
   4544492          +237.5%   15338634        sched_debug.cpu.sis_domain_search.avg
     38539        +39686.8%   15333634        sched_debug.cpu.sis_failed.avg
  128300000          -87.9%   15551326        sched_debug.cpu.sis_scanned.avg
   5842896          +162.7%   15347978        sched_debug.cpu.sis_search.avg

There is -87.9% less CPU scans after patched, which indicates lower overhead.
Besides, with this patch applied, there is -13% less rq lock contention
in perf-profile.calltrace.cycles-pp._raw_spin_lock.raw_spin_rq_lock_nested
.try_to_wake_up.default_wake_function.woken_wake_function.
This might help explain the performance improvement - Because this patch allows
the waking task to remain on the previous CPU, rather than grabbing other CPUs'
lock.

Each hackbench test is a:
hackbench -g $job --process/threads --pipe/sockets -l 1000000 -s 100
hackbench.throughput
=========
case            	load    	baseline(std%)	compare%( std%)
process-pipe    	1 group 	 1.00 (  1.29)	 +0.57 (  0.47)
process-pipe    	2 groups 	 1.00 (  0.27)	 +0.77 (  0.81)
process-pipe    	4 groups 	 1.00 (  0.26)	 +1.17 (  0.02)
process-pipe    	8 groups 	 1.00 (  0.15)	 -4.79 (  0.02)
process-sockets 	1 group 	 1.00 (  0.63)	 -0.92 (  0.13)
process-sockets 	2 groups 	 1.00 (  0.03)	 -0.83 (  0.14)
process-sockets 	4 groups 	 1.00 (  0.40)	 +5.20 (  0.26)
process-sockets 	8 groups 	 1.00 (  0.04)	 +3.52 (  0.03)
threads-pipe    	1 group 	 1.00 (  1.28)	 +0.07 (  0.14)
threads-pipe    	2 groups 	 1.00 (  0.22)	 -0.49 (  0.74)
threads-pipe    	4 groups 	 1.00 (  0.05)	 +1.88 (  0.13)
threads-pipe    	8 groups 	 1.00 (  0.09)	 -4.90 (  0.06)
threads-sockets 	1 group 	 1.00 (  0.25)	 -0.70 (  0.53)
threads-sockets 	2 groups 	 1.00 (  0.10)	 -0.63 (  0.26)
threads-sockets 	4 groups 	 1.00 (  0.19)	+11.92 (  0.24)
threads-sockets 	8 groups 	 1.00 (  0.08)	 +4.31 (  0.11)

Each tbench test is a:
tbench -t 100 $job 127.0.0.1
tbench.throughput
======
case            	load    	baseline(std%)	compare%( std%)
loopback        	28 threads	 1.00 (  0.06)	 -0.14 (  0.09)
loopback        	56 threads	 1.00 (  0.03)	 -0.04 (  0.17)
loopback        	84 threads	 1.00 (  0.05)	 +0.36 (  0.13)
loopback        	112 threads	 1.00 (  0.03)	 +0.51 (  0.03)
loopback        	140 threads	 1.00 (  0.02)	 -1.67 (  0.19)
loopback        	168 threads	 1.00 (  0.38)	 +1.27 (  0.27)
loopback        	196 threads	 1.00 (  0.11)	 +1.34 (  0.17)
loopback        	224 threads	 1.00 (  0.11)	 +1.67 (  0.22)

Each schbench test is a:
schbench -m $job -t 28 -r 100 -s 30000 -c 30000
schbench.latency_90%_us
========
case            	load    	baseline(std%)	compare%( std%)
normal          	1 mthread	 1.00 ( 31.22)	 -7.36 ( 20.25)*
normal          	2 mthreads	 1.00 (  2.45)	 -0.48 (  1.79)
normal          	4 mthreads	 1.00 (  1.69)	 +0.45 (  0.64)
normal          	8 mthreads	 1.00 (  5.47)	 +9.81 ( 14.28)

*Consider the Standard Deviation, this -7.36% regression might not be valid.

Also, an OLTP workload with a commercial RDBMS has been tested, and there
is no significant change.

There were concerns that unbalanced tasks among CPUs would cause problems.
For example, suppose the LLC domain is composed of 8 CPUs, and 7 tasks are
bound to CPU0~CPU6, while CPU7 is idle:

          CPU0    CPU1    CPU2    CPU3    CPU4    CPU5    CPU6    CPU7
util_avg  1024    1024    1024    1024    1024    1024    1024    0

Since the util_avg ratio is 87.5%( = 7/8 ), which is higher than 85%,
select_idle_cpu() will not scan, thus CPU7 is undetected during scan.
But according to Mel, it is unlikely the CPU7 will be idle all the time
because CPU7 could pull some tasks via CPU_NEWLY_IDLE.

lkp(kernel test robot) has reported a regression on stress-ng.sock on a
very busy system. According to the sched_debug statistics, it might be caused
by SIS_UTIL terminating the scan and choosing a previous CPU earlier, and this
might introduce more context switch, especially involuntary preemption, which
impacts a busy stress-ng. This regression has shown that, not all benchmarks
in every scenario benefit from idle CPU scan limit, and it needs further
investigation.

Besides, there is slight regression in hackbench's 16 groups case when the
LLC domain has 16 CPUs. Prateek mentioned that we should scan aggressively
in an LLC domain with 16 CPUs. Because the cost to search for an idle one
among 16 CPUs is negligible. The current patch aims to propose a generic
solution and only considers the util_avg. Something like the below could
be applied on top of the current patch to fulfill the requirement:

	if (llc_weight <= 16)
		nr_scan = nr_scan * 32 / llc_weight;

For an LLC domain with 16 CPUs, the nr_scan will be expanded to 2 times as large.
The smaller the CPU number this LLC domain has, the larger nr_scan will be
expanded. This needs further investigation.

There is also ongoing work[2] from Abel to filter out the busy CPUs during
wakeup, to further speed up the idle CPU scan. And it could be a follow-up
optimization on top of this change.

Suggested-by: Tim Chen <tim.c.chen@intel.com>
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Chen Yu <yu.c.chen@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Yicong Yang <yangyicong@hisilicon.com>
Tested-by: Mohini Narkhede <mohini.narkhede@intel.com>
Tested-by: K Prateek Nayak <kprateek.nayak@amd.com>
Link: https://lore.kernel.org/r/20220612163428.849378-1-yu.c.chen@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/sched/topology.h |  1 +
 kernel/sched/fair.c            | 87 ++++++++++++++++++++++++++++++++++
 kernel/sched/features.h        |  3 +-
 3 files changed, 90 insertions(+), 1 deletion(-)

diff --git a/include/linux/sched/topology.h b/include/linux/sched/topology.h
index 56cffe42abbc..816df6cc444e 100644
--- a/include/linux/sched/topology.h
+++ b/include/linux/sched/topology.h
@@ -81,6 +81,7 @@ struct sched_domain_shared {
 	atomic_t	ref;
 	atomic_t	nr_busy_cpus;
 	int		has_idle_cores;
+	int		nr_idle_scan;
 };
 
 struct sched_domain {
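Review bot: the new nr_idle_scan member of struct sched_domain_shared is added without a comment, although it is a cross-CPU hint rather than ordinary state. A one-line comment saying that it is written from periodic load balancing with WRITE_ONCE(), read locklessly in the wakeup path, and may be stale would document the contract where the field is declared.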
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 77b2048a9326..3fb857a35b16 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -6336,6 +6336,7 @@ static int select_idle_cpu(struct task_struct *p, struct sched_domain *sd, bool
 {
 	struct cpumask *cpus = this_cpu_cpumask_var_ptr(select_idle_mask);
 	int i, cpu, idle_cpu = -1, nr = INT_MAX;
+	struct sched_domain_shared *sd_share;
 	struct rq *this_rq = this_rq();
 	int this = smp_processor_id();
 	struct sched_domain *this_sd;
@@ -6375,6 +6376,17 @@ static int select_idle_cpu(struct task_struct *p, struct sched_domain *sd, bool
 		time = cpu_clock(this);
 	}
 
+	if (sched_feat(SIS_UTIL)) {
+		sd_share = rcu_dereference(per_cpu(sd_llc_shared, target));
+		if (sd_share) {
+			/* because !--nr is the condition to stop scan */
+			nr = READ_ONCE(sd_share->nr_idle_scan) + 1;
+			/* overloaded LLC is unlikely to have idle cpu/core */
+			if (nr == 1)
+				return -1;
+		}
+	}
+
 	for_each_cpu_wrap(cpu, cpus, target + 1) {
 		if (has_idle_core) {
 			i = select_idle_core(p, cpu, cpus, &idle_cpu);
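Review bot: the early return -1 on nr == 1 is taken before the loop consults has_idle_core, so once the hint reads zero the wakeup path skips the scan even when a whole idle core has been flagged. The hint is only refreshed from periodic load balancing, so it can lag behind the real state of the LLC. If that trade-off is intended, the comment "overloaded LLC is unlikely to have idle cpu/core" should say that the value may be stale and that a missed idle core is accepted; otherwise the has_idle_core case should bypass the early return.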
@@ -9222,6 +9234,77 @@ find_idlest_group(struct sched_domain *sd, struct task_struct *p, int this_cpu)
 	return idlest;
 }
 
+static void update_idle_cpu_scan(struct lb_env *env,
+				 unsigned long sum_util)
+{
+	struct sched_domain_shared *sd_share;
+	int llc_weight, pct;
+	u64 x, y, tmp;
+	/*
+	 * Update the number of CPUs to scan in LLC domain, which could
+	 * be used as a hint in select_idle_cpu(). The update of sd_share
+	 * could be expensive because it is within a shared cache line.
+	 * So the write of this hint only occurs during periodic load
+	 * balancing, rather than CPU_NEWLY_IDLE, because the latter
+	 * can fire way more frequently than the former.
+	 */
+	if (!sched_feat(SIS_UTIL) || env->idle == CPU_NEWLY_IDLE)
+		return;
+
+	llc_weight = per_cpu(sd_llc_size, env->dst_cpu);
+	if (env->sd->span_weight != llc_weight)
+		return;
+
+	sd_share = rcu_dereference(per_cpu(sd_llc_shared, env->dst_cpu));
+	if (!sd_share)
+		return;
+
+	/*
+	 * The number of CPUs to search drops as sum_util increases, when
+	 * sum_util hits 85% or above, the scan stops.
+	 * The reason to choose 85% as the threshold is because this is the
+	 * imbalance_pct(117) when a LLC sched group is overloaded.
+	 *
+	 * let y = SCHED_CAPACITY_SCALE - p * x^2                       [1]
+	 * and y'= y / SCHED_CAPACITY_SCALE
+	 *
+	 * x is the ratio of sum_util compared to the CPU capacity:
+	 * x = sum_util / (llc_weight * SCHED_CAPACITY_SCALE)
+	 * y' is the ratio of CPUs to be scanned in the LLC domain,
+	 * and the number of CPUs to scan is calculated by:
+	 *
+	 * nr_scan = llc_weight * y'                                    [2]
+	 *
+	 * When x hits the threshold of overloaded, AKA, when
+	 * x = 100 / pct, y drops to 0. According to [1],
+	 * p should be SCHED_CAPACITY_SCALE * pct^2 / 10000
+	 *
+	 * Scale x by SCHED_CAPACITY_SCALE:
+	 * x' = sum_util / llc_weight;                                  [3]
+	 *
+	 * and finally [1] becomes:
+	 * y = SCHED_CAPACITY_SCALE -
+	 *     x'^2 * pct^2 / (10000 * SCHED_CAPACITY_SCALE)            [4]
+	 *
+	 */
+	/* equation [3] */
+	x = sum_util;
+	do_div(x, llc_weight);
+
+	/* equation [4] */
+	pct = env->sd->imbalance_pct;
+	tmp = x * x * pct * pct;
+	do_div(tmp, 10000 * SCHED_CAPACITY_SCALE);
+	tmp = min_t(long, tmp, SCHED_CAPACITY_SCALE);
+	y = SCHED_CAPACITY_SCALE - tmp;
+
+	/* equation [2] */
+	y *= llc_weight;
+	do_div(y, SCHED_CAPACITY_SCALE);
+	if ((int)y != sd_share->nr_idle_scan)
+		WRITE_ONCE(sd_share->nr_idle_scan, (int)y);
+}
+
 /**
  * update_sd_lb_stats - Update sched_domain's statistics for load balancing.
  * @env: The load balancing environment.
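Review bot: the clamp tmp = min_t(long, tmp, SCHED_CAPACITY_SCALE) in update_idle_cpu_scan() compares through a signed long although tmp is declared u64, which narrows the value on 32-bit builds before the comparison. min_t(u64, ...) matches the declared type and removes the need to reason about the range of x * x * pct * pct. The final test (int)y != sd_share->nr_idle_scan also reads the shared field plainly while the store uses WRITE_ONCE() and the reader in select_idle_cpu() uses READ_ONCE(); a READ_ONCE() here would keep the accesses consistent. A blank line between the declarations and the block comment would follow the usual layout.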
@@ -9234,6 +9317,7 @@ static inline void update_sd_lb_stats(struct lb_env *env, struct sd_lb_stats *sd
 	struct sched_group *sg = env->sd->groups;
 	struct sg_lb_stats *local = &sds->local_stat;
 	struct sg_lb_stats tmp_sgs;
+	unsigned long sum_util = 0;
 	int sg_status = 0;
 
 	do {
@@ -9266,6 +9350,7 @@ static inline void update_sd_lb_stats(struct lb_env *env, struct sd_lb_stats *sd
 		sds->total_load += sgs->group_load;
 		sds->total_capacity += sgs->group_capacity;
 
+		sum_util += sgs->group_util;
 		sg = sg->next;
 	} while (sg != env->sd->groups);
 
@@ -9291,6 +9376,8 @@ static inline void update_sd_lb_stats(struct lb_env *env, struct sd_lb_stats *sd
 		WRITE_ONCE(rd->overutilized, SG_OVERUTILIZED);
 		trace_sched_overutilized_tp(rd, SG_OVERUTILIZED);
 	}
+
+	update_idle_cpu_scan(env, sum_util);
 }
 
 #define NUMA_IMBALANCE_MIN 2
diff --git a/kernel/sched/features.h b/kernel/sched/features.h
index 1cf435bbcd9c..ee7f23c76bd3 100644
--- a/kernel/sched/features.h
+++ b/kernel/sched/features.h
@@ -60,7 +60,8 @@ SCHED_FEAT(TTWU_QUEUE, true)
 /*
  * When doing wakeups, attempt to limit superfluous scans of the LLC domain.
  */
-SCHED_FEAT(SIS_PROP, true)
+SCHED_FEAT(SIS_PROP, false)
+SCHED_FEAT(SIS_UTIL, true)
 
 /*
  * Issue a WARN when we do multiple update_rq_clock() calls
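Review bot: the comment above the two SCHED_FEAT lines still describes a single mechanism and does not explain why SIS_PROP now defaults to false or which feature wins when both are enabled. The select_idle_cpu() hunk overwrites nr whenever SIS_UTIL is set, so SIS_UTIL takes precedence; stating that here, together with a line on what each feature bases its scan limit on, would help anyone toggling these through the scheduler features interface. For a stable backport it is also worth noting that this hunk changes default scheduler behaviour, and the commit message itself records a stress-ng.sock regression.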
-- 
2.35.1
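The quadratic scan-depth formula from the commit message above, as an added userspace example that is not part of the patch: it ports the integer arithmetic of update_idle_cpu_scan() and reproduces the 112-CPU and 16-CPU tables and the 8-CPU unbalanced case. The helper names are constructed for illustration, and imbalance_pct is assumed to be 117 as stated in the message.

```c
#include <stdint.h>
#include <stdio.h>

#define SCHED_CAPACITY_SCALE 1024ULL

/*
 * Userspace port of the arithmetic in update_idle_cpu_scan().
 * sum_util: summed util_avg of the LLC, llc_weight: CPUs in the LLC,
 * pct: imbalance_pct of the domain (117 in the commit message).
 */
static int nr_idle_scan(uint64_t sum_util, int llc_weight, int pct)
{
	uint64_t x, y, tmp;

	if (llc_weight <= 0)
		return 0;

	/* equation [3]: x' = sum_util / llc_weight */
	x = sum_util / (uint64_t)llc_weight;

	/* equation [4]: y = SCALE - x'^2 * pct^2 / (10000 * SCALE), clamped at 0 */
	tmp = x * x * (uint64_t)pct * (uint64_t)pct / (10000 * SCHED_CAPACITY_SCALE);
	if (tmp > SCHED_CAPACITY_SCALE)
		tmp = SCHED_CAPACITY_SCALE;
	y = SCHED_CAPACITY_SCALE - tmp;

	/* equation [2]: nr_scan = llc_weight * y / SCALE */
	return (int)(y * (uint64_t)llc_weight / SCHED_CAPACITY_SCALE);
}

/* sum_util of an LLC whose CPUs together run at `percent` of capacity. */
static uint64_t sum_util_at(int percent, int llc_weight)
{
	return (uint64_t)percent * (uint64_t)llc_weight * SCHED_CAPACITY_SCALE / 100;
}

/* select_idle_cpu() sets nr = hint + 1 and returns -1 when nr == 1. */
static int scan_is_skipped(int hint)
{
	return hint + 1 == 1;
}

int main(void)
{
	static const int pcts[] = { 0, 5, 15, 25, 35, 45, 55, 65, 75, 85, 86 };
	static const int llcs[] = { 112, 16 };
	size_t i, j;

	for (j = 0; j < sizeof(llcs) / sizeof(llcs[0]); j++) {
		printf("llc_weight=%d\n", llcs[j]);
		for (i = 0; i < sizeof(pcts) / sizeof(pcts[0]); i++)
			printf("  sum_util%%=%3d  nr_scan=%3d\n", pcts[i],
			       nr_idle_scan(sum_util_at(pcts[i], llcs[j]), llcs[j], 117));
	}

	/* 8-CPU LLC, CPU0..CPU6 at util_avg 1024, CPU7 idle (case from the message). */
	int hint = nr_idle_scan(7 * 1024, 8, 117);
	printf("8 CPUs, 7 busy: nr_scan=%d, scan skipped=%d\n",
	       hint, scan_is_skipped(hint));
	return 0;
}
```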





* [PATCH 5.19 0157/1157] genirq: Dont return error on missing optional irq_request_resources()
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Antonio Borneo, Marc Zyngier, Sasha Levin

From: Antonio Borneo <antonio.borneo@foss.st.com>

[ Upstream commit 95001b756467ecc9f5973eb5e74e97699d9bbdf1 ]

Function irq_chip::irq_request_resources() is reported as optional
in the declaration of struct irq_chip.
If the parent irq_chip does not implement it, we should ignore it
and return.

Don't return error if the function is missing.

Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20220512160544.13561-1-antonio.borneo@foss.st.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/irq/chip.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/irq/chip.c b/kernel/irq/chip.c
index 886789dcee43..c19040530789 100644
--- a/kernel/irq/chip.c
+++ b/kernel/irq/chip.c
@@ -1516,7 +1516,8 @@ int irq_chip_request_resources_parent(struct irq_data *data)
 	if (data->chip->irq_request_resources)
 		return data->chip->irq_request_resources(data);
 
-	return -ENOSYS;
+	/* no error on missing optional irq_chip::irq_request_resources */
+	return 0;
 }
 EXPORT_SYMBOL_GPL(irq_chip_request_resources_parent);
 
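Review bot: the new `return 0;` at the end of irq_chip_request_resources_parent() makes a missing parent callback indistinguishable from one that ran and succeeded, and the commit message does not say whether any caller tested for -ENOSYS to detect the missing case. It would help to state in the changelog that no caller depends on the old value, and, if the function carries a doc comment above this hunk, to update it to say that 0 is returned when the chip has no irq_request_resources.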
-- 
2.35.1

* [PATCH 5.19 0158/1157] irqchip/mips-gic: Only register IPI domain when SMP is enabled
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0157/1157] genirq: Dont return error on missing optional irq_request_resources() Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0159/1157] genirq: GENERIC_IRQ_IPI depends on SMP Greg Kroah-Hartman
                   ` (837 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Samuel Holland,
	Marc Zyngier, Sasha Levin

From: Samuel Holland <samuel@sholland.org>

[ Upstream commit 8190cc572981f2f13b6ffc26c7cfa7899e5d3ccc ]

The MIPS GIC irqchip driver may be selected in a uniprocessor
configuration, but it unconditionally registers an IPI domain.

Limit the part of the driver dealing with IPIs to only be compiled when
GENERIC_IRQ_IPI is enabled, which corresponds to an SMP configuration.

Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20220701200056.46555-2-samuel@sholland.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/irqchip/Kconfig        |  3 +-
 drivers/irqchip/irq-mips-gic.c | 80 +++++++++++++++++++++++-----------
 2 files changed, 56 insertions(+), 27 deletions(-)

diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig
index bbb11cb8b0f7..12664ac6ac2d 100644
--- a/drivers/irqchip/Kconfig
+++ b/drivers/irqchip/Kconfig
@@ -322,7 +322,8 @@ config KEYSTONE_IRQ
 
 config MIPS_GIC
 	bool
-	select GENERIC_IRQ_IPI
+	select GENERIC_IRQ_IPI if SMP
+	select IRQ_DOMAIN_HIERARCHY
 	select MIPS_CM
 
 config INGENIC_IRQ
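Review bot: the added `select IRQ_DOMAIN_HIERARCHY` under MIPS_GIC is not covered by the commit message, which only describes limiting the IPI code to SMP builds. A sentence explaining why the explicit select is needed once `select GENERIC_IRQ_IPI` becomes conditional (gic_irq_domain_map() still calls irq_domain_set_hwirq_and_chip() regardless of SMP) would make the dependency clear to anyone backporting or bisecting this change.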
diff --git a/drivers/irqchip/irq-mips-gic.c b/drivers/irqchip/irq-mips-gic.c
index ff89b36267dd..8a9efb6ae587 100644
--- a/drivers/irqchip/irq-mips-gic.c
+++ b/drivers/irqchip/irq-mips-gic.c
@@ -52,13 +52,15 @@ static DEFINE_PER_CPU_READ_MOSTLY(unsigned long[GIC_MAX_LONGS], pcpu_masks);
 
 static DEFINE_SPINLOCK(gic_lock);
 static struct irq_domain *gic_irq_domain;
-static struct irq_domain *gic_ipi_domain;
 static int gic_shared_intrs;
 static unsigned int gic_cpu_pin;
 static unsigned int timer_cpu_pin;
 static struct irq_chip gic_level_irq_controller, gic_edge_irq_controller;
+
+#ifdef CONFIG_GENERIC_IRQ_IPI
 static DECLARE_BITMAP(ipi_resrv, GIC_MAX_INTRS);
 static DECLARE_BITMAP(ipi_available, GIC_MAX_INTRS);
+#endif /* CONFIG_GENERIC_IRQ_IPI */
 
 static struct gic_all_vpes_chip_data {
 	u32	map;
@@ -472,9 +474,11 @@ static int gic_irq_domain_map(struct irq_domain *d, unsigned int virq,
 	u32 map;
 
 	if (hwirq >= GIC_SHARED_HWIRQ_BASE) {
+#ifdef CONFIG_GENERIC_IRQ_IPI
 		/* verify that shared irqs don't conflict with an IPI irq */
 		if (test_bit(GIC_HWIRQ_TO_SHARED(hwirq), ipi_resrv))
 			return -EBUSY;
+#endif /* CONFIG_GENERIC_IRQ_IPI */
 
 		err = irq_domain_set_hwirq_and_chip(d, virq, hwirq,
 						    &gic_level_irq_controller,
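Review bot: the `#ifdef CONFIG_GENERIC_IRQ_IPI` placed inside the body of gic_irq_domain_map(), around the `test_bit(GIC_HWIRQ_TO_SHARED(hwirq), ipi_resrv)` check, is a style point: kernel code normally keeps preprocessor conditionals out of function bodies. The patch already provides a stub for gic_register_ipi_domain() in its `#else` branch, so a small helper next to it (for example a hypothetical gic_shared_irq_is_ipi(), with a stub returning false) would let this function stay free of #ifdef and keep the -EBUSY check visible in both configurations.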
@@ -567,6 +571,8 @@ static const struct irq_domain_ops gic_irq_domain_ops = {
 	.map = gic_irq_domain_map,
 };
 
+#ifdef CONFIG_GENERIC_IRQ_IPI
+
 static int gic_ipi_domain_xlate(struct irq_domain *d, struct device_node *ctrlr,
 				const u32 *intspec, unsigned int intsize,
 				irq_hw_number_t *out_hwirq,
@@ -670,6 +676,48 @@ static const struct irq_domain_ops gic_ipi_domain_ops = {
 	.match = gic_ipi_domain_match,
 };
 
+static int gic_register_ipi_domain(struct device_node *node)
+{
+	struct irq_domain *gic_ipi_domain;
+	unsigned int v[2], num_ipis;
+
+	gic_ipi_domain = irq_domain_add_hierarchy(gic_irq_domain,
+						  IRQ_DOMAIN_FLAG_IPI_PER_CPU,
+						  GIC_NUM_LOCAL_INTRS + gic_shared_intrs,
+						  node, &gic_ipi_domain_ops, NULL);
+	if (!gic_ipi_domain) {
+		pr_err("Failed to add IPI domain");
+		return -ENXIO;
+	}
+
+	irq_domain_update_bus_token(gic_ipi_domain, DOMAIN_BUS_IPI);
+
+	if (node &&
+	    !of_property_read_u32_array(node, "mti,reserved-ipi-vectors", v, 2)) {
+		bitmap_set(ipi_resrv, v[0], v[1]);
+	} else {
+		/*
+		 * Reserve 2 interrupts per possible CPU/VP for use as IPIs,
+		 * meeting the requirements of arch/mips SMP.
+		 */
+		num_ipis = 2 * num_possible_cpus();
+		bitmap_set(ipi_resrv, gic_shared_intrs - num_ipis, num_ipis);
+	}
+
+	bitmap_copy(ipi_available, ipi_resrv, GIC_MAX_INTRS);
+
+	return 0;
+}
+
+#else /* !CONFIG_GENERIC_IRQ_IPI */
+
+static inline int gic_register_ipi_domain(struct device_node *node)
+{
+	return 0;
+}
+
+#endif /* !CONFIG_GENERIC_IRQ_IPI */
+
 static int gic_cpu_startup(unsigned int cpu)
 {
 	/* Enable or disable EIC */
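Review bot: in gic_register_ipi_domain(), `bitmap_set(ipi_resrv, v[0], v[1])` uses the two values read from "mti,reserved-ipi-vectors" without checking them against GIC_MAX_INTRS, the declared size of ipi_resrv, so a malformed device tree can set bits past the end of the bitmap; the fallback `gic_shared_intrs - num_ipis` also wraps when num_ipis is larger than gic_shared_intrs. This is moved code rather than new logic, but the move is a good point to add a range check on both paths and return an error when it fails. Separately, `pr_err("Failed to add IPI domain")` is missing its trailing "\n".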
@@ -688,11 +736,12 @@ static int gic_cpu_startup(unsigned int cpu)
 static int __init gic_of_init(struct device_node *node,
 			      struct device_node *parent)
 {
-	unsigned int cpu_vec, i, gicconfig, v[2], num_ipis;
+	unsigned int cpu_vec, i, gicconfig;
 	unsigned long reserved;
 	phys_addr_t gic_base;
 	struct resource res;
 	size_t gic_len;
+	int ret;
 
 	/* Find the first available CPU vector. */
 	i = 0;
@@ -780,30 +829,9 @@ static int __init gic_of_init(struct device_node *node,
 		return -ENXIO;
 	}
 
-	gic_ipi_domain = irq_domain_add_hierarchy(gic_irq_domain,
-						  IRQ_DOMAIN_FLAG_IPI_PER_CPU,
-						  GIC_NUM_LOCAL_INTRS + gic_shared_intrs,
-						  node, &gic_ipi_domain_ops, NULL);
-	if (!gic_ipi_domain) {
-		pr_err("Failed to add IPI domain");
-		return -ENXIO;
-	}
-
-	irq_domain_update_bus_token(gic_ipi_domain, DOMAIN_BUS_IPI);
-
-	if (node &&
-	    !of_property_read_u32_array(node, "mti,reserved-ipi-vectors", v, 2)) {
-		bitmap_set(ipi_resrv, v[0], v[1]);
-	} else {
-		/*
-		 * Reserve 2 interrupts per possible CPU/VP for use as IPIs,
-		 * meeting the requirements of arch/mips SMP.
-		 */
-		num_ipis = 2 * num_possible_cpus();
-		bitmap_set(ipi_resrv, gic_shared_intrs - num_ipis, num_ipis);
-	}
-
-	bitmap_copy(ipi_available, ipi_resrv, GIC_MAX_INTRS);
+	ret = gic_register_ipi_domain(node);
+	if (ret)
+		return ret;
 
 	board_bind_eic_interrupt = &gic_bind_eic_interrupt;
 
-- 
2.35.1

* [PATCH 5.19 0159/1157] genirq: GENERIC_IRQ_IPI depends on SMP
  2022-08-15 17:49 [PATCH 5.19 0000/1157] 5.19.2-rc1 review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2022-08-15 17:51 ` [PATCH 5.19 0158/1157] irqchip/mips-gic: Only register IPI domain when SMP is enabled Greg Kroah-Hartman
@ 2022-08-15 17:51 ` Greg Kroah-Hartman
  2022-08-15 17:51 ` [PATCH 5.19 0160/1157] sched/fair: fix case with reduced capacity CPU Greg Kroah-Hartman
                   ` (836 subsequent siblings)
  993 siblings, 0 replies; 1191+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-15 17:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Samuel Holland,
	Marc Zyngier, Sasha Levin

From: Samuel Holland <samuel@sholland.org>

[ Upstream commit 0f5209fee90b4544c58b4278d944425292789967 ]

The generic IPI code depends on the IRQ affinity mask being allocated
and initialized. This will not be the case if SMP is disabled. Fix up
the remaining driver that selected GENERIC_IRQ_IPI in a non-SMP config.

Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20220701200056.46555-3-samuel@sholland.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/irqchip/Kconfig | 2 +-
 kernel/irq/Kconfig      | 1 +
 2 files